X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/62577a62ae4726ed57a8d6d1e65ce8c1a2c77211..fabef615ec2fbe1fbe4b69af9482931e781d8d08:/armsrc/legicrf.c?ds=sidebyside diff --git a/armsrc/legicrf.c b/armsrc/legicrf.c index 143a2de6..7f8c05a6 100644 --- a/armsrc/legicrf.c +++ b/armsrc/legicrf.c @@ -10,7 +10,7 @@ #include "legicrf.h" static struct legic_frame { - int bits; + uint8_t bits; uint32_t data; } current_frame; @@ -68,15 +68,11 @@ static void setup_timer(void) { */ // At TIMER_CLOCK3 (MCK/32) -//#define RWD_TIME_1 150 /* RWD_TIME_PAUSE off, 80us on = 100us */ -//#define RWD_TIME_0 90 /* RWD_TIME_PAUSE off, 40us on = 60us */ -//#define RWD_TIME_PAUSE 30 /* 20us */ - // testing calculating in (us) microseconds. #define RWD_TIME_1 120 // READER_TIME_PAUSE 20us off, 80us on = 100us 80 * 1.5 == 120ticks #define RWD_TIME_0 60 // READER_TIME_PAUSE 20us off, 40us on = 60us 40 * 1.5 == 60ticks #define RWD_TIME_PAUSE 30 // 20us == 20 * 1.5 == 30ticks */ -#define TAG_BIT_PERIOD 150 // 100us == 100 * 1.5 == 150ticks +#define TAG_BIT_PERIOD 143 // 100us == 100 * 1.5 == 150ticks #define TAG_FRAME_WAIT 495 // 330us from READER frame end to TAG frame start. 330 * 1.5 == 495 #define RWD_TIME_FUZZ 20 // rather generous 13us, since the peak detector + hysteresis fuzz quite a bit @@ -95,8 +91,6 @@ static void setup_timer(void) { # define OPEN_COIL HIGH(GPIO_SSC_DOUT); #endif -uint32_t sendFrameStop = 0; - // Pause pulse, off in 20us / 30ticks, // ONE / ZERO bit pulse, // one == 80us / 120ticks @@ -225,33 +219,23 @@ void frame_sendAsReader(uint32_t data, uint8_t bits){ uint32_t starttime = GET_TICKS, send = 0; uint16_t mask = 1; - uint8_t prngstart = legic_prng_count() ; // xor lsfr onto data. send = data ^ legic_prng_get_bits(bits); for (; mask < BITMASK(bits); mask <<= 1) { - if (send & mask) { + if (send & mask) COIL_PULSE(RWD_TIME_1); - } else { + else COIL_PULSE(RWD_TIME_0); - } } // Final pause to mark the end of the frame COIL_PULSE(0); - sendFrameStop = GET_TICKS; - uint8_t cmdbytes[] = { - bits, - BYTEx(data, 0), - BYTEx(data, 1), - BYTEx(send, 0), - BYTEx(send, 1), - prngstart, - legic_prng_count() - }; - LogTrace(cmdbytes, sizeof(cmdbytes), starttime, sendFrameStop, NULL, TRUE); + // log + uint8_t cmdbytes[] = {bits, BYTEx(data, 0), BYTEx(data, 1), BYTEx(send, 0), BYTEx(send, 1)}; + LogTrace(cmdbytes, sizeof(cmdbytes), starttime, GET_TICKS, NULL, TRUE); } /* Receive a frame from the card in reader emulation mode, the FPGA and @@ -277,40 +261,29 @@ void frame_sendAsReader(uint32_t data, uint8_t bits){ */ static void frame_receiveAsReader(struct legic_frame * const f, uint8_t bits) { - frame_clean(f); if ( bits > 32 ) return; uint8_t i = bits, edges = 0; uint16_t lsfr = 0; - uint32_t the_bit = 1, next_bit_at = 0, data; - - int old_level = 0, level = 0; + uint32_t the_bit = 1, next_bit_at = 0, data = 0; + uint32_t old_level = 0; + volatile uint32_t level = 0; + frame_clean(f); + AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_DIN; AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DIN; // calibrate the prng. - // legic_prng_forward(2); - - // precompute the cipher - uint8_t prngstart = legic_prng_count() ; - data = lsfr = legic_prng_get_bits(bits); //FIXED time between sending frame and now listening frame. 330us - // 387 = 0x19 0001 1001 - // 480 = 0x19 - // 500 = 0x1C 0001 1100 uint32_t starttime = GET_TICKS; - //uint16_t mywait = TAG_FRAME_WAIT - (starttime - sendFrameStop); - //uint16_t mywait = 495 - (starttime - sendFrameStop); if ( bits == 6) { - //Dbprintf("6 WAIT %d", 495 - 9 - 9 ); - WaitTicks( 495 - 9 - 9 ); + //WaitTicks( 495 - 9 - 9 ); + WaitTicks( 475 ); } else { - //Dbprintf("x WAIT %d", mywait ); - //WaitTicks( mywait ); WaitTicks( 450 ); } @@ -318,7 +291,6 @@ static void frame_receiveAsReader(struct legic_frame * const f, uint8_t bits) { while ( i-- ){ edges = 0; - uint8_t adjust = 0; while ( GET_TICKS < next_bit_at) { level = (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_DIN); @@ -327,17 +299,11 @@ static void frame_receiveAsReader(struct legic_frame * const f, uint8_t bits) { ++edges; old_level = level; - - if(edges > 20 && adjust == 0) { - next_bit_at -= 15; - adjust = 1; - } } next_bit_at += TAG_BIT_PERIOD; - // We expect 42 edges == ONE - //if (edges > 20 && edges < 64) + // We expect 42 edges (ONE) if ( edges > 20 ) data ^= the_bit; @@ -348,15 +314,8 @@ static void frame_receiveAsReader(struct legic_frame * const f, uint8_t bits) { f->data = data; f->bits = bits; - uint8_t cmdbytes[] = { - bits, - BYTEx(data,0), - BYTEx(data,1), - BYTEx(data, 0) ^ BYTEx(lsfr,0), - BYTEx(data, 1) ^ BYTEx(lsfr,1), - prngstart, - legic_prng_count() - }; + // log + uint8_t cmdbytes[] = {bits, BYTEx(data, 0), BYTEx(data, 1)}; LogTrace(cmdbytes, sizeof(cmdbytes), starttime, GET_TICKS, NULL, FALSE); } @@ -380,9 +339,10 @@ static uint32_t setup_phase_reader(uint8_t iv) { frame_receiveAsReader(¤t_frame, 6); - // fixed delay before sending ack. - WaitTicks(366); // 244us - legic_prng_forward(1); //240us / 100 == 2.4 iterations + // 292us (438t) - fixed delay before sending ack. + // minus log and stuff 100tick? + WaitTicks(338); + legic_prng_forward(3); // Send obsfuscated acknowledgment frame. // 0x19 = 0x18 MIM22, 0x01 LSB READCMD @@ -393,6 +353,8 @@ static uint32_t setup_phase_reader(uint8_t iv) { case 0x3D: frame_sendAsReader(0x39, 6); break; default: break; } + + legic_prng_forward(2); return current_frame.data; } @@ -423,46 +385,38 @@ static void switch_off_tag_rwd(void) { LOW(GPIO_SSC_DOUT); WaitUS(20); WDT_HIT(); - set_tracing(FALSE); } // calculate crc4 for a legic READ command -// 5,8,10 address size. -static uint32_t legic4Crc(uint8_t legicCmd, uint16_t byte_index, uint8_t value, uint8_t cmd_sz) { +static uint32_t legic4Crc(uint8_t cmd, uint16_t byte_index, uint8_t value, uint8_t cmd_sz) { crc_clear(&legic_crc); - //uint32_t temp = (value << cmd_sz) | (byte_index << 1) | legicCmd; - //crc_update(&legic_crc, temp, cmd_sz + 8 ); - crc_update(&legic_crc, 1, 1); /* CMD_READ */ - crc_update(&legic_crc, byte_index, cmd_sz-1); - crc_update(&legic_crc, value, 8); + uint32_t temp = (value << cmd_sz) | (byte_index << 1) | cmd; + crc_update(&legic_crc, temp, cmd_sz + 8 ); return crc_finish(&legic_crc); } -int legic_read_byte(int byte_index, int cmd_sz) { +int legic_read_byte( uint16_t index, uint8_t cmd_sz) { - uint8_t byte = 0, crc = 0, calcCrc = 0; - uint32_t cmd = (byte_index << 1) | LEGIC_READ; - - // (us)| ticks - // ------------- - // 330 | 495 - // 460 | 690 - // 258 | 387 - // 244 | 366 - WaitTicks(387); - legic_prng_forward(4); // 460 / 100 = 4.6 iterations + uint8_t byte, crc, calcCrc = 0; + uint32_t cmd = (index << 1) | LEGIC_READ; + + WaitTicks(366); frame_sendAsReader(cmd, cmd_sz); frame_receiveAsReader(¤t_frame, 12); byte = BYTEx(current_frame.data, 0); - calcCrc = legic4Crc(LEGIC_READ, byte_index, byte, cmd_sz); crc = BYTEx(current_frame.data, 1); + + calcCrc = legic4Crc(LEGIC_READ, index, byte, cmd_sz); if( calcCrc != crc ) { Dbprintf("!!! crc mismatch: expected %x but got %x !!!", calcCrc, crc); return -1; } + + legic_prng_forward(4); + WaitTicks(50); return byte; } @@ -536,59 +490,38 @@ int legic_write_byte(uint8_t byte, uint16_t addr, uint8_t addr_sz) { return -1; } -int LegicRfReader(int offset, int bytes, int iv) { +int LegicRfReader(uint16_t offset, uint16_t len, uint8_t iv) { - uint16_t byte_index = 0; - uint8_t cmd_sz = 0, isOK = 1; - int card_sz = 0; + len &= 0x3FF; - LegicCommonInit(); - - uint32_t tag_type = setup_phase_reader(iv); + uint16_t i = 0; + uint8_t isOK = 1; + legic_card_select_t card; - switch_off_tag_rwd(); + LegicCommonInit(); - switch(tag_type) { - case 0x0d: - if ( MF_DBGLEVEL >= 2) DbpString("MIM22 card found, reading card"); - cmd_sz = 6; - card_sz = 22; - break; - case 0x1d: - if ( MF_DBGLEVEL >= 2) DbpString("MIM256 card found, reading card"); - cmd_sz = 9; - card_sz = 256; - break; - case 0x3d: - if ( MF_DBGLEVEL >= 2) DbpString("MIM1024 card found, reading card"); - cmd_sz = 11; - card_sz = 1024; - break; - default: - if ( MF_DBGLEVEL >= 1) Dbprintf("Unknown card format: %x", tag_type); - isOK = 0; - goto OUT; - break; + if ( legic_select_card_iv(&card, iv) ) { + isOK = 0; + goto OUT; } - if (bytes == -1) - bytes = card_sz; - if (bytes + offset >= card_sz) - bytes = card_sz - offset; + switch_off_tag_rwd(); + + if (len + offset >= card.cardsize) + len = card.cardsize - offset; - // Start setup and read bytes. setup_phase_reader(iv); - + LED_B_ON(); - while (byte_index < bytes) { - int r = legic_read_byte(byte_index + offset, cmd_sz); + while (i < len) { + int r = legic_read_byte(offset + i, card.cmdsize); if (r == -1 || BUTTON_PRESS()) { - if ( MF_DBGLEVEL >= 3) DbpString("operation aborted"); + if ( MF_DBGLEVEL >= 2) DbpString("operation aborted"); isOK = 0; goto OUT; } - cardmem[++byte_index] = r; + cardmem[i++] = r; WDT_HIT(); } @@ -596,7 +529,6 @@ OUT: WDT_HIT(); switch_off_tag_rwd(); LEDsoff(); - uint8_t len = (bytes & 0x3FF); cmd_send(CMD_ACK,isOK,len,0,cardmem,len); return 0; } @@ -642,25 +574,27 @@ OUT: return 0; }*/ -void LegicRfWriter(int offset, int bytes, int iv) { - - int byte_index = 0, addr_sz = 0; +void LegicRfWriter(uint16_t offset, uint16_t bytes, uint8_t iv) { - LegicCommonInit(); + int byte_index = 0; + uint8_t isOK = 1; + legic_card_select_t card; - if ( MF_DBGLEVEL >= 2) DbpString("setting up legic card"); + LegicCommonInit(); - uint32_t tag_type = setup_phase_reader(iv); + if ( legic_select_card_iv(&card, iv) ) { + isOK = 0; + goto OUT; + } switch_off_tag_rwd(); - switch(tag_type) { + switch(card.tagtype) { case 0x0d: if(offset+bytes > 22) { Dbprintf("Error: can not write to 0x%03.3x on MIM22", offset + bytes); return; } - addr_sz = 5; if ( MF_DBGLEVEL >= 2) Dbprintf("MIM22 card found, writing 0x%02.2x - 0x%02.2x ...", offset, offset + bytes); break; case 0x1d: @@ -668,7 +602,6 @@ void LegicRfWriter(int offset, int bytes, int iv) { Dbprintf("Error: can not write to 0x%03.3x on MIM256", offset + bytes); return; } - addr_sz = 8; if ( MF_DBGLEVEL >= 2) Dbprintf("MIM256 card found, writing 0x%02.2x - 0x%02.2x ...", offset, offset + bytes); break; case 0x3d: @@ -676,11 +609,9 @@ void LegicRfWriter(int offset, int bytes, int iv) { Dbprintf("Error: can not write to 0x%03.3x on MIM1024", offset + bytes); return; } - addr_sz = 10; if ( MF_DBGLEVEL >= 2) Dbprintf("MIM1024 card found, writing 0x%03.3x - 0x%03.3x ...", offset, offset + bytes); break; default: - Dbprintf("No or unknown card found, aborting"); return; } @@ -692,33 +623,35 @@ void LegicRfWriter(int offset, int bytes, int iv) { //check if the DCF should be changed if ( ((byte_index+offset) == 0x05) && (bytes >= 0x02) ) { //write DCF in reverse order (addr 0x06 before 0x05) - r = legic_write_byte(cardmem[(0x06-byte_index)], (0x06-byte_index), addr_sz); + r = legic_write_byte(cardmem[(0x06-byte_index)], (0x06-byte_index), card.addrsize); - // write second byte on success... + // write second byte on success if(r == 0) { byte_index++; - r = legic_write_byte(cardmem[(0x06-byte_index)], (0x06-byte_index), addr_sz); + r = legic_write_byte(cardmem[(0x06-byte_index)], (0x06-byte_index), card.addrsize); } } else { - r = legic_write_byte(cardmem[byte_index+offset], byte_index+offset, addr_sz); + r = legic_write_byte(cardmem[byte_index+offset], byte_index+offset, card.addrsize); } if ((r != 0) || BUTTON_PRESS()) { Dbprintf("operation aborted @ 0x%03.3x", byte_index); - switch_off_tag_rwd(); - LEDsoff(); - return; + isOK = 0; + goto OUT; } WDT_HIT(); byte_index++; } - LEDsoff(); - if ( MF_DBGLEVEL >= 1) DbpString("write successful"); + +OUT: + cmd_send(CMD_ACK, isOK, 0,0,0,0); + switch_off_tag_rwd(); + LEDsoff(); } -void LegicRfRawWriter(int address, int byte, int iv) { +void LegicRfRawWriter(int address, int byte, uint8_t iv) { int byte_index = 0, addr_sz = 0; @@ -778,47 +711,68 @@ void LegicRfRawWriter(int address, int byte, int iv) { if ( MF_DBGLEVEL >= 1) DbpString("write successful"); } -void LegicRfInfo(void){ +int legic_select_card_iv(legic_card_select_t *p_card, uint8_t iv){ - LegicCommonInit(); - uint32_t tag_type = setup_phase_reader(0x55); - uint8_t cmd_sz = 0; - uint16_t card_sz = 0; + if ( p_card == NULL ) return 1; - switch(tag_type) { + p_card->tagtype = setup_phase_reader(iv); + + switch(p_card->tagtype) { case 0x0d: - cmd_sz = 6; - card_sz = 22; + p_card->cmdsize = 6; + p_card->addrsize = 5; + p_card->cardsize = 22; break; case 0x1d: - cmd_sz = 9; - card_sz = 256; + p_card->cmdsize = 9; + p_card->addrsize = 8; + p_card->cardsize = 256; break; case 0x3d: - cmd_sz = 11; - card_sz = 1024; + p_card->cmdsize = 11; + p_card->addrsize = 10; + p_card->cardsize = 1024; break; default: - cmd_send(CMD_ACK,0,0,0,0,0); - goto OUT; + p_card->cmdsize = 0; + p_card->addrsize = 0; + p_card->cardsize = 0; + return 2; + break; + } + return 0; +} +int legic_select_card(legic_card_select_t *p_card){ + return legic_select_card_iv(p_card, 0x01); +} + +void LegicRfInfo(void){ + + uint8_t buf[sizeof(legic_card_select_t)] = {0x00}; + legic_card_select_t *card = (legic_card_select_t*) buf; + + LegicCommonInit(); + + if ( legic_select_card(card) ) { + cmd_send(CMD_ACK,0,0,0,0,0); + goto OUT; } - // read UID bytes. - uint8_t uid[] = {0,0,0,0}; - for ( uint8_t i = 0; i < sizeof(uid); ++i) { - int r = legic_read_byte(i, cmd_sz); + // read UID bytes + for ( uint8_t i = 0; i < sizeof(card->uid); ++i) { + int r = legic_read_byte(i, card->cmdsize); if ( r == -1 ) { cmd_send(CMD_ACK,0,0,0,0,0); goto OUT; } - uid[i] = r & 0xFF; + card->uid[i] = r & 0xFF; } - cmd_send(CMD_ACK,1,card_sz,0,uid,sizeof(uid)); -OUT: + cmd_send(CMD_ACK, 1, 0, 0, buf, sizeof(legic_card_select_t)); + +OUT: switch_off_tag_rwd(); LEDsoff(); - } /* Handle (whether to respond) a frame in tag mode