]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/hitagS.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
FIX: Some Coverity Scan warnings. fread, not initialised etc etc
[proxmark3-svn] / armsrc / hitagS.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // HitagS emulation (preliminary test version)
7 //
8 // (c) 2016 Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg
9 // <info@os-s.de>
10 //-----------------------------------------------------------------------------
11 // Some code was copied from Hitag2.c
12 //-----------------------------------------------------------------------------
13 #include <stdio.h>
14 #include <stdlib.h>
15 #include "proxmark3.h"
16 #include "apps.h"
17 #include "util.h"
18 #include "hitagS.h"
19 #include "hitag2.h"
20 #include "string.h"
21 #include "BigBuf.h"
22
23 #define CRC_PRESET 0xFF
24 #define CRC_POLYNOM 0x1D
25
26 #define u8 uint8_t
27 #define u32 uint32_t
28 #define u64 uint64_t
29 #define rev8(x) ((((x)>>7)&1)+((((x)>>6)&1)<<1)+((((x)>>5)&1)<<2)+((((x)>>4)&1)<<3)+((((x)>>3)&1)<<4)+((((x)>>2)&1)<<5)+((((x)>>1)&1)<<6)+(((x)&1)<<7))
30 #define rev16(x) (rev8 (x)+(rev8 (x>> 8)<< 8))
31 #define rev32(x) (rev16(x)+(rev16(x>>16)<<16))
32 #define rev64(x) (rev32(x)+(rev32(x>>32)<<32))
33 #define bit(x,n) (((x)>>(n))&1)
34 #define bit32(x,n) ((((x)[(n)>>5])>>((n)))&1)
35 #define inv32(x,i,n) ((x)[(i)>>5]^=((u32)(n))<<((i)&31))
36 #define rotl64(x, n) ((((u64)(x))<<((n)&63))+(((u64)(x))>>((0-(n))&63)))
37
38 static bool bQuiet;
39 static bool bSuccessful;
40 static struct hitagS_tag tag;
41 static byte_t page_to_be_written = 0;
42 static int block_data_left = 0;
43 typedef enum modulation {
44 AC2K = 0,
45 AC4K,
46 MC4K,
47 MC8K
48 } MOD;
49 static MOD m = AC2K; //used modulation
50 static uint32_t temp_uid;
51 static int temp2 = 0;
52 static int sof_bits; //number of start-of-frame bits
53 static byte_t pwdh0, pwdl0, pwdl1; //password bytes
54 static uint32_t rnd = 0x74124485; //randomnumber
55 static int test = 0;
56 size_t blocknr;
57 bool end=false;
58
59 // Single bit Hitag2 functions:
60 #define i4(x,a,b,c,d) ((u32)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
61 static const u32 ht2_f4a = 0x2C79; // 0010 1100 0111 1001
62 static const u32 ht2_f4b = 0x6671; // 0110 0110 0111 0001
63 static const u32 ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
64 #define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b))
65 #define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b)))
66 #define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c))))
67 #define uf20bs u32
68
69 static u32 f20(const u64 x) {
70 u32 i5;
71
72 i5 = ((ht2_f4a >> i4(x, 1, 2, 4, 5)) & 1) * 1
73 + ((ht2_f4b >> i4(x, 7, 11, 13, 14)) & 1) * 2
74 + ((ht2_f4b >> i4(x, 16, 20, 22, 25)) & 1) * 4
75 + ((ht2_f4b >> i4(x, 27, 28, 30, 32)) & 1) * 8
76 + ((ht2_f4a >> i4(x, 33, 42, 43, 45)) & 1) * 16;
77
78 return (ht2_f5c >> i5) & 1;
79 }
80 static u64 hitag2_round(u64 *state) {
81 u64 x = *state;
82
83 x = (x >> 1)
84 + ((((x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6) ^ (x >> 7) ^ (x >> 8)
85 ^ (x >> 16) ^ (x >> 22) ^ (x >> 23) ^ (x >> 26) ^ (x >> 30)
86 ^ (x >> 41) ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47))
87 & 1) << 47);
88
89 *state = x;
90 return f20(x);
91 }
92 static u64 hitag2_init(const u64 key, const u32 serial, const u32 IV) {
93 u32 i;
94 u64 x = ((key & 0xFFFF) << 32) + serial;
95 for (i = 0; i < 32; i++) {
96 x >>= 1;
97 x += (u64) (f20(x) ^ (((IV >> i) ^ (key >> (i + 16))) & 1)) << 47;
98 }
99 return x;
100 }
101 static u32 hitag2_byte(u64 *x) {
102 u32 i, c;
103
104 for (i = 0, c = 0; i < 8; i++)
105 c += (u32) hitag2_round(x) << (i ^ 7);
106 return c;
107 }
108
109 // Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
110 // TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
111 // Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
112 // T0 = TIMER_CLOCK1 / 125000 = 192
113 #define T0 192
114
115 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
116 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
117
118 #define HITAG_FRAME_LEN 20
119 #define HITAG_T_STOP 36 /* T_EOF should be > 36 */
120 #define HITAG_T_LOW 8 /* T_LOW should be 4..10 */
121 #define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
122 #define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */
123 //#define HITAG_T_EOF 40 /* T_EOF should be > 36 */
124 #define HITAG_T_EOF 80 /* T_EOF should be > 36 */
125 #define HITAG_T_WAIT_1 200 /* T_wresp should be 199..206 */
126 #define HITAG_T_WAIT_2 90 /* T_wresp should be 199..206 */
127 #define HITAG_T_WAIT_MAX 300 /* bit more than HITAG_T_WAIT_1 + HITAG_T_WAIT_2 */
128
129 #define HITAG_T_TAG_ONE_HALF_PERIOD 10
130 #define HITAG_T_TAG_TWO_HALF_PERIOD 25
131 #define HITAG_T_TAG_THREE_HALF_PERIOD 41
132 #define HITAG_T_TAG_FOUR_HALF_PERIOD 57
133
134 #define HITAG_T_TAG_HALF_PERIOD 16
135 #define HITAG_T_TAG_FULL_PERIOD 32
136
137 #define HITAG_T_TAG_CAPTURE_ONE_HALF 13
138 #define HITAG_T_TAG_CAPTURE_TWO_HALF 25
139 #define HITAG_T_TAG_CAPTURE_THREE_HALF 41
140 #define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
141
142 #define DEBUG 0
143
144 /*
145 * Implementation of the crc8 calculation from Hitag S
146 * from http://www.proxmark.org/files/Documents/125%20kHz%20-%20Hitag/HitagS.V11.pdf
147 */
148 void calc_crc(unsigned char * crc, unsigned char data, unsigned char Bitcount) {
149 *crc ^= data; // crc = crc (exor) data
150 do {
151 if (*crc & 0x80) // if (MSB-CRC == 1)
152 {
153 *crc <<= 1; // CRC = CRC Bit-shift left
154 *crc ^= CRC_POLYNOM; // CRC = CRC (exor) CRC_POLYNOM
155 } else {
156 *crc <<= 1; // CRC = CRC Bit-shift left
157 }
158 } while (--Bitcount);
159 }
160
161 static void hitag_send_bit(int bit) {
162 LED_A_ON();
163 // Reset clock for the next bit
164 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
165
166 switch (m) {
167 case AC2K:
168 if (bit == 0) {
169 // AC Coding --__
170 HIGH(GPIO_SSC_DOUT);
171 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
172 ;
173 LOW(GPIO_SSC_DOUT);
174 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
175 ;
176 } else {
177 // AC coding -_-_
178 HIGH(GPIO_SSC_DOUT);
179 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
180 ;
181 LOW(GPIO_SSC_DOUT);
182 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
183 ;
184 HIGH(GPIO_SSC_DOUT);
185 while (AT91C_BASE_TC0->TC_CV < T0 * 48)
186 ;
187 LOW(GPIO_SSC_DOUT);
188 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
189 ;;
190 }
191 LED_A_OFF();
192 break;
193 case AC4K:
194 if (bit == 0) {
195 // AC Coding --__
196 HIGH(GPIO_SSC_DOUT);
197 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_HALF_PERIOD)
198 ;
199 LOW(GPIO_SSC_DOUT);
200 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_FULL_PERIOD)
201 ;
202 } else {
203 // AC coding -_-_
204 HIGH(GPIO_SSC_DOUT);
205 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
206 ;
207 LOW(GPIO_SSC_DOUT);
208 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
209 ;
210 HIGH(GPIO_SSC_DOUT);
211 while (AT91C_BASE_TC0->TC_CV < T0 * 24)
212 ;
213 LOW(GPIO_SSC_DOUT);
214 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
215 ;;
216 }
217 LED_A_OFF();
218 break;
219 case MC4K:
220 if (bit == 0) {
221 // Manchester: Unloaded, then loaded |__--|
222 LOW(GPIO_SSC_DOUT);
223 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
224 ;
225 HIGH(GPIO_SSC_DOUT);
226 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
227 ;
228 } else {
229 // Manchester: Loaded, then unloaded |--__|
230 HIGH(GPIO_SSC_DOUT);
231 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
232 ;
233 LOW(GPIO_SSC_DOUT);
234 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
235 ;
236 }
237 LED_A_OFF();
238 break;
239 case MC8K:
240 if (bit == 0) {
241 // Manchester: Unloaded, then loaded |__--|
242 LOW(GPIO_SSC_DOUT);
243 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
244 ;
245 HIGH(GPIO_SSC_DOUT);
246 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
247 ;
248 } else {
249 // Manchester: Loaded, then unloaded |--__|
250 HIGH(GPIO_SSC_DOUT);
251 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
252 ;
253 LOW(GPIO_SSC_DOUT);
254 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
255 ;
256 }
257 LED_A_OFF();
258 break;
259 default:
260 break;
261 }
262 }
263
264 static void hitag_send_frame(const byte_t* frame, size_t frame_len) {
265 // Send start of frame
266
267 for (size_t i = 0; i < sof_bits; i++) {
268 hitag_send_bit(1);
269 }
270
271 // Send the content of the frame
272 for (size_t i = 0; i < frame_len; i++) {
273 hitag_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
274 }
275 // Drop the modulation
276 LOW(GPIO_SSC_DOUT);
277 }
278
279 static void hitag_reader_send_bit(int bit) {
280 //Dbprintf("BIT: %d",bit);
281 LED_A_ON();
282 // Reset clock for the next bit
283 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
284
285 // Binary puls length modulation (BPLM) is used to encode the data stream
286 // This means that a transmission of a one takes longer than that of a zero
287
288 // Enable modulation, which means, drop the the field
289 HIGH(GPIO_SSC_DOUT);
290 if (test == 1) {
291 // Wait for 4-10 times the carrier period
292 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
293 ;
294 // SpinDelayUs(8*8);
295
296 // Disable modulation, just activates the field again
297 LOW(GPIO_SSC_DOUT);
298
299 if (bit == 0) {
300 // Zero bit: |_-|
301 while (AT91C_BASE_TC0->TC_CV < T0 * 11)
302 ;
303 // SpinDelayUs(16*8);
304 } else {
305 // One bit: |_--|
306 while (AT91C_BASE_TC0->TC_CV < T0 * 14)
307 ;
308 // SpinDelayUs(22*8);
309 }
310 } else {
311 // Wait for 4-10 times the carrier period
312 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
313 ;
314 // SpinDelayUs(8*8);
315
316 // Disable modulation, just activates the field again
317 LOW(GPIO_SSC_DOUT);
318
319 if (bit == 0) {
320 // Zero bit: |_-|
321 while (AT91C_BASE_TC0->TC_CV < T0 * 22)
322 ;
323 // SpinDelayUs(16*8);
324 } else {
325 // One bit: |_--|
326 while (AT91C_BASE_TC0->TC_CV < T0 * 28)
327 ;
328 // SpinDelayUs(22*8);
329 }
330 }
331
332 LED_A_OFF();
333 }
334
335 static void hitag_reader_send_frame(const byte_t* frame, size_t frame_len) {
336 // Send the content of the frame
337 for (size_t i = 0; i < frame_len; i++) {
338 if (frame[0] == 0xf8) {
339 //Dbprintf("BIT: %d",(frame[i / 8] >> (7 - (i % 8))) & 1);
340 }
341 hitag_reader_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
342 }
343 // Send EOF
344 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
345 // Enable modulation, which means, drop the the field
346 HIGH(GPIO_SSC_DOUT);
347 // Wait for 4-10 times the carrier period
348 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
349 ;
350 // Disable modulation, just activates the field again
351 LOW(GPIO_SSC_DOUT);
352 }
353
354 /*
355 * to check if the right uid was selected
356 */
357 static int check_select(byte_t* rx, uint32_t uid) {
358 unsigned char resp[48];
359 int i;
360 uint32_t ans = 0x0;
361 for (i = 0; i < 48; i++)
362 resp[i] = (rx[i / 8] >> (7 - (i % 8))) & 0x1;
363 for (i = 0; i < 32; i++)
364 ans += resp[5 + i] << (31 - i);
365 /*if (rx[0] == 0x01 && rx[1] == 0x15 && rx[2] == 0xc1 && rx[3] == 0x14
366 && rx[4] == 0x65 && rx[5] == 0x38)
367 Dbprintf("got uid %X", ans);*/
368 temp_uid = ans;
369 if (ans == tag.uid)
370 return 1;
371 return 0;
372 }
373
374 /*
375 * handles all commands from a reader
376 */
377 static void hitagS_handle_reader_command(byte_t* rx, const size_t rxlen,
378 byte_t* tx, size_t* txlen) {
379 byte_t rx_air[HITAG_FRAME_LEN];
380 byte_t page;
381 int i;
382 u64 state;
383 unsigned char crc;
384
385 // Copy the (original) received frame how it is send over the air
386 memcpy(rx_air, rx, nbytes(rxlen));
387 // Reset the transmission frame length
388 *txlen = 0;
389 // Try to find out which command was send by selecting on length (in bits)
390 switch (rxlen) {
391 case 5: {
392 //UID request with a selected response protocol mode
393 tag.pstate = HT_READY;
394 tag.tstate = HT_NO_OP;
395 if ((rx[0] & 0xf0) == 0x30) {
396 tag.mode = HT_STANDARD;
397 sof_bits = 1;
398 m = AC2K;
399 }
400 if ((rx[0] & 0xf0) == 0xc0) {
401 tag.mode = HT_ADVANCED;
402 sof_bits = 3;
403 m = AC2K;
404 }
405
406 if ((rx[0] & 0xf0) == 0xd0) {
407 tag.mode = HT_FAST_ADVANCED;
408 sof_bits = 3;
409 m = AC4K;
410 }
411 //send uid as a response
412 *txlen = 32;
413 for (i = 0; i < 4; i++)
414 tx[i] = (tag.uid >> (24 - (i * 8))) & 0xff;
415 }
416 break;
417 case 45: {
418 //select command from reader received
419 if (check_select(rx, tag.uid) == 1) {
420 //if the right tag was selected
421 *txlen = 32;
422 switch (tag.mode) {
423 case HT_STANDARD:
424 sof_bits = 1;
425 m = MC4K;
426 break;
427 case HT_ADVANCED:
428 sof_bits = 6;
429 m = MC4K;
430 break;
431 case HT_FAST_ADVANCED:
432 sof_bits = 6;
433 m = MC8K;
434 break;
435 default:
436 break;
437 }
438
439 //send configuration
440 for (i = 0; i < 4; i++)
441 tx[i] = (tag.pages[0][1] >> (i * 8)) & 0xff;
442 tx[3] = 0xff;
443 if (tag.mode != HT_STANDARD) {
444 *txlen = 40;
445 crc = CRC_PRESET;
446 for (i = 0; i < 4; i++)
447 calc_crc(&crc, tx[i], 8);
448 tx[4] = crc;
449 }
450 }
451 }
452 break;
453 case 64: {
454 //challenge message received
455 Dbprintf("Challenge for UID: %X", temp_uid);
456 temp2++;
457 *txlen = 32;
458 state = hitag2_init(rev64(tag.key), rev32(tag.pages[0][0]),
459 rev32(((rx[3] << 24) + (rx[2] << 16) + (rx[1] << 8) + rx[0])));
460 Dbprintf(
461 ",{0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X}",
462 rx[0], rx[1], rx[2], rx[3], rx[4], rx[5], rx[6], rx[7]);
463 switch (tag.mode) {
464 case HT_STANDARD:
465 sof_bits = 1;
466 m = MC4K;
467 break;
468 case HT_ADVANCED:
469 sof_bits = 6;
470 m = MC4K;
471 break;
472 case HT_FAST_ADVANCED:
473 sof_bits = 6;
474 m = MC8K;
475 break;
476 default:
477 break;
478 }
479
480 for (i = 0; i < 4; i++)
481 hitag2_byte(&state);
482 //send con2,pwdh0,pwdl0,pwdl1 encrypted as a response
483 tx[0] = hitag2_byte(&state) ^ ((tag.pages[0][1] >> 16) & 0xff);
484 tx[1] = hitag2_byte(&state) ^ tag.pwdh0;
485 tx[2] = hitag2_byte(&state) ^ tag.pwdl0;
486 tx[3] = hitag2_byte(&state) ^ tag.pwdl1;
487 if (tag.mode != HT_STANDARD) {
488 //add crc8
489 *txlen = 40;
490 crc = CRC_PRESET;
491 calc_crc(&crc, ((tag.pages[0][1] >> 16) & 0xff), 8);
492 calc_crc(&crc, tag.pwdh0, 8);
493 calc_crc(&crc, tag.pwdl0, 8);
494 calc_crc(&crc, tag.pwdl1, 8);
495 tx[4] = (crc ^ hitag2_byte(&state));
496 }
497 /*
498 * some readers do not allow to authenticate multiple times in a row with the same tag.
499 * use this to change the uid between authentications.
500 */
501
502 /*
503 if (temp2 % 2 == 0) {
504 tag.uid = 0x11223344;
505 tag.pages[0][0] = 0x44332211;
506 } else {
507 tag.uid = 0x55667788;
508 tag.pages[0][0] = 0x88776655;
509 }
510 */
511 }
512 case 40:
513 //data received to be written
514 if (tag.tstate == HT_WRITING_PAGE_DATA) {
515 tag.tstate = HT_NO_OP;
516 tag.pages[page_to_be_written / 4][page_to_be_written % 4] = (rx[0]
517 << 0) + (rx[1] << 8) + (rx[2] << 16) + (rx[3] << 24);
518 //send ack
519 *txlen = 2;
520 tx[0] = 0x40;
521 page_to_be_written = 0;
522 switch (tag.mode) {
523 case HT_STANDARD:
524 sof_bits = 1;
525 m = MC4K;
526 break;
527 case HT_ADVANCED:
528 sof_bits = 6;
529 m = MC4K;
530 break;
531 case HT_FAST_ADVANCED:
532 sof_bits = 6;
533 m = MC8K;
534 break;
535 default:
536 break;
537 }
538 } else if (tag.tstate == HT_WRITING_BLOCK_DATA) {
539 tag.pages[page_to_be_written / 4][page_to_be_written % 4] = (rx[0]
540 << 24) + (rx[1] << 16) + (rx[2] << 8) + rx[3];
541 //send ack
542 *txlen = 2;
543 tx[0] = 0x40;
544 switch (tag.mode) {
545 case HT_STANDARD:
546 sof_bits = 1;
547 m = MC4K;
548 break;
549 case HT_ADVANCED:
550 sof_bits = 6;
551 m = MC4K;
552 break;
553 case HT_FAST_ADVANCED:
554 sof_bits = 6;
555 m = MC8K;
556 break;
557 default:
558 break;
559 }
560 page_to_be_written++;
561 block_data_left--;
562 if (block_data_left == 0) {
563 tag.tstate = HT_NO_OP;
564 page_to_be_written = 0;
565 }
566 }
567 break;
568 case 20: {
569 //write page, write block, read page or read block command received
570 if ((rx[0] & 0xf0) == 0xc0) //read page
571 {
572 //send page data
573 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
574 *txlen = 32;
575 tx[0] = (tag.pages[page / 4][page % 4]) & 0xff;
576 tx[1] = (tag.pages[page / 4][page % 4] >> 8) & 0xff;
577 tx[2] = (tag.pages[page / 4][page % 4] >> 16) & 0xff;
578 tx[3] = (tag.pages[page / 4][page % 4] >> 24) & 0xff;
579 if (tag.LKP && page == 1)
580 tx[3] = 0xff;
581
582 switch (tag.mode) {
583 case HT_STANDARD:
584 sof_bits = 1;
585 m = MC4K;
586 break;
587 case HT_ADVANCED:
588 sof_bits = 6;
589 m = MC4K;
590 break;
591 case HT_FAST_ADVANCED:
592 sof_bits = 6;
593 m = MC8K;
594 break;
595 default:
596 break;
597 }
598
599 if (tag.mode != HT_STANDARD) {
600 //add crc8
601 *txlen = 40;
602 crc = CRC_PRESET;
603 for (i = 0; i < 4; i++)
604 calc_crc(&crc, tx[i], 8);
605 tx[4] = crc;
606 }
607
608 if (tag.LKP && (page == 2 || page == 3)) {
609 //if reader asks for key or password and the LKP-mark is set do not respond
610 sof_bits = 0;
611 *txlen = 0;
612 }
613 } else if ((rx[0] & 0xf0) == 0xd0) //read block
614 {
615 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
616 *txlen = 32 * 4;
617 //send page,...,page+3 data
618 for (i = 0; i < 4; i++) {
619 tx[0 + i * 4] = (tag.pages[page / 4][page % 4]) & 0xff;
620 tx[1 + i * 4] = (tag.pages[page / 4][page % 4] >> 8) & 0xff;
621 tx[2 + i * 4] = (tag.pages[page / 4][page % 4] >> 16) & 0xff;
622 tx[3 + i * 4] = (tag.pages[page / 4][page % 4] >> 24) & 0xff;
623 page++;
624 }
625
626 switch (tag.mode) {
627 case HT_STANDARD:
628 sof_bits = 1;
629 m = MC4K;
630 break;
631 case HT_ADVANCED:
632 sof_bits = 6;
633 m = MC4K;
634 break;
635 case HT_FAST_ADVANCED:
636 sof_bits = 6;
637 m = MC8K;
638 break;
639 default:
640 break;
641 }
642
643 if (tag.mode != HT_STANDARD) {
644 //add crc8
645 *txlen = 32 * 4 + 8;
646 crc = CRC_PRESET;
647 for (i = 0; i < 16; i++)
648 calc_crc(&crc, tx[i], 8);
649 tx[16] = crc;
650 }
651
652 if ((page - 4) % 4 != 0 || (tag.LKP && (page - 4) == 0)) {
653 sof_bits = 0;
654 *txlen = 0;
655 }
656 } else if ((rx[0] & 0xf0) == 0x80) //write page
657 {
658 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
659
660 switch (tag.mode) {
661 case HT_STANDARD:
662 sof_bits = 1;
663 m = MC4K;
664 break;
665 case HT_ADVANCED:
666 sof_bits = 6;
667 m = MC4K;
668 break;
669 case HT_FAST_ADVANCED:
670 sof_bits = 6;
671 m = MC8K;
672 break;
673 default:
674 break;
675 }
676 if ((tag.LCON && page == 1)
677 || (tag.LKP && (page == 2 || page == 3))) {
678 //deny
679 *txlen = 0;
680 } else {
681 //allow
682 *txlen = 2;
683 tx[0] = 0x40;
684 page_to_be_written = page;
685 tag.tstate = HT_WRITING_PAGE_DATA;
686 }
687
688 } else if ((rx[0] & 0xf0) == 0x90) //write block
689 {
690 page = ((rx[0] & 0x0f) * 6) + ((rx[1] & 0xf0) / 16);
691 switch (tag.mode) {
692 case HT_STANDARD:
693 sof_bits = 1;
694 m = MC4K;
695 break;
696 case HT_ADVANCED:
697 sof_bits = 6;
698 m = MC4K;
699 break;
700 case HT_FAST_ADVANCED:
701 sof_bits = 6;
702 m = MC8K;
703 break;
704 default:
705 break;
706 }
707 if (page % 4 != 0 || page == 0) {
708 //deny
709 *txlen = 0;
710 } else {
711 //allow
712 *txlen = 2;
713 tx[0] = 0x40;
714 page_to_be_written = page;
715 block_data_left = 4;
716 tag.tstate = HT_WRITING_BLOCK_DATA;
717 }
718 }
719 }
720 break;
721 default:
722
723 break;
724 }
725 }
726
727 /*
728 * to autenticate to a tag with the given key or challenge
729 */
730 static int hitagS_handle_tag_auth(hitag_function htf,uint64_t key, uint64_t NrAr, byte_t* rx, const size_t rxlen, byte_t* tx,
731 size_t* txlen) {
732 byte_t rx_air[HITAG_FRAME_LEN];
733 int response_bit[200];
734 int i, j, z, k;
735 unsigned char mask = 1;
736 unsigned char uid[32];
737 byte_t uid1 = 0x00, uid2 = 0x00, uid3 = 0x00, uid4 = 0x00;
738 unsigned char crc;
739 u64 state;
740 byte_t auth_ks[4];
741 byte_t conf_pages[3];
742 memcpy(rx_air, rx, nbytes(rxlen));
743 *txlen = 0;
744
745 if (tag.pstate == HT_READY && rxlen >= 67) {
746 //received uid
747 if(end==true) {
748 Dbprintf("authentication failed!");
749 return -1;
750 }
751 z = 0;
752 for (i = 0; i < 10; i++) {
753 for (j = 0; j < 8; j++) {
754 response_bit[z] = 0;
755 if ((rx[i] & ((mask << 7) >> j)) != 0)
756 response_bit[z] = 1;
757 z++;
758 }
759 }
760 k = 0;
761 for (i = 5; i < z; i += 2) {
762 uid[k] = response_bit[i];
763 k++;
764 if (k > 31)
765 break;
766 }
767 uid1 = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5) | (uid[3] << 4)
768 | (uid[4] << 3) | (uid[5] << 2) | (uid[6] << 1) | uid[7];
769 uid2 = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5) | (uid[11] << 4)
770 | (uid[12] << 3) | (uid[13] << 2) | (uid[14] << 1) | uid[15];
771 uid3 = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5) | (uid[19] << 4)
772 | (uid[20] << 3) | (uid[21] << 2) | (uid[22] << 1) | uid[23];
773 uid4 = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5) | (uid[27] << 4)
774 | (uid[28] << 3) | (uid[29] << 2) | (uid[30] << 1) | uid[31];
775 if (DEBUG)
776 Dbprintf("UID: %02X %02X %02X %02X", uid1, uid2, uid3, uid4);
777 tag.uid = (uid4 << 24 | uid3 << 16 | uid2 << 8 | uid1);
778
779 //select uid
780 *txlen = 45;
781 crc = CRC_PRESET;
782 calc_crc(&crc, 0x00, 5);
783 calc_crc(&crc, uid1, 8);
784 calc_crc(&crc, uid2, 8);
785 calc_crc(&crc, uid3, 8);
786 calc_crc(&crc, uid4, 8);
787 for (i = 0; i < 100; i++) {
788 response_bit[i] = 0;
789 }
790 for (i = 0; i < 5; i++) {
791 response_bit[i] = 0;
792 }
793 for (i = 5; i < 37; i++) {
794 response_bit[i] = uid[i - 5];
795 }
796 for (j = 0; j < 8; j++) {
797 response_bit[i] = 0;
798 if ((crc & ((mask << 7) >> j)) != 0)
799 response_bit[i] = 1;
800 i++;
801 }
802 k = 0;
803 for (i = 0; i < 6; i++) {
804 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
805 | (response_bit[k + 2] << 5) | (response_bit[k + 3] << 4)
806 | (response_bit[k + 4] << 3) | (response_bit[k + 5] << 2)
807 | (response_bit[k + 6] << 1) | response_bit[k + 7];
808 k += 8;
809 }
810 tag.pstate = HT_INIT;
811 } else if (tag.pstate == HT_INIT && rxlen == 44) {
812 // received configuration after select command
813 z = 0;
814 for (i = 0; i < 6; i++) {
815 for (j = 0; j < 8; j++) {
816 response_bit[z] = 0;
817 if ((rx[i] & ((mask << 7) >> j)) != 0)
818 response_bit[z] = 1;
819 z++;
820 }
821 }
822 conf_pages[0] = ((response_bit[4] << 7) | (response_bit[5] << 6)
823 | (response_bit[6] << 5) | (response_bit[7] << 4)
824 | (response_bit[8] << 3) | (response_bit[9] << 2)
825 | (response_bit[10] << 1) | response_bit[11]);
826 //check wich memorysize this tag has
827 if (response_bit[10] == 0 && response_bit[11] == 0)
828 tag.max_page = 32 / 32;
829 if (response_bit[10] == 0 && response_bit[11] == 1)
830 tag.max_page = 256 / 32;
831 if (response_bit[10] == 1 && response_bit[11] == 0)
832 tag.max_page = 2048 / 32;
833 conf_pages[1] = ((response_bit[12] << 7) | (response_bit[13] << 6)
834 | (response_bit[14] << 5) | (response_bit[15] << 4)
835 | (response_bit[16] << 3) | (response_bit[17] << 2)
836 | (response_bit[18] << 1) | response_bit[19]);
837 tag.auth = response_bit[12];
838 tag.TTFC = response_bit[13];
839 //tag.TTFDR in response_bit[14] and response_bit[15]
840 //tag.TTFM in response_bit[16] and response_bit[17]
841 tag.LCON = response_bit[18];
842 tag.LKP = response_bit[19];
843 conf_pages[2] = ((response_bit[20] << 7) | (response_bit[21] << 6)
844 | (response_bit[22] << 5) | (response_bit[23] << 4)
845 | (response_bit[24] << 3) | (response_bit[25] << 2)
846 | (response_bit[26] << 1) | response_bit[27]);
847 tag.LCK7 = response_bit[20];
848 tag.LCK6 = response_bit[21];
849 tag.LCK5 = response_bit[22];
850 tag.LCK4 = response_bit[23];
851 tag.LCK3 = response_bit[24];
852 tag.LCK2 = response_bit[25];
853 tag.LCK1 = response_bit[26];
854 tag.LCK0 = response_bit[27];
855
856 if (DEBUG)
857 Dbprintf("conf0: %02X conf1: %02X conf2: %02X", conf_pages[0],
858 conf_pages[1], conf_pages[2]);
859 if (tag.auth == 1) {
860 //if the tag is in authentication mode try the key or challenge
861 *txlen = 64;
862 if(end!=true){
863 if(htf==02||htf==04){ //RHTS_KEY //WHTS_KEY
864 state = hitag2_init(rev64(key), rev32(tag.uid),
865 rev32(rnd));
866
867 for (i = 0; i < 4; i++) {
868 auth_ks[i] = hitag2_byte(&state) ^ 0xff;
869 }
870 *txlen = 64;
871 tx[0] = rnd & 0xff;
872 tx[1] = (rnd >> 8) & 0xff;
873 tx[2] = (rnd >> 16) & 0xff;
874 tx[3] = (rnd >> 24) & 0xff;
875
876 tx[4] = auth_ks[0];
877 tx[5] = auth_ks[1];
878 tx[6] = auth_ks[2];
879 tx[7] = auth_ks[3];
880 if (DEBUG)
881 Dbprintf("%02X %02X %02X %02X %02X %02X %02X %02X", tx[0],
882 tx[1], tx[2], tx[3], tx[4], tx[5], tx[6], tx[7]);
883 } else if(htf==01 || htf==03) { //RHTS_CHALLENGE //WHTS_CHALLENGE
884 for (i = 0; i < 8; i++)
885 tx[i]=((NrAr>>(56-(i*8)))&0xff);
886 }
887 end=true;
888 tag.pstate = HT_AUTHENTICATE;
889 } else {
890 Dbprintf("authentication failed!");
891 return -1;
892 }
893 } else if (tag.auth == 0) {
894 tag.pstate = HT_SELECTED;
895 }
896
897 } else if (tag.pstate == HT_AUTHENTICATE && rxlen == 44) {
898 //encrypted con2,password received.
899 crc = CRC_PRESET;
900 calc_crc(&crc, 0x80, 1);
901 calc_crc(&crc, ((rx[0] & 0x0f) * 16 + ((rx[1] & 0xf0) / 16)), 8);
902 calc_crc(&crc, ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16)), 8);
903 calc_crc(&crc, ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16)), 8);
904 calc_crc(&crc, ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16)), 8);
905 if (DEBUG) {
906 Dbprintf("UID:::%X", tag.uid);
907 Dbprintf("RND:::%X", rnd);
908 }
909
910 //decrypt password
911 pwdh0=0;
912 pwdl0=0;
913 pwdl1=0;
914 if(htf==02 || htf==04){ //RHTS_KEY //WHTS_KEY
915 {
916 state = hitag2_init(rev64(key), rev32(tag.uid), rev32(rnd));
917 for (i = 0; i < 5; i++)
918 hitag2_byte(&state);
919 pwdh0 = ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16))
920 ^ hitag2_byte(&state);
921 pwdl0 = ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16))
922 ^ hitag2_byte(&state);
923 pwdl1 = ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16))
924 ^ hitag2_byte(&state);
925 }
926
927 if (DEBUG)
928 Dbprintf("pwdh0 %02X pwdl0 %02X pwdl1 %02X", pwdh0, pwdl0, pwdl1);
929
930
931 //Dbprintf("%X %02X", rnd, ((rx[4] & 0x0f) * 16) + ((rx[5] & 0xf0) / 16));
932 //rnd += 1;
933 }
934 tag.pstate = HT_SELECTED; //tag is now ready for read/write commands
935 }
936 return 0;
937
938 }
939
940 /*
941 * Emulates a Hitag S Tag with the given data from the .hts file
942 */
943 void SimulateHitagSTag(bool tag_mem_supplied, byte_t* data) {
944 int frame_count;
945 int response;
946 int overflow;
947 int i, j;
948 byte_t rx[HITAG_FRAME_LEN];
949 size_t rxlen = 0;
950 //bool bQuitTraceFull = false;
951 bQuiet = false;
952 byte_t txbuf[HITAG_FRAME_LEN];
953 byte_t* tx = txbuf;
954 size_t txlen = 0;
955 // free eventually allocated BigBuf memory
956 BigBuf_free(); BigBuf_Clear_ext(false);
957
958 // Clean up trace and prepare it for storing frames
959 set_tracing(TRUE);
960 clear_trace();
961
962 DbpString("Starting HitagS simulation");
963 LED_D_ON();
964
965 tag.pstate = HT_READY;
966 tag.tstate = HT_NO_OP;
967 tag.tstate = HT_NO_OP;
968 for (i = 0; i < 16; i++)
969 for (j = 0; j < 4; j++)
970 tag.pages[i][j] = 0x0;
971 //read tag data into memory
972 if (tag_mem_supplied) {
973 DbpString("Loading hitagS memory...");
974 memcpy((byte_t*)tag.pages,data,4*64);
975 }
976 tag.uid=(uint32_t)tag.pages[0];
977 Dbprintf("Hitag S simulation started");
978 tag.key=(intptr_t)tag.pages[3];
979 tag.key<<=16;
980 tag.key+=((tag.pages[2][0])<<8)+tag.pages[2][1];
981 tag.pwdl0=tag.pages[2][3];
982 tag.pwdl1=tag.pages[2][2];
983 tag.pwdh0=tag.pages[1][0];
984 //con0
985 tag.max_page=64;
986 if((tag.pages[1][3]&0x2)==0 && (tag.pages[1][3]&0x1)==1)
987 tag.max_page=8;
988 if((tag.pages[1][3]&0x2)==0 && (tag.pages[1][3]&0x1)==0)
989 tag.max_page=0;
990 //con1
991 tag.auth=0;
992 if((tag.pages[1][2]&0x80)==1)
993 tag.auth=1;
994 tag.LCON=0;
995 if((tag.pages[1][2]&0x2)==1)
996 tag.LCON=1;
997 tag.LKP=0;
998 if((tag.pages[1][2]&0x1)==1)
999 tag.LKP=1;
1000 //con2
1001 //0=read write 1=read only
1002 tag.LCK7=0;
1003 if((tag.pages[1][1]&0x80)==1)
1004 tag.LCK7=1;
1005 tag.LCK6=0;
1006 if((tag.pages[1][1]&0x40)==1)
1007 tag.LCK6=1;
1008 tag.LCK5=0;
1009 if((tag.pages[1][1]&0x20)==1)
1010 tag.LCK5=1;
1011 tag.LCK4=0;
1012 if((tag.pages[1][1]&0x10)==1)
1013 tag.LCK4=1;
1014 tag.LCK3=0;
1015 if((tag.pages[1][1]&0x8)==1)
1016 tag.LCK3=1;
1017 tag.LCK2=0;
1018 if((tag.pages[1][1]&0x4)==1)
1019 tag.LCK2=1;
1020 tag.LCK1=0;
1021 if((tag.pages[1][1]&0x2)==1)
1022 tag.LCK1=1;
1023 tag.LCK0=0;
1024 if((tag.pages[1][1]&0x1)==1)
1025 tag.LCK0=1;
1026
1027 // Set up simulator mode, frequency divisor which will drive the FPGA
1028 // and analog mux selection.
1029 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1030 FpgaWriteConfWord(
1031 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1032 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1033 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1034 RELAY_OFF();
1035
1036 // Configure output pin that is connected to the FPGA (for modulating)
1037 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1038 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1039
1040 // Disable modulation at default, which means release resistance
1041 LOW(GPIO_SSC_DOUT);
1042
1043 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1044 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1045
1046 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
1047 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1048 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1049
1050 // Disable timer during configuration
1051 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1052
1053 // Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1054 // external trigger rising edge, load RA on rising edge of TIOA.
1055 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1056 | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
1057
1058 // Reset the received frame, frame count and timing info
1059 memset(rx, 0x00, sizeof(rx));
1060 frame_count = 0;
1061 response = 0;
1062 overflow = 0;
1063
1064 // Enable and reset counter
1065 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1066
1067 while (!BUTTON_PRESS()) {
1068 // Watchdog hit
1069 WDT_HIT();
1070
1071 // Receive frame, watch for at most T0*EOF periods
1072 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_EOF) {
1073 // Check if rising edge in modulation is detected
1074 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1075 // Retrieve the new timing values
1076 int ra = (AT91C_BASE_TC1->TC_RA / T0) + overflow;
1077 overflow = 0;
1078
1079 // Reset timer every frame, we have to capture the last edge for timing
1080 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1081
1082 LED_B_ON();
1083
1084 // Capture reader frame
1085 if (ra >= HITAG_T_STOP) {
1086 if (rxlen != 0) {
1087 //DbpString("wierd0?");
1088 }
1089 // Capture the T0 periods that have passed since last communication or field drop (reset)
1090 response = (ra - HITAG_T_LOW);
1091 } else if (ra >= HITAG_T_1_MIN) {
1092 // '1' bit
1093 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1094 rxlen++;
1095 } else if (ra >= HITAG_T_0_MIN) {
1096 // '0' bit
1097 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1098 rxlen++;
1099 } else {
1100 // Ignore wierd value, is to small to mean anything
1101 }
1102 }
1103 }
1104
1105 // Check if frame was captured
1106 if (rxlen > 0) {
1107 frame_count++;
1108 if (!bQuiet) {
1109 if (!LogTraceHitag(rx, rxlen, response, 0, true)) {
1110 DbpString("Trace full");
1111 clear_trace();
1112 }
1113 }
1114
1115 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1116 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1117
1118 // Process the incoming frame (rx) and prepare the outgoing frame (tx)
1119 hitagS_handle_reader_command(rx, rxlen, tx, &txlen);
1120
1121 // Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
1122 // not that since the clock counts since the rising edge, but T_Wait1 is
1123 // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
1124 // periods. The gap time T_Low varies (4..10). All timer values are in
1125 // terms of T0 units
1126 while (AT91C_BASE_TC0->TC_CV < T0 * (HITAG_T_WAIT_1 - HITAG_T_LOW))
1127 ;
1128
1129 // Send and store the tag answer (if there is any)
1130 if (txlen > 0) {
1131 // Transmit the tag frame
1132 hitag_send_frame(tx, txlen);
1133 // Store the frame in the trace
1134 if (!bQuiet) {
1135 if (!LogTraceHitag(tx, txlen, 0, 0, false)) {
1136 DbpString("Trace full");
1137 clear_trace();
1138 }
1139 }
1140 }
1141
1142 // Reset the received frame and response timing info
1143 memset(rx, 0x00, sizeof(rx));
1144 response = 0;
1145
1146 // Enable and reset external trigger in timer for capturing future frames
1147 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1148 LED_B_OFF();
1149 }
1150 // Reset the frame length
1151 rxlen = 0;
1152 // Save the timer overflow, will be 0 when frame was received
1153 overflow += (AT91C_BASE_TC1->TC_CV / T0);
1154 // Reset the timer to restart while-loop that receives frames
1155 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
1156 }
1157 LED_B_OFF();
1158 LED_D_OFF();
1159 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1160 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1161 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1162 }
1163
1164 /*
1165 * Authenticates to the Tag with the given key or challenge.
1166 * If the key was given the password will be decrypted.
1167 * Reads every page of a hitag S transpoder.
1168 */
1169 void ReadHitagS(hitag_function htf, hitag_data* htd) {
1170 int i, j, z, k;
1171 int frame_count;
1172 int response_bit[200];
1173 int response;
1174 byte_t rx[HITAG_FRAME_LEN];
1175 size_t rxlen = 0;
1176 byte_t txbuf[HITAG_FRAME_LEN];
1177 byte_t* tx = txbuf;
1178 size_t txlen = 0;
1179 int lastbit;
1180 bool bSkip;
1181 int reset_sof;
1182 int tag_sof;
1183 int t_wait = HITAG_T_WAIT_MAX;
1184 bool bStop;
1185 bool bQuitTraceFull = false;
1186 int sendNum = 0;
1187 unsigned char mask = 1;
1188 unsigned char crc;
1189 unsigned char pageData[32];
1190 page_to_be_written = 0;
1191
1192 //read given key/challenge
1193 byte_t NrAr_[8];
1194 uint64_t key=0;
1195 uint64_t NrAr=0;
1196 byte_t key_[6];
1197 switch(htf) {
1198 case 01: { //RHTS_CHALLENGE
1199 DbpString("Authenticating using nr,ar pair:");
1200 memcpy(NrAr_,htd->auth.NrAr,8);
1201 Dbhexdump(8,NrAr_,false);
1202 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1203 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1204 } break;
1205 case 02: { //RHTS_KEY
1206 DbpString("Authenticating using key:");
1207 memcpy(key_,htd->crypto.key,6);
1208 Dbhexdump(6,key_,false);
1209 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1210 } break;
1211 default: {
1212 Dbprintf("Error , unknown function: %d",htf);
1213 return;
1214 } break;
1215 }
1216
1217
1218
1219 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1220 // Reset the return status
1221 bSuccessful = false;
1222
1223 // Clean up trace and prepare it for storing frames
1224 set_tracing(TRUE);
1225 clear_trace();
1226
1227 bQuiet = false;
1228 bQuitTraceFull = true;
1229
1230 LED_D_ON();
1231
1232 // Configure output and enable pin that is connected to the FPGA (for modulating)
1233 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1234 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1235
1236 // Set fpga in edge detect with reader field, we can modulate as reader now
1237 FpgaWriteConfWord(
1238 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1239
1240 // Set Frequency divisor which will drive the FPGA and analog mux selection
1241 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1242 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1243 RELAY_OFF();
1244
1245 // Disable modulation at default, which means enable the field
1246 LOW(GPIO_SSC_DOUT);
1247
1248 // Give it a bit of time for the resonant antenna to settle.
1249 SpinDelay(30);
1250
1251 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1252 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1253
1254 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1255 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1256 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1257
1258 // Disable timer during configuration
1259 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1260
1261 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1262 // external trigger rising edge, load RA on falling edge of TIOA.
1263 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1264
1265 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
1266
1267 // Enable and reset counters
1268 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1269 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1270
1271 // Reset the received frame, frame count and timing info
1272 frame_count = 0;
1273 response = 0;
1274 lastbit = 1;
1275 bStop = false;
1276
1277 reset_sof = 1;
1278 t_wait = 200;
1279
1280 while (!bStop && !BUTTON_PRESS()) {
1281 // Watchdog hit
1282 WDT_HIT();
1283
1284 // Check if frame was captured and store it
1285 if (rxlen > 0) {
1286 frame_count++;
1287 if (!bQuiet) {
1288 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1289 DbpString("Trace full");
1290 if (bQuitTraceFull) {
1291 break;
1292 } else {
1293 bQuiet = true;
1294 }
1295 }
1296 }
1297 }
1298
1299 // By default reset the transmission buffer
1300 tx = txbuf;
1301 txlen = 0;
1302
1303 if (rxlen == 0) {
1304 //start authentication
1305 txlen = 5;
1306 memcpy(tx, "\xc0", nbytes(txlen));
1307 tag.pstate = HT_READY;
1308 tag.tstate = HT_NO_OP;
1309 } else if (tag.pstate != HT_SELECTED) {
1310 if (hitagS_handle_tag_auth(htf, key,NrAr,rx, rxlen, tx, &txlen) == -1)
1311 bStop = !false;
1312 }
1313 if (tag.pstate == HT_SELECTED && tag.tstate == HT_NO_OP && rxlen > 0) {
1314 //send read request
1315 tag.tstate = HT_READING_PAGE;
1316 txlen = 20;
1317 crc = CRC_PRESET;
1318 tx[0] = 0xc0 + (sendNum / 16);
1319 calc_crc(&crc, tx[0], 8);
1320 calc_crc(&crc, 0x00 + ((sendNum % 16) * 16), 4);
1321 tx[1] = 0x00 + ((sendNum % 16) * 16) + (crc / 16);
1322 tx[2] = 0x00 + (crc % 16) * 16;
1323 } else if (tag.pstate == HT_SELECTED && tag.tstate == HT_READING_PAGE
1324 && rxlen > 0) {
1325 //save received data
1326 z = 0;
1327 for (i = 0; i < 5; i++) {
1328 for (j = 0; j < 8; j++) {
1329 response_bit[z] = 0;
1330 if ((rx[i] & ((mask << 7) >> j)) != 0)
1331 response_bit[z] = 1;
1332 z++;
1333 }
1334 }
1335 k = 0;
1336 for (i = 4; i < 36; i++) {
1337 pageData[k] = response_bit[i];
1338 k++;
1339 }
1340 for (i = 0; i < 4; i++)
1341 tag.pages[sendNum / 4][sendNum % 4] = 0x0;
1342 for (i = 0; i < 4; i++) {
1343 tag.pages[sendNum / 4][sendNum % 4] += ((pageData[i * 8] << 7)
1344 | (pageData[1 + (i * 8)] << 6)
1345 | (pageData[2 + (i * 8)] << 5)
1346 | (pageData[3 + (i * 8)] << 4)
1347 | (pageData[4 + (i * 8)] << 3)
1348 | (pageData[5 + (i * 8)] << 2)
1349 | (pageData[6 + (i * 8)] << 1) | pageData[7 + (i * 8)])
1350 << (i * 8);
1351 }
1352 if (tag.auth && tag.LKP && sendNum == 1) {
1353 Dbprintf("Page[%2d]: %02X %02X %02X %02X", sendNum, pwdh0,
1354 (tag.pages[sendNum / 4][sendNum % 4] >> 16) & 0xff,
1355 (tag.pages[sendNum / 4][sendNum % 4] >> 8) & 0xff,
1356 tag.pages[sendNum / 4][sendNum % 4] & 0xff);
1357 } else {
1358 Dbprintf("Page[%2d]: %02X %02X %02X %02X", sendNum,
1359 (tag.pages[sendNum / 4][sendNum % 4] >> 24) & 0xff,
1360 (tag.pages[sendNum / 4][sendNum % 4] >> 16) & 0xff,
1361 (tag.pages[sendNum / 4][sendNum % 4] >> 8) & 0xff,
1362 tag.pages[sendNum / 4][sendNum % 4] & 0xff);
1363 }
1364
1365 sendNum++;
1366 //display key and password if possible
1367 if (sendNum == 2 && tag.auth == 1 && tag.LKP) {
1368 if (htf == 02) { //RHTS_KEY
1369 Dbprintf("Page[ 2]: %02X %02X %02X %02X",
1370 (byte_t)(key >> 8) & 0xff,
1371 (byte_t) key & 0xff, pwdl1, pwdl0);
1372 Dbprintf("Page[ 3]: %02X %02X %02X %02X",
1373 (byte_t)(key >> 40) & 0xff,
1374 (byte_t)(key >> 32) & 0xff,
1375 (byte_t)(key >> 24) & 0xff,
1376 (byte_t)(key >> 16) & 0xff);
1377 } else {
1378 //if the authentication is done with a challenge the key and password are unknown
1379 Dbprintf("Page[ 2]: __ __ __ __");
1380 Dbprintf("Page[ 3]: __ __ __ __");
1381 }
1382 }
1383
1384 txlen = 20;
1385 crc = CRC_PRESET;
1386 tx[0] = 0xc0 + (sendNum / 16);
1387 calc_crc(&crc, tx[0], 8);
1388 calc_crc(&crc, 0x00 + ((sendNum % 16) * 16), 4);
1389 tx[1] = 0x00 + ((sendNum % 16) * 16) + (crc / 16);
1390 tx[2] = 0x00 + (crc % 16) * 16;
1391 if (sendNum >= tag.max_page) {
1392 bStop = !false;
1393 }
1394 }
1395
1396 // Send and store the reader command
1397 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1398 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1399
1400 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1401 // Since the clock counts since the last falling edge, a 'one' means that the
1402 // falling edge occured halfway the period. with respect to this falling edge,
1403 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1404 // All timer values are in terms of T0 units
1405
1406 while (AT91C_BASE_TC0->TC_CV
1407 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
1408 ;
1409
1410 // Transmit the reader frame
1411 hitag_reader_send_frame(tx, txlen);
1412
1413 // Enable and reset external trigger in timer for capturing future frames
1414 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1415
1416 // Add transmitted frame to total count
1417 if (txlen > 0) {
1418 frame_count++;
1419 if (!bQuiet) {
1420 // Store the frame in the trace
1421 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
1422 if (bQuitTraceFull) {
1423 DbpString("Trace full");
1424 break;
1425 } else {
1426 bQuiet = true;
1427 }
1428 }
1429 }
1430 }
1431
1432 // Reset values for receiving frames
1433 memset(rx, 0x00, sizeof(rx));
1434 rxlen = 0;
1435 lastbit = 1;
1436 bSkip = true;
1437 tag_sof = reset_sof;
1438 response = 0;
1439
1440 // Receive frame, watch for at most T0*EOF periods
1441 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
1442 // Check if falling edge in tag modulation is detected
1443 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1444 // Retrieve the new timing values
1445 int ra = (AT91C_BASE_TC1->TC_RA / T0);
1446
1447 // Reset timer every frame, we have to capture the last edge for timing
1448 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
1449
1450 LED_B_ON();
1451
1452 // Capture tag frame (manchester decoding using only falling edges)
1453 if (ra >= HITAG_T_EOF) {
1454 if (rxlen != 0) {
1455 //DbpString("wierd1?");
1456 }
1457 // Capture the T0 periods that have passed since last communication or field drop (reset)
1458 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
1459 response = ra - HITAG_T_TAG_HALF_PERIOD;
1460 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
1461 // Manchester coding example |-_|_-|-_| (101)
1462 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1463 rxlen++;
1464 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1465 rxlen++;
1466 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
1467 // Manchester coding example |_-|...|_-|-_| (0...01)
1468 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1469 rxlen++;
1470 // We have to skip this half period at start and add the 'one' the second time
1471 if (!bSkip) {
1472 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1473 rxlen++;
1474 }
1475 lastbit = !lastbit;
1476 bSkip = !bSkip;
1477 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
1478 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
1479 if (tag_sof) {
1480 // Ignore bits that are transmitted during SOF
1481 tag_sof--;
1482 } else {
1483 // bit is same as last bit
1484 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
1485 rxlen++;
1486 }
1487 } else {
1488 // Ignore wierd value, is to small to mean anything
1489 }
1490 }
1491
1492 // We can break this loop if we received the last bit from a frame
1493 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
1494 if (rxlen > 0)
1495 break;
1496 }
1497 }
1498 }
1499 end=false;
1500 LED_B_OFF();
1501 LED_D_OFF();
1502 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1503 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1504 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1505 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1506 }
1507
1508 /*
1509 * Authenticates to the Tag with the given Key or Challenge.
1510 * Writes the given 32Bit data into page_
1511 */
1512 void WritePageHitagS(hitag_function htf, hitag_data* htd,int page_) {
1513 int frame_count;
1514 int response;
1515 byte_t rx[HITAG_FRAME_LEN];
1516 size_t rxlen = 0;
1517 byte_t txbuf[HITAG_FRAME_LEN];
1518 byte_t* tx = txbuf;
1519 size_t txlen = 0;
1520 int lastbit;
1521 bool bSkip;
1522 int reset_sof;
1523 int tag_sof;
1524 int t_wait = HITAG_T_WAIT_MAX;
1525 bool bStop;
1526 bool bQuitTraceFull = false;
1527 int page = page_;
1528 unsigned char crc;
1529 byte_t data[4]= {0,0,0,0};
1530
1531 //read given key/challenge, the page and the data
1532 byte_t NrAr_[8];
1533 uint64_t key=0;
1534 uint64_t NrAr=0;
1535 byte_t key_[6];
1536 switch(htf) {
1537 case 03: { //WHTS_CHALLENGE
1538 memcpy(data,htd->auth.data,4);
1539 DbpString("Authenticating using nr,ar pair:");
1540 memcpy(NrAr_,htd->auth.NrAr,8);
1541 Dbhexdump(8,NrAr_,false);
1542 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1543 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1544 } break;
1545 case 04: { //WHTS_KEY
1546 memcpy(data,htd->crypto.data,4);
1547 DbpString("Authenticating using key:");
1548 memcpy(key_,htd->crypto.key,6);
1549 Dbhexdump(6,key_,false);
1550 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1551 } break;
1552 default: {
1553 Dbprintf("Error , unknown function: %d",htf);
1554 return;
1555 } break;
1556 }
1557
1558 Dbprintf("Page: %d",page_);
1559 Dbprintf("DATA: %02X %02X %02X %02X", data[0], data[1], data[2], data[3]);
1560 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1561 // Reset the return status
1562 bSuccessful = false;
1563
1564 tag.pstate = HT_READY;
1565 tag.tstate = HT_NO_OP;
1566
1567 // Clean up trace and prepare it for storing frames
1568 set_tracing(TRUE);
1569 clear_trace();
1570
1571 bQuiet = false;
1572 bQuitTraceFull = true;
1573
1574 LED_D_ON();
1575
1576 // Configure output and enable pin that is connected to the FPGA (for modulating)
1577 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1578 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1579
1580 // Set fpga in edge detect with reader field, we can modulate as reader now
1581 FpgaWriteConfWord(
1582 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1583
1584 // Set Frequency divisor which will drive the FPGA and analog mux selection
1585 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1586 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1587 RELAY_OFF();
1588
1589 // Disable modulation at default, which means enable the field
1590 LOW(GPIO_SSC_DOUT);
1591
1592 // Give it a bit of time for the resonant antenna to settle.
1593 SpinDelay(30);
1594
1595 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1596 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1597
1598 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1599 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1600 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1601
1602 // Disable timer during configuration
1603 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1604
1605 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1606 // external trigger rising edge, load RA on falling edge of TIOA.
1607 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1608 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG
1609 | AT91C_TC_LDRA_FALLING;
1610
1611 // Enable and reset counters
1612 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1613 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1614
1615 // Reset the received frame, frame count and timing info
1616 frame_count = 0;
1617 response = 0;
1618 lastbit = 1;
1619 bStop = false;
1620
1621 reset_sof = 1;
1622 t_wait = 200;
1623
1624 while (!bStop && !BUTTON_PRESS()) {
1625 // Watchdog hit
1626 WDT_HIT();
1627
1628 // Check if frame was captured and store it
1629 if (rxlen > 0) {
1630 frame_count++;
1631 if (!bQuiet) {
1632 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1633 DbpString("Trace full");
1634 if (bQuitTraceFull) {
1635 break;
1636 } else {
1637 bQuiet = true;
1638 }
1639 }
1640 }
1641 }
1642
1643 //check for valid input
1644 if (page == 0) {
1645 Dbprintf(
1646 "usage: lf hitag writer [03 | 04] [CHALLENGE | KEY] [page] [byte0] [byte1] [byte2] [byte3]");
1647 bStop = !false;
1648 }
1649
1650 // By default reset the transmission buffer
1651 tx = txbuf;
1652 txlen = 0;
1653
1654 if (rxlen == 0 && tag.tstate == HT_WRITING_PAGE_ACK) {
1655 //no write access on this page
1656 Dbprintf("no write access on page %d", page_);
1657 bStop = !false;
1658 } else if (rxlen == 0 && tag.tstate != HT_WRITING_PAGE_DATA) {
1659 //start the authetication
1660 txlen = 5;
1661 memcpy(tx, "\xc0", nbytes(txlen));
1662 tag.pstate = HT_READY;
1663 tag.tstate = HT_NO_OP;
1664 } else if (tag.pstate != HT_SELECTED) {
1665 //try to authenticate with the given key or challenge
1666 if (hitagS_handle_tag_auth(htf,key,NrAr,rx, rxlen, tx, &txlen) == -1)
1667 bStop = !false;
1668 }
1669 if (tag.pstate == HT_SELECTED && tag.tstate == HT_NO_OP && rxlen > 0) {
1670 //check if the given page exists
1671 if (page > tag.max_page) {
1672 Dbprintf("page number too big");
1673 bStop = !false;
1674 }
1675 //ask Tag for write permission
1676 tag.tstate = HT_WRITING_PAGE_ACK;
1677 txlen = 20;
1678 crc = CRC_PRESET;
1679 tx[0] = 0x90 + (page / 16);
1680 calc_crc(&crc, tx[0], 8);
1681 calc_crc(&crc, 0x00 + ((page % 16) * 16), 4);
1682 tx[1] = 0x00 + ((page % 16) * 16) + (crc / 16);
1683 tx[2] = 0x00 + (crc % 16) * 16;
1684 } else if (tag.pstate == HT_SELECTED && tag.tstate == HT_WRITING_PAGE_ACK
1685 && rxlen == 6 && rx[0] == 0xf4) {
1686 //ACK recieved to write the page. send data
1687 tag.tstate = HT_WRITING_PAGE_DATA;
1688 txlen = 40;
1689 crc = CRC_PRESET;
1690 calc_crc(&crc, data[3], 8);
1691 calc_crc(&crc, data[2], 8);
1692 calc_crc(&crc, data[1], 8);
1693 calc_crc(&crc, data[0], 8);
1694 tx[0] = data[3];
1695 tx[1] = data[2];
1696 tx[2] = data[1];
1697 tx[3] = data[0];
1698 tx[4] = crc;
1699 } else if (tag.pstate == HT_SELECTED && tag.tstate == HT_WRITING_PAGE_DATA
1700 && rxlen == 6 && rx[0] == 0xf4) {
1701 //received ACK
1702 Dbprintf("Successful!");
1703 bStop = !false;
1704 }
1705
1706 // Send and store the reader command
1707 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1708 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1709
1710 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1711 // Since the clock counts since the last falling edge, a 'one' means that the
1712 // falling edge occured halfway the period. with respect to this falling edge,
1713 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1714 // All timer values are in terms of T0 units
1715
1716 while (AT91C_BASE_TC0->TC_CV
1717 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
1718 ;
1719
1720 // Transmit the reader frame
1721 hitag_reader_send_frame(tx, txlen);
1722
1723 // Enable and reset external trigger in timer for capturing future frames
1724 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1725
1726 // Add transmitted frame to total count
1727 if (txlen > 0) {
1728 frame_count++;
1729 if (!bQuiet) {
1730 // Store the frame in the trace
1731 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
1732 if (bQuitTraceFull) {
1733 DbpString("Trace full");
1734 break;
1735 } else {
1736 bQuiet = true;
1737 }
1738 }
1739 }
1740 }
1741
1742 // Reset values for receiving frames
1743 memset(rx, 0x00, sizeof(rx));
1744 rxlen = 0;
1745 lastbit = 1;
1746 bSkip = true;
1747 tag_sof = reset_sof;
1748 response = 0;
1749
1750 // Receive frame, watch for at most T0*EOF periods
1751 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
1752 // Check if falling edge in tag modulation is detected
1753 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1754 // Retrieve the new timing values
1755 int ra = (AT91C_BASE_TC1->TC_RA / T0);
1756
1757 // Reset timer every frame, we have to capture the last edge for timing
1758 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
1759
1760 LED_B_ON();
1761
1762 // Capture tag frame (manchester decoding using only falling edges)
1763 if (ra >= HITAG_T_EOF) {
1764 if (rxlen != 0) {
1765 //DbpString("wierd1?");
1766 }
1767 // Capture the T0 periods that have passed since last communication or field drop (reset)
1768 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
1769 response = ra - HITAG_T_TAG_HALF_PERIOD;
1770 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
1771 // Manchester coding example |-_|_-|-_| (101)
1772 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1773 rxlen++;
1774 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1775 rxlen++;
1776 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
1777 // Manchester coding example |_-|...|_-|-_| (0...01)
1778 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1779 rxlen++;
1780 // We have to skip this half period at start and add the 'one' the second time
1781 if (!bSkip) {
1782 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1783 rxlen++;
1784 }
1785 lastbit = !lastbit;
1786 bSkip = !bSkip;
1787 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
1788 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
1789 if (tag_sof) {
1790 // Ignore bits that are transmitted during SOF
1791 tag_sof--;
1792 } else {
1793 // bit is same as last bit
1794 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
1795 rxlen++;
1796 }
1797 } else {
1798 // Ignore wierd value, is to small to mean anything
1799 }
1800 }
1801
1802 // We can break this loop if we received the last bit from a frame
1803 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
1804 if (rxlen > 0)
1805 break;
1806 }
1807 }
1808 }
1809 end=false;
1810 LED_B_OFF();
1811 LED_D_OFF();
1812 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1813 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1814 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1815 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1816 }
1817
1818 /*
1819 * Tries to authenticate to a Hitag S Transponder with the given challenges from a .cc file.
1820 * Displays all Challenges that failed.
1821 * When collecting Challenges to break the key it is possible that some data
1822 * is not received correctly due to Antenna problems. This function
1823 * detects these challenges.
1824 */
1825 void check_challenges(bool file_given, byte_t* data) {
1826 int i, j, z, k;
1827 byte_t uid_byte[4];
1828 int frame_count;
1829 int response;
1830 byte_t rx[HITAG_FRAME_LEN];
1831 byte_t unlocker[60][8];
1832 int u1 = 0;
1833 size_t rxlen = 0;
1834 byte_t txbuf[HITAG_FRAME_LEN];
1835 byte_t* tx = txbuf;
1836 size_t txlen = 0;
1837 int lastbit;
1838 bool bSkip;
1839 int reset_sof;
1840 int tag_sof;
1841 int t_wait = HITAG_T_WAIT_MAX;
1842 int STATE = 0;
1843 bool bStop;
1844 bool bQuitTraceFull = false;
1845 int response_bit[200];
1846 unsigned char mask = 1;
1847 unsigned char uid[32];
1848 unsigned char crc;
1849
1850 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1851 // Reset the return status
1852 bSuccessful = false;
1853
1854 // Clean up trace and prepare it for storing frames
1855 set_tracing(TRUE);
1856 clear_trace();
1857
1858 bQuiet = false;
1859 bQuitTraceFull = true;
1860
1861 LED_D_ON();
1862
1863 // Configure output and enable pin that is connected to the FPGA (for modulating)
1864 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1865 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1866
1867 // Set fpga in edge detect with reader field, we can modulate as reader now
1868 FpgaWriteConfWord(
1869 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1870
1871 // Set Frequency divisor which will drive the FPGA and analog mux selection
1872 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1873 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1874 RELAY_OFF();
1875
1876 // Disable modulation at default, which means enable the field
1877 LOW(GPIO_SSC_DOUT);
1878
1879 // Give it a bit of time for the resonant antenna to settle.
1880 SpinDelay(30);
1881
1882 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1883 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1884
1885 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1886 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1887 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1888
1889 // Disable timer during configuration
1890 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1891
1892 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1893 // external trigger rising edge, load RA on falling edge of TIOA.
1894 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1895
1896 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
1897
1898 // Enable and reset counters
1899 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1900 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1901
1902 // Reset the received frame, frame count and timing info
1903 frame_count = 0;
1904 response = 0;
1905 lastbit = 1;
1906 bStop = false;
1907
1908 reset_sof = 1;
1909 t_wait = 200;
1910
1911 if (file_given) {
1912 DbpString("Loading challenges...");
1913 memcpy((byte_t*)unlocker,data,60*8);
1914 }
1915
1916 while (file_given && !bStop && !BUTTON_PRESS()) {
1917 // Watchdog hit
1918 WDT_HIT();
1919
1920 // Check if frame was captured and store it
1921 if (rxlen > 0) {
1922 frame_count++;
1923 if (!bQuiet) {
1924 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1925 DbpString("Trace full");
1926 if (bQuitTraceFull) {
1927 break;
1928 } else {
1929 bQuiet = true;
1930 }
1931 }
1932 }
1933 }
1934
1935 tx = txbuf;
1936 txlen = 0;
1937 if (rxlen == 0) {
1938 if (STATE == 2)
1939 // challenge failed
1940 Dbprintf("Challenge failed: %02X %02X %02X %02X %02X %02X %02X %02X",
1941 unlocker[u1 - 1][0], unlocker[u1 - 1][1],
1942 unlocker[u1 - 1][2], unlocker[u1 - 1][3],
1943 unlocker[u1 - 1][4], unlocker[u1 - 1][5],
1944 unlocker[u1 - 1][6], unlocker[u1 - 1][7]);
1945 STATE = 0;
1946 txlen = 5;
1947 //start new authentication
1948 memcpy(tx, "\xc0", nbytes(txlen));
1949 } else if (rxlen >= 67 && STATE == 0) {
1950 //received uid
1951 z = 0;
1952 for (i = 0; i < 10; i++) {
1953 for (j = 0; j < 8; j++) {
1954 response_bit[z] = 0;
1955 if ((rx[i] & ((mask << 7) >> j)) != 0)
1956 response_bit[z] = 1;
1957 z++;
1958 }
1959 }
1960 k = 0;
1961 for (i = 5; i < z; i += 2) {
1962 uid[k] = response_bit[i];
1963 k++;
1964 if (k > 31)
1965 break;
1966 }
1967 uid_byte[0] = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5)
1968 | (uid[3] << 4) | (uid[4] << 3) | (uid[5] << 2)
1969 | (uid[6] << 1) | uid[7];
1970 uid_byte[1] = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5)
1971 | (uid[11] << 4) | (uid[12] << 3) | (uid[13] << 2)
1972 | (uid[14] << 1) | uid[15];
1973 uid_byte[2] = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5)
1974 | (uid[19] << 4) | (uid[20] << 3) | (uid[21] << 2)
1975 | (uid[22] << 1) | uid[23];
1976 uid_byte[3] = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5)
1977 | (uid[27] << 4) | (uid[28] << 3) | (uid[29] << 2)
1978 | (uid[30] << 1) | uid[31];
1979 //Dbhexdump(10, rx, rxlen);
1980 STATE = 1;
1981 txlen = 45;
1982 crc = CRC_PRESET;
1983 calc_crc(&crc, 0x00, 5);
1984 calc_crc(&crc, uid_byte[0], 8);
1985 calc_crc(&crc, uid_byte[1], 8);
1986 calc_crc(&crc, uid_byte[2], 8);
1987 calc_crc(&crc, uid_byte[3], 8);
1988 for (i = 0; i < 100; i++) {
1989 response_bit[i] = 0;
1990 }
1991 for (i = 0; i < 5; i++) {
1992 response_bit[i] = 0;
1993 }
1994 for (i = 5; i < 37; i++) {
1995 response_bit[i] = uid[i - 5];
1996 }
1997 for (j = 0; j < 8; j++) {
1998 response_bit[i] = 0;
1999 if ((crc & ((mask << 7) >> j)) != 0)
2000 response_bit[i] = 1;
2001 i++;
2002 }
2003 k = 0;
2004 for (i = 0; i < 6; i++) {
2005 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
2006 | (response_bit[k + 2] << 5)
2007 | (response_bit[k + 3] << 4)
2008 | (response_bit[k + 4] << 3)
2009 | (response_bit[k + 5] << 2)
2010 | (response_bit[k + 6] << 1) | response_bit[k + 7];
2011 k += 8;
2012 }
2013
2014 } else if (STATE == 1 && rxlen == 44) {
2015 //received configuration
2016 STATE = 2;
2017 z = 0;
2018 for (i = 0; i < 6; i++) {
2019 for (j = 0; j < 8; j++) {
2020 response_bit[z] = 0;
2021 if ((rx[i] & ((mask << 7) >> j)) != 0)
2022 response_bit[z] = 1;
2023 z++;
2024 }
2025 }
2026 txlen = 64;
2027
2028 if (u1 >= (sizeof(unlocker) / sizeof(unlocker[0])))
2029 bStop = !false;
2030 for (i = 0; i < 8; i++)
2031 tx[i] = unlocker[u1][i];
2032 u1++;
2033
2034 } else if (STATE == 2 && rxlen >= 44) {
2035 STATE = 0;
2036 }
2037
2038 // Send and store the reader command
2039 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2040 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2041
2042 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2043 // Since the clock counts since the last falling edge, a 'one' means that the
2044 // falling edge occured halfway the period. with respect to this falling edge,
2045 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2046 // All timer values are in terms of T0 units
2047
2048 while (AT91C_BASE_TC0->TC_CV
2049 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
2050 ;
2051
2052 // Transmit the reader frame
2053 hitag_reader_send_frame(tx, txlen);
2054
2055 // Enable and reset external trigger in timer for capturing future frames
2056 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2057
2058 // Add transmitted frame to total count
2059 if (txlen > 0) {
2060 frame_count++;
2061 if (!bQuiet) {
2062 // Store the frame in the trace
2063 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
2064 if (bQuitTraceFull) {
2065 DbpString("Trace full");
2066 break;
2067 } else {
2068 bQuiet = true;
2069 }
2070 }
2071 }
2072 }
2073
2074 // Reset values for receiving frames
2075 memset(rx, 0x00, sizeof(rx));
2076 rxlen = 0;
2077 lastbit = 1;
2078 bSkip = true;
2079 tag_sof = reset_sof;
2080 response = 0;
2081
2082 // Receive frame, watch for at most T0*EOF periods
2083 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
2084 // Check if falling edge in tag modulation is detected
2085 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
2086 // Retrieve the new timing values
2087 int ra = (AT91C_BASE_TC1->TC_RA / T0);
2088
2089 // Reset timer every frame, we have to capture the last edge for timing
2090 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
2091
2092 LED_B_ON();
2093
2094 // Capture tag frame (manchester decoding using only falling edges)
2095 if (ra >= HITAG_T_EOF) {
2096 if (rxlen != 0) {
2097 //DbpString("wierd1?");
2098 }
2099 // Capture the T0 periods that have passed since last communication or field drop (reset)
2100 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
2101 response = ra - HITAG_T_TAG_HALF_PERIOD;
2102 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
2103 // Manchester coding example |-_|_-|-_| (101)
2104 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
2105 rxlen++;
2106 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
2107 rxlen++;
2108 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
2109 // Manchester coding example |_-|...|_-|-_| (0...01)
2110 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
2111 rxlen++;
2112 // We have to skip this half period at start and add the 'one' the second time
2113 if (!bSkip) {
2114 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
2115 rxlen++;
2116 }
2117 lastbit = !lastbit;
2118 bSkip = !bSkip;
2119 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
2120 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
2121 if (tag_sof) {
2122 // Ignore bits that are transmitted during SOF
2123 tag_sof--;
2124 } else {
2125 // bit is same as last bit
2126 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
2127 rxlen++;
2128 }
2129 } else {
2130 // Ignore wierd value, is to small to mean anything
2131 }
2132 }
2133
2134 // We can break this loop if we received the last bit from a frame
2135 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
2136 if (rxlen > 0)
2137 break;
2138 }
2139 }
2140 }
2141 LED_B_OFF();
2142 LED_D_OFF();
2143 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2144 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2145 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2146 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
2147 }
2148
2149
2150
Proxmark3 GIT tracking
Impressum, Datenschutz