1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
5 //-----------------------------------------------------------------------------
6 // HitagS emulation (preliminary test version)
8 // (c) 2016 Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg
10 //-----------------------------------------------------------------------------
11 // Some code was copied from Hitag2.c
12 //-----------------------------------------------------------------------------
15 #include "proxmark3.h"
23 #define CRC_PRESET 0xFF
24 #define CRC_POLYNOM 0x1D
29 #define rev8(x) ((((x)>>7)&1)+((((x)>>6)&1)<<1)+((((x)>>5)&1)<<2)+((((x)>>4)&1)<<3)+((((x)>>3)&1)<<4)+((((x)>>2)&1)<<5)+((((x)>>1)&1)<<6)+(((x)&1)<<7))
30 #define rev16(x) (rev8 (x)+(rev8 (x>> 8)<< 8))
31 #define rev32(x) (rev16(x)+(rev16(x>>16)<<16))
32 #define rev64(x) (rev32(x)+(rev32(x>>32)<<32))
33 #define bit(x,n) (((x)>>(n))&1)
34 #define bit32(x,n) ((((x)[(n)>>5])>>((n)))&1)
35 #define inv32(x,i,n) ((x)[(i)>>5]^=((u32)(n))<<((i)&31))
36 #define rotl64(x, n) ((((u64)(x))<<((n)&63))+(((u64)(x))>>((0-(n))&63)))
39 static bool bSuccessful
;
40 static struct hitagS_tag tag
;
41 static byte_t page_to_be_written
= 0;
42 static int block_data_left
= 0;
43 typedef enum modulation
{
49 static MOD m
= AC2K
; //used modulation
50 static uint32_t temp_uid
;
52 static int sof_bits
; //number of start-of-frame bits
53 static byte_t pwdh0
, pwdl0
, pwdl1
; //password bytes
54 static uint32_t rnd
= 0x74124485; //randomnumber
59 // Single bit Hitag2 functions:
60 #define i4(x,a,b,c,d) ((u32)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
61 static const u32 ht2_f4a
= 0x2C79; // 0010 1100 0111 1001
62 static const u32 ht2_f4b
= 0x6671; // 0110 0110 0111 0001
63 static const u32 ht2_f5c
= 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
64 #define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b))
65 #define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b)))
66 #define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c))))
69 static u32
f20(const u64 x
) {
72 i5
= ((ht2_f4a
>> i4(x
, 1, 2, 4, 5)) & 1) * 1
73 + ((ht2_f4b
>> i4(x
, 7, 11, 13, 14)) & 1) * 2
74 + ((ht2_f4b
>> i4(x
, 16, 20, 22, 25)) & 1) * 4
75 + ((ht2_f4b
>> i4(x
, 27, 28, 30, 32)) & 1) * 8
76 + ((ht2_f4a
>> i4(x
, 33, 42, 43, 45)) & 1) * 16;
78 return (ht2_f5c
>> i5
) & 1;
80 static u64
hitag2_round(u64
*state
) {
84 + ((((x
>> 0) ^ (x
>> 2) ^ (x
>> 3) ^ (x
>> 6) ^ (x
>> 7) ^ (x
>> 8)
85 ^ (x
>> 16) ^ (x
>> 22) ^ (x
>> 23) ^ (x
>> 26) ^ (x
>> 30)
86 ^ (x
>> 41) ^ (x
>> 42) ^ (x
>> 43) ^ (x
>> 46) ^ (x
>> 47))
92 static u64
hitag2_init(const u64 key
, const u32 serial
, const u32 IV
) {
94 u64 x
= ((key
& 0xFFFF) << 32) + serial
;
95 for (i
= 0; i
< 32; i
++) {
97 x
+= (u64
) (f20(x
) ^ (((IV
>> i
) ^ (key
>> (i
+ 16))) & 1)) << 47;
101 static u32
hitag2_byte(u64
*x
) {
104 for (i
= 0, c
= 0; i
< 8; i
++)
105 c
+= (u32
) hitag2_round(x
) << (i
^ 7);
109 // Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
110 // TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
111 // Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
112 // T0 = TIMER_CLOCK1 / 125000 = 192
115 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
116 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
118 #define HITAG_FRAME_LEN 20
119 #define HITAG_T_STOP 36 /* T_EOF should be > 36 */
120 #define HITAG_T_LOW 8 /* T_LOW should be 4..10 */
121 #define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
122 #define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */
123 //#define HITAG_T_EOF 40 /* T_EOF should be > 36 */
124 #define HITAG_T_EOF 80 /* T_EOF should be > 36 */
125 #define HITAG_T_WAIT_1 200 /* T_wresp should be 199..206 */
126 #define HITAG_T_WAIT_2 90 /* T_wresp should be 199..206 */
127 #define HITAG_T_WAIT_MAX 300 /* bit more than HITAG_T_WAIT_1 + HITAG_T_WAIT_2 */
129 #define HITAG_T_TAG_ONE_HALF_PERIOD 10
130 #define HITAG_T_TAG_TWO_HALF_PERIOD 25
131 #define HITAG_T_TAG_THREE_HALF_PERIOD 41
132 #define HITAG_T_TAG_FOUR_HALF_PERIOD 57
134 #define HITAG_T_TAG_HALF_PERIOD 16
135 #define HITAG_T_TAG_FULL_PERIOD 32
137 #define HITAG_T_TAG_CAPTURE_ONE_HALF 13
138 #define HITAG_T_TAG_CAPTURE_TWO_HALF 25
139 #define HITAG_T_TAG_CAPTURE_THREE_HALF 41
140 #define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
145 * Implementation of the crc8 calculation from Hitag S
146 * from http://www.proxmark.org/files/Documents/125%20kHz%20-%20Hitag/HitagS.V11.pdf
148 void calc_crc(unsigned char * crc
, unsigned char data
, unsigned char Bitcount
) {
149 *crc
^= data
; // crc = crc (exor) data
151 if (*crc
& 0x80) // if (MSB-CRC == 1)
153 *crc
<<= 1; // CRC = CRC Bit-shift left
154 *crc
^= CRC_POLYNOM
; // CRC = CRC (exor) CRC_POLYNOM
156 *crc
<<= 1; // CRC = CRC Bit-shift left
158 } while (--Bitcount
);
161 static void hitag_send_bit(int bit
) {
163 // Reset clock for the next bit
164 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_SWTRG
;
171 while (AT91C_BASE_TC0
->TC_CV
< T0
* 32)
174 while (AT91C_BASE_TC0
->TC_CV
< T0
* 64)
179 while (AT91C_BASE_TC0
->TC_CV
< T0
* 16)
182 while (AT91C_BASE_TC0
->TC_CV
< T0
* 32)
185 while (AT91C_BASE_TC0
->TC_CV
< T0
* 48)
188 while (AT91C_BASE_TC0
->TC_CV
< T0
* 64)
197 while (AT91C_BASE_TC0
->TC_CV
< T0
* HITAG_T_TAG_HALF_PERIOD
)
200 while (AT91C_BASE_TC0
->TC_CV
< T0
* HITAG_T_TAG_FULL_PERIOD
)
205 while (AT91C_BASE_TC0
->TC_CV
< T0
* 8)
208 while (AT91C_BASE_TC0
->TC_CV
< T0
* 16)
211 while (AT91C_BASE_TC0
->TC_CV
< T0
* 24)
214 while (AT91C_BASE_TC0
->TC_CV
< T0
* 32)
221 // Manchester: Unloaded, then loaded |__--|
223 while (AT91C_BASE_TC0
->TC_CV
< T0
* 16)
226 while (AT91C_BASE_TC0
->TC_CV
< T0
* 32)
229 // Manchester: Loaded, then unloaded |--__|
231 while (AT91C_BASE_TC0
->TC_CV
< T0
* 16)
234 while (AT91C_BASE_TC0
->TC_CV
< T0
* 32)
241 // Manchester: Unloaded, then loaded |__--|
243 while (AT91C_BASE_TC0
->TC_CV
< T0
* 8)
246 while (AT91C_BASE_TC0
->TC_CV
< T0
* 16)
249 // Manchester: Loaded, then unloaded |--__|
251 while (AT91C_BASE_TC0
->TC_CV
< T0
* 8)
254 while (AT91C_BASE_TC0
->TC_CV
< T0
* 16)
264 static void hitag_send_frame(const byte_t
* frame
, size_t frame_len
) {
265 // Send start of frame
267 for (size_t i
= 0; i
< sof_bits
; i
++) {
271 // Send the content of the frame
272 for (size_t i
= 0; i
< frame_len
; i
++) {
273 hitag_send_bit((frame
[i
/ 8] >> (7 - (i
% 8))) & 1);
275 // Drop the modulation
279 static void hitag_reader_send_bit(int bit
) {
280 //Dbprintf("BIT: %d",bit);
282 // Reset clock for the next bit
283 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_SWTRG
;
285 // Binary puls length modulation (BPLM) is used to encode the data stream
286 // This means that a transmission of a one takes longer than that of a zero
288 // Enable modulation, which means, drop the the field
291 // Wait for 4-10 times the carrier period
292 while (AT91C_BASE_TC0
->TC_CV
< T0
* 6)
296 // Disable modulation, just activates the field again
301 while (AT91C_BASE_TC0
->TC_CV
< T0
* 11)
303 // SpinDelayUs(16*8);
306 while (AT91C_BASE_TC0
->TC_CV
< T0
* 14)
308 // SpinDelayUs(22*8);
311 // Wait for 4-10 times the carrier period
312 while (AT91C_BASE_TC0
->TC_CV
< T0
* 6)
316 // Disable modulation, just activates the field again
321 while (AT91C_BASE_TC0
->TC_CV
< T0
* 22)
323 // SpinDelayUs(16*8);
326 while (AT91C_BASE_TC0
->TC_CV
< T0
* 28)
328 // SpinDelayUs(22*8);
335 static void hitag_reader_send_frame(const byte_t
* frame
, size_t frame_len
) {
336 // Send the content of the frame
337 for (size_t i
= 0; i
< frame_len
; i
++) {
338 if (frame
[0] == 0xf8) {
339 //Dbprintf("BIT: %d",(frame[i / 8] >> (7 - (i % 8))) & 1);
341 hitag_reader_send_bit((frame
[i
/ 8] >> (7 - (i
% 8))) & 1);
344 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_SWTRG
;
345 // Enable modulation, which means, drop the the field
347 // Wait for 4-10 times the carrier period
348 while (AT91C_BASE_TC0
->TC_CV
< T0
* 6)
350 // Disable modulation, just activates the field again
355 * to check if the right uid was selected
357 static int check_select(byte_t
* rx
, uint32_t uid
) {
358 unsigned char resp
[48];
361 for (i
= 0; i
< 48; i
++)
362 resp
[i
] = (rx
[i
/ 8] >> (7 - (i
% 8))) & 0x1;
363 for (i
= 0; i
< 32; i
++)
364 ans
+= resp
[5 + i
] << (31 - i
);
365 /*if (rx[0] == 0x01 && rx[1] == 0x15 && rx[2] == 0xc1 && rx[3] == 0x14
366 && rx[4] == 0x65 && rx[5] == 0x38)
367 Dbprintf("got uid %X", ans);*/
375 * handles all commands from a reader
377 static void hitagS_handle_reader_command(byte_t
* rx
, const size_t rxlen
,
378 byte_t
* tx
, size_t* txlen
) {
379 byte_t rx_air
[HITAG_FRAME_LEN
];
385 // Copy the (original) received frame how it is send over the air
386 memcpy(rx_air
, rx
, nbytes(rxlen
));
387 // Reset the transmission frame length
389 // Try to find out which command was send by selecting on length (in bits)
392 //UID request with a selected response protocol mode
393 tag
.pstate
= HT_READY
;
394 tag
.tstate
= HT_NO_OP
;
395 if ((rx
[0] & 0xf0) == 0x30) {
396 tag
.mode
= HT_STANDARD
;
400 if ((rx
[0] & 0xf0) == 0xc0) {
401 tag
.mode
= HT_ADVANCED
;
406 if ((rx
[0] & 0xf0) == 0xd0) {
407 tag
.mode
= HT_FAST_ADVANCED
;
411 //send uid as a response
413 for (i
= 0; i
< 4; i
++)
414 tx
[i
] = (tag
.uid
>> (24 - (i
* 8))) & 0xff;
418 //select command from reader received
419 if (check_select(rx
, tag
.uid
) == 1) {
420 //if the right tag was selected
431 case HT_FAST_ADVANCED
:
440 for (i
= 0; i
< 4; i
++)
441 tx
[i
] = (tag
.pages
[0][1] >> (i
* 8)) & 0xff;
443 if (tag
.mode
!= HT_STANDARD
) {
446 for (i
= 0; i
< 4; i
++)
447 calc_crc(&crc
, tx
[i
], 8);
454 //challenge message received
455 Dbprintf("Challenge for UID: %X", temp_uid
);
458 state
= hitag2_init(rev64(tag
.key
), rev32(tag
.pages
[0][0]),
459 rev32(((rx
[3] << 24) + (rx
[2] << 16) + (rx
[1] << 8) + rx
[0])));
461 ",{0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X}",
462 rx
[0], rx
[1], rx
[2], rx
[3], rx
[4], rx
[5], rx
[6], rx
[7]);
472 case HT_FAST_ADVANCED
:
480 for (i
= 0; i
< 4; i
++)
482 //send con2,pwdh0,pwdl0,pwdl1 encrypted as a response
483 tx
[0] = hitag2_byte(&state
) ^ ((tag
.pages
[0][1] >> 16) & 0xff);
484 tx
[1] = hitag2_byte(&state
) ^ tag
.pwdh0
;
485 tx
[2] = hitag2_byte(&state
) ^ tag
.pwdl0
;
486 tx
[3] = hitag2_byte(&state
) ^ tag
.pwdl1
;
487 if (tag
.mode
!= HT_STANDARD
) {
491 calc_crc(&crc
, ((tag
.pages
[0][1] >> 16) & 0xff), 8);
492 calc_crc(&crc
, tag
.pwdh0
, 8);
493 calc_crc(&crc
, tag
.pwdl0
, 8);
494 calc_crc(&crc
, tag
.pwdl1
, 8);
495 tx
[4] = (crc
^ hitag2_byte(&state
));
498 * some readers do not allow to authenticate multiple times in a row with the same tag.
499 * use this to change the uid between authentications.
503 if (temp2 % 2 == 0) {
504 tag.uid = 0x11223344;
505 tag.pages[0][0] = 0x44332211;
507 tag.uid = 0x55667788;
508 tag.pages[0][0] = 0x88776655;
513 //data received to be written
514 if (tag
.tstate
== HT_WRITING_PAGE_DATA
) {
515 tag
.tstate
= HT_NO_OP
;
516 tag
.pages
[page_to_be_written
/ 4][page_to_be_written
% 4] = (rx
[0]
517 << 0) + (rx
[1] << 8) + (rx
[2] << 16) + (rx
[3] << 24);
521 page_to_be_written
= 0;
531 case HT_FAST_ADVANCED
:
538 } else if (tag
.tstate
== HT_WRITING_BLOCK_DATA
) {
539 tag
.pages
[page_to_be_written
/ 4][page_to_be_written
% 4] = (rx
[0]
540 << 24) + (rx
[1] << 16) + (rx
[2] << 8) + rx
[3];
553 case HT_FAST_ADVANCED
:
560 page_to_be_written
++;
562 if (block_data_left
== 0) {
563 tag
.tstate
= HT_NO_OP
;
564 page_to_be_written
= 0;
569 //write page, write block, read page or read block command received
570 if ((rx
[0] & 0xf0) == 0xc0) //read page
573 page
= ((rx
[0] & 0x0f) * 16) + ((rx
[1] & 0xf0) / 16);
575 tx
[0] = (tag
.pages
[page
/ 4][page
% 4]) & 0xff;
576 tx
[1] = (tag
.pages
[page
/ 4][page
% 4] >> 8) & 0xff;
577 tx
[2] = (tag
.pages
[page
/ 4][page
% 4] >> 16) & 0xff;
578 tx
[3] = (tag
.pages
[page
/ 4][page
% 4] >> 24) & 0xff;
579 if (tag
.LKP
&& page
== 1)
591 case HT_FAST_ADVANCED
:
599 if (tag
.mode
!= HT_STANDARD
) {
603 for (i
= 0; i
< 4; i
++)
604 calc_crc(&crc
, tx
[i
], 8);
608 if (tag
.LKP
&& (page
== 2 || page
== 3)) {
609 //if reader asks for key or password and the LKP-mark is set do not respond
613 } else if ((rx
[0] & 0xf0) == 0xd0) //read block
615 page
= ((rx
[0] & 0x0f) * 16) + ((rx
[1] & 0xf0) / 16);
617 //send page,...,page+3 data
618 for (i
= 0; i
< 4; i
++) {
619 tx
[0 + i
* 4] = (tag
.pages
[page
/ 4][page
% 4]) & 0xff;
620 tx
[1 + i
* 4] = (tag
.pages
[page
/ 4][page
% 4] >> 8) & 0xff;
621 tx
[2 + i
* 4] = (tag
.pages
[page
/ 4][page
% 4] >> 16) & 0xff;
622 tx
[3 + i
* 4] = (tag
.pages
[page
/ 4][page
% 4] >> 24) & 0xff;
635 case HT_FAST_ADVANCED
:
643 if (tag
.mode
!= HT_STANDARD
) {
647 for (i
= 0; i
< 16; i
++)
648 calc_crc(&crc
, tx
[i
], 8);
652 if ((page
- 4) % 4 != 0 || (tag
.LKP
&& (page
- 4) == 0)) {
656 } else if ((rx
[0] & 0xf0) == 0x80) //write page
658 page
= ((rx
[0] & 0x0f) * 16) + ((rx
[1] & 0xf0) / 16);
669 case HT_FAST_ADVANCED
:
676 if ((tag
.LCON
&& page
== 1)
677 || (tag
.LKP
&& (page
== 2 || page
== 3))) {
684 page_to_be_written
= page
;
685 tag
.tstate
= HT_WRITING_PAGE_DATA
;
688 } else if ((rx
[0] & 0xf0) == 0x90) //write block
690 page
= ((rx
[0] & 0x0f) * 6) + ((rx
[1] & 0xf0) / 16);
700 case HT_FAST_ADVANCED
:
707 if (page
% 4 != 0 || page
== 0) {
714 page_to_be_written
= page
;
716 tag
.tstate
= HT_WRITING_BLOCK_DATA
;
728 * to autenticate to a tag with the given key or challenge
730 static int hitagS_handle_tag_auth(hitag_function htf
,uint64_t key
, uint64_t NrAr
, byte_t
* rx
, const size_t rxlen
, byte_t
* tx
,
732 byte_t rx_air
[HITAG_FRAME_LEN
];
733 int response_bit
[200];
735 unsigned char mask
= 1;
736 unsigned char uid
[32];
737 byte_t uid1
= 0x00, uid2
= 0x00, uid3
= 0x00, uid4
= 0x00;
741 byte_t conf_pages
[3];
742 memcpy(rx_air
, rx
, nbytes(rxlen
));
745 if (tag
.pstate
== HT_READY
&& rxlen
>= 67) {
748 Dbprintf("authentication failed!");
752 for (i
= 0; i
< 10; i
++) {
753 for (j
= 0; j
< 8; j
++) {
755 if ((rx
[i
] & ((mask
<< 7) >> j
)) != 0)
761 for (i
= 5; i
< z
; i
+= 2) {
762 uid
[k
] = response_bit
[i
];
767 uid1
= (uid
[0] << 7) | (uid
[1] << 6) | (uid
[2] << 5) | (uid
[3] << 4)
768 | (uid
[4] << 3) | (uid
[5] << 2) | (uid
[6] << 1) | uid
[7];
769 uid2
= (uid
[8] << 7) | (uid
[9] << 6) | (uid
[10] << 5) | (uid
[11] << 4)
770 | (uid
[12] << 3) | (uid
[13] << 2) | (uid
[14] << 1) | uid
[15];
771 uid3
= (uid
[16] << 7) | (uid
[17] << 6) | (uid
[18] << 5) | (uid
[19] << 4)
772 | (uid
[20] << 3) | (uid
[21] << 2) | (uid
[22] << 1) | uid
[23];
773 uid4
= (uid
[24] << 7) | (uid
[25] << 6) | (uid
[26] << 5) | (uid
[27] << 4)
774 | (uid
[28] << 3) | (uid
[29] << 2) | (uid
[30] << 1) | uid
[31];
776 Dbprintf("UID: %02X %02X %02X %02X", uid1
, uid2
, uid3
, uid4
);
777 tag
.uid
= (uid4
<< 24 | uid3
<< 16 | uid2
<< 8 | uid1
);
782 calc_crc(&crc
, 0x00, 5);
783 calc_crc(&crc
, uid1
, 8);
784 calc_crc(&crc
, uid2
, 8);
785 calc_crc(&crc
, uid3
, 8);
786 calc_crc(&crc
, uid4
, 8);
787 for (i
= 0; i
< 100; i
++) {
790 for (i
= 0; i
< 5; i
++) {
793 for (i
= 5; i
< 37; i
++) {
794 response_bit
[i
] = uid
[i
- 5];
796 for (j
= 0; j
< 8; j
++) {
798 if ((crc
& ((mask
<< 7) >> j
)) != 0)
803 for (i
= 0; i
< 6; i
++) {
804 tx
[i
] = (response_bit
[k
] << 7) | (response_bit
[k
+ 1] << 6)
805 | (response_bit
[k
+ 2] << 5) | (response_bit
[k
+ 3] << 4)
806 | (response_bit
[k
+ 4] << 3) | (response_bit
[k
+ 5] << 2)
807 | (response_bit
[k
+ 6] << 1) | response_bit
[k
+ 7];
810 tag
.pstate
= HT_INIT
;
811 } else if (tag
.pstate
== HT_INIT
&& rxlen
== 44) {
812 // received configuration after select command
814 for (i
= 0; i
< 6; i
++) {
815 for (j
= 0; j
< 8; j
++) {
817 if ((rx
[i
] & ((mask
<< 7) >> j
)) != 0)
822 conf_pages
[0] = ((response_bit
[4] << 7) | (response_bit
[5] << 6)
823 | (response_bit
[6] << 5) | (response_bit
[7] << 4)
824 | (response_bit
[8] << 3) | (response_bit
[9] << 2)
825 | (response_bit
[10] << 1) | response_bit
[11]);
826 //check wich memorysize this tag has
827 if (response_bit
[10] == 0 && response_bit
[11] == 0)
828 tag
.max_page
= 32 / 32;
829 if (response_bit
[10] == 0 && response_bit
[11] == 1)
830 tag
.max_page
= 256 / 32;
831 if (response_bit
[10] == 1 && response_bit
[11] == 0)
832 tag
.max_page
= 2048 / 32;
833 conf_pages
[1] = ((response_bit
[12] << 7) | (response_bit
[13] << 6)
834 | (response_bit
[14] << 5) | (response_bit
[15] << 4)
835 | (response_bit
[16] << 3) | (response_bit
[17] << 2)
836 | (response_bit
[18] << 1) | response_bit
[19]);
837 tag
.auth
= response_bit
[12];
838 tag
.TTFC
= response_bit
[13];
839 //tag.TTFDR in response_bit[14] and response_bit[15]
840 //tag.TTFM in response_bit[16] and response_bit[17]
841 tag
.LCON
= response_bit
[18];
842 tag
.LKP
= response_bit
[19];
843 conf_pages
[2] = ((response_bit
[20] << 7) | (response_bit
[21] << 6)
844 | (response_bit
[22] << 5) | (response_bit
[23] << 4)
845 | (response_bit
[24] << 3) | (response_bit
[25] << 2)
846 | (response_bit
[26] << 1) | response_bit
[27]);
847 tag
.LCK7
= response_bit
[20];
848 tag
.LCK6
= response_bit
[21];
849 tag
.LCK5
= response_bit
[22];
850 tag
.LCK4
= response_bit
[23];
851 tag
.LCK3
= response_bit
[24];
852 tag
.LCK2
= response_bit
[25];
853 tag
.LCK1
= response_bit
[26];
854 tag
.LCK0
= response_bit
[27];
857 Dbprintf("conf0: %02X conf1: %02X conf2: %02X", conf_pages
[0],
858 conf_pages
[1], conf_pages
[2]);
860 //if the tag is in authentication mode try the key or challenge
863 if(htf
==02||htf
==04){ //RHTS_KEY //WHTS_KEY
864 state
= hitag2_init(rev64(key
), rev32(tag
.uid
),
867 for (i
= 0; i
< 4; i
++) {
868 auth_ks
[i
] = hitag2_byte(&state
) ^ 0xff;
872 tx
[1] = (rnd
>> 8) & 0xff;
873 tx
[2] = (rnd
>> 16) & 0xff;
874 tx
[3] = (rnd
>> 24) & 0xff;
881 Dbprintf("%02X %02X %02X %02X %02X %02X %02X %02X", tx
[0],
882 tx
[1], tx
[2], tx
[3], tx
[4], tx
[5], tx
[6], tx
[7]);
883 } else if(htf
==01 || htf
==03) { //RHTS_CHALLENGE //WHTS_CHALLENGE
884 for (i
= 0; i
< 8; i
++)
885 tx
[i
]=((NrAr
>>(56-(i
*8)))&0xff);
888 tag
.pstate
= HT_AUTHENTICATE
;
890 Dbprintf("authentication failed!");
893 } else if (tag
.auth
== 0) {
894 tag
.pstate
= HT_SELECTED
;
897 } else if (tag
.pstate
== HT_AUTHENTICATE
&& rxlen
== 44) {
898 //encrypted con2,password received.
900 calc_crc(&crc
, 0x80, 1);
901 calc_crc(&crc
, ((rx
[0] & 0x0f) * 16 + ((rx
[1] & 0xf0) / 16)), 8);
902 calc_crc(&crc
, ((rx
[1] & 0x0f) * 16 + ((rx
[2] & 0xf0) / 16)), 8);
903 calc_crc(&crc
, ((rx
[2] & 0x0f) * 16 + ((rx
[3] & 0xf0) / 16)), 8);
904 calc_crc(&crc
, ((rx
[3] & 0x0f) * 16 + ((rx
[4] & 0xf0) / 16)), 8);
906 Dbprintf("UID:::%X", tag
.uid
);
907 Dbprintf("RND:::%X", rnd
);
914 if(htf
==02 || htf
==04){ //RHTS_KEY //WHTS_KEY
916 state
= hitag2_init(rev64(key
), rev32(tag
.uid
), rev32(rnd
));
917 for (i
= 0; i
< 5; i
++)
919 pwdh0
= ((rx
[1] & 0x0f) * 16 + ((rx
[2] & 0xf0) / 16))
920 ^ hitag2_byte(&state
);
921 pwdl0
= ((rx
[2] & 0x0f) * 16 + ((rx
[3] & 0xf0) / 16))
922 ^ hitag2_byte(&state
);
923 pwdl1
= ((rx
[3] & 0x0f) * 16 + ((rx
[4] & 0xf0) / 16))
924 ^ hitag2_byte(&state
);
928 Dbprintf("pwdh0 %02X pwdl0 %02X pwdl1 %02X", pwdh0
, pwdl0
, pwdl1
);
931 //Dbprintf("%X %02X", rnd, ((rx[4] & 0x0f) * 16) + ((rx[5] & 0xf0) / 16));
934 tag
.pstate
= HT_SELECTED
; //tag is now ready for read/write commands
941 * Emulates a Hitag S Tag with the given data from the .hts file
943 void SimulateHitagSTag(bool tag_mem_supplied
, byte_t
* data
) {
948 byte_t rx
[HITAG_FRAME_LEN
];
950 //bool bQuitTraceFull = false;
952 byte_t txbuf
[HITAG_FRAME_LEN
];
955 // free eventually allocated BigBuf memory
956 BigBuf_free(); BigBuf_Clear_ext(false);
958 // Clean up trace and prepare it for storing frames
962 DbpString("Starting HitagS simulation");
965 tag
.pstate
= HT_READY
;
966 tag
.tstate
= HT_NO_OP
;
967 tag
.tstate
= HT_NO_OP
;
968 for (i
= 0; i
< 16; i
++)
969 for (j
= 0; j
< 4; j
++)
970 tag
.pages
[i
][j
] = 0x0;
971 //read tag data into memory
972 if (tag_mem_supplied
) {
973 DbpString("Loading hitagS memory...");
974 memcpy((byte_t
*)tag
.pages
,data
,4*64);
976 tag
.uid
=(uint32_t)tag
.pages
[0];
977 Dbprintf("Hitag S simulation started");
978 tag
.key
=(intptr_t)tag
.pages
[3];
980 tag
.key
+=((tag
.pages
[2][0])<<8)+tag
.pages
[2][1];
981 tag
.pwdl0
=tag
.pages
[2][3];
982 tag
.pwdl1
=tag
.pages
[2][2];
983 tag
.pwdh0
=tag
.pages
[1][0];
986 if((tag
.pages
[1][3]&0x2)==0 && (tag
.pages
[1][3]&0x1)==1)
988 if((tag
.pages
[1][3]&0x2)==0 && (tag
.pages
[1][3]&0x1)==0)
992 if((tag
.pages
[1][2]&0x80)==1)
995 if((tag
.pages
[1][2]&0x2)==1)
998 if((tag
.pages
[1][2]&0x1)==1)
1001 //0=read write 1=read only
1003 if((tag
.pages
[1][1]&0x80)==1)
1006 if((tag
.pages
[1][1]&0x40)==1)
1009 if((tag
.pages
[1][1]&0x20)==1)
1012 if((tag
.pages
[1][1]&0x10)==1)
1015 if((tag
.pages
[1][1]&0x8)==1)
1018 if((tag
.pages
[1][1]&0x4)==1)
1021 if((tag
.pages
[1][1]&0x2)==1)
1024 if((tag
.pages
[1][1]&0x1)==1)
1027 // Set up simulator mode, frequency divisor which will drive the FPGA
1028 // and analog mux selection.
1029 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
1031 FPGA_MAJOR_MODE_LF_EDGE_DETECT
| FPGA_LF_EDGE_DETECT_READER_FIELD
);
1032 FpgaSendCommand(FPGA_CMD_SET_DIVISOR
, 95); //125Khz
1033 SetAdcMuxFor(GPIO_MUXSEL_LOPKD
);
1036 // Configure output pin that is connected to the FPGA (for modulating)
1037 AT91C_BASE_PIOA
->PIO_OER
= GPIO_SSC_DOUT
;
1038 AT91C_BASE_PIOA
->PIO_PER
= GPIO_SSC_DOUT
;
1040 // Disable modulation at default, which means release resistance
1043 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1044 AT91C_BASE_PMC
->PMC_PCER
= (1 << AT91C_ID_TC0
);
1046 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
1047 AT91C_BASE_PMC
->PMC_PCER
= (1 << AT91C_ID_TC1
);
1048 AT91C_BASE_PIOA
->PIO_BSR
= GPIO_SSC_FRAME
;
1050 // Disable timer during configuration
1051 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
1053 // Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1054 // external trigger rising edge, load RA on rising edge of TIOA.
1055 AT91C_BASE_TC1
->TC_CMR
= AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1056 | AT91C_TC_ETRGEDG_RISING
| AT91C_TC_ABETRG
| AT91C_TC_LDRA_RISING
;
1058 // Reset the received frame, frame count and timing info
1059 memset(rx
, 0x00, sizeof(rx
));
1064 // Enable and reset counter
1065 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
1067 while (!BUTTON_PRESS()) {
1071 // Receive frame, watch for at most T0*EOF periods
1072 while (AT91C_BASE_TC1
->TC_CV
< T0
* HITAG_T_EOF
) {
1073 // Check if rising edge in modulation is detected
1074 if (AT91C_BASE_TC1
->TC_SR
& AT91C_TC_LDRAS
) {
1075 // Retrieve the new timing values
1076 int ra
= (AT91C_BASE_TC1
->TC_RA
/ T0
) + overflow
;
1079 // Reset timer every frame, we have to capture the last edge for timing
1080 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
1084 // Capture reader frame
1085 if (ra
>= HITAG_T_STOP
) {
1087 //DbpString("wierd0?");
1089 // Capture the T0 periods that have passed since last communication or field drop (reset)
1090 response
= (ra
- HITAG_T_LOW
);
1091 } else if (ra
>= HITAG_T_1_MIN
) {
1093 rx
[rxlen
/ 8] |= 1 << (7 - (rxlen
% 8));
1095 } else if (ra
>= HITAG_T_0_MIN
) {
1097 rx
[rxlen
/ 8] |= 0 << (7 - (rxlen
% 8));
1100 // Ignore wierd value, is to small to mean anything
1105 // Check if frame was captured
1109 if (!LogTraceHitag(rx
, rxlen
, response
, 0, true)) {
1110 DbpString("Trace full");
1115 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1116 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
1118 // Process the incoming frame (rx) and prepare the outgoing frame (tx)
1119 hitagS_handle_reader_command(rx
, rxlen
, tx
, &txlen
);
1121 // Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
1122 // not that since the clock counts since the rising edge, but T_Wait1 is
1123 // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
1124 // periods. The gap time T_Low varies (4..10). All timer values are in
1125 // terms of T0 units
1126 while (AT91C_BASE_TC0
->TC_CV
< T0
* (HITAG_T_WAIT_1
- HITAG_T_LOW
))
1129 // Send and store the tag answer (if there is any)
1131 // Transmit the tag frame
1132 hitag_send_frame(tx
, txlen
);
1133 // Store the frame in the trace
1135 if (!LogTraceHitag(tx
, txlen
, 0, 0, false)) {
1136 DbpString("Trace full");
1142 // Reset the received frame and response timing info
1143 memset(rx
, 0x00, sizeof(rx
));
1146 // Enable and reset external trigger in timer for capturing future frames
1147 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
1150 // Reset the frame length
1152 // Save the timer overflow, will be 0 when frame was received
1153 overflow
+= (AT91C_BASE_TC1
->TC_CV
/ T0
);
1154 // Reset the timer to restart while-loop that receives frames
1155 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_SWTRG
;
1159 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
1160 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKDIS
;
1161 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1165 * Authenticates to the Tag with the given key or challenge.
1166 * If the key was given the password will be decrypted.
1167 * Reads every page of a hitag S transpoder.
1169 void ReadHitagS(hitag_function htf
, hitag_data
* htd
) {
1172 int response_bit
[200];
1174 byte_t rx
[HITAG_FRAME_LEN
];
1176 byte_t txbuf
[HITAG_FRAME_LEN
];
1183 int t_wait
= HITAG_T_WAIT_MAX
;
1185 bool bQuitTraceFull
= false;
1187 unsigned char mask
= 1;
1189 unsigned char pageData
[32];
1190 page_to_be_written
= 0;
1192 //read given key/challenge
1198 case 01: { //RHTS_CHALLENGE
1199 DbpString("Authenticating using nr,ar pair:");
1200 memcpy(NrAr_
,htd
->auth
.NrAr
,8);
1201 Dbhexdump(8,NrAr_
,false);
1202 NrAr
=NrAr_
[7] | ((uint64_t)NrAr_
[6]) << 8 | ((uint64_t)NrAr_
[5]) << 16 | ((uint64_t)NrAr_
[4]) << 24 | ((uint64_t)NrAr_
[3]) << 32 |
1203 ((uint64_t)NrAr_
[2]) << 40| ((uint64_t)NrAr_
[1]) << 48 | ((uint64_t)NrAr_
[0]) << 56;
1205 case 02: { //RHTS_KEY
1206 DbpString("Authenticating using key:");
1207 memcpy(key_
,htd
->crypto
.key
,6);
1208 Dbhexdump(6,key_
,false);
1209 key
=key_
[5] | ((uint64_t)key_
[4]) << 8 | ((uint64_t)key_
[3]) << 16 | ((uint64_t)key_
[2]) << 24 | ((uint64_t)key_
[1]) << 32 | ((uint64_t)key_
[0]) << 40;
1212 Dbprintf("Error , unknown function: %d",htf
);
1219 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
1220 // Reset the return status
1221 bSuccessful
= false;
1223 // Clean up trace and prepare it for storing frames
1228 bQuitTraceFull
= true;
1232 // Configure output and enable pin that is connected to the FPGA (for modulating)
1233 AT91C_BASE_PIOA
->PIO_OER
= GPIO_SSC_DOUT
;
1234 AT91C_BASE_PIOA
->PIO_PER
= GPIO_SSC_DOUT
;
1236 // Set fpga in edge detect with reader field, we can modulate as reader now
1238 FPGA_MAJOR_MODE_LF_EDGE_DETECT
| FPGA_LF_EDGE_DETECT_READER_FIELD
);
1240 // Set Frequency divisor which will drive the FPGA and analog mux selection
1241 FpgaSendCommand(FPGA_CMD_SET_DIVISOR
, 95); //125Khz
1242 SetAdcMuxFor(GPIO_MUXSEL_LOPKD
);
1245 // Disable modulation at default, which means enable the field
1248 // Give it a bit of time for the resonant antenna to settle.
1251 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1252 AT91C_BASE_PMC
->PMC_PCER
= (1 << AT91C_ID_TC0
);
1254 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1255 AT91C_BASE_PMC
->PMC_PCER
= (1 << AT91C_ID_TC1
);
1256 AT91C_BASE_PIOA
->PIO_BSR
= GPIO_SSC_FRAME
;
1258 // Disable timer during configuration
1259 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
1261 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1262 // external trigger rising edge, load RA on falling edge of TIOA.
1263 AT91C_BASE_TC1
->TC_CMR
= AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1265 | AT91C_TC_ETRGEDG_FALLING
| AT91C_TC_ABETRG
| AT91C_TC_LDRA_FALLING
;
1267 // Enable and reset counters
1268 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
1269 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
1271 // Reset the received frame, frame count and timing info
1280 while (!bStop
&& !BUTTON_PRESS()) {
1284 // Check if frame was captured and store it
1288 if (!LogTraceHitag(rx
, rxlen
, response
, 0, false)) {
1289 DbpString("Trace full");
1290 if (bQuitTraceFull
) {
1299 // By default reset the transmission buffer
1304 //start authentication
1306 memcpy(tx
, "\xc0", nbytes(txlen
));
1307 tag
.pstate
= HT_READY
;
1308 tag
.tstate
= HT_NO_OP
;
1309 } else if (tag
.pstate
!= HT_SELECTED
) {
1310 if (hitagS_handle_tag_auth(htf
, key
,NrAr
,rx
, rxlen
, tx
, &txlen
) == -1)
1313 if (tag
.pstate
== HT_SELECTED
&& tag
.tstate
== HT_NO_OP
&& rxlen
> 0) {
1315 tag
.tstate
= HT_READING_PAGE
;
1318 tx
[0] = 0xc0 + (sendNum
/ 16);
1319 calc_crc(&crc
, tx
[0], 8);
1320 calc_crc(&crc
, 0x00 + ((sendNum
% 16) * 16), 4);
1321 tx
[1] = 0x00 + ((sendNum
% 16) * 16) + (crc
/ 16);
1322 tx
[2] = 0x00 + (crc
% 16) * 16;
1323 } else if (tag
.pstate
== HT_SELECTED
&& tag
.tstate
== HT_READING_PAGE
1325 //save received data
1327 for (i
= 0; i
< 5; i
++) {
1328 for (j
= 0; j
< 8; j
++) {
1329 response_bit
[z
] = 0;
1330 if ((rx
[i
] & ((mask
<< 7) >> j
)) != 0)
1331 response_bit
[z
] = 1;
1336 for (i
= 4; i
< 36; i
++) {
1337 pageData
[k
] = response_bit
[i
];
1340 for (i
= 0; i
< 4; i
++)
1341 tag
.pages
[sendNum
/ 4][sendNum
% 4] = 0x0;
1342 for (i
= 0; i
< 4; i
++) {
1343 tag
.pages
[sendNum
/ 4][sendNum
% 4] += ((pageData
[i
* 8] << 7)
1344 | (pageData
[1 + (i
* 8)] << 6)
1345 | (pageData
[2 + (i
* 8)] << 5)
1346 | (pageData
[3 + (i
* 8)] << 4)
1347 | (pageData
[4 + (i
* 8)] << 3)
1348 | (pageData
[5 + (i
* 8)] << 2)
1349 | (pageData
[6 + (i
* 8)] << 1) | pageData
[7 + (i
* 8)])
1352 if (tag
.auth
&& tag
.LKP
&& sendNum
== 1) {
1353 Dbprintf("Page[%2d]: %02X %02X %02X %02X", sendNum
, pwdh0
,
1354 (tag
.pages
[sendNum
/ 4][sendNum
% 4] >> 16) & 0xff,
1355 (tag
.pages
[sendNum
/ 4][sendNum
% 4] >> 8) & 0xff,
1356 tag
.pages
[sendNum
/ 4][sendNum
% 4] & 0xff);
1358 Dbprintf("Page[%2d]: %02X %02X %02X %02X", sendNum
,
1359 (tag
.pages
[sendNum
/ 4][sendNum
% 4] >> 24) & 0xff,
1360 (tag
.pages
[sendNum
/ 4][sendNum
% 4] >> 16) & 0xff,
1361 (tag
.pages
[sendNum
/ 4][sendNum
% 4] >> 8) & 0xff,
1362 tag
.pages
[sendNum
/ 4][sendNum
% 4] & 0xff);
1366 //display key and password if possible
1367 if (sendNum
== 2 && tag
.auth
== 1 && tag
.LKP
) {
1368 if (htf
== 02) { //RHTS_KEY
1369 Dbprintf("Page[ 2]: %02X %02X %02X %02X",
1370 (byte_t
)(key
>> 8) & 0xff,
1371 (byte_t
) key
& 0xff, pwdl1
, pwdl0
);
1372 Dbprintf("Page[ 3]: %02X %02X %02X %02X",
1373 (byte_t
)(key
>> 40) & 0xff,
1374 (byte_t
)(key
>> 32) & 0xff,
1375 (byte_t
)(key
>> 24) & 0xff,
1376 (byte_t
)(key
>> 16) & 0xff);
1378 //if the authentication is done with a challenge the key and password are unknown
1379 Dbprintf("Page[ 2]: __ __ __ __");
1380 Dbprintf("Page[ 3]: __ __ __ __");
1386 tx
[0] = 0xc0 + (sendNum
/ 16);
1387 calc_crc(&crc
, tx
[0], 8);
1388 calc_crc(&crc
, 0x00 + ((sendNum
% 16) * 16), 4);
1389 tx
[1] = 0x00 + ((sendNum
% 16) * 16) + (crc
/ 16);
1390 tx
[2] = 0x00 + (crc
% 16) * 16;
1391 if (sendNum
>= tag
.max_page
) {
1396 // Send and store the reader command
1397 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1398 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
1400 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1401 // Since the clock counts since the last falling edge, a 'one' means that the
1402 // falling edge occured halfway the period. with respect to this falling edge,
1403 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1404 // All timer values are in terms of T0 units
1406 while (AT91C_BASE_TC0
->TC_CV
1407 < T0
* (t_wait
+ (HITAG_T_TAG_HALF_PERIOD
* lastbit
)))
1410 // Transmit the reader frame
1411 hitag_reader_send_frame(tx
, txlen
);
1413 // Enable and reset external trigger in timer for capturing future frames
1414 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
1416 // Add transmitted frame to total count
1420 // Store the frame in the trace
1421 if (!LogTraceHitag(tx
, txlen
, HITAG_T_WAIT_2
, 0, true)) {
1422 if (bQuitTraceFull
) {
1423 DbpString("Trace full");
1432 // Reset values for receiving frames
1433 memset(rx
, 0x00, sizeof(rx
));
1437 tag_sof
= reset_sof
;
1440 // Receive frame, watch for at most T0*EOF periods
1441 while (AT91C_BASE_TC1
->TC_CV
< T0
* HITAG_T_WAIT_MAX
) {
1442 // Check if falling edge in tag modulation is detected
1443 if (AT91C_BASE_TC1
->TC_SR
& AT91C_TC_LDRAS
) {
1444 // Retrieve the new timing values
1445 int ra
= (AT91C_BASE_TC1
->TC_RA
/ T0
);
1447 // Reset timer every frame, we have to capture the last edge for timing
1448 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_SWTRG
;
1452 // Capture tag frame (manchester decoding using only falling edges)
1453 if (ra
>= HITAG_T_EOF
) {
1455 //DbpString("wierd1?");
1457 // Capture the T0 periods that have passed since last communication or field drop (reset)
1458 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
1459 response
= ra
- HITAG_T_TAG_HALF_PERIOD
;
1460 } else if (ra
>= HITAG_T_TAG_CAPTURE_FOUR_HALF
) {
1461 // Manchester coding example |-_|_-|-_| (101)
1462 rx
[rxlen
/ 8] |= 0 << (7 - (rxlen
% 8));
1464 rx
[rxlen
/ 8] |= 1 << (7 - (rxlen
% 8));
1466 } else if (ra
>= HITAG_T_TAG_CAPTURE_THREE_HALF
) {
1467 // Manchester coding example |_-|...|_-|-_| (0...01)
1468 rx
[rxlen
/ 8] |= 0 << (7 - (rxlen
% 8));
1470 // We have to skip this half period at start and add the 'one' the second time
1472 rx
[rxlen
/ 8] |= 1 << (7 - (rxlen
% 8));
1477 } else if (ra
>= HITAG_T_TAG_CAPTURE_TWO_HALF
) {
1478 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
1480 // Ignore bits that are transmitted during SOF
1483 // bit is same as last bit
1484 rx
[rxlen
/ 8] |= lastbit
<< (7 - (rxlen
% 8));
1488 // Ignore wierd value, is to small to mean anything
1492 // We can break this loop if we received the last bit from a frame
1493 if (AT91C_BASE_TC1
->TC_CV
> T0
* HITAG_T_EOF
) {
1502 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
1503 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKDIS
;
1504 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1505 cmd_send(CMD_ACK
, bSuccessful
, 0, 0, 0, 0);
1509 * Authenticates to the Tag with the given Key or Challenge.
1510 * Writes the given 32Bit data into page_
1512 void WritePageHitagS(hitag_function htf
, hitag_data
* htd
,int page_
) {
1515 byte_t rx
[HITAG_FRAME_LEN
];
1517 byte_t txbuf
[HITAG_FRAME_LEN
];
1524 int t_wait
= HITAG_T_WAIT_MAX
;
1526 bool bQuitTraceFull
= false;
1529 byte_t data
[4]= {0,0,0,0};
1531 //read given key/challenge, the page and the data
1537 case 03: { //WHTS_CHALLENGE
1538 memcpy(data
,htd
->auth
.data
,4);
1539 DbpString("Authenticating using nr,ar pair:");
1540 memcpy(NrAr_
,htd
->auth
.NrAr
,8);
1541 Dbhexdump(8,NrAr_
,false);
1542 NrAr
=NrAr_
[7] | ((uint64_t)NrAr_
[6]) << 8 | ((uint64_t)NrAr_
[5]) << 16 | ((uint64_t)NrAr_
[4]) << 24 | ((uint64_t)NrAr_
[3]) << 32 |
1543 ((uint64_t)NrAr_
[2]) << 40| ((uint64_t)NrAr_
[1]) << 48 | ((uint64_t)NrAr_
[0]) << 56;
1545 case 04: { //WHTS_KEY
1546 memcpy(data
,htd
->crypto
.data
,4);
1547 DbpString("Authenticating using key:");
1548 memcpy(key_
,htd
->crypto
.key
,6);
1549 Dbhexdump(6,key_
,false);
1550 key
=key_
[5] | ((uint64_t)key_
[4]) << 8 | ((uint64_t)key_
[3]) << 16 | ((uint64_t)key_
[2]) << 24 | ((uint64_t)key_
[1]) << 32 | ((uint64_t)key_
[0]) << 40;
1553 Dbprintf("Error , unknown function: %d",htf
);
1558 Dbprintf("Page: %d",page_
);
1559 Dbprintf("DATA: %02X %02X %02X %02X", data
[0], data
[1], data
[2], data
[3]);
1560 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
1561 // Reset the return status
1562 bSuccessful
= false;
1564 tag
.pstate
= HT_READY
;
1565 tag
.tstate
= HT_NO_OP
;
1567 // Clean up trace and prepare it for storing frames
1572 bQuitTraceFull
= true;
1576 // Configure output and enable pin that is connected to the FPGA (for modulating)
1577 AT91C_BASE_PIOA
->PIO_OER
= GPIO_SSC_DOUT
;
1578 AT91C_BASE_PIOA
->PIO_PER
= GPIO_SSC_DOUT
;
1580 // Set fpga in edge detect with reader field, we can modulate as reader now
1582 FPGA_MAJOR_MODE_LF_EDGE_DETECT
| FPGA_LF_EDGE_DETECT_READER_FIELD
);
1584 // Set Frequency divisor which will drive the FPGA and analog mux selection
1585 FpgaSendCommand(FPGA_CMD_SET_DIVISOR
, 95); //125Khz
1586 SetAdcMuxFor(GPIO_MUXSEL_LOPKD
);
1589 // Disable modulation at default, which means enable the field
1592 // Give it a bit of time for the resonant antenna to settle.
1595 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1596 AT91C_BASE_PMC
->PMC_PCER
= (1 << AT91C_ID_TC0
);
1598 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1599 AT91C_BASE_PMC
->PMC_PCER
= (1 << AT91C_ID_TC1
);
1600 AT91C_BASE_PIOA
->PIO_BSR
= GPIO_SSC_FRAME
;
1602 // Disable timer during configuration
1603 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
1605 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1606 // external trigger rising edge, load RA on falling edge of TIOA.
1607 AT91C_BASE_TC1
->TC_CMR
= AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1608 | AT91C_TC_ETRGEDG_FALLING
| AT91C_TC_ABETRG
1609 | AT91C_TC_LDRA_FALLING
;
1611 // Enable and reset counters
1612 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
1613 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
1615 // Reset the received frame, frame count and timing info
1624 while (!bStop
&& !BUTTON_PRESS()) {
1628 // Check if frame was captured and store it
1632 if (!LogTraceHitag(rx
, rxlen
, response
, 0, false)) {
1633 DbpString("Trace full");
1634 if (bQuitTraceFull
) {
1643 //check for valid input
1646 "usage: lf hitag writer [03 | 04] [CHALLENGE | KEY] [page] [byte0] [byte1] [byte2] [byte3]");
1650 // By default reset the transmission buffer
1654 if (rxlen
== 0 && tag
.tstate
== HT_WRITING_PAGE_ACK
) {
1655 //no write access on this page
1656 Dbprintf("no write access on page %d", page_
);
1658 } else if (rxlen
== 0 && tag
.tstate
!= HT_WRITING_PAGE_DATA
) {
1659 //start the authetication
1661 memcpy(tx
, "\xc0", nbytes(txlen
));
1662 tag
.pstate
= HT_READY
;
1663 tag
.tstate
= HT_NO_OP
;
1664 } else if (tag
.pstate
!= HT_SELECTED
) {
1665 //try to authenticate with the given key or challenge
1666 if (hitagS_handle_tag_auth(htf
,key
,NrAr
,rx
, rxlen
, tx
, &txlen
) == -1)
1669 if (tag
.pstate
== HT_SELECTED
&& tag
.tstate
== HT_NO_OP
&& rxlen
> 0) {
1670 //check if the given page exists
1671 if (page
> tag
.max_page
) {
1672 Dbprintf("page number too big");
1675 //ask Tag for write permission
1676 tag
.tstate
= HT_WRITING_PAGE_ACK
;
1679 tx
[0] = 0x90 + (page
/ 16);
1680 calc_crc(&crc
, tx
[0], 8);
1681 calc_crc(&crc
, 0x00 + ((page
% 16) * 16), 4);
1682 tx
[1] = 0x00 + ((page
% 16) * 16) + (crc
/ 16);
1683 tx
[2] = 0x00 + (crc
% 16) * 16;
1684 } else if (tag
.pstate
== HT_SELECTED
&& tag
.tstate
== HT_WRITING_PAGE_ACK
1685 && rxlen
== 6 && rx
[0] == 0xf4) {
1686 //ACK recieved to write the page. send data
1687 tag
.tstate
= HT_WRITING_PAGE_DATA
;
1690 calc_crc(&crc
, data
[3], 8);
1691 calc_crc(&crc
, data
[2], 8);
1692 calc_crc(&crc
, data
[1], 8);
1693 calc_crc(&crc
, data
[0], 8);
1699 } else if (tag
.pstate
== HT_SELECTED
&& tag
.tstate
== HT_WRITING_PAGE_DATA
1700 && rxlen
== 6 && rx
[0] == 0xf4) {
1702 Dbprintf("Successful!");
1706 // Send and store the reader command
1707 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1708 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
1710 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1711 // Since the clock counts since the last falling edge, a 'one' means that the
1712 // falling edge occured halfway the period. with respect to this falling edge,
1713 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1714 // All timer values are in terms of T0 units
1716 while (AT91C_BASE_TC0
->TC_CV
1717 < T0
* (t_wait
+ (HITAG_T_TAG_HALF_PERIOD
* lastbit
)))
1720 // Transmit the reader frame
1721 hitag_reader_send_frame(tx
, txlen
);
1723 // Enable and reset external trigger in timer for capturing future frames
1724 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
1726 // Add transmitted frame to total count
1730 // Store the frame in the trace
1731 if (!LogTraceHitag(tx
, txlen
, HITAG_T_WAIT_2
, 0, true)) {
1732 if (bQuitTraceFull
) {
1733 DbpString("Trace full");
1742 // Reset values for receiving frames
1743 memset(rx
, 0x00, sizeof(rx
));
1747 tag_sof
= reset_sof
;
1750 // Receive frame, watch for at most T0*EOF periods
1751 while (AT91C_BASE_TC1
->TC_CV
< T0
* HITAG_T_WAIT_MAX
) {
1752 // Check if falling edge in tag modulation is detected
1753 if (AT91C_BASE_TC1
->TC_SR
& AT91C_TC_LDRAS
) {
1754 // Retrieve the new timing values
1755 int ra
= (AT91C_BASE_TC1
->TC_RA
/ T0
);
1757 // Reset timer every frame, we have to capture the last edge for timing
1758 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_SWTRG
;
1762 // Capture tag frame (manchester decoding using only falling edges)
1763 if (ra
>= HITAG_T_EOF
) {
1765 //DbpString("wierd1?");
1767 // Capture the T0 periods that have passed since last communication or field drop (reset)
1768 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
1769 response
= ra
- HITAG_T_TAG_HALF_PERIOD
;
1770 } else if (ra
>= HITAG_T_TAG_CAPTURE_FOUR_HALF
) {
1771 // Manchester coding example |-_|_-|-_| (101)
1772 rx
[rxlen
/ 8] |= 0 << (7 - (rxlen
% 8));
1774 rx
[rxlen
/ 8] |= 1 << (7 - (rxlen
% 8));
1776 } else if (ra
>= HITAG_T_TAG_CAPTURE_THREE_HALF
) {
1777 // Manchester coding example |_-|...|_-|-_| (0...01)
1778 rx
[rxlen
/ 8] |= 0 << (7 - (rxlen
% 8));
1780 // We have to skip this half period at start and add the 'one' the second time
1782 rx
[rxlen
/ 8] |= 1 << (7 - (rxlen
% 8));
1787 } else if (ra
>= HITAG_T_TAG_CAPTURE_TWO_HALF
) {
1788 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
1790 // Ignore bits that are transmitted during SOF
1793 // bit is same as last bit
1794 rx
[rxlen
/ 8] |= lastbit
<< (7 - (rxlen
% 8));
1798 // Ignore wierd value, is to small to mean anything
1802 // We can break this loop if we received the last bit from a frame
1803 if (AT91C_BASE_TC1
->TC_CV
> T0
* HITAG_T_EOF
) {
1812 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
1813 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKDIS
;
1814 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1815 cmd_send(CMD_ACK
, bSuccessful
, 0, 0, 0, 0);
1819 * Tries to authenticate to a Hitag S Transponder with the given challenges from a .cc file.
1820 * Displays all Challenges that failed.
1821 * When collecting Challenges to break the key it is possible that some data
1822 * is not received correctly due to Antenna problems. This function
1823 * detects these challenges.
1825 void check_challenges(bool file_given
, byte_t
* data
) {
1830 byte_t rx
[HITAG_FRAME_LEN
];
1831 byte_t unlocker
[60][8];
1834 byte_t txbuf
[HITAG_FRAME_LEN
];
1841 int t_wait
= HITAG_T_WAIT_MAX
;
1844 bool bQuitTraceFull
= false;
1845 int response_bit
[200];
1846 unsigned char mask
= 1;
1847 unsigned char uid
[32];
1850 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
1851 // Reset the return status
1852 bSuccessful
= false;
1854 // Clean up trace and prepare it for storing frames
1859 bQuitTraceFull
= true;
1863 // Configure output and enable pin that is connected to the FPGA (for modulating)
1864 AT91C_BASE_PIOA
->PIO_OER
= GPIO_SSC_DOUT
;
1865 AT91C_BASE_PIOA
->PIO_PER
= GPIO_SSC_DOUT
;
1867 // Set fpga in edge detect with reader field, we can modulate as reader now
1869 FPGA_MAJOR_MODE_LF_EDGE_DETECT
| FPGA_LF_EDGE_DETECT_READER_FIELD
);
1871 // Set Frequency divisor which will drive the FPGA and analog mux selection
1872 FpgaSendCommand(FPGA_CMD_SET_DIVISOR
, 95); //125Khz
1873 SetAdcMuxFor(GPIO_MUXSEL_LOPKD
);
1876 // Disable modulation at default, which means enable the field
1879 // Give it a bit of time for the resonant antenna to settle.
1882 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1883 AT91C_BASE_PMC
->PMC_PCER
= (1 << AT91C_ID_TC0
);
1885 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1886 AT91C_BASE_PMC
->PMC_PCER
= (1 << AT91C_ID_TC1
);
1887 AT91C_BASE_PIOA
->PIO_BSR
= GPIO_SSC_FRAME
;
1889 // Disable timer during configuration
1890 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
1892 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1893 // external trigger rising edge, load RA on falling edge of TIOA.
1894 AT91C_BASE_TC1
->TC_CMR
= AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1896 | AT91C_TC_ETRGEDG_FALLING
| AT91C_TC_ABETRG
| AT91C_TC_LDRA_FALLING
;
1898 // Enable and reset counters
1899 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
1900 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
1902 // Reset the received frame, frame count and timing info
1912 DbpString("Loading challenges...");
1913 memcpy((byte_t
*)unlocker
,data
,60*8);
1916 while (file_given
&& !bStop
&& !BUTTON_PRESS()) {
1920 // Check if frame was captured and store it
1924 if (!LogTraceHitag(rx
, rxlen
, response
, 0, false)) {
1925 DbpString("Trace full");
1926 if (bQuitTraceFull
) {
1940 Dbprintf("Challenge failed: %02X %02X %02X %02X %02X %02X %02X %02X",
1941 unlocker
[u1
- 1][0], unlocker
[u1
- 1][1],
1942 unlocker
[u1
- 1][2], unlocker
[u1
- 1][3],
1943 unlocker
[u1
- 1][4], unlocker
[u1
- 1][5],
1944 unlocker
[u1
- 1][6], unlocker
[u1
- 1][7]);
1947 //start new authentication
1948 memcpy(tx
, "\xc0", nbytes(txlen
));
1949 } else if (rxlen
>= 67 && STATE
== 0) {
1952 for (i
= 0; i
< 10; i
++) {
1953 for (j
= 0; j
< 8; j
++) {
1954 response_bit
[z
] = 0;
1955 if ((rx
[i
] & ((mask
<< 7) >> j
)) != 0)
1956 response_bit
[z
] = 1;
1961 for (i
= 5; i
< z
; i
+= 2) {
1962 uid
[k
] = response_bit
[i
];
1967 uid_byte
[0] = (uid
[0] << 7) | (uid
[1] << 6) | (uid
[2] << 5)
1968 | (uid
[3] << 4) | (uid
[4] << 3) | (uid
[5] << 2)
1969 | (uid
[6] << 1) | uid
[7];
1970 uid_byte
[1] = (uid
[8] << 7) | (uid
[9] << 6) | (uid
[10] << 5)
1971 | (uid
[11] << 4) | (uid
[12] << 3) | (uid
[13] << 2)
1972 | (uid
[14] << 1) | uid
[15];
1973 uid_byte
[2] = (uid
[16] << 7) | (uid
[17] << 6) | (uid
[18] << 5)
1974 | (uid
[19] << 4) | (uid
[20] << 3) | (uid
[21] << 2)
1975 | (uid
[22] << 1) | uid
[23];
1976 uid_byte
[3] = (uid
[24] << 7) | (uid
[25] << 6) | (uid
[26] << 5)
1977 | (uid
[27] << 4) | (uid
[28] << 3) | (uid
[29] << 2)
1978 | (uid
[30] << 1) | uid
[31];
1979 //Dbhexdump(10, rx, rxlen);
1983 calc_crc(&crc
, 0x00, 5);
1984 calc_crc(&crc
, uid_byte
[0], 8);
1985 calc_crc(&crc
, uid_byte
[1], 8);
1986 calc_crc(&crc
, uid_byte
[2], 8);
1987 calc_crc(&crc
, uid_byte
[3], 8);
1988 for (i
= 0; i
< 100; i
++) {
1989 response_bit
[i
] = 0;
1991 for (i
= 0; i
< 5; i
++) {
1992 response_bit
[i
] = 0;
1994 for (i
= 5; i
< 37; i
++) {
1995 response_bit
[i
] = uid
[i
- 5];
1997 for (j
= 0; j
< 8; j
++) {
1998 response_bit
[i
] = 0;
1999 if ((crc
& ((mask
<< 7) >> j
)) != 0)
2000 response_bit
[i
] = 1;
2004 for (i
= 0; i
< 6; i
++) {
2005 tx
[i
] = (response_bit
[k
] << 7) | (response_bit
[k
+ 1] << 6)
2006 | (response_bit
[k
+ 2] << 5)
2007 | (response_bit
[k
+ 3] << 4)
2008 | (response_bit
[k
+ 4] << 3)
2009 | (response_bit
[k
+ 5] << 2)
2010 | (response_bit
[k
+ 6] << 1) | response_bit
[k
+ 7];
2014 } else if (STATE
== 1 && rxlen
== 44) {
2015 //received configuration
2018 for (i
= 0; i
< 6; i
++) {
2019 for (j
= 0; j
< 8; j
++) {
2020 response_bit
[z
] = 0;
2021 if ((rx
[i
] & ((mask
<< 7) >> j
)) != 0)
2022 response_bit
[z
] = 1;
2028 if (u1
>= (sizeof(unlocker
) / sizeof(unlocker
[0])))
2030 for (i
= 0; i
< 8; i
++)
2031 tx
[i
] = unlocker
[u1
][i
];
2034 } else if (STATE
== 2 && rxlen
>= 44) {
2038 // Send and store the reader command
2039 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2040 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
2042 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2043 // Since the clock counts since the last falling edge, a 'one' means that the
2044 // falling edge occured halfway the period. with respect to this falling edge,
2045 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2046 // All timer values are in terms of T0 units
2048 while (AT91C_BASE_TC0
->TC_CV
2049 < T0
* (t_wait
+ (HITAG_T_TAG_HALF_PERIOD
* lastbit
)))
2052 // Transmit the reader frame
2053 hitag_reader_send_frame(tx
, txlen
);
2055 // Enable and reset external trigger in timer for capturing future frames
2056 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKEN
| AT91C_TC_SWTRG
;
2058 // Add transmitted frame to total count
2062 // Store the frame in the trace
2063 if (!LogTraceHitag(tx
, txlen
, HITAG_T_WAIT_2
, 0, true)) {
2064 if (bQuitTraceFull
) {
2065 DbpString("Trace full");
2074 // Reset values for receiving frames
2075 memset(rx
, 0x00, sizeof(rx
));
2079 tag_sof
= reset_sof
;
2082 // Receive frame, watch for at most T0*EOF periods
2083 while (AT91C_BASE_TC1
->TC_CV
< T0
* HITAG_T_WAIT_MAX
) {
2084 // Check if falling edge in tag modulation is detected
2085 if (AT91C_BASE_TC1
->TC_SR
& AT91C_TC_LDRAS
) {
2086 // Retrieve the new timing values
2087 int ra
= (AT91C_BASE_TC1
->TC_RA
/ T0
);
2089 // Reset timer every frame, we have to capture the last edge for timing
2090 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_SWTRG
;
2094 // Capture tag frame (manchester decoding using only falling edges)
2095 if (ra
>= HITAG_T_EOF
) {
2097 //DbpString("wierd1?");
2099 // Capture the T0 periods that have passed since last communication or field drop (reset)
2100 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
2101 response
= ra
- HITAG_T_TAG_HALF_PERIOD
;
2102 } else if (ra
>= HITAG_T_TAG_CAPTURE_FOUR_HALF
) {
2103 // Manchester coding example |-_|_-|-_| (101)
2104 rx
[rxlen
/ 8] |= 0 << (7 - (rxlen
% 8));
2106 rx
[rxlen
/ 8] |= 1 << (7 - (rxlen
% 8));
2108 } else if (ra
>= HITAG_T_TAG_CAPTURE_THREE_HALF
) {
2109 // Manchester coding example |_-|...|_-|-_| (0...01)
2110 rx
[rxlen
/ 8] |= 0 << (7 - (rxlen
% 8));
2112 // We have to skip this half period at start and add the 'one' the second time
2114 rx
[rxlen
/ 8] |= 1 << (7 - (rxlen
% 8));
2119 } else if (ra
>= HITAG_T_TAG_CAPTURE_TWO_HALF
) {
2120 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
2122 // Ignore bits that are transmitted during SOF
2125 // bit is same as last bit
2126 rx
[rxlen
/ 8] |= lastbit
<< (7 - (rxlen
% 8));
2130 // Ignore wierd value, is to small to mean anything
2134 // We can break this loop if we received the last bit from a frame
2135 if (AT91C_BASE_TC1
->TC_CV
> T0
* HITAG_T_EOF
) {
2143 AT91C_BASE_TC1
->TC_CCR
= AT91C_TC_CLKDIS
;
2144 AT91C_BASE_TC0
->TC_CCR
= AT91C_TC_CLKDIS
;
2145 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
2146 cmd_send(CMD_ACK
, bSuccessful
, 0, 0, 0, 0);