1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, Mar 2006
3 // Edits by Gerhard de Koning Gans, Sep 2007 (##)
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
8 //-----------------------------------------------------------------------------
9 // The main application code. This is the first thing called after start.c
11 //-----------------------------------------------------------------------------
16 #include "proxmark3.h"
23 #include "legicrfsim.h"
27 #include "iso14443b.h"
29 #include "lfsampling.h"
31 #include "mifarecmd.h"
32 #include "mifareutil.h"
33 #include "mifaresim.h"
37 #include "fpgaloader.h"
42 static uint32_t hw_capabilities
;
44 // Craig Young - 14a stand-alone code
46 #include "iso14443a.h"
49 //=============================================================================
50 // A buffer where we can queue things up to be sent through the FPGA, for
51 // any purpose (fake tag, as reader, whatever). We go MSB first, since that
52 // is the order in which they go out on the wire.
53 //=============================================================================
55 #define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
56 uint8_t ToSend
[TOSEND_BUFFER_SIZE
];
59 struct common_area common_area
__attribute__((section(".commonarea")));
61 void ToSendReset(void) {
66 void ToSendStuffBit(int b
) {
69 ToSend
[ToSendMax
] = 0;
74 ToSend
[ToSendMax
] |= (1 << (7 - ToSendBit
));
79 if (ToSendMax
>= sizeof(ToSend
)) {
81 DbpString("ToSendStuffBit overflowed!");
85 //=============================================================================
86 // Debug print functions, to go out over USB, to the usual PC-side client.
87 //=============================================================================
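// Send a NUL-terminated debug string to the PC-side client as a
// CMD_DEBUG_PRINT_STRING packet (both arg0 and the payload length carry the
// byte count, which is what the client expects).
//
// Bug fixed here: the length used to be stored in a uint8_t, so any message of
// 256 bytes or more wrapped modulo 256 (a 256-byte message was sent with
// length 0). The length is now kept as size_t and capped at USB_CMD_DATA_SIZE,
// the payload size this file uses for every other cmd_send() buffer.
void DbpString(char *str) {
	size_t len = strlen(str);
	if (len > USB_CMD_DATA_SIZE) {
		// Longer text cannot fit one packet; send the leading part rather than
		// a wrapped-around length.
		len = USB_CMD_DATA_SIZE;
	}
	cmd_send(CMD_DEBUG_PRINT_STRING, len, 0, 0, (uint8_t *)str, len);
}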
94 void Dbprintf(const char *fmt
, ...) {
95 // should probably limit size here; oh well, let's just use a big buffer
96 char output_string
[128];
100 kvsprintf(fmt
, output_string
, 10, ap
);
103 DbpString(output_string
);
106 // prints HEX & ASCII
107 void Dbhexdump(int len
, uint8_t *d
, bool bAsci
) {
119 for (i
= 0; i
< l
; i
++)
120 if (ascii
[i
]<32 || ascii
[i
]>126) ascii
[i
] = '.';
123 Dbprintf("%-8s %*D",ascii
, l
, d
, " ");
125 Dbprintf("%*D", l
, d
, " ");
133 //-----------------------------------------------------------------------------
134 // Read an ADC channel and block till it completes, then return the result
135 // in ADC units (0 to 1023). Also a routine to average 32 samples and
137 //-----------------------------------------------------------------------------
// Read one ADC channel synchronously and return the raw 10-bit conversion
// result (0..1023). Blocks until the conversion finishes; there is no timeout.
//
// Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum
// allowed value. AMPL_HI is a high impedance (10MOhm || 1MOhm) output and the
// ADC input capacitance is 12pF (typical), giving RC = 0.91MOhm * 12pF = 10.9us.
// Even after the maximum configurable sample&hold time of 40us the input
// capacitor is not fully charged: with input voltage v_in the measured
// capacitor voltage is
//   v_cap = v_in * (1 - exp(-SHTIM/RC)) = v_in * (1 - exp(-40us/10.9us)) = v_in * 0.97
// i.e. a systematic error of about 3%.
static int ReadAdc(int ch) {
	// Software reset so no earlier channel/mode selection carries over.
	AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;

	// ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
	uint32_t mode = ADC_MODE_PRESCALE(63);
	// Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42.7us (must be > 20us)
	mode |= ADC_MODE_STARTUP_TIME(1);
	// Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
	mode |= ADC_MODE_SAMPLE_HOLD_TIME(15);
	AT91C_BASE_ADC->ADC_MR = mode;

	// Enable just the requested channel and kick off a conversion.
	AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
	AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;

	// Busy-wait on the channel's end-of-conversion flag.
	do {
	} while (!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch)));

	// The converter is 10-bit; mask off anything above bit 9.
	return AT91C_BASE_ADC->ADC_CDR[ch] & 0x3ff;
}
162 int AvgAdc(int ch
) { // was static - merlok{
166 for(i
= 0; i
< 32; i
++) {
170 return (a
+ 15) >> 5;
// Averaged HF antenna voltage in mV.
//
// The low-range channel is read first. When its reading comes within 300 mV of
// that channel's full-scale value it may be saturating, so the high-range
// channel (only fitted on RDV40 hardware) is sampled as well and preferred
// whenever it reads at least as high. On boards without the second channel the
// low-range value is returned unchanged.
static int AvgAdc_Voltage_HF(void) {
	// 10-bit average scaled to the channel's full-scale millivolt value.
	int v_low = (MAX_ADC_HF_VOLTAGE_LOW * AvgAdc(ADC_CHAN_HF_LOW)) >> 10;

	// Comfortably below the ceiling: the low-range reading is trustworthy.
	if (v_low <= MAX_ADC_HF_VOLTAGE_LOW - 300) {
		return v_low;
	}

	// Near the ceiling: consult the high-range channel if available (RDV40 only).
	int v_high = (MAX_ADC_HF_VOLTAGE_HIGH * AvgAdc(ADC_CHAN_HF_HIGH)) >> 10;
	return (v_high >= v_low) ? v_high : v_low;
}
// Averaged LF antenna voltage in mV: the 10-bit ADC average scaled to the LF
// channel's full-scale millivolt value (same scaling as the HF path).
static int AvgAdc_Voltage_LF(void) {
	int raw = AvgAdc(ADC_CHAN_LF);
	return (MAX_ADC_LF_VOLTAGE * raw) >> 10;
}
191 void MeasureAntennaTuningLfOnly(int *vLf125
, int *vLf134
, int *peakf
, int *peakv
, uint8_t LF_Results
[]) {
192 int i
, adcval
= 0, peak
= 0;
195 * Sweeps the useful LF range of the proxmark from
196 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
197 * read the voltage in the antenna, the result left
198 * in the buffer is a graph which should clearly show
199 * the resonating frequency of your LF antenna
200 * ( hopefully around 95 if it is tuned to 125kHz!)
203 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
204 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC
| FPGA_LF_ADC_READER_FIELD
);
207 for (i
= 255; i
>= 19; i
--) {
209 FpgaSendCommand(FPGA_CMD_SET_DIVISOR
, i
);
211 adcval
= AvgAdc_Voltage_LF();
212 if (i
== 95) *vLf125
= adcval
; // voltage at 125Khz
213 if (i
== 89) *vLf134
= adcval
; // voltage at 134Khz
215 LF_Results
[i
] = adcval
>> 9; // scale int to fit in byte for graphing purposes
216 if (LF_Results
[i
] > peak
) {
218 peak
= LF_Results
[i
];
224 for (i
= 18; i
>= 0; i
--) LF_Results
[i
] = 0;
229 void MeasureAntennaTuningHfOnly(int *vHf
) {
230 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
232 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
233 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER
);
235 *vHf
= AvgAdc_Voltage_HF();
240 void MeasureAntennaTuning(int mode
) {
241 uint8_t LF_Results
[256] = {0};
242 int peakv
= 0, peakf
= 0;
243 int vLf125
= 0, vLf134
= 0, vHf
= 0; // in mV
247 if (((mode
& FLAG_TUNE_ALL
) == FLAG_TUNE_ALL
) && (FpgaGetCurrent() == FPGA_BITSTREAM_HF
)) {
248 // Reverse "standard" order if HF already loaded, to avoid unnecessary swap.
249 MeasureAntennaTuningHfOnly(&vHf
);
250 MeasureAntennaTuningLfOnly(&vLf125
, &vLf134
, &peakf
, &peakv
, LF_Results
);
252 if (mode
& FLAG_TUNE_LF
) {
253 MeasureAntennaTuningLfOnly(&vLf125
, &vLf134
, &peakf
, &peakv
, LF_Results
);
255 if (mode
& FLAG_TUNE_HF
) {
256 MeasureAntennaTuningHfOnly(&vHf
);
260 cmd_send(CMD_MEASURED_ANTENNA_TUNING
, vLf125
>>1 | (vLf134
>>1<<16), vHf
, peakf
| (peakv
>>1<<16), LF_Results
, 256);
261 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
266 void MeasureAntennaTuningHf(void) {
267 int vHf
= 0; // in mV
269 DbpString("Measuring HF antenna, press button to exit");
271 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
272 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
273 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER
);
277 vHf
= AvgAdc_Voltage_HF();
279 Dbprintf("%d mV",vHf
);
280 if (BUTTON_PRESS()) break;
282 DbpString("cancelled");
284 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
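// Debug helper: print the 8 bytes found at raw memory address `addr`.
//
// The address is used exactly as supplied and is not range-checked; it
// presumably arrives from the USB command dispatcher, so an address outside
// mapped memory is read blindly (on the MCU that may fault rather than return
// an error). This is a development aid, not an input-validated command.
void ReadMem(int addr) {
	// Convert via uintptr_t: an int-to-pointer cast is implementation-defined
	// and warns on targets where pointers are wider than int.
	const uint8_t *data = (const uint8_t *)(uintptr_t)addr;

	Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
		addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
}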
296 /* osimage version information is linked in */
297 extern struct version_information version_information
;
298 /* bootrom version information is pointed to from _bootphase1_version_pointer */
299 extern char *_bootphase1_version_pointer
, _flash_start
, _flash_end
, _bootrom_start
, _bootrom_end
, __data_src_start__
;
// Probe optional hardware and OR the matching HAS_* flag into hw_capabilities.
// Flags are only ever set, never cleared: hw_capabilities is a zero-initialised
// file-scope static, so repeated calls are harmless.
void set_hw_capabilities(void) {
	bool has_smartcard = I2C_is_available();
	if (has_smartcard) {
		hw_capabilities |= HAS_SMARTCARD_SLOT;
	}

	// TODO: implement a test
	// No detection routine exists yet, so this flag is currently never set.
	bool has_extra_flash = false;
	if (has_extra_flash) {
		hw_capabilities |= HAS_EXTRA_FLASH_MEM;
	}
}
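// Append `src` to the NUL-terminated string in `dst` without writing past
// `dst_size` bytes. `dst` stays NUL-terminated; text that does not fit is
// silently dropped. Shared by every append in SendVersion() so the bound is
// computed in one place.
static void version_string_append(char *dst, size_t dst_size, const char *src) {
	size_t used = strlen(dst);
	if (used >= dst_size) {
		return;
	}
	strncat(dst, src, dst_size - used - 1);
}

// Reply to the version request: one CMD_ACK carrying the chip ID, the flash
// footprint of the image, the hw_capabilities bitmask and a multi-line
// human-readable version text (bootrom, os, FPGA bitstreams, smartcard slot).
//
// Changes here: the first bootrom message used an unbounded strcat() while
// every other append was bounded; all appends now go through
// version_string_append(), so the text can never overrun VersionString.
void SendVersion(void) {
	set_hw_capabilities();

	char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
	char VersionString[USB_CMD_DATA_SIZE] = { '\0' };

	/* Try to find the bootrom version information. Expect to find a pointer at
	 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
	 * pointer, then use it.
	 */
	char *bootrom_version = *(char**)&_bootphase1_version_pointer;
	if (bootrom_version < &_flash_start || bootrom_version >= &_flash_end) {
		// Pointer does not lie inside flash: report it instead of dereferencing it.
		version_string_append(VersionString, sizeof(VersionString), "bootrom version information appears invalid\n");
	} else {
		FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
		version_string_append(VersionString, sizeof(VersionString), temp);
	}

	FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
	version_string_append(VersionString, sizeof(VersionString), temp);

	// One line per FPGA bitstream linked into the image.
	for (int i = 0; i < fpga_bitstream_num; i++) {
		version_string_append(VersionString, sizeof(VersionString), fpga_version_information[i]);
		version_string_append(VersionString, sizeof(VersionString), "\n");
	}

	// test availability of SmartCard slot
	if (I2C_is_available()) {
		version_string_append(VersionString, sizeof(VersionString), "SmartCard Slot: available\n");
	} else {
		version_string_append(VersionString, sizeof(VersionString), "SmartCard Slot: not available\n");
	}

	// Send Chip ID and used flash memory.
	// text+rodata is the span from flash start to the data-section source;
	// the compressed data size is left in common_area.arg1 by the boot stage.
	uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
	uint32_t compressed_data_section_size = common_area.arg1;
	cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, hw_capabilities, VersionString, strlen(VersionString) + 1);
}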
352 // measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
353 // Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
354 void printUSBSpeed(void) {
355 Dbprintf("USB Speed:");
356 Dbprintf(" Sending USB packets to client...");
358 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
359 uint8_t *test_data
= BigBuf_get_addr();
362 uint32_t start_time
= end_time
= GetTickCount();
363 uint32_t bytes_transferred
= 0;
366 while(end_time
< start_time
+ USB_SPEED_TEST_MIN_TIME
) {
367 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K
, 0, USB_CMD_DATA_SIZE
, 0, test_data
, USB_CMD_DATA_SIZE
);
368 end_time
= GetTickCount();
369 bytes_transferred
+= USB_CMD_DATA_SIZE
;
373 Dbprintf(" Time elapsed: %dms", end_time
- start_time
);
374 Dbprintf(" Bytes transferred: %d", bytes_transferred
);
375 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
376 1000 * bytes_transferred
/ (end_time
- start_time
));
381 * Prints runtime information about the PM3.
383 void SendStatus(void) {
384 BigBuf_print_status();
386 #ifdef WITH_SMARTCARD
389 printConfig(); //LF Sampling config
392 Dbprintf(" MF_DBGLEVEL........%d", MF_DBGLEVEL
);
393 Dbprintf(" ToSendMax..........%d", ToSendMax
);
394 Dbprintf(" ToSendBit..........%d", ToSendBit
);
396 cmd_send(CMD_ACK
,1,0,0,0,0);
399 #if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF_StandAlone)
403 void StandAloneMode() {
404 DbpString("Stand-alone mode! No PC necessary.");
405 // Oooh pretty -- notify user we're in elite samy mode now
407 LED(LED_ORANGE
, 200);
409 LED(LED_ORANGE
, 200);
411 LED(LED_ORANGE
, 200);
413 LED(LED_ORANGE
, 200);
421 #ifdef WITH_ISO14443a_StandAlone
422 void StandAloneMode14a() {
424 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
427 bool playing
= false, GotoRecord
= false, GotoClone
= false;
428 bool cardRead
[OPTS
] = {false};
429 uint8_t readUID
[10] = {0};
430 uint32_t uid_1st
[OPTS
]={0};
431 uint32_t uid_2nd
[OPTS
]={0};
432 uint32_t uid_tmp1
= 0;
433 uint32_t uid_tmp2
= 0;
434 iso14a_card_select_t hi14a_card
[OPTS
];
436 LED(selected
+ 1, 0);
443 if (GotoRecord
|| !cardRead
[selected
]) {
446 LED(selected
+ 1, 0);
450 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected
);
451 /* need this delay to prevent catching some weird data */
453 /* Code for reading from 14a tag */
454 uint8_t uid
[10] ={0};
456 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD
);
460 if (BUTTON_PRESS()) {
461 if (cardRead
[selected
]) {
462 Dbprintf("Button press detected -- replaying card in bank[%d]", selected
);
464 } else if (cardRead
[(selected
+1)%OPTS
]) {
465 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected
, (selected
+1)%OPTS
);
466 selected
= (selected
+1)%OPTS
;
469 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
473 if (!iso14443a_select_card(uid
, &hi14a_card
[selected
], &cuid
, true, 0, true))
476 Dbprintf("Read UID:"); Dbhexdump(10,uid
,0);
477 memcpy(readUID
,uid
,10*sizeof(uint8_t));
478 uint8_t *dst
= (uint8_t *)&uid_tmp1
;
479 // Set UID byte order
480 for (int i
= 0; i
< 4; i
++)
482 dst
= (uint8_t *)&uid_tmp2
;
483 for (int i
= 0; i
< 4; i
++)
485 if (uid_1st
[(selected
+1) % OPTS
] == uid_tmp1
&& uid_2nd
[(selected
+1) % OPTS
] == uid_tmp2
) {
486 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
489 Dbprintf("Bank[%d] received a 7-byte UID", selected
);
490 uid_1st
[selected
] = (uid_tmp1
)>>8;
491 uid_2nd
[selected
] = (uid_tmp1
<<24) + (uid_tmp2
>>8);
493 Dbprintf("Bank[%d] received a 4-byte UID", selected
);
494 uid_1st
[selected
] = uid_tmp1
;
495 uid_2nd
[selected
] = uid_tmp2
;
501 Dbprintf("ATQA = %02X%02X", hi14a_card
[selected
].atqa
[0], hi14a_card
[selected
].atqa
[1]);
502 Dbprintf("SAK = %02X", hi14a_card
[selected
].sak
);
505 LED(LED_ORANGE
, 200);
507 LED(LED_ORANGE
, 200);
510 LED(selected
+ 1, 0);
512 // Next state is replay:
515 cardRead
[selected
] = true;
516 } else if (GotoClone
) { /* MF Classic UID clone */
519 LED(selected
+ 1, 0);
520 LED(LED_ORANGE
, 250);
524 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected
, uid_1st
[selected
]);
526 // wait for button to be released
527 while(BUTTON_PRESS()) {
528 // Delay cloning until card is in place
531 Dbprintf("Starting clone. [Bank: %u]", selected
);
532 // need this delay to prevent catching some weird data
534 // Begin clone function here:
535 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
536 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}};
537 memcpy(c.d.asBytes, data, 16);
540 Block read is similar:
541 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}};
542 We need to imitate that call with blockNo 0 to set a uid.
544 The get and set commands are handled in this file:
545 // Work with "magic Chinese" card
546 case CMD_MIFARE_CSETBLOCK:
547 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
549 case CMD_MIFARE_CGETBLOCK:
550 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
553 mfCSetUID provides example logic for UID set workflow:
554 -Read block0 from card in field with MifareCGetBlock()
555 -Configure new values without replacing reserved bytes
556 memcpy(block0, uid, 4); // Copy UID bytes from byte array
558 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
559 Bytes 5-7 are reserved SAK and ATQA for mifare classic
560 -Use mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER) to write it
562 uint8_t oldBlock0
[16] = {0}, newBlock0
[16] = {0}, testBlock0
[16] = {0};
563 // arg0 = Flags == CSETBLOCK_SINGLE_OPER=0x1F, arg1=returnSlot, arg2=blockNo
564 MifareCGetBlock(0x3F, 1, 0, oldBlock0
);
565 if (oldBlock0
[0] == 0 && oldBlock0
[0] == oldBlock0
[1] && oldBlock0
[1] == oldBlock0
[2] && oldBlock0
[2] == oldBlock0
[3]) {
566 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected
);
569 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0
[0], oldBlock0
[1], oldBlock0
[2], oldBlock0
[3]);
570 memcpy(newBlock0
, oldBlock0
, 16);
571 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
573 newBlock0
[0] = uid_1st
[selected
] >> 24;
574 newBlock0
[1] = 0xFF & (uid_1st
[selected
] >> 16);
575 newBlock0
[2] = 0xFF & (uid_1st
[selected
] >> 8);
576 newBlock0
[3] = 0xFF & (uid_1st
[selected
]);
577 newBlock0
[4] = newBlock0
[0] ^ newBlock0
[1] ^ newBlock0
[2] ^ newBlock0
[3];
578 // arg0 = needWipe, arg1 = workFlags, arg2 = blockNo, datain
579 MifareCSetBlock(0, 0xFF, 0, newBlock0
);
580 MifareCGetBlock(0x3F, 1, 0, testBlock0
);
581 if (memcmp(testBlock0
, newBlock0
, 16) == 0) {
582 DbpString("Cloned successfull!");
583 cardRead
[selected
] = false; // Only if the card was cloned successfully should we clear it
586 selected
= (selected
+1) % OPTS
;
588 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected
);
593 LED(selected
+ 1, 0);
595 } else if (playing
) {
596 // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
597 // Change where to record (or begin playing)
599 LED(selected
+ 1, 0);
601 // Begin transmitting
603 DbpString("Playing");
606 int button_action
= BUTTON_HELD(1000);
607 if (button_action
== 0) { // No button action, proceed with sim
608 uint8_t data
[512] = {0}; // in case there is a read command received we shouldn't break
609 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st
[selected
], uid_2nd
[selected
], selected
);
610 if (hi14a_card
[selected
].sak
== 8 && hi14a_card
[selected
].atqa
[0] == 4 && hi14a_card
[selected
].atqa
[1] == 0) {
611 DbpString("Mifare Classic");
612 SimulateIso14443aTag(1, uid_1st
[selected
], uid_2nd
[selected
], data
); // Mifare Classic
613 } else if (hi14a_card
[selected
].sak
== 0 && hi14a_card
[selected
].atqa
[0] == 0x44 && hi14a_card
[selected
].atqa
[1] == 0) {
614 DbpString("Mifare Ultralight");
615 SimulateIso14443aTag(2, uid_1st
[selected
], uid_2nd
[selected
], data
); // Mifare Ultralight
616 } else if (hi14a_card
[selected
].sak
== 20 && hi14a_card
[selected
].atqa
[0] == 0x44 && hi14a_card
[selected
].atqa
[1] == 3) {
617 DbpString("Mifare DESFire");
618 SimulateIso14443aTag(3, uid_1st
[selected
], uid_2nd
[selected
], data
); // Mifare DESFire
620 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
621 SimulateIso14443aTag(1, uid_1st
[selected
], uid_2nd
[selected
], data
);
623 } else if (button_action
== BUTTON_SINGLE_CLICK
) {
624 selected
= (selected
+ 1) % OPTS
;
625 Dbprintf("Done playing. Switching to record mode on bank %d",selected
);
628 } else if (button_action
== BUTTON_HOLD
) {
629 Dbprintf("Playtime over. Begin cloning...");
636 /* We pressed a button so ignore it here with a delay */
639 LED(selected
+ 1, 0);
644 #elif WITH_LF_StandAlone
646 // samy's sniff and repeat routine
649 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
651 int tops
[OPTS
], high
[OPTS
], low
[OPTS
];
656 // Turn on selected LED
657 LED(selected
+ 1, 0);
663 // Was our button held down or pressed?
664 int button_pressed
= BUTTON_HELD(1000);
667 // Button was held for a second, begin recording
668 if (button_pressed
> 0 && cardRead
== 0) {
670 LED(selected
+ 1, 0);
674 DbpString("Starting recording");
676 // wait for button to be released
677 while(BUTTON_PRESS())
680 /* need this delay to prevent catching some weird data */
683 CmdHIDdemodFSK(1, &tops
[selected
], &high
[selected
], &low
[selected
], 0);
684 if (tops
[selected
] > 0)
685 Dbprintf("Recorded %x %x%08x%08x", selected
, tops
[selected
], high
[selected
], low
[selected
]);
687 Dbprintf("Recorded %x %x%08x", selected
, high
[selected
], low
[selected
]);
690 LED(selected
+ 1, 0);
691 // Finished recording
693 // If we were previously playing, set playing off
694 // so next button push begins playing what we recorded
699 } else if (button_pressed
> 0 && cardRead
== 1) {
701 LED(selected
+ 1, 0);
705 if (tops
[selected
] > 0)
706 Dbprintf("Cloning %x %x%08x%08x", selected
, tops
[selected
], high
[selected
], low
[selected
]);
708 Dbprintf("Cloning %x %x%08x", selected
, high
[selected
], low
[selected
]);
710 // wait for button to be released
711 while(BUTTON_PRESS())
714 /* need this delay to prevent catching some weird data */
717 CopyHIDtoT55x7(tops
[selected
] & 0x000FFFFF, high
[selected
], low
[selected
], (tops
[selected
] != 0 && ((high
[selected
]& 0xFFFFFFC0) != 0)), 0x1D);
718 if (tops
[selected
] > 0)
719 Dbprintf("Cloned %x %x%08x%08x", selected
, tops
[selected
], high
[selected
], low
[selected
]);
721 Dbprintf("Cloned %x %x%08x", selected
, high
[selected
], low
[selected
]);
724 LED(selected
+ 1, 0);
725 // Finished recording
727 // If we were previously playing, set playing off
728 // so next button push begins playing what we recorded
733 } else if (button_pressed
) {
735 // Change where to record (or begin playing)
736 // Next option if we were previously playing
738 selected
= (selected
+ 1) % OPTS
;
742 LED(selected
+ 1, 0);
744 // Begin transmitting
747 DbpString("Playing");
748 // wait for button to be released
749 while(BUTTON_PRESS())
751 if (tops
[selected
] > 0)
752 Dbprintf("%x %x%08x%08x", selected
, tops
[selected
], high
[selected
], low
[selected
]);
754 Dbprintf("%x %x%08x", selected
, high
[selected
], low
[selected
]);
756 CmdHIDsimTAG(tops
[selected
], high
[selected
], low
[selected
], 0);
757 DbpString("Done playing");
758 if (BUTTON_HELD(1000) > 0) {
759 DbpString("Exiting");
764 /* We pressed a button so ignore it here with a delay */
767 // when done, we're done playing, move to next option
768 selected
= (selected
+ 1) % OPTS
;
771 LED(selected
+ 1, 0);
773 while(BUTTON_PRESS())
783 Listen and detect an external reader. Determine the best location
787 Inside the ListenReaderField() function, there are two modes.
788 By default, when you call the function, you will enter mode 1.
789 If you press the PM3 button one time, you will enter mode 2.
790 If you press the PM3 button a second time, you will exit the function.
792 DESCRIPTION OF MODE 1:
793 This mode just listens for an external reader field and lights up green
794 for HF and/or red for LF. This is the original mode of the detectreader
797 DESCRIPTION OF MODE 2:
798 This mode will visually represent, using the LEDs, the actual strength of the
799 current compared to the maximum current detected. Basically, once you know
800 what kind of external reader is present, it will help you spot the best location to place
801 your antenna. You will probably not get good results if there is an LF and an HF reader
802 at the same place! :-)
// LED pattern per signal-strength bucket for ListenReaderField() mode 2.
// Each entry is a 4-bit mask decoded by that function's display loop:
// bit 0 -> LED C, bit 1 -> LED A, bit 2 -> LED B, bit 3 -> LED D.
// Entry i is shown when the current reading falls in the i-th seventh of the
// maximum seen so far.
static const char LIGHT_SCHEME[] = {
	0x0, /* ---- | No field detected */
	0x1, /* X--- | 14% of maximum current detected */
	0x2, /* -X-- | 29% of maximum current detected */
	0x4, /* --X- | 43% of maximum current detected */
	0x8, /* ---X | 57% of maximum current detected */
	0xC, /* --XX | 71% of maximum current detected */
	0xE, /* -XXX | 86% of maximum current detected */
	0xF, /* XXXX | 100% of maximum current detected */
};

// Number of buckets in LIGHT_SCHEME (the table is a real array here, so the
// sizeof ratio is valid).
static const int LIGHT_LEN = sizeof LIGHT_SCHEME / sizeof LIGHT_SCHEME[0];
819 void ListenReaderField(int limit
) {
820 int lf_av
, lf_av_new
=0, lf_baseline
= 0, lf_max
;
821 int hf_av
, hf_av_new
=0, hf_baseline
= 0, hf_max
;
822 int mode
=1, display_val
, display_max
, i
;
826 #define REPORT_CHANGE_PERCENT 5 // report new values only if they have changed at least by REPORT_CHANGE_PERCENT
827 #define MIN_HF_FIELD 300 // in mode 1 signal HF field greater than MIN_HF_FIELD above baseline
828 #define MIN_LF_FIELD 1200 // in mode 1 signal LF field greater than MIN_LF_FIELD above baseline
831 // switch off FPGA - we don't want to measure our own signal
832 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
833 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
837 lf_av
= lf_max
= AvgAdc_Voltage_LF();
839 if (limit
!= HF_ONLY
) {
840 Dbprintf("LF 125/134kHz Baseline: %dmV", lf_av
);
844 hf_av
= hf_max
= AvgAdc_Voltage_HF();
846 if (limit
!= LF_ONLY
) {
847 Dbprintf("HF 13.56MHz Baseline: %dmV", hf_av
);
853 if (BUTTON_PRESS()) {
857 DbpString("Signal Strength Mode");
861 DbpString("Stopped");
866 while (BUTTON_PRESS())
871 if (limit
!= HF_ONLY
) {
873 if (lf_av
- lf_baseline
> MIN_LF_FIELD
)
879 lf_av_new
= AvgAdc_Voltage_LF();
880 // see if there's a significant change
881 if (ABS((lf_av
- lf_av_new
) * 100 / (lf_av
?lf_av
:1)) > REPORT_CHANGE_PERCENT
) {
882 Dbprintf("LF 125/134kHz Field Change: %5dmV", lf_av_new
);
889 if (limit
!= LF_ONLY
) {
891 if (hf_av
- hf_baseline
> MIN_HF_FIELD
)
897 hf_av_new
= AvgAdc_Voltage_HF();
899 // see if there's a significant change
900 if (ABS((hf_av
- hf_av_new
) * 100 / (hf_av
?hf_av
:1)) > REPORT_CHANGE_PERCENT
) {
901 Dbprintf("HF 13.56MHz Field Change: %5dmV", hf_av_new
);
909 if (limit
== LF_ONLY
) {
911 display_max
= lf_max
;
912 } else if (limit
== HF_ONLY
) {
914 display_max
= hf_max
;
915 } else { /* Pick one at random */
916 if( (hf_max
- hf_baseline
) > (lf_max
- lf_baseline
) ) {
918 display_max
= hf_max
;
921 display_max
= lf_max
;
924 for (i
= 0; i
< LIGHT_LEN
; i
++) {
925 if (display_val
>= (display_max
/ LIGHT_LEN
* i
) && display_val
<= (display_max
/ LIGHT_LEN
* (i
+1))) {
926 if (LIGHT_SCHEME
[i
] & 0x1) LED_C_ON(); else LED_C_OFF();
927 if (LIGHT_SCHEME
[i
] & 0x2) LED_A_ON(); else LED_A_OFF();
928 if (LIGHT_SCHEME
[i
] & 0x4) LED_B_ON(); else LED_B_OFF();
929 if (LIGHT_SCHEME
[i
] & 0x8) LED_D_ON(); else LED_D_OFF();
938 void UsbPacketReceived(UsbCommand
*c
) {
940 // Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
944 case CMD_SET_LF_SAMPLING_CONFIG
:
945 setSamplingConfig(c
->d
.asBytes
);
947 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K
:
948 cmd_send(CMD_ACK
,SampleLF(c
->arg
[0], c
->arg
[1]),0,0,0,0);
950 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K
:
951 ModThenAcquireRawAdcSamples125k(c
->arg
[0],c
->arg
[1],c
->arg
[2],c
->d
.asBytes
);
953 case CMD_LF_SNOOP_RAW_ADC_SAMPLES
:
954 cmd_send(CMD_ACK
,SnoopLF(),0,0,0,0);
956 case CMD_HID_DEMOD_FSK
:
957 CmdHIDdemodFSK(c
->arg
[0], 0, 0, 0, 1);
959 case CMD_HID_SIM_TAG
:
960 CmdHIDsimTAG(c
->arg
[0], c
->arg
[1], c
->arg
[2], 1);
962 case CMD_FSK_SIM_TAG
:
963 CmdFSKsimTAG(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
965 case CMD_ASK_SIM_TAG
:
966 CmdASKsimTag(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
968 case CMD_PSK_SIM_TAG
:
969 CmdPSKsimTag(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
971 case CMD_HID_CLONE_TAG
:
972 CopyHIDtoT55x7(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
[0], 0x1D);
974 case CMD_PARADOX_CLONE_TAG
:
975 // Paradox cards are the same as HID, with a different preamble, so we can reuse the same function
976 CopyHIDtoT55x7(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
[0], 0x0F);
978 case CMD_IO_DEMOD_FSK
:
979 CmdIOdemodFSK(c
->arg
[0], 0, 0, 1);
981 case CMD_IO_CLONE_TAG
:
982 CopyIOtoT55x7(c
->arg
[0], c
->arg
[1]);
984 case CMD_EM410X_DEMOD
:
985 CmdEM410xdemod(c
->arg
[0], 0, 0, 1);
987 case CMD_EM410X_WRITE_TAG
:
988 WriteEM410x(c
->arg
[0], c
->arg
[1], c
->arg
[2]);
990 case CMD_READ_TI_TYPE
:
993 case CMD_WRITE_TI_TYPE
:
994 WriteTItag(c
->arg
[0],c
->arg
[1],c
->arg
[2]);
996 case CMD_SIMULATE_TAG_125K
:
998 SimulateTagLowFrequency(c
->arg
[0], c
->arg
[1], 1);
1001 case CMD_LF_SIMULATE_BIDIR
:
1002 SimulateTagLowFrequencyBidir(c
->arg
[0], c
->arg
[1]);
1004 case CMD_INDALA_CLONE_TAG
:
1005 CopyIndala64toT55x7(c
->arg
[0], c
->arg
[1]);
1007 case CMD_INDALA_CLONE_TAG_L
:
1008 CopyIndala224toT55x7(c
->d
.asDwords
[0], c
->d
.asDwords
[1], c
->d
.asDwords
[2], c
->d
.asDwords
[3], c
->d
.asDwords
[4], c
->d
.asDwords
[5], c
->d
.asDwords
[6]);
1010 case CMD_T55XX_READ_BLOCK
:
1011 T55xxReadBlock(c
->arg
[0], c
->arg
[1], c
->arg
[2]);
1013 case CMD_T55XX_WRITE_BLOCK
:
1014 T55xxWriteBlock(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
[0]);
1016 case CMD_T55XX_WAKEUP
:
1017 T55xxWakeUp(c
->arg
[0]);
1019 case CMD_T55XX_RESET_READ
:
1022 case CMD_PCF7931_READ
:
1025 case CMD_PCF7931_WRITE
:
1026 WritePCF7931(c
->d
.asBytes
[0],c
->d
.asBytes
[1],c
->d
.asBytes
[2],c
->d
.asBytes
[3],c
->d
.asBytes
[4],c
->d
.asBytes
[5],c
->d
.asBytes
[6], c
->d
.asBytes
[9], c
->d
.asBytes
[7]-128,c
->d
.asBytes
[8]-128, c
->arg
[0], c
->arg
[1], c
->arg
[2]);
1028 case CMD_PCF7931_BRUTEFORCE
:
1029 BruteForcePCF7931(c
->arg
[0], (c
->arg
[1] & 0xFF), c
->d
.asBytes
[9], c
->d
.asBytes
[7]-128,c
->d
.asBytes
[8]-128);
1031 case CMD_EM4X_READ_WORD
:
1032 EM4xReadWord(c
->arg
[0], c
->arg
[1],c
->arg
[2]);
1034 case CMD_EM4X_WRITE_WORD
:
1035 EM4xWriteWord(c
->arg
[0], c
->arg
[1], c
->arg
[2]);
1037 case CMD_EM4X_PROTECT
:
1038 EM4xProtect(c
->arg
[0], c
->arg
[1], c
->arg
[2]);
1040 case CMD_AWID_DEMOD_FSK
: // Set realtime AWID demodulation
1041 CmdAWIDdemodFSK(c
->arg
[0], 0, 0, 1);
1043 case CMD_VIKING_CLONE_TAG
:
1044 CopyVikingtoT55xx(c
->arg
[0], c
->arg
[1], c
->arg
[2]);
1052 case CMD_SNOOP_HITAG
: // Eavesdrop Hitag tag, args = type
1053 SnoopHitag(c
->arg
[0]);
1055 case CMD_SIMULATE_HITAG
: // Simulate Hitag tag, args = memory content
1056 SimulateHitagTag((bool)c
->arg
[0], (uint8_t*)c
->d
.asBytes
);
1058 case CMD_READER_HITAG
: // Reader for Hitag tags, args = type and function
1059 ReaderHitag((hitag_function
)c
->arg
[0],(hitag_data
*)c
->d
.asBytes
);
1061 case CMD_SIMULATE_HITAG_S
:// Simulate Hitag s tag, args = memory content
1062 SimulateHitagSTag((bool)c
->arg
[0],(uint8_t*)c
->d
.asBytes
);
1064 case CMD_TEST_HITAGS_TRACES
:// Tests every challenge within the given file
1065 check_challenges_cmd((bool)c
->arg
[0], (uint8_t*)c
->d
.asBytes
, (uint8_t)c
->arg
[1]);
1067 case CMD_READ_HITAG_S
://Reader for only Hitag S tags, args = key or challenge
1068 ReadHitagSCmd((hitag_function
)c
->arg
[0], (hitag_data
*)c
->d
.asBytes
, (uint8_t)c
->arg
[1], (uint8_t)c
->arg
[2], false);
1070 case CMD_READ_HITAG_S_BLK
:
1071 ReadHitagSCmd((hitag_function
)c
->arg
[0], (hitag_data
*)c
->d
.asBytes
, (uint8_t)c
->arg
[1], (uint8_t)c
->arg
[2], true);
1073 case CMD_WR_HITAG_S
://writer for Hitag tags args=data to write,page and key or challenge
1074 if ((hitag_function
)c
->arg
[0] < 10) {
1075 WritePageHitagS((hitag_function
)c
->arg
[0],(hitag_data
*)c
->d
.asBytes
,c
->arg
[2]);
1077 else if ((hitag_function
)c
->arg
[0] >= 10) {
1078 WriterHitag((hitag_function
)c
->arg
[0],(hitag_data
*)c
->d
.asBytes
, c
->arg
[2]);
1083 #ifdef WITH_ISO15693
1084 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693
:
1085 AcquireRawAdcSamplesIso15693();
1088 case CMD_SNOOP_ISO_15693
:
1089 SnoopIso15693(0, NULL
);
1092 case CMD_ISO_15693_COMMAND
:
1093 DirectTag15693Command(c
->arg
[0],c
->arg
[1],c
->arg
[2],c
->d
.asBytes
);
1096 case CMD_ISO_15693_FIND_AFI
:
1097 BruteforceIso15693Afi(c
->arg
[0]);
1100 case CMD_ISO_15693_DEBUG
:
1101 SetDebugIso15693(c
->arg
[0]);
1104 case CMD_READER_ISO_15693
:
1105 ReaderIso15693(c
->arg
[0]);
1108 case CMD_SIMTAG_ISO_15693
:
1109 SimTagIso15693(c
->arg
[0], c
->d
.asBytes
);
1112 case CMD_CSETUID_ISO_15693
:
1113 SetTag15693Uid(c
->d
.asBytes
);
1118 case CMD_SIMULATE_TAG_LEGIC_RF
:
1119 LegicRfSimulate(c
->arg
[0]);
1122 case CMD_WRITER_LEGIC_RF
:
1123 LegicRfWriter(c
->arg
[1], c
->arg
[0]);
1126 case CMD_READER_LEGIC_RF
:
1127 LegicRfReader(c
->arg
[0], c
->arg
[1]);
1131 #ifdef WITH_ISO14443b
1132 case CMD_READ_SRI512_TAG
:
1133 ReadSTMemoryIso14443b(0x0F);
1135 case CMD_READ_SRIX4K_TAG
:
1136 ReadSTMemoryIso14443b(0x7F);
1138 case CMD_SNOOP_ISO_14443B
:
1141 case CMD_SIMULATE_TAG_ISO_14443B
:
1142 SimulateIso14443bTag();
1144 case CMD_ISO_14443B_COMMAND
:
1145 SendRawCommand14443B(c
->arg
[0],c
->arg
[1],c
->arg
[2],c
->d
.asBytes
);
1149 #ifdef WITH_ISO14443a
1150 case CMD_SNOOP_ISO_14443a
:
1151 SnoopIso14443a(c
->arg
[0]);
1153 case CMD_READER_ISO_14443a
:
1156 case CMD_SIMULATE_TAG_ISO_14443a
:
1157 SimulateIso14443aTag(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
); // ## Simulate iso14443a tag - pass tag type & UID
1160 case CMD_EPA_PACE_COLLECT_NONCE
:
1161 EPA_PACE_Collect_Nonce(c
);
1163 case CMD_EPA_PACE_REPLAY
:
1167 case CMD_READER_MIFARE
:
1168 ReaderMifare(c
->arg
[0]);
1170 case CMD_MIFARE_READBL
:
1171 MifareReadBlock(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1173 case CMD_MIFAREU_READBL
:
1174 MifareUReadBlock(c
->arg
[0],c
->arg
[1], c
->d
.asBytes
);
1176 case CMD_MIFAREUC_AUTH
:
1177 MifareUC_Auth(c
->arg
[0],c
->d
.asBytes
);
1179 case CMD_MIFAREU_READCARD
:
1180 MifareUReadCard(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1182 case CMD_MIFAREUC_SETPWD
:
1183 MifareUSetPwd(c
->arg
[0], c
->d
.asBytes
);
1185 case CMD_MIFARE_READSC
:
1186 MifareReadSector(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1188 case CMD_MIFARE_WRITEBL
:
1189 MifareWriteBlock(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1191 case CMD_MIFARE_PERSONALIZE_UID
:
1192 MifarePersonalizeUID(c
->arg
[0], c
->arg
[1], c
->d
.asBytes
);
1194 //case CMD_MIFAREU_WRITEBL_COMPAT:
1195 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1197 case CMD_MIFAREU_WRITEBL
:
1198 MifareUWriteBlock(c
->arg
[0], c
->arg
[1], c
->d
.asBytes
);
1200 case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES
:
1201 MifareAcquireEncryptedNonces(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1203 case CMD_MIFARE_NESTED
:
1204 MifareNested(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1206 case CMD_MIFARE_CHKKEYS
:
1207 MifareChkKeys(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1209 case CMD_SIMULATE_MIFARE_CARD
:
1210 MifareSim(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1214 case CMD_MIFARE_SET_DBGMODE
:
1215 MifareSetDbgLvl(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1217 case CMD_MIFARE_EML_MEMCLR
:
1218 MifareEMemClr(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1220 case CMD_MIFARE_EML_MEMSET
:
1221 MifareEMemSet(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1223 case CMD_MIFARE_EML_MEMGET
:
1224 MifareEMemGet(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1226 case CMD_MIFARE_EML_CARDLOAD
:
1227 MifareECardLoad(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1230 // Work with "magic Chinese" card
1231 case CMD_MIFARE_CWIPE
:
1232 MifareCWipe(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1234 case CMD_MIFARE_CSETBLOCK
:
1235 MifareCSetBlock(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1237 case CMD_MIFARE_CGETBLOCK
:
1238 MifareCGetBlock(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1240 case CMD_MIFARE_CIDENT
:
1245 case CMD_MIFARE_SNIFFER
:
1246 SniffMifare(c
->arg
[0]);
1252 // Makes use of ISO14443a FPGA Firmware
1253 case CMD_SNOOP_ICLASS
:
1254 SnoopIClass(c
->arg
[0], c
->d
.asBytes
);
1256 case CMD_SIMULATE_TAG_ICLASS
:
1257 SimulateIClass(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1259 case CMD_READER_ICLASS
:
1260 ReaderIClass(c
->arg
[0]);
1262 case CMD_ICLASS_EML_MEMSET
:
1263 emlSet(c
->d
.asBytes
,c
->arg
[0], c
->arg
[1]);
1265 case CMD_ICLASS_WRITEBLOCK
:
1266 iClass_WriteBlock(c
->arg
[0], c
->d
.asBytes
);
1268 case CMD_ICLASS_READBLOCK
:
1269 iClass_ReadBlk(c
->arg
[0]);
1271 case CMD_ICLASS_CHECK
:
1272 iClass_Check(c
->d
.asBytes
);
1274 case CMD_ICLASS_READCHECK
:
1275 iClass_Readcheck(c
->arg
[0], c
->arg
[1]);
1277 case CMD_ICLASS_DUMP
:
1278 iClass_Dump(c
->arg
[0], c
->arg
[1]);
1280 case CMD_ICLASS_CLONE
:
1281 iClass_Clone(c
->arg
[0], c
->arg
[1], c
->d
.asBytes
);
1286 case CMD_HF_SNIFFER
:
1287 HfSnoop(c
->arg
[0], c
->arg
[1]);
1294 #ifdef WITH_SMARTCARD
1295 case CMD_SMART_ATR
: {
1299 case CMD_SMART_SETCLOCK
:{
1300 SmartCardSetClock(c
->arg
[0]);
1303 case CMD_SMART_RAW
: {
1304 SmartCardRaw(c
->arg
[0], c
->arg
[1], c
->d
.asBytes
);
1307 case CMD_SMART_UPLOAD
: {
1308 // upload file from client (arg[0] is used as a raw offset into BigBuf for the USB_CMD_DATA_SIZE memcpy below; no range check is visible here)
1309 uint8_t *mem
= BigBuf_get_addr();
1310 memcpy( mem
+ c
->arg
[0], c
->d
.asBytes
, USB_CMD_DATA_SIZE
);
1311 cmd_send(CMD_ACK
,1,0,0,0,0);
1314 case CMD_SMART_UPGRADE
: {
1315 SmartCardUpgrade(c
->arg
[0]);
1320 case CMD_BUFF_CLEAR
:
1324 case CMD_MEASURE_ANTENNA_TUNING
:
1325 MeasureAntennaTuning(c
->arg
[0]);
1328 case CMD_MEASURE_ANTENNA_TUNING_HF
:
1329 MeasureAntennaTuningHf();
1332 case CMD_LISTEN_READER_FIELD
:
1333 ListenReaderField(c
->arg
[0]);
1336 case CMD_FPGA_MAJOR_MODE_OFF
: // ## FPGA Control
1337 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1339 LED_D_OFF(); // LED D indicates field ON or OFF
1342 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K
:
1344 uint8_t *BigBuf
= BigBuf_get_addr();
1345 for(size_t i
=0; i
<c
->arg
[1]; i
+= USB_CMD_DATA_SIZE
) {
1346 size_t len
= MIN((c
->arg
[1] - i
),USB_CMD_DATA_SIZE
);
1347 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K
,i
,len
,BigBuf_get_traceLen(),BigBuf
+c
->arg
[0]+i
,len
);
1349 // Trigger a finish downloading signal with an ACK frame
1350 cmd_send(CMD_ACK
,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config
));
1354 case CMD_DOWNLOADED_SIM_SAMPLES_125K
: {
1355 // iceman: since changing FPGA bitstreams clears BigBuf, it's better to call it before,
1356 // so that this command can be used for uploading data to the device.
1357 // arg1 = 0: upload for LF usage
1358 //        1: upload for HF usage
// Note: arg[0] is used below as a raw offset into BigBuf for a USB_CMD_DATA_SIZE memcpy; no range check is visible here.
1360 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
1362 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
1364 uint8_t *b
= BigBuf_get_addr();
1365 memcpy(b
+c
->arg
[0], c
->d
.asBytes
, USB_CMD_DATA_SIZE
);
1366 cmd_send(CMD_ACK
,0,0,0,0,0);
1373 case CMD_SET_LF_DIVISOR
:
1374 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
1375 FpgaSendCommand(FPGA_CMD_SET_DIVISOR
, c
->arg
[0]);
1378 case CMD_SET_ADC_MUX
:
1380 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD
); break;
1381 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW
); break;
1382 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD
); break;
1383 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW
); break;
1394 cmd_send(CMD_ACK
,0,0,0,0,0);
1404 case CMD_SETUP_WRITE
:
1405 case CMD_FINISH_WRITE
:
1406 case CMD_HARDWARE_RESET
:
1410 AT91C_BASE_RSTC
->RSTC_RCR
= RST_CONTROL_KEY
| AT91C_RSTC_PROCRST
;
1412 // We're going to reset, and the bootrom will take control.
1416 case CMD_START_FLASH
:
1417 if(common_area
.flags
.bootrom_present
) {
1418 common_area
.command
= COMMON_AREA_COMMAND_ENTER_FLASH_MODE
;
1421 AT91C_BASE_RSTC
->RSTC_RCR
= RST_CONTROL_KEY
| AT91C_RSTC_PROCRST
;
1425 case CMD_DEVICE_INFO
: {
1426 uint32_t dev_info
= DEVICE_INFO_FLAG_OSIMAGE_PRESENT
| DEVICE_INFO_FLAG_CURRENT_MODE_OS
;
1427 if(common_area
.flags
.bootrom_present
) dev_info
|= DEVICE_INFO_FLAG_BOOTROM_PRESENT
;
1428 cmd_send_old(CMD_DEVICE_INFO
,dev_info
,0,0,0,0);
1432 Dbprintf("%s: 0x%04x","unknown command:",c
->cmd
);
1438 void __attribute__((noreturn
)) AppMain(void) {
1442 if(common_area
.magic
!= COMMON_AREA_MAGIC
|| common_area
.version
!= 1) {
1443 /* Initialize common area */
1444 memset(&common_area
, 0, sizeof(common_area
));
1445 common_area
.magic
= COMMON_AREA_MAGIC
;
1446 common_area
.version
= 1;
1448 common_area
.flags
.osimage_present
= 1;
1455 // The FPGA gets its clock from us from PCK0 output, so set that up.
1456 AT91C_BASE_PIOA
->PIO_BSR
= GPIO_PCK0
;
1457 AT91C_BASE_PIOA
->PIO_PDR
= GPIO_PCK0
;
1458 AT91C_BASE_PMC
->PMC_SCER
= AT91C_PMC_PCK0
;
1459 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1460 AT91C_BASE_PMC
->PMC_PCKR
[0] = AT91C_PMC_CSS_PLL_CLK
|
1461 AT91C_PMC_PRES_CLK_4
; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
1462 AT91C_BASE_PIOA
->PIO_OER
= GPIO_PCK0
;
1465 AT91C_BASE_SPI
->SPI_CR
= AT91C_SPI_SWRST
;
1467 AT91C_BASE_SSC
->SSC_CR
= AT91C_SSC_SWRST
;
1469 // Load the FPGA image, which we have stored in our flash.
1470 // (the HF version by default)
1471 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
1483 if (cmd_receive(&rx
)) {
1484 UsbPacketReceived(&rx
);
1486 #if defined(WITH_LF_StandAlone) && !defined(WITH_ISO14443a_StandAlone)
1487 if (BUTTON_HELD(1000) > 0)
1490 #if defined(WITH_ISO14443a) && defined(WITH_ISO14443a_StandAlone)
1491 if (BUTTON_HELD(1000) > 0)
1492 StandAloneMode14a();