]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso14443a.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Split str* and mem* into string.[ch]
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
2// Routines to support ISO 14443 type A.
3//
4// Gerhard de Koning Gans - May 2008
5//-----------------------------------------------------------------------------
e30c654b 6#include "proxmark3.h"
15c4dc5a 7#include "apps.h"
f7e3ed82 8#include "util.h"
9ab7a6c7 9#include "string.h"
10
15c4dc5a 11#include "iso14443crc.h"
12
f7e3ed82 13static uint8_t *trace = (uint8_t *) BigBuf;
15c4dc5a 14static int traceLen = 0;
15static int rsamples = 0;
f7e3ed82 16static int tracing = TRUE;
15c4dc5a 17
18typedef enum {
19 SEC_D = 1,
20 SEC_E = 2,
21 SEC_F = 3,
22 SEC_X = 4,
23 SEC_Y = 5,
24 SEC_Z = 6
25} SecType;
26
f7e3ed82 27static const uint8_t OddByteParity[256] = {
15c4dc5a 28 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
29 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
30 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
31 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
32 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
33 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
34 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
35 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
36 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
37 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
38 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
39 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
40 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
41 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
42 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
43 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
44};
45
46// BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
47#define RECV_CMD_OFFSET 3032
48#define RECV_RES_OFFSET 3096
49#define DMA_BUFFER_OFFSET 3160
50#define DMA_BUFFER_SIZE 4096
51#define TRACE_LENGTH 3000
52
53//-----------------------------------------------------------------------------
54// Generate the parity value for a byte sequence
e30c654b 55//
15c4dc5a 56//-----------------------------------------------------------------------------
f7e3ed82 57uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 58{
59 int i;
f7e3ed82 60 uint32_t dwPar = 0;
e30c654b 61
15c4dc5a 62 // Generate the encrypted data
63 for (i = 0; i < iLen; i++) {
64 // Save the encrypted parity bit
65 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
66 }
67 return dwPar;
68}
69
f7e3ed82 70static void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 71{
72 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
73}
74
f7e3ed82 75int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 76{
77 // Return when trace is full
78 if (traceLen >= TRACE_LENGTH) return FALSE;
e30c654b 79
15c4dc5a 80 // Trace the random, i'm curious
81 rsamples += iSamples;
82 trace[traceLen++] = ((rsamples >> 0) & 0xff);
83 trace[traceLen++] = ((rsamples >> 8) & 0xff);
84 trace[traceLen++] = ((rsamples >> 16) & 0xff);
85 trace[traceLen++] = ((rsamples >> 24) & 0xff);
86 if (!bReader) {
87 trace[traceLen - 1] |= 0x80;
88 }
89 trace[traceLen++] = ((dwParity >> 0) & 0xff);
90 trace[traceLen++] = ((dwParity >> 8) & 0xff);
91 trace[traceLen++] = ((dwParity >> 16) & 0xff);
92 trace[traceLen++] = ((dwParity >> 24) & 0xff);
93 trace[traceLen++] = iLen;
94 memcpy(trace + traceLen, btBytes, iLen);
95 traceLen += iLen;
96 return TRUE;
97}
98
f7e3ed82 99int LogTraceInfo(byte_t* data, size_t len)
15c4dc5a 100{
101 return LogTrace(data,len,0,GetParity(data,len),TRUE);
102}
103
104//-----------------------------------------------------------------------------
105// The software UART that receives commands from the reader, and its state
106// variables.
107//-----------------------------------------------------------------------------
108static struct {
109 enum {
110 STATE_UNSYNCD,
111 STATE_START_OF_COMMUNICATION,
112 STATE_MILLER_X,
113 STATE_MILLER_Y,
114 STATE_MILLER_Z,
115 STATE_ERROR_WAIT
116 } state;
f7e3ed82 117 uint16_t shiftReg;
15c4dc5a 118 int bitCnt;
119 int byteCnt;
120 int byteCntMax;
121 int posCnt;
122 int syncBit;
123 int parityBits;
124 int samples;
125 int highCnt;
126 int bitBuffer;
127 enum {
128 DROP_NONE,
129 DROP_FIRST_HALF,
130 DROP_SECOND_HALF
131 } drop;
f7e3ed82 132 uint8_t *output;
15c4dc5a 133} Uart;
134
f7e3ed82 135static int MillerDecoding(int bit)
15c4dc5a 136{
137 int error = 0;
138 int bitright;
139
140 if(!Uart.bitBuffer) {
141 Uart.bitBuffer = bit ^ 0xFF0;
142 return FALSE;
143 }
144 else {
145 Uart.bitBuffer <<= 4;
146 Uart.bitBuffer ^= bit;
147 }
148
f7e3ed82 149 int EOC = FALSE;
15c4dc5a 150
151 if(Uart.state != STATE_UNSYNCD) {
152 Uart.posCnt++;
153
154 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
155 bit = 0x00;
156 }
157 else {
158 bit = 0x01;
159 }
160 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
161 bitright = 0x00;
162 }
163 else {
164 bitright = 0x01;
165 }
166 if(bit != bitright) { bit = bitright; }
167
168 if(Uart.posCnt == 1) {
169 // measurement first half bitperiod
170 if(!bit) {
171 Uart.drop = DROP_FIRST_HALF;
172 }
173 }
174 else {
175 // measurement second half bitperiod
176 if(!bit & (Uart.drop == DROP_NONE)) {
177 Uart.drop = DROP_SECOND_HALF;
178 }
179 else if(!bit) {
180 // measured a drop in first and second half
181 // which should not be possible
182 Uart.state = STATE_ERROR_WAIT;
183 error = 0x01;
184 }
185
186 Uart.posCnt = 0;
187
188 switch(Uart.state) {
189 case STATE_START_OF_COMMUNICATION:
190 Uart.shiftReg = 0;
191 if(Uart.drop == DROP_SECOND_HALF) {
192 // error, should not happen in SOC
193 Uart.state = STATE_ERROR_WAIT;
194 error = 0x02;
195 }
196 else {
197 // correct SOC
198 Uart.state = STATE_MILLER_Z;
199 }
200 break;
201
202 case STATE_MILLER_Z:
203 Uart.bitCnt++;
204 Uart.shiftReg >>= 1;
205 if(Uart.drop == DROP_NONE) {
206 // logic '0' followed by sequence Y
207 // end of communication
208 Uart.state = STATE_UNSYNCD;
209 EOC = TRUE;
210 }
211 // if(Uart.drop == DROP_FIRST_HALF) {
212 // Uart.state = STATE_MILLER_Z; stay the same
213 // we see a logic '0' }
214 if(Uart.drop == DROP_SECOND_HALF) {
215 // we see a logic '1'
216 Uart.shiftReg |= 0x100;
217 Uart.state = STATE_MILLER_X;
218 }
219 break;
220
221 case STATE_MILLER_X:
222 Uart.shiftReg >>= 1;
223 if(Uart.drop == DROP_NONE) {
224 // sequence Y, we see a '0'
225 Uart.state = STATE_MILLER_Y;
226 Uart.bitCnt++;
227 }
228 if(Uart.drop == DROP_FIRST_HALF) {
229 // Would be STATE_MILLER_Z
230 // but Z does not follow X, so error
231 Uart.state = STATE_ERROR_WAIT;
232 error = 0x03;
233 }
234 if(Uart.drop == DROP_SECOND_HALF) {
235 // We see a '1' and stay in state X
236 Uart.shiftReg |= 0x100;
237 Uart.bitCnt++;
238 }
239 break;
240
241 case STATE_MILLER_Y:
242 Uart.bitCnt++;
243 Uart.shiftReg >>= 1;
244 if(Uart.drop == DROP_NONE) {
245 // logic '0' followed by sequence Y
246 // end of communication
247 Uart.state = STATE_UNSYNCD;
248 EOC = TRUE;
249 }
250 if(Uart.drop == DROP_FIRST_HALF) {
251 // we see a '0'
252 Uart.state = STATE_MILLER_Z;
253 }
254 if(Uart.drop == DROP_SECOND_HALF) {
255 // We see a '1' and go to state X
256 Uart.shiftReg |= 0x100;
257 Uart.state = STATE_MILLER_X;
258 }
259 break;
260
261 case STATE_ERROR_WAIT:
262 // That went wrong. Now wait for at least two bit periods
263 // and try to sync again
264 if(Uart.drop == DROP_NONE) {
265 Uart.highCnt = 6;
266 Uart.state = STATE_UNSYNCD;
267 }
268 break;
269
270 default:
271 Uart.state = STATE_UNSYNCD;
272 Uart.highCnt = 0;
273 break;
274 }
275
276 Uart.drop = DROP_NONE;
277
278 // should have received at least one whole byte...
279 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
280 return TRUE;
281 }
282
283 if(Uart.bitCnt == 9) {
284 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
285 Uart.byteCnt++;
286
287 Uart.parityBits <<= 1;
288 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
289
290 if(EOC) {
291 // when End of Communication received and
292 // all data bits processed..
293 return TRUE;
294 }
295 Uart.bitCnt = 0;
296 }
297
298 /*if(error) {
299 Uart.output[Uart.byteCnt] = 0xAA;
300 Uart.byteCnt++;
301 Uart.output[Uart.byteCnt] = error & 0xFF;
302 Uart.byteCnt++;
303 Uart.output[Uart.byteCnt] = 0xAA;
304 Uart.byteCnt++;
305 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
306 Uart.byteCnt++;
307 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
308 Uart.byteCnt++;
309 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
310 Uart.byteCnt++;
311 Uart.output[Uart.byteCnt] = 0xAA;
312 Uart.byteCnt++;
313 return TRUE;
314 }*/
315 }
316
317 }
318 else {
319 bit = Uart.bitBuffer & 0xf0;
320 bit >>= 4;
321 bit ^= 0x0F;
322 if(bit) {
323 // should have been high or at least (4 * 128) / fc
324 // according to ISO this should be at least (9 * 128 + 20) / fc
325 if(Uart.highCnt == 8) {
326 // we went low, so this could be start of communication
327 // it turns out to be safer to choose a less significant
328 // syncbit... so we check whether the neighbour also represents the drop
329 Uart.posCnt = 1; // apparently we are busy with our first half bit period
330 Uart.syncBit = bit & 8;
331 Uart.samples = 3;
332 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
333 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
334 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
335 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
336 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
337 if(Uart.syncBit & (Uart.bitBuffer & 8)) {
338 Uart.syncBit = 8;
339
340 // the first half bit period is expected in next sample
341 Uart.posCnt = 0;
342 Uart.samples = 3;
343 }
344 }
345 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
346
347 Uart.syncBit <<= 4;
348 Uart.state = STATE_START_OF_COMMUNICATION;
349 Uart.drop = DROP_FIRST_HALF;
350 Uart.bitCnt = 0;
351 Uart.byteCnt = 0;
352 Uart.parityBits = 0;
353 error = 0;
354 }
355 else {
356 Uart.highCnt = 0;
357 }
358 }
359 else {
360 if(Uart.highCnt < 8) {
361 Uart.highCnt++;
362 }
363 }
364 }
365
366 return FALSE;
367}
368
369//=============================================================================
370// ISO 14443 Type A - Manchester
371//=============================================================================
372
373static struct {
374 enum {
375 DEMOD_UNSYNCD,
376 DEMOD_START_OF_COMMUNICATION,
377 DEMOD_MANCHESTER_D,
378 DEMOD_MANCHESTER_E,
379 DEMOD_MANCHESTER_F,
380 DEMOD_ERROR_WAIT
381 } state;
382 int bitCount;
383 int posCount;
384 int syncBit;
385 int parityBits;
f7e3ed82 386 uint16_t shiftReg;
15c4dc5a 387 int buffer;
388 int buff;
389 int samples;
390 int len;
391 enum {
392 SUB_NONE,
393 SUB_FIRST_HALF,
394 SUB_SECOND_HALF
395 } sub;
f7e3ed82 396 uint8_t *output;
15c4dc5a 397} Demod;
398
f7e3ed82 399static int ManchesterDecoding(int v)
15c4dc5a 400{
401 int bit;
402 int modulation;
403 int error = 0;
404
405 if(!Demod.buff) {
406 Demod.buff = 1;
407 Demod.buffer = v;
408 return FALSE;
409 }
410 else {
411 bit = Demod.buffer;
412 Demod.buffer = v;
413 }
414
415 if(Demod.state==DEMOD_UNSYNCD) {
416 Demod.output[Demod.len] = 0xfa;
417 Demod.syncBit = 0;
418 //Demod.samples = 0;
419 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
420 if(bit & 0x08) { Demod.syncBit = 0x08; }
421 if(!Demod.syncBit) {
422 if(bit & 0x04) { Demod.syncBit = 0x04; }
423 }
424 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
425 if(!Demod.syncBit) {
426 if(bit & 0x02) { Demod.syncBit = 0x02; }
427 }
428 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
429 if(!Demod.syncBit) {
430 if(bit & 0x01) { Demod.syncBit = 0x01; }
431
432 if(Demod.syncBit & (Demod.buffer & 0x08)) {
433 Demod.syncBit = 0x08;
434
435 // The first half bitperiod is expected in next sample
436 Demod.posCount = 0;
437 Demod.output[Demod.len] = 0xfb;
438 }
439 }
440 else if(bit & 0x01) { Demod.syncBit = 0x01; }
441
442 if(Demod.syncBit) {
443 Demod.len = 0;
444 Demod.state = DEMOD_START_OF_COMMUNICATION;
445 Demod.sub = SUB_FIRST_HALF;
446 Demod.bitCount = 0;
447 Demod.shiftReg = 0;
448 Demod.parityBits = 0;
449 Demod.samples = 0;
450 if(Demod.posCount) {
451 switch(Demod.syncBit) {
452 case 0x08: Demod.samples = 3; break;
453 case 0x04: Demod.samples = 2; break;
454 case 0x02: Demod.samples = 1; break;
455 case 0x01: Demod.samples = 0; break;
456 }
457 }
458 error = 0;
459 }
460 }
461 else {
462 //modulation = bit & Demod.syncBit;
463 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
464
465 Demod.samples += 4;
466
467 if(Demod.posCount==0) {
468 Demod.posCount = 1;
469 if(modulation) {
470 Demod.sub = SUB_FIRST_HALF;
471 }
472 else {
473 Demod.sub = SUB_NONE;
474 }
475 }
476 else {
477 Demod.posCount = 0;
478 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
479 if(Demod.state!=DEMOD_ERROR_WAIT) {
480 Demod.state = DEMOD_ERROR_WAIT;
481 Demod.output[Demod.len] = 0xaa;
482 error = 0x01;
483 }
484 }
485 else if(modulation) {
486 Demod.sub = SUB_SECOND_HALF;
487 }
488
489 switch(Demod.state) {
490 case DEMOD_START_OF_COMMUNICATION:
491 if(Demod.sub == SUB_FIRST_HALF) {
492 Demod.state = DEMOD_MANCHESTER_D;
493 }
494 else {
495 Demod.output[Demod.len] = 0xab;
496 Demod.state = DEMOD_ERROR_WAIT;
497 error = 0x02;
498 }
499 break;
500
501 case DEMOD_MANCHESTER_D:
502 case DEMOD_MANCHESTER_E:
503 if(Demod.sub == SUB_FIRST_HALF) {
504 Demod.bitCount++;
505 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
506 Demod.state = DEMOD_MANCHESTER_D;
507 }
508 else if(Demod.sub == SUB_SECOND_HALF) {
509 Demod.bitCount++;
510 Demod.shiftReg >>= 1;
511 Demod.state = DEMOD_MANCHESTER_E;
512 }
513 else {
514 Demod.state = DEMOD_MANCHESTER_F;
515 }
516 break;
517
518 case DEMOD_MANCHESTER_F:
519 // Tag response does not need to be a complete byte!
520 if(Demod.len > 0 || Demod.bitCount > 0) {
521 if(Demod.bitCount > 0) {
522 Demod.shiftReg >>= (9 - Demod.bitCount);
523 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
524 Demod.len++;
525 // No parity bit, so just shift a 0
526 Demod.parityBits <<= 1;
527 }
528
529 Demod.state = DEMOD_UNSYNCD;
530 return TRUE;
531 }
532 else {
533 Demod.output[Demod.len] = 0xad;
534 Demod.state = DEMOD_ERROR_WAIT;
535 error = 0x03;
536 }
537 break;
538
539 case DEMOD_ERROR_WAIT:
540 Demod.state = DEMOD_UNSYNCD;
541 break;
542
543 default:
544 Demod.output[Demod.len] = 0xdd;
545 Demod.state = DEMOD_UNSYNCD;
546 break;
547 }
548
549 if(Demod.bitCount>=9) {
550 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
551 Demod.len++;
552
553 Demod.parityBits <<= 1;
554 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
555
556 Demod.bitCount = 0;
557 Demod.shiftReg = 0;
558 }
559
560 /*if(error) {
561 Demod.output[Demod.len] = 0xBB;
562 Demod.len++;
563 Demod.output[Demod.len] = error & 0xFF;
564 Demod.len++;
565 Demod.output[Demod.len] = 0xBB;
566 Demod.len++;
567 Demod.output[Demod.len] = bit & 0xFF;
568 Demod.len++;
569 Demod.output[Demod.len] = Demod.buffer & 0xFF;
570 Demod.len++;
571 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
572 Demod.len++;
573 Demod.output[Demod.len] = 0xBB;
574 Demod.len++;
575 return TRUE;
576 }*/
577
578 }
579
580 } // end (state != UNSYNCED)
581
582 return FALSE;
583}
584
585//=============================================================================
586// Finally, a `sniffer' for ISO 14443 Type A
587// Both sides of communication!
588//=============================================================================
589
590//-----------------------------------------------------------------------------
591// Record the sequence of commands sent by the reader to the tag, with
592// triggering so that we start recording at the point that the tag is moved
593// near the reader.
594//-----------------------------------------------------------------------------
595void SnoopIso14443a(void)
596{
597// #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
598// #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
599// #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
600// #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
601// #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
602
603 // We won't start recording the frames that we acquire until we trigger;
604 // a good trigger condition to get started is probably when we see a
605 // response from the tag.
f7e3ed82 606 int triggered = TRUE; // FALSE to wait first for card
15c4dc5a 607
608 // The command (reader -> tag) that we're receiving.
609 // The length of a received command will in most cases be no more than 18 bytes.
610 // So 32 should be enough!
f7e3ed82 611 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
15c4dc5a 612 // The response (tag -> reader) that we're receiving.
f7e3ed82 613 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 614
615 // As we receive stuff, we copy it from receivedCmd or receivedResponse
616 // into trace, along with its length and other annotations.
f7e3ed82 617 //uint8_t *trace = (uint8_t *)BigBuf;
15c4dc5a 618 //int traceLen = 0;
619
620 // The DMA buffer, used to stream samples from the FPGA
f7e3ed82 621 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
15c4dc5a 622 int lastRxCounter;
f7e3ed82 623 int8_t *upTo;
15c4dc5a 624 int smpl;
625 int maxBehindBy = 0;
626
627 // Count of samples received so far, so that we can include timing
628 // information in the trace buffer.
629 int samples = 0;
630 int rsamples = 0;
631
632 memset(trace, 0x44, RECV_CMD_OFFSET);
633
634 // Set up the demodulator for tag -> reader responses.
635 Demod.output = receivedResponse;
636 Demod.len = 0;
637 Demod.state = DEMOD_UNSYNCD;
638
639 // And the reader -> tag commands
640 memset(&Uart, 0, sizeof(Uart));
641 Uart.output = receivedCmd;
642 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
643 Uart.state = STATE_UNSYNCD;
644
645 // And put the FPGA in the appropriate mode
646 // Signal field is off with the appropriate LED
647 LED_D_OFF();
648 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
649 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
650
651 // Setup for the DMA.
652 FpgaSetupSsc();
653 upTo = dmaBuf;
654 lastRxCounter = DMA_BUFFER_SIZE;
f7e3ed82 655 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
15c4dc5a 656
657 LED_A_ON();
658
659 // And now we loop, receiving samples.
660 for(;;) {
661 WDT_HIT();
662 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
663 (DMA_BUFFER_SIZE-1);
664 if(behindBy > maxBehindBy) {
665 maxBehindBy = behindBy;
666 if(behindBy > 400) {
667 DbpString("blew circular buffer!");
668 goto done;
669 }
670 }
671 if(behindBy < 1) continue;
672
673 smpl = upTo[0];
674 upTo++;
675 lastRxCounter -= 1;
676 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
677 upTo -= DMA_BUFFER_SIZE;
678 lastRxCounter += DMA_BUFFER_SIZE;
f7e3ed82 679 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
15c4dc5a 680 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
681 }
682
683 samples += 4;
684#define HANDLE_BIT_IF_BODY \
685 LED_C_ON(); \
686 if(triggered) { \
687 trace[traceLen++] = ((rsamples >> 0) & 0xff); \
688 trace[traceLen++] = ((rsamples >> 8) & 0xff); \
689 trace[traceLen++] = ((rsamples >> 16) & 0xff); \
690 trace[traceLen++] = ((rsamples >> 24) & 0xff); \
691 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff); \
692 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff); \
693 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff); \
694 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff); \
695 trace[traceLen++] = Uart.byteCnt; \
696 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); \
697 traceLen += Uart.byteCnt; \
698 if(traceLen > TRACE_LENGTH) break; \
699 } \
700 /* And ready to receive another command. */ \
701 Uart.state = STATE_UNSYNCD; \
702 /* And also reset the demod code, which might have been */ \
703 /* false-triggered by the commands from the reader. */ \
704 Demod.state = DEMOD_UNSYNCD; \
705 LED_B_OFF(); \
706
707 if(MillerDecoding((smpl & 0xF0) >> 4)) {
708 rsamples = samples - Uart.samples;
709 HANDLE_BIT_IF_BODY
710 }
711 if(ManchesterDecoding(smpl & 0x0F)) {
712 rsamples = samples - Demod.samples;
713 LED_B_ON();
714
715 // timestamp, as a count of samples
716 trace[traceLen++] = ((rsamples >> 0) & 0xff);
717 trace[traceLen++] = ((rsamples >> 8) & 0xff);
718 trace[traceLen++] = ((rsamples >> 16) & 0xff);
719 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
720 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
721 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
722 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
723 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
724 // length
725 trace[traceLen++] = Demod.len;
726 memcpy(trace+traceLen, receivedResponse, Demod.len);
727 traceLen += Demod.len;
728 if(traceLen > TRACE_LENGTH) break;
729
730 triggered = TRUE;
731
732 // And ready to receive another response.
733 memset(&Demod, 0, sizeof(Demod));
734 Demod.output = receivedResponse;
735 Demod.state = DEMOD_UNSYNCD;
736 LED_C_OFF();
737 }
738
739 if(BUTTON_PRESS()) {
740 DbpString("cancelled_a");
741 goto done;
742 }
743 }
744
745 DbpString("COMMAND FINISHED");
746
747 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
748 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
749
750done:
751 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
752 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
753 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
754 LED_A_OFF();
755 LED_B_OFF();
756 LED_C_OFF();
757 LED_D_OFF();
758}
759
760// Prepare communication bits to send to FPGA
761void Sequence(SecType seq)
762{
763 ToSendMax++;
764 switch(seq) {
765 // CARD TO READER
766 case SEC_D:
767 // Sequence D: 11110000
768 // modulation with subcarrier during first half
769 ToSend[ToSendMax] = 0xf0;
770 break;
771 case SEC_E:
772 // Sequence E: 00001111
773 // modulation with subcarrier during second half
774 ToSend[ToSendMax] = 0x0f;
775 break;
776 case SEC_F:
777 // Sequence F: 00000000
778 // no modulation with subcarrier
779 ToSend[ToSendMax] = 0x00;
780 break;
781 // READER TO CARD
782 case SEC_X:
783 // Sequence X: 00001100
784 // drop after half a period
785 ToSend[ToSendMax] = 0x0c;
786 break;
787 case SEC_Y:
788 default:
789 // Sequence Y: 00000000
790 // no drop
791 ToSend[ToSendMax] = 0x00;
792 break;
793 case SEC_Z:
794 // Sequence Z: 11000000
795 // drop at start
796 ToSend[ToSendMax] = 0xc0;
797 break;
798 }
799}
800
801//-----------------------------------------------------------------------------
802// Prepare tag messages
803//-----------------------------------------------------------------------------
f7e3ed82 804static void CodeIso14443aAsTag(const uint8_t *cmd, int len)
15c4dc5a 805{
806 int i;
807 int oddparity;
808
809 ToSendReset();
810
811 // Correction bit, might be removed when not needed
812 ToSendStuffBit(0);
813 ToSendStuffBit(0);
814 ToSendStuffBit(0);
815 ToSendStuffBit(0);
816 ToSendStuffBit(1); // 1
817 ToSendStuffBit(0);
818 ToSendStuffBit(0);
819 ToSendStuffBit(0);
820
821 // Send startbit
822 Sequence(SEC_D);
823
824 for(i = 0; i < len; i++) {
825 int j;
f7e3ed82 826 uint8_t b = cmd[i];
15c4dc5a 827
828 // Data bits
829 oddparity = 0x01;
830 for(j = 0; j < 8; j++) {
831 oddparity ^= (b & 1);
832 if(b & 1) {
833 Sequence(SEC_D);
834 } else {
835 Sequence(SEC_E);
836 }
837 b >>= 1;
838 }
839
840 // Parity bit
841 if(oddparity) {
842 Sequence(SEC_D);
843 } else {
844 Sequence(SEC_E);
845 }
846 }
847
848 // Send stopbit
849 Sequence(SEC_F);
850
851 // Flush the buffer in FPGA!!
852 for(i = 0; i < 5; i++) {
853 Sequence(SEC_F);
854 }
855
856 // Convert from last byte pos to length
857 ToSendMax++;
858
859 // Add a few more for slop
860 ToSend[ToSendMax++] = 0x00;
861 ToSend[ToSendMax++] = 0x00;
862 //ToSendMax += 2;
863}
864
865//-----------------------------------------------------------------------------
866// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
867//-----------------------------------------------------------------------------
868static void CodeStrangeAnswer()
869{
870 int i;
871
872 ToSendReset();
873
874 // Correction bit, might be removed when not needed
875 ToSendStuffBit(0);
876 ToSendStuffBit(0);
877 ToSendStuffBit(0);
878 ToSendStuffBit(0);
879 ToSendStuffBit(1); // 1
880 ToSendStuffBit(0);
881 ToSendStuffBit(0);
882 ToSendStuffBit(0);
883
884 // Send startbit
885 Sequence(SEC_D);
886
887 // 0
888 Sequence(SEC_E);
889
890 // 0
891 Sequence(SEC_E);
892
893 // 1
894 Sequence(SEC_D);
895
896 // Send stopbit
897 Sequence(SEC_F);
898
899 // Flush the buffer in FPGA!!
900 for(i = 0; i < 5; i++) {
901 Sequence(SEC_F);
902 }
903
904 // Convert from last byte pos to length
905 ToSendMax++;
906
907 // Add a few more for slop
908 ToSend[ToSendMax++] = 0x00;
909 ToSend[ToSendMax++] = 0x00;
910 //ToSendMax += 2;
911}
912
913//-----------------------------------------------------------------------------
914// Wait for commands from reader
915// Stop when button is pressed
916// Or return TRUE when command is captured
917//-----------------------------------------------------------------------------
f7e3ed82 918static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 919{
920 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
921 // only, since we are receiving, not transmitting).
922 // Signal field is off with the appropriate LED
923 LED_D_OFF();
924 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
925
926 // Now run a `software UART' on the stream of incoming samples.
927 Uart.output = received;
928 Uart.byteCntMax = maxLen;
929 Uart.state = STATE_UNSYNCD;
930
931 for(;;) {
932 WDT_HIT();
933
934 if(BUTTON_PRESS()) return FALSE;
935
936 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
937 AT91C_BASE_SSC->SSC_THR = 0x00;
938 }
939 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 940 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 941 if(MillerDecoding((b & 0xf0) >> 4)) {
942 *len = Uart.byteCnt;
943 return TRUE;
944 }
945 if(MillerDecoding(b & 0x0f)) {
946 *len = Uart.byteCnt;
947 return TRUE;
948 }
949 }
950 }
951}
952
953//-----------------------------------------------------------------------------
954// Main loop of simulated tag: receive commands from reader, decide what
955// response to send, and send it.
956//-----------------------------------------------------------------------------
957void SimulateIso14443aTag(int tagType, int TagUid)
958{
959 // This function contains the tag emulation
960
961 // Prepare protocol messages
f7e3ed82 962 // static const uint8_t cmd1[] = { 0x26 };
963// static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
15c4dc5a 964//
f7e3ed82 965 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
966// static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
15c4dc5a 967
968 // UID response
f7e3ed82 969 // static const uint8_t cmd2[] = { 0x93, 0x20 };
970 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
15c4dc5a 971
972
973
974// my desfire
f7e3ed82 975 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
15c4dc5a 976
977
978// When reader selects us during cascade1 it will send cmd3
f7e3ed82 979//uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
980uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
15c4dc5a 981ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
982
983// send cascade2 2nd half of UID
f7e3ed82 984static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
15c4dc5a 985// NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
986
987
988// When reader selects us during cascade2 it will send cmd3a
f7e3ed82 989//uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
990uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
15c4dc5a 991ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
992
f7e3ed82 993 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
15c4dc5a 994
f7e3ed82 995 uint8_t *resp;
15c4dc5a 996 int respLen;
997
998 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
999 // This will need
1000 // 144 data bits (18 * 8)
1001 // 18 parity bits
1002 // 2 Start and stop
1003 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
1004 // 1 just for the case
1005 // ----------- +
1006 // 166
1007 //
1008 // 166 bytes, since every bit that needs to be send costs us a byte
1009 //
1010
1011
1012 // Respond with card type
f7e3ed82 1013 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
15c4dc5a 1014 int resp1Len;
1015
1016 // Anticollision cascade1 - respond with uid
f7e3ed82 1017 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
15c4dc5a 1018 int resp2Len;
1019
1020 // Anticollision cascade2 - respond with 2nd half of uid if asked
1021 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
f7e3ed82 1022 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
15c4dc5a 1023 int resp2aLen;
1024
1025 // Acknowledge select - cascade 1
f7e3ed82 1026 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
15c4dc5a 1027 int resp3Len;
1028
1029 // Acknowledge select - cascade 2
f7e3ed82 1030 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
15c4dc5a 1031 int resp3aLen;
1032
1033 // Response to a read request - not implemented atm
f7e3ed82 1034 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
15c4dc5a 1035 int resp4Len;
1036
1037 // Authenticate response - nonce
f7e3ed82 1038 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
15c4dc5a 1039 int resp5Len;
1040
f7e3ed82 1041 uint8_t *receivedCmd = (uint8_t *)BigBuf;
15c4dc5a 1042 int len;
1043
1044 int i;
1045 int u;
f7e3ed82 1046 uint8_t b;
15c4dc5a 1047
1048 // To control where we are in the protocol
1049 int order = 0;
1050 int lastorder;
1051
1052 // Just to allow some checks
1053 int happened = 0;
1054 int happened2 = 0;
1055
1056 int cmdsRecvd = 0;
1057
f7e3ed82 1058 int fdt_indicator;
15c4dc5a 1059
1060 memset(receivedCmd, 0x44, 400);
1061
1062 // Prepare the responses of the anticollision phase
1063 // there will be not enough time to do this at the moment the reader sends it REQA
1064
1065 // Answer to request
1066 CodeIso14443aAsTag(response1, sizeof(response1));
1067 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1068
1069 // Send our UID (cascade 1)
1070 CodeIso14443aAsTag(response2, sizeof(response2));
1071 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1072
1073 // Answer to select (cascade1)
1074 CodeIso14443aAsTag(response3, sizeof(response3));
1075 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1076
1077 // Send the cascade 2 2nd part of the uid
1078 CodeIso14443aAsTag(response2a, sizeof(response2a));
1079 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1080
1081 // Answer to select (cascade 2)
1082 CodeIso14443aAsTag(response3a, sizeof(response3a));
1083 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1084
1085 // Strange answer is an example of rare message size (3 bits)
1086 CodeStrangeAnswer();
1087 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1088
1089 // Authentication answer (random nonce)
1090 CodeIso14443aAsTag(response5, sizeof(response5));
1091 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1092
1093 // We need to listen to the high-frequency, peak-detected path.
1094 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1095 FpgaSetupSsc();
1096
1097 cmdsRecvd = 0;
1098
1099 LED_A_ON();
1100 for(;;) {
1101
1102 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1103 DbpString("button press");
1104 break;
1105 }
1106 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1107 // Okay, look at the command now.
1108 lastorder = order;
1109 i = 1; // first byte transmitted
1110 if(receivedCmd[0] == 0x26) {
1111 // Received a REQUEST
1112 resp = resp1; respLen = resp1Len; order = 1;
1113 //DbpString("Hello request from reader:");
1114 } else if(receivedCmd[0] == 0x52) {
1115 // Received a WAKEUP
1116 resp = resp1; respLen = resp1Len; order = 6;
1117// //DbpString("Wakeup request from reader:");
1118
1119 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1120 // Received request for UID (cascade 1)
1121 resp = resp2; respLen = resp2Len; order = 2;
1122// DbpString("UID (cascade 1) request from reader:");
1123// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1124
1125
1126 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1127 // Received request for UID (cascade 2)
1128 resp = resp2a; respLen = resp2aLen; order = 20;
1129// DbpString("UID (cascade 2) request from reader:");
1130// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1131
1132
1133 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1134 // Received a SELECT
1135 resp = resp3; respLen = resp3Len; order = 3;
1136// DbpString("Select (cascade 1) request from reader:");
1137// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1138
1139
1140 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1141 // Received a SELECT
1142 resp = resp3a; respLen = resp3aLen; order = 30;
1143// DbpString("Select (cascade 2) request from reader:");
1144// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1145
1146
1147 } else if(receivedCmd[0] == 0x30) {
1148 // Received a READ
1149 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1150 Dbprintf("Read request from reader: %x %x %x",
1151 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1152
1153
1154 } else if(receivedCmd[0] == 0x50) {
1155 // Received a HALT
1156 resp = resp1; respLen = 0; order = 5; // Do nothing
1157 DbpString("Reader requested we HALT!:");
1158
1159 } else if(receivedCmd[0] == 0x60) {
1160 // Received an authentication request
1161 resp = resp5; respLen = resp5Len; order = 7;
1162 Dbprintf("Authenticate request from reader: %x %x %x",
1163 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1164
1165 } else if(receivedCmd[0] == 0xE0) {
1166 // Received a RATS request
1167 resp = resp1; respLen = 0;order = 70;
1168 Dbprintf("RATS request from reader: %x %x %x",
1169 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1170 } else {
1171 // Never seen this command before
1172 Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
1173 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1174 receivedCmd[3], receivedCmd[3], receivedCmd[4],
1175 receivedCmd[5], receivedCmd[6], receivedCmd[7]);
1176 // Do not respond
1177 resp = resp1; respLen = 0; order = 0;
1178 }
1179
1180 // Count number of wakeups received after a halt
1181 if(order == 6 && lastorder == 5) { happened++; }
1182
1183 // Count number of other messages after a halt
1184 if(order != 6 && lastorder == 5) { happened2++; }
1185
1186 // Look at last parity bit to determine timing of answer
1187 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1188 // 1236, so correction bit needed
1189 i = 0;
1190 }
1191
1192 memset(receivedCmd, 0x44, 32);
1193
1194 if(cmdsRecvd > 999) {
1195 DbpString("1000 commands later...");
1196 break;
1197 }
1198 else {
1199 cmdsRecvd++;
1200 }
1201
1202 if(respLen <= 0) continue;
1203
1204 // Modulate Manchester
1205 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1206 AT91C_BASE_SSC->SSC_THR = 0x00;
1207 FpgaSetupSsc();
1208
1209 // ### Transmit the response ###
1210 u = 0;
1211 b = 0x00;
1212 fdt_indicator = FALSE;
1213 for(;;) {
1214 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1215 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1216 (void)b;
1217 }
1218 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1219 if(i > respLen) {
1220 b = 0x00;
1221 u++;
1222 } else {
1223 b = resp[i];
1224 i++;
1225 }
1226 AT91C_BASE_SSC->SSC_THR = b;
1227
1228 if(u > 4) {
1229 break;
1230 }
1231 }
1232 if(BUTTON_PRESS()) {
1233 break;
1234 }
1235 }
1236
1237 }
1238
1239 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1240 LED_A_OFF();
1241}
1242
1243//-----------------------------------------------------------------------------
1244// Transmit the command (to the tag) that was placed in ToSend[].
1245//-----------------------------------------------------------------------------
f7e3ed82 1246static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
15c4dc5a 1247{
1248 int c;
e30c654b 1249
15c4dc5a 1250 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1251
15c4dc5a 1252 if (wait)
1253 if(*wait < 10)
1254 *wait = 10;
e30c654b 1255
15c4dc5a 1256 for(c = 0; c < *wait;) {
1257 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1258 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1259 c++;
1260 }
1261 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1262 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1263 (void)r;
1264 }
1265 WDT_HIT();
1266 }
e30c654b 1267
15c4dc5a 1268 c = 0;
1269 for(;;) {
1270 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1271 AT91C_BASE_SSC->SSC_THR = cmd[c];
1272 c++;
1273 if(c >= len) {
1274 break;
1275 }
1276 }
1277 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1278 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1279 (void)r;
1280 }
1281 WDT_HIT();
1282 }
1283 if (samples) *samples = (c + *wait) << 3;
1284}
1285
1286//-----------------------------------------------------------------------------
1287// To generate an arbitrary stream from reader
1288//
1289//-----------------------------------------------------------------------------
f7e3ed82 1290void ArbitraryFromReader(const uint8_t *cmd, int parity, int len)
15c4dc5a 1291{
1292 int i;
1293 int j;
1294 int last;
f7e3ed82 1295 uint8_t b;
15c4dc5a 1296
1297 ToSendReset();
1298
1299 // Start of Communication (Seq. Z)
1300 Sequence(SEC_Z);
1301 last = 0;
1302
1303 for(i = 0; i < len; i++) {
1304 // Data bits
1305 b = cmd[i];
1306 for(j = 0; j < 8; j++) {
1307 if(b & 1) {
1308 // Sequence X
1309 Sequence(SEC_X);
1310 last = 1;
1311 } else {
1312 if(last == 0) {
1313 // Sequence Z
1314 Sequence(SEC_Z);
1315 }
1316 else {
1317 // Sequence Y
1318 Sequence(SEC_Y);
1319 last = 0;
1320 }
1321 }
1322 b >>= 1;
1323
1324 }
1325
1326 // Predefined parity bit, the flipper flips when needed, because of flips in byte sent
1327 if(((parity >> (len - i - 1)) & 1)) {
1328 // Sequence X
1329 Sequence(SEC_X);
1330 last = 1;
1331 } else {
1332 if(last == 0) {
1333 // Sequence Z
1334 Sequence(SEC_Z);
1335 }
1336 else {
1337 // Sequence Y
1338 Sequence(SEC_Y);
1339 last = 0;
1340 }
1341 }
1342 }
1343
1344 // End of Communication
1345 if(last == 0) {
1346 // Sequence Z
1347 Sequence(SEC_Z);
1348 }
1349 else {
1350 // Sequence Y
1351 Sequence(SEC_Y);
1352 last = 0;
1353 }
1354 // Sequence Y
1355 Sequence(SEC_Y);
1356
1357 // Just to be sure!
1358 Sequence(SEC_Y);
1359 Sequence(SEC_Y);
1360 Sequence(SEC_Y);
1361
1362 // Convert from last character reference to length
1363 ToSendMax++;
1364}
1365
1366//-----------------------------------------------------------------------------
1367// Code a 7-bit command without parity bit
1368// This is especially for 0x26 and 0x52 (REQA and WUPA)
1369//-----------------------------------------------------------------------------
f7e3ed82 1370void ShortFrameFromReader(const uint8_t bt)
15c4dc5a 1371{
1372 int j;
1373 int last;
f7e3ed82 1374 uint8_t b;
15c4dc5a 1375
1376 ToSendReset();
1377
1378 // Start of Communication (Seq. Z)
1379 Sequence(SEC_Z);
1380 last = 0;
1381
1382 b = bt;
1383 for(j = 0; j < 7; j++) {
1384 if(b & 1) {
1385 // Sequence X
1386 Sequence(SEC_X);
1387 last = 1;
1388 } else {
1389 if(last == 0) {
1390 // Sequence Z
1391 Sequence(SEC_Z);
1392 }
1393 else {
1394 // Sequence Y
1395 Sequence(SEC_Y);
1396 last = 0;
1397 }
1398 }
1399 b >>= 1;
1400 }
1401
1402 // End of Communication
1403 if(last == 0) {
1404 // Sequence Z
1405 Sequence(SEC_Z);
1406 }
1407 else {
1408 // Sequence Y
1409 Sequence(SEC_Y);
1410 last = 0;
1411 }
1412 // Sequence Y
1413 Sequence(SEC_Y);
1414
1415 // Just to be sure!
1416 Sequence(SEC_Y);
1417 Sequence(SEC_Y);
1418 Sequence(SEC_Y);
1419
1420 // Convert from last character reference to length
1421 ToSendMax++;
1422}
1423
1424//-----------------------------------------------------------------------------
1425// Prepare reader command to send to FPGA
e30c654b 1426//
15c4dc5a 1427//-----------------------------------------------------------------------------
f7e3ed82 1428void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
15c4dc5a 1429{
1430 int i, j;
1431 int last;
f7e3ed82 1432 uint8_t b;
e30c654b 1433
15c4dc5a 1434 ToSendReset();
e30c654b 1435
15c4dc5a 1436 // Start of Communication (Seq. Z)
1437 Sequence(SEC_Z);
1438 last = 0;
e30c654b 1439
15c4dc5a 1440 // Generate send structure for the data bits
1441 for (i = 0; i < len; i++) {
1442 // Get the current byte to send
1443 b = cmd[i];
e30c654b 1444
15c4dc5a 1445 for (j = 0; j < 8; j++) {
1446 if (b & 1) {
1447 // Sequence X
1448 Sequence(SEC_X);
1449 last = 1;
1450 } else {
1451 if (last == 0) {
1452 // Sequence Z
1453 Sequence(SEC_Z);
1454 } else {
1455 // Sequence Y
1456 Sequence(SEC_Y);
1457 last = 0;
1458 }
1459 }
1460 b >>= 1;
1461 }
e30c654b 1462
15c4dc5a 1463 // Get the parity bit
1464 if ((dwParity >> i) & 0x01) {
1465 // Sequence X
1466 Sequence(SEC_X);
1467 last = 1;
1468 } else {
1469 if (last == 0) {
1470 // Sequence Z
1471 Sequence(SEC_Z);
1472 } else {
1473 // Sequence Y
1474 Sequence(SEC_Y);
1475 last = 0;
1476 }
1477 }
1478 }
e30c654b 1479
15c4dc5a 1480 // End of Communication
1481 if (last == 0) {
1482 // Sequence Z
1483 Sequence(SEC_Z);
1484 } else {
1485 // Sequence Y
1486 Sequence(SEC_Y);
1487 last = 0;
1488 }
1489 // Sequence Y
1490 Sequence(SEC_Y);
e30c654b 1491
15c4dc5a 1492 // Just to be sure!
1493 Sequence(SEC_Y);
1494 Sequence(SEC_Y);
1495 Sequence(SEC_Y);
e30c654b 1496
15c4dc5a 1497 // Convert from last character reference to length
1498 ToSendMax++;
1499}
1500
1501//-----------------------------------------------------------------------------
1502// Wait a certain time for tag response
1503// If a response is captured return TRUE
1504// If it takes to long return FALSE
1505//-----------------------------------------------------------------------------
f7e3ed82 1506static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1507{
1508 // buffer needs to be 512 bytes
1509 int c;
1510
1511 // Set FPGA mode to "reader listen mode", no modulation (listen
1512 // only, since we are receiving, not transmitting).
1513 // Signal field is on with the appropriate LED
1514 LED_D_ON();
1515 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1516
1517 // Now get the answer from the card
1518 Demod.output = receivedResponse;
1519 Demod.len = 0;
1520 Demod.state = DEMOD_UNSYNCD;
1521
f7e3ed82 1522 uint8_t b;
15c4dc5a 1523 if (elapsed) *elapsed = 0;
1524
1525 c = 0;
1526 for(;;) {
1527 WDT_HIT();
1528
1529 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1530 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1531 if (elapsed) (*elapsed)++;
1532 }
1533 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1534 if(c < 512) { c++; } else { return FALSE; }
f7e3ed82 1535 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1536 if(ManchesterDecoding((b & 0xf0) >> 4)) {
1537 *samples = ((c - 1) << 3) + 4;
1538 return TRUE;
1539 }
1540 if(ManchesterDecoding(b & 0x0f)) {
1541 *samples = c << 3;
1542 return TRUE;
1543 }
1544 }
1545 }
1546}
1547
f7e3ed82 1548void ReaderTransmitShort(const uint8_t* bt)
15c4dc5a 1549{
1550 int wait = 0;
1551 int samples = 0;
1552
1553 ShortFrameFromReader(*bt);
e30c654b 1554
15c4dc5a 1555 // Select the card
e30c654b 1556 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1557
15c4dc5a 1558 // Store reader command in buffer
1559 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1560}
1561
f7e3ed82 1562void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
15c4dc5a 1563{
1564 int wait = 0;
1565 int samples = 0;
e30c654b 1566
15c4dc5a 1567 // This is tied to other size changes
f7e3ed82 1568 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
15c4dc5a 1569 CodeIso14443aAsReaderPar(frame,len,par);
e30c654b 1570
15c4dc5a 1571 // Select the card
e30c654b 1572 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1573
15c4dc5a 1574 // Store reader command in buffer
1575 if (tracing) LogTrace(frame,len,0,par,TRUE);
1576}
1577
1578
f7e3ed82 1579void ReaderTransmit(uint8_t* frame, int len)
15c4dc5a 1580{
1581 // Generate parity and redirect
1582 ReaderTransmitPar(frame,len,GetParity(frame,len));
1583}
1584
f7e3ed82 1585int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1586{
1587 int samples = 0;
1588 if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
1589 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1590 return TRUE;
1591}
1592
1593//-----------------------------------------------------------------------------
1594// Read an ISO 14443a tag. Send out commands and store answers.
1595//
1596//-----------------------------------------------------------------------------
f7e3ed82 1597void ReaderIso14443a(uint32_t parameter)
15c4dc5a 1598{
1599 // Anticollision
f7e3ed82 1600 uint8_t wupa[] = { 0x52 };
1601 uint8_t sel_all[] = { 0x93,0x20 };
1602 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1603 uint8_t sel_all_c2[] = { 0x95,0x20 };
1604 uint8_t sel_uid_c2[] = { 0x95,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
15c4dc5a 1605
1606 // Mifare AUTH
f7e3ed82 1607 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1608// uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00 };
e30c654b 1609
f7e3ed82 1610 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1611 traceLen = 0;
1612
1613 // Setup SSC
1614 FpgaSetupSsc();
1615
1616 // Start from off (no field generated)
1617 // Signal field is off with the appropriate LED
1618 LED_D_OFF();
1619 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1620 SpinDelay(200);
1621
1622 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1623 FpgaSetupSsc();
1624
1625 // Now give it time to spin up.
1626 // Signal field is on with the appropriate LED
1627 LED_D_ON();
1628 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1629 SpinDelay(200);
1630
1631 LED_A_ON();
1632 LED_B_OFF();
1633 LED_C_OFF();
1634
1635 while(traceLen < TRACE_LENGTH)
1636 {
1637 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1638 ReaderTransmitShort(wupa);
e30c654b 1639
15c4dc5a 1640 // Test if the action was cancelled
1641 if(BUTTON_PRESS()) {
1642 break;
1643 }
e30c654b 1644
15c4dc5a 1645 // Receive the ATQA
1646 if (!ReaderReceive(receivedAnswer)) continue;
1647
1648 // Transmit SELECT_ALL
1649 ReaderTransmit(sel_all,sizeof(sel_all));
1650
1651 // Receive the UID
1652 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1653
15c4dc5a 1654 // Construct SELECT UID command
1655 // First copy the 5 bytes (Mifare Classic) after the 93 70
1656 memcpy(sel_uid+2,receivedAnswer,5);
1657 // Secondly compute the two CRC bytes at the end
1658 AppendCrc14443a(sel_uid,7);
1659
1660 // Transmit SELECT_UID
1661 ReaderTransmit(sel_uid,sizeof(sel_uid));
e30c654b 1662
15c4dc5a 1663 // Receive the SAK
1664 if (!ReaderReceive(receivedAnswer)) continue;
1665
1666 // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in
1667 // which case we need to make a cascade 2 request and select - this is a long UID
e30c654b 1668 // When the UID is not complete, the 3nd bit (from the right) is set in the SAK.
15c4dc5a 1669 if (receivedAnswer[0] &= 0x04)
1670 {
1671 // Transmit SELECT_ALL
1672 ReaderTransmit(sel_all_c2,sizeof(sel_all_c2));
e30c654b 1673
15c4dc5a 1674 // Receive the UID
1675 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1676
15c4dc5a 1677 // Construct SELECT UID command
1678 memcpy(sel_uid_c2+2,receivedAnswer,5);
1679 // Secondly compute the two CRC bytes at the end
1680 AppendCrc14443a(sel_uid_c2,7);
e30c654b 1681
15c4dc5a 1682 // Transmit SELECT_UID
1683 ReaderTransmit(sel_uid_c2,sizeof(sel_uid_c2));
e30c654b 1684
15c4dc5a 1685 // Receive the SAK
1686 if (!ReaderReceive(receivedAnswer)) continue;
1687 }
1688
1689 // Transmit MIFARE_CLASSIC_AUTH
1690 ReaderTransmit(mf_auth,sizeof(mf_auth));
1691
1692 // Receive the (16 bit) "random" nonce
1693 if (!ReaderReceive(receivedAnswer)) continue;
1694 }
1695
1696 // Thats it...
1697 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1698 LEDsoff();
1699 Dbprintf("%x %x %x", rsamples, 0xCC, 0xCC);
1700 DbpString("ready..");
1701}
1702
1703//-----------------------------------------------------------------------------
1704// Read an ISO 14443a tag. Send out commands and store answers.
1705//
1706//-----------------------------------------------------------------------------
f7e3ed82 1707void ReaderMifare(uint32_t parameter)
15c4dc5a 1708{
e30c654b 1709
15c4dc5a 1710 // Anticollision
f7e3ed82 1711 uint8_t wupa[] = { 0x52 };
1712 uint8_t sel_all[] = { 0x93,0x20 };
1713 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1714
15c4dc5a 1715 // Mifare AUTH
f7e3ed82 1716 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1717 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1718
f7e3ed82 1719 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1720 traceLen = 0;
1721 tracing = false;
e30c654b 1722
15c4dc5a 1723 // Setup SSC
1724 FpgaSetupSsc();
e30c654b 1725
15c4dc5a 1726 // Start from off (no field generated)
1727 // Signal field is off with the appropriate LED
1728 LED_D_OFF();
1729 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1730 SpinDelay(200);
e30c654b 1731
15c4dc5a 1732 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1733 FpgaSetupSsc();
e30c654b 1734
15c4dc5a 1735 // Now give it time to spin up.
1736 // Signal field is on with the appropriate LED
1737 LED_D_ON();
1738 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1739 SpinDelay(200);
e30c654b 1740
15c4dc5a 1741 LED_A_ON();
1742 LED_B_OFF();
1743 LED_C_OFF();
e30c654b 1744
15c4dc5a 1745 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1746 ReaderTransmitShort(wupa);
1747 // Receive the ATQA
1748 ReaderReceive(receivedAnswer);
1749 // Transmit SELECT_ALL
1750 ReaderTransmit(sel_all,sizeof(sel_all));
1751 // Receive the UID
1752 ReaderReceive(receivedAnswer);
1753 // Construct SELECT UID command
1754 // First copy the 5 bytes (Mifare Classic) after the 93 70
1755 memcpy(sel_uid+2,receivedAnswer,5);
1756 // Secondly compute the two CRC bytes at the end
1757 AppendCrc14443a(sel_uid,7);
e30c654b 1758
15c4dc5a 1759 byte_t nt_diff = 0;
1760 LED_A_OFF();
1761 byte_t par = 0;
1762 byte_t par_mask = 0xff;
1763 byte_t par_low = 0;
f7e3ed82 1764 int led_on = TRUE;
e30c654b 1765
15c4dc5a 1766 tracing = FALSE;
1767 byte_t nt[4];
1768 byte_t nt_attacked[4];
1769 byte_t par_list[8];
1770 byte_t ks_list[8];
1771 num_to_bytes(parameter,4,nt_attacked);
1772
1773 while(TRUE)
1774 {
1775 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1776 SpinDelay(200);
1777 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1778
15c4dc5a 1779 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1780 ReaderTransmitShort(wupa);
e30c654b 1781
15c4dc5a 1782 // Test if the action was cancelled
1783 if(BUTTON_PRESS()) {
1784 break;
1785 }
e30c654b 1786
15c4dc5a 1787 // Receive the ATQA
1788 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1789
15c4dc5a 1790 // Transmit SELECT_ALL
1791 ReaderTransmit(sel_all,sizeof(sel_all));
e30c654b 1792
15c4dc5a 1793 // Receive the UID
1794 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1795
15c4dc5a 1796 // Transmit SELECT_UID
1797 ReaderTransmit(sel_uid,sizeof(sel_uid));
e30c654b 1798
15c4dc5a 1799 // Receive the SAK
1800 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1801
15c4dc5a 1802 // Transmit MIFARE_CLASSIC_AUTH
1803 ReaderTransmit(mf_auth,sizeof(mf_auth));
e30c654b 1804
15c4dc5a 1805 // Receive the (16 bit) "random" nonce
1806 if (!ReaderReceive(receivedAnswer)) continue;
1807 memcpy(nt,receivedAnswer,4);
1808
1809 // Transmit reader nonce and reader answer
1810 ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par);
e30c654b 1811
15c4dc5a 1812 // Receive 4 bit answer
1813 if (ReaderReceive(receivedAnswer))
1814 {
e30c654b 1815 if (nt_diff == 0)
15c4dc5a 1816 {
1817 LED_A_ON();
1818 memcpy(nt_attacked,nt,4);
1819 par_mask = 0xf8;
1820 par_low = par & 0x07;
1821 }
1822
1823 if (memcmp(nt,nt_attacked,4) != 0) continue;
1824
1825 led_on = !led_on;
1826 if(led_on) LED_B_ON(); else LED_B_OFF();
1827 par_list[nt_diff] = par;
1828 ks_list[nt_diff] = receivedAnswer[0]^0x05;
e30c654b 1829
15c4dc5a 1830 // Test if the information is complete
1831 if (nt_diff == 0x07) break;
e30c654b 1832
15c4dc5a 1833 nt_diff = (nt_diff+1) & 0x07;
1834 mf_nr_ar[3] = nt_diff << 5;
1835 par = par_low;
1836 } else {
1837 if (nt_diff == 0)
1838 {
1839 par++;
1840 } else {
1841 par = (((par>>3)+1) << 3) | par_low;
1842 }
1843 }
1844 }
e30c654b 1845
15c4dc5a 1846 LogTraceInfo(sel_uid+2,4);
1847 LogTraceInfo(nt,4);
1848 LogTraceInfo(par_list,8);
1849 LogTraceInfo(ks_list,8);
e30c654b 1850
15c4dc5a 1851 // Thats it...
1852 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1853 LEDsoff();
1854 tracing = TRUE;
1855}
Proxmark3 GIT tracking
Impressum, Datenschutz