]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/appmain.c
started fixing the paritiy == 0 special attack against chinese clones with bad prng...
[proxmark3-svn] / armsrc / appmain.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, Mar 2006
3 // Edits by Gerhard de Koning Gans, Sep 2007 (##)
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // The main application code. This is the first thing called after start.c
10 // executes.
11 //-----------------------------------------------------------------------------
12 #include "usb_cdc.h"
13 #include "cmd.h"
14 #include "proxmark3.h"
15 #include "apps.h"
16 #include "util.h"
17 #include "printf.h"
18 #include "string.h"
19 #include <stdarg.h>
20 #include "legicrf.h"
21 #include "hitag2.h"
22 #include "hitagS.h"
23 #include "lfsampling.h"
24 #include "BigBuf.h"
25 #include "mifareutil.h"
26 #include "pcf7931.h"
27
28 #ifdef WITH_LCD
29 #include "LCD.h"
30 #endif
31
32 // Craig Young - 14a stand-alone code
33 #ifdef WITH_ISO14443a_StandAlone
34 #include "iso14443a.h"
35 #include "protocols.h"
36 #endif
37
38 //=============================================================================
39 // A buffer where we can queue things up to be sent through the FPGA, for
40 // any purpose (fake tag, as reader, whatever). We go MSB first, since that
41 // is the order in which they go out on the wire.
42 //=============================================================================
43
44 #define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
45 uint8_t ToSend[TOSEND_BUFFER_SIZE];
46 int ToSendMax = 0;
47 static int ToSendBit;
48 struct common_area common_area __attribute__((section(".commonarea")));
49
50 void ToSendReset(void)
51 {
52 ToSendMax = -1;
53 ToSendBit = 8;
54 }
55
56 void ToSendStuffBit(int b) {
57 if(ToSendBit >= 8) {
58 ++ToSendMax;
59 ToSend[ToSendMax] = 0;
60 ToSendBit = 0;
61 }
62
63 if(b)
64 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
65
66 ++ToSendBit;
67
68 if(ToSendMax >= sizeof(ToSend)) {
69 ToSendBit = 0;
70 DbpString("ToSendStuffBit overflowed!");
71 }
72 }
73
74 void PrintToSendBuffer(void){
75 DbpString("Printing ToSendBuffer:");
76 Dbhexdump(ToSendMax, ToSend, 0);
77 }
78
79 //=============================================================================
80 // Debug print functions, to go out over USB, to the usual PC-side client.
81 //=============================================================================
82
83 void DbpStringEx(char *str, uint32_t cmd){
84 byte_t len = strlen(str);
85 cmd_send(CMD_DEBUG_PRINT_STRING,len, cmd,0,(byte_t*)str,len);
86 }
87
88 void DbpString(char *str) {
89 DbpStringEx(str, 0);
90 }
91
92 #if 0
93 void DbpIntegers(int x1, int x2, int x3) {
94 cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
95 }
96 #endif
97 void DbprintfEx(uint32_t cmd, const char *fmt, ...) {
98 // should probably limit size here; oh well, let's just use a big buffer
99 char output_string[128] = {0x00};
100 va_list ap;
101
102 va_start(ap, fmt);
103 kvsprintf(fmt, output_string, 10, ap);
104 va_end(ap);
105
106 DbpStringEx(output_string, cmd);
107 }
108
109 void Dbprintf(const char *fmt, ...) {
110 // should probably limit size here; oh well, let's just use a big buffer
111 char output_string[128] = {0x00};
112 va_list ap;
113
114 va_start(ap, fmt);
115 kvsprintf(fmt, output_string, 10, ap);
116 va_end(ap);
117
118 DbpString(output_string);
119 }
120
121 // prints HEX & ASCII
122 void Dbhexdump(int len, uint8_t *d, bool bAsci) {
123 int l=0, i;
124 char ascii[9];
125
126 while (len>0) {
127
128 l = (len>8) ? 8 : len;
129
130 memcpy(ascii,d,l);
131 ascii[l]=0;
132
133 // filter safe ascii
134 for (i=0; i<l; ++i)
135 if (ascii[i]<32 || ascii[i]>126) ascii[i]='.';
136
137 if (bAsci)
138 Dbprintf("%-8s %*D",ascii,l,d," ");
139 else
140 Dbprintf("%*D",l,d," ");
141
142 len -= 8;
143 d += 8;
144 }
145 }
146
147 //-----------------------------------------------------------------------------
148 // Read an ADC channel and block till it completes, then return the result
149 // in ADC units (0 to 1023). Also a routine to average 32 samples and
150 // return that.
151 //-----------------------------------------------------------------------------
152 static int ReadAdc(int ch)
153 {
154 uint32_t d;
155
156 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
157 AT91C_BASE_ADC->ADC_MR =
158 ADC_MODE_PRESCALE(63 /* was 32 */) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
159 ADC_MODE_STARTUP_TIME(1 /* was 16 */) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
160 ADC_MODE_SAMPLE_HOLD_TIME(15 /* was 8 */); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
161
162 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
163 // Both AMPL_LO and AMPL_HI are very high impedance (10MOhm) outputs, the input capacitance of the ADC is 12pF (typical). This results in a time constant
164 // of RC = 10MOhm * 12pF = 120us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
165 //
166 // The maths are:
167 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
168 //
169 // v_cap = v_in * (1 - exp(-RC/SHTIM)) = v_in * (1 - exp(-3)) = v_in * 0,95 (i.e. an error of 5%)
170 //
171 // Note: with the "historic" values in the comments above, the error was 34% !!!
172
173 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
174
175 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
176
177 while (!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch))) ;
178
179 d = AT91C_BASE_ADC->ADC_CDR[ch];
180 return d;
181 }
182
183 int AvgAdc(int ch) // was static - merlok
184 {
185 int i;
186 int a = 0;
187
188 for(i = 0; i < 32; ++i)
189 a += ReadAdc(ch);
190
191 return (a + 15) >> 5;
192 }
193
194 void MeasureAntennaTuning(void) {
195 uint8_t LF_Results[256];
196 int i, adcval = 0, peak = 0, peakv = 0, peakf = 0; //ptr = 0
197 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
198
199 LED_B_ON();
200
201 /*
202 * Sweeps the useful LF range of the proxmark from
203 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
204 * read the voltage in the antenna, the result left
205 * in the buffer is a graph which should clearly show
206 * the resonating frequency of your LF antenna
207 * ( hopefully around 95 if it is tuned to 125kHz!)
208 */
209
210 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
211 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
212
213 for (i=255; i>=19; i--) {
214 WDT_HIT();
215 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
216 SpinDelay(20);
217 adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
218 if (i==95) vLf125 = adcval; // voltage at 125Khz
219 if (i==89) vLf134 = adcval; // voltage at 134Khz
220
221 LF_Results[i] = adcval>>8; // scale int to fit in byte for graphing purposes
222 if(LF_Results[i] > peak) {
223 peakv = adcval;
224 peak = LF_Results[i];
225 peakf = i;
226 //ptr = i;
227 }
228 }
229
230 for (i=18; i >= 0; i--) LF_Results[i] = 0;
231
232 LED_A_ON();
233 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
234 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
235 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
236 SpinDelay(20);
237 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
238
239 cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125 | (vLf134<<16), vHf, peakf | (peakv<<16), LF_Results, 256);
240 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
241
242 LEDsoff();
243 }
244
245 void MeasureAntennaTuningHf(void) {
246 int vHf = 0; // in mV
247 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
248 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
249 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
250
251 while ( !BUTTON_PRESS() ){
252 SpinDelay(20);
253 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
254 //Dbprintf("%d mV",vHf);
255 DbprintfEx(CMD_MEASURE_ANTENNA_TUNING_HF, "%d mV",vHf);
256 }
257 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
258 DbpString("cancelled");
259 }
260
261
262 void ReadMem(int addr) {
263 const uint8_t *data = ((uint8_t *)addr);
264
265 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
266 addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
267 }
268
269 /* osimage version information is linked in */
270 extern struct version_information version_information;
271 /* bootrom version information is pointed to from _bootphase1_version_pointer */
272 extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
273 void SendVersion(void)
274 {
275 char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
276 char VersionString[USB_CMD_DATA_SIZE] = { '\0' };
277
278 /* Try to find the bootrom version information. Expect to find a pointer at
279 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
280 * pointer, then use it.
281 */
282 char *bootrom_version = *(char**)&_bootphase1_version_pointer;
283
284 if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
285 strcat(VersionString, "bootrom version information appears invalid\n");
286 } else {
287 FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
288 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
289 }
290
291 FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
292 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
293
294 FpgaGatherVersion(FPGA_BITSTREAM_LF, temp, sizeof(temp));
295 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
296
297 FpgaGatherVersion(FPGA_BITSTREAM_HF, temp, sizeof(temp));
298 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
299
300 // Send Chip ID and used flash memory
301 uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
302 uint32_t compressed_data_section_size = common_area.arg1;
303 cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, 0, VersionString, strlen(VersionString));
304 }
305
306 // measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
307 // Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
308 void printUSBSpeed(void)
309 {
310 Dbprintf("USB Speed:");
311 Dbprintf(" Sending USB packets to client...");
312
313 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
314 uint8_t *test_data = BigBuf_get_addr();
315 uint32_t end_time;
316
317 uint32_t start_time = end_time = GetTickCount();
318 uint32_t bytes_transferred = 0;
319
320 LED_B_ON();
321 while(end_time < start_time + USB_SPEED_TEST_MIN_TIME) {
322 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE);
323 end_time = GetTickCount();
324 bytes_transferred += USB_CMD_DATA_SIZE;
325 }
326 LED_B_OFF();
327
328 Dbprintf(" Time elapsed: %dms", end_time - start_time);
329 Dbprintf(" Bytes transferred: %d", bytes_transferred);
330 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
331 1000 * bytes_transferred / (end_time - start_time));
332
333 }
334
335 /**
336 * Prints runtime information about the PM3.
337 **/
338 void SendStatus(void) {
339 BigBuf_print_status();
340 Fpga_print_status();
341 printConfig(); //LF Sampling config
342 printUSBSpeed();
343 Dbprintf("Various");
344 Dbprintf(" MF_DBGLEVEL........%d", MF_DBGLEVEL);
345 Dbprintf(" ToSendMax..........%d", ToSendMax);
346 Dbprintf(" ToSendBit..........%d", ToSendBit);
347 Dbprintf(" ToSend BUFFERSIZE..%d", TOSEND_BUFFER_SIZE);
348
349 cmd_send(CMD_ACK,1,0,0,0,0);
350 }
351
352 #if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF)
353
354 #define OPTS 2
355 void StandAloneMode()
356 {
357 DbpString("Stand-alone mode! No PC necessary.");
358 // Oooh pretty -- notify user we're in elite samy mode now
359 LED(LED_RED, 200);
360 LED(LED_ORANGE, 200);
361 LED(LED_GREEN, 200);
362 LED(LED_ORANGE, 200);
363 LED(LED_RED, 200);
364 LED(LED_ORANGE, 200);
365 LED(LED_GREEN, 200);
366 LED(LED_ORANGE, 200);
367 LED(LED_RED, 200);
368 }
369 #endif
370
371 #ifdef WITH_ISO14443a_StandAlone
372 void StandAloneMode14a()
373 {
374 StandAloneMode();
375 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
376
377 int selected = 0;
378 int playing = 0, iGotoRecord = 0, iGotoClone = 0;
379 int cardRead[OPTS] = {0};
380 uint8_t readUID[10] = {0};
381 uint32_t uid_1st[OPTS]={0};
382 uint32_t uid_2nd[OPTS]={0};
383 uint32_t uid_tmp1 = 0;
384 uint32_t uid_tmp2 = 0;
385 iso14a_card_select_t hi14a_card[OPTS];
386
387 uint8_t params = (MAGIC_SINGLE | MAGIC_DATAIN);
388
389 LED(selected + 1, 0);
390
391 for (;;)
392 {
393 usb_poll();
394 WDT_HIT();
395 SpinDelay(300);
396
397 if (iGotoRecord == 1 || cardRead[selected] == 0)
398 {
399 iGotoRecord = 0;
400 LEDsoff();
401 LED(selected + 1, 0);
402 LED(LED_RED2, 0);
403
404 // record
405 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected);
406 /* need this delay to prevent catching some weird data */
407 SpinDelay(500);
408 /* Code for reading from 14a tag */
409 uint8_t uid[10] = {0};
410 uint32_t cuid = 0;
411 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
412
413 for ( ; ; )
414 {
415 WDT_HIT();
416 if (BUTTON_PRESS()) {
417 if (cardRead[selected]) {
418 Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
419 break;
420 }
421 else if (cardRead[(selected+1)%OPTS]) {
422 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS);
423 selected = (selected+1)%OPTS;
424 break; // playing = 1;
425 }
426 else {
427 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
428 SpinDelay(300);
429 }
430 }
431 if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid, true, 0))
432 continue;
433 else
434 {
435 Dbprintf("Read UID:"); Dbhexdump(10,uid,0);
436 memcpy(readUID,uid,10*sizeof(uint8_t));
437 uint8_t *dst = (uint8_t *)&uid_tmp1;
438 // Set UID byte order
439 for (int i=0; i<4; i++)
440 dst[i] = uid[3-i];
441 dst = (uint8_t *)&uid_tmp2;
442 for (int i=0; i<4; i++)
443 dst[i] = uid[7-i];
444 if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) {
445 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
446 }
447 else {
448 if (uid_tmp2) {
449 Dbprintf("Bank[%d] received a 7-byte UID",selected);
450 uid_1st[selected] = (uid_tmp1)>>8;
451 uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8);
452 }
453 else {
454 Dbprintf("Bank[%d] received a 4-byte UID",selected);
455 uid_1st[selected] = uid_tmp1;
456 uid_2nd[selected] = uid_tmp2;
457 }
458 break;
459 }
460 }
461 }
462 Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]);
463 Dbprintf("SAK = %02X",hi14a_card[selected].sak);
464 LEDsoff();
465 LED(LED_GREEN, 200);
466 LED(LED_ORANGE, 200);
467 LED(LED_GREEN, 200);
468 LED(LED_ORANGE, 200);
469
470 LEDsoff();
471 LED(selected + 1, 0);
472
473 // Next state is replay:
474 playing = 1;
475
476 cardRead[selected] = 1;
477 }
478 /* MF Classic UID clone */
479 else if (iGotoClone==1)
480 {
481 iGotoClone=0;
482 LEDsoff();
483 LED(selected + 1, 0);
484 LED(LED_ORANGE, 250);
485
486 // record
487 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]);
488
489 // wait for button to be released
490 // Delay cloning until card is in place
491 while(BUTTON_PRESS())
492 WDT_HIT();
493
494 Dbprintf("Starting clone. [Bank: %u]", selected);
495 // need this delay to prevent catching some weird data
496 SpinDelay(500);
497 // Begin clone function here:
498 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
499 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {params & (0xFE | (uid == NULL ? 0:1)), blockNo, 0}};
500 memcpy(c.d.asBytes, data, 16);
501 SendCommand(&c);
502
503 Block read is similar:
504 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, blockNo, 0}};
505 We need to imitate that call with blockNo 0 to set a uid.
506
507 The get and set commands are handled in this file:
508 // Work with "magic Chinese" card
509 case CMD_MIFARE_CSETBLOCK:
510 MifareCSetBlock(c->arg[0], c->arg[1], c->d.asBytes);
511 break;
512 case CMD_MIFARE_CGETBLOCK:
513 MifareCGetBlock(c->arg[0], c->arg[1], c->d.asBytes);
514 break;
515
516 mfCSetUID provides example logic for UID set workflow:
517 -Read block0 from card in field with MifareCGetBlock()
518 -Configure new values without replacing reserved bytes
519 memcpy(block0, uid, 4); // Copy UID bytes from byte array
520 // Mifare UID BCC
521 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
522 Bytes 5-7 are reserved SAK and ATQA for mifare classic
523 -Use mfCSetBlock(0, block0, oldUID, wantWipe, MAGIC_SINGLE) to write it
524 */
525 uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0};
526 // arg0 = Flags, arg1=blockNo
527 MifareCGetBlock(params, 0, oldBlock0);
528 if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
529 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
530 playing = 1;
531 }
532 else {
533 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]);
534 memcpy(newBlock0,oldBlock0,16);
535 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
536
537 newBlock0[0] = uid_1st[selected]>>24;
538 newBlock0[1] = 0xFF & (uid_1st[selected]>>16);
539 newBlock0[2] = 0xFF & (uid_1st[selected]>>8);
540 newBlock0[3] = 0xFF & (uid_1st[selected]);
541 newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3];
542
543 // arg0 = workFlags, arg1 = blockNo, datain
544 MifareCSetBlock(params, 0, newBlock0);
545 MifareCGetBlock(params, 0, testBlock0);
546
547 if (memcmp(testBlock0, newBlock0, 16)==0) {
548 DbpString("Cloned successfull!");
549 cardRead[selected] = 0; // Only if the card was cloned successfully should we clear it
550 playing = 0;
551 iGotoRecord = 1;
552 selected = (selected + 1) % OPTS;
553 } else {
554 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
555 playing = 1;
556 }
557 }
558 LEDsoff();
559 LED(selected + 1, 0);
560 }
561 // Change where to record (or begin playing)
562 else if (playing==1) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
563 {
564 LEDsoff();
565 LED(selected + 1, 0);
566
567 // Begin transmitting
568 if (playing)
569 {
570 LED(LED_GREEN, 0);
571 DbpString("Playing");
572 for ( ; ; ) {
573 WDT_HIT();
574 int button_action = BUTTON_HELD(1000);
575 if (button_action == 0) { // No button action, proceed with sim
576 uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break
577 uint8_t flags = ( uid_2nd[selected] > 0x00 ) ? FLAG_7B_UID_IN_DATA : FLAG_4B_UID_IN_DATA;
578 num_to_bytes(uid_1st[selected], 3, data);
579 num_to_bytes(uid_2nd[selected], 4, data);
580
581 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected);
582 if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) {
583 DbpString("Mifare Classic");
584 SimulateIso14443aTag(1, flags, data); // Mifare Classic
585 }
586 else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) {
587 DbpString("Mifare Ultralight");
588 SimulateIso14443aTag(2, flags, data); // Mifare Ultralight
589 }
590 else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) {
591 DbpString("Mifare DESFire");
592 SimulateIso14443aTag(3, flags, data); // Mifare DESFire
593 }
594 else {
595 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
596 SimulateIso14443aTag(1, flags, data);
597 }
598 }
599 else if (button_action == BUTTON_SINGLE_CLICK) {
600 selected = (selected + 1) % OPTS;
601 Dbprintf("Done playing. Switching to record mode on bank %d",selected);
602 iGotoRecord = 1;
603 break;
604 }
605 else if (button_action == BUTTON_HOLD) {
606 Dbprintf("Playtime over. Begin cloning...");
607 iGotoClone = 1;
608 break;
609 }
610 WDT_HIT();
611 }
612
613 /* We pressed a button so ignore it here with a delay */
614 SpinDelay(300);
615 LEDsoff();
616 LED(selected + 1, 0);
617 }
618 else
619 while(BUTTON_PRESS())
620 WDT_HIT();
621 }
622 }
623 }
624 #elif WITH_LF
625 // samy's sniff and repeat routine
626 void SamyRun()
627 {
628 StandAloneMode();
629 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
630
631 int high[OPTS], low[OPTS];
632 int selected = 0;
633 int playing = 0;
634 int cardRead = 0;
635
636 // Turn on selected LED
637 LED(selected + 1, 0);
638
639 for (;;) {
640 usb_poll();
641 WDT_HIT();
642
643 // Was our button held down or pressed?
644 int button_pressed = BUTTON_HELD(1000);
645 SpinDelay(300);
646
647 // Button was held for a second, begin recording
648 if (button_pressed > 0 && cardRead == 0)
649 {
650 LEDsoff();
651 LED(selected + 1, 0);
652 LED(LED_RED2, 0);
653
654 // record
655 DbpString("Starting recording");
656
657 // wait for button to be released
658 while(BUTTON_PRESS())
659 WDT_HIT();
660
661 /* need this delay to prevent catching some weird data */
662 SpinDelay(500);
663
664 CmdHIDdemodFSK(1, &high[selected], &low[selected], 0);
665 Dbprintf("Recorded %x %x %08x", selected, high[selected], low[selected]);
666
667 LEDsoff();
668 LED(selected + 1, 0);
669 // Finished recording
670 // If we were previously playing, set playing off
671 // so next button push begins playing what we recorded
672 playing = 0;
673 cardRead = 1;
674 }
675 else if (button_pressed > 0 && cardRead == 1) {
676 LEDsoff();
677 LED(selected + 1, 0);
678 LED(LED_ORANGE, 0);
679
680 // record
681 Dbprintf("Cloning %x %x %08x", selected, high[selected], low[selected]);
682
683 // wait for button to be released
684 while(BUTTON_PRESS())
685 WDT_HIT();
686
687 /* need this delay to prevent catching some weird data */
688 SpinDelay(500);
689
690 CopyHIDtoT55x7(0, high[selected], low[selected], 0);
691 Dbprintf("Cloned %x %x %08x", selected, high[selected], low[selected]);
692
693 LEDsoff();
694 LED(selected + 1, 0);
695 // Finished recording
696
697 // If we were previously playing, set playing off
698 // so next button push begins playing what we recorded
699 playing = 0;
700 cardRead = 0;
701 }
702
703 // Change where to record (or begin playing)
704 else if (button_pressed) {
705 // Next option if we were previously playing
706 if (playing)
707 selected = (selected + 1) % OPTS;
708 playing = !playing;
709
710 LEDsoff();
711 LED(selected + 1, 0);
712
713 // Begin transmitting
714 if (playing)
715 {
716 LED(LED_GREEN, 0);
717 DbpString("Playing");
718 // wait for button to be released
719 while(BUTTON_PRESS())
720 WDT_HIT();
721
722 Dbprintf("%x %x %08x", selected, high[selected], low[selected]);
723 CmdHIDsimTAG(high[selected], low[selected], 0);
724 DbpString("Done playing");
725
726 if (BUTTON_HELD(1000) > 0) {
727 DbpString("Exiting");
728 LEDsoff();
729 return;
730 }
731
732 /* We pressed a button so ignore it here with a delay */
733 SpinDelay(300);
734
735 // when done, we're done playing, move to next option
736 selected = (selected + 1) % OPTS;
737 playing = !playing;
738 LEDsoff();
739 LED(selected + 1, 0);
740 }
741 else
742 while(BUTTON_PRESS())
743 WDT_HIT();
744 }
745 }
746 }
747
748 #endif
749 /*
750 OBJECTIVE
751 Listen and detect an external reader. Determine the best location
752 for the antenna.
753
754 INSTRUCTIONS:
755 Inside the ListenReaderField() function, there is two mode.
756 By default, when you call the function, you will enter mode 1.
757 If you press the PM3 button one time, you will enter mode 2.
758 If you press the PM3 button a second time, you will exit the function.
759
760 DESCRIPTION OF MODE 1:
761 This mode just listens for an external reader field and lights up green
762 for HF and/or red for LF. This is the original mode of the detectreader
763 function.
764
765 DESCRIPTION OF MODE 2:
766 This mode will visually represent, using the LEDs, the actual strength of the
767 current compared to the maximum current detected. Basically, once you know
768 what kind of external reader is present, it will help you spot the best location to place
769 your antenna. You will probably not get some good results if there is a LF and a HF reader
770 at the same place! :-)
771
772 LIGHT SCHEME USED:
773 */
774 static const char LIGHT_SCHEME[] = {
775 0x0, /* ---- | No field detected */
776 0x1, /* X--- | 14% of maximum current detected */
777 0x2, /* -X-- | 29% of maximum current detected */
778 0x4, /* --X- | 43% of maximum current detected */
779 0x8, /* ---X | 57% of maximum current detected */
780 0xC, /* --XX | 71% of maximum current detected */
781 0xE, /* -XXX | 86% of maximum current detected */
782 0xF, /* XXXX | 100% of maximum current detected */
783 };
784 static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
785
786 void ListenReaderField(int limit) {
787 #define LF_ONLY 1
788 #define HF_ONLY 2
789 #define REPORT_CHANGE 10 // report new values only if they have changed at least by REPORT_CHANGE
790
791 int lf_av, lf_av_new, lf_baseline= 0, lf_max;
792 int hf_av, hf_av_new, hf_baseline= 0, hf_max;
793 int mode=1, display_val, display_max, i;
794
795 // switch off FPGA - we don't want to measure our own signal
796 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
797 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
798
799 LEDsoff();
800
801 lf_av = lf_max = AvgAdc(ADC_CHAN_LF);
802
803 if(limit != HF_ONLY) {
804 Dbprintf("LF 125/134kHz Baseline: %dmV", (MAX_ADC_LF_VOLTAGE * lf_av) >> 10);
805 lf_baseline = lf_av;
806 }
807
808 hf_av = hf_max = AvgAdc(ADC_CHAN_HF);
809
810 if (limit != LF_ONLY) {
811 Dbprintf("HF 13.56MHz Baseline: %dmV", (MAX_ADC_HF_VOLTAGE * hf_av) >> 10);
812 hf_baseline = hf_av;
813 }
814
815 for(;;) {
816 if (BUTTON_PRESS()) {
817 SpinDelay(500);
818 switch (mode) {
819 case 1:
820 mode=2;
821 DbpString("Signal Strength Mode");
822 break;
823 case 2:
824 default:
825 DbpString("Stopped");
826 LEDsoff();
827 return;
828 break;
829 }
830 }
831 WDT_HIT();
832
833 if (limit != HF_ONLY) {
834 if(mode == 1) {
835 if (ABS(lf_av - lf_baseline) > REPORT_CHANGE)
836 LED_D_ON();
837 else
838 LED_D_OFF();
839 }
840
841 lf_av_new = AvgAdc(ADC_CHAN_LF);
842 // see if there's a significant change
843 if(ABS(lf_av - lf_av_new) > REPORT_CHANGE) {
844 Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE * lf_av_new) >> 10);
845 lf_av = lf_av_new;
846 if (lf_av > lf_max)
847 lf_max = lf_av;
848 }
849 }
850
851 if (limit != LF_ONLY) {
852 if (mode == 1){
853 if (ABS(hf_av - hf_baseline) > REPORT_CHANGE)
854 LED_B_ON();
855 else
856 LED_B_OFF();
857 }
858
859 hf_av_new = AvgAdc(ADC_CHAN_HF);
860 // see if there's a significant change
861 if(ABS(hf_av - hf_av_new) > REPORT_CHANGE) {
862 Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE * hf_av_new) >> 10);
863 hf_av = hf_av_new;
864 if (hf_av > hf_max)
865 hf_max = hf_av;
866 }
867 }
868
869 if(mode == 2) {
870 if (limit == LF_ONLY) {
871 display_val = lf_av;
872 display_max = lf_max;
873 } else if (limit == HF_ONLY) {
874 display_val = hf_av;
875 display_max = hf_max;
876 } else { /* Pick one at random */
877 if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
878 display_val = hf_av;
879 display_max = hf_max;
880 } else {
881 display_val = lf_av;
882 display_max = lf_max;
883 }
884 }
885 for (i=0; i<LIGHT_LEN; i++) {
886 if (display_val >= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) {
887 if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF();
888 if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF();
889 if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF();
890 if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF();
891 break;
892 }
893 }
894 }
895 }
896 }
897
898 void UsbPacketReceived(uint8_t *packet, int len)
899 {
900 UsbCommand *c = (UsbCommand *)packet;
901
902 //Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
903
904 switch(c->cmd) {
905 #ifdef WITH_LF
906 case CMD_SET_LF_SAMPLING_CONFIG:
907 setSamplingConfig((sample_config *) c->d.asBytes);
908 break;
909 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
910 cmd_send(CMD_ACK, SampleLF(c->arg[0]),0,0,0,0);
911 break;
912 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
913 ModThenAcquireRawAdcSamples125k(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
914 break;
915 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
916 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
917 break;
918 case CMD_HID_DEMOD_FSK:
919 CmdHIDdemodFSK(c->arg[0], 0, 0, 1);
920 break;
921 case CMD_HID_SIM_TAG:
922 CmdHIDsimTAG(c->arg[0], c->arg[1], 1);
923 break;
924 case CMD_FSK_SIM_TAG:
925 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
926 break;
927 case CMD_ASK_SIM_TAG:
928 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
929 break;
930 case CMD_PSK_SIM_TAG:
931 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
932 break;
933 case CMD_HID_CLONE_TAG:
934 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
935 break;
936 case CMD_IO_DEMOD_FSK:
937 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
938 break;
939 case CMD_IO_CLONE_TAG:
940 CopyIOtoT55x7(c->arg[0], c->arg[1]);
941 break;
942 case CMD_EM410X_DEMOD:
943 CmdEM410xdemod(c->arg[0], 0, 0, 1);
944 break;
945 case CMD_EM410X_WRITE_TAG:
946 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
947 break;
948 case CMD_READ_TI_TYPE:
949 ReadTItag();
950 break;
951 case CMD_WRITE_TI_TYPE:
952 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
953 break;
954 case CMD_SIMULATE_TAG_125K:
955 LED_A_ON();
956 SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
957 LED_A_OFF();
958 break;
959 case CMD_LF_SIMULATE_BIDIR:
960 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
961 break;
962 case CMD_INDALA_CLONE_TAG:
963 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
964 break;
965 case CMD_INDALA_CLONE_TAG_L:
966 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
967 break;
968 case CMD_T55XX_READ_BLOCK:
969 T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
970 break;
971 case CMD_T55XX_WRITE_BLOCK:
972 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
973 break;
974 case CMD_T55XX_WAKEUP:
975 T55xxWakeUp(c->arg[0]);
976 break;
977 case CMD_T55XX_RESET_READ:
978 T55xxResetRead();
979 break;
980 case CMD_PCF7931_READ:
981 ReadPCF7931();
982 break;
983 case CMD_PCF7931_WRITE:
984 WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
985 break;
986 case CMD_EM4X_READ_WORD:
987 EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]);
988 break;
989 case CMD_EM4X_WRITE_WORD:
990 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
991 break;
992 case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
993 CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
994 break;
995 case CMD_VIKING_CLONE_TAG:
996 CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
997 break;
998 #endif
999
1000 #ifdef WITH_HITAG
1001 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
1002 SnoopHitag(c->arg[0]);
1003 break;
1004 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
1005 SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1006 break;
1007 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
1008 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1009 break;
1010 case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content
1011 SimulateHitagSTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1012 break;
1013 case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file
1014 check_challenges((bool)c->arg[0],(byte_t*)c->d.asBytes);
1015 break;
1016 case CMD_READ_HITAG_S: //Reader for only Hitag S tags, args = key or challenge
1017 ReadHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1018 break;
1019 case CMD_WR_HITAG_S: //writer for Hitag tags args=data to write,page and key or challenge
1020 WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]);
1021 break;
1022 #endif
1023
1024 #ifdef WITH_ISO15693
1025 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
1026 AcquireRawAdcSamplesIso15693();
1027 break;
1028 case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693:
1029 RecordRawAdcSamplesIso15693();
1030 break;
1031
1032 case CMD_ISO_15693_COMMAND:
1033 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1034 break;
1035
1036 case CMD_ISO_15693_FIND_AFI:
1037 BruteforceIso15693Afi(c->arg[0]);
1038 break;
1039
1040 case CMD_ISO_15693_DEBUG:
1041 SetDebugIso15693(c->arg[0]);
1042 break;
1043
1044 case CMD_READER_ISO_15693:
1045 ReaderIso15693(c->arg[0]);
1046 break;
1047 case CMD_SIMTAG_ISO_15693:
1048 SimTagIso15693(c->arg[0], c->d.asBytes);
1049 break;
1050 #endif
1051
1052 #ifdef WITH_LEGICRF
1053 case CMD_SIMULATE_TAG_LEGIC_RF:
1054 LegicRfSimulate(c->arg[0], c->arg[1], c->arg[2]);
1055 break;
1056
1057 case CMD_WRITER_LEGIC_RF:
1058 LegicRfWriter(c->arg[1], c->arg[0]);
1059 break;
1060
1061 case CMD_RAW_WRITER_LEGIC_RF:
1062 LegicRfRawWriter(c->arg[0], c->arg[1]);
1063 break;
1064
1065 case CMD_READER_LEGIC_RF:
1066 LegicRfReader(c->arg[0], c->arg[1]);
1067 break;
1068 #endif
1069
1070 #ifdef WITH_ISO14443b
1071 case CMD_READ_SRI_TAG:
1072 ReadSTMemoryIso14443b(c->arg[0]);
1073 break;
1074 case CMD_SNOOP_ISO_14443B:
1075 SnoopIso14443b();
1076 break;
1077 case CMD_SIMULATE_TAG_ISO_14443B:
1078 SimulateIso14443bTag(c->arg[0]);
1079 break;
1080 case CMD_ISO_14443B_COMMAND:
1081 //SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1082 SendRawCommand14443B_Ex(c);
1083 break;
1084 #endif
1085
1086 #ifdef WITH_ISO14443a
1087 case CMD_SNOOP_ISO_14443a:
1088 SniffIso14443a(c->arg[0]);
1089 break;
1090 case CMD_READER_ISO_14443a:
1091 ReaderIso14443a(c);
1092 break;
1093 case CMD_SIMULATE_TAG_ISO_14443a:
1094 SimulateIso14443aTag(c->arg[0], c->arg[1], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
1095 break;
1096 case CMD_EPA_PACE_COLLECT_NONCE:
1097 EPA_PACE_Collect_Nonce(c);
1098 break;
1099 case CMD_EPA_PACE_REPLAY:
1100 EPA_PACE_Replay(c);
1101 break;
1102 case CMD_READER_MIFARE:
1103 ReaderMifare(c->arg[0], c->arg[1], c->arg[2]);
1104 break;
1105 case CMD_MIFARE_READBL:
1106 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1107 break;
1108 case CMD_MIFAREU_READBL:
1109 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
1110 break;
1111 case CMD_MIFAREUC_AUTH:
1112 MifareUC_Auth(c->arg[0],c->d.asBytes);
1113 break;
1114 case CMD_MIFAREU_READCARD:
1115 MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1116 break;
1117 case CMD_MIFAREUC_SETPWD:
1118 MifareUSetPwd(c->arg[0], c->d.asBytes);
1119 break;
1120 case CMD_MIFARE_READSC:
1121 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1122 break;
1123 case CMD_MIFARE_WRITEBL:
1124 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1125 break;
1126 //case CMD_MIFAREU_WRITEBL_COMPAT:
1127 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1128 //break;
1129 case CMD_MIFAREU_WRITEBL:
1130 MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
1131 break;
1132 case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES:
1133 MifareAcquireEncryptedNonces(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1134 break;
1135 case CMD_MIFARE_NESTED:
1136 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1137 break;
1138 case CMD_MIFARE_CHKKEYS:
1139 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1140 break;
1141 case CMD_SIMULATE_MIFARE_CARD:
1142 Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1143 break;
1144
1145 // emulator
1146 case CMD_MIFARE_SET_DBGMODE:
1147 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1148 break;
1149 case CMD_MIFARE_EML_MEMCLR:
1150 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1151 break;
1152 case CMD_MIFARE_EML_MEMSET:
1153 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1154 break;
1155 case CMD_MIFARE_EML_MEMGET:
1156 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1157 break;
1158 case CMD_MIFARE_EML_CARDLOAD:
1159 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1160 break;
1161
1162 // Work with "magic Chinese" card
1163 case CMD_MIFARE_CSETBLOCK:
1164 MifareCSetBlock(c->arg[0], c->arg[1], c->d.asBytes);
1165 break;
1166 case CMD_MIFARE_CGETBLOCK:
1167 MifareCGetBlock(c->arg[0], c->arg[1], c->d.asBytes);
1168 break;
1169 case CMD_MIFARE_CIDENT:
1170 MifareCIdent();
1171 break;
1172
1173 // mifare sniffer
1174 case CMD_MIFARE_SNIFFER:
1175 SniffMifare(c->arg[0]);
1176 break;
1177
1178 //mifare desfire
1179 case CMD_MIFARE_DESFIRE_READBL: break;
1180 case CMD_MIFARE_DESFIRE_WRITEBL: break;
1181 case CMD_MIFARE_DESFIRE_AUTH1:
1182 MifareDES_Auth1(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1183 break;
1184 case CMD_MIFARE_DESFIRE_AUTH2:
1185 //MifareDES_Auth2(c->arg[0],c->d.asBytes);
1186 break;
1187 case CMD_MIFARE_DES_READER:
1188 //readermifaredes(c->arg[0], c->arg[1], c->d.asBytes);
1189 break;
1190 case CMD_MIFARE_DESFIRE_INFO:
1191 MifareDesfireGetInformation();
1192 break;
1193 case CMD_MIFARE_DESFIRE:
1194 MifareSendCommand(c->arg[0], c->arg[1], c->d.asBytes);
1195 break;
1196
1197 case CMD_MIFARE_COLLECT_NONCES:
1198 break;
1199 #endif
1200 #ifdef WITH_EMV
1201 case CMD_EMV_TRANSACTION:
1202 EMVTransaction();
1203 break;
1204 case CMD_EMV_GET_RANDOM_NUM:
1205 //EMVgetUDOL();
1206 break;
1207 case CMD_EMV_LOAD_VALUE:
1208 EMVloadvalue(c->arg[0], c->d.asBytes);
1209 break;
1210 case CMD_EMV_DUMP_CARD:
1211 EMVdumpcard();
1212 #endif
1213 #ifdef WITH_ICLASS
1214 // Makes use of ISO14443a FPGA Firmware
1215 case CMD_SNOOP_ICLASS:
1216 SnoopIClass();
1217 break;
1218 case CMD_SIMULATE_TAG_ICLASS:
1219 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1220 break;
1221 case CMD_READER_ICLASS:
1222 ReaderIClass(c->arg[0]);
1223 break;
1224 case CMD_READER_ICLASS_REPLAY:
1225 ReaderIClass_Replay(c->arg[0], c->d.asBytes);
1226 break;
1227 case CMD_ICLASS_EML_MEMSET:
1228 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
1229 break;
1230 case CMD_ICLASS_WRITEBLOCK:
1231 iClass_WriteBlock(c->arg[0], c->d.asBytes);
1232 break;
1233 case CMD_ICLASS_READCHECK: // auth step 1
1234 iClass_ReadCheck(c->arg[0], c->arg[1]);
1235 break;
1236 case CMD_ICLASS_READBLOCK:
1237 iClass_ReadBlk(c->arg[0]);
1238 break;
1239 case CMD_ICLASS_AUTHENTICATION: //check
1240 iClass_Authentication(c->d.asBytes);
1241 break;
1242 case CMD_ICLASS_DUMP:
1243 iClass_Dump(c->arg[0], c->arg[1]);
1244 break;
1245 case CMD_ICLASS_CLONE:
1246 iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
1247 break;
1248 #endif
1249 #ifdef WITH_HFSNOOP
1250 case CMD_HF_SNIFFER:
1251 HfSnoop(c->arg[0], c->arg[1]);
1252 break;
1253 #endif
1254
1255 case CMD_BUFF_CLEAR:
1256 BigBuf_Clear();
1257 break;
1258
1259 case CMD_MEASURE_ANTENNA_TUNING:
1260 MeasureAntennaTuning();
1261 break;
1262
1263 case CMD_MEASURE_ANTENNA_TUNING_HF:
1264 MeasureAntennaTuningHf();
1265 break;
1266
1267 case CMD_LISTEN_READER_FIELD:
1268 ListenReaderField(c->arg[0]);
1269 break;
1270
1271 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
1272 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1273 SpinDelay(200);
1274 LED_D_OFF(); // LED D indicates field ON or OFF
1275 break;
1276
1277 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K: {
1278 LED_B_ON();
1279 uint8_t *BigBuf = BigBuf_get_addr();
1280 size_t len = 0;
1281 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
1282 len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
1283 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
1284 }
1285 // Trigger a finish downloading signal with an ACK frame
1286 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
1287 LED_B_OFF();
1288 break;
1289 }
1290 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
1291 uint8_t *b = BigBuf_get_addr();
1292 memcpy( b + c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1293 cmd_send(CMD_ACK,0,0,0,0,0);
1294 break;
1295 }
1296 case CMD_DOWNLOAD_EML_BIGBUF: {
1297 LED_B_ON();
1298 uint8_t *cardmem = BigBuf_get_EM_addr();
1299 size_t len = 0;
1300 for(size_t i=0; i < c->arg[1]; i += USB_CMD_DATA_SIZE) {
1301 len = MIN((c->arg[1] - i), USB_CMD_DATA_SIZE);
1302 cmd_send(CMD_DOWNLOADED_EML_BIGBUF, i, len, CARD_MEMORY_SIZE, cardmem + c->arg[0] + i, len);
1303 }
1304 // Trigger a finish downloading signal with an ACK frame
1305 cmd_send(CMD_ACK, 1, 0, CARD_MEMORY_SIZE, 0, 0);
1306 LED_B_OFF();
1307 break;
1308 }
1309 case CMD_READ_MEM:
1310 ReadMem(c->arg[0]);
1311 break;
1312
1313 case CMD_SET_LF_DIVISOR:
1314 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1315 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
1316 break;
1317
1318 case CMD_SET_ADC_MUX:
1319 switch(c->arg[0]) {
1320 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1321 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1322 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1323 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1324 }
1325 break;
1326
1327 case CMD_VERSION:
1328 SendVersion();
1329 break;
1330 case CMD_STATUS:
1331 SendStatus();
1332 break;
1333 case CMD_PING:
1334 cmd_send(CMD_ACK,0,0,0,0,0);
1335 break;
1336 #ifdef WITH_LCD
1337 case CMD_LCD_RESET:
1338 LCDReset();
1339 break;
1340 case CMD_LCD:
1341 LCDSend(c->arg[0]);
1342 break;
1343 #endif
1344 case CMD_SETUP_WRITE:
1345 case CMD_FINISH_WRITE:
1346 case CMD_HARDWARE_RESET:
1347 usb_disable();
1348 SpinDelay(2000);
1349 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1350 for(;;) {
1351 // We're going to reset, and the bootrom will take control.
1352 }
1353 break;
1354
1355 case CMD_START_FLASH:
1356 if(common_area.flags.bootrom_present) {
1357 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1358 }
1359 usb_disable();
1360 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1361 for(;;);
1362 break;
1363
1364 case CMD_DEVICE_INFO: {
1365 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1366 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1367 cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1368 break;
1369 }
1370 default:
1371 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1372 break;
1373 }
1374 }
1375
1376 void __attribute__((noreturn)) AppMain(void)
1377 {
1378 SpinDelay(100);
1379 clear_trace();
1380 if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
1381 /* Initialize common area */
1382 memset(&common_area, 0, sizeof(common_area));
1383 common_area.magic = COMMON_AREA_MAGIC;
1384 common_area.version = 1;
1385 }
1386 common_area.flags.osimage_present = 1;
1387
1388 LED_D_OFF();
1389 LED_C_OFF();
1390 LED_B_OFF();
1391 LED_A_OFF();
1392
1393 // Init USB device
1394 usb_enable();
1395
1396 // The FPGA gets its clock from us from PCK0 output, so set that up.
1397 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
1398 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
1399 AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
1400 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1401 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
1402 AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
1403 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
1404
1405 // Reset SPI
1406 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
1407 // Reset SSC
1408 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
1409
1410 // Load the FPGA image, which we have stored in our flash.
1411 // (the HF version by default)
1412 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1413
1414 StartTickCount();
1415
1416 #ifdef WITH_LCD
1417 LCDInit();
1418 #endif
1419
1420 byte_t rx[sizeof(UsbCommand)];
1421 size_t rx_len;
1422
1423 for(;;) {
1424 if (usb_poll()) {
1425 rx_len = usb_read(rx,sizeof(UsbCommand));
1426 if (rx_len)
1427 UsbPacketReceived(rx,rx_len);
1428 }
1429 WDT_HIT();
1430
1431 #ifdef WITH_LF
1432 #ifndef WITH_ISO14443a_StandAlone
1433 if (BUTTON_HELD(1000) > 0)
1434 SamyRun();
1435 #endif
1436 #endif
1437 #ifdef WITH_ISO14443a
1438 #ifdef WITH_ISO14443a_StandAlone
1439 if (BUTTON_HELD(1000) > 0)
1440 StandAloneMode14a();
1441 #endif
1442 #endif
1443 }
1444 }
Impressum, Datenschutz