From: etmatrix Date: Fri, 23 Oct 2015 13:29:12 +0000 (+0200) Subject: The great work of Enio hf snoop is now ported into latest version in git X-Git-Tag: v2.3.0~21^2~3 X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/0472d76de484018f2d11425417f3078a08a2e3d3?ds=sidebyside;hp=--cc The great work of Enio hf snoop is now ported into latest version in git you can find original work here https://github.com/EnioArda/proxmark3 --- 0472d76de484018f2d11425417f3078a08a2e3d3 diff --git a/armsrc/Makefile b/armsrc/Makefile index a59fa073..3c6c14c6 100644 --- a/armsrc/Makefile +++ b/armsrc/Makefile @@ -10,7 +10,7 @@ APP_INCLUDES = apps.h #remove one of the following defines and comment out the relevant line #in the next section to remove that particular feature from compilation -APP_CFLAGS = -DWITH_ISO14443a_StandAlone -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG -DWITH_CRC -DON_DEVICE \ +APP_CFLAGS = -DWITH_ISO14443a_StandAlone -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG -DWITH_CRC -DON_DEVICE -DWITH_HFSNOOP \ -fno-strict-aliasing -ffunction-sections -fdata-sections #-DWITH_LCD @@ -60,7 +60,8 @@ ARMSRC = fpgaloader.c \ legic_prng.c \ iclass.c \ BigBuf.c \ - optimized_cipher.c + optimized_cipher.c \ + hfsnoop.c # Do not move this inclusion before the definition of {THUMB,ASM,ARM}SRC include ../common/Makefile.common diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 48c9caef..8c2aefbb 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -1202,6 +1202,11 @@ void UsbPacketReceived(uint8_t *packet, int len) iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes); break; #endif +#ifdef WITH_HFSNOOP + case CMD_HF_SNIFFER: + HfSnoop(c->arg[0], c->arg[1]); + break; +#endif case CMD_BUFF_CLEAR: BigBuf_Clear(); @@ -1338,7 +1343,7 @@ void __attribute__((noreturn)) AppMain(void) AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0; // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK | - AT91C_PMC_PRES_CLK_4; + AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0; // Reset SPI diff --git a/armsrc/apps.h b/armsrc/apps.h index 79c9da86..2cfd31d7 100644 --- a/armsrc/apps.h +++ b/armsrc/apps.h @@ -189,5 +189,6 @@ bool cmd_receive(UsbCommand* cmd); bool cmd_send(uint32_t cmd, uint32_t arg0, uint32_t arg1, uint32_t arg2, void* data, size_t len); /// util.h +void HfSnoop(int , int); #endif diff --git a/armsrc/fpgaloader.h b/armsrc/fpgaloader.h index 52d6c677..38724cdb 100644 --- a/armsrc/fpgaloader.h +++ b/armsrc/fpgaloader.h @@ -43,6 +43,7 @@ void SetAdcMuxFor(uint32_t whichGpio); #define FPGA_MAJOR_MODE_HF_READER_RX_XCORR (1<<5) #define FPGA_MAJOR_MODE_HF_SIMULATOR (2<<5) #define FPGA_MAJOR_MODE_HF_ISO14443A (3<<5) +#define FPGA_MAJOR_MODE_HF_SNOOP (4<<5) // BOTH #define FPGA_MAJOR_MODE_OFF (7<<5) // Options for LF_ADC diff --git a/armsrc/hfsnoop.c b/armsrc/hfsnoop.c new file mode 100644 index 00000000..5338bd0d --- /dev/null +++ b/armsrc/hfsnoop.c @@ -0,0 +1,74 @@ +#include "proxmark3.h" +#include "apps.h" +#include "BigBuf.h" +#include "util.h" + +static void RAMFUNC optimizedSnoop(void); + +static void RAMFUNC optimizedSnoop(void) +{ + BigBuf_free(); + int n = BigBuf_max_traceLen() / sizeof(uint16_t); // take all memory + + uint16_t *dest = (uint16_t *)BigBuf_get_addr(); + uint16_t *destend = dest + n; + + AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16); // Setting Frame mode, 16 bits per word + // Reading data loop + while(dest <= destend) + { + if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) + { + *dest = (uint16_t)(AT91C_BASE_SSC->SSC_RHR); + dest = dest + 1; + } + } + //Resetting Frame mode (First set in fpgaloader.c) + AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0); +} + +void HfSnoop(int samplesToSkip, int triggersToSkip) +{ + Dbprintf("Skipping first %d sample pairs, Skipping %d triggers.\n", samplesToSkip, triggersToSkip); + bool trigger_cnt; + LED_D_OFF(); + // Select correct configs + FpgaDownloadAndGo(FPGA_BITSTREAM_HF); + // Set up the synchronous serial port + FpgaSetupSsc(); + // connect Demodulated Signal to ADC: + SetAdcMuxFor(GPIO_MUXSEL_HIPKD); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SNOOP); + SpinDelay(100); + + AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16); // Setting Frame Mode For better performance on high speed data transfer. + + trigger_cnt = 0; + uint16_t r; + for(;;) { + if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { + r = (uint16_t)AT91C_BASE_SSC->SSC_RHR; + if (!(trigger_cnt == triggersToSkip) && ( (r >> 8) >= 240)) + { + Dbprintf("Trigger kicked! Value: %d.", r >> 8); + trigger_cnt++; + break; + } + } + } + Dbprintf("Trigger kicked! Value: %d, Dumping Samples Hispeed now.", r >> 8); + int waitcount = samplesToSkip; // lets wait 40000 ticks of pck0 + while(waitcount != 0) { + if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { + waitcount--; + } + } + + // Snooooop!!! + optimizedSnoop(); + + DbpString("Done."); + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + LED_D_OFF(); +} + diff --git a/client/cmdhf.c b/client/cmdhf.c index 8406fe76..34bdc24f 100644 --- a/client/cmdhf.c +++ b/client/cmdhf.c @@ -576,6 +576,14 @@ int CmdHFSearch(const char *Cmd){ return 0; } +int CmdHFSnoop(const char *Cmd) +{ + char * pEnd; + UsbCommand c = {CMD_HF_SNIFFER, {strtol(Cmd, &pEnd,0),strtol(pEnd, &pEnd,0),0}}; + SendCommand(&c); + return 0; +} + static command_t CommandTable[] = { {"help", CmdHelp, 1, "This help"}, @@ -590,7 +598,8 @@ static command_t CommandTable[] = {"tune", CmdHFTune, 0, "Continuously measure HF antenna tuning"}, {"list", CmdHFList, 1, "List protocol data in trace buffer"}, {"search", CmdHFSearch, 1, "Search for known HF tags [preliminary]"}, - {NULL, NULL, 0, NULL} + {"snoop", CmdHFSnoop, 0, " Generic LF/HF Snoop in Testing stage"}, + {NULL, NULL, 0, NULL} }; int CmdHF(const char *Cmd) diff --git a/fpga/Makefile b/fpga/Makefile index fad2ff04..e58d6fc4 100644 --- a/fpga/Makefile +++ b/fpga/Makefile @@ -9,7 +9,7 @@ fpga_hf.ngc: fpga_hf.v fpga.ucf xst_hf.scr util.v hi_simulate.v hi_read_tx.v hi_ $(DELETE) $@ $(XILINX_TOOLS_PREFIX)xst -ifn xst_hf.scr -fpga_lf.ngc: fpga_lf.v fpga.ucf xst_lf.scr util.v clk_divider.v lo_edge_detect.v lo_read.v lo_passthru.v lp20khz_1MSa_iir_filter.v min_max_tracker.v lf_edge_detect.v +fpga_lf.ngc: fpga_lf.v fpga.ucf xst_lf.scr util.v clk_divider.v lo_edge_detect.v lo_read.v lo_passthru.v lp20khz_1MSa_iir_filter.v min_max_tracker.v lf_edge_detect.v hi_sniffer.v $(DELETE) $@ $(XILINX_TOOLS_PREFIX)xst -ifn xst_lf.scr diff --git a/fpga/fpga_hf.bit b/fpga/fpga_hf.bit index 50c7eef9..eea2083b 100644 Binary files a/fpga/fpga_hf.bit and b/fpga/fpga_hf.bit differ diff --git a/fpga/fpga_hf.v b/fpga/fpga_hf.v index 8a465e75..264e1b0c 100644 --- a/fpga/fpga_hf.v +++ b/fpga/fpga_hf.v @@ -17,6 +17,7 @@ `include "hi_read_rx_xcorr.v" `include "hi_simulate.v" `include "hi_iso14443a.v" +`include "hi_sniffer.v" `include "util.v" module fpga_hf( @@ -122,25 +123,36 @@ hi_iso14443a hisn( hi_simulate_mod_type ); +hi_sniffer he( + pck0, ck_1356meg, ck_1356megb, + he_pwr_lo, he_pwr_hi, he_pwr_oe1, he_pwr_oe2, he_pwr_oe3, he_pwr_oe4, + adc_d, he_adc_clk, + he_ssp_frame, he_ssp_din, ssp_dout, he_ssp_clk, + cross_hi, cross_lo, + he_dbg, + hi_read_rx_xcorr_848, hi_read_rx_xcorr_snoop, hi_read_rx_xcorr_quarter +); + // Major modes: // 000 -- HF reader, transmitting to tag; modulation depth selectable // 001 -- HF reader, receiving from tag, correlating as it goes; frequency selectable // 010 -- HF simulated tag // 011 -- HF ISO14443-A +// 100 -- HF Snoop // 111 -- everything off -mux8 mux_ssp_clk (major_mode, ssp_clk, ht_ssp_clk, hrxc_ssp_clk, hs_ssp_clk, hisn_ssp_clk, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_ssp_din (major_mode, ssp_din, ht_ssp_din, hrxc_ssp_din, hs_ssp_din, hisn_ssp_din, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_ssp_frame (major_mode, ssp_frame, ht_ssp_frame, hrxc_ssp_frame, hs_ssp_frame, hisn_ssp_frame, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_pwr_oe1 (major_mode, pwr_oe1, ht_pwr_oe1, hrxc_pwr_oe1, hs_pwr_oe1, hisn_pwr_oe1, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_pwr_oe2 (major_mode, pwr_oe2, ht_pwr_oe2, hrxc_pwr_oe2, hs_pwr_oe2, hisn_pwr_oe2, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_pwr_oe3 (major_mode, pwr_oe3, ht_pwr_oe3, hrxc_pwr_oe3, hs_pwr_oe3, hisn_pwr_oe3, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_pwr_oe4 (major_mode, pwr_oe4, ht_pwr_oe4, hrxc_pwr_oe4, hs_pwr_oe4, hisn_pwr_oe4, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_pwr_lo (major_mode, pwr_lo, ht_pwr_lo, hrxc_pwr_lo, hs_pwr_lo, hisn_pwr_lo, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_pwr_hi (major_mode, pwr_hi, ht_pwr_hi, hrxc_pwr_hi, hs_pwr_hi, hisn_pwr_hi, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_adc_clk (major_mode, adc_clk, ht_adc_clk, hrxc_adc_clk, hs_adc_clk, hisn_adc_clk, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_dbg (major_mode, dbg, ht_dbg, hrxc_dbg, hs_dbg, hisn_dbg, 1'b0, 1'b0, 1'b0, 1'b0); +mux8 mux_ssp_clk (major_mode, ssp_clk, ht_ssp_clk, hrxc_ssp_clk, hs_ssp_clk, hisn_ssp_clk, he_ssp_clk, 1'b0, 1'b0, 1'b0); +mux8 mux_ssp_din (major_mode, ssp_din, ht_ssp_din, hrxc_ssp_din, hs_ssp_din, hisn_ssp_din, he_ssp_din, 1'b0, 1'b0, 1'b0); +mux8 mux_ssp_frame (major_mode, ssp_frame, ht_ssp_frame, hrxc_ssp_frame, hs_ssp_frame, hisn_ssp_frame, he_ssp_frame, 1'b0, 1'b0, 1'b0); +mux8 mux_pwr_oe1 (major_mode, pwr_oe1, ht_pwr_oe1, hrxc_pwr_oe1, hs_pwr_oe1, hisn_pwr_oe1, he_pwr_oe1, 1'b0, 1'b0, 1'b0); +mux8 mux_pwr_oe2 (major_mode, pwr_oe2, ht_pwr_oe2, hrxc_pwr_oe2, hs_pwr_oe2, hisn_pwr_oe2, he_pwr_oe2, 1'b0, 1'b0, 1'b0); +mux8 mux_pwr_oe3 (major_mode, pwr_oe3, ht_pwr_oe3, hrxc_pwr_oe3, hs_pwr_oe3, hisn_pwr_oe3, he_pwr_oe3, 1'b0, 1'b0, 1'b0); +mux8 mux_pwr_oe4 (major_mode, pwr_oe4, ht_pwr_oe4, hrxc_pwr_oe4, hs_pwr_oe4, hisn_pwr_oe4, he_pwr_oe4, 1'b0, 1'b0, 1'b0); +mux8 mux_pwr_lo (major_mode, pwr_lo, ht_pwr_lo, hrxc_pwr_lo, hs_pwr_lo, hisn_pwr_lo, he_pwr_lo, 1'b0, 1'b0, 1'b0); +mux8 mux_pwr_hi (major_mode, pwr_hi, ht_pwr_hi, hrxc_pwr_hi, hs_pwr_hi, hisn_pwr_hi, he_pwr_hi, 1'b0, 1'b0, 1'b0); +mux8 mux_adc_clk (major_mode, adc_clk, ht_adc_clk, hrxc_adc_clk, hs_adc_clk, hisn_adc_clk, he_adc_clk, 1'b0, 1'b0, 1'b0); +mux8 mux_dbg (major_mode, dbg, ht_dbg, hrxc_dbg, hs_dbg, hisn_dbg, he_dbg, 1'b0, 1'b0, 1'b0); // In all modes, let the ADC's outputs be enabled. assign adc_noe = 1'b0; diff --git a/fpga/fpga_lf.bit b/fpga/fpga_lf.bit index bd4d821b..6a16e7bf 100644 Binary files a/fpga/fpga_lf.bit and b/fpga/fpga_lf.bit differ diff --git a/fpga/hi_sniffer.v b/fpga/hi_sniffer.v new file mode 100644 index 00000000..f9d8ba93 --- /dev/null +++ b/fpga/hi_sniffer.v @@ -0,0 +1,77 @@ + +module hi_sniffer( + pck0, ck_1356meg, ck_1356megb, + pwr_lo, pwr_hi, pwr_oe1, pwr_oe2, pwr_oe3, pwr_oe4, + adc_d, adc_clk, + ssp_frame, ssp_din, ssp_dout, ssp_clk, + cross_hi, cross_lo, + dbg, + xcorr_is_848, snoop, xcorr_quarter_freq // not used. +); + input pck0, ck_1356meg, ck_1356megb; + output pwr_lo, pwr_hi, pwr_oe1, pwr_oe2, pwr_oe3, pwr_oe4; + input [7:0] adc_d; + output adc_clk; + input ssp_dout; + output ssp_frame, ssp_din, ssp_clk; + input cross_hi, cross_lo; + output dbg; + input xcorr_is_848, snoop, xcorr_quarter_freq; // not used. + +// We are only snooping, all off. +assign pwr_hi = 1'b0;// ck_1356megb & (~snoop); +assign pwr_oe1 = 1'b0; +assign pwr_oe2 = 1'b0; +assign pwr_oe3 = 1'b0; +assign pwr_oe4 = 1'b0; + +reg ssp_clk = 1'b0; +reg ssp_frame; +reg adc_clk; +reg [7:0] adc_d_out = 8'd0; +reg [7:0] ssp_cnt = 8'd0; +reg [7:0] pck_divider = 8'd0; +reg ant_lo = 1'b0; +reg bit_to_send = 1'b0; + +always @(ck_1356meg, pck0) // should synthetisize to a mux.. + begin + adc_clk = ck_1356meg; + ssp_clk = ~ck_1356meg; + end + +reg [7:0] cnt_test = 8'd0; // test + +always @(posedge pck0) +begin + ant_lo <= 1'b0; +end + +always @(posedge ssp_clk) // ~1356 (hf) +begin + if(ssp_cnt[7:0] == 8'd255) // SSP counter for divides. + ssp_cnt[7:0] <= 8'd0; + else + ssp_cnt <= ssp_cnt + 1; + + if((ssp_cnt[2:0] == 3'b000) && !ant_lo) // To set frame length + begin + adc_d_out[7:0] = adc_d; // disable for test + bit_to_send = adc_d_out[0]; + ssp_frame <= 1'b1; + end + else + begin + adc_d_out[6:0] = adc_d_out[7:1]; + adc_d_out[7] = 1'b0; // according to old lf_read.v comment prevents gliches if not set. + bit_to_send = adc_d_out[0]; + ssp_frame <= 1'b0; + end +end + +assign ssp_din = bit_to_send && !ant_lo;//bit_to_send && !ant_lo; // && .. not needed i guess? + +assign pwr_lo = ant_lo; + + +endmodule diff --git a/include/usb_cmd.h b/include/usb_cmd.h index 0f649a69..88e2afe3 100644 --- a/include/usb_cmd.h +++ b/include/usb_cmd.h @@ -197,6 +197,8 @@ typedef struct{ #define CMD_MIFARE_DESFIRE_INFO 0x072d #define CMD_MIFARE_DESFIRE 0x072e +#define CMD_HF_SNIFFER 0x0800 + #define CMD_UNKNOWN 0xFFFF