1 //-----------------------------------------------------------------------------
3 // Edits by Iceman, July 2018
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
8 //-----------------------------------------------------------------------------
9 // The main i2c code, for communications with smart card module
10 //-----------------------------------------------------------------------------
16 #include "string.h" //for memset memcmp
17 #include "proxmark3.h"
18 #include "mifareutil.h" // for MF_DBGLEVEL
23 #include "smartcard.h"
// PIOA pins wired to the smart-card module: reset line, I2C clock and I2C data.
#define GPIO_RST AT91C_PIO_PA1
#define GPIO_SCL AT91C_PIO_PA5
#define GPIO_SDA AT91C_PIO_PA7
// Drive the I2C lines high or low (they are configured open-drain in I2C_init).
#define SCL_H HIGH(GPIO_SCL)
#define SCL_L LOW(GPIO_SCL)
#define SDA_H HIGH(GPIO_SDA)
#define SDA_L LOW(GPIO_SDA)
// Sample the actual line level from the PIOA pin data status register;
// non-zero means the line is high.
#define SCL_read (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SCL)
#define SDA_read (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SDA)
// Debug string printed by the write/read helpers when the slave does not ACK
// (only when MF_DBGLEVEL > 3).
#define I2C_ERROR "I2C_WaitAck Error"
// Loop counter used by I2CSpinDelayClk(); declared volatile, presumably so the
// busy-wait loop in that O0-compiled function is not optimized away — confirm.
static volatile unsigned long c;
// Busy-loop delay (直接使用循环来延时): one loop iteration is 6 instructions at 48 MHz; Delay=1 is roughly 200 kbps
45 // I2CSpinDelayClk(4) = 12.31us
46 // I2CSpinDelayClk(1) = 3.07us
47 static void __attribute__((optimize("O0"))) I2CSpinDelayClk(uint16_t delay
) {
48 for (c
= delay
* 2; c
; c
--) {};
51 // communication delay functions
// Bus timing helpers built on I2CSpinDelayClk(): one or two clock units, or an
// arbitrary count x.
#define I2C_DELAY_1CLK I2CSpinDelayClk(1)
#define I2C_DELAY_2CLK I2CSpinDelayClk(2)
#define I2C_DELAY_XCLK(x) I2CSpinDelayClk((x))
// Largest smart-card frame handled here (name sic: ISO 7816); used as the
// response buffer size and read length in SmartCardRaw.
#define ISO7618_MAX_FRAME 255
58 // try i2c bus recovery at 100kHz = 5uS high, 5uS low
59 static void I2C_recovery(void) {
61 DbpString("Performing i2c bus recovery");
66 //9nth cycle acts as NACK
67 for (int i
= 0; i
< 10; i
++) {
72 //a STOP signal (SDA from low to high while CLK is high)
77 bool isok
= (SCL_read
&& SDA_read
);
79 DbpString("I2C bus recovery error: SDA still LOW");
81 DbpString("I2C bus recovery error: SCL still LOW");
83 DbpString("I2C bus recovery complete");
86 static void I2C_init(void) {
87 // Configure reset pin
88 AT91C_BASE_PIOA
->PIO_PPUDR
= GPIO_RST
; // disable pull up resistor
89 AT91C_BASE_PIOA
->PIO_MDDR
= GPIO_RST
; // push-pull output (multidriver disabled)
91 // Configure SCL and SDA pins
92 AT91C_BASE_PIOA
->PIO_PPUER
|= (GPIO_SCL
| GPIO_SDA
); // enable pull up resistor
93 AT91C_BASE_PIOA
->PIO_MDER
|= (GPIO_SCL
| GPIO_SDA
); // open drain output (multidriver enabled) - requires external pull up resistor
95 // set all three outputs to high
96 AT91C_BASE_PIOA
->PIO_SODR
|= (GPIO_SCL
| GPIO_SDA
| GPIO_RST
);
98 // configure all three pins as output, controlled by PIOA
99 AT91C_BASE_PIOA
->PIO_OER
|= (GPIO_SCL
| GPIO_SDA
| GPIO_RST
);
100 AT91C_BASE_PIOA
->PIO_PER
|= (GPIO_SCL
| GPIO_SDA
| GPIO_RST
);
102 bool isok
= (SCL_read
&& SDA_read
);
108 // set the reset state
109 static void I2C_SetResetStatus(uint8_t LineRST
, uint8_t LineSCK
, uint8_t LineSDA
) {
126 // Reset the SIM_Adapter, then enter the main program
127 // Note: the SIM_Adapter will not enter the main program after power up. Please run this function before use SIM_Adapter.
128 static void I2C_Reset_EnterMainProgram(void) {
131 I2C_SetResetStatus(0, 0, 0);
133 I2C_SetResetStatus(1, 0, 0);
135 I2C_SetResetStatus(1, 1, 1);
139 // Wait for the clock to go High.
140 static bool WaitSCL_H_delay(uint32_t delay
) {
150 // 15000 * 3.07us = 46050us. 46.05ms
151 static bool WaitSCL_H(void) {
152 return WaitSCL_H_delay(15000);
155 bool WaitSCL_L_delay(uint32_t delay
) {
165 bool WaitSCL_L(void) {
166 return WaitSCL_L_delay(15000);
169 static bool I2C_Start(void) {
172 SDA_H
; I2C_DELAY_1CLK
;
174 if (!WaitSCL_H()) return false;
178 if (!SCL_read
) return false;
179 if (!SDA_read
) return false;
181 SDA_L
; I2C_DELAY_2CLK
;
186 static void I2C_Stop(void) {
187 SCL_L
; I2C_DELAY_2CLK
;
188 SDA_L
; I2C_DELAY_2CLK
;
189 SCL_H
; I2C_DELAY_2CLK
;
190 if (!WaitSCL_H()) return;
195 static bool I2C_WaitAck(void) {
196 SCL_L
; I2C_DELAY_1CLK
;
197 SDA_H
; I2C_DELAY_1CLK
;
212 static void I2C_SendByte(uint8_t data
) {
237 bool I2C_is_available(void) {
238 I2C_Reset_EnterMainProgram();
239 if (!I2C_Start()) // some other device is active on the bus
241 I2C_SendByte(I2C_DEVICE_ADDRESS_MAIN
& 0xFE);
242 if (!I2C_WaitAck()) { // no response from smartcard reader
250 #ifdef WITH_SMARTCARD
251 // Reset the SIM_Adapter, then enter the bootloader program
// Reserved: for firmware update.
253 static void I2C_Reset_EnterBootloader(void) {
254 I2C_SetResetStatus(0, 1, 1);
256 I2C_SetResetStatus(1, 1, 1);
260 // Wait max 300ms or until SCL goes LOW.
261 // Which ever comes first
262 static bool WaitSCL_L_300ms(void) {
263 volatile uint16_t delay
= 310;
274 static bool I2C_WaitForSim() {
275 // variable delay here.
276 if (!WaitSCL_L_300ms())
279 // 8051 speaks with smart card.
280 // 1000*50*3.07 = 153.5ms
281 // 1byte transfer == 1ms with max frame being 256bytes
282 if (!WaitSCL_H_delay(10 * 1000 * 50))
289 static void I2C_Ack(void) {
290 SCL_L
; I2C_DELAY_2CLK
;
291 SDA_L
; I2C_DELAY_2CLK
;
292 SCL_H
; I2C_DELAY_2CLK
;
293 if (!WaitSCL_H()) return;
294 SCL_L
; I2C_DELAY_2CLK
;
298 static void I2C_NoAck(void) {
299 SCL_L
; I2C_DELAY_2CLK
;
300 SDA_H
; I2C_DELAY_2CLK
;
301 SCL_H
; I2C_DELAY_2CLK
;
302 if (!WaitSCL_H()) return;
303 SCL_L
; I2C_DELAY_2CLK
;
306 static int16_t I2C_ReadByte(void) {
307 uint8_t bits
= 8, b
= 0;
313 if (!WaitSCL_L()) return -2;
318 if (!WaitSCL_H()) return -1;
328 // Sends one byte ( command to be written, SlaveDevice address)
329 static bool I2C_WriteCmd(uint8_t device_cmd
, uint8_t device_address
) {
335 I2C_SendByte(device_address
& 0xFE);
339 I2C_SendByte(device_cmd
);
348 if ( MF_DBGLEVEL
> 3 ) DbpString(I2C_ERROR
);
354 // Sends 1 byte data (Data to be written, command to be written , SlaveDevice address ).
355 static bool I2C_WriteByte(uint8_t data
, uint8_t device_cmd
, uint8_t device_address
) {
361 I2C_SendByte(device_address
& 0xFE);
365 I2C_SendByte(device_cmd
);
378 if ( MF_DBGLEVEL
> 3 ) DbpString(I2C_ERROR
);
384 //Sends a string of data (Array, length, command to be written , SlaveDevice address ).
385 // len = uint8 (max buffer to write 256bytes)
386 static bool I2C_BufferWrite(uint8_t *data
, uint8_t len
, uint8_t device_cmd
, uint8_t device_address
) {
392 I2C_SendByte(device_address
& 0xFE);
396 I2C_SendByte(device_cmd
);
416 if ( MF_DBGLEVEL
> 3 ) DbpString(I2C_ERROR
);
422 // read 1 strings of data (Data array, Readout length, command to be written , SlaveDevice address ).
423 // len = uint8 (max buffer to read 256bytes)
424 static int16_t I2C_BufferRead(uint8_t *data
, uint8_t len
, uint8_t device_cmd
, uint8_t device_address
) {
426 if ( !data
|| len
== 0 )
429 // extra wait 500us (514us measured)
430 // 200us (xx measured)
433 uint16_t readcount
= 0;
439 // 0xB0 / 0xC0 == i2c write
440 I2C_SendByte(device_address
& 0xFE);
444 I2C_SendByte(device_cmd
);
448 // 0xB1 / 0xC1 == i2c read
450 I2C_SendByte(device_address
| 1);
459 if ( MF_DBGLEVEL
> 3 ) DbpString(I2C_ERROR
);
465 int16_t tmp
= I2C_ReadByte();
469 *data
= (uint8_t)tmp
& 0xFF;
// 读取的第一个字节为后续长度 (the first byte read is the length of what follows)
474 // The first byte in response is the message length
475 if (!readcount
&& (len
> *data
)) {
482 // acknowledgements. After last byte send NACK.
491 // return bytecount - first byte (which is length byte)
495 static int16_t I2C_ReadFW(uint8_t *data
, uint8_t len
, uint8_t msb
, uint8_t lsb
, uint8_t device_address
) {
496 //START, 0xB0, 0x00, 0x00, START, 0xB1, xx, yy, zz, ......, STOP
498 uint8_t readcount
= 0;
505 // 0xB0 / 0xC0 i2c write
506 I2C_SendByte(device_address
& 0xFE);
518 // 0xB1 / 0xC1 i2c read
520 I2C_SendByte(device_address
| 1);
529 if ( MF_DBGLEVEL
> 3 ) DbpString(I2C_ERROR
);
536 int16_t tmp
= I2C_ReadByte();
540 *data
= (uint8_t)tmp
& 0xFF;
546 // acknowledgements. After last byte send NACK.
557 static bool I2C_WriteFW(uint8_t *data
, uint8_t len
, uint8_t msb
, uint8_t lsb
, uint8_t device_address
) {
558 //START, 0xB0, 0x00, 0x00, xx, yy, zz, ......, STOP
566 I2C_SendByte(device_address
& 0xFE);
593 if ( MF_DBGLEVEL
> 3 ) DbpString(I2C_ERROR
);
599 void I2C_print_status(void) {
600 DbpString("Smart card module (ISO 7816)");
601 uint8_t resp
[] = {0,0,0,0};
602 I2C_Reset_EnterMainProgram();
603 uint8_t len
= I2C_BufferRead(resp
, sizeof(resp
), I2C_DEVICE_CMD_GETVERSION
, I2C_DEVICE_ADDRESS_MAIN
);
605 Dbprintf(" version.................v%x.%02x", resp
[0], resp
[1]);
607 DbpString(" version.................FAILED");
610 // Will read response from smart card module, retries 3 times to get the data.
611 static bool sc_rx_bytes(uint8_t* dest
, uint8_t *destlen
) {
618 len
= I2C_BufferRead(dest
, *destlen
, I2C_DEVICE_CMD_READ
, I2C_DEVICE_ADDRESS_MAIN
);
622 } else if ( len
== 1 ) {
624 } else if ( len
<= 0 ) {
632 *destlen
= (uint8_t)len
& 0xFF;
636 static bool GetATR(smart_card_atr_t
*card_ptr
) {
642 card_ptr
->atr_len
= 0;
643 memset(card_ptr
->atr
, 0, sizeof(card_ptr
->atr
));
646 // start [C0 01] stop start C1 len aa bb cc stop]
647 I2C_WriteCmd(I2C_DEVICE_CMD_GENERATE_ATR
, I2C_DEVICE_ADDRESS_MAIN
);
649 // wait for sim card to answer.
650 // 1byte = 1ms, max frame 256bytes. Should wait 256ms at least just in case.
651 if (!I2C_WaitForSim())
654 // read bytes from module
655 uint8_t len
= sizeof(card_ptr
->atr
);
656 if ( !sc_rx_bytes(card_ptr
->atr
, &len
) )
660 if ( (card_ptr
->atr
[1] & 0x10) == 0x10) pos_td
++;
661 if ( (card_ptr
->atr
[1] & 0x20) == 0x20) pos_td
++;
662 if ( (card_ptr
->atr
[1] & 0x40) == 0x40) pos_td
++;
664 // T0 indicate presence T=0 vs T=1. T=1 has checksum TCK
665 if ( (card_ptr
->atr
[1] & 0x80) == 0x80) {
669 // 1 == T1 , presence of checksum TCK
670 if ( (card_ptr
->atr
[pos_td
] & 0x01) == 0x01) {
672 // xor property. will be zero when xored with chksum.
673 for (uint8_t i
= 1; i
< len
; ++i
)
674 chksum
^= card_ptr
->atr
[i
];
676 if ( MF_DBGLEVEL
> 2) DbpString("Wrong ATR checksum");
681 card_ptr
->atr_len
= len
;
682 LogTrace(card_ptr
->atr
, card_ptr
->atr_len
, 0, 0, NULL
, false);
687 void SmartCardAtr(void) {
688 smart_card_atr_t card
;
692 I2C_Reset_EnterMainProgram();
693 bool isOK
= GetATR( &card
);
694 cmd_send(CMD_ACK
, isOK
, sizeof(smart_card_atr_t
), 0, &card
, sizeof(smart_card_atr_t
));
699 void SmartCardRaw( uint64_t arg0
, uint64_t arg1
, uint8_t *data
) {
704 uint8_t *resp
= BigBuf_malloc(ISO7618_MAX_FRAME
);
705 smartcard_command_t flags
= arg0
;
707 if ((flags
& SC_CONNECT
))
712 if ((flags
& SC_CONNECT
)) {
714 I2C_Reset_EnterMainProgram();
716 if ((flags
& SC_SELECT
)) {
717 smart_card_atr_t card
;
718 bool gotATR
= GetATR( &card
);
719 //cmd_send(CMD_ACK, gotATR, sizeof(smart_card_atr_t), 0, &card, sizeof(smart_card_atr_t));
725 if ((flags
& SC_RAW
) || (flags
& SC_RAW_T0
)) {
727 LogTrace(data
, arg1
, 0, 0, NULL
, true);
730 // asBytes = A0 A4 00 00 02
732 bool res
= I2C_BufferWrite(data
, arg1
, ((flags
& SC_RAW_T0
) ? I2C_DEVICE_CMD_SEND_T0
: I2C_DEVICE_CMD_SEND
), I2C_DEVICE_ADDRESS_MAIN
);
733 if ( !res
&& MF_DBGLEVEL
> 3 ) DbpString(I2C_ERROR
);
735 // read bytes from module
736 len
= ISO7618_MAX_FRAME
;
737 res
= sc_rx_bytes(resp
, &len
);
739 LogTrace(resp
, len
, 0, 0, NULL
, false);
745 cmd_send(CMD_ACK
, len
, 0, 0, resp
, len
);
751 void SmartCardUpgrade(uint64_t arg0
) {
755 #define I2C_BLOCK_SIZE 128
756 // write. Sector0, with 11,22,33,44
757 // erase is 128bytes, and takes 50ms to execute
759 I2C_Reset_EnterBootloader();
763 uint16_t length
= arg0
;
765 uint8_t *fwdata
= BigBuf_get_addr();
766 uint8_t *verfiydata
= BigBuf_malloc(I2C_BLOCK_SIZE
);
770 uint8_t msb
= (pos
>> 8) & 0xFF;
771 uint8_t lsb
= pos
& 0xFF;
773 Dbprintf("FW %02X%02X", msb
, lsb
);
775 size_t size
= MIN(I2C_BLOCK_SIZE
, length
);
778 res
= I2C_WriteFW(fwdata
+pos
, size
, msb
, lsb
, I2C_DEVICE_ADDRESS_BOOT
);
780 DbpString("Writing failed");
785 // writing takes time.
789 res
= I2C_ReadFW(verfiydata
, size
, msb
, lsb
, I2C_DEVICE_ADDRESS_BOOT
);
791 DbpString("Reading back failed");
797 if ( 0 != memcmp(fwdata
+pos
, verfiydata
, size
)) {
798 DbpString("not equal data");
806 cmd_send(CMD_ACK
, isOK
, pos
, 0, 0, 0);
811 // unfinished (or not needed?)
812 //void SmartCardSetBaud(uint64_t arg0) {
815 void SmartCardSetClock(uint64_t arg0
) {
818 I2C_Reset_EnterMainProgram();
821 // start [C0 05 xx] stop
822 I2C_WriteByte(arg0
, I2C_DEVICE_CMD_SIM_CLC
, I2C_DEVICE_ADDRESS_MAIN
);
824 cmd_send(CMD_ACK
, 1, 0, 0, 0, 0);