]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/hitagS.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
CHG: Added calling clear bigbuff to zero out it also, instead of just "free" it.
[proxmark3-svn] / armsrc / hitagS.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // HitagS emulation (preliminary test version)
7 //
8 // (c) 2016 Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg
9 // <info@os-s.de>
10 //-----------------------------------------------------------------------------
11 // Some code was copied from Hitag2.c
12 //-----------------------------------------------------------------------------
13
14
15 #include <stdio.h>
16 #include <stdlib.h>
17 #include "proxmark3.h"
18 #include "apps.h"
19 #include "util.h"
20 #include "hitagS.h"
21 #include "hitag2.h"
22 #include "string.h"
23 #include "BigBuf.h"
24
25 #define CRC_PRESET 0xFF
26 #define CRC_POLYNOM 0x1D
27
28 #define u8 uint8_t
29 #define u32 uint32_t
30 #define u64 uint64_t
31 #define rev8(x) ((((x)>>7)&1)+((((x)>>6)&1)<<1)+((((x)>>5)&1)<<2)+((((x)>>4)&1)<<3)+((((x)>>3)&1)<<4)+((((x)>>2)&1)<<5)+((((x)>>1)&1)<<6)+(((x)&1)<<7))
32 #define rev16(x) (rev8 (x)+(rev8 (x>> 8)<< 8))
33 #define rev32(x) (rev16(x)+(rev16(x>>16)<<16))
34 #define rev64(x) (rev32(x)+(rev32(x>>32)<<32))
35 #define bit(x,n) (((x)>>(n))&1)
36 #define bit32(x,n) ((((x)[(n)>>5])>>((n)))&1)
37 #define inv32(x,i,n) ((x)[(i)>>5]^=((u32)(n))<<((i)&31))
38 #define rotl64(x, n) ((((u64)(x))<<((n)&63))+(((u64)(x))>>((0-(n))&63)))
39
40 static bool bQuiet;
41 static bool bSuccessful;
42 static struct hitagS_tag tag;
43 static byte_t page_to_be_written = 0;
44 static int block_data_left = 0;
45 typedef enum modulation {
46 AC2K = 0,
47 AC4K,
48 MC4K,
49 MC8K
50 } MOD;
51 static MOD m = AC2K; //used modulation
52 static uint32_t temp_uid;
53 static int temp2 = 0;
54 static int sof_bits; //number of start-of-frame bits
55 static byte_t pwdh0, pwdl0, pwdl1; //password bytes
56 static uint32_t rnd = 0x74124485; //randomnumber
57 static int test = 0;
58 size_t blocknr;
59 bool end=false;
60
61 // Single bit Hitag2 functions:
62 #define i4(x,a,b,c,d) ((u32)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
63 static const u32 ht2_f4a = 0x2C79; // 0010 1100 0111 1001
64 static const u32 ht2_f4b = 0x6671; // 0110 0110 0111 0001
65 static const u32 ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
66 #define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b))
67 #define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b)))
68 #define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c))))
69 #define uf20bs u32
70
71 static u32 f20(const u64 x) {
72 u32 i5;
73
74 i5 = ((ht2_f4a >> i4(x, 1, 2, 4, 5)) & 1) * 1
75 + ((ht2_f4b >> i4(x, 7, 11, 13, 14)) & 1) * 2
76 + ((ht2_f4b >> i4(x, 16, 20, 22, 25)) & 1) * 4
77 + ((ht2_f4b >> i4(x, 27, 28, 30, 32)) & 1) * 8
78 + ((ht2_f4a >> i4(x, 33, 42, 43, 45)) & 1) * 16;
79
80 return (ht2_f5c >> i5) & 1;
81 }
82 static u64 hitag2_round(u64 *state) {
83 u64 x = *state;
84
85 x = (x >> 1)
86 + ((((x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6) ^ (x >> 7) ^ (x >> 8)
87 ^ (x >> 16) ^ (x >> 22) ^ (x >> 23) ^ (x >> 26) ^ (x >> 30)
88 ^ (x >> 41) ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47))
89 & 1) << 47);
90
91 *state = x;
92 return f20(x);
93 }
94 static u64 hitag2_init(const u64 key, const u32 serial, const u32 IV) {
95 u32 i;
96 u64 x = ((key & 0xFFFF) << 32) + serial;
97 for (i = 0; i < 32; i++) {
98 x >>= 1;
99 x += (u64) (f20(x) ^ (((IV >> i) ^ (key >> (i + 16))) & 1)) << 47;
100 }
101 return x;
102 }
103 static u32 hitag2_byte(u64 *x) {
104 u32 i, c;
105
106 for (i = 0, c = 0; i < 8; i++)
107 c += (u32) hitag2_round(x) << (i ^ 7);
108 return c;
109 }
110
111 // Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
112 // TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
113 // Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
114 // T0 = TIMER_CLOCK1 / 125000 = 192
115 #define T0 192
116
117 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
118 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
119
120 #define HITAG_FRAME_LEN 20
121 #define HITAG_T_STOP 36 /* T_EOF should be > 36 */
122 #define HITAG_T_LOW 8 /* T_LOW should be 4..10 */
123 #define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
124 #define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */
125 //#define HITAG_T_EOF 40 /* T_EOF should be > 36 */
126 #define HITAG_T_EOF 80 /* T_EOF should be > 36 */
127 #define HITAG_T_WAIT_1 200 /* T_wresp should be 199..206 */
128 #define HITAG_T_WAIT_2 90 /* T_wresp should be 199..206 */
129 #define HITAG_T_WAIT_MAX 300 /* bit more than HITAG_T_WAIT_1 + HITAG_T_WAIT_2 */
130
131 #define HITAG_T_TAG_ONE_HALF_PERIOD 10
132 #define HITAG_T_TAG_TWO_HALF_PERIOD 25
133 #define HITAG_T_TAG_THREE_HALF_PERIOD 41
134 #define HITAG_T_TAG_FOUR_HALF_PERIOD 57
135
136 #define HITAG_T_TAG_HALF_PERIOD 16
137 #define HITAG_T_TAG_FULL_PERIOD 32
138
139 #define HITAG_T_TAG_CAPTURE_ONE_HALF 13
140 #define HITAG_T_TAG_CAPTURE_TWO_HALF 25
141 #define HITAG_T_TAG_CAPTURE_THREE_HALF 41
142 #define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
143
144 #define DEBUG 0
145
146 /*
147 * Implementation of the crc8 calculation from Hitag S
148 * from http://www.proxmark.org/files/Documents/125%20kHz%20-%20Hitag/HitagS.V11.pdf
149 */
150 void calc_crc(unsigned char * crc, unsigned char data, unsigned char Bitcount) {
151 *crc ^= data; // crc = crc (exor) data
152 do {
153 if (*crc & 0x80) // if (MSB-CRC == 1)
154 {
155 *crc <<= 1; // CRC = CRC Bit-shift left
156 *crc ^= CRC_POLYNOM; // CRC = CRC (exor) CRC_POLYNOM
157 } else {
158 *crc <<= 1; // CRC = CRC Bit-shift left
159 }
160 } while (--Bitcount);
161 }
162
163 static void hitag_send_bit(int bit) {
164 LED_A_ON();
165 // Reset clock for the next bit
166 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
167
168 switch (m) {
169 case AC2K:
170 if (bit == 0) {
171 // AC Coding --__
172 HIGH(GPIO_SSC_DOUT);
173 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
174 ;
175 LOW(GPIO_SSC_DOUT);
176 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
177 ;
178 } else {
179 // AC coding -_-_
180 HIGH(GPIO_SSC_DOUT);
181 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
182 ;
183 LOW(GPIO_SSC_DOUT);
184 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
185 ;
186 HIGH(GPIO_SSC_DOUT);
187 while (AT91C_BASE_TC0->TC_CV < T0 * 48)
188 ;
189 LOW(GPIO_SSC_DOUT);
190 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
191 ;;
192 }
193 LED_A_OFF();
194 break;
195 case AC4K:
196 if (bit == 0) {
197 // AC Coding --__
198 HIGH(GPIO_SSC_DOUT);
199 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_HALF_PERIOD)
200 ;
201 LOW(GPIO_SSC_DOUT);
202 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_FULL_PERIOD)
203 ;
204 } else {
205 // AC coding -_-_
206 HIGH(GPIO_SSC_DOUT);
207 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
208 ;
209 LOW(GPIO_SSC_DOUT);
210 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
211 ;
212 HIGH(GPIO_SSC_DOUT);
213 while (AT91C_BASE_TC0->TC_CV < T0 * 24)
214 ;
215 LOW(GPIO_SSC_DOUT);
216 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
217 ;;
218 }
219 LED_A_OFF();
220 break;
221 case MC4K:
222 if (bit == 0) {
223 // Manchester: Unloaded, then loaded |__--|
224 LOW(GPIO_SSC_DOUT);
225 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
226 ;
227 HIGH(GPIO_SSC_DOUT);
228 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
229 ;
230 } else {
231 // Manchester: Loaded, then unloaded |--__|
232 HIGH(GPIO_SSC_DOUT);
233 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
234 ;
235 LOW(GPIO_SSC_DOUT);
236 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
237 ;
238 }
239 LED_A_OFF();
240 break;
241 case MC8K:
242 if (bit == 0) {
243 // Manchester: Unloaded, then loaded |__--|
244 LOW(GPIO_SSC_DOUT);
245 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
246 ;
247 HIGH(GPIO_SSC_DOUT);
248 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
249 ;
250 } else {
251 // Manchester: Loaded, then unloaded |--__|
252 HIGH(GPIO_SSC_DOUT);
253 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
254 ;
255 LOW(GPIO_SSC_DOUT);
256 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
257 ;
258 }
259 LED_A_OFF();
260 break;
261 default:
262 break;
263 }
264 }
265
266 static void hitag_send_frame(const byte_t* frame, size_t frame_len) {
267 // Send start of frame
268
269 for (size_t i = 0; i < sof_bits; i++) {
270 hitag_send_bit(1);
271 }
272
273 // Send the content of the frame
274 for (size_t i = 0; i < frame_len; i++) {
275 hitag_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
276 }
277 // Drop the modulation
278 LOW(GPIO_SSC_DOUT);
279 }
280
281 static void hitag_reader_send_bit(int bit) {
282 //Dbprintf("BIT: %d",bit);
283 LED_A_ON();
284 // Reset clock for the next bit
285 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
286
287 // Binary puls length modulation (BPLM) is used to encode the data stream
288 // This means that a transmission of a one takes longer than that of a zero
289
290 // Enable modulation, which means, drop the the field
291 HIGH(GPIO_SSC_DOUT);
292 if (test == 1) {
293 // Wait for 4-10 times the carrier period
294 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
295 ;
296 // SpinDelayUs(8*8);
297
298 // Disable modulation, just activates the field again
299 LOW(GPIO_SSC_DOUT);
300
301 if (bit == 0) {
302 // Zero bit: |_-|
303 while (AT91C_BASE_TC0->TC_CV < T0 * 11)
304 ;
305 // SpinDelayUs(16*8);
306 } else {
307 // One bit: |_--|
308 while (AT91C_BASE_TC0->TC_CV < T0 * 14)
309 ;
310 // SpinDelayUs(22*8);
311 }
312 } else {
313 // Wait for 4-10 times the carrier period
314 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
315 ;
316 // SpinDelayUs(8*8);
317
318 // Disable modulation, just activates the field again
319 LOW(GPIO_SSC_DOUT);
320
321 if (bit == 0) {
322 // Zero bit: |_-|
323 while (AT91C_BASE_TC0->TC_CV < T0 * 22)
324 ;
325 // SpinDelayUs(16*8);
326 } else {
327 // One bit: |_--|
328 while (AT91C_BASE_TC0->TC_CV < T0 * 28)
329 ;
330 // SpinDelayUs(22*8);
331 }
332 }
333
334 LED_A_OFF();
335 }
336
337 static void hitag_reader_send_frame(const byte_t* frame, size_t frame_len) {
338 // Send the content of the frame
339 for (size_t i = 0; i < frame_len; i++) {
340 if (frame[0] == 0xf8) {
341 //Dbprintf("BIT: %d",(frame[i / 8] >> (7 - (i % 8))) & 1);
342 }
343 hitag_reader_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
344 }
345 // Send EOF
346 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
347 // Enable modulation, which means, drop the the field
348 HIGH(GPIO_SSC_DOUT);
349 // Wait for 4-10 times the carrier period
350 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
351 ;
352 // Disable modulation, just activates the field again
353 LOW(GPIO_SSC_DOUT);
354 }
355
356 /*
357 * to check if the right uid was selected
358 */
359 static int check_select(byte_t* rx, uint32_t uid) {
360 unsigned char resp[48];
361 int i;
362 uint32_t ans = 0x0;
363 for (i = 0; i < 48; i++)
364 resp[i] = (rx[i / 8] >> (7 - (i % 8))) & 0x1;
365 for (i = 0; i < 32; i++)
366 ans += resp[5 + i] << (31 - i);
367 /*if (rx[0] == 0x01 && rx[1] == 0x15 && rx[2] == 0xc1 && rx[3] == 0x14
368 && rx[4] == 0x65 && rx[5] == 0x38)
369 Dbprintf("got uid %X", ans);*/
370 temp_uid = ans;
371 if (ans == tag.uid)
372 return 1;
373 return 0;
374 }
375
376 /*
377 * handles all commands from a reader
378 */
379 static void hitagS_handle_reader_command(byte_t* rx, const size_t rxlen,
380 byte_t* tx, size_t* txlen) {
381 byte_t rx_air[HITAG_FRAME_LEN];
382 byte_t page;
383 int i;
384 u64 state;
385 unsigned char crc;
386
387 // Copy the (original) received frame how it is send over the air
388 memcpy(rx_air, rx, nbytes(rxlen));
389 // Reset the transmission frame length
390 *txlen = 0;
391 // Try to find out which command was send by selecting on length (in bits)
392 switch (rxlen) {
393 case 5: {
394 //UID request with a selected response protocol mode
395 tag.pstate = HT_READY;
396 tag.tstate = HT_NO_OP;
397 if ((rx[0] & 0xf0) == 0x30) {
398 tag.mode = HT_STANDARD;
399 sof_bits = 1;
400 m = AC2K;
401 }
402 if ((rx[0] & 0xf0) == 0xc0) {
403 tag.mode = HT_ADVANCED;
404 sof_bits = 3;
405 m = AC2K;
406 }
407
408 if ((rx[0] & 0xf0) == 0xd0) {
409 tag.mode = HT_FAST_ADVANCED;
410 sof_bits = 3;
411 m = AC4K;
412 }
413 //send uid as a response
414 *txlen = 32;
415 for (i = 0; i < 4; i++)
416 tx[i] = (tag.uid >> (24 - (i * 8))) & 0xff;
417 }
418 break;
419 case 45: {
420 //select command from reader received
421 if (check_select(rx, tag.uid) == 1) {
422 //if the right tag was selected
423 *txlen = 32;
424 switch (tag.mode) {
425 case HT_STANDARD:
426 sof_bits = 1;
427 m = MC4K;
428 break;
429 case HT_ADVANCED:
430 sof_bits = 6;
431 m = MC4K;
432 break;
433 case HT_FAST_ADVANCED:
434 sof_bits = 6;
435 m = MC8K;
436 break;
437 default:
438 break;
439 }
440
441 //send configuration
442 for (i = 0; i < 4; i++)
443 tx[i] = (tag.pages[0][1] >> (i * 8)) & 0xff;
444 tx[3] = 0xff;
445 if (tag.mode != HT_STANDARD) {
446 *txlen = 40;
447 crc = CRC_PRESET;
448 for (i = 0; i < 4; i++)
449 calc_crc(&crc, tx[i], 8);
450 tx[4] = crc;
451 }
452 }
453 }
454 break;
455 case 64: {
456 //challenge message received
457 Dbprintf("Challenge for UID: %X", temp_uid);
458 temp2++;
459 *txlen = 32;
460 state = hitag2_init(rev64(tag.key), rev32(tag.pages[0][0]),
461 rev32(((rx[3] << 24) + (rx[2] << 16) + (rx[1] << 8) + rx[0])));
462 Dbprintf(
463 ",{0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X}",
464 rx[0], rx[1], rx[2], rx[3], rx[4], rx[5], rx[6], rx[7]);
465 switch (tag.mode) {
466 case HT_STANDARD:
467 sof_bits = 1;
468 m = MC4K;
469 break;
470 case HT_ADVANCED:
471 sof_bits = 6;
472 m = MC4K;
473 break;
474 case HT_FAST_ADVANCED:
475 sof_bits = 6;
476 m = MC8K;
477 break;
478 default:
479 break;
480 }
481
482 for (i = 0; i < 4; i++)
483 hitag2_byte(&state);
484 //send con2,pwdh0,pwdl0,pwdl1 encrypted as a response
485 tx[0] = hitag2_byte(&state) ^ ((tag.pages[0][1] >> 16) & 0xff);
486 tx[1] = hitag2_byte(&state) ^ tag.pwdh0;
487 tx[2] = hitag2_byte(&state) ^ tag.pwdl0;
488 tx[3] = hitag2_byte(&state) ^ tag.pwdl1;
489 if (tag.mode != HT_STANDARD) {
490 //add crc8
491 *txlen = 40;
492 crc = CRC_PRESET;
493 calc_crc(&crc, ((tag.pages[0][1] >> 16) & 0xff), 8);
494 calc_crc(&crc, tag.pwdh0, 8);
495 calc_crc(&crc, tag.pwdl0, 8);
496 calc_crc(&crc, tag.pwdl1, 8);
497 tx[4] = (crc ^ hitag2_byte(&state));
498 }
499 /*
500 * some readers do not allow to authenticate multiple times in a row with the same tag.
501 * use this to change the uid between authentications.
502 */
503
504 /*
505 if (temp2 % 2 == 0) {
506 tag.uid = 0x11223344;
507 tag.pages[0][0] = 0x44332211;
508 } else {
509 tag.uid = 0x55667788;
510 tag.pages[0][0] = 0x88776655;
511 }
512 */
513 }
514 case 40:
515 //data received to be written
516 if (tag.tstate == HT_WRITING_PAGE_DATA) {
517 tag.tstate = HT_NO_OP;
518 tag.pages[page_to_be_written / 4][page_to_be_written % 4] = (rx[0]
519 << 0) + (rx[1] << 8) + (rx[2] << 16) + (rx[3] << 24);
520 //send ack
521 *txlen = 2;
522 tx[0] = 0x40;
523 page_to_be_written = 0;
524 switch (tag.mode) {
525 case HT_STANDARD:
526 sof_bits = 1;
527 m = MC4K;
528 break;
529 case HT_ADVANCED:
530 sof_bits = 6;
531 m = MC4K;
532 break;
533 case HT_FAST_ADVANCED:
534 sof_bits = 6;
535 m = MC8K;
536 break;
537 default:
538 break;
539 }
540 } else if (tag.tstate == HT_WRITING_BLOCK_DATA) {
541 tag.pages[page_to_be_written / 4][page_to_be_written % 4] = (rx[0]
542 << 24) + (rx[1] << 16) + (rx[2] << 8) + rx[3];
543 //send ack
544 *txlen = 2;
545 tx[0] = 0x40;
546 switch (tag.mode) {
547 case HT_STANDARD:
548 sof_bits = 1;
549 m = MC4K;
550 break;
551 case HT_ADVANCED:
552 sof_bits = 6;
553 m = MC4K;
554 break;
555 case HT_FAST_ADVANCED:
556 sof_bits = 6;
557 m = MC8K;
558 break;
559 default:
560 break;
561 }
562 page_to_be_written++;
563 block_data_left--;
564 if (block_data_left == 0) {
565 tag.tstate = HT_NO_OP;
566 page_to_be_written = 0;
567 }
568 }
569 break;
570 case 20: {
571 //write page, write block, read page or read block command received
572 if ((rx[0] & 0xf0) == 0xc0) //read page
573 {
574 //send page data
575 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
576 *txlen = 32;
577 tx[0] = (tag.pages[page / 4][page % 4]) & 0xff;
578 tx[1] = (tag.pages[page / 4][page % 4] >> 8) & 0xff;
579 tx[2] = (tag.pages[page / 4][page % 4] >> 16) & 0xff;
580 tx[3] = (tag.pages[page / 4][page % 4] >> 24) & 0xff;
581 if (tag.LKP && page == 1)
582 tx[3] = 0xff;
583
584 switch (tag.mode) {
585 case HT_STANDARD:
586 sof_bits = 1;
587 m = MC4K;
588 break;
589 case HT_ADVANCED:
590 sof_bits = 6;
591 m = MC4K;
592 break;
593 case HT_FAST_ADVANCED:
594 sof_bits = 6;
595 m = MC8K;
596 break;
597 default:
598 break;
599 }
600
601 if (tag.mode != HT_STANDARD) {
602 //add crc8
603 *txlen = 40;
604 crc = CRC_PRESET;
605 for (i = 0; i < 4; i++)
606 calc_crc(&crc, tx[i], 8);
607 tx[4] = crc;
608 }
609
610 if (tag.LKP && (page == 2 || page == 3)) {
611 //if reader asks for key or password and the LKP-mark is set do not respond
612 sof_bits = 0;
613 *txlen = 0;
614 }
615 } else if ((rx[0] & 0xf0) == 0xd0) //read block
616 {
617 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
618 *txlen = 32 * 4;
619 //send page,...,page+3 data
620 for (i = 0; i < 4; i++) {
621 tx[0 + i * 4] = (tag.pages[page / 4][page % 4]) & 0xff;
622 tx[1 + i * 4] = (tag.pages[page / 4][page % 4] >> 8) & 0xff;
623 tx[2 + i * 4] = (tag.pages[page / 4][page % 4] >> 16) & 0xff;
624 tx[3 + i * 4] = (tag.pages[page / 4][page % 4] >> 24) & 0xff;
625 page++;
626 }
627
628 switch (tag.mode) {
629 case HT_STANDARD:
630 sof_bits = 1;
631 m = MC4K;
632 break;
633 case HT_ADVANCED:
634 sof_bits = 6;
635 m = MC4K;
636 break;
637 case HT_FAST_ADVANCED:
638 sof_bits = 6;
639 m = MC8K;
640 break;
641 default:
642 break;
643 }
644
645 if (tag.mode != HT_STANDARD) {
646 //add crc8
647 *txlen = 32 * 4 + 8;
648 crc = CRC_PRESET;
649 for (i = 0; i < 16; i++)
650 calc_crc(&crc, tx[i], 8);
651 tx[16] = crc;
652 }
653
654 if ((page - 4) % 4 != 0 || (tag.LKP && (page - 4) == 0)) {
655 sof_bits = 0;
656 *txlen = 0;
657 }
658 } else if ((rx[0] & 0xf0) == 0x80) //write page
659 {
660 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
661
662 switch (tag.mode) {
663 case HT_STANDARD:
664 sof_bits = 1;
665 m = MC4K;
666 break;
667 case HT_ADVANCED:
668 sof_bits = 6;
669 m = MC4K;
670 break;
671 case HT_FAST_ADVANCED:
672 sof_bits = 6;
673 m = MC8K;
674 break;
675 default:
676 break;
677 }
678 if ((tag.LCON && page == 1)
679 || (tag.LKP && (page == 2 || page == 3))) {
680 //deny
681 *txlen = 0;
682 } else {
683 //allow
684 *txlen = 2;
685 tx[0] = 0x40;
686 page_to_be_written = page;
687 tag.tstate = HT_WRITING_PAGE_DATA;
688 }
689
690 } else if ((rx[0] & 0xf0) == 0x90) //write block
691 {
692 page = ((rx[0] & 0x0f) * 6) + ((rx[1] & 0xf0) / 16);
693 switch (tag.mode) {
694 case HT_STANDARD:
695 sof_bits = 1;
696 m = MC4K;
697 break;
698 case HT_ADVANCED:
699 sof_bits = 6;
700 m = MC4K;
701 break;
702 case HT_FAST_ADVANCED:
703 sof_bits = 6;
704 m = MC8K;
705 break;
706 default:
707 break;
708 }
709 if (page % 4 != 0 || page == 0) {
710 //deny
711 *txlen = 0;
712 } else {
713 //allow
714 *txlen = 2;
715 tx[0] = 0x40;
716 page_to_be_written = page;
717 block_data_left = 4;
718 tag.tstate = HT_WRITING_BLOCK_DATA;
719 }
720 }
721 }
722 break;
723 default:
724
725 break;
726 }
727 }
728
729 /*
730 * to autenticate to a tag with the given key or challenge
731 */
732 static int hitagS_handle_tag_auth(hitag_function htf,uint64_t key, uint64_t NrAr, byte_t* rx, const size_t rxlen, byte_t* tx,
733 size_t* txlen) {
734 byte_t rx_air[HITAG_FRAME_LEN];
735 int response_bit[200];
736 int i, j, z, k;
737 unsigned char mask = 1;
738 unsigned char uid[32];
739 byte_t uid1 = 0x00, uid2 = 0x00, uid3 = 0x00, uid4 = 0x00;
740 unsigned char crc;
741 u64 state;
742 byte_t auth_ks[4];
743 byte_t conf_pages[3];
744 memcpy(rx_air, rx, nbytes(rxlen));
745 *txlen = 0;
746
747 if (tag.pstate == HT_READY && rxlen >= 67) {
748 //received uid
749 if(end==true) {
750 Dbprintf("authentication failed!");
751 return -1;
752 }
753 z = 0;
754 for (i = 0; i < 10; i++) {
755 for (j = 0; j < 8; j++) {
756 response_bit[z] = 0;
757 if ((rx[i] & ((mask << 7) >> j)) != 0)
758 response_bit[z] = 1;
759 z++;
760 }
761 }
762 k = 0;
763 for (i = 5; i < z; i += 2) {
764 uid[k] = response_bit[i];
765 k++;
766 if (k > 31)
767 break;
768 }
769 uid1 = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5) | (uid[3] << 4)
770 | (uid[4] << 3) | (uid[5] << 2) | (uid[6] << 1) | uid[7];
771 uid2 = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5) | (uid[11] << 4)
772 | (uid[12] << 3) | (uid[13] << 2) | (uid[14] << 1) | uid[15];
773 uid3 = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5) | (uid[19] << 4)
774 | (uid[20] << 3) | (uid[21] << 2) | (uid[22] << 1) | uid[23];
775 uid4 = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5) | (uid[27] << 4)
776 | (uid[28] << 3) | (uid[29] << 2) | (uid[30] << 1) | uid[31];
777 if (DEBUG)
778 Dbprintf("UID: %02X %02X %02X %02X", uid1, uid2, uid3, uid4);
779 tag.uid = (uid4 << 24 | uid3 << 16 | uid2 << 8 | uid1);
780
781 //select uid
782 *txlen = 45;
783 crc = CRC_PRESET;
784 calc_crc(&crc, 0x00, 5);
785 calc_crc(&crc, uid1, 8);
786 calc_crc(&crc, uid2, 8);
787 calc_crc(&crc, uid3, 8);
788 calc_crc(&crc, uid4, 8);
789 for (i = 0; i < 100; i++) {
790 response_bit[i] = 0;
791 }
792 for (i = 0; i < 5; i++) {
793 response_bit[i] = 0;
794 }
795 for (i = 5; i < 37; i++) {
796 response_bit[i] = uid[i - 5];
797 }
798 for (j = 0; j < 8; j++) {
799 response_bit[i] = 0;
800 if ((crc & ((mask << 7) >> j)) != 0)
801 response_bit[i] = 1;
802 i++;
803 }
804 k = 0;
805 for (i = 0; i < 6; i++) {
806 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
807 | (response_bit[k + 2] << 5) | (response_bit[k + 3] << 4)
808 | (response_bit[k + 4] << 3) | (response_bit[k + 5] << 2)
809 | (response_bit[k + 6] << 1) | response_bit[k + 7];
810 k += 8;
811 }
812 tag.pstate = HT_INIT;
813 } else if (tag.pstate == HT_INIT && rxlen == 44) {
814 // received configuration after select command
815 z = 0;
816 for (i = 0; i < 6; i++) {
817 for (j = 0; j < 8; j++) {
818 response_bit[z] = 0;
819 if ((rx[i] & ((mask << 7) >> j)) != 0)
820 response_bit[z] = 1;
821 z++;
822 }
823 }
824 conf_pages[0] = ((response_bit[4] << 7) | (response_bit[5] << 6)
825 | (response_bit[6] << 5) | (response_bit[7] << 4)
826 | (response_bit[8] << 3) | (response_bit[9] << 2)
827 | (response_bit[10] << 1) | response_bit[11]);
828 //check wich memorysize this tag has
829 if (response_bit[10] == 0 && response_bit[11] == 0)
830 tag.max_page = 32 / 32;
831 if (response_bit[10] == 0 && response_bit[11] == 1)
832 tag.max_page = 256 / 32;
833 if (response_bit[10] == 1 && response_bit[11] == 0)
834 tag.max_page = 2048 / 32;
835 conf_pages[1] = ((response_bit[12] << 7) | (response_bit[13] << 6)
836 | (response_bit[14] << 5) | (response_bit[15] << 4)
837 | (response_bit[16] << 3) | (response_bit[17] << 2)
838 | (response_bit[18] << 1) | response_bit[19]);
839 tag.auth = response_bit[12];
840 tag.TTFC = response_bit[13];
841 //tag.TTFDR in response_bit[14] and response_bit[15]
842 //tag.TTFM in response_bit[16] and response_bit[17]
843 tag.LCON = response_bit[18];
844 tag.LKP = response_bit[19];
845 conf_pages[2] = ((response_bit[20] << 7) | (response_bit[21] << 6)
846 | (response_bit[22] << 5) | (response_bit[23] << 4)
847 | (response_bit[24] << 3) | (response_bit[25] << 2)
848 | (response_bit[26] << 1) | response_bit[27]);
849 tag.LCK7 = response_bit[20];
850 tag.LCK6 = response_bit[21];
851 tag.LCK5 = response_bit[22];
852 tag.LCK4 = response_bit[23];
853 tag.LCK3 = response_bit[24];
854 tag.LCK2 = response_bit[25];
855 tag.LCK1 = response_bit[26];
856 tag.LCK0 = response_bit[27];
857
858 if (DEBUG)
859 Dbprintf("conf0: %02X conf1: %02X conf2: %02X", conf_pages[0],
860 conf_pages[1], conf_pages[2]);
861 if (tag.auth == 1) {
862 //if the tag is in authentication mode try the key or challenge
863 *txlen = 64;
864 if(end!=true){
865 if(htf==02||htf==04){ //RHTS_KEY //WHTS_KEY
866 state = hitag2_init(rev64(key), rev32(tag.uid),
867 rev32(rnd));
868
869 for (i = 0; i < 4; i++) {
870 auth_ks[i] = hitag2_byte(&state) ^ 0xff;
871 }
872 *txlen = 64;
873 tx[0] = rnd & 0xff;
874 tx[1] = (rnd >> 8) & 0xff;
875 tx[2] = (rnd >> 16) & 0xff;
876 tx[3] = (rnd >> 24) & 0xff;
877
878 tx[4] = auth_ks[0];
879 tx[5] = auth_ks[1];
880 tx[6] = auth_ks[2];
881 tx[7] = auth_ks[3];
882 if (DEBUG)
883 Dbprintf("%02X %02X %02X %02X %02X %02X %02X %02X", tx[0],
884 tx[1], tx[2], tx[3], tx[4], tx[5], tx[6], tx[7]);
885 } else if(htf==01 || htf==03) { //RHTS_CHALLENGE //WHTS_CHALLENGE
886 for (i = 0; i < 8; i++)
887 tx[i]=((NrAr>>(56-(i*8)))&0xff);
888 }
889 end=true;
890 tag.pstate = HT_AUTHENTICATE;
891 } else {
892 Dbprintf("authentication failed!");
893 return -1;
894 }
895 } else if (tag.auth == 0) {
896 tag.pstate = HT_SELECTED;
897 }
898
899 } else if (tag.pstate == HT_AUTHENTICATE && rxlen == 44) {
900 //encrypted con2,password received.
901 crc = CRC_PRESET;
902 calc_crc(&crc, 0x80, 1);
903 calc_crc(&crc, ((rx[0] & 0x0f) * 16 + ((rx[1] & 0xf0) / 16)), 8);
904 calc_crc(&crc, ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16)), 8);
905 calc_crc(&crc, ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16)), 8);
906 calc_crc(&crc, ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16)), 8);
907 if (DEBUG) {
908 Dbprintf("UID:::%X", tag.uid);
909 Dbprintf("RND:::%X", rnd);
910 }
911
912 //decrypt password
913 pwdh0=0;
914 pwdl0=0;
915 pwdl1=0;
916 if(htf==02 || htf==04){ //RHTS_KEY //WHTS_KEY
917 {
918 state = hitag2_init(rev64(key), rev32(tag.uid), rev32(rnd));
919 for (i = 0; i < 5; i++)
920 hitag2_byte(&state);
921 pwdh0 = ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16))
922 ^ hitag2_byte(&state);
923 pwdl0 = ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16))
924 ^ hitag2_byte(&state);
925 pwdl1 = ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16))
926 ^ hitag2_byte(&state);
927 }
928
929 if (DEBUG)
930 Dbprintf("pwdh0 %02X pwdl0 %02X pwdl1 %02X", pwdh0, pwdl0, pwdl1);
931
932
933 //Dbprintf("%X %02X", rnd, ((rx[4] & 0x0f) * 16) + ((rx[5] & 0xf0) / 16));
934 //rnd += 1;
935 }
936 tag.pstate = HT_SELECTED; //tag is now ready for read/write commands
937 }
938 return 0;
939
940 }
941
942 /*
943 * Emulates a Hitag S Tag with the given data from the .hts file
944 */
945 void SimulateHitagSTag(bool tag_mem_supplied, byte_t* data) {
946 int frame_count;
947 int response;
948 int overflow;
949 int i, j;
950 byte_t rx[HITAG_FRAME_LEN];
951 size_t rxlen = 0;
952 //bool bQuitTraceFull = false;
953 bQuiet = false;
954 byte_t txbuf[HITAG_FRAME_LEN];
955 byte_t* tx = txbuf;
956 size_t txlen = 0;
957 // free eventually allocated BigBuf memory
958 BigBuf_free(); BigBuf_Clear_ext(false);
959
960 // Clean up trace and prepare it for storing frames
961 set_tracing(TRUE);
962 clear_trace();
963
964 DbpString("Starting HitagS simulation");
965 LED_D_ON();
966
967 tag.pstate = HT_READY;
968 tag.tstate = HT_NO_OP;
969 tag.tstate = HT_NO_OP;
970 for (i = 0; i < 16; i++)
971 for (j = 0; j < 4; j++)
972 tag.pages[i][j] = 0x0;
973 //read tag data into memory
974 if (tag_mem_supplied) {
975 DbpString("Loading hitagS memory...");
976 memcpy((byte_t*)tag.pages,data,4*64);
977 }
978 tag.uid=(uint32_t)tag.pages[0];
979 Dbprintf("Hitag S simulation started");
980 tag.key=(intptr_t)tag.pages[3];
981 tag.key<<=16;
982 tag.key+=((tag.pages[2][0])<<8)+tag.pages[2][1];
983 tag.pwdl0=tag.pages[2][3];
984 tag.pwdl1=tag.pages[2][2];
985 tag.pwdh0=tag.pages[1][0];
986 //con0
987 tag.max_page=64;
988 if((tag.pages[1][3]&0x2)==0 && (tag.pages[1][3]&0x1)==1)
989 tag.max_page=8;
990 if((tag.pages[1][3]&0x2)==0 && (tag.pages[1][3]&0x1)==0)
991 tag.max_page=0;
992 //con1
993 tag.auth=0;
994 if((tag.pages[1][2]&0x80)==1)
995 tag.auth=1;
996 tag.LCON=0;
997 if((tag.pages[1][2]&0x2)==1)
998 tag.LCON=1;
999 tag.LKP=0;
1000 if((tag.pages[1][2]&0x1)==1)
1001 tag.LKP=1;
1002 //con2
1003 //0=read write 1=read only
1004 tag.LCK7=0;
1005 if((tag.pages[1][1]&0x80)==1)
1006 tag.LCK7=1;
1007 tag.LCK6=0;
1008 if((tag.pages[1][1]&0x40)==1)
1009 tag.LCK6=1;
1010 tag.LCK5=0;
1011 if((tag.pages[1][1]&0x20)==1)
1012 tag.LCK5=1;
1013 tag.LCK4=0;
1014 if((tag.pages[1][1]&0x10)==1)
1015 tag.LCK4=1;
1016 tag.LCK3=0;
1017 if((tag.pages[1][1]&0x8)==1)
1018 tag.LCK3=1;
1019 tag.LCK2=0;
1020 if((tag.pages[1][1]&0x4)==1)
1021 tag.LCK2=1;
1022 tag.LCK1=0;
1023 if((tag.pages[1][1]&0x2)==1)
1024 tag.LCK1=1;
1025 tag.LCK0=0;
1026 if((tag.pages[1][1]&0x1)==1)
1027 tag.LCK0=1;
1028
1029 // Set up simulator mode, frequency divisor which will drive the FPGA
1030 // and analog mux selection.
1031 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1032 FpgaWriteConfWord(
1033 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1034 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1035 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1036 RELAY_OFF();
1037
1038 // Configure output pin that is connected to the FPGA (for modulating)
1039 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1040 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1041
1042 // Disable modulation at default, which means release resistance
1043 LOW(GPIO_SSC_DOUT);
1044
1045 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1046 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1047
1048 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
1049 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1050 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1051
1052 // Disable timer during configuration
1053 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1054
1055 // Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1056 // external trigger rising edge, load RA on rising edge of TIOA.
1057 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1058 | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
1059
1060 // Reset the received frame, frame count and timing info
1061 memset(rx, 0x00, sizeof(rx));
1062 frame_count = 0;
1063 response = 0;
1064 overflow = 0;
1065
1066 // Enable and reset counter
1067 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1068
1069 while (!BUTTON_PRESS()) {
1070 // Watchdog hit
1071 WDT_HIT();
1072
1073 // Receive frame, watch for at most T0*EOF periods
1074 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_EOF) {
1075 // Check if rising edge in modulation is detected
1076 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1077 // Retrieve the new timing values
1078 int ra = (AT91C_BASE_TC1->TC_RA / T0) + overflow;
1079 overflow = 0;
1080
1081 // Reset timer every frame, we have to capture the last edge for timing
1082 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1083
1084 LED_B_ON();
1085
1086 // Capture reader frame
1087 if (ra >= HITAG_T_STOP) {
1088 if (rxlen != 0) {
1089 //DbpString("wierd0?");
1090 }
1091 // Capture the T0 periods that have passed since last communication or field drop (reset)
1092 response = (ra - HITAG_T_LOW);
1093 } else if (ra >= HITAG_T_1_MIN) {
1094 // '1' bit
1095 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1096 rxlen++;
1097 } else if (ra >= HITAG_T_0_MIN) {
1098 // '0' bit
1099 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1100 rxlen++;
1101 } else {
1102 // Ignore wierd value, is to small to mean anything
1103 }
1104 }
1105 }
1106
1107 // Check if frame was captured
1108 if (rxlen > 0) {
1109 frame_count++;
1110 if (!bQuiet) {
1111 if (!LogTraceHitag(rx, rxlen, response, 0, true)) {
1112 DbpString("Trace full");
1113 clear_trace();
1114 }
1115 }
1116
1117 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1118 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1119
1120 // Process the incoming frame (rx) and prepare the outgoing frame (tx)
1121 hitagS_handle_reader_command(rx, rxlen, tx, &txlen);
1122
1123 // Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
1124 // not that since the clock counts since the rising edge, but T_Wait1 is
1125 // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
1126 // periods. The gap time T_Low varies (4..10). All timer values are in
1127 // terms of T0 units
1128 while (AT91C_BASE_TC0->TC_CV < T0 * (HITAG_T_WAIT_1 - HITAG_T_LOW))
1129 ;
1130
1131 // Send and store the tag answer (if there is any)
1132 if (txlen > 0) {
1133 // Transmit the tag frame
1134 hitag_send_frame(tx, txlen);
1135 // Store the frame in the trace
1136 if (!bQuiet) {
1137 if (!LogTraceHitag(tx, txlen, 0, 0, false)) {
1138 DbpString("Trace full");
1139 clear_trace();
1140 }
1141 }
1142 }
1143
1144 // Reset the received frame and response timing info
1145 memset(rx, 0x00, sizeof(rx));
1146 response = 0;
1147
1148 // Enable and reset external trigger in timer for capturing future frames
1149 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1150 LED_B_OFF();
1151 }
1152 // Reset the frame length
1153 rxlen = 0;
1154 // Save the timer overflow, will be 0 when frame was received
1155 overflow += (AT91C_BASE_TC1->TC_CV / T0);
1156 // Reset the timer to restart while-loop that receives frames
1157 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
1158 }
1159 LED_B_OFF();
1160 LED_D_OFF();
1161 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1162 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1163 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1164 }
1165
1166 /*
1167 * Authenticates to the Tag with the given key or challenge.
1168 * If the key was given the password will be decrypted.
1169 * Reads every page of a hitag S transpoder.
1170 */
1171 void ReadHitagS(hitag_function htf, hitag_data* htd) {
1172 int i, j, z, k;
1173 int frame_count;
1174 int response_bit[200];
1175 int response;
1176 byte_t rx[HITAG_FRAME_LEN];
1177 size_t rxlen = 0;
1178 byte_t txbuf[HITAG_FRAME_LEN];
1179 byte_t* tx = txbuf;
1180 size_t txlen = 0;
1181 int lastbit;
1182 bool bSkip;
1183 int reset_sof;
1184 int tag_sof;
1185 int t_wait = HITAG_T_WAIT_MAX;
1186 bool bStop;
1187 bool bQuitTraceFull = false;
1188 int sendNum = 0;
1189 unsigned char mask = 1;
1190 unsigned char crc;
1191 unsigned char pageData[32];
1192 page_to_be_written = 0;
1193
1194 //read given key/challenge
1195 byte_t NrAr_[8];
1196 uint64_t key=0;
1197 uint64_t NrAr=0;
1198 byte_t key_[6];
1199 switch(htf) {
1200 case 01: { //RHTS_CHALLENGE
1201 DbpString("Authenticating using nr,ar pair:");
1202 memcpy(NrAr_,htd->auth.NrAr,8);
1203 Dbhexdump(8,NrAr_,false);
1204 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1205 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1206 } break;
1207 case 02: { //RHTS_KEY
1208 DbpString("Authenticating using key:");
1209 memcpy(key_,htd->crypto.key,6);
1210 Dbhexdump(6,key_,false);
1211 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1212 } break;
1213 default: {
1214 Dbprintf("Error , unknown function: %d",htf);
1215 return;
1216 } break;
1217 }
1218
1219
1220
1221 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1222 // Reset the return status
1223 bSuccessful = false;
1224
1225 // Clean up trace and prepare it for storing frames
1226 set_tracing(TRUE);
1227 clear_trace();
1228
1229 bQuiet = false;
1230 bQuitTraceFull = true;
1231
1232 LED_D_ON();
1233
1234 // Configure output and enable pin that is connected to the FPGA (for modulating)
1235 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1236 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1237
1238 // Set fpga in edge detect with reader field, we can modulate as reader now
1239 FpgaWriteConfWord(
1240 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1241
1242 // Set Frequency divisor which will drive the FPGA and analog mux selection
1243 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1244 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1245 RELAY_OFF();
1246
1247 // Disable modulation at default, which means enable the field
1248 LOW(GPIO_SSC_DOUT);
1249
1250 // Give it a bit of time for the resonant antenna to settle.
1251 SpinDelay(30);
1252
1253 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1254 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1255
1256 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1257 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1258 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1259
1260 // Disable timer during configuration
1261 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1262
1263 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1264 // external trigger rising edge, load RA on falling edge of TIOA.
1265 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1266
1267 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
1268
1269 // Enable and reset counters
1270 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1271 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1272
1273 // Reset the received frame, frame count and timing info
1274 frame_count = 0;
1275 response = 0;
1276 lastbit = 1;
1277 bStop = false;
1278
1279 reset_sof = 1;
1280 t_wait = 200;
1281
1282 while (!bStop && !BUTTON_PRESS()) {
1283 // Watchdog hit
1284 WDT_HIT();
1285
1286 // Check if frame was captured and store it
1287 if (rxlen > 0) {
1288 frame_count++;
1289 if (!bQuiet) {
1290 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1291 DbpString("Trace full");
1292 if (bQuitTraceFull) {
1293 break;
1294 } else {
1295 bQuiet = true;
1296 }
1297 }
1298 }
1299 }
1300
1301 // By default reset the transmission buffer
1302 tx = txbuf;
1303 txlen = 0;
1304
1305 if (rxlen == 0) {
1306 //start authentication
1307 txlen = 5;
1308 memcpy(tx, "\xc0", nbytes(txlen));
1309 tag.pstate = HT_READY;
1310 tag.tstate = HT_NO_OP;
1311 } else if (tag.pstate != HT_SELECTED) {
1312 if (hitagS_handle_tag_auth(htf, key,NrAr,rx, rxlen, tx, &txlen) == -1)
1313 bStop = !false;
1314 }
1315 if (tag.pstate == HT_SELECTED && tag.tstate == HT_NO_OP && rxlen > 0) {
1316 //send read request
1317 tag.tstate = HT_READING_PAGE;
1318 txlen = 20;
1319 crc = CRC_PRESET;
1320 tx[0] = 0xc0 + (sendNum / 16);
1321 calc_crc(&crc, tx[0], 8);
1322 calc_crc(&crc, 0x00 + ((sendNum % 16) * 16), 4);
1323 tx[1] = 0x00 + ((sendNum % 16) * 16) + (crc / 16);
1324 tx[2] = 0x00 + (crc % 16) * 16;
1325 } else if (tag.pstate == HT_SELECTED && tag.tstate == HT_READING_PAGE
1326 && rxlen > 0) {
1327 //save received data
1328 z = 0;
1329 for (i = 0; i < 5; i++) {
1330 for (j = 0; j < 8; j++) {
1331 response_bit[z] = 0;
1332 if ((rx[i] & ((mask << 7) >> j)) != 0)
1333 response_bit[z] = 1;
1334 z++;
1335 }
1336 }
1337 k = 0;
1338 for (i = 4; i < 36; i++) {
1339 pageData[k] = response_bit[i];
1340 k++;
1341 }
1342 for (i = 0; i < 4; i++)
1343 tag.pages[sendNum / 4][sendNum % 4] = 0x0;
1344 for (i = 0; i < 4; i++) {
1345 tag.pages[sendNum / 4][sendNum % 4] += ((pageData[i * 8] << 7)
1346 | (pageData[1 + (i * 8)] << 6)
1347 | (pageData[2 + (i * 8)] << 5)
1348 | (pageData[3 + (i * 8)] << 4)
1349 | (pageData[4 + (i * 8)] << 3)
1350 | (pageData[5 + (i * 8)] << 2)
1351 | (pageData[6 + (i * 8)] << 1) | pageData[7 + (i * 8)])
1352 << (i * 8);
1353 }
1354 if (tag.auth && tag.LKP && sendNum == 1) {
1355 Dbprintf("Page[%2d]: %02X %02X %02X %02X", sendNum, pwdh0,
1356 (tag.pages[sendNum / 4][sendNum % 4] >> 16) & 0xff,
1357 (tag.pages[sendNum / 4][sendNum % 4] >> 8) & 0xff,
1358 tag.pages[sendNum / 4][sendNum % 4] & 0xff);
1359 } else {
1360 Dbprintf("Page[%2d]: %02X %02X %02X %02X", sendNum,
1361 (tag.pages[sendNum / 4][sendNum % 4] >> 24) & 0xff,
1362 (tag.pages[sendNum / 4][sendNum % 4] >> 16) & 0xff,
1363 (tag.pages[sendNum / 4][sendNum % 4] >> 8) & 0xff,
1364 tag.pages[sendNum / 4][sendNum % 4] & 0xff);
1365 }
1366
1367 sendNum++;
1368 //display key and password if possible
1369 if (sendNum == 2 && tag.auth == 1 && tag.LKP) {
1370 if (htf == 02) { //RHTS_KEY
1371 Dbprintf("Page[ 2]: %02X %02X %02X %02X",
1372 (byte_t)(key >> 8) & 0xff,
1373 (byte_t) key & 0xff, pwdl1, pwdl0);
1374 Dbprintf("Page[ 3]: %02X %02X %02X %02X",
1375 (byte_t)(key >> 40) & 0xff,
1376 (byte_t)(key >> 32) & 0xff,
1377 (byte_t)(key >> 24) & 0xff,
1378 (byte_t)(key >> 16) & 0xff);
1379 } else {
1380 //if the authentication is done with a challenge the key and password are unknown
1381 Dbprintf("Page[ 2]: __ __ __ __");
1382 Dbprintf("Page[ 3]: __ __ __ __");
1383 }
1384 }
1385
1386 txlen = 20;
1387 crc = CRC_PRESET;
1388 tx[0] = 0xc0 + (sendNum / 16);
1389 calc_crc(&crc, tx[0], 8);
1390 calc_crc(&crc, 0x00 + ((sendNum % 16) * 16), 4);
1391 tx[1] = 0x00 + ((sendNum % 16) * 16) + (crc / 16);
1392 tx[2] = 0x00 + (crc % 16) * 16;
1393 if (sendNum >= tag.max_page) {
1394 bStop = !false;
1395 }
1396 }
1397
1398 // Send and store the reader command
1399 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1400 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1401
1402 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1403 // Since the clock counts since the last falling edge, a 'one' means that the
1404 // falling edge occured halfway the period. with respect to this falling edge,
1405 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1406 // All timer values are in terms of T0 units
1407
1408 while (AT91C_BASE_TC0->TC_CV
1409 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
1410 ;
1411
1412 // Transmit the reader frame
1413 hitag_reader_send_frame(tx, txlen);
1414
1415 // Enable and reset external trigger in timer for capturing future frames
1416 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1417
1418 // Add transmitted frame to total count
1419 if (txlen > 0) {
1420 frame_count++;
1421 if (!bQuiet) {
1422 // Store the frame in the trace
1423 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
1424 if (bQuitTraceFull) {
1425 DbpString("Trace full");
1426 break;
1427 } else {
1428 bQuiet = true;
1429 }
1430 }
1431 }
1432 }
1433
1434 // Reset values for receiving frames
1435 memset(rx, 0x00, sizeof(rx));
1436 rxlen = 0;
1437 lastbit = 1;
1438 bSkip = true;
1439 tag_sof = reset_sof;
1440 response = 0;
1441
1442 // Receive frame, watch for at most T0*EOF periods
1443 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
1444 // Check if falling edge in tag modulation is detected
1445 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1446 // Retrieve the new timing values
1447 int ra = (AT91C_BASE_TC1->TC_RA / T0);
1448
1449 // Reset timer every frame, we have to capture the last edge for timing
1450 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
1451
1452 LED_B_ON();
1453
1454 // Capture tag frame (manchester decoding using only falling edges)
1455 if (ra >= HITAG_T_EOF) {
1456 if (rxlen != 0) {
1457 //DbpString("wierd1?");
1458 }
1459 // Capture the T0 periods that have passed since last communication or field drop (reset)
1460 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
1461 response = ra - HITAG_T_TAG_HALF_PERIOD;
1462 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
1463 // Manchester coding example |-_|_-|-_| (101)
1464 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1465 rxlen++;
1466 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1467 rxlen++;
1468 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
1469 // Manchester coding example |_-|...|_-|-_| (0...01)
1470 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1471 rxlen++;
1472 // We have to skip this half period at start and add the 'one' the second time
1473 if (!bSkip) {
1474 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1475 rxlen++;
1476 }
1477 lastbit = !lastbit;
1478 bSkip = !bSkip;
1479 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
1480 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
1481 if (tag_sof) {
1482 // Ignore bits that are transmitted during SOF
1483 tag_sof--;
1484 } else {
1485 // bit is same as last bit
1486 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
1487 rxlen++;
1488 }
1489 } else {
1490 // Ignore wierd value, is to small to mean anything
1491 }
1492 }
1493
1494 // We can break this loop if we received the last bit from a frame
1495 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
1496 if (rxlen > 0)
1497 break;
1498 }
1499 }
1500 }
1501 end=false;
1502 LED_B_OFF();
1503 LED_D_OFF();
1504 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1505 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1506 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1507 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1508 }
1509
1510 /*
1511 * Authenticates to the Tag with the given Key or Challenge.
1512 * Writes the given 32Bit data into page_
1513 */
1514 void WritePageHitagS(hitag_function htf, hitag_data* htd,int page_) {
1515 int frame_count;
1516 int response;
1517 byte_t rx[HITAG_FRAME_LEN];
1518 size_t rxlen = 0;
1519 byte_t txbuf[HITAG_FRAME_LEN];
1520 byte_t* tx = txbuf;
1521 size_t txlen = 0;
1522 int lastbit;
1523 bool bSkip;
1524 int reset_sof;
1525 int tag_sof;
1526 int t_wait = HITAG_T_WAIT_MAX;
1527 bool bStop;
1528 bool bQuitTraceFull = false;
1529 int page = page_;
1530 unsigned char crc;
1531 byte_t data[4]= {0,0,0,0};
1532
1533 //read given key/challenge, the page and the data
1534 byte_t NrAr_[8];
1535 uint64_t key=0;
1536 uint64_t NrAr=0;
1537 byte_t key_[6];
1538 switch(htf) {
1539 case 03: { //WHTS_CHALLENGE
1540 memcpy(data,htd->auth.data,4);
1541 DbpString("Authenticating using nr,ar pair:");
1542 memcpy(NrAr_,htd->auth.NrAr,8);
1543 Dbhexdump(8,NrAr_,false);
1544 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1545 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1546 } break;
1547 case 04: { //WHTS_KEY
1548 memcpy(data,htd->crypto.data,4);
1549 DbpString("Authenticating using key:");
1550 memcpy(key_,htd->crypto.key,6);
1551 Dbhexdump(6,key_,false);
1552 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1553 } break;
1554 default: {
1555 Dbprintf("Error , unknown function: %d",htf);
1556 return;
1557 } break;
1558 }
1559
1560 Dbprintf("Page: %d",page_);
1561 Dbprintf("DATA: %02X %02X %02X %02X", data[0], data[1], data[2], data[3]);
1562 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1563 // Reset the return status
1564 bSuccessful = false;
1565
1566 tag.pstate = HT_READY;
1567 tag.tstate = HT_NO_OP;
1568
1569 // Clean up trace and prepare it for storing frames
1570 set_tracing(TRUE);
1571 clear_trace();
1572
1573 bQuiet = false;
1574 bQuitTraceFull = true;
1575
1576 LED_D_ON();
1577
1578 // Configure output and enable pin that is connected to the FPGA (for modulating)
1579 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1580 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1581
1582 // Set fpga in edge detect with reader field, we can modulate as reader now
1583 FpgaWriteConfWord(
1584 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1585
1586 // Set Frequency divisor which will drive the FPGA and analog mux selection
1587 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1588 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1589 RELAY_OFF();
1590
1591 // Disable modulation at default, which means enable the field
1592 LOW(GPIO_SSC_DOUT);
1593
1594 // Give it a bit of time for the resonant antenna to settle.
1595 SpinDelay(30);
1596
1597 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1598 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1599
1600 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1601 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1602 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1603
1604 // Disable timer during configuration
1605 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1606
1607 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1608 // external trigger rising edge, load RA on falling edge of TIOA.
1609 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1610 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG
1611 | AT91C_TC_LDRA_FALLING;
1612
1613 // Enable and reset counters
1614 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1615 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1616
1617 // Reset the received frame, frame count and timing info
1618 frame_count = 0;
1619 response = 0;
1620 lastbit = 1;
1621 bStop = false;
1622
1623 reset_sof = 1;
1624 t_wait = 200;
1625
1626 while (!bStop && !BUTTON_PRESS()) {
1627 // Watchdog hit
1628 WDT_HIT();
1629
1630 // Check if frame was captured and store it
1631 if (rxlen > 0) {
1632 frame_count++;
1633 if (!bQuiet) {
1634 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1635 DbpString("Trace full");
1636 if (bQuitTraceFull) {
1637 break;
1638 } else {
1639 bQuiet = true;
1640 }
1641 }
1642 }
1643 }
1644
1645 //check for valid input
1646 if (page == 0) {
1647 Dbprintf(
1648 "usage: lf hitag writer [03 | 04] [CHALLENGE | KEY] [page] [byte0] [byte1] [byte2] [byte3]");
1649 bStop = !false;
1650 }
1651
1652 // By default reset the transmission buffer
1653 tx = txbuf;
1654 txlen = 0;
1655
1656 if (rxlen == 0 && tag.tstate == HT_WRITING_PAGE_ACK) {
1657 //no write access on this page
1658 Dbprintf("no write access on page %d", page_);
1659 bStop = !false;
1660 } else if (rxlen == 0 && tag.tstate != HT_WRITING_PAGE_DATA) {
1661 //start the authetication
1662 txlen = 5;
1663 memcpy(tx, "\xc0", nbytes(txlen));
1664 tag.pstate = HT_READY;
1665 tag.tstate = HT_NO_OP;
1666 } else if (tag.pstate != HT_SELECTED) {
1667 //try to authenticate with the given key or challenge
1668 if (hitagS_handle_tag_auth(htf,key,NrAr,rx, rxlen, tx, &txlen) == -1)
1669 bStop = !false;
1670 }
1671 if (tag.pstate == HT_SELECTED && tag.tstate == HT_NO_OP && rxlen > 0) {
1672 //check if the given page exists
1673 if (page > tag.max_page) {
1674 Dbprintf("page number too big");
1675 bStop = !false;
1676 }
1677 //ask Tag for write permission
1678 tag.tstate = HT_WRITING_PAGE_ACK;
1679 txlen = 20;
1680 crc = CRC_PRESET;
1681 tx[0] = 0x90 + (page / 16);
1682 calc_crc(&crc, tx[0], 8);
1683 calc_crc(&crc, 0x00 + ((page % 16) * 16), 4);
1684 tx[1] = 0x00 + ((page % 16) * 16) + (crc / 16);
1685 tx[2] = 0x00 + (crc % 16) * 16;
1686 } else if (tag.pstate == HT_SELECTED && tag.tstate == HT_WRITING_PAGE_ACK
1687 && rxlen == 6 && rx[0] == 0xf4) {
1688 //ACK recieved to write the page. send data
1689 tag.tstate = HT_WRITING_PAGE_DATA;
1690 txlen = 40;
1691 crc = CRC_PRESET;
1692 calc_crc(&crc, data[3], 8);
1693 calc_crc(&crc, data[2], 8);
1694 calc_crc(&crc, data[1], 8);
1695 calc_crc(&crc, data[0], 8);
1696 tx[0] = data[3];
1697 tx[1] = data[2];
1698 tx[2] = data[1];
1699 tx[3] = data[0];
1700 tx[4] = crc;
1701 } else if (tag.pstate == HT_SELECTED && tag.tstate == HT_WRITING_PAGE_DATA
1702 && rxlen == 6 && rx[0] == 0xf4) {
1703 //received ACK
1704 Dbprintf("Successful!");
1705 bStop = !false;
1706 }
1707
1708 // Send and store the reader command
1709 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1710 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1711
1712 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1713 // Since the clock counts since the last falling edge, a 'one' means that the
1714 // falling edge occured halfway the period. with respect to this falling edge,
1715 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1716 // All timer values are in terms of T0 units
1717
1718 while (AT91C_BASE_TC0->TC_CV
1719 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
1720 ;
1721
1722 // Transmit the reader frame
1723 hitag_reader_send_frame(tx, txlen);
1724
1725 // Enable and reset external trigger in timer for capturing future frames
1726 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1727
1728 // Add transmitted frame to total count
1729 if (txlen > 0) {
1730 frame_count++;
1731 if (!bQuiet) {
1732 // Store the frame in the trace
1733 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
1734 if (bQuitTraceFull) {
1735 DbpString("Trace full");
1736 break;
1737 } else {
1738 bQuiet = true;
1739 }
1740 }
1741 }
1742 }
1743
1744 // Reset values for receiving frames
1745 memset(rx, 0x00, sizeof(rx));
1746 rxlen = 0;
1747 lastbit = 1;
1748 bSkip = true;
1749 tag_sof = reset_sof;
1750 response = 0;
1751
1752 // Receive frame, watch for at most T0*EOF periods
1753 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
1754 // Check if falling edge in tag modulation is detected
1755 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1756 // Retrieve the new timing values
1757 int ra = (AT91C_BASE_TC1->TC_RA / T0);
1758
1759 // Reset timer every frame, we have to capture the last edge for timing
1760 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
1761
1762 LED_B_ON();
1763
1764 // Capture tag frame (manchester decoding using only falling edges)
1765 if (ra >= HITAG_T_EOF) {
1766 if (rxlen != 0) {
1767 //DbpString("wierd1?");
1768 }
1769 // Capture the T0 periods that have passed since last communication or field drop (reset)
1770 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
1771 response = ra - HITAG_T_TAG_HALF_PERIOD;
1772 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
1773 // Manchester coding example |-_|_-|-_| (101)
1774 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1775 rxlen++;
1776 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1777 rxlen++;
1778 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
1779 // Manchester coding example |_-|...|_-|-_| (0...01)
1780 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1781 rxlen++;
1782 // We have to skip this half period at start and add the 'one' the second time
1783 if (!bSkip) {
1784 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1785 rxlen++;
1786 }
1787 lastbit = !lastbit;
1788 bSkip = !bSkip;
1789 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
1790 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
1791 if (tag_sof) {
1792 // Ignore bits that are transmitted during SOF
1793 tag_sof--;
1794 } else {
1795 // bit is same as last bit
1796 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
1797 rxlen++;
1798 }
1799 } else {
1800 // Ignore wierd value, is to small to mean anything
1801 }
1802 }
1803
1804 // We can break this loop if we received the last bit from a frame
1805 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
1806 if (rxlen > 0)
1807 break;
1808 }
1809 }
1810 }
1811 end=false;
1812 LED_B_OFF();
1813 LED_D_OFF();
1814 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1815 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1816 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1817 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1818 }
1819
1820 /*
1821 * Tries to authenticate to a Hitag S Transponder with the given challenges from a .cc file.
1822 * Displays all Challenges that failed.
1823 * When collecting Challenges to break the key it is possible that some data
1824 * is not received correctly due to Antenna problems. This function
1825 * detects these challenges.
1826 */
1827 void check_challenges(bool file_given, byte_t* data) {
1828 int i, j, z, k;
1829 byte_t uid_byte[4];
1830 int frame_count;
1831 int response;
1832 byte_t rx[HITAG_FRAME_LEN];
1833 byte_t unlocker[60][8];
1834 int u1 = 0;
1835 size_t rxlen = 0;
1836 byte_t txbuf[HITAG_FRAME_LEN];
1837 byte_t* tx = txbuf;
1838 size_t txlen = 0;
1839 int lastbit;
1840 bool bSkip;
1841 int reset_sof;
1842 int tag_sof;
1843 int t_wait = HITAG_T_WAIT_MAX;
1844 int STATE = 0;
1845 bool bStop;
1846 bool bQuitTraceFull = false;
1847 int response_bit[200];
1848 unsigned char mask = 1;
1849 unsigned char uid[32];
1850 unsigned char crc;
1851
1852 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1853 // Reset the return status
1854 bSuccessful = false;
1855
1856 // Clean up trace and prepare it for storing frames
1857 set_tracing(TRUE);
1858 clear_trace();
1859
1860 bQuiet = false;
1861 bQuitTraceFull = true;
1862
1863 LED_D_ON();
1864
1865 // Configure output and enable pin that is connected to the FPGA (for modulating)
1866 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1867 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1868
1869 // Set fpga in edge detect with reader field, we can modulate as reader now
1870 FpgaWriteConfWord(
1871 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1872
1873 // Set Frequency divisor which will drive the FPGA and analog mux selection
1874 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1875 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1876 RELAY_OFF();
1877
1878 // Disable modulation at default, which means enable the field
1879 LOW(GPIO_SSC_DOUT);
1880
1881 // Give it a bit of time for the resonant antenna to settle.
1882 SpinDelay(30);
1883
1884 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1885 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1886
1887 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1888 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1889 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1890
1891 // Disable timer during configuration
1892 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1893
1894 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1895 // external trigger rising edge, load RA on falling edge of TIOA.
1896 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1897
1898 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
1899
1900 // Enable and reset counters
1901 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1902 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1903
1904 // Reset the received frame, frame count and timing info
1905 frame_count = 0;
1906 response = 0;
1907 lastbit = 1;
1908 bStop = false;
1909
1910 reset_sof = 1;
1911 t_wait = 200;
1912
1913 if (file_given) {
1914 DbpString("Loading challenges...");
1915 memcpy((byte_t*)unlocker,data,60*8);
1916 }
1917
1918 while (file_given && !bStop && !BUTTON_PRESS()) {
1919 // Watchdog hit
1920 WDT_HIT();
1921
1922 // Check if frame was captured and store it
1923 if (rxlen > 0) {
1924 frame_count++;
1925 if (!bQuiet) {
1926 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1927 DbpString("Trace full");
1928 if (bQuitTraceFull) {
1929 break;
1930 } else {
1931 bQuiet = true;
1932 }
1933 }
1934 }
1935 }
1936
1937 tx = txbuf;
1938 txlen = 0;
1939 if (rxlen == 0) {
1940 if (STATE == 2)
1941 // challenge failed
1942 Dbprintf("Challenge failed: %02X %02X %02X %02X %02X %02X %02X %02X",
1943 unlocker[u1 - 1][0], unlocker[u1 - 1][1],
1944 unlocker[u1 - 1][2], unlocker[u1 - 1][3],
1945 unlocker[u1 - 1][4], unlocker[u1 - 1][5],
1946 unlocker[u1 - 1][6], unlocker[u1 - 1][7]);
1947 STATE = 0;
1948 txlen = 5;
1949 //start new authentication
1950 memcpy(tx, "\xc0", nbytes(txlen));
1951 } else if (rxlen >= 67 && STATE == 0) {
1952 //received uid
1953 z = 0;
1954 for (i = 0; i < 10; i++) {
1955 for (j = 0; j < 8; j++) {
1956 response_bit[z] = 0;
1957 if ((rx[i] & ((mask << 7) >> j)) != 0)
1958 response_bit[z] = 1;
1959 z++;
1960 }
1961 }
1962 k = 0;
1963 for (i = 5; i < z; i += 2) {
1964 uid[k] = response_bit[i];
1965 k++;
1966 if (k > 31)
1967 break;
1968 }
1969 uid_byte[0] = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5)
1970 | (uid[3] << 4) | (uid[4] << 3) | (uid[5] << 2)
1971 | (uid[6] << 1) | uid[7];
1972 uid_byte[1] = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5)
1973 | (uid[11] << 4) | (uid[12] << 3) | (uid[13] << 2)
1974 | (uid[14] << 1) | uid[15];
1975 uid_byte[2] = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5)
1976 | (uid[19] << 4) | (uid[20] << 3) | (uid[21] << 2)
1977 | (uid[22] << 1) | uid[23];
1978 uid_byte[3] = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5)
1979 | (uid[27] << 4) | (uid[28] << 3) | (uid[29] << 2)
1980 | (uid[30] << 1) | uid[31];
1981 //Dbhexdump(10, rx, rxlen);
1982 STATE = 1;
1983 txlen = 45;
1984 crc = CRC_PRESET;
1985 calc_crc(&crc, 0x00, 5);
1986 calc_crc(&crc, uid_byte[0], 8);
1987 calc_crc(&crc, uid_byte[1], 8);
1988 calc_crc(&crc, uid_byte[2], 8);
1989 calc_crc(&crc, uid_byte[3], 8);
1990 for (i = 0; i < 100; i++) {
1991 response_bit[i] = 0;
1992 }
1993 for (i = 0; i < 5; i++) {
1994 response_bit[i] = 0;
1995 }
1996 for (i = 5; i < 37; i++) {
1997 response_bit[i] = uid[i - 5];
1998 }
1999 for (j = 0; j < 8; j++) {
2000 response_bit[i] = 0;
2001 if ((crc & ((mask << 7) >> j)) != 0)
2002 response_bit[i] = 1;
2003 i++;
2004 }
2005 k = 0;
2006 for (i = 0; i < 6; i++) {
2007 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
2008 | (response_bit[k + 2] << 5)
2009 | (response_bit[k + 3] << 4)
2010 | (response_bit[k + 4] << 3)
2011 | (response_bit[k + 5] << 2)
2012 | (response_bit[k + 6] << 1) | response_bit[k + 7];
2013 k += 8;
2014 }
2015
2016 } else if (STATE == 1 && rxlen == 44) {
2017 //received configuration
2018 STATE = 2;
2019 z = 0;
2020 for (i = 0; i < 6; i++) {
2021 for (j = 0; j < 8; j++) {
2022 response_bit[z] = 0;
2023 if ((rx[i] & ((mask << 7) >> j)) != 0)
2024 response_bit[z] = 1;
2025 z++;
2026 }
2027 }
2028 txlen = 64;
2029
2030 if (u1 >= (sizeof(unlocker) / sizeof(unlocker[0])))
2031 bStop = !false;
2032 for (i = 0; i < 8; i++)
2033 tx[i] = unlocker[u1][i];
2034 u1++;
2035
2036 } else if (STATE == 2 && rxlen >= 44) {
2037 STATE = 0;
2038 }
2039
2040 // Send and store the reader command
2041 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2042 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2043
2044 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2045 // Since the clock counts since the last falling edge, a 'one' means that the
2046 // falling edge occured halfway the period. with respect to this falling edge,
2047 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2048 // All timer values are in terms of T0 units
2049
2050 while (AT91C_BASE_TC0->TC_CV
2051 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
2052 ;
2053
2054 // Transmit the reader frame
2055 hitag_reader_send_frame(tx, txlen);
2056
2057 // Enable and reset external trigger in timer for capturing future frames
2058 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2059
2060 // Add transmitted frame to total count
2061 if (txlen > 0) {
2062 frame_count++;
2063 if (!bQuiet) {
2064 // Store the frame in the trace
2065 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
2066 if (bQuitTraceFull) {
2067 DbpString("Trace full");
2068 break;
2069 } else {
2070 bQuiet = true;
2071 }
2072 }
2073 }
2074 }
2075
2076 // Reset values for receiving frames
2077 memset(rx, 0x00, sizeof(rx));
2078 rxlen = 0;
2079 lastbit = 1;
2080 bSkip = true;
2081 tag_sof = reset_sof;
2082 response = 0;
2083
2084 // Receive frame, watch for at most T0*EOF periods
2085 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
2086 // Check if falling edge in tag modulation is detected
2087 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
2088 // Retrieve the new timing values
2089 int ra = (AT91C_BASE_TC1->TC_RA / T0);
2090
2091 // Reset timer every frame, we have to capture the last edge for timing
2092 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
2093
2094 LED_B_ON();
2095
2096 // Capture tag frame (manchester decoding using only falling edges)
2097 if (ra >= HITAG_T_EOF) {
2098 if (rxlen != 0) {
2099 //DbpString("wierd1?");
2100 }
2101 // Capture the T0 periods that have passed since last communication or field drop (reset)
2102 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
2103 response = ra - HITAG_T_TAG_HALF_PERIOD;
2104 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
2105 // Manchester coding example |-_|_-|-_| (101)
2106 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
2107 rxlen++;
2108 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
2109 rxlen++;
2110 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
2111 // Manchester coding example |_-|...|_-|-_| (0...01)
2112 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
2113 rxlen++;
2114 // We have to skip this half period at start and add the 'one' the second time
2115 if (!bSkip) {
2116 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
2117 rxlen++;
2118 }
2119 lastbit = !lastbit;
2120 bSkip = !bSkip;
2121 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
2122 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
2123 if (tag_sof) {
2124 // Ignore bits that are transmitted during SOF
2125 tag_sof--;
2126 } else {
2127 // bit is same as last bit
2128 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
2129 rxlen++;
2130 }
2131 } else {
2132 // Ignore wierd value, is to small to mean anything
2133 }
2134 }
2135
2136 // We can break this loop if we received the last bit from a frame
2137 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
2138 if (rxlen > 0)
2139 break;
2140 }
2141 }
2142 }
2143 LED_B_OFF();
2144 LED_D_OFF();
2145 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2146 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2147 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2148 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
2149 }
2150
2151
2152
Proxmark3 GIT tracking
Impressum, Datenschutz