//-----------------------------------------------------------------------------
// LEGIC RF simulation code
//-----------------------------------------------------------------------------
-
#include "legicrf.h"
static struct legic_frame {
//#define RWD_TIME_0 90 /* RWD_TIME_PAUSE off, 40us on = 60us */
//#define RWD_TIME_PAUSE 30 /* 20us */
-// testing calculating in ticks instead of (us) microseconds.
+// testing calculating in (us) microseconds.
#define RWD_TIME_1 120 // READER_TIME_PAUSE 20us off, 80us on = 100us 80 * 1.5 == 120ticks
#define RWD_TIME_0 60 // READER_TIME_PAUSE 20us off, 40us on = 60us 40 * 1.5 == 60ticks
#define RWD_TIME_PAUSE 30 // 20us == 20 * 1.5 == 30ticks */
#define FUZZ_EQUAL(value, target, fuzz) ((value) > ((target)-(fuzz)) && (value) < ((target)+(fuzz)))
#ifndef SHORT_COIL
-//#define LOW(x) AT91C_BASE_PIOA->PIO_CODR = (x)
# define SHORT_COIL LOW(GPIO_SSC_DOUT);
#endif
#ifndef OPEN_COIL
-//#define HIGH(x) AT91C_BASE_PIOA->PIO_SODR = (x)
# define OPEN_COIL HIGH(GPIO_SSC_DOUT);
#endif
-uint32_t stop_send_frame_us = 0;
+uint32_t sendFrameStop = 0;
// Pause pulse, off in 20us / 30ticks,
// ONE / ZERO bit pulse,
// one == 80us / 120ticks
// zero == 40us / 60ticks
#ifndef COIL_PULSE
-# define COIL_PULSE(x) { \
+# define COIL_PULSE(x) \
+ do { \
SHORT_COIL; \
- Wait(RWD_TIME_PAUSE); \
+ WaitTicks( (RWD_TIME_PAUSE) ); \
OPEN_COIL; \
- Wait((x)); \
- }
-#endif
-#ifndef GET_TICKS
-# define GET_TICKS AT91C_BASE_TC0->TC_CV
+ WaitTicks((x)); \
+ } while (0)
#endif
// ToDo: define a meaningful maximum size for auth_table. The bigger this is, the lower will be the available memory for traces.
#define LEGIC_CARD_MEMSIZE 1024
static uint8_t* cardmem;
-static void Wait(uint32_t time){
- if ( time == 0 ) return;
- time += GET_TICKS;
- while (GET_TICKS < time);
-}
-// Starts Clock and waits until its reset
-static void Reset(AT91PS_TC clock){
- clock->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
- while(clock->TC_CV > 1) ;
-}
-
-// Starts Clock and waits until its reset
-static void ResetClock(void){
- Reset(timer);
-}
-
static void frame_append_bit(struct legic_frame * const f, int bit) {
// Overflow, won't happen
if (f->bits >= 31) return;
// and while sending/receiving in bit frames (100, 60)
/*static void CalibratePrng( uint32_t time){
// Calculate Cycles based on timer 100us
- uint32_t i = (time - stop_send_frame_us) / 100 ;
+ uint32_t i = (time - sendFrameStop) / 100 ;
// substract cycles of finished frames
int k = i - legic_prng_count()+1;
*/
/* Generate Keystream */
-static uint32_t get_key_stream(int skip, int count)
-{
+uint32_t get_key_stream(int skip, int count) {
uint32_t key = 0;
int i;
legic_prng_bc += prng_timer->TC_CV;
// reset the prng timer.
- Reset(prng_timer);
+ ResetTimer(prng_timer);
/* If skip == -1, forward prng time based */
if(skip == -1) {
/* Send a frame in tag mode, the FPGA must have been set up by
* LegicRfSimulate
*/
-static void frame_send_tag(uint16_t response, uint8_t bits, uint8_t crypt) {
+void frame_send_tag(uint16_t response, uint8_t bits, uint8_t crypt) {
/* Bitbang the response */
LOW(GPIO_SSC_DOUT);
AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
}
/* Wait for the frame start */
- Wait( TAG_FRAME_WAIT );
+ WaitUS( TAG_FRAME_WAIT );
uint8_t bit = 0;
for(int i = 0; i < bits; i++) {
else
LOW(GPIO_SSC_DOUT);
- Wait(100);
+ WaitUS(100);
}
LOW(GPIO_SSC_DOUT);
}
/* Send a frame in reader mode, the FPGA must have been set up by
* LegicRfReader
*/
-static void frame_sendAsReader(uint32_t data, uint8_t bits){
+void frame_sendAsReader(uint32_t data, uint8_t bits){
uint32_t starttime = GET_TICKS, send = 0;
uint16_t mask = 1;
// Final pause to mark the end of the frame
COIL_PULSE(0);
- stop_send_frame_us = GET_TICKS;
+ sendFrameStop = GET_TICKS;
uint8_t cmdbytes[] = {
BYTEx(data, 0),
BYTEx(data, 1),
prng1,
legic_prng_count()
};
- LogTrace(cmdbytes, sizeof(cmdbytes), starttime, stop_send_frame_us, NULL, TRUE);
+ LogTrace(cmdbytes, sizeof(cmdbytes), starttime, sendFrameStop, NULL, TRUE);
}
/* Receive a frame from the card in reader emulation mode, the FPGA and
static void frame_receiveAsReader(struct legic_frame * const f, uint8_t bits) {
frame_clean(f);
+ if ( bits > 32 ) return;
- uint8_t i = 0, edges = 0;
+ uint8_t i = bits, edges = 0;
uint16_t lsfr = 0;
uint32_t the_bit = 1, next_bit_at = 0, data;
+
int old_level = 0, level = 0;
-
- if(bits > 32) bits = 32;
-
+
AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_DIN;
AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DIN;
data = lsfr;
//FIXED time between sending frame and now listening frame. 330us
- Wait( TAG_FRAME_WAIT );
+ //WaitTicks( TAG_FRAME_WAIT - (GET_TICKS - sendFrameStop ) );
+ WaitTicks( 495 );
uint32_t starttime = GET_TICKS;
-
next_bit_at = GET_TICKS + TAG_BIT_PERIOD;
-
- for( i = 0; i < bits; i++) {
+
+ while ( i-- ){
edges = 0;
+ uint8_t adjust = 0;
while ( GET_TICKS < next_bit_at) {
level = (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_DIN);
++edges;
old_level = level;
- }
+
+ if(edges > 20 && adjust == 0) {
+ next_bit_at -= 15;
+ adjust = 1;
+ }
+ }
+
next_bit_at += TAG_BIT_PERIOD;
// We expect 42 edges == ONE
- if(edges > 20 && edges < 60) {
+ if(edges > 20 && edges < 64)
data ^= the_bit;
- }
- the_bit <<= 1;
+
+ the_bit <<= 1;
}
// output
f->bits = bits;
// log
- stop_send_frame_us = GET_TICKS;
+ sendFrameStop = GET_TICKS;
uint8_t cmdbytes[] = {
BYTEx(data,0),
bits,
BYTEx(lsfr,0),
BYTEx(lsfr,1),
+ BYTEx(data, 0) ^ BYTEx(lsfr,0),
+ BYTEx(data, 1) ^ BYTEx(lsfr,1),
prng_before,
legic_prng_count()
};
- LogTrace(cmdbytes, sizeof(cmdbytes), starttime, stop_send_frame_us, NULL, FALSE);
+ LogTrace(cmdbytes, sizeof(cmdbytes), starttime, sendFrameStop, NULL, FALSE);
}
// Setup pm3 as a Legic Reader
-static uint32_t perform_setup_phase_rwd(uint8_t iv) {
-
+static uint32_t setup_phase_reader(uint8_t iv) {
+
// Switch on carrier and let the tag charge for 1ms
HIGH(GPIO_SSC_DOUT);
- SpinDelay(40);
+ WaitUS(1000);
- ResetUSClock();
+ ResetTicks();
// no keystream yet
legic_prng_init(0);
frame_receiveAsReader(¤t_frame, 6);
// fixed delay before sending ack.
- Wait(TAG_FRAME_WAIT);
- legic_prng_forward(4);
+ WaitTicks(366); // 244us
+ legic_prng_forward(1); //240us / 100 == 2.4 iterations
// Send obsfuscated acknowledgment frame.
// 0x19 = 0x18 MIM22, 0x01 LSB READCMD
// 0x39 = 0x38 MIM256, MIM1024 0x01 LSB READCMD
switch ( current_frame.data ) {
- case 0x0D:
- frame_sendAsReader(0x19, 6);
- break;
- case 0x1D:
- case 0x3D:
- frame_sendAsReader(0x39, 6);
- break;
- default:
- break;
+ case 0x0D: frame_sendAsReader(0x19, 6); break;
+ case 0x1D:
+ case 0x3D: frame_sendAsReader(0x39, 6); break;
+ default: break;
}
return current_frame.data;
}
-static void LegicCommonInit(void) {
+static void LegicCommonInit(void) {
+
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX);
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
- FpgaSetupSsc();
/* Bitbang the transmitter */
LOW(GPIO_SSC_DOUT);
set_tracing(TRUE);
crc_init(&legic_crc, 4, 0x19 >> 1, 0x5, 0);
- StartCountUS();
+ StartTicks();
}
// Switch off carrier, make sure tag is reset
static void switch_off_tag_rwd(void) {
LOW(GPIO_SSC_DOUT);
- SpinDelay(10);
+ WaitUS(200);
WDT_HIT();
+ Dbprintf("Exit Switch_off_tag_rwd");
}
// calculate crc4 for a legic READ command
// 5,8,10 address size.
static uint32_t legic4Crc(uint8_t legicCmd, uint16_t byte_index, uint8_t value, uint8_t cmd_sz) {
crc_clear(&legic_crc);
- uint32_t temp = (value << cmd_sz) | (byte_index << 1) | legicCmd;
- crc_update(&legic_crc, temp, cmd_sz + 8 );
+ //uint32_t temp = (value << cmd_sz) | (byte_index << 1) | legicCmd;
+ //crc_update(&legic_crc, temp, cmd_sz + 8 );
+ crc_update(&legic_crc, 1, 1); /* CMD_READ */
+ crc_update(&legic_crc, byte_index, cmd_sz-1);
+ crc_update(&legic_crc, value, 8);
return crc_finish(&legic_crc);
}
int legic_read_byte(int byte_index, int cmd_sz) {
- uint8_t byte = 0, crc = 0;
- uint32_t calcCrc = 0;
+ // (us)| ticks
+ // -------------
+ // 330 | 495
+ // 460 | 690
+ // 258 | 387
+ // 244 | 366
+ WaitTicks(366);
+ legic_prng_forward(3); // 460 / 100 = 4.6 iterations
+
+ uint8_t byte = 0, crc = 0, calcCrc = 0;
uint32_t cmd = (byte_index << 1) | LEGIC_READ;
- Wait(TAG_FRAME_WAIT);
-
frame_sendAsReader(cmd, cmd_sz);
frame_receiveAsReader(¤t_frame, 12);
Dbprintf("!!! crc mismatch: expected %x but got %x !!!", calcCrc, crc);
return -1;
}
- legic_prng_forward(4);
+
+
+// legic_prng_forward(2); // 460 / 100 = 4.6 iterations
return byte;
}
legic_prng_forward(2); /* we wait anyways */
- Wait(TAG_FRAME_WAIT);
+ WaitUS(TAG_FRAME_WAIT);
frame_sendAsReader(cmd, cmd_sz);
int t, old_level = 0, edges = 0;
int next_bit_at = 0;
- Wait(TAG_FRAME_WAIT);
+ WaitUS(TAG_FRAME_WAIT);
for( t = 0; t < 80; ++t) {
edges = 0;
int t = timer->TC_CV;
int c = t / TAG_BIT_PERIOD;
- ResetClock();
+ ResetTimer(timer);
legic_prng_forward(c);
return 0;
}
}
- ResetClock();
+ ResetTimer(timer);
return -1;
}
uint16_t byte_index = 0;
uint8_t cmd_sz = 0;
int card_sz = 0;
-
+ uint8_t isOK = 1;
+
if ( MF_DBGLEVEL >= 2)
- Dbprintf("setting up legic card, IV = 0x%03.3x", iv);
+ Dbprintf("setting up legic card, IV = 0x%02x", iv);
LegicCommonInit();
- uint32_t tag_type = perform_setup_phase_rwd(iv);
+ uint32_t tag_type = setup_phase_reader(iv);
//we lose to mutch time with dprintf
switch_off_tag_rwd();
break;
default:
if ( MF_DBGLEVEL >= 1) Dbprintf("Unknown card format: %x", tag_type);
- return 1;
+ isOK = 0;
+ goto OUT;
+ break;
}
if (bytes == -1)
bytes = card_sz;
bytes = card_sz - offset;
// Start setup and read bytes.
- perform_setup_phase_rwd(iv);
-
+ setup_phase_reader(iv);
+
LED_B_ON();
while (byte_index < bytes) {
int r = legic_read_byte(byte_index + offset, cmd_sz);
if (r == -1 || BUTTON_PRESS()) {
- switch_off_tag_rwd();
- LEDsoff();
if ( MF_DBGLEVEL >= 2) DbpString("operation aborted");
- cmd_send(CMD_ACK,0,0,0,0,0);
- return 1;
+ isOK = 0;
+ goto OUT;
}
cardmem[++byte_index] = r;
- //byte_index++;
+ //byte_index++;
WDT_HIT();
}
+OUT:
switch_off_tag_rwd();
LEDsoff();
uint8_t len = (bytes & 0x3FF);
- cmd_send(CMD_ACK,1,len,0,0,0);
+ cmd_send(CMD_ACK,isOK,len,0,cardmem,len);
return 0;
}
int byte_index=0;
LED_B_ON();
- perform_setup_phase_rwd(iv);
+ setup_phase_reader(iv);
//legic_prng_forward(2);
while(byte_index < bytes) {
int r;
if ( MF_DBGLEVEL >= 2) DbpString("setting up legic card");
- uint32_t tag_type = perform_setup_phase_rwd(iv);
+ uint32_t tag_type = setup_phase_reader(iv);
switch_off_tag_rwd();
}
LED_B_ON();
- perform_setup_phase_rwd(iv);
+ setup_phase_reader(iv);
int r = 0;
while(byte_index < bytes) {
if ( MF_DBGLEVEL >= 2) DbpString("setting up legic card");
- uint32_t tag_type = perform_setup_phase_rwd(iv);
+ uint32_t tag_type = setup_phase_reader(iv);
switch_off_tag_rwd();
Dbprintf("integer value: %d address: %d addr_sz: %d", byte, address, addr_sz);
LED_B_ON();
- perform_setup_phase_rwd(iv);
+ setup_phase_reader(iv);
int r = legic_write_byte(byte, address, addr_sz);
LED_C_ON();
// Reset prng timer
- Reset(prng_timer);
+ ResetTimer(prng_timer);
legic_prng_init(f->data);
frame_send_tag(0x3d, 6, 1); /* 0x3d^0x26 = 0x1B */
legic_prng_iv = f->data;
- ResetClock();
- Wait(280);
+ ResetTimer(timer);
+ WaitUS(280);
return;
}
if((f->bits == 6) && (f->data == xored)) {
legic_state = STATE_CON;
- ResetClock();
- Wait(200);
+ ResetTimer(timer);
+ WaitUS(200);
return;
} else {
frame_send_tag(hash | data, 12, 1);
- ResetClock();
+ ResetTimer(timer);
legic_prng_forward(2);
- Wait(180);
+ WaitUS(180);
return;
}
}
LEDsoff();
}
-//-----------------------------------------------------------------------------
-//-----------------------------------------------------------------------------
-
-
//-----------------------------------------------------------------------------
// Code up a string of octets at layer 2 (including CRC, we don't generate
// that here) so that they can be transmitted to the reader. Doesn't transmit
projects / proxmark3-svn / blobdiff