| 6658905f |
1 | //-----------------------------------------------------------------------------\r |
| 2 | // Routines to support ISO 14443 type A.\r |
| 3 | //\r |
| 4 | // Gerhard de Koning Gans - May 2008\r |
| 5 | //-----------------------------------------------------------------------------\r |
| 6 | #include <proxmark3.h>\r |
| 7 | #include "apps.h"\r |
| 30f2a7d3 |
8 | #include "../common/iso14443_crc.c"\r |
| 6658905f |
9 | \r |
| d24438f8 |
10 | static BYTE *trace = (BYTE *) BigBuf;\r |
| 11 | static int traceLen = 0;\r |
| 12 | static int rsamples = 0;\r |
| 13 | \r |
| 6658905f |
14 | typedef enum {\r |
| 15 | SEC_D = 1,\r |
| 16 | SEC_E = 2,\r |
| 17 | SEC_F = 3,\r |
| 18 | SEC_X = 4,\r |
| 19 | SEC_Y = 5,\r |
| 20 | SEC_Z = 6\r |
| 21 | } SecType;\r |
| 22 | \r |
| d24438f8 |
23 | static const BYTE OddByteParity[256] = {\r |
| 24 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,\r |
| 25 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,\r |
| 26 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,\r |
| 27 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,\r |
| 28 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,\r |
| 29 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,\r |
| 30 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,\r |
| 31 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,\r |
| 32 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,\r |
| 33 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,\r |
| 34 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,\r |
| 35 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,\r |
| 36 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,\r |
| 37 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,\r |
| 38 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,\r |
| 39 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1\r |
| 40 | };\r |
| 41 | \r |
| 84c02e97 |
42 | // BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT\r |
| 43 | #define RECV_CMD_OFFSET 3032\r |
| 44 | #define RECV_RES_OFFSET 3096\r |
| 45 | #define DMA_BUFFER_OFFSET 3160\r |
| 46 | #define DMA_BUFFER_SIZE 4096\r |
| 47 | #define TRACE_LENGTH 3000\r |
| 48 | \r |
| d24438f8 |
49 | //-----------------------------------------------------------------------------\r |
| 50 | // Generate the parity value for a byte sequence\r |
| 51 | // \r |
| 52 | //-----------------------------------------------------------------------------\r |
| 53 | DWORD GetParity(const BYTE * pbtCmd, int iLen)\r |
| 54 | {\r |
| 55 | int i;\r |
| 56 | DWORD dwPar = 0;\r |
| 57 | \r |
| 58 | // Generate the encrypted data\r |
| 59 | for (i = 0; i < iLen; i++) {\r |
| 60 | // Save the encrypted parity bit\r |
| 61 | dwPar |= ((OddByteParity[pbtCmd[i]]) << i);\r |
| 62 | }\r |
| 63 | return dwPar;\r |
| 64 | }\r |
| 65 | \r |
| 84c02e97 |
66 | static void AppendCrc14443a(BYTE* data, int len)\r |
| 67 | {\r |
| 68 | ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);\r |
| 69 | }\r |
| 70 | \r |
| 71 | BOOL LogTrace(const BYTE * btBytes, int iLen, int iSamples, DWORD dwParity, BOOL bReader)\r |
| 72 | {\r |
| 73 | // Return when trace is full\r |
| 74 | if (traceLen >= TRACE_LENGTH) return FALSE;\r |
| 75 | \r |
| 76 | // Trace the random, i'm curious\r |
| 77 | rsamples += iSamples;\r |
| 78 | trace[traceLen++] = ((rsamples >> 0) & 0xff);\r |
| 79 | trace[traceLen++] = ((rsamples >> 8) & 0xff);\r |
| 80 | trace[traceLen++] = ((rsamples >> 16) & 0xff);\r |
| 81 | trace[traceLen++] = ((rsamples >> 24) & 0xff);\r |
| 82 | if (!bReader) {\r |
| 83 | trace[traceLen - 1] |= 0x80;\r |
| 84 | }\r |
| 85 | trace[traceLen++] = ((dwParity >> 0) & 0xff);\r |
| 86 | trace[traceLen++] = ((dwParity >> 8) & 0xff);\r |
| 87 | trace[traceLen++] = ((dwParity >> 16) & 0xff);\r |
| 88 | trace[traceLen++] = ((dwParity >> 24) & 0xff);\r |
| 89 | trace[traceLen++] = iLen;\r |
| 90 | memcpy(trace + traceLen, btBytes, iLen);\r |
| 91 | traceLen += iLen;\r |
| 92 | return TRUE;\r |
| 93 | }\r |
| 94 | \r |
| 6658905f |
95 | //-----------------------------------------------------------------------------\r |
| 96 | // The software UART that receives commands from the reader, and its state\r |
| 97 | // variables.\r |
| 98 | //-----------------------------------------------------------------------------\r |
| 99 | static struct {\r |
| 100 | enum {\r |
| 101 | STATE_UNSYNCD,\r |
| 102 | STATE_START_OF_COMMUNICATION,\r |
| 103 | STATE_MILLER_X,\r |
| 104 | STATE_MILLER_Y,\r |
| 105 | STATE_MILLER_Z,\r |
| 106 | STATE_ERROR_WAIT\r |
| 107 | } state;\r |
| 108 | WORD shiftReg;\r |
| 109 | int bitCnt;\r |
| 110 | int byteCnt;\r |
| 111 | int byteCntMax;\r |
| 112 | int posCnt;\r |
| 113 | int syncBit;\r |
| 114 | int parityBits;\r |
| 115 | int samples;\r |
| 116 | int highCnt;\r |
| 117 | int bitBuffer;\r |
| 118 | enum {\r |
| 119 | DROP_NONE,\r |
| 120 | DROP_FIRST_HALF,\r |
| 121 | DROP_SECOND_HALF\r |
| 122 | } drop;\r |
| 123 | BYTE *output;\r |
| 124 | } Uart;\r |
| 125 | \r |
| 126 | static BOOL MillerDecoding(int bit)\r |
| 127 | {\r |
| 128 | int error = 0;\r |
| 129 | int bitright;\r |
| 130 | \r |
| 131 | if(!Uart.bitBuffer) {\r |
| 132 | Uart.bitBuffer = bit ^ 0xFF0;\r |
| 133 | return FALSE;\r |
| 134 | }\r |
| 135 | else {\r |
| 136 | Uart.bitBuffer <<= 4;\r |
| 137 | Uart.bitBuffer ^= bit;\r |
| 138 | }\r |
| 139 | \r |
| 140 | BOOL EOC = FALSE;\r |
| 141 | \r |
| 142 | if(Uart.state != STATE_UNSYNCD) {\r |
| 143 | Uart.posCnt++;\r |
| 144 | \r |
| 145 | if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {\r |
| 146 | bit = 0x00;\r |
| 147 | }\r |
| 148 | else {\r |
| 149 | bit = 0x01;\r |
| 150 | }\r |
| 151 | if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {\r |
| 152 | bitright = 0x00;\r |
| 153 | }\r |
| 154 | else {\r |
| 155 | bitright = 0x01;\r |
| 156 | }\r |
| 157 | if(bit != bitright) { bit = bitright; }\r |
| 158 | \r |
| 159 | if(Uart.posCnt == 1) {\r |
| 160 | // measurement first half bitperiod\r |
| 161 | if(!bit) {\r |
| 162 | Uart.drop = DROP_FIRST_HALF;\r |
| 163 | }\r |
| 164 | }\r |
| 165 | else {\r |
| 166 | // measurement second half bitperiod\r |
| 167 | if(!bit & (Uart.drop == DROP_NONE)) {\r |
| 168 | Uart.drop = DROP_SECOND_HALF;\r |
| 169 | }\r |
| 170 | else if(!bit) {\r |
| 171 | // measured a drop in first and second half\r |
| 172 | // which should not be possible\r |
| 173 | Uart.state = STATE_ERROR_WAIT;\r |
| 174 | error = 0x01;\r |
| 175 | }\r |
| 176 | \r |
| 177 | Uart.posCnt = 0;\r |
| 178 | \r |
| 179 | switch(Uart.state) {\r |
| 180 | case STATE_START_OF_COMMUNICATION:\r |
| 181 | Uart.shiftReg = 0;\r |
| 182 | if(Uart.drop == DROP_SECOND_HALF) {\r |
| 183 | // error, should not happen in SOC\r |
| 184 | Uart.state = STATE_ERROR_WAIT;\r |
| 185 | error = 0x02;\r |
| 186 | }\r |
| 187 | else {\r |
| 188 | // correct SOC\r |
| 189 | Uart.state = STATE_MILLER_Z;\r |
| 190 | }\r |
| 191 | break;\r |
| 192 | \r |
| 193 | case STATE_MILLER_Z:\r |
| 194 | Uart.bitCnt++;\r |
| 195 | Uart.shiftReg >>= 1;\r |
| 196 | if(Uart.drop == DROP_NONE) {\r |
| 197 | // logic '0' followed by sequence Y\r |
| 198 | // end of communication\r |
| 199 | Uart.state = STATE_UNSYNCD;\r |
| 200 | EOC = TRUE;\r |
| 201 | }\r |
| 202 | // if(Uart.drop == DROP_FIRST_HALF) {\r |
| 203 | // Uart.state = STATE_MILLER_Z; stay the same\r |
| 204 | // we see a logic '0' }\r |
| 205 | if(Uart.drop == DROP_SECOND_HALF) {\r |
| 206 | // we see a logic '1'\r |
| 207 | Uart.shiftReg |= 0x100;\r |
| 208 | Uart.state = STATE_MILLER_X;\r |
| 209 | }\r |
| 210 | break;\r |
| 211 | \r |
| 212 | case STATE_MILLER_X:\r |
| 213 | Uart.shiftReg >>= 1;\r |
| 214 | if(Uart.drop == DROP_NONE) {\r |
| 215 | // sequence Y, we see a '0'\r |
| 216 | Uart.state = STATE_MILLER_Y;\r |
| 217 | Uart.bitCnt++;\r |
| 218 | }\r |
| 219 | if(Uart.drop == DROP_FIRST_HALF) {\r |
| 220 | // Would be STATE_MILLER_Z\r |
| 221 | // but Z does not follow X, so error\r |
| 222 | Uart.state = STATE_ERROR_WAIT;\r |
| 223 | error = 0x03;\r |
| 224 | }\r |
| 225 | if(Uart.drop == DROP_SECOND_HALF) {\r |
| 226 | // We see a '1' and stay in state X\r |
| 227 | Uart.shiftReg |= 0x100;\r |
| 228 | Uart.bitCnt++;\r |
| 229 | }\r |
| 230 | break;\r |
| 231 | \r |
| 232 | case STATE_MILLER_Y:\r |
| 233 | Uart.bitCnt++;\r |
| 234 | Uart.shiftReg >>= 1;\r |
| 235 | if(Uart.drop == DROP_NONE) {\r |
| 236 | // logic '0' followed by sequence Y\r |
| 237 | // end of communication\r |
| 238 | Uart.state = STATE_UNSYNCD;\r |
| 239 | EOC = TRUE;\r |
| 240 | }\r |
| 241 | if(Uart.drop == DROP_FIRST_HALF) {\r |
| 242 | // we see a '0'\r |
| 243 | Uart.state = STATE_MILLER_Z;\r |
| 244 | }\r |
| 245 | if(Uart.drop == DROP_SECOND_HALF) {\r |
| 246 | // We see a '1' and go to state X\r |
| 247 | Uart.shiftReg |= 0x100;\r |
| 248 | Uart.state = STATE_MILLER_X;\r |
| 249 | }\r |
| 250 | break;\r |
| 251 | \r |
| 252 | case STATE_ERROR_WAIT:\r |
| 253 | // That went wrong. Now wait for at least two bit periods\r |
| 254 | // and try to sync again\r |
| 255 | if(Uart.drop == DROP_NONE) {\r |
| 256 | Uart.highCnt = 6;\r |
| 257 | Uart.state = STATE_UNSYNCD;\r |
| 258 | }\r |
| 259 | break;\r |
| 260 | \r |
| 261 | default:\r |
| 262 | Uart.state = STATE_UNSYNCD;\r |
| 263 | Uart.highCnt = 0;\r |
| 264 | break;\r |
| 265 | }\r |
| 266 | \r |
| 267 | Uart.drop = DROP_NONE;\r |
| 268 | \r |
| 269 | // should have received at least one whole byte...\r |
| 270 | if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {\r |
| 271 | return TRUE;\r |
| 272 | }\r |
| 273 | \r |
| 274 | if(Uart.bitCnt == 9) {\r |
| 275 | Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);\r |
| 276 | Uart.byteCnt++;\r |
| 277 | \r |
| 278 | Uart.parityBits <<= 1;\r |
| 279 | Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);\r |
| 280 | \r |
| 281 | if(EOC) {\r |
| 282 | // when End of Communication received and\r |
| 283 | // all data bits processed..\r |
| 284 | return TRUE;\r |
| 285 | }\r |
| 286 | Uart.bitCnt = 0;\r |
| 287 | }\r |
| 288 | \r |
| 289 | /*if(error) {\r |
| 290 | Uart.output[Uart.byteCnt] = 0xAA;\r |
| 291 | Uart.byteCnt++;\r |
| 292 | Uart.output[Uart.byteCnt] = error & 0xFF;\r |
| 293 | Uart.byteCnt++;\r |
| 294 | Uart.output[Uart.byteCnt] = 0xAA;\r |
| 295 | Uart.byteCnt++;\r |
| 296 | Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;\r |
| 297 | Uart.byteCnt++;\r |
| 298 | Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;\r |
| 299 | Uart.byteCnt++;\r |
| 300 | Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;\r |
| 301 | Uart.byteCnt++;\r |
| 302 | Uart.output[Uart.byteCnt] = 0xAA;\r |
| 303 | Uart.byteCnt++;\r |
| 304 | return TRUE;\r |
| 305 | }*/\r |
| 306 | }\r |
| 307 | \r |
| 308 | }\r |
| 309 | else {\r |
| 310 | bit = Uart.bitBuffer & 0xf0;\r |
| 311 | bit >>= 4;\r |
| 312 | bit ^= 0x0F;\r |
| 313 | if(bit) {\r |
| 314 | // should have been high or at least (4 * 128) / fc\r |
| 315 | // according to ISO this should be at least (9 * 128 + 20) / fc\r |
| 316 | if(Uart.highCnt == 8) {\r |
| 317 | // we went low, so this could be start of communication\r |
| 318 | // it turns out to be safer to choose a less significant\r |
| 319 | // syncbit... so we check whether the neighbour also represents the drop\r |
| 320 | Uart.posCnt = 1; // apparently we are busy with our first half bit period\r |
| 321 | Uart.syncBit = bit & 8;\r |
| 322 | Uart.samples = 3;\r |
| 323 | if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }\r |
| 324 | else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }\r |
| 325 | if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }\r |
| 326 | else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }\r |
| 327 | if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;\r |
| 328 | if(Uart.syncBit & (Uart.bitBuffer & 8)) {\r |
| 329 | Uart.syncBit = 8;\r |
| 330 | \r |
| 331 | // the first half bit period is expected in next sample\r |
| 332 | Uart.posCnt = 0;\r |
| 333 | Uart.samples = 3;\r |
| 334 | }\r |
| 335 | }\r |
| 336 | else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }\r |
| 337 | \r |
| 338 | Uart.syncBit <<= 4;\r |
| 339 | Uart.state = STATE_START_OF_COMMUNICATION;\r |
| 340 | Uart.drop = DROP_FIRST_HALF;\r |
| 341 | Uart.bitCnt = 0;\r |
| 342 | Uart.byteCnt = 0;\r |
| 343 | Uart.parityBits = 0;\r |
| 344 | error = 0;\r |
| 345 | }\r |
| 346 | else {\r |
| 347 | Uart.highCnt = 0;\r |
| 348 | }\r |
| 349 | }\r |
| 350 | else {\r |
| 351 | if(Uart.highCnt < 8) {\r |
| 352 | Uart.highCnt++;\r |
| 353 | }\r |
| 354 | }\r |
| 355 | }\r |
| 356 | \r |
| 357 | return FALSE;\r |
| 358 | }\r |
| 359 | \r |
| 360 | //=============================================================================\r |
| 361 | // ISO 14443 Type A - Manchester\r |
| 362 | //=============================================================================\r |
| 363 | \r |
| 364 | static struct {\r |
| 365 | enum {\r |
| 366 | DEMOD_UNSYNCD,\r |
| 367 | DEMOD_START_OF_COMMUNICATION,\r |
| 368 | DEMOD_MANCHESTER_D,\r |
| 369 | DEMOD_MANCHESTER_E,\r |
| 370 | DEMOD_MANCHESTER_F,\r |
| 371 | DEMOD_ERROR_WAIT\r |
| 372 | } state;\r |
| 373 | int bitCount;\r |
| 374 | int posCount;\r |
| 375 | int syncBit;\r |
| 376 | int parityBits;\r |
| 377 | WORD shiftReg;\r |
| 378 | int buffer;\r |
| 379 | int buff;\r |
| 380 | int samples;\r |
| 381 | int len;\r |
| 382 | enum {\r |
| 383 | SUB_NONE,\r |
| 384 | SUB_FIRST_HALF,\r |
| 385 | SUB_SECOND_HALF\r |
| 386 | } sub;\r |
| 387 | BYTE *output;\r |
| 388 | } Demod;\r |
| 389 | \r |
| 390 | static BOOL ManchesterDecoding(int v)\r |
| 391 | {\r |
| 392 | int bit;\r |
| 393 | int modulation;\r |
| 394 | int error = 0;\r |
| 395 | \r |
| 396 | if(!Demod.buff) {\r |
| 397 | Demod.buff = 1;\r |
| 398 | Demod.buffer = v;\r |
| 399 | return FALSE;\r |
| 400 | }\r |
| 401 | else {\r |
| 402 | bit = Demod.buffer;\r |
| 403 | Demod.buffer = v;\r |
| 404 | }\r |
| 405 | \r |
| 406 | if(Demod.state==DEMOD_UNSYNCD) {\r |
| 407 | Demod.output[Demod.len] = 0xfa;\r |
| 408 | Demod.syncBit = 0;\r |
| 409 | //Demod.samples = 0;\r |
| 410 | Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part\r |
| 411 | if(bit & 0x08) { Demod.syncBit = 0x08; }\r |
| 412 | if(!Demod.syncBit) {\r |
| 413 | if(bit & 0x04) { Demod.syncBit = 0x04; }\r |
| 414 | }\r |
| 415 | else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }\r |
| 416 | if(!Demod.syncBit) {\r |
| 417 | if(bit & 0x02) { Demod.syncBit = 0x02; }\r |
| 418 | }\r |
| 419 | else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }\r |
| 420 | if(!Demod.syncBit) {\r |
| 421 | if(bit & 0x01) { Demod.syncBit = 0x01; }\r |
| 422 | \r |
| 423 | if(Demod.syncBit & (Demod.buffer & 0x08)) {\r |
| 424 | Demod.syncBit = 0x08;\r |
| 425 | \r |
| 426 | // The first half bitperiod is expected in next sample\r |
| 427 | Demod.posCount = 0;\r |
| 428 | Demod.output[Demod.len] = 0xfb;\r |
| 429 | }\r |
| 430 | }\r |
| 431 | else if(bit & 0x01) { Demod.syncBit = 0x01; }\r |
| 432 | \r |
| 433 | if(Demod.syncBit) {\r |
| 434 | Demod.len = 0;\r |
| 435 | Demod.state = DEMOD_START_OF_COMMUNICATION;\r |
| 436 | Demod.sub = SUB_FIRST_HALF;\r |
| 437 | Demod.bitCount = 0;\r |
| 438 | Demod.shiftReg = 0;\r |
| 439 | Demod.parityBits = 0;\r |
| 440 | Demod.samples = 0;\r |
| 441 | if(Demod.posCount) {\r |
| 442 | switch(Demod.syncBit) {\r |
| 443 | case 0x08: Demod.samples = 3; break;\r |
| 444 | case 0x04: Demod.samples = 2; break;\r |
| 445 | case 0x02: Demod.samples = 1; break;\r |
| 446 | case 0x01: Demod.samples = 0; break;\r |
| 447 | }\r |
| 448 | }\r |
| 449 | error = 0;\r |
| 450 | }\r |
| 451 | }\r |
| 452 | else {\r |
| 453 | //modulation = bit & Demod.syncBit;\r |
| 454 | modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;\r |
| 455 | \r |
| 456 | Demod.samples += 4;\r |
| 457 | \r |
| 458 | if(Demod.posCount==0) {\r |
| 459 | Demod.posCount = 1;\r |
| 460 | if(modulation) {\r |
| 461 | Demod.sub = SUB_FIRST_HALF;\r |
| 462 | }\r |
| 463 | else {\r |
| 464 | Demod.sub = SUB_NONE;\r |
| 465 | }\r |
| 466 | }\r |
| 467 | else {\r |
| 468 | Demod.posCount = 0;\r |
| 469 | if(modulation && (Demod.sub == SUB_FIRST_HALF)) {\r |
| 470 | if(Demod.state!=DEMOD_ERROR_WAIT) {\r |
| 471 | Demod.state = DEMOD_ERROR_WAIT;\r |
| 472 | Demod.output[Demod.len] = 0xaa;\r |
| 473 | error = 0x01;\r |
| 474 | }\r |
| 475 | }\r |
| 476 | else if(modulation) {\r |
| 477 | Demod.sub = SUB_SECOND_HALF;\r |
| 478 | }\r |
| 479 | \r |
| 480 | switch(Demod.state) {\r |
| 481 | case DEMOD_START_OF_COMMUNICATION:\r |
| 482 | if(Demod.sub == SUB_FIRST_HALF) {\r |
| 483 | Demod.state = DEMOD_MANCHESTER_D;\r |
| 484 | }\r |
| 485 | else {\r |
| 486 | Demod.output[Demod.len] = 0xab;\r |
| 487 | Demod.state = DEMOD_ERROR_WAIT;\r |
| 488 | error = 0x02;\r |
| 489 | }\r |
| 490 | break;\r |
| 491 | \r |
| 492 | case DEMOD_MANCHESTER_D:\r |
| 493 | case DEMOD_MANCHESTER_E:\r |
| 494 | if(Demod.sub == SUB_FIRST_HALF) {\r |
| 495 | Demod.bitCount++;\r |
| 496 | Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;\r |
| 497 | Demod.state = DEMOD_MANCHESTER_D;\r |
| 498 | }\r |
| 499 | else if(Demod.sub == SUB_SECOND_HALF) {\r |
| 500 | Demod.bitCount++;\r |
| 501 | Demod.shiftReg >>= 1;\r |
| 502 | Demod.state = DEMOD_MANCHESTER_E;\r |
| 503 | }\r |
| 504 | else {\r |
| 505 | Demod.state = DEMOD_MANCHESTER_F;\r |
| 506 | }\r |
| 507 | break;\r |
| 508 | \r |
| 509 | case DEMOD_MANCHESTER_F:\r |
| 510 | // Tag response does not need to be a complete byte!\r |
| 511 | if(Demod.len > 0 || Demod.bitCount > 0) {\r |
| 512 | if(Demod.bitCount > 0) {\r |
| 513 | Demod.shiftReg >>= (9 - Demod.bitCount);\r |
| 514 | Demod.output[Demod.len] = Demod.shiftReg & 0xff;\r |
| 515 | Demod.len++;\r |
| 516 | // No parity bit, so just shift a 0\r |
| 517 | Demod.parityBits <<= 1;\r |
| 518 | }\r |
| 519 | \r |
| 520 | Demod.state = DEMOD_UNSYNCD;\r |
| 521 | return TRUE;\r |
| 522 | }\r |
| 523 | else {\r |
| 524 | Demod.output[Demod.len] = 0xad;\r |
| 525 | Demod.state = DEMOD_ERROR_WAIT;\r |
| 526 | error = 0x03;\r |
| 527 | }\r |
| 528 | break;\r |
| 529 | \r |
| 530 | case DEMOD_ERROR_WAIT:\r |
| 531 | Demod.state = DEMOD_UNSYNCD;\r |
| 532 | break;\r |
| 533 | \r |
| 534 | default:\r |
| 535 | Demod.output[Demod.len] = 0xdd;\r |
| 536 | Demod.state = DEMOD_UNSYNCD;\r |
| 537 | break;\r |
| 538 | }\r |
| 539 | \r |
| 540 | if(Demod.bitCount>=9) {\r |
| 541 | Demod.output[Demod.len] = Demod.shiftReg & 0xff;\r |
| 542 | Demod.len++;\r |
| 543 | \r |
| 544 | Demod.parityBits <<= 1;\r |
| 545 | Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);\r |
| 546 | \r |
| 547 | Demod.bitCount = 0;\r |
| 548 | Demod.shiftReg = 0;\r |
| 549 | }\r |
| 550 | \r |
| 551 | /*if(error) {\r |
| 552 | Demod.output[Demod.len] = 0xBB;\r |
| 553 | Demod.len++;\r |
| 554 | Demod.output[Demod.len] = error & 0xFF;\r |
| 555 | Demod.len++;\r |
| 556 | Demod.output[Demod.len] = 0xBB;\r |
| 557 | Demod.len++;\r |
| 558 | Demod.output[Demod.len] = bit & 0xFF;\r |
| 559 | Demod.len++;\r |
| 560 | Demod.output[Demod.len] = Demod.buffer & 0xFF;\r |
| 561 | Demod.len++;\r |
| 562 | Demod.output[Demod.len] = Demod.syncBit & 0xFF;\r |
| 563 | Demod.len++;\r |
| 564 | Demod.output[Demod.len] = 0xBB;\r |
| 565 | Demod.len++;\r |
| 566 | return TRUE;\r |
| 567 | }*/\r |
| 568 | \r |
| 569 | }\r |
| 570 | \r |
| 571 | } // end (state != UNSYNCED)\r |
| 572 | \r |
| 573 | return FALSE;\r |
| 574 | }\r |
| 575 | \r |
| 576 | //=============================================================================\r |
| 577 | // Finally, a `sniffer' for ISO 14443 Type A\r |
| 578 | // Both sides of communication!\r |
| 579 | //=============================================================================\r |
| 580 | \r |
| 581 | //-----------------------------------------------------------------------------\r |
| 582 | // Record the sequence of commands sent by the reader to the tag, with\r |
| 583 | // triggering so that we start recording at the point that the tag is moved\r |
| 584 | // near the reader.\r |
| 585 | //-----------------------------------------------------------------------------\r |
| 586 | void SnoopIso14443a(void)\r |
| 587 | {\r |
| 6658905f |
588 | // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values\r |
| 589 | // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values\r |
| 590 | // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values\r |
| 591 | // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values\r |
| 592 | // #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values\r |
| 593 | \r |
| 594 | // We won't start recording the frames that we acquire until we trigger;\r |
| 595 | // a good trigger condition to get started is probably when we see a\r |
| 596 | // response from the tag.\r |
| 597 | BOOL triggered = TRUE; // FALSE to wait first for card\r |
| 598 | \r |
| 599 | // The command (reader -> tag) that we're receiving.\r |
| 600 | // The length of a received command will in most cases be no more than 18 bytes.\r |
| 601 | // So 32 should be enough!\r |
| 602 | BYTE *receivedCmd = (((BYTE *)BigBuf) + RECV_CMD_OFFSET);\r |
| 603 | // The response (tag -> reader) that we're receiving.\r |
| 604 | BYTE *receivedResponse = (((BYTE *)BigBuf) + RECV_RES_OFFSET);\r |
| 605 | \r |
| 606 | // As we receive stuff, we copy it from receivedCmd or receivedResponse\r |
| 607 | // into trace, along with its length and other annotations.\r |
| d24438f8 |
608 | //BYTE *trace = (BYTE *)BigBuf;\r |
| 609 | //int traceLen = 0;\r |
| 6658905f |
610 | \r |
| 611 | // The DMA buffer, used to stream samples from the FPGA\r |
| 612 | SBYTE *dmaBuf = ((SBYTE *)BigBuf) + DMA_BUFFER_OFFSET;\r |
| 613 | int lastRxCounter;\r |
| 614 | SBYTE *upTo;\r |
| 615 | int smpl;\r |
| 616 | int maxBehindBy = 0;\r |
| 617 | \r |
| 618 | // Count of samples received so far, so that we can include timing\r |
| 619 | // information in the trace buffer.\r |
| 620 | int samples = 0;\r |
| 621 | int rsamples = 0;\r |
| 622 | \r |
| 623 | memset(trace, 0x44, RECV_CMD_OFFSET);\r |
| 624 | \r |
| 625 | // Set up the demodulator for tag -> reader responses.\r |
| 626 | Demod.output = receivedResponse;\r |
| 627 | Demod.len = 0;\r |
| 628 | Demod.state = DEMOD_UNSYNCD;\r |
| 629 | \r |
| 630 | // And the reader -> tag commands\r |
| 631 | memset(&Uart, 0, sizeof(Uart));\r |
| 632 | Uart.output = receivedCmd;\r |
| 633 | Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////\r |
| 634 | Uart.state = STATE_UNSYNCD;\r |
| 635 | \r |
| 636 | // And put the FPGA in the appropriate mode\r |
| 0e25ae11 |
637 | // Signal field is off with the appropriate LED\r |
| 638 | LED_D_OFF();\r |
| 6658905f |
639 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);\r |
| 640 | SetAdcMuxFor(GPIO_MUXSEL_HIPKD);\r |
| 641 | \r |
| 642 | // Setup for the DMA.\r |
| 643 | FpgaSetupSsc();\r |
| 644 | upTo = dmaBuf;\r |
| 645 | lastRxCounter = DMA_BUFFER_SIZE;\r |
| 646 | FpgaSetupSscDma((BYTE *)dmaBuf, DMA_BUFFER_SIZE);\r |
| 647 | \r |
| 648 | LED_A_ON();\r |
| 649 | \r |
| 650 | // And now we loop, receiving samples.\r |
| 651 | for(;;) {\r |
| 652 | WDT_HIT();\r |
| 6949aca9 |
653 | int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &\r |
| 6658905f |
654 | (DMA_BUFFER_SIZE-1);\r |
| 655 | if(behindBy > maxBehindBy) {\r |
| 656 | maxBehindBy = behindBy;\r |
| 657 | if(behindBy > 400) {\r |
| 658 | DbpString("blew circular buffer!");\r |
| 659 | goto done;\r |
| 660 | }\r |
| 661 | }\r |
| 662 | if(behindBy < 1) continue;\r |
| 663 | \r |
| 664 | smpl = upTo[0];\r |
| 665 | upTo++;\r |
| 666 | lastRxCounter -= 1;\r |
| 667 | if(upTo - dmaBuf > DMA_BUFFER_SIZE) {\r |
| 668 | upTo -= DMA_BUFFER_SIZE;\r |
| 669 | lastRxCounter += DMA_BUFFER_SIZE;\r |
| 6949aca9 |
670 | AT91C_BASE_PDC_SSC->PDC_RNPR = (DWORD)upTo;\r |
| 671 | AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;\r |
| 6658905f |
672 | }\r |
| 673 | \r |
| 674 | samples += 4;\r |
| 675 | #define HANDLE_BIT_IF_BODY \\r |
| 676 | LED_C_ON(); \\r |
| 677 | if(triggered) { \\r |
| 678 | trace[traceLen++] = ((rsamples >> 0) & 0xff); \\r |
| 679 | trace[traceLen++] = ((rsamples >> 8) & 0xff); \\r |
| 680 | trace[traceLen++] = ((rsamples >> 16) & 0xff); \\r |
| 681 | trace[traceLen++] = ((rsamples >> 24) & 0xff); \\r |
| 682 | trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff); \\r |
| 683 | trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff); \\r |
| 684 | trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff); \\r |
| 685 | trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff); \\r |
| 686 | trace[traceLen++] = Uart.byteCnt; \\r |
| 687 | memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); \\r |
| 688 | traceLen += Uart.byteCnt; \\r |
| 689 | if(traceLen > TRACE_LENGTH) break; \\r |
| 690 | } \\r |
| 691 | /* And ready to receive another command. */ \\r |
| 692 | Uart.state = STATE_UNSYNCD; \\r |
| 693 | /* And also reset the demod code, which might have been */ \\r |
| 694 | /* false-triggered by the commands from the reader. */ \\r |
| 695 | Demod.state = DEMOD_UNSYNCD; \\r |
| 696 | LED_B_OFF(); \\r |
| 697 | \r |
| 698 | if(MillerDecoding((smpl & 0xF0) >> 4)) {\r |
| 699 | rsamples = samples - Uart.samples;\r |
| 700 | HANDLE_BIT_IF_BODY\r |
| 701 | }\r |
| 702 | if(ManchesterDecoding(smpl & 0x0F)) {\r |
| 703 | rsamples = samples - Demod.samples;\r |
| 704 | LED_B_ON();\r |
| 705 | \r |
| 706 | // timestamp, as a count of samples\r |
| 707 | trace[traceLen++] = ((rsamples >> 0) & 0xff);\r |
| 708 | trace[traceLen++] = ((rsamples >> 8) & 0xff);\r |
| 709 | trace[traceLen++] = ((rsamples >> 16) & 0xff);\r |
| 710 | trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);\r |
| 711 | trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);\r |
| 712 | trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);\r |
| 713 | trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);\r |
| 714 | trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);\r |
| 715 | // length\r |
| 716 | trace[traceLen++] = Demod.len;\r |
| 717 | memcpy(trace+traceLen, receivedResponse, Demod.len);\r |
| 718 | traceLen += Demod.len;\r |
| 719 | if(traceLen > TRACE_LENGTH) break;\r |
| 720 | \r |
| 721 | triggered = TRUE;\r |
| 722 | \r |
| 723 | // And ready to receive another response.\r |
| 724 | memset(&Demod, 0, sizeof(Demod));\r |
| 725 | Demod.output = receivedResponse;\r |
| 726 | Demod.state = DEMOD_UNSYNCD;\r |
| 727 | LED_C_OFF();\r |
| 728 | }\r |
| 729 | \r |
| 730 | if(BUTTON_PRESS()) {\r |
| 731 | DbpString("cancelled_a");\r |
| 732 | goto done;\r |
| 733 | }\r |
| 734 | }\r |
| 735 | \r |
| 736 | DbpString("COMMAND FINISHED");\r |
| 737 | \r |
| 738 | DbpIntegers(maxBehindBy, Uart.state, Uart.byteCnt);\r |
| 739 | DbpIntegers(Uart.byteCntMax, traceLen, (int)Uart.output[0]);\r |
| 740 | \r |
| 741 | done:\r |
| 6949aca9 |
742 | AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;\r |
| 6658905f |
743 | DbpIntegers(maxBehindBy, Uart.state, Uart.byteCnt);\r |
| 744 | DbpIntegers(Uart.byteCntMax, traceLen, (int)Uart.output[0]);\r |
| 745 | LED_A_OFF();\r |
| 746 | LED_B_OFF();\r |
| 747 | LED_C_OFF();\r |
| 748 | LED_D_OFF();\r |
| 749 | }\r |
| 750 | \r |
| 751 | // Prepare communication bits to send to FPGA\r |
| 752 | void Sequence(SecType seq)\r |
| 753 | {\r |
| 754 | ToSendMax++;\r |
| 755 | switch(seq) {\r |
| 756 | // CARD TO READER\r |
| 757 | case SEC_D:\r |
| 758 | // Sequence D: 11110000\r |
| 759 | // modulation with subcarrier during first half\r |
| 760 | ToSend[ToSendMax] = 0xf0;\r |
| 761 | break;\r |
| 762 | case SEC_E:\r |
| 763 | // Sequence E: 00001111\r |
| 764 | // modulation with subcarrier during second half\r |
| 765 | ToSend[ToSendMax] = 0x0f;\r |
| 766 | break;\r |
| 767 | case SEC_F:\r |
| 768 | // Sequence F: 00000000\r |
| 769 | // no modulation with subcarrier\r |
| 770 | ToSend[ToSendMax] = 0x00;\r |
| 771 | break;\r |
| 772 | // READER TO CARD\r |
| 773 | case SEC_X:\r |
| 774 | // Sequence X: 00001100\r |
| 775 | // drop after half a period\r |
| 776 | ToSend[ToSendMax] = 0x0c;\r |
| 777 | break;\r |
| 778 | case SEC_Y:\r |
| 779 | default:\r |
| 780 | // Sequence Y: 00000000\r |
| 781 | // no drop\r |
| 782 | ToSend[ToSendMax] = 0x00;\r |
| 783 | break;\r |
| 784 | case SEC_Z:\r |
| 785 | // Sequence Z: 11000000\r |
| 786 | // drop at start\r |
| 787 | ToSend[ToSendMax] = 0xc0;\r |
| 788 | break;\r |
| 789 | }\r |
| 790 | }\r |
| 791 | \r |
| 792 | //-----------------------------------------------------------------------------\r |
| 793 | // Prepare tag messages\r |
| 794 | //-----------------------------------------------------------------------------\r |
| 795 | static void CodeIso14443aAsTag(const BYTE *cmd, int len)\r |
| 796 | {\r |
| 797 | int i;\r |
| 798 | int oddparity;\r |
| 799 | \r |
| 800 | ToSendReset();\r |
| 801 | \r |
| 802 | // Correction bit, might be removed when not needed\r |
| 803 | ToSendStuffBit(0);\r |
| 804 | ToSendStuffBit(0);\r |
| 805 | ToSendStuffBit(0);\r |
| 806 | ToSendStuffBit(0);\r |
| 807 | ToSendStuffBit(1); // 1\r |
| 808 | ToSendStuffBit(0);\r |
| 809 | ToSendStuffBit(0);\r |
| 810 | ToSendStuffBit(0);\r |
| 811 | \r |
| 812 | // Send startbit\r |
| 813 | Sequence(SEC_D);\r |
| 814 | \r |
| 815 | for(i = 0; i < len; i++) {\r |
| 816 | int j;\r |
| 817 | BYTE b = cmd[i];\r |
| 818 | \r |
| 819 | // Data bits\r |
| 820 | oddparity = 0x01;\r |
| 821 | for(j = 0; j < 8; j++) {\r |
| 822 | oddparity ^= (b & 1);\r |
| 823 | if(b & 1) {\r |
| 824 | Sequence(SEC_D);\r |
| 825 | } else {\r |
| 826 | Sequence(SEC_E);\r |
| 827 | }\r |
| 828 | b >>= 1;\r |
| 829 | }\r |
| 830 | \r |
| 831 | // Parity bit\r |
| 832 | if(oddparity) {\r |
| 833 | Sequence(SEC_D);\r |
| 834 | } else {\r |
| 835 | Sequence(SEC_E);\r |
| 836 | }\r |
| 837 | }\r |
| 838 | \r |
| 839 | // Send stopbit\r |
| 840 | Sequence(SEC_F);\r |
| 841 | \r |
| 842 | // Flush the buffer in FPGA!!\r |
| 843 | for(i = 0; i < 5; i++) {\r |
| 844 | Sequence(SEC_F);\r |
| 845 | }\r |
| 846 | \r |
| 847 | // Convert from last byte pos to length\r |
| 848 | ToSendMax++;\r |
| 849 | \r |
| 850 | // Add a few more for slop\r |
| 851 | ToSend[ToSendMax++] = 0x00;\r |
| 852 | ToSend[ToSendMax++] = 0x00;\r |
| 853 | //ToSendMax += 2;\r |
| 854 | }\r |
| 855 | \r |
| 856 | //-----------------------------------------------------------------------------\r |
| 857 | // This is to send a NACK kind of answer, its only 3 bits, I know it should be 4\r |
| 858 | //-----------------------------------------------------------------------------\r |
| 859 | static void CodeStrangeAnswer()\r |
| 860 | {\r |
| 861 | int i;\r |
| 862 | \r |
| 863 | ToSendReset();\r |
| 864 | \r |
| 865 | // Correction bit, might be removed when not needed\r |
| 866 | ToSendStuffBit(0);\r |
| 867 | ToSendStuffBit(0);\r |
| 868 | ToSendStuffBit(0);\r |
| 869 | ToSendStuffBit(0);\r |
| 870 | ToSendStuffBit(1); // 1\r |
| 871 | ToSendStuffBit(0);\r |
| 872 | ToSendStuffBit(0);\r |
| 873 | ToSendStuffBit(0);\r |
| 874 | \r |
| 875 | // Send startbit\r |
| 876 | Sequence(SEC_D);\r |
| 877 | \r |
| 878 | // 0\r |
| 879 | Sequence(SEC_E);\r |
| 880 | \r |
| 881 | // 0\r |
| 882 | Sequence(SEC_E);\r |
| 883 | \r |
| 884 | // 1\r |
| 885 | Sequence(SEC_D);\r |
| 886 | \r |
| 887 | // Send stopbit\r |
| 888 | Sequence(SEC_F);\r |
| 889 | \r |
| 890 | // Flush the buffer in FPGA!!\r |
| 891 | for(i = 0; i < 5; i++) {\r |
| 892 | Sequence(SEC_F);\r |
| 893 | }\r |
| 894 | \r |
| 895 | // Convert from last byte pos to length\r |
| 896 | ToSendMax++;\r |
| 897 | \r |
| 898 | // Add a few more for slop\r |
| 899 | ToSend[ToSendMax++] = 0x00;\r |
| 900 | ToSend[ToSendMax++] = 0x00;\r |
| 901 | //ToSendMax += 2;\r |
| 902 | }\r |
| 903 | \r |
| 904 | //-----------------------------------------------------------------------------\r |
| 905 | // Wait for commands from reader\r |
| 906 | // Stop when button is pressed\r |
| 907 | // Or return TRUE when command is captured\r |
| 908 | //-----------------------------------------------------------------------------\r |
| 909 | static BOOL GetIso14443aCommandFromReader(BYTE *received, int *len, int maxLen)\r |
| 910 | {\r |
| 911 | // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen\r |
| 912 | // only, since we are receiving, not transmitting).\r |
| 0e25ae11 |
913 | // Signal field is off with the appropriate LED\r |
| 914 | LED_D_OFF();\r |
| 6658905f |
915 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);\r |
| 916 | \r |
| 917 | // Now run a `software UART' on the stream of incoming samples.\r |
| 918 | Uart.output = received;\r |
| 919 | Uart.byteCntMax = maxLen;\r |
| 920 | Uart.state = STATE_UNSYNCD;\r |
| 921 | \r |
| 922 | for(;;) {\r |
| 923 | WDT_HIT();\r |
| 924 | \r |
| 925 | if(BUTTON_PRESS()) return FALSE;\r |
| 926 | \r |
| 6949aca9 |
927 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {\r |
| 928 | AT91C_BASE_SSC->SSC_THR = 0x00;\r |
| 6658905f |
929 | }\r |
| 6949aca9 |
930 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {\r |
| 931 | BYTE b = (BYTE)AT91C_BASE_SSC->SSC_RHR;\r |
| 6658905f |
932 | if(MillerDecoding((b & 0xf0) >> 4)) {\r |
| 933 | *len = Uart.byteCnt;\r |
| 934 | return TRUE;\r |
| 935 | }\r |
| 936 | if(MillerDecoding(b & 0x0f)) {\r |
| 937 | *len = Uart.byteCnt;\r |
| 938 | return TRUE;\r |
| 939 | }\r |
| 940 | }\r |
| 941 | }\r |
| 942 | }\r |
| 943 | \r |
| 944 | //-----------------------------------------------------------------------------\r |
| 945 | // Main loop of simulated tag: receive commands from reader, decide what\r |
| 946 | // response to send, and send it.\r |
| 947 | //-----------------------------------------------------------------------------\r |
| 948 | void SimulateIso14443aTag(int tagType, int TagUid)\r |
| 949 | {\r |
| 950 | // This function contains the tag emulation\r |
| 951 | \r |
| 952 | // Prepare protocol messages\r |
| 953 | // static const BYTE cmd1[] = { 0x26 };\r |
| 954 | // static const BYTE response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg\r |
| 955 | //\r |
| 956 | static const BYTE response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me\r |
| 957 | // static const BYTE response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me\r |
| 958 | \r |
| 959 | // UID response\r |
| 960 | // static const BYTE cmd2[] = { 0x93, 0x20 };\r |
| 961 | //static const BYTE response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg\r |
| 962 | \r |
| 963 | \r |
| 964 | \r |
| 965 | // my desfire\r |
| 966 | static const BYTE response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips\r |
| 0e25ae11 |
967 | \r |
| 968 | \r |
| 6658905f |
969 | // When reader selects us during cascade1 it will send cmd3\r |
| 970 | //BYTE response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)\r |
| 971 | BYTE response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)\r |
| 972 | ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);\r |
| 973 | \r |
| 974 | // send cascade2 2nd half of UID\r |
| 975 | static const BYTE response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck\r |
| 976 | // NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID\r |
| 977 | \r |
| 978 | \r |
| 979 | // When reader selects us during cascade2 it will send cmd3a\r |
| 980 | //BYTE response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)\r |
| 981 | BYTE response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)\r |
| 982 | ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);\r |
| 0e25ae11 |
983 | \r |
| 6658905f |
984 | static const BYTE response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce\r |
| 985 | \r |
| 986 | BYTE *resp;\r |
| 987 | int respLen;\r |
| 988 | \r |
| 989 | // Longest possible response will be 16 bytes + 2 CRC = 18 bytes\r |
| 990 | // This will need\r |
| 991 | // 144 data bits (18 * 8)\r |
| 992 | // 18 parity bits\r |
| 993 | // 2 Start and stop\r |
| 994 | // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)\r |
| 995 | // 1 just for the case\r |
| 996 | // ----------- +\r |
| 997 | // 166\r |
| 998 | //\r |
| 999 | // 166 bytes, since every bit that needs to be send costs us a byte\r |
| 1000 | //\r |
| 1001 | \r |
| 1002 | \r |
| 1003 | // Respond with card type\r |
| 1004 | BYTE *resp1 = (((BYTE *)BigBuf) + 800);\r |
| 1005 | int resp1Len;\r |
| 1006 | \r |
| 1007 | // Anticollision cascade1 - respond with uid\r |
| 1008 | BYTE *resp2 = (((BYTE *)BigBuf) + 970);\r |
| 1009 | int resp2Len;\r |
| 1010 | \r |
| 1011 | // Anticollision cascade2 - respond with 2nd half of uid if asked\r |
| 1012 | // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88\r |
| 1013 | BYTE *resp2a = (((BYTE *)BigBuf) + 1140);\r |
| 1014 | int resp2aLen;\r |
| 1015 | \r |
| 1016 | // Acknowledge select - cascade 1\r |
| 1017 | BYTE *resp3 = (((BYTE *)BigBuf) + 1310);\r |
| 1018 | int resp3Len;\r |
| 1019 | \r |
| 1020 | // Acknowledge select - cascade 2\r |
| 1021 | BYTE *resp3a = (((BYTE *)BigBuf) + 1480);\r |
| 1022 | int resp3aLen;\r |
| 1023 | \r |
| 1024 | // Response to a read request - not implemented atm\r |
| 1025 | BYTE *resp4 = (((BYTE *)BigBuf) + 1550);\r |
| 1026 | int resp4Len;\r |
| 1027 | \r |
| 1028 | // Authenticate response - nonce\r |
| 1029 | BYTE *resp5 = (((BYTE *)BigBuf) + 1720);\r |
| 1030 | int resp5Len;\r |
| 1031 | \r |
| 1032 | BYTE *receivedCmd = (BYTE *)BigBuf;\r |
| 1033 | int len;\r |
| 1034 | \r |
| 1035 | int i;\r |
| 1036 | int u;\r |
| 1037 | BYTE b;\r |
| 1038 | \r |
| 1039 | // To control where we are in the protocol\r |
| 1040 | int order = 0;\r |
| 1041 | int lastorder;\r |
| 1042 | \r |
| 1043 | // Just to allow some checks\r |
| 1044 | int happened = 0;\r |
| 1045 | int happened2 = 0;\r |
| 1046 | \r |
| 1047 | int cmdsRecvd = 0;\r |
| 1048 | \r |
| 1049 | BOOL fdt_indicator;\r |
| 1050 | \r |
| 1051 | memset(receivedCmd, 0x44, 400);\r |
| 1052 | \r |
| 1053 | // Prepare the responses of the anticollision phase\r |
| 1054 | // there will be not enough time to do this at the moment the reader sends it REQA\r |
| 1055 | \r |
| 1056 | // Answer to request\r |
| 1057 | CodeIso14443aAsTag(response1, sizeof(response1));\r |
| 1058 | memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;\r |
| 1059 | \r |
| 1060 | // Send our UID (cascade 1)\r |
| 1061 | CodeIso14443aAsTag(response2, sizeof(response2));\r |
| 1062 | memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;\r |
| 1063 | \r |
| 1064 | // Answer to select (cascade1)\r |
| 1065 | CodeIso14443aAsTag(response3, sizeof(response3));\r |
| 1066 | memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;\r |
| 1067 | \r |
| 1068 | // Send the cascade 2 2nd part of the uid\r |
| 1069 | CodeIso14443aAsTag(response2a, sizeof(response2a));\r |
| 1070 | memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;\r |
| 1071 | \r |
| 1072 | // Answer to select (cascade 2)\r |
| 1073 | CodeIso14443aAsTag(response3a, sizeof(response3a));\r |
| 1074 | memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;\r |
| 1075 | \r |
| 1076 | // Strange answer is an example of rare message size (3 bits)\r |
| 1077 | CodeStrangeAnswer();\r |
| 1078 | memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;\r |
| 1079 | \r |
| 1080 | // Authentication answer (random nonce)\r |
| 1081 | CodeIso14443aAsTag(response5, sizeof(response5));\r |
| 1082 | memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;\r |
| 1083 | \r |
| 1084 | // We need to listen to the high-frequency, peak-detected path.\r |
| 1085 | SetAdcMuxFor(GPIO_MUXSEL_HIPKD);\r |
| 1086 | FpgaSetupSsc();\r |
| 1087 | \r |
| 1088 | cmdsRecvd = 0;\r |
| 1089 | \r |
| 1090 | LED_A_ON();\r |
| 1091 | for(;;) {\r |
| 1092 | \r |
| 1093 | if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {\r |
| 1094 | DbpString("button press");\r |
| 1095 | break;\r |
| 1096 | }\r |
| 1097 | // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated\r |
| 1098 | // Okay, look at the command now.\r |
| 1099 | lastorder = order;\r |
| 1100 | i = 1; // first byte transmitted\r |
| 1101 | if(receivedCmd[0] == 0x26) {\r |
| 1102 | // Received a REQUEST\r |
| 1103 | resp = resp1; respLen = resp1Len; order = 1;\r |
| 1104 | //DbpString("Hello request from reader:");\r |
| 1105 | } else if(receivedCmd[0] == 0x52) {\r |
| 1106 | // Received a WAKEUP\r |
| 1107 | resp = resp1; respLen = resp1Len; order = 6;\r |
| 1108 | // //DbpString("Wakeup request from reader:");\r |
| 1109 | \r |
| 1110 | } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision\r |
| 1111 | // Received request for UID (cascade 1)\r |
| 1112 | resp = resp2; respLen = resp2Len; order = 2;\r |
| 1113 | // DbpString("UID (cascade 1) request from reader:");\r |
| 1114 | // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);\r |
| 1115 | \r |
| 1116 | \r |
| 1117 | } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision\r |
| 1118 | // Received request for UID (cascade 2)\r |
| 1119 | resp = resp2a; respLen = resp2aLen; order = 20;\r |
| 1120 | // DbpString("UID (cascade 2) request from reader:");\r |
| 1121 | // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);\r |
| 1122 | \r |
| 1123 | \r |
| 1124 | } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select\r |
| 1125 | // Received a SELECT\r |
| 1126 | resp = resp3; respLen = resp3Len; order = 3;\r |
| 1127 | // DbpString("Select (cascade 1) request from reader:");\r |
| 1128 | // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);\r |
| 1129 | \r |
| 1130 | \r |
| 1131 | } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select\r |
| 1132 | // Received a SELECT\r |
| 1133 | resp = resp3a; respLen = resp3aLen; order = 30;\r |
| 1134 | // DbpString("Select (cascade 2) request from reader:");\r |
| 1135 | // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);\r |
| 1136 | \r |
| 1137 | \r |
| 1138 | } else if(receivedCmd[0] == 0x30) {\r |
| 1139 | // Received a READ\r |
| 1140 | resp = resp4; respLen = resp4Len; order = 4; // Do nothing\r |
| 1141 | DbpString("Read request from reader:");\r |
| 1142 | DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);\r |
| 1143 | \r |
| 1144 | \r |
| 1145 | } else if(receivedCmd[0] == 0x50) {\r |
| 1146 | // Received a HALT\r |
| 1147 | resp = resp1; respLen = 0; order = 5; // Do nothing\r |
| 1148 | DbpString("Reader requested we HALT!:");\r |
| 1149 | \r |
| 1150 | } else if(receivedCmd[0] == 0x60) {\r |
| 1151 | // Received an authentication request\r |
| 1152 | resp = resp5; respLen = resp5Len; order = 7;\r |
| 1153 | DbpString("Authenticate request from reader:");\r |
| 1154 | DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);\r |
| 1155 | \r |
| 1156 | } else if(receivedCmd[0] == 0xE0) {\r |
| 1157 | // Received a RATS request\r |
| 1158 | resp = resp1; respLen = 0;order = 70;\r |
| 1159 | DbpString("RATS request from reader:");\r |
| 1160 | DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);\r |
| 1161 | } else {\r |
| 1162 | // Never seen this command before\r |
| 1163 | DbpString("Unknown command received from reader:");\r |
| 1164 | DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);\r |
| 1165 | DbpIntegers(receivedCmd[3], receivedCmd[4], receivedCmd[5]);\r |
| 1166 | DbpIntegers(receivedCmd[6], receivedCmd[7], receivedCmd[8]);\r |
| 1167 | \r |
| 1168 | // Do not respond\r |
| 1169 | resp = resp1; respLen = 0; order = 0;\r |
| 1170 | }\r |
| 1171 | \r |
| 1172 | // Count number of wakeups received after a halt\r |
| 1173 | if(order == 6 && lastorder == 5) { happened++; }\r |
| 1174 | \r |
| 1175 | // Count number of other messages after a halt\r |
| 1176 | if(order != 6 && lastorder == 5) { happened2++; }\r |
| 1177 | \r |
| 1178 | // Look at last parity bit to determine timing of answer\r |
| 1179 | if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {\r |
| 1180 | // 1236, so correction bit needed\r |
| 1181 | i = 0;\r |
| 1182 | }\r |
| 1183 | \r |
| 1184 | memset(receivedCmd, 0x44, 32);\r |
| 1185 | \r |
| 1186 | if(cmdsRecvd > 999) {\r |
| 1187 | DbpString("1000 commands later...");\r |
| 1188 | break;\r |
| 1189 | }\r |
| 1190 | else {\r |
| 1191 | cmdsRecvd++;\r |
| 1192 | }\r |
| 1193 | \r |
| 1194 | if(respLen <= 0) continue;\r |
| 1195 | \r |
| 1196 | // Modulate Manchester\r |
| 1197 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);\r |
| 6949aca9 |
1198 | AT91C_BASE_SSC->SSC_THR = 0x00;\r |
| 6658905f |
1199 | FpgaSetupSsc();\r |
| 1200 | \r |
| 1201 | // ### Transmit the response ###\r |
| 1202 | u = 0;\r |
| 1203 | b = 0x00;\r |
| 1204 | fdt_indicator = FALSE;\r |
| 1205 | for(;;) {\r |
| 6949aca9 |
1206 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {\r |
| 1207 | volatile BYTE b = (BYTE)AT91C_BASE_SSC->SSC_RHR;\r |
| 6658905f |
1208 | (void)b;\r |
| 1209 | }\r |
| 6949aca9 |
1210 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {\r |
| 6658905f |
1211 | if(i > respLen) {\r |
| 1212 | b = 0x00;\r |
| 1213 | u++;\r |
| 1214 | } else {\r |
| 1215 | b = resp[i];\r |
| 1216 | i++;\r |
| 1217 | }\r |
| 6949aca9 |
1218 | AT91C_BASE_SSC->SSC_THR = b;\r |
| 6658905f |
1219 | \r |
| 1220 | if(u > 4) {\r |
| 1221 | break;\r |
| 1222 | }\r |
| 1223 | }\r |
| 1224 | if(BUTTON_PRESS()) {\r |
| 1225 | break;\r |
| 1226 | }\r |
| 1227 | }\r |
| 1228 | \r |
| 1229 | }\r |
| 1230 | \r |
| 1231 | DbpIntegers(happened, happened2, cmdsRecvd);\r |
| 1232 | LED_A_OFF();\r |
| 1233 | }\r |
| 1234 | \r |
| 1235 | //-----------------------------------------------------------------------------\r |
| 1236 | // Transmit the command (to the tag) that was placed in ToSend[].\r |
| 1237 | //-----------------------------------------------------------------------------\r |
| 1238 | static void TransmitFor14443a(const BYTE *cmd, int len, int *samples, int *wait)\r |
| 1239 | {\r |
| 84c02e97 |
1240 | int c;\r |
| 1241 | \r |
| 1242 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);\r |
| 1243 | \r |
| 1244 | if (wait)\r |
| 1245 | if(*wait < 10)\r |
| 1246 | *wait = 10;\r |
| 1247 | \r |
| 1248 | for(c = 0; c < *wait;) {\r |
| 1249 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {\r |
| 1250 | AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!\r |
| 1251 | c++;\r |
| 6658905f |
1252 | }\r |
| 84c02e97 |
1253 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {\r |
| 1254 | volatile DWORD r = AT91C_BASE_SSC->SSC_RHR;\r |
| 1255 | (void)r;\r |
| 1256 | }\r |
| 1257 | WDT_HIT();\r |
| 1258 | }\r |
| 1259 | \r |
| 1260 | c = 0;\r |
| 1261 | for(;;) {\r |
| 1262 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {\r |
| 1263 | AT91C_BASE_SSC->SSC_THR = cmd[c];\r |
| 1264 | c++;\r |
| 1265 | if(c >= len) {\r |
| 1266 | break;\r |
| 1267 | }\r |
| 6658905f |
1268 | }\r |
| 84c02e97 |
1269 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {\r |
| 1270 | volatile DWORD r = AT91C_BASE_SSC->SSC_RHR;\r |
| 1271 | (void)r;\r |
| 1272 | }\r |
| 1273 | WDT_HIT();\r |
| 1274 | }\r |
| 1275 | if (samples) *samples = (c + *wait) << 3;\r |
| 6658905f |
1276 | }\r |
| 1277 | \r |
| 1278 | //-----------------------------------------------------------------------------\r |
| 1279 | // To generate an arbitrary stream from reader\r |
| 1280 | //\r |
| 1281 | //-----------------------------------------------------------------------------\r |
| 1282 | void ArbitraryFromReader(const BYTE *cmd, int parity, int len)\r |
| 1283 | {\r |
| 1284 | int i;\r |
| 1285 | int j;\r |
| 1286 | int last;\r |
| 1287 | BYTE b;\r |
| 1288 | \r |
| 1289 | ToSendReset();\r |
| 1290 | \r |
| 1291 | // Start of Communication (Seq. Z)\r |
| 1292 | Sequence(SEC_Z);\r |
| 1293 | last = 0;\r |
| 1294 | \r |
| 1295 | for(i = 0; i < len; i++) {\r |
| 1296 | // Data bits\r |
| 1297 | b = cmd[i];\r |
| 1298 | for(j = 0; j < 8; j++) {\r |
| 1299 | if(b & 1) {\r |
| 1300 | // Sequence X\r |
| 1301 | Sequence(SEC_X);\r |
| 1302 | last = 1;\r |
| 1303 | } else {\r |
| 1304 | if(last == 0) {\r |
| 1305 | // Sequence Z\r |
| 1306 | Sequence(SEC_Z);\r |
| 1307 | }\r |
| 1308 | else {\r |
| 1309 | // Sequence Y\r |
| 1310 | Sequence(SEC_Y);\r |
| 1311 | last = 0;\r |
| 1312 | }\r |
| 1313 | }\r |
| 1314 | b >>= 1;\r |
| 1315 | \r |
| 1316 | }\r |
| 1317 | \r |
| 1318 | // Predefined parity bit, the flipper flips when needed, because of flips in byte sent\r |
| 1319 | if(((parity >> (len - i - 1)) & 1)) {\r |
| 1320 | // Sequence X\r |
| 1321 | Sequence(SEC_X);\r |
| 1322 | last = 1;\r |
| 1323 | } else {\r |
| 1324 | if(last == 0) {\r |
| 1325 | // Sequence Z\r |
| 1326 | Sequence(SEC_Z);\r |
| 1327 | }\r |
| 1328 | else {\r |
| 1329 | // Sequence Y\r |
| 1330 | Sequence(SEC_Y);\r |
| 1331 | last = 0;\r |
| 1332 | }\r |
| 1333 | }\r |
| 1334 | }\r |
| 1335 | \r |
| 1336 | // End of Communication\r |
| 1337 | if(last == 0) {\r |
| 1338 | // Sequence Z\r |
| 1339 | Sequence(SEC_Z);\r |
| 1340 | }\r |
| 1341 | else {\r |
| 1342 | // Sequence Y\r |
| 1343 | Sequence(SEC_Y);\r |
| 1344 | last = 0;\r |
| 1345 | }\r |
| 1346 | // Sequence Y\r |
| 1347 | Sequence(SEC_Y);\r |
| 1348 | \r |
| 1349 | // Just to be sure!\r |
| 1350 | Sequence(SEC_Y);\r |
| 1351 | Sequence(SEC_Y);\r |
| 1352 | Sequence(SEC_Y);\r |
| 1353 | \r |
| 1354 | // Convert from last character reference to length\r |
| 1355 | ToSendMax++;\r |
| 1356 | }\r |
| 1357 | \r |
| 1358 | //-----------------------------------------------------------------------------\r |
| 1359 | // Code a 7-bit command without parity bit\r |
| 1360 | // This is especially for 0x26 and 0x52 (REQA and WUPA)\r |
| 1361 | //-----------------------------------------------------------------------------\r |
| 84c02e97 |
1362 | void ShortFrameFromReader(const BYTE bt)\r |
| 6658905f |
1363 | {\r |
| 1364 | int j;\r |
| 1365 | int last;\r |
| 84c02e97 |
1366 | BYTE b;\r |
| 6658905f |
1367 | \r |
| 1368 | ToSendReset();\r |
| 1369 | \r |
| 1370 | // Start of Communication (Seq. Z)\r |
| 1371 | Sequence(SEC_Z);\r |
| 1372 | last = 0;\r |
| 1373 | \r |
| 84c02e97 |
1374 | b = bt;\r |
| 6658905f |
1375 | for(j = 0; j < 7; j++) {\r |
| 1376 | if(b & 1) {\r |
| 1377 | // Sequence X\r |
| 1378 | Sequence(SEC_X);\r |
| 1379 | last = 1;\r |
| 1380 | } else {\r |
| 1381 | if(last == 0) {\r |
| 1382 | // Sequence Z\r |
| 1383 | Sequence(SEC_Z);\r |
| 1384 | }\r |
| 1385 | else {\r |
| 1386 | // Sequence Y\r |
| 1387 | Sequence(SEC_Y);\r |
| 1388 | last = 0;\r |
| 1389 | }\r |
| 1390 | }\r |
| 1391 | b >>= 1;\r |
| 1392 | }\r |
| 1393 | \r |
| 1394 | // End of Communication\r |
| 1395 | if(last == 0) {\r |
| 1396 | // Sequence Z\r |
| 1397 | Sequence(SEC_Z);\r |
| 1398 | }\r |
| 1399 | else {\r |
| 1400 | // Sequence Y\r |
| 1401 | Sequence(SEC_Y);\r |
| 1402 | last = 0;\r |
| 1403 | }\r |
| 1404 | // Sequence Y\r |
| 1405 | Sequence(SEC_Y);\r |
| 1406 | \r |
| 1407 | // Just to be sure!\r |
| 1408 | Sequence(SEC_Y);\r |
| 1409 | Sequence(SEC_Y);\r |
| 1410 | Sequence(SEC_Y);\r |
| 1411 | \r |
| 1412 | // Convert from last character reference to length\r |
| 1413 | ToSendMax++;\r |
| 1414 | }\r |
| 1415 | \r |
| 1416 | //-----------------------------------------------------------------------------\r |
| 1417 | // Prepare reader command to send to FPGA\r |
| 84c02e97 |
1418 | // \r |
| 6658905f |
1419 | //-----------------------------------------------------------------------------\r |
| 84c02e97 |
1420 | void CodeIso14443aAsReaderPar(const BYTE * cmd, int len, DWORD dwParity)\r |
| 6658905f |
1421 | {\r |
| 84c02e97 |
1422 | int i, j;\r |
| 1423 | int last;\r |
| 1424 | BYTE b;\r |
| 1425 | \r |
| 1426 | ToSendReset();\r |
| 1427 | \r |
| 1428 | // Start of Communication (Seq. Z)\r |
| 1429 | Sequence(SEC_Z);\r |
| 1430 | last = 0;\r |
| 1431 | \r |
| 1432 | // Generate send structure for the data bits\r |
| 1433 | for (i = 0; i < len; i++) {\r |
| 1434 | // Get the current byte to send\r |
| 1435 | b = cmd[i];\r |
| 1436 | \r |
| 1437 | for (j = 0; j < 8; j++) {\r |
| 1438 | if (b & 1) {\r |
| 1439 | // Sequence X\r |
| 1440 | Sequence(SEC_X);\r |
| 1441 | last = 1;\r |
| 1442 | } else {\r |
| 1443 | if (last == 0) {\r |
| 1444 | // Sequence Z\r |
| 1445 | Sequence(SEC_Z);\r |
| 1446 | } else {\r |
| 1447 | // Sequence Y\r |
| 1448 | Sequence(SEC_Y);\r |
| 1449 | last = 0;\r |
| 6658905f |
1450 | }\r |
| 84c02e97 |
1451 | }\r |
| 1452 | b >>= 1;\r |
| 6658905f |
1453 | }\r |
| 84c02e97 |
1454 | \r |
| 1455 | // Get the parity bit\r |
| 1456 | if ((dwParity >> i) & 0x01) {\r |
| 1457 | // Sequence X\r |
| 1458 | Sequence(SEC_X);\r |
| 1459 | last = 1;\r |
| 1460 | } else {\r |
| 1461 | if (last == 0) {\r |
| 1462 | // Sequence Z\r |
| 1463 | Sequence(SEC_Z);\r |
| 1464 | } else {\r |
| 1465 | // Sequence Y\r |
| 1466 | Sequence(SEC_Y);\r |
| 1467 | last = 0;\r |
| 1468 | }\r |
| 1469 | }\r |
| 1470 | }\r |
| 1471 | \r |
| 1472 | // End of Communication\r |
| 1473 | if (last == 0) {\r |
| 1474 | // Sequence Z\r |
| 1475 | Sequence(SEC_Z);\r |
| 1476 | } else {\r |
| 1477 | // Sequence Y\r |
| 1478 | Sequence(SEC_Y);\r |
| 1479 | last = 0;\r |
| 1480 | }\r |
| 1481 | // Sequence Y\r |
| 1482 | Sequence(SEC_Y);\r |
| 1483 | \r |
| 1484 | // Just to be sure!\r |
| 1485 | Sequence(SEC_Y);\r |
| 1486 | Sequence(SEC_Y);\r |
| 1487 | Sequence(SEC_Y);\r |
| 1488 | \r |
| 1489 | // Convert from last character reference to length\r |
| 1490 | ToSendMax++;\r |
| 6658905f |
1491 | }\r |
| 1492 | \r |
| 6658905f |
1493 | //-----------------------------------------------------------------------------\r |
| 1494 | // Wait a certain time for tag response\r |
| 1495 | // If a response is captured return TRUE\r |
| 1496 | // If it takes to long return FALSE\r |
| 1497 | //-----------------------------------------------------------------------------\r |
| 1498 | static BOOL GetIso14443aAnswerFromTag(BYTE *receivedResponse, int maxLen, int *samples, int *elapsed) //BYTE *buffer\r |
| 1499 | {\r |
| 1500 | // buffer needs to be 512 bytes\r |
| 1501 | int c;\r |
| 1502 | \r |
| 0e25ae11 |
1503 | // Set FPGA mode to "reader listen mode", no modulation (listen\r |
| 6658905f |
1504 | // only, since we are receiving, not transmitting).\r |
| 0e25ae11 |
1505 | // Signal field is on with the appropriate LED\r |
| 1506 | LED_D_ON();\r |
| 6658905f |
1507 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);\r |
| 1508 | \r |
| 1509 | // Now get the answer from the card\r |
| 1510 | Demod.output = receivedResponse;\r |
| 1511 | Demod.len = 0;\r |
| 1512 | Demod.state = DEMOD_UNSYNCD;\r |
| 1513 | \r |
| 1514 | BYTE b;\r |
| 84c02e97 |
1515 | if (elapsed) *elapsed = 0;\r |
| 6658905f |
1516 | \r |
| 1517 | c = 0;\r |
| 1518 | for(;;) {\r |
| 1519 | WDT_HIT();\r |
| 1520 | \r |
| 6949aca9 |
1521 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {\r |
| 1522 | AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!\r |
| 84c02e97 |
1523 | if (elapsed) (*elapsed)++;\r |
| 6658905f |
1524 | }\r |
| 6949aca9 |
1525 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {\r |
| 6658905f |
1526 | if(c < 512) { c++; } else { return FALSE; }\r |
| 6949aca9 |
1527 | b = (BYTE)AT91C_BASE_SSC->SSC_RHR;\r |
| 6658905f |
1528 | if(ManchesterDecoding((b & 0xf0) >> 4)) {\r |
| 1529 | *samples = ((c - 1) << 3) + 4;\r |
| 1530 | return TRUE;\r |
| 1531 | }\r |
| 1532 | if(ManchesterDecoding(b & 0x0f)) {\r |
| 1533 | *samples = c << 3;\r |
| 1534 | return TRUE;\r |
| 1535 | }\r |
| 1536 | }\r |
| 1537 | }\r |
| 1538 | }\r |
| 1539 | \r |
| 84c02e97 |
1540 | void ReaderTransmitShort(const BYTE* bt)\r |
| 1541 | {\r |
| 1542 | int wait = 0;\r |
| 1543 | int samples = 0;\r |
| 1544 | \r |
| 1545 | ShortFrameFromReader(*bt);\r |
| 1546 | \r |
| 1547 | // Select the card\r |
| 1548 | TransmitFor14443a(ToSend, ToSendMax, &samples, &wait); \r |
| 1549 | \r |
| 1550 | // Store reader command in buffer\r |
| 1551 | LogTrace(bt,1,0,GetParity(bt,1),TRUE);\r |
| 1552 | }\r |
| d24438f8 |
1553 | \r |
| 84c02e97 |
1554 | void ReaderTransmitPar(BYTE* frame, int len, DWORD par)\r |
| 1555 | {\r |
| 1556 | int wait = 0;\r |
| 1557 | int samples = 0;\r |
| 1558 | \r |
| 1559 | // This is tied to other size changes\r |
| 1560 | // BYTE* frame_addr = ((BYTE*)BigBuf) + 2024; \r |
| 1561 | \r |
| 1562 | CodeIso14443aAsReaderPar(frame,len,par);\r |
| 1563 | \r |
| 1564 | // Select the card\r |
| 1565 | TransmitFor14443a(ToSend, ToSendMax, &samples, &wait); \r |
| 1566 | \r |
| 1567 | // Store reader command in buffer\r |
| 1568 | LogTrace(frame,len,0,par,TRUE);\r |
| 1569 | }\r |
| 1570 | \r |
| 1571 | \r |
| 1572 | void ReaderTransmit(BYTE* frame, int len)\r |
| 1573 | {\r |
| 1574 | // Generate parity and redirect\r |
| 1575 | ReaderTransmitPar(frame,len,GetParity(frame,len));\r |
| 1576 | }\r |
| 1577 | \r |
| 1578 | BOOL ReaderReceive(BYTE* receivedAnswer)\r |
| 1579 | {\r |
| 1580 | int samples = 0;\r |
| 1581 | if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;\r |
| 1582 | LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);\r |
| 1583 | return TRUE;\r |
| 1584 | }\r |
| d24438f8 |
1585 | \r |
| 6658905f |
1586 | //-----------------------------------------------------------------------------\r |
| 1587 | // Read an ISO 14443a tag. Send out commands and store answers.\r |
| 1588 | //\r |
| 1589 | //-----------------------------------------------------------------------------\r |
| 1590 | void ReaderIso14443a(DWORD parameter)\r |
| 1591 | {\r |
| 1592 | // Anticollision\r |
| 84c02e97 |
1593 | BYTE wupa[] = { 0x52 };\r |
| 1594 | BYTE sel_all[] = { 0x93,0x20 };\r |
| 1595 | BYTE sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };\r |
| 1596 | BYTE sel_all_c2[] = { 0x95,0x20 };\r |
| 1597 | BYTE sel_uid_c2[] = { 0x95,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };\r |
| 6658905f |
1598 | \r |
| 093cbaf6 |
1599 | // Mifare AUTH\r |
| 84c02e97 |
1600 | BYTE mf_auth[] = { 0x60,0x00,0xf5,0x7b };\r |
| 1601 | // BYTE mf_nr_ar[] = { 0x00,0x00,0x00,0x00 };\r |
| 1602 | \r |
| 1603 | BYTE* receivedAnswer = (((BYTE *)BigBuf) + 3560); // was 3560 - tied to other size changes\r |
| d24438f8 |
1604 | traceLen = 0;\r |
| 6658905f |
1605 | \r |
| 6658905f |
1606 | // Setup SSC\r |
| 1607 | FpgaSetupSsc();\r |
| 1608 | \r |
| 1609 | // Start from off (no field generated)\r |
| 84c02e97 |
1610 | // Signal field is off with the appropriate LED\r |
| 1611 | LED_D_OFF();\r |
| 1612 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r |
| 1613 | SpinDelay(200);\r |
| 6658905f |
1614 | \r |
| 84c02e97 |
1615 | SetAdcMuxFor(GPIO_MUXSEL_HIPKD);\r |
| 1616 | FpgaSetupSsc();\r |
| 6658905f |
1617 | \r |
| 1618 | // Now give it time to spin up.\r |
| 84c02e97 |
1619 | // Signal field is on with the appropriate LED\r |
| 1620 | LED_D_ON();\r |
| 1621 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);\r |
| 6658905f |
1622 | SpinDelay(200);\r |
| 1623 | \r |
| 1624 | LED_A_ON();\r |
| 1625 | LED_B_OFF();\r |
| 1626 | LED_C_OFF();\r |
| 6658905f |
1627 | \r |
| 84c02e97 |
1628 | while(traceLen < TRACE_LENGTH)\r |
| 1629 | {\r |
| 1630 | // Broadcast for a card, WUPA (0x52) will force response from all cards in the field\r |
| 1631 | ReaderTransmitShort(wupa);\r |
| d24438f8 |
1632 | \r |
| 1633 | // Test if the action was cancelled\r |
| 1634 | if(BUTTON_PRESS()) {\r |
| 1635 | break;\r |
| 1636 | }\r |
| 1637 | \r |
| 84c02e97 |
1638 | // Receive the ATQA\r |
| 1639 | if (!ReaderReceive(receivedAnswer)) continue;\r |
| 6658905f |
1640 | \r |
| 84c02e97 |
1641 | // Transmit SELECT_ALL\r |
| 1642 | ReaderTransmit(sel_all,sizeof(sel_all));\r |
| 6658905f |
1643 | \r |
| 84c02e97 |
1644 | // Receive the UID\r |
| 1645 | if (!ReaderReceive(receivedAnswer)) continue;\r |
| d24438f8 |
1646 | \r |
| 6658905f |
1647 | // Construct SELECT UID command\r |
| 1648 | // First copy the 5 bytes (Mifare Classic) after the 93 70\r |
| 84c02e97 |
1649 | memcpy(sel_uid+2,receivedAnswer,5);\r |
| 6658905f |
1650 | // Secondly compute the two CRC bytes at the end\r |
| 84c02e97 |
1651 | AppendCrc14443a(sel_uid,7);\r |
| 6658905f |
1652 | \r |
| 84c02e97 |
1653 | // Transmit SELECT_UID\r |
| 1654 | ReaderTransmit(sel_uid,sizeof(sel_uid));\r |
| 1655 | \r |
| 1656 | // Receive the SAK\r |
| 1657 | if (!ReaderReceive(receivedAnswer)) continue;\r |
| d24438f8 |
1658 | \r |
| 1659 | // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in\r |
| 1660 | // which case we need to make a cascade 2 request and select - this is a long UID\r |
| 84c02e97 |
1661 | // When the UID is not complete, the 3nd bit (from the right) is set in the SAK. \r |
| 1662 | if (receivedAnswer[0] &= 0x04)\r |
| 6658905f |
1663 | {\r |
| 84c02e97 |
1664 | // Transmit SELECT_ALL\r |
| 1665 | ReaderTransmit(sel_all_c2,sizeof(sel_all_c2));\r |
| 1666 | \r |
| 1667 | // Receive the UID\r |
| 1668 | if (!ReaderReceive(receivedAnswer)) continue;\r |
| 1669 | \r |
| 1670 | // Construct SELECT UID command\r |
| 1671 | memcpy(sel_uid_c2+2,receivedAnswer,5);\r |
| d24438f8 |
1672 | // Secondly compute the two CRC bytes at the end\r |
| 84c02e97 |
1673 | AppendCrc14443a(sel_uid_c2,7);\r |
| d24438f8 |
1674 | \r |
| 84c02e97 |
1675 | // Transmit SELECT_UID\r |
| 1676 | ReaderTransmit(sel_uid_c2,sizeof(sel_uid_c2));\r |
| d24438f8 |
1677 | \r |
| 84c02e97 |
1678 | // Receive the SAK\r |
| 1679 | if (!ReaderReceive(receivedAnswer)) continue;\r |
| 0e25ae11 |
1680 | }\r |
| 6658905f |
1681 | \r |
| 84c02e97 |
1682 | // Transmit MIFARE_CLASSIC_AUTH\r |
| 1683 | ReaderTransmit(mf_auth,sizeof(mf_auth));\r |
| d24438f8 |
1684 | \r |
| 84c02e97 |
1685 | // Receive the (16 bit) "random" nonce\r |
| 1686 | if (!ReaderReceive(receivedAnswer)) continue;\r |
| 6658905f |
1687 | }\r |
| 1688 | \r |
| d24438f8 |
1689 | // Thats it...\r |
| 5435eb0c |
1690 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r |
| 093cbaf6 |
1691 | LEDsoff();\r |
| 6658905f |
1692 | DbpIntegers(rsamples, 0xCC, 0xCC);\r |
| 1693 | DbpString("ready..");\r |
| 1694 | }\r |
projects / proxmark3-svn / blame