]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/appmain.c
Fix memory bounds error
[proxmark3-svn] / armsrc / appmain.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
15c4dc5a 2// Jonathan Westhues, Mar 2006
3// Edits by Gerhard de Koning Gans, Sep 2007 (##)
bd20f8f4 4//
5// This code is licensed to you under the terms of the GNU GPL, version 2 or,
6// at your option, any later version. See the LICENSE.txt file for the text of
7// the license.
8//-----------------------------------------------------------------------------
9// The main application code. This is the first thing called after start.c
10// executes.
15c4dc5a 11//-----------------------------------------------------------------------------
12
b8e461ff 13#include <stdarg.h>
14
902cb3c0 15#include "usb_cdc.h"
16#include "cmd.h"
e30c654b 17#include "proxmark3.h"
15c4dc5a 18#include "apps.h"
f7e3ed82 19#include "util.h"
9ab7a6c7 20#include "printf.h"
21#include "string.h"
15c4dc5a 22#include "legicrf.h"
b8e461ff 23#include "hitag2.h"
24#include "hitagS.h"
31abe49f 25#include "lfsampling.h"
3000dc4e 26#include "BigBuf.h"
c89274cc 27#include "mifareutil.h"
d10e08ae 28#include "pcf7931.h"
15c4dc5a 29#ifdef WITH_LCD
902cb3c0 30 #include "LCD.h"
15c4dc5a 31#endif
32
e46fe044
CY
33// Craig Young - 14a stand-alone code
34#ifdef WITH_ISO14443a_StandAlone
35 #include "iso14443a.h"
36#endif
37
15c4dc5a 38//=============================================================================
39// A buffer where we can queue things up to be sent through the FPGA, for
40// any purpose (fake tag, as reader, whatever). We go MSB first, since that
41// is the order in which they go out on the wire.
42//=============================================================================
43
6a1f2d82 44#define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
45uint8_t ToSend[TOSEND_BUFFER_SIZE];
15c4dc5a 46int ToSendMax;
47static int ToSendBit;
48struct common_area common_area __attribute__((section(".commonarea")));
49
15c4dc5a 50void ToSendReset(void)
51{
52 ToSendMax = -1;
53 ToSendBit = 8;
54}
55
56void ToSendStuffBit(int b)
57{
58 if(ToSendBit >= 8) {
59 ToSendMax++;
60 ToSend[ToSendMax] = 0;
61 ToSendBit = 0;
62 }
63
64 if(b) {
65 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
66 }
67
68 ToSendBit++;
69
6a1f2d82 70 if(ToSendMax >= sizeof(ToSend)) {
15c4dc5a 71 ToSendBit = 0;
72 DbpString("ToSendStuffBit overflowed!");
73 }
74}
75
76//=============================================================================
77// Debug print functions, to go out over USB, to the usual PC-side client.
78//=============================================================================
79
80void DbpString(char *str)
81{
9440213d 82 byte_t len = strlen(str);
83 cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len);
15c4dc5a 84}
85
86#if 0
87void DbpIntegers(int x1, int x2, int x3)
88{
902cb3c0 89 cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
15c4dc5a 90}
91#endif
92
93void Dbprintf(const char *fmt, ...) {
94// should probably limit size here; oh well, let's just use a big buffer
95 char output_string[128];
96 va_list ap;
97
98 va_start(ap, fmt);
99 kvsprintf(fmt, output_string, 10, ap);
100 va_end(ap);
e30c654b 101
15c4dc5a 102 DbpString(output_string);
103}
104
9455b51c 105// prints HEX & ASCII
d19929cb 106void Dbhexdump(int len, uint8_t *d, bool bAsci) {
9455b51c 107 int l=0,i;
108 char ascii[9];
d19929cb 109
9455b51c 110 while (len>0) {
111 if (len>8) l=8;
112 else l=len;
113
114 memcpy(ascii,d,l);
d19929cb 115 ascii[l]=0;
9455b51c 116
117 // filter safe ascii
d19929cb 118 for (i=0;i<l;i++)
9455b51c 119 if (ascii[i]<32 || ascii[i]>126) ascii[i]='.';
d19929cb 120
121 if (bAsci) {
122 Dbprintf("%-8s %*D",ascii,l,d," ");
123 } else {
124 Dbprintf("%*D",l,d," ");
125 }
126
9455b51c 127 len-=8;
128 d+=8;
129 }
130}
131
15c4dc5a 132//-----------------------------------------------------------------------------
133// Read an ADC channel and block till it completes, then return the result
134// in ADC units (0 to 1023). Also a routine to average 32 samples and
135// return that.
136//-----------------------------------------------------------------------------
137static int ReadAdc(int ch)
138{
f7e3ed82 139 uint32_t d;
15c4dc5a 140
141 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
142 AT91C_BASE_ADC->ADC_MR =
3b692427 143 ADC_MODE_PRESCALE(63 /* was 32 */) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
144 ADC_MODE_STARTUP_TIME(1 /* was 16 */) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
145 ADC_MODE_SAMPLE_HOLD_TIME(15 /* was 8 */); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
146
147 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
148 // Both AMPL_LO and AMPL_HI are very high impedance (10MOhm) outputs, the input capacitance of the ADC is 12pF (typical). This results in a time constant
149 // of RC = 10MOhm * 12pF = 120us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
150 //
151 // The maths are:
152 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
153 //
154 // v_cap = v_in * (1 - exp(-RC/SHTIM)) = v_in * (1 - exp(-3)) = v_in * 0,95 (i.e. an error of 5%)
155 //
156 // Note: with the "historic" values in the comments above, the error was 34% !!!
157
15c4dc5a 158 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
159
160 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
3b692427 161
15c4dc5a 162 while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch)))
163 ;
164 d = AT91C_BASE_ADC->ADC_CDR[ch];
165
166 return d;
167}
168
9ca155ba 169int AvgAdc(int ch) // was static - merlok
15c4dc5a 170{
171 int i;
172 int a = 0;
173
174 for(i = 0; i < 32; i++) {
175 a += ReadAdc(ch);
176 }
177
178 return (a + 15) >> 5;
179}
180
fdcfbdcc 181void MeasureAntennaTuningLfOnly(int *vLf125, int *vLf134, int *peakf, int *peakv, uint8_t LF_Results[])
15c4dc5a 182{
fdcfbdcc 183 int i, adcval = 0, peak = 0;
15c4dc5a 184
185/*
186 * Sweeps the useful LF range of the proxmark from
187 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
188 * read the voltage in the antenna, the result left
189 * in the buffer is a graph which should clearly show
190 * the resonating frequency of your LF antenna
191 * ( hopefully around 95 if it is tuned to 125kHz!)
192 */
fdcfbdcc
RAB
193
194 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
b014c96d 195 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
2bdd68c3 196 for (i=255; i>=19; i--) {
fdcfbdcc 197 WDT_HIT();
15c4dc5a 198 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
199 SpinDelay(20);
3b692427 200 adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
fdcfbdcc
RAB
201 if (i==95) *vLf125 = adcval; // voltage at 125Khz
202 if (i==89) *vLf134 = adcval; // voltage at 134Khz
15c4dc5a 203
2bdd68c3 204 LF_Results[i] = adcval>>8; // scale int to fit in byte for graphing purposes
205 if(LF_Results[i] > peak) {
fdcfbdcc 206 *peakv = adcval;
2bdd68c3 207 peak = LF_Results[i];
fdcfbdcc 208 *peakf = i;
9f693930 209 //ptr = i;
15c4dc5a 210 }
211 }
212
2bdd68c3 213 for (i=18; i >= 0; i--) LF_Results[i] = 0;
fdcfbdcc
RAB
214
215 return;
216}
217
218void MeasureAntennaTuningHfOnly(int *vHf)
219{
15c4dc5a 220 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
fdcfbdcc
RAB
221 LED_A_ON();
222 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
15c4dc5a 223 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
224 SpinDelay(20);
fdcfbdcc
RAB
225 *vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
226 LED_A_OFF();
227
228 return;
229}
230
231void MeasureAntennaTuning(int mode)
232{
233 uint8_t LF_Results[256] = {0};
234 int peakv = 0, peakf = 0;
235 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
236
237 LED_B_ON();
238
239 if (((mode & FLAG_TUNE_ALL) == FLAG_TUNE_ALL) && (FpgaGetCurrent() == FPGA_BITSTREAM_HF)) {
240 // Reverse "standard" order if HF already loaded, to avoid unnecessary swap.
241 MeasureAntennaTuningHfOnly(&vHf);
242 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
243 } else {
244 if (mode & FLAG_TUNE_LF) {
245 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
246 }
247 if (mode & FLAG_TUNE_HF) {
248 MeasureAntennaTuningHfOnly(&vHf);
249 }
250 }
15c4dc5a 251
3b692427 252 cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125 | (vLf134<<16), vHf, peakf | (peakv<<16), LF_Results, 256);
d19929cb 253 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2bdd68c3 254 LED_B_OFF();
255 return;
15c4dc5a 256}
257
258void MeasureAntennaTuningHf(void)
259{
260 int vHf = 0; // in mV
261
262 DbpString("Measuring HF antenna, press button to exit");
263
3b692427 264 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
265 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
266 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
267
15c4dc5a 268 for (;;) {
15c4dc5a 269 SpinDelay(20);
3b692427 270 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
e30c654b 271
15c4dc5a 272 Dbprintf("%d mV",vHf);
273 if (BUTTON_PRESS()) break;
274 }
275 DbpString("cancelled");
3b692427 276
277 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
278
15c4dc5a 279}
280
281
15c4dc5a 282void ReadMem(int addr)
283{
f7e3ed82 284 const uint8_t *data = ((uint8_t *)addr);
15c4dc5a 285
286 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
287 addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
288}
289
290/* osimage version information is linked in */
291extern struct version_information version_information;
292/* bootrom version information is pointed to from _bootphase1_version_pointer */
0fa01ec7 293extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
15c4dc5a 294void SendVersion(void)
295{
8e074056 296 char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
297 char VersionString[USB_CMD_DATA_SIZE] = { '\0' };
e30c654b 298
299 /* Try to find the bootrom version information. Expect to find a pointer at
15c4dc5a 300 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
301 * pointer, then use it.
302 */
303 char *bootrom_version = *(char**)&_bootphase1_version_pointer;
304 if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
8e074056 305 strcat(VersionString, "bootrom version information appears invalid\n");
15c4dc5a 306 } else {
307 FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
8e074056 308 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
15c4dc5a 309 }
e30c654b 310
15c4dc5a 311 FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
8e074056 312 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
e30c654b 313
e6153040 314 FpgaGatherVersion(FPGA_BITSTREAM_LF, temp, sizeof(temp));
8e074056 315 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
e6153040 316 FpgaGatherVersion(FPGA_BITSTREAM_HF, temp, sizeof(temp));
8e074056 317 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
0fa01ec7 318
e6153040 319 // Send Chip ID and used flash memory
0fa01ec7 320 uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
321 uint32_t compressed_data_section_size = common_area.arg1;
8e074056 322 cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, 0, VersionString, strlen(VersionString));
15c4dc5a 323}
324
bfb01844 325// measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
326// Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
67b7d6fa 327void printUSBSpeed(void)
bfb01844 328{
329 Dbprintf("USB Speed:");
67b7d6fa 330 Dbprintf(" Sending USB packets to client...");
bfb01844 331
67b7d6fa 332 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
bfb01844 333 uint8_t *test_data = BigBuf_get_addr();
67b7d6fa 334 uint32_t end_time;
bfb01844 335
67b7d6fa 336 uint32_t start_time = end_time = GetTickCount();
337 uint32_t bytes_transferred = 0;
338
bfb01844 339 LED_B_ON();
67b7d6fa 340 while(end_time < start_time + USB_SPEED_TEST_MIN_TIME) {
341 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE);
342 end_time = GetTickCount();
343 bytes_transferred += USB_CMD_DATA_SIZE;
bfb01844 344 }
345 LED_B_OFF();
346
67b7d6fa 347 Dbprintf(" Time elapsed: %dms", end_time - start_time);
348 Dbprintf(" Bytes transferred: %d", bytes_transferred);
349 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
350 1000 * bytes_transferred / (end_time - start_time));
bfb01844 351
352}
353
c89274cc
CY
354/**
355 * Prints runtime information about the PM3.
356**/
67b7d6fa 357void SendStatus(void)
c89274cc
CY
358{
359 BigBuf_print_status();
360 Fpga_print_status();
361 printConfig(); //LF Sampling config
67b7d6fa 362 printUSBSpeed();
c89274cc
CY
363 Dbprintf("Various");
364 Dbprintf(" MF_DBGLEVEL......%d", MF_DBGLEVEL);
365 Dbprintf(" ToSendMax........%d",ToSendMax);
366 Dbprintf(" ToSendBit........%d",ToSendBit);
bfb01844 367
368 cmd_send(CMD_ACK,1,0,0,0,0);
c89274cc 369}
15c4dc5a 370
86a83668 371#if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF)
15c4dc5a 372
15c4dc5a 373#define OPTS 2
374
86a83668
MHS
375void StandAloneMode()
376{
377 DbpString("Stand-alone mode! No PC necessary.");
15c4dc5a 378 // Oooh pretty -- notify user we're in elite samy mode now
379 LED(LED_RED, 200);
380 LED(LED_ORANGE, 200);
381 LED(LED_GREEN, 200);
382 LED(LED_ORANGE, 200);
383 LED(LED_RED, 200);
384 LED(LED_ORANGE, 200);
385 LED(LED_GREEN, 200);
386 LED(LED_ORANGE, 200);
387 LED(LED_RED, 200);
388
86a83668
MHS
389}
390
391#endif
392
393
394
395#ifdef WITH_ISO14443a_StandAlone
396void StandAloneMode14a()
397{
398 StandAloneMode();
399 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
400
15c4dc5a 401 int selected = 0;
c89274cc 402 int playing = 0, iGotoRecord = 0, iGotoClone = 0;
86a83668
MHS
403 int cardRead[OPTS] = {0};
404 uint8_t readUID[10] = {0};
405 uint32_t uid_1st[OPTS]={0};
406 uint32_t uid_2nd[OPTS]={0};
c89274cc
CY
407 uint32_t uid_tmp1 = 0;
408 uint32_t uid_tmp2 = 0;
409 iso14a_card_select_t hi14a_card[OPTS];
15c4dc5a 410
15c4dc5a 411 LED(selected + 1, 0);
412
413 for (;;)
414 {
6e82300d 415 usb_poll();
86a83668 416 WDT_HIT();
15c4dc5a 417 SpinDelay(300);
418
c89274cc 419 if (iGotoRecord == 1 || cardRead[selected] == 0)
15c4dc5a 420 {
c89274cc 421 iGotoRecord = 0;
15c4dc5a 422 LEDsoff();
423 LED(selected + 1, 0);
424 LED(LED_RED2, 0);
425
426 // record
86a83668 427 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected);
15c4dc5a 428 /* need this delay to prevent catching some weird data */
429 SpinDelay(500);
86a83668
MHS
430 /* Code for reading from 14a tag */
431 uint8_t uid[10] ={0};
432 uint32_t cuid;
433 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
15c4dc5a 434
86a83668
MHS
435 for ( ; ; )
436 {
437 WDT_HIT();
c89274cc
CY
438 if (BUTTON_PRESS()) {
439 if (cardRead[selected]) {
440 Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
441 break;
442 }
443 else if (cardRead[(selected+1)%OPTS]) {
444 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS);
445 selected = (selected+1)%OPTS;
446 break; // playing = 1;
447 }
448 else {
449 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
450 SpinDelay(300);
451 }
452 }
c04a4b60 453 if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid, true, 0, true))
86a83668
MHS
454 continue;
455 else
456 {
457 Dbprintf("Read UID:"); Dbhexdump(10,uid,0);
458 memcpy(readUID,uid,10*sizeof(uint8_t));
c89274cc 459 uint8_t *dst = (uint8_t *)&uid_tmp1;
86a83668
MHS
460 // Set UID byte order
461 for (int i=0; i<4; i++)
462 dst[i] = uid[3-i];
c89274cc 463 dst = (uint8_t *)&uid_tmp2;
86a83668
MHS
464 for (int i=0; i<4; i++)
465 dst[i] = uid[7-i];
c89274cc
CY
466 if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) {
467 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
468 }
469 else {
470 if (uid_tmp2) {
471 Dbprintf("Bank[%d] received a 7-byte UID",selected);
472 uid_1st[selected] = (uid_tmp1)>>8;
473 uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8);
474 }
475 else {
476 Dbprintf("Bank[%d] received a 4-byte UID",selected);
477 uid_1st[selected] = uid_tmp1;
478 uid_2nd[selected] = uid_tmp2;
479 }
480 break;
481 }
86a83668
MHS
482 }
483 }
c89274cc
CY
484 Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]);
485 Dbprintf("SAK = %02X",hi14a_card[selected].sak);
86a83668
MHS
486 LEDsoff();
487 LED(LED_GREEN, 200);
488 LED(LED_ORANGE, 200);
489 LED(LED_GREEN, 200);
490 LED(LED_ORANGE, 200);
15c4dc5a 491
492 LEDsoff();
493 LED(selected + 1, 0);
15c4dc5a 494
c89274cc
CY
495 // Next state is replay:
496 playing = 1;
3fe4ff4f 497
86a83668 498 cardRead[selected] = 1;
86a83668 499 }
c89274cc
CY
500 /* MF Classic UID clone */
501 else if (iGotoClone==1)
3fe4ff4f 502 {
c89274cc
CY
503 iGotoClone=0;
504 LEDsoff();
505 LED(selected + 1, 0);
506 LED(LED_ORANGE, 250);
3fe4ff4f 507
3fe4ff4f 508
c89274cc
CY
509 // record
510 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]);
3fe4ff4f 511
c89274cc
CY
512 // wait for button to be released
513 while(BUTTON_PRESS())
514 {
515 // Delay cloning until card is in place
516 WDT_HIT();
517 }
518 Dbprintf("Starting clone. [Bank: %u]", selected);
519 // need this delay to prevent catching some weird data
520 SpinDelay(500);
521 // Begin clone function here:
522 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
523 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}};
524 memcpy(c.d.asBytes, data, 16);
525 SendCommand(&c);
526
527 Block read is similar:
528 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}};
529 We need to imitate that call with blockNo 0 to set a uid.
530
531 The get and set commands are handled in this file:
532 // Work with "magic Chinese" card
533 case CMD_MIFARE_CSETBLOCK:
534 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
535 break;
536 case CMD_MIFARE_CGETBLOCK:
537 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
538 break;
539
540 mfCSetUID provides example logic for UID set workflow:
541 -Read block0 from card in field with MifareCGetBlock()
542 -Configure new values without replacing reserved bytes
543 memcpy(block0, uid, 4); // Copy UID bytes from byte array
544 // Mifare UID BCC
545 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
546 Bytes 5-7 are reserved SAK and ATQA for mifare classic
547 -Use mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER) to write it
548 */
549 uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0};
550 // arg0 = Flags == CSETBLOCK_SINGLE_OPER=0x1F, arg1=returnSlot, arg2=blockNo
551 MifareCGetBlock(0x3F, 1, 0, oldBlock0);
552 if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
553 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
554 playing = 1;
555 }
556 else {
557 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]);
558 memcpy(newBlock0,oldBlock0,16);
559 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
560
561 newBlock0[0] = uid_1st[selected]>>24;
562 newBlock0[1] = 0xFF & (uid_1st[selected]>>16);
563 newBlock0[2] = 0xFF & (uid_1st[selected]>>8);
564 newBlock0[3] = 0xFF & (uid_1st[selected]);
565 newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3];
566 // arg0 = needWipe, arg1 = workFlags, arg2 = blockNo, datain
567 MifareCSetBlock(0, 0xFF,0, newBlock0);
568 MifareCGetBlock(0x3F, 1, 0, testBlock0);
569 if (memcmp(testBlock0,newBlock0,16)==0)
570 {
571 DbpString("Cloned successfull!");
572 cardRead[selected] = 0; // Only if the card was cloned successfully should we clear it
3fe4ff4f 573 playing = 0;
c89274cc
CY
574 iGotoRecord = 1;
575 selected = (selected+1) % OPTS;
576 }
577 else {
578 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
579 playing = 1;
580 }
581 }
582 LEDsoff();
583 LED(selected + 1, 0);
15c4dc5a 584
86a83668 585 }
15c4dc5a 586 // Change where to record (or begin playing)
c89274cc 587 else if (playing==1) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
15c4dc5a 588 {
15c4dc5a 589 LEDsoff();
590 LED(selected + 1, 0);
591
592 // Begin transmitting
593 if (playing)
594 {
595 LED(LED_GREEN, 0);
596 DbpString("Playing");
c89274cc
CY
597 for ( ; ; ) {
598 WDT_HIT();
599 int button_action = BUTTON_HELD(1000);
600 if (button_action == 0) { // No button action, proceed with sim
601 uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break
86a83668 602 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected);
c89274cc
CY
603 if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) {
604 DbpString("Mifare Classic");
605 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data); // Mifare Classic
606 }
607 else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) {
608 DbpString("Mifare Ultralight");
609 SimulateIso14443aTag(2,uid_1st[selected],uid_2nd[selected],data); // Mifare Ultralight
610 }
611 else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) {
612 DbpString("Mifare DESFire");
613 SimulateIso14443aTag(3,uid_1st[selected],uid_2nd[selected],data); // Mifare DESFire
614 }
615 else {
616 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
617 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data);
618 }
619 }
620 else if (button_action == BUTTON_SINGLE_CLICK) {
621 selected = (selected + 1) % OPTS;
622 Dbprintf("Done playing. Switching to record mode on bank %d",selected);
623 iGotoRecord = 1;
624 break;
15c4dc5a 625 }
c89274cc
CY
626 else if (button_action == BUTTON_HOLD) {
627 Dbprintf("Playtime over. Begin cloning...");
628 iGotoClone = 1;
629 break;
630 }
631 WDT_HIT();
632 }
15c4dc5a 633
634 /* We pressed a button so ignore it here with a delay */
635 SpinDelay(300);
15c4dc5a 636 LEDsoff();
637 LED(selected + 1, 0);
638 }
639 else
640 while(BUTTON_PRESS())
641 WDT_HIT();
642 }
643 }
644}
86a83668
MHS
645#elif WITH_LF
646// samy's sniff and repeat routine
647void SamyRun()
e46fe044 648{
86a83668
MHS
649 StandAloneMode();
650 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
e46fe044 651
86a83668 652 int high[OPTS], low[OPTS];
15c4dc5a 653 int selected = 0;
654 int playing = 0;
3fe4ff4f 655 int cardRead = 0;
15c4dc5a 656
657 // Turn on selected LED
658 LED(selected + 1, 0);
659
660 for (;;)
661 {
6e82300d 662 usb_poll();
86a83668 663 WDT_HIT();
15c4dc5a 664
665 // Was our button held down or pressed?
666 int button_pressed = BUTTON_HELD(1000);
667 SpinDelay(300);
668
669 // Button was held for a second, begin recording
3fe4ff4f 670 if (button_pressed > 0 && cardRead == 0)
15c4dc5a 671 {
672 LEDsoff();
673 LED(selected + 1, 0);
674 LED(LED_RED2, 0);
675
676 // record
677 DbpString("Starting recording");
678
679 // wait for button to be released
680 while(BUTTON_PRESS())
681 WDT_HIT();
682
683 /* need this delay to prevent catching some weird data */
684 SpinDelay(500);
685
686 CmdHIDdemodFSK(1, &high[selected], &low[selected], 0);
098015eb 687 Dbprintf("Recorded %x %x%08x", selected, high[selected], low[selected]);
15c4dc5a 688
689 LEDsoff();
690 LED(selected + 1, 0);
691 // Finished recording
692
693 // If we were previously playing, set playing off
694 // so next button push begins playing what we recorded
695 playing = 0;
3fe4ff4f 696
697 cardRead = 1;
698
699 }
700
701 else if (button_pressed > 0 && cardRead == 1)
702 {
703 LEDsoff();
704 LED(selected + 1, 0);
705 LED(LED_ORANGE, 0);
706
707 // record
098015eb 708 Dbprintf("Cloning %x %x%08x", selected, high[selected], low[selected]);
3fe4ff4f 709
710 // wait for button to be released
711 while(BUTTON_PRESS())
712 WDT_HIT();
713
714 /* need this delay to prevent catching some weird data */
715 SpinDelay(500);
716
098015eb 717 CopyHIDtoT55x7(0, high[selected], low[selected], 0);
718 Dbprintf("Cloned %x %x%08x", selected, high[selected], low[selected]);
3fe4ff4f 719
720 LEDsoff();
721 LED(selected + 1, 0);
722 // Finished recording
723
724 // If we were previously playing, set playing off
725 // so next button push begins playing what we recorded
726 playing = 0;
727
728 cardRead = 0;
729
15c4dc5a 730 }
731
732 // Change where to record (or begin playing)
733 else if (button_pressed)
734 {
735 // Next option if we were previously playing
736 if (playing)
737 selected = (selected + 1) % OPTS;
738 playing = !playing;
739
740 LEDsoff();
741 LED(selected + 1, 0);
742
743 // Begin transmitting
744 if (playing)
745 {
746 LED(LED_GREEN, 0);
747 DbpString("Playing");
748 // wait for button to be released
749 while(BUTTON_PRESS())
750 WDT_HIT();
098015eb 751 Dbprintf("%x %x%08x", selected, high[selected], low[selected]);
15c4dc5a 752 CmdHIDsimTAG(high[selected], low[selected], 0);
753 DbpString("Done playing");
754 if (BUTTON_HELD(1000) > 0)
755 {
756 DbpString("Exiting");
757 LEDsoff();
758 return;
759 }
760
761 /* We pressed a button so ignore it here with a delay */
762 SpinDelay(300);
763
764 // when done, we're done playing, move to next option
765 selected = (selected + 1) % OPTS;
766 playing = !playing;
767 LEDsoff();
768 LED(selected + 1, 0);
769 }
770 else
771 while(BUTTON_PRESS())
772 WDT_HIT();
773 }
774 }
775}
15c4dc5a 776
e46fe044 777#endif
15c4dc5a 778/*
779OBJECTIVE
780Listen and detect an external reader. Determine the best location
781for the antenna.
782
783INSTRUCTIONS:
784Inside the ListenReaderField() function, there is two mode.
785By default, when you call the function, you will enter mode 1.
786If you press the PM3 button one time, you will enter mode 2.
787If you press the PM3 button a second time, you will exit the function.
788
789DESCRIPTION OF MODE 1:
790This mode just listens for an external reader field and lights up green
791for HF and/or red for LF. This is the original mode of the detectreader
792function.
793
794DESCRIPTION OF MODE 2:
795This mode will visually represent, using the LEDs, the actual strength of the
796current compared to the maximum current detected. Basically, once you know
797what kind of external reader is present, it will help you spot the best location to place
798your antenna. You will probably not get some good results if there is a LF and a HF reader
799at the same place! :-)
800
801LIGHT SCHEME USED:
802*/
803static const char LIGHT_SCHEME[] = {
804 0x0, /* ---- | No field detected */
805 0x1, /* X--- | 14% of maximum current detected */
806 0x2, /* -X-- | 29% of maximum current detected */
807 0x4, /* --X- | 43% of maximum current detected */
808 0x8, /* ---X | 57% of maximum current detected */
809 0xC, /* --XX | 71% of maximum current detected */
810 0xE, /* -XXX | 86% of maximum current detected */
811 0xF, /* XXXX | 100% of maximum current detected */
812};
813static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
814
815void ListenReaderField(int limit)
816{
3b692427 817 int lf_av, lf_av_new, lf_baseline= 0, lf_max;
818 int hf_av, hf_av_new, hf_baseline= 0, hf_max;
15c4dc5a 819 int mode=1, display_val, display_max, i;
820
3b692427 821#define LF_ONLY 1
822#define HF_ONLY 2
823#define REPORT_CHANGE 10 // report new values only if they have changed at least by REPORT_CHANGE
824
825
826 // switch off FPGA - we don't want to measure our own signal
827 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
828 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
15c4dc5a 829
830 LEDsoff();
831
3b692427 832 lf_av = lf_max = AvgAdc(ADC_CHAN_LF);
15c4dc5a 833
834 if(limit != HF_ONLY) {
3b692427 835 Dbprintf("LF 125/134kHz Baseline: %dmV", (MAX_ADC_LF_VOLTAGE * lf_av) >> 10);
15c4dc5a 836 lf_baseline = lf_av;
837 }
838
3b692427 839 hf_av = hf_max = AvgAdc(ADC_CHAN_HF);
15c4dc5a 840
841 if (limit != LF_ONLY) {
3b692427 842 Dbprintf("HF 13.56MHz Baseline: %dmV", (MAX_ADC_HF_VOLTAGE * hf_av) >> 10);
15c4dc5a 843 hf_baseline = hf_av;
844 }
845
846 for(;;) {
847 if (BUTTON_PRESS()) {
848 SpinDelay(500);
849 switch (mode) {
850 case 1:
851 mode=2;
852 DbpString("Signal Strength Mode");
853 break;
854 case 2:
855 default:
856 DbpString("Stopped");
857 LEDsoff();
858 return;
859 break;
860 }
861 }
862 WDT_HIT();
863
864 if (limit != HF_ONLY) {
3b692427 865 if(mode == 1) {
cf194819 866 if (ABS(lf_av - lf_baseline) > REPORT_CHANGE)
3b692427 867 LED_D_ON();
868 else
869 LED_D_OFF();
15c4dc5a 870 }
e30c654b 871
3b692427 872 lf_av_new = AvgAdc(ADC_CHAN_LF);
15c4dc5a 873 // see if there's a significant change
cf194819 874 if(ABS(lf_av - lf_av_new) > REPORT_CHANGE) {
3b692427 875 Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE * lf_av_new) >> 10);
15c4dc5a 876 lf_av = lf_av_new;
877 if (lf_av > lf_max)
878 lf_max = lf_av;
15c4dc5a 879 }
880 }
881
882 if (limit != LF_ONLY) {
883 if (mode == 1){
cf194819 884 if (ABS(hf_av - hf_baseline) > REPORT_CHANGE)
3b692427 885 LED_B_ON();
886 else
887 LED_B_OFF();
15c4dc5a 888 }
e30c654b 889
3b692427 890 hf_av_new = AvgAdc(ADC_CHAN_HF);
15c4dc5a 891 // see if there's a significant change
cf194819 892 if(ABS(hf_av - hf_av_new) > REPORT_CHANGE) {
3b692427 893 Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE * hf_av_new) >> 10);
15c4dc5a 894 hf_av = hf_av_new;
895 if (hf_av > hf_max)
896 hf_max = hf_av;
15c4dc5a 897 }
898 }
e30c654b 899
15c4dc5a 900 if(mode == 2) {
901 if (limit == LF_ONLY) {
902 display_val = lf_av;
903 display_max = lf_max;
904 } else if (limit == HF_ONLY) {
905 display_val = hf_av;
906 display_max = hf_max;
907 } else { /* Pick one at random */
908 if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
909 display_val = hf_av;
910 display_max = hf_max;
911 } else {
912 display_val = lf_av;
913 display_max = lf_max;
914 }
915 }
916 for (i=0; i<LIGHT_LEN; i++) {
917 if (display_val >= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) {
918 if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF();
919 if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF();
920 if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF();
921 if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF();
922 break;
923 }
924 }
925 }
926 }
927}
928
f7e3ed82 929void UsbPacketReceived(uint8_t *packet, int len)
15c4dc5a 930{
931 UsbCommand *c = (UsbCommand *)packet;
15c4dc5a 932
902cb3c0 933// Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
934
15c4dc5a 935 switch(c->cmd) {
936#ifdef WITH_LF
31abe49f
MHS
937 case CMD_SET_LF_SAMPLING_CONFIG:
938 setSamplingConfig((sample_config *) c->d.asBytes);
939 break;
15c4dc5a 940 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
b9957414 941 cmd_send(CMD_ACK,SampleLF(c->arg[0], c->arg[1]),0,0,0,0);
15c4dc5a 942 break;
15c4dc5a 943 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
944 ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
945 break;
b014c96d 946 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
31abe49f 947 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
b014c96d 948 break;
7e67e42f 949 case CMD_HID_DEMOD_FSK:
3fe4ff4f 950 CmdHIDdemodFSK(c->arg[0], 0, 0, 1);
7e67e42f 951 break;
952 case CMD_HID_SIM_TAG:
3fe4ff4f 953 CmdHIDsimTAG(c->arg[0], c->arg[1], 1);
7e67e42f 954 break;
abd6112f 955 case CMD_FSK_SIM_TAG:
956 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
957 break;
958 case CMD_ASK_SIM_TAG:
959 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
960 break;
872e3d4d 961 case CMD_PSK_SIM_TAG:
962 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
963 break;
964 case CMD_HID_CLONE_TAG:
1c611bbd 965 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
7e67e42f 966 break;
a1f3bb12 967 case CMD_IO_DEMOD_FSK:
3fe4ff4f 968 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
a1f3bb12 969 break;
3fe4ff4f 970 case CMD_IO_CLONE_TAG:
9f669cb2 971 CopyIOtoT55x7(c->arg[0], c->arg[1]);
a1f3bb12 972 break;
66707a3b 973 case CMD_EM410X_DEMOD:
974 CmdEM410xdemod(c->arg[0], 0, 0, 1);
975 break;
2d4eae76 976 case CMD_EM410X_WRITE_TAG:
977 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
978 break;
7e67e42f 979 case CMD_READ_TI_TYPE:
980 ReadTItag();
981 break;
982 case CMD_WRITE_TI_TYPE:
983 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
984 break;
985 case CMD_SIMULATE_TAG_125K:
31d1caa5 986 LED_A_ON();
7e67e42f 987 SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
31d1caa5 988 LED_A_OFF();
7e67e42f 989 break;
990 case CMD_LF_SIMULATE_BIDIR:
991 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
992 break;
3fe4ff4f 993 case CMD_INDALA_CLONE_TAG:
2414f978 994 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
995 break;
3fe4ff4f 996 case CMD_INDALA_CLONE_TAG_L:
2414f978 997 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
998 break;
1c611bbd 999 case CMD_T55XX_READ_BLOCK:
8e99ec25 1000 T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
1c611bbd 1001 break;
1002 case CMD_T55XX_WRITE_BLOCK:
1003 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
1004 break;
be2d41b7 1005 case CMD_T55XX_WAKEUP:
1006 T55xxWakeUp(c->arg[0]);
1c611bbd 1007 break;
66837a03 1008 case CMD_T55XX_RESET_READ:
1009 T55xxResetRead();
1010 break;
3fe4ff4f 1011 case CMD_PCF7931_READ:
1c611bbd 1012 ReadPCF7931();
1c611bbd 1013 break;
dc4300ba 1014 case CMD_PCF7931_WRITE:
d10e08ae 1015 WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
dc4300ba 1016 break;
1c611bbd 1017 case CMD_EM4X_READ_WORD:
7666f460 1018 EM4xReadWord(c->arg[0], c->arg[1],c->arg[2]);
1c611bbd 1019 break;
1020 case CMD_EM4X_WRITE_WORD:
7666f460 1021 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]);
1c611bbd 1022 break;
dbf6e824
CY
1023 case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
1024 CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
7cfc777b 1025 break;
709665b5 1026 case CMD_VIKING_CLONE_TAG:
1027 CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
1028 break;
e04475c4 1029 case CMD_COTAG:
1030 Cotag(c->arg[0]);
1031 break;
15c4dc5a 1032#endif
1033
d19929cb 1034#ifdef WITH_HITAG
1035 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
1036 SnoopHitag(c->arg[0]);
1037 break;
1038 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
1039 SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1040 break;
1041 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
1042 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1043 break;
4e12287d
RS
1044 case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content
1045 SimulateHitagSTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1046 break;
1047 case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file
1048 check_challenges((bool)c->arg[0],(byte_t*)c->d.asBytes);
1049 break;
1050 case CMD_READ_HITAG_S://Reader for only Hitag S tags, args = key or challenge
1051 ReadHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1052 break;
1053 case CMD_WR_HITAG_S://writer for Hitag tags args=data to write,page and key or challenge
52244230
HJ
1054 if ((hitag_function)c->arg[0] < 10) {
1055 WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]);
1056 }
1057 else if ((hitag_function)c->arg[0] >= 10) {
1058 WriterHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes, c->arg[2]);
1059 }
4e12287d 1060 break;
d19929cb 1061#endif
f168b263 1062
15c4dc5a 1063#ifdef WITH_ISO15693
1064 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
1065 AcquireRawAdcSamplesIso15693();
1066 break;
9455b51c 1067 case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693:
1068 RecordRawAdcSamplesIso15693();
1069 break;
1070
1071 case CMD_ISO_15693_COMMAND:
1072 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1073 break;
1074
1075 case CMD_ISO_15693_FIND_AFI:
1076 BruteforceIso15693Afi(c->arg[0]);
1077 break;
1078
1079 case CMD_ISO_15693_DEBUG:
1080 SetDebugIso15693(c->arg[0]);
1081 break;
15c4dc5a 1082
15c4dc5a 1083 case CMD_READER_ISO_15693:
1084 ReaderIso15693(c->arg[0]);
1085 break;
7e67e42f 1086 case CMD_SIMTAG_ISO_15693:
3fe4ff4f 1087 SimTagIso15693(c->arg[0], c->d.asBytes);
7e67e42f 1088 break;
15c4dc5a 1089#endif
1090
7e67e42f 1091#ifdef WITH_LEGICRF
1092 case CMD_SIMULATE_TAG_LEGIC_RF:
1093 LegicRfSimulate(c->arg[0], c->arg[1], c->arg[2]);
1094 break;
3612a8a8 1095
7e67e42f 1096 case CMD_WRITER_LEGIC_RF:
1097 LegicRfWriter(c->arg[1], c->arg[0]);
1098 break;
3612a8a8 1099
15c4dc5a 1100 case CMD_READER_LEGIC_RF:
1101 LegicRfReader(c->arg[0], c->arg[1]);
1102 break;
15c4dc5a 1103#endif
1104
1105#ifdef WITH_ISO14443b
15c4dc5a 1106 case CMD_READ_SRI512_TAG:
51d4f6f1 1107 ReadSTMemoryIso14443b(0x0F);
15c4dc5a 1108 break;
7e67e42f 1109 case CMD_READ_SRIX4K_TAG:
51d4f6f1 1110 ReadSTMemoryIso14443b(0x7F);
7e67e42f 1111 break;
132a0217 1112 case CMD_SNOOP_ISO_14443B:
51d4f6f1 1113 SnoopIso14443b();
7e67e42f 1114 break;
132a0217 1115 case CMD_SIMULATE_TAG_ISO_14443B:
51d4f6f1 1116 SimulateIso14443bTag();
7e67e42f 1117 break;
7cf3ef20 1118 case CMD_ISO_14443B_COMMAND:
1119 SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1120 break;
15c4dc5a 1121#endif
1122
1123#ifdef WITH_ISO14443a
7e67e42f 1124 case CMD_SNOOP_ISO_14443a:
5cd9ec01 1125 SnoopIso14443a(c->arg[0]);
7e67e42f 1126 break;
15c4dc5a 1127 case CMD_READER_ISO_14443a:
902cb3c0 1128 ReaderIso14443a(c);
15c4dc5a 1129 break;
7e67e42f 1130 case CMD_SIMULATE_TAG_ISO_14443a:
28afbd2b 1131 SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
7e67e42f 1132 break;
3fe4ff4f 1133
5acd09bd 1134 case CMD_EPA_PACE_COLLECT_NONCE:
902cb3c0 1135 EPA_PACE_Collect_Nonce(c);
5acd09bd 1136 break;
3bb07d96
FM
1137 case CMD_EPA_PACE_REPLAY:
1138 EPA_PACE_Replay(c);
1139 break;
7e67e42f 1140
15c4dc5a 1141 case CMD_READER_MIFARE:
f168b263 1142 ReaderMifare(c->arg[0]);
15c4dc5a 1143 break;
20f9a2a1
M
1144 case CMD_MIFARE_READBL:
1145 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1146 break;
981bd429 1147 case CMD_MIFAREU_READBL:
f168b263 1148 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
981bd429 1149 break;
8258f409 1150 case CMD_MIFAREUC_AUTH:
1151 MifareUC_Auth(c->arg[0],c->d.asBytes);
a631936e 1152 break;
981bd429 1153 case CMD_MIFAREU_READCARD:
75377d29 1154 MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
117d9ec2 1155 break;
f168b263 1156 case CMD_MIFAREUC_SETPWD:
1157 MifareUSetPwd(c->arg[0], c->d.asBytes);
1158 break;
20f9a2a1
M
1159 case CMD_MIFARE_READSC:
1160 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1161 break;
1162 case CMD_MIFARE_WRITEBL:
1163 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1164 break;
4973f23d 1165 //case CMD_MIFAREU_WRITEBL_COMPAT:
1166 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1167 //break;
981bd429 1168 case CMD_MIFAREU_WRITEBL:
4973f23d 1169 MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
f168b263 1170 break;
c48c4d78 1171 case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES:
1172 MifareAcquireEncryptedNonces(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1173 break;
20f9a2a1
M
1174 case CMD_MIFARE_NESTED:
1175 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
f397b5cc
M
1176 break;
1177 case CMD_MIFARE_CHKKEYS:
1178 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
20f9a2a1
M
1179 break;
1180 case CMD_SIMULATE_MIFARE_CARD:
1181 Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1182 break;
8556b852
M
1183
1184 // emulator
1185 case CMD_MIFARE_SET_DBGMODE:
1186 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1187 break;
1188 case CMD_MIFARE_EML_MEMCLR:
1189 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1190 break;
1191 case CMD_MIFARE_EML_MEMSET:
1192 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1193 break;
1194 case CMD_MIFARE_EML_MEMGET:
1195 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1196 break;
1197 case CMD_MIFARE_EML_CARDLOAD:
1198 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
0675f200
M
1199 break;
1200
1201 // Work with "magic Chinese" card
3a05a1e7
OM
1202 case CMD_MIFARE_CWIPE:
1203 MifareCWipe(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1204 break;
3fe4ff4f 1205 case CMD_MIFARE_CSETBLOCK:
0675f200 1206 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
545a1f38 1207 break;
3fe4ff4f 1208 case CMD_MIFARE_CGETBLOCK:
545a1f38 1209 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
8556b852 1210 break;
3fe4ff4f 1211 case CMD_MIFARE_CIDENT:
1212 MifareCIdent();
1213 break;
b62a5a84
M
1214
1215 // mifare sniffer
1216 case CMD_MIFARE_SNIFFER:
5cd9ec01 1217 SniffMifare(c->arg[0]);
b62a5a84 1218 break;
a631936e 1219
20f9a2a1
M
1220#endif
1221
7e67e42f 1222#ifdef WITH_ICLASS
cee5a30d 1223 // Makes use of ISO14443a FPGA Firmware
1224 case CMD_SNOOP_ICLASS:
1225 SnoopIClass();
1226 break;
1e262141 1227 case CMD_SIMULATE_TAG_ICLASS:
ff7bb4ef 1228 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1e262141 1229 break;
1230 case CMD_READER_ICLASS:
1231 ReaderIClass(c->arg[0]);
1232 break;
c3963755 1233 case CMD_READER_ICLASS_REPLAY:
aa53efc3 1234 ReaderIClass_Replay(c->arg[0], c->d.asBytes);
c3963755 1235 break;
aa53efc3 1236 case CMD_ICLASS_EML_MEMSET:
e80aeb96
MHS
1237 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
1238 break;
aa53efc3 1239 case CMD_ICLASS_WRITEBLOCK:
3ac22ee1 1240 iClass_WriteBlock(c->arg[0], c->d.asBytes);
1241 break;
1242 case CMD_ICLASS_READCHECK: // auth step 1
1243 iClass_ReadCheck(c->arg[0], c->arg[1]);
aa53efc3 1244 break;
1245 case CMD_ICLASS_READBLOCK:
3ac22ee1 1246 iClass_ReadBlk(c->arg[0]);
aa53efc3 1247 break;
3ac22ee1 1248 case CMD_ICLASS_AUTHENTICATION: //check
aa53efc3 1249 iClass_Authentication(c->d.asBytes);
1250 break;
1251 case CMD_ICLASS_DUMP:
3ac22ee1 1252 iClass_Dump(c->arg[0], c->arg[1]);
aa53efc3 1253 break;
1254 case CMD_ICLASS_CLONE:
3ac22ee1 1255 iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
aa53efc3 1256 break;
cee5a30d 1257#endif
0472d76d 1258#ifdef WITH_HFSNOOP
1259 case CMD_HF_SNIFFER:
1260 HfSnoop(c->arg[0], c->arg[1]);
1261 break;
1262#endif
cee5a30d 1263
7e67e42f 1264 case CMD_BUFF_CLEAR:
117d9ec2 1265 BigBuf_Clear();
15c4dc5a 1266 break;
15c4dc5a 1267
1268 case CMD_MEASURE_ANTENNA_TUNING:
fdcfbdcc 1269 MeasureAntennaTuning(c->arg[0]);
15c4dc5a 1270 break;
1271
1272 case CMD_MEASURE_ANTENNA_TUNING_HF:
1273 MeasureAntennaTuningHf();
1274 break;
1275
1276 case CMD_LISTEN_READER_FIELD:
1277 ListenReaderField(c->arg[0]);
1278 break;
1279
15c4dc5a 1280 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
1281 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1282 SpinDelay(200);
1283 LED_D_OFF(); // LED D indicates field ON or OFF
1284 break;
1285
1c611bbd 1286 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K:
902cb3c0 1287
1c611bbd 1288 LED_B_ON();
117d9ec2 1289 uint8_t *BigBuf = BigBuf_get_addr();
1c611bbd 1290 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
1291 size_t len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
3000dc4e 1292 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
1c611bbd 1293 }
1294 // Trigger a finish downloading signal with an ACK frame
3000dc4e 1295 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
d3b1f4e4 1296 LED_B_OFF();
1c611bbd 1297 break;
15c4dc5a 1298
1299 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
8c8317a5 1300 // iceman; since changing fpga_bitstreams clears bigbuff, Its better to call it before.
1301 // to be able to use this one for uploading data to device
1302 // arg1 = 0 upload for LF usage
1303 // 1 upload for HF usage
1304 if (c->arg[1] == 0)
1305 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1306 else
1307 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1308
117d9ec2 1309 uint8_t *b = BigBuf_get_addr();
3fe4ff4f 1310 memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1c611bbd 1311 cmd_send(CMD_ACK,0,0,0,0,0);
1312 break;
1313 }
15c4dc5a 1314 case CMD_READ_MEM:
1315 ReadMem(c->arg[0]);
1316 break;
1317
1318 case CMD_SET_LF_DIVISOR:
8c8317a5 1319 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
15c4dc5a 1320 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
1321 break;
1322
1323 case CMD_SET_ADC_MUX:
1324 switch(c->arg[0]) {
1325 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1326 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1327 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1328 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1329 }
1330 break;
1331
1332 case CMD_VERSION:
1333 SendVersion();
1334 break;
c89274cc 1335 case CMD_STATUS:
67b7d6fa 1336 SendStatus();
c89274cc
CY
1337 break;
1338 case CMD_PING:
1339 cmd_send(CMD_ACK,0,0,0,0,0);
1340 break;
15c4dc5a 1341#ifdef WITH_LCD
1342 case CMD_LCD_RESET:
1343 LCDReset();
1344 break;
1345 case CMD_LCD:
1346 LCDSend(c->arg[0]);
1347 break;
1348#endif
1349 case CMD_SETUP_WRITE:
1350 case CMD_FINISH_WRITE:
1c611bbd 1351 case CMD_HARDWARE_RESET:
1352 usb_disable();
15c4dc5a 1353 SpinDelay(1000);
1354 SpinDelay(1000);
1355 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1356 for(;;) {
1357 // We're going to reset, and the bootrom will take control.
1358 }
1c611bbd 1359 break;
15c4dc5a 1360
1c611bbd 1361 case CMD_START_FLASH:
15c4dc5a 1362 if(common_area.flags.bootrom_present) {
1363 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1364 }
1c611bbd 1365 usb_disable();
15c4dc5a 1366 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1367 for(;;);
1c611bbd 1368 break;
e30c654b 1369
15c4dc5a 1370 case CMD_DEVICE_INFO: {
902cb3c0 1371 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1372 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1c611bbd 1373 cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1374 break;
1375 }
1376 default:
15c4dc5a 1377 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1c611bbd 1378 break;
15c4dc5a 1379 }
1380}
1381
1382void __attribute__((noreturn)) AppMain(void)
1383{
1384 SpinDelay(100);
9e8255d4 1385 clear_trace();
15c4dc5a 1386 if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
1387 /* Initialize common area */
1388 memset(&common_area, 0, sizeof(common_area));
1389 common_area.magic = COMMON_AREA_MAGIC;
1390 common_area.version = 1;
1391 }
1392 common_area.flags.osimage_present = 1;
1393
1394 LED_D_OFF();
1395 LED_C_OFF();
1396 LED_B_OFF();
1397 LED_A_OFF();
1398
3fe4ff4f 1399 // Init USB device
902cb3c0 1400 usb_enable();
15c4dc5a 1401
1402 // The FPGA gets its clock from us from PCK0 output, so set that up.
1403 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
1404 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
1405 AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
1406 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1407 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
0472d76d 1408 AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
15c4dc5a 1409 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
1410
1411 // Reset SPI
1412 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
1413 // Reset SSC
1414 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
1415
1416 // Load the FPGA image, which we have stored in our flash.
7cc204bf 1417 // (the HF version by default)
1418 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
15c4dc5a 1419
9ca155ba 1420 StartTickCount();
902cb3c0 1421
15c4dc5a 1422#ifdef WITH_LCD
15c4dc5a 1423 LCDInit();
15c4dc5a 1424#endif
1425
902cb3c0 1426 byte_t rx[sizeof(UsbCommand)];
1427 size_t rx_len;
1428
15c4dc5a 1429 for(;;) {
902cb3c0 1430 if (usb_poll()) {
1431 rx_len = usb_read(rx,sizeof(UsbCommand));
1432 if (rx_len) {
1433 UsbPacketReceived(rx,rx_len);
1434 }
1435 }
15c4dc5a 1436 WDT_HIT();
1437
1438#ifdef WITH_LF
e46fe044 1439#ifndef WITH_ISO14443a_StandAlone
15c4dc5a 1440 if (BUTTON_HELD(1000) > 0)
1441 SamyRun();
e46fe044
CY
1442#endif
1443#endif
1444#ifdef WITH_ISO14443a
1445#ifdef WITH_ISO14443a_StandAlone
1446 if (BUTTON_HELD(1000) > 0)
1447 StandAloneMode14a();
1448#endif
15c4dc5a 1449#endif
1450 }
1451}
Impressum, Datenschutz