]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443a.c
projects / proxmark3-svn / blob
? search:


d39fbdd4e51600e70903eb3bb721ae57bf376fda
[proxmark3-svn] / armsrc / iso14443a.c
1 //-----------------------------------------------------------------------------
2 // Routines to support ISO 14443 type A.
3 //
4 // Gerhard de Koning Gans - May 2008
5 //-----------------------------------------------------------------------------
6 #include <proxmark3.h>
7 #include "apps.h"
8 #include "../common/iso14443_crc.c"
9
10 static BYTE *trace = (BYTE *) BigBuf;
11 static int traceLen = 0;
12 static int rsamples = 0;
13
14 typedef enum {
15 SEC_D = 1,
16 SEC_E = 2,
17 SEC_F = 3,
18 SEC_X = 4,
19 SEC_Y = 5,
20 SEC_Z = 6
21 } SecType;
22
23 static const BYTE OddByteParity[256] = {
24 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
25 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
26 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
27 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
28 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
29 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
30 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
31 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
32 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
33 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
34 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
35 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
36 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
37 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
38 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
39 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
40 };
41
42 // BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
43 #define RECV_CMD_OFFSET 3032
44 #define RECV_RES_OFFSET 3096
45 #define DMA_BUFFER_OFFSET 3160
46 #define DMA_BUFFER_SIZE 4096
47 #define TRACE_LENGTH 3000
48
49 //-----------------------------------------------------------------------------
50 // Generate the parity value for a byte sequence
51 //
52 //-----------------------------------------------------------------------------
53 DWORD GetParity(const BYTE * pbtCmd, int iLen)
54 {
55 int i;
56 DWORD dwPar = 0;
57
58 // Generate the encrypted data
59 for (i = 0; i < iLen; i++) {
60 // Save the encrypted parity bit
61 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
62 }
63 return dwPar;
64 }
65
66 static void AppendCrc14443a(BYTE* data, int len)
67 {
68 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
69 }
70
71 BOOL LogTrace(const BYTE * btBytes, int iLen, int iSamples, DWORD dwParity, BOOL bReader)
72 {
73 // Return when trace is full
74 if (traceLen >= TRACE_LENGTH) return FALSE;
75
76 // Trace the random, i'm curious
77 rsamples += iSamples;
78 trace[traceLen++] = ((rsamples >> 0) & 0xff);
79 trace[traceLen++] = ((rsamples >> 8) & 0xff);
80 trace[traceLen++] = ((rsamples >> 16) & 0xff);
81 trace[traceLen++] = ((rsamples >> 24) & 0xff);
82 if (!bReader) {
83 trace[traceLen - 1] |= 0x80;
84 }
85 trace[traceLen++] = ((dwParity >> 0) & 0xff);
86 trace[traceLen++] = ((dwParity >> 8) & 0xff);
87 trace[traceLen++] = ((dwParity >> 16) & 0xff);
88 trace[traceLen++] = ((dwParity >> 24) & 0xff);
89 trace[traceLen++] = iLen;
90 memcpy(trace + traceLen, btBytes, iLen);
91 traceLen += iLen;
92 return TRUE;
93 }
94
95 //-----------------------------------------------------------------------------
96 // The software UART that receives commands from the reader, and its state
97 // variables.
98 //-----------------------------------------------------------------------------
99 static struct {
100 enum {
101 STATE_UNSYNCD,
102 STATE_START_OF_COMMUNICATION,
103 STATE_MILLER_X,
104 STATE_MILLER_Y,
105 STATE_MILLER_Z,
106 STATE_ERROR_WAIT
107 } state;
108 WORD shiftReg;
109 int bitCnt;
110 int byteCnt;
111 int byteCntMax;
112 int posCnt;
113 int syncBit;
114 int parityBits;
115 int samples;
116 int highCnt;
117 int bitBuffer;
118 enum {
119 DROP_NONE,
120 DROP_FIRST_HALF,
121 DROP_SECOND_HALF
122 } drop;
123 BYTE *output;
124 } Uart;
125
126 static BOOL MillerDecoding(int bit)
127 {
128 int error = 0;
129 int bitright;
130
131 if(!Uart.bitBuffer) {
132 Uart.bitBuffer = bit ^ 0xFF0;
133 return FALSE;
134 }
135 else {
136 Uart.bitBuffer <<= 4;
137 Uart.bitBuffer ^= bit;
138 }
139
140 BOOL EOC = FALSE;
141
142 if(Uart.state != STATE_UNSYNCD) {
143 Uart.posCnt++;
144
145 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
146 bit = 0x00;
147 }
148 else {
149 bit = 0x01;
150 }
151 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
152 bitright = 0x00;
153 }
154 else {
155 bitright = 0x01;
156 }
157 if(bit != bitright) { bit = bitright; }
158
159 if(Uart.posCnt == 1) {
160 // measurement first half bitperiod
161 if(!bit) {
162 Uart.drop = DROP_FIRST_HALF;
163 }
164 }
165 else {
166 // measurement second half bitperiod
167 if(!bit & (Uart.drop == DROP_NONE)) {
168 Uart.drop = DROP_SECOND_HALF;
169 }
170 else if(!bit) {
171 // measured a drop in first and second half
172 // which should not be possible
173 Uart.state = STATE_ERROR_WAIT;
174 error = 0x01;
175 }
176
177 Uart.posCnt = 0;
178
179 switch(Uart.state) {
180 case STATE_START_OF_COMMUNICATION:
181 Uart.shiftReg = 0;
182 if(Uart.drop == DROP_SECOND_HALF) {
183 // error, should not happen in SOC
184 Uart.state = STATE_ERROR_WAIT;
185 error = 0x02;
186 }
187 else {
188 // correct SOC
189 Uart.state = STATE_MILLER_Z;
190 }
191 break;
192
193 case STATE_MILLER_Z:
194 Uart.bitCnt++;
195 Uart.shiftReg >>= 1;
196 if(Uart.drop == DROP_NONE) {
197 // logic '0' followed by sequence Y
198 // end of communication
199 Uart.state = STATE_UNSYNCD;
200 EOC = TRUE;
201 }
202 // if(Uart.drop == DROP_FIRST_HALF) {
203 // Uart.state = STATE_MILLER_Z; stay the same
204 // we see a logic '0' }
205 if(Uart.drop == DROP_SECOND_HALF) {
206 // we see a logic '1'
207 Uart.shiftReg |= 0x100;
208 Uart.state = STATE_MILLER_X;
209 }
210 break;
211
212 case STATE_MILLER_X:
213 Uart.shiftReg >>= 1;
214 if(Uart.drop == DROP_NONE) {
215 // sequence Y, we see a '0'
216 Uart.state = STATE_MILLER_Y;
217 Uart.bitCnt++;
218 }
219 if(Uart.drop == DROP_FIRST_HALF) {
220 // Would be STATE_MILLER_Z
221 // but Z does not follow X, so error
222 Uart.state = STATE_ERROR_WAIT;
223 error = 0x03;
224 }
225 if(Uart.drop == DROP_SECOND_HALF) {
226 // We see a '1' and stay in state X
227 Uart.shiftReg |= 0x100;
228 Uart.bitCnt++;
229 }
230 break;
231
232 case STATE_MILLER_Y:
233 Uart.bitCnt++;
234 Uart.shiftReg >>= 1;
235 if(Uart.drop == DROP_NONE) {
236 // logic '0' followed by sequence Y
237 // end of communication
238 Uart.state = STATE_UNSYNCD;
239 EOC = TRUE;
240 }
241 if(Uart.drop == DROP_FIRST_HALF) {
242 // we see a '0'
243 Uart.state = STATE_MILLER_Z;
244 }
245 if(Uart.drop == DROP_SECOND_HALF) {
246 // We see a '1' and go to state X
247 Uart.shiftReg |= 0x100;
248 Uart.state = STATE_MILLER_X;
249 }
250 break;
251
252 case STATE_ERROR_WAIT:
253 // That went wrong. Now wait for at least two bit periods
254 // and try to sync again
255 if(Uart.drop == DROP_NONE) {
256 Uart.highCnt = 6;
257 Uart.state = STATE_UNSYNCD;
258 }
259 break;
260
261 default:
262 Uart.state = STATE_UNSYNCD;
263 Uart.highCnt = 0;
264 break;
265 }
266
267 Uart.drop = DROP_NONE;
268
269 // should have received at least one whole byte...
270 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
271 return TRUE;
272 }
273
274 if(Uart.bitCnt == 9) {
275 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
276 Uart.byteCnt++;
277
278 Uart.parityBits <<= 1;
279 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
280
281 if(EOC) {
282 // when End of Communication received and
283 // all data bits processed..
284 return TRUE;
285 }
286 Uart.bitCnt = 0;
287 }
288
289 /*if(error) {
290 Uart.output[Uart.byteCnt] = 0xAA;
291 Uart.byteCnt++;
292 Uart.output[Uart.byteCnt] = error & 0xFF;
293 Uart.byteCnt++;
294 Uart.output[Uart.byteCnt] = 0xAA;
295 Uart.byteCnt++;
296 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
297 Uart.byteCnt++;
298 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
299 Uart.byteCnt++;
300 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
301 Uart.byteCnt++;
302 Uart.output[Uart.byteCnt] = 0xAA;
303 Uart.byteCnt++;
304 return TRUE;
305 }*/
306 }
307
308 }
309 else {
310 bit = Uart.bitBuffer & 0xf0;
311 bit >>= 4;
312 bit ^= 0x0F;
313 if(bit) {
314 // should have been high or at least (4 * 128) / fc
315 // according to ISO this should be at least (9 * 128 + 20) / fc
316 if(Uart.highCnt == 8) {
317 // we went low, so this could be start of communication
318 // it turns out to be safer to choose a less significant
319 // syncbit... so we check whether the neighbour also represents the drop
320 Uart.posCnt = 1; // apparently we are busy with our first half bit period
321 Uart.syncBit = bit & 8;
322 Uart.samples = 3;
323 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
324 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
325 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
326 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
327 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
328 if(Uart.syncBit & (Uart.bitBuffer & 8)) {
329 Uart.syncBit = 8;
330
331 // the first half bit period is expected in next sample
332 Uart.posCnt = 0;
333 Uart.samples = 3;
334 }
335 }
336 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
337
338 Uart.syncBit <<= 4;
339 Uart.state = STATE_START_OF_COMMUNICATION;
340 Uart.drop = DROP_FIRST_HALF;
341 Uart.bitCnt = 0;
342 Uart.byteCnt = 0;
343 Uart.parityBits = 0;
344 error = 0;
345 }
346 else {
347 Uart.highCnt = 0;
348 }
349 }
350 else {
351 if(Uart.highCnt < 8) {
352 Uart.highCnt++;
353 }
354 }
355 }
356
357 return FALSE;
358 }
359
360 //=============================================================================
361 // ISO 14443 Type A - Manchester
362 //=============================================================================
363
364 static struct {
365 enum {
366 DEMOD_UNSYNCD,
367 DEMOD_START_OF_COMMUNICATION,
368 DEMOD_MANCHESTER_D,
369 DEMOD_MANCHESTER_E,
370 DEMOD_MANCHESTER_F,
371 DEMOD_ERROR_WAIT
372 } state;
373 int bitCount;
374 int posCount;
375 int syncBit;
376 int parityBits;
377 WORD shiftReg;
378 int buffer;
379 int buff;
380 int samples;
381 int len;
382 enum {
383 SUB_NONE,
384 SUB_FIRST_HALF,
385 SUB_SECOND_HALF
386 } sub;
387 BYTE *output;
388 } Demod;
389
390 static BOOL ManchesterDecoding(int v)
391 {
392 int bit;
393 int modulation;
394 int error = 0;
395
396 if(!Demod.buff) {
397 Demod.buff = 1;
398 Demod.buffer = v;
399 return FALSE;
400 }
401 else {
402 bit = Demod.buffer;
403 Demod.buffer = v;
404 }
405
406 if(Demod.state==DEMOD_UNSYNCD) {
407 Demod.output[Demod.len] = 0xfa;
408 Demod.syncBit = 0;
409 //Demod.samples = 0;
410 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
411 if(bit & 0x08) { Demod.syncBit = 0x08; }
412 if(!Demod.syncBit) {
413 if(bit & 0x04) { Demod.syncBit = 0x04; }
414 }
415 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
416 if(!Demod.syncBit) {
417 if(bit & 0x02) { Demod.syncBit = 0x02; }
418 }
419 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
420 if(!Demod.syncBit) {
421 if(bit & 0x01) { Demod.syncBit = 0x01; }
422
423 if(Demod.syncBit & (Demod.buffer & 0x08)) {
424 Demod.syncBit = 0x08;
425
426 // The first half bitperiod is expected in next sample
427 Demod.posCount = 0;
428 Demod.output[Demod.len] = 0xfb;
429 }
430 }
431 else if(bit & 0x01) { Demod.syncBit = 0x01; }
432
433 if(Demod.syncBit) {
434 Demod.len = 0;
435 Demod.state = DEMOD_START_OF_COMMUNICATION;
436 Demod.sub = SUB_FIRST_HALF;
437 Demod.bitCount = 0;
438 Demod.shiftReg = 0;
439 Demod.parityBits = 0;
440 Demod.samples = 0;
441 if(Demod.posCount) {
442 switch(Demod.syncBit) {
443 case 0x08: Demod.samples = 3; break;
444 case 0x04: Demod.samples = 2; break;
445 case 0x02: Demod.samples = 1; break;
446 case 0x01: Demod.samples = 0; break;
447 }
448 }
449 error = 0;
450 }
451 }
452 else {
453 //modulation = bit & Demod.syncBit;
454 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
455
456 Demod.samples += 4;
457
458 if(Demod.posCount==0) {
459 Demod.posCount = 1;
460 if(modulation) {
461 Demod.sub = SUB_FIRST_HALF;
462 }
463 else {
464 Demod.sub = SUB_NONE;
465 }
466 }
467 else {
468 Demod.posCount = 0;
469 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
470 if(Demod.state!=DEMOD_ERROR_WAIT) {
471 Demod.state = DEMOD_ERROR_WAIT;
472 Demod.output[Demod.len] = 0xaa;
473 error = 0x01;
474 }
475 }
476 else if(modulation) {
477 Demod.sub = SUB_SECOND_HALF;
478 }
479
480 switch(Demod.state) {
481 case DEMOD_START_OF_COMMUNICATION:
482 if(Demod.sub == SUB_FIRST_HALF) {
483 Demod.state = DEMOD_MANCHESTER_D;
484 }
485 else {
486 Demod.output[Demod.len] = 0xab;
487 Demod.state = DEMOD_ERROR_WAIT;
488 error = 0x02;
489 }
490 break;
491
492 case DEMOD_MANCHESTER_D:
493 case DEMOD_MANCHESTER_E:
494 if(Demod.sub == SUB_FIRST_HALF) {
495 Demod.bitCount++;
496 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
497 Demod.state = DEMOD_MANCHESTER_D;
498 }
499 else if(Demod.sub == SUB_SECOND_HALF) {
500 Demod.bitCount++;
501 Demod.shiftReg >>= 1;
502 Demod.state = DEMOD_MANCHESTER_E;
503 }
504 else {
505 Demod.state = DEMOD_MANCHESTER_F;
506 }
507 break;
508
509 case DEMOD_MANCHESTER_F:
510 // Tag response does not need to be a complete byte!
511 if(Demod.len > 0 || Demod.bitCount > 0) {
512 if(Demod.bitCount > 0) {
513 Demod.shiftReg >>= (9 - Demod.bitCount);
514 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
515 Demod.len++;
516 // No parity bit, so just shift a 0
517 Demod.parityBits <<= 1;
518 }
519
520 Demod.state = DEMOD_UNSYNCD;
521 return TRUE;
522 }
523 else {
524 Demod.output[Demod.len] = 0xad;
525 Demod.state = DEMOD_ERROR_WAIT;
526 error = 0x03;
527 }
528 break;
529
530 case DEMOD_ERROR_WAIT:
531 Demod.state = DEMOD_UNSYNCD;
532 break;
533
534 default:
535 Demod.output[Demod.len] = 0xdd;
536 Demod.state = DEMOD_UNSYNCD;
537 break;
538 }
539
540 if(Demod.bitCount>=9) {
541 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
542 Demod.len++;
543
544 Demod.parityBits <<= 1;
545 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
546
547 Demod.bitCount = 0;
548 Demod.shiftReg = 0;
549 }
550
551 /*if(error) {
552 Demod.output[Demod.len] = 0xBB;
553 Demod.len++;
554 Demod.output[Demod.len] = error & 0xFF;
555 Demod.len++;
556 Demod.output[Demod.len] = 0xBB;
557 Demod.len++;
558 Demod.output[Demod.len] = bit & 0xFF;
559 Demod.len++;
560 Demod.output[Demod.len] = Demod.buffer & 0xFF;
561 Demod.len++;
562 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
563 Demod.len++;
564 Demod.output[Demod.len] = 0xBB;
565 Demod.len++;
566 return TRUE;
567 }*/
568
569 }
570
571 } // end (state != UNSYNCED)
572
573 return FALSE;
574 }
575
576 //=============================================================================
577 // Finally, a `sniffer' for ISO 14443 Type A
578 // Both sides of communication!
579 //=============================================================================
580
581 //-----------------------------------------------------------------------------
582 // Record the sequence of commands sent by the reader to the tag, with
583 // triggering so that we start recording at the point that the tag is moved
584 // near the reader.
585 //-----------------------------------------------------------------------------
586 void SnoopIso14443a(void)
587 {
588 // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
589 // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
590 // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
591 // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
592 // #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
593
594 // We won't start recording the frames that we acquire until we trigger;
595 // a good trigger condition to get started is probably when we see a
596 // response from the tag.
597 BOOL triggered = TRUE; // FALSE to wait first for card
598
599 // The command (reader -> tag) that we're receiving.
600 // The length of a received command will in most cases be no more than 18 bytes.
601 // So 32 should be enough!
602 BYTE *receivedCmd = (((BYTE *)BigBuf) + RECV_CMD_OFFSET);
603 // The response (tag -> reader) that we're receiving.
604 BYTE *receivedResponse = (((BYTE *)BigBuf) + RECV_RES_OFFSET);
605
606 // As we receive stuff, we copy it from receivedCmd or receivedResponse
607 // into trace, along with its length and other annotations.
608 //BYTE *trace = (BYTE *)BigBuf;
609 //int traceLen = 0;
610
611 // The DMA buffer, used to stream samples from the FPGA
612 SBYTE *dmaBuf = ((SBYTE *)BigBuf) + DMA_BUFFER_OFFSET;
613 int lastRxCounter;
614 SBYTE *upTo;
615 int smpl;
616 int maxBehindBy = 0;
617
618 // Count of samples received so far, so that we can include timing
619 // information in the trace buffer.
620 int samples = 0;
621 int rsamples = 0;
622
623 memset(trace, 0x44, RECV_CMD_OFFSET);
624
625 // Set up the demodulator for tag -> reader responses.
626 Demod.output = receivedResponse;
627 Demod.len = 0;
628 Demod.state = DEMOD_UNSYNCD;
629
630 // And the reader -> tag commands
631 memset(&Uart, 0, sizeof(Uart));
632 Uart.output = receivedCmd;
633 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
634 Uart.state = STATE_UNSYNCD;
635
636 // And put the FPGA in the appropriate mode
637 // Signal field is off with the appropriate LED
638 LED_D_OFF();
639 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
640 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
641
642 // Setup for the DMA.
643 FpgaSetupSsc();
644 upTo = dmaBuf;
645 lastRxCounter = DMA_BUFFER_SIZE;
646 FpgaSetupSscDma((BYTE *)dmaBuf, DMA_BUFFER_SIZE);
647
648 LED_A_ON();
649
650 // And now we loop, receiving samples.
651 for(;;) {
652 WDT_HIT();
653 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
654 (DMA_BUFFER_SIZE-1);
655 if(behindBy > maxBehindBy) {
656 maxBehindBy = behindBy;
657 if(behindBy > 400) {
658 DbpString("blew circular buffer!");
659 goto done;
660 }
661 }
662 if(behindBy < 1) continue;
663
664 smpl = upTo[0];
665 upTo++;
666 lastRxCounter -= 1;
667 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
668 upTo -= DMA_BUFFER_SIZE;
669 lastRxCounter += DMA_BUFFER_SIZE;
670 AT91C_BASE_PDC_SSC->PDC_RNPR = (DWORD)upTo;
671 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
672 }
673
674 samples += 4;
675 #define HANDLE_BIT_IF_BODY \
676 LED_C_ON(); \
677 if(triggered) { \
678 trace[traceLen++] = ((rsamples >> 0) & 0xff); \
679 trace[traceLen++] = ((rsamples >> 8) & 0xff); \
680 trace[traceLen++] = ((rsamples >> 16) & 0xff); \
681 trace[traceLen++] = ((rsamples >> 24) & 0xff); \
682 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff); \
683 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff); \
684 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff); \
685 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff); \
686 trace[traceLen++] = Uart.byteCnt; \
687 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); \
688 traceLen += Uart.byteCnt; \
689 if(traceLen > TRACE_LENGTH) break; \
690 } \
691 /* And ready to receive another command. */ \
692 Uart.state = STATE_UNSYNCD; \
693 /* And also reset the demod code, which might have been */ \
694 /* false-triggered by the commands from the reader. */ \
695 Demod.state = DEMOD_UNSYNCD; \
696 LED_B_OFF(); \
697
698 if(MillerDecoding((smpl & 0xF0) >> 4)) {
699 rsamples = samples - Uart.samples;
700 HANDLE_BIT_IF_BODY
701 }
702 if(ManchesterDecoding(smpl & 0x0F)) {
703 rsamples = samples - Demod.samples;
704 LED_B_ON();
705
706 // timestamp, as a count of samples
707 trace[traceLen++] = ((rsamples >> 0) & 0xff);
708 trace[traceLen++] = ((rsamples >> 8) & 0xff);
709 trace[traceLen++] = ((rsamples >> 16) & 0xff);
710 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
711 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
712 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
713 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
714 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
715 // length
716 trace[traceLen++] = Demod.len;
717 memcpy(trace+traceLen, receivedResponse, Demod.len);
718 traceLen += Demod.len;
719 if(traceLen > TRACE_LENGTH) break;
720
721 triggered = TRUE;
722
723 // And ready to receive another response.
724 memset(&Demod, 0, sizeof(Demod));
725 Demod.output = receivedResponse;
726 Demod.state = DEMOD_UNSYNCD;
727 LED_C_OFF();
728 }
729
730 if(BUTTON_PRESS()) {
731 DbpString("cancelled_a");
732 goto done;
733 }
734 }
735
736 DbpString("COMMAND FINISHED");
737
738 DbpIntegers(maxBehindBy, Uart.state, Uart.byteCnt);
739 DbpIntegers(Uart.byteCntMax, traceLen, (int)Uart.output[0]);
740
741 done:
742 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
743 DbpIntegers(maxBehindBy, Uart.state, Uart.byteCnt);
744 DbpIntegers(Uart.byteCntMax, traceLen, (int)Uart.output[0]);
745 LED_A_OFF();
746 LED_B_OFF();
747 LED_C_OFF();
748 LED_D_OFF();
749 }
750
751 // Prepare communication bits to send to FPGA
752 void Sequence(SecType seq)
753 {
754 ToSendMax++;
755 switch(seq) {
756 // CARD TO READER
757 case SEC_D:
758 // Sequence D: 11110000
759 // modulation with subcarrier during first half
760 ToSend[ToSendMax] = 0xf0;
761 break;
762 case SEC_E:
763 // Sequence E: 00001111
764 // modulation with subcarrier during second half
765 ToSend[ToSendMax] = 0x0f;
766 break;
767 case SEC_F:
768 // Sequence F: 00000000
769 // no modulation with subcarrier
770 ToSend[ToSendMax] = 0x00;
771 break;
772 // READER TO CARD
773 case SEC_X:
774 // Sequence X: 00001100
775 // drop after half a period
776 ToSend[ToSendMax] = 0x0c;
777 break;
778 case SEC_Y:
779 default:
780 // Sequence Y: 00000000
781 // no drop
782 ToSend[ToSendMax] = 0x00;
783 break;
784 case SEC_Z:
785 // Sequence Z: 11000000
786 // drop at start
787 ToSend[ToSendMax] = 0xc0;
788 break;
789 }
790 }
791
792 //-----------------------------------------------------------------------------
793 // Prepare tag messages
794 //-----------------------------------------------------------------------------
795 static void CodeIso14443aAsTag(const BYTE *cmd, int len)
796 {
797 int i;
798 int oddparity;
799
800 ToSendReset();
801
802 // Correction bit, might be removed when not needed
803 ToSendStuffBit(0);
804 ToSendStuffBit(0);
805 ToSendStuffBit(0);
806 ToSendStuffBit(0);
807 ToSendStuffBit(1); // 1
808 ToSendStuffBit(0);
809 ToSendStuffBit(0);
810 ToSendStuffBit(0);
811
812 // Send startbit
813 Sequence(SEC_D);
814
815 for(i = 0; i < len; i++) {
816 int j;
817 BYTE b = cmd[i];
818
819 // Data bits
820 oddparity = 0x01;
821 for(j = 0; j < 8; j++) {
822 oddparity ^= (b & 1);
823 if(b & 1) {
824 Sequence(SEC_D);
825 } else {
826 Sequence(SEC_E);
827 }
828 b >>= 1;
829 }
830
831 // Parity bit
832 if(oddparity) {
833 Sequence(SEC_D);
834 } else {
835 Sequence(SEC_E);
836 }
837 }
838
839 // Send stopbit
840 Sequence(SEC_F);
841
842 // Flush the buffer in FPGA!!
843 for(i = 0; i < 5; i++) {
844 Sequence(SEC_F);
845 }
846
847 // Convert from last byte pos to length
848 ToSendMax++;
849
850 // Add a few more for slop
851 ToSend[ToSendMax++] = 0x00;
852 ToSend[ToSendMax++] = 0x00;
853 //ToSendMax += 2;
854 }
855
856 //-----------------------------------------------------------------------------
857 // This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
858 //-----------------------------------------------------------------------------
859 static void CodeStrangeAnswer()
860 {
861 int i;
862
863 ToSendReset();
864
865 // Correction bit, might be removed when not needed
866 ToSendStuffBit(0);
867 ToSendStuffBit(0);
868 ToSendStuffBit(0);
869 ToSendStuffBit(0);
870 ToSendStuffBit(1); // 1
871 ToSendStuffBit(0);
872 ToSendStuffBit(0);
873 ToSendStuffBit(0);
874
875 // Send startbit
876 Sequence(SEC_D);
877
878 // 0
879 Sequence(SEC_E);
880
881 // 0
882 Sequence(SEC_E);
883
884 // 1
885 Sequence(SEC_D);
886
887 // Send stopbit
888 Sequence(SEC_F);
889
890 // Flush the buffer in FPGA!!
891 for(i = 0; i < 5; i++) {
892 Sequence(SEC_F);
893 }
894
895 // Convert from last byte pos to length
896 ToSendMax++;
897
898 // Add a few more for slop
899 ToSend[ToSendMax++] = 0x00;
900 ToSend[ToSendMax++] = 0x00;
901 //ToSendMax += 2;
902 }
903
904 //-----------------------------------------------------------------------------
905 // Wait for commands from reader
906 // Stop when button is pressed
907 // Or return TRUE when command is captured
908 //-----------------------------------------------------------------------------
909 static BOOL GetIso14443aCommandFromReader(BYTE *received, int *len, int maxLen)
910 {
911 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
912 // only, since we are receiving, not transmitting).
913 // Signal field is off with the appropriate LED
914 LED_D_OFF();
915 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
916
917 // Now run a `software UART' on the stream of incoming samples.
918 Uart.output = received;
919 Uart.byteCntMax = maxLen;
920 Uart.state = STATE_UNSYNCD;
921
922 for(;;) {
923 WDT_HIT();
924
925 if(BUTTON_PRESS()) return FALSE;
926
927 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
928 AT91C_BASE_SSC->SSC_THR = 0x00;
929 }
930 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
931 BYTE b = (BYTE)AT91C_BASE_SSC->SSC_RHR;
932 if(MillerDecoding((b & 0xf0) >> 4)) {
933 *len = Uart.byteCnt;
934 return TRUE;
935 }
936 if(MillerDecoding(b & 0x0f)) {
937 *len = Uart.byteCnt;
938 return TRUE;
939 }
940 }
941 }
942 }
943
944 //-----------------------------------------------------------------------------
945 // Main loop of simulated tag: receive commands from reader, decide what
946 // response to send, and send it.
947 //-----------------------------------------------------------------------------
948 void SimulateIso14443aTag(int tagType, int TagUid)
949 {
950 // This function contains the tag emulation
951
952 // Prepare protocol messages
953 // static const BYTE cmd1[] = { 0x26 };
954 // static const BYTE response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
955 //
956 static const BYTE response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
957 // static const BYTE response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
958
959 // UID response
960 // static const BYTE cmd2[] = { 0x93, 0x20 };
961 //static const BYTE response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
962
963
964
965 // my desfire
966 static const BYTE response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
967
968
969 // When reader selects us during cascade1 it will send cmd3
970 //BYTE response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
971 BYTE response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
972 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
973
974 // send cascade2 2nd half of UID
975 static const BYTE response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
976 // NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
977
978
979 // When reader selects us during cascade2 it will send cmd3a
980 //BYTE response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
981 BYTE response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
982 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
983
984 static const BYTE response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
985
986 BYTE *resp;
987 int respLen;
988
989 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
990 // This will need
991 // 144 data bits (18 * 8)
992 // 18 parity bits
993 // 2 Start and stop
994 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
995 // 1 just for the case
996 // ----------- +
997 // 166
998 //
999 // 166 bytes, since every bit that needs to be send costs us a byte
1000 //
1001
1002
1003 // Respond with card type
1004 BYTE *resp1 = (((BYTE *)BigBuf) + 800);
1005 int resp1Len;
1006
1007 // Anticollision cascade1 - respond with uid
1008 BYTE *resp2 = (((BYTE *)BigBuf) + 970);
1009 int resp2Len;
1010
1011 // Anticollision cascade2 - respond with 2nd half of uid if asked
1012 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
1013 BYTE *resp2a = (((BYTE *)BigBuf) + 1140);
1014 int resp2aLen;
1015
1016 // Acknowledge select - cascade 1
1017 BYTE *resp3 = (((BYTE *)BigBuf) + 1310);
1018 int resp3Len;
1019
1020 // Acknowledge select - cascade 2
1021 BYTE *resp3a = (((BYTE *)BigBuf) + 1480);
1022 int resp3aLen;
1023
1024 // Response to a read request - not implemented atm
1025 BYTE *resp4 = (((BYTE *)BigBuf) + 1550);
1026 int resp4Len;
1027
1028 // Authenticate response - nonce
1029 BYTE *resp5 = (((BYTE *)BigBuf) + 1720);
1030 int resp5Len;
1031
1032 BYTE *receivedCmd = (BYTE *)BigBuf;
1033 int len;
1034
1035 int i;
1036 int u;
1037 BYTE b;
1038
1039 // To control where we are in the protocol
1040 int order = 0;
1041 int lastorder;
1042
1043 // Just to allow some checks
1044 int happened = 0;
1045 int happened2 = 0;
1046
1047 int cmdsRecvd = 0;
1048
1049 BOOL fdt_indicator;
1050
1051 memset(receivedCmd, 0x44, 400);
1052
1053 // Prepare the responses of the anticollision phase
1054 // there will be not enough time to do this at the moment the reader sends it REQA
1055
1056 // Answer to request
1057 CodeIso14443aAsTag(response1, sizeof(response1));
1058 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1059
1060 // Send our UID (cascade 1)
1061 CodeIso14443aAsTag(response2, sizeof(response2));
1062 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1063
1064 // Answer to select (cascade1)
1065 CodeIso14443aAsTag(response3, sizeof(response3));
1066 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1067
1068 // Send the cascade 2 2nd part of the uid
1069 CodeIso14443aAsTag(response2a, sizeof(response2a));
1070 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1071
1072 // Answer to select (cascade 2)
1073 CodeIso14443aAsTag(response3a, sizeof(response3a));
1074 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1075
1076 // Strange answer is an example of rare message size (3 bits)
1077 CodeStrangeAnswer();
1078 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1079
1080 // Authentication answer (random nonce)
1081 CodeIso14443aAsTag(response5, sizeof(response5));
1082 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1083
1084 // We need to listen to the high-frequency, peak-detected path.
1085 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1086 FpgaSetupSsc();
1087
1088 cmdsRecvd = 0;
1089
1090 LED_A_ON();
1091 for(;;) {
1092
1093 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1094 DbpString("button press");
1095 break;
1096 }
1097 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1098 // Okay, look at the command now.
1099 lastorder = order;
1100 i = 1; // first byte transmitted
1101 if(receivedCmd[0] == 0x26) {
1102 // Received a REQUEST
1103 resp = resp1; respLen = resp1Len; order = 1;
1104 //DbpString("Hello request from reader:");
1105 } else if(receivedCmd[0] == 0x52) {
1106 // Received a WAKEUP
1107 resp = resp1; respLen = resp1Len; order = 6;
1108 // //DbpString("Wakeup request from reader:");
1109
1110 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1111 // Received request for UID (cascade 1)
1112 resp = resp2; respLen = resp2Len; order = 2;
1113 // DbpString("UID (cascade 1) request from reader:");
1114 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1115
1116
1117 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1118 // Received request for UID (cascade 2)
1119 resp = resp2a; respLen = resp2aLen; order = 20;
1120 // DbpString("UID (cascade 2) request from reader:");
1121 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1122
1123
1124 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1125 // Received a SELECT
1126 resp = resp3; respLen = resp3Len; order = 3;
1127 // DbpString("Select (cascade 1) request from reader:");
1128 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1129
1130
1131 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1132 // Received a SELECT
1133 resp = resp3a; respLen = resp3aLen; order = 30;
1134 // DbpString("Select (cascade 2) request from reader:");
1135 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1136
1137
1138 } else if(receivedCmd[0] == 0x30) {
1139 // Received a READ
1140 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1141 DbpString("Read request from reader:");
1142 DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1143
1144
1145 } else if(receivedCmd[0] == 0x50) {
1146 // Received a HALT
1147 resp = resp1; respLen = 0; order = 5; // Do nothing
1148 DbpString("Reader requested we HALT!:");
1149
1150 } else if(receivedCmd[0] == 0x60) {
1151 // Received an authentication request
1152 resp = resp5; respLen = resp5Len; order = 7;
1153 DbpString("Authenticate request from reader:");
1154 DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1155
1156 } else if(receivedCmd[0] == 0xE0) {
1157 // Received a RATS request
1158 resp = resp1; respLen = 0;order = 70;
1159 DbpString("RATS request from reader:");
1160 DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1161 } else {
1162 // Never seen this command before
1163 DbpString("Unknown command received from reader:");
1164 DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1165 DbpIntegers(receivedCmd[3], receivedCmd[4], receivedCmd[5]);
1166 DbpIntegers(receivedCmd[6], receivedCmd[7], receivedCmd[8]);
1167
1168 // Do not respond
1169 resp = resp1; respLen = 0; order = 0;
1170 }
1171
1172 // Count number of wakeups received after a halt
1173 if(order == 6 && lastorder == 5) { happened++; }
1174
1175 // Count number of other messages after a halt
1176 if(order != 6 && lastorder == 5) { happened2++; }
1177
1178 // Look at last parity bit to determine timing of answer
1179 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1180 // 1236, so correction bit needed
1181 i = 0;
1182 }
1183
1184 memset(receivedCmd, 0x44, 32);
1185
1186 if(cmdsRecvd > 999) {
1187 DbpString("1000 commands later...");
1188 break;
1189 }
1190 else {
1191 cmdsRecvd++;
1192 }
1193
1194 if(respLen <= 0) continue;
1195
1196 // Modulate Manchester
1197 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1198 AT91C_BASE_SSC->SSC_THR = 0x00;
1199 FpgaSetupSsc();
1200
1201 // ### Transmit the response ###
1202 u = 0;
1203 b = 0x00;
1204 fdt_indicator = FALSE;
1205 for(;;) {
1206 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1207 volatile BYTE b = (BYTE)AT91C_BASE_SSC->SSC_RHR;
1208 (void)b;
1209 }
1210 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1211 if(i > respLen) {
1212 b = 0x00;
1213 u++;
1214 } else {
1215 b = resp[i];
1216 i++;
1217 }
1218 AT91C_BASE_SSC->SSC_THR = b;
1219
1220 if(u > 4) {
1221 break;
1222 }
1223 }
1224 if(BUTTON_PRESS()) {
1225 break;
1226 }
1227 }
1228
1229 }
1230
1231 DbpIntegers(happened, happened2, cmdsRecvd);
1232 LED_A_OFF();
1233 }
1234
1235 //-----------------------------------------------------------------------------
1236 // Transmit the command (to the tag) that was placed in ToSend[].
1237 //-----------------------------------------------------------------------------
1238 static void TransmitFor14443a(const BYTE *cmd, int len, int *samples, int *wait)
1239 {
1240 int c;
1241
1242 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1243
1244 if (wait)
1245 if(*wait < 10)
1246 *wait = 10;
1247
1248 for(c = 0; c < *wait;) {
1249 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1250 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1251 c++;
1252 }
1253 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1254 volatile DWORD r = AT91C_BASE_SSC->SSC_RHR;
1255 (void)r;
1256 }
1257 WDT_HIT();
1258 }
1259
1260 c = 0;
1261 for(;;) {
1262 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1263 AT91C_BASE_SSC->SSC_THR = cmd[c];
1264 c++;
1265 if(c >= len) {
1266 break;
1267 }
1268 }
1269 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1270 volatile DWORD r = AT91C_BASE_SSC->SSC_RHR;
1271 (void)r;
1272 }
1273 WDT_HIT();
1274 }
1275 if (samples) *samples = (c + *wait) << 3;
1276 }
1277
1278 //-----------------------------------------------------------------------------
1279 // To generate an arbitrary stream from reader
1280 //
1281 //-----------------------------------------------------------------------------
1282 void ArbitraryFromReader(const BYTE *cmd, int parity, int len)
1283 {
1284 int i;
1285 int j;
1286 int last;
1287 BYTE b;
1288
1289 ToSendReset();
1290
1291 // Start of Communication (Seq. Z)
1292 Sequence(SEC_Z);
1293 last = 0;
1294
1295 for(i = 0; i < len; i++) {
1296 // Data bits
1297 b = cmd[i];
1298 for(j = 0; j < 8; j++) {
1299 if(b & 1) {
1300 // Sequence X
1301 Sequence(SEC_X);
1302 last = 1;
1303 } else {
1304 if(last == 0) {
1305 // Sequence Z
1306 Sequence(SEC_Z);
1307 }
1308 else {
1309 // Sequence Y
1310 Sequence(SEC_Y);
1311 last = 0;
1312 }
1313 }
1314 b >>= 1;
1315
1316 }
1317
1318 // Predefined parity bit, the flipper flips when needed, because of flips in byte sent
1319 if(((parity >> (len - i - 1)) & 1)) {
1320 // Sequence X
1321 Sequence(SEC_X);
1322 last = 1;
1323 } else {
1324 if(last == 0) {
1325 // Sequence Z
1326 Sequence(SEC_Z);
1327 }
1328 else {
1329 // Sequence Y
1330 Sequence(SEC_Y);
1331 last = 0;
1332 }
1333 }
1334 }
1335
1336 // End of Communication
1337 if(last == 0) {
1338 // Sequence Z
1339 Sequence(SEC_Z);
1340 }
1341 else {
1342 // Sequence Y
1343 Sequence(SEC_Y);
1344 last = 0;
1345 }
1346 // Sequence Y
1347 Sequence(SEC_Y);
1348
1349 // Just to be sure!
1350 Sequence(SEC_Y);
1351 Sequence(SEC_Y);
1352 Sequence(SEC_Y);
1353
1354 // Convert from last character reference to length
1355 ToSendMax++;
1356 }
1357
1358 //-----------------------------------------------------------------------------
1359 // Code a 7-bit command without parity bit
1360 // This is especially for 0x26 and 0x52 (REQA and WUPA)
1361 //-----------------------------------------------------------------------------
1362 void ShortFrameFromReader(const BYTE bt)
1363 {
1364 int j;
1365 int last;
1366 BYTE b;
1367
1368 ToSendReset();
1369
1370 // Start of Communication (Seq. Z)
1371 Sequence(SEC_Z);
1372 last = 0;
1373
1374 b = bt;
1375 for(j = 0; j < 7; j++) {
1376 if(b & 1) {
1377 // Sequence X
1378 Sequence(SEC_X);
1379 last = 1;
1380 } else {
1381 if(last == 0) {
1382 // Sequence Z
1383 Sequence(SEC_Z);
1384 }
1385 else {
1386 // Sequence Y
1387 Sequence(SEC_Y);
1388 last = 0;
1389 }
1390 }
1391 b >>= 1;
1392 }
1393
1394 // End of Communication
1395 if(last == 0) {
1396 // Sequence Z
1397 Sequence(SEC_Z);
1398 }
1399 else {
1400 // Sequence Y
1401 Sequence(SEC_Y);
1402 last = 0;
1403 }
1404 // Sequence Y
1405 Sequence(SEC_Y);
1406
1407 // Just to be sure!
1408 Sequence(SEC_Y);
1409 Sequence(SEC_Y);
1410 Sequence(SEC_Y);
1411
1412 // Convert from last character reference to length
1413 ToSendMax++;
1414 }
1415
1416 //-----------------------------------------------------------------------------
1417 // Prepare reader command to send to FPGA
1418 //
1419 //-----------------------------------------------------------------------------
1420 void CodeIso14443aAsReaderPar(const BYTE * cmd, int len, DWORD dwParity)
1421 {
1422 int i, j;
1423 int last;
1424 BYTE b;
1425
1426 ToSendReset();
1427
1428 // Start of Communication (Seq. Z)
1429 Sequence(SEC_Z);
1430 last = 0;
1431
1432 // Generate send structure for the data bits
1433 for (i = 0; i < len; i++) {
1434 // Get the current byte to send
1435 b = cmd[i];
1436
1437 for (j = 0; j < 8; j++) {
1438 if (b & 1) {
1439 // Sequence X
1440 Sequence(SEC_X);
1441 last = 1;
1442 } else {
1443 if (last == 0) {
1444 // Sequence Z
1445 Sequence(SEC_Z);
1446 } else {
1447 // Sequence Y
1448 Sequence(SEC_Y);
1449 last = 0;
1450 }
1451 }
1452 b >>= 1;
1453 }
1454
1455 // Get the parity bit
1456 if ((dwParity >> i) & 0x01) {
1457 // Sequence X
1458 Sequence(SEC_X);
1459 last = 1;
1460 } else {
1461 if (last == 0) {
1462 // Sequence Z
1463 Sequence(SEC_Z);
1464 } else {
1465 // Sequence Y
1466 Sequence(SEC_Y);
1467 last = 0;
1468 }
1469 }
1470 }
1471
1472 // End of Communication
1473 if (last == 0) {
1474 // Sequence Z
1475 Sequence(SEC_Z);
1476 } else {
1477 // Sequence Y
1478 Sequence(SEC_Y);
1479 last = 0;
1480 }
1481 // Sequence Y
1482 Sequence(SEC_Y);
1483
1484 // Just to be sure!
1485 Sequence(SEC_Y);
1486 Sequence(SEC_Y);
1487 Sequence(SEC_Y);
1488
1489 // Convert from last character reference to length
1490 ToSendMax++;
1491 }
1492
1493 //-----------------------------------------------------------------------------
1494 // Wait a certain time for tag response
1495 // If a response is captured return TRUE
1496 // If it takes to long return FALSE
1497 //-----------------------------------------------------------------------------
1498 static BOOL GetIso14443aAnswerFromTag(BYTE *receivedResponse, int maxLen, int *samples, int *elapsed) //BYTE *buffer
1499 {
1500 // buffer needs to be 512 bytes
1501 int c;
1502
1503 // Set FPGA mode to "reader listen mode", no modulation (listen
1504 // only, since we are receiving, not transmitting).
1505 // Signal field is on with the appropriate LED
1506 LED_D_ON();
1507 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1508
1509 // Now get the answer from the card
1510 Demod.output = receivedResponse;
1511 Demod.len = 0;
1512 Demod.state = DEMOD_UNSYNCD;
1513
1514 BYTE b;
1515 if (elapsed) *elapsed = 0;
1516
1517 c = 0;
1518 for(;;) {
1519 WDT_HIT();
1520
1521 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1522 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1523 if (elapsed) (*elapsed)++;
1524 }
1525 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1526 if(c < 512) { c++; } else { return FALSE; }
1527 b = (BYTE)AT91C_BASE_SSC->SSC_RHR;
1528 if(ManchesterDecoding((b & 0xf0) >> 4)) {
1529 *samples = ((c - 1) << 3) + 4;
1530 return TRUE;
1531 }
1532 if(ManchesterDecoding(b & 0x0f)) {
1533 *samples = c << 3;
1534 return TRUE;
1535 }
1536 }
1537 }
1538 }
1539
1540 void ReaderTransmitShort(const BYTE* bt)
1541 {
1542 int wait = 0;
1543 int samples = 0;
1544
1545 ShortFrameFromReader(*bt);
1546
1547 // Select the card
1548 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1549
1550 // Store reader command in buffer
1551 LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1552 }
1553
1554 void ReaderTransmitPar(BYTE* frame, int len, DWORD par)
1555 {
1556 int wait = 0;
1557 int samples = 0;
1558
1559 // This is tied to other size changes
1560 // BYTE* frame_addr = ((BYTE*)BigBuf) + 2024;
1561
1562 CodeIso14443aAsReaderPar(frame,len,par);
1563
1564 // Select the card
1565 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1566
1567 // Store reader command in buffer
1568 LogTrace(frame,len,0,par,TRUE);
1569 }
1570
1571
1572 void ReaderTransmit(BYTE* frame, int len)
1573 {
1574 // Generate parity and redirect
1575 ReaderTransmitPar(frame,len,GetParity(frame,len));
1576 }
1577
1578 BOOL ReaderReceive(BYTE* receivedAnswer)
1579 {
1580 int samples = 0;
1581 if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
1582 LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1583 return TRUE;
1584 }
1585
1586 //-----------------------------------------------------------------------------
1587 // Read an ISO 14443a tag. Send out commands and store answers.
1588 //
1589 //-----------------------------------------------------------------------------
1590 void ReaderIso14443a(DWORD parameter)
1591 {
1592 // Anticollision
1593 BYTE wupa[] = { 0x52 };
1594 BYTE sel_all[] = { 0x93,0x20 };
1595 BYTE sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1596 BYTE sel_all_c2[] = { 0x95,0x20 };
1597 BYTE sel_uid_c2[] = { 0x95,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1598
1599 // Mifare AUTH
1600 BYTE mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1601 // BYTE mf_nr_ar[] = { 0x00,0x00,0x00,0x00 };
1602
1603 BYTE* receivedAnswer = (((BYTE *)BigBuf) + 3560); // was 3560 - tied to other size changes
1604 traceLen = 0;
1605
1606 // Setup SSC
1607 FpgaSetupSsc();
1608
1609 // Start from off (no field generated)
1610 // Signal field is off with the appropriate LED
1611 LED_D_OFF();
1612 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1613 SpinDelay(200);
1614
1615 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1616 FpgaSetupSsc();
1617
1618 // Now give it time to spin up.
1619 // Signal field is on with the appropriate LED
1620 LED_D_ON();
1621 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1622 SpinDelay(200);
1623
1624 LED_A_ON();
1625 LED_B_OFF();
1626 LED_C_OFF();
1627
1628 while(traceLen < TRACE_LENGTH)
1629 {
1630 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1631 ReaderTransmitShort(wupa);
1632
1633 // Test if the action was cancelled
1634 if(BUTTON_PRESS()) {
1635 break;
1636 }
1637
1638 // Receive the ATQA
1639 if (!ReaderReceive(receivedAnswer)) continue;
1640
1641 // Transmit SELECT_ALL
1642 ReaderTransmit(sel_all,sizeof(sel_all));
1643
1644 // Receive the UID
1645 if (!ReaderReceive(receivedAnswer)) continue;
1646
1647 // Construct SELECT UID command
1648 // First copy the 5 bytes (Mifare Classic) after the 93 70
1649 memcpy(sel_uid+2,receivedAnswer,5);
1650 // Secondly compute the two CRC bytes at the end
1651 AppendCrc14443a(sel_uid,7);
1652
1653 // Transmit SELECT_UID
1654 ReaderTransmit(sel_uid,sizeof(sel_uid));
1655
1656 // Receive the SAK
1657 if (!ReaderReceive(receivedAnswer)) continue;
1658
1659 // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in
1660 // which case we need to make a cascade 2 request and select - this is a long UID
1661 // When the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1662 if (receivedAnswer[0] &= 0x04)
1663 {
1664 // Transmit SELECT_ALL
1665 ReaderTransmit(sel_all_c2,sizeof(sel_all_c2));
1666
1667 // Receive the UID
1668 if (!ReaderReceive(receivedAnswer)) continue;
1669
1670 // Construct SELECT UID command
1671 memcpy(sel_uid_c2+2,receivedAnswer,5);
1672 // Secondly compute the two CRC bytes at the end
1673 AppendCrc14443a(sel_uid_c2,7);
1674
1675 // Transmit SELECT_UID
1676 ReaderTransmit(sel_uid_c2,sizeof(sel_uid_c2));
1677
1678 // Receive the SAK
1679 if (!ReaderReceive(receivedAnswer)) continue;
1680 }
1681
1682 // Transmit MIFARE_CLASSIC_AUTH
1683 ReaderTransmit(mf_auth,sizeof(mf_auth));
1684
1685 // Receive the (16 bit) "random" nonce
1686 if (!ReaderReceive(receivedAnswer)) continue;
1687 }
1688
1689 // Thats it...
1690 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1691 LEDsoff();
1692 DbpIntegers(rsamples, 0xCC, 0xCC);
1693 DbpString("ready..");
1694 }
Proxmark3 GIT tracking
Impressum, Datenschutz