X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/db44e049b05060bf42f9059d0fdaf0e6959bc018..25d52dd261bc454dafeedc31c9b3d62b8832b23a:/armsrc/legicrf.c diff --git a/armsrc/legicrf.c b/armsrc/legicrf.c index 530970de..b1378b81 100644 --- a/armsrc/legicrf.c +++ b/armsrc/legicrf.c @@ -7,7 +7,6 @@ //----------------------------------------------------------------------------- // LEGIC RF simulation code //----------------------------------------------------------------------------- - #include "legicrf.h" static struct legic_frame { @@ -30,8 +29,6 @@ static int legic_phase_drift; static int legic_frame_drift; static int legic_reqresp_drift; -int timestamp; - AT91PS_TC timer; AT91PS_TC prng_timer; @@ -56,24 +53,33 @@ static void setup_timer(void) { prng_timer->TC_CMR = AT91C_TC_CLKS_TIMER_DIV2_CLOCK; prng_timer->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG; } + + AT91C_BASE_PMC->PMC_PCER |= (0x1 << 12) | (0x1 << 13) | (0x1 << 14); + AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC0XC0S_NONE | AT91C_TCB_TC1XC1S_TIOA0 | AT91C_TCB_TC2XC2S_NONE; + + // fast clock + AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS; // timer disable + AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV3_CLOCK | // MCK(48MHz)/32 -- tick=1.5mks + AT91C_TC_WAVE | AT91C_TC_WAVESEL_UP_AUTO | AT91C_TC_ACPA_CLEAR | + AT91C_TC_ACPC_SET | AT91C_TC_ASWTRG_SET; + AT91C_BASE_TC0->TC_RA = 1; + AT91C_BASE_TC0->TC_RC = 0xBFFF + 1; // 0xC000 + */ // At TIMER_CLOCK3 (MCK/32) //#define RWD_TIME_1 150 /* RWD_TIME_PAUSE off, 80us on = 100us */ //#define RWD_TIME_0 90 /* RWD_TIME_PAUSE off, 40us on = 60us */ //#define RWD_TIME_PAUSE 30 /* 20us */ -#define US_CALIBRATION 4 -#define RWD_TIME_1 80-US_CALIBRATION /* READER_TIME_PAUSE off, 80us on = 100us */ -#define RWD_TIME_0 40-US_CALIBRATION /* READER_TIME_PAUSE off, 40us on = 60us */ -#define RWD_TIME_PAUSE 20-US_CALIBRATION /* 20us */ -#define TAG_BIT_PERIOD 100-US_CALIBRATION // 100us for every bit - -#define RWD_TIME_FUZZ 20 /* rather generous 13us, since the peak detector + hysteresis fuzz quite a bit */ - -#define TAG_TIME_WAIT 330 - US_CALIBRATION // 330us from READER frame end to TAG frame start, experimentally determined (490) -#define RDW_TIME_WAIT 258 // +// testing calculating in (us) microseconds. +#define RWD_TIME_1 120 // READER_TIME_PAUSE 20us off, 80us on = 100us 80 * 1.5 == 120ticks +#define RWD_TIME_0 60 // READER_TIME_PAUSE 20us off, 40us on = 60us 40 * 1.5 == 60ticks +#define RWD_TIME_PAUSE 30 // 20us == 20 * 1.5 == 30ticks */ +#define TAG_BIT_PERIOD 150 // 100us == 100 * 1.5 == 150ticks +#define TAG_FRAME_WAIT 495 // 330us from READER frame end to TAG frame start. 330 * 1.5 == 495 +#define RWD_TIME_FUZZ 20 // rather generous 13us, since the peak detector + hysteresis fuzz quite a bit #define SIM_DIVISOR 586 /* prng_time/SIM_DIVISOR count prng needs to be forwared */ #define SIM_SHIFT 900 /* prng_time+SIM_SHIFT shift of delayed start */ @@ -83,37 +89,33 @@ static void setup_timer(void) { #define FUZZ_EQUAL(value, target, fuzz) ((value) > ((target)-(fuzz)) && (value) < ((target)+(fuzz))) #ifndef SHORT_COIL -//#define LOW(x) AT91C_BASE_PIOA->PIO_CODR = (x) # define SHORT_COIL LOW(GPIO_SSC_DOUT); #endif #ifndef OPEN_COIL -//#define HIGH(x) AT91C_BASE_PIOA->PIO_SODR = (x) # define OPEN_COIL HIGH(GPIO_SSC_DOUT); #endif -uint32_t stop_send_frame_us = 0; - -// ~ 258us + 100us*delay -#define WAIT(delay) SpinDelayCountUs((delay)); -#define COIL_PULSE(x) { SHORT_COIL; WAIT(RWD_TIME_PAUSE); OPEN_COIL; WAIT((x)); } -#define COIL_PULSE_PAUSE { SHORT_COIL; WAIT(RWD_TIME_PAUSE); OPEN_COIL; } +uint32_t sendFrameStop = 0; + +// Pause pulse, off in 20us / 30ticks, +// ONE / ZERO bit pulse, +// one == 80us / 120ticks +// zero == 40us / 60ticks +#ifndef COIL_PULSE +# define COIL_PULSE(x) \ + do { \ + SHORT_COIL; \ + WaitTicks( (RWD_TIME_PAUSE) ); \ + OPEN_COIL; \ + WaitTicks((x)); \ + } while (0) +#endif // ToDo: define a meaningful maximum size for auth_table. The bigger this is, the lower will be the available memory for traces. // Historically it used to be FREE_BUFFER_SIZE, which was 2744. #define LEGIC_CARD_MEMSIZE 1024 static uint8_t* cardmem; -// Starts Clock and waits until its reset -static void Reset(AT91PS_TC clock){ - clock->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG; - while(clock->TC_CV > 1) ; -} - -// Starts Clock and waits until its reset -static void ResetClock(void){ - Reset(timer); -} - static void frame_append_bit(struct legic_frame * const f, int bit) { // Overflow, won't happen if (f->bits >= 31) return; @@ -131,7 +133,7 @@ static void frame_clean(struct legic_frame * const f) { // and while sending/receiving in bit frames (100, 60) /*static void CalibratePrng( uint32_t time){ // Calculate Cycles based on timer 100us - uint32_t i = (time - stop_send_frame_us) / 100 ; + uint32_t i = (time - sendFrameStop) / 100 ; // substract cycles of finished frames int k = i - legic_prng_count()+1; @@ -143,8 +145,7 @@ static void frame_clean(struct legic_frame * const f) { */ /* Generate Keystream */ -static uint32_t get_key_stream(int skip, int count) -{ +uint32_t get_key_stream(int skip, int count) { uint32_t key = 0; int i; @@ -152,7 +153,7 @@ static uint32_t get_key_stream(int skip, int count) legic_prng_bc += prng_timer->TC_CV; // reset the prng timer. - Reset(prng_timer); + ResetTimer(prng_timer); /* If skip == -1, forward prng time based */ if(skip == -1) { @@ -186,7 +187,7 @@ static uint32_t get_key_stream(int skip, int count) /* Send a frame in tag mode, the FPGA must have been set up by * LegicRfSimulate */ -static void frame_send_tag(uint16_t response, uint8_t bits, uint8_t crypt) { +void frame_send_tag(uint16_t response, uint8_t bits, uint8_t crypt) { /* Bitbang the response */ LOW(GPIO_SSC_DOUT); AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT; @@ -194,12 +195,12 @@ static void frame_send_tag(uint16_t response, uint8_t bits, uint8_t crypt) { /* Use time to crypt frame */ if(crypt) { - legic_prng_forward(2); /* TAG_TIME_WAIT -> shift by 2 */ + legic_prng_forward(2); /* TAG_FRAME_WAIT -> shift by 2 */ response ^= legic_prng_get_bits(bits); } /* Wait for the frame start */ - WAIT( TAG_TIME_WAIT ) + WaitUS( TAG_FRAME_WAIT ); uint8_t bit = 0; for(int i = 0; i < bits; i++) { @@ -212,7 +213,7 @@ static void frame_send_tag(uint16_t response, uint8_t bits, uint8_t crypt) { else LOW(GPIO_SSC_DOUT); - WAIT(100) + WaitUS(100); } LOW(GPIO_SSC_DOUT); } @@ -220,39 +221,35 @@ static void frame_send_tag(uint16_t response, uint8_t bits, uint8_t crypt) { /* Send a frame in reader mode, the FPGA must have been set up by * LegicRfReader */ -static void frame_sendAsReader(uint32_t data, uint8_t bits){ +void frame_sendAsReader(uint32_t data, uint8_t bits){ - uint32_t starttime = GetCountUS(); - uint32_t send = data; - uint8_t prng1 = legic_prng_count() ; + uint32_t starttime = GET_TICKS, send = 0; uint16_t mask = 1; - uint16_t lfsr = legic_prng_get_bits(bits); - - // xor the lsfr onto data. - send ^= lfsr; + uint8_t prng1 = legic_prng_count() ; + + // xor lsfr onto data. + send = data ^ legic_prng_get_bits(bits); for (; mask < BITMASK(bits); mask <<= 1) { if (send & mask) { - COIL_PULSE(RWD_TIME_1); + COIL_PULSE(RWD_TIME_1); } else { - COIL_PULSE(RWD_TIME_0); + COIL_PULSE(RWD_TIME_0); } } - // One final pause to mark the end of the frame - COIL_PULSE_PAUSE; + // Final pause to mark the end of the frame + COIL_PULSE(0); - stop_send_frame_us = GetCountUS(); + sendFrameStop = GET_TICKS; uint8_t cmdbytes[] = { - data & 0xFF, - (data >> 8) & 0xFF, + BYTEx(data, 0), + BYTEx(data, 1), bits, - lfsr & 0xFF, - (lfsr >> 8) & 0xFF, prng1, legic_prng_count() }; - LogTrace(cmdbytes, sizeof(cmdbytes), starttime, stop_send_frame_us, NULL, TRUE); + LogTrace(cmdbytes, sizeof(cmdbytes), starttime, sendFrameStop, NULL, TRUE); } /* Receive a frame from the card in reader emulation mode, the FPGA and @@ -276,44 +273,41 @@ static void frame_sendAsReader(uint32_t data, uint8_t bits){ * the range is severely reduced (and you'll probably also need a good antenna). * So this should be fixed some time in the future for a proper receiver. */ -static void frame_receiveAsReader(struct legic_frame * const f, uint8_t bits, uint8_t crypt) { +static void frame_receiveAsReader(struct legic_frame * const f, uint8_t bits) { - uint32_t starttime = GetCountUS(); - frame_clean(f); + if ( bits > 32 ) return; - uint8_t i = 0, edges = 0; + uint8_t i = bits, edges = 0; uint16_t lsfr = 0; uint32_t the_bit = 1, next_bit_at = 0, data; + int old_level = 0, level = 0; - - if(bits > 32) bits = 32; - + AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_DIN; AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DIN; // calibrate the prng. legic_prng_forward(2); - //CalibratePrng( starttime ); // precompute the cipher uint8_t prng_before = legic_prng_count() ; - if(crypt) - lsfr = legic_prng_get_bits(bits); + lsfr = legic_prng_get_bits(bits); data = lsfr; //FIXED time between sending frame and now listening frame. 330us - uint32_t icetime = TAG_TIME_WAIT - ( GetCountUS() - stop_send_frame_us ); - WAIT( icetime ); // 8-10us - - next_bit_at = GetCountUS(); - next_bit_at += TAG_BIT_PERIOD; - - for( i = 0; i < bits; i++) { + //WaitTicks( TAG_FRAME_WAIT - (GET_TICKS - sendFrameStop ) ); + WaitTicks( 495 ); + + uint32_t starttime = GET_TICKS; + next_bit_at = GET_TICKS + TAG_BIT_PERIOD; + + while ( i-- ){ edges = 0; - while ( GetCountUS() < next_bit_at) { + uint8_t adjust = 0; + while ( GET_TICKS < next_bit_at) { level = (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_DIN); @@ -321,14 +315,20 @@ static void frame_receiveAsReader(struct legic_frame * const f, uint8_t bits, ui ++edges; old_level = level; - } + + if(edges > 20 && adjust == 0) { + next_bit_at -= 15; + adjust = 1; + } + } + next_bit_at += TAG_BIT_PERIOD; // We expect 42 edges == ONE - if(edges > 20 && edges < 60) + if(edges > 20 && edges < 64) data ^= the_bit; - the_bit <<= 1; + the_bit <<= 1; } // output @@ -336,31 +336,30 @@ static void frame_receiveAsReader(struct legic_frame * const f, uint8_t bits, ui f->bits = bits; // log - stop_send_frame_us = GetCountUS(); + sendFrameStop = GET_TICKS; uint8_t cmdbytes[] = { - (data & 0xFF), - (data >> 8) & 0xFF, + BYTEx(data,0), + BYTEx(data,1), bits, - (lsfr & 0xFF), - (lsfr >> 8) & 0xFF, + BYTEx(lsfr,0), + BYTEx(lsfr,1), + BYTEx(data, 0) ^ BYTEx(lsfr,0), + BYTEx(data, 1) ^ BYTEx(lsfr,1), prng_before, - legic_prng_count(), - icetime & 0xff, - (icetime >> 8) & 0xFF + legic_prng_count() }; - LogTrace(cmdbytes, sizeof(cmdbytes), starttime, stop_send_frame_us, NULL, FALSE); - + LogTrace(cmdbytes, sizeof(cmdbytes), starttime, sendFrameStop, NULL, FALSE); } // Setup pm3 as a Legic Reader -static uint32_t perform_setup_phase_rwd(uint8_t iv) { - +static uint32_t setup_phase_reader(uint8_t iv) { + // Switch on carrier and let the tag charge for 1ms HIGH(GPIO_SSC_DOUT); - SpinDelay(20); + WaitUS(1000); - ResetUSClock(); + ResetTicks(); // no keystream yet legic_prng_init(0); @@ -371,35 +370,29 @@ static uint32_t perform_setup_phase_rwd(uint8_t iv) { // Now both tag and reader has same IV. Prng can start. legic_prng_init(iv); - frame_receiveAsReader(¤t_frame, 6, 1); + frame_receiveAsReader(¤t_frame, 6); // fixed delay before sending ack. - WAIT(TAG_BIT_PERIOD); + WaitTicks(366); // 244us + legic_prng_forward(1); //240us / 100 == 2.4 iterations // Send obsfuscated acknowledgment frame. // 0x19 = 0x18 MIM22, 0x01 LSB READCMD // 0x39 = 0x38 MIM256, MIM1024 0x01 LSB READCMD switch ( current_frame.data ) { - case 0x0D: - frame_sendAsReader(0x19, 6); - break; - case 0x1D: - case 0x3D: - frame_sendAsReader(0x39, 6); - break; - default: - break; + case 0x0D: frame_sendAsReader(0x19, 6); break; + case 0x1D: + case 0x3D: frame_sendAsReader(0x39, 6); break; + default: break; } return current_frame.data; - - // End of Setup Phase. } -static void LegicCommonInit(void) { +static void LegicCommonInit(void) { + FpgaDownloadAndGo(FPGA_BITSTREAM_HF); FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX); SetAdcMuxFor(GPIO_MUXSEL_HIPKD); - FpgaSetupSsc(); /* Bitbang the transmitter */ LOW(GPIO_SSC_DOUT); @@ -412,55 +405,59 @@ static void LegicCommonInit(void) { clear_trace(); set_tracing(TRUE); - crc_init(&legic_crc, 4, 0x19 >> 1, 0x5, 0); - StartCountUS(); + StartTicks(); } -/* Switch off carrier, make sure tag is reset */ +// Switch off carrier, make sure tag is reset static void switch_off_tag_rwd(void) { LOW(GPIO_SSC_DOUT); - SpinDelay(10); + WaitUS(200); WDT_HIT(); - set_tracing(FALSE); + Dbprintf("Exit Switch_off_tag_rwd"); } // calculate crc4 for a legic READ command // 5,8,10 address size. -static uint32_t LegicCRC(uint16_t byte_index, uint8_t value, uint8_t cmd_sz) { +static uint32_t legic4Crc(uint8_t legicCmd, uint16_t byte_index, uint8_t value, uint8_t cmd_sz) { crc_clear(&legic_crc); - uint32_t temp = (value << cmd_sz) | (byte_index << 1) | LEGIC_READ; - crc_update(&legic_crc, temp, cmd_sz + 8 ); - // crc_update(&legic_crc, LEGIC_READ, 1); - // crc_update(&legic_crc, byte_index, cmd_sz-1); - // crc_update(&legic_crc, value, 8); + //uint32_t temp = (value << cmd_sz) | (byte_index << 1) | legicCmd; + //crc_update(&legic_crc, temp, cmd_sz + 8 ); + crc_update(&legic_crc, 1, 1); /* CMD_READ */ + crc_update(&legic_crc, byte_index, cmd_sz-1); + crc_update(&legic_crc, value, 8); return crc_finish(&legic_crc); } int legic_read_byte(int byte_index, int cmd_sz) { - uint8_t byte = 0, crc = 0; - uint32_t calcCrc = 0; + // (us)| ticks + // ------------- + // 330 | 495 + // 460 | 690 + // 258 | 387 + // 244 | 366 + WaitTicks(366); + legic_prng_forward(3); // 460 / 100 = 4.6 iterations + + uint8_t byte = 0, crc = 0, calcCrc = 0; uint32_t cmd = (byte_index << 1) | LEGIC_READ; - legic_prng_forward(3); - WAIT(TAG_TIME_WAIT) - frame_sendAsReader(cmd, cmd_sz); + frame_receiveAsReader(¤t_frame, 12); - frame_receiveAsReader(¤t_frame, 12, 1); - - byte = current_frame.data & 0xFF; - - calcCrc = LegicCRC(byte_index, byte, cmd_sz); - crc = (current_frame.data >> 8); + byte = BYTEx(current_frame.data, 0); + calcCrc = legic4Crc(LEGIC_READ, byte_index, byte, cmd_sz); + crc = BYTEx(current_frame.data, 1); if( calcCrc != crc ) { Dbprintf("!!! crc mismatch: expected %x but got %x !!!", calcCrc, crc); return -1; } + +// legic_prng_forward(2); // 460 / 100 = 4.6 iterations return byte; } @@ -470,10 +467,10 @@ int legic_read_byte(int byte_index, int cmd_sz) { * - forward the prng based on the timing */ //int legic_write_byte(int byte, int addr, int addr_sz, int PrngCorrection) { -int legic_write_byte(int byte, int addr, int addr_sz) { +int legic_write_byte(uint8_t byte, uint16_t addr, uint8_t addr_sz) { //do not write UID, CRC at offset 0-4. - if(addr <= 0x04) return 0; + if (addr <= 4) return 0; // crc crc_clear(&legic_crc); @@ -482,120 +479,125 @@ int legic_write_byte(int byte, int addr, int addr_sz) { crc_update(&legic_crc, byte, 8); uint32_t crc = crc_finish(&legic_crc); + uint32_t crc2 = legic4Crc(LEGIC_WRITE, addr, byte, addr_sz+1); + if ( crc != crc2 ) + Dbprintf("crc is missmatch"); + // send write command uint32_t cmd = ((crc <<(addr_sz+1+8)) //CRC |(byte <<(addr_sz+1)) //Data |(addr <<1) //Address - |(0x00 <<0)); //CMD = W + | LEGIC_WRITE); //CMD = Write + uint32_t cmd_sz = addr_sz+1+8+4; //crc+data+cmd legic_prng_forward(2); /* we wait anyways */ - while(timer->TC_CV < 387) ; /* ~ 258us */ + WaitUS(TAG_FRAME_WAIT); frame_sendAsReader(cmd, cmd_sz); -// wllm-rbnt doesnt have these -// AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_DIN; -// AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DIN; + // wllm-rbnt doesnt have these + AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_DIN; + AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DIN; // wait for ack int t, old_level = 0, edges = 0; int next_bit_at = 0; - while(timer->TC_CV < 387) ; /* ~ 258us */ + WaitUS(TAG_FRAME_WAIT); - for( t = 0; t < 80; t++) { + for( t = 0; t < 80; ++t) { edges = 0; next_bit_at += TAG_BIT_PERIOD; while(timer->TC_CV < next_bit_at) { int level = (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_DIN); - if(level != old_level) { + if(level != old_level) edges++; - } + old_level = level; } if(edges > 20 && edges < 60) { /* expected are 42 edges */ int t = timer->TC_CV; int c = t / TAG_BIT_PERIOD; - ResetClock(); + ResetTimer(timer); legic_prng_forward(c); return 0; } } - ResetClock(); + ResetTimer(timer); return -1; } int LegicRfReader(int offset, int bytes, int iv) { - int byte_index = 0, cmd_sz = 0, card_sz = 0; - - if ( MF_DBGLEVEL >= 2) { - Dbprintf("setting up legic card, IV = %x", iv); - - Dbprintf("ONE %d ZERO %d PAUSE %d", RWD_TIME_1 , RWD_TIME_0 , RWD_TIME_PAUSE); - Dbprintf("TAG BIT PERIOD %d FUZZ %d TAG WAIT TIME %d", TAG_BIT_PERIOD, RWD_TIME_FUZZ, TAG_TIME_WAIT); - } + uint16_t byte_index = 0; + uint8_t cmd_sz = 0; + int card_sz = 0; + uint8_t isOK = 1; + + if ( MF_DBGLEVEL >= 2) + Dbprintf("setting up legic card, IV = 0x%02x", iv); LegicCommonInit(); - uint32_t tag_type = perform_setup_phase_rwd(iv); + uint32_t tag_type = setup_phase_reader(iv); //we lose to mutch time with dprintf switch_off_tag_rwd(); switch(tag_type) { case 0x0d: - if ( MF_DBGLEVEL >= 2) DbpString("MIM22 card found, reading card ..."); + if ( MF_DBGLEVEL >= 2) DbpString("MIM22 card found, reading card"); cmd_sz = 6; card_sz = 22; break; case 0x1d: - if ( MF_DBGLEVEL >= 2) DbpString("MIM256 card found, reading card ..."); + if ( MF_DBGLEVEL >= 2) DbpString("MIM256 card found, reading card"); cmd_sz = 9; card_sz = 256; break; case 0x3d: - if ( MF_DBGLEVEL >= 2) DbpString("MIM1024 card found, reading card ..."); + if ( MF_DBGLEVEL >= 2) DbpString("MIM1024 card found, reading card"); cmd_sz = 11; card_sz = 1024; break; default: - if ( MF_DBGLEVEL >= 1) Dbprintf("Unknown card format: %x",tag_type); - return 1; + if ( MF_DBGLEVEL >= 1) Dbprintf("Unknown card format: %x", tag_type); + isOK = 0; + goto OUT; + break; } - if(bytes == -1) + if (bytes == -1) bytes = card_sz; - if(bytes+offset >= card_sz) + if (bytes + offset >= card_sz) bytes = card_sz - offset; // Start setup and read bytes. - perform_setup_phase_rwd(iv); - + setup_phase_reader(iv); + LED_B_ON(); while (byte_index < bytes) { - int r = legic_read_byte(byte_index+offset, cmd_sz); + int r = legic_read_byte(byte_index + offset, cmd_sz); if (r == -1 || BUTTON_PRESS()) { - switch_off_tag_rwd(); - LEDsoff(); if ( MF_DBGLEVEL >= 2) DbpString("operation aborted"); - cmd_send(CMD_ACK,0,0,0,0,0); - return 1; + isOK = 0; + goto OUT; } - cardmem[byte_index] = r; + cardmem[++byte_index] = r; + //byte_index++; WDT_HIT(); - byte_index++; } +OUT: switch_off_tag_rwd(); LEDsoff(); uint8_t len = (bytes & 0x3FF); - cmd_send(CMD_ACK,1,len,0,0,0); + cmd_send(CMD_ACK,isOK,len,0,cardmem,len); return 0; } @@ -603,7 +605,7 @@ int LegicRfReader(int offset, int bytes, int iv) { int byte_index=0; LED_B_ON(); - perform_setup_phase_rwd(iv); + setup_phase_reader(iv); //legic_prng_forward(2); while(byte_index < bytes) { int r; @@ -648,34 +650,34 @@ void LegicRfWriter(int offset, int bytes, int iv) { if ( MF_DBGLEVEL >= 2) DbpString("setting up legic card"); - uint32_t tag_type = perform_setup_phase_rwd(iv); + uint32_t tag_type = setup_phase_reader(iv); switch_off_tag_rwd(); switch(tag_type) { case 0x0d: if(offset+bytes > 22) { - Dbprintf("Error: can not write to 0x%03.3x on MIM22", offset+bytes); + Dbprintf("Error: can not write to 0x%03.3x on MIM22", offset + bytes); return; } addr_sz = 5; - if ( MF_DBGLEVEL >= 2) Dbprintf("MIM22 card found, writing 0x%02.2x - 0x%02.2x ...", offset, offset+bytes); + if ( MF_DBGLEVEL >= 2) Dbprintf("MIM22 card found, writing 0x%02.2x - 0x%02.2x ...", offset, offset + bytes); break; case 0x1d: if(offset+bytes > 0x100) { - Dbprintf("Error: can not write to 0x%03.3x on MIM256", offset+bytes); + Dbprintf("Error: can not write to 0x%03.3x on MIM256", offset + bytes); return; } addr_sz = 8; - if ( MF_DBGLEVEL >= 2) Dbprintf("MIM256 card found, writing 0x%02.2x - 0x%02.2x ...", offset, offset+bytes); + if ( MF_DBGLEVEL >= 2) Dbprintf("MIM256 card found, writing 0x%02.2x - 0x%02.2x ...", offset, offset + bytes); break; case 0x3d: if(offset+bytes > 0x400) { - Dbprintf("Error: can not write to 0x%03.3x on MIM1024", offset+bytes); + Dbprintf("Error: can not write to 0x%03.3x on MIM1024", offset + bytes); return; } addr_sz = 10; - if ( MF_DBGLEVEL >= 2) Dbprintf("MIM1024 card found, writing 0x%03.3x - 0x%03.3x ...", offset, offset+bytes); + if ( MF_DBGLEVEL >= 2) Dbprintf("MIM1024 card found, writing 0x%03.3x - 0x%03.3x ...", offset, offset + bytes); break; default: Dbprintf("No or unknown card found, aborting"); @@ -683,9 +685,9 @@ void LegicRfWriter(int offset, int bytes, int iv) { } LED_B_ON(); - perform_setup_phase_rwd(iv); + setup_phase_reader(iv); + int r = 0; while(byte_index < bytes) { - int r; //check if the DCF should be changed if ( ((byte_index+offset) == 0x05) && (bytes >= 0x02) ) { @@ -702,7 +704,7 @@ void LegicRfWriter(int offset, int bytes, int iv) { r = legic_write_byte(cardmem[byte_index+offset], byte_index+offset, addr_sz); } - if((r != 0) || BUTTON_PRESS()) { + if ((r != 0) || BUTTON_PRESS()) { Dbprintf("operation aborted @ 0x%03.3x", byte_index); switch_off_tag_rwd(); LEDsoff(); @@ -724,7 +726,7 @@ void LegicRfRawWriter(int address, int byte, int iv) { if ( MF_DBGLEVEL >= 2) DbpString("setting up legic card"); - uint32_t tag_type = perform_setup_phase_rwd(iv); + uint32_t tag_type = setup_phase_reader(iv); switch_off_tag_rwd(); @@ -761,9 +763,8 @@ void LegicRfRawWriter(int address, int byte, int iv) { Dbprintf("integer value: %d address: %d addr_sz: %d", byte, address, addr_sz); LED_B_ON(); - perform_setup_phase_rwd(iv); - //legic_prng_forward(2); - + setup_phase_reader(iv); + int r = legic_write_byte(byte, address, addr_sz); if((r != 0) || BUTTON_PRESS()) { @@ -790,7 +791,7 @@ static void frame_handle_tag(struct legic_frame const * const f) LED_C_ON(); // Reset prng timer - Reset(prng_timer); + ResetTimer(prng_timer); legic_prng_init(f->data); frame_send_tag(0x3d, 6, 1); /* 0x3d^0x26 = 0x1B */ @@ -799,11 +800,9 @@ static void frame_handle_tag(struct legic_frame const * const f) legic_prng_bc = 0; legic_prng_iv = f->data; - /* TIMEOUT */ - ResetClock(); - - //while(timer->TC_CV < 280); - WAIT(280) + + ResetTimer(timer); + WaitUS(280); return; } @@ -814,14 +813,11 @@ static void frame_handle_tag(struct legic_frame const * const f) if((f->bits == 6) && (f->data == xored)) { legic_state = STATE_CON; - /* TIMEOUT */ - ResetClock(); - - //while(timer->TC_CV < 200); - WAIT(200) - + ResetTimer(timer); + WaitUS(200); return; - } else { + + } else { legic_state = STATE_DISCON; LED_C_OFF(); Dbprintf("iv: %02x frame: %02x key: %02x xored: %02x", legic_prng_iv, f->data, local_key, xored); @@ -835,7 +831,7 @@ static void frame_handle_tag(struct legic_frame const * const f) int key = get_key_stream(2, 11); //legic_phase_drift, 11); int addr = f->data ^ key; addr = addr >> 1; int data = BigBuf[addr]; - int hash = LegicCRC(addr, data, 11) << 8; + int hash = legic4Crc(LEGIC_READ, addr, data, 11) << 8; BigBuf[OFFSET_LOG+legic_read_count] = (uint8_t)addr; legic_read_count++; @@ -844,13 +840,9 @@ static void frame_handle_tag(struct legic_frame const * const f) frame_send_tag(hash | data, 12, 1); - /* TIMEOUT */ - ResetClock(); - + ResetTimer(timer); legic_prng_forward(2); - //while(timer->TC_CV < 180); - WAIT(180) - + WaitUS(180); return; } } @@ -1001,10 +993,6 @@ void LegicRfSimulate(int phase, int frame, int reqresp) LEDsoff(); } -//----------------------------------------------------------------------------- -//----------------------------------------------------------------------------- - - //----------------------------------------------------------------------------- // Code up a string of octets at layer 2 (including CRC, we don't generate // that here) so that they can be transmitted to the reader. Doesn't transmit