]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iclass.c
017d5eff7dd1aec437391e072fd2db16566c056f
[proxmark3-svn] / armsrc / iclass.c
1 //-----------------------------------------------------------------------------
2 // Gerhard de Koning Gans - May 2008
3 // Hagen Fritsch - June 2010
4 // Gerhard de Koning Gans - May 2011
5 // Gerhard de Koning Gans - June 2012 - Added iClass card and reader emulation
6 //
7 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
8 // at your option, any later version. See the LICENSE.txt file for the text of
9 // the license.
10 //-----------------------------------------------------------------------------
11 // Routines to support iClass.
12 //-----------------------------------------------------------------------------
13 // Based on ISO14443a implementation. Still in experimental phase.
14 // Contribution made during a security research at Radboud University Nijmegen
15 //
16 // Please feel free to contribute and extend iClass support!!
17 //-----------------------------------------------------------------------------
18 //
19 // FIX:
20 // ====
21 // We still have sometimes a demodulation error when snooping iClass communication.
22 // The resulting trace of a read-block-03 command may look something like this:
23 //
24 // + 22279: : 0c 03 e8 01
25 //
26 // ...with an incorrect answer...
27 //
28 // + 85: 0: TAG ff! ff! ff! ff! ff! ff! ff! ff! bb 33 bb 00 01! 0e! 04! bb !crc
29 //
30 // We still left the error signalling bytes in the traces like 0xbb
31 //
32 // A correct trace should look like this:
33 //
34 // + 21112: : 0c 03 e8 01
35 // + 85: 0: TAG ff ff ff ff ff ff ff ff ea f5
36 //
37 //-----------------------------------------------------------------------------
38
39 #include "proxmark3.h"
40 #include "apps.h"
41 #include "util.h"
42 #include "string.h"
43 #include "common.h"
44 #include "cmd.h"
45 // Needed for CRC in emulation mode;
46 // same construction as in ISO 14443;
47 // different initial value (CRC_ICLASS)
48 #include "iso14443crc.h"
49 #include "iso15693tools.h"
50
51 static int timeout = 4096;
52
53
54 static int SendIClassAnswer(uint8_t *resp, int respLen, int delay);
55
56 //-----------------------------------------------------------------------------
57 // The software UART that receives commands from the reader, and its state
58 // variables.
59 //-----------------------------------------------------------------------------
60 static struct {
61 enum {
62 STATE_UNSYNCD,
63 STATE_START_OF_COMMUNICATION,
64 STATE_RECEIVING
65 } state;
66 uint16_t shiftReg;
67 int bitCnt;
68 int byteCnt;
69 int byteCntMax;
70 int posCnt;
71 int nOutOfCnt;
72 int OutOfCnt;
73 int syncBit;
74 int parityBits;
75 int samples;
76 int highCnt;
77 int swapper;
78 int counter;
79 int bitBuffer;
80 int dropPosition;
81 uint8_t *output;
82 } Uart;
83
84 static RAMFUNC int OutOfNDecoding(int bit)
85 {
86 //int error = 0;
87 int bitright;
88
89 if(!Uart.bitBuffer) {
90 Uart.bitBuffer = bit ^ 0xFF0;
91 return FALSE;
92 }
93 else {
94 Uart.bitBuffer <<= 4;
95 Uart.bitBuffer ^= bit;
96 }
97
98 /*if(Uart.swapper) {
99 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
100 Uart.byteCnt++;
101 Uart.swapper = 0;
102 if(Uart.byteCnt > 15) { return TRUE; }
103 }
104 else {
105 Uart.swapper = 1;
106 }*/
107
108 if(Uart.state != STATE_UNSYNCD) {
109 Uart.posCnt++;
110
111 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
112 bit = 0x00;
113 }
114 else {
115 bit = 0x01;
116 }
117 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
118 bitright = 0x00;
119 }
120 else {
121 bitright = 0x01;
122 }
123 if(bit != bitright) { bit = bitright; }
124
125
126 // So, now we only have to deal with *bit*, lets see...
127 if(Uart.posCnt == 1) {
128 // measurement first half bitperiod
129 if(!bit) {
130 // Drop in first half means that we are either seeing
131 // an SOF or an EOF.
132
133 if(Uart.nOutOfCnt == 1) {
134 // End of Communication
135 Uart.state = STATE_UNSYNCD;
136 Uart.highCnt = 0;
137 if(Uart.byteCnt == 0) {
138 // Its not straightforward to show single EOFs
139 // So just leave it and do not return TRUE
140 Uart.output[Uart.byteCnt] = 0xf0;
141 Uart.byteCnt++;
142
143 // Calculate the parity bit for the client...
144 Uart.parityBits = 1;
145 }
146 else {
147 return TRUE;
148 }
149 }
150 else if(Uart.state != STATE_START_OF_COMMUNICATION) {
151 // When not part of SOF or EOF, it is an error
152 Uart.state = STATE_UNSYNCD;
153 Uart.highCnt = 0;
154 //error = 4;
155 }
156 }
157 }
158 else {
159 // measurement second half bitperiod
160 // Count the bitslot we are in... (ISO 15693)
161 Uart.nOutOfCnt++;
162
163 if(!bit) {
164 if(Uart.dropPosition) {
165 if(Uart.state == STATE_START_OF_COMMUNICATION) {
166 //error = 1;
167 }
168 else {
169 //error = 7;
170 }
171 // It is an error if we already have seen a drop in current frame
172 Uart.state = STATE_UNSYNCD;
173 Uart.highCnt = 0;
174 }
175 else {
176 Uart.dropPosition = Uart.nOutOfCnt;
177 }
178 }
179
180 Uart.posCnt = 0;
181
182
183 if(Uart.nOutOfCnt == Uart.OutOfCnt && Uart.OutOfCnt == 4) {
184 Uart.nOutOfCnt = 0;
185
186 if(Uart.state == STATE_START_OF_COMMUNICATION) {
187 if(Uart.dropPosition == 4) {
188 Uart.state = STATE_RECEIVING;
189 Uart.OutOfCnt = 256;
190 }
191 else if(Uart.dropPosition == 3) {
192 Uart.state = STATE_RECEIVING;
193 Uart.OutOfCnt = 4;
194 //Uart.output[Uart.byteCnt] = 0xdd;
195 //Uart.byteCnt++;
196 }
197 else {
198 Uart.state = STATE_UNSYNCD;
199 Uart.highCnt = 0;
200 }
201 Uart.dropPosition = 0;
202 }
203 else {
204 // RECEIVING DATA
205 // 1 out of 4
206 if(!Uart.dropPosition) {
207 Uart.state = STATE_UNSYNCD;
208 Uart.highCnt = 0;
209 //error = 9;
210 }
211 else {
212 Uart.shiftReg >>= 2;
213
214 // Swap bit order
215 Uart.dropPosition--;
216 //if(Uart.dropPosition == 1) { Uart.dropPosition = 2; }
217 //else if(Uart.dropPosition == 2) { Uart.dropPosition = 1; }
218
219 Uart.shiftReg ^= ((Uart.dropPosition & 0x03) << 6);
220 Uart.bitCnt += 2;
221 Uart.dropPosition = 0;
222
223 if(Uart.bitCnt == 8) {
224 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
225 Uart.byteCnt++;
226
227 // Calculate the parity bit for the client...
228 Uart.parityBits <<= 1;
229 Uart.parityBits ^= OddByteParity[(Uart.shiftReg & 0xff)];
230
231 Uart.bitCnt = 0;
232 Uart.shiftReg = 0;
233 }
234 }
235 }
236 }
237 else if(Uart.nOutOfCnt == Uart.OutOfCnt) {
238 // RECEIVING DATA
239 // 1 out of 256
240 if(!Uart.dropPosition) {
241 Uart.state = STATE_UNSYNCD;
242 Uart.highCnt = 0;
243 //error = 3;
244 }
245 else {
246 Uart.dropPosition--;
247 Uart.output[Uart.byteCnt] = (Uart.dropPosition & 0xff);
248 Uart.byteCnt++;
249
250 // Calculate the parity bit for the client...
251 Uart.parityBits <<= 1;
252 Uart.parityBits ^= OddByteParity[(Uart.dropPosition & 0xff)];
253
254 Uart.bitCnt = 0;
255 Uart.shiftReg = 0;
256 Uart.nOutOfCnt = 0;
257 Uart.dropPosition = 0;
258 }
259 }
260
261 /*if(error) {
262 Uart.output[Uart.byteCnt] = 0xAA;
263 Uart.byteCnt++;
264 Uart.output[Uart.byteCnt] = error & 0xFF;
265 Uart.byteCnt++;
266 Uart.output[Uart.byteCnt] = 0xAA;
267 Uart.byteCnt++;
268 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
269 Uart.byteCnt++;
270 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
271 Uart.byteCnt++;
272 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
273 Uart.byteCnt++;
274 Uart.output[Uart.byteCnt] = 0xAA;
275 Uart.byteCnt++;
276 return TRUE;
277 }*/
278 }
279
280 }
281 else {
282 bit = Uart.bitBuffer & 0xf0;
283 bit >>= 4;
284 bit ^= 0x0F; // drops become 1s ;-)
285 if(bit) {
286 // should have been high or at least (4 * 128) / fc
287 // according to ISO this should be at least (9 * 128 + 20) / fc
288 if(Uart.highCnt == 8) {
289 // we went low, so this could be start of communication
290 // it turns out to be safer to choose a less significant
291 // syncbit... so we check whether the neighbour also represents the drop
292 Uart.posCnt = 1; // apparently we are busy with our first half bit period
293 Uart.syncBit = bit & 8;
294 Uart.samples = 3;
295 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
296 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
297 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
298 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
299 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
300 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
301 Uart.syncBit = 8;
302
303 // the first half bit period is expected in next sample
304 Uart.posCnt = 0;
305 Uart.samples = 3;
306 }
307 }
308 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
309
310 Uart.syncBit <<= 4;
311 Uart.state = STATE_START_OF_COMMUNICATION;
312 Uart.bitCnt = 0;
313 Uart.byteCnt = 0;
314 Uart.parityBits = 0;
315 Uart.nOutOfCnt = 0;
316 Uart.OutOfCnt = 4; // Start at 1/4, could switch to 1/256
317 Uart.dropPosition = 0;
318 Uart.shiftReg = 0;
319 //error = 0;
320 }
321 else {
322 Uart.highCnt = 0;
323 }
324 }
325 else {
326 if(Uart.highCnt < 8) {
327 Uart.highCnt++;
328 }
329 }
330 }
331
332 return FALSE;
333 }
334
335 //=============================================================================
336 // Manchester
337 //=============================================================================
338
339 static struct {
340 enum {
341 DEMOD_UNSYNCD,
342 DEMOD_START_OF_COMMUNICATION,
343 DEMOD_START_OF_COMMUNICATION2,
344 DEMOD_START_OF_COMMUNICATION3,
345 DEMOD_SOF_COMPLETE,
346 DEMOD_MANCHESTER_D,
347 DEMOD_MANCHESTER_E,
348 DEMOD_END_OF_COMMUNICATION,
349 DEMOD_END_OF_COMMUNICATION2,
350 DEMOD_MANCHESTER_F,
351 DEMOD_ERROR_WAIT
352 } state;
353 int bitCount;
354 int posCount;
355 int syncBit;
356 int parityBits;
357 uint16_t shiftReg;
358 int buffer;
359 int buffer2;
360 int buffer3;
361 int buff;
362 int samples;
363 int len;
364 enum {
365 SUB_NONE,
366 SUB_FIRST_HALF,
367 SUB_SECOND_HALF,
368 SUB_BOTH
369 } sub;
370 uint8_t *output;
371 } Demod;
372
373 static RAMFUNC int ManchesterDecoding(int v)
374 {
375 int bit;
376 int modulation;
377 int error = 0;
378
379 bit = Demod.buffer;
380 Demod.buffer = Demod.buffer2;
381 Demod.buffer2 = Demod.buffer3;
382 Demod.buffer3 = v;
383
384 if(Demod.buff < 3) {
385 Demod.buff++;
386 return FALSE;
387 }
388
389 if(Demod.state==DEMOD_UNSYNCD) {
390 Demod.output[Demod.len] = 0xfa;
391 Demod.syncBit = 0;
392 //Demod.samples = 0;
393 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
394
395 if(bit & 0x08) {
396 Demod.syncBit = 0x08;
397 }
398
399 if(bit & 0x04) {
400 if(Demod.syncBit) {
401 bit <<= 4;
402 }
403 Demod.syncBit = 0x04;
404 }
405
406 if(bit & 0x02) {
407 if(Demod.syncBit) {
408 bit <<= 2;
409 }
410 Demod.syncBit = 0x02;
411 }
412
413 if(bit & 0x01 && Demod.syncBit) {
414 Demod.syncBit = 0x01;
415 }
416
417 if(Demod.syncBit) {
418 Demod.len = 0;
419 Demod.state = DEMOD_START_OF_COMMUNICATION;
420 Demod.sub = SUB_FIRST_HALF;
421 Demod.bitCount = 0;
422 Demod.shiftReg = 0;
423 Demod.parityBits = 0;
424 Demod.samples = 0;
425 if(Demod.posCount) {
426 //if(trigger) LED_A_OFF(); // Not useful in this case...
427 switch(Demod.syncBit) {
428 case 0x08: Demod.samples = 3; break;
429 case 0x04: Demod.samples = 2; break;
430 case 0x02: Demod.samples = 1; break;
431 case 0x01: Demod.samples = 0; break;
432 }
433 // SOF must be long burst... otherwise stay unsynced!!!
434 if(!(Demod.buffer & Demod.syncBit) || !(Demod.buffer2 & Demod.syncBit)) {
435 Demod.state = DEMOD_UNSYNCD;
436 }
437 }
438 else {
439 // SOF must be long burst... otherwise stay unsynced!!!
440 if(!(Demod.buffer2 & Demod.syncBit) || !(Demod.buffer3 & Demod.syncBit)) {
441 Demod.state = DEMOD_UNSYNCD;
442 error = 0x88;
443 }
444
445 }
446 error = 0;
447
448 }
449 }
450 else {
451 modulation = bit & Demod.syncBit;
452 modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
453 //modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
454
455 Demod.samples += 4;
456
457 if(Demod.posCount==0) {
458 Demod.posCount = 1;
459 if(modulation) {
460 Demod.sub = SUB_FIRST_HALF;
461 }
462 else {
463 Demod.sub = SUB_NONE;
464 }
465 }
466 else {
467 Demod.posCount = 0;
468 /*(modulation && (Demod.sub == SUB_FIRST_HALF)) {
469 if(Demod.state!=DEMOD_ERROR_WAIT) {
470 Demod.state = DEMOD_ERROR_WAIT;
471 Demod.output[Demod.len] = 0xaa;
472 error = 0x01;
473 }
474 }*/
475 //else if(modulation) {
476 if(modulation) {
477 if(Demod.sub == SUB_FIRST_HALF) {
478 Demod.sub = SUB_BOTH;
479 }
480 else {
481 Demod.sub = SUB_SECOND_HALF;
482 }
483 }
484 else if(Demod.sub == SUB_NONE) {
485 if(Demod.state == DEMOD_SOF_COMPLETE) {
486 Demod.output[Demod.len] = 0x0f;
487 Demod.len++;
488 Demod.parityBits <<= 1;
489 Demod.parityBits ^= OddByteParity[0x0f];
490 Demod.state = DEMOD_UNSYNCD;
491 // error = 0x0f;
492 return TRUE;
493 }
494 else {
495 Demod.state = DEMOD_ERROR_WAIT;
496 error = 0x33;
497 }
498 /*if(Demod.state!=DEMOD_ERROR_WAIT) {
499 Demod.state = DEMOD_ERROR_WAIT;
500 Demod.output[Demod.len] = 0xaa;
501 error = 0x01;
502 }*/
503 }
504
505 switch(Demod.state) {
506 case DEMOD_START_OF_COMMUNICATION:
507 if(Demod.sub == SUB_BOTH) {
508 //Demod.state = DEMOD_MANCHESTER_D;
509 Demod.state = DEMOD_START_OF_COMMUNICATION2;
510 Demod.posCount = 1;
511 Demod.sub = SUB_NONE;
512 }
513 else {
514 Demod.output[Demod.len] = 0xab;
515 Demod.state = DEMOD_ERROR_WAIT;
516 error = 0xd2;
517 }
518 break;
519 case DEMOD_START_OF_COMMUNICATION2:
520 if(Demod.sub == SUB_SECOND_HALF) {
521 Demod.state = DEMOD_START_OF_COMMUNICATION3;
522 }
523 else {
524 Demod.output[Demod.len] = 0xab;
525 Demod.state = DEMOD_ERROR_WAIT;
526 error = 0xd3;
527 }
528 break;
529 case DEMOD_START_OF_COMMUNICATION3:
530 if(Demod.sub == SUB_SECOND_HALF) {
531 // Demod.state = DEMOD_MANCHESTER_D;
532 Demod.state = DEMOD_SOF_COMPLETE;
533 //Demod.output[Demod.len] = Demod.syncBit & 0xFF;
534 //Demod.len++;
535 }
536 else {
537 Demod.output[Demod.len] = 0xab;
538 Demod.state = DEMOD_ERROR_WAIT;
539 error = 0xd4;
540 }
541 break;
542 case DEMOD_SOF_COMPLETE:
543 case DEMOD_MANCHESTER_D:
544 case DEMOD_MANCHESTER_E:
545 // OPPOSITE FROM ISO14443 - 11110000 = 0 (1 in 14443)
546 // 00001111 = 1 (0 in 14443)
547 if(Demod.sub == SUB_SECOND_HALF) { // SUB_FIRST_HALF
548 Demod.bitCount++;
549 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
550 Demod.state = DEMOD_MANCHESTER_D;
551 }
552 else if(Demod.sub == SUB_FIRST_HALF) { // SUB_SECOND_HALF
553 Demod.bitCount++;
554 Demod.shiftReg >>= 1;
555 Demod.state = DEMOD_MANCHESTER_E;
556 }
557 else if(Demod.sub == SUB_BOTH) {
558 Demod.state = DEMOD_MANCHESTER_F;
559 }
560 else {
561 Demod.state = DEMOD_ERROR_WAIT;
562 error = 0x55;
563 }
564 break;
565
566 case DEMOD_MANCHESTER_F:
567 // Tag response does not need to be a complete byte!
568 if(Demod.len > 0 || Demod.bitCount > 0) {
569 if(Demod.bitCount > 1) { // was > 0, do not interpret last closing bit, is part of EOF
570 Demod.shiftReg >>= (9 - Demod.bitCount);
571 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
572 Demod.len++;
573 // No parity bit, so just shift a 0
574 Demod.parityBits <<= 1;
575 }
576
577 Demod.state = DEMOD_UNSYNCD;
578 return TRUE;
579 }
580 else {
581 Demod.output[Demod.len] = 0xad;
582 Demod.state = DEMOD_ERROR_WAIT;
583 error = 0x03;
584 }
585 break;
586
587 case DEMOD_ERROR_WAIT:
588 Demod.state = DEMOD_UNSYNCD;
589 break;
590
591 default:
592 Demod.output[Demod.len] = 0xdd;
593 Demod.state = DEMOD_UNSYNCD;
594 break;
595 }
596
597 /*if(Demod.bitCount>=9) {
598 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
599 Demod.len++;
600
601 Demod.parityBits <<= 1;
602 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
603
604 Demod.bitCount = 0;
605 Demod.shiftReg = 0;
606 }*/
607 if(Demod.bitCount>=8) {
608 Demod.shiftReg >>= 1;
609 Demod.output[Demod.len] = (Demod.shiftReg & 0xff);
610 Demod.len++;
611
612 // FOR ISO15639 PARITY NOT SEND OTA, JUST CALCULATE IT FOR THE CLIENT
613 Demod.parityBits <<= 1;
614 Demod.parityBits ^= OddByteParity[(Demod.shiftReg & 0xff)];
615
616 Demod.bitCount = 0;
617 Demod.shiftReg = 0;
618 }
619
620 if(error) {
621 Demod.output[Demod.len] = 0xBB;
622 Demod.len++;
623 Demod.output[Demod.len] = error & 0xFF;
624 Demod.len++;
625 Demod.output[Demod.len] = 0xBB;
626 Demod.len++;
627 Demod.output[Demod.len] = bit & 0xFF;
628 Demod.len++;
629 Demod.output[Demod.len] = Demod.buffer & 0xFF;
630 Demod.len++;
631 // Look harder ;-)
632 Demod.output[Demod.len] = Demod.buffer2 & 0xFF;
633 Demod.len++;
634 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
635 Demod.len++;
636 Demod.output[Demod.len] = 0xBB;
637 Demod.len++;
638 return TRUE;
639 }
640
641 }
642
643 } // end (state != UNSYNCED)
644
645 return FALSE;
646 }
647
648 //=============================================================================
649 // Finally, a `sniffer' for iClass communication
650 // Both sides of communication!
651 //=============================================================================
652
653 //-----------------------------------------------------------------------------
654 // Record the sequence of commands sent by the reader to the tag, with
655 // triggering so that we start recording at the point that the tag is moved
656 // near the reader.
657 //-----------------------------------------------------------------------------
658 void RAMFUNC SnoopIClass(void)
659 {
660
661
662 // We won't start recording the frames that we acquire until we trigger;
663 // a good trigger condition to get started is probably when we see a
664 // response from the tag.
665 //int triggered = FALSE; // FALSE to wait first for card
666
667 // The command (reader -> tag) that we're receiving.
668 // The length of a received command will in most cases be no more than 18 bytes.
669 // So 32 should be enough!
670 uint8_t *readerToTagCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
671 // The response (tag -> reader) that we're receiving.
672 uint8_t *tagToReaderResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
673
674 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
675
676 // reset traceLen to 0
677 iso14a_set_tracing(TRUE);
678 iso14a_clear_trace();
679 iso14a_set_trigger(FALSE);
680
681 // The DMA buffer, used to stream samples from the FPGA
682 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
683 int lastRxCounter;
684 int8_t *upTo;
685 int smpl;
686 int maxBehindBy = 0;
687
688 // Count of samples received so far, so that we can include timing
689 // information in the trace buffer.
690 int samples = 0;
691 rsamples = 0;
692
693 // Set up the demodulator for tag -> reader responses.
694 Demod.output = tagToReaderResponse;
695 Demod.len = 0;
696 Demod.state = DEMOD_UNSYNCD;
697
698 // Setup for the DMA.
699 FpgaSetupSsc();
700 upTo = dmaBuf;
701 lastRxCounter = DMA_BUFFER_SIZE;
702 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
703
704 // And the reader -> tag commands
705 memset(&Uart, 0, sizeof(Uart));
706 Uart.output = readerToTagCmd;
707 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
708 Uart.state = STATE_UNSYNCD;
709
710 // And put the FPGA in the appropriate mode
711 // Signal field is off with the appropriate LED
712 LED_D_OFF();
713 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
714 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
715
716 uint32_t time_0 = GetCountSspClk();
717
718
719 int div = 0;
720 //int div2 = 0;
721 int decbyte = 0;
722 int decbyter = 0;
723
724 // And now we loop, receiving samples.
725 for(;;) {
726 LED_A_ON();
727 WDT_HIT();
728 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
729 (DMA_BUFFER_SIZE-1);
730 if(behindBy > maxBehindBy) {
731 maxBehindBy = behindBy;
732 if(behindBy > 400) {
733 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
734 goto done;
735 }
736 }
737 if(behindBy < 1) continue;
738
739 LED_A_OFF();
740 smpl = upTo[0];
741 upTo++;
742 lastRxCounter -= 1;
743 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
744 upTo -= DMA_BUFFER_SIZE;
745 lastRxCounter += DMA_BUFFER_SIZE;
746 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
747 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
748 }
749
750 //samples += 4;
751 samples += 1;
752
753 if(smpl & 0xF) {
754 decbyte ^= (1 << (3 - div));
755 }
756
757 // FOR READER SIDE COMMUMICATION...
758
759 decbyter <<= 2;
760 decbyter ^= (smpl & 0x30);
761
762 div++;
763
764 if((div + 1) % 2 == 0) {
765 smpl = decbyter;
766 if(OutOfNDecoding((smpl & 0xF0) >> 4)) {
767 rsamples = samples - Uart.samples;
768 LED_C_ON();
769
770 //if(!LogTrace(Uart.output,Uart.byteCnt, rsamples, Uart.parityBits,TRUE)) break;
771 //if(!LogTrace(NULL, 0, Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER, 0, TRUE)) break;
772 if(tracing)
773 {
774 LogTrace(Uart.output,Uart.byteCnt, (GetCountSspClk()-time_0) << 4, Uart.parityBits,TRUE);
775 LogTrace(NULL, 0, (GetCountSspClk()-time_0) << 4, 0, TRUE);
776 }
777
778
779 /* And ready to receive another command. */
780 Uart.state = STATE_UNSYNCD;
781 /* And also reset the demod code, which might have been */
782 /* false-triggered by the commands from the reader. */
783 Demod.state = DEMOD_UNSYNCD;
784 LED_B_OFF();
785 Uart.byteCnt = 0;
786 }
787 decbyter = 0;
788 }
789
790 if(div > 3) {
791 smpl = decbyte;
792 if(ManchesterDecoding(smpl & 0x0F)) {
793 rsamples = samples - Demod.samples;
794 LED_B_ON();
795
796 if(tracing)
797 {
798 LogTrace(Demod.output,Demod.len, (GetCountSspClk()-time_0) << 4 , Demod.parityBits,FALSE);
799 LogTrace(NULL, 0, (GetCountSspClk()-time_0) << 4, 0, FALSE);
800 }
801
802
803 // And ready to receive another response.
804 memset(&Demod, 0, sizeof(Demod));
805 Demod.output = tagToReaderResponse;
806 Demod.state = DEMOD_UNSYNCD;
807 LED_C_OFF();
808 }
809
810 div = 0;
811 decbyte = 0x00;
812 }
813 //}
814
815 if(BUTTON_PRESS()) {
816 DbpString("cancelled_a");
817 goto done;
818 }
819 }
820
821 DbpString("COMMAND FINISHED");
822
823 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
824 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
825
826 done:
827 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
828 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
829 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
830 LED_A_OFF();
831 LED_B_OFF();
832 LED_C_OFF();
833 LED_D_OFF();
834 }
835
836 void rotateCSN(uint8_t* originalCSN, uint8_t* rotatedCSN) {
837 int i;
838 for(i = 0; i < 8; i++) {
839 rotatedCSN[i] = (originalCSN[i] >> 3) | (originalCSN[(i+1)%8] << 5);
840 }
841 }
842
843 //-----------------------------------------------------------------------------
844 // Wait for commands from reader
845 // Stop when button is pressed
846 // Or return TRUE when command is captured
847 //-----------------------------------------------------------------------------
848 static int GetIClassCommandFromReader(uint8_t *received, int *len, int maxLen)
849 {
850 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
851 // only, since we are receiving, not transmitting).
852 // Signal field is off with the appropriate LED
853 LED_D_OFF();
854 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
855
856 // Now run a `software UART' on the stream of incoming samples.
857 Uart.output = received;
858 Uart.byteCntMax = maxLen;
859 Uart.state = STATE_UNSYNCD;
860
861 for(;;) {
862 WDT_HIT();
863
864 if(BUTTON_PRESS()) return FALSE;
865
866 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
867 AT91C_BASE_SSC->SSC_THR = 0x00;
868 }
869 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
870 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
871 /*if(OutOfNDecoding((b & 0xf0) >> 4)) {
872 *len = Uart.byteCnt;
873 return TRUE;
874 }*/
875 if(OutOfNDecoding(b & 0x0f)) {
876 *len = Uart.byteCnt;
877 return TRUE;
878 }
879 }
880 }
881 }
882
883
884 //-----------------------------------------------------------------------------
885 // Prepare tag messages
886 //-----------------------------------------------------------------------------
887 static void CodeIClassTagAnswer(const uint8_t *cmd, int len)
888 {
889 //So far a dummy implementation, not used
890 //int lastProxToAirDuration =0;
891 int i;
892
893 ToSendReset();
894
895 // Send SOF
896 ToSend[++ToSendMax] = 0x00;
897 ToSend[++ToSendMax] = 0x00;
898 ToSend[++ToSendMax] = 0x00;
899 ToSend[++ToSendMax] = 0xff;//Proxtoair duration starts here
900 ToSend[++ToSendMax] = 0xff;
901 ToSend[++ToSendMax] = 0xff;
902 ToSend[++ToSendMax] = 0x00;
903 ToSend[++ToSendMax] = 0xff;
904
905 for(i = 0; i < len; i++) {
906 int j;
907 uint8_t b = cmd[i];
908
909 // Data bits
910 for(j = 0; j < 8; j++) {
911 if(b & 1) {
912 ToSend[++ToSendMax] = 0x00;
913 ToSend[++ToSendMax] = 0xff;
914 } else {
915 ToSend[++ToSendMax] = 0xff;
916 ToSend[++ToSendMax] = 0x00;
917 }
918 b >>= 1;
919 }
920 }
921
922 // Send EOF
923 ToSend[++ToSendMax] = 0xff;
924 ToSend[++ToSendMax] = 0x00;
925 ToSend[++ToSendMax] = 0xff;
926 ToSend[++ToSendMax] = 0xff;
927 ToSend[++ToSendMax] = 0xff;
928 ToSend[++ToSendMax] = 0x00;
929 ToSend[++ToSendMax] = 0x00;
930 ToSend[++ToSendMax] = 0x00;
931
932 //lastProxToAirDuration = 8*ToSendMax - 3*8 - 3*8;//Not counting zeroes in the beginning or end
933
934 // Convert from last byte pos to length
935 ToSendMax++;
936 }
937
938 // Only SOF
939 static void CodeIClassTagSOF()
940 {
941 //So far a dummy implementation, not used
942 //int lastProxToAirDuration =0;
943
944 ToSendReset();
945 // Send SOF
946 ToSend[++ToSendMax] = 0x00;
947 ToSend[++ToSendMax] = 0x00;
948 ToSend[++ToSendMax] = 0x00;
949 ToSend[++ToSendMax] = 0xff;
950 ToSend[++ToSendMax] = 0xff;
951 ToSend[++ToSendMax] = 0xff;
952 ToSend[++ToSendMax] = 0x00;
953 ToSend[++ToSendMax] = 0xff;
954
955 // lastProxToAirDuration = 8*ToSendMax - 3*8;//Not counting zeroes in the beginning
956
957
958 // Convert from last byte pos to length
959 ToSendMax++;
960 }
961 int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf);
962 /**
963 * @brief SimulateIClass simulates an iClass card.
964 * @param arg0 type of simulation
965 * - 0 uses the first 8 bytes in usb data as CSN
966 * - 2 "dismantling iclass"-attack. This mode iterates through all CSN's specified
967 * in the usb data. This mode collects MAC from the reader, in order to do an offline
968 * attack on the keys. For more info, see "dismantling iclass" and proxclone.com.
969 * - Other : Uses the default CSN (031fec8af7ff12e0)
970 * @param arg1 - number of CSN's contained in datain (applicable for mode 2 only)
971 * @param arg2
972 * @param datain
973 */
974 void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
975 {
976 uint32_t simType = arg0;
977 uint32_t numberOfCSNS = arg1;
978 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
979
980 // Enable and clear the trace
981 iso14a_set_tracing(TRUE);
982 iso14a_clear_trace();
983
984 uint8_t csn_crc[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
985 if(simType == 0) {
986 // Use the CSN from commandline
987 memcpy(csn_crc, datain, 8);
988 doIClassSimulation(csn_crc,0,NULL);
989 }else if(simType == 1)
990 {
991 doIClassSimulation(csn_crc,0,NULL);
992 }
993 else if(simType == 2)
994 {
995
996 uint8_t mac_responses[64] = { 0 };
997 Dbprintf("Going into attack mode");
998 // In this mode, a number of csns are within datain. We'll simulate each one, one at a time
999 // in order to collect MAC's from the reader. This can later be used in an offlne-attack
1000 // in order to obtain the keys, as in the "dismantling iclass"-paper.
1001 int i = 0;
1002 for( ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE; i++)
1003 {
1004 // The usb data is 512 bytes, fitting 65 8-byte CSNs in there.
1005
1006 memcpy(csn_crc, datain+(i*8), 8);
1007 if(doIClassSimulation(csn_crc,1,mac_responses))
1008 {
1009 return; // Button pressed
1010 }
1011 }
1012 cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8);
1013
1014 }
1015 else{
1016 // We may want a mode here where we hardcode the csns to use (from proxclone).
1017 // That will speed things up a little, but not required just yet.
1018 Dbprintf("The mode is not implemented, reserved for future use");
1019 }
1020 Dbprintf("Done...");
1021
1022 }
1023 /**
1024 * @brief Does the actual simulation
1025 * @param csn - csn to use
1026 * @param breakAfterMacReceived if true, returns after reader MAC has been received.
1027 */
1028 int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf)
1029 {
1030
1031
1032 // CSN followed by two CRC bytes
1033 uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1034 uint8_t response3[] = { 0,0,0,0,0,0,0,0,0,0};
1035 memcpy(response3,csn,sizeof(response3));
1036 Dbprintf("Simulating CSN %02x%02x%02x%02x%02x%02x%02x%02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
1037 // e-Purse
1038 uint8_t response4[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1039
1040 // Construct anticollision-CSN
1041 rotateCSN(response3,response2);
1042
1043 // Compute CRC on both CSNs
1044 ComputeCrc14443(CRC_ICLASS, response2, 8, &response2[8], &response2[9]);
1045 ComputeCrc14443(CRC_ICLASS, response3, 8, &response3[8], &response3[9]);
1046
1047 int exitLoop = 0;
1048 // Reader 0a
1049 // Tag 0f
1050 // Reader 0c
1051 // Tag anticoll. CSN
1052 // Reader 81 anticoll. CSN
1053 // Tag CSN
1054
1055 uint8_t *resp;
1056 int respLen;
1057 uint8_t* respdata = NULL;
1058 int respsize = 0;
1059 uint8_t sof = 0x0f;
1060
1061 // Respond SOF -- takes 8 bytes
1062 uint8_t *resp1 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
1063 int resp1Len;
1064
1065 // Anticollision CSN (rotated CSN)
1066 // 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit)
1067 uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 10);
1068 int resp2Len;
1069
1070 // CSN
1071 // 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit)
1072 uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 190);
1073 int resp3Len;
1074
1075 // e-Purse
1076 // 144: Takes 16 bytes for SOF/EOF and 8 * 16 = 128 bytes (2 bytes/bit)
1077 uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 370);
1078 int resp4Len;
1079
1080 // + 1720..
1081 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
1082 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
1083 int len;
1084
1085 // Prepare card messages
1086 ToSendMax = 0;
1087
1088 // First card answer: SOF
1089 CodeIClassTagSOF();
1090 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1091
1092 // Anticollision CSN
1093 CodeIClassTagAnswer(response2, sizeof(response2));
1094 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1095
1096 // CSN
1097 CodeIClassTagAnswer(response3, sizeof(response3));
1098 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1099
1100 // e-Purse
1101 CodeIClassTagAnswer(response4, sizeof(response4));
1102 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1103
1104
1105 // Start from off (no field generated)
1106 //FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1107 //SpinDelay(200);
1108 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1109 SpinDelay(100);
1110 StartCountSspClk();
1111 // We need to listen to the high-frequency, peak-detected path.
1112 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1113 FpgaSetupSsc();
1114
1115 // To control where we are in the protocol
1116 int cmdsRecvd = 0;
1117 uint32_t time_0 = GetCountSspClk();
1118 uint32_t t2r_time =0;
1119 uint32_t r2t_time =0;
1120
1121 LED_A_ON();
1122 bool buttonPressed = false;
1123
1124 /** Hack for testing
1125 memcpy(reader_mac_buf,csn,8);
1126 exitLoop = true;
1127 end hack **/
1128
1129 while(!exitLoop) {
1130
1131 LED_B_OFF();
1132 //Signal tracer
1133 // Can be used to get a trigger for an oscilloscope..
1134 LED_C_OFF();
1135
1136 if(!GetIClassCommandFromReader(receivedCmd, &len, 100)) {
1137 buttonPressed = true;
1138 break;
1139 }
1140 r2t_time = GetCountSspClk();
1141 //Signal tracer
1142 LED_C_ON();
1143
1144 // Okay, look at the command now.
1145 if(receivedCmd[0] == 0x0a ) {
1146 // Reader in anticollission phase
1147 resp = resp1; respLen = resp1Len; //order = 1;
1148 respdata = &sof;
1149 respsize = sizeof(sof);
1150 } else if(receivedCmd[0] == 0x0c) {
1151 // Reader asks for anticollission CSN
1152 resp = resp2; respLen = resp2Len; //order = 2;
1153 respdata = response2;
1154 respsize = sizeof(response2);
1155 //DbpString("Reader requests anticollission CSN:");
1156 } else if(receivedCmd[0] == 0x81) {
1157 // Reader selects anticollission CSN.
1158 // Tag sends the corresponding real CSN
1159 resp = resp3; respLen = resp3Len; //order = 3;
1160 respdata = response3;
1161 respsize = sizeof(response3);
1162 //DbpString("Reader selects anticollission CSN:");
1163 } else if(receivedCmd[0] == 0x88) {
1164 // Read e-purse (88 02)
1165 resp = resp4; respLen = resp4Len; //order = 4;
1166 respdata = response4;
1167 respsize = sizeof(response4);
1168 LED_B_ON();
1169 } else if(receivedCmd[0] == 0x05) {
1170 // Reader random and reader MAC!!!
1171 // Do not respond
1172 // We do not know what to answer, so lets keep quit
1173 resp = resp1; respLen = 0; //order = 5;
1174 respdata = NULL;
1175 respsize = 0;
1176 if (breakAfterMacReceived){
1177 // TODO, actually return this to the caller instead of just
1178 // dbprintf:ing ...
1179 Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
1180 Dbprintf("RDR: (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",len,
1181 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1182 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1183 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
1184 if (reader_mac_buf != NULL)
1185 {
1186 memcpy(reader_mac_buf,receivedCmd+1,8);
1187 }
1188 exitLoop = true;
1189 }
1190 } else if(receivedCmd[0] == 0x00 && len == 1) {
1191 // Reader ends the session
1192 resp = resp1; respLen = 0; //order = 0;
1193 respdata = NULL;
1194 respsize = 0;
1195 } else {
1196 //#db# Unknown command received from reader (len=5): 26 1 0 f6 a 44 44 44 44
1197 // Never seen this command before
1198 Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
1199 len,
1200 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1201 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1202 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
1203 // Do not respond
1204 resp = resp1; respLen = 0; //order = 0;
1205 respdata = NULL;
1206 respsize = 0;
1207 }
1208
1209 if(cmdsRecvd > 100) {
1210 //DbpString("100 commands later...");
1211 //break;
1212 }
1213 else {
1214 cmdsRecvd++;
1215 }
1216
1217 if(respLen > 0) {
1218 SendIClassAnswer(resp, respLen, 21);
1219 t2r_time = GetCountSspClk();
1220 }
1221
1222 if (tracing) {
1223 LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, Uart.parityBits,TRUE);
1224 LogTrace(NULL,0, (r2t_time-time_0) << 4, 0,TRUE);
1225
1226 if (respdata != NULL) {
1227 LogTrace(respdata,respsize, (t2r_time-time_0) << 4,SwapBits(GetParity(respdata,respsize),respsize),FALSE);
1228 LogTrace(NULL,0, (t2r_time-time_0) << 4,0,FALSE);
1229
1230
1231 }
1232 if(!tracing) {
1233 DbpString("Trace full");
1234 //break;
1235 }
1236
1237 }
1238 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
1239 }
1240
1241 //Dbprintf("%x", cmdsRecvd);
1242 LED_A_OFF();
1243 LED_B_OFF();
1244 if(buttonPressed)
1245 {
1246 DbpString("Button pressed");
1247 }
1248 return buttonPressed;
1249 }
1250
1251 static int SendIClassAnswer(uint8_t *resp, int respLen, int delay)
1252 {
1253 int i = 0, d=0;//, u = 0, d = 0;
1254 uint8_t b = 0;
1255
1256 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K);
1257
1258 AT91C_BASE_SSC->SSC_THR = 0x00;
1259 FpgaSetupSsc();
1260 while(!BUTTON_PRESS()) {
1261 if((AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)){
1262 b = AT91C_BASE_SSC->SSC_RHR; (void) b;
1263 }
1264 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)){
1265 b = 0x00;
1266 if(d < delay) {
1267 d++;
1268 }
1269 else {
1270 if( i < respLen){
1271 b = resp[i];
1272 //Hack
1273 //b = 0xAC;
1274 }
1275 i++;
1276 }
1277 AT91C_BASE_SSC->SSC_THR = b;
1278 }
1279
1280 if (i > respLen +4) break;
1281 }
1282
1283 return 0;
1284 }
1285
1286 /// THE READER CODE
1287
1288 //-----------------------------------------------------------------------------
1289 // Transmit the command (to the tag) that was placed in ToSend[].
1290 //-----------------------------------------------------------------------------
1291 static void TransmitIClassCommand(const uint8_t *cmd, int len, int *samples, int *wait)
1292 {
1293 int c;
1294 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1295 AT91C_BASE_SSC->SSC_THR = 0x00;
1296 FpgaSetupSsc();
1297
1298 if (wait)
1299 if(*wait < 10)
1300 *wait = 10;
1301
1302 for(c = 0; c < *wait;) {
1303 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1304 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1305 c++;
1306 }
1307 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1308 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1309 (void)r;
1310 }
1311 WDT_HIT();
1312 }
1313
1314 uint8_t sendbyte;
1315 bool firstpart = TRUE;
1316 c = 0;
1317 for(;;) {
1318 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1319
1320 // DOUBLE THE SAMPLES!
1321 if(firstpart) {
1322 sendbyte = (cmd[c] & 0xf0) | (cmd[c] >> 4);
1323 }
1324 else {
1325 sendbyte = (cmd[c] & 0x0f) | (cmd[c] << 4);
1326 c++;
1327 }
1328 if(sendbyte == 0xff) {
1329 sendbyte = 0xfe;
1330 }
1331 AT91C_BASE_SSC->SSC_THR = sendbyte;
1332 firstpart = !firstpart;
1333
1334 if(c >= len) {
1335 break;
1336 }
1337 }
1338 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1339 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1340 (void)r;
1341 }
1342 WDT_HIT();
1343 }
1344 if (samples) *samples = (c + *wait) << 3;
1345 }
1346
1347
1348 //-----------------------------------------------------------------------------
1349 // Prepare iClass reader command to send to FPGA
1350 //-----------------------------------------------------------------------------
1351 void CodeIClassCommand(const uint8_t * cmd, int len)
1352 {
1353 int i, j, k;
1354 uint8_t b;
1355
1356 ToSendReset();
1357
1358 // Start of Communication: 1 out of 4
1359 ToSend[++ToSendMax] = 0xf0;
1360 ToSend[++ToSendMax] = 0x00;
1361 ToSend[++ToSendMax] = 0x0f;
1362 ToSend[++ToSendMax] = 0x00;
1363
1364 // Modulate the bytes
1365 for (i = 0; i < len; i++) {
1366 b = cmd[i];
1367 for(j = 0; j < 4; j++) {
1368 for(k = 0; k < 4; k++) {
1369 if(k == (b & 3)) {
1370 ToSend[++ToSendMax] = 0x0f;
1371 }
1372 else {
1373 ToSend[++ToSendMax] = 0x00;
1374 }
1375 }
1376 b >>= 2;
1377 }
1378 }
1379
1380 // End of Communication
1381 ToSend[++ToSendMax] = 0x00;
1382 ToSend[++ToSendMax] = 0x00;
1383 ToSend[++ToSendMax] = 0xf0;
1384 ToSend[++ToSendMax] = 0x00;
1385
1386 // Convert from last character reference to length
1387 ToSendMax++;
1388 }
1389
1390 void ReaderTransmitIClass(uint8_t* frame, int len)
1391 {
1392 int wait = 0;
1393 int samples = 0;
1394 int par = 0;
1395
1396 // This is tied to other size changes
1397 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
1398 CodeIClassCommand(frame,len);
1399
1400 // Select the card
1401 TransmitIClassCommand(ToSend, ToSendMax, &samples, &wait);
1402 if(trigger)
1403 LED_A_ON();
1404
1405 // Store reader command in buffer
1406 if (tracing) LogTrace(frame,len,rsamples,par,TRUE);
1407 }
1408
1409 //-----------------------------------------------------------------------------
1410 // Wait a certain time for tag response
1411 // If a response is captured return TRUE
1412 // If it takes too long return FALSE
1413 //-----------------------------------------------------------------------------
1414 static int GetIClassAnswer(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
1415 {
1416 // buffer needs to be 512 bytes
1417 int c;
1418
1419 // Set FPGA mode to "reader listen mode", no modulation (listen
1420 // only, since we are receiving, not transmitting).
1421 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1422
1423 // Now get the answer from the card
1424 Demod.output = receivedResponse;
1425 Demod.len = 0;
1426 Demod.state = DEMOD_UNSYNCD;
1427
1428 uint8_t b;
1429 if (elapsed) *elapsed = 0;
1430
1431 bool skip = FALSE;
1432
1433 c = 0;
1434 for(;;) {
1435 WDT_HIT();
1436
1437 if(BUTTON_PRESS()) return FALSE;
1438
1439 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1440 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1441 if (elapsed) (*elapsed)++;
1442 }
1443 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1444 if(c < timeout) { c++; } else { return FALSE; }
1445 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1446 skip = !skip;
1447 if(skip) continue;
1448 /*if(ManchesterDecoding((b>>4) & 0xf)) {
1449 *samples = ((c - 1) << 3) + 4;
1450 return TRUE;
1451 }*/
1452 if(ManchesterDecoding(b & 0x0f)) {
1453 *samples = c << 3;
1454 return TRUE;
1455 }
1456 }
1457 }
1458 }
1459
1460 int ReaderReceiveIClass(uint8_t* receivedAnswer)
1461 {
1462 int samples = 0;
1463 if (!GetIClassAnswer(receivedAnswer,160,&samples,0)) return FALSE;
1464 rsamples += samples;
1465 if (tracing) LogTrace(receivedAnswer,Demod.len,rsamples,Demod.parityBits,FALSE);
1466 if(samples == 0) return FALSE;
1467 return Demod.len;
1468 }
1469
1470 // Reader iClass Anticollission
1471 void ReaderIClass(uint8_t arg0) {
1472 uint8_t act_all[] = { 0x0a };
1473 uint8_t identify[] = { 0x0c };
1474 uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1475
1476 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1477
1478 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1479
1480 // Reset trace buffer
1481 memset(trace, 0x44, RECV_CMD_OFFSET);
1482 traceLen = 0;
1483
1484 // Setup SSC
1485 FpgaSetupSsc();
1486 // Start from off (no field generated)
1487 // Signal field is off with the appropriate LED
1488 LED_D_OFF();
1489 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1490 SpinDelay(200);
1491
1492 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1493
1494 // Now give it time to spin up.
1495 // Signal field is on with the appropriate LED
1496 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1497 SpinDelay(200);
1498
1499 LED_A_ON();
1500
1501 for(;;) {
1502
1503 if(traceLen > TRACE_SIZE) {
1504 DbpString("Trace full");
1505 break;
1506 }
1507
1508 if (BUTTON_PRESS()) break;
1509
1510 // Send act_all
1511 ReaderTransmitIClass(act_all, 1);
1512 // Card present?
1513 if(ReaderReceiveIClass(resp)) {
1514 ReaderTransmitIClass(identify, 1);
1515 if(ReaderReceiveIClass(resp) == 10) {
1516 // Select card
1517 memcpy(&select[1],resp,8);
1518 ReaderTransmitIClass(select, sizeof(select));
1519
1520 if(ReaderReceiveIClass(resp) == 10) {
1521 Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1522 resp[0], resp[1], resp[2],
1523 resp[3], resp[4], resp[5],
1524 resp[6], resp[7]);
1525 }
1526 // Card selected, whats next... ;-)
1527 }
1528 }
1529 WDT_HIT();
1530 }
1531
1532 LED_A_OFF();
1533 }
1534
1535 void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
1536 uint8_t act_all[] = { 0x0a };
1537 uint8_t identify[] = { 0x0c };
1538 uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1539 uint8_t readcheck_cc[]= { 0x88, 0x02 };
1540 uint8_t check[] = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1541 uint8_t read[] = { 0x0c, 0x00, 0x00, 0x00 };
1542
1543 uint16_t crc = 0;
1544 uint8_t cardsize=0;
1545 bool read_success=false;
1546 uint8_t mem=0;
1547
1548 static struct memory_t{
1549 int k16;
1550 int book;
1551 int k2;
1552 int lockauth;
1553 int keyaccess;
1554 } memory;
1555
1556 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1557
1558 // Reset trace buffer
1559 memset(trace, 0x44, RECV_CMD_OFFSET);
1560 traceLen = 0;
1561
1562 // Setup SSC
1563 FpgaSetupSsc();
1564 // Start from off (no field generated)
1565 // Signal field is off with the appropriate LED
1566 LED_D_OFF();
1567 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1568 SpinDelay(200);
1569
1570 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1571
1572 // Now give it time to spin up.
1573 // Signal field is on with the appropriate LED
1574 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1575 SpinDelay(200);
1576
1577 LED_A_ON();
1578
1579 for(int i=0;i<1;i++) {
1580
1581 if(traceLen > TRACE_SIZE) {
1582 DbpString("Trace full");
1583 break;
1584 }
1585
1586 if (BUTTON_PRESS()) break;
1587
1588 // Send act_all
1589 ReaderTransmitIClass(act_all, 1);
1590 // Card present?
1591 if(ReaderReceiveIClass(resp)) {
1592 ReaderTransmitIClass(identify, 1);
1593 if(ReaderReceiveIClass(resp) == 10) {
1594 // Select card
1595 memcpy(&select[1],resp,8);
1596 ReaderTransmitIClass(select, sizeof(select));
1597
1598 if(ReaderReceiveIClass(resp) == 10) {
1599 Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1600 resp[0], resp[1], resp[2],
1601 resp[3], resp[4], resp[5],
1602 resp[6], resp[7]);
1603 }
1604 // Card selected
1605 Dbprintf("Readcheck on Sector 2");
1606 ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
1607 if(ReaderReceiveIClass(resp) == 8) {
1608 Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x",
1609 resp[0], resp[1], resp[2],
1610 resp[3], resp[4], resp[5],
1611 resp[6], resp[7]);
1612 }else return;
1613 Dbprintf("Authenticate");
1614 //for now replay captured auth (as cc not updated)
1615 memcpy(check+5,MAC,4);
1616 Dbprintf(" AA: %02x %02x %02x %02x",
1617 check[5], check[6], check[7],check[8]);
1618 ReaderTransmitIClass(check, sizeof(check));
1619 if(ReaderReceiveIClass(resp) == 4) {
1620 Dbprintf(" AR: %02x %02x %02x %02x",
1621 resp[0], resp[1], resp[2],resp[3]);
1622 }else {
1623 Dbprintf("Error: Authentication Fail!");
1624 return;
1625 }
1626 Dbprintf("Dump Contents");
1627 //first get configuration block
1628 read_success=false;
1629 read[1]=1;
1630 uint8_t *blockno=&read[1];
1631 crc = iclass_crc16((char *)blockno,1);
1632 read[2] = crc >> 8;
1633 read[3] = crc & 0xff;
1634 while(!read_success){
1635 ReaderTransmitIClass(read, sizeof(read));
1636 if(ReaderReceiveIClass(resp) == 10) {
1637 read_success=true;
1638 mem=resp[5];
1639 memory.k16= (mem & 0x80);
1640 memory.book= (mem & 0x20);
1641 memory.k2= (mem & 0x8);
1642 memory.lockauth= (mem & 0x2);
1643 memory.keyaccess= (mem & 0x1);
1644
1645 }
1646 }
1647 if (memory.k16){
1648 cardsize=255;
1649 }else cardsize=32;
1650 //then loop around remaining blocks
1651 for(uint8_t j=0; j<cardsize; j++){
1652 read_success=false;
1653 uint8_t *blockno=&j;
1654 //crc_data[0]=j;
1655 read[1]=j;
1656 crc = iclass_crc16((char *)blockno,1);
1657 read[2] = crc >> 8;
1658 read[3] = crc & 0xff;
1659 while(!read_success){
1660 ReaderTransmitIClass(read, sizeof(read));
1661 if(ReaderReceiveIClass(resp) == 10) {
1662 read_success=true;
1663 Dbprintf(" %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
1664 j, resp[0], resp[1], resp[2],
1665 resp[3], resp[4], resp[5],
1666 resp[6], resp[7]);
1667 }
1668 }
1669 }
1670 }
1671 }
1672 WDT_HIT();
1673 }
1674
1675 LED_A_OFF();
1676 }
1677
1678 //1. Create Method to Read sectors/blocks 0,1,2 and Send to client
1679 void IClass_iso14443A_GetPublic(uint8_t arg0) {
1680 uint8_t act_all[] = { 0x0a };
1681 uint8_t identify[] = { 0x0c };
1682 uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1683 uint8_t readcheck_cc[]= { 0x88, 0x02 };
1684 //uint8_t read[] = { 0x0c, 0x00, 0x00, 0x00 };
1685 uint8_t card_data[24]={0};
1686
1687 //bool read_success=false;
1688 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1689
1690 // Reset trace buffer
1691 memset(trace, 0x44, RECV_CMD_OFFSET);
1692 traceLen = 0;
1693
1694 // Setup SSC
1695 FpgaSetupSsc();
1696 // Start from off (no field generated)
1697 // Signal field is off with the appropriate LED
1698 LED_D_OFF();
1699 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1700 SpinDelay(200);
1701
1702 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1703
1704 // Now give it time to spin up.
1705 // Signal field is on with the appropriate LED
1706 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1707 SpinDelay(200);
1708
1709 LED_A_ON();
1710
1711 for(int i=0;i<1;i++) {
1712
1713 if(traceLen > TRACE_SIZE) {
1714 DbpString("Trace full");
1715 break;
1716 }
1717
1718 if (BUTTON_PRESS()) break;
1719
1720 // Send act_all
1721 ReaderTransmitIClass(act_all, 1);
1722 // Card present?
1723 if(ReaderReceiveIClass(resp)) {
1724 ReaderTransmitIClass(identify, 1);
1725 if(ReaderReceiveIClass(resp) == 10) {
1726 // Select card
1727 memcpy(&select[1],resp,8);
1728 ReaderTransmitIClass(select, sizeof(select));
1729
1730 if(ReaderReceiveIClass(resp) == 10) {
1731 Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1732 resp[0], resp[1], resp[2],
1733 resp[3], resp[4], resp[5],
1734 resp[6], resp[7]);
1735 }
1736 memcpy(card_data,resp,8);
1737 // Card selected
1738 Dbprintf("Readcheck on Sector 2");
1739 ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
1740 if(ReaderReceiveIClass(resp) == 8) {
1741 Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x",
1742 resp[0], resp[1], resp[2],
1743 resp[3], resp[4], resp[5],
1744 resp[6], resp[7]);
1745 }
1746 memcpy(card_data+8,resp,8);
1747 //prep to read config block
1748 /* read card configuration block
1749 while(!read_success){
1750 uint8_t sector_config=0x01;
1751 memcpy(read+1,&sector_config,1);
1752 ReaderTransmitIClass(read, sizeof(read));
1753 if(ReaderReceiveIClass(resp) == 8) {
1754 Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x",
1755 resp[0], resp[1], resp[2],
1756 resp[3], resp[4], resp[5],
1757 resp[6], resp[7]);
1758 read_success=true;
1759 memcpy(card_data+16,resp,8);
1760 }
1761 }*/
1762 }
1763 }
1764 WDT_HIT();
1765 }
1766 //Dbprintf("DEBUG: %02x%02x%02x%02x%02x%02x%02x%02x",card_data[0],card_data[1],card_data[2],card_data[3],card_data[4],card_data[5],card_data[6],card_data[7]);
1767 //Dbprintf("DEBUG: %02x%02x%02x%02x%02x%02x%02x%02x",card_data[8],card_data[9],card_data[10],card_data[11],card_data[12],card_data[13],card_data[14],card_data[15]);
1768 LED_A_OFF();
1769 LED_B_ON();
1770 //send data back to the client
1771 cmd_send(CMD_ACK,0,0,0,card_data,16);
1772 LED_B_OFF();
1773 }
1774
1775 //2. Create Read method (cut-down from above) based off responses from 1.
1776 // Since we have the MAC could continue to use replay function.
1777 //3. Create Write method
1778 /*
1779 void IClass_iso14443A_write(uint8_t arg0, uint8_t blockNo, uint8_t *data, uint8_t *MAC) {
1780 uint8_t act_all[] = { 0x0a };
1781 uint8_t identify[] = { 0x0c };
1782 uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1783 uint8_t readcheck_cc[]= { 0x88, 0x02 };
1784 uint8_t check[] = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1785 uint8_t read[] = { 0x0c, 0x00, 0x00, 0x00 };
1786 uint8_t write[] = { 0x87, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1787
1788 uint16_t crc = 0;
1789
1790 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1791
1792 // Reset trace buffer
1793 memset(trace, 0x44, RECV_CMD_OFFSET);
1794 traceLen = 0;
1795
1796 // Setup SSC
1797 FpgaSetupSsc();
1798 // Start from off (no field generated)
1799 // Signal field is off with the appropriate LED
1800 LED_D_OFF();
1801 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1802 SpinDelay(200);
1803
1804 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1805
1806 // Now give it time to spin up.
1807 // Signal field is on with the appropriate LED
1808 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1809 SpinDelay(200);
1810
1811 LED_A_ON();
1812
1813 for(int i=0;i<1;i++) {
1814
1815 if(traceLen > TRACE_SIZE) {
1816 DbpString("Trace full");
1817 break;
1818 }
1819
1820 if (BUTTON_PRESS()) break;
1821
1822 // Send act_all
1823 ReaderTransmitIClass(act_all, 1);
1824 // Card present?
1825 if(ReaderReceiveIClass(resp)) {
1826 ReaderTransmitIClass(identify, 1);
1827 if(ReaderReceiveIClass(resp) == 10) {
1828 // Select card
1829 memcpy(&select[1],resp,8);
1830 ReaderTransmitIClass(select, sizeof(select));
1831
1832 if(ReaderReceiveIClass(resp) == 10) {
1833 Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1834 resp[0], resp[1], resp[2],
1835 resp[3], resp[4], resp[5],
1836 resp[6], resp[7]);
1837 }
1838 // Card selected
1839 Dbprintf("Readcheck on Sector 2");
1840 ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
1841 if(ReaderReceiveIClass(resp) == 8) {
1842 Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x",
1843 resp[0], resp[1], resp[2],
1844 resp[3], resp[4], resp[5],
1845 resp[6], resp[7]);
1846 }else return;
1847 Dbprintf("Authenticate");
1848 //for now replay captured auth (as cc not updated)
1849 memcpy(check+5,MAC,4);
1850 Dbprintf(" AA: %02x %02x %02x %02x",
1851 check[5], check[6], check[7],check[8]);
1852 ReaderTransmitIClass(check, sizeof(check));
1853 if(ReaderReceiveIClass(resp) == 4) {
1854 Dbprintf(" AR: %02x %02x %02x %02x",
1855 resp[0], resp[1], resp[2],resp[3]);
1856 }else {
1857 Dbprintf("Error: Authentication Fail!");
1858 return;
1859 }
1860 Dbprintf("Write Block");
1861
1862 //read configuration for max block number
1863 read_success=false;
1864 read[1]=1;
1865 uint8_t *blockno=&read[1];
1866 crc = iclass_crc16((char *)blockno,1);
1867 read[2] = crc >> 8;
1868 read[3] = crc & 0xff;
1869 while(!read_success){
1870 ReaderTransmitIClass(read, sizeof(read));
1871 if(ReaderReceiveIClass(resp) == 10) {
1872 read_success=true;
1873 mem=resp[5];
1874 memory.k16= (mem & 0x80);
1875 memory.book= (mem & 0x20);
1876 memory.k2= (mem & 0x8);
1877 memory.lockauth= (mem & 0x2);
1878 memory.keyaccess= (mem & 0x1);
1879
1880 }
1881 }
1882 if (memory.k16){
1883 cardsize=255;
1884 }else cardsize=32;
1885 //check card_size
1886
1887 memcpy(write+1,blockNo,1);
1888 memcpy(write+2,data,8);
1889 memcpy(write+10,mac,4);
1890 while(!send_success){
1891 ReaderTransmitIClass(write, sizeof(write));
1892 if(ReaderReceiveIClass(resp) == 10) {
1893 write_success=true;
1894 }
1895 }//
1896 }
1897 WDT_HIT();
1898 }
1899
1900 LED_A_OFF();
1901 }*/
Impressum, Datenschutz