]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443a.c
Added offset feature to hexsamples command
[proxmark3-svn] / armsrc / iso14443a.c
1 //-----------------------------------------------------------------------------
2 // Routines to support ISO 14443 type A.
3 //
4 // Gerhard de Koning Gans - May 2008
5 //-----------------------------------------------------------------------------
6 #include <proxmark3.h>
7 #include "apps.h"
8 #include "../common/iso14443_crc.c"
9
10 static BYTE *trace = (BYTE *) BigBuf;
11 static int traceLen = 0;
12 static int rsamples = 0;
13 static BOOL tracing = TRUE;
14
15 typedef enum {
16 SEC_D = 1,
17 SEC_E = 2,
18 SEC_F = 3,
19 SEC_X = 4,
20 SEC_Y = 5,
21 SEC_Z = 6
22 } SecType;
23
24 static const BYTE OddByteParity[256] = {
25 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
26 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
27 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
28 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
29 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
30 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
31 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
32 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
33 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
34 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
35 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
36 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
37 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
38 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
39 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
40 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
41 };
42
43 // BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
44 #define RECV_CMD_OFFSET 3032
45 #define RECV_RES_OFFSET 3096
46 #define DMA_BUFFER_OFFSET 3160
47 #define DMA_BUFFER_SIZE 4096
48 #define TRACE_LENGTH 3000
49
50 //-----------------------------------------------------------------------------
51 // Generate the parity value for a byte sequence
52 //
53 //-----------------------------------------------------------------------------
54 DWORD GetParity(const BYTE * pbtCmd, int iLen)
55 {
56 int i;
57 DWORD dwPar = 0;
58
59 // Generate the encrypted data
60 for (i = 0; i < iLen; i++) {
61 // Save the encrypted parity bit
62 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
63 }
64 return dwPar;
65 }
66
67 static void AppendCrc14443a(BYTE* data, int len)
68 {
69 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
70 }
71
72 BOOL LogTrace(const BYTE * btBytes, int iLen, int iSamples, DWORD dwParity, BOOL bReader)
73 {
74 // Return when trace is full
75 if (traceLen >= TRACE_LENGTH) return FALSE;
76
77 // Trace the random, i'm curious
78 rsamples += iSamples;
79 trace[traceLen++] = ((rsamples >> 0) & 0xff);
80 trace[traceLen++] = ((rsamples >> 8) & 0xff);
81 trace[traceLen++] = ((rsamples >> 16) & 0xff);
82 trace[traceLen++] = ((rsamples >> 24) & 0xff);
83 if (!bReader) {
84 trace[traceLen - 1] |= 0x80;
85 }
86 trace[traceLen++] = ((dwParity >> 0) & 0xff);
87 trace[traceLen++] = ((dwParity >> 8) & 0xff);
88 trace[traceLen++] = ((dwParity >> 16) & 0xff);
89 trace[traceLen++] = ((dwParity >> 24) & 0xff);
90 trace[traceLen++] = iLen;
91 memcpy(trace + traceLen, btBytes, iLen);
92 traceLen += iLen;
93 return TRUE;
94 }
95
96 BOOL LogTraceInfo(byte_t* data, size_t len)
97 {
98 return LogTrace(data,len,0,GetParity(data,len),TRUE);
99 }
100
101 //-----------------------------------------------------------------------------
102 // The software UART that receives commands from the reader, and its state
103 // variables.
104 //-----------------------------------------------------------------------------
105 static struct {
106 enum {
107 STATE_UNSYNCD,
108 STATE_START_OF_COMMUNICATION,
109 STATE_MILLER_X,
110 STATE_MILLER_Y,
111 STATE_MILLER_Z,
112 STATE_ERROR_WAIT
113 } state;
114 WORD shiftReg;
115 int bitCnt;
116 int byteCnt;
117 int byteCntMax;
118 int posCnt;
119 int syncBit;
120 int parityBits;
121 int samples;
122 int highCnt;
123 int bitBuffer;
124 enum {
125 DROP_NONE,
126 DROP_FIRST_HALF,
127 DROP_SECOND_HALF
128 } drop;
129 BYTE *output;
130 } Uart;
131
132 static BOOL MillerDecoding(int bit)
133 {
134 int error = 0;
135 int bitright;
136
137 if(!Uart.bitBuffer) {
138 Uart.bitBuffer = bit ^ 0xFF0;
139 return FALSE;
140 }
141 else {
142 Uart.bitBuffer <<= 4;
143 Uart.bitBuffer ^= bit;
144 }
145
146 BOOL EOC = FALSE;
147
148 if(Uart.state != STATE_UNSYNCD) {
149 Uart.posCnt++;
150
151 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
152 bit = 0x00;
153 }
154 else {
155 bit = 0x01;
156 }
157 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
158 bitright = 0x00;
159 }
160 else {
161 bitright = 0x01;
162 }
163 if(bit != bitright) { bit = bitright; }
164
165 if(Uart.posCnt == 1) {
166 // measurement first half bitperiod
167 if(!bit) {
168 Uart.drop = DROP_FIRST_HALF;
169 }
170 }
171 else {
172 // measurement second half bitperiod
173 if(!bit & (Uart.drop == DROP_NONE)) {
174 Uart.drop = DROP_SECOND_HALF;
175 }
176 else if(!bit) {
177 // measured a drop in first and second half
178 // which should not be possible
179 Uart.state = STATE_ERROR_WAIT;
180 error = 0x01;
181 }
182
183 Uart.posCnt = 0;
184
185 switch(Uart.state) {
186 case STATE_START_OF_COMMUNICATION:
187 Uart.shiftReg = 0;
188 if(Uart.drop == DROP_SECOND_HALF) {
189 // error, should not happen in SOC
190 Uart.state = STATE_ERROR_WAIT;
191 error = 0x02;
192 }
193 else {
194 // correct SOC
195 Uart.state = STATE_MILLER_Z;
196 }
197 break;
198
199 case STATE_MILLER_Z:
200 Uart.bitCnt++;
201 Uart.shiftReg >>= 1;
202 if(Uart.drop == DROP_NONE) {
203 // logic '0' followed by sequence Y
204 // end of communication
205 Uart.state = STATE_UNSYNCD;
206 EOC = TRUE;
207 }
208 // if(Uart.drop == DROP_FIRST_HALF) {
209 // Uart.state = STATE_MILLER_Z; stay the same
210 // we see a logic '0' }
211 if(Uart.drop == DROP_SECOND_HALF) {
212 // we see a logic '1'
213 Uart.shiftReg |= 0x100;
214 Uart.state = STATE_MILLER_X;
215 }
216 break;
217
218 case STATE_MILLER_X:
219 Uart.shiftReg >>= 1;
220 if(Uart.drop == DROP_NONE) {
221 // sequence Y, we see a '0'
222 Uart.state = STATE_MILLER_Y;
223 Uart.bitCnt++;
224 }
225 if(Uart.drop == DROP_FIRST_HALF) {
226 // Would be STATE_MILLER_Z
227 // but Z does not follow X, so error
228 Uart.state = STATE_ERROR_WAIT;
229 error = 0x03;
230 }
231 if(Uart.drop == DROP_SECOND_HALF) {
232 // We see a '1' and stay in state X
233 Uart.shiftReg |= 0x100;
234 Uart.bitCnt++;
235 }
236 break;
237
238 case STATE_MILLER_Y:
239 Uart.bitCnt++;
240 Uart.shiftReg >>= 1;
241 if(Uart.drop == DROP_NONE) {
242 // logic '0' followed by sequence Y
243 // end of communication
244 Uart.state = STATE_UNSYNCD;
245 EOC = TRUE;
246 }
247 if(Uart.drop == DROP_FIRST_HALF) {
248 // we see a '0'
249 Uart.state = STATE_MILLER_Z;
250 }
251 if(Uart.drop == DROP_SECOND_HALF) {
252 // We see a '1' and go to state X
253 Uart.shiftReg |= 0x100;
254 Uart.state = STATE_MILLER_X;
255 }
256 break;
257
258 case STATE_ERROR_WAIT:
259 // That went wrong. Now wait for at least two bit periods
260 // and try to sync again
261 if(Uart.drop == DROP_NONE) {
262 Uart.highCnt = 6;
263 Uart.state = STATE_UNSYNCD;
264 }
265 break;
266
267 default:
268 Uart.state = STATE_UNSYNCD;
269 Uart.highCnt = 0;
270 break;
271 }
272
273 Uart.drop = DROP_NONE;
274
275 // should have received at least one whole byte...
276 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
277 return TRUE;
278 }
279
280 if(Uart.bitCnt == 9) {
281 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
282 Uart.byteCnt++;
283
284 Uart.parityBits <<= 1;
285 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
286
287 if(EOC) {
288 // when End of Communication received and
289 // all data bits processed..
290 return TRUE;
291 }
292 Uart.bitCnt = 0;
293 }
294
295 /*if(error) {
296 Uart.output[Uart.byteCnt] = 0xAA;
297 Uart.byteCnt++;
298 Uart.output[Uart.byteCnt] = error & 0xFF;
299 Uart.byteCnt++;
300 Uart.output[Uart.byteCnt] = 0xAA;
301 Uart.byteCnt++;
302 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
303 Uart.byteCnt++;
304 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
305 Uart.byteCnt++;
306 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
307 Uart.byteCnt++;
308 Uart.output[Uart.byteCnt] = 0xAA;
309 Uart.byteCnt++;
310 return TRUE;
311 }*/
312 }
313
314 }
315 else {
316 bit = Uart.bitBuffer & 0xf0;
317 bit >>= 4;
318 bit ^= 0x0F;
319 if(bit) {
320 // should have been high or at least (4 * 128) / fc
321 // according to ISO this should be at least (9 * 128 + 20) / fc
322 if(Uart.highCnt == 8) {
323 // we went low, so this could be start of communication
324 // it turns out to be safer to choose a less significant
325 // syncbit... so we check whether the neighbour also represents the drop
326 Uart.posCnt = 1; // apparently we are busy with our first half bit period
327 Uart.syncBit = bit & 8;
328 Uart.samples = 3;
329 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
330 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
331 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
332 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
333 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
334 if(Uart.syncBit & (Uart.bitBuffer & 8)) {
335 Uart.syncBit = 8;
336
337 // the first half bit period is expected in next sample
338 Uart.posCnt = 0;
339 Uart.samples = 3;
340 }
341 }
342 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
343
344 Uart.syncBit <<= 4;
345 Uart.state = STATE_START_OF_COMMUNICATION;
346 Uart.drop = DROP_FIRST_HALF;
347 Uart.bitCnt = 0;
348 Uart.byteCnt = 0;
349 Uart.parityBits = 0;
350 error = 0;
351 }
352 else {
353 Uart.highCnt = 0;
354 }
355 }
356 else {
357 if(Uart.highCnt < 8) {
358 Uart.highCnt++;
359 }
360 }
361 }
362
363 return FALSE;
364 }
365
366 //=============================================================================
367 // ISO 14443 Type A - Manchester
368 //=============================================================================
369
370 static struct {
371 enum {
372 DEMOD_UNSYNCD,
373 DEMOD_START_OF_COMMUNICATION,
374 DEMOD_MANCHESTER_D,
375 DEMOD_MANCHESTER_E,
376 DEMOD_MANCHESTER_F,
377 DEMOD_ERROR_WAIT
378 } state;
379 int bitCount;
380 int posCount;
381 int syncBit;
382 int parityBits;
383 WORD shiftReg;
384 int buffer;
385 int buff;
386 int samples;
387 int len;
388 enum {
389 SUB_NONE,
390 SUB_FIRST_HALF,
391 SUB_SECOND_HALF
392 } sub;
393 BYTE *output;
394 } Demod;
395
396 static BOOL ManchesterDecoding(int v)
397 {
398 int bit;
399 int modulation;
400 int error = 0;
401
402 if(!Demod.buff) {
403 Demod.buff = 1;
404 Demod.buffer = v;
405 return FALSE;
406 }
407 else {
408 bit = Demod.buffer;
409 Demod.buffer = v;
410 }
411
412 if(Demod.state==DEMOD_UNSYNCD) {
413 Demod.output[Demod.len] = 0xfa;
414 Demod.syncBit = 0;
415 //Demod.samples = 0;
416 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
417 if(bit & 0x08) { Demod.syncBit = 0x08; }
418 if(!Demod.syncBit) {
419 if(bit & 0x04) { Demod.syncBit = 0x04; }
420 }
421 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
422 if(!Demod.syncBit) {
423 if(bit & 0x02) { Demod.syncBit = 0x02; }
424 }
425 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
426 if(!Demod.syncBit) {
427 if(bit & 0x01) { Demod.syncBit = 0x01; }
428
429 if(Demod.syncBit & (Demod.buffer & 0x08)) {
430 Demod.syncBit = 0x08;
431
432 // The first half bitperiod is expected in next sample
433 Demod.posCount = 0;
434 Demod.output[Demod.len] = 0xfb;
435 }
436 }
437 else if(bit & 0x01) { Demod.syncBit = 0x01; }
438
439 if(Demod.syncBit) {
440 Demod.len = 0;
441 Demod.state = DEMOD_START_OF_COMMUNICATION;
442 Demod.sub = SUB_FIRST_HALF;
443 Demod.bitCount = 0;
444 Demod.shiftReg = 0;
445 Demod.parityBits = 0;
446 Demod.samples = 0;
447 if(Demod.posCount) {
448 switch(Demod.syncBit) {
449 case 0x08: Demod.samples = 3; break;
450 case 0x04: Demod.samples = 2; break;
451 case 0x02: Demod.samples = 1; break;
452 case 0x01: Demod.samples = 0; break;
453 }
454 }
455 error = 0;
456 }
457 }
458 else {
459 //modulation = bit & Demod.syncBit;
460 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
461
462 Demod.samples += 4;
463
464 if(Demod.posCount==0) {
465 Demod.posCount = 1;
466 if(modulation) {
467 Demod.sub = SUB_FIRST_HALF;
468 }
469 else {
470 Demod.sub = SUB_NONE;
471 }
472 }
473 else {
474 Demod.posCount = 0;
475 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
476 if(Demod.state!=DEMOD_ERROR_WAIT) {
477 Demod.state = DEMOD_ERROR_WAIT;
478 Demod.output[Demod.len] = 0xaa;
479 error = 0x01;
480 }
481 }
482 else if(modulation) {
483 Demod.sub = SUB_SECOND_HALF;
484 }
485
486 switch(Demod.state) {
487 case DEMOD_START_OF_COMMUNICATION:
488 if(Demod.sub == SUB_FIRST_HALF) {
489 Demod.state = DEMOD_MANCHESTER_D;
490 }
491 else {
492 Demod.output[Demod.len] = 0xab;
493 Demod.state = DEMOD_ERROR_WAIT;
494 error = 0x02;
495 }
496 break;
497
498 case DEMOD_MANCHESTER_D:
499 case DEMOD_MANCHESTER_E:
500 if(Demod.sub == SUB_FIRST_HALF) {
501 Demod.bitCount++;
502 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
503 Demod.state = DEMOD_MANCHESTER_D;
504 }
505 else if(Demod.sub == SUB_SECOND_HALF) {
506 Demod.bitCount++;
507 Demod.shiftReg >>= 1;
508 Demod.state = DEMOD_MANCHESTER_E;
509 }
510 else {
511 Demod.state = DEMOD_MANCHESTER_F;
512 }
513 break;
514
515 case DEMOD_MANCHESTER_F:
516 // Tag response does not need to be a complete byte!
517 if(Demod.len > 0 || Demod.bitCount > 0) {
518 if(Demod.bitCount > 0) {
519 Demod.shiftReg >>= (9 - Demod.bitCount);
520 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
521 Demod.len++;
522 // No parity bit, so just shift a 0
523 Demod.parityBits <<= 1;
524 }
525
526 Demod.state = DEMOD_UNSYNCD;
527 return TRUE;
528 }
529 else {
530 Demod.output[Demod.len] = 0xad;
531 Demod.state = DEMOD_ERROR_WAIT;
532 error = 0x03;
533 }
534 break;
535
536 case DEMOD_ERROR_WAIT:
537 Demod.state = DEMOD_UNSYNCD;
538 break;
539
540 default:
541 Demod.output[Demod.len] = 0xdd;
542 Demod.state = DEMOD_UNSYNCD;
543 break;
544 }
545
546 if(Demod.bitCount>=9) {
547 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
548 Demod.len++;
549
550 Demod.parityBits <<= 1;
551 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
552
553 Demod.bitCount = 0;
554 Demod.shiftReg = 0;
555 }
556
557 /*if(error) {
558 Demod.output[Demod.len] = 0xBB;
559 Demod.len++;
560 Demod.output[Demod.len] = error & 0xFF;
561 Demod.len++;
562 Demod.output[Demod.len] = 0xBB;
563 Demod.len++;
564 Demod.output[Demod.len] = bit & 0xFF;
565 Demod.len++;
566 Demod.output[Demod.len] = Demod.buffer & 0xFF;
567 Demod.len++;
568 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
569 Demod.len++;
570 Demod.output[Demod.len] = 0xBB;
571 Demod.len++;
572 return TRUE;
573 }*/
574
575 }
576
577 } // end (state != UNSYNCED)
578
579 return FALSE;
580 }
581
582 //=============================================================================
583 // Finally, a `sniffer' for ISO 14443 Type A
584 // Both sides of communication!
585 //=============================================================================
586
587 //-----------------------------------------------------------------------------
588 // Record the sequence of commands sent by the reader to the tag, with
589 // triggering so that we start recording at the point that the tag is moved
590 // near the reader.
591 //-----------------------------------------------------------------------------
592 void SnoopIso14443a(void)
593 {
594 // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
595 // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
596 // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
597 // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
598 // #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
599
600 // We won't start recording the frames that we acquire until we trigger;
601 // a good trigger condition to get started is probably when we see a
602 // response from the tag.
603 BOOL triggered = TRUE; // FALSE to wait first for card
604
605 // The command (reader -> tag) that we're receiving.
606 // The length of a received command will in most cases be no more than 18 bytes.
607 // So 32 should be enough!
608 BYTE *receivedCmd = (((BYTE *)BigBuf) + RECV_CMD_OFFSET);
609 // The response (tag -> reader) that we're receiving.
610 BYTE *receivedResponse = (((BYTE *)BigBuf) + RECV_RES_OFFSET);
611
612 // As we receive stuff, we copy it from receivedCmd or receivedResponse
613 // into trace, along with its length and other annotations.
614 //BYTE *trace = (BYTE *)BigBuf;
615 //int traceLen = 0;
616
617 // The DMA buffer, used to stream samples from the FPGA
618 SBYTE *dmaBuf = ((SBYTE *)BigBuf) + DMA_BUFFER_OFFSET;
619 int lastRxCounter;
620 SBYTE *upTo;
621 int smpl;
622 int maxBehindBy = 0;
623
624 // Count of samples received so far, so that we can include timing
625 // information in the trace buffer.
626 int samples = 0;
627 int rsamples = 0;
628
629 memset(trace, 0x44, RECV_CMD_OFFSET);
630
631 // Set up the demodulator for tag -> reader responses.
632 Demod.output = receivedResponse;
633 Demod.len = 0;
634 Demod.state = DEMOD_UNSYNCD;
635
636 // And the reader -> tag commands
637 memset(&Uart, 0, sizeof(Uart));
638 Uart.output = receivedCmd;
639 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
640 Uart.state = STATE_UNSYNCD;
641
642 // And put the FPGA in the appropriate mode
643 // Signal field is off with the appropriate LED
644 LED_D_OFF();
645 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
646 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
647
648 // Setup for the DMA.
649 FpgaSetupSsc();
650 upTo = dmaBuf;
651 lastRxCounter = DMA_BUFFER_SIZE;
652 FpgaSetupSscDma((BYTE *)dmaBuf, DMA_BUFFER_SIZE);
653
654 LED_A_ON();
655
656 // And now we loop, receiving samples.
657 for(;;) {
658 WDT_HIT();
659 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
660 (DMA_BUFFER_SIZE-1);
661 if(behindBy > maxBehindBy) {
662 maxBehindBy = behindBy;
663 if(behindBy > 400) {
664 DbpString("blew circular buffer!");
665 goto done;
666 }
667 }
668 if(behindBy < 1) continue;
669
670 smpl = upTo[0];
671 upTo++;
672 lastRxCounter -= 1;
673 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
674 upTo -= DMA_BUFFER_SIZE;
675 lastRxCounter += DMA_BUFFER_SIZE;
676 AT91C_BASE_PDC_SSC->PDC_RNPR = (DWORD)upTo;
677 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
678 }
679
680 samples += 4;
681 #define HANDLE_BIT_IF_BODY \
682 LED_C_ON(); \
683 if(triggered) { \
684 trace[traceLen++] = ((rsamples >> 0) & 0xff); \
685 trace[traceLen++] = ((rsamples >> 8) & 0xff); \
686 trace[traceLen++] = ((rsamples >> 16) & 0xff); \
687 trace[traceLen++] = ((rsamples >> 24) & 0xff); \
688 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff); \
689 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff); \
690 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff); \
691 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff); \
692 trace[traceLen++] = Uart.byteCnt; \
693 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); \
694 traceLen += Uart.byteCnt; \
695 if(traceLen > TRACE_LENGTH) break; \
696 } \
697 /* And ready to receive another command. */ \
698 Uart.state = STATE_UNSYNCD; \
699 /* And also reset the demod code, which might have been */ \
700 /* false-triggered by the commands from the reader. */ \
701 Demod.state = DEMOD_UNSYNCD; \
702 LED_B_OFF(); \
703
704 if(MillerDecoding((smpl & 0xF0) >> 4)) {
705 rsamples = samples - Uart.samples;
706 HANDLE_BIT_IF_BODY
707 }
708 if(ManchesterDecoding(smpl & 0x0F)) {
709 rsamples = samples - Demod.samples;
710 LED_B_ON();
711
712 // timestamp, as a count of samples
713 trace[traceLen++] = ((rsamples >> 0) & 0xff);
714 trace[traceLen++] = ((rsamples >> 8) & 0xff);
715 trace[traceLen++] = ((rsamples >> 16) & 0xff);
716 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
717 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
718 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
719 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
720 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
721 // length
722 trace[traceLen++] = Demod.len;
723 memcpy(trace+traceLen, receivedResponse, Demod.len);
724 traceLen += Demod.len;
725 if(traceLen > TRACE_LENGTH) break;
726
727 triggered = TRUE;
728
729 // And ready to receive another response.
730 memset(&Demod, 0, sizeof(Demod));
731 Demod.output = receivedResponse;
732 Demod.state = DEMOD_UNSYNCD;
733 LED_C_OFF();
734 }
735
736 if(BUTTON_PRESS()) {
737 DbpString("cancelled_a");
738 goto done;
739 }
740 }
741
742 DbpString("COMMAND FINISHED");
743
744 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
745 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
746
747 done:
748 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
749 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
750 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
751 LED_A_OFF();
752 LED_B_OFF();
753 LED_C_OFF();
754 LED_D_OFF();
755 }
756
757 // Prepare communication bits to send to FPGA
758 void Sequence(SecType seq)
759 {
760 ToSendMax++;
761 switch(seq) {
762 // CARD TO READER
763 case SEC_D:
764 // Sequence D: 11110000
765 // modulation with subcarrier during first half
766 ToSend[ToSendMax] = 0xf0;
767 break;
768 case SEC_E:
769 // Sequence E: 00001111
770 // modulation with subcarrier during second half
771 ToSend[ToSendMax] = 0x0f;
772 break;
773 case SEC_F:
774 // Sequence F: 00000000
775 // no modulation with subcarrier
776 ToSend[ToSendMax] = 0x00;
777 break;
778 // READER TO CARD
779 case SEC_X:
780 // Sequence X: 00001100
781 // drop after half a period
782 ToSend[ToSendMax] = 0x0c;
783 break;
784 case SEC_Y:
785 default:
786 // Sequence Y: 00000000
787 // no drop
788 ToSend[ToSendMax] = 0x00;
789 break;
790 case SEC_Z:
791 // Sequence Z: 11000000
792 // drop at start
793 ToSend[ToSendMax] = 0xc0;
794 break;
795 }
796 }
797
798 //-----------------------------------------------------------------------------
799 // Prepare tag messages
800 //-----------------------------------------------------------------------------
801 static void CodeIso14443aAsTag(const BYTE *cmd, int len)
802 {
803 int i;
804 int oddparity;
805
806 ToSendReset();
807
808 // Correction bit, might be removed when not needed
809 ToSendStuffBit(0);
810 ToSendStuffBit(0);
811 ToSendStuffBit(0);
812 ToSendStuffBit(0);
813 ToSendStuffBit(1); // 1
814 ToSendStuffBit(0);
815 ToSendStuffBit(0);
816 ToSendStuffBit(0);
817
818 // Send startbit
819 Sequence(SEC_D);
820
821 for(i = 0; i < len; i++) {
822 int j;
823 BYTE b = cmd[i];
824
825 // Data bits
826 oddparity = 0x01;
827 for(j = 0; j < 8; j++) {
828 oddparity ^= (b & 1);
829 if(b & 1) {
830 Sequence(SEC_D);
831 } else {
832 Sequence(SEC_E);
833 }
834 b >>= 1;
835 }
836
837 // Parity bit
838 if(oddparity) {
839 Sequence(SEC_D);
840 } else {
841 Sequence(SEC_E);
842 }
843 }
844
845 // Send stopbit
846 Sequence(SEC_F);
847
848 // Flush the buffer in FPGA!!
849 for(i = 0; i < 5; i++) {
850 Sequence(SEC_F);
851 }
852
853 // Convert from last byte pos to length
854 ToSendMax++;
855
856 // Add a few more for slop
857 ToSend[ToSendMax++] = 0x00;
858 ToSend[ToSendMax++] = 0x00;
859 //ToSendMax += 2;
860 }
861
862 //-----------------------------------------------------------------------------
863 // This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
864 //-----------------------------------------------------------------------------
865 static void CodeStrangeAnswer()
866 {
867 int i;
868
869 ToSendReset();
870
871 // Correction bit, might be removed when not needed
872 ToSendStuffBit(0);
873 ToSendStuffBit(0);
874 ToSendStuffBit(0);
875 ToSendStuffBit(0);
876 ToSendStuffBit(1); // 1
877 ToSendStuffBit(0);
878 ToSendStuffBit(0);
879 ToSendStuffBit(0);
880
881 // Send startbit
882 Sequence(SEC_D);
883
884 // 0
885 Sequence(SEC_E);
886
887 // 0
888 Sequence(SEC_E);
889
890 // 1
891 Sequence(SEC_D);
892
893 // Send stopbit
894 Sequence(SEC_F);
895
896 // Flush the buffer in FPGA!!
897 for(i = 0; i < 5; i++) {
898 Sequence(SEC_F);
899 }
900
901 // Convert from last byte pos to length
902 ToSendMax++;
903
904 // Add a few more for slop
905 ToSend[ToSendMax++] = 0x00;
906 ToSend[ToSendMax++] = 0x00;
907 //ToSendMax += 2;
908 }
909
910 //-----------------------------------------------------------------------------
911 // Wait for commands from reader
912 // Stop when button is pressed
913 // Or return TRUE when command is captured
914 //-----------------------------------------------------------------------------
915 static BOOL GetIso14443aCommandFromReader(BYTE *received, int *len, int maxLen)
916 {
917 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
918 // only, since we are receiving, not transmitting).
919 // Signal field is off with the appropriate LED
920 LED_D_OFF();
921 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
922
923 // Now run a `software UART' on the stream of incoming samples.
924 Uart.output = received;
925 Uart.byteCntMax = maxLen;
926 Uart.state = STATE_UNSYNCD;
927
928 for(;;) {
929 WDT_HIT();
930
931 if(BUTTON_PRESS()) return FALSE;
932
933 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
934 AT91C_BASE_SSC->SSC_THR = 0x00;
935 }
936 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
937 BYTE b = (BYTE)AT91C_BASE_SSC->SSC_RHR;
938 if(MillerDecoding((b & 0xf0) >> 4)) {
939 *len = Uart.byteCnt;
940 return TRUE;
941 }
942 if(MillerDecoding(b & 0x0f)) {
943 *len = Uart.byteCnt;
944 return TRUE;
945 }
946 }
947 }
948 }
949
950 //-----------------------------------------------------------------------------
951 // Main loop of simulated tag: receive commands from reader, decide what
952 // response to send, and send it.
953 //-----------------------------------------------------------------------------
954 void SimulateIso14443aTag(int tagType, int TagUid)
955 {
956 // This function contains the tag emulation
957
958 // Prepare protocol messages
959 // static const BYTE cmd1[] = { 0x26 };
960 // static const BYTE response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
961 //
962 static const BYTE response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
963 // static const BYTE response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
964
965 // UID response
966 // static const BYTE cmd2[] = { 0x93, 0x20 };
967 //static const BYTE response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
968
969
970
971 // my desfire
972 static const BYTE response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
973
974
975 // When reader selects us during cascade1 it will send cmd3
976 //BYTE response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
977 BYTE response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
978 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
979
980 // send cascade2 2nd half of UID
981 static const BYTE response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
982 // NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
983
984
985 // When reader selects us during cascade2 it will send cmd3a
986 //BYTE response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
987 BYTE response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
988 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
989
990 static const BYTE response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
991
992 BYTE *resp;
993 int respLen;
994
995 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
996 // This will need
997 // 144 data bits (18 * 8)
998 // 18 parity bits
999 // 2 Start and stop
1000 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
1001 // 1 just for the case
1002 // ----------- +
1003 // 166
1004 //
1005 // 166 bytes, since every bit that needs to be send costs us a byte
1006 //
1007
1008
1009 // Respond with card type
1010 BYTE *resp1 = (((BYTE *)BigBuf) + 800);
1011 int resp1Len;
1012
1013 // Anticollision cascade1 - respond with uid
1014 BYTE *resp2 = (((BYTE *)BigBuf) + 970);
1015 int resp2Len;
1016
1017 // Anticollision cascade2 - respond with 2nd half of uid if asked
1018 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
1019 BYTE *resp2a = (((BYTE *)BigBuf) + 1140);
1020 int resp2aLen;
1021
1022 // Acknowledge select - cascade 1
1023 BYTE *resp3 = (((BYTE *)BigBuf) + 1310);
1024 int resp3Len;
1025
1026 // Acknowledge select - cascade 2
1027 BYTE *resp3a = (((BYTE *)BigBuf) + 1480);
1028 int resp3aLen;
1029
1030 // Response to a read request - not implemented atm
1031 BYTE *resp4 = (((BYTE *)BigBuf) + 1550);
1032 int resp4Len;
1033
1034 // Authenticate response - nonce
1035 BYTE *resp5 = (((BYTE *)BigBuf) + 1720);
1036 int resp5Len;
1037
1038 BYTE *receivedCmd = (BYTE *)BigBuf;
1039 int len;
1040
1041 int i;
1042 int u;
1043 BYTE b;
1044
1045 // To control where we are in the protocol
1046 int order = 0;
1047 int lastorder;
1048
1049 // Just to allow some checks
1050 int happened = 0;
1051 int happened2 = 0;
1052
1053 int cmdsRecvd = 0;
1054
1055 BOOL fdt_indicator;
1056
1057 memset(receivedCmd, 0x44, 400);
1058
1059 // Prepare the responses of the anticollision phase
1060 // there will be not enough time to do this at the moment the reader sends it REQA
1061
1062 // Answer to request
1063 CodeIso14443aAsTag(response1, sizeof(response1));
1064 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1065
1066 // Send our UID (cascade 1)
1067 CodeIso14443aAsTag(response2, sizeof(response2));
1068 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1069
1070 // Answer to select (cascade1)
1071 CodeIso14443aAsTag(response3, sizeof(response3));
1072 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1073
1074 // Send the cascade 2 2nd part of the uid
1075 CodeIso14443aAsTag(response2a, sizeof(response2a));
1076 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1077
1078 // Answer to select (cascade 2)
1079 CodeIso14443aAsTag(response3a, sizeof(response3a));
1080 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1081
1082 // Strange answer is an example of rare message size (3 bits)
1083 CodeStrangeAnswer();
1084 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1085
1086 // Authentication answer (random nonce)
1087 CodeIso14443aAsTag(response5, sizeof(response5));
1088 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1089
1090 // We need to listen to the high-frequency, peak-detected path.
1091 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1092 FpgaSetupSsc();
1093
1094 cmdsRecvd = 0;
1095
1096 LED_A_ON();
1097 for(;;) {
1098
1099 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1100 DbpString("button press");
1101 break;
1102 }
1103 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1104 // Okay, look at the command now.
1105 lastorder = order;
1106 i = 1; // first byte transmitted
1107 if(receivedCmd[0] == 0x26) {
1108 // Received a REQUEST
1109 resp = resp1; respLen = resp1Len; order = 1;
1110 //DbpString("Hello request from reader:");
1111 } else if(receivedCmd[0] == 0x52) {
1112 // Received a WAKEUP
1113 resp = resp1; respLen = resp1Len; order = 6;
1114 // //DbpString("Wakeup request from reader:");
1115
1116 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1117 // Received request for UID (cascade 1)
1118 resp = resp2; respLen = resp2Len; order = 2;
1119 // DbpString("UID (cascade 1) request from reader:");
1120 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1121
1122
1123 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1124 // Received request for UID (cascade 2)
1125 resp = resp2a; respLen = resp2aLen; order = 20;
1126 // DbpString("UID (cascade 2) request from reader:");
1127 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1128
1129
1130 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1131 // Received a SELECT
1132 resp = resp3; respLen = resp3Len; order = 3;
1133 // DbpString("Select (cascade 1) request from reader:");
1134 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1135
1136
1137 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1138 // Received a SELECT
1139 resp = resp3a; respLen = resp3aLen; order = 30;
1140 // DbpString("Select (cascade 2) request from reader:");
1141 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1142
1143
1144 } else if(receivedCmd[0] == 0x30) {
1145 // Received a READ
1146 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1147 Dbprintf("Read request from reader: %x %x %x",
1148 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1149
1150
1151 } else if(receivedCmd[0] == 0x50) {
1152 // Received a HALT
1153 resp = resp1; respLen = 0; order = 5; // Do nothing
1154 DbpString("Reader requested we HALT!:");
1155
1156 } else if(receivedCmd[0] == 0x60) {
1157 // Received an authentication request
1158 resp = resp5; respLen = resp5Len; order = 7;
1159 Dbprintf("Authenticate request from reader: %x %x %x",
1160 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1161
1162 } else if(receivedCmd[0] == 0xE0) {
1163 // Received a RATS request
1164 resp = resp1; respLen = 0;order = 70;
1165 Dbprintf("RATS request from reader: %x %x %x",
1166 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1167 } else {
1168 // Never seen this command before
1169 Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
1170 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1171 receivedCmd[3], receivedCmd[3], receivedCmd[4],
1172 receivedCmd[5], receivedCmd[6], receivedCmd[7]);
1173 // Do not respond
1174 resp = resp1; respLen = 0; order = 0;
1175 }
1176
1177 // Count number of wakeups received after a halt
1178 if(order == 6 && lastorder == 5) { happened++; }
1179
1180 // Count number of other messages after a halt
1181 if(order != 6 && lastorder == 5) { happened2++; }
1182
1183 // Look at last parity bit to determine timing of answer
1184 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1185 // 1236, so correction bit needed
1186 i = 0;
1187 }
1188
1189 memset(receivedCmd, 0x44, 32);
1190
1191 if(cmdsRecvd > 999) {
1192 DbpString("1000 commands later...");
1193 break;
1194 }
1195 else {
1196 cmdsRecvd++;
1197 }
1198
1199 if(respLen <= 0) continue;
1200
1201 // Modulate Manchester
1202 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1203 AT91C_BASE_SSC->SSC_THR = 0x00;
1204 FpgaSetupSsc();
1205
1206 // ### Transmit the response ###
1207 u = 0;
1208 b = 0x00;
1209 fdt_indicator = FALSE;
1210 for(;;) {
1211 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1212 volatile BYTE b = (BYTE)AT91C_BASE_SSC->SSC_RHR;
1213 (void)b;
1214 }
1215 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1216 if(i > respLen) {
1217 b = 0x00;
1218 u++;
1219 } else {
1220 b = resp[i];
1221 i++;
1222 }
1223 AT91C_BASE_SSC->SSC_THR = b;
1224
1225 if(u > 4) {
1226 break;
1227 }
1228 }
1229 if(BUTTON_PRESS()) {
1230 break;
1231 }
1232 }
1233
1234 }
1235
1236 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1237 LED_A_OFF();
1238 }
1239
1240 //-----------------------------------------------------------------------------
1241 // Transmit the command (to the tag) that was placed in ToSend[].
1242 //-----------------------------------------------------------------------------
1243 static void TransmitFor14443a(const BYTE *cmd, int len, int *samples, int *wait)
1244 {
1245 int c;
1246
1247 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1248
1249 if (wait)
1250 if(*wait < 10)
1251 *wait = 10;
1252
1253 for(c = 0; c < *wait;) {
1254 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1255 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1256 c++;
1257 }
1258 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1259 volatile DWORD r = AT91C_BASE_SSC->SSC_RHR;
1260 (void)r;
1261 }
1262 WDT_HIT();
1263 }
1264
1265 c = 0;
1266 for(;;) {
1267 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1268 AT91C_BASE_SSC->SSC_THR = cmd[c];
1269 c++;
1270 if(c >= len) {
1271 break;
1272 }
1273 }
1274 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1275 volatile DWORD r = AT91C_BASE_SSC->SSC_RHR;
1276 (void)r;
1277 }
1278 WDT_HIT();
1279 }
1280 if (samples) *samples = (c + *wait) << 3;
1281 }
1282
1283 //-----------------------------------------------------------------------------
1284 // To generate an arbitrary stream from reader
1285 //
1286 //-----------------------------------------------------------------------------
1287 void ArbitraryFromReader(const BYTE *cmd, int parity, int len)
1288 {
1289 int i;
1290 int j;
1291 int last;
1292 BYTE b;
1293
1294 ToSendReset();
1295
1296 // Start of Communication (Seq. Z)
1297 Sequence(SEC_Z);
1298 last = 0;
1299
1300 for(i = 0; i < len; i++) {
1301 // Data bits
1302 b = cmd[i];
1303 for(j = 0; j < 8; j++) {
1304 if(b & 1) {
1305 // Sequence X
1306 Sequence(SEC_X);
1307 last = 1;
1308 } else {
1309 if(last == 0) {
1310 // Sequence Z
1311 Sequence(SEC_Z);
1312 }
1313 else {
1314 // Sequence Y
1315 Sequence(SEC_Y);
1316 last = 0;
1317 }
1318 }
1319 b >>= 1;
1320
1321 }
1322
1323 // Predefined parity bit, the flipper flips when needed, because of flips in byte sent
1324 if(((parity >> (len - i - 1)) & 1)) {
1325 // Sequence X
1326 Sequence(SEC_X);
1327 last = 1;
1328 } else {
1329 if(last == 0) {
1330 // Sequence Z
1331 Sequence(SEC_Z);
1332 }
1333 else {
1334 // Sequence Y
1335 Sequence(SEC_Y);
1336 last = 0;
1337 }
1338 }
1339 }
1340
1341 // End of Communication
1342 if(last == 0) {
1343 // Sequence Z
1344 Sequence(SEC_Z);
1345 }
1346 else {
1347 // Sequence Y
1348 Sequence(SEC_Y);
1349 last = 0;
1350 }
1351 // Sequence Y
1352 Sequence(SEC_Y);
1353
1354 // Just to be sure!
1355 Sequence(SEC_Y);
1356 Sequence(SEC_Y);
1357 Sequence(SEC_Y);
1358
1359 // Convert from last character reference to length
1360 ToSendMax++;
1361 }
1362
1363 //-----------------------------------------------------------------------------
1364 // Code a 7-bit command without parity bit
1365 // This is especially for 0x26 and 0x52 (REQA and WUPA)
1366 //-----------------------------------------------------------------------------
1367 void ShortFrameFromReader(const BYTE bt)
1368 {
1369 int j;
1370 int last;
1371 BYTE b;
1372
1373 ToSendReset();
1374
1375 // Start of Communication (Seq. Z)
1376 Sequence(SEC_Z);
1377 last = 0;
1378
1379 b = bt;
1380 for(j = 0; j < 7; j++) {
1381 if(b & 1) {
1382 // Sequence X
1383 Sequence(SEC_X);
1384 last = 1;
1385 } else {
1386 if(last == 0) {
1387 // Sequence Z
1388 Sequence(SEC_Z);
1389 }
1390 else {
1391 // Sequence Y
1392 Sequence(SEC_Y);
1393 last = 0;
1394 }
1395 }
1396 b >>= 1;
1397 }
1398
1399 // End of Communication
1400 if(last == 0) {
1401 // Sequence Z
1402 Sequence(SEC_Z);
1403 }
1404 else {
1405 // Sequence Y
1406 Sequence(SEC_Y);
1407 last = 0;
1408 }
1409 // Sequence Y
1410 Sequence(SEC_Y);
1411
1412 // Just to be sure!
1413 Sequence(SEC_Y);
1414 Sequence(SEC_Y);
1415 Sequence(SEC_Y);
1416
1417 // Convert from last character reference to length
1418 ToSendMax++;
1419 }
1420
1421 //-----------------------------------------------------------------------------
1422 // Prepare reader command to send to FPGA
1423 //
1424 //-----------------------------------------------------------------------------
1425 void CodeIso14443aAsReaderPar(const BYTE * cmd, int len, DWORD dwParity)
1426 {
1427 int i, j;
1428 int last;
1429 BYTE b;
1430
1431 ToSendReset();
1432
1433 // Start of Communication (Seq. Z)
1434 Sequence(SEC_Z);
1435 last = 0;
1436
1437 // Generate send structure for the data bits
1438 for (i = 0; i < len; i++) {
1439 // Get the current byte to send
1440 b = cmd[i];
1441
1442 for (j = 0; j < 8; j++) {
1443 if (b & 1) {
1444 // Sequence X
1445 Sequence(SEC_X);
1446 last = 1;
1447 } else {
1448 if (last == 0) {
1449 // Sequence Z
1450 Sequence(SEC_Z);
1451 } else {
1452 // Sequence Y
1453 Sequence(SEC_Y);
1454 last = 0;
1455 }
1456 }
1457 b >>= 1;
1458 }
1459
1460 // Get the parity bit
1461 if ((dwParity >> i) & 0x01) {
1462 // Sequence X
1463 Sequence(SEC_X);
1464 last = 1;
1465 } else {
1466 if (last == 0) {
1467 // Sequence Z
1468 Sequence(SEC_Z);
1469 } else {
1470 // Sequence Y
1471 Sequence(SEC_Y);
1472 last = 0;
1473 }
1474 }
1475 }
1476
1477 // End of Communication
1478 if (last == 0) {
1479 // Sequence Z
1480 Sequence(SEC_Z);
1481 } else {
1482 // Sequence Y
1483 Sequence(SEC_Y);
1484 last = 0;
1485 }
1486 // Sequence Y
1487 Sequence(SEC_Y);
1488
1489 // Just to be sure!
1490 Sequence(SEC_Y);
1491 Sequence(SEC_Y);
1492 Sequence(SEC_Y);
1493
1494 // Convert from last character reference to length
1495 ToSendMax++;
1496 }
1497
1498 //-----------------------------------------------------------------------------
1499 // Wait a certain time for tag response
1500 // If a response is captured return TRUE
1501 // If it takes to long return FALSE
1502 //-----------------------------------------------------------------------------
1503 static BOOL GetIso14443aAnswerFromTag(BYTE *receivedResponse, int maxLen, int *samples, int *elapsed) //BYTE *buffer
1504 {
1505 // buffer needs to be 512 bytes
1506 int c;
1507
1508 // Set FPGA mode to "reader listen mode", no modulation (listen
1509 // only, since we are receiving, not transmitting).
1510 // Signal field is on with the appropriate LED
1511 LED_D_ON();
1512 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1513
1514 // Now get the answer from the card
1515 Demod.output = receivedResponse;
1516 Demod.len = 0;
1517 Demod.state = DEMOD_UNSYNCD;
1518
1519 BYTE b;
1520 if (elapsed) *elapsed = 0;
1521
1522 c = 0;
1523 for(;;) {
1524 WDT_HIT();
1525
1526 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1527 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1528 if (elapsed) (*elapsed)++;
1529 }
1530 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1531 if(c < 512) { c++; } else { return FALSE; }
1532 b = (BYTE)AT91C_BASE_SSC->SSC_RHR;
1533 if(ManchesterDecoding((b & 0xf0) >> 4)) {
1534 *samples = ((c - 1) << 3) + 4;
1535 return TRUE;
1536 }
1537 if(ManchesterDecoding(b & 0x0f)) {
1538 *samples = c << 3;
1539 return TRUE;
1540 }
1541 }
1542 }
1543 }
1544
1545 void ReaderTransmitShort(const BYTE* bt)
1546 {
1547 int wait = 0;
1548 int samples = 0;
1549
1550 ShortFrameFromReader(*bt);
1551
1552 // Select the card
1553 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1554
1555 // Store reader command in buffer
1556 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1557 }
1558
1559 void ReaderTransmitPar(BYTE* frame, int len, DWORD par)
1560 {
1561 int wait = 0;
1562 int samples = 0;
1563
1564 // This is tied to other size changes
1565 // BYTE* frame_addr = ((BYTE*)BigBuf) + 2024;
1566 CodeIso14443aAsReaderPar(frame,len,par);
1567
1568 // Select the card
1569 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1570
1571 // Store reader command in buffer
1572 if (tracing) LogTrace(frame,len,0,par,TRUE);
1573 }
1574
1575
1576 void ReaderTransmit(BYTE* frame, int len)
1577 {
1578 // Generate parity and redirect
1579 ReaderTransmitPar(frame,len,GetParity(frame,len));
1580 }
1581
1582 BOOL ReaderReceive(BYTE* receivedAnswer)
1583 {
1584 int samples = 0;
1585 if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
1586 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1587 return TRUE;
1588 }
1589
1590 //-----------------------------------------------------------------------------
1591 // Read an ISO 14443a tag. Send out commands and store answers.
1592 //
1593 //-----------------------------------------------------------------------------
1594 void ReaderIso14443a(DWORD parameter)
1595 {
1596 // Anticollision
1597 BYTE wupa[] = { 0x52 };
1598 BYTE sel_all[] = { 0x93,0x20 };
1599 BYTE sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1600 BYTE sel_all_c2[] = { 0x95,0x20 };
1601 BYTE sel_uid_c2[] = { 0x95,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1602
1603 // Mifare AUTH
1604 BYTE mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1605 // BYTE mf_nr_ar[] = { 0x00,0x00,0x00,0x00 };
1606
1607 BYTE* receivedAnswer = (((BYTE *)BigBuf) + 3560); // was 3560 - tied to other size changes
1608 traceLen = 0;
1609
1610 // Setup SSC
1611 FpgaSetupSsc();
1612
1613 // Start from off (no field generated)
1614 // Signal field is off with the appropriate LED
1615 LED_D_OFF();
1616 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1617 SpinDelay(200);
1618
1619 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1620 FpgaSetupSsc();
1621
1622 // Now give it time to spin up.
1623 // Signal field is on with the appropriate LED
1624 LED_D_ON();
1625 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1626 SpinDelay(200);
1627
1628 LED_A_ON();
1629 LED_B_OFF();
1630 LED_C_OFF();
1631
1632 while(traceLen < TRACE_LENGTH)
1633 {
1634 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1635 ReaderTransmitShort(wupa);
1636
1637 // Test if the action was cancelled
1638 if(BUTTON_PRESS()) {
1639 break;
1640 }
1641
1642 // Receive the ATQA
1643 if (!ReaderReceive(receivedAnswer)) continue;
1644
1645 // Transmit SELECT_ALL
1646 ReaderTransmit(sel_all,sizeof(sel_all));
1647
1648 // Receive the UID
1649 if (!ReaderReceive(receivedAnswer)) continue;
1650
1651 // Construct SELECT UID command
1652 // First copy the 5 bytes (Mifare Classic) after the 93 70
1653 memcpy(sel_uid+2,receivedAnswer,5);
1654 // Secondly compute the two CRC bytes at the end
1655 AppendCrc14443a(sel_uid,7);
1656
1657 // Transmit SELECT_UID
1658 ReaderTransmit(sel_uid,sizeof(sel_uid));
1659
1660 // Receive the SAK
1661 if (!ReaderReceive(receivedAnswer)) continue;
1662
1663 // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in
1664 // which case we need to make a cascade 2 request and select - this is a long UID
1665 // When the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1666 if (receivedAnswer[0] &= 0x04)
1667 {
1668 // Transmit SELECT_ALL
1669 ReaderTransmit(sel_all_c2,sizeof(sel_all_c2));
1670
1671 // Receive the UID
1672 if (!ReaderReceive(receivedAnswer)) continue;
1673
1674 // Construct SELECT UID command
1675 memcpy(sel_uid_c2+2,receivedAnswer,5);
1676 // Secondly compute the two CRC bytes at the end
1677 AppendCrc14443a(sel_uid_c2,7);
1678
1679 // Transmit SELECT_UID
1680 ReaderTransmit(sel_uid_c2,sizeof(sel_uid_c2));
1681
1682 // Receive the SAK
1683 if (!ReaderReceive(receivedAnswer)) continue;
1684 }
1685
1686 // Transmit MIFARE_CLASSIC_AUTH
1687 ReaderTransmit(mf_auth,sizeof(mf_auth));
1688
1689 // Receive the (16 bit) "random" nonce
1690 if (!ReaderReceive(receivedAnswer)) continue;
1691 }
1692
1693 // Thats it...
1694 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1695 LEDsoff();
1696 Dbprintf("%x %x %x", rsamples, 0xCC, 0xCC);
1697 DbpString("ready..");
1698 }
1699
1700 //-----------------------------------------------------------------------------
1701 // Read an ISO 14443a tag. Send out commands and store answers.
1702 //
1703 //-----------------------------------------------------------------------------
1704 void ReaderMifare(DWORD parameter)
1705 {
1706
1707 // Anticollision
1708 BYTE wupa[] = { 0x52 };
1709 BYTE sel_all[] = { 0x93,0x20 };
1710 BYTE sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1711
1712 // Mifare AUTH
1713 BYTE mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1714 BYTE mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1715
1716 BYTE* receivedAnswer = (((BYTE *)BigBuf) + 3560); // was 3560 - tied to other size changes
1717 traceLen = 0;
1718 tracing = false;
1719
1720 // Setup SSC
1721 FpgaSetupSsc();
1722
1723 // Start from off (no field generated)
1724 // Signal field is off with the appropriate LED
1725 LED_D_OFF();
1726 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1727 SpinDelay(200);
1728
1729 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1730 FpgaSetupSsc();
1731
1732 // Now give it time to spin up.
1733 // Signal field is on with the appropriate LED
1734 LED_D_ON();
1735 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1736 SpinDelay(200);
1737
1738 LED_A_ON();
1739 LED_B_OFF();
1740 LED_C_OFF();
1741
1742 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1743 ReaderTransmitShort(wupa);
1744 // Receive the ATQA
1745 ReaderReceive(receivedAnswer);
1746 // Transmit SELECT_ALL
1747 ReaderTransmit(sel_all,sizeof(sel_all));
1748 // Receive the UID
1749 ReaderReceive(receivedAnswer);
1750 // Construct SELECT UID command
1751 // First copy the 5 bytes (Mifare Classic) after the 93 70
1752 memcpy(sel_uid+2,receivedAnswer,5);
1753 // Secondly compute the two CRC bytes at the end
1754 AppendCrc14443a(sel_uid,7);
1755
1756 byte_t nt_diff = 0;
1757 LED_A_OFF();
1758 byte_t par = 0;
1759 byte_t par_mask = 0xff;
1760 byte_t par_low = 0;
1761 BOOL led_on = TRUE;
1762
1763 tracing = FALSE;
1764 byte_t nt[4];
1765 byte_t nt_attacked[4];
1766 byte_t par_list[8];
1767 byte_t ks_list[8];
1768 num_to_bytes(parameter,4,nt_attacked);
1769
1770 while(TRUE)
1771 {
1772 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1773 SpinDelay(200);
1774 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1775
1776 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1777 ReaderTransmitShort(wupa);
1778
1779 // Test if the action was cancelled
1780 if(BUTTON_PRESS()) {
1781 break;
1782 }
1783
1784 // Receive the ATQA
1785 if (!ReaderReceive(receivedAnswer)) continue;
1786
1787 // Transmit SELECT_ALL
1788 ReaderTransmit(sel_all,sizeof(sel_all));
1789
1790 // Receive the UID
1791 if (!ReaderReceive(receivedAnswer)) continue;
1792
1793 // Transmit SELECT_UID
1794 ReaderTransmit(sel_uid,sizeof(sel_uid));
1795
1796 // Receive the SAK
1797 if (!ReaderReceive(receivedAnswer)) continue;
1798
1799 // Transmit MIFARE_CLASSIC_AUTH
1800 ReaderTransmit(mf_auth,sizeof(mf_auth));
1801
1802 // Receive the (16 bit) "random" nonce
1803 if (!ReaderReceive(receivedAnswer)) continue;
1804 memcpy(nt,receivedAnswer,4);
1805
1806 // Transmit reader nonce and reader answer
1807 ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par);
1808
1809 // Receive 4 bit answer
1810 if (ReaderReceive(receivedAnswer))
1811 {
1812 if (nt_diff == 0)
1813 {
1814 LED_A_ON();
1815 memcpy(nt_attacked,nt,4);
1816 par_mask = 0xf8;
1817 par_low = par & 0x07;
1818 }
1819
1820 if (memcmp(nt,nt_attacked,4) != 0) continue;
1821
1822 led_on = !led_on;
1823 if(led_on) LED_B_ON(); else LED_B_OFF();
1824 par_list[nt_diff] = par;
1825 ks_list[nt_diff] = receivedAnswer[0]^0x05;
1826
1827 // Test if the information is complete
1828 if (nt_diff == 0x07) break;
1829
1830 nt_diff = (nt_diff+1) & 0x07;
1831 mf_nr_ar[3] = nt_diff << 5;
1832 par = par_low;
1833 } else {
1834 if (nt_diff == 0)
1835 {
1836 par++;
1837 } else {
1838 par = (((par>>3)+1) << 3) | par_low;
1839 }
1840 }
1841 }
1842
1843 LogTraceInfo(sel_uid+2,4);
1844 LogTraceInfo(nt,4);
1845 LogTraceInfo(par_list,8);
1846 LogTraceInfo(ks_list,8);
1847
1848 // Thats it...
1849 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1850 LEDsoff();
1851 tracing = TRUE;
1852 }
Impressum, Datenschutz