From: iceman1001 Date: Sun, 21 Jun 2015 09:07:05 +0000 (+0200) Subject: ADD: @marshmellow42 fudan detection in hf mfu X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/22e2470051913380bbfa50b0ef9b7ad999364cdc ADD: @marshmellow42 fudan detection in hf mfu ADD: @marshmellow42 14b reader changes. ADD: @pwpiwi 14b fixes --- diff --git a/armsrc/appmain.c b/armsrc/appmain.c index c7061aab..9db69f0c 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -18,12 +18,13 @@ #include "util.h" #include "printf.h" #include "string.h" + #include + #include "legicrf.h" #include #include "lfsampling.h" #include "BigBuf.h" - #ifdef WITH_LCD #include "LCD.h" #endif @@ -249,55 +250,6 @@ void MeasureAntennaTuningHf(void) } -void SimulateTagHfListen(void) -{ - // ToDo: historically this used the free buffer, which was 2744 Bytes long. - // There might be a better size to be defined: - #define HF_14B_SNOOP_BUFFER_SIZE 2744 - uint8_t *dest = BigBuf_malloc(HF_14B_SNOOP_BUFFER_SIZE); - uint8_t v = 0; - int i; - int p = 0; - - // We're using this mode just so that I can test it out; the simulated - // tag mode would work just as well and be simpler. - FpgaDownloadAndGo(FPGA_BITSTREAM_HF); - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ | FPGA_HF_READER_RX_XCORR_SNOOP); - - // We need to listen to the high-frequency, peak-detected path. - SetAdcMuxFor(GPIO_MUXSEL_HIPKD); - - FpgaSetupSsc(); - - i = 0; - for(;;) { - if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - AT91C_BASE_SSC->SSC_THR = 0xff; - } - if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { - uint8_t r = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - - v <<= 1; - if(r & 1) { - v |= 1; - } - p++; - - if(p >= 8) { - dest[i] = v; - v = 0; - p = 0; - i++; - - if(i >= HF_14B_SNOOP_BUFFER_SIZE) { - break; - } - } - } - } - DbpString("simulate tag (now type bitsamples)"); -} - void ReadMem(int addr) { const uint8_t *data = ((uint8_t *)addr); @@ -781,19 +733,16 @@ void UsbPacketReceived(uint8_t *packet, int len) #endif #ifdef WITH_ISO14443b - case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_14443: - AcquireRawAdcSamplesIso14443b(c->arg[0]); - break; case CMD_READ_SRI512_TAG: ReadSTMemoryIso14443b(0x0F); break; case CMD_READ_SRIX4K_TAG: ReadSTMemoryIso14443b(0x7F); break; - case CMD_SNOOP_ISO_14443: + case CMD_SNOOP_ISO_14443B: SnoopIso14443b(); break; - case CMD_SIMULATE_TAG_ISO_14443: + case CMD_SIMULATE_TAG_ISO_14443B: SimulateIso14443bTag(); break; case CMD_ISO_14443B_COMMAND: @@ -816,10 +765,6 @@ void UsbPacketReceived(uint8_t *packet, int len) EPA_PACE_Collect_Nonce(c); break; - // case CMD_EPA_: - // EpaFoo(c); - // break; - case CMD_READER_MIFARE: ReaderMifare(c->arg[0]); break; @@ -936,10 +881,6 @@ void UsbPacketReceived(uint8_t *packet, int len) break; #endif - case CMD_SIMULATE_TAG_HF_LISTEN: - SimulateTagHfListen(); - break; - case CMD_BUFF_CLEAR: BigBuf_Clear(); break; diff --git a/armsrc/iso14443b.c b/armsrc/iso14443b.c index 160ec1ec..53f7e74d 100644 --- a/armsrc/iso14443b.c +++ b/armsrc/iso14443b.c @@ -17,7 +17,6 @@ #include "iso14443crc.h" #define RECEIVE_SAMPLES_TIMEOUT 2000 -#define ISO14443B_DMA_BUFFER_SIZE 512 //============================================================================= // An ISO 14443 Type B tag. We listen for commands from the reader, using @@ -238,7 +237,11 @@ static int Handle14443bUartBit(int bit) } else if(Uart.shiftReg == 0x000) { // this is an EOF byte LED_A_OFF(); // Finished receiving + if (Uart.byteCnt != 0) { return TRUE; + } + Uart.posCnt = 0; + Uart.state = STATE_ERROR_WAIT; } else { // this is an error Uart.posCnt = 0; @@ -715,38 +718,38 @@ static void GetSamplesFor14443bDemod(int n, bool quiet) uint8_t *receivedResponse = BigBuf_malloc(MAX_FRAME_SIZE); // The DMA buffer, used to stream samples from the FPGA - int8_t *dmaBuf = (int8_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE); + int8_t *dmaBuf = (int8_t*) BigBuf_malloc(DMA_BUFFER_SIZE); // Set up the demodulator for tag -> reader responses. DemodInit(receivedResponse); // Setup and start DMA. - FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE); + FpgaSetupSscDma((uint8_t*) dmaBuf, DMA_BUFFER_SIZE); int8_t *upTo = dmaBuf; - lastRxCounter = ISO14443B_DMA_BUFFER_SIZE; + lastRxCounter = DMA_BUFFER_SIZE; // Signal field is ON with the appropriate LED: LED_D_ON(); // And put the FPGA in the appropriate mode - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ); for(;;) { int behindBy = lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR; if(behindBy > max) max = behindBy; - while(((lastRxCounter-AT91C_BASE_PDC_SSC->PDC_RCR) & (ISO14443B_DMA_BUFFER_SIZE-1)) > 2) { + while(((lastRxCounter-AT91C_BASE_PDC_SSC->PDC_RCR) & (DMA_BUFFER_SIZE-1)) > 2) { ci = upTo[0]; cq = upTo[1]; upTo += 2; - if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) { + if(upTo >= dmaBuf + DMA_BUFFER_SIZE) { upTo = dmaBuf; AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo; - AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE; + AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE; } lastRxCounter -= 2; if(lastRxCounter <= 0) { - lastRxCounter += ISO14443B_DMA_BUFFER_SIZE; + lastRxCounter += DMA_BUFFER_SIZE; } samples += 2; @@ -768,7 +771,7 @@ static void GetSamplesFor14443bDemod(int n, bool quiet) //Tracing if (tracing && Demod.len > 0) { uint8_t parity[MAX_PARITY_SIZE]; - GetParity(Demod.output, Demod.len, parity); + //GetParity(Demod.output, Demod.len, parity); LogTrace(Demod.output, Demod.len, 0, 0, parity, FALSE); } } @@ -881,22 +884,6 @@ static void CodeIso14443bAsReader(const uint8_t *cmd, int len) } -//----------------------------------------------------------------------------- -// Read an ISO 14443B tag. We send it some set of commands, and record the -// responses. -// The command name is misleading, it actually decodes the reponse in HEX -// into the output buffer (read the result using hexsamples, not hisamples) -// -// obsolete function only for test -//----------------------------------------------------------------------------- -void AcquireRawAdcSamplesIso14443b(uint32_t parameter) -{ - uint8_t cmd1[] = { 0x05, 0x00, 0x08, 0x39, 0x73 }; // REQB with AFI=0, Request All, N=0 - - SendRawCommand14443B(sizeof(cmd1),1,1,cmd1); -} - - /** Convenience function to encode, transmit and trace iso 14443b comms **/ @@ -941,8 +928,7 @@ void ReadSTMemoryIso14443b(uint32_t dwLast) // Now give it time to spin up. // Signal field is on with the appropriate LED LED_D_ON(); - FpgaWriteConfWord( - FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ); SpinDelay(200); // First command: wake up the tag using the INITIATE command @@ -954,10 +940,10 @@ void ReadSTMemoryIso14443b(uint32_t dwLast) // LED_A_OFF(); if (Demod.len == 0) { - DbpString("No response from tag"); - return; + DbpString("No response from tag"); + return; } else { - Dbprintf("Randomly generated UID from tag (+ 2 byte CRC): %x %x %x", + Dbprintf("Randomly generated UID from tag (+ 2 byte CRC): %02x %02x %02x", Demod.output[0], Demod.output[1],Demod.output[2]); } // There is a response, SELECT the uid @@ -971,19 +957,19 @@ void ReadSTMemoryIso14443b(uint32_t dwLast) GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE); // LED_A_OFF(); if (Demod.len != 3) { - Dbprintf("Expected 3 bytes from tag, got %d", Demod.len); - return; + Dbprintf("Expected 3 bytes from tag, got %d", Demod.len); + return; } // Check the CRC of the answer: ComputeCrc14443(CRC_14443_B, Demod.output, 1 , &cmd1[2], &cmd1[3]); if(cmd1[2] != Demod.output[1] || cmd1[3] != Demod.output[2]) { - DbpString("CRC Error reading select response."); - return; + DbpString("CRC Error reading select response."); + return; } // Check response from the tag: should be the same UID as the command we just sent: if (cmd1[1] != Demod.output[0]) { - Dbprintf("Bad response to SELECT from Tag, aborting: %x %x", cmd1[1], Demod.output[0]); - return; + Dbprintf("Bad response to SELECT from Tag, aborting: %02x %02x", cmd1[1], Demod.output[0]); + return; } // Tag is now selected, // First get the tag's UID: @@ -995,19 +981,21 @@ void ReadSTMemoryIso14443b(uint32_t dwLast) GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE); // LED_A_OFF(); if (Demod.len != 10) { - Dbprintf("Expected 10 bytes from tag, got %d", Demod.len); - return; + Dbprintf("Expected 10 bytes from tag, got %d", Demod.len); + return; } // The check the CRC of the answer (use cmd1 as temporary variable): ComputeCrc14443(CRC_14443_B, Demod.output, 8, &cmd1[2], &cmd1[3]); - if(cmd1[2] != Demod.output[8] || cmd1[3] != Demod.output[9]) { - Dbprintf("CRC Error reading block! - Below: expected, got %x %x", - (cmd1[2]<<8)+cmd1[3], (Demod.output[8]<<8)+Demod.output[9]); + if(cmd1[2] != Demod.output[8] || cmd1[3] != Demod.output[9]) { + Dbprintf("CRC Error reading block! Expected: %04x got: %04x", + (cmd1[2]<<8)+cmd1[3], + (Demod.output[8]<<8)+Demod.output[9] + ); // Do not return;, let's go on... (we should retry, maybe ?) } Dbprintf("Tag UID (64 bits): %08x %08x", - (Demod.output[7]<<24) + (Demod.output[6]<<16) + (Demod.output[5]<<8) + Demod.output[4], - (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0]); + (Demod.output[7]<<24) + (Demod.output[6]<<16) + (Demod.output[5]<<8) + Demod.output[4], + (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0]); // Now loop to read all 16 blocks, address from 0 to last block Dbprintf("Tag memory dump, block 0 to %d",dwLast); @@ -1033,17 +1021,18 @@ void ReadSTMemoryIso14443b(uint32_t dwLast) // The check the CRC of the answer (use cmd1 as temporary variable): ComputeCrc14443(CRC_14443_B, Demod.output, 4, &cmd1[2], &cmd1[3]); if(cmd1[2] != Demod.output[4] || cmd1[3] != Demod.output[5]) { - Dbprintf("CRC Error reading block! - Below: expected, got %x %x", - (cmd1[2]<<8)+cmd1[3], (Demod.output[4]<<8)+Demod.output[5]); + Dbprintf("CRC Error reading block! Expected: %04x got: %04x", + (cmd1[2]<<8)+cmd1[3], + (Demod.output[4]<<8)+Demod.output[5] + ); // Do not return;, let's go on... (we should retry, maybe ?) } // Now print out the memory location: - Dbprintf("Address=%x, Contents=%x, CRC=%x", i, - (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0], - (Demod.output[4]<<8)+Demod.output[5]); - if (i == 0xff) { - break; - } + Dbprintf("Address=%02x, Contents=%08x, CRC=%04x", i, + (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0], + (Demod.output[4]<<8)+Demod.output[5] + ); + if (i == 0xff) break; i++; } } @@ -1063,7 +1052,7 @@ void ReadSTMemoryIso14443b(uint32_t dwLast) * Memory usage for this function, (within BigBuf) * Last Received command (reader->tag) - MAX_FRAME_SIZE * Last Received command (tag->reader) - MAX_FRAME_SIZE - * DMA Buffer - ISO14443B_DMA_BUFFER_SIZE + * DMA Buffer - DMA_BUFFER_SIZE * Demodulated samples received - all the rest */ void RAMFUNC SnoopIso14443b(void) @@ -1080,7 +1069,7 @@ void RAMFUNC SnoopIso14443b(void) set_tracing(TRUE); // The DMA buffer, used to stream samples from the FPGA - int8_t *dmaBuf = (int8_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE); + int8_t *dmaBuf = (int8_t*) BigBuf_malloc(DMA_BUFFER_SIZE); int lastRxCounter; int8_t *upTo; int ci, cq; @@ -1098,22 +1087,20 @@ void RAMFUNC SnoopIso14443b(void) Dbprintf(" Trace: %i bytes", BigBuf_max_traceLen()); Dbprintf(" Reader -> tag: %i bytes", MAX_FRAME_SIZE); Dbprintf(" tag -> Reader: %i bytes", MAX_FRAME_SIZE); - Dbprintf(" DMA: %i bytes", ISO14443B_DMA_BUFFER_SIZE); + Dbprintf(" DMA: %i bytes", DMA_BUFFER_SIZE); // Signal field is off, no reader signal, no tag signal LEDsoff(); // And put the FPGA in the appropriate mode - FpgaWriteConfWord( - FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ | - FPGA_HF_READER_RX_XCORR_SNOOP); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ | FPGA_HF_READER_RX_XCORR_SNOOP); SetAdcMuxFor(GPIO_MUXSEL_HIPKD); // Setup for the DMA. FpgaSetupSsc(); upTo = dmaBuf; - lastRxCounter = ISO14443B_DMA_BUFFER_SIZE; - FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE); + lastRxCounter = DMA_BUFFER_SIZE; + FpgaSetupSscDma((uint8_t*) dmaBuf, DMA_BUFFER_SIZE); uint8_t parity[MAX_PARITY_SIZE]; bool TagIsActive = FALSE; @@ -1122,7 +1109,7 @@ void RAMFUNC SnoopIso14443b(void) // And now we loop, receiving samples. for(;;) { int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) & - (ISO14443B_DMA_BUFFER_SIZE-1); + (DMA_BUFFER_SIZE-1); if(behindBy > maxBehindBy) { maxBehindBy = behindBy; } @@ -1133,14 +1120,14 @@ void RAMFUNC SnoopIso14443b(void) cq = upTo[1]; upTo += 2; lastRxCounter -= 2; - if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) { + if(upTo >= dmaBuf + DMA_BUFFER_SIZE) { upTo = dmaBuf; - lastRxCounter += ISO14443B_DMA_BUFFER_SIZE; + lastRxCounter += DMA_BUFFER_SIZE; AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; - AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE; + AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE; WDT_HIT(); - if(behindBy > (9*ISO14443B_DMA_BUFFER_SIZE/10)) { // TODO: understand whether we can increase/decrease as we want or not? - Dbprintf("blew circular buffer! behindBy=0x%x", behindBy); + if(behindBy > (9*DMA_BUFFER_SIZE/10)) { // TODO: understand whether we can increase/decrease as we want or not? + Dbprintf("blew circular buffer! behindBy=%d", behindBy); break; } if(!tracing) { @@ -1158,7 +1145,7 @@ void RAMFUNC SnoopIso14443b(void) if (!TagIsActive) { // no need to try decoding reader data if the tag is sending if(Handle14443bUartBit(ci & 0x01)) { if(triggered && tracing) { - GetParity(Uart.output, Uart.byteCnt, parity); + //GetParity(Uart.output, Uart.byteCnt, parity); LogTrace(Uart.output,Uart.byteCnt,samples, samples,parity,TRUE); } /* And ready to receive another command. */ @@ -1169,7 +1156,7 @@ void RAMFUNC SnoopIso14443b(void) } if(Handle14443bUartBit(cq & 0x01)) { if(triggered && tracing) { - GetParity(Uart.output, Uart.byteCnt, parity); + //GetParity(Uart.output, Uart.byteCnt, parity); LogTrace(Uart.output,Uart.byteCnt,samples, samples, parity, TRUE); } /* And ready to receive another command. */ @@ -1182,13 +1169,13 @@ void RAMFUNC SnoopIso14443b(void) } if(!ReaderIsActive) { // no need to try decoding tag data if the reader is sending - and we cannot afford the time - if(Handle14443bSamplesDemod(ci & 0xFE, cq & 0xFE)) { + if(Handle14443bSamplesDemod(ci, cq)) { //Use samples as a time measurement if(tracing) { uint8_t parity[MAX_PARITY_SIZE]; - GetParity(Demod.output, Demod.len, parity); + //GetParity(Demod.output, Demod.len, parity); LogTrace(Demod.output, Demod.len,samples, samples, parity, FALSE); } triggered = TRUE; @@ -1196,7 +1183,7 @@ void RAMFUNC SnoopIso14443b(void) // And ready to receive another response. DemodReset(); } - TagIsActive = (Demod.state > DEMOD_PHASE_REF_TRAINING); + TagIsActive = (Demod.state > DEMOD_GOT_FALLING_EDGE_OF_SOF); } } @@ -1243,7 +1230,7 @@ void SendRawCommand14443B(uint32_t datalen, uint32_t recv, uint8_t powerfield, u */ // if(!GETBIT(GPIO_LED_D)) { // if field is off - // FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR); + // FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ); // // Signal field is on with the appropriate LED // LED_D_ON(); // SpinDelay(200); diff --git a/client/cmdhf.c b/client/cmdhf.c index 614dcdc4..4efa55bf 100644 --- a/client/cmdhf.c +++ b/client/cmdhf.c @@ -36,6 +36,7 @@ int CmdHFTune(const char *Cmd) return 0; } + void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) { switch(cmd[0]) @@ -92,7 +93,6 @@ void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) else snprintf(exp,size,"PWD-AUTH"); break; - case MIFARE_ULEV1_FASTREAD : { if ( cmdsize >=3 && cmd[2] <= 0xE6) snprintf(exp,size,"READ RANGE (%d-%d)",cmd[1],cmd[2]); @@ -483,11 +483,13 @@ uint16_t printTraceLine(uint16_t tracepos, uint16_t traceLen, uint8_t *trace, ui oddparity ^= (((frame[j] & 0xFF) >> k) & 0x01); } uint8_t parityBits = parityBytes[j>>3]; - if (isResponse && (oddparity != ((parityBits >> (7-(j&0x0007))) & 0x01))) { + if (protocol != ISO_14443B && isResponse && (oddparity != ((parityBits >> (7-(j&0x0007))) & 0x01))) { snprintf(line[j/16]+(( j % 16) * 4),110, "%02x! ", frame[j]); + } else { snprintf(line[j/16]+(( j % 16) * 4),110, "%02x ", frame[j]); } + } if (markCRCBytes) { @@ -663,6 +665,11 @@ int CmdHFSearch(const char *Cmd){ PrintAndLog("\nValid ISO14443A Tag Found - Quiting Search\n"); return ans; } + ans = HF14BReader(false); + if (ans) { + PrintAndLog("\nValid ISO14443B Tag Found - Quiting Search\n"); + return ans; + } ans = HFiClassReader("", false, false); if (ans) { PrintAndLog("\nValid iClass Tag (or PicoPass Tag) Found - Quiting Search\n"); @@ -673,12 +680,7 @@ int CmdHFSearch(const char *Cmd){ PrintAndLog("\nValid ISO15693 Tag Found - Quiting Search\n"); return ans; } - - - //14b has issues currently... - //ans = CmdHF14BRead(Cmd); - //if (ans > 0) return ans; - + PrintAndLog("\nno known/supported 13.56 MHz tags found\n"); return 0; } @@ -697,7 +699,7 @@ static command_t CommandTable[] = {"topaz", CmdHFTopaz, 1, "{ TOPAZ (NFC Type 1) RFIDs... }"}, {"tune", CmdHFTune, 0, "Continuously measure HF antenna tuning"}, {"list", CmdHFList, 1, "List protocol data in trace buffer"}, - {"search", CmdHFSearch, 1, "Search for known HF tags [preliminary]"}, + {"search", CmdHFSearch, 1, "Search for known HF tags"}, {NULL, NULL, 0, NULL} }; diff --git a/client/cmdhf14b.c b/client/cmdhf14b.c index 52888bfd..0144111e 100644 --- a/client/cmdhf14b.c +++ b/client/cmdhf14b.c @@ -23,129 +23,9 @@ #include "cmdhf14b.h" #include "cmdmain.h" #include "cmdhf14a.h" -//#include "sleep.h" -#include "cmddata.h" static int CmdHelp(const char *Cmd); -int CmdHF14BDemod(const char *Cmd) -{ - int i, j, iold; - int isum, qsum; - int outOfWeakAt; - bool negateI, negateQ; - - uint8_t data[256]; - int dataLen = 0; - - // As received, the samples are pairs, correlations against I and Q - // square waves. So estimate angle of initial carrier (or just - // quadrant, actually), and then do the demod. - - // First, estimate where the tag starts modulating. - for (i = 0; i < GraphTraceLen; i += 2) { - if (abs(GraphBuffer[i]) + abs(GraphBuffer[i + 1]) > 40) { - break; - } - } - if (i >= GraphTraceLen) { - PrintAndLog("too weak to sync"); - return 0; - } - PrintAndLog("out of weak at %d", i); - outOfWeakAt = i; - - // Now, estimate the phase in the initial modulation of the tag - isum = 0; - qsum = 0; - for (; i < (outOfWeakAt + 16); i += 2) { - isum += GraphBuffer[i + 0]; - qsum += GraphBuffer[i + 1]; - } - negateI = (isum < 0); - negateQ = (qsum < 0); - - // Turn the correlation pairs into soft decisions on the bit. - j = 0; - for (i = 0; i < GraphTraceLen / 2; i++) { - int si = GraphBuffer[j]; - int sq = GraphBuffer[j + 1]; - if (negateI) si = -si; - if (negateQ) sq = -sq; - GraphBuffer[i] = si + sq; - j += 2; - } - GraphTraceLen = i; - - i = outOfWeakAt / 2; - while (GraphBuffer[i] > 0 && i < GraphTraceLen) - i++; - if (i >= GraphTraceLen) goto demodError; - - iold = i; - while (GraphBuffer[i] < 0 && i < GraphTraceLen) - i++; - if (i >= GraphTraceLen) goto demodError; - if ((i - iold) > 23) goto demodError; - - PrintAndLog("make it to demod loop"); - - for (;;) { - iold = i; - while (GraphBuffer[i] >= 0 && i < GraphTraceLen) - i++; - if (i >= GraphTraceLen) goto demodError; - if ((i - iold) > 6) goto demodError; - - uint16_t shiftReg = 0; - if (i + 20 >= GraphTraceLen) goto demodError; - - for (j = 0; j < 10; j++) { - int soft = GraphBuffer[i] + GraphBuffer[i + 1]; - - if (abs(soft) < (abs(isum) + abs(qsum)) / 20) { - PrintAndLog("weak bit"); - } - - shiftReg >>= 1; - if(GraphBuffer[i] + GraphBuffer[i+1] >= 0) { - shiftReg |= 0x200; - } - - i+= 2; - } - - if ((shiftReg & 0x200) && !(shiftReg & 0x001)) - { - // valid data byte, start and stop bits okay - PrintAndLog(" %02x", (shiftReg >> 1) & 0xff); - data[dataLen++] = (shiftReg >> 1) & 0xff; - if (dataLen >= sizeof(data)) { - return 0; - } - } else if (shiftReg == 0x000) { - // this is EOF - break; - } else { - goto demodError; - } - } - - uint8_t first, second; - ComputeCrc14443(CRC_14443_B, data, dataLen-2, &first, &second); - PrintAndLog("CRC: %02x %02x (%s)\n", first, second, - (first == data[dataLen-2] && second == data[dataLen-1]) ? - "ok" : "****FAIL****"); - - RepaintGraphWindow(); - return 0; - -demodError: - PrintAndLog("demod error"); - RepaintGraphWindow(); - return 0; -} - int CmdHF14BList(const char *Cmd) { PrintAndLog("Deprecated command, use 'hf list 14b' instead"); @@ -153,28 +33,20 @@ int CmdHF14BList(const char *Cmd) return 0; } -int CmdHF14Sim(const char *Cmd) -{ - UsbCommand c={CMD_SIMULATE_TAG_ISO_14443}; - clearCommandBuffer(); - SendCommand(&c); - return 0; -} - -int CmdHFSimlisten(const char *Cmd) +int CmdHF14BSim(const char *Cmd) { - UsbCommand c = {CMD_SIMULATE_TAG_HF_LISTEN}; + UsbCommand c={CMD_SIMULATE_TAG_ISO_14443B}; clearCommandBuffer(); - SendCommand(&c); - return 0; + SendCommand(&c); + return 0; } int CmdHF14BSnoop(const char *Cmd) { - UsbCommand c = {CMD_SNOOP_ISO_14443}; + UsbCommand c = {CMD_SNOOP_ISO_14443B}; clearCommandBuffer(); - SendCommand(&c); - return 0; + SendCommand(&c); + return 0; } /* New command to read the contents of a SRI512 tag @@ -183,10 +55,10 @@ int CmdHF14BSnoop(const char *Cmd) */ int CmdSri512Read(const char *Cmd) { - UsbCommand c = {CMD_READ_SRI512_TAG, {strtol(Cmd, NULL, 0), 0, 0}}; + UsbCommand c = {CMD_READ_SRI512_TAG, {strtol(Cmd, NULL, 0), 0, 0}}; clearCommandBuffer(); - SendCommand(&c); - return 0; + SendCommand(&c); + return 0; } /* New command to read the contents of a SRIX4K tag @@ -195,14 +67,14 @@ int CmdSri512Read(const char *Cmd) */ int CmdSrix4kRead(const char *Cmd) { - UsbCommand c = {CMD_READ_SRIX4K_TAG, {strtol(Cmd, NULL, 0), 0, 0}}; + UsbCommand c = {CMD_READ_SRIX4K_TAG, {strtol(Cmd, NULL, 0), 0, 0}}; clearCommandBuffer(); - SendCommand(&c); - return 0; + SendCommand(&c); + return 0; } int rawClose(void){ - UsbCommand resp; + UsbCommand resp; UsbCommand c = {CMD_ISO_14443B_COMMAND, {0, 0, 0}}; clearCommandBuffer(); SendCommand(&c); @@ -212,54 +84,54 @@ int rawClose(void){ return 0; } -int HF14BCmdRaw(bool reply, bool *crc, uint8_t power_trace, uint8_t *data, uint8_t *datalen, bool verbose){ +int HF14BCmdRaw(bool reply, bool *crc, bool power, uint8_t *data, uint8_t *datalen, bool verbose){ UsbCommand resp; - UsbCommand c = {CMD_ISO_14443B_COMMAND, {0, 0, 0}}; // len,recv,power/trace - if(*crc) - { - uint8_t first, second; - ComputeCrc14443(CRC_14443_B, data, *datalen, &first, &second); - data[*datalen] = first; - data[*datalen + 1] = second; - *datalen += 2; - } - - c.arg[0] = *datalen; - c.arg[1] = reply; - c.arg[2] = power_trace; - memcpy(c.d.asBytes,data,*datalen); + UsbCommand c = {CMD_ISO_14443B_COMMAND, {0, 0, 0}}; // len,recv,power + if(*crc) + { + uint8_t first, second; + ComputeCrc14443(CRC_14443_B, data, *datalen, &first, &second); + data[*datalen] = first; + data[*datalen + 1] = second; + *datalen += 2; + } + + c.arg[0] = *datalen; + c.arg[1] = reply; + c.arg[2] = power; + memcpy(c.d.asBytes,data,*datalen); clearCommandBuffer(); - SendCommand(&c); - - if (!reply) return 1; - - if (!WaitForResponseTimeout(CMD_ACK,&resp,1000)) { - if (verbose) PrintAndLog("timeout while waiting for reply."); - return 0; - } - *datalen = resp.arg[0]; - if (verbose) PrintAndLog("received %u octets", *datalen); - if(*datalen<2) return 0; - - memcpy(data, resp.d.asBytes, *datalen); - if (verbose) PrintAndLog("%s", sprint_hex(data, *datalen)); - - uint8_t first, second; - ComputeCrc14443(CRC_14443_B, data, *datalen-2, &first, &second); - if(data[*datalen-2] == first && data[*datalen-1] == second) { - if (verbose) PrintAndLog("CRC OK"); - *crc = true; - } else { - if (verbose) PrintAndLog("CRC failed"); - *crc = false; - } - return 1; + SendCommand(&c); + + if (!reply) return 1; + + if (!WaitForResponseTimeout(CMD_ACK,&resp,1000)) { + if (verbose) PrintAndLog("timeout while waiting for reply."); + return 0; + } + *datalen = resp.arg[0]; + if (verbose) PrintAndLog("received %u octets", *datalen); + if(*datalen<2) return 0; + + memcpy(data, resp.d.asBytes, *datalen); + if (verbose) PrintAndLog("%s", sprint_hex(data, *datalen)); + + uint8_t first, second; + ComputeCrc14443(CRC_14443_B, data, *datalen-2, &first, &second); + if(data[*datalen-2] == first && data[*datalen-1] == second) { + if (verbose) PrintAndLog("CRC OK"); + *crc = true; + } else { + if (verbose) PrintAndLog("CRC failed"); + *crc = false; + } + return 1; } int CmdHF14BCmdRaw (const char *Cmd) { bool reply = true; bool crc = false; - uint8_t power_trace = 0; + bool power = false; char buf[5]=""; uint8_t data[100] = {0x00}; uint8_t datalen = 0; @@ -290,7 +162,7 @@ int CmdHF14BCmdRaw (const char *Cmd) { break; case 'p': case 'P': - power_trace |= 1; + power = true; break; default: PrintAndLog("Invalid option"); @@ -322,55 +194,41 @@ int CmdHF14BCmdRaw (const char *Cmd) { return 0; } - return HF14BCmdRaw(reply, &crc, power_trace, data, &datalen, true); + return HF14BCmdRaw(reply, &crc, power, data, &datalen, true); } static void print_atqb_resp(uint8_t *data){ - PrintAndLog (" UID: %s", sprint_hex(data+1,4)); - PrintAndLog (" App Data: %s", sprint_hex(data+5,4)); - PrintAndLog (" Protocol: %s", sprint_hex(data+9,3)); - uint8_t BitRate = data[9]; - if (!BitRate) - PrintAndLog (" Bit Rate: 106 kbit/s only PICC <-> PCD"); - if (BitRate & 0x10) - PrintAndLog (" Bit Rate: 212 kbit/s PICC -> PCD supported"); - if (BitRate & 0x20) - PrintAndLog (" Bit Rate: 424 kbit/s PICC -> PCD supported"); - if (BitRate & 0x40) - PrintAndLog (" Bit Rate: 847 kbit/s PICC -> PCD supported"); - if (BitRate & 0x01) - PrintAndLog (" Bit Rate: 212 kbit/s PICC <- PCD supported"); - if (BitRate & 0x02) - PrintAndLog (" Bit Rate: 424 kbit/s PICC <- PCD supported"); - if (BitRate & 0x04) - PrintAndLog (" Bit Rate: 847 kbit/s PICC <- PCD supported"); - if (BitRate & 0x80) - PrintAndLog (" Same bit rate <-> required"); - - uint16_t maxFrame = data[10]>>4; - if (maxFrame < 5) - maxFrame = 8*maxFrame + 16; - else if (maxFrame == 5) - maxFrame = 64; - else if (maxFrame == 6) - maxFrame = 96; - else if (maxFrame == 7) - maxFrame = 128; - else if (maxFrame == 8) - maxFrame = 256; - else - maxFrame = 257; - - PrintAndLog ("Max Frame Size: %d%s",maxFrame, (maxFrame == 257) ? "+ RFU" : ""); - - uint8_t protocolT = data[10] & 0xF; - PrintAndLog (" Protocol Type: Protocol is %scompliant with ISO/IEC 14443-4",(protocolT) ? "" : "not " ); - PrintAndLog ("Frame Wait Int: %d", data[11]>>4); - PrintAndLog (" App Data Code: Application is %s",(data[11]&4) ? "Standard" : "Proprietary"); - PrintAndLog (" Frame Options: NAD is %ssupported",(data[11]&2) ? "" : "not "); - PrintAndLog (" Frame Options: CID is %ssupported",(data[11]&1) ? "" : "not "); - - return; + PrintAndLog (" UID: %s", sprint_hex(data+1,4)); + PrintAndLog (" App Data: %s", sprint_hex(data+5,4)); + PrintAndLog (" Protocol: %s", sprint_hex(data+9,3)); + uint8_t BitRate = data[9]; + if (!BitRate) PrintAndLog (" Bit Rate: 106 kbit/s only PICC <-> PCD"); + if (BitRate & 0x10) PrintAndLog (" Bit Rate: 212 kbit/s PICC -> PCD supported"); + if (BitRate & 0x20) PrintAndLog (" Bit Rate: 424 kbit/s PICC -> PCD supported"); + if (BitRate & 0x40) PrintAndLog (" Bit Rate: 847 kbit/s PICC -> PCD supported"); + if (BitRate & 0x01) PrintAndLog (" Bit Rate: 212 kbit/s PICC <- PCD supported"); + if (BitRate & 0x02) PrintAndLog (" Bit Rate: 424 kbit/s PICC <- PCD supported"); + if (BitRate & 0x04) PrintAndLog (" Bit Rate: 847 kbit/s PICC <- PCD supported"); + if (BitRate & 0x80) PrintAndLog (" Same bit rate <-> required"); + + uint16_t maxFrame = data[10]>>4; + if (maxFrame < 5) maxFrame = 8 * maxFrame + 16; + else if (maxFrame == 5) maxFrame = 64; + else if (maxFrame == 6) maxFrame = 96; + else if (maxFrame == 7) maxFrame = 128; + else if (maxFrame == 8) maxFrame = 256; + else maxFrame = 257; + + PrintAndLog ("Max Frame Size: %d%s", maxFrame, (maxFrame == 257) ? "+ RFU" : ""); + + uint8_t protocolT = data[10] & 0xF; + PrintAndLog (" Protocol Type: Protocol is %scompliant with ISO/IEC 14443-4",(protocolT) ? "" : "not " ); + PrintAndLog ("Frame Wait Int: %d", data[11]>>4); + PrintAndLog (" App Data Code: Application is %s",(data[11]&4) ? "Standard" : "Proprietary"); + PrintAndLog (" Frame Options: NAD is %ssupported",(data[11]&2) ? "" : "not "); + PrintAndLog (" Frame Options: CID is %ssupported",(data[11]&1) ? "" : "not "); + + return; } char *get_ST_Chip_Model(uint8_t data){ @@ -393,79 +251,149 @@ char *get_ST_Chip_Model(uint8_t data){ static void print_st_info(uint8_t *data){ //uid = first 8 bytes in data - PrintAndLog(" UID: %s", sprint_hex(data,8)); - PrintAndLog(" MFG: %02X, %s", data[1], getTagInfo(data[1])); - PrintAndLog("Chip: %02X, %s", data[2]>>2, get_ST_Chip_Model(data[2]>>2)); + PrintAndLog(" UID: %s", sprint_hex(SwapEndian64(data,8,8),8)); + PrintAndLog(" MFG: %02X, %s", data[6], getTagInfo(data[6])); + PrintAndLog("Chip: %02X, %s", data[5]>>2, get_ST_Chip_Model(data[5]>>2)); return; } -int HF14BStdRead(uint8_t *data, uint8_t *datalen){ - bool crc = true; - *datalen = 3; - //std read cmd - data[0] = 0x05; - data[1] = 0x00; - data[2] = 0x08; - - if (HF14BCmdRaw(true, &crc, 0, data, datalen, false)==0) return 0; +int HF14BStdReader(uint8_t *data, uint8_t *datalen){ + + //05 00 00 = find one tag in field + //1d xx xx xx xx 20 00 08 01 00 = attrib xx=crc + //a3 = ? (resp 03 e2 c2) + //02 = ? (resp 02 6a d3) + // 022b (resp 02 67 00 [29 5b]) + // 0200a40400 (resp 02 67 00 [29 5b]) + // 0200a4040c07a0000002480300 (resp 02 67 00 [29 5b]) + // 0200a4040c07a0000002480200 (resp 02 67 00 [29 5b]) + // 0200a4040006a0000000010100 (resp 02 6a 82 [4b 4c]) + // 0200a4040c09d27600002545500200 (resp 02 67 00 [29 5b]) + // 0200a404000cd2760001354b414e4d30310000 (resp 02 6a 82 [4b 4c]) + // 0200a404000ca000000063504b43532d313500 (resp 02 6a 82 [4b 4c]) + // 0200a4040010a000000018300301000000000000000000 (resp 02 6a 82 [4b 4c]) + //03 = ? (resp 03 [e3 c2]) + //c2 = ? (resp c2 [66 15]) + //b2 = ? (resp a3 [e9 67]) + bool crc = true; + *datalen = 3; + //std read cmd + data[0] = 0x05; + data[1] = 0x00; + data[2] = 0x00; + + if (HF14BCmdRaw(true, &crc, false, data, datalen, false)==0) return 0; if (data[0] != 0x50 || *datalen != 14 || !crc) return 0; - PrintAndLog ("\n14443-3b tag found:"); - print_atqb_resp(data); + PrintAndLog ("\n14443-3b tag found:"); + print_atqb_resp(data); - return 1; -} + return 1; + } -int HF14B_ST_Read(uint8_t *data, uint8_t *datalen){ - bool crc = true; - *datalen = 2; +int HF14B_ST_Reader(uint8_t *data, uint8_t *datalen){ + bool crc = true; + *datalen = 2; //wake cmd - data[0] = 0x06; - data[1] = 0x00; + data[0] = 0x06; + data[1] = 0x00; //leave power on // verbose on for now for testing - turn off when functional - if (HF14BCmdRaw(true, &crc, 1, data, datalen, true)==0) return rawClose(); + if (HF14BCmdRaw(true, &crc, true, data, datalen, false)==0) return rawClose(); if (*datalen != 3 || !crc) return rawClose(); - uint8_t chipID = data[0]; + uint8_t chipID = data[0]; // select - data[0] = 0x0E; - data[1] = chipID; - *datalen = 2; + data[0] = 0x0E; + data[1] = chipID; + *datalen = 2; //leave power on // verbose on for now for testing - turn off when functional - if (HF14BCmdRaw(true, &crc, 1, data, datalen, true)==0) return rawClose(); + if (HF14BCmdRaw(true, &crc, true, data, datalen, false)==0) return rawClose(); if (*datalen != 3 || !crc || data[0] != chipID) return rawClose(); // get uid - data[0] = 0x0B; - *datalen = 1; + data[0] = 0x0B; + *datalen = 1; //power off // verbose on for now for testing - turn off when functional - if (HF14BCmdRaw(true, &crc, 1, data, datalen, true)==0) return 0; + if (HF14BCmdRaw(true, &crc, true, data, datalen, false)==0) return 0; rawClose(); if (*datalen != 10 || !crc) return 0; PrintAndLog("\n14443-3b ST tag found:"); print_st_info(data); - return 1; + return 1; +} + +// test for other 14b type tags (mimic another reader - don't have tags to identify) +int HF14B_Other_Reader(uint8_t *data, uint8_t *datalen){ + bool crc = true; + *datalen = 4; + //std read cmd + data[0] = 0x00; + data[1] = 0x0b; + data[2] = 0x3f; + data[3] = 0x80; + + if (HF14BCmdRaw(true, &crc, false, data, datalen, false)!=0) { + if (*datalen > 2 || !crc) { + PrintAndLog ("\n14443-3b tag found:"); + PrintAndLog ("Unknown tag type answered to a 0x000b3f80 command ans:"); + PrintAndLog ("%s",sprint_hex(data,*datalen)); + return 1; + } + } + + crc = false; + *datalen = 1; + data[0] = 0x0a; + + if (HF14BCmdRaw(true, &crc, false, data, datalen, false)!=0) { + if (*datalen > 0) { + PrintAndLog ("\n14443-3b tag found:"); + PrintAndLog ("Unknown tag type answered to a 0x0A command ans:"); + PrintAndLog ("%s",sprint_hex(data,*datalen)); + return 1; + } + } + + crc = false; + *datalen = 1; + data[0] = 0x0c; + + if (HF14BCmdRaw(true, &crc, false, data, datalen, false)!=0) { + if (*datalen > 0) { + PrintAndLog ("\n14443-3b tag found:"); + PrintAndLog ("Unknown tag type answered to a 0x0C command ans:"); + PrintAndLog ("%s",sprint_hex(data,*datalen)); + return 1; + } + } + + return 0; + } int HF14BReader(bool verbose){ - uint8_t data[100]; - uint8_t datalen = 5; - - // try std 14b (atqb) - if (HF14BStdRead(data, &datalen)) return 1; + uint8_t data[100]; + uint8_t datalen = 5; + + // try std 14b (atqb) + if (HF14BStdReader(data, &datalen)) return 1; + + // try st 14b + if (HF14B_ST_Reader(data, &datalen)) return 1; - // try st 14b - if (HF14B_ST_Read(data, &datalen)) return 1; + // try unknown 14b read commands (to be identified later) + // could be read of calypso, CEPAS, moneo, or pico pass. + if (HF14B_Other_Reader(data, &datalen)) return 1; if (verbose) PrintAndLog("no 14443B tag found"); return 0; @@ -475,19 +403,6 @@ int CmdHF14BReader(const char *Cmd){ return HF14BReader(true); } -int CmdHFRawSamples(const char *Cmd){ - UsbCommand resp; - UsbCommand c = {CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_14443, {strtol(Cmd,NULL,0), 0, 0}}; - SendCommand(&c); - - if (!WaitForResponseTimeout(CMD_ACK,&resp,1000)) { - PrintAndLog("timeout while waiting for reply."); - return 0; - } - getSamples("39999", true); - return 1; -} - int CmdHF14BWrite( const char *Cmd){ /* * For SRIX4K blocks 00 - 7F @@ -557,29 +472,27 @@ int CmdHF14BWrite( const char *Cmd){ static command_t CommandTable[] = { - {"help", CmdHelp, 1, "This help"}, - {"demod", CmdHF14BDemod, 1, "Demodulate ISO14443 Type B from tag"}, - {"getsamples", CmdHFRawSamples,0, "[atqb=0 or ST=1] Send wake cmd and Get raw HF samples to GraphBuffer"}, - {"list", CmdHF14BList, 0, "[Deprecated] List ISO 14443b history"}, - {"reader", CmdHF14BReader, 0, "Find 14b tag (HF ISO 14443b)"}, - {"sim", CmdHF14Sim, 0, "Fake ISO 14443 tag"}, - {"simlisten", CmdHFSimlisten, 0, "Get HF samples as fake tag"}, - {"snoop", CmdHF14BSnoop, 0, "Eavesdrop ISO 14443"}, - {"sri512read", CmdSri512Read, 0, "Read contents of a SRI512 tag"}, - {"srix4kread", CmdSrix4kRead, 0, "Read contents of a SRIX4K tag"}, - {"raw", CmdHF14BCmdRaw, 0, "Send raw hex data to tag"}, - {"write", CmdHF14BWrite, 0, "Write data to a SRI512 | SRIX4K tag"}, - {NULL, NULL, 0, NULL} + {"help", CmdHelp, 1, "This help"}, + {"list", CmdHF14BList, 0, "[Deprecated] List ISO 14443b history"}, + {"reader", CmdHF14BReader, 0, "Find 14b tag (HF ISO 14443b)"}, + {"sim", CmdHF14BSim, 0, "Fake ISO 14443B tag"}, + + {"snoop", CmdHF14BSnoop, 0, "Eavesdrop ISO 14443B"}, + {"sri512read", CmdSri512Read, 0, "Read contents of a SRI512 tag"}, + {"srix4kread", CmdSrix4kRead, 0, "Read contents of a SRIX4K tag"}, + {"raw", CmdHF14BCmdRaw, 0, "Send raw hex data to tag"}, + {"write", CmdHF14BWrite, 0, "Write data to a SRI512 | SRIX4K tag"}, + {NULL, NULL, 0, NULL} }; int CmdHF14B(const char *Cmd) { - CmdsParse(CommandTable, Cmd); - return 0; + CmdsParse(CommandTable, Cmd); + return 0; } int CmdHelp(const char *Cmd) { - CmdsHelp(CommandTable); - return 0; + CmdsHelp(CommandTable); + return 0; } diff --git a/client/cmdhf14b.h b/client/cmdhf14b.h index 66fd430f..ef79317a 100644 --- a/client/cmdhf14b.h +++ b/client/cmdhf14b.h @@ -12,16 +12,13 @@ #define CMDHF14B_H__ int CmdHF14B(const char *Cmd); - -int CmdHF14BDemod(const char *Cmd); int CmdHF14BList(const char *Cmd); int CmdHF14BReader(const char *Cmd); -int HF14BReader(bool verbose); -int CmdHF14Sim(const char *Cmd); -int CmdHFSimlisten(const char *Cmd); +int CmdHF14BSim(const char *Cmd); int CmdHF14BSnoop(const char *Cmd); int CmdSri512Read(const char *Cmd); int CmdSrix4kRead(const char *Cmd); int CmdHF14BWrite( const char *cmd); +int HF14BReader(bool verbose); #endif diff --git a/client/cmdhfmfu.c b/client/cmdhfmfu.c index 8b5dca82..e10c6519 100644 --- a/client/cmdhfmfu.c +++ b/client/cmdhfmfu.c @@ -57,13 +57,13 @@ uint8_t default_pwd_pack[KEYS_PWD_COUNT][4] = { {0x32,0x0C,0x16,0x17}, // PACK 0x80,0x80 -- AMiiboo (sniffed) }; -#define MAX_UL_TYPES 17 -uint16_t UL_TYPES_ARRAY[MAX_UL_TYPES] = {UNKNOWN, UL, UL_C, UL_EV1_48, UL_EV1_128, NTAG, NTAG_203, - NTAG_210, NTAG_212, NTAG_213, NTAG_215, NTAG_216, MY_D, MY_D_NFC, MY_D_MOVE, MY_D_MOVE_NFC, MY_D_MOVE_LEAN}; +#define MAX_UL_TYPES 18 +uint32_t UL_TYPES_ARRAY[MAX_UL_TYPES] = {UNKNOWN, UL, UL_C, UL_EV1_48, UL_EV1_128, NTAG, NTAG_203, + NTAG_210, NTAG_212, NTAG_213, NTAG_215, NTAG_216, MY_D, MY_D_NFC, MY_D_MOVE, MY_D_MOVE_NFC, MY_D_MOVE_LEAN, FUDAN_UL}; uint8_t UL_MEMORY_ARRAY[MAX_UL_TYPES] = {MAX_UL_BLOCKS, MAX_UL_BLOCKS, MAX_ULC_BLOCKS, MAX_ULEV1a_BLOCKS, MAX_ULEV1b_BLOCKS, MAX_NTAG_203, MAX_NTAG_203, MAX_NTAG_210, MAX_NTAG_212, MAX_NTAG_213, - MAX_NTAG_215, MAX_NTAG_216, MAX_UL_BLOCKS, MAX_MY_D_NFC, MAX_MY_D_MOVE, MAX_MY_D_MOVE, MAX_MY_D_MOVE_LEAN}; + MAX_NTAG_215, MAX_NTAG_216, MAX_UL_BLOCKS, MAX_MY_D_NFC, MAX_MY_D_MOVE, MAX_MY_D_MOVE, MAX_MY_D_MOVE_LEAN, MAX_UL_BLOCKS}; static int CmdHelp(const char *Cmd); @@ -259,6 +259,25 @@ static int ulev1_readSignature( uint8_t *response, uint16_t responseLength ){ return len; } +//make sure field is off before calling this function +static int ul_fudan_check( void ){ + iso14a_card_select_t card; + if ( !ul_select(&card) ) + return UL_ERROR; + + UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_RAW | ISO14A_NO_DISCONNECT, 4, 0}}; + + uint8_t cmd[4] = {0x30,0x00,0x02,0xa7}; //wrong crc on purpose should be 0xa8 + memcpy(c.d.asBytes, cmd, 4); + clearCommandBuffer(); + SendCommand(&c); + UsbCommand resp; + if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) return UL_ERROR; + if (resp.arg[0] != 1) return UL_ERROR; + + return (!resp.d.asBytes[0]) ? FUDAN_UL : UL; //if response == 0x00 then Fudan, else Genuine NXP +} + static int ul_print_default( uint8_t *data){ uint8_t uid[7]; @@ -365,15 +384,17 @@ int ul_print_type(uint32_t tagtype, uint8_t spaces){ else if ( tagtype & NTAG_I2C_2K ) PrintAndLog("%sTYPE : NTAG I%sC 1904bytes (NT3H1201FHK)", spacer, "\xFD"); else if ( tagtype & MY_D ) - PrintAndLog("%sTYPE : INFINEON my-d\0153 (SLE 66RxxS)", spacer); + PrintAndLog("%sTYPE : INFINEON my-d\x99 (SLE 66RxxS)", spacer); else if ( tagtype & MY_D_NFC ) - PrintAndLog("%sTYPE : INFINEON my-d\0153 NFC (SLE 66RxxP)", spacer); + PrintAndLog("%sTYPE : INFINEON my-d\x99 NFC (SLE 66RxxP)", spacer); else if ( tagtype & MY_D_MOVE ) - PrintAndLog("%sTYPE : INFINEON my-d\0153 move (SLE 66R01P)", spacer); + PrintAndLog("%sTYPE : INFINEON my-d\x99 move (SLE 66R01P)", spacer); else if ( tagtype & MY_D_MOVE_NFC ) - PrintAndLog("%sTYPE : INFINEON my-d\0153 move NFC (SLE 66R01P)", spacer); + PrintAndLog("%sTYPE : INFINEON my-d\x99 move NFC (SLE 66R01P)", spacer); else if ( tagtype & MY_D_MOVE_LEAN ) PrintAndLog("%sTYPE : INFINEON my-d\x99 move lean (SLE 66R01L)", spacer); + else if ( tagtype & FUDAN_UL ) + PrintAndLog("%sTYPE : FUDAN Ultralight Compatible (or other compatible) %s", spacer, (tagtype & MAGIC) ? "" : "" ); else PrintAndLog("%sTYPE : Unknown %06x", spacer, tagtype); return 0; @@ -607,6 +628,10 @@ uint32_t GetHF14AMfU_Type(void){ ul_switch_off_field(); } } + if (tagtype & UL) { + tagtype = ul_fudan_check(); + ul_switch_off_field(); + } } else { ul_switch_off_field(); // Infinition MY-D tests Exam high nibble diff --git a/client/cmdhfmfu.h b/client/cmdhfmfu.h index 132e4f90..6c9e3ea1 100644 --- a/client/cmdhfmfu.h +++ b/client/cmdhfmfu.h @@ -45,7 +45,8 @@ typedef enum TAGTYPE_UL { MY_D_MOVE_LEAN= 0x008000, NTAG_I2C_1K = 0x010000, NTAG_I2C_2K = 0x020000, - MAGIC = 0x040000, + FUDAN_UL = 0x040000, + MAGIC = 0x080000, UL_MAGIC = UL | MAGIC, UL_C_MAGIC = UL_C | MAGIC, UL_ERROR = 0xFFFFFF, diff --git a/client/lualibs/commands.lua b/client/lualibs/commands.lua index bedb8367..fd186fb7 100644 --- a/client/lualibs/commands.lua +++ b/client/lualibs/commands.lua @@ -59,7 +59,6 @@ local _commands = { --// For the 13.56 MHz tags CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693 = 0x0300, - CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_14443 = 0x0301, CMD_READ_SRI512_TAG = 0x0303, CMD_READ_SRIX4K_TAG = 0x0304, CMD_READER_ISO_15693 = 0x0310, @@ -76,9 +75,8 @@ local _commands = { CMD_SIMULATE_HITAG = 0x0371, CMD_READER_HITAG = 0x0372, - CMD_SIMULATE_TAG_HF_LISTEN = 0x0380, - CMD_SIMULATE_TAG_ISO_14443 = 0x0381, - CMD_SNOOP_ISO_14443 = 0x0382, + CMD_SIMULATE_TAG_ISO_14443B = 0x0381, + CMD_SNOOP_ISO_14443B = 0x0382, CMD_SNOOP_ISO_14443a = 0x0383, CMD_SIMULATE_TAG_ISO_14443a = 0x0384, CMD_READER_ISO_14443a = 0x0385, diff --git a/cp2tau b/cp2tau deleted file mode 100644 index 8b6ee4b4..00000000 --- a/cp2tau +++ /dev/null @@ -1,4 +0,0 @@ -cp armsrc/obj/*.elf /z -cp armsrc/obj/*.s19 /z -cp bootrom/obj/*.elf /z -cp bootrom/obj/*.s19 /z diff --git a/fpga/fpga_hf.bit b/fpga/fpga_hf.bit index 53078a78..49bec224 100644 Binary files a/fpga/fpga_hf.bit and b/fpga/fpga_hf.bit differ diff --git a/fpga/fpga_hf.v b/fpga/fpga_hf.v index a2100df6..8a465e75 100644 --- a/fpga/fpga_hf.v +++ b/fpga/fpga_hf.v @@ -73,9 +73,6 @@ wire hi_read_rx_xcorr_848 = conf_word[0]; // and whether to drive the coil (reader) or just short it (snooper) wire hi_read_rx_xcorr_snoop = conf_word[1]; -// Divide the expected subcarrier frequency for hi_read_rx_xcorr by 4 -wire hi_read_rx_xcorr_quarter = conf_word[2]; - // For the high-frequency simulated tag: what kind of modulation to use. wire [2:0] hi_simulate_mod_type = conf_word[2:0]; @@ -102,7 +99,7 @@ hi_read_rx_xcorr hrxc( hrxc_ssp_frame, hrxc_ssp_din, ssp_dout, hrxc_ssp_clk, cross_hi, cross_lo, hrxc_dbg, - hi_read_rx_xcorr_848, hi_read_rx_xcorr_snoop, hi_read_rx_xcorr_quarter + hi_read_rx_xcorr_848, hi_read_rx_xcorr_snoop ); hi_simulate hs( diff --git a/fpga/hi_read_rx_xcorr.v b/fpga/hi_read_rx_xcorr.v index 06142637..bb151554 100644 --- a/fpga/hi_read_rx_xcorr.v +++ b/fpga/hi_read_rx_xcorr.v @@ -10,7 +10,7 @@ module hi_read_rx_xcorr( ssp_frame, ssp_din, ssp_dout, ssp_clk, cross_hi, cross_lo, dbg, - xcorr_is_848, snoop, xcorr_quarter_freq + xcorr_is_848, snoop ); input pck0, ck_1356meg, ck_1356megb; output pwr_lo, pwr_hi, pwr_oe1, pwr_oe2, pwr_oe3, pwr_oe4; @@ -20,58 +20,34 @@ module hi_read_rx_xcorr( output ssp_frame, ssp_din, ssp_clk; input cross_hi, cross_lo; output dbg; - input xcorr_is_848, snoop, xcorr_quarter_freq; + input xcorr_is_848, snoop; // Carrier is steady on through this, unless we're snooping. assign pwr_hi = ck_1356megb & (~snoop); assign pwr_oe1 = 1'b0; -assign pwr_oe2 = 1'b0; assign pwr_oe3 = 1'b0; assign pwr_oe4 = 1'b0; -reg ssp_clk; -reg ssp_frame; - -reg fc_div_2; -always @(posedge ck_1356meg) - fc_div_2 = ~fc_div_2; - -reg fc_div_4; -always @(posedge fc_div_2) - fc_div_4 = ~fc_div_4; - -reg fc_div_8; -always @(posedge fc_div_4) - fc_div_8 = ~fc_div_8; +(* clock_signal = "yes" *) reg fc_div_2; +always @(negedge ck_1356megb) + fc_div_2 <= fc_div_2 + 1; -reg adc_clk; - -always @(xcorr_is_848 or xcorr_quarter_freq or ck_1356meg) - if(~xcorr_quarter_freq) - begin +(* clock_signal = "yes" *) reg adc_clk; +always @(xcorr_is_848, ck_1356megb, fc_div_2) if(xcorr_is_848) // The subcarrier frequency is fc/16; we will sample at fc, so that // means the subcarrier is 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 1 1 ... - adc_clk <= ck_1356meg; + adc_clk <= ck_1356megb; else // The subcarrier frequency is fc/32; we will sample at fc/2, and // the subcarrier will look identical. adc_clk <= fc_div_2; - end - else - begin - if(xcorr_is_848) - // The subcarrier frequency is fc/64 - adc_clk <= fc_div_4; - else - // The subcarrier frequency is fc/128 - adc_clk <= fc_div_8; - end + // When we're a reader, we just need to do the BPSK demod; but when we're an // eavesdropper, we also need to pick out the commands sent by the reader, // using AM. Do this the same way that we do it for the simulated tag. -reg after_hysteresis, after_hysteresis_prev; +reg after_hysteresis, after_hysteresis_prev, after_hysteresis_prev_prev; reg [11:0] has_been_low_for; always @(negedge adc_clk) begin @@ -97,7 +73,6 @@ end // Let us report a correlation every 4 subcarrier cycles, or 4*16 samples, // so we need a 6-bit counter. reg [5:0] corr_i_cnt; -reg [5:0] corr_q_cnt; // And a couple of registers in which to accumulate the correlations. // we would add at most 32 times adc_d, the result can be held in 13 bits. // Need one additional bit because it can be negative as well @@ -105,32 +80,38 @@ reg signed [13:0] corr_i_accum; reg signed [13:0] corr_q_accum; reg signed [7:0] corr_i_out; reg signed [7:0] corr_q_out; +// clock and frame signal for communication to ARM +reg ssp_clk; +reg ssp_frame; + + // ADC data appears on the rising edge, so sample it on the falling edge always @(negedge adc_clk) begin + corr_i_cnt <= corr_i_cnt + 1; + // These are the correlators: we correlate against in-phase and quadrature // versions of our reference signal, and keep the (signed) result to // send out later over the SSP. - if(corr_i_cnt == 7'd63) + if(corr_i_cnt == 7'd0) begin if(snoop) begin - // highest 7 significant bits of tag signal (signed), 1 bit reader signal: - corr_i_out <= {corr_i_accum[13:7], after_hysteresis_prev}; - corr_q_out <= {corr_q_accum[13:7], after_hysteresis}; + // 7 most significant bits of tag signal (signed), 1 bit reader signal: + corr_i_out <= {corr_i_accum[13:7], after_hysteresis_prev_prev}; + corr_q_out <= {corr_q_accum[13:7], after_hysteresis_prev}; + after_hysteresis_prev_prev <= after_hysteresis; end else begin - // highest 8 significant bits of tag signal + // 8 most significant bits of tag signal corr_i_out <= corr_i_accum[13:6]; corr_q_out <= corr_q_accum[13:6]; end corr_i_accum <= adc_d; corr_q_accum <= adc_d; - corr_q_cnt <= 4; - corr_i_cnt <= 0; end else begin @@ -139,13 +120,11 @@ begin else corr_i_accum <= corr_i_accum + adc_d; - if(corr_q_cnt[3]) - corr_q_accum <= corr_q_accum - adc_d; - else + if(corr_i_cnt[3] == corr_i_cnt[2]) // phase shifted by pi/2 corr_q_accum <= corr_q_accum + adc_d; + else + corr_q_accum <= corr_q_accum - adc_d; - corr_i_cnt <= corr_i_cnt + 1; - corr_q_cnt <= corr_q_cnt + 1; end // The logic in hi_simulate.v reports 4 samples per bit. We report two @@ -172,7 +151,7 @@ begin end // set ssp_frame signal for corr_i_cnt = 0..3 and corr_i_cnt = 32..35 - // (two frames with 8 Bits each) + // (send two frames with 8 Bits each) if(corr_i_cnt[5:2] == 4'b0000 || corr_i_cnt[5:2] == 4'b1000) ssp_frame = 1'b1; else @@ -186,5 +165,6 @@ assign dbg = corr_i_cnt[3]; // Unused. assign pwr_lo = 1'b0; +assign pwr_oe2 = 1'b0; endmodule diff --git a/include/mifare.h b/include/mifare.h index 89ff758e..ad86886d 100644 --- a/include/mifare.h +++ b/include/mifare.h @@ -11,7 +11,7 @@ #ifndef _MIFARE_H_ #define _MIFARE_H_ -#include "../include/common.h" +#include "common.h" //----------------------------------------------------------------------------- // ISO 14443A diff --git a/include/usb_cmd.h b/include/usb_cmd.h index 345793ec..2080f2de 100644 --- a/include/usb_cmd.h +++ b/include/usb_cmd.h @@ -100,7 +100,6 @@ typedef struct{ // For the 13.56 MHz tags #define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693 0x0300 -#define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_14443 0x0301 #define CMD_READ_SRI512_TAG 0x0303 #define CMD_READ_SRIX4K_TAG 0x0304 #define CMD_ISO_14443B_COMMAND 0x0305 @@ -118,9 +117,8 @@ typedef struct{ #define CMD_SIMULATE_HITAG 0x0371 #define CMD_READER_HITAG 0x0372 -#define CMD_SIMULATE_TAG_HF_LISTEN 0x0380 -#define CMD_SIMULATE_TAG_ISO_14443 0x0381 -#define CMD_SNOOP_ISO_14443 0x0382 +#define CMD_SIMULATE_TAG_ISO_14443B 0x0381 +#define CMD_SNOOP_ISO_14443B 0x0382 #define CMD_SNOOP_ISO_14443a 0x0383 #define CMD_SIMULATE_TAG_ISO_14443a 0x0384 #define CMD_READER_ISO_14443a 0x0385 @@ -128,7 +126,6 @@ typedef struct{ #define CMD_READER_LEGIC_RF 0x0388 #define CMD_WRITER_LEGIC_RF 0x0389 #define CMD_EPA_PACE_COLLECT_NONCE 0x038A -//#define CMD_EPA_ 0x038B #define CMD_SNOOP_ICLASS 0x0392 #define CMD_SIMULATE_TAG_ICLASS 0x0393