]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/hitagS.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
DEL: removed the homebrews script. It needed a seperate gitproject.
[proxmark3-svn] / armsrc / hitagS.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // HitagS emulation (preliminary test version)
7 //
8 // (c) 2016 Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg
9 // <info@os-s.de>
10 //-----------------------------------------------------------------------------
11 // Some code was copied from Hitag2.c
12 //-----------------------------------------------------------------------------
13 #include <stdlib.h>
14 #include "proxmark3.h"
15 #include "apps.h"
16 #include "util.h"
17 #include "hitagS.h"
18 #include "hitag2.h"
19 #include "string.h"
20 #include "BigBuf.h"
21
22 #define CRC_PRESET 0xFF
23 #define CRC_POLYNOM 0x1D
24
25 #define u8 uint8_t
26 #define u32 uint32_t
27 #define u64 uint64_t
28 #define rev8(x) ((((x)>>7)&1)+((((x)>>6)&1)<<1)+((((x)>>5)&1)<<2)+((((x)>>4)&1)<<3)+((((x)>>3)&1)<<4)+((((x)>>2)&1)<<5)+((((x)>>1)&1)<<6)+(((x)&1)<<7))
29 #define rev16(x) (rev8 (x)+(rev8 (x>> 8)<< 8))
30 #define rev32(x) (rev16(x)+(rev16(x>>16)<<16))
31 #define rev64(x) (rev32(x)+(rev32(x>>32)<<32))
32 #define bit(x,n) (((x)>>(n))&1)
33 #define bit32(x,n) ((((x)[(n)>>5])>>((n)))&1)
34 #define inv32(x,i,n) ((x)[(i)>>5]^=((u32)(n))<<((i)&31))
35 #define rotl64(x, n) ((((u64)(x))<<((n)&63))+(((u64)(x))>>((0-(n))&63)))
36
37 static bool bQuiet;
38 static bool bSuccessful;
39 static struct hitagS_tag tag;
40 static byte_t page_to_be_written = 0;
41 static int block_data_left = 0;
42 typedef enum modulation {
43 AC2K = 0,
44 AC4K,
45 MC4K,
46 MC8K
47 } MOD;
48 static MOD m = AC2K; //used modulation
49 static uint32_t temp_uid;
50 static int temp2 = 0;
51 static int sof_bits; //number of start-of-frame bits
52 static byte_t pwdh0, pwdl0, pwdl1; //password bytes
53 static uint32_t rnd = 0x74124485; //randomnumber
54 static int test = 0;
55 size_t blocknr;
56 bool end=false;
57
58 // Single bit Hitag2 functions:
59 #define i4(x,a,b,c,d) ((u32)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
60 static const u32 ht2_f4a = 0x2C79; // 0010 1100 0111 1001
61 static const u32 ht2_f4b = 0x6671; // 0110 0110 0111 0001
62 static const u32 ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
63 #define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b))
64 #define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b)))
65 #define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c))))
66 #define uf20bs u32
67
68 static u32 f20(const u64 x) {
69 u32 i5;
70
71 i5 = ((ht2_f4a >> i4(x, 1, 2, 4, 5)) & 1) * 1
72 + ((ht2_f4b >> i4(x, 7, 11, 13, 14)) & 1) * 2
73 + ((ht2_f4b >> i4(x, 16, 20, 22, 25)) & 1) * 4
74 + ((ht2_f4b >> i4(x, 27, 28, 30, 32)) & 1) * 8
75 + ((ht2_f4a >> i4(x, 33, 42, 43, 45)) & 1) * 16;
76
77 return (ht2_f5c >> i5) & 1;
78 }
79 static u64 hitag2_round(u64 *state) {
80 u64 x = *state;
81
82 x = (x >> 1)
83 + ((((x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6) ^ (x >> 7) ^ (x >> 8)
84 ^ (x >> 16) ^ (x >> 22) ^ (x >> 23) ^ (x >> 26) ^ (x >> 30)
85 ^ (x >> 41) ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47))
86 & 1) << 47);
87
88 *state = x;
89 return f20(x);
90 }
91 static u64 hitag2_init(const u64 key, const u32 serial, const u32 IV) {
92 u32 i;
93 u64 x = ((key & 0xFFFF) << 32) + serial;
94 for (i = 0; i < 32; i++) {
95 x >>= 1;
96 x += (u64) (f20(x) ^ (((IV >> i) ^ (key >> (i + 16))) & 1)) << 47;
97 }
98 return x;
99 }
100 static u32 hitag2_byte(u64 *x) {
101 u32 i, c;
102
103 for (i = 0, c = 0; i < 8; i++)
104 c += (u32) hitag2_round(x) << (i ^ 7);
105 return c;
106 }
107
108 // Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
109 // TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
110 // Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
111 // T0 = TIMER_CLOCK1 / 125000 = 192
112 #define T0 192
113
114 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
115 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
116
117 #define HITAG_FRAME_LEN 20
118 #define HITAG_T_STOP 36 /* T_EOF should be > 36 */
119 #define HITAG_T_LOW 8 /* T_LOW should be 4..10 */
120 #define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
121 #define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */
122 //#define HITAG_T_EOF 40 /* T_EOF should be > 36 */
123 #define HITAG_T_EOF 80 /* T_EOF should be > 36 */
124 #define HITAG_T_WAIT_1 200 /* T_wresp should be 199..206 */
125 #define HITAG_T_WAIT_2 90 /* T_wresp should be 199..206 */
126 #define HITAG_T_WAIT_MAX 300 /* bit more than HITAG_T_WAIT_1 + HITAG_T_WAIT_2 */
127
128 #define HITAG_T_TAG_ONE_HALF_PERIOD 10
129 #define HITAG_T_TAG_TWO_HALF_PERIOD 25
130 #define HITAG_T_TAG_THREE_HALF_PERIOD 41
131 #define HITAG_T_TAG_FOUR_HALF_PERIOD 57
132
133 #define HITAG_T_TAG_HALF_PERIOD 16
134 #define HITAG_T_TAG_FULL_PERIOD 32
135
136 #define HITAG_T_TAG_CAPTURE_ONE_HALF 13
137 #define HITAG_T_TAG_CAPTURE_TWO_HALF 25
138 #define HITAG_T_TAG_CAPTURE_THREE_HALF 41
139 #define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
140
141 #define DEBUG 0
142
143 /*
144 * Implementation of the crc8 calculation from Hitag S
145 * from http://www.proxmark.org/files/Documents/125%20kHz%20-%20Hitag/HitagS.V11.pdf
146 */
147 void calc_crc(unsigned char * crc, unsigned char data, unsigned char Bitcount) {
148 *crc ^= data; // crc = crc (exor) data
149 do {
150 if (*crc & 0x80) // if (MSB-CRC == 1)
151 {
152 *crc <<= 1; // CRC = CRC Bit-shift left
153 *crc ^= CRC_POLYNOM; // CRC = CRC (exor) CRC_POLYNOM
154 } else {
155 *crc <<= 1; // CRC = CRC Bit-shift left
156 }
157 } while (--Bitcount);
158 }
159
160 static void hitag_send_bit(int bit) {
161 LED_A_ON();
162 // Reset clock for the next bit
163 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
164
165 switch (m) {
166 case AC2K:
167 if (bit == 0) {
168 // AC Coding --__
169 HIGH(GPIO_SSC_DOUT);
170 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
171 ;
172 LOW(GPIO_SSC_DOUT);
173 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
174 ;
175 } else {
176 // AC coding -_-_
177 HIGH(GPIO_SSC_DOUT);
178 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
179 ;
180 LOW(GPIO_SSC_DOUT);
181 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
182 ;
183 HIGH(GPIO_SSC_DOUT);
184 while (AT91C_BASE_TC0->TC_CV < T0 * 48)
185 ;
186 LOW(GPIO_SSC_DOUT);
187 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
188 ;;
189 }
190 LED_A_OFF();
191 break;
192 case AC4K:
193 if (bit == 0) {
194 // AC Coding --__
195 HIGH(GPIO_SSC_DOUT);
196 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_HALF_PERIOD)
197 ;
198 LOW(GPIO_SSC_DOUT);
199 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_FULL_PERIOD)
200 ;
201 } else {
202 // AC coding -_-_
203 HIGH(GPIO_SSC_DOUT);
204 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
205 ;
206 LOW(GPIO_SSC_DOUT);
207 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
208 ;
209 HIGH(GPIO_SSC_DOUT);
210 while (AT91C_BASE_TC0->TC_CV < T0 * 24)
211 ;
212 LOW(GPIO_SSC_DOUT);
213 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
214 ;;
215 }
216 LED_A_OFF();
217 break;
218 case MC4K:
219 if (bit == 0) {
220 // Manchester: Unloaded, then loaded |__--|
221 LOW(GPIO_SSC_DOUT);
222 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
223 ;
224 HIGH(GPIO_SSC_DOUT);
225 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
226 ;
227 } else {
228 // Manchester: Loaded, then unloaded |--__|
229 HIGH(GPIO_SSC_DOUT);
230 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
231 ;
232 LOW(GPIO_SSC_DOUT);
233 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
234 ;
235 }
236 LED_A_OFF();
237 break;
238 case MC8K:
239 if (bit == 0) {
240 // Manchester: Unloaded, then loaded |__--|
241 LOW(GPIO_SSC_DOUT);
242 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
243 ;
244 HIGH(GPIO_SSC_DOUT);
245 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
246 ;
247 } else {
248 // Manchester: Loaded, then unloaded |--__|
249 HIGH(GPIO_SSC_DOUT);
250 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
251 ;
252 LOW(GPIO_SSC_DOUT);
253 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
254 ;
255 }
256 LED_A_OFF();
257 break;
258 default:
259 break;
260 }
261 }
262
263 static void hitag_send_frame(const byte_t* frame, size_t frame_len) {
264 // Send start of frame
265
266 for (size_t i = 0; i < sof_bits; i++) {
267 hitag_send_bit(1);
268 }
269
270 // Send the content of the frame
271 for (size_t i = 0; i < frame_len; i++) {
272 hitag_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
273 }
274 // Drop the modulation
275 LOW(GPIO_SSC_DOUT);
276 }
277
278 static void hitag_reader_send_bit(int bit) {
279 //Dbprintf("BIT: %d",bit);
280 LED_A_ON();
281 // Reset clock for the next bit
282 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
283
284 // Binary puls length modulation (BPLM) is used to encode the data stream
285 // This means that a transmission of a one takes longer than that of a zero
286
287 // Enable modulation, which means, drop the the field
288 HIGH(GPIO_SSC_DOUT);
289 if (test == 1) {
290 // Wait for 4-10 times the carrier period
291 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
292 ;
293 // SpinDelayUs(8*8);
294
295 // Disable modulation, just activates the field again
296 LOW(GPIO_SSC_DOUT);
297
298 if (bit == 0) {
299 // Zero bit: |_-|
300 while (AT91C_BASE_TC0->TC_CV < T0 * 11)
301 ;
302 // SpinDelayUs(16*8);
303 } else {
304 // One bit: |_--|
305 while (AT91C_BASE_TC0->TC_CV < T0 * 14)
306 ;
307 // SpinDelayUs(22*8);
308 }
309 } else {
310 // Wait for 4-10 times the carrier period
311 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
312 ;
313 // SpinDelayUs(8*8);
314
315 // Disable modulation, just activates the field again
316 LOW(GPIO_SSC_DOUT);
317
318 if (bit == 0) {
319 // Zero bit: |_-|
320 while (AT91C_BASE_TC0->TC_CV < T0 * 22)
321 ;
322 // SpinDelayUs(16*8);
323 } else {
324 // One bit: |_--|
325 while (AT91C_BASE_TC0->TC_CV < T0 * 28)
326 ;
327 // SpinDelayUs(22*8);
328 }
329 }
330
331 LED_A_OFF();
332 }
333
334 static void hitag_reader_send_frame(const byte_t* frame, size_t frame_len) {
335 // Send the content of the frame
336 for (size_t i = 0; i < frame_len; i++) {
337 if (frame[0] == 0xf8) {
338 //Dbprintf("BIT: %d",(frame[i / 8] >> (7 - (i % 8))) & 1);
339 }
340 hitag_reader_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
341 }
342 // Send EOF
343 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
344 // Enable modulation, which means, drop the the field
345 HIGH(GPIO_SSC_DOUT);
346 // Wait for 4-10 times the carrier period
347 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
348 ;
349 // Disable modulation, just activates the field again
350 LOW(GPIO_SSC_DOUT);
351 }
352
353 /*
354 * to check if the right uid was selected
355 */
356 static int check_select(byte_t* rx, uint32_t uid) {
357 unsigned char resp[48];
358 int i;
359 uint32_t ans = 0x0;
360 for (i = 0; i < 48; i++)
361 resp[i] = (rx[i / 8] >> (7 - (i % 8))) & 0x1;
362 for (i = 0; i < 32; i++)
363 ans += resp[5 + i] << (31 - i);
364 /*if (rx[0] == 0x01 && rx[1] == 0x15 && rx[2] == 0xc1 && rx[3] == 0x14
365 && rx[4] == 0x65 && rx[5] == 0x38)
366 Dbprintf("got uid %X", ans);*/
367 temp_uid = ans;
368 if (ans == tag.uid)
369 return 1;
370 return 0;
371 }
372
373 /*
374 * handles all commands from a reader
375 */
376 static void hitagS_handle_reader_command(byte_t* rx, const size_t rxlen,
377 byte_t* tx, size_t* txlen) {
378 byte_t rx_air[HITAG_FRAME_LEN];
379 byte_t page;
380 int i;
381 u64 state;
382 unsigned char crc;
383
384 // Copy the (original) received frame how it is send over the air
385 memcpy(rx_air, rx, nbytes(rxlen));
386 // Reset the transmission frame length
387 *txlen = 0;
388 // Try to find out which command was send by selecting on length (in bits)
389 switch (rxlen) {
390 case 5: {
391 //UID request with a selected response protocol mode
392 tag.pstate = HT_READY;
393 tag.tstate = HT_NO_OP;
394 if ((rx[0] & 0xf0) == 0x30) {
395 tag.mode = HT_STANDARD;
396 sof_bits = 1;
397 m = AC2K;
398 }
399 if ((rx[0] & 0xf0) == 0xc0) {
400 tag.mode = HT_ADVANCED;
401 sof_bits = 3;
402 m = AC2K;
403 }
404
405 if ((rx[0] & 0xf0) == 0xd0) {
406 tag.mode = HT_FAST_ADVANCED;
407 sof_bits = 3;
408 m = AC4K;
409 }
410 //send uid as a response
411 *txlen = 32;
412 for (i = 0; i < 4; i++)
413 tx[i] = (tag.uid >> (24 - (i * 8))) & 0xff;
414 }
415 break;
416 case 45: {
417 //select command from reader received
418 if (check_select(rx, tag.uid) == 1) {
419 //if the right tag was selected
420 *txlen = 32;
421 switch (tag.mode) {
422 case HT_STANDARD:
423 sof_bits = 1;
424 m = MC4K;
425 break;
426 case HT_ADVANCED:
427 sof_bits = 6;
428 m = MC4K;
429 break;
430 case HT_FAST_ADVANCED:
431 sof_bits = 6;
432 m = MC8K;
433 break;
434 default:
435 break;
436 }
437
438 //send configuration
439 for (i = 0; i < 4; i++)
440 tx[i] = (tag.pages[0][1] >> (i * 8)) & 0xff;
441 tx[3] = 0xff;
442 if (tag.mode != HT_STANDARD) {
443 *txlen = 40;
444 crc = CRC_PRESET;
445 for (i = 0; i < 4; i++)
446 calc_crc(&crc, tx[i], 8);
447 tx[4] = crc;
448 }
449 }
450 }
451 break;
452 case 64: {
453 //challenge message received
454 Dbprintf("Challenge for UID: %X", temp_uid);
455 temp2++;
456 *txlen = 32;
457 state = hitag2_init(rev64(tag.key), rev32(tag.pages[0][0]),
458 rev32(((rx[3] << 24) + (rx[2] << 16) + (rx[1] << 8) + rx[0])));
459 Dbprintf(
460 ",{0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X}",
461 rx[0], rx[1], rx[2], rx[3], rx[4], rx[5], rx[6], rx[7]);
462 switch (tag.mode) {
463 case HT_STANDARD:
464 sof_bits = 1;
465 m = MC4K;
466 break;
467 case HT_ADVANCED:
468 sof_bits = 6;
469 m = MC4K;
470 break;
471 case HT_FAST_ADVANCED:
472 sof_bits = 6;
473 m = MC8K;
474 break;
475 default:
476 break;
477 }
478
479 for (i = 0; i < 4; i++)
480 hitag2_byte(&state);
481 //send con2,pwdh0,pwdl0,pwdl1 encrypted as a response
482 tx[0] = hitag2_byte(&state) ^ ((tag.pages[0][1] >> 16) & 0xff);
483 tx[1] = hitag2_byte(&state) ^ tag.pwdh0;
484 tx[2] = hitag2_byte(&state) ^ tag.pwdl0;
485 tx[3] = hitag2_byte(&state) ^ tag.pwdl1;
486 if (tag.mode != HT_STANDARD) {
487 //add crc8
488 *txlen = 40;
489 crc = CRC_PRESET;
490 calc_crc(&crc, ((tag.pages[0][1] >> 16) & 0xff), 8);
491 calc_crc(&crc, tag.pwdh0, 8);
492 calc_crc(&crc, tag.pwdl0, 8);
493 calc_crc(&crc, tag.pwdl1, 8);
494 tx[4] = (crc ^ hitag2_byte(&state));
495 }
496 /*
497 * some readers do not allow to authenticate multiple times in a row with the same tag.
498 * use this to change the uid between authentications.
499 */
500
501 /*
502 if (temp2 % 2 == 0) {
503 tag.uid = 0x11223344;
504 tag.pages[0][0] = 0x44332211;
505 } else {
506 tag.uid = 0x55667788;
507 tag.pages[0][0] = 0x88776655;
508 }
509 */
510 }
511 case 40:
512 //data received to be written
513 if (tag.tstate == HT_WRITING_PAGE_DATA) {
514 tag.tstate = HT_NO_OP;
515 tag.pages[page_to_be_written / 4][page_to_be_written % 4] = (rx[0]
516 << 0) + (rx[1] << 8) + (rx[2] << 16) + (rx[3] << 24);
517 //send ack
518 *txlen = 2;
519 tx[0] = 0x40;
520 page_to_be_written = 0;
521 switch (tag.mode) {
522 case HT_STANDARD:
523 sof_bits = 1;
524 m = MC4K;
525 break;
526 case HT_ADVANCED:
527 sof_bits = 6;
528 m = MC4K;
529 break;
530 case HT_FAST_ADVANCED:
531 sof_bits = 6;
532 m = MC8K;
533 break;
534 default:
535 break;
536 }
537 } else if (tag.tstate == HT_WRITING_BLOCK_DATA) {
538 tag.pages[page_to_be_written / 4][page_to_be_written % 4] = (rx[0]
539 << 24) + (rx[1] << 16) + (rx[2] << 8) + rx[3];
540 //send ack
541 *txlen = 2;
542 tx[0] = 0x40;
543 switch (tag.mode) {
544 case HT_STANDARD:
545 sof_bits = 1;
546 m = MC4K;
547 break;
548 case HT_ADVANCED:
549 sof_bits = 6;
550 m = MC4K;
551 break;
552 case HT_FAST_ADVANCED:
553 sof_bits = 6;
554 m = MC8K;
555 break;
556 default:
557 break;
558 }
559 page_to_be_written++;
560 block_data_left--;
561 if (block_data_left == 0) {
562 tag.tstate = HT_NO_OP;
563 page_to_be_written = 0;
564 }
565 }
566 break;
567 case 20: {
568 //write page, write block, read page or read block command received
569 if ((rx[0] & 0xf0) == 0xc0) //read page
570 {
571 //send page data
572 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
573 *txlen = 32;
574 tx[0] = (tag.pages[page / 4][page % 4]) & 0xff;
575 tx[1] = (tag.pages[page / 4][page % 4] >> 8) & 0xff;
576 tx[2] = (tag.pages[page / 4][page % 4] >> 16) & 0xff;
577 tx[3] = (tag.pages[page / 4][page % 4] >> 24) & 0xff;
578 if (tag.LKP && page == 1)
579 tx[3] = 0xff;
580
581 switch (tag.mode) {
582 case HT_STANDARD:
583 sof_bits = 1;
584 m = MC4K;
585 break;
586 case HT_ADVANCED:
587 sof_bits = 6;
588 m = MC4K;
589 break;
590 case HT_FAST_ADVANCED:
591 sof_bits = 6;
592 m = MC8K;
593 break;
594 default:
595 break;
596 }
597
598 if (tag.mode != HT_STANDARD) {
599 //add crc8
600 *txlen = 40;
601 crc = CRC_PRESET;
602 for (i = 0; i < 4; i++)
603 calc_crc(&crc, tx[i], 8);
604 tx[4] = crc;
605 }
606
607 if (tag.LKP && (page == 2 || page == 3)) {
608 //if reader asks for key or password and the LKP-mark is set do not respond
609 sof_bits = 0;
610 *txlen = 0;
611 }
612 } else if ((rx[0] & 0xf0) == 0xd0) //read block
613 {
614 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
615 *txlen = 32 * 4;
616 //send page,...,page+3 data
617 for (i = 0; i < 4; i++) {
618 tx[0 + i * 4] = (tag.pages[page / 4][page % 4]) & 0xff;
619 tx[1 + i * 4] = (tag.pages[page / 4][page % 4] >> 8) & 0xff;
620 tx[2 + i * 4] = (tag.pages[page / 4][page % 4] >> 16) & 0xff;
621 tx[3 + i * 4] = (tag.pages[page / 4][page % 4] >> 24) & 0xff;
622 page++;
623 }
624
625 switch (tag.mode) {
626 case HT_STANDARD:
627 sof_bits = 1;
628 m = MC4K;
629 break;
630 case HT_ADVANCED:
631 sof_bits = 6;
632 m = MC4K;
633 break;
634 case HT_FAST_ADVANCED:
635 sof_bits = 6;
636 m = MC8K;
637 break;
638 default:
639 break;
640 }
641
642 if (tag.mode != HT_STANDARD) {
643 //add crc8
644 *txlen = 32 * 4 + 8;
645 crc = CRC_PRESET;
646 for (i = 0; i < 16; i++)
647 calc_crc(&crc, tx[i], 8);
648 tx[16] = crc;
649 }
650
651 if ((page - 4) % 4 != 0 || (tag.LKP && (page - 4) == 0)) {
652 sof_bits = 0;
653 *txlen = 0;
654 }
655 } else if ((rx[0] & 0xf0) == 0x80) //write page
656 {
657 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
658
659 switch (tag.mode) {
660 case HT_STANDARD:
661 sof_bits = 1;
662 m = MC4K;
663 break;
664 case HT_ADVANCED:
665 sof_bits = 6;
666 m = MC4K;
667 break;
668 case HT_FAST_ADVANCED:
669 sof_bits = 6;
670 m = MC8K;
671 break;
672 default:
673 break;
674 }
675 if ((tag.LCON && page == 1)
676 || (tag.LKP && (page == 2 || page == 3))) {
677 //deny
678 *txlen = 0;
679 } else {
680 //allow
681 *txlen = 2;
682 tx[0] = 0x40;
683 page_to_be_written = page;
684 tag.tstate = HT_WRITING_PAGE_DATA;
685 }
686
687 } else if ((rx[0] & 0xf0) == 0x90) //write block
688 {
689 page = ((rx[0] & 0x0f) * 6) + ((rx[1] & 0xf0) / 16);
690 switch (tag.mode) {
691 case HT_STANDARD:
692 sof_bits = 1;
693 m = MC4K;
694 break;
695 case HT_ADVANCED:
696 sof_bits = 6;
697 m = MC4K;
698 break;
699 case HT_FAST_ADVANCED:
700 sof_bits = 6;
701 m = MC8K;
702 break;
703 default:
704 break;
705 }
706 if (page % 4 != 0 || page == 0) {
707 //deny
708 *txlen = 0;
709 } else {
710 //allow
711 *txlen = 2;
712 tx[0] = 0x40;
713 page_to_be_written = page;
714 block_data_left = 4;
715 tag.tstate = HT_WRITING_BLOCK_DATA;
716 }
717 }
718 }
719 break;
720 default:
721
722 break;
723 }
724 }
725
726 /*
727 * to autenticate to a tag with the given key or challenge
728 */
729 static int hitagS_handle_tag_auth(hitag_function htf,uint64_t key, uint64_t NrAr, byte_t* rx, const size_t rxlen, byte_t* tx,
730 size_t* txlen) {
731 byte_t rx_air[HITAG_FRAME_LEN];
732 int response_bit[200];
733 int i, j, z, k;
734 unsigned char mask = 1;
735 unsigned char uid[32];
736 byte_t uid1 = 0x00, uid2 = 0x00, uid3 = 0x00, uid4 = 0x00;
737 unsigned char crc;
738 u64 state;
739 byte_t auth_ks[4];
740 byte_t conf_pages[3];
741 memcpy(rx_air, rx, nbytes(rxlen));
742 *txlen = 0;
743
744 if (tag.pstate == HT_READY && rxlen >= 67) {
745 //received uid
746 if(end==true) {
747 Dbprintf("authentication failed!");
748 return -1;
749 }
750 z = 0;
751 for (i = 0; i < 10; i++) {
752 for (j = 0; j < 8; j++) {
753 response_bit[z] = 0;
754 if ((rx[i] & ((mask << 7) >> j)) != 0)
755 response_bit[z] = 1;
756 z++;
757 }
758 }
759 k = 0;
760 for (i = 5; i < z; i += 2) {
761 uid[k] = response_bit[i];
762 k++;
763 if (k > 31)
764 break;
765 }
766 uid1 = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5) | (uid[3] << 4)
767 | (uid[4] << 3) | (uid[5] << 2) | (uid[6] << 1) | uid[7];
768 uid2 = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5) | (uid[11] << 4)
769 | (uid[12] << 3) | (uid[13] << 2) | (uid[14] << 1) | uid[15];
770 uid3 = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5) | (uid[19] << 4)
771 | (uid[20] << 3) | (uid[21] << 2) | (uid[22] << 1) | uid[23];
772 uid4 = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5) | (uid[27] << 4)
773 | (uid[28] << 3) | (uid[29] << 2) | (uid[30] << 1) | uid[31];
774 if (DEBUG)
775 Dbprintf("UID: %02X %02X %02X %02X", uid1, uid2, uid3, uid4);
776 tag.uid = (uid4 << 24 | uid3 << 16 | uid2 << 8 | uid1);
777
778 //select uid
779 *txlen = 45;
780 crc = CRC_PRESET;
781 calc_crc(&crc, 0x00, 5);
782 calc_crc(&crc, uid1, 8);
783 calc_crc(&crc, uid2, 8);
784 calc_crc(&crc, uid3, 8);
785 calc_crc(&crc, uid4, 8);
786 for (i = 0; i < 100; i++) {
787 response_bit[i] = 0;
788 }
789 for (i = 0; i < 5; i++) {
790 response_bit[i] = 0;
791 }
792 for (i = 5; i < 37; i++) {
793 response_bit[i] = uid[i - 5];
794 }
795 for (j = 0; j < 8; j++) {
796 response_bit[i] = 0;
797 if ((crc & ((mask << 7) >> j)) != 0)
798 response_bit[i] = 1;
799 i++;
800 }
801 k = 0;
802 for (i = 0; i < 6; i++) {
803 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
804 | (response_bit[k + 2] << 5) | (response_bit[k + 3] << 4)
805 | (response_bit[k + 4] << 3) | (response_bit[k + 5] << 2)
806 | (response_bit[k + 6] << 1) | response_bit[k + 7];
807 k += 8;
808 }
809 tag.pstate = HT_INIT;
810 } else if (tag.pstate == HT_INIT && rxlen == 44) {
811 // received configuration after select command
812 z = 0;
813 for (i = 0; i < 6; i++) {
814 for (j = 0; j < 8; j++) {
815 response_bit[z] = 0;
816 if ((rx[i] & ((mask << 7) >> j)) != 0)
817 response_bit[z] = 1;
818 z++;
819 }
820 }
821 conf_pages[0] = ((response_bit[4] << 7) | (response_bit[5] << 6)
822 | (response_bit[6] << 5) | (response_bit[7] << 4)
823 | (response_bit[8] << 3) | (response_bit[9] << 2)
824 | (response_bit[10] << 1) | response_bit[11]);
825 //check wich memorysize this tag has
826 if (response_bit[10] == 0 && response_bit[11] == 0)
827 tag.max_page = 32 / 32;
828 if (response_bit[10] == 0 && response_bit[11] == 1)
829 tag.max_page = 256 / 32;
830 if (response_bit[10] == 1 && response_bit[11] == 0)
831 tag.max_page = 2048 / 32;
832 conf_pages[1] = ((response_bit[12] << 7) | (response_bit[13] << 6)
833 | (response_bit[14] << 5) | (response_bit[15] << 4)
834 | (response_bit[16] << 3) | (response_bit[17] << 2)
835 | (response_bit[18] << 1) | response_bit[19]);
836 tag.auth = response_bit[12];
837 tag.TTFC = response_bit[13];
838 //tag.TTFDR in response_bit[14] and response_bit[15]
839 //tag.TTFM in response_bit[16] and response_bit[17]
840 tag.LCON = response_bit[18];
841 tag.LKP = response_bit[19];
842 conf_pages[2] = ((response_bit[20] << 7) | (response_bit[21] << 6)
843 | (response_bit[22] << 5) | (response_bit[23] << 4)
844 | (response_bit[24] << 3) | (response_bit[25] << 2)
845 | (response_bit[26] << 1) | response_bit[27]);
846 tag.LCK7 = response_bit[20];
847 tag.LCK6 = response_bit[21];
848 tag.LCK5 = response_bit[22];
849 tag.LCK4 = response_bit[23];
850 tag.LCK3 = response_bit[24];
851 tag.LCK2 = response_bit[25];
852 tag.LCK1 = response_bit[26];
853 tag.LCK0 = response_bit[27];
854
855 if (DEBUG)
856 Dbprintf("conf0: %02X conf1: %02X conf2: %02X", conf_pages[0],
857 conf_pages[1], conf_pages[2]);
858 if (tag.auth == 1) {
859 //if the tag is in authentication mode try the key or challenge
860 *txlen = 64;
861 if(end!=true){
862 if(htf==02||htf==04){ //RHTS_KEY //WHTS_KEY
863 state = hitag2_init(rev64(key), rev32(tag.uid),
864 rev32(rnd));
865
866 for (i = 0; i < 4; i++) {
867 auth_ks[i] = hitag2_byte(&state) ^ 0xff;
868 }
869 *txlen = 64;
870 tx[0] = rnd & 0xff;
871 tx[1] = (rnd >> 8) & 0xff;
872 tx[2] = (rnd >> 16) & 0xff;
873 tx[3] = (rnd >> 24) & 0xff;
874
875 tx[4] = auth_ks[0];
876 tx[5] = auth_ks[1];
877 tx[6] = auth_ks[2];
878 tx[7] = auth_ks[3];
879 if (DEBUG)
880 Dbprintf("%02X %02X %02X %02X %02X %02X %02X %02X", tx[0],
881 tx[1], tx[2], tx[3], tx[4], tx[5], tx[6], tx[7]);
882 } else if(htf==01 || htf==03) { //RHTS_CHALLENGE //WHTS_CHALLENGE
883 for (i = 0; i < 8; i++)
884 tx[i]=((NrAr>>(56-(i*8)))&0xff);
885 }
886 end=true;
887 tag.pstate = HT_AUTHENTICATE;
888 } else {
889 Dbprintf("authentication failed!");
890 return -1;
891 }
892 } else if (tag.auth == 0) {
893 tag.pstate = HT_SELECTED;
894 }
895
896 } else if (tag.pstate == HT_AUTHENTICATE && rxlen == 44) {
897 //encrypted con2,password received.
898 crc = CRC_PRESET;
899 calc_crc(&crc, 0x80, 1);
900 calc_crc(&crc, ((rx[0] & 0x0f) * 16 + ((rx[1] & 0xf0) / 16)), 8);
901 calc_crc(&crc, ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16)), 8);
902 calc_crc(&crc, ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16)), 8);
903 calc_crc(&crc, ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16)), 8);
904 if (DEBUG) {
905 Dbprintf("UID:::%X", tag.uid);
906 Dbprintf("RND:::%X", rnd);
907 }
908
909 //decrypt password
910 pwdh0=0;
911 pwdl0=0;
912 pwdl1=0;
913 if(htf==02 || htf==04){ //RHTS_KEY //WHTS_KEY
914 {
915 state = hitag2_init(rev64(key), rev32(tag.uid), rev32(rnd));
916 for (i = 0; i < 5; i++)
917 hitag2_byte(&state);
918 pwdh0 = ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16))
919 ^ hitag2_byte(&state);
920 pwdl0 = ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16))
921 ^ hitag2_byte(&state);
922 pwdl1 = ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16))
923 ^ hitag2_byte(&state);
924 }
925
926 if (DEBUG)
927 Dbprintf("pwdh0 %02X pwdl0 %02X pwdl1 %02X", pwdh0, pwdl0, pwdl1);
928
929
930 //Dbprintf("%X %02X", rnd, ((rx[4] & 0x0f) * 16) + ((rx[5] & 0xf0) / 16));
931 //rnd += 1;
932 }
933 tag.pstate = HT_SELECTED; //tag is now ready for read/write commands
934 }
935 return 0;
936
937 }
938
939 /*
940 * Emulates a Hitag S Tag with the given data from the .hts file
941 */
942 void SimulateHitagSTag(bool tag_mem_supplied, byte_t* data) {
943 int frame_count;
944 int response;
945 int overflow;
946 int i, j;
947 byte_t rx[HITAG_FRAME_LEN];
948 size_t rxlen = 0;
949 //bool bQuitTraceFull = false;
950 bQuiet = false;
951 byte_t txbuf[HITAG_FRAME_LEN];
952 byte_t* tx = txbuf;
953 size_t txlen = 0;
954 // free eventually allocated BigBuf memory
955 BigBuf_free(); BigBuf_Clear_ext(false);
956
957 // Clean up trace and prepare it for storing frames
958 set_tracing(TRUE);
959 clear_trace();
960
961 DbpString("Starting HitagS simulation");
962 LED_D_ON();
963
964 tag.pstate = HT_READY;
965 tag.tstate = HT_NO_OP;
966 tag.tstate = HT_NO_OP;
967 for (i = 0; i < 16; i++)
968 for (j = 0; j < 4; j++)
969 tag.pages[i][j] = 0x0;
970 //read tag data into memory
971 if (tag_mem_supplied) {
972 DbpString("Loading hitagS memory...");
973 memcpy((byte_t*)tag.pages,data,4*64);
974 }
975 tag.uid=(uint32_t)tag.pages[0];
976 Dbprintf("Hitag S simulation started");
977 tag.key=(intptr_t)tag.pages[3];
978 tag.key<<=16;
979 tag.key+=((tag.pages[2][0])<<8)+tag.pages[2][1];
980 tag.pwdl0=tag.pages[2][3];
981 tag.pwdl1=tag.pages[2][2];
982 tag.pwdh0=tag.pages[1][0];
983 //con0
984 tag.max_page=64;
985 if((tag.pages[1][3]&0x2)==0 && (tag.pages[1][3]&0x1)==1)
986 tag.max_page=8;
987 if((tag.pages[1][3]&0x2)==0 && (tag.pages[1][3]&0x1)==0)
988 tag.max_page=0;
989 //con1
990 tag.auth=0;
991 if((tag.pages[1][2]&0x80)==1)
992 tag.auth=1;
993 tag.LCON=0;
994 if((tag.pages[1][2]&0x2)==1)
995 tag.LCON=1;
996 tag.LKP=0;
997 if((tag.pages[1][2]&0x1)==1)
998 tag.LKP=1;
999 //con2
1000 //0=read write 1=read only
1001 tag.LCK7=0;
1002 if((tag.pages[1][1]&0x80)==1)
1003 tag.LCK7=1;
1004 tag.LCK6=0;
1005 if((tag.pages[1][1]&0x40)==1)
1006 tag.LCK6=1;
1007 tag.LCK5=0;
1008 if((tag.pages[1][1]&0x20)==1)
1009 tag.LCK5=1;
1010 tag.LCK4=0;
1011 if((tag.pages[1][1]&0x10)==1)
1012 tag.LCK4=1;
1013 tag.LCK3=0;
1014 if((tag.pages[1][1]&0x8)==1)
1015 tag.LCK3=1;
1016 tag.LCK2=0;
1017 if((tag.pages[1][1]&0x4)==1)
1018 tag.LCK2=1;
1019 tag.LCK1=0;
1020 if((tag.pages[1][1]&0x2)==1)
1021 tag.LCK1=1;
1022 tag.LCK0=0;
1023 if((tag.pages[1][1]&0x1)==1)
1024 tag.LCK0=1;
1025
1026 // Set up simulator mode, frequency divisor which will drive the FPGA
1027 // and analog mux selection.
1028 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1029 FpgaWriteConfWord(
1030 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1031 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1032 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1033 RELAY_OFF();
1034
1035 // Configure output pin that is connected to the FPGA (for modulating)
1036 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1037 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1038
1039 // Disable modulation at default, which means release resistance
1040 LOW(GPIO_SSC_DOUT);
1041
1042 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1043 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1044
1045 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
1046 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1047 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1048
1049 // Disable timer during configuration
1050 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1051
1052 // Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1053 // external trigger rising edge, load RA on rising edge of TIOA.
1054 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1055 | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
1056
1057 // Reset the received frame, frame count and timing info
1058 memset(rx, 0x00, sizeof(rx));
1059 frame_count = 0;
1060 response = 0;
1061 overflow = 0;
1062
1063 // Enable and reset counter
1064 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1065
1066 while (!BUTTON_PRESS()) {
1067 // Watchdog hit
1068 WDT_HIT();
1069
1070 // Receive frame, watch for at most T0*EOF periods
1071 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_EOF) {
1072 // Check if rising edge in modulation is detected
1073 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1074 // Retrieve the new timing values
1075 int ra = (AT91C_BASE_TC1->TC_RA / T0) + overflow;
1076 overflow = 0;
1077
1078 // Reset timer every frame, we have to capture the last edge for timing
1079 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1080
1081 LED_B_ON();
1082
1083 // Capture reader frame
1084 if (ra >= HITAG_T_STOP) {
1085 if (rxlen != 0) {
1086 //DbpString("wierd0?");
1087 }
1088 // Capture the T0 periods that have passed since last communication or field drop (reset)
1089 response = (ra - HITAG_T_LOW);
1090 } else if (ra >= HITAG_T_1_MIN) {
1091 // '1' bit
1092 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1093 rxlen++;
1094 } else if (ra >= HITAG_T_0_MIN) {
1095 // '0' bit
1096 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1097 rxlen++;
1098 } else {
1099 // Ignore wierd value, is to small to mean anything
1100 }
1101 }
1102 }
1103
1104 // Check if frame was captured
1105 if (rxlen > 0) {
1106 frame_count++;
1107 if (!bQuiet) {
1108 if (!LogTraceHitag(rx, rxlen, response, 0, true)) {
1109 DbpString("Trace full");
1110 clear_trace();
1111 }
1112 }
1113
1114 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1115 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1116
1117 // Process the incoming frame (rx) and prepare the outgoing frame (tx)
1118 hitagS_handle_reader_command(rx, rxlen, tx, &txlen);
1119
1120 // Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
1121 // not that since the clock counts since the rising edge, but T_Wait1 is
1122 // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
1123 // periods. The gap time T_Low varies (4..10). All timer values are in
1124 // terms of T0 units
1125 while (AT91C_BASE_TC0->TC_CV < T0 * (HITAG_T_WAIT_1 - HITAG_T_LOW))
1126 ;
1127
1128 // Send and store the tag answer (if there is any)
1129 if (txlen > 0) {
1130 // Transmit the tag frame
1131 hitag_send_frame(tx, txlen);
1132 // Store the frame in the trace
1133 if (!bQuiet) {
1134 if (!LogTraceHitag(tx, txlen, 0, 0, false)) {
1135 DbpString("Trace full");
1136 clear_trace();
1137 }
1138 }
1139 }
1140
1141 // Reset the received frame and response timing info
1142 memset(rx, 0x00, sizeof(rx));
1143 response = 0;
1144
1145 // Enable and reset external trigger in timer for capturing future frames
1146 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1147 LED_B_OFF();
1148 }
1149 // Reset the frame length
1150 rxlen = 0;
1151 // Save the timer overflow, will be 0 when frame was received
1152 overflow += (AT91C_BASE_TC1->TC_CV / T0);
1153 // Reset the timer to restart while-loop that receives frames
1154 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
1155 }
1156 LED_B_OFF();
1157 LED_D_OFF();
1158 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1159 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1160 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1161 }
1162
1163 /*
1164 * Authenticates to the Tag with the given key or challenge.
1165 * If the key was given the password will be decrypted.
1166 * Reads every page of a hitag S transpoder.
1167 */
1168 void ReadHitagS(hitag_function htf, hitag_data* htd) {
1169 int i, j, z, k;
1170 int frame_count;
1171 int response_bit[200];
1172 int response;
1173 byte_t rx[HITAG_FRAME_LEN];
1174 size_t rxlen = 0;
1175 byte_t txbuf[HITAG_FRAME_LEN];
1176 byte_t* tx = txbuf;
1177 size_t txlen = 0;
1178 int lastbit;
1179 bool bSkip;
1180 int reset_sof;
1181 int tag_sof;
1182 int t_wait = HITAG_T_WAIT_MAX;
1183 bool bStop;
1184 bool bQuitTraceFull = false;
1185 int sendNum = 0;
1186 unsigned char mask = 1;
1187 unsigned char crc;
1188 unsigned char pageData[32];
1189 page_to_be_written = 0;
1190
1191 //read given key/challenge
1192 byte_t NrAr_[8];
1193 uint64_t key=0;
1194 uint64_t NrAr=0;
1195 byte_t key_[6];
1196 switch(htf) {
1197 case 01: { //RHTS_CHALLENGE
1198 DbpString("Authenticating using nr,ar pair:");
1199 memcpy(NrAr_,htd->auth.NrAr,8);
1200 Dbhexdump(8,NrAr_,false);
1201 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1202 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1203 } break;
1204 case 02: { //RHTS_KEY
1205 DbpString("Authenticating using key:");
1206 memcpy(key_,htd->crypto.key,6);
1207 Dbhexdump(6,key_,false);
1208 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1209 } break;
1210 default: {
1211 Dbprintf("Error , unknown function: %d",htf);
1212 return;
1213 } break;
1214 }
1215
1216
1217
1218 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1219 // Reset the return status
1220 bSuccessful = false;
1221
1222 // Clean up trace and prepare it for storing frames
1223 set_tracing(TRUE);
1224 clear_trace();
1225
1226 bQuiet = false;
1227 bQuitTraceFull = true;
1228
1229 LED_D_ON();
1230
1231 // Configure output and enable pin that is connected to the FPGA (for modulating)
1232 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1233 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1234
1235 // Set fpga in edge detect with reader field, we can modulate as reader now
1236 FpgaWriteConfWord(
1237 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1238
1239 // Set Frequency divisor which will drive the FPGA and analog mux selection
1240 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1241 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1242 RELAY_OFF();
1243
1244 // Disable modulation at default, which means enable the field
1245 LOW(GPIO_SSC_DOUT);
1246
1247 // Give it a bit of time for the resonant antenna to settle.
1248 SpinDelay(30);
1249
1250 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1251 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1252
1253 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1254 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1255 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1256
1257 // Disable timer during configuration
1258 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1259
1260 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1261 // external trigger rising edge, load RA on falling edge of TIOA.
1262 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1263
1264 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
1265
1266 // Enable and reset counters
1267 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1268 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1269
1270 // Reset the received frame, frame count and timing info
1271 frame_count = 0;
1272 response = 0;
1273 lastbit = 1;
1274 bStop = false;
1275
1276 reset_sof = 1;
1277 t_wait = 200;
1278
1279 while (!bStop && !BUTTON_PRESS()) {
1280 // Watchdog hit
1281 WDT_HIT();
1282
1283 // Check if frame was captured and store it
1284 if (rxlen > 0) {
1285 frame_count++;
1286 if (!bQuiet) {
1287 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1288 DbpString("Trace full");
1289 if (bQuitTraceFull) {
1290 break;
1291 } else {
1292 bQuiet = true;
1293 }
1294 }
1295 }
1296 }
1297
1298 // By default reset the transmission buffer
1299 tx = txbuf;
1300 txlen = 0;
1301
1302 if (rxlen == 0) {
1303 //start authentication
1304 txlen = 5;
1305 memcpy(tx, "\xc0", nbytes(txlen));
1306 tag.pstate = HT_READY;
1307 tag.tstate = HT_NO_OP;
1308 } else if (tag.pstate != HT_SELECTED) {
1309 if (hitagS_handle_tag_auth(htf, key,NrAr,rx, rxlen, tx, &txlen) == -1)
1310 bStop = !false;
1311 }
1312 if (tag.pstate == HT_SELECTED && tag.tstate == HT_NO_OP && rxlen > 0) {
1313 //send read request
1314 tag.tstate = HT_READING_PAGE;
1315 txlen = 20;
1316 crc = CRC_PRESET;
1317 tx[0] = 0xc0 + (sendNum / 16);
1318 calc_crc(&crc, tx[0], 8);
1319 calc_crc(&crc, 0x00 + ((sendNum % 16) * 16), 4);
1320 tx[1] = 0x00 + ((sendNum % 16) * 16) + (crc / 16);
1321 tx[2] = 0x00 + (crc % 16) * 16;
1322 } else if (tag.pstate == HT_SELECTED && tag.tstate == HT_READING_PAGE
1323 && rxlen > 0) {
1324 //save received data
1325 z = 0;
1326 for (i = 0; i < 5; i++) {
1327 for (j = 0; j < 8; j++) {
1328 response_bit[z] = 0;
1329 if ((rx[i] & ((mask << 7) >> j)) != 0)
1330 response_bit[z] = 1;
1331 z++;
1332 }
1333 }
1334 k = 0;
1335 for (i = 4; i < 36; i++) {
1336 pageData[k] = response_bit[i];
1337 k++;
1338 }
1339 for (i = 0; i < 4; i++)
1340 tag.pages[sendNum / 4][sendNum % 4] = 0x0;
1341 for (i = 0; i < 4; i++) {
1342 tag.pages[sendNum / 4][sendNum % 4] += ((pageData[i * 8] << 7)
1343 | (pageData[1 + (i * 8)] << 6)
1344 | (pageData[2 + (i * 8)] << 5)
1345 | (pageData[3 + (i * 8)] << 4)
1346 | (pageData[4 + (i * 8)] << 3)
1347 | (pageData[5 + (i * 8)] << 2)
1348 | (pageData[6 + (i * 8)] << 1) | pageData[7 + (i * 8)])
1349 << (i * 8);
1350 }
1351 if (tag.auth && tag.LKP && sendNum == 1) {
1352 Dbprintf("Page[%2d]: %02X %02X %02X %02X", sendNum, pwdh0,
1353 (tag.pages[sendNum / 4][sendNum % 4] >> 16) & 0xff,
1354 (tag.pages[sendNum / 4][sendNum % 4] >> 8) & 0xff,
1355 tag.pages[sendNum / 4][sendNum % 4] & 0xff);
1356 } else {
1357 Dbprintf("Page[%2d]: %02X %02X %02X %02X", sendNum,
1358 (tag.pages[sendNum / 4][sendNum % 4] >> 24) & 0xff,
1359 (tag.pages[sendNum / 4][sendNum % 4] >> 16) & 0xff,
1360 (tag.pages[sendNum / 4][sendNum % 4] >> 8) & 0xff,
1361 tag.pages[sendNum / 4][sendNum % 4] & 0xff);
1362 }
1363
1364 sendNum++;
1365 //display key and password if possible
1366 if (sendNum == 2 && tag.auth == 1 && tag.LKP) {
1367 if (htf == 02) { //RHTS_KEY
1368 Dbprintf("Page[ 2]: %02X %02X %02X %02X",
1369 (byte_t)(key >> 8) & 0xff,
1370 (byte_t) key & 0xff, pwdl1, pwdl0);
1371 Dbprintf("Page[ 3]: %02X %02X %02X %02X",
1372 (byte_t)(key >> 40) & 0xff,
1373 (byte_t)(key >> 32) & 0xff,
1374 (byte_t)(key >> 24) & 0xff,
1375 (byte_t)(key >> 16) & 0xff);
1376 } else {
1377 //if the authentication is done with a challenge the key and password are unknown
1378 Dbprintf("Page[ 2]: __ __ __ __");
1379 Dbprintf("Page[ 3]: __ __ __ __");
1380 }
1381 }
1382
1383 txlen = 20;
1384 crc = CRC_PRESET;
1385 tx[0] = 0xc0 + (sendNum / 16);
1386 calc_crc(&crc, tx[0], 8);
1387 calc_crc(&crc, 0x00 + ((sendNum % 16) * 16), 4);
1388 tx[1] = 0x00 + ((sendNum % 16) * 16) + (crc / 16);
1389 tx[2] = 0x00 + (crc % 16) * 16;
1390 if (sendNum >= tag.max_page) {
1391 bStop = !false;
1392 }
1393 }
1394
1395 // Send and store the reader command
1396 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1397 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1398
1399 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1400 // Since the clock counts since the last falling edge, a 'one' means that the
1401 // falling edge occured halfway the period. with respect to this falling edge,
1402 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1403 // All timer values are in terms of T0 units
1404
1405 while (AT91C_BASE_TC0->TC_CV
1406 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
1407 ;
1408
1409 // Transmit the reader frame
1410 hitag_reader_send_frame(tx, txlen);
1411
1412 // Enable and reset external trigger in timer for capturing future frames
1413 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1414
1415 // Add transmitted frame to total count
1416 if (txlen > 0) {
1417 frame_count++;
1418 if (!bQuiet) {
1419 // Store the frame in the trace
1420 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
1421 if (bQuitTraceFull) {
1422 DbpString("Trace full");
1423 break;
1424 } else {
1425 bQuiet = true;
1426 }
1427 }
1428 }
1429 }
1430
1431 // Reset values for receiving frames
1432 memset(rx, 0x00, sizeof(rx));
1433 rxlen = 0;
1434 lastbit = 1;
1435 bSkip = true;
1436 tag_sof = reset_sof;
1437 response = 0;
1438
1439 // Receive frame, watch for at most T0*EOF periods
1440 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
1441 // Check if falling edge in tag modulation is detected
1442 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1443 // Retrieve the new timing values
1444 int ra = (AT91C_BASE_TC1->TC_RA / T0);
1445
1446 // Reset timer every frame, we have to capture the last edge for timing
1447 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
1448
1449 LED_B_ON();
1450
1451 // Capture tag frame (manchester decoding using only falling edges)
1452 if (ra >= HITAG_T_EOF) {
1453 if (rxlen != 0) {
1454 //DbpString("wierd1?");
1455 }
1456 // Capture the T0 periods that have passed since last communication or field drop (reset)
1457 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
1458 response = ra - HITAG_T_TAG_HALF_PERIOD;
1459 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
1460 // Manchester coding example |-_|_-|-_| (101)
1461 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1462 rxlen++;
1463 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1464 rxlen++;
1465 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
1466 // Manchester coding example |_-|...|_-|-_| (0...01)
1467 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1468 rxlen++;
1469 // We have to skip this half period at start and add the 'one' the second time
1470 if (!bSkip) {
1471 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1472 rxlen++;
1473 }
1474 lastbit = !lastbit;
1475 bSkip = !bSkip;
1476 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
1477 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
1478 if (tag_sof) {
1479 // Ignore bits that are transmitted during SOF
1480 tag_sof--;
1481 } else {
1482 // bit is same as last bit
1483 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
1484 rxlen++;
1485 }
1486 } else {
1487 // Ignore wierd value, is to small to mean anything
1488 }
1489 }
1490
1491 // We can break this loop if we received the last bit from a frame
1492 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
1493 if (rxlen > 0)
1494 break;
1495 }
1496 }
1497 }
1498 end=false;
1499 LED_B_OFF();
1500 LED_D_OFF();
1501 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1502 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1503 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1504 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1505 }
1506
1507 /*
1508 * Authenticates to the Tag with the given Key or Challenge.
1509 * Writes the given 32Bit data into page_
1510 */
1511 void WritePageHitagS(hitag_function htf, hitag_data* htd,int page_) {
1512 int frame_count;
1513 int response;
1514 byte_t rx[HITAG_FRAME_LEN];
1515 size_t rxlen = 0;
1516 byte_t txbuf[HITAG_FRAME_LEN];
1517 byte_t* tx = txbuf;
1518 size_t txlen = 0;
1519 int lastbit;
1520 bool bSkip;
1521 int reset_sof;
1522 int tag_sof;
1523 int t_wait = HITAG_T_WAIT_MAX;
1524 bool bStop;
1525 bool bQuitTraceFull = false;
1526 int page = page_;
1527 unsigned char crc;
1528 byte_t data[4]= {0,0,0,0};
1529
1530 //read given key/challenge, the page and the data
1531 byte_t NrAr_[8];
1532 uint64_t key=0;
1533 uint64_t NrAr=0;
1534 byte_t key_[6];
1535 switch(htf) {
1536 case 03: { //WHTS_CHALLENGE
1537 memcpy(data,htd->auth.data,4);
1538 DbpString("Authenticating using nr,ar pair:");
1539 memcpy(NrAr_,htd->auth.NrAr,8);
1540 Dbhexdump(8,NrAr_,false);
1541 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1542 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1543 } break;
1544 case 04: { //WHTS_KEY
1545 memcpy(data,htd->crypto.data,4);
1546 DbpString("Authenticating using key:");
1547 memcpy(key_,htd->crypto.key,6);
1548 Dbhexdump(6,key_,false);
1549 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1550 } break;
1551 default: {
1552 Dbprintf("Error , unknown function: %d",htf);
1553 return;
1554 } break;
1555 }
1556
1557 Dbprintf("Page: %d",page_);
1558 Dbprintf("DATA: %02X %02X %02X %02X", data[0], data[1], data[2], data[3]);
1559 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1560 // Reset the return status
1561 bSuccessful = false;
1562
1563 tag.pstate = HT_READY;
1564 tag.tstate = HT_NO_OP;
1565
1566 // Clean up trace and prepare it for storing frames
1567 set_tracing(TRUE);
1568 clear_trace();
1569
1570 bQuiet = false;
1571 bQuitTraceFull = true;
1572
1573 LED_D_ON();
1574
1575 // Configure output and enable pin that is connected to the FPGA (for modulating)
1576 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1577 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1578
1579 // Set fpga in edge detect with reader field, we can modulate as reader now
1580 FpgaWriteConfWord(
1581 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1582
1583 // Set Frequency divisor which will drive the FPGA and analog mux selection
1584 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1585 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1586 RELAY_OFF();
1587
1588 // Disable modulation at default, which means enable the field
1589 LOW(GPIO_SSC_DOUT);
1590
1591 // Give it a bit of time for the resonant antenna to settle.
1592 SpinDelay(30);
1593
1594 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1595 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1596
1597 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1598 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1599 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1600
1601 // Disable timer during configuration
1602 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1603
1604 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1605 // external trigger rising edge, load RA on falling edge of TIOA.
1606 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1607 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG
1608 | AT91C_TC_LDRA_FALLING;
1609
1610 // Enable and reset counters
1611 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1612 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1613
1614 // Reset the received frame, frame count and timing info
1615 frame_count = 0;
1616 response = 0;
1617 lastbit = 1;
1618 bStop = false;
1619
1620 reset_sof = 1;
1621 t_wait = 200;
1622
1623 while (!bStop && !BUTTON_PRESS()) {
1624 // Watchdog hit
1625 WDT_HIT();
1626
1627 // Check if frame was captured and store it
1628 if (rxlen > 0) {
1629 frame_count++;
1630 if (!bQuiet) {
1631 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1632 DbpString("Trace full");
1633 if (bQuitTraceFull) {
1634 break;
1635 } else {
1636 bQuiet = true;
1637 }
1638 }
1639 }
1640 }
1641
1642 //check for valid input
1643 if (page == 0) {
1644 Dbprintf(
1645 "usage: lf hitag writer [03 | 04] [CHALLENGE | KEY] [page] [byte0] [byte1] [byte2] [byte3]");
1646 bStop = !false;
1647 }
1648
1649 // By default reset the transmission buffer
1650 tx = txbuf;
1651 txlen = 0;
1652
1653 if (rxlen == 0 && tag.tstate == HT_WRITING_PAGE_ACK) {
1654 //no write access on this page
1655 Dbprintf("no write access on page %d", page_);
1656 bStop = !false;
1657 } else if (rxlen == 0 && tag.tstate != HT_WRITING_PAGE_DATA) {
1658 //start the authetication
1659 txlen = 5;
1660 memcpy(tx, "\xc0", nbytes(txlen));
1661 tag.pstate = HT_READY;
1662 tag.tstate = HT_NO_OP;
1663 } else if (tag.pstate != HT_SELECTED) {
1664 //try to authenticate with the given key or challenge
1665 if (hitagS_handle_tag_auth(htf,key,NrAr,rx, rxlen, tx, &txlen) == -1)
1666 bStop = !false;
1667 }
1668 if (tag.pstate == HT_SELECTED && tag.tstate == HT_NO_OP && rxlen > 0) {
1669 //check if the given page exists
1670 if (page > tag.max_page) {
1671 Dbprintf("page number too big");
1672 bStop = !false;
1673 }
1674 //ask Tag for write permission
1675 tag.tstate = HT_WRITING_PAGE_ACK;
1676 txlen = 20;
1677 crc = CRC_PRESET;
1678 tx[0] = 0x90 + (page / 16);
1679 calc_crc(&crc, tx[0], 8);
1680 calc_crc(&crc, 0x00 + ((page % 16) * 16), 4);
1681 tx[1] = 0x00 + ((page % 16) * 16) + (crc / 16);
1682 tx[2] = 0x00 + (crc % 16) * 16;
1683 } else if (tag.pstate == HT_SELECTED && tag.tstate == HT_WRITING_PAGE_ACK
1684 && rxlen == 6 && rx[0] == 0xf4) {
1685 //ACK recieved to write the page. send data
1686 tag.tstate = HT_WRITING_PAGE_DATA;
1687 txlen = 40;
1688 crc = CRC_PRESET;
1689 calc_crc(&crc, data[3], 8);
1690 calc_crc(&crc, data[2], 8);
1691 calc_crc(&crc, data[1], 8);
1692 calc_crc(&crc, data[0], 8);
1693 tx[0] = data[3];
1694 tx[1] = data[2];
1695 tx[2] = data[1];
1696 tx[3] = data[0];
1697 tx[4] = crc;
1698 } else if (tag.pstate == HT_SELECTED && tag.tstate == HT_WRITING_PAGE_DATA
1699 && rxlen == 6 && rx[0] == 0xf4) {
1700 //received ACK
1701 Dbprintf("Successful!");
1702 bStop = !false;
1703 }
1704
1705 // Send and store the reader command
1706 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1707 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1708
1709 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1710 // Since the clock counts since the last falling edge, a 'one' means that the
1711 // falling edge occured halfway the period. with respect to this falling edge,
1712 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1713 // All timer values are in terms of T0 units
1714
1715 while (AT91C_BASE_TC0->TC_CV
1716 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
1717 ;
1718
1719 // Transmit the reader frame
1720 hitag_reader_send_frame(tx, txlen);
1721
1722 // Enable and reset external trigger in timer for capturing future frames
1723 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1724
1725 // Add transmitted frame to total count
1726 if (txlen > 0) {
1727 frame_count++;
1728 if (!bQuiet) {
1729 // Store the frame in the trace
1730 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
1731 if (bQuitTraceFull) {
1732 DbpString("Trace full");
1733 break;
1734 } else {
1735 bQuiet = true;
1736 }
1737 }
1738 }
1739 }
1740
1741 // Reset values for receiving frames
1742 memset(rx, 0x00, sizeof(rx));
1743 rxlen = 0;
1744 lastbit = 1;
1745 bSkip = true;
1746 tag_sof = reset_sof;
1747 response = 0;
1748
1749 // Receive frame, watch for at most T0*EOF periods
1750 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
1751 // Check if falling edge in tag modulation is detected
1752 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1753 // Retrieve the new timing values
1754 int ra = (AT91C_BASE_TC1->TC_RA / T0);
1755
1756 // Reset timer every frame, we have to capture the last edge for timing
1757 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
1758
1759 LED_B_ON();
1760
1761 // Capture tag frame (manchester decoding using only falling edges)
1762 if (ra >= HITAG_T_EOF) {
1763 if (rxlen != 0) {
1764 //DbpString("wierd1?");
1765 }
1766 // Capture the T0 periods that have passed since last communication or field drop (reset)
1767 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
1768 response = ra - HITAG_T_TAG_HALF_PERIOD;
1769 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
1770 // Manchester coding example |-_|_-|-_| (101)
1771 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1772 rxlen++;
1773 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1774 rxlen++;
1775 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
1776 // Manchester coding example |_-|...|_-|-_| (0...01)
1777 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1778 rxlen++;
1779 // We have to skip this half period at start and add the 'one' the second time
1780 if (!bSkip) {
1781 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1782 rxlen++;
1783 }
1784 lastbit = !lastbit;
1785 bSkip = !bSkip;
1786 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
1787 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
1788 if (tag_sof) {
1789 // Ignore bits that are transmitted during SOF
1790 tag_sof--;
1791 } else {
1792 // bit is same as last bit
1793 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
1794 rxlen++;
1795 }
1796 } else {
1797 // Ignore wierd value, is to small to mean anything
1798 }
1799 }
1800
1801 // We can break this loop if we received the last bit from a frame
1802 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
1803 if (rxlen > 0)
1804 break;
1805 }
1806 }
1807 }
1808 end=false;
1809 LED_B_OFF();
1810 LED_D_OFF();
1811 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1812 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1813 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1814 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1815 }
1816
1817 /*
1818 * Tries to authenticate to a Hitag S Transponder with the given challenges from a .cc file.
1819 * Displays all Challenges that failed.
1820 * When collecting Challenges to break the key it is possible that some data
1821 * is not received correctly due to Antenna problems. This function
1822 * detects these challenges.
1823 */
1824 void check_challenges(bool file_given, byte_t* data) {
1825 int i, j, z, k;
1826 byte_t uid_byte[4];
1827 int frame_count;
1828 int response;
1829 byte_t rx[HITAG_FRAME_LEN];
1830 byte_t unlocker[60][8];
1831 int u1 = 0;
1832 size_t rxlen = 0;
1833 byte_t txbuf[HITAG_FRAME_LEN];
1834 byte_t* tx = txbuf;
1835 size_t txlen = 0;
1836 int lastbit;
1837 bool bSkip;
1838 int reset_sof;
1839 int tag_sof;
1840 int t_wait = HITAG_T_WAIT_MAX;
1841 int STATE = 0;
1842 bool bStop;
1843 bool bQuitTraceFull = false;
1844 int response_bit[200];
1845 unsigned char mask = 1;
1846 unsigned char uid[32];
1847 unsigned char crc;
1848
1849 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1850 // Reset the return status
1851 bSuccessful = false;
1852
1853 // Clean up trace and prepare it for storing frames
1854 set_tracing(TRUE);
1855 clear_trace();
1856
1857 bQuiet = false;
1858 bQuitTraceFull = true;
1859
1860 LED_D_ON();
1861
1862 // Configure output and enable pin that is connected to the FPGA (for modulating)
1863 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1864 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1865
1866 // Set fpga in edge detect with reader field, we can modulate as reader now
1867 FpgaWriteConfWord(
1868 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1869
1870 // Set Frequency divisor which will drive the FPGA and analog mux selection
1871 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1872 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1873 RELAY_OFF();
1874
1875 // Disable modulation at default, which means enable the field
1876 LOW(GPIO_SSC_DOUT);
1877
1878 // Give it a bit of time for the resonant antenna to settle.
1879 SpinDelay(30);
1880
1881 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1882 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1883
1884 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1885 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1886 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1887
1888 // Disable timer during configuration
1889 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1890
1891 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1892 // external trigger rising edge, load RA on falling edge of TIOA.
1893 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1894
1895 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
1896
1897 // Enable and reset counters
1898 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1899 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1900
1901 // Reset the received frame, frame count and timing info
1902 frame_count = 0;
1903 response = 0;
1904 lastbit = 1;
1905 bStop = false;
1906
1907 reset_sof = 1;
1908 t_wait = 200;
1909
1910 if (file_given) {
1911 DbpString("Loading challenges...");
1912 memcpy((byte_t*)unlocker,data,60*8);
1913 }
1914
1915 while (file_given && !bStop && !BUTTON_PRESS()) {
1916 // Watchdog hit
1917 WDT_HIT();
1918
1919 // Check if frame was captured and store it
1920 if (rxlen > 0) {
1921 frame_count++;
1922 if (!bQuiet) {
1923 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1924 DbpString("Trace full");
1925 if (bQuitTraceFull) {
1926 break;
1927 } else {
1928 bQuiet = true;
1929 }
1930 }
1931 }
1932 }
1933
1934 tx = txbuf;
1935 txlen = 0;
1936 if (rxlen == 0) {
1937 if (STATE == 2)
1938 // challenge failed
1939 Dbprintf("Challenge failed: %02X %02X %02X %02X %02X %02X %02X %02X",
1940 unlocker[u1 - 1][0], unlocker[u1 - 1][1],
1941 unlocker[u1 - 1][2], unlocker[u1 - 1][3],
1942 unlocker[u1 - 1][4], unlocker[u1 - 1][5],
1943 unlocker[u1 - 1][6], unlocker[u1 - 1][7]);
1944 STATE = 0;
1945 txlen = 5;
1946 //start new authentication
1947 memcpy(tx, "\xc0", nbytes(txlen));
1948 } else if (rxlen >= 67 && STATE == 0) {
1949 //received uid
1950 z = 0;
1951 for (i = 0; i < 10; i++) {
1952 for (j = 0; j < 8; j++) {
1953 response_bit[z] = 0;
1954 if ((rx[i] & ((mask << 7) >> j)) != 0)
1955 response_bit[z] = 1;
1956 z++;
1957 }
1958 }
1959 k = 0;
1960 for (i = 5; i < z; i += 2) {
1961 uid[k] = response_bit[i];
1962 k++;
1963 if (k > 31)
1964 break;
1965 }
1966 uid_byte[0] = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5)
1967 | (uid[3] << 4) | (uid[4] << 3) | (uid[5] << 2)
1968 | (uid[6] << 1) | uid[7];
1969 uid_byte[1] = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5)
1970 | (uid[11] << 4) | (uid[12] << 3) | (uid[13] << 2)
1971 | (uid[14] << 1) | uid[15];
1972 uid_byte[2] = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5)
1973 | (uid[19] << 4) | (uid[20] << 3) | (uid[21] << 2)
1974 | (uid[22] << 1) | uid[23];
1975 uid_byte[3] = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5)
1976 | (uid[27] << 4) | (uid[28] << 3) | (uid[29] << 2)
1977 | (uid[30] << 1) | uid[31];
1978 //Dbhexdump(10, rx, rxlen);
1979 STATE = 1;
1980 txlen = 45;
1981 crc = CRC_PRESET;
1982 calc_crc(&crc, 0x00, 5);
1983 calc_crc(&crc, uid_byte[0], 8);
1984 calc_crc(&crc, uid_byte[1], 8);
1985 calc_crc(&crc, uid_byte[2], 8);
1986 calc_crc(&crc, uid_byte[3], 8);
1987 for (i = 0; i < 100; i++) {
1988 response_bit[i] = 0;
1989 }
1990 for (i = 0; i < 5; i++) {
1991 response_bit[i] = 0;
1992 }
1993 for (i = 5; i < 37; i++) {
1994 response_bit[i] = uid[i - 5];
1995 }
1996 for (j = 0; j < 8; j++) {
1997 response_bit[i] = 0;
1998 if ((crc & ((mask << 7) >> j)) != 0)
1999 response_bit[i] = 1;
2000 i++;
2001 }
2002 k = 0;
2003 for (i = 0; i < 6; i++) {
2004 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
2005 | (response_bit[k + 2] << 5)
2006 | (response_bit[k + 3] << 4)
2007 | (response_bit[k + 4] << 3)
2008 | (response_bit[k + 5] << 2)
2009 | (response_bit[k + 6] << 1) | response_bit[k + 7];
2010 k += 8;
2011 }
2012
2013 } else if (STATE == 1 && rxlen == 44) {
2014 //received configuration
2015 STATE = 2;
2016 z = 0;
2017 for (i = 0; i < 6; i++) {
2018 for (j = 0; j < 8; j++) {
2019 response_bit[z] = 0;
2020 if ((rx[i] & ((mask << 7) >> j)) != 0)
2021 response_bit[z] = 1;
2022 z++;
2023 }
2024 }
2025 txlen = 64;
2026
2027 if (u1 >= (sizeof(unlocker) / sizeof(unlocker[0])))
2028 bStop = !false;
2029 for (i = 0; i < 8; i++)
2030 tx[i] = unlocker[u1][i];
2031 u1++;
2032
2033 } else if (STATE == 2 && rxlen >= 44) {
2034 STATE = 0;
2035 }
2036
2037 // Send and store the reader command
2038 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2039 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2040
2041 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2042 // Since the clock counts since the last falling edge, a 'one' means that the
2043 // falling edge occured halfway the period. with respect to this falling edge,
2044 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2045 // All timer values are in terms of T0 units
2046
2047 while (AT91C_BASE_TC0->TC_CV
2048 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
2049 ;
2050
2051 // Transmit the reader frame
2052 hitag_reader_send_frame(tx, txlen);
2053
2054 // Enable and reset external trigger in timer for capturing future frames
2055 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2056
2057 // Add transmitted frame to total count
2058 if (txlen > 0) {
2059 frame_count++;
2060 if (!bQuiet) {
2061 // Store the frame in the trace
2062 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
2063 if (bQuitTraceFull) {
2064 DbpString("Trace full");
2065 break;
2066 } else {
2067 bQuiet = true;
2068 }
2069 }
2070 }
2071 }
2072
2073 // Reset values for receiving frames
2074 memset(rx, 0x00, sizeof(rx));
2075 rxlen = 0;
2076 lastbit = 1;
2077 bSkip = true;
2078 tag_sof = reset_sof;
2079 response = 0;
2080
2081 // Receive frame, watch for at most T0*EOF periods
2082 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
2083 // Check if falling edge in tag modulation is detected
2084 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
2085 // Retrieve the new timing values
2086 int ra = (AT91C_BASE_TC1->TC_RA / T0);
2087
2088 // Reset timer every frame, we have to capture the last edge for timing
2089 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
2090
2091 LED_B_ON();
2092
2093 // Capture tag frame (manchester decoding using only falling edges)
2094 if (ra >= HITAG_T_EOF) {
2095 if (rxlen != 0) {
2096 //DbpString("wierd1?");
2097 }
2098 // Capture the T0 periods that have passed since last communication or field drop (reset)
2099 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
2100 response = ra - HITAG_T_TAG_HALF_PERIOD;
2101 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
2102 // Manchester coding example |-_|_-|-_| (101)
2103 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
2104 rxlen++;
2105 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
2106 rxlen++;
2107 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
2108 // Manchester coding example |_-|...|_-|-_| (0...01)
2109 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
2110 rxlen++;
2111 // We have to skip this half period at start and add the 'one' the second time
2112 if (!bSkip) {
2113 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
2114 rxlen++;
2115 }
2116 lastbit = !lastbit;
2117 bSkip = !bSkip;
2118 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
2119 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
2120 if (tag_sof) {
2121 // Ignore bits that are transmitted during SOF
2122 tag_sof--;
2123 } else {
2124 // bit is same as last bit
2125 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
2126 rxlen++;
2127 }
2128 } else {
2129 // Ignore wierd value, is to small to mean anything
2130 }
2131 }
2132
2133 // We can break this loop if we received the last bit from a frame
2134 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
2135 if (rxlen > 0)
2136 break;
2137 }
2138 }
2139 }
2140 LED_B_OFF();
2141 LED_D_OFF();
2142 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2143 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2144 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2145 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
2146 }
2147
2148
2149
Proxmark3 GIT tracking
Impressum, Datenschutz