FIX: fixed a little bug I introduced from last commit in fskdemod
index 7289abbc2a465250a222cb3f07a6e111a4f1fe9a..74705b4935acb63832d653e45b13b33ab33fefe0 100644 (file)
 //
 //-----------------------------------------------------------------------------
 
-#include "proxmark3.h"
+#include "../include/proxmark3.h"
 #include "apps.h"
 #include "util.h"
 #include "string.h"
 #include "common.h"
+#include "cmd.h"
 // Needed for CRC in emulation mode;
 // same construction as in ISO 14443;
 // different initial value (CRC_ICLASS)
-#include "iso14443crc.h"
+#include "../common/iso14443crc.h"
+#include "../common/iso15693tools.h"
+#include "iso15693tools.h"
+
 
 static int timeout = 4096;
 
@@ -69,14 +73,13 @@ static struct {
     int     nOutOfCnt;
     int     OutOfCnt;
     int     syncBit;
-    int     parityBits;
     int     samples;
     int     highCnt;
     int     swapper;
     int     counter;
     int     bitBuffer;
     int     dropPosition;
-    uint8_t   *output;
+    uint8_t *output;
 } Uart;
 
 static RAMFUNC int OutOfNDecoding(int bit)
@@ -135,11 +138,8 @@ static RAMFUNC int OutOfNDecoding(int bit)
                                        if(Uart.byteCnt == 0) {
                                                // Its not straightforward to show single EOFs
                                                // So just leave it and do not return TRUE
-                                               Uart.output[Uart.byteCnt] = 0xf0;
+                                               Uart.output[0] = 0xf0;
                                                Uart.byteCnt++;
-
-                                               // Calculate the parity bit for the client...
-                                               Uart.parityBits = 1;
                                        }
                                        else {
                                                return TRUE;
@@ -221,11 +221,6 @@ static RAMFUNC int OutOfNDecoding(int bit)
                                                if(Uart.bitCnt == 8) {
                                                        Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
                                                        Uart.byteCnt++;
-
-                                                       // Calculate the parity bit for the client...
-                                                       Uart.parityBits <<= 1;
-                                                       Uart.parityBits ^= OddByteParity[(Uart.shiftReg & 0xff)];
-
                                                        Uart.bitCnt = 0;
                                                        Uart.shiftReg = 0;
                                                }
@@ -244,11 +239,6 @@ static RAMFUNC int OutOfNDecoding(int bit)
                                        Uart.dropPosition--;
                                        Uart.output[Uart.byteCnt] = (Uart.dropPosition & 0xff);
                                        Uart.byteCnt++;
-
-                                       // Calculate the parity bit for the client...
-                                       Uart.parityBits <<= 1;
-                                       Uart.parityBits ^= OddByteParity[(Uart.dropPosition & 0xff)];
-
                                        Uart.bitCnt = 0;
                                        Uart.shiftReg = 0;
                                        Uart.nOutOfCnt = 0;
@@ -309,7 +299,6 @@ static RAMFUNC int OutOfNDecoding(int bit)
                                Uart.state = STATE_START_OF_COMMUNICATION;
                                Uart.bitCnt = 0;
                                Uart.byteCnt = 0;
-                               Uart.parityBits = 0;
                                Uart.nOutOfCnt = 0;
                                Uart.OutOfCnt = 4; // Start at 1/4, could switch to 1/256
                                Uart.dropPosition = 0;
@@ -351,7 +340,6 @@ static struct {
     int     bitCount;
     int     posCount;
        int     syncBit;
-       int     parityBits;
     uint16_t    shiftReg;
        int     buffer;
        int     buffer2;
@@ -418,7 +406,6 @@ static RAMFUNC int ManchesterDecoding(int v)
                        Demod.sub = SUB_FIRST_HALF;
                        Demod.bitCount = 0;
                        Demod.shiftReg = 0;
-                       Demod.parityBits = 0;
                        Demod.samples = 0;
                        if(Demod.posCount) {
                                //if(trigger) LED_A_OFF();  // Not useful in this case...
@@ -448,8 +435,7 @@ static RAMFUNC int ManchesterDecoding(int v)
        else {
                modulation = bit & Demod.syncBit;
                modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
-               //modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
-
+       
                Demod.samples += 4;
 
                if(Demod.posCount==0) {
@@ -483,8 +469,6 @@ static RAMFUNC int ManchesterDecoding(int v)
                                if(Demod.state == DEMOD_SOF_COMPLETE) {
                                        Demod.output[Demod.len] = 0x0f;
                                        Demod.len++;
-                                       Demod.parityBits <<= 1;
-                                       Demod.parityBits ^= OddByteParity[0x0f];
                                        Demod.state = DEMOD_UNSYNCD;
 //                                     error = 0x0f;
                                        return TRUE;
@@ -565,11 +549,9 @@ static RAMFUNC int ManchesterDecoding(int v)
                                        // Tag response does not need to be a complete byte!
                                        if(Demod.len > 0 || Demod.bitCount > 0) {
                                                if(Demod.bitCount > 1) {  // was > 0, do not interpret last closing bit, is part of EOF
-                                                       Demod.shiftReg >>= (9 - Demod.bitCount);
+                                                       Demod.shiftReg >>= (9 - Demod.bitCount);        // right align data
                                                        Demod.output[Demod.len] = Demod.shiftReg & 0xff;
                                                        Demod.len++;
-                                                       // No parity bit, so just shift a 0
-                                                       Demod.parityBits <<= 1;
                                                }
 
                                                Demod.state = DEMOD_UNSYNCD;
@@ -606,11 +588,6 @@ static RAMFUNC int ManchesterDecoding(int v)
                                Demod.shiftReg >>= 1;
                                Demod.output[Demod.len] = (Demod.shiftReg & 0xff);
                                Demod.len++;
-
-                               // FOR ISO15639 PARITY NOT SEND OTA, JUST CALCULATE IT FOR THE CLIENT
-                               Demod.parityBits <<= 1;
-                               Demod.parityBits ^= OddByteParity[(Demod.shiftReg & 0xff)];
-
                                Demod.bitCount = 0;
                                Demod.shiftReg = 0;
                        }
@@ -667,8 +644,10 @@ void RAMFUNC SnoopIClass(void)
        // So 32 should be enough!
        uint8_t *readerToTagCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
     // The response (tag -> reader) that we're receiving.
-       uint8_t *tagToReaderResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
+       uint8_t *tagToReaderResponse = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);
 
+    FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
     // reset traceLen to 0
     iso14a_set_tracing(TRUE);
     iso14a_clear_trace();
@@ -765,10 +744,10 @@ void RAMFUNC SnoopIClass(void)
 
                        //if(!LogTrace(Uart.output,Uart.byteCnt, rsamples, Uart.parityBits,TRUE)) break;
                        //if(!LogTrace(NULL, 0, Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER, 0, TRUE)) break;
-                       if(tracing)
-                       {
-                               LogTrace(Uart.output,Uart.byteCnt, (GetCountSspClk()-time_0) << 4, Uart.parityBits,TRUE);
-                               LogTrace(NULL, 0, (GetCountSspClk()-time_0) << 4, 0, TRUE);
+                       if(tracing) {
+                               uint8_t parity[MAX_PARITY_SIZE];
+                               GetParity(Uart.output, Uart.byteCnt, parity);
+                               LogTrace(Uart.output,Uart.byteCnt, (GetCountSspClk()-time_0) << 4, (GetCountSspClk()-time_0) << 4, parity, TRUE);
                        }
 
 
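Review bot: The two commented-out LogTrace calls kept above the new `if(tracing)` block still name `Uart.parityBits`, the field this commit deletes from the Uart struct, so they can never be revived as written and should be removed rather than left as a reference. In the new call `(GetCountSspClk()-time_0) << 4` is evaluated twice for the start and end timestamps, so the two values can differ by however long the first call took; compute it once, `uint32_t ts = (GetCountSspClk()-time_0) << 4;` and pass `ts, ts`. The same double evaluation appears in the next hunk's Demod branch. `GetParity(Uart.output, Uart.byteCnt, parity)` writes into a `MAX_PARITY_SIZE` stack buffer, and nothing visible here ties Uart.byteCnt to that bound — presumably the decoder caps it, but a comment stating the relationship would help. The enclosing SnoopIClass loop starts and ends outside the hunk.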
@@ -789,10 +768,10 @@ void RAMFUNC SnoopIClass(void)
                    rsamples = samples - Demod.samples;
                    LED_B_ON();
 
-                       if(tracing)
-                       {
-                               LogTrace(Demod.output,Demod.len, (GetCountSspClk()-time_0) << 4 , Demod.parityBits,FALSE);
-                               LogTrace(NULL, 0, (GetCountSspClk()-time_0) << 4, 0, FALSE);
+                       if(tracing) {
+                               uint8_t parity[MAX_PARITY_SIZE];
+                               GetParity(Demod.output, Demod.len, parity);
+                               LogTrace(Demod.output, Demod.len, (GetCountSspClk()-time_0) << 4, (GetCountSspClk()-time_0) << 4, parity, FALSE);
                        }
 
 
@@ -864,10 +843,7 @@ static int GetIClassCommandFromReader(uint8_t *received, int *len, int maxLen)
         }
         if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
             uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-                       /*if(OutOfNDecoding((b & 0xf0) >> 4)) {
-                               *len = Uart.byteCnt;
-                               return TRUE;
-                       }*/
+
                        if(OutOfNDecoding(b & 0x0f)) {
                                *len = Uart.byteCnt;
                                return TRUE;
@@ -954,7 +930,7 @@ static void CodeIClassTagSOF()
        // Convert from last byte pos to length
        ToSendMax++;
 }
-
+int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf);
 /**
  * @brief SimulateIClass simulates an iClass card.
  * @param arg0 type of simulation
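Review bot: The new prototype `int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf);` replaces the blank line after CodeIClassTagSOF's closing brace and sits flush against the Doxygen block of SimulateIClass, so it reads as part of that function's documentation. Move it up to the file's declarations or at least separate it with a blank line on each side. The other file-local helpers in this hunk's neighbourhood (`static void CodeIClassTagSOF`, `static int GetIClassCommandFromReader`) are `static`; if no other translation unit calls doIClassSimulation, the prototype and definition should be `static` too, which I cannot confirm from here.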
@@ -971,43 +947,49 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain
 {
        uint32_t simType = arg0;
        uint32_t numberOfCSNS = arg1;
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 
        // Enable and clear the trace
        iso14a_set_tracing(TRUE);
        iso14a_clear_trace();
 
        uint8_t csn_crc[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
-
        if(simType == 0) {
                // Use the CSN from commandline
                memcpy(csn_crc, datain, 8);
-               doIClassSimulation(csn_crc,0);
+               doIClassSimulation(csn_crc,0,NULL);
        }else if(simType == 1)
        {
-               doIClassSimulation(csn_crc,0);
+               doIClassSimulation(csn_crc,0,NULL);
        }
        else if(simType == 2)
        {
-               Dbprintf("Going into attack mode");
+
+               uint8_t mac_responses[64] = { 0 };
+               Dbprintf("Going into attack mode, %d CSNS sent", numberOfCSNS);
                // In this mode, a number of csns are within datain. We'll simulate each one, one at a time
                // in order to collect MAC's from the reader. This can later be used in an offlne-attack
                // in order to obtain the keys, as in the "dismantling iclass"-paper.
-               for(int i = 0 ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE; i++)
+               int i = 0;
+               for( ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE; i++)
                {
                        // The usb data is 512 bytes, fitting 65 8-byte CSNs in there.
 
                        memcpy(csn_crc, datain+(i*8), 8);
-                       if(doIClassSimulation(csn_crc,1))
+                       if(doIClassSimulation(csn_crc,1,mac_responses+i*8))
                        {
                                return; // Button pressed
                        }
                }
+               cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8);
+
        }
        else{
                // We may want a mode here where we hardcode the csns to use (from proxclone).
                // That will speed things up a little, but not required just yet.
                Dbprintf("The mode is not implemented, reserved for future use");
        }
+       Dbprintf("Done...");
 
 }
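Review bot: `mac_responses` is a 64-byte stack array, but the loop `for( ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE; i++)` bounds `i` only by the USB payload, which the comment on the next line says holds up to 65 CSNs, and each iteration passes `mac_responses+i*8` to doIClassSimulation, which in a later hunk copies 8 bytes into it; any `numberOfCSNS` above 8 therefore writes past the end of the array, and the following `cmd_send(..., mac_responses, i*8)` reads past it too. Either size the array to the same bound as datain or add its capacity to the loop condition: `for( ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE && (i+1)*8 <= sizeof(mac_responses); i++)`. Separately, `numberOfCSNS` is `uint32_t` while `i` is `int`, so the comparison mixes signedness and the `%d` in `Dbprintf("Going into attack mode, %d CSNS sent", numberOfCSNS)` does not match the argument type.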
 /**
@@ -1015,9 +997,8 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain
  * @param csn - csn to use
  * @param breakAfterMacReceived if true, returns after reader MAC has been received.
  */
-int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived)
+int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf)
 {
-
        // CSN followed by two CRC bytes
        uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
        uint8_t response3[] = { 0,0,0,0,0,0,0,0,0,0};
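Review bot: The Doxygen block above the signature documents `csn` and `breakAfterMacReceived` but not the new `reader_mac_buf` parameter, and the return value, which SimulateIClass treats as "button pressed", is undocumented as well. Add `@param reader_mac_buf - if non-NULL, receives the 8 bytes that follow the 0x05 command byte when breakAfterMacReceived is set; the caller must provide at least 8 bytes` and `@return non-zero if the user button was pressed during the simulation`. The function body continues past the end of this hunk.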
@@ -1068,7 +1049,7 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived)
 
        // + 1720..
        uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
-       memset(receivedCmd, 0x44, RECV_CMD_SIZE);
+       memset(receivedCmd, 0x44, MAX_FRAME_SIZE);
        int len;
 
        // Prepare card messages
@@ -1092,10 +1073,11 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived)
 
 
        // Start from off (no field generated)
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-       SpinDelay(200);
-
-
+       //FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       //SpinDelay(200);
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
+       SpinDelay(100);
+       StartCountSspClk();
        // We need to listen to the high-frequency, peak-detected path.
        SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
        FpgaSetupSsc();
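Review bot: The old `FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);` and `SpinDelay(200);` lines are commented out rather than deleted, and the next hunk adds a `/** Hack for testing ... end hack **/` block that is likewise code kept inside a comment; both belong in git history, not in the source, and the `/** ... **/` form is also the Doxygen marker so the hack block would be picked up as documentation. The replacement drops the field-off settling period and goes straight to `FPGA_HF_ISO14443A_TAGSIM_LISTEN` with a 100 ms delay while the comment above still says "Start from off (no field generated)"; if the new ordering is deliberate, update the comment to say why the off phase is no longer needed.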
@@ -1107,10 +1089,14 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived)
        uint32_t r2t_time =0;
 
        LED_A_ON();
-       bool displayDebug = true;
        bool buttonPressed = false;
+
+       /** Hack  for testing
+       memcpy(reader_mac_buf,csn,8);
+       exitLoop = true;
+       end hack **/
+
        while(!exitLoop) {
-               displayDebug = true;
 
                LED_B_OFF();
                //Signal tracer
@@ -1131,13 +1117,11 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived)
                        resp = resp1; respLen = resp1Len; //order = 1;
                        respdata = &sof;
                        respsize = sizeof(sof);
-                       displayDebug = false;
                } else if(receivedCmd[0] == 0x0c) {
                        // Reader asks for anticollission CSN
                        resp = resp2; respLen = resp2Len; //order = 2;
                        respdata = response2;
                        respsize = sizeof(response2);
-                       //displayDebug = false;
                        //DbpString("Reader requests anticollission CSN:");
                } else if(receivedCmd[0] == 0x81) {
                        // Reader selects anticollission CSN.
@@ -1155,18 +1139,22 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived)
                } else if(receivedCmd[0] == 0x05) {
                        // Reader random and reader MAC!!!
                        // Do not respond
-                       // We do not know what to answer, so lets keep quit
+            // We do not know what to answer, so lets keep quiet
                        resp = resp1; respLen = 0; //order = 5;
                        respdata = NULL;
                        respsize = 0;
                        if (breakAfterMacReceived){
-                               // TODO, actually return this to the caller instead of just
                                // dbprintf:ing ...
-                               Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x");
+                               Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x"
+                                                  ,csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
                                Dbprintf("RDR:  (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",len,
-                                                receivedCmd[0], receivedCmd[1], receivedCmd[2],
+                                               receivedCmd[0], receivedCmd[1], receivedCmd[2],
                                                receivedCmd[3], receivedCmd[4], receivedCmd[5],
                                                receivedCmd[6], receivedCmd[7], receivedCmd[8]);
+                               if (reader_mac_buf != NULL)
+                               {
+                                       memcpy(reader_mac_buf,receivedCmd+1,8);
+                               }
                                exitLoop = true;
                        }
                } else if(receivedCmd[0] == 0x00 && len == 1) {
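Review bot: The new `memcpy(reader_mac_buf,receivedCmd+1,8)` copies 8 bytes regardless of `len`; the branch only tests `receivedCmd[0] == 0x05`, so a short frame hands the caller the 0x44 filler that receivedCmd is memset to, which is then reported as if it were reader data. Guard the copy with the frame length: `if (reader_mac_buf != NULL && len >= 9)`. The comment above the first Dbprintf is now an orphan fragment, `// dbprintf:ing ...`, after its leading line was removed; delete it or restore a complete sentence. The indentation of the replaced comment line also switched from tabs to spaces, unlike the surrounding lines.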
@@ -1190,7 +1178,7 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived)
 
                if(cmdsRecvd >  100) {
                        //DbpString("100 commands later...");
-                       break;
+                       //break;
                }
                else {
                        cmdsRecvd++;
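Review bot: Commenting out the `break;` leaves `if(cmdsRecvd >  100)` with an empty body and a stale `//DbpString("100 commands later...")` comment, while the counter is only incremented in the else branch and its only other use, the Dbprintf at the end of the function, is commented out in a later hunk. Either remove the if/else and the counter, or keep the break and add a comment explaining why 100 commands was the wrong limit. The enclosing while loop starts and ends outside the hunk.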
@@ -1199,33 +1187,16 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived)
                if(respLen > 0) {
                        SendIClassAnswer(resp, respLen, 21);
                        t2r_time = GetCountSspClk();
-
-//                     }
-                       if(displayDebug) Dbprintf("R2T:(len=%d): %x %x %x %x %x %x %x %x %x\nT2R: (total/data =%d/%d): %x %x %x %x %x %x %x %x %x",
-                       len,
-                       receivedCmd[0], receivedCmd[1], receivedCmd[2],
-                       receivedCmd[3], receivedCmd[4], receivedCmd[5],
-                       receivedCmd[6], receivedCmd[7], receivedCmd[8],
-                       respLen,respsize,
-                       resp[0], resp[1], resp[2],
-                       resp[3], resp[4], resp[5],
-                       resp[6], resp[7], resp[8]);
-
                }
 
                if (tracing) {
-                       //LogTrace(receivedCmd,len, rsamples, Uart.parityBits, TRUE);
-
-                       LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, Uart.parityBits,TRUE);
-                       LogTrace(NULL,0, (r2t_time-time_0) << 4, 0,TRUE);
+                       uint8_t parity[MAX_PARITY_SIZE];
+                       GetParity(receivedCmd, len, parity);
+                       LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, (r2t_time-time_0) << 4, parity, TRUE);
 
                        if (respdata != NULL) {
-                               //LogTrace(respdata,respsize, rsamples, SwapBits(GetParity(respdata,respsize),respsize), FALSE);
-                               //if(!LogTrace(resp,respLen, rsamples,SwapBits(GetParity(respdata,respsize),respsize),FALSE))
-                               LogTrace(respdata,respsize, (t2r_time-time_0) << 4,SwapBits(GetParity(respdata,respsize),respsize),FALSE);
-                               LogTrace(NULL,0, (t2r_time-time_0) << 4,0,FALSE);
-
-
+                               GetParity(respdata, respsize, parity);
+                               LogTrace(respdata, respsize, (t2r_time-time_0) << 4, (t2r_time-time_0) << 4, parity, FALSE);
                        }
                        if(!tracing) {
                                DbpString("Trace full");
@@ -1233,10 +1204,10 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived)
                        }
 
                }
-               memset(receivedCmd, 0x44, RECV_CMD_SIZE);
+               memset(receivedCmd, 0x44, MAX_FRAME_SIZE);
        }
 
-       Dbprintf("%x", cmdsRecvd);
+       //Dbprintf("%x", cmdsRecvd);
        LED_A_OFF();
        LED_B_OFF();
        if(buttonPressed)
@@ -1294,8 +1265,8 @@ static void TransmitIClassCommand(const uint8_t *cmd, int len, int *samples, int
   FpgaSetupSsc();
 
    if (wait)
-    if(*wait < 10)
-      *wait = 10;
+   {
+     if(*wait < 10) *wait = 10;
 
   for(c = 0; c < *wait;) {
     if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
@@ -1309,6 +1280,9 @@ static void TransmitIClassCommand(const uint8_t *cmd, int len, int *samples, int
     WDT_HIT();
   }
 
+   }
+
+
   uint8_t sendbyte;
   bool firstpart = TRUE;
   c = 0;
@@ -1389,10 +1363,8 @@ void ReaderTransmitIClass(uint8_t* frame, int len)
 {
   int wait = 0;
   int samples = 0;
-  int par = 0;
 
   // This is tied to other size changes
-  //   uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
   CodeIClassCommand(frame,len);
 
   // Select the card
@@ -1401,7 +1373,11 @@ void ReaderTransmitIClass(uint8_t* frame, int len)
        LED_A_ON();
 
   // Store reader command in buffer
-  if (tracing) LogTrace(frame,len,rsamples,par,TRUE);
+  if (tracing) {
+               uint8_t par[MAX_PARITY_SIZE];
+               GetParity(frame, len, par);
+               LogTrace(frame, len, rsamples, rsamples, par, TRUE);
+       }
 }
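Review bot: `if (tracing) {` is indented with two spaces like the rest of ReaderTransmitIClass, but the three body lines and the closing brace use tabs, so the brace does not line up with its `if` at any tab width. Use one indentation style within the block, e.g. two spaces throughout to match the `int wait = 0;` and `int samples = 0;` lines earlier in the function.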
 
 //-----------------------------------------------------------------------------
@@ -1432,7 +1408,7 @@ static int GetIClassAnswer(uint8_t *receivedResponse, int maxLen, int *samples,
        for(;;) {
                WDT_HIT();
 
-               if(BUTTON_PRESS()) return FALSE;
+           if(BUTTON_PRESS()) return FALSE;
 
                if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
                        AT91C_BASE_SSC->SSC_THR = 0x00;  // To make use of exact timing of next command from reader!!
@@ -1443,10 +1419,7 @@ static int GetIClassAnswer(uint8_t *receivedResponse, int maxLen, int *samples,
                        b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
                        skip = !skip;
                        if(skip) continue;
-                       /*if(ManchesterDecoding((b>>4) & 0xf)) {
-                               *samples = ((c - 1) << 3) + 4;
-                               return TRUE;
-                       }*/
+               
                        if(ManchesterDecoding(b & 0x0f)) {
                                *samples = c << 3;
                                return  TRUE;
@@ -1460,18 +1433,261 @@ int ReaderReceiveIClass(uint8_t* receivedAnswer)
   int samples = 0;
   if (!GetIClassAnswer(receivedAnswer,160,&samples,0)) return FALSE;
   rsamples += samples;
-  if (tracing) LogTrace(receivedAnswer,Demod.len,rsamples,Demod.parityBits,FALSE);
+  if (tracing){
+               uint8_t parity[MAX_PARITY_SIZE];
+               GetParity(receivedAnswer, Demod.len, parity);
+               LogTrace(receivedAnswer,Demod.len,rsamples,rsamples,parity,FALSE);
+  }
   if(samples == 0) return FALSE;
   return Demod.len;
 }
 
+void setupIclassReader()
+{
+    FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+    // Reset trace buffer
+    iso14a_set_tracing(TRUE);
+    iso14a_clear_trace();
+
+    // Setup SSC
+    FpgaSetupSsc();
+    // Start from off (no field generated)
+    // Signal field is off with the appropriate LED
+    LED_D_OFF();
+    FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+    SpinDelay(200);
+
+    SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+
+    // Now give it time to spin up.
+    // Signal field is on with the appropriate LED
+    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
+    SpinDelay(200);
+    LED_A_ON();
+
+}
+
 // Reader iClass Anticollission
 void ReaderIClass(uint8_t arg0) {
        uint8_t act_all[]     = { 0x0a };
        uint8_t identify[]    = { 0x0c };
        uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+    uint8_t readcheck_cc[]= { 0x88, 0x02 };
+
+    uint8_t card_data[24]={0};
+    uint8_t last_csn[8]={0};
+
+       uint8_t *resp = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);
+
+    int read_status= 0;
+    bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE;
+
+    setupIclassReader();
+
+    size_t datasize = 0;
+    while(!BUTTON_PRESS())
+    {
+        WDT_HIT();
+
+        // Send act_all
+        ReaderTransmitIClass(act_all, 1);
+        // Card present?
+        if(ReaderReceiveIClass(resp)) {
+
+            ReaderTransmitIClass(identify, 1);
+
+            if(ReaderReceiveIClass(resp) == 10) {
+                //Copy the Anti-collision CSN to our select-packet
+                memcpy(&select[1],resp,8);
+                //Dbprintf("Anti-collision CSN: %02x %02x %02x %02x %02x %02x %02x %02x",resp[0], resp[1], resp[2],
+                //        resp[3], resp[4], resp[5],
+                //        resp[6], resp[7]);
+                //Select the card
+                ReaderTransmitIClass(select, sizeof(select));
+
+                if(ReaderReceiveIClass(resp) == 10) {
+                    //Save CSN in response data
+                    memcpy(card_data,resp,8);
+                    datasize += 8;
+                    //Flag that we got to at least stage 1, read CSN
+                    read_status = 1;
+
+                    // Card selected
+                    //Dbprintf("Readcheck on Sector 2");
+                    ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
+                    if(ReaderReceiveIClass(resp) == 8) {
+                        //Save CC (e-purse) in response data
+                        memcpy(card_data+8,resp,8);
+                        datasize += 8;
+                        //Got both
+                        read_status = 2;
+                    }
+
+                    LED_B_ON();
+                    //Send back to client, but don't bother if we already sent this
+                    if(memcmp(last_csn, card_data, 8) != 0)
+                        cmd_send(CMD_ACK,read_status,0,0,card_data,datasize);
+
+                    //Save that we already sent this....
+                    if(read_status ==  2)
+                        memcpy(last_csn, card_data, 8);
+
+                    LED_B_OFF();
+
+                    if(abort_after_read) break;
+                }
+            }
+        }
+
+        if(traceLen > TRACE_SIZE) {
+            DbpString("Trace full");
+            break;
+        }
+    }
+    LED_A_OFF();
+}
+
+void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
+       uint8_t act_all[]     = { 0x0a };
+       uint8_t identify[]    = { 0x0c };
+       uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+       uint8_t readcheck_cc[]= { 0x88, 0x02 };
+       uint8_t check[]       = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+       uint8_t read[]        = { 0x0c, 0x00, 0x00, 0x00 };
+       
+    uint16_t crc = 0;
+       uint8_t cardsize=0;
+       bool read_success=false;
+       uint8_t mem=0;
+       
+       static struct memory_t{
+         int k16;
+         int book;
+         int k2;
+         int lockauth;
+         int keyaccess;
+       } memory;
+       
+       uint8_t* resp = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);
+
+    setupIclassReader();
 
-       uint8_t* resp = (((uint8_t *)BigBuf) + 3560);   // was 3560 - tied to other size changes
+
+       for(int i=0;i<1;i++) {
+       
+               if(traceLen > TRACE_SIZE) {
+                       DbpString("Trace full");
+                       break;
+               }
+               
+               if (BUTTON_PRESS()) break;
+
+               // Send act_all
+               ReaderTransmitIClass(act_all, 1);
+               // Card present?
+               if(ReaderReceiveIClass(resp)) {
+                       ReaderTransmitIClass(identify, 1);
+                       if(ReaderReceiveIClass(resp) == 10) {
+                               // Select card          
+                               memcpy(&select[1],resp,8);
+                               ReaderTransmitIClass(select, sizeof(select));
+
+                               if(ReaderReceiveIClass(resp) == 10) {
+                                       Dbprintf("     Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
+                                       resp[0], resp[1], resp[2],
+                                       resp[3], resp[4], resp[5],
+                                       resp[6], resp[7]);
+                               }
+                               // Card selected
+                               Dbprintf("Readcheck on Sector 2");
+                               ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
+                               if(ReaderReceiveIClass(resp) == 8) {
+                                  Dbprintf("     CC: %02x %02x %02x %02x %02x %02x %02x %02x",
+                                       resp[0], resp[1], resp[2],
+                                       resp[3], resp[4], resp[5],
+                                       resp[6], resp[7]);
+                               }else return;
+                               Dbprintf("Authenticate");
+                               //for now replay captured auth (as cc not updated)
+                               memcpy(check+5,MAC,4);
+                //Dbprintf("     AA: %02x %02x %02x %02x",
+                //     check[5], check[6], check[7],check[8]);
+                               ReaderTransmitIClass(check, sizeof(check));
+                               if(ReaderReceiveIClass(resp) == 4) {
+                                  Dbprintf("     AR: %02x %02x %02x %02x",
+                                       resp[0], resp[1], resp[2],resp[3]);
+                               }else {
+                                 Dbprintf("Error: Authentication Fail!");
+                                 return;
+                               }
+                               Dbprintf("Dump Contents");
+                               //first get configuration block
+                               read_success=false;
+                               read[1]=1;
+                               uint8_t *blockno=&read[1];
+                               crc = iclass_crc16((char *)blockno,1);
+                               read[2] = crc >> 8;
+                               read[3] = crc & 0xff;
+                               while(!read_success){
+                                     ReaderTransmitIClass(read, sizeof(read));
+                                     if(ReaderReceiveIClass(resp) == 10) {
+                                        read_success=true;
+                                        mem=resp[5];
+                                        memory.k16= (mem & 0x80);
+                                        memory.book= (mem & 0x20);
+                                        memory.k2= (mem & 0x8);
+                                        memory.lockauth= (mem & 0x2);
+                                        memory.keyaccess= (mem & 0x1);
+
+                                     }
+                               }
+                               if (memory.k16){
+                                 cardsize=255;
+                               }else cardsize=32;
+                               //then loop around remaining blocks
+                               for(uint8_t j=0; j<cardsize; j++){
+                                   read_success=false;
+                                   uint8_t *blockno=&j;
+                                   //crc_data[0]=j;
+                                   read[1]=j;
+                                   crc = iclass_crc16((char *)blockno,1);
+                                   read[2] = crc >> 8;
+                                   read[3] = crc & 0xff;
+                                   while(!read_success){
+                                     ReaderTransmitIClass(read, sizeof(read));
+                                     if(ReaderReceiveIClass(resp) == 10) {
+                                        read_success=true;
+                                        Dbprintf("     %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
+                                         j, resp[0], resp[1], resp[2],
+                                         resp[3], resp[4], resp[5],
+                                         resp[6], resp[7]);
+                                     }
+                                   }
+                               }
+                       }
+               }
+               WDT_HIT();
+       }
+       
+       LED_A_OFF();
+}
+
+//2. Create Read method (cut-down from above) based off responses from 1. 
+//   Since we have the MAC could continue to use replay function.
+//3. Create Write method
+/*
+void IClass_iso14443A_write(uint8_t arg0, uint8_t blockNo, uint8_t *data, uint8_t *MAC) {
+       uint8_t act_all[]     = { 0x0a };
+       uint8_t identify[]    = { 0x0c };
+       uint8_t select[]      = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+       uint8_t readcheck_cc[]= { 0x88, 0x02 };
+       uint8_t check[]       = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+       uint8_t read[]        = { 0x0c, 0x00, 0x00, 0x00 };
+       uint8_t write[]       = { 0x87, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+       
+    uint16_t crc = 0;
+       
+       uint8_t* resp = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);
 
        // Reset trace buffer
        memset(trace, 0x44, RECV_CMD_OFFSET);
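Review bot: In ReaderIClass `datasize` is declared before the `while(!BUTTON_PRESS())` loop and only ever incremented, so on the second and later passes it keeps growing and `cmd_send(CMD_ACK,read_status,0,0,card_data,datasize)` reports a length beyond the 24-byte `card_data` array, shipping stack bytes past it to the client whenever the CSN check passes. Derive the length from what was actually read, `cmd_send(CMD_ACK, read_status, 0, 0, card_data, read_status * 8);`, or reset `datasize = 0;` at the top of each iteration. In ReaderIClass_Replay both `while(!read_success)` loops retransmit with no `BUTTON_PRESS()` or `WDT_HIT()` inside, so a card removed mid-dump leaves the device spinning until the watchdog resets it; add a button check and WDT_HIT to each. `void setupIclassReader()` should be declared `(void)` in C, and the `static` on the local `struct memory_t memory` looks unintended since it is fully rewritten before use.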
@@ -1494,7 +1710,7 @@ void ReaderIClass(uint8_t arg0) {
 
        LED_A_ON();
 
-       for(;;) {
+       for(int i=0;i<1;i++) {
        
                if(traceLen > TRACE_SIZE) {
                        DbpString("Trace full");
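Review bot: `for(int i=0;i<1;i++)` executes its body exactly once, so the loop contributes nothing but an extra nesting level; if a single pass is the intent, the body can run unlooped, and if the `1` is a stand-in for a future retry count a named bound would read better than a literal. This line now sits inside the `/* … */` opened above the hunk, so it is not compiled either way. The enclosing function starts and ends outside the hunk.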
@@ -1519,13 +1735,67 @@ void ReaderIClass(uint8_t arg0) {
                                        resp[3], resp[4], resp[5],
                                        resp[6], resp[7]);
                                }
-                               // Card selected, whats next... ;-)
-                       }
+                               // Card selected
+                               Dbprintf("Readcheck on Sector 2");
+                               ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
+                               if(ReaderReceiveIClass(resp) == 8) {
+                                  Dbprintf("     CC: %02x %02x %02x %02x %02x %02x %02x %02x",
+                                       resp[0], resp[1], resp[2],
+                                       resp[3], resp[4], resp[5],
+                                       resp[6], resp[7]);
+                               }else return;
+                               Dbprintf("Authenticate");
+                               //for now replay captured auth (as cc not updated)
+                               memcpy(check+5,MAC,4);
+                               Dbprintf("     AA: %02x %02x %02x %02x",
+                                       check[5], check[6], check[7],check[8]);
+                               ReaderTransmitIClass(check, sizeof(check));
+                               if(ReaderReceiveIClass(resp) == 4) {
+                                  Dbprintf("     AR: %02x %02x %02x %02x",
+                                       resp[0], resp[1], resp[2],resp[3]);
+                               }else {
+                                 Dbprintf("Error: Authentication Fail!");
+                                 return;
+                               }
+                               Dbprintf("Write Block");
+                               
+                               //read configuration for max block number
+                               read_success=false;
+                               read[1]=1;
+                               uint8_t *blockno=&read[1];
+                               crc = iclass_crc16((char *)blockno,1);
+                               read[2] = crc >> 8;
+                               read[3] = crc & 0xff;
+                               while(!read_success){
+                                     ReaderTransmitIClass(read, sizeof(read));
+                                     if(ReaderReceiveIClass(resp) == 10) {
+                                        read_success=true;
+                                        mem=resp[5];
+                                        memory.k16= (mem & 0x80);
+                                        memory.book= (mem & 0x20);
+                                        memory.k2= (mem & 0x8);
+                                        memory.lockauth= (mem & 0x2);
+                                        memory.keyaccess= (mem & 0x1);
+
+                                     }
+                               }
+                               if (memory.k16){
+                                 cardsize=255;
+                               }else cardsize=32;
+                               //check card_size
+                               
+                               memcpy(write+1,blockNo,1);
+                               memcpy(write+2,data,8);
+                               memcpy(write+10,mac,4);
+                               while(!send_success){
+                                 ReaderTransmitIClass(write, sizeof(write));
+                                 if(ReaderReceiveIClass(resp) == 10) {
+                                   write_success=true;
+                               }
+                       }//
                }
                WDT_HIT();
        }
        
        LED_A_OFF();
-}
-
-
+}*/
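Review bot: The write loop at the end of the new code can never terminate: it tests `send_success`, which is neither declared nor assigned anywhere visible, while its body sets `write_success`, and like the two `while(!read_success)` loops earlier in this file it has no retry bound and no `WDT_HIT()` inside, so a card removed mid-transaction would spin the reader forever. Several other names in the span (`mem`, `memory`, `cardsize`, `mac`) have no visible declaration, `memcpy(write+1,blockNo,1)` passes a `uint8_t` value where a pointer (`&blockNo`) is required, and `mac` looks like it was meant to be the `MAC` parameter — if the write needs a MAC distinct from the authentication one, it has to be supplied separately rather than reused. The `}` removed after the old `Card selected` comment is not replaced, and the new lines open and close two blocks among themselves, so the selection block appears to be left unclosed. None of this is compiled today because the whole function from `/*` to `}*/` is commented out, but it should be corrected before the comment comes off; `IClass_iso14443A_write` starts outside the hunk. Suggested rewrite of the write section:
```c
// … unchanged: select, readcheck, authentication replay, config-block read …
memcpy(write+1, &blockNo, 1);
memcpy(write+2, data, 8);
memcpy(write+10, MAC, 4);   // or a separately supplied write MAC, if that is the intent
bool write_success = false;
for (int tries = 0; !write_success && tries < 8 /* placeholder bound, choose per protocol timing */; tries++) {
	ReaderTransmitIClass(write, sizeof(write));
	if (ReaderReceiveIClass(resp) == 10) {
		write_success = true;
	}
	WDT_HIT();
}
// … unchanged: block-closing braces, WDT_HIT(), LED_A_OFF() …
```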