]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iclass.c
Merge pull request #22 from Proxmark/PenturaLabs-iclass-research
[proxmark3-svn] / armsrc / iclass.c
CommitLineData
cee5a30d 1//-----------------------------------------------------------------------------
2// Gerhard de Koning Gans - May 2008
3// Hagen Fritsch - June 2010
4// Gerhard de Koning Gans - May 2011
1e262141 5// Gerhard de Koning Gans - June 2012 - Added iClass card and reader emulation
cee5a30d 6//
7// This code is licensed to you under the terms of the GNU GPL, version 2 or,
8// at your option, any later version. See the LICENSE.txt file for the text of
9// the license.
10//-----------------------------------------------------------------------------
11// Routines to support iClass.
12//-----------------------------------------------------------------------------
13// Based on ISO14443a implementation. Still in experimental phase.
14// Contribution made during a security research at Radboud University Nijmegen
15//
16// Please feel free to contribute and extend iClass support!!
17//-----------------------------------------------------------------------------
18//
cee5a30d 19// FIX:
20// ====
21// We still have sometimes a demodulation error when snooping iClass communication.
22// The resulting trace of a read-block-03 command may look something like this:
23//
24// + 22279: : 0c 03 e8 01
25//
26// ...with an incorrect answer...
27//
28// + 85: 0: TAG ff! ff! ff! ff! ff! ff! ff! ff! bb 33 bb 00 01! 0e! 04! bb !crc
29//
30// We still left the error signalling bytes in the traces like 0xbb
31//
32// A correct trace should look like this:
33//
34// + 21112: : 0c 03 e8 01
35// + 85: 0: TAG ff ff ff ff ff ff ff ff ea f5
36//
37//-----------------------------------------------------------------------------
38
39#include "proxmark3.h"
40#include "apps.h"
41#include "util.h"
42#include "string.h"
7e67e42f 43#include "common.h"
fecd8202 44#include "cmd.h"
1e262141 45// Needed for CRC in emulation mode;
46// same construction as in ISO 14443;
47// different initial value (CRC_ICLASS)
48#include "iso14443crc.h"
c3963755 49#include "iso15693tools.h"
cee5a30d 50
1e262141 51static int timeout = 4096;
cee5a30d 52
cee5a30d 53
1e262141 54static int SendIClassAnswer(uint8_t *resp, int respLen, int delay);
cee5a30d 55
56//-----------------------------------------------------------------------------
57// The software UART that receives commands from the reader, and its state
58// variables.
59//-----------------------------------------------------------------------------
60static struct {
61 enum {
62 STATE_UNSYNCD,
63 STATE_START_OF_COMMUNICATION,
64 STATE_RECEIVING
65 } state;
66 uint16_t shiftReg;
67 int bitCnt;
68 int byteCnt;
69 int byteCntMax;
70 int posCnt;
71 int nOutOfCnt;
72 int OutOfCnt;
73 int syncBit;
1e262141 74 int parityBits;
75 int samples;
cee5a30d 76 int highCnt;
77 int swapper;
78 int counter;
79 int bitBuffer;
80 int dropPosition;
81 uint8_t *output;
82} Uart;
83
1e262141 84static RAMFUNC int OutOfNDecoding(int bit)
cee5a30d 85{
9f693930 86 //int error = 0;
cee5a30d 87 int bitright;
88
89 if(!Uart.bitBuffer) {
90 Uart.bitBuffer = bit ^ 0xFF0;
91 return FALSE;
92 }
93 else {
94 Uart.bitBuffer <<= 4;
95 Uart.bitBuffer ^= bit;
96 }
97
98 /*if(Uart.swapper) {
99 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
100 Uart.byteCnt++;
101 Uart.swapper = 0;
102 if(Uart.byteCnt > 15) { return TRUE; }
103 }
104 else {
105 Uart.swapper = 1;
106 }*/
107
108 if(Uart.state != STATE_UNSYNCD) {
109 Uart.posCnt++;
110
111 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
112 bit = 0x00;
113 }
114 else {
115 bit = 0x01;
116 }
117 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
118 bitright = 0x00;
119 }
120 else {
121 bitright = 0x01;
122 }
123 if(bit != bitright) { bit = bitright; }
124
125
126 // So, now we only have to deal with *bit*, lets see...
127 if(Uart.posCnt == 1) {
128 // measurement first half bitperiod
129 if(!bit) {
130 // Drop in first half means that we are either seeing
131 // an SOF or an EOF.
132
133 if(Uart.nOutOfCnt == 1) {
134 // End of Communication
135 Uart.state = STATE_UNSYNCD;
136 Uart.highCnt = 0;
137 if(Uart.byteCnt == 0) {
138 // Its not straightforward to show single EOFs
139 // So just leave it and do not return TRUE
140 Uart.output[Uart.byteCnt] = 0xf0;
141 Uart.byteCnt++;
142
143 // Calculate the parity bit for the client...
144 Uart.parityBits = 1;
145 }
146 else {
147 return TRUE;
148 }
149 }
150 else if(Uart.state != STATE_START_OF_COMMUNICATION) {
151 // When not part of SOF or EOF, it is an error
152 Uart.state = STATE_UNSYNCD;
153 Uart.highCnt = 0;
9f693930 154 //error = 4;
cee5a30d 155 }
156 }
157 }
158 else {
159 // measurement second half bitperiod
160 // Count the bitslot we are in... (ISO 15693)
161 Uart.nOutOfCnt++;
162
163 if(!bit) {
164 if(Uart.dropPosition) {
165 if(Uart.state == STATE_START_OF_COMMUNICATION) {
9f693930 166 //error = 1;
cee5a30d 167 }
168 else {
9f693930 169 //error = 7;
cee5a30d 170 }
171 // It is an error if we already have seen a drop in current frame
172 Uart.state = STATE_UNSYNCD;
173 Uart.highCnt = 0;
174 }
175 else {
176 Uart.dropPosition = Uart.nOutOfCnt;
177 }
178 }
179
180 Uart.posCnt = 0;
181
182
183 if(Uart.nOutOfCnt == Uart.OutOfCnt && Uart.OutOfCnt == 4) {
184 Uart.nOutOfCnt = 0;
185
186 if(Uart.state == STATE_START_OF_COMMUNICATION) {
187 if(Uart.dropPosition == 4) {
188 Uart.state = STATE_RECEIVING;
189 Uart.OutOfCnt = 256;
190 }
191 else if(Uart.dropPosition == 3) {
192 Uart.state = STATE_RECEIVING;
193 Uart.OutOfCnt = 4;
194 //Uart.output[Uart.byteCnt] = 0xdd;
195 //Uart.byteCnt++;
196 }
197 else {
198 Uart.state = STATE_UNSYNCD;
199 Uart.highCnt = 0;
200 }
201 Uart.dropPosition = 0;
202 }
203 else {
204 // RECEIVING DATA
205 // 1 out of 4
206 if(!Uart.dropPosition) {
207 Uart.state = STATE_UNSYNCD;
208 Uart.highCnt = 0;
9f693930 209 //error = 9;
cee5a30d 210 }
211 else {
212 Uart.shiftReg >>= 2;
213
214 // Swap bit order
215 Uart.dropPosition--;
216 //if(Uart.dropPosition == 1) { Uart.dropPosition = 2; }
217 //else if(Uart.dropPosition == 2) { Uart.dropPosition = 1; }
218
219 Uart.shiftReg ^= ((Uart.dropPosition & 0x03) << 6);
220 Uart.bitCnt += 2;
221 Uart.dropPosition = 0;
222
223 if(Uart.bitCnt == 8) {
224 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
225 Uart.byteCnt++;
226
227 // Calculate the parity bit for the client...
228 Uart.parityBits <<= 1;
229 Uart.parityBits ^= OddByteParity[(Uart.shiftReg & 0xff)];
230
231 Uart.bitCnt = 0;
232 Uart.shiftReg = 0;
233 }
234 }
235 }
236 }
237 else if(Uart.nOutOfCnt == Uart.OutOfCnt) {
238 // RECEIVING DATA
239 // 1 out of 256
240 if(!Uart.dropPosition) {
241 Uart.state = STATE_UNSYNCD;
242 Uart.highCnt = 0;
9f693930 243 //error = 3;
cee5a30d 244 }
245 else {
246 Uart.dropPosition--;
247 Uart.output[Uart.byteCnt] = (Uart.dropPosition & 0xff);
248 Uart.byteCnt++;
249
250 // Calculate the parity bit for the client...
251 Uart.parityBits <<= 1;
252 Uart.parityBits ^= OddByteParity[(Uart.dropPosition & 0xff)];
253
254 Uart.bitCnt = 0;
255 Uart.shiftReg = 0;
256 Uart.nOutOfCnt = 0;
257 Uart.dropPosition = 0;
258 }
259 }
260
261 /*if(error) {
262 Uart.output[Uart.byteCnt] = 0xAA;
263 Uart.byteCnt++;
264 Uart.output[Uart.byteCnt] = error & 0xFF;
265 Uart.byteCnt++;
266 Uart.output[Uart.byteCnt] = 0xAA;
267 Uart.byteCnt++;
268 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
269 Uart.byteCnt++;
270 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
271 Uart.byteCnt++;
272 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
273 Uart.byteCnt++;
274 Uart.output[Uart.byteCnt] = 0xAA;
275 Uart.byteCnt++;
276 return TRUE;
277 }*/
278 }
279
280 }
281 else {
282 bit = Uart.bitBuffer & 0xf0;
283 bit >>= 4;
284 bit ^= 0x0F; // drops become 1s ;-)
285 if(bit) {
286 // should have been high or at least (4 * 128) / fc
287 // according to ISO this should be at least (9 * 128 + 20) / fc
288 if(Uart.highCnt == 8) {
289 // we went low, so this could be start of communication
290 // it turns out to be safer to choose a less significant
291 // syncbit... so we check whether the neighbour also represents the drop
292 Uart.posCnt = 1; // apparently we are busy with our first half bit period
293 Uart.syncBit = bit & 8;
294 Uart.samples = 3;
295 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
296 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
297 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
298 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
299 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
300 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
301 Uart.syncBit = 8;
302
303 // the first half bit period is expected in next sample
304 Uart.posCnt = 0;
305 Uart.samples = 3;
306 }
307 }
308 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
309
310 Uart.syncBit <<= 4;
311 Uart.state = STATE_START_OF_COMMUNICATION;
312 Uart.bitCnt = 0;
313 Uart.byteCnt = 0;
314 Uart.parityBits = 0;
315 Uart.nOutOfCnt = 0;
316 Uart.OutOfCnt = 4; // Start at 1/4, could switch to 1/256
317 Uart.dropPosition = 0;
318 Uart.shiftReg = 0;
9f693930 319 //error = 0;
cee5a30d 320 }
321 else {
322 Uart.highCnt = 0;
323 }
324 }
325 else {
326 if(Uart.highCnt < 8) {
327 Uart.highCnt++;
328 }
329 }
330 }
331
332 return FALSE;
333}
334
335//=============================================================================
1e262141 336// Manchester
cee5a30d 337//=============================================================================
338
339static struct {
340 enum {
341 DEMOD_UNSYNCD,
342 DEMOD_START_OF_COMMUNICATION,
343 DEMOD_START_OF_COMMUNICATION2,
344 DEMOD_START_OF_COMMUNICATION3,
345 DEMOD_SOF_COMPLETE,
346 DEMOD_MANCHESTER_D,
347 DEMOD_MANCHESTER_E,
348 DEMOD_END_OF_COMMUNICATION,
349 DEMOD_END_OF_COMMUNICATION2,
350 DEMOD_MANCHESTER_F,
351 DEMOD_ERROR_WAIT
352 } state;
353 int bitCount;
354 int posCount;
355 int syncBit;
356 int parityBits;
357 uint16_t shiftReg;
358 int buffer;
359 int buffer2;
360 int buffer3;
361 int buff;
362 int samples;
363 int len;
364 enum {
365 SUB_NONE,
366 SUB_FIRST_HALF,
367 SUB_SECOND_HALF,
368 SUB_BOTH
369 } sub;
370 uint8_t *output;
371} Demod;
372
373static RAMFUNC int ManchesterDecoding(int v)
374{
375 int bit;
376 int modulation;
377 int error = 0;
378
379 bit = Demod.buffer;
380 Demod.buffer = Demod.buffer2;
381 Demod.buffer2 = Demod.buffer3;
382 Demod.buffer3 = v;
383
384 if(Demod.buff < 3) {
385 Demod.buff++;
386 return FALSE;
387 }
388
389 if(Demod.state==DEMOD_UNSYNCD) {
390 Demod.output[Demod.len] = 0xfa;
391 Demod.syncBit = 0;
392 //Demod.samples = 0;
393 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
cee5a30d 394
395 if(bit & 0x08) {
396 Demod.syncBit = 0x08;
397 }
398
399 if(bit & 0x04) {
400 if(Demod.syncBit) {
401 bit <<= 4;
402 }
403 Demod.syncBit = 0x04;
404 }
405
406 if(bit & 0x02) {
407 if(Demod.syncBit) {
408 bit <<= 2;
409 }
410 Demod.syncBit = 0x02;
411 }
412
413 if(bit & 0x01 && Demod.syncBit) {
414 Demod.syncBit = 0x01;
415 }
416
417 if(Demod.syncBit) {
418 Demod.len = 0;
419 Demod.state = DEMOD_START_OF_COMMUNICATION;
420 Demod.sub = SUB_FIRST_HALF;
421 Demod.bitCount = 0;
422 Demod.shiftReg = 0;
423 Demod.parityBits = 0;
424 Demod.samples = 0;
425 if(Demod.posCount) {
426 //if(trigger) LED_A_OFF(); // Not useful in this case...
427 switch(Demod.syncBit) {
428 case 0x08: Demod.samples = 3; break;
429 case 0x04: Demod.samples = 2; break;
430 case 0x02: Demod.samples = 1; break;
431 case 0x01: Demod.samples = 0; break;
432 }
433 // SOF must be long burst... otherwise stay unsynced!!!
434 if(!(Demod.buffer & Demod.syncBit) || !(Demod.buffer2 & Demod.syncBit)) {
435 Demod.state = DEMOD_UNSYNCD;
436 }
437 }
438 else {
439 // SOF must be long burst... otherwise stay unsynced!!!
440 if(!(Demod.buffer2 & Demod.syncBit) || !(Demod.buffer3 & Demod.syncBit)) {
441 Demod.state = DEMOD_UNSYNCD;
442 error = 0x88;
443 }
444
445 }
446 error = 0;
447
448 }
449 }
450 else {
451 modulation = bit & Demod.syncBit;
452 modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
453 //modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
454
455 Demod.samples += 4;
456
457 if(Demod.posCount==0) {
458 Demod.posCount = 1;
459 if(modulation) {
460 Demod.sub = SUB_FIRST_HALF;
461 }
462 else {
463 Demod.sub = SUB_NONE;
464 }
465 }
466 else {
467 Demod.posCount = 0;
468 /*(modulation && (Demod.sub == SUB_FIRST_HALF)) {
469 if(Demod.state!=DEMOD_ERROR_WAIT) {
470 Demod.state = DEMOD_ERROR_WAIT;
471 Demod.output[Demod.len] = 0xaa;
472 error = 0x01;
473 }
474 }*/
475 //else if(modulation) {
476 if(modulation) {
477 if(Demod.sub == SUB_FIRST_HALF) {
478 Demod.sub = SUB_BOTH;
479 }
480 else {
481 Demod.sub = SUB_SECOND_HALF;
482 }
483 }
484 else if(Demod.sub == SUB_NONE) {
485 if(Demod.state == DEMOD_SOF_COMPLETE) {
486 Demod.output[Demod.len] = 0x0f;
487 Demod.len++;
488 Demod.parityBits <<= 1;
489 Demod.parityBits ^= OddByteParity[0x0f];
490 Demod.state = DEMOD_UNSYNCD;
491// error = 0x0f;
492 return TRUE;
493 }
494 else {
495 Demod.state = DEMOD_ERROR_WAIT;
496 error = 0x33;
497 }
498 /*if(Demod.state!=DEMOD_ERROR_WAIT) {
499 Demod.state = DEMOD_ERROR_WAIT;
500 Demod.output[Demod.len] = 0xaa;
501 error = 0x01;
502 }*/
503 }
504
505 switch(Demod.state) {
506 case DEMOD_START_OF_COMMUNICATION:
507 if(Demod.sub == SUB_BOTH) {
508 //Demod.state = DEMOD_MANCHESTER_D;
509 Demod.state = DEMOD_START_OF_COMMUNICATION2;
510 Demod.posCount = 1;
511 Demod.sub = SUB_NONE;
512 }
513 else {
514 Demod.output[Demod.len] = 0xab;
515 Demod.state = DEMOD_ERROR_WAIT;
516 error = 0xd2;
517 }
518 break;
519 case DEMOD_START_OF_COMMUNICATION2:
520 if(Demod.sub == SUB_SECOND_HALF) {
521 Demod.state = DEMOD_START_OF_COMMUNICATION3;
522 }
523 else {
524 Demod.output[Demod.len] = 0xab;
525 Demod.state = DEMOD_ERROR_WAIT;
526 error = 0xd3;
527 }
528 break;
529 case DEMOD_START_OF_COMMUNICATION3:
530 if(Demod.sub == SUB_SECOND_HALF) {
531// Demod.state = DEMOD_MANCHESTER_D;
532 Demod.state = DEMOD_SOF_COMPLETE;
533 //Demod.output[Demod.len] = Demod.syncBit & 0xFF;
534 //Demod.len++;
535 }
536 else {
537 Demod.output[Demod.len] = 0xab;
538 Demod.state = DEMOD_ERROR_WAIT;
539 error = 0xd4;
540 }
541 break;
542 case DEMOD_SOF_COMPLETE:
543 case DEMOD_MANCHESTER_D:
544 case DEMOD_MANCHESTER_E:
545 // OPPOSITE FROM ISO14443 - 11110000 = 0 (1 in 14443)
546 // 00001111 = 1 (0 in 14443)
547 if(Demod.sub == SUB_SECOND_HALF) { // SUB_FIRST_HALF
548 Demod.bitCount++;
549 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
550 Demod.state = DEMOD_MANCHESTER_D;
551 }
552 else if(Demod.sub == SUB_FIRST_HALF) { // SUB_SECOND_HALF
553 Demod.bitCount++;
554 Demod.shiftReg >>= 1;
555 Demod.state = DEMOD_MANCHESTER_E;
556 }
557 else if(Demod.sub == SUB_BOTH) {
558 Demod.state = DEMOD_MANCHESTER_F;
559 }
560 else {
561 Demod.state = DEMOD_ERROR_WAIT;
562 error = 0x55;
563 }
564 break;
565
566 case DEMOD_MANCHESTER_F:
567 // Tag response does not need to be a complete byte!
568 if(Demod.len > 0 || Demod.bitCount > 0) {
569 if(Demod.bitCount > 1) { // was > 0, do not interpret last closing bit, is part of EOF
570 Demod.shiftReg >>= (9 - Demod.bitCount);
571 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
572 Demod.len++;
573 // No parity bit, so just shift a 0
574 Demod.parityBits <<= 1;
575 }
576
577 Demod.state = DEMOD_UNSYNCD;
578 return TRUE;
579 }
580 else {
581 Demod.output[Demod.len] = 0xad;
582 Demod.state = DEMOD_ERROR_WAIT;
583 error = 0x03;
584 }
585 break;
586
587 case DEMOD_ERROR_WAIT:
588 Demod.state = DEMOD_UNSYNCD;
589 break;
590
591 default:
592 Demod.output[Demod.len] = 0xdd;
593 Demod.state = DEMOD_UNSYNCD;
594 break;
595 }
596
597 /*if(Demod.bitCount>=9) {
598 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
599 Demod.len++;
600
601 Demod.parityBits <<= 1;
602 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
603
604 Demod.bitCount = 0;
605 Demod.shiftReg = 0;
606 }*/
607 if(Demod.bitCount>=8) {
608 Demod.shiftReg >>= 1;
609 Demod.output[Demod.len] = (Demod.shiftReg & 0xff);
610 Demod.len++;
611
612 // FOR ISO15639 PARITY NOT SEND OTA, JUST CALCULATE IT FOR THE CLIENT
613 Demod.parityBits <<= 1;
614 Demod.parityBits ^= OddByteParity[(Demod.shiftReg & 0xff)];
615
616 Demod.bitCount = 0;
617 Demod.shiftReg = 0;
618 }
619
620 if(error) {
621 Demod.output[Demod.len] = 0xBB;
622 Demod.len++;
623 Demod.output[Demod.len] = error & 0xFF;
624 Demod.len++;
625 Demod.output[Demod.len] = 0xBB;
626 Demod.len++;
627 Demod.output[Demod.len] = bit & 0xFF;
628 Demod.len++;
629 Demod.output[Demod.len] = Demod.buffer & 0xFF;
630 Demod.len++;
631 // Look harder ;-)
632 Demod.output[Demod.len] = Demod.buffer2 & 0xFF;
633 Demod.len++;
634 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
635 Demod.len++;
636 Demod.output[Demod.len] = 0xBB;
637 Demod.len++;
638 return TRUE;
639 }
640
641 }
642
643 } // end (state != UNSYNCED)
644
645 return FALSE;
646}
647
648//=============================================================================
1e262141 649// Finally, a `sniffer' for iClass communication
cee5a30d 650// Both sides of communication!
651//=============================================================================
652
653//-----------------------------------------------------------------------------
654// Record the sequence of commands sent by the reader to the tag, with
655// triggering so that we start recording at the point that the tag is moved
656// near the reader.
657//-----------------------------------------------------------------------------
658void RAMFUNC SnoopIClass(void)
659{
17cba269 660
cee5a30d 661
662 // We won't start recording the frames that we acquire until we trigger;
663 // a good trigger condition to get started is probably when we see a
664 // response from the tag.
9f693930 665 //int triggered = FALSE; // FALSE to wait first for card
cee5a30d 666
667 // The command (reader -> tag) that we're receiving.
668 // The length of a received command will in most cases be no more than 18 bytes.
669 // So 32 should be enough!
17cba269 670 uint8_t *readerToTagCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
cee5a30d 671 // The response (tag -> reader) that we're receiving.
17cba269 672 uint8_t *tagToReaderResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
cee5a30d 673
7cc204bf 674 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
675
1e262141 676 // reset traceLen to 0
677 iso14a_set_tracing(TRUE);
d19929cb 678 iso14a_clear_trace();
1e262141 679 iso14a_set_trigger(FALSE);
cee5a30d 680
681 // The DMA buffer, used to stream samples from the FPGA
682 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
683 int lastRxCounter;
684 int8_t *upTo;
685 int smpl;
686 int maxBehindBy = 0;
687
688 // Count of samples received so far, so that we can include timing
689 // information in the trace buffer.
690 int samples = 0;
691 rsamples = 0;
692
cee5a30d 693 // Set up the demodulator for tag -> reader responses.
17cba269 694 Demod.output = tagToReaderResponse;
cee5a30d 695 Demod.len = 0;
696 Demod.state = DEMOD_UNSYNCD;
697
698 // Setup for the DMA.
699 FpgaSetupSsc();
700 upTo = dmaBuf;
701 lastRxCounter = DMA_BUFFER_SIZE;
702 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
703
704 // And the reader -> tag commands
705 memset(&Uart, 0, sizeof(Uart));
17cba269 706 Uart.output = readerToTagCmd;
cee5a30d 707 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
708 Uart.state = STATE_UNSYNCD;
709
710 // And put the FPGA in the appropriate mode
711 // Signal field is off with the appropriate LED
712 LED_D_OFF();
713 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
714 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
715
81012e67
MHS
716 uint32_t time_0 = GetCountSspClk();
717
718
cee5a30d 719 int div = 0;
720 //int div2 = 0;
721 int decbyte = 0;
722 int decbyter = 0;
723
724 // And now we loop, receiving samples.
725 for(;;) {
726 LED_A_ON();
727 WDT_HIT();
728 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
729 (DMA_BUFFER_SIZE-1);
730 if(behindBy > maxBehindBy) {
731 maxBehindBy = behindBy;
732 if(behindBy > 400) {
733 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
734 goto done;
735 }
736 }
737 if(behindBy < 1) continue;
738
739 LED_A_OFF();
740 smpl = upTo[0];
741 upTo++;
742 lastRxCounter -= 1;
743 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
744 upTo -= DMA_BUFFER_SIZE;
745 lastRxCounter += DMA_BUFFER_SIZE;
746 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
747 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
748 }
749
750 //samples += 4;
751 samples += 1;
cee5a30d 752
cee5a30d 753 if(smpl & 0xF) {
754 decbyte ^= (1 << (3 - div));
755 }
cee5a30d 756
757 // FOR READER SIDE COMMUMICATION...
17cba269 758
cee5a30d 759 decbyter <<= 2;
760 decbyter ^= (smpl & 0x30);
761
762 div++;
763
764 if((div + 1) % 2 == 0) {
765 smpl = decbyter;
1e262141 766 if(OutOfNDecoding((smpl & 0xF0) >> 4)) {
cee5a30d 767 rsamples = samples - Uart.samples;
768 LED_C_ON();
17cba269 769
81012e67 770 //if(!LogTrace(Uart.output,Uart.byteCnt, rsamples, Uart.parityBits,TRUE)) break;
17cba269 771 //if(!LogTrace(NULL, 0, Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER, 0, TRUE)) break;
81012e67
MHS
772 if(tracing)
773 {
774 LogTrace(Uart.output,Uart.byteCnt, (GetCountSspClk()-time_0) << 4, Uart.parityBits,TRUE);
775 LogTrace(NULL, 0, (GetCountSspClk()-time_0) << 4, 0, TRUE);
776 }
777
17cba269
MHS
778
779 /* And ready to receive another command. */
cee5a30d 780 Uart.state = STATE_UNSYNCD;
781 /* And also reset the demod code, which might have been */
782 /* false-triggered by the commands from the reader. */
783 Demod.state = DEMOD_UNSYNCD;
784 LED_B_OFF();
785 Uart.byteCnt = 0;
786 }
787 decbyter = 0;
788 }
789
790 if(div > 3) {
791 smpl = decbyte;
792 if(ManchesterDecoding(smpl & 0x0F)) {
793 rsamples = samples - Demod.samples;
794 LED_B_ON();
795
81012e67
MHS
796 if(tracing)
797 {
798 LogTrace(Demod.output,Demod.len, (GetCountSspClk()-time_0) << 4 , Demod.parityBits,FALSE);
799 LogTrace(NULL, 0, (GetCountSspClk()-time_0) << 4, 0, FALSE);
800 }
17cba269 801
cee5a30d 802
803 // And ready to receive another response.
804 memset(&Demod, 0, sizeof(Demod));
17cba269 805 Demod.output = tagToReaderResponse;
cee5a30d 806 Demod.state = DEMOD_UNSYNCD;
807 LED_C_OFF();
808 }
809
810 div = 0;
811 decbyte = 0x00;
812 }
813 //}
814
815 if(BUTTON_PRESS()) {
816 DbpString("cancelled_a");
817 goto done;
818 }
819 }
820
821 DbpString("COMMAND FINISHED");
822
823 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
824 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
825
826done:
827 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
828 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
829 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
830 LED_A_OFF();
831 LED_B_OFF();
1e262141 832 LED_C_OFF();
833 LED_D_OFF();
834}
835
912a3e94 836void rotateCSN(uint8_t* originalCSN, uint8_t* rotatedCSN) {
837 int i;
838 for(i = 0; i < 8; i++) {
839 rotatedCSN[i] = (originalCSN[i] >> 3) | (originalCSN[(i+1)%8] << 5);
1e262141 840 }
841}
842
843//-----------------------------------------------------------------------------
844// Wait for commands from reader
845// Stop when button is pressed
846// Or return TRUE when command is captured
847//-----------------------------------------------------------------------------
848static int GetIClassCommandFromReader(uint8_t *received, int *len, int maxLen)
849{
912a3e94 850 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1e262141 851 // only, since we are receiving, not transmitting).
852 // Signal field is off with the appropriate LED
853 LED_D_OFF();
854 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
855
856 // Now run a `software UART' on the stream of incoming samples.
857 Uart.output = received;
858 Uart.byteCntMax = maxLen;
859 Uart.state = STATE_UNSYNCD;
860
861 for(;;) {
862 WDT_HIT();
863
864 if(BUTTON_PRESS()) return FALSE;
865
866 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
867 AT91C_BASE_SSC->SSC_THR = 0x00;
868 }
869 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
870 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
871 /*if(OutOfNDecoding((b & 0xf0) >> 4)) {
872 *len = Uart.byteCnt;
873 return TRUE;
874 }*/
875 if(OutOfNDecoding(b & 0x0f)) {
876 *len = Uart.byteCnt;
877 return TRUE;
878 }
879 }
880 }
881}
882
883
884//-----------------------------------------------------------------------------
885// Prepare tag messages
886//-----------------------------------------------------------------------------
887static void CodeIClassTagAnswer(const uint8_t *cmd, int len)
888{
81012e67
MHS
889 //So far a dummy implementation, not used
890 //int lastProxToAirDuration =0;
1e262141 891 int i;
892
893 ToSendReset();
894
895 // Send SOF
896 ToSend[++ToSendMax] = 0x00;
897 ToSend[++ToSendMax] = 0x00;
898 ToSend[++ToSendMax] = 0x00;
81012e67 899 ToSend[++ToSendMax] = 0xff;//Proxtoair duration starts here
1e262141 900 ToSend[++ToSendMax] = 0xff;
901 ToSend[++ToSendMax] = 0xff;
902 ToSend[++ToSendMax] = 0x00;
903 ToSend[++ToSendMax] = 0xff;
904
905 for(i = 0; i < len; i++) {
906 int j;
907 uint8_t b = cmd[i];
908
909 // Data bits
910 for(j = 0; j < 8; j++) {
911 if(b & 1) {
912 ToSend[++ToSendMax] = 0x00;
913 ToSend[++ToSendMax] = 0xff;
914 } else {
915 ToSend[++ToSendMax] = 0xff;
916 ToSend[++ToSendMax] = 0x00;
917 }
918 b >>= 1;
919 }
920 }
921
922 // Send EOF
923 ToSend[++ToSendMax] = 0xff;
924 ToSend[++ToSendMax] = 0x00;
925 ToSend[++ToSendMax] = 0xff;
926 ToSend[++ToSendMax] = 0xff;
81012e67 927 ToSend[++ToSendMax] = 0xff;
1e262141 928 ToSend[++ToSendMax] = 0x00;
929 ToSend[++ToSendMax] = 0x00;
930 ToSend[++ToSendMax] = 0x00;
931
81012e67
MHS
932 //lastProxToAirDuration = 8*ToSendMax - 3*8 - 3*8;//Not counting zeroes in the beginning or end
933
1e262141 934 // Convert from last byte pos to length
935 ToSendMax++;
936}
937
938// Only SOF
939static void CodeIClassTagSOF()
940{
81012e67
MHS
941 //So far a dummy implementation, not used
942 //int lastProxToAirDuration =0;
1e262141 943
81012e67 944 ToSendReset();
1e262141 945 // Send SOF
946 ToSend[++ToSendMax] = 0x00;
947 ToSend[++ToSendMax] = 0x00;
948 ToSend[++ToSendMax] = 0x00;
949 ToSend[++ToSendMax] = 0xff;
950 ToSend[++ToSendMax] = 0xff;
951 ToSend[++ToSendMax] = 0xff;
952 ToSend[++ToSendMax] = 0x00;
953 ToSend[++ToSendMax] = 0xff;
81012e67
MHS
954
955// lastProxToAirDuration = 8*ToSendMax - 3*8;//Not counting zeroes in the beginning
956
1e262141 957
958 // Convert from last byte pos to length
959 ToSendMax++;
960}
9f6e9d15 961int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf);
ff7bb4ef
MHS
962/**
963 * @brief SimulateIClass simulates an iClass card.
964 * @param arg0 type of simulation
965 * - 0 uses the first 8 bytes in usb data as CSN
966 * - 2 "dismantling iclass"-attack. This mode iterates through all CSN's specified
967 * in the usb data. This mode collects MAC from the reader, in order to do an offline
968 * attack on the keys. For more info, see "dismantling iclass" and proxclone.com.
969 * - Other : Uses the default CSN (031fec8af7ff12e0)
970 * @param arg1 - number of CSN's contained in datain (applicable for mode 2 only)
971 * @param arg2
972 * @param datain
973 */
974void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
1e262141 975{
ff7bb4ef
MHS
976 uint32_t simType = arg0;
977 uint32_t numberOfCSNS = arg1;
7cc204bf 978 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1e262141 979
ff7bb4ef
MHS
980 // Enable and clear the trace
981 iso14a_set_tracing(TRUE);
982 iso14a_clear_trace();
81cd0474 983
ff7bb4ef 984 uint8_t csn_crc[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
ff7bb4ef
MHS
985 if(simType == 0) {
986 // Use the CSN from commandline
987 memcpy(csn_crc, datain, 8);
9f6e9d15 988 doIClassSimulation(csn_crc,0,NULL);
ff7bb4ef
MHS
989 }else if(simType == 1)
990 {
9f6e9d15 991 doIClassSimulation(csn_crc,0,NULL);
ff7bb4ef
MHS
992 }
993 else if(simType == 2)
994 {
9f6e9d15
MHS
995
996 uint8_t mac_responses[64] = { 0 };
17cba269 997 Dbprintf("Going into attack mode");
ff7bb4ef
MHS
998 // In this mode, a number of csns are within datain. We'll simulate each one, one at a time
999 // in order to collect MAC's from the reader. This can later be used in an offlne-attack
1000 // in order to obtain the keys, as in the "dismantling iclass"-paper.
9f6e9d15
MHS
1001 int i = 0;
1002 for( ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE; i++)
ff7bb4ef
MHS
1003 {
1004 // The usb data is 512 bytes, fitting 65 8-byte CSNs in there.
1005
1006 memcpy(csn_crc, datain+(i*8), 8);
9f6e9d15 1007 if(doIClassSimulation(csn_crc,1,mac_responses))
f83cc126
MHS
1008 {
1009 return; // Button pressed
1010 }
ff7bb4ef 1011 }
9f6e9d15
MHS
1012 cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8);
1013
81012e67
MHS
1014 }
1015 else{
ff7bb4ef
MHS
1016 // We may want a mode here where we hardcode the csns to use (from proxclone).
1017 // That will speed things up a little, but not required just yet.
1018 Dbprintf("The mode is not implemented, reserved for future use");
1019 }
9f6e9d15 1020 Dbprintf("Done...");
ff7bb4ef
MHS
1021
1022}
1023/**
1024 * @brief Does the actual simulation
1025 * @param csn - csn to use
1026 * @param breakAfterMacReceived if true, returns after reader MAC has been received.
1027 */
9f6e9d15 1028int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf)
ff7bb4ef 1029{
81012e67 1030
81cd0474 1031
1e262141 1032 // CSN followed by two CRC bytes
1e262141 1033 uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
ff7bb4ef
MHS
1034 uint8_t response3[] = { 0,0,0,0,0,0,0,0,0,0};
1035 memcpy(response3,csn,sizeof(response3));
f83cc126 1036 Dbprintf("Simulating CSN %02x%02x%02x%02x%02x%02x%02x%02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
1e262141 1037 // e-Purse
1038 uint8_t response4[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1e262141 1039
1e262141 1040 // Construct anticollision-CSN
912a3e94 1041 rotateCSN(response3,response2);
1e262141 1042
1043 // Compute CRC on both CSNs
1044 ComputeCrc14443(CRC_ICLASS, response2, 8, &response2[8], &response2[9]);
1045 ComputeCrc14443(CRC_ICLASS, response3, 8, &response3[8], &response3[9]);
1046
ff7bb4ef 1047 int exitLoop = 0;
1e262141 1048 // Reader 0a
1049 // Tag 0f
1050 // Reader 0c
1051 // Tag anticoll. CSN
1052 // Reader 81 anticoll. CSN
1053 // Tag CSN
1054
81cd0474 1055 uint8_t *resp;
1056 int respLen;
1057 uint8_t* respdata = NULL;
1058 int respsize = 0;
1059 uint8_t sof = 0x0f;
1e262141 1060
1061 // Respond SOF -- takes 8 bytes
81cd0474 1062 uint8_t *resp1 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
1e262141 1063 int resp1Len;
1064
1065 // Anticollision CSN (rotated CSN)
1066 // 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit)
81cd0474 1067 uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 10);
1e262141 1068 int resp2Len;
1069
1070 // CSN
1071 // 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit)
81cd0474 1072 uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 190);
912a3e94 1073 int resp3Len;
1e262141 1074
1075 // e-Purse
1076 // 144: Takes 16 bytes for SOF/EOF and 8 * 16 = 128 bytes (2 bytes/bit)
81cd0474 1077 uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 370);
1e262141 1078 int resp4Len;
1079
1080 // + 1720..
ff7bb4ef 1081 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
81cd0474 1082 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
1e262141 1083 int len;
1084
1e262141 1085 // Prepare card messages
1086 ToSendMax = 0;
1087
1088 // First card answer: SOF
1089 CodeIClassTagSOF();
1090 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1091
1092 // Anticollision CSN
1093 CodeIClassTagAnswer(response2, sizeof(response2));
1094 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1095
1096 // CSN
1097 CodeIClassTagAnswer(response3, sizeof(response3));
912a3e94 1098 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1e262141 1099
1100 // e-Purse
1101 CodeIClassTagAnswer(response4, sizeof(response4));
1102 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1103
e3dc1e4c
MHS
1104
1105 // Start from off (no field generated)
fa541aca
MHS
1106 //FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1107 //SpinDelay(200);
1108 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1109 SpinDelay(100);
1110 StartCountSspClk();
1e262141 1111 // We need to listen to the high-frequency, peak-detected path.
1112 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1113 FpgaSetupSsc();
1114
1115 // To control where we are in the protocol
1e262141 1116 int cmdsRecvd = 0;
81012e67
MHS
1117 uint32_t time_0 = GetCountSspClk();
1118 uint32_t t2r_time =0;
1119 uint32_t r2t_time =0;
912a3e94 1120
1e262141 1121 LED_A_ON();
f83cc126 1122 bool buttonPressed = false;
9f6e9d15
MHS
1123
1124 /** Hack for testing
1125 memcpy(reader_mac_buf,csn,8);
1126 exitLoop = true;
1127 end hack **/
1128
ff7bb4ef 1129 while(!exitLoop) {
81012e67 1130
1e262141 1131 LED_B_OFF();
e3dc1e4c
MHS
1132 //Signal tracer
1133 // Can be used to get a trigger for an oscilloscope..
1134 LED_C_OFF();
1135
1e262141 1136 if(!GetIClassCommandFromReader(receivedCmd, &len, 100)) {
f83cc126 1137 buttonPressed = true;
1e262141 1138 break;
81cd0474 1139 }
81012e67 1140 r2t_time = GetCountSspClk();
e3dc1e4c
MHS
1141 //Signal tracer
1142 LED_C_ON();
1e262141 1143
81cd0474 1144 // Okay, look at the command now.
f83cc126 1145 if(receivedCmd[0] == 0x0a ) {
1e262141 1146 // Reader in anticollission phase
1147 resp = resp1; respLen = resp1Len; //order = 1;
81cd0474 1148 respdata = &sof;
1149 respsize = sizeof(sof);
1e262141 1150 } else if(receivedCmd[0] == 0x0c) {
1151 // Reader asks for anticollission CSN
1152 resp = resp2; respLen = resp2Len; //order = 2;
81cd0474 1153 respdata = response2;
1154 respsize = sizeof(response2);
1e262141 1155 //DbpString("Reader requests anticollission CSN:");
1156 } else if(receivedCmd[0] == 0x81) {
1157 // Reader selects anticollission CSN.
1158 // Tag sends the corresponding real CSN
912a3e94 1159 resp = resp3; respLen = resp3Len; //order = 3;
81cd0474 1160 respdata = response3;
1161 respsize = sizeof(response3);
1e262141 1162 //DbpString("Reader selects anticollission CSN:");
1163 } else if(receivedCmd[0] == 0x88) {
1164 // Read e-purse (88 02)
1165 resp = resp4; respLen = resp4Len; //order = 4;
81cd0474 1166 respdata = response4;
1167 respsize = sizeof(response4);
1e262141 1168 LED_B_ON();
1169 } else if(receivedCmd[0] == 0x05) {
1170 // Reader random and reader MAC!!!
1e262141 1171 // Do not respond
26c0d833 1172 // We do not know what to answer, so lets keep quiet
1e262141 1173 resp = resp1; respLen = 0; //order = 5;
81cd0474 1174 respdata = NULL;
1175 respsize = 0;
ff7bb4ef 1176 if (breakAfterMacReceived){
ff7bb4ef 1177 // dbprintf:ing ...
9f6e9d15 1178 Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
ff7bb4ef
MHS
1179 Dbprintf("RDR: (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",len,
1180 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1181 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1182 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
9f6e9d15
MHS
1183 if (reader_mac_buf != NULL)
1184 {
1185 memcpy(reader_mac_buf,receivedCmd+1,8);
1186 }
ff7bb4ef
MHS
1187 exitLoop = true;
1188 }
1e262141 1189 } else if(receivedCmd[0] == 0x00 && len == 1) {
1190 // Reader ends the session
1191 resp = resp1; respLen = 0; //order = 0;
81cd0474 1192 respdata = NULL;
1193 respsize = 0;
1194 } else {
17cba269 1195 //#db# Unknown command received from reader (len=5): 26 1 0 f6 a 44 44 44 44
1e262141 1196 // Never seen this command before
1197 Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
1198 len,
1199 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1200 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1201 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
1202 // Do not respond
1203 resp = resp1; respLen = 0; //order = 0;
81cd0474 1204 respdata = NULL;
1205 respsize = 0;
1e262141 1206 }
1207
81012e67
MHS
1208 if(cmdsRecvd > 100) {
1209 //DbpString("100 commands later...");
9f6e9d15 1210 //break;
1e262141 1211 }
1212 else {
1213 cmdsRecvd++;
1214 }
1215
81cd0474 1216 if(respLen > 0) {
1217 SendIClassAnswer(resp, respLen, 21);
81012e67 1218 t2r_time = GetCountSspClk();
81cd0474 1219 }
f83cc126 1220
81cd0474 1221 if (tracing) {
81012e67
MHS
1222 LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, Uart.parityBits,TRUE);
1223 LogTrace(NULL,0, (r2t_time-time_0) << 4, 0,TRUE);
17cba269
MHS
1224
1225 if (respdata != NULL) {
81012e67
MHS
1226 LogTrace(respdata,respsize, (t2r_time-time_0) << 4,SwapBits(GetParity(respdata,respsize),respsize),FALSE);
1227 LogTrace(NULL,0, (t2r_time-time_0) << 4,0,FALSE);
1228
1229
17cba269 1230 }
81012e67
MHS
1231 if(!tracing) {
1232 DbpString("Trace full");
1233 //break;
1234 }
1235
81cd0474 1236 }
81cd0474 1237 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
1238 }
1e262141 1239
9f6e9d15 1240 //Dbprintf("%x", cmdsRecvd);
1e262141 1241 LED_A_OFF();
1242 LED_B_OFF();
f83cc126
MHS
1243 if(buttonPressed)
1244 {
1245 DbpString("Button pressed");
1246 }
f83cc126 1247 return buttonPressed;
1e262141 1248}
1249
1250static int SendIClassAnswer(uint8_t *resp, int respLen, int delay)
1251{
e3dc1e4c 1252 int i = 0, d=0;//, u = 0, d = 0;
1e262141 1253 uint8_t b = 0;
e3dc1e4c
MHS
1254
1255 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K);
1256
1e262141 1257 AT91C_BASE_SSC->SSC_THR = 0x00;
1258 FpgaSetupSsc();
e3dc1e4c
MHS
1259 while(!BUTTON_PRESS()) {
1260 if((AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)){
1261 b = AT91C_BASE_SSC->SSC_RHR; (void) b;
1e262141 1262 }
e3dc1e4c
MHS
1263 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)){
1264 b = 0x00;
1e262141 1265 if(d < delay) {
1e262141 1266 d++;
1267 }
e3dc1e4c
MHS
1268 else {
1269 if( i < respLen){
1270 b = resp[i];
1271 //Hack
1272 //b = 0xAC;
1273 }
1274 i++;
1e262141 1275 }
1276 AT91C_BASE_SSC->SSC_THR = b;
1e262141 1277 }
e3dc1e4c
MHS
1278
1279 if (i > respLen +4) break;
1e262141 1280 }
1281
1282 return 0;
1283}
1284
1285/// THE READER CODE
1286
1287//-----------------------------------------------------------------------------
1288// Transmit the command (to the tag) that was placed in ToSend[].
1289//-----------------------------------------------------------------------------
1290static void TransmitIClassCommand(const uint8_t *cmd, int len, int *samples, int *wait)
1291{
1292 int c;
1e262141 1293 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1294 AT91C_BASE_SSC->SSC_THR = 0x00;
1295 FpgaSetupSsc();
1296
1297 if (wait)
1298 if(*wait < 10)
1299 *wait = 10;
1300
1301 for(c = 0; c < *wait;) {
1302 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1303 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1304 c++;
1305 }
1306 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1307 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1308 (void)r;
1309 }
1310 WDT_HIT();
1311 }
1312
1313 uint8_t sendbyte;
1314 bool firstpart = TRUE;
1315 c = 0;
1316 for(;;) {
1317 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1318
1319 // DOUBLE THE SAMPLES!
1320 if(firstpart) {
1321 sendbyte = (cmd[c] & 0xf0) | (cmd[c] >> 4);
1322 }
1323 else {
1324 sendbyte = (cmd[c] & 0x0f) | (cmd[c] << 4);
1325 c++;
1326 }
1327 if(sendbyte == 0xff) {
1328 sendbyte = 0xfe;
1329 }
1330 AT91C_BASE_SSC->SSC_THR = sendbyte;
1331 firstpart = !firstpart;
1332
1333 if(c >= len) {
1334 break;
1335 }
1336 }
1337 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1338 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1339 (void)r;
1340 }
1341 WDT_HIT();
1342 }
1343 if (samples) *samples = (c + *wait) << 3;
1344}
1345
1346
1347//-----------------------------------------------------------------------------
1348// Prepare iClass reader command to send to FPGA
1349//-----------------------------------------------------------------------------
1350void CodeIClassCommand(const uint8_t * cmd, int len)
1351{
1352 int i, j, k;
1353 uint8_t b;
1354
1355 ToSendReset();
1356
1357 // Start of Communication: 1 out of 4
1358 ToSend[++ToSendMax] = 0xf0;
1359 ToSend[++ToSendMax] = 0x00;
1360 ToSend[++ToSendMax] = 0x0f;
1361 ToSend[++ToSendMax] = 0x00;
1362
1363 // Modulate the bytes
1364 for (i = 0; i < len; i++) {
1365 b = cmd[i];
1366 for(j = 0; j < 4; j++) {
1367 for(k = 0; k < 4; k++) {
e3dc1e4c
MHS
1368 if(k == (b & 3)) {
1369 ToSend[++ToSendMax] = 0x0f;
1370 }
1371 else {
1372 ToSend[++ToSendMax] = 0x00;
1373 }
1e262141 1374 }
1375 b >>= 2;
1376 }
1377 }
1378
1379 // End of Communication
1380 ToSend[++ToSendMax] = 0x00;
1381 ToSend[++ToSendMax] = 0x00;
1382 ToSend[++ToSendMax] = 0xf0;
1383 ToSend[++ToSendMax] = 0x00;
1384
1385 // Convert from last character reference to length
1386 ToSendMax++;
1387}
1388
1389void ReaderTransmitIClass(uint8_t* frame, int len)
1390{
1391 int wait = 0;
1392 int samples = 0;
1393 int par = 0;
1394
1395 // This is tied to other size changes
1396 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
1397 CodeIClassCommand(frame,len);
1398
1399 // Select the card
1400 TransmitIClassCommand(ToSend, ToSendMax, &samples, &wait);
1401 if(trigger)
1402 LED_A_ON();
1403
1404 // Store reader command in buffer
7bc95e2e 1405 if (tracing) LogTrace(frame,len,rsamples,par,TRUE);
1e262141 1406}
1407
1408//-----------------------------------------------------------------------------
1409// Wait a certain time for tag response
1410// If a response is captured return TRUE
1411// If it takes too long return FALSE
1412//-----------------------------------------------------------------------------
1413static int GetIClassAnswer(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
1414{
1415 // buffer needs to be 512 bytes
1416 int c;
1417
1418 // Set FPGA mode to "reader listen mode", no modulation (listen
1419 // only, since we are receiving, not transmitting).
1420 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1421
1422 // Now get the answer from the card
1423 Demod.output = receivedResponse;
1424 Demod.len = 0;
1425 Demod.state = DEMOD_UNSYNCD;
1426
1427 uint8_t b;
1428 if (elapsed) *elapsed = 0;
1429
1430 bool skip = FALSE;
1431
1432 c = 0;
1433 for(;;) {
1434 WDT_HIT();
1435
1436 if(BUTTON_PRESS()) return FALSE;
1437
1438 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1439 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1440 if (elapsed) (*elapsed)++;
1441 }
1442 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1443 if(c < timeout) { c++; } else { return FALSE; }
1444 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1445 skip = !skip;
1446 if(skip) continue;
1447 /*if(ManchesterDecoding((b>>4) & 0xf)) {
1448 *samples = ((c - 1) << 3) + 4;
1449 return TRUE;
1450 }*/
1451 if(ManchesterDecoding(b & 0x0f)) {
1452 *samples = c << 3;
1453 return TRUE;
1454 }
1455 }
1456 }
1457}
1458
1459int ReaderReceiveIClass(uint8_t* receivedAnswer)
1460{
1461 int samples = 0;
1462 if (!GetIClassAnswer(receivedAnswer,160,&samples,0)) return FALSE;
7bc95e2e 1463 rsamples += samples;
1464 if (tracing) LogTrace(receivedAnswer,Demod.len,rsamples,Demod.parityBits,FALSE);
1e262141 1465 if(samples == 0) return FALSE;
1466 return Demod.len;
1467}
1468
aa41c605
MHS
1469void setupIclassReader()
1470{
1471 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1472 // Reset trace buffer
1473 iso14a_set_tracing(TRUE);
1474 iso14a_clear_trace();
1475
1476 // Setup SSC
1477 FpgaSetupSsc();
1478 // Start from off (no field generated)
1479 // Signal field is off with the appropriate LED
1480 LED_D_OFF();
1481 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1482 SpinDelay(200);
1483
1484 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1485
1486 // Now give it time to spin up.
1487 // Signal field is on with the appropriate LED
1488 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1489 SpinDelay(200);
1490 LED_A_ON();
1491
1492}
1493
1e262141 1494// Reader iClass Anticollission
1495void ReaderIClass(uint8_t arg0) {
aa41c605
MHS
1496 uint8_t act_all[] = { 0x0a };
1497 uint8_t identify[] = { 0x0c };
1498 uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1499 uint8_t readcheck_cc[]= { 0x88, 0x02 };
1e262141 1500
aa41c605
MHS
1501 uint8_t card_data[24]={0};
1502 uint8_t last_csn[8]={0};
1e262141 1503
aa41c605 1504 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
7cc204bf 1505
aa41c605
MHS
1506 int read_status= 0;
1507 bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE;
1e262141 1508
aa41c605 1509 setupIclassReader();
1e262141 1510
aa41c605
MHS
1511 size_t datasize = 0;
1512 while(!BUTTON_PRESS())
1513 {
1514 WDT_HIT();
1e262141 1515
aa41c605
MHS
1516 // Send act_all
1517 ReaderTransmitIClass(act_all, 1);
1518 // Card present?
1519 if(ReaderReceiveIClass(resp)) {
1e262141 1520
aa41c605 1521 ReaderTransmitIClass(identify, 1);
1e262141 1522
aa41c605
MHS
1523 if(ReaderReceiveIClass(resp) == 10) {
1524 //Copy the Anti-collision CSN to our select-packet
1525 memcpy(&select[1],resp,8);
1526 //Dbprintf("Anti-collision CSN: %02x %02x %02x %02x %02x %02x %02x %02x",resp[0], resp[1], resp[2],
1527 // resp[3], resp[4], resp[5],
1528 // resp[6], resp[7]);
1529 //Select the card
1530 ReaderTransmitIClass(select, sizeof(select));
1531
1532 if(ReaderReceiveIClass(resp) == 10) {
1533 //Save CSN in response data
1534 memcpy(card_data,resp,8);
1535 datasize += 8;
1536 //Flag that we got to at least stage 1, read CSN
1537 read_status = 1;
1538
1539 // Card selected
1540 //Dbprintf("Readcheck on Sector 2");
1541 ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
1542 if(ReaderReceiveIClass(resp) == 8) {
1543 //Save CC (e-purse) in response data
1544 memcpy(card_data+8,resp,8);
1545 datasize += 8;
1546 //Got both
1547 read_status = 2;
1548 }
1549
1550 LED_B_ON();
1551 //Send back to client, but don't bother if we already sent this
1552 if(memcmp(last_csn, card_data, 8) != 0)
1553 cmd_send(CMD_ACK,read_status,0,0,card_data,datasize);
1554
1555 //Save that we already sent this....
1556 if(read_status == 2)
1557 memcpy(last_csn, card_data, 8);
1558
1559 LED_B_OFF();
1560
1561 if(abort_after_read) break;
1562 }
1563 }
1564 }
4ab4336a 1565
aa41c605
MHS
1566 if(traceLen > TRACE_SIZE) {
1567 DbpString("Trace full");
1568 break;
1569 }
1570 }
1571 LED_A_OFF();
cee5a30d 1572}
1573
c3963755 1574void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
1575 uint8_t act_all[] = { 0x0a };
1576 uint8_t identify[] = { 0x0c };
1577 uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1578 uint8_t readcheck_cc[]= { 0x88, 0x02 };
1579 uint8_t check[] = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1580 uint8_t read[] = { 0x0c, 0x00, 0x00, 0x00 };
1581
fecd8202 1582 uint16_t crc = 0;
c3963755 1583 uint8_t cardsize=0;
1584 bool read_success=false;
1585 uint8_t mem=0;
1586
1587 static struct memory_t{
1588 int k16;
1589 int book;
1590 int k2;
1591 int lockauth;
1592 int keyaccess;
1593 } memory;
1594
1595 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
c3963755 1596
9b82de75 1597 setupIclassReader();
c3963755 1598
c3963755 1599
1600 for(int i=0;i<1;i++) {
1601
1602 if(traceLen > TRACE_SIZE) {
1603 DbpString("Trace full");
1604 break;
1605 }
1606
1607 if (BUTTON_PRESS()) break;
1608
1609 // Send act_all
1610 ReaderTransmitIClass(act_all, 1);
1611 // Card present?
1612 if(ReaderReceiveIClass(resp)) {
1613 ReaderTransmitIClass(identify, 1);
1614 if(ReaderReceiveIClass(resp) == 10) {
1615 // Select card
1616 memcpy(&select[1],resp,8);
1617 ReaderTransmitIClass(select, sizeof(select));
1618
1619 if(ReaderReceiveIClass(resp) == 10) {
1620 Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1621 resp[0], resp[1], resp[2],
1622 resp[3], resp[4], resp[5],
1623 resp[6], resp[7]);
1624 }
1625 // Card selected
1626 Dbprintf("Readcheck on Sector 2");
1627 ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
1628 if(ReaderReceiveIClass(resp) == 8) {
1629 Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x",
1630 resp[0], resp[1], resp[2],
1631 resp[3], resp[4], resp[5],
1632 resp[6], resp[7]);
1633 }else return;
1634 Dbprintf("Authenticate");
1635 //for now replay captured auth (as cc not updated)
1636 memcpy(check+5,MAC,4);
9b82de75
MHS
1637 //Dbprintf(" AA: %02x %02x %02x %02x",
1638 // check[5], check[6], check[7],check[8]);
c3963755 1639 ReaderTransmitIClass(check, sizeof(check));
1640 if(ReaderReceiveIClass(resp) == 4) {
1641 Dbprintf(" AR: %02x %02x %02x %02x",
1642 resp[0], resp[1], resp[2],resp[3]);
1643 }else {
1644 Dbprintf("Error: Authentication Fail!");
1645 return;
1646 }
1647 Dbprintf("Dump Contents");
1648 //first get configuration block
1649 read_success=false;
1650 read[1]=1;
1651 uint8_t *blockno=&read[1];
1652 crc = iclass_crc16((char *)blockno,1);
1653 read[2] = crc >> 8;
1654 read[3] = crc & 0xff;
1655 while(!read_success){
1656 ReaderTransmitIClass(read, sizeof(read));
1657 if(ReaderReceiveIClass(resp) == 10) {
1658 read_success=true;
1659 mem=resp[5];
1660 memory.k16= (mem & 0x80);
1661 memory.book= (mem & 0x20);
1662 memory.k2= (mem & 0x8);
1663 memory.lockauth= (mem & 0x2);
1664 memory.keyaccess= (mem & 0x1);
1665
1666 }
1667 }
1668 if (memory.k16){
1669 cardsize=255;
1670 }else cardsize=32;
1671 //then loop around remaining blocks
1672 for(uint8_t j=0; j<cardsize; j++){
1673 read_success=false;
1674 uint8_t *blockno=&j;
1675 //crc_data[0]=j;
1676 read[1]=j;
1677 crc = iclass_crc16((char *)blockno,1);
1678 read[2] = crc >> 8;
1679 read[3] = crc & 0xff;
1680 while(!read_success){
1681 ReaderTransmitIClass(read, sizeof(read));
1682 if(ReaderReceiveIClass(resp) == 10) {
1683 read_success=true;
1684 Dbprintf(" %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
1685 j, resp[0], resp[1], resp[2],
1686 resp[3], resp[4], resp[5],
1687 resp[6], resp[7]);
1688 }
1689 }
1690 }
1691 }
1692 }
1693 WDT_HIT();
1694 }
1695
1696 LED_A_OFF();
1697}
1698
fecd8202 1699//2. Create Read method (cut-down from above) based off responses from 1.
1700// Since we have the MAC could continue to use replay function.
1701//3. Create Write method
1702/*
1703void IClass_iso14443A_write(uint8_t arg0, uint8_t blockNo, uint8_t *data, uint8_t *MAC) {
1704 uint8_t act_all[] = { 0x0a };
1705 uint8_t identify[] = { 0x0c };
1706 uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1707 uint8_t readcheck_cc[]= { 0x88, 0x02 };
1708 uint8_t check[] = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1709 uint8_t read[] = { 0x0c, 0x00, 0x00, 0x00 };
1710 uint8_t write[] = { 0x87, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1711
1712 uint16_t crc = 0;
1713
1714 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
912a3e94 1715
fecd8202 1716 // Reset trace buffer
1717 memset(trace, 0x44, RECV_CMD_OFFSET);
1718 traceLen = 0;
1719
1720 // Setup SSC
1721 FpgaSetupSsc();
1722 // Start from off (no field generated)
1723 // Signal field is off with the appropriate LED
1724 LED_D_OFF();
1725 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1726 SpinDelay(200);
1727
1728 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1729
1730 // Now give it time to spin up.
1731 // Signal field is on with the appropriate LED
1732 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1733 SpinDelay(200);
1734
1735 LED_A_ON();
1736
1737 for(int i=0;i<1;i++) {
1738
1739 if(traceLen > TRACE_SIZE) {
1740 DbpString("Trace full");
1741 break;
1742 }
1743
1744 if (BUTTON_PRESS()) break;
1745
1746 // Send act_all
1747 ReaderTransmitIClass(act_all, 1);
1748 // Card present?
1749 if(ReaderReceiveIClass(resp)) {
1750 ReaderTransmitIClass(identify, 1);
1751 if(ReaderReceiveIClass(resp) == 10) {
1752 // Select card
1753 memcpy(&select[1],resp,8);
1754 ReaderTransmitIClass(select, sizeof(select));
1755
1756 if(ReaderReceiveIClass(resp) == 10) {
1757 Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1758 resp[0], resp[1], resp[2],
1759 resp[3], resp[4], resp[5],
1760 resp[6], resp[7]);
1761 }
1762 // Card selected
1763 Dbprintf("Readcheck on Sector 2");
1764 ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
1765 if(ReaderReceiveIClass(resp) == 8) {
1766 Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x",
1767 resp[0], resp[1], resp[2],
1768 resp[3], resp[4], resp[5],
1769 resp[6], resp[7]);
1770 }else return;
1771 Dbprintf("Authenticate");
1772 //for now replay captured auth (as cc not updated)
1773 memcpy(check+5,MAC,4);
1774 Dbprintf(" AA: %02x %02x %02x %02x",
1775 check[5], check[6], check[7],check[8]);
1776 ReaderTransmitIClass(check, sizeof(check));
1777 if(ReaderReceiveIClass(resp) == 4) {
1778 Dbprintf(" AR: %02x %02x %02x %02x",
1779 resp[0], resp[1], resp[2],resp[3]);
1780 }else {
1781 Dbprintf("Error: Authentication Fail!");
1782 return;
1783 }
1784 Dbprintf("Write Block");
1785
1786 //read configuration for max block number
1787 read_success=false;
1788 read[1]=1;
1789 uint8_t *blockno=&read[1];
1790 crc = iclass_crc16((char *)blockno,1);
1791 read[2] = crc >> 8;
1792 read[3] = crc & 0xff;
1793 while(!read_success){
1794 ReaderTransmitIClass(read, sizeof(read));
1795 if(ReaderReceiveIClass(resp) == 10) {
1796 read_success=true;
1797 mem=resp[5];
1798 memory.k16= (mem & 0x80);
1799 memory.book= (mem & 0x20);
1800 memory.k2= (mem & 0x8);
1801 memory.lockauth= (mem & 0x2);
1802 memory.keyaccess= (mem & 0x1);
1803
1804 }
1805 }
1806 if (memory.k16){
1807 cardsize=255;
1808 }else cardsize=32;
1809 //check card_size
1810
1811 memcpy(write+1,blockNo,1);
1812 memcpy(write+2,data,8);
1813 memcpy(write+10,mac,4);
1814 while(!send_success){
1815 ReaderTransmitIClass(write, sizeof(write));
1816 if(ReaderReceiveIClass(resp) == 10) {
1817 write_success=true;
1818 }
1819 }//
1820 }
1821 WDT_HIT();
1822 }
1823
1824 LED_A_OFF();
1825}*/
Impressum, Datenschutz