1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
5 //-----------------------------------------------------------------------------
6 // HitagS emulation (preliminary test version)
8 // (c) 2016 Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg
10 //-----------------------------------------------------------------------------
11 // Some code was copied from Hitag2.c
12 //-----------------------------------------------------------------------------
18 #include "proxmark3.h"
24 #include "fpgaloader.h"
26 #define CRC_PRESET 0xFF
27 #define CRC_POLYNOM 0x1D
32 #define rev8(x) ((((x)>>7)&1)+((((x)>>6)&1)<<1)+((((x)>>5)&1)<<2)+((((x)>>4)&1)<<3)+((((x)>>3)&1)<<4)+((((x)>>2)&1)<<5)+((((x)>>1)&1)<<6)+(((x)&1)<<7))
33 #define rev16(x) (rev8 (x)+(rev8 (x>> 8)<< 8))
34 #define rev32(x) (rev16(x)+(rev16(x>>16)<<16))
35 #define rev64(x) (rev32(x)+(rev32(x>>32)<<32))
36 #define bit(x,n) (((x)>>(n))&1)
37 #define bit32(x,n) ((((x)[(n)>>5])>>((n)))&1)
38 #define inv32(x,i,n) ((x)[(i)>>5]^=((u32)(n))<<((i)&31))
39 #define rotl64(x, n) ((((u64)(x))<<((n)&63))+(((u64)(x))>>((0-(n))&63)))
42 static bool bSuccessful
;
43 static struct hitagS_tag tag
;
44 static byte_t page_to_be_written
= 0;
45 static int block_data_left
= 0;
46 typedef enum modulation
{
47 AC2K
= 0, AC4K
, MC4K
, MC8K
49 static MOD m
= AC2K
; //used modulation
50 static uint32_t temp_uid
;
52 static int sof_bits
; //number of start-of-frame bits
53 static byte_t pwdh0
, pwdl0
, pwdl1
; //password bytes
54 static uint32_t rnd
= 0x74124485; //randomnumber
59 // Single bit Hitag2 functions:
60 #define i4(x,a,b,c,d) ((u32)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
61 static const u32 ht2_f4a
= 0x2C79; // 0010 1100 0111 1001
62 static const u32 ht2_f4b
= 0x6671; // 0110 0110 0111 0001
63 static const u32 ht2_f5c
= 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
64 #define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b))
65 #define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b)))
66 #define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c))))
69 static u32
f20(const u64 x
) {
72 i5
= ((ht2_f4a
>> i4(x
, 1, 2, 4, 5)) & 1) * 1
73 + ((ht2_f4b
>> i4(x
, 7, 11, 13, 14)) & 1) * 2
74 + ((ht2_f4b
>> i4(x
, 16, 20, 22, 25)) & 1) * 4
75 + ((ht2_f4b
>> i4(x
, 27, 28, 30, 32)) & 1) * 8
76 + ((ht2_f4a
>> i4(x
, 33, 42, 43, 45)) & 1) * 16;
78 return (ht2_f5c
>> i5
) & 1;
80 static u64
hitag2_round(u64
*state
) {
84 + ((((x
>> 0) ^ (x
>> 2) ^ (x
>> 3) ^ (x
>> 6) ^ (x
>> 7) ^ (x
>> 8)
85 ^ (x
>> 16) ^ (x
>> 22) ^ (x
>> 23) ^ (x
>> 26) ^ (x
>> 30)
86 ^ (x
>> 41) ^ (x
>> 42) ^ (x
>> 43) ^ (x
>> 46) ^ (x
>> 47))
92 static u64
hitag2_init(const u64 key
, const u32 serial
, const u32 IV
) {
94 u64 x
= ((key
& 0xFFFF) << 32) + serial
;
95 for (i
= 0; i
< 32; i
++) {
97 x
+= (u64
) (f20(x
) ^ (((IV
>> i
) ^ (key
>> (i
+ 16))) & 1)) << 47;
101 static u32
hitag2_byte(u64
*x
) {
104 for (i
= 0, c
= 0; i
< 8; i
++)
105 c
+= (u32
) hitag2_round(x
) << (i
^ 7);
109 // Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
110 // TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
111 // Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
112 // T0 = TIMER_CLOCK1 / 125000 = 192
115 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
116 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
118 #define HITAG_FRAME_LEN 20
119 #define HITAG_T_STOP 36 /* T_EOF should be > 36 */
120 #define HITAG_T_LOW 8 /* T_LOW should be 4..10 */
121 #define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
122 #define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */
123 //#define HITAG_T_EOF 40 /* T_EOF should be > 36 */
124 #define HITAG_T_EOF 80 /* T_EOF should be > 36 */
125 #define HITAG_T_WAIT_1 200 /* T_wresp should be 199..206 */
126 #define HITAG_T_WAIT_2 90 /* T_wresp should be 199..206 */
127 #define HITAG_T_WAIT_MAX 300 /* bit more than HITAG_T_WAIT_1 + HITAG_T_WAIT_2 */
129 #define HITAG_T_TAG_ONE_HALF_PERIOD 10
130 #define HITAG_T_TAG_TWO_HALF_PERIOD 25
131 #define HITAG_T_TAG_THREE_HALF_PERIOD 41
132 #define HITAG_T_TAG_FOUR_HALF_PERIOD 57
134 #define HITAG_T_TAG_HALF_PERIOD 16
135 #define HITAG_T_TAG_FULL_PERIOD 32
137 #define HITAG_T_TAG_CAPTURE_ONE_HALF 13
138 #define HITAG_T_TAG_CAPTURE_TWO_HALF 25
139 #define HITAG_T_TAG_CAPTURE_THREE_HALF 41
140 #define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
145 * Implementation of the crc8 calculation from Hitag S
146 * from http://www.proxmark.org/files/Documents/125%20kHz%20-%20Hitag/HitagS.V11.pdf
148 void calc_crc(unsigned char * crc
, unsigned char data
, unsigned char Bitcount
) {
149 *crc
^= data
; // crc = crc (exor) data
151 if (*crc
& 0x80) // if (MSB-CRC == 1)
153 *crc
<<= 1; // CRC = CRC Bit-shift left
154 *crc
^= CRC_POLYNOM
; // CRC = CRC (exor) CRC_POLYNOM
156 *crc
<<= 1; // CRC = CRC Bit-shift left
158 } while (--Bitcount
);
162 static void hitag_send_bit(int bit
) {
164 // Reset clock for the next bit
165 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_SWTRG
;
172 while (AT91C_BASE_TC0
->TC_CV
< T0
* 32)
175 while (AT91C_BASE_TC0
->TC_CV
< T0
* 64)
180 while (AT91C_BASE_TC0
->TC_CV
< T0
* 16)
183 while (AT91C_BASE_TC0
->TC_CV
< T0
* 32)
186 while (AT91C_BASE_TC0
->TC_CV
< T0
* 48)
189 while (AT91C_BASE_TC0
->TC_CV
< T0
* 64)
198 while (AT91C_BASE_TC0
->TC_CV
< T0
* HITAG_T_TAG_HALF_PERIOD
)
201 while (AT91C_BASE_TC0
->TC_CV
< T0
* HITAG_T_TAG_FULL_PERIOD
)
206 while (AT91C_BASE_TC0
->TC_CV
< T0
* 8)
209 while (AT91C_BASE_TC0
->TC_CV
< T0
* 16)
212 while (AT91C_BASE_TC0
->TC_CV
< T0
* 24)
215 while (AT91C_BASE_TC0
->TC_CV
< T0
* 32)
222 // Manchester: Unloaded, then loaded |__--|
224 while (AT91C_BASE_TC0
->TC_CV
< T0
* 16)
227 while (AT91C_BASE_TC0
->TC_CV
< T0
* 32)
230 // Manchester: Loaded, then unloaded |--__|
232 while (AT91C_BASE_TC0
->TC_CV
< T0
* 16)
235 while (AT91C_BASE_TC0
->TC_CV
< T0
* 32)
242 // Manchester: Unloaded, then loaded |__--|
244 while (AT91C_BASE_TC0
->TC_CV
< T0
* 8)
247 while (AT91C_BASE_TC0
->TC_CV
< T0
* 16)
250 // Manchester: Loaded, then unloaded |--__|
252 while (AT91C_BASE_TC0
->TC_CV
< T0
* 8)
255 while (AT91C_BASE_TC0
->TC_CV
< T0
* 16)
265 static void hitag_tag_send_frame(const byte_t
* frame
, size_t frame_len
) {
266 // Send start of frame
267 for (size_t i
= 0; i
< sof_bits
; i
++) {
271 // Send the content of the frame
272 for (size_t i
= 0; i
< frame_len
; i
++) {
273 hitag_send_bit((frame
[i
/ 8] >> (7 - (i
% 8))) & 1);
275 // Drop the modulation
279 static void hitag_reader_send_bit(int bit
) {
280 //Dbprintf("BIT: %d",bit);
282 // Reset clock for the next bit
283 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_SWTRG
;
285 // Binary puls length modulation (BPLM) is used to encode the data stream
286 // This means that a transmission of a one takes longer than that of a zero
288 // Enable modulation, which means, drop the the field
291 // Wait for 4-10 times the carrier period
292 while (AT91C_BASE_TC0
->TC_CV
< T0
* 6)
296 // Disable modulation, just activates the field again
301 while (AT91C_BASE_TC0
->TC_CV
< T0
* 11)
303 // SpinDelayUs(16*8);
306 while (AT91C_BASE_TC0
->TC_CV
< T0
* 14)
308 // SpinDelayUs(22*8);
311 // Wait for 4-10 times the carrier period
312 while (AT91C_BASE_TC0
->TC_CV
< T0
* 6)
316 // Disable modulation, just activates the field again
321 while (AT91C_BASE_TC0
->TC_CV
< T0
* 22)
323 // SpinDelayUs(16*8);
326 while (AT91C_BASE_TC0
->TC_CV
< T0
* 28)
328 // SpinDelayUs(22*8);
335 static void hitag_reader_send_frame(const byte_t
* frame
, size_t frame_len
) {
336 // Send the content of the frame
337 for (size_t i
= 0; i
< frame_len
; i
++) {
338 if (frame
[0] == 0xf8) {
339 //Dbprintf("BIT: %d",(frame[i / 8] >> (7 - (i % 8))) & 1);
341 hitag_reader_send_bit(((frame
[i
/ 8] >> (7 - (i
% 8))) & 1));
344 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_SWTRG
;
345 // Enable modulation, which means, drop the the field
347 // Wait for 4-10 times the carrier period
348 while (AT91C_BASE_TC0
->TC_CV
< T0
* 6)
350 // Disable modulation, just activates the field again
354 static void hitag_decode_frame_MC(int bitRate
, int sofBits
, byte_t
* rx
, size_t* rxlenOrg
, int* response
, int rawMod
[], int rawLen
) {
364 for (int i
=0; i
< rawLen
; i
++) {
366 if (ra
>= HITAG_T_EOF
) {
368 //DbpString("wierd1?");
372 // Capture the T0 periods that have passed since last communication or field drop (reset)
373 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
374 *response
= ra
- HITAG_T_TAG_HALF_PERIOD
;
375 } else if (ra
>= HITAG_T_TAG_CAPTURE_FOUR_HALF
/ timing
) {
377 // Manchester coding example |-_|_-|-_| (101)
378 rx
[rxlen
/ 8] |= 0 << (7 - (rxlen
% 8));
380 rx
[rxlen
/ 8] |= 1 << (7 - (rxlen
% 8));
382 } else if (ra
>= HITAG_T_TAG_CAPTURE_THREE_HALF
/ timing
) {
384 // Manchester coding example |_-|...|_-|-_| (0...01)
385 rx
[rxlen
/ 8] |= 0 << (7 - (rxlen
% 8));
387 // We have to skip this half period at start and add the 'one' the second time
389 rx
[rxlen
/ 8] |= 1 << (7 - (rxlen
% 8));
394 } else if (ra
>= HITAG_T_TAG_CAPTURE_TWO_HALF
/ timing
) {
395 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
397 // Ignore bits that are transmitted during SOF
400 // bit is same as last bit
401 rx
[rxlen
/ 8] |= lastbit
<< (7 - (rxlen
% 8));
405 // Ignore wierd value, is to small to mean anything
412 static void hitag_decode_frame_AC2K_rising(byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
413 int tag_sof = 1; //skip start of frame
416 for (int i=0; i < rawLen; i++) {
418 if (ra >= HITAG_T_EOF) {
420 //DbpString("wierd1?");
422 // Capture the T0 periods that have passed since last communication or field drop (reset)
423 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
425 *response = ra - HITAG_T_TAG_HALF_PERIOD;
426 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
427 // AC coding example |--__|--__| means 0
428 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
430 if (rawMod[i+1] == 0) { //TODO: this is weird - may we miss one capture with current configuration
431 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
433 i++; //drop next capture
435 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
437 // Ignore bits that are transmitted during SOF
440 // AC coding example |-_-_|-_-_| which means 1
441 //check if another high is coming (only -_-_ = 1) except end of the frame (support 0)
442 if (rawMod[i+1] == 0 || rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
443 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
445 i++; //drop next capture
447 Dbprintf("got weird high - %d,%d", ra, rawMod[i+1]);
451 // Ignore wierd value, is to small to mean anything
458 static void hitag_decode_frame_AC(int bitRate
, int sofBits
, byte_t
* rx
, size_t* rxlenOrg
, int* response
, int rawMod
[], int rawLen
) {
467 for (int i
=0; i
< rawLen
; i
++) {
469 if (ra
>= HITAG_T_EOF
) {
471 //DbpString("wierd1?");
474 // Capture the T0 periods that have passed since last communication or field drop (reset)
475 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
477 *response
= ra
- HITAG_T_TAG_HALF_PERIOD
;
478 } else if (ra
>= HITAG_T_TAG_CAPTURE_FOUR_HALF
/ timing
) {
481 // AC coding example |--__|--__| means 0
482 rx
[rxlen
/ 8] |= 0 << (7 - (rxlen
% 8));
484 } else if (ra
>= HITAG_T_TAG_CAPTURE_THREE_HALF
/ timing
) {
487 if (rawMod
[i
-1] >= HITAG_T_TAG_CAPTURE_THREE_HALF
/ timing
) {
488 //treat like HITAG_T_TAG_CAPTURE_TWO_HALF
489 if (rawMod
[i
+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF
/ timing
) {
490 rx
[rxlen
/ 8] |= 1 << (7 - (rxlen
% 8));
492 i
++; //drop next capture
494 Dbprintf("got weird value - %d,%d", ra
, rawMod
[i
+1]);
497 //treat like HITAG_T_TAG_CAPTURE_FOUR_HALF
498 rx
[rxlen
/ 8] |= 0 << (7 - (rxlen
% 8));
501 } else if (ra
>= HITAG_T_TAG_CAPTURE_TWO_HALF
/ timing
) {
503 // Ignore bits that are transmitted during SOF
506 // AC coding example |-_-_|-_-_| which means 1
507 //check if another high is coming (only -_-_ = 1) except end of the frame (support 0)
508 if (rawMod
[i
+1] == 0 || rawMod
[i
+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF
/ timing
) {
509 rx
[rxlen
/ 8] |= 1 << (7 - (rxlen
% 8));
511 i
++; //drop next capture
513 Dbprintf("got weird value - %d,%d", ra
, rawMod
[i
+1]);
517 // Ignore wierd value, is to small to mean anything
523 static void hitag_receive_frame(byte_t
* rx
, size_t* rxlen
, int* response
) {
524 int rawMod
[200] = {0};
530 if (tag
.pstate
== READY
) {
538 sofBits
= 5; //3 sof bits but 5 captures
542 sofBits
= 5; //3 sof bits but 5 captures
551 sofBits
= 0; //in theory 1
555 sofBits
= 5; //in theory 6
559 sofBits
= 5; //in theory 6
566 //rising AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
567 AT91C_BASE_TC1
->TC_CMR
= AT91C_TC_CLKS_TIMER_DIV1_CLOCK
| AT91C_TC_ETRGEDG_FALLING
| AT91C_TC_ABETRG
| AT91C_TC_LDRA_FALLING
;
570 //first capture timing values
571 while (AT91C_BASE_TC1
->TC_CV
< T0
* HITAG_T_WAIT_MAX
) {
572 // Check if rising edge in modulation is detected
573 if (AT91C_BASE_TC1
->TC_SR
& AT91C_TC_LDRAS
) {
574 // Retrieve the new timing values
575 int ra
= (AT91C_BASE_TC1
->TC_RA
/ T0
);
578 // Reset timer every frame, we have to capture the last edge for timing
579 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
580 //AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
582 if (rawLen
>= 200) { //avoid exception
588 // We can break this loop if we received the last bit from a frame
589 if (AT91C_BASE_TC1
->TC_CV
> T0
* HITAG_T_EOF
) {
591 if (DEBUG
>= 2) { Dbprintf("AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF breaking (%d)", rawLen
); }
599 for (i
=0; i
< rawLen
; i
+=20) {
600 Dbprintf("raw modulation: - %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d",
601 rawMod
[i
],rawMod
[i
+1],rawMod
[i
+2],rawMod
[i
+3], rawMod
[i
+4],rawMod
[i
+5],rawMod
[i
+6],rawMod
[i
+7],
602 rawMod
[i
+8],rawMod
[i
+9],rawMod
[i
+10],rawMod
[i
+11], rawMod
[i
+12],rawMod
[i
+13],rawMod
[i
+14],rawMod
[i
+15],
603 rawMod
[i
+16],rawMod
[i
+17],rawMod
[i
+18],rawMod
[i
+19]
609 // DATA | 1 | 0 | 1 | 1 | 0 |
610 // Manchester |--__|__--|--__|--__|__--|
611 // Anti Collision |-_-_|--__|-_-_|-_-_|--__|
615 if (DEBUG
>= 2) { Dbprintf("decoding frame with modulation AC2K"); }
616 hitag_decode_frame_AC(2, sofBits
, rx
, rxlen
, response
, rawMod
, rawLen
);
619 if (DEBUG
>= 2) { Dbprintf("decoding frame with modulation AC4K"); }
620 hitag_decode_frame_AC(4, sofBits
, rx
, rxlen
, response
, rawMod
, rawLen
);
623 if (DEBUG
>= 2) { Dbprintf("decoding frame with modulation MC4K"); }
624 hitag_decode_frame_MC(4, sofBits
, rx
, rxlen
, response
, rawMod
, rawLen
);
627 if (DEBUG
>= 2) { Dbprintf("decoding frame with modulation MC8K"); }
628 hitag_decode_frame_MC(8, sofBits
, rx
, rxlen
, response
, rawMod
, rawLen
);
634 int rb
[200] = {0}; int z
= 0;
635 for (i
= 0; i
< 16; i
++) { for (int j
= 0; j
< 8; j
++) {
637 if ((rx
[i
] & ((1 << 7) >> j
)) != 0) { rb
[z
] = 1; }
640 for (i
=0; i
< z
; i
+=8) {
641 Dbprintf("raw bit: - %d%d%d%d%d%d%d%d", rb
[i
],rb
[i
+1],rb
[i
+2],rb
[i
+3],rb
[i
+4],rb
[i
+5],rb
[i
+6],rb
[i
+7] );
646 static void hitag_start_auth(byte_t
* tx
, size_t* txlen
) {
650 //00110 - 0x30 - STANDARD MODE
651 memcpy(tx
, "\x30", nbytes(*txlen
));
654 //11000 - 0xc0 - Advance Mode
655 memcpy(tx
, "\xc0", nbytes(*txlen
));
660 default: //STANDARD MODE
661 memcpy(tx
, "\x30", nbytes(*txlen
));
668 static int hitag_read_page(hitag_function htf
, uint64_t key
, byte_t
* rx
, size_t* rxlen
, byte_t
* tx
, size_t* txlen
, int pageNum
) {
670 int response_bit
[200];
671 unsigned char mask
= 1;
673 unsigned char pageData
[32];
675 if (pageNum
>= tag
.max_page
) {
678 if (tag
.pstate
== SELECTED
&& tag
.tstate
== NO_OP
&& *rxlen
> 0) {
680 tag
.tstate
= READING_PAGE
;
683 tx
[0] = 0xc0 + (pageNum
/ 16);
684 calc_crc(&crc
, tx
[0], 8);
685 calc_crc(&crc
, 0x00 + ((pageNum
% 16) * 16), 4);
686 tx
[1] = 0x00 + ((pageNum
% 16) * 16) + (crc
/ 16);
687 tx
[2] = 0x00 + (crc
% 16) * 16;
688 } else if (tag
.pstate
== SELECTED
&& tag
.tstate
== READING_PAGE
&& *rxlen
> 0) {
691 for (i
= 0; i
< 4; i
++) {
692 for (j
= 0; j
< 8; j
++) {
694 if ((rx
[i
] & ((mask
<< 7) >> j
)) != 0) {
698 pageData
[z
] = response_bit
[z
];
704 for (i
= 0; i
< 4; i
++) {
705 tag
.pages
[pageNum
][i
] = 0x0;
707 for (i
= 0; i
< 4; i
++) {
708 tag
.pages
[pageNum
][i
] += ((pageData
[i
* 8] << 7) | (pageData
[1 + (i
* 8)] << 6) |
709 (pageData
[2 + (i
* 8)] << 5) | (pageData
[3 + (i
* 8)] << 4) |
710 (pageData
[4 + (i
* 8)] << 3) | (pageData
[5 + (i
* 8)] << 2) |
711 (pageData
[6 + (i
* 8)]
712 << 1) | pageData
[7 + (i
* 8)]);
714 if (tag
.auth
&& tag
.LKP
&& pageNum
== 1) {
715 Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum
, pwdh0
,
716 tag
.pages
[pageNum
][2], tag
.pages
[pageNum
][1], tag
.pages
[pageNum
][0]);
718 Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum
,
719 tag
.pages
[pageNum
][3], tag
.pages
[pageNum
][2],
720 tag
.pages
[pageNum
][1], tag
.pages
[pageNum
][0]);
724 //display key and password if possible
725 if (pageNum
== 1 && tag
.auth
== 1 && tag
.LKP
) {
726 if (htf
== 02) { //RHTS_KEY
727 Dbprintf("Page[ 2]: %02X %02X %02X %02X",
728 (byte_t
)(key
>> 8) & 0xff,
729 (byte_t
) key
& 0xff, pwdl1
, pwdl0
);
730 Dbprintf("Page[ 3]: %02X %02X %02X %02X",
731 (byte_t
)(key
>> 40) & 0xff,
732 (byte_t
)(key
>> 32) & 0xff,
733 (byte_t
)(key
>> 24) & 0xff,
734 (byte_t
)(key
>> 16) & 0xff);
736 //if the authentication is done with a challenge the key and password are unknown
737 Dbprintf("Page[ 2]: __ __ __ __");
738 Dbprintf("Page[ 3]: __ __ __ __");
744 tx
[0] = 0xc0 + ((pageNum
+1) / 16);
745 calc_crc(&crc
, tx
[0], 8);
746 calc_crc(&crc
, 0x00 + (((pageNum
+1) % 16) * 16), 4);
747 tx
[1] = 0x00 + (((pageNum
+1) % 16) * 16) + (crc
/ 16);
748 tx
[2] = 0x00 + (crc
% 16) * 16;
755 static int hitag_read_block(hitag_function htf
, uint64_t key
, byte_t
* rx
, size_t* rxlen
, byte_t
* tx
, size_t* txlen
, int blockNum
) {
757 int response_bit
[200];
758 unsigned char mask
= 1;
760 unsigned char blockData
[128];
762 if (blockNum
+4 >= tag
.max_page
) { //block always = 4 pages
766 if (tag
.pstate
== SELECTED
&& tag
.tstate
== NO_OP
&& *rxlen
> 0) {
768 tag
.tstate
= READING_BLOCK
;
771 tx
[0] = 0xd0 + (blockNum
/ 16);
772 calc_crc(&crc
, tx
[0], 8);
773 calc_crc(&crc
, 0x00 + ((blockNum
% 16) * 16), 4);
774 tx
[1] = 0x00 + ((blockNum
% 16) * 16) + (crc
/ 16);
775 tx
[2] = 0x00 + (crc
% 16) * 16;
776 } else if (tag
.pstate
== SELECTED
&& tag
.tstate
== READING_BLOCK
&& *rxlen
> 0) {
779 for (i
= 0; i
< 16; i
++) {
780 for (j
= 0; j
< 8; j
++) {
782 if ((rx
[i
] & ((mask
<< 7) >> j
)) != 0) {
786 blockData
[z
] = response_bit
[z
];
792 for (z
= 0; z
< 4; z
++) { //4 pages
793 for (i
= 0; i
< 4; i
++) {
794 tag
.pages
[blockNum
+z
][i
] = 0x0;
797 for (z
= 0; z
< 4; z
++) { //4 pages
798 for (i
= 0; i
< 4; i
++) {
799 j
= (i
* 8) + (z
*32); //bit in page + pageStart
800 tag
.pages
[blockNum
+z
][i
] = ((blockData
[j
] << 7) | (blockData
[1 + j
] << 6) |
801 (blockData
[2 + j
] << 5) | (blockData
[3 + j
] << 4) |
802 (blockData
[4 + j
] << 3) | (blockData
[5 + j
] << 2) |
803 (blockData
[6 + j
] << 1) | blockData
[7 + j
]);
807 for (z
= 0; z
< 4; z
++) {
808 Dbprintf("Page[%2d]: %02X %02X %02X %02X", blockNum
+z
,
809 tag
.pages
[blockNum
+z
][3], tag
.pages
[blockNum
+z
][2],
810 tag
.pages
[blockNum
+z
][1], tag
.pages
[blockNum
+z
][0]);
813 Dbprintf("Block[%2d]: %02X %02X %02X %02X - %02X %02X %02X %02X - %02X %02X %02X %02X - %02X %02X %02X %02X", blockNum
,
814 tag
.pages
[blockNum
][3], tag
.pages
[blockNum
][2], tag
.pages
[blockNum
][1], tag
.pages
[blockNum
][0],
815 tag
.pages
[blockNum
+1][3], tag
.pages
[blockNum
+1][2], tag
.pages
[blockNum
+1][1], tag
.pages
[blockNum
+1][0],
816 tag
.pages
[blockNum
+2][3], tag
.pages
[blockNum
+2][2], tag
.pages
[blockNum
+2][1], tag
.pages
[blockNum
+2][0],
817 tag
.pages
[blockNum
+3][3], tag
.pages
[blockNum
+3][2], tag
.pages
[blockNum
+3][1], tag
.pages
[blockNum
+3][0]);
821 tx
[0] = 0xd0 + ((blockNum
+4) / 16);
822 calc_crc(&crc
, tx
[0], 8);
823 calc_crc(&crc
, 0x00 + (((blockNum
+4) % 16) * 16), 4);
824 tx
[1] = 0x00 + (((blockNum
+4) % 16) * 16) + (crc
/ 16);
825 tx
[2] = 0x00 + (crc
% 16) * 16;
834 * to check if the right uid was selected
836 static int check_select(byte_t
* rx
, uint32_t uid
) {
837 unsigned char resp
[48];
840 for (i
= 0; i
< 48; i
++)
841 resp
[i
] = (rx
[i
/ 8] >> (7 - (i
% 8))) & 0x1;
842 for (i
= 0; i
< 32; i
++)
843 ans
+= resp
[5 + i
] << (31 - i
);
844 /*if (rx[0] == 0x01 && rx[1] == 0x15 && rx[2] == 0xc1 && rx[3] == 0x14
845 && rx[4] == 0x65 && rx[5] == 0x38)
846 Dbprintf("got uid %X", ans);*/
854 * handles all commands from a reader
856 static void hitagS_handle_reader_command(byte_t
* rx
, const size_t rxlen
,
857 byte_t
* tx
, size_t* txlen
) {
858 byte_t rx_air
[HITAG_FRAME_LEN
];
864 // Copy the (original) received frame how it is send over the air
865 memcpy(rx_air
, rx
, nbytes(rxlen
));
866 // Reset the transmission frame length
868 // Try to find out which command was send by selecting on length (in bits)
871 //UID request with a selected response protocol mode
874 if ((rx
[0] & 0xf0) == 0x30) {
875 Dbprintf("recieved uid request in Standard Mode");
880 if ((rx
[0] & 0xf0) == 0xc0) {
881 Dbprintf("recieved uid request in ADVANCE Mode");
886 if ((rx
[0] & 0xf0) == 0xd0) {
887 Dbprintf("recieved uid request in FAST_ADVANCE Mode");
888 tag
.mode
= FAST_ADVANCED
;
892 //send uid as a response
894 for (i
= 0; i
< 4; i
++) {
895 tx
[i
] = (tag
.uid
>> (24 - (i
* 8))) & 0xff;
900 //select command from reader received
901 if (check_select(rx
, tag
.uid
) == 1) {
902 //if the right tag was selected
906 Dbprintf("uid selected in Standard Mode");
911 Dbprintf("uid selected in ADVANCE Mode");
916 Dbprintf("uid selected in FAST_ADVANCE Mode");
925 tx
[0] = tag
.pages
[1][3];
926 tx
[1] = tag
.pages
[1][2];
927 tx
[2] = tag
.pages
[1][1];
929 if (tag
.mode
!= STANDARD
) {
932 for (i
= 0; i
< 4; i
++)
933 calc_crc(&crc
, tx
[i
], 8);
956 //challenge message received
957 Dbprintf("Challenge for UID: %X", temp_uid
);
959 state
= hitag2_init(rev64(tag
.key
), rev32(tag
.pages
[0][0]),
960 rev32(((rx
[3] << 24) + (rx
[2] << 16) + (rx
[1] << 8) + rx
[0])));
962 ",{0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X}",
963 rx
[0], rx
[1], rx
[2], rx
[3], rx
[4], rx
[5], rx
[6], rx
[7]);
965 for (i
= 0; i
< 4; i
++) {
970 //send con2,pwdh0,pwdl0,pwdl1 encrypted as a response
971 tx
[0] = hitag2_byte(&state
) ^ tag
.pages
[1][1];
972 tx
[1] = hitag2_byte(&state
) ^ tag
.pwdh0
;
973 tx
[2] = hitag2_byte(&state
) ^ tag
.pwdl0
;
974 tx
[3] = hitag2_byte(&state
) ^ tag
.pwdl1
;
975 if (tag
.mode
!= STANDARD
) {
979 calc_crc(&crc
, tag
.pages
[1][1], 8);
980 calc_crc(&crc
, tag
.pwdh0
, 8);
981 calc_crc(&crc
, tag
.pwdl0
, 8);
982 calc_crc(&crc
, tag
.pwdl1
, 8);
983 tx
[4] = (crc
^ hitag2_byte(&state
));
987 //data received to be written
988 if (tag
.tstate
== WRITING_PAGE_DATA
) {
990 tag
.pages
[page_to_be_written
][0] = rx
[3];
991 tag
.pages
[page_to_be_written
][1] = rx
[2];
992 tag
.pages
[page_to_be_written
][2] = rx
[1];
993 tag
.pages
[page_to_be_written
][3] = rx
[0];
998 page_to_be_written
= 0;
1015 } else if (tag
.tstate
== WRITING_BLOCK_DATA
) {
1016 tag
.pages
[page_to_be_written
][0] = rx
[0];
1017 tag
.pages
[page_to_be_written
][1] = rx
[1];
1018 tag
.pages
[page_to_be_written
][2] = rx
[2];
1019 tag
.pages
[page_to_be_written
][3] = rx
[3];
1040 page_to_be_written
++;
1042 if (block_data_left
== 0) {
1044 page_to_be_written
= 0;
1049 //write page, write block, read page or read block command received
1050 if ((rx
[0] & 0xf0) == 0xc0) { //read page
1052 page
= ((rx
[0] & 0x0f) * 16) + ((rx
[1] & 0xf0) / 16);
1053 Dbprintf("reading page %d", page
);
1055 tx
[0] = tag
.pages
[page
][0];
1056 tx
[1] = tag
.pages
[page
][1];
1057 tx
[2] = tag
.pages
[page
][2];
1058 tx
[3] = tag
.pages
[page
][3];
1060 if (tag
.LKP
&& page
== 1)
1080 if (tag
.mode
!= STANDARD
) {
1084 for (i
= 0; i
< 4; i
++)
1085 calc_crc(&crc
, tx
[i
], 8);
1089 if (tag
.LKP
&& (page
== 2 || page
== 3)) {
1090 //if reader asks for key or password and the LKP-mark is set do not respond
1094 } else if ((rx
[0] & 0xf0) == 0xd0) { //read block
1095 page
= ((rx
[0] & 0x0f) * 16) + ((rx
[1] & 0xf0) / 16);
1096 Dbprintf("reading block %d", page
);
1098 //send page,...,page+3 data
1099 for (i
= 0; i
< 4; i
++) {
1100 tx
[0 + (i
* 4)] = tag
.pages
[page
][0];
1101 tx
[1 + (i
* 4)] = tag
.pages
[page
][1];
1102 tx
[2 + (i
* 4)] = tag
.pages
[page
][2];
1103 tx
[3 + (i
* 4)] = tag
.pages
[page
][3];
1124 if (tag
.mode
!= STANDARD
) {
1126 *txlen
= 32 * 4 + 8;
1128 for (i
= 0; i
< 16; i
++)
1129 calc_crc(&crc
, tx
[i
], 8);
1133 if ((page
- 4) % 4 != 0 || (tag
.LKP
&& (page
- 4) == 0)) {
1137 } else if ((rx
[0] & 0xf0) == 0x80) { //write page
1138 page
= ((rx
[0] & 0x0f) * 16) + ((rx
[1] & 0xf0) / 16);
1156 if ((tag
.LCON
&& page
== 1)
1157 || (tag
.LKP
&& (page
== 2 || page
== 3))) {
1164 page_to_be_written
= page
;
1165 tag
.tstate
= WRITING_PAGE_DATA
;
1168 } else if ((rx
[0] & 0xf0) == 0x90) { //write block
1169 page
= ((rx
[0] & 0x0f) * 6) + ((rx
[1] & 0xf0) / 16);
1186 if (page
% 4 != 0 || page
== 0) {
1193 page_to_be_written
= page
;
1194 block_data_left
= 4;
1195 tag
.tstate
= WRITING_BLOCK_DATA
;
1208 * to autenticate to a tag with the given key or challenge
1210 static int hitagS_handle_tag_auth(hitag_function htf
,uint64_t key
, uint64_t NrAr
, byte_t
* rx
,
1211 const size_t rxlen
, byte_t
* tx
, size_t* txlen
) {
1212 byte_t rx_air
[HITAG_FRAME_LEN
];
1213 int response_bit
[200] = {0};
1215 unsigned char mask
= 1;
1216 unsigned char uid
[32];
1217 byte_t uid1
= 0x00, uid2
= 0x00, uid3
= 0x00, uid4
= 0x00;
1221 byte_t conf_pages
[3];
1222 memcpy(rx_air
, rx
, nbytes(rxlen
));
1226 Dbprintf("START hitagS_handle_tag_auth - rxlen: %d, tagstate=%d", rxlen
, (int)tag
.pstate
);
1229 if (tag
.pstate
== READY
&& rxlen
>= 32) {
1232 Dbprintf("authentication failed!");
1236 for (i
= 0; i
< 10; i
++) {
1237 for (j
= 0; j
< 8; j
++) {
1238 response_bit
[z
] = 0;
1239 if ((rx
[i
] & ((mask
<< 7) >> j
)) != 0)
1240 response_bit
[z
] = 1;
1244 for (i
= 0; i
< 32; i
++) {
1245 uid
[i
] = response_bit
[i
];
1248 uid1
= (uid
[0] << 7) | (uid
[1] << 6) | (uid
[2] << 5) | (uid
[3] << 4)
1249 | (uid
[4] << 3) | (uid
[5] << 2) | (uid
[6] << 1) | uid
[7];
1250 uid2
= (uid
[8] << 7) | (uid
[9] << 6) | (uid
[10] << 5) | (uid
[11] << 4)
1251 | (uid
[12] << 3) | (uid
[13] << 2) | (uid
[14] << 1) | uid
[15];
1252 uid3
= (uid
[16] << 7) | (uid
[17] << 6) | (uid
[18] << 5) | (uid
[19] << 4)
1253 | (uid
[20] << 3) | (uid
[21] << 2) | (uid
[22] << 1) | uid
[23];
1254 uid4
= (uid
[24] << 7) | (uid
[25] << 6) | (uid
[26] << 5) | (uid
[27] << 4)
1255 | (uid
[28] << 3) | (uid
[29] << 2) | (uid
[30] << 1) | uid
[31];
1256 Dbprintf("UID: %02X %02X %02X %02X", uid1
, uid2
, uid3
, uid4
);
1257 tag
.uid
= (uid4
<< 24 | uid3
<< 16 | uid2
<< 8 | uid1
);
1261 calc_crc(&crc
, 0x00, 5);
1262 calc_crc(&crc
, uid1
, 8);
1263 calc_crc(&crc
, uid2
, 8);
1264 calc_crc(&crc
, uid3
, 8);
1265 calc_crc(&crc
, uid4
, 8);
1266 Dbprintf("crc: %02X", crc
);
1268 //resetting response bit
1269 for (i
= 0; i
< 100; i
++) {
1270 response_bit
[i
] = 0;
1274 for (i
= 5; i
< 37; i
++) {
1275 response_bit
[i
] = uid
[i
- 5];
1278 for (j
= 0; j
< 8; j
++) {
1279 response_bit
[i
] = 0;
1280 if ((crc
& ((mask
<< 7) >> j
)) != 0)
1281 response_bit
[i
] = 1;
1286 for (i
= 0; i
< 6; i
++) {
1287 tx
[i
] = (response_bit
[k
] << 7) | (response_bit
[k
+ 1] << 6)
1288 | (response_bit
[k
+ 2] << 5) | (response_bit
[k
+ 3] << 4)
1289 | (response_bit
[k
+ 4] << 3) | (response_bit
[k
+ 5] << 2)
1290 | (response_bit
[k
+ 6] << 1) | response_bit
[k
+ 7];
1295 } else if (tag
.pstate
== INIT
&& rxlen
> 24) {
1296 // received configuration after select command
1298 for (i
= 0; i
< 4; i
++) {
1299 for (j
= 0; j
< 8; j
++) {
1300 response_bit
[z
] = 0;
1301 if ((rx
[i
] & ((mask
<< 7) >> j
)) != 0) {
1302 response_bit
[z
] = 1;
1308 //check wich memorysize this tag has
1310 if (response_bit
[6] == 0 && response_bit
[7] == 0)
1311 tag
.max_page
= 32 / 32;
1312 if (response_bit
[6] == 0 && response_bit
[7] == 1)
1313 tag
.max_page
= 256 / 32;
1314 if (response_bit
[6] == 1 && response_bit
[7] == 0)
1315 tag
.max_page
= 2048 / 32;
1316 if (response_bit
[6] == 1 && response_bit
[7] == 1) //reserved but some tags got this setting
1317 tag
.max_page
= 2048 / 32;
1320 tag
.auth
= response_bit
[8];
1321 tag
.TTFC
= response_bit
[9];
1322 //tag.TTFDR in response_bit[10] and response_bit[11]
1323 //tag.TTFM in response_bit[12] and response_bit[13]
1324 tag
.LCON
= response_bit
[14];
1325 tag
.LKP
= response_bit
[15];
1328 tag
.LCK7
= response_bit
[16];
1329 tag
.LCK6
= response_bit
[17];
1330 tag
.LCK5
= response_bit
[18];
1331 tag
.LCK4
= response_bit
[19];
1332 tag
.LCK3
= response_bit
[20];
1333 tag
.LCK2
= response_bit
[21];
1334 tag
.LCK1
= response_bit
[22];
1335 tag
.LCK0
= response_bit
[23];
1338 conf_pages
[0] = ((response_bit
[0] << 7) | (response_bit
[1] << 6)
1339 | (response_bit
[2] << 5) | (response_bit
[3] << 4)
1340 | (response_bit
[4] << 3) | (response_bit
[5] << 2)
1341 | (response_bit
[6] << 1) | response_bit
[7]);
1342 conf_pages
[1] = ((response_bit
[8] << 7) | (response_bit
[9] << 6)
1343 | (response_bit
[10] << 5) | (response_bit
[11] << 4)
1344 | (response_bit
[12] << 3) | (response_bit
[13] << 2)
1345 | (response_bit
[14] << 1) | response_bit
[15]);
1346 conf_pages
[2] = ((response_bit
[16] << 7) | (response_bit
[17] << 6)
1347 | (response_bit
[18] << 5) | (response_bit
[19] << 4)
1348 | (response_bit
[20] << 3) | (response_bit
[21] << 2)
1349 | (response_bit
[22] << 1) | response_bit
[23]);
1350 Dbprintf("conf0: %02X conf1: %02X conf2: %02X", conf_pages
[0], conf_pages
[1], conf_pages
[2]);
1351 Dbprintf("tag.max_page: %d, tag.auth: %d", tag
.max_page
, tag
.auth
);
1354 if (tag
.auth
== 1) {
1355 //if the tag is in authentication mode try the key or challenge
1358 if(htf
==02||htf
==04){ //RHTS_KEY //WHTS_KEY
1359 state
= hitag2_init(rev64(key
), rev32(tag
.uid
), rev32(rnd
));
1361 Dbprintf("key: %02X %02X\n\n", key, rev64(key));
1362 Dbprintf("tag.uid: %02X %02X\n\n", tag.uid, rev32(tag.uid));
1363 Dbprintf("rnd: %02X %02X\n\n", rnd, rev32(rnd));
1365 for (i
= 0; i
< 4; i
++) {
1366 auth_ks
[i
] = hitag2_byte(&state
) ^ 0xff;
1370 tx
[1] = (rnd
>> 8) & 0xff;
1371 tx
[2] = (rnd
>> 16) & 0xff;
1372 tx
[3] = (rnd
>> 24) & 0xff;
1379 Dbprintf("%02X %02X %02X %02X %02X %02X %02X %02X", tx
[0],
1380 tx
[1], tx
[2], tx
[3], tx
[4], tx
[5], tx
[6], tx
[7]);
1381 } else if(htf
==01 || htf
==03) { //RHTS_CHALLENGE //WHTS_CHALLENGE
1382 for (i
= 0; i
< 8; i
++)
1383 tx
[i
]=((NrAr
>>(56-(i
*8)))&0xff);
1386 tag
.pstate
= AUTHENTICATE
;
1388 Dbprintf("authentication failed!");
1391 } else if (tag
.auth
== 0) {
1392 tag
.pstate
= SELECTED
;
1395 } else if (tag
.pstate
== AUTHENTICATE
&& rxlen
>= 32) {
1396 //encrypted con2,password received.
1398 Dbprintf("UID:::%X", tag
.uid
);
1399 Dbprintf("RND:::%X", rnd
);
1406 if(htf
==02 || htf
==04) { //RHTS_KEY //WHTS_KEY
1407 state
= hitag2_init(rev64(key
), rev32(tag
.uid
), rev32(rnd
));
1408 for (i
= 0; i
< 5; i
++) {
1409 hitag2_byte(&state
);
1411 pwdh0
= ((rx
[1] & 0x0f) * 16 + ((rx
[2] & 0xf0) / 16)) ^ hitag2_byte(&state
);
1412 pwdl0
= ((rx
[2] & 0x0f) * 16 + ((rx
[3] & 0xf0) / 16)) ^ hitag2_byte(&state
);
1413 pwdl1
= ((rx
[3] & 0x0f) * 16 + ((rx
[4] & 0xf0) / 16)) ^ hitag2_byte(&state
);
1415 Dbprintf("pwdh0 %02X pwdl0 %02X pwdl1 %02X", pwdh0
, pwdl0
, pwdl1
);
1418 tag
.pstate
= SELECTED
; //tag is now ready for read/write commands
1422 Dbprintf("END hitagS_handle_tag_auth - tagstate=%d", (int)tag
.pstate
);
1429 * Emulates a Hitag S Tag with the given data from the .hts file
1431 void SimulateHitagSTag(bool tag_mem_supplied
, byte_t
* data
) {
1436 byte_t rx
[HITAG_FRAME_LEN
];
1439 byte_t txbuf
[HITAG_FRAME_LEN
];
1442 uint8_t con0
, con1
, con2
;
1445 // Clean up trace and prepare it for storing frames
1449 DbpString("Starting HitagS simulation");
1454 //read tag data into memory
1455 if (tag_mem_supplied
) {
1456 DbpString("Loading hitagS memory...");
1457 for (i
= 0; i
< 64; i
++) {
1458 for (j
= 0; j
< 4; j
++) {
1459 tag
.pages
[i
][j
] = 0x0;
1463 for (i
= 0; i
< 64; i
++) {
1464 for (j
= 0; j
< 4; j
++) {
1465 tag
.pages
[i
][j
] = data
[(i
*4)+j
];
1469 tag
.uid
= (tag
.pages
[0][3] << 24 | tag
.pages
[0][2] << 16 | tag
.pages
[0][1] << 8 | tag
.pages
[0][0]);
1470 con0
= tag
.pages
[1][3];
1471 con1
= tag
.pages
[1][2];
1472 con2
= tag
.pages
[1][1];
1473 Dbprintf("UID: %X", tag
.uid
);
1474 Dbprintf("Hitag S simulation started");
1476 //0x01 plain mode - Reserved, CON2, CON1, CON0
1477 //0x01 auth mode - PWDH 0, CON2, CON1, CON0
1478 //0x02 auth mode - KEYH 1, KEYH 0, PWDL 1, PWDL 0
1479 //0x03 auth mode - KEYL 3, KEYL 2, KEYL 1, KEYL 0
1482 tag
.max_page
= 2048 / 32;
1483 if ((con0
& 0x2) == 0 && (con0
& 0x1) == 1)
1484 tag
.max_page
= 256 / 32;
1485 if ((con0
& 0x2) == 0 && (con0
& 0x1) == 0)
1486 tag
.max_page
= 32 / 32;
1489 tag
.auth
= ((con1
& 0x80) == 0x80) ? 1 : 0;
1490 tag
.TTFC
= ((con1
& 0x40) == 0x40) ? 1 : 0;
1491 //tag.TTFDR in response_bit[10] and response_bit[11]
1492 //tag.TTFM in response_bit[12] and response_bit[13]
1493 tag
.LCON
= ((con1
& 0x2) == 0x2) ? 1 : 0;
1494 tag
.LKP
= ((con1
& 0x1) == 0x1) ? 1 : 0;
1497 tag
.LCK7
= ((con2
& 0x80) == 0x80) ? 1 : 0;
1498 tag
.LCK6
= ((con2
& 0x40) == 0x40) ? 1 : 0;
1499 tag
.LCK5
= ((con2
& 0x20) == 0x20) ? 1 : 0;
1500 tag
.LCK4
= ((con2
& 0x10) == 0x10) ? 1 : 0;
1501 tag
.LCK3
= ((con2
& 0x8) == 0x8) ? 1 : 0;
1502 tag
.LCK2
= ((con2
& 0x4) == 0x4) ? 1 : 0;
1503 tag
.LCK1
= ((con2
& 0x2) == 0x2) ? 1 : 0;
1504 tag
.LCK0
= ((con2
& 0x1) == 0x1) ? 1 : 0;
1506 if (tag
.auth
== 1) {
1507 //TODO check if this working :D
1508 tag
.key
=(intptr_t)tag
.pages
[3];
1510 tag
.key
+=((tag
.pages
[2][0])<<8)+tag
.pages
[2][1];
1511 tag
.pwdl0
=tag
.pages
[2][3];
1512 tag
.pwdl1
=tag
.pages
[2][2];
1513 tag
.pwdh0
=tag
.pages
[1][0];
1516 // Set up simulator mode, frequency divisor which will drive the FPGA
1517 // and analog mux selection.
1518 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
1519 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT
);
1520 FpgaSendCommand(FPGA_CMD_SET_DIVISOR
, 95); //125Khz
1521 SetAdcMuxFor(GPIO_MUXSEL_LOPKD
);
1524 // Configure output pin that is connected to the FPGA (for modulating)
1525 AT91C_BASE_PIOA
->PIO_OER
= GPIO_SSC_DOUT
;
1526 AT91C_BASE_PIOA
->PIO_PER
= GPIO_SSC_DOUT
;
1528 // Disable modulation at default, which means release resistance
1531 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1532 AT91C_BASE_PMC
->PMC_PCER
= (1 << AT91C_ID_TC0
);
1534 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
1535 AT91C_BASE_PMC
->PMC_PCER
= (1 << AT91C_ID_TC1
);
1536 AT91C_BASE_PIOA
->PIO_BSR
= GPIO_SSC_FRAME
;
1538 // Disable timer during configuration
1539 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKDIS
;
1540 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
1542 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
1543 AT91C_BASE_TC0
->TC_CMR
= AT91C_TC_CLKS_TIMER_DIV1_CLOCK
;
1545 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1546 // external trigger rising edge, load RA on rising edge of TIOA.
1547 AT91C_BASE_TC1
->TC_CMR
= AT91C_TC_CLKS_TIMER_DIV1_CLOCK
| AT91C_TC_ETRGEDG_RISING
| AT91C_TC_ABETRG
| AT91C_TC_LDRA_RISING
;
1549 // Reset the received frame, frame count and timing info
1550 memset(rx
, 0x00, sizeof(rx
));
1555 // Enable and reset counter
1556 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
1558 while (!BUTTON_PRESS()) {
1562 // Receive frame, watch for at most T0*EOF periods
1564 while (AT91C_BASE_TC1
->TC_CV
< T0
* HITAG_T_EOF
) {
1565 // Check if rising edge in modulation is detected
1566 if (AT91C_BASE_TC1
->TC_SR
& AT91C_TC_LDRAS
) {
1567 // Retrieve the new timing values
1568 int ra
= (AT91C_BASE_TC1
->TC_RA
/ T0
) + overflow
;
1571 // Reset timer every frame, we have to capture the last edge for timing
1572 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
1576 // Capture reader frame
1577 if (ra
>= HITAG_T_STOP
) {
1579 //DbpString("wierd0?");
1581 // Capture the T0 periods that have passed since last communication or field drop (reset)
1582 response
= (ra
- HITAG_T_LOW
);
1583 } else if (ra
>= HITAG_T_1_MIN
) {
1585 rx
[rxlen
/ 8] |= 1 << (7 - (rxlen
% 8));
1587 } else if (ra
>= HITAG_T_0_MIN
) {
1589 rx
[rxlen
/ 8] |= 0 << (7 - (rxlen
% 8));
1592 // Ignore wierd value, is to small to mean anything
1597 // Check if frame was captured
1601 if (!LogTraceHitag(rx
, rxlen
, response
, 0, true)) {
1602 DbpString("Trace full");
1607 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1608 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
1610 // Process the incoming frame (rx) and prepare the outgoing frame (tx)
1611 hitagS_handle_reader_command(rx
, rxlen
, tx
, &txlen
);
1613 // Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
1614 // not that since the clock counts since the rising edge, but T_Wait1 is
1615 // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
1616 // periods. The gap time T_Low varies (4..10). All timer values are in
1617 // terms of T0 units
1618 while (AT91C_BASE_TC0
->TC_CV
< T0
* (HITAG_T_WAIT_1
- HITAG_T_LOW
)) { }
1620 // Send and store the tag answer (if there is any)
1622 // Transmit the tag frame
1623 hitag_tag_send_frame(tx
, txlen
);
1625 // Store the frame in the trace
1627 if (!LogTraceHitag(tx
, txlen
, 0, 0, false)) {
1628 DbpString("Trace full");
1634 // Enable and reset external trigger in timer for capturing future frames
1635 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
1637 // Reset the received frame and response timing info
1638 memset(rx
, 0x00, sizeof(rx
));
1643 // Reset the frame length
1645 // Save the timer overflow, will be 0 when frame was received
1646 overflow
+= (AT91C_BASE_TC1
->TC_CV
/ T0
);
1647 // Reset the timer to restart while-loop that receives frames
1648 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_SWTRG
;
1650 Dbprintf("Hitag S simulation stopped");
1653 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
1654 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKDIS
;
1655 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1659 * Authenticates to the Tag with the given key or challenge.
1660 * If the key was given the password will be decrypted.
1661 * Reads every page of a hitag S transpoder.
1663 void ReadHitagSintern(hitag_function htf
, hitag_data
* htd
, stype tagMode
, int startPage
, bool readBlock
) {
1666 int sendNum
= startPage
;
1670 //int response_bit[200];
1671 //unsigned char mask = 1;
1674 byte_t rx
[HITAG_FRAME_LEN
];
1676 byte_t txbuf
[HITAG_FRAME_LEN
];
1680 int t_wait
= HITAG_T_WAIT_MAX
;
1682 bool bQuitTraceFull
= false;
1684 page_to_be_written
= 0;
1686 //read given key/challenge
1693 case 03: { //RHTS_CHALLENGE
1694 DbpString("Authenticating using nr,ar pair:");
1695 memcpy(NrAr_
,htd
->auth
.NrAr
,8);
1696 Dbhexdump(8,NrAr_
,false);
1697 NrAr
=NrAr_
[7] | ((uint64_t)NrAr_
[6]) << 8 | ((uint64_t)NrAr_
[5]) << 16 | ((uint64_t)NrAr_
[4]) << 24 | ((uint64_t)NrAr_
[3]) << 32 |
1698 ((uint64_t)NrAr_
[2]) << 40| ((uint64_t)NrAr_
[1]) << 48 | ((uint64_t)NrAr_
[0]) << 56;
1701 case 04: { //RHTS_KEY
1702 DbpString("Authenticating using key:");
1703 memcpy(key_
,htd
->crypto
.key
,6);
1704 Dbhexdump(6,key_
,false);
1705 key
=key_
[5] | ((uint64_t)key_
[4]) << 8 | ((uint64_t)key_
[3]) << 16 | ((uint64_t)key_
[2]) << 24 | ((uint64_t)key_
[1]) << 32 | ((uint64_t)key_
[0]) << 40;
1708 Dbprintf("Error , unknown function: %d",htf
);
1715 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
1716 // Reset the return status
1717 bSuccessful
= false;
1719 // Clean up trace and prepare it for storing frames
1727 // Configure output and enable pin that is connected to the FPGA (for modulating)
1728 AT91C_BASE_PIOA
->PIO_OER
= GPIO_SSC_DOUT
;
1729 AT91C_BASE_PIOA
->PIO_PER
= GPIO_SSC_DOUT
;
1731 // Set fpga in edge detect with reader field, we can modulate as reader now
1732 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT
| FPGA_LF_EDGE_DETECT_READER_FIELD
);
1734 // Set Frequency divisor which will drive the FPGA and analog mux selection
1735 FpgaSendCommand(FPGA_CMD_SET_DIVISOR
, 95); //125Khz
1736 SetAdcMuxFor(GPIO_MUXSEL_LOPKD
);
1739 // Disable modulation at default, which means enable the field
1742 // Give it a bit of time for the resonant antenna to settle.
1745 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1746 AT91C_BASE_PMC
->PMC_PCER
= (1 << AT91C_ID_TC0
);
1748 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1749 AT91C_BASE_PMC
->PMC_PCER
= (1 << AT91C_ID_TC1
);
1750 AT91C_BASE_PIOA
->PIO_BSR
= GPIO_SSC_FRAME
;
1752 // Disable timer during configuration
1753 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKDIS
;
1754 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
1756 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
1757 AT91C_BASE_TC0
->TC_CMR
= AT91C_TC_CLKS_TIMER_DIV1_CLOCK
;
1759 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1760 // external trigger rising edge, load RA on falling edge of TIOA.
1761 AT91C_BASE_TC1
->TC_CMR
= AT91C_TC_CLKS_TIMER_DIV1_CLOCK
| AT91C_TC_ETRGEDG_FALLING
| AT91C_TC_ABETRG
| AT91C_TC_LDRA_FALLING
;
1763 // Enable and reset counters
1764 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
1765 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
1767 // Reset the received frame, frame count and timing info
1774 while (!bStop
&& !BUTTON_PRESS()) {
1779 // Add transmitted frame to total count
1783 if (tag
.pstate
== READY
&& rxlen
< 1) {
1784 //skip logging starting auths if no response
1787 // Store the frame in the trace
1788 if (!LogTraceHitag(tx
, txlen
, HITAG_T_WAIT_2
, 0, true)) {
1789 if (bQuitTraceFull
) {
1790 DbpString("Trace full");
1800 // Check if frame was captured and store it
1804 if (!LogTraceHitag(rx
, rxlen
, response
, 0, false)) {
1805 DbpString("Trace full");
1806 if (bQuitTraceFull
) {
1815 // By default reset the transmission buffer
1820 Dbprintf("FRO %d rxlen: %d, pstate=%d, tstate=%d", frame_count
, rxlen
, (int)tag
.pstate
, (int)tag
.tstate
);
1824 //start authentication
1825 hitag_start_auth(tx
, &txlen
);
1826 } else if (tag
.pstate
!= SELECTED
) {
1827 if (hitagS_handle_tag_auth(htf
, key
,NrAr
,rx
, rxlen
, tx
, &txlen
) == -1) {
1828 Dbprintf("hitagS_handle_tag_auth - bStop = !false");
1835 if (readBlock
&& tag
.pstate
== SELECTED
&& (tag
.tstate
== READING_BLOCK
|| tag
.tstate
== NO_OP
) && rxlen
> 0) {
1836 i
= hitag_read_block(htf
, key
, rx
, &rxlen
, tx
, &txlen
, sendNum
);
1837 if (i
> 0) { sendNum
+=4; }
1838 if (sendNum
+4 >= tag
.max_page
) {
1841 } else if (!readBlock
&& tag
.pstate
== SELECTED
&& (tag
.tstate
== READING_PAGE
|| tag
.tstate
== NO_OP
) && rxlen
> 0) {
1842 i
= hitag_read_page(htf
, key
, rx
, &rxlen
, tx
, &txlen
, sendNum
);
1843 if (i
> 0) { sendNum
++; }
1844 if (sendNum
>= tag
.max_page
) {
1849 // Send and store the reader command
1850 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1851 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
1853 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1854 // Since the clock counts since the last falling edge, a 'one' means that the
1855 // falling edge occured halfway the period. with respect to this falling edge,
1856 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1857 // All timer values are in terms of T0 units
1859 while (AT91C_BASE_TC0
->TC_CV
< T0
* (t_wait
+ (HITAG_T_TAG_HALF_PERIOD
* lastbit
))) { }
1861 // Transmit the reader frame
1862 hitag_reader_send_frame(tx
, txlen
);
1865 // Enable and reset external trigger in timer for capturing future frames
1866 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
1869 // Reset values for receiving frames
1870 memset(rx
, 0x00, sizeof(rx
));
1875 // get tag id in anti-collision mode (proprietary data format, so switch off manchester and read at double the data rate, for 4 x the data bits)
1876 hitag_receive_frame(rx
, &rxlen
, &response
);
1881 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
1882 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKDIS
;
1883 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1884 cmd_send(CMD_ACK
, bSuccessful
, 0, 0, 0, 0);
1887 void ReadHitagSCmd(hitag_function htf
, hitag_data
* htd
, uint64_t startPage
, uint64_t tagMode
, bool readBlock
) {
1889 Dbprintf("ReadHitagS in mode=ADVANCED, blockRead=%d, startPage=%d", readBlock
, startPage
);
1890 ReadHitagSintern(htf
, htd
, ADVANCED
, (int)startPage
, readBlock
);
1891 } else if (tagMode
== 2) {
1892 Dbprintf("ReadHitagS in mode=FAST_ADVANCED, blockRead=%d, startPage=%d", readBlock
, startPage
);
1893 ReadHitagSintern(htf
, htd
, FAST_ADVANCED
, (int)startPage
, readBlock
);
1895 Dbprintf("ReadHitagS in mode=STANDARD, blockRead=%d, startPage=%d", readBlock
, startPage
);
1896 ReadHitagSintern(htf
, htd
, STANDARD
, (int)startPage
, readBlock
);
1903 * Authenticates to the Tag with the given Key or Challenge.
1904 * Writes the given 32Bit data into page_
1906 void WritePageHitagS(hitag_function htf
, hitag_data
* htd
,int page_
) {
1909 byte_t rx
[HITAG_FRAME_LEN
];
1911 byte_t txbuf
[HITAG_FRAME_LEN
];
1915 int t_wait
= HITAG_T_WAIT_MAX
;
1917 bool bQuitTraceFull
= false;
1920 byte_t data
[4]= {0,0,0,0};
1922 //read given key/challenge, the page and the data
1928 case 03: { //WHTS_CHALLENGE
1929 memcpy(data
,htd
->auth
.data
,4);
1930 DbpString("Authenticating using nr,ar pair:");
1931 memcpy(NrAr_
,htd
->auth
.NrAr
,8);
1932 Dbhexdump(8,NrAr_
,false);
1933 NrAr
=NrAr_
[7] | ((uint64_t)NrAr_
[6]) << 8 | ((uint64_t)NrAr_
[5]) << 16 | ((uint64_t)NrAr_
[4]) << 24 | ((uint64_t)NrAr_
[3]) << 32 |
1934 ((uint64_t)NrAr_
[2]) << 40| ((uint64_t)NrAr_
[1]) << 48 | ((uint64_t)NrAr_
[0]) << 56;
1936 case 04: { //WHTS_KEY
1937 memcpy(data
,htd
->crypto
.data
,4);
1938 DbpString("Authenticating using key:");
1939 memcpy(key_
,htd
->crypto
.key
,6);
1940 Dbhexdump(6,key_
,false);
1941 key
=key_
[5] | ((uint64_t)key_
[4]) << 8 | ((uint64_t)key_
[3]) << 16 | ((uint64_t)key_
[2]) << 24 | ((uint64_t)key_
[1]) << 32 | ((uint64_t)key_
[0]) << 40;
1944 Dbprintf("Error , unknown function: %d",htf
);
1949 Dbprintf("Page: %d",page_
);
1950 Dbprintf("DATA: %02X %02X %02X %02X", data
[0], data
[1], data
[2], data
[3]);
1951 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
1952 // Reset the return status
1953 bSuccessful
= false;
1958 // Clean up trace and prepare it for storing frames
1966 // Configure output and enable pin that is connected to the FPGA (for modulating)
1967 AT91C_BASE_PIOA
->PIO_OER
= GPIO_SSC_DOUT
;
1968 AT91C_BASE_PIOA
->PIO_PER
= GPIO_SSC_DOUT
;
1970 // Set fpga in edge detect with reader field, we can modulate as reader now
1971 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT
| FPGA_LF_EDGE_DETECT_READER_FIELD
);
1973 // Set Frequency divisor which will drive the FPGA and analog mux selection
1974 FpgaSendCommand(FPGA_CMD_SET_DIVISOR
, 95); //125Khz
1975 SetAdcMuxFor(GPIO_MUXSEL_LOPKD
);
1978 // Disable modulation at default, which means enable the field
1981 // Give it a bit of time for the resonant antenna to settle.
1984 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1985 AT91C_BASE_PMC
->PMC_PCER
= (1 << AT91C_ID_TC0
);
1987 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1988 AT91C_BASE_PMC
->PMC_PCER
= (1 << AT91C_ID_TC1
);
1989 AT91C_BASE_PIOA
->PIO_BSR
= GPIO_SSC_FRAME
;
1991 // Disable timer during configuration
1992 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKDIS
;
1993 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
1995 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
1996 AT91C_BASE_TC0
->TC_CMR
= AT91C_TC_CLKS_TIMER_DIV1_CLOCK
;
1998 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1999 // external trigger rising edge, load RA on falling edge of TIOA.
2000 AT91C_BASE_TC1
->TC_CMR
= AT91C_TC_CLKS_TIMER_DIV1_CLOCK
2001 | AT91C_TC_ETRGEDG_FALLING
| AT91C_TC_ABETRG
2002 | AT91C_TC_LDRA_FALLING
;
2004 // Enable and reset counters
2005 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
2006 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
2008 // Reset the received frame, frame count and timing info
2015 while (!bStop
&& !BUTTON_PRESS()) {
2019 // Check if frame was captured and store it
2023 if (!LogTraceHitag(rx
, rxlen
, response
, 0, false)) {
2024 DbpString("Trace full");
2025 if (bQuitTraceFull
) {
2034 //check for valid input
2037 Dbprintf("usage: lf hitag writer [03 | 04] [CHALLENGE | KEY] [page] [byte0] [byte1] [byte2] [byte3]");
2042 // By default reset the transmission buffer
2046 if (rxlen
== 0 && tag
.tstate
== WRITING_PAGE_ACK
) {
2047 //no write access on this page
2048 Dbprintf("no write access on page %d", page_
);
2050 } else if (rxlen
== 0 && tag
.tstate
!= WRITING_PAGE_DATA
) {
2051 //start the authetication
2052 //tag.mode = ADVANCED;
2053 tag
.mode
= STANDARD
;
2054 hitag_start_auth(tx
, &txlen
);
2056 } else if (tag
.pstate
!= SELECTED
) {
2057 //try to authenticate with the given key or challenge
2058 if (hitagS_handle_tag_auth(htf
,key
,NrAr
,rx
, rxlen
, tx
, &txlen
) == -1) {
2064 if (tag
.pstate
== SELECTED
&& tag
.tstate
== NO_OP
&& rxlen
> 0) {
2065 //check if the given page exists
2066 if (page
> tag
.max_page
) {
2067 Dbprintf("page number too big");
2070 //ask Tag for write permission
2071 tag
.tstate
= WRITING_PAGE_ACK
;
2074 tx
[0] = 0x90 + (page
/ 16);
2075 calc_crc(&crc
, tx
[0], 8);
2076 calc_crc(&crc
, 0x00 + ((page
% 16) * 16), 4);
2077 tx
[1] = 0x00 + ((page
% 16) * 16) + (crc
/ 16);
2078 tx
[2] = 0x00 + (crc
% 16) * 16;
2079 } else if (tag
.pstate
== SELECTED
&& tag
.tstate
== WRITING_PAGE_ACK
2080 && rxlen
== 2 && rx
[0] == 0x40) {
2081 //ACK recieved to write the page. send data
2082 tag
.tstate
= WRITING_PAGE_DATA
;
2085 calc_crc(&crc
, data
[3], 8);
2086 calc_crc(&crc
, data
[2], 8);
2087 calc_crc(&crc
, data
[1], 8);
2088 calc_crc(&crc
, data
[0], 8);
2094 } else if (tag
.pstate
== SELECTED
&& tag
.tstate
== WRITING_PAGE_DATA
2095 && rxlen
== 2 && rx
[0] == 0x40) {
2097 Dbprintf("Successful!");
2101 // Send and store the reader command
2102 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2103 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
2105 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2106 // Since the clock counts since the last falling edge, a 'one' means that the
2107 // falling edge occured halfway the period. with respect to this falling edge,
2108 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2109 // All timer values are in terms of T0 units
2111 while (AT91C_BASE_TC0
->TC_CV
2112 < T0
* (t_wait
+ (HITAG_T_TAG_HALF_PERIOD
* lastbit
)))
2115 // Transmit the reader frame
2116 hitag_reader_send_frame(tx
, txlen
);
2118 // Enable and reset external trigger in timer for capturing future frames
2119 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
2121 // Add transmitted frame to total count
2125 // Store the frame in the trace
2126 if (!LogTraceHitag(tx
, txlen
, HITAG_T_WAIT_2
, 0, true)) {
2127 if (bQuitTraceFull
) {
2128 DbpString("Trace full");
2137 // Reset values for receiving frames
2138 memset(rx
, 0x00, sizeof(rx
));
2143 hitag_receive_frame(rx
, &rxlen
, &response
);
2148 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
2149 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKDIS
;
2150 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
2151 cmd_send(CMD_ACK
, bSuccessful
, 0, 0, 0, 0);
2156 * Tries to authenticate to a Hitag S Transponder with the given challenges from a .cc file.
2157 * Displays all Challenges that failed.
2158 * When collecting Challenges to break the key it is possible that some data
2159 * is not received correctly due to Antenna problems. This function
2160 * detects these challenges.
2162 void check_challenges_cmd(bool file_given
, byte_t
* data
, uint64_t tagMode
) {
2167 byte_t rx
[HITAG_FRAME_LEN
];
2168 byte_t unlocker
[60][8];
2171 byte_t txbuf
[HITAG_FRAME_LEN
];
2175 int t_wait
= HITAG_T_WAIT_MAX
;
2178 bool bQuitTraceFull
= false;
2179 int response_bit
[200];
2180 unsigned char mask
= 1;
2181 unsigned char uid
[32];
2185 Dbprintf("check_challenges in mode=ADVANCED");
2186 tag
.mode
= ADVANCED
;
2187 } else if (tagMode
== 2) {
2188 Dbprintf("check_challenges in mode=FAST_ADVANCED");
2189 tag
.mode
= FAST_ADVANCED
;
2191 Dbprintf("check_challenges in mode=STANDARD");
2192 tag
.mode
= STANDARD
;
2196 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
2197 // Reset the return status
2198 bSuccessful
= false;
2200 // Clean up trace and prepare it for storing frames
2208 // Configure output and enable pin that is connected to the FPGA (for modulating)
2209 AT91C_BASE_PIOA
->PIO_OER
= GPIO_SSC_DOUT
;
2210 AT91C_BASE_PIOA
->PIO_PER
= GPIO_SSC_DOUT
;
2212 // Set fpga in edge detect with reader field, we can modulate as reader now
2214 FPGA_MAJOR_MODE_LF_EDGE_DETECT
| FPGA_LF_EDGE_DETECT_READER_FIELD
);
2216 // Set Frequency divisor which will drive the FPGA and analog mux selection
2217 FpgaSendCommand(FPGA_CMD_SET_DIVISOR
, 95); //125Khz
2218 SetAdcMuxFor(GPIO_MUXSEL_LOPKD
);
2221 // Disable modulation at default, which means enable the field
2224 // Give it a bit of time for the resonant antenna to settle.
2227 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
2228 AT91C_BASE_PMC
->PMC_PCER
= (1 << AT91C_ID_TC0
);
2230 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
2231 AT91C_BASE_PMC
->PMC_PCER
= (1 << AT91C_ID_TC1
);
2232 AT91C_BASE_PIOA
->PIO_BSR
= GPIO_SSC_FRAME
;
2234 // Disable timer during configuration
2235 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKDIS
;
2236 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
2238 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
2239 AT91C_BASE_TC0
->TC_CMR
= AT91C_TC_CLKS_TIMER_DIV1_CLOCK
;
2241 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
2242 // external trigger rising edge, load RA on falling edge of TIOA.
2243 AT91C_BASE_TC1
->TC_CMR
= AT91C_TC_CLKS_TIMER_DIV1_CLOCK
| AT91C_TC_ETRGEDG_FALLING
| AT91C_TC_ABETRG
| AT91C_TC_LDRA_FALLING
;
2245 // Enable and reset counters
2246 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
2247 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
2249 // Reset the received frame, frame count and timing info
2258 DbpString("Loading challenges...");
2259 memcpy((byte_t
*)unlocker
,data
,60*8);
2262 while (file_given
&& !bStop
&& !BUTTON_PRESS()) {
2266 // Check if frame was captured and store it
2270 if (!LogTraceHitag(rx
, rxlen
, response
, 0, false)) {
2271 DbpString("Trace full");
2272 if (bQuitTraceFull
) {
2286 Dbprintf("Challenge failed: %02X %02X %02X %02X %02X %02X %02X %02X",
2287 unlocker
[u1
- 1][0], unlocker
[u1
- 1][1],
2288 unlocker
[u1
- 1][2], unlocker
[u1
- 1][3],
2289 unlocker
[u1
- 1][4], unlocker
[u1
- 1][5],
2290 unlocker
[u1
- 1][6], unlocker
[u1
- 1][7]);
2293 hitag_start_auth(tx
, &txlen
);
2294 } else if (rxlen
>= 32 && STATE
== 0) {
2297 for (i
= 0; i
< 10; i
++) {
2298 for (j
= 0; j
< 8; j
++) {
2299 response_bit
[z
] = 0;
2300 if ((rx
[i
] & ((mask
<< 7) >> j
)) != 0)
2301 response_bit
[z
] = 1;
2305 for (i
= 0; i
< 32; i
++) {
2306 uid
[i
] = response_bit
[i
];
2309 uid_byte
[0] = (uid
[0] << 7) | (uid
[1] << 6) | (uid
[2] << 5)
2310 | (uid
[3] << 4) | (uid
[4] << 3) | (uid
[5] << 2)
2311 | (uid
[6] << 1) | uid
[7];
2312 uid_byte
[1] = (uid
[8] << 7) | (uid
[9] << 6) | (uid
[10] << 5)
2313 | (uid
[11] << 4) | (uid
[12] << 3) | (uid
[13] << 2)
2314 | (uid
[14] << 1) | uid
[15];
2315 uid_byte
[2] = (uid
[16] << 7) | (uid
[17] << 6) | (uid
[18] << 5)
2316 | (uid
[19] << 4) | (uid
[20] << 3) | (uid
[21] << 2)
2317 | (uid
[22] << 1) | uid
[23];
2318 uid_byte
[3] = (uid
[24] << 7) | (uid
[25] << 6) | (uid
[26] << 5)
2319 | (uid
[27] << 4) | (uid
[28] << 3) | (uid
[29] << 2)
2320 | (uid
[30] << 1) | uid
[31];
2321 //Dbhexdump(10, rx, rxlen);
2325 calc_crc(&crc
, 0x00, 5);
2326 calc_crc(&crc
, uid_byte
[0], 8);
2327 calc_crc(&crc
, uid_byte
[1], 8);
2328 calc_crc(&crc
, uid_byte
[2], 8);
2329 calc_crc(&crc
, uid_byte
[3], 8);
2330 for (i
= 0; i
< 100; i
++) {
2331 response_bit
[i
] = 0;
2333 for (i
= 0; i
< 5; i
++) {
2334 response_bit
[i
] = 0;
2336 for (i
= 5; i
< 37; i
++) {
2337 response_bit
[i
] = uid
[i
- 5];
2339 for (j
= 0; j
< 8; j
++) {
2340 response_bit
[i
] = 0;
2341 if ((crc
& ((mask
<< 7) >> j
)) != 0)
2342 response_bit
[i
] = 1;
2346 for (i
= 0; i
< 6; i
++) {
2347 tx
[i
] = (response_bit
[k
] << 7) | (response_bit
[k
+ 1] << 6)
2348 | (response_bit
[k
+ 2] << 5)
2349 | (response_bit
[k
+ 3] << 4)
2350 | (response_bit
[k
+ 4] << 3)
2351 | (response_bit
[k
+ 5] << 2)
2352 | (response_bit
[k
+ 6] << 1) | response_bit
[k
+ 7];
2358 } else if (STATE
== 1 && rxlen
> 24) {
2359 //received configuration
2362 for (i
= 0; i
< 6; i
++) {
2363 for (j
= 0; j
< 8; j
++) {
2364 response_bit
[z
] = 0;
2365 if ((rx
[i
] & ((mask
<< 7) >> j
)) != 0)
2366 response_bit
[z
] = 1;
2372 if (u1
>= (sizeof(unlocker
) / sizeof(unlocker
[0])))
2374 for (i
= 0; i
< 8; i
++)
2375 tx
[i
] = unlocker
[u1
][i
];
2378 tag
.pstate
= SELECTED
;
2379 } else if (STATE
== 2 && rxlen
>= 32) {
2383 // Send and store the reader command
2384 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2385 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
2387 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2388 // Since the clock counts since the last falling edge, a 'one' means that the
2389 // falling edge occured halfway the period. with respect to this falling edge,
2390 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2391 // All timer values are in terms of T0 units
2392 while (AT91C_BASE_TC0
->TC_CV
< T0
* (t_wait
+ (HITAG_T_TAG_HALF_PERIOD
* lastbit
))) { }
2394 // Transmit the reader frame
2395 hitag_reader_send_frame(tx
, txlen
);
2397 // Enable and reset external trigger in timer for capturing future frames
2398 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
2400 // Add transmitted frame to total count
2404 // Store the frame in the trace
2405 if (!LogTraceHitag(tx
, txlen
, HITAG_T_WAIT_2
, 0, true)) {
2406 if (bQuitTraceFull
) {
2407 DbpString("Trace full");
2416 // Reset values for receiving frames
2417 memset(rx
, 0x00, sizeof(rx
));
2422 hitag_receive_frame(rx
, &rxlen
, &response
);
2426 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
2427 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKDIS
;
2428 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
2429 cmd_send(CMD_ACK
, bSuccessful
, 0, 0, 0, 0);
2433 Backward compatibility
2435 void check_challenges(bool file_given
, byte_t
* data
) {
2436 check_challenges_cmd(file_given
, data
, 1);
2439 void ReadHitagS(hitag_function htf
, hitag_data
* htd
) {
2440 ReadHitagSintern(htf
, htd
, ADVANCED
, 0, false);