]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443a.c
projects / proxmark3-svn / blob
? search:


a02d7d42d4f7cfeb5264789205607303f00cbef1
[proxmark3-svn] / armsrc / iso14443a.c
1 //-----------------------------------------------------------------------------
2 // Routines to support ISO 14443 type A.
3 //
4 // Gerhard de Koning Gans - May 2008
5 //-----------------------------------------------------------------------------
6 #include <proxmark3.h>
7 #include "apps.h"
8 #include "../common/iso14443_crc.c"
9
10 static BYTE *trace = (BYTE *) BigBuf;
11 static int traceLen = 0;
12 static int rsamples = 0;
13
14 typedef enum {
15 SEC_D = 1,
16 SEC_E = 2,
17 SEC_F = 3,
18 SEC_X = 4,
19 SEC_Y = 5,
20 SEC_Z = 6
21 } SecType;
22
23 static const BYTE OddByteParity[256] = {
24 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
25 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
26 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
27 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
28 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
29 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
30 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
31 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
32 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
33 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
34 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
35 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
36 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
37 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
38 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
39 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
40 };
41
42 //-----------------------------------------------------------------------------
43 // Generate the parity value for a byte sequence
44 //
45 //-----------------------------------------------------------------------------
46 DWORD GetParity(const BYTE * pbtCmd, int iLen)
47 {
48 int i;
49 DWORD dwPar = 0;
50
51 // Generate the encrypted data
52 for (i = 0; i < iLen; i++) {
53 // Save the encrypted parity bit
54 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
55 }
56 return dwPar;
57 }
58
59 //-----------------------------------------------------------------------------
60 // The software UART that receives commands from the reader, and its state
61 // variables.
62 //-----------------------------------------------------------------------------
63 static struct {
64 enum {
65 STATE_UNSYNCD,
66 STATE_START_OF_COMMUNICATION,
67 STATE_MILLER_X,
68 STATE_MILLER_Y,
69 STATE_MILLER_Z,
70 STATE_ERROR_WAIT
71 } state;
72 WORD shiftReg;
73 int bitCnt;
74 int byteCnt;
75 int byteCntMax;
76 int posCnt;
77 int syncBit;
78 int parityBits;
79 int samples;
80 int highCnt;
81 int bitBuffer;
82 enum {
83 DROP_NONE,
84 DROP_FIRST_HALF,
85 DROP_SECOND_HALF
86 } drop;
87 BYTE *output;
88 } Uart;
89
90 static BOOL MillerDecoding(int bit)
91 {
92 int error = 0;
93 int bitright;
94
95 if(!Uart.bitBuffer) {
96 Uart.bitBuffer = bit ^ 0xFF0;
97 return FALSE;
98 }
99 else {
100 Uart.bitBuffer <<= 4;
101 Uart.bitBuffer ^= bit;
102 }
103
104 BOOL EOC = FALSE;
105
106 if(Uart.state != STATE_UNSYNCD) {
107 Uart.posCnt++;
108
109 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
110 bit = 0x00;
111 }
112 else {
113 bit = 0x01;
114 }
115 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
116 bitright = 0x00;
117 }
118 else {
119 bitright = 0x01;
120 }
121 if(bit != bitright) { bit = bitright; }
122
123 if(Uart.posCnt == 1) {
124 // measurement first half bitperiod
125 if(!bit) {
126 Uart.drop = DROP_FIRST_HALF;
127 }
128 }
129 else {
130 // measurement second half bitperiod
131 if(!bit & (Uart.drop == DROP_NONE)) {
132 Uart.drop = DROP_SECOND_HALF;
133 }
134 else if(!bit) {
135 // measured a drop in first and second half
136 // which should not be possible
137 Uart.state = STATE_ERROR_WAIT;
138 error = 0x01;
139 }
140
141 Uart.posCnt = 0;
142
143 switch(Uart.state) {
144 case STATE_START_OF_COMMUNICATION:
145 Uart.shiftReg = 0;
146 if(Uart.drop == DROP_SECOND_HALF) {
147 // error, should not happen in SOC
148 Uart.state = STATE_ERROR_WAIT;
149 error = 0x02;
150 }
151 else {
152 // correct SOC
153 Uart.state = STATE_MILLER_Z;
154 }
155 break;
156
157 case STATE_MILLER_Z:
158 Uart.bitCnt++;
159 Uart.shiftReg >>= 1;
160 if(Uart.drop == DROP_NONE) {
161 // logic '0' followed by sequence Y
162 // end of communication
163 Uart.state = STATE_UNSYNCD;
164 EOC = TRUE;
165 }
166 // if(Uart.drop == DROP_FIRST_HALF) {
167 // Uart.state = STATE_MILLER_Z; stay the same
168 // we see a logic '0' }
169 if(Uart.drop == DROP_SECOND_HALF) {
170 // we see a logic '1'
171 Uart.shiftReg |= 0x100;
172 Uart.state = STATE_MILLER_X;
173 }
174 break;
175
176 case STATE_MILLER_X:
177 Uart.shiftReg >>= 1;
178 if(Uart.drop == DROP_NONE) {
179 // sequence Y, we see a '0'
180 Uart.state = STATE_MILLER_Y;
181 Uart.bitCnt++;
182 }
183 if(Uart.drop == DROP_FIRST_HALF) {
184 // Would be STATE_MILLER_Z
185 // but Z does not follow X, so error
186 Uart.state = STATE_ERROR_WAIT;
187 error = 0x03;
188 }
189 if(Uart.drop == DROP_SECOND_HALF) {
190 // We see a '1' and stay in state X
191 Uart.shiftReg |= 0x100;
192 Uart.bitCnt++;
193 }
194 break;
195
196 case STATE_MILLER_Y:
197 Uart.bitCnt++;
198 Uart.shiftReg >>= 1;
199 if(Uart.drop == DROP_NONE) {
200 // logic '0' followed by sequence Y
201 // end of communication
202 Uart.state = STATE_UNSYNCD;
203 EOC = TRUE;
204 }
205 if(Uart.drop == DROP_FIRST_HALF) {
206 // we see a '0'
207 Uart.state = STATE_MILLER_Z;
208 }
209 if(Uart.drop == DROP_SECOND_HALF) {
210 // We see a '1' and go to state X
211 Uart.shiftReg |= 0x100;
212 Uart.state = STATE_MILLER_X;
213 }
214 break;
215
216 case STATE_ERROR_WAIT:
217 // That went wrong. Now wait for at least two bit periods
218 // and try to sync again
219 if(Uart.drop == DROP_NONE) {
220 Uart.highCnt = 6;
221 Uart.state = STATE_UNSYNCD;
222 }
223 break;
224
225 default:
226 Uart.state = STATE_UNSYNCD;
227 Uart.highCnt = 0;
228 break;
229 }
230
231 Uart.drop = DROP_NONE;
232
233 // should have received at least one whole byte...
234 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
235 return TRUE;
236 }
237
238 if(Uart.bitCnt == 9) {
239 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
240 Uart.byteCnt++;
241
242 Uart.parityBits <<= 1;
243 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
244
245 if(EOC) {
246 // when End of Communication received and
247 // all data bits processed..
248 return TRUE;
249 }
250 Uart.bitCnt = 0;
251 }
252
253 /*if(error) {
254 Uart.output[Uart.byteCnt] = 0xAA;
255 Uart.byteCnt++;
256 Uart.output[Uart.byteCnt] = error & 0xFF;
257 Uart.byteCnt++;
258 Uart.output[Uart.byteCnt] = 0xAA;
259 Uart.byteCnt++;
260 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
261 Uart.byteCnt++;
262 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
263 Uart.byteCnt++;
264 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
265 Uart.byteCnt++;
266 Uart.output[Uart.byteCnt] = 0xAA;
267 Uart.byteCnt++;
268 return TRUE;
269 }*/
270 }
271
272 }
273 else {
274 bit = Uart.bitBuffer & 0xf0;
275 bit >>= 4;
276 bit ^= 0x0F;
277 if(bit) {
278 // should have been high or at least (4 * 128) / fc
279 // according to ISO this should be at least (9 * 128 + 20) / fc
280 if(Uart.highCnt == 8) {
281 // we went low, so this could be start of communication
282 // it turns out to be safer to choose a less significant
283 // syncbit... so we check whether the neighbour also represents the drop
284 Uart.posCnt = 1; // apparently we are busy with our first half bit period
285 Uart.syncBit = bit & 8;
286 Uart.samples = 3;
287 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
288 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
289 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
290 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
291 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
292 if(Uart.syncBit & (Uart.bitBuffer & 8)) {
293 Uart.syncBit = 8;
294
295 // the first half bit period is expected in next sample
296 Uart.posCnt = 0;
297 Uart.samples = 3;
298 }
299 }
300 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
301
302 Uart.syncBit <<= 4;
303 Uart.state = STATE_START_OF_COMMUNICATION;
304 Uart.drop = DROP_FIRST_HALF;
305 Uart.bitCnt = 0;
306 Uart.byteCnt = 0;
307 Uart.parityBits = 0;
308 error = 0;
309 }
310 else {
311 Uart.highCnt = 0;
312 }
313 }
314 else {
315 if(Uart.highCnt < 8) {
316 Uart.highCnt++;
317 }
318 }
319 }
320
321 return FALSE;
322 }
323
324 //=============================================================================
325 // ISO 14443 Type A - Manchester
326 //=============================================================================
327
328 static struct {
329 enum {
330 DEMOD_UNSYNCD,
331 DEMOD_START_OF_COMMUNICATION,
332 DEMOD_MANCHESTER_D,
333 DEMOD_MANCHESTER_E,
334 DEMOD_MANCHESTER_F,
335 DEMOD_ERROR_WAIT
336 } state;
337 int bitCount;
338 int posCount;
339 int syncBit;
340 int parityBits;
341 WORD shiftReg;
342 int buffer;
343 int buff;
344 int samples;
345 int len;
346 enum {
347 SUB_NONE,
348 SUB_FIRST_HALF,
349 SUB_SECOND_HALF
350 } sub;
351 BYTE *output;
352 } Demod;
353
354 static BOOL ManchesterDecoding(int v)
355 {
356 int bit;
357 int modulation;
358 int error = 0;
359
360 if(!Demod.buff) {
361 Demod.buff = 1;
362 Demod.buffer = v;
363 return FALSE;
364 }
365 else {
366 bit = Demod.buffer;
367 Demod.buffer = v;
368 }
369
370 if(Demod.state==DEMOD_UNSYNCD) {
371 Demod.output[Demod.len] = 0xfa;
372 Demod.syncBit = 0;
373 //Demod.samples = 0;
374 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
375 if(bit & 0x08) { Demod.syncBit = 0x08; }
376 if(!Demod.syncBit) {
377 if(bit & 0x04) { Demod.syncBit = 0x04; }
378 }
379 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
380 if(!Demod.syncBit) {
381 if(bit & 0x02) { Demod.syncBit = 0x02; }
382 }
383 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
384 if(!Demod.syncBit) {
385 if(bit & 0x01) { Demod.syncBit = 0x01; }
386
387 if(Demod.syncBit & (Demod.buffer & 0x08)) {
388 Demod.syncBit = 0x08;
389
390 // The first half bitperiod is expected in next sample
391 Demod.posCount = 0;
392 Demod.output[Demod.len] = 0xfb;
393 }
394 }
395 else if(bit & 0x01) { Demod.syncBit = 0x01; }
396
397 if(Demod.syncBit) {
398 Demod.len = 0;
399 Demod.state = DEMOD_START_OF_COMMUNICATION;
400 Demod.sub = SUB_FIRST_HALF;
401 Demod.bitCount = 0;
402 Demod.shiftReg = 0;
403 Demod.parityBits = 0;
404 Demod.samples = 0;
405 if(Demod.posCount) {
406 switch(Demod.syncBit) {
407 case 0x08: Demod.samples = 3; break;
408 case 0x04: Demod.samples = 2; break;
409 case 0x02: Demod.samples = 1; break;
410 case 0x01: Demod.samples = 0; break;
411 }
412 }
413 error = 0;
414 }
415 }
416 else {
417 //modulation = bit & Demod.syncBit;
418 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
419
420 Demod.samples += 4;
421
422 if(Demod.posCount==0) {
423 Demod.posCount = 1;
424 if(modulation) {
425 Demod.sub = SUB_FIRST_HALF;
426 }
427 else {
428 Demod.sub = SUB_NONE;
429 }
430 }
431 else {
432 Demod.posCount = 0;
433 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
434 if(Demod.state!=DEMOD_ERROR_WAIT) {
435 Demod.state = DEMOD_ERROR_WAIT;
436 Demod.output[Demod.len] = 0xaa;
437 error = 0x01;
438 }
439 }
440 else if(modulation) {
441 Demod.sub = SUB_SECOND_HALF;
442 }
443
444 switch(Demod.state) {
445 case DEMOD_START_OF_COMMUNICATION:
446 if(Demod.sub == SUB_FIRST_HALF) {
447 Demod.state = DEMOD_MANCHESTER_D;
448 }
449 else {
450 Demod.output[Demod.len] = 0xab;
451 Demod.state = DEMOD_ERROR_WAIT;
452 error = 0x02;
453 }
454 break;
455
456 case DEMOD_MANCHESTER_D:
457 case DEMOD_MANCHESTER_E:
458 if(Demod.sub == SUB_FIRST_HALF) {
459 Demod.bitCount++;
460 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
461 Demod.state = DEMOD_MANCHESTER_D;
462 }
463 else if(Demod.sub == SUB_SECOND_HALF) {
464 Demod.bitCount++;
465 Demod.shiftReg >>= 1;
466 Demod.state = DEMOD_MANCHESTER_E;
467 }
468 else {
469 Demod.state = DEMOD_MANCHESTER_F;
470 }
471 break;
472
473 case DEMOD_MANCHESTER_F:
474 // Tag response does not need to be a complete byte!
475 if(Demod.len > 0 || Demod.bitCount > 0) {
476 if(Demod.bitCount > 0) {
477 Demod.shiftReg >>= (9 - Demod.bitCount);
478 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
479 Demod.len++;
480 // No parity bit, so just shift a 0
481 Demod.parityBits <<= 1;
482 }
483
484 Demod.state = DEMOD_UNSYNCD;
485 return TRUE;
486 }
487 else {
488 Demod.output[Demod.len] = 0xad;
489 Demod.state = DEMOD_ERROR_WAIT;
490 error = 0x03;
491 }
492 break;
493
494 case DEMOD_ERROR_WAIT:
495 Demod.state = DEMOD_UNSYNCD;
496 break;
497
498 default:
499 Demod.output[Demod.len] = 0xdd;
500 Demod.state = DEMOD_UNSYNCD;
501 break;
502 }
503
504 if(Demod.bitCount>=9) {
505 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
506 Demod.len++;
507
508 Demod.parityBits <<= 1;
509 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
510
511 Demod.bitCount = 0;
512 Demod.shiftReg = 0;
513 }
514
515 /*if(error) {
516 Demod.output[Demod.len] = 0xBB;
517 Demod.len++;
518 Demod.output[Demod.len] = error & 0xFF;
519 Demod.len++;
520 Demod.output[Demod.len] = 0xBB;
521 Demod.len++;
522 Demod.output[Demod.len] = bit & 0xFF;
523 Demod.len++;
524 Demod.output[Demod.len] = Demod.buffer & 0xFF;
525 Demod.len++;
526 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
527 Demod.len++;
528 Demod.output[Demod.len] = 0xBB;
529 Demod.len++;
530 return TRUE;
531 }*/
532
533 }
534
535 } // end (state != UNSYNCED)
536
537 return FALSE;
538 }
539
540 //=============================================================================
541 // Finally, a `sniffer' for ISO 14443 Type A
542 // Both sides of communication!
543 //=============================================================================
544
545 //-----------------------------------------------------------------------------
546 // Record the sequence of commands sent by the reader to the tag, with
547 // triggering so that we start recording at the point that the tag is moved
548 // near the reader.
549 //-----------------------------------------------------------------------------
550 void SnoopIso14443a(void)
551 {
552
553 // BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
554
555 #define RECV_CMD_OFFSET 3032
556 #define RECV_RES_OFFSET 3096
557 #define DMA_BUFFER_OFFSET 3160
558 #define DMA_BUFFER_SIZE 4096
559 #define TRACE_LENGTH 3000
560
561 // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
562 // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
563 // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
564 // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
565 // #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
566
567 // We won't start recording the frames that we acquire until we trigger;
568 // a good trigger condition to get started is probably when we see a
569 // response from the tag.
570 BOOL triggered = TRUE; // FALSE to wait first for card
571
572 // The command (reader -> tag) that we're receiving.
573 // The length of a received command will in most cases be no more than 18 bytes.
574 // So 32 should be enough!
575 BYTE *receivedCmd = (((BYTE *)BigBuf) + RECV_CMD_OFFSET);
576 // The response (tag -> reader) that we're receiving.
577 BYTE *receivedResponse = (((BYTE *)BigBuf) + RECV_RES_OFFSET);
578
579 // As we receive stuff, we copy it from receivedCmd or receivedResponse
580 // into trace, along with its length and other annotations.
581 //BYTE *trace = (BYTE *)BigBuf;
582 //int traceLen = 0;
583
584 // The DMA buffer, used to stream samples from the FPGA
585 SBYTE *dmaBuf = ((SBYTE *)BigBuf) + DMA_BUFFER_OFFSET;
586 int lastRxCounter;
587 SBYTE *upTo;
588 int smpl;
589 int maxBehindBy = 0;
590
591 // Count of samples received so far, so that we can include timing
592 // information in the trace buffer.
593 int samples = 0;
594 int rsamples = 0;
595
596 memset(trace, 0x44, RECV_CMD_OFFSET);
597
598 // Set up the demodulator for tag -> reader responses.
599 Demod.output = receivedResponse;
600 Demod.len = 0;
601 Demod.state = DEMOD_UNSYNCD;
602
603 // And the reader -> tag commands
604 memset(&Uart, 0, sizeof(Uart));
605 Uart.output = receivedCmd;
606 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
607 Uart.state = STATE_UNSYNCD;
608
609 // And put the FPGA in the appropriate mode
610 // Signal field is off with the appropriate LED
611 LED_D_OFF();
612 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
613 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
614
615 // Setup for the DMA.
616 FpgaSetupSsc();
617 upTo = dmaBuf;
618 lastRxCounter = DMA_BUFFER_SIZE;
619 FpgaSetupSscDma((BYTE *)dmaBuf, DMA_BUFFER_SIZE);
620
621 LED_A_ON();
622
623 // And now we loop, receiving samples.
624 for(;;) {
625 WDT_HIT();
626 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
627 (DMA_BUFFER_SIZE-1);
628 if(behindBy > maxBehindBy) {
629 maxBehindBy = behindBy;
630 if(behindBy > 400) {
631 DbpString("blew circular buffer!");
632 goto done;
633 }
634 }
635 if(behindBy < 1) continue;
636
637 smpl = upTo[0];
638 upTo++;
639 lastRxCounter -= 1;
640 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
641 upTo -= DMA_BUFFER_SIZE;
642 lastRxCounter += DMA_BUFFER_SIZE;
643 AT91C_BASE_PDC_SSC->PDC_RNPR = (DWORD)upTo;
644 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
645 }
646
647 samples += 4;
648 #define HANDLE_BIT_IF_BODY \
649 LED_C_ON(); \
650 if(triggered) { \
651 trace[traceLen++] = ((rsamples >> 0) & 0xff); \
652 trace[traceLen++] = ((rsamples >> 8) & 0xff); \
653 trace[traceLen++] = ((rsamples >> 16) & 0xff); \
654 trace[traceLen++] = ((rsamples >> 24) & 0xff); \
655 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff); \
656 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff); \
657 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff); \
658 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff); \
659 trace[traceLen++] = Uart.byteCnt; \
660 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); \
661 traceLen += Uart.byteCnt; \
662 if(traceLen > TRACE_LENGTH) break; \
663 } \
664 /* And ready to receive another command. */ \
665 Uart.state = STATE_UNSYNCD; \
666 /* And also reset the demod code, which might have been */ \
667 /* false-triggered by the commands from the reader. */ \
668 Demod.state = DEMOD_UNSYNCD; \
669 LED_B_OFF(); \
670
671 if(MillerDecoding((smpl & 0xF0) >> 4)) {
672 rsamples = samples - Uart.samples;
673 HANDLE_BIT_IF_BODY
674 }
675 if(ManchesterDecoding(smpl & 0x0F)) {
676 rsamples = samples - Demod.samples;
677 LED_B_ON();
678
679 // timestamp, as a count of samples
680 trace[traceLen++] = ((rsamples >> 0) & 0xff);
681 trace[traceLen++] = ((rsamples >> 8) & 0xff);
682 trace[traceLen++] = ((rsamples >> 16) & 0xff);
683 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
684 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
685 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
686 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
687 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
688 // length
689 trace[traceLen++] = Demod.len;
690 memcpy(trace+traceLen, receivedResponse, Demod.len);
691 traceLen += Demod.len;
692 if(traceLen > TRACE_LENGTH) break;
693
694 triggered = TRUE;
695
696 // And ready to receive another response.
697 memset(&Demod, 0, sizeof(Demod));
698 Demod.output = receivedResponse;
699 Demod.state = DEMOD_UNSYNCD;
700 LED_C_OFF();
701 }
702
703 if(BUTTON_PRESS()) {
704 DbpString("cancelled_a");
705 goto done;
706 }
707 }
708
709 DbpString("COMMAND FINISHED");
710
711 DbpIntegers(maxBehindBy, Uart.state, Uart.byteCnt);
712 DbpIntegers(Uart.byteCntMax, traceLen, (int)Uart.output[0]);
713
714 done:
715 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
716 DbpIntegers(maxBehindBy, Uart.state, Uart.byteCnt);
717 DbpIntegers(Uart.byteCntMax, traceLen, (int)Uart.output[0]);
718 LED_A_OFF();
719 LED_B_OFF();
720 LED_C_OFF();
721 LED_D_OFF();
722 }
723
724 // Prepare communication bits to send to FPGA
725 void Sequence(SecType seq)
726 {
727 ToSendMax++;
728 switch(seq) {
729 // CARD TO READER
730 case SEC_D:
731 // Sequence D: 11110000
732 // modulation with subcarrier during first half
733 ToSend[ToSendMax] = 0xf0;
734 break;
735 case SEC_E:
736 // Sequence E: 00001111
737 // modulation with subcarrier during second half
738 ToSend[ToSendMax] = 0x0f;
739 break;
740 case SEC_F:
741 // Sequence F: 00000000
742 // no modulation with subcarrier
743 ToSend[ToSendMax] = 0x00;
744 break;
745 // READER TO CARD
746 case SEC_X:
747 // Sequence X: 00001100
748 // drop after half a period
749 ToSend[ToSendMax] = 0x0c;
750 break;
751 case SEC_Y:
752 default:
753 // Sequence Y: 00000000
754 // no drop
755 ToSend[ToSendMax] = 0x00;
756 break;
757 case SEC_Z:
758 // Sequence Z: 11000000
759 // drop at start
760 ToSend[ToSendMax] = 0xc0;
761 break;
762 }
763 }
764
765 //-----------------------------------------------------------------------------
766 // Prepare tag messages
767 //-----------------------------------------------------------------------------
768 static void CodeIso14443aAsTag(const BYTE *cmd, int len)
769 {
770 int i;
771 int oddparity;
772
773 ToSendReset();
774
775 // Correction bit, might be removed when not needed
776 ToSendStuffBit(0);
777 ToSendStuffBit(0);
778 ToSendStuffBit(0);
779 ToSendStuffBit(0);
780 ToSendStuffBit(1); // 1
781 ToSendStuffBit(0);
782 ToSendStuffBit(0);
783 ToSendStuffBit(0);
784
785 // Send startbit
786 Sequence(SEC_D);
787
788 for(i = 0; i < len; i++) {
789 int j;
790 BYTE b = cmd[i];
791
792 // Data bits
793 oddparity = 0x01;
794 for(j = 0; j < 8; j++) {
795 oddparity ^= (b & 1);
796 if(b & 1) {
797 Sequence(SEC_D);
798 } else {
799 Sequence(SEC_E);
800 }
801 b >>= 1;
802 }
803
804 // Parity bit
805 if(oddparity) {
806 Sequence(SEC_D);
807 } else {
808 Sequence(SEC_E);
809 }
810 }
811
812 // Send stopbit
813 Sequence(SEC_F);
814
815 // Flush the buffer in FPGA!!
816 for(i = 0; i < 5; i++) {
817 Sequence(SEC_F);
818 }
819
820 // Convert from last byte pos to length
821 ToSendMax++;
822
823 // Add a few more for slop
824 ToSend[ToSendMax++] = 0x00;
825 ToSend[ToSendMax++] = 0x00;
826 //ToSendMax += 2;
827 }
828
829 //-----------------------------------------------------------------------------
830 // This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
831 //-----------------------------------------------------------------------------
832 static void CodeStrangeAnswer()
833 {
834 int i;
835
836 ToSendReset();
837
838 // Correction bit, might be removed when not needed
839 ToSendStuffBit(0);
840 ToSendStuffBit(0);
841 ToSendStuffBit(0);
842 ToSendStuffBit(0);
843 ToSendStuffBit(1); // 1
844 ToSendStuffBit(0);
845 ToSendStuffBit(0);
846 ToSendStuffBit(0);
847
848 // Send startbit
849 Sequence(SEC_D);
850
851 // 0
852 Sequence(SEC_E);
853
854 // 0
855 Sequence(SEC_E);
856
857 // 1
858 Sequence(SEC_D);
859
860 // Send stopbit
861 Sequence(SEC_F);
862
863 // Flush the buffer in FPGA!!
864 for(i = 0; i < 5; i++) {
865 Sequence(SEC_F);
866 }
867
868 // Convert from last byte pos to length
869 ToSendMax++;
870
871 // Add a few more for slop
872 ToSend[ToSendMax++] = 0x00;
873 ToSend[ToSendMax++] = 0x00;
874 //ToSendMax += 2;
875 }
876
877 int LogTrace(const BYTE * btBytes, int iLen, int iSamples, DWORD dwParity, BOOL bReader)
878 {
879 // Trace the random, i'm curious
880 rsamples += iSamples;
881 trace[traceLen++] = ((rsamples >> 0) & 0xff);
882 trace[traceLen++] = ((rsamples >> 8) & 0xff);
883 trace[traceLen++] = ((rsamples >> 16) & 0xff);
884 trace[traceLen++] = ((rsamples >> 24) & 0xff);
885 if (!bReader) {
886 trace[traceLen - 1] |= 0x80;
887 }
888 trace[traceLen++] = ((dwParity >> 0) & 0xff);
889 trace[traceLen++] = ((dwParity >> 8) & 0xff);
890 trace[traceLen++] = ((dwParity >> 16) & 0xff);
891 trace[traceLen++] = ((dwParity >> 24) & 0xff);
892 trace[traceLen++] = iLen;
893 memcpy(trace + traceLen, btBytes, iLen);
894 traceLen += iLen;
895 return (traceLen < TRACE_LENGTH);
896 }
897
898 //-----------------------------------------------------------------------------
899 // Wait for commands from reader
900 // Stop when button is pressed
901 // Or return TRUE when command is captured
902 //-----------------------------------------------------------------------------
903 static BOOL GetIso14443aCommandFromReader(BYTE *received, int *len, int maxLen)
904 {
905 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
906 // only, since we are receiving, not transmitting).
907 // Signal field is off with the appropriate LED
908 LED_D_OFF();
909 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
910
911 // Now run a `software UART' on the stream of incoming samples.
912 Uart.output = received;
913 Uart.byteCntMax = maxLen;
914 Uart.state = STATE_UNSYNCD;
915
916 for(;;) {
917 WDT_HIT();
918
919 if(BUTTON_PRESS()) return FALSE;
920
921 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
922 AT91C_BASE_SSC->SSC_THR = 0x00;
923 }
924 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
925 BYTE b = (BYTE)AT91C_BASE_SSC->SSC_RHR;
926 if(MillerDecoding((b & 0xf0) >> 4)) {
927 *len = Uart.byteCnt;
928 return TRUE;
929 }
930 if(MillerDecoding(b & 0x0f)) {
931 *len = Uart.byteCnt;
932 return TRUE;
933 }
934 }
935 }
936 }
937
938 //-----------------------------------------------------------------------------
939 // Main loop of simulated tag: receive commands from reader, decide what
940 // response to send, and send it.
941 //-----------------------------------------------------------------------------
942 void SimulateIso14443aTag(int tagType, int TagUid)
943 {
944 // This function contains the tag emulation
945
946 // Prepare protocol messages
947 // static const BYTE cmd1[] = { 0x26 };
948 // static const BYTE response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
949 //
950 static const BYTE response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
951 // static const BYTE response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
952
953 // UID response
954 // static const BYTE cmd2[] = { 0x93, 0x20 };
955 //static const BYTE response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
956
957
958
959 // my desfire
960 static const BYTE response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
961
962
963 // When reader selects us during cascade1 it will send cmd3
964 //BYTE response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
965 BYTE response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
966 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
967
968 // send cascade2 2nd half of UID
969 static const BYTE response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
970 // NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
971
972
973 // When reader selects us during cascade2 it will send cmd3a
974 //BYTE response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
975 BYTE response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
976 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
977
978 static const BYTE response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
979
980 BYTE *resp;
981 int respLen;
982
983 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
984 // This will need
985 // 144 data bits (18 * 8)
986 // 18 parity bits
987 // 2 Start and stop
988 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
989 // 1 just for the case
990 // ----------- +
991 // 166
992 //
993 // 166 bytes, since every bit that needs to be send costs us a byte
994 //
995
996
997 // Respond with card type
998 BYTE *resp1 = (((BYTE *)BigBuf) + 800);
999 int resp1Len;
1000
1001 // Anticollision cascade1 - respond with uid
1002 BYTE *resp2 = (((BYTE *)BigBuf) + 970);
1003 int resp2Len;
1004
1005 // Anticollision cascade2 - respond with 2nd half of uid if asked
1006 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
1007 BYTE *resp2a = (((BYTE *)BigBuf) + 1140);
1008 int resp2aLen;
1009
1010 // Acknowledge select - cascade 1
1011 BYTE *resp3 = (((BYTE *)BigBuf) + 1310);
1012 int resp3Len;
1013
1014 // Acknowledge select - cascade 2
1015 BYTE *resp3a = (((BYTE *)BigBuf) + 1480);
1016 int resp3aLen;
1017
1018 // Response to a read request - not implemented atm
1019 BYTE *resp4 = (((BYTE *)BigBuf) + 1550);
1020 int resp4Len;
1021
1022 // Authenticate response - nonce
1023 BYTE *resp5 = (((BYTE *)BigBuf) + 1720);
1024 int resp5Len;
1025
1026 BYTE *receivedCmd = (BYTE *)BigBuf;
1027 int len;
1028
1029 int i;
1030 int u;
1031 BYTE b;
1032
1033 // To control where we are in the protocol
1034 int order = 0;
1035 int lastorder;
1036
1037 // Just to allow some checks
1038 int happened = 0;
1039 int happened2 = 0;
1040
1041 int cmdsRecvd = 0;
1042
1043 BOOL fdt_indicator;
1044
1045 memset(receivedCmd, 0x44, 400);
1046
1047 // Prepare the responses of the anticollision phase
1048 // there will be not enough time to do this at the moment the reader sends it REQA
1049
1050 // Answer to request
1051 CodeIso14443aAsTag(response1, sizeof(response1));
1052 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1053
1054 // Send our UID (cascade 1)
1055 CodeIso14443aAsTag(response2, sizeof(response2));
1056 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1057
1058 // Answer to select (cascade1)
1059 CodeIso14443aAsTag(response3, sizeof(response3));
1060 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1061
1062 // Send the cascade 2 2nd part of the uid
1063 CodeIso14443aAsTag(response2a, sizeof(response2a));
1064 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1065
1066 // Answer to select (cascade 2)
1067 CodeIso14443aAsTag(response3a, sizeof(response3a));
1068 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1069
1070 // Strange answer is an example of rare message size (3 bits)
1071 CodeStrangeAnswer();
1072 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1073
1074 // Authentication answer (random nonce)
1075 CodeIso14443aAsTag(response5, sizeof(response5));
1076 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1077
1078 // We need to listen to the high-frequency, peak-detected path.
1079 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1080 FpgaSetupSsc();
1081
1082 cmdsRecvd = 0;
1083
1084 LED_A_ON();
1085 for(;;) {
1086
1087 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1088 DbpString("button press");
1089 break;
1090 }
1091 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1092 // Okay, look at the command now.
1093 lastorder = order;
1094 i = 1; // first byte transmitted
1095 if(receivedCmd[0] == 0x26) {
1096 // Received a REQUEST
1097 resp = resp1; respLen = resp1Len; order = 1;
1098 //DbpString("Hello request from reader:");
1099 } else if(receivedCmd[0] == 0x52) {
1100 // Received a WAKEUP
1101 resp = resp1; respLen = resp1Len; order = 6;
1102 // //DbpString("Wakeup request from reader:");
1103
1104 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1105 // Received request for UID (cascade 1)
1106 resp = resp2; respLen = resp2Len; order = 2;
1107 // DbpString("UID (cascade 1) request from reader:");
1108 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1109
1110
1111 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1112 // Received request for UID (cascade 2)
1113 resp = resp2a; respLen = resp2aLen; order = 20;
1114 // DbpString("UID (cascade 2) request from reader:");
1115 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1116
1117
1118 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1119 // Received a SELECT
1120 resp = resp3; respLen = resp3Len; order = 3;
1121 // DbpString("Select (cascade 1) request from reader:");
1122 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1123
1124
1125 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1126 // Received a SELECT
1127 resp = resp3a; respLen = resp3aLen; order = 30;
1128 // DbpString("Select (cascade 2) request from reader:");
1129 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1130
1131
1132 } else if(receivedCmd[0] == 0x30) {
1133 // Received a READ
1134 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1135 DbpString("Read request from reader:");
1136 DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1137
1138
1139 } else if(receivedCmd[0] == 0x50) {
1140 // Received a HALT
1141 resp = resp1; respLen = 0; order = 5; // Do nothing
1142 DbpString("Reader requested we HALT!:");
1143
1144 } else if(receivedCmd[0] == 0x60) {
1145 // Received an authentication request
1146 resp = resp5; respLen = resp5Len; order = 7;
1147 DbpString("Authenticate request from reader:");
1148 DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1149
1150 } else if(receivedCmd[0] == 0xE0) {
1151 // Received a RATS request
1152 resp = resp1; respLen = 0;order = 70;
1153 DbpString("RATS request from reader:");
1154 DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1155 } else {
1156 // Never seen this command before
1157 DbpString("Unknown command received from reader:");
1158 DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1159 DbpIntegers(receivedCmd[3], receivedCmd[4], receivedCmd[5]);
1160 DbpIntegers(receivedCmd[6], receivedCmd[7], receivedCmd[8]);
1161
1162 // Do not respond
1163 resp = resp1; respLen = 0; order = 0;
1164 }
1165
1166 // Count number of wakeups received after a halt
1167 if(order == 6 && lastorder == 5) { happened++; }
1168
1169 // Count number of other messages after a halt
1170 if(order != 6 && lastorder == 5) { happened2++; }
1171
1172 // Look at last parity bit to determine timing of answer
1173 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1174 // 1236, so correction bit needed
1175 i = 0;
1176 }
1177
1178 memset(receivedCmd, 0x44, 32);
1179
1180 if(cmdsRecvd > 999) {
1181 DbpString("1000 commands later...");
1182 break;
1183 }
1184 else {
1185 cmdsRecvd++;
1186 }
1187
1188 if(respLen <= 0) continue;
1189
1190 // Modulate Manchester
1191 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1192 AT91C_BASE_SSC->SSC_THR = 0x00;
1193 FpgaSetupSsc();
1194
1195 // ### Transmit the response ###
1196 u = 0;
1197 b = 0x00;
1198 fdt_indicator = FALSE;
1199 for(;;) {
1200 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1201 volatile BYTE b = (BYTE)AT91C_BASE_SSC->SSC_RHR;
1202 (void)b;
1203 }
1204 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1205 if(i > respLen) {
1206 b = 0x00;
1207 u++;
1208 } else {
1209 b = resp[i];
1210 i++;
1211 }
1212 AT91C_BASE_SSC->SSC_THR = b;
1213
1214 if(u > 4) {
1215 break;
1216 }
1217 }
1218 if(BUTTON_PRESS()) {
1219 break;
1220 }
1221 }
1222
1223 }
1224
1225 DbpIntegers(happened, happened2, cmdsRecvd);
1226 LED_A_OFF();
1227 }
1228
1229 //-----------------------------------------------------------------------------
1230 // Transmit the command (to the tag) that was placed in ToSend[].
1231 //-----------------------------------------------------------------------------
1232 static void TransmitFor14443a(const BYTE *cmd, int len, int *samples, int *wait)
1233 {
1234 int c;
1235
1236 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1237
1238 if(*wait < 10) { *wait = 10; }
1239
1240 for(c = 0; c < *wait;) {
1241 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1242 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1243 c++;
1244 }
1245 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1246 volatile DWORD r = AT91C_BASE_SSC->SSC_RHR;
1247 (void)r;
1248 }
1249 WDT_HIT();
1250 }
1251
1252 c = 0;
1253 for(;;) {
1254 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1255 AT91C_BASE_SSC->SSC_THR = cmd[c];
1256 c++;
1257 if(c >= len) {
1258 break;
1259 }
1260 }
1261 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1262 volatile DWORD r = AT91C_BASE_SSC->SSC_RHR;
1263 (void)r;
1264 }
1265 WDT_HIT();
1266 }
1267 *samples = (c + *wait) << 3;
1268 }
1269
1270 //-----------------------------------------------------------------------------
1271 // To generate an arbitrary stream from reader
1272 //
1273 //-----------------------------------------------------------------------------
1274 void ArbitraryFromReader(const BYTE *cmd, int parity, int len)
1275 {
1276 int i;
1277 int j;
1278 int last;
1279 BYTE b;
1280
1281 ToSendReset();
1282
1283 // Start of Communication (Seq. Z)
1284 Sequence(SEC_Z);
1285 last = 0;
1286
1287 for(i = 0; i < len; i++) {
1288 // Data bits
1289 b = cmd[i];
1290 for(j = 0; j < 8; j++) {
1291 if(b & 1) {
1292 // Sequence X
1293 Sequence(SEC_X);
1294 last = 1;
1295 } else {
1296 if(last == 0) {
1297 // Sequence Z
1298 Sequence(SEC_Z);
1299 }
1300 else {
1301 // Sequence Y
1302 Sequence(SEC_Y);
1303 last = 0;
1304 }
1305 }
1306 b >>= 1;
1307
1308 }
1309
1310 // Predefined parity bit, the flipper flips when needed, because of flips in byte sent
1311 if(((parity >> (len - i - 1)) & 1)) {
1312 // Sequence X
1313 Sequence(SEC_X);
1314 last = 1;
1315 } else {
1316 if(last == 0) {
1317 // Sequence Z
1318 Sequence(SEC_Z);
1319 }
1320 else {
1321 // Sequence Y
1322 Sequence(SEC_Y);
1323 last = 0;
1324 }
1325 }
1326 }
1327
1328 // End of Communication
1329 if(last == 0) {
1330 // Sequence Z
1331 Sequence(SEC_Z);
1332 }
1333 else {
1334 // Sequence Y
1335 Sequence(SEC_Y);
1336 last = 0;
1337 }
1338 // Sequence Y
1339 Sequence(SEC_Y);
1340
1341 // Just to be sure!
1342 Sequence(SEC_Y);
1343 Sequence(SEC_Y);
1344 Sequence(SEC_Y);
1345
1346 // Convert from last character reference to length
1347 ToSendMax++;
1348 }
1349
1350 //-----------------------------------------------------------------------------
1351 // Code a 7-bit command without parity bit
1352 // This is especially for 0x26 and 0x52 (REQA and WUPA)
1353 //-----------------------------------------------------------------------------
1354 void ShortFrameFromReader(const BYTE *cmd)
1355 {
1356 int j;
1357 int last;
1358 BYTE b;
1359
1360 ToSendReset();
1361
1362 // Start of Communication (Seq. Z)
1363 Sequence(SEC_Z);
1364 last = 0;
1365
1366 b = cmd[0];
1367 for(j = 0; j < 7; j++) {
1368 if(b & 1) {
1369 // Sequence X
1370 Sequence(SEC_X);
1371 last = 1;
1372 } else {
1373 if(last == 0) {
1374 // Sequence Z
1375 Sequence(SEC_Z);
1376 }
1377 else {
1378 // Sequence Y
1379 Sequence(SEC_Y);
1380 last = 0;
1381 }
1382 }
1383 b >>= 1;
1384 }
1385
1386 // End of Communication
1387 if(last == 0) {
1388 // Sequence Z
1389 Sequence(SEC_Z);
1390 }
1391 else {
1392 // Sequence Y
1393 Sequence(SEC_Y);
1394 last = 0;
1395 }
1396 // Sequence Y
1397 Sequence(SEC_Y);
1398
1399 // Just to be sure!
1400 Sequence(SEC_Y);
1401 Sequence(SEC_Y);
1402 Sequence(SEC_Y);
1403
1404 // Convert from last character reference to length
1405 ToSendMax++;
1406 }
1407
1408 //-----------------------------------------------------------------------------
1409 // Prepare reader command to send to FPGA
1410 //
1411 //-----------------------------------------------------------------------------
1412 void CodeIso14443aAsReader(const BYTE *cmd, int len)
1413 {
1414 int i, j;
1415 int last;
1416 int oddparity;
1417 BYTE b;
1418
1419 ToSendReset();
1420
1421 // Start of Communication (Seq. Z)
1422 Sequence(SEC_Z);
1423 last = 0;
1424
1425 for(i = 0; i < len; i++) {
1426 // Data bits
1427 b = cmd[i];
1428 oddparity = 0x01;
1429 for(j = 0; j < 8; j++) {
1430 oddparity ^= (b & 1);
1431 if(b & 1) {
1432 // Sequence X
1433 Sequence(SEC_X);
1434 last = 1;
1435 } else {
1436 if(last == 0) {
1437 // Sequence Z
1438 Sequence(SEC_Z);
1439 }
1440 else {
1441 // Sequence Y
1442 Sequence(SEC_Y);
1443 last = 0;
1444 }
1445 }
1446 b >>= 1;
1447 }
1448
1449 // Parity bit
1450 if(oddparity) {
1451 // Sequence X
1452 Sequence(SEC_X);
1453 last = 1;
1454 } else {
1455 if(last == 0) {
1456 // Sequence Z
1457 Sequence(SEC_Z);
1458 }
1459 else {
1460 // Sequence Y
1461 Sequence(SEC_Y);
1462 last = 0;
1463 }
1464 }
1465 }
1466
1467 // End of Communication
1468 if(last == 0) {
1469 // Sequence Z
1470 Sequence(SEC_Z);
1471 }
1472 else {
1473 // Sequence Y
1474 Sequence(SEC_Y);
1475 last = 0;
1476 }
1477 // Sequence Y
1478 Sequence(SEC_Y);
1479
1480 // Just to be sure!
1481 Sequence(SEC_Y);
1482 Sequence(SEC_Y);
1483 Sequence(SEC_Y);
1484
1485 // Convert from last character reference to length
1486 ToSendMax++;
1487 }
1488
1489
1490 //-----------------------------------------------------------------------------
1491 // Wait a certain time for tag response
1492 // If a response is captured return TRUE
1493 // If it takes to long return FALSE
1494 //-----------------------------------------------------------------------------
1495 static BOOL GetIso14443aAnswerFromTag(BYTE *receivedResponse, int maxLen, int *samples, int *elapsed) //BYTE *buffer
1496 {
1497 // buffer needs to be 512 bytes
1498 int c;
1499
1500 // Set FPGA mode to "reader listen mode", no modulation (listen
1501 // only, since we are receiving, not transmitting).
1502 // Signal field is on with the appropriate LED
1503 LED_D_ON();
1504 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1505
1506 // Now get the answer from the card
1507 Demod.output = receivedResponse;
1508 Demod.len = 0;
1509 Demod.state = DEMOD_UNSYNCD;
1510
1511 BYTE b;
1512 *elapsed = 0;
1513
1514 c = 0;
1515 for(;;) {
1516 WDT_HIT();
1517
1518 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1519 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1520 (*elapsed)++;
1521 }
1522 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1523 if(c < 512) { c++; } else { return FALSE; }
1524 b = (BYTE)AT91C_BASE_SSC->SSC_RHR;
1525 if(ManchesterDecoding((b & 0xf0) >> 4)) {
1526 *samples = ((c - 1) << 3) + 4;
1527 return TRUE;
1528 }
1529 if(ManchesterDecoding(b & 0x0f)) {
1530 *samples = c << 3;
1531 return TRUE;
1532 }
1533 }
1534 }
1535 }
1536
1537
1538
1539 //-----------------------------------------------------------------------------
1540 // Read an ISO 14443a tag. Send out commands and store answers.
1541 //
1542 //-----------------------------------------------------------------------------
1543 void ReaderIso14443a(DWORD parameter)
1544 {
1545 // Anticollision
1546 static const BYTE cmd1[] = { 0x52 }; // or 0x26
1547 static const BYTE cmd2[] = { 0x93,0x20 };
1548 // UID = 0x2a,0x69,0x8d,0x43,0x8d, last two bytes are CRC bytes
1549 BYTE cmd3[] = { 0x93,0x70,0x2a,0x69,0x8d,0x43,0x8d,0x52,0x55 };
1550
1551 // For Ultralight add an extra anticollission layer -> 95 20 and then 95 70
1552
1553 // greg - here we will add our cascade level 2 anticolission and select functions to deal with ultralight // and 7-byte UIDs in generall...
1554 BYTE cmd4[] = {0x95,0x20}; // ask for cascade 2 select
1555 // 95 20
1556 //BYTE cmd3a[] = { 0x95,0x70,0x2a,0x69,0x8d,0x43,0x8d,0x52,0x55 };
1557 // 95 70
1558
1559 // cascade 2 select
1560 BYTE cmd5[] = { 0x95,0x70,0x2a,0x69,0x8d,0x43,0x8d,0x52,0x55 };
1561
1562
1563 // RATS (request for answer to select)
1564 //BYTE cmd6[] = { 0xe0,0x50,0xbc,0xa5 }; // original RATS
1565 BYTE cmd6[] = { 0xe0,0x21,0xb2,0xc7 }; // Desfire RATS
1566
1567 // Mifare AUTH
1568 BYTE cmd7[] = { 0x60, 0x00, 0x00, 0x00 };
1569
1570 int reqaddr = 2024; // was 2024 - tied to other size changes
1571 int reqsize = 60;
1572
1573 BYTE *req1 = (((BYTE *)BigBuf) + reqaddr);
1574 int req1Len;
1575
1576 BYTE *req2 = (((BYTE *)BigBuf) + reqaddr + reqsize);
1577 int req2Len;
1578
1579 BYTE *req3 = (((BYTE *)BigBuf) + reqaddr + (reqsize * 2));
1580 int req3Len;
1581
1582 // greg added req 4 & 5 to deal with cascade 2 section
1583 BYTE *req4 = (((BYTE *)BigBuf) + reqaddr + (reqsize * 3));
1584 int req4Len;
1585
1586 BYTE *req5 = (((BYTE *)BigBuf) + reqaddr + (reqsize * 4));
1587 int req5Len;
1588
1589 BYTE *req6 = (((BYTE *)BigBuf) + reqaddr + (reqsize * 5));
1590 int req6Len;
1591
1592 BYTE *req7 = (((BYTE *)BigBuf) + reqaddr + (reqsize * 6));
1593 int req7Len;
1594
1595 BYTE *receivedAnswer = (((BYTE *)BigBuf) + 3560); // was 3560 - tied to other size changes
1596
1597 //BYTE *trace = (BYTE *)BigBuf;
1598 //int traceLen = 0;
1599 //int rsamples = 0;
1600 traceLen = 0;
1601
1602 memset(trace, 0x44, 2000); // was 2000 - tied to oter size chnages
1603 // setting it to 3000 causes no tag responses to be detected (2900 is ok)
1604 // setting it to 1000 causes no tag responses to be detected
1605
1606 // Prepare some commands!
1607 ShortFrameFromReader(cmd1);
1608 memcpy(req1, ToSend, ToSendMax); req1Len = ToSendMax;
1609
1610 CodeIso14443aAsReader(cmd2, sizeof(cmd2));
1611 memcpy(req2, ToSend, ToSendMax); req2Len = ToSendMax;
1612
1613 CodeIso14443aAsReader(cmd3, sizeof(cmd3));
1614 memcpy(req3, ToSend, ToSendMax); req3Len = ToSendMax;
1615
1616
1617 CodeIso14443aAsReader(cmd4, sizeof(cmd4)); // 4 is cascade 2 request
1618 memcpy(req4, ToSend, ToSendMax); req4Len = ToSendMax;
1619
1620
1621 CodeIso14443aAsReader(cmd5, sizeof(cmd5)); // 5 is cascade 2 select
1622 memcpy(req5, ToSend, ToSendMax); req5Len = ToSendMax;
1623
1624
1625 CodeIso14443aAsReader(cmd6, sizeof(cmd6));
1626 memcpy(req6, ToSend, ToSendMax); req6Len = ToSendMax;
1627
1628 // Setup SSC
1629 FpgaSetupSsc();
1630
1631 // Start from off (no field generated)
1632 // Signal field is off with the appropriate LED
1633 LED_D_OFF();
1634 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1635 SpinDelay(200);
1636
1637 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1638 FpgaSetupSsc();
1639
1640 // Now give it time to spin up.
1641 // Signal field is on with the appropriate LED
1642 LED_D_ON();
1643 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1644 SpinDelay(200);
1645
1646 LED_A_ON();
1647 LED_B_OFF();
1648 LED_C_OFF();
1649
1650 int samples = 0;
1651 int tsamples = 0;
1652 int wait = 0;
1653 int elapsed = 0;
1654
1655 while(1) {
1656 // Send WUPA (or REQA)
1657 TransmitFor14443a(req1, req1Len, &tsamples, &wait);
1658
1659 // Store reader command in buffer
1660 if (!LogTrace(cmd1,1,0,GetParity(cmd1,1),TRUE)) break;
1661
1662 // Test if the action was cancelled
1663 if(BUTTON_PRESS()) {
1664 break;
1665 }
1666
1667 if(!GetIso14443aAnswerFromTag(receivedAnswer, 100, &samples, &elapsed)) continue;
1668
1669 // Log the ATQA
1670 if (!LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE)) break;
1671
1672 // Store reader command in buffer
1673 if (!LogTrace(cmd2,2,0,GetParity(cmd2,2),TRUE)) break;
1674 TransmitFor14443a(req2, req2Len, &samples, &wait);
1675
1676 if(!GetIso14443aAnswerFromTag(receivedAnswer, 100, &samples, &elapsed)) continue;
1677
1678 // Log the uid
1679 if (!LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE)) break;
1680
1681 // Construct SELECT UID command
1682 // First copy the 5 bytes (Mifare Classic) after the 93 70
1683 memcpy(cmd3+2,receivedAnswer,5);
1684 // Secondly compute the two CRC bytes at the end
1685 ComputeCrc14443(CRC_14443_A, cmd3, 7, &cmd3[7], &cmd3[8]);
1686
1687 // Store reader command in buffer
1688 if (!LogTrace(cmd3,9,0,GetParity(cmd5,9),TRUE)) break;
1689
1690 CodeIso14443aAsReader(cmd3, sizeof(cmd3));
1691 memcpy(req3, ToSend, ToSendMax); req3Len = ToSendMax;
1692
1693 // Select the card
1694 TransmitFor14443a(req3, req3Len, &samples, &wait);
1695 if(!GetIso14443aAnswerFromTag(receivedAnswer, 100, &samples, &elapsed)) continue;
1696
1697 // Log the SAK
1698 if (!LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE)) break;
1699
1700 // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in
1701 // which case we need to make a cascade 2 request and select - this is a long UID
1702 if (receivedAnswer[0] == 0x88)
1703 {
1704 // Do cascade level 2 stuff
1705 ///////////////////////////////////////////////////////////////////
1706 // First issue a '95 20' identify request
1707 // Ask for card UID (part 2)
1708 TransmitFor14443a(req4, req4Len, &tsamples, &wait);
1709
1710 // Store reader command in buffer
1711 if (!LogTrace(cmd4,2,0,GetParity(cmd4,2),TRUE)) break;
1712
1713 if(!GetIso14443aAnswerFromTag(receivedAnswer, 100, &samples, &elapsed)) continue;
1714
1715 //////////////////////////////////////////////////////////////////
1716 // Then Construct SELECT UID (cascasde 2) command
1717 DbpString("Just about to copy the UID out of the cascade 2 id req");
1718 // First copy the 5 bytes (Mifare Classic) after the 95 70
1719 memcpy(cmd5+2,receivedAnswer,5);
1720 // Secondly compute the two CRC bytes at the end
1721 ComputeCrc14443(CRC_14443_A, cmd4, 7, &cmd5[7], &cmd5[8]);
1722
1723 // Store reader command in buffer
1724 if (!LogTrace(cmd5,9,0,GetParity(cmd5,9),TRUE)) break;
1725
1726 CodeIso14443aAsReader(cmd5, sizeof(cmd5));
1727 memcpy(req5, ToSend, ToSendMax); req5Len = ToSendMax;
1728
1729 // Select the card
1730 TransmitFor14443a(req4, req4Len, &samples, &wait);
1731 if(!GetIso14443aAnswerFromTag(receivedAnswer, 100, &samples, &elapsed)) continue;
1732
1733 // Log the SAK
1734 if (!LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE)) break;
1735 }
1736
1737 // Secondly compute the two CRC bytes at the end
1738 ComputeCrc14443(CRC_14443_A, cmd7, 2, &cmd7[2], &cmd7[3]);
1739 CodeIso14443aAsReader(cmd7, sizeof(cmd7));
1740 memcpy(req7, ToSend, ToSendMax); req7Len = ToSendMax;
1741
1742 // Send authentication request (Mifare Classic)
1743 TransmitFor14443a(req7, req7Len, &samples, &wait);
1744 // Store reader command in buffer
1745 if (!LogTrace(cmd7,4,0,GetParity(cmd7,4),TRUE)) break;
1746
1747 if(!GetIso14443aAnswerFromTag(receivedAnswer, 100, &samples, &elapsed)) continue;
1748
1749 // We received probably a random, continue and trace!
1750 if (!LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE)) break;
1751 }
1752
1753 // Thats it...
1754 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1755 LEDsoff();
1756 DbpIntegers(rsamples, 0xCC, 0xCC);
1757 DbpString("ready..");
1758 }
Proxmark3 GIT tracking
Impressum, Datenschutz