]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/appmain.c
projects / proxmark3-svn / blob
? search:


c5c17867d708df5306739389327af9aad08cdfc2
[proxmark3-svn] / armsrc / appmain.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, Mar 2006
3 // Edits by Gerhard de Koning Gans, Sep 2007 (##)
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // The main application code. This is the first thing called after start.c
10 // executes.
11 //-----------------------------------------------------------------------------
12
13 #include <stdarg.h>
14
15 #include "usb_cdc.h"
16 #include "cmd.h"
17 #include "proxmark3.h"
18 #include "apps.h"
19 #include "fpga.h"
20 #include "util.h"
21 #include "printf.h"
22 #include "string.h"
23 #include "legicrf.h"
24 #include "legicrfsim.h"
25 #include "hitag2.h"
26 #include "hitagS.h"
27 #include "lfsampling.h"
28 #include "BigBuf.h"
29 #include "mifareutil.h"
30 #include "pcf7931.h"
31 #include "i2c.h"
32 #ifdef WITH_LCD
33 #include "LCD.h"
34 #endif
35
36
37 // Craig Young - 14a stand-alone code
38 #ifdef WITH_ISO14443a
39 #include "iso14443a.h"
40 #endif
41
42 //=============================================================================
43 // A buffer where we can queue things up to be sent through the FPGA, for
44 // any purpose (fake tag, as reader, whatever). We go MSB first, since that
45 // is the order in which they go out on the wire.
46 //=============================================================================
47
48 #define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
49 uint8_t ToSend[TOSEND_BUFFER_SIZE];
50 int ToSendMax;
51 static int ToSendBit;
52 struct common_area common_area __attribute__((section(".commonarea")));
53
54 void ToSendReset(void)
55 {
56 ToSendMax = -1;
57 ToSendBit = 8;
58 }
59
60 void ToSendStuffBit(int b)
61 {
62 if(ToSendBit >= 8) {
63 ToSendMax++;
64 ToSend[ToSendMax] = 0;
65 ToSendBit = 0;
66 }
67
68 if(b) {
69 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
70 }
71
72 ToSendBit++;
73
74 if(ToSendMax >= sizeof(ToSend)) {
75 ToSendBit = 0;
76 DbpString("ToSendStuffBit overflowed!");
77 }
78 }
79
80 //=============================================================================
81 // Debug print functions, to go out over USB, to the usual PC-side client.
82 //=============================================================================
83
84 void DbpString(char *str)
85 {
86 byte_t len = strlen(str);
87 cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len);
88 }
89
90 #if 0
91 void DbpIntegers(int x1, int x2, int x3)
92 {
93 cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
94 }
95 #endif
96
97 void Dbprintf(const char *fmt, ...) {
98 // should probably limit size here; oh well, let's just use a big buffer
99 char output_string[128];
100 va_list ap;
101
102 va_start(ap, fmt);
103 kvsprintf(fmt, output_string, 10, ap);
104 va_end(ap);
105
106 DbpString(output_string);
107 }
108
109 // prints HEX & ASCII
110 void Dbhexdump(int len, uint8_t *d, bool bAsci) {
111 int l=0,i;
112 char ascii[9];
113
114 while (len>0) {
115 if (len>8) l=8;
116 else l=len;
117
118 memcpy(ascii,d,l);
119 ascii[l]=0;
120
121 // filter safe ascii
122 for (i=0;i<l;i++)
123 if (ascii[i]<32 || ascii[i]>126) ascii[i]='.';
124
125 if (bAsci) {
126 Dbprintf("%-8s %*D",ascii,l,d," ");
127 } else {
128 Dbprintf("%*D",l,d," ");
129 }
130
131 len-=8;
132 d+=8;
133 }
134 }
135
136 //-----------------------------------------------------------------------------
137 // Read an ADC channel and block till it completes, then return the result
138 // in ADC units (0 to 1023). Also a routine to average 32 samples and
139 // return that.
140 //-----------------------------------------------------------------------------
141 static int ReadAdc(int ch)
142 {
143 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
144 // AMPL_HI is a high impedance (10MOhm || 1MOhm) output, the input capacitance of the ADC is 12pF (typical). This results in a time constant
145 // of RC = (0.91MOhm) * 12pF = 10.9us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
146 //
147 // The maths are:
148 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
149 //
150 // v_cap = v_in * (1 - exp(-SHTIM/RC)) = v_in * (1 - exp(-40us/10.9us)) = v_in * 0,97 (i.e. an error of 3%)
151
152 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
153 AT91C_BASE_ADC->ADC_MR =
154 ADC_MODE_PRESCALE(63) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
155 ADC_MODE_STARTUP_TIME(1) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
156 ADC_MODE_SAMPLE_HOLD_TIME(15); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
157
158 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
159 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
160
161 while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch))) {};
162
163 return AT91C_BASE_ADC->ADC_CDR[ch] & 0x3ff;
164 }
165
166 int AvgAdc(int ch) // was static - merlok
167 {
168 int i;
169 int a = 0;
170
171 for(i = 0; i < 32; i++) {
172 a += ReadAdc(ch);
173 }
174
175 return (a + 15) >> 5;
176 }
177
178 static int AvgAdc_Voltage_HF(void)
179 {
180 int AvgAdc_Voltage_Low, AvgAdc_Voltage_High;
181
182 AvgAdc_Voltage_Low= (MAX_ADC_HF_VOLTAGE_LOW * AvgAdc(ADC_CHAN_HF_LOW)) >> 10;
183 // if voltage range is about to be exceeded, use high voltage ADC channel if available (RDV40 only)
184 if (AvgAdc_Voltage_Low > MAX_ADC_HF_VOLTAGE_LOW - 300) {
185 AvgAdc_Voltage_High = (MAX_ADC_HF_VOLTAGE_HIGH * AvgAdc(ADC_CHAN_HF_HIGH)) >> 10;
186 if (AvgAdc_Voltage_High >= AvgAdc_Voltage_Low) {
187 return AvgAdc_Voltage_High;
188 }
189 }
190 return AvgAdc_Voltage_Low;
191 }
192
193 static int AvgAdc_Voltage_LF(void)
194 {
195 return (MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10;
196 }
197
198 void MeasureAntennaTuningLfOnly(int *vLf125, int *vLf134, int *peakf, int *peakv, uint8_t LF_Results[])
199 {
200 int i, adcval = 0, peak = 0;
201
202 /*
203 * Sweeps the useful LF range of the proxmark from
204 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
205 * read the voltage in the antenna, the result left
206 * in the buffer is a graph which should clearly show
207 * the resonating frequency of your LF antenna
208 * ( hopefully around 95 if it is tuned to 125kHz!)
209 */
210
211 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
212 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
213 SpinDelay(50);
214
215 for (i=255; i>=19; i--) {
216 WDT_HIT();
217 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
218 SpinDelay(20);
219 adcval = AvgAdc_Voltage_LF();
220 if (i==95) *vLf125 = adcval; // voltage at 125Khz
221 if (i==89) *vLf134 = adcval; // voltage at 134Khz
222
223 LF_Results[i] = adcval >> 9; // scale int to fit in byte for graphing purposes
224 if(LF_Results[i] > peak) {
225 *peakv = adcval;
226 peak = LF_Results[i];
227 *peakf = i;
228 //ptr = i;
229 }
230 }
231
232 for (i=18; i >= 0; i--) LF_Results[i] = 0;
233
234 return;
235 }
236
237 void MeasureAntennaTuningHfOnly(int *vHf)
238 {
239 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
240 LED_A_ON();
241 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
242 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
243 SpinDelay(20);
244 *vHf = AvgAdc_Voltage_HF();
245 LED_A_OFF();
246 return;
247 }
248
249 void MeasureAntennaTuning(int mode)
250 {
251 uint8_t LF_Results[256] = {0};
252 int peakv = 0, peakf = 0;
253 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
254
255 LED_B_ON();
256
257 if (((mode & FLAG_TUNE_ALL) == FLAG_TUNE_ALL) && (FpgaGetCurrent() == FPGA_BITSTREAM_HF)) {
258 // Reverse "standard" order if HF already loaded, to avoid unnecessary swap.
259 MeasureAntennaTuningHfOnly(&vHf);
260 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
261 } else {
262 if (mode & FLAG_TUNE_LF) {
263 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
264 }
265 if (mode & FLAG_TUNE_HF) {
266 MeasureAntennaTuningHfOnly(&vHf);
267 }
268 }
269
270 cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125>>1 | (vLf134>>1<<16), vHf, peakf | (peakv>>1<<16), LF_Results, 256);
271 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
272 LED_B_OFF();
273 return;
274 }
275
276 void MeasureAntennaTuningHf(void)
277 {
278 int vHf = 0; // in mV
279
280 DbpString("Measuring HF antenna, press button to exit");
281
282 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
283 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
284 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
285
286 for (;;) {
287 SpinDelay(500);
288 vHf = AvgAdc_Voltage_HF();
289
290 Dbprintf("%d mV",vHf);
291 if (BUTTON_PRESS()) break;
292 }
293 DbpString("cancelled");
294
295 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
296
297 }
298
299
300 void ReadMem(int addr)
301 {
302 const uint8_t *data = ((uint8_t *)addr);
303
304 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
305 addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
306 }
307
308 /* osimage version information is linked in */
309 extern struct version_information version_information;
310 /* bootrom version information is pointed to from _bootphase1_version_pointer */
311 extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
312
313
314 void SendVersion(void)
315 {
316 char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
317 char VersionString[USB_CMD_DATA_SIZE] = { '\0' };
318
319 /* Try to find the bootrom version information. Expect to find a pointer at
320 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
321 * pointer, then use it.
322 */
323 char *bootrom_version = *(char**)&_bootphase1_version_pointer;
324 if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
325 strcat(VersionString, "bootrom version information appears invalid\n");
326 } else {
327 FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
328 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
329 }
330
331 FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
332 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
333
334 for (int i = 0; i < fpga_bitstream_num; i++) {
335 strncat(VersionString, fpga_version_information[i], sizeof(VersionString) - strlen(VersionString) - 1);
336 strncat(VersionString, "\n", sizeof(VersionString) - strlen(VersionString) - 1);
337 }
338
339 // test availability of SmartCard slot
340 if (I2C_is_available()) {
341 strncat(VersionString, "SmartCard Slot: available\n", sizeof(VersionString) - strlen(VersionString) - 1);
342 } else {
343 strncat(VersionString, "SmartCard Slot: not available\n", sizeof(VersionString) - strlen(VersionString) - 1);
344 }
345
346 // Send Chip ID and used flash memory
347 uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
348 uint32_t compressed_data_section_size = common_area.arg1;
349 cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, 0, VersionString, strlen(VersionString));
350 }
351
352 // measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
353 // Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
354 void printUSBSpeed(void)
355 {
356 Dbprintf("USB Speed:");
357 Dbprintf(" Sending USB packets to client...");
358
359 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
360 uint8_t *test_data = BigBuf_get_addr();
361 uint32_t end_time;
362
363 uint32_t start_time = end_time = GetTickCount();
364 uint32_t bytes_transferred = 0;
365
366 LED_B_ON();
367 while(end_time < start_time + USB_SPEED_TEST_MIN_TIME) {
368 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE);
369 end_time = GetTickCount();
370 bytes_transferred += USB_CMD_DATA_SIZE;
371 }
372 LED_B_OFF();
373
374 Dbprintf(" Time elapsed: %dms", end_time - start_time);
375 Dbprintf(" Bytes transferred: %d", bytes_transferred);
376 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
377 1000 * bytes_transferred / (end_time - start_time));
378
379 }
380
381 /**
382 * Prints runtime information about the PM3.
383 **/
384 void SendStatus(void)
385 {
386 BigBuf_print_status();
387 Fpga_print_status();
388 #ifdef WITH_SMARTCARD
389 I2C_print_status();
390 #endif
391 printConfig(); //LF Sampling config
392 printUSBSpeed();
393 Dbprintf("Various");
394 Dbprintf(" MF_DBGLEVEL........%d", MF_DBGLEVEL);
395 Dbprintf(" ToSendMax..........%d", ToSendMax);
396 Dbprintf(" ToSendBit..........%d", ToSendBit);
397
398 cmd_send(CMD_ACK,1,0,0,0,0);
399 }
400
401 #if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF_StandAlone)
402
403 #define OPTS 2
404
405 void StandAloneMode()
406 {
407 DbpString("Stand-alone mode! No PC necessary.");
408 // Oooh pretty -- notify user we're in elite samy mode now
409 LED(LED_RED, 200);
410 LED(LED_ORANGE, 200);
411 LED(LED_GREEN, 200);
412 LED(LED_ORANGE, 200);
413 LED(LED_RED, 200);
414 LED(LED_ORANGE, 200);
415 LED(LED_GREEN, 200);
416 LED(LED_ORANGE, 200);
417 LED(LED_RED, 200);
418
419 }
420
421 #endif
422
423
424
425 #ifdef WITH_ISO14443a_StandAlone
426 void StandAloneMode14a()
427 {
428 StandAloneMode();
429 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
430
431 int selected = 0;
432 bool playing = false, GotoRecord = false, GotoClone = false;
433 bool cardRead[OPTS] = {false};
434 uint8_t readUID[10] = {0};
435 uint32_t uid_1st[OPTS]={0};
436 uint32_t uid_2nd[OPTS]={0};
437 uint32_t uid_tmp1 = 0;
438 uint32_t uid_tmp2 = 0;
439 iso14a_card_select_t hi14a_card[OPTS];
440
441 LED(selected + 1, 0);
442
443 for (;;)
444 {
445 usb_poll();
446 WDT_HIT();
447 SpinDelay(300);
448
449 if (GotoRecord || !cardRead[selected])
450 {
451 GotoRecord = false;
452 LEDsoff();
453 LED(selected + 1, 0);
454 LED(LED_RED2, 0);
455
456 // record
457 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected);
458 /* need this delay to prevent catching some weird data */
459 SpinDelay(500);
460 /* Code for reading from 14a tag */
461 uint8_t uid[10] ={0};
462 uint32_t cuid;
463 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
464
465 for ( ; ; )
466 {
467 WDT_HIT();
468 if (BUTTON_PRESS()) {
469 if (cardRead[selected]) {
470 Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
471 break;
472 }
473 else if (cardRead[(selected+1)%OPTS]) {
474 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS);
475 selected = (selected+1)%OPTS;
476 break;
477 }
478 else {
479 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
480 SpinDelay(300);
481 }
482 }
483 if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid, true, 0, true))
484 continue;
485 else
486 {
487 Dbprintf("Read UID:"); Dbhexdump(10,uid,0);
488 memcpy(readUID,uid,10*sizeof(uint8_t));
489 uint8_t *dst = (uint8_t *)&uid_tmp1;
490 // Set UID byte order
491 for (int i=0; i<4; i++)
492 dst[i] = uid[3-i];
493 dst = (uint8_t *)&uid_tmp2;
494 for (int i=0; i<4; i++)
495 dst[i] = uid[7-i];
496 if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) {
497 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
498 }
499 else {
500 if (uid_tmp2) {
501 Dbprintf("Bank[%d] received a 7-byte UID",selected);
502 uid_1st[selected] = (uid_tmp1)>>8;
503 uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8);
504 }
505 else {
506 Dbprintf("Bank[%d] received a 4-byte UID",selected);
507 uid_1st[selected] = uid_tmp1;
508 uid_2nd[selected] = uid_tmp2;
509 }
510 break;
511 }
512 }
513 }
514 Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]);
515 Dbprintf("SAK = %02X",hi14a_card[selected].sak);
516 LEDsoff();
517 LED(LED_GREEN, 200);
518 LED(LED_ORANGE, 200);
519 LED(LED_GREEN, 200);
520 LED(LED_ORANGE, 200);
521
522 LEDsoff();
523 LED(selected + 1, 0);
524
525 // Next state is replay:
526 playing = true;
527
528 cardRead[selected] = true;
529 }
530 /* MF Classic UID clone */
531 else if (GotoClone)
532 {
533 GotoClone=false;
534 LEDsoff();
535 LED(selected + 1, 0);
536 LED(LED_ORANGE, 250);
537
538
539 // record
540 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]);
541
542 // wait for button to be released
543 while(BUTTON_PRESS())
544 {
545 // Delay cloning until card is in place
546 WDT_HIT();
547 }
548 Dbprintf("Starting clone. [Bank: %u]", selected);
549 // need this delay to prevent catching some weird data
550 SpinDelay(500);
551 // Begin clone function here:
552 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
553 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}};
554 memcpy(c.d.asBytes, data, 16);
555 SendCommand(&c);
556
557 Block read is similar:
558 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}};
559 We need to imitate that call with blockNo 0 to set a uid.
560
561 The get and set commands are handled in this file:
562 // Work with "magic Chinese" card
563 case CMD_MIFARE_CSETBLOCK:
564 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
565 break;
566 case CMD_MIFARE_CGETBLOCK:
567 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
568 break;
569
570 mfCSetUID provides example logic for UID set workflow:
571 -Read block0 from card in field with MifareCGetBlock()
572 -Configure new values without replacing reserved bytes
573 memcpy(block0, uid, 4); // Copy UID bytes from byte array
574 // Mifare UID BCC
575 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
576 Bytes 5-7 are reserved SAK and ATQA for mifare classic
577 -Use mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER) to write it
578 */
579 uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0};
580 // arg0 = Flags == CSETBLOCK_SINGLE_OPER=0x1F, arg1=returnSlot, arg2=blockNo
581 MifareCGetBlock(0x3F, 1, 0, oldBlock0);
582 if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
583 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
584 playing = true;
585 }
586 else {
587 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]);
588 memcpy(newBlock0,oldBlock0,16);
589 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
590
591 newBlock0[0] = uid_1st[selected]>>24;
592 newBlock0[1] = 0xFF & (uid_1st[selected]>>16);
593 newBlock0[2] = 0xFF & (uid_1st[selected]>>8);
594 newBlock0[3] = 0xFF & (uid_1st[selected]);
595 newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3];
596 // arg0 = needWipe, arg1 = workFlags, arg2 = blockNo, datain
597 MifareCSetBlock(0, 0xFF,0, newBlock0);
598 MifareCGetBlock(0x3F, 1, 0, testBlock0);
599 if (memcmp(testBlock0,newBlock0,16)==0)
600 {
601 DbpString("Cloned successfull!");
602 cardRead[selected] = false; // Only if the card was cloned successfully should we clear it
603 playing = false;
604 GotoRecord = true;
605 selected = (selected+1) % OPTS;
606 }
607 else {
608 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
609 playing = true;
610 }
611 }
612 LEDsoff();
613 LED(selected + 1, 0);
614
615 }
616 // Change where to record (or begin playing)
617 else if (playing) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
618 {
619 LEDsoff();
620 LED(selected + 1, 0);
621
622 // Begin transmitting
623 LED(LED_GREEN, 0);
624 DbpString("Playing");
625 for ( ; ; ) {
626 WDT_HIT();
627 int button_action = BUTTON_HELD(1000);
628 if (button_action == 0) { // No button action, proceed with sim
629 uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break
630 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected);
631 if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) {
632 DbpString("Mifare Classic");
633 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data); // Mifare Classic
634 }
635 else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) {
636 DbpString("Mifare Ultralight");
637 SimulateIso14443aTag(2,uid_1st[selected],uid_2nd[selected],data); // Mifare Ultralight
638 }
639 else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) {
640 DbpString("Mifare DESFire");
641 SimulateIso14443aTag(3,uid_1st[selected],uid_2nd[selected],data); // Mifare DESFire
642 }
643 else {
644 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
645 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data);
646 }
647 }
648 else if (button_action == BUTTON_SINGLE_CLICK) {
649 selected = (selected + 1) % OPTS;
650 Dbprintf("Done playing. Switching to record mode on bank %d",selected);
651 GotoRecord = true;
652 break;
653 }
654 else if (button_action == BUTTON_HOLD) {
655 Dbprintf("Playtime over. Begin cloning...");
656 GotoClone = true;
657 break;
658 }
659 WDT_HIT();
660 }
661
662 /* We pressed a button so ignore it here with a delay */
663 SpinDelay(300);
664 LEDsoff();
665 LED(selected + 1, 0);
666 }
667 }
668 }
669 #elif WITH_LF_StandAlone
670 // samy's sniff and repeat routine
671 void SamyRun()
672 {
673 StandAloneMode();
674 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
675
676 int tops[OPTS], high[OPTS], low[OPTS];
677 int selected = 0;
678 int playing = 0;
679 int cardRead = 0;
680
681 // Turn on selected LED
682 LED(selected + 1, 0);
683
684 for (;;)
685 {
686 usb_poll();
687 WDT_HIT();
688
689 // Was our button held down or pressed?
690 int button_pressed = BUTTON_HELD(1000);
691 SpinDelay(300);
692
693 // Button was held for a second, begin recording
694 if (button_pressed > 0 && cardRead == 0)
695 {
696 LEDsoff();
697 LED(selected + 1, 0);
698 LED(LED_RED2, 0);
699
700 // record
701 DbpString("Starting recording");
702
703 // wait for button to be released
704 while(BUTTON_PRESS())
705 WDT_HIT();
706
707 /* need this delay to prevent catching some weird data */
708 SpinDelay(500);
709
710 CmdHIDdemodFSK(1, &tops[selected], &high[selected], &low[selected], 0);
711 if (tops[selected] > 0)
712 Dbprintf("Recorded %x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
713 else
714 Dbprintf("Recorded %x %x%08x", selected, high[selected], low[selected]);
715
716 LEDsoff();
717 LED(selected + 1, 0);
718 // Finished recording
719
720 // If we were previously playing, set playing off
721 // so next button push begins playing what we recorded
722 playing = 0;
723
724 cardRead = 1;
725
726 }
727
728 else if (button_pressed > 0 && cardRead == 1)
729 {
730 LEDsoff();
731 LED(selected + 1, 0);
732 LED(LED_ORANGE, 0);
733
734 // record
735 if (tops[selected] > 0)
736 Dbprintf("Cloning %x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
737 else
738 Dbprintf("Cloning %x %x%08x", selected, high[selected], low[selected]);
739
740 // wait for button to be released
741 while(BUTTON_PRESS())
742 WDT_HIT();
743
744 /* need this delay to prevent catching some weird data */
745 SpinDelay(500);
746
747 CopyHIDtoT55x7(tops[selected] & 0x000FFFFF, high[selected], low[selected], (tops[selected] != 0 && ((high[selected]& 0xFFFFFFC0) != 0)), 0x1D);
748 if (tops[selected] > 0)
749 Dbprintf("Cloned %x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
750 else
751 Dbprintf("Cloned %x %x%08x", selected, high[selected], low[selected]);
752
753 LEDsoff();
754 LED(selected + 1, 0);
755 // Finished recording
756
757 // If we were previously playing, set playing off
758 // so next button push begins playing what we recorded
759 playing = 0;
760
761 cardRead = 0;
762
763 }
764
765 // Change where to record (or begin playing)
766 else if (button_pressed)
767 {
768 // Next option if we were previously playing
769 if (playing)
770 selected = (selected + 1) % OPTS;
771 playing = !playing;
772
773 LEDsoff();
774 LED(selected + 1, 0);
775
776 // Begin transmitting
777 if (playing)
778 {
779 LED(LED_GREEN, 0);
780 DbpString("Playing");
781 // wait for button to be released
782 while(BUTTON_PRESS())
783 WDT_HIT();
784 if (tops[selected] > 0)
785 Dbprintf("%x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
786 else
787 Dbprintf("%x %x%08x", selected, high[selected], low[selected]);
788
789 CmdHIDsimTAG(tops[selected], high[selected], low[selected], 0);
790 DbpString("Done playing");
791 if (BUTTON_HELD(1000) > 0)
792 {
793 DbpString("Exiting");
794 LEDsoff();
795 return;
796 }
797
798 /* We pressed a button so ignore it here with a delay */
799 SpinDelay(300);
800
801 // when done, we're done playing, move to next option
802 selected = (selected + 1) % OPTS;
803 playing = !playing;
804 LEDsoff();
805 LED(selected + 1, 0);
806 }
807 else
808 while(BUTTON_PRESS())
809 WDT_HIT();
810 }
811 }
812 }
813
814 #endif
815 /*
816 OBJECTIVE
817 Listen and detect an external reader. Determine the best location
818 for the antenna.
819
820 INSTRUCTIONS:
821 Inside the ListenReaderField() function, there is two mode.
822 By default, when you call the function, you will enter mode 1.
823 If you press the PM3 button one time, you will enter mode 2.
824 If you press the PM3 button a second time, you will exit the function.
825
826 DESCRIPTION OF MODE 1:
827 This mode just listens for an external reader field and lights up green
828 for HF and/or red for LF. This is the original mode of the detectreader
829 function.
830
831 DESCRIPTION OF MODE 2:
832 This mode will visually represent, using the LEDs, the actual strength of the
833 current compared to the maximum current detected. Basically, once you know
834 what kind of external reader is present, it will help you spot the best location to place
835 your antenna. You will probably not get some good results if there is a LF and a HF reader
836 at the same place! :-)
837
838 LIGHT SCHEME USED:
839 */
840 static const char LIGHT_SCHEME[] = {
841 0x0, /* ---- | No field detected */
842 0x1, /* X--- | 14% of maximum current detected */
843 0x2, /* -X-- | 29% of maximum current detected */
844 0x4, /* --X- | 43% of maximum current detected */
845 0x8, /* ---X | 57% of maximum current detected */
846 0xC, /* --XX | 71% of maximum current detected */
847 0xE, /* -XXX | 86% of maximum current detected */
848 0xF, /* XXXX | 100% of maximum current detected */
849 };
850 static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
851
852 void ListenReaderField(int limit)
853 {
854 int lf_av, lf_av_new=0, lf_baseline= 0, lf_max;
855 int hf_av, hf_av_new=0, hf_baseline= 0, hf_max;
856 int mode=1, display_val, display_max, i;
857
858 #define LF_ONLY 1
859 #define HF_ONLY 2
860 #define REPORT_CHANGE_PERCENT 5 // report new values only if they have changed at least by REPORT_CHANGE_PERCENT
861 #define MIN_HF_FIELD 300 // in mode 1 signal HF field greater than MIN_HF_FIELD above baseline
862 #define MIN_LF_FIELD 1200 // in mode 1 signal LF field greater than MIN_LF_FIELD above baseline
863
864
865 // switch off FPGA - we don't want to measure our own signal
866 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
867 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
868
869 LEDsoff();
870
871 lf_av = lf_max = AvgAdc_Voltage_LF();
872
873 if(limit != HF_ONLY) {
874 Dbprintf("LF 125/134kHz Baseline: %dmV", lf_av);
875 lf_baseline = lf_av;
876 }
877
878 hf_av = hf_max = AvgAdc_Voltage_HF();
879
880 if (limit != LF_ONLY) {
881 Dbprintf("HF 13.56MHz Baseline: %dmV", hf_av);
882 hf_baseline = hf_av;
883 }
884
885 for(;;) {
886 SpinDelay(500);
887 if (BUTTON_PRESS()) {
888 switch (mode) {
889 case 1:
890 mode=2;
891 DbpString("Signal Strength Mode");
892 break;
893 case 2:
894 default:
895 DbpString("Stopped");
896 LEDsoff();
897 return;
898 break;
899 }
900 while (BUTTON_PRESS());
901 }
902 WDT_HIT();
903
904 if (limit != HF_ONLY) {
905 if(mode == 1) {
906 if (lf_av - lf_baseline > MIN_LF_FIELD)
907 LED_D_ON();
908 else
909 LED_D_OFF();
910 }
911
912 lf_av_new = AvgAdc_Voltage_LF();
913 // see if there's a significant change
914 if (ABS((lf_av - lf_av_new)*100/(lf_av?lf_av:1)) > REPORT_CHANGE_PERCENT) {
915 Dbprintf("LF 125/134kHz Field Change: %5dmV", lf_av_new);
916 lf_av = lf_av_new;
917 if (lf_av > lf_max)
918 lf_max = lf_av;
919 }
920 }
921
922 if (limit != LF_ONLY) {
923 if (mode == 1){
924 if (hf_av - hf_baseline > MIN_HF_FIELD)
925 LED_B_ON();
926 else
927 LED_B_OFF();
928 }
929
930 hf_av_new = AvgAdc_Voltage_HF();
931
932 // see if there's a significant change
933 if (ABS((hf_av - hf_av_new)*100/(hf_av?hf_av:1)) > REPORT_CHANGE_PERCENT) {
934 Dbprintf("HF 13.56MHz Field Change: %5dmV", hf_av_new);
935 hf_av = hf_av_new;
936 if (hf_av > hf_max)
937 hf_max = hf_av;
938 }
939 }
940
941 if(mode == 2) {
942 if (limit == LF_ONLY) {
943 display_val = lf_av;
944 display_max = lf_max;
945 } else if (limit == HF_ONLY) {
946 display_val = hf_av;
947 display_max = hf_max;
948 } else { /* Pick one at random */
949 if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
950 display_val = hf_av;
951 display_max = hf_max;
952 } else {
953 display_val = lf_av;
954 display_max = lf_max;
955 }
956 }
957 for (i=0; i<LIGHT_LEN; i++) {
958 if (display_val >= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) {
959 if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF();
960 if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF();
961 if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF();
962 if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF();
963 break;
964 }
965 }
966 }
967 }
968 }
969
970 void UsbPacketReceived(uint8_t *packet, int len)
971 {
972 UsbCommand *c = (UsbCommand *)packet;
973
974 // Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
975
976 switch(c->cmd) {
977 #ifdef WITH_LF
978 case CMD_SET_LF_SAMPLING_CONFIG:
979 setSamplingConfig((sample_config *) c->d.asBytes);
980 break;
981 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
982 cmd_send(CMD_ACK,SampleLF(c->arg[0], c->arg[1]),0,0,0,0);
983 break;
984 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
985 ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
986 break;
987 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
988 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
989 break;
990 case CMD_HID_DEMOD_FSK:
991 CmdHIDdemodFSK(c->arg[0], 0, 0, 0, 1);
992 break;
993 case CMD_HID_SIM_TAG:
994 CmdHIDsimTAG(c->arg[0], c->arg[1], c->arg[2], 1);
995 break;
996 case CMD_FSK_SIM_TAG:
997 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
998 break;
999 case CMD_ASK_SIM_TAG:
1000 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1001 break;
1002 case CMD_PSK_SIM_TAG:
1003 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1004 break;
1005 case CMD_HID_CLONE_TAG:
1006 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0], 0x1D);
1007 break;
1008 case CMD_PARADOX_CLONE_TAG:
1009 // Paradox cards are the same as HID, with a different preamble, so we can reuse the same function
1010 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0], 0x0F);
1011 break;
1012 case CMD_IO_DEMOD_FSK:
1013 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
1014 break;
1015 case CMD_IO_CLONE_TAG:
1016 CopyIOtoT55x7(c->arg[0], c->arg[1]);
1017 break;
1018 case CMD_EM410X_DEMOD:
1019 CmdEM410xdemod(c->arg[0], 0, 0, 1);
1020 break;
1021 case CMD_EM410X_WRITE_TAG:
1022 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
1023 break;
1024 case CMD_READ_TI_TYPE:
1025 ReadTItag();
1026 break;
1027 case CMD_WRITE_TI_TYPE:
1028 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
1029 break;
1030 case CMD_SIMULATE_TAG_125K:
1031 LED_A_ON();
1032 SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
1033 LED_A_OFF();
1034 break;
1035 case CMD_LF_SIMULATE_BIDIR:
1036 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
1037 break;
1038 case CMD_INDALA_CLONE_TAG:
1039 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
1040 break;
1041 case CMD_INDALA_CLONE_TAG_L:
1042 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
1043 break;
1044 case CMD_T55XX_READ_BLOCK:
1045 T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
1046 break;
1047 case CMD_T55XX_WRITE_BLOCK:
1048 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
1049 break;
1050 case CMD_T55XX_WAKEUP:
1051 T55xxWakeUp(c->arg[0]);
1052 break;
1053 case CMD_T55XX_RESET_READ:
1054 T55xxResetRead();
1055 break;
1056 case CMD_PCF7931_READ:
1057 ReadPCF7931();
1058 break;
1059 case CMD_PCF7931_WRITE:
1060 WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
1061 break;
1062 case CMD_EM4X_READ_WORD:
1063 EM4xReadWord(c->arg[0], c->arg[1],c->arg[2]);
1064 break;
1065 case CMD_EM4X_WRITE_WORD:
1066 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]);
1067 break;
1068 case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
1069 CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
1070 break;
1071 case CMD_VIKING_CLONE_TAG:
1072 CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
1073 break;
1074 case CMD_COTAG:
1075 Cotag(c->arg[0]);
1076 break;
1077 #endif
1078
1079 #ifdef WITH_HITAG
1080 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
1081 SnoopHitag(c->arg[0]);
1082 break;
1083 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
1084 SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1085 break;
1086 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
1087 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1088 break;
1089 case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content
1090 SimulateHitagSTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1091 break;
1092 case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file
1093 check_challenges_cmd((bool)c->arg[0], (byte_t*)c->d.asBytes, (uint8_t)c->arg[1]);
1094 break;
1095 case CMD_READ_HITAG_S://Reader for only Hitag S tags, args = key or challenge
1096 ReadHitagSCmd((hitag_function)c->arg[0], (hitag_data*)c->d.asBytes, (uint8_t)c->arg[1], (uint8_t)c->arg[2], false);
1097 break;
1098 case CMD_READ_HITAG_S_BLK:
1099 ReadHitagSCmd((hitag_function)c->arg[0], (hitag_data*)c->d.asBytes, (uint8_t)c->arg[1], (uint8_t)c->arg[2], true);
1100 break;
1101 case CMD_WR_HITAG_S://writer for Hitag tags args=data to write,page and key or challenge
1102 if ((hitag_function)c->arg[0] < 10) {
1103 WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]);
1104 }
1105 else if ((hitag_function)c->arg[0] >= 10) {
1106 WriterHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes, c->arg[2]);
1107 }
1108 break;
1109 #endif
1110
1111 #ifdef WITH_ISO15693
1112 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
1113 AcquireRawAdcSamplesIso15693();
1114 break;
1115 case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693:
1116 RecordRawAdcSamplesIso15693();
1117 break;
1118
1119 case CMD_ISO_15693_COMMAND:
1120 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1121 break;
1122
1123 case CMD_ISO_15693_FIND_AFI:
1124 BruteforceIso15693Afi(c->arg[0]);
1125 break;
1126
1127 case CMD_ISO_15693_DEBUG:
1128 SetDebugIso15693(c->arg[0]);
1129 break;
1130
1131 case CMD_READER_ISO_15693:
1132 ReaderIso15693(c->arg[0]);
1133 break;
1134 case CMD_SIMTAG_ISO_15693:
1135 SimTagIso15693(c->arg[0], c->d.asBytes);
1136 break;
1137 #endif
1138
1139 #ifdef WITH_LEGICRF
1140 case CMD_SIMULATE_TAG_LEGIC_RF:
1141 LegicRfSimulate(c->arg[0]);
1142 break;
1143
1144 case CMD_WRITER_LEGIC_RF:
1145 LegicRfWriter(c->arg[1], c->arg[0]);
1146 break;
1147
1148 case CMD_READER_LEGIC_RF:
1149 LegicRfReader(c->arg[0], c->arg[1]);
1150 break;
1151 #endif
1152
1153 #ifdef WITH_ISO14443b
1154 case CMD_READ_SRI512_TAG:
1155 ReadSTMemoryIso14443b(0x0F);
1156 break;
1157 case CMD_READ_SRIX4K_TAG:
1158 ReadSTMemoryIso14443b(0x7F);
1159 break;
1160 case CMD_SNOOP_ISO_14443B:
1161 SnoopIso14443b();
1162 break;
1163 case CMD_SIMULATE_TAG_ISO_14443B:
1164 SimulateIso14443bTag();
1165 break;
1166 case CMD_ISO_14443B_COMMAND:
1167 SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1168 break;
1169 #endif
1170
1171 #ifdef WITH_ISO14443a
1172 case CMD_SNOOP_ISO_14443a:
1173 SnoopIso14443a(c->arg[0]);
1174 break;
1175 case CMD_READER_ISO_14443a:
1176 ReaderIso14443a(c);
1177 break;
1178 case CMD_SIMULATE_TAG_ISO_14443a:
1179 SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
1180 break;
1181
1182 case CMD_EPA_PACE_COLLECT_NONCE:
1183 EPA_PACE_Collect_Nonce(c);
1184 break;
1185 case CMD_EPA_PACE_REPLAY:
1186 EPA_PACE_Replay(c);
1187 break;
1188
1189 case CMD_READER_MIFARE:
1190 ReaderMifare(c->arg[0]);
1191 break;
1192 case CMD_MIFARE_READBL:
1193 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1194 break;
1195 case CMD_MIFAREU_READBL:
1196 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
1197 break;
1198 case CMD_MIFAREUC_AUTH:
1199 MifareUC_Auth(c->arg[0],c->d.asBytes);
1200 break;
1201 case CMD_MIFAREU_READCARD:
1202 MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1203 break;
1204 case CMD_MIFAREUC_SETPWD:
1205 MifareUSetPwd(c->arg[0], c->d.asBytes);
1206 break;
1207 case CMD_MIFARE_READSC:
1208 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1209 break;
1210 case CMD_MIFARE_WRITEBL:
1211 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1212 break;
1213 //case CMD_MIFAREU_WRITEBL_COMPAT:
1214 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1215 //break;
1216 case CMD_MIFAREU_WRITEBL:
1217 MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
1218 break;
1219 case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES:
1220 MifareAcquireEncryptedNonces(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1221 break;
1222 case CMD_MIFARE_NESTED:
1223 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1224 break;
1225 case CMD_MIFARE_CHKKEYS:
1226 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1227 break;
1228 case CMD_SIMULATE_MIFARE_CARD:
1229 Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1230 break;
1231
1232 // emulator
1233 case CMD_MIFARE_SET_DBGMODE:
1234 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1235 break;
1236 case CMD_MIFARE_EML_MEMCLR:
1237 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1238 break;
1239 case CMD_MIFARE_EML_MEMSET:
1240 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1241 break;
1242 case CMD_MIFARE_EML_MEMGET:
1243 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1244 break;
1245 case CMD_MIFARE_EML_CARDLOAD:
1246 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1247 break;
1248
1249 // Work with "magic Chinese" card
1250 case CMD_MIFARE_CWIPE:
1251 MifareCWipe(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1252 break;
1253 case CMD_MIFARE_CSETBLOCK:
1254 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1255 break;
1256 case CMD_MIFARE_CGETBLOCK:
1257 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1258 break;
1259 case CMD_MIFARE_CIDENT:
1260 MifareCIdent();
1261 break;
1262
1263 // mifare sniffer
1264 case CMD_MIFARE_SNIFFER:
1265 SniffMifare(c->arg[0]);
1266 break;
1267
1268 #endif
1269
1270 #ifdef WITH_ICLASS
1271 // Makes use of ISO14443a FPGA Firmware
1272 case CMD_SNOOP_ICLASS:
1273 SnoopIClass();
1274 break;
1275 case CMD_SIMULATE_TAG_ICLASS:
1276 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1277 break;
1278 case CMD_READER_ICLASS:
1279 ReaderIClass(c->arg[0]);
1280 break;
1281 case CMD_READER_ICLASS_REPLAY:
1282 ReaderIClass_Replay(c->arg[0], c->d.asBytes);
1283 break;
1284 case CMD_ICLASS_EML_MEMSET:
1285 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
1286 break;
1287 case CMD_ICLASS_WRITEBLOCK:
1288 iClass_WriteBlock(c->arg[0], c->d.asBytes);
1289 break;
1290 case CMD_ICLASS_READCHECK: // auth step 1
1291 iClass_ReadCheck(c->arg[0], c->arg[1]);
1292 break;
1293 case CMD_ICLASS_READBLOCK:
1294 iClass_ReadBlk(c->arg[0]);
1295 break;
1296 case CMD_ICLASS_AUTHENTICATION: //check
1297 iClass_Authentication(c->d.asBytes);
1298 break;
1299 case CMD_ICLASS_DUMP:
1300 iClass_Dump(c->arg[0], c->arg[1]);
1301 break;
1302 case CMD_ICLASS_CLONE:
1303 iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
1304 break;
1305 #endif
1306 #ifdef WITH_HFSNOOP
1307 case CMD_HF_SNIFFER:
1308 HfSnoop(c->arg[0], c->arg[1]);
1309 break;
1310 #endif
1311 #ifdef WITH_SMARTCARD
1312 case CMD_SMART_ATR: {
1313 SmartCardAtr();
1314 break;
1315 }
1316 case CMD_SMART_SETCLOCK:{
1317 SmartCardSetClock(c->arg[0]);
1318 break;
1319 }
1320 case CMD_SMART_RAW: {
1321 SmartCardRaw(c->arg[0], c->arg[1], c->d.asBytes);
1322 break;
1323 }
1324 case CMD_SMART_UPLOAD: {
1325 // upload file from client
1326 uint8_t *mem = BigBuf_get_addr();
1327 memcpy( mem + c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1328 cmd_send(CMD_ACK,1,0,0,0,0);
1329 break;
1330 }
1331 case CMD_SMART_UPGRADE: {
1332 SmartCardUpgrade(c->arg[0]);
1333 break;
1334 }
1335 #endif
1336
1337 case CMD_BUFF_CLEAR:
1338 BigBuf_Clear();
1339 break;
1340
1341 case CMD_MEASURE_ANTENNA_TUNING:
1342 MeasureAntennaTuning(c->arg[0]);
1343 break;
1344
1345 case CMD_MEASURE_ANTENNA_TUNING_HF:
1346 MeasureAntennaTuningHf();
1347 break;
1348
1349 case CMD_LISTEN_READER_FIELD:
1350 ListenReaderField(c->arg[0]);
1351 break;
1352
1353 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
1354 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1355 SpinDelay(200);
1356 LED_D_OFF(); // LED D indicates field ON or OFF
1357 break;
1358
1359 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K:
1360
1361 LED_B_ON();
1362 uint8_t *BigBuf = BigBuf_get_addr();
1363 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
1364 size_t len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
1365 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
1366 }
1367 // Trigger a finish downloading signal with an ACK frame
1368 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
1369 LED_B_OFF();
1370 break;
1371
1372 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
1373 // iceman; since changing fpga_bitstreams clears bigbuff, Its better to call it before.
1374 // to be able to use this one for uploading data to device
1375 // arg1 = 0 upload for LF usage
1376 // 1 upload for HF usage
1377 if (c->arg[1] == 0)
1378 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1379 else
1380 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1381
1382 uint8_t *b = BigBuf_get_addr();
1383 memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1384 cmd_send(CMD_ACK,0,0,0,0,0);
1385 break;
1386 }
1387 case CMD_READ_MEM:
1388 ReadMem(c->arg[0]);
1389 break;
1390
1391 case CMD_SET_LF_DIVISOR:
1392 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1393 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
1394 break;
1395
1396 case CMD_SET_ADC_MUX:
1397 switch(c->arg[0]) {
1398 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1399 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1400 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1401 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1402 }
1403 break;
1404
1405 case CMD_VERSION:
1406 SendVersion();
1407 break;
1408 case CMD_STATUS:
1409 SendStatus();
1410 break;
1411 case CMD_PING:
1412 cmd_send(CMD_ACK,0,0,0,0,0);
1413 break;
1414 #ifdef WITH_LCD
1415 case CMD_LCD_RESET:
1416 LCDReset();
1417 break;
1418 case CMD_LCD:
1419 LCDSend(c->arg[0]);
1420 break;
1421 #endif
1422 case CMD_SETUP_WRITE:
1423 case CMD_FINISH_WRITE:
1424 case CMD_HARDWARE_RESET:
1425 usb_disable();
1426 SpinDelay(1000);
1427 SpinDelay(1000);
1428 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1429 for(;;) {
1430 // We're going to reset, and the bootrom will take control.
1431 }
1432 break;
1433
1434 case CMD_START_FLASH:
1435 if(common_area.flags.bootrom_present) {
1436 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1437 }
1438 usb_disable();
1439 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1440 for(;;);
1441 break;
1442
1443 case CMD_DEVICE_INFO: {
1444 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1445 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1446 cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1447 break;
1448 }
1449 default:
1450 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1451 break;
1452 }
1453 }
1454
1455 void __attribute__((noreturn)) AppMain(void)
1456 {
1457 SpinDelay(100);
1458 clear_trace();
1459 if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
1460 /* Initialize common area */
1461 memset(&common_area, 0, sizeof(common_area));
1462 common_area.magic = COMMON_AREA_MAGIC;
1463 common_area.version = 1;
1464 }
1465 common_area.flags.osimage_present = 1;
1466
1467 LED_D_OFF();
1468 LED_C_OFF();
1469 LED_B_OFF();
1470 LED_A_OFF();
1471
1472 // Init USB device
1473 usb_enable();
1474
1475 // The FPGA gets its clock from us from PCK0 output, so set that up.
1476 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
1477 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
1478 AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
1479 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1480 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
1481 AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
1482 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
1483
1484 // Reset SPI
1485 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
1486 // Reset SSC
1487 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
1488
1489 // Load the FPGA image, which we have stored in our flash.
1490 // (the HF version by default)
1491 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1492
1493 StartTickCount();
1494
1495 #ifdef WITH_LCD
1496 LCDInit();
1497 #endif
1498
1499 byte_t rx[sizeof(UsbCommand)];
1500 size_t rx_len;
1501
1502 for(;;) {
1503 if (usb_poll()) {
1504 rx_len = usb_read(rx,sizeof(UsbCommand));
1505 if (rx_len) {
1506 UsbPacketReceived(rx,rx_len);
1507 }
1508 }
1509 WDT_HIT();
1510
1511 #ifdef WITH_LF_StandAlone
1512 #ifndef WITH_ISO14443a_StandAlone
1513 if (BUTTON_HELD(1000) > 0)
1514 SamyRun();
1515 #endif
1516 #endif
1517 #ifdef WITH_ISO14443a
1518 #ifdef WITH_ISO14443a_StandAlone
1519 if (BUTTON_HELD(1000) > 0)
1520 StandAloneMode14a();
1521 #endif
1522 #endif
1523 }
1524 }
Proxmark3 GIT tracking
Impressum, Datenschutz