]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/appmain.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
CHG: Added calling clear bigbuff to zero out it also, instead of just "free" it.
[proxmark3-svn] / armsrc / appmain.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
15c4dc5a 2// Jonathan Westhues, Mar 2006
3// Edits by Gerhard de Koning Gans, Sep 2007 (##)
bd20f8f4 4//
5// This code is licensed to you under the terms of the GNU GPL, version 2 or,
6// at your option, any later version. See the LICENSE.txt file for the text of
7// the license.
8//-----------------------------------------------------------------------------
9// The main application code. This is the first thing called after start.c
10// executes.
15c4dc5a 11//-----------------------------------------------------------------------------
12
c3c241f3 13#include "usb_cdc.h"
14#include "cmd.h"
15
16#include "proxmark3.h"
15c4dc5a 17#include "apps.h"
f7e3ed82 18#include "util.h"
9ab7a6c7 19#include "printf.h"
20#include "string.h"
22e24700 21
9ab7a6c7 22#include <stdarg.h>
22e24700 23
15c4dc5a 24#include "legicrf.h"
0db11b71 25#include "hitag2.h"
26#include "hitagS.h"
31abe49f 27#include "lfsampling.h"
3000dc4e 28#include "BigBuf.h"
7838f4be 29#include "mifareutil.h"
36804420 30#include "pcf7931.h"
15c4dc5a 31#ifdef WITH_LCD
902cb3c0 32 #include "LCD.h"
15c4dc5a 33#endif
34
7838f4be 35// Craig Young - 14a stand-alone code
36#ifdef WITH_ISO14443a_StandAlone
37 #include "iso14443a.h"
c2731f37 38 #include "protocols.h"
7838f4be 39#endif
40
15c4dc5a 41#define abs(x) ( ((x)<0) ? -(x) : (x) )
42
43//=============================================================================
44// A buffer where we can queue things up to be sent through the FPGA, for
45// any purpose (fake tag, as reader, whatever). We go MSB first, since that
46// is the order in which they go out on the wire.
47//=============================================================================
48
6a1f2d82 49#define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
a501c82b 50uint8_t ToSend[TOSEND_BUFFER_SIZE];
7838f4be 51int ToSendMax = 0;
15c4dc5a 52static int ToSendBit;
53struct common_area common_area __attribute__((section(".commonarea")));
54
15c4dc5a 55void ToSendReset(void)
56{
57 ToSendMax = -1;
58 ToSendBit = 8;
59}
60
da198be4 61void ToSendStuffBit(int b) {
15c4dc5a 62 if(ToSendBit >= 8) {
da198be4 63 ++ToSendMax;
15c4dc5a 64 ToSend[ToSendMax] = 0;
65 ToSendBit = 0;
66 }
67
da198be4 68 if(b)
15c4dc5a 69 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
15c4dc5a 70
da198be4 71 ++ToSendBit;
15c4dc5a 72
6a1f2d82 73 if(ToSendMax >= sizeof(ToSend)) {
15c4dc5a 74 ToSendBit = 0;
75 DbpString("ToSendStuffBit overflowed!");
76 }
77}
78
79//=============================================================================
80// Debug print functions, to go out over USB, to the usual PC-side client.
81//=============================================================================
82
38e41917 83void DbpStringEx(char *str, uint32_t cmd){
84 byte_t len = strlen(str);
85 cmd_send(CMD_DEBUG_PRINT_STRING,len, cmd,0,(byte_t*)str,len);
86}
87
da198be4 88void DbpString(char *str) {
38e41917 89 DbpStringEx(str, 0);
15c4dc5a 90}
91
92#if 0
da198be4 93void DbpIntegers(int x1, int x2, int x3) {
38e41917 94 cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
15c4dc5a 95}
96#endif
38e41917 97void DbprintfEx(uint32_t cmd, const char *fmt, ...) {
98 // should probably limit size here; oh well, let's just use a big buffer
99 char output_string[128] = {0x00};
100 va_list ap;
101
102 va_start(ap, fmt);
103 kvsprintf(fmt, output_string, 10, ap);
104 va_end(ap);
105
106 DbpStringEx(output_string, cmd);
107}
15c4dc5a 108
109void Dbprintf(const char *fmt, ...) {
da198be4 110 // should probably limit size here; oh well, let's just use a big buffer
111 char output_string[128] = {0x00};
15c4dc5a 112 va_list ap;
113
114 va_start(ap, fmt);
115 kvsprintf(fmt, output_string, 10, ap);
116 va_end(ap);
e30c654b 117
15c4dc5a 118 DbpString(output_string);
119}
120
9455b51c 121// prints HEX & ASCII
d19929cb 122void Dbhexdump(int len, uint8_t *d, bool bAsci) {
da198be4 123 int l=0, i;
9455b51c 124 char ascii[9];
d19929cb 125
9455b51c 126 while (len>0) {
da198be4 127
128 l = (len>8) ? 8 : len;
9455b51c 129
130 memcpy(ascii,d,l);
d19929cb 131 ascii[l]=0;
9455b51c 132
133 // filter safe ascii
da198be4 134 for (i=0; i<l; ++i)
9455b51c 135 if (ascii[i]<32 || ascii[i]>126) ascii[i]='.';
d19929cb 136
da198be4 137 if (bAsci)
d19929cb 138 Dbprintf("%-8s %*D",ascii,l,d," ");
da198be4 139 else
d19929cb 140 Dbprintf("%*D",l,d," ");
d19929cb 141
da198be4 142 len -= 8;
143 d += 8;
9455b51c 144 }
145}
146
15c4dc5a 147//-----------------------------------------------------------------------------
148// Read an ADC channel and block till it completes, then return the result
149// in ADC units (0 to 1023). Also a routine to average 32 samples and
150// return that.
151//-----------------------------------------------------------------------------
152static int ReadAdc(int ch)
153{
f7e3ed82 154 uint32_t d;
15c4dc5a 155
156 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
157 AT91C_BASE_ADC->ADC_MR =
3b692427 158 ADC_MODE_PRESCALE(63 /* was 32 */) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
159 ADC_MODE_STARTUP_TIME(1 /* was 16 */) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
160 ADC_MODE_SAMPLE_HOLD_TIME(15 /* was 8 */); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
161
162 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
163 // Both AMPL_LO and AMPL_HI are very high impedance (10MOhm) outputs, the input capacitance of the ADC is 12pF (typical). This results in a time constant
164 // of RC = 10MOhm * 12pF = 120us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
165 //
166 // The maths are:
167 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
168 //
169 // v_cap = v_in * (1 - exp(-RC/SHTIM)) = v_in * (1 - exp(-3)) = v_in * 0,95 (i.e. an error of 5%)
170 //
171 // Note: with the "historic" values in the comments above, the error was 34% !!!
172
15c4dc5a 173 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
174
175 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
3b692427 176
da198be4 177 while (!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch))) ;
178
15c4dc5a 179 d = AT91C_BASE_ADC->ADC_CDR[ch];
15c4dc5a 180 return d;
181}
182
9ca155ba 183int AvgAdc(int ch) // was static - merlok
15c4dc5a 184{
185 int i;
186 int a = 0;
187
da198be4 188 for(i = 0; i < 32; ++i)
15c4dc5a 189 a += ReadAdc(ch);
15c4dc5a 190
191 return (a + 15) >> 5;
192}
193
da198be4 194void MeasureAntennaTuning(void) {
d3499d36 195 uint8_t LF_Results[256];
9f693930 196 int i, adcval = 0, peak = 0, peakv = 0, peakf = 0; //ptr = 0
15c4dc5a 197 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
198
7838f4be 199 LED_B_ON();
15c4dc5a 200
201/*
202 * Sweeps the useful LF range of the proxmark from
203 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
204 * read the voltage in the antenna, the result left
205 * in the buffer is a graph which should clearly show
206 * the resonating frequency of your LF antenna
207 * ( hopefully around 95 if it is tuned to 125kHz!)
208 */
d19929cb 209
7cc204bf 210 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
b014c96d 211 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
da198be4 212
d3499d36 213 for (i=255; i>=19; i--) {
da198be4 214 WDT_HIT();
15c4dc5a 215 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
216 SpinDelay(20);
3b692427 217 adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
15c4dc5a 218 if (i==95) vLf125 = adcval; // voltage at 125Khz
219 if (i==89) vLf134 = adcval; // voltage at 134Khz
220
d3499d36 221 LF_Results[i] = adcval>>8; // scale int to fit in byte for graphing purposes
222 if(LF_Results[i] > peak) {
15c4dc5a 223 peakv = adcval;
d3499d36 224 peak = LF_Results[i];
15c4dc5a 225 peakf = i;
9f693930 226 //ptr = i;
15c4dc5a 227 }
228 }
229
d3499d36 230 for (i=18; i >= 0; i--) LF_Results[i] = 0;
231
7838f4be 232 LED_A_ON();
15c4dc5a 233 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
7838f4be 234 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
15c4dc5a 235 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
236 SpinDelay(20);
3b692427 237 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
15c4dc5a 238
3b692427 239 cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125 | (vLf134<<16), vHf, peakf | (peakv<<16), LF_Results, 256);
d19929cb 240 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
da198be4 241
242 LEDsoff();
15c4dc5a 243}
244
da198be4 245void MeasureAntennaTuningHf(void) {
15c4dc5a 246 int vHf = 0; // in mV
3b692427 247 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
248 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
249 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
250
38e41917 251 while ( !BUTTON_PRESS() ){
15c4dc5a 252 SpinDelay(20);
3b692427 253 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
38e41917 254 //Dbprintf("%d mV",vHf);
255 DbprintfEx(CMD_MEASURE_ANTENNA_TUNING_HF, "%d mV",vHf);
15c4dc5a 256 }
3b692427 257 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
38e41917 258 DbpString("cancelled");
15c4dc5a 259}
260
261
da198be4 262void ReadMem(int addr) {
f7e3ed82 263 const uint8_t *data = ((uint8_t *)addr);
15c4dc5a 264
265 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
266 addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
267}
268
269/* osimage version information is linked in */
270extern struct version_information version_information;
271/* bootrom version information is pointed to from _bootphase1_version_pointer */
9783989b 272extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
15c4dc5a 273void SendVersion(void)
274{
9783989b 275 char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
276 char VersionString[USB_CMD_DATA_SIZE] = { '\0' };
e30c654b 277
278 /* Try to find the bootrom version information. Expect to find a pointer at
15c4dc5a 279 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
280 * pointer, then use it.
281 */
282 char *bootrom_version = *(char**)&_bootphase1_version_pointer;
da198be4 283
15c4dc5a 284 if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
9783989b 285 strcat(VersionString, "bootrom version information appears invalid\n");
15c4dc5a 286 } else {
287 FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
9783989b 288 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
15c4dc5a 289 }
e30c654b 290
15c4dc5a 291 FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
9783989b 292 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
e30c654b 293
9783989b 294 FpgaGatherVersion(FPGA_BITSTREAM_LF, temp, sizeof(temp));
295 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
da198be4 296
9783989b 297 FpgaGatherVersion(FPGA_BITSTREAM_HF, temp, sizeof(temp));
298 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
299
300 // Send Chip ID and used flash memory
301 uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
302 uint32_t compressed_data_section_size = common_area.arg1;
303 cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, 0, VersionString, strlen(VersionString));
15c4dc5a 304}
f62b5e12 305
306// measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
307// Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
0de8e387 308void printUSBSpeed(void)
f62b5e12 309{
310 Dbprintf("USB Speed:");
0de8e387 311 Dbprintf(" Sending USB packets to client...");
f62b5e12 312
0de8e387 313 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
f62b5e12 314 uint8_t *test_data = BigBuf_get_addr();
0de8e387 315 uint32_t end_time;
f62b5e12 316
0de8e387 317 uint32_t start_time = end_time = GetTickCount();
318 uint32_t bytes_transferred = 0;
f62b5e12 319
320 LED_B_ON();
0de8e387 321 while(end_time < start_time + USB_SPEED_TEST_MIN_TIME) {
322 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE);
323 end_time = GetTickCount();
324 bytes_transferred += USB_CMD_DATA_SIZE;
f62b5e12 325 }
326 LED_B_OFF();
327
0de8e387 328 Dbprintf(" Time elapsed: %dms", end_time - start_time);
329 Dbprintf(" Bytes transferred: %d", bytes_transferred);
330 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
331 1000 * bytes_transferred / (end_time - start_time));
f62b5e12 332
333}
334
7838f4be 335/**
336 * Prints runtime information about the PM3.
337**/
da198be4 338void SendStatus(void) {
7838f4be 339 BigBuf_print_status();
340 Fpga_print_status();
341 printConfig(); //LF Sampling config
0de8e387 342 printUSBSpeed();
7838f4be 343 Dbprintf("Various");
f62b5e12 344 Dbprintf(" MF_DBGLEVEL........%d", MF_DBGLEVEL);
345 Dbprintf(" ToSendMax..........%d", ToSendMax);
346 Dbprintf(" ToSendBit..........%d", ToSendBit);
347 Dbprintf(" ToSend BUFFERSIZE..%d", TOSEND_BUFFER_SIZE);
348
349 cmd_send(CMD_ACK,1,0,0,0,0);
7838f4be 350}
15c4dc5a 351
7838f4be 352#if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF)
15c4dc5a 353
7838f4be 354#define OPTS 2
7838f4be 355void StandAloneMode()
356{
357 DbpString("Stand-alone mode! No PC necessary.");
15c4dc5a 358 // Oooh pretty -- notify user we're in elite samy mode now
359 LED(LED_RED, 200);
360 LED(LED_ORANGE, 200);
361 LED(LED_GREEN, 200);
362 LED(LED_ORANGE, 200);
363 LED(LED_RED, 200);
364 LED(LED_ORANGE, 200);
365 LED(LED_GREEN, 200);
366 LED(LED_ORANGE, 200);
367 LED(LED_RED, 200);
7838f4be 368}
7838f4be 369#endif
370
7838f4be 371#ifdef WITH_ISO14443a_StandAlone
372void StandAloneMode14a()
373{
374 StandAloneMode();
375 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
376
377 int selected = 0;
0db6ed9a 378 int playing = 0, iGotoRecord = 0, iGotoClone = 0;
7838f4be 379 int cardRead[OPTS] = {0};
380 uint8_t readUID[10] = {0};
381 uint32_t uid_1st[OPTS]={0};
382 uint32_t uid_2nd[OPTS]={0};
0db6ed9a 383 uint32_t uid_tmp1 = 0;
384 uint32_t uid_tmp2 = 0;
385 iso14a_card_select_t hi14a_card[OPTS];
7838f4be 386
c2731f37 387 uint8_t params = (MAGIC_SINGLE | MAGIC_DATAIN);
388
7838f4be 389 LED(selected + 1, 0);
390
391 for (;;)
392 {
393 usb_poll();
394 WDT_HIT();
7838f4be 395 SpinDelay(300);
396
0db6ed9a 397 if (iGotoRecord == 1 || cardRead[selected] == 0)
7838f4be 398 {
0db6ed9a 399 iGotoRecord = 0;
7838f4be 400 LEDsoff();
401 LED(selected + 1, 0);
402 LED(LED_RED2, 0);
403
404 // record
405 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected);
7838f4be 406 /* need this delay to prevent catching some weird data */
407 SpinDelay(500);
408 /* Code for reading from 14a tag */
810f5379 409 uint8_t uid[10] = {0};
410 uint32_t cuid = 0;
7838f4be 411 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
412
413 for ( ; ; )
414 {
415 WDT_HIT();
0db6ed9a 416 if (BUTTON_PRESS()) {
417 if (cardRead[selected]) {
418 Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
419 break;
420 }
421 else if (cardRead[(selected+1)%OPTS]) {
422 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS);
423 selected = (selected+1)%OPTS;
424 break; // playing = 1;
425 }
426 else {
427 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
428 SpinDelay(300);
429 }
430 }
c188b1b9 431 if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid, true, 0))
7838f4be 432 continue;
433 else
434 {
435 Dbprintf("Read UID:"); Dbhexdump(10,uid,0);
436 memcpy(readUID,uid,10*sizeof(uint8_t));
0db6ed9a 437 uint8_t *dst = (uint8_t *)&uid_tmp1;
7838f4be 438 // Set UID byte order
439 for (int i=0; i<4; i++)
440 dst[i] = uid[3-i];
0db6ed9a 441 dst = (uint8_t *)&uid_tmp2;
7838f4be 442 for (int i=0; i<4; i++)
443 dst[i] = uid[7-i];
0db6ed9a 444 if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) {
445 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
446 }
447 else {
448 if (uid_tmp2) {
449 Dbprintf("Bank[%d] received a 7-byte UID",selected);
450 uid_1st[selected] = (uid_tmp1)>>8;
451 uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8);
452 }
453 else {
454 Dbprintf("Bank[%d] received a 4-byte UID",selected);
455 uid_1st[selected] = uid_tmp1;
456 uid_2nd[selected] = uid_tmp2;
457 }
7838f4be 458 break;
459 }
460 }
0db6ed9a 461 }
462 Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]);
463 Dbprintf("SAK = %02X",hi14a_card[selected].sak);
7838f4be 464 LEDsoff();
465 LED(LED_GREEN, 200);
466 LED(LED_ORANGE, 200);
467 LED(LED_GREEN, 200);
468 LED(LED_ORANGE, 200);
469
470 LEDsoff();
471 LED(selected + 1, 0);
7838f4be 472
0db6ed9a 473 // Next state is replay:
474 playing = 1;
7838f4be 475
476 cardRead[selected] = 1;
7838f4be 477 }
0db6ed9a 478 /* MF Classic UID clone */
479 else if (iGotoClone==1)
7838f4be 480 {
0db6ed9a 481 iGotoClone=0;
c2731f37 482 LEDsoff();
483 LED(selected + 1, 0);
484 LED(LED_ORANGE, 250);
7838f4be 485
c2731f37 486 // record
487 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]);
7838f4be 488
c2731f37 489 // wait for button to be released
490 // Delay cloning until card is in place
491 while(BUTTON_PRESS())
492 WDT_HIT();
7838f4be 493
c2731f37 494 Dbprintf("Starting clone. [Bank: %u]", selected);
495 // need this delay to prevent catching some weird data
496 SpinDelay(500);
497 // Begin clone function here:
498 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
499 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {params & (0xFE | (uid == NULL ? 0:1)), blockNo, 0}};
500 memcpy(c.d.asBytes, data, 16);
501 SendCommand(&c);
502
503 Block read is similar:
504 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, blockNo, 0}};
505 We need to imitate that call with blockNo 0 to set a uid.
506
507 The get and set commands are handled in this file:
508 // Work with "magic Chinese" card
509 case CMD_MIFARE_CSETBLOCK:
510 MifareCSetBlock(c->arg[0], c->arg[1], c->d.asBytes);
511 break;
512 case CMD_MIFARE_CGETBLOCK:
513 MifareCGetBlock(c->arg[0], c->arg[1], c->d.asBytes);
514 break;
515
516 mfCSetUID provides example logic for UID set workflow:
517 -Read block0 from card in field with MifareCGetBlock()
518 -Configure new values without replacing reserved bytes
519 memcpy(block0, uid, 4); // Copy UID bytes from byte array
520 // Mifare UID BCC
521 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
522 Bytes 5-7 are reserved SAK and ATQA for mifare classic
523 -Use mfCSetBlock(0, block0, oldUID, wantWipe, MAGIC_SINGLE) to write it
524 */
525 uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0};
526 // arg0 = Flags, arg1=blockNo
527 MifareCGetBlock(params, 0, oldBlock0);
0db6ed9a 528 if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
529 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
530 playing = 1;
531 }
532 else {
c2731f37 533 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]);
534 memcpy(newBlock0,oldBlock0,16);
535 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
536
537 newBlock0[0] = uid_1st[selected]>>24;
538 newBlock0[1] = 0xFF & (uid_1st[selected]>>16);
539 newBlock0[2] = 0xFF & (uid_1st[selected]>>8);
540 newBlock0[3] = 0xFF & (uid_1st[selected]);
541 newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3];
542
543 // arg0 = workFlags, arg1 = blockNo, datain
544 MifareCSetBlock(params, 0, newBlock0);
545 MifareCGetBlock(params, 0, testBlock0);
546
547 if (memcmp(testBlock0, newBlock0, 16)==0) {
548 DbpString("Cloned successfull!");
549 cardRead[selected] = 0; // Only if the card was cloned successfully should we clear it
7838f4be 550 playing = 0;
0db6ed9a 551 iGotoRecord = 1;
c2731f37 552 selected = (selected + 1) % OPTS;
553 } else {
0db6ed9a 554 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
555 playing = 1;
556 }
557 }
558 LEDsoff();
559 LED(selected + 1, 0);
7838f4be 560 }
561 // Change where to record (or begin playing)
0db6ed9a 562 else if (playing==1) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
7838f4be 563 {
7838f4be 564 LEDsoff();
565 LED(selected + 1, 0);
566
567 // Begin transmitting
568 if (playing)
569 {
570 LED(LED_GREEN, 0);
571 DbpString("Playing");
0db6ed9a 572 for ( ; ; ) {
573 WDT_HIT();
574 int button_action = BUTTON_HELD(1000);
575 if (button_action == 0) { // No button action, proceed with sim
576 uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break
577 uint8_t flags = ( uid_2nd[selected] > 0x00 ) ? FLAG_7B_UID_IN_DATA : FLAG_4B_UID_IN_DATA;
578 num_to_bytes(uid_1st[selected], 3, data);
579 num_to_bytes(uid_2nd[selected], 4, data);
580
7838f4be 581 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected);
0db6ed9a 582 if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) {
583 DbpString("Mifare Classic");
584 SimulateIso14443aTag(1, flags, data); // Mifare Classic
585 }
586 else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) {
587 DbpString("Mifare Ultralight");
588 SimulateIso14443aTag(2, flags, data); // Mifare Ultralight
589 }
590 else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) {
591 DbpString("Mifare DESFire");
592 SimulateIso14443aTag(3, flags, data); // Mifare DESFire
593 }
594 else {
595 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
596 SimulateIso14443aTag(1, flags, data);
597 }
598 }
599 else if (button_action == BUTTON_SINGLE_CLICK) {
600 selected = (selected + 1) % OPTS;
601 Dbprintf("Done playing. Switching to record mode on bank %d",selected);
602 iGotoRecord = 1;
603 break;
604 }
605 else if (button_action == BUTTON_HOLD) {
606 Dbprintf("Playtime over. Begin cloning...");
607 iGotoClone = 1;
608 break;
7838f4be 609 }
0db6ed9a 610 WDT_HIT();
611 }
7838f4be 612
613 /* We pressed a button so ignore it here with a delay */
614 SpinDelay(300);
7838f4be 615 LEDsoff();
616 LED(selected + 1, 0);
617 }
618 else
619 while(BUTTON_PRESS())
620 WDT_HIT();
621 }
622 }
623}
624#elif WITH_LF
625// samy's sniff and repeat routine
626void SamyRun()
627{
628 StandAloneMode();
629 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
630
631 int high[OPTS], low[OPTS];
15c4dc5a 632 int selected = 0;
633 int playing = 0;
72e930ef 634 int cardRead = 0;
15c4dc5a 635
636 // Turn on selected LED
637 LED(selected + 1, 0);
638
614da335 639 for (;;) {
6e82300d 640 usb_poll();
95e63594 641 WDT_HIT();
15c4dc5a 642
643 // Was our button held down or pressed?
644 int button_pressed = BUTTON_HELD(1000);
645 SpinDelay(300);
646
647 // Button was held for a second, begin recording
72e930ef 648 if (button_pressed > 0 && cardRead == 0)
15c4dc5a 649 {
650 LEDsoff();
651 LED(selected + 1, 0);
652 LED(LED_RED2, 0);
653
654 // record
655 DbpString("Starting recording");
656
657 // wait for button to be released
658 while(BUTTON_PRESS())
659 WDT_HIT();
660
661 /* need this delay to prevent catching some weird data */
662 SpinDelay(500);
663
664 CmdHIDdemodFSK(1, &high[selected], &low[selected], 0);
b7536e11 665 Dbprintf("Recorded %x %x %08x", selected, high[selected], low[selected]);
15c4dc5a 666
667 LEDsoff();
668 LED(selected + 1, 0);
669 // Finished recording
15c4dc5a 670 // If we were previously playing, set playing off
671 // so next button push begins playing what we recorded
614da335 672 playing = 0;
673 cardRead = 1;
72e930ef 674 }
614da335 675 else if (button_pressed > 0 && cardRead == 1) {
676 LEDsoff();
677 LED(selected + 1, 0);
678 LED(LED_ORANGE, 0);
72e930ef 679
614da335 680 // record
b7536e11 681 Dbprintf("Cloning %x %x %08x", selected, high[selected], low[selected]);
72e930ef 682
614da335 683 // wait for button to be released
684 while(BUTTON_PRESS())
685 WDT_HIT();
72e930ef 686
614da335 687 /* need this delay to prevent catching some weird data */
688 SpinDelay(500);
72e930ef 689
b7536e11 690 CopyHIDtoT55x7(0, high[selected], low[selected], 0);
691 Dbprintf("Cloned %x %x %08x", selected, high[selected], low[selected]);
72e930ef 692
614da335 693 LEDsoff();
694 LED(selected + 1, 0);
695 // Finished recording
72e930ef 696
614da335 697 // If we were previously playing, set playing off
698 // so next button push begins playing what we recorded
699 playing = 0;
700 cardRead = 0;
15c4dc5a 701 }
702
703 // Change where to record (or begin playing)
614da335 704 else if (button_pressed) {
15c4dc5a 705 // Next option if we were previously playing
706 if (playing)
707 selected = (selected + 1) % OPTS;
708 playing = !playing;
709
710 LEDsoff();
711 LED(selected + 1, 0);
712
713 // Begin transmitting
714 if (playing)
715 {
716 LED(LED_GREEN, 0);
717 DbpString("Playing");
718 // wait for button to be released
719 while(BUTTON_PRESS())
720 WDT_HIT();
0d5ee8e2 721
b7536e11 722 Dbprintf("%x %x %08x", selected, high[selected], low[selected]);
0d5ee8e2 723 CmdHIDsimTAG(high[selected], low[selected], 0);
15c4dc5a 724 DbpString("Done playing");
0d5ee8e2 725
726 if (BUTTON_HELD(1000) > 0) {
15c4dc5a 727 DbpString("Exiting");
728 LEDsoff();
729 return;
0d5ee8e2 730 }
15c4dc5a 731
732 /* We pressed a button so ignore it here with a delay */
733 SpinDelay(300);
734
735 // when done, we're done playing, move to next option
736 selected = (selected + 1) % OPTS;
737 playing = !playing;
738 LEDsoff();
739 LED(selected + 1, 0);
740 }
741 else
742 while(BUTTON_PRESS())
743 WDT_HIT();
744 }
745 }
746}
15c4dc5a 747
7838f4be 748#endif
15c4dc5a 749/*
750OBJECTIVE
751Listen and detect an external reader. Determine the best location
752for the antenna.
753
754INSTRUCTIONS:
755Inside the ListenReaderField() function, there is two mode.
756By default, when you call the function, you will enter mode 1.
757If you press the PM3 button one time, you will enter mode 2.
758If you press the PM3 button a second time, you will exit the function.
759
760DESCRIPTION OF MODE 1:
761This mode just listens for an external reader field and lights up green
762for HF and/or red for LF. This is the original mode of the detectreader
763function.
764
765DESCRIPTION OF MODE 2:
766This mode will visually represent, using the LEDs, the actual strength of the
767current compared to the maximum current detected. Basically, once you know
768what kind of external reader is present, it will help you spot the best location to place
769your antenna. You will probably not get some good results if there is a LF and a HF reader
770at the same place! :-)
771
772LIGHT SCHEME USED:
773*/
774static const char LIGHT_SCHEME[] = {
775 0x0, /* ---- | No field detected */
776 0x1, /* X--- | 14% of maximum current detected */
777 0x2, /* -X-- | 29% of maximum current detected */
778 0x4, /* --X- | 43% of maximum current detected */
779 0x8, /* ---X | 57% of maximum current detected */
780 0xC, /* --XX | 71% of maximum current detected */
781 0xE, /* -XXX | 86% of maximum current detected */
782 0xF, /* XXXX | 100% of maximum current detected */
783};
784static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
785
da198be4 786void ListenReaderField(int limit) {
3b692427 787#define LF_ONLY 1
788#define HF_ONLY 2
789#define REPORT_CHANGE 10 // report new values only if they have changed at least by REPORT_CHANGE
790
da198be4 791 int lf_av, lf_av_new, lf_baseline= 0, lf_max;
792 int hf_av, hf_av_new, hf_baseline= 0, hf_max;
793 int mode=1, display_val, display_max, i;
3b692427 794
795 // switch off FPGA - we don't want to measure our own signal
796 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
797 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
15c4dc5a 798
799 LEDsoff();
800
3b692427 801 lf_av = lf_max = AvgAdc(ADC_CHAN_LF);
15c4dc5a 802
803 if(limit != HF_ONLY) {
3b692427 804 Dbprintf("LF 125/134kHz Baseline: %dmV", (MAX_ADC_LF_VOLTAGE * lf_av) >> 10);
15c4dc5a 805 lf_baseline = lf_av;
806 }
807
3b692427 808 hf_av = hf_max = AvgAdc(ADC_CHAN_HF);
15c4dc5a 809
810 if (limit != LF_ONLY) {
3b692427 811 Dbprintf("HF 13.56MHz Baseline: %dmV", (MAX_ADC_HF_VOLTAGE * hf_av) >> 10);
15c4dc5a 812 hf_baseline = hf_av;
813 }
814
815 for(;;) {
816 if (BUTTON_PRESS()) {
817 SpinDelay(500);
818 switch (mode) {
819 case 1:
820 mode=2;
821 DbpString("Signal Strength Mode");
822 break;
823 case 2:
824 default:
825 DbpString("Stopped");
826 LEDsoff();
827 return;
828 break;
829 }
830 }
831 WDT_HIT();
832
833 if (limit != HF_ONLY) {
3b692427 834 if(mode == 1) {
835 if (abs(lf_av - lf_baseline) > REPORT_CHANGE)
836 LED_D_ON();
837 else
838 LED_D_OFF();
15c4dc5a 839 }
e30c654b 840
3b692427 841 lf_av_new = AvgAdc(ADC_CHAN_LF);
15c4dc5a 842 // see if there's a significant change
3b692427 843 if(abs(lf_av - lf_av_new) > REPORT_CHANGE) {
844 Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE * lf_av_new) >> 10);
15c4dc5a 845 lf_av = lf_av_new;
846 if (lf_av > lf_max)
847 lf_max = lf_av;
15c4dc5a 848 }
849 }
850
851 if (limit != LF_ONLY) {
852 if (mode == 1){
3b692427 853 if (abs(hf_av - hf_baseline) > REPORT_CHANGE)
854 LED_B_ON();
855 else
856 LED_B_OFF();
15c4dc5a 857 }
e30c654b 858
3b692427 859 hf_av_new = AvgAdc(ADC_CHAN_HF);
15c4dc5a 860 // see if there's a significant change
3b692427 861 if(abs(hf_av - hf_av_new) > REPORT_CHANGE) {
862 Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE * hf_av_new) >> 10);
15c4dc5a 863 hf_av = hf_av_new;
864 if (hf_av > hf_max)
865 hf_max = hf_av;
15c4dc5a 866 }
867 }
e30c654b 868
15c4dc5a 869 if(mode == 2) {
870 if (limit == LF_ONLY) {
871 display_val = lf_av;
872 display_max = lf_max;
873 } else if (limit == HF_ONLY) {
874 display_val = hf_av;
875 display_max = hf_max;
876 } else { /* Pick one at random */
877 if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
878 display_val = hf_av;
879 display_max = hf_max;
880 } else {
881 display_val = lf_av;
882 display_max = lf_max;
883 }
884 }
885 for (i=0; i<LIGHT_LEN; i++) {
886 if (display_val >= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) {
887 if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF();
888 if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF();
889 if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF();
890 if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF();
891 break;
892 }
893 }
894 }
895 }
896}
897
f7e3ed82 898void UsbPacketReceived(uint8_t *packet, int len)
15c4dc5a 899{
900 UsbCommand *c = (UsbCommand *)packet;
15c4dc5a 901
313ee67e 902 //Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
902cb3c0 903
15c4dc5a 904 switch(c->cmd) {
905#ifdef WITH_LF
31abe49f
MHS		 906 case CMD_SET_LF_SAMPLING_CONFIG:
907 setSamplingConfig((sample_config *) c->d.asBytes);
908 break;
15c4dc5a 909 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
1c8fbeb9 910 cmd_send(CMD_ACK, SampleLF(c->arg[0]),0,0,0,0);
15c4dc5a 911 break;
15c4dc5a 912 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
913 ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
914 break;
b014c96d 915 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
31abe49f 916 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
b014c96d 917 break;
7e67e42f 918 case CMD_HID_DEMOD_FSK:
a501c82b 919 CmdHIDdemodFSK(c->arg[0], 0, 0, 1);
7e67e42f 920 break;
921 case CMD_HID_SIM_TAG:
a501c82b 922 CmdHIDsimTAG(c->arg[0], c->arg[1], 1);
7e67e42f 923 break;
abd6112f 924 case CMD_FSK_SIM_TAG:
925 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
926 break;
927 case CMD_ASK_SIM_TAG:
928 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
929 break;
872e3d4d 930 case CMD_PSK_SIM_TAG:
931 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
932 break;
a501c82b 933 case CMD_HID_CLONE_TAG:
1c611bbd 934 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
7e67e42f 935 break;
a1f3bb12 936 case CMD_IO_DEMOD_FSK:
a501c82b 937 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
a1f3bb12 938 break;
a501c82b 939 case CMD_IO_CLONE_TAG:
94422fa2 940 CopyIOtoT55x7(c->arg[0], c->arg[1]);
a1f3bb12 941 break;
6ff6ade2 942 case CMD_EM410X_DEMOD:
943 CmdEM410xdemod(c->arg[0], 0, 0, 1);
944 break;
2d4eae76 945 case CMD_EM410X_WRITE_TAG:
946 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
947 break;
7e67e42f 948 case CMD_READ_TI_TYPE:
949 ReadTItag();
950 break;
951 case CMD_WRITE_TI_TYPE:
952 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
953 break;
954 case CMD_SIMULATE_TAG_125K:
74daee24 955 LED_A_ON();
956 SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
957 LED_A_OFF();
7e67e42f 958 break;
959 case CMD_LF_SIMULATE_BIDIR:
960 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
961 break;
a501c82b 962 case CMD_INDALA_CLONE_TAG:
2414f978 963 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
964 break;
a501c82b 965 case CMD_INDALA_CLONE_TAG_L:
2414f978 966 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
967 break;
1c611bbd 968 case CMD_T55XX_READ_BLOCK:
9276e859 969 T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
1c611bbd 970 break;
971 case CMD_T55XX_WRITE_BLOCK:
972 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
973 break;
9276e859 974 case CMD_T55XX_WAKEUP:
975 T55xxWakeUp(c->arg[0]);
976 break;
94422fa2 977 case CMD_T55XX_RESET_READ:
978 T55xxResetRead();
979 break;
a501c82b 980 case CMD_PCF7931_READ:
1c611bbd 981 ReadPCF7931();
1c611bbd 982 break;
e98572a1 983 case CMD_PCF7931_WRITE:
ac2df346 984 WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
e98572a1 985 break;
1c611bbd 986 case CMD_EM4X_READ_WORD:
987 EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]);
988 break;
989 case CMD_EM4X_WRITE_WORD:
990 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
991 break;
db25599d 992 case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
993 CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
70459879 994 break;
0de8e387 995 case CMD_VIKING_CLONE_TAG:
a126332a 996 CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
0de8e387 997 break;
15c4dc5a 998#endif
999
d19929cb 1000#ifdef WITH_HITAG
1001 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
1002 SnoopHitag(c->arg[0]);
1003 break;
1004 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
1005 SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1006 break;
1007 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
1008 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1009 break;
0db11b71 1010 case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content
1011 SimulateHitagSTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1012 break;
1013 case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file
1014 check_challenges((bool)c->arg[0],(byte_t*)c->d.asBytes);
1015 break;
1016 case CMD_READ_HITAG_S://Reader for only Hitag S tags, args = key or challenge
1017 ReadHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1018 break;
1019 case CMD_WR_HITAG_S://writer for Hitag tags args=data to write,page and key or challenge
1020 WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]);
1021 break;
d19929cb 1022#endif
f168b263 1023
15c4dc5a 1024#ifdef WITH_ISO15693
1025 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
1026 AcquireRawAdcSamplesIso15693();
1027 break;
9455b51c 1028 case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693:
1029 RecordRawAdcSamplesIso15693();
1030 break;
1031
1032 case CMD_ISO_15693_COMMAND:
1033 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1034 break;
1035
1036 case CMD_ISO_15693_FIND_AFI:
1037 BruteforceIso15693Afi(c->arg[0]);
1038 break;
1039
1040 case CMD_ISO_15693_DEBUG:
1041 SetDebugIso15693(c->arg[0]);
1042 break;
15c4dc5a 1043
15c4dc5a 1044 case CMD_READER_ISO_15693:
1045 ReaderIso15693(c->arg[0]);
1046 break;
7e67e42f 1047 case CMD_SIMTAG_ISO_15693:
3649b640 1048 SimTagIso15693(c->arg[0], c->d.asBytes);
7e67e42f 1049 break;
15c4dc5a 1050#endif
1051
7e67e42f 1052#ifdef WITH_LEGICRF
1053 case CMD_SIMULATE_TAG_LEGIC_RF:
1054 LegicRfSimulate(c->arg[0], c->arg[1], c->arg[2]);
1055 break;
3612a8a8 1056
7e67e42f 1057 case CMD_WRITER_LEGIC_RF:
1058 LegicRfWriter(c->arg[1], c->arg[0]);
1059 break;
3612a8a8 1060
15c4dc5a 1061 case CMD_READER_LEGIC_RF:
1062 LegicRfReader(c->arg[0], c->arg[1]);
1063 break;
15c4dc5a 1064#endif
1065
1066#ifdef WITH_ISO14443b
15c4dc5a 1067 case CMD_READ_SRI512_TAG:
abb21530 1068 ReadSTMemoryIso14443b(0x0F);
15c4dc5a 1069 break;
7e67e42f 1070 case CMD_READ_SRIX4K_TAG:
abb21530 1071 ReadSTMemoryIso14443b(0x7F);
7e67e42f 1072 break;
22e24700 1073 case CMD_SNOOP_ISO_14443B:
abb21530 1074 SnoopIso14443b();
7e67e42f 1075 break;
22e24700 1076 case CMD_SIMULATE_TAG_ISO_14443B:
abb21530 1077 SimulateIso14443bTag();
7e67e42f 1078 break;
7cf3ef20 1079 case CMD_ISO_14443B_COMMAND:
1080 SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1081 break;
15c4dc5a 1082#endif
1083
1084#ifdef WITH_ISO14443a
7e67e42f 1085 case CMD_SNOOP_ISO_14443a:
4d2e4eea 1086 SniffIso14443a(c->arg[0]);
7e67e42f 1087 break;
15c4dc5a 1088 case CMD_READER_ISO_14443a:
902cb3c0 1089 ReaderIso14443a(c);
15c4dc5a 1090 break;
7e67e42f 1091 case CMD_SIMULATE_TAG_ISO_14443a:
0db6ed9a 1092 SimulateIso14443aTag(c->arg[0], c->arg[1], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
7e67e42f 1093 break;
95e63594 1094
5acd09bd 1095 case CMD_EPA_PACE_COLLECT_NONCE:
902cb3c0 1096 EPA_PACE_Collect_Nonce(c);
5acd09bd 1097 break;
d0f3338e 1098 case CMD_EPA_PACE_REPLAY:
1099 EPA_PACE_Replay(c);
1100 break;
7e67e42f 1101
15c4dc5a 1102 case CMD_READER_MIFARE:
810f5379 1103 ReaderMifare(c->arg[0], c->arg[1]);
15c4dc5a 1104 break;
20f9a2a1
M		 1105 case CMD_MIFARE_READBL:
1106 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1107 break;
981bd429 1108 case CMD_MIFAREU_READBL:
aa60d156 1109 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
981bd429 1110 break;
4d2e4eea 1111 case CMD_MIFAREUC_AUTH:
1112 MifareUC_Auth(c->arg[0],c->d.asBytes);
f38a1528 1113 break;
981bd429 1114 case CMD_MIFAREU_READCARD:
74daee24 1115 MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
117d9ec2 1116 break;
aa60d156 1117 case CMD_MIFAREUC_SETPWD:
1118 MifareUSetPwd(c->arg[0], c->d.asBytes);
117d9ec2 1119 break;
20f9a2a1
M		 1120 case CMD_MIFARE_READSC:
1121 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1122 break;
1123 case CMD_MIFARE_WRITEBL:
1124 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1125 break;
95aeb706 1126 //case CMD_MIFAREU_WRITEBL_COMPAT:
1127 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1128 //break;
981bd429 1129 case CMD_MIFAREU_WRITEBL:
95aeb706 1130 MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
aa60d156 1131 break;
c188b1b9 1132 case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES:
1133 MifareAcquireEncryptedNonces(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1134 break;
20f9a2a1
M		 1135 case CMD_MIFARE_NESTED:
1136 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
f397b5cc
M		 1137 break;
1138 case CMD_MIFARE_CHKKEYS:
1139 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
20f9a2a1
M		 1140 break;
1141 case CMD_SIMULATE_MIFARE_CARD:
1142 Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1143 break;
8556b852
M		 1144
1145 // emulator
1146 case CMD_MIFARE_SET_DBGMODE:
1147 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1148 break;
1149 case CMD_MIFARE_EML_MEMCLR:
1150 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1151 break;
1152 case CMD_MIFARE_EML_MEMSET:
1153 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1154 break;
1155 case CMD_MIFARE_EML_MEMGET:
1156 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1157 break;
1158 case CMD_MIFARE_EML_CARDLOAD:
1159 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
0675f200
M		 1160 break;
1161
1162 // Work with "magic Chinese" card
d52e4e88 1163 case CMD_MIFARE_CSETBLOCK:
c2731f37 1164 MifareCSetBlock(c->arg[0], c->arg[1], c->d.asBytes);
545a1f38 1165 break;
d52e4e88 1166 case CMD_MIFARE_CGETBLOCK:
c2731f37 1167 MifareCGetBlock(c->arg[0], c->arg[1], c->d.asBytes);
8556b852 1168 break;
d52e4e88 1169 case CMD_MIFARE_CIDENT:
1170 MifareCIdent();
1171 break;
b62a5a84
M		 1172
1173 // mifare sniffer
1174 case CMD_MIFARE_SNIFFER:
5cd9ec01 1175 SniffMifare(c->arg[0]);
b62a5a84 1176 break;
313ee67e 1177
aa60d156 1178 //mifare desfire
1179 case CMD_MIFARE_DESFIRE_READBL: break;
1180 case CMD_MIFARE_DESFIRE_WRITEBL: break;
1181 case CMD_MIFARE_DESFIRE_AUTH1:
1182 MifareDES_Auth1(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1183 break;
1184 case CMD_MIFARE_DESFIRE_AUTH2:
1185 //MifareDES_Auth2(c->arg[0],c->d.asBytes);
1186 break;
1187 case CMD_MIFARE_DES_READER:
1188 //readermifaredes(c->arg[0], c->arg[1], c->d.asBytes);
1189 break;
1190 case CMD_MIFARE_DESFIRE_INFO:
1191 MifareDesfireGetInformation();
1192 break;
1193 case CMD_MIFARE_DESFIRE:
1194 MifareSendCommand(c->arg[0], c->arg[1], c->d.asBytes);
1195 break;
1196
add0504d 1197 case CMD_MIFARE_COLLECT_NONCES:
add0504d 1198 break;
20f9a2a1 1199#endif
810f5379 1200#ifdef WITH_EMV
1201 case CMD_EMV_TRANSACTION:
1202 EMVTransaction();
1203 break;
1204 case CMD_EMV_GET_RANDOM_NUM:
1205 //EMVgetUDOL();
1206 break;
1207 case CMD_EMV_LOAD_VALUE:
1208 EMVloadvalue(c->arg[0], c->d.asBytes);
1209 break;
1210 case CMD_EMV_DUMP_CARD:
1211 EMVdumpcard();
1212#endif
7e67e42f 1213#ifdef WITH_ICLASS
cee5a30d 1214 // Makes use of ISO14443a FPGA Firmware
1215 case CMD_SNOOP_ICLASS:
1216 SnoopIClass();
1217 break;
1e262141 1218 case CMD_SIMULATE_TAG_ICLASS:
ff7bb4ef 1219 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1e262141 1220 break;
1221 case CMD_READER_ICLASS:
1222 ReaderIClass(c->arg[0]);
1223 break;
f38a1528 1224 case CMD_READER_ICLASS_REPLAY:
f62b5e12 1225 ReaderIClass_Replay(c->arg[0], c->d.asBytes);
f38a1528 1226 break;
e80aeb96
MHS		 1227 case CMD_ICLASS_EML_MEMSET:
1228 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
1229 break;
e98572a1 1230 case CMD_ICLASS_WRITEBLOCK:
1231 iClass_WriteBlock(c->arg[0], c->d.asBytes);
1232 break;
1233 case CMD_ICLASS_READCHECK: // auth step 1
1234 iClass_ReadCheck(c->arg[0], c->arg[1]);
1235 break;
1236 case CMD_ICLASS_READBLOCK:
1237 iClass_ReadBlk(c->arg[0]);
1238 break;
1239 case CMD_ICLASS_AUTHENTICATION: //check
1240 iClass_Authentication(c->d.asBytes);
1241 break;
1242 case CMD_ICLASS_DUMP:
1243 iClass_Dump(c->arg[0], c->arg[1]);
1244 break;
1245 case CMD_ICLASS_CLONE:
1246 iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
1247 break;
cee5a30d 1248#endif
1d0ccbe0 1249#ifdef WITH_HFSNOOP
1250 case CMD_HF_SNIFFER:
1251 HfSnoop(c->arg[0], c->arg[1]);
1252 break;
1253#endif
cee5a30d 1254
7e67e42f 1255 case CMD_BUFF_CLEAR:
117d9ec2 1256 BigBuf_Clear();
15c4dc5a 1257 break;
15c4dc5a 1258
1259 case CMD_MEASURE_ANTENNA_TUNING:
1260 MeasureAntennaTuning();
1261 break;
1262
1263 case CMD_MEASURE_ANTENNA_TUNING_HF:
1264 MeasureAntennaTuningHf();
1265 break;
1266
1267 case CMD_LISTEN_READER_FIELD:
1268 ListenReaderField(c->arg[0]);
1269 break;
1270
15c4dc5a 1271 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
1272 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1273 SpinDelay(200);
1274 LED_D_OFF(); // LED D indicates field ON or OFF
1275 break;
1276
aaa1a9a2 1277 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K: {
1c611bbd 1278 LED_B_ON();
117d9ec2 1279 uint8_t *BigBuf = BigBuf_get_addr();
0de8e387 1280 size_t len = 0;
1c611bbd 1281 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
0de8e387 1282 len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
3000dc4e 1283 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
1c611bbd 1284 }
1285 // Trigger a finish downloading signal with an ACK frame
3000dc4e 1286 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
d3b1f4e4 1287 LED_B_OFF();
1c611bbd 1288 break;
aaa1a9a2 1289 }
15c4dc5a 1290 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
117d9ec2 1291 uint8_t *b = BigBuf_get_addr();
aaa1a9a2 1292 memcpy( b + c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1c611bbd 1293 cmd_send(CMD_ACK,0,0,0,0,0);
1294 break;
aaa1a9a2 1295 }
1296 case CMD_DOWNLOAD_EML_BIGBUF: {
1297 LED_B_ON();
1298 uint8_t *cardmem = BigBuf_get_EM_addr();
1299 size_t len = 0;
1300 for(size_t i=0; i < c->arg[1]; i += USB_CMD_DATA_SIZE) {
1301 len = MIN((c->arg[1] - i), USB_CMD_DATA_SIZE);
1302 cmd_send(CMD_DOWNLOADED_EML_BIGBUF, i, len, CARD_MEMORY_SIZE, cardmem + c->arg[0] + i, len);
1303 }
1304 // Trigger a finish downloading signal with an ACK frame
1305 cmd_send(CMD_ACK, 1, 0, CARD_MEMORY_SIZE, 0, 0);
1306 LED_B_OFF();
1307 break;
1308 }
15c4dc5a 1309 case CMD_READ_MEM:
1310 ReadMem(c->arg[0]);
1311 break;
1312
1313 case CMD_SET_LF_DIVISOR:
7cc204bf 1314 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
15c4dc5a 1315 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
1316 break;
1317
1318 case CMD_SET_ADC_MUX:
1319 switch(c->arg[0]) {
1320 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1321 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1322 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1323 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1324 }
1325 break;
1326
1327 case CMD_VERSION:
1328 SendVersion();
1329 break;
7838f4be 1330 case CMD_STATUS:
0de8e387 1331 SendStatus();
7838f4be 1332 break;
1333 case CMD_PING:
1334 cmd_send(CMD_ACK,0,0,0,0,0);
1335 break;
15c4dc5a 1336#ifdef WITH_LCD
1337 case CMD_LCD_RESET:
1338 LCDReset();
1339 break;
1340 case CMD_LCD:
1341 LCDSend(c->arg[0]);
1342 break;
1343#endif
1344 case CMD_SETUP_WRITE:
1345 case CMD_FINISH_WRITE:
1c611bbd 1346 case CMD_HARDWARE_RESET:
1347 usb_disable();
f62b5e12 1348 SpinDelay(2000);
15c4dc5a 1349 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1350 for(;;) {
1351 // We're going to reset, and the bootrom will take control.
1352 }
1c611bbd 1353 break;
15c4dc5a 1354
1c611bbd 1355 case CMD_START_FLASH:
15c4dc5a 1356 if(common_area.flags.bootrom_present) {
1357 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1358 }
1c611bbd 1359 usb_disable();
15c4dc5a 1360 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1361 for(;;);
1c611bbd 1362 break;
e30c654b 1363
15c4dc5a 1364 case CMD_DEVICE_INFO: {
902cb3c0 1365 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1366 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1c611bbd 1367 cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1368 break;
1369 }
1370 default:
15c4dc5a 1371 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1c611bbd 1372 break;
15c4dc5a 1373 }
1374}
1375
1376void __attribute__((noreturn)) AppMain(void)
1377{
1378 SpinDelay(100);
9e8255d4 1379 clear_trace();
15c4dc5a 1380 if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
1381 /* Initialize common area */
1382 memset(&common_area, 0, sizeof(common_area));
1383 common_area.magic = COMMON_AREA_MAGIC;
1384 common_area.version = 1;
1385 }
1386 common_area.flags.osimage_present = 1;
1387
1388 LED_D_OFF();
1389 LED_C_OFF();
1390 LED_B_OFF();
1391 LED_A_OFF();
1392
b44e5233 1393 // Init USB device
313ee67e 1394 usb_enable();
15c4dc5a 1395
1396 // The FPGA gets its clock from us from PCK0 output, so set that up.
1397 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
1398 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
1399 AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
1400 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1401 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
1d0ccbe0 1402 AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
15c4dc5a 1403 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
1404
1405 // Reset SPI
1406 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
1407 // Reset SSC
1408 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
1409
1410 // Load the FPGA image, which we have stored in our flash.
7cc204bf 1411 // (the HF version by default)
1412 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
15c4dc5a 1413
9ca155ba 1414 StartTickCount();
902cb3c0 1415
15c4dc5a 1416#ifdef WITH_LCD
15c4dc5a 1417 LCDInit();
15c4dc5a 1418#endif
1419
f62b5e12 1420 byte_t rx[sizeof(UsbCommand)];
902cb3c0 1421 size_t rx_len;
1422
15c4dc5a 1423 for(;;) {
313ee67e 1424 if (usb_poll()) {
1425 rx_len = usb_read(rx,sizeof(UsbCommand));
da198be4 1426 if (rx_len)
313ee67e 1427 UsbPacketReceived(rx,rx_len);
313ee67e 1428 }
15c4dc5a 1429 WDT_HIT();
1430
1431#ifdef WITH_LF
7838f4be 1432#ifndef WITH_ISO14443a_StandAlone
15c4dc5a 1433 if (BUTTON_HELD(1000) > 0)
1434 SamyRun();
7838f4be 1435#endif
1436#endif
1437#ifdef WITH_ISO14443a
1438#ifdef WITH_ISO14443a_StandAlone
1439 if (BUTTON_HELD(1000) > 0)
1440 StandAloneMode14a();
1441#endif
15c4dc5a 1442#endif
1443 }
1444}
Proxmark3 GIT tracking
Impressum, Datenschutz