From fb25b48308752a7ea8f49085956536d2fc2ff5d4 Mon Sep 17 00:00:00 2001 From: "edouard@lafargue.name" Date: Thu, 16 Apr 2009 08:37:24 +0000 Subject: [PATCH] Added a new function to read ISO14443-B ST Microelectronics SRI512 memory tags. I have a problem with CRC though: sometimes it works, sometimes not, I have no clue why, I must be doing something wrong with the CRC calculation routine... --- armsrc/appmain.c | 4 ++ armsrc/apps.h | 1 + armsrc/iso14443.c | 119 +++++++++++++++++++++++++++++++++++++-- common/iso14443_crc.c | 2 +- include/usb_cmd.h | 3 +- winsrc/command.cpp | 127 +++++++++++++++++++++++------------------- 6 files changed, 192 insertions(+), 64 deletions(-) diff --git a/armsrc/appmain.c b/armsrc/appmain.c index bb733fef..372bcf68 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -611,6 +611,10 @@ void UsbPacketReceived(BYTE *packet, int len) case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_14443: AcquireRawAdcSamplesIso14443(c->ext1); break; + + case CMD_READ_SRI512_TAG: + ReadSRI512Iso14443(c->ext1); + break; case CMD_READER_ISO_14443a: ReaderIso14443a(c->ext1); diff --git a/armsrc/apps.h b/armsrc/apps.h index 84dd8fe2..1dc22e51 100644 --- a/armsrc/apps.h +++ b/armsrc/apps.h @@ -60,6 +60,7 @@ void SetAdcMuxFor(int whichGpio); /// iso14443.h void SimulateIso14443Tag(void); void AcquireRawAdcSamplesIso14443(DWORD parameter); +void ReadSRI512Iso14443(DWORD parameter); void SnoopIso14443(void); /// iso14443a.h diff --git a/armsrc/iso14443.c b/armsrc/iso14443.c index 2579b053..3a4a9ac1 100644 --- a/armsrc/iso14443.c +++ b/armsrc/iso14443.c @@ -575,7 +575,7 @@ static BOOL Handle14443SamplesDemod(int ci, int cq) return FALSE; } -static void GetSamplesFor14443Demod(BOOL weTx, int n) +static void GetSamplesFor14443Demod(BOOL weTx, int n, BOOL quiet) { int max = 0; BOOL gotFrame = FALSE; @@ -649,7 +649,7 @@ static void GetSamplesFor14443Demod(BOOL weTx, int n) } } PDC_CONTROL(SSC_BASE) = PDC_RX_DISABLE; - DbpIntegers(max, gotFrame, -1); + if (!quiet) DbpIntegers(max, gotFrame, Demod.len); } //----------------------------------------------------------------------------- @@ -787,11 +787,12 @@ void CodeIso14443bAsReader(const BYTE *cmd, int len) //----------------------------------------------------------------------------- // Read an ISO 14443 tag. We send it some set of commands, and record the -// responses. +// responses. +// The command name is misleading, it actually decodes the reponse in HEX +// into the output buffer (read the result using hexsamples, not hisamples) //----------------------------------------------------------------------------- void AcquireRawAdcSamplesIso14443(DWORD parameter) { -// BYTE cmd1[] = { 0x05, 0x00, 0x00, 0x71, 0xff }; BYTE cmd1[] = { 0x05, 0x00, 0x08, 0x39, 0x73 }; // Make sure that we start from off, since the tags are stateful; @@ -811,9 +812,117 @@ void AcquireRawAdcSamplesIso14443(DWORD parameter) CodeIso14443bAsReader(cmd1, sizeof(cmd1)); TransmitFor14443(); LED_A_ON(); - GetSamplesFor14443Demod(TRUE, 2000); + GetSamplesFor14443Demod(TRUE, 2000, FALSE); LED_A_OFF(); } + +//----------------------------------------------------------------------------- +// Read a SRI512 ISO 14443 tag. +// +// SRI512 tags are just simple memory tags, here we're looking at making a dump +// of the contents of the memory. No anticollision algorithm is done, we assume +// we have a single tag in the field. +// +// I tried to be systematic and check every answer of the tag, every CRC, etc... +//----------------------------------------------------------------------------- +void ReadSRI512Iso14443(DWORD parameter) +{ + BYTE i = 0x00; + + // Make sure that we start from off, since the tags are stateful; + // confusing things will happen if we don't reset them between reads. + LED_D_OFF(); + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + SpinDelay(200); + + SetAdcMuxFor(GPIO_MUXSEL_HIPKD); + FpgaSetupSsc(); + + // Now give it time to spin up. + FpgaWriteConfWord( + FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ); + SpinDelay(200); + + // First command: wake up the tag using the INITIATE command + BYTE cmd1[] = { 0x06, 0x00, 0x97, 0x5b}; + CodeIso14443bAsReader(cmd1, sizeof(cmd1)); + TransmitFor14443(); + LED_A_ON(); + GetSamplesFor14443Demod(TRUE, 2000,TRUE); + LED_A_OFF(); + + if (Demod.len == 0) { + DbpString("No response from tag"); + return; + } else { + DbpString("Randomly generated UID from tag (+ 2 byte CRC):"); + DbpIntegers(Demod.output[0], Demod.output[1],Demod.output[2]); + } + // There is a response, SELECT the uid + DbpString("Now SELECT tag:"); + cmd1[0] = 0x0E; // 0x0E is SELECT + cmd1[1] = Demod.output[0]; + ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]); + CodeIso14443bAsReader(cmd1, sizeof(cmd1)); + TransmitFor14443(); + LED_A_ON(); + GetSamplesFor14443Demod(TRUE, 2000,TRUE); + LED_A_OFF(); + if (Demod.len != 3) { + DbpString("Expected 3 bytes from tag, got:"); + DbpIntegers(Demod.len,0x0,0x0); + return; + } + // Check the CRC of the answer: + ComputeCrc14443(CRC_14443_B, Demod.output, 1 , &cmd1[2], &cmd1[3]); + if(cmd1[2] != Demod.output[1] || cmd1[3] != Demod.output[2]) { + DbpString("CRC Error reading select response."); + return; + } + // Check response from the tag: should be the same UID as the command we just sent: + if (cmd1[1] != Demod.output[0]) { + DbpString("Bad response to SELECT from Tag, aborting:"); + DbpIntegers(cmd1[1],Demod.output[0],0x0); + return; + } + // Tag is now selected, + // loop to read all 16 blocks, address from 0 to 15 + DbpString("Tag memory dump, block 0 to 15"); + cmd1[0] = 0x08; + i = 0x00; + for (;;) { + if (i == 0x10) { + DbpString("System area block (0xff):"); + i = 0xff; + } + cmd1[1] = i; + ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]); + CodeIso14443bAsReader(cmd1, sizeof(cmd1)); + TransmitFor14443(); + LED_A_ON(); + GetSamplesFor14443Demod(TRUE, 2000,TRUE); + LED_A_OFF(); + if (Demod.len != 6) { // Check if we got an answer from the tag + DbpString("Expected 6 bytes from tag, got less..."); + return; + } + // The check the CRC of the answer (use cmd1 as temporary variable): + ComputeCrc14443(CRC_14443_B, Demod.output, 4, &cmd1[2], &cmd1[3]); + if(cmd1[2] != Demod.output[4] || cmd1[3] != Demod.output[5]) { + DbpString("CRC Error reading block! - Below: expected, got, 0x0: "); + DbpIntegers( (cmd1[2]<<8)+cmd1[3], (Demod.output[4]<<8)+Demod.output[5],0); + // Do not return;, let's go on... (we should retry, maybe ?) + } + // Now print out the memory location: + DbpString("Address , Contents, CRC"); + DbpIntegers(i, (Demod.output[0]<<24) + (Demod.output[1]<<16) + (Demod.output[2]<<8) + Demod.output[3], (Demod.output[4]<<8)+Demod.output[5]); + if (i == 0xff) { + break; + } + i++; + } +} + //============================================================================= // Finally, the `sniffer' combines elements from both the reader and diff --git a/common/iso14443_crc.c b/common/iso14443_crc.c index cf29d0e0..d688bf71 100644 --- a/common/iso14443_crc.c +++ b/common/iso14443_crc.c @@ -4,7 +4,7 @@ //----------------------------------------------------------------------------- #define CRC_14443_A 0x6363 /* ITU-V.41 */ -#define CRC_14443_B 0xFFFF /* ISO/IEC 13239 (formerly ISO/IEC 3309) */ +#define CRC_14443_B 0xFFFF /* ISO/IEC 13239 (formerly ISO/IEC 3309) */ static unsigned short UpdateCrc14443(unsigned char ch, unsigned short *lpwCrc) { diff --git a/include/usb_cmd.h b/include/usb_cmd.h index 540c15d1..54141f79 100644 --- a/include/usb_cmd.h +++ b/include/usb_cmd.h @@ -50,7 +50,8 @@ typedef struct { // For the 13.56 MHz tags #define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693 0x0300 #define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_14443 0x0301 -#define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_14443_SIM 0x0302 +#define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_14443_SIM 0x0302 +#define CMD_READ_SRI512_TAG 0x0303 #define CMD_READER_ISO_15693 0x0310 // ## New command to act like a 15693 reader - greg #define CMD_SIMTAG_ISO_15693 0x0311 // ## New command to act like a 15693 reader - greg diff --git a/winsrc/command.cpp b/winsrc/command.cpp index f947f45c..9c4990a3 100644 --- a/winsrc/command.cpp +++ b/winsrc/command.cpp @@ -75,6 +75,19 @@ static void CmdHi14read(char *str) c.ext1 = atoi(str); SendCommand(&c, FALSE); } + + +/* New command to read the contents of a SRI512 tag + * SRI512 tags are ISO14443-B modulated memory tags, + * this command just dumps the contents of the memory/ + */ +static void CmdSri512read(char *str) +{ + UsbCommand c; + c.cmd = CMD_READ_SRI512_TAG; + c.ext1 = atoi(str); + SendCommand(&c, FALSE); +} // ## New command static void CmdHi14areader(char *str) @@ -1845,69 +1858,69 @@ static void CmdSweepLF(char *str) } - typedef void HandlerFunction(char *cmdline); static struct { - char *name; - HandlerFunction *handler; - char *docString; + char *name; + HandlerFunction *handler; + int offline; // 1 if the command can be used when in offline mode + char *docString; } CommandTable[] = { - "tune", CmdTune, "measure antenna tuning", - "tiread", CmdTiread, "read a TI-type 134 kHz tag", - "tibits", CmdTibits, "get raw bits for TI-type LF tag", - "tidemod", CmdTidemod, "demod raw bits for TI-type LF tag", - "vchdemod", CmdVchdemod, "demod samples for VeriChip", - "plot", CmdPlot, "show graph window", - "hide", CmdHide, "hide graph window", - "losim", CmdLosim, "simulate LF tag", - "loread", CmdLoread, "read (125/134 kHz) LF ID-only tag", - "losamples", CmdLosamples, "get raw samples for LF tag", - "hisamples", CmdHisamples, "get raw samples for HF tag", - "hisampless", CmdHisampless, "get signed raw samples, HF tag", - "hisamplest", CmdHi14readt, "get samples HF, for testing", - "higet", CmdHi14read_sim, "get samples HF, 'analog'", - "bitsamples", CmdBitsamples, "get raw samples as bitstring", - "hexsamples", CmdHexsamples, "dump big buffer as hex bytes", - "hi15read", CmdHi15read, "read HF tag (ISO 15693)", - "hi15reader", CmdHi15reader, "act like an ISO15693 reader", // new command greg - "hi15sim", CmdHi15tag, "fake an ISO15693 tag", // new command greg - "hi14read", CmdHi14read, "read HF tag (ISO 14443)", - "hi14areader", CmdHi14areader, "act like an ISO14443 Type A reader", // ## New reader command - "hi15demod", CmdHi15demod, "demod ISO15693 from tag", - "hi14bdemod", CmdHi14bdemod, "demod ISO14443 Type B from tag", - "autocorr", CmdAutoCorr, "autocorrelation over window", - "norm", CmdNorm, "normalize max/min to +/-500", - "dec", CmdDec, "decimate", - "hpf", CmdHpf, "remove DC offset from trace", - "zerocrossings", CmdZerocrossings, "count time between zero-crossings", - "ltrim", CmdLtrim, "trim from left of trace", - "scale", CmdScale, "set cursor display scale", - "flexdemod", CmdFlexdemod, "demod samples for FlexPass", - "indalademod", CmdIndalademod, "demod samples for Indala", - "save", CmdSave, "save trace (from graph window)", - "load", CmdLoad, "load trace (to graph window", - "hisimlisten", CmdHisimlisten, "get HF samples as fake tag", - "hi14sim", CmdHi14sim, "fake ISO 14443 tag", - "hi14asim", CmdHi14asim, "fake ISO 14443a tag", // ## Simulate 14443a tag - "hi14snoop", CmdHi14snoop, "eavesdrop ISO 14443", - "hi14asnoop", CmdHi14asnoop, "eavesdrop ISO 14443 Type A", // ## New snoop command - "hi14list", CmdHi14list, "list ISO 14443 history", - "hi14alist", CmdHi14alist, "list ISO 14443a history", // ## New list command - "hiddemod", CmdHiddemod, "HID Prox Card II (not optimal)", - "hidfskdemod", CmdHIDdemodFSK, "HID FSK demodulator", - "askdemod", Cmdaskdemod, "Attempt to demodulate simple ASK tags", - "hidsimtag", CmdHIDsimTAG, "HID tag simulator", - "mandemod", Cmdmanchesterdemod, "Try a Manchester demodulation on a binary stream", - "fpgaoff", CmdFPGAOff, "set FPGA off", // ## FPGA Control - "lcdreset", CmdLcdReset, "Hardware reset LCD", - "lcd", CmdLcd, "Send command/data to LCD", - "test", CmdTest, "Placeholder command for testing new code", - "setlfdivisor", CmdSetDivisor, "Drive LF antenna at 12Mhz/(divisor+1)", - "sweeplf", CmdSweepLF, "Sweep through LF freq range and store results in buffer", - "quit", CmdQuit, "quit program" + "tune", CmdTune,0, "measure antenna tuning", + "tiread", CmdTiread,0, "read a TI-type 134 kHz tag", + "tibits", CmdTibits,0, "get raw bits for TI-type LF tag", + "tidemod", CmdTidemod,0, "demod raw bits for TI-type LF tag", + "vchdemod", CmdVchdemod,0, "demod samples for VeriChip", + "plot", CmdPlot,1, "show graph window", + "hide", CmdHide,1, "hide graph window", + "losim", CmdLosim,0, "simulate LF tag", + "loread", CmdLoread,0, "read (125/134 kHz) LF ID-only tag", + "losamples", CmdLosamples,0, "get raw samples for LF tag", + "hisamples", CmdHisamples,0, "get raw samples for HF tag", + "hisampless", CmdHisampless,0, "get signed raw samples, HF tag", + "hisamplest", CmdHi14readt,0, "get samples HF, for testing", + "higet", CmdHi14read_sim,0, "get samples HF, 'analog'", + "bitsamples", CmdBitsamples,0, "get raw samples as bitstring", + "hexsamples", CmdHexsamples,0, "dump big buffer as hex bytes", + "hi15read", CmdHi15read,0, "read HF tag (ISO 15693)", + "hi15reader", CmdHi15reader,0, "act like an ISO15693 reader", // new command greg + "hi15sim", CmdHi15tag,0, "fake an ISO15693 tag", // new command greg + "hi14read", CmdHi14read,0, "read HF tag (ISO 14443)", + "sri512read", CmdSri512read,0, "Read contents of a SRI512 tag", + "hi14areader", CmdHi14areader,0, "act like an ISO14443 Type A reader", // ## New reader command + "hi15demod", CmdHi15demod,1, "demod ISO15693 from tag", + "hi14bdemod", CmdHi14bdemod,1, "demod ISO14443 Type B from tag", + "autocorr", CmdAutoCorr,1, "autocorrelation over window", + "norm", CmdNorm,1, "normalize max/min to +/-500", + "dec", CmdDec,1, "decimate", + "hpf", CmdHpf,1, "remove DC offset from trace", + "zerocrossings", CmdZerocrossings,1, "count time between zero-crossings", + "ltrim", CmdLtrim,1, "trim from left of trace", + "scale", CmdScale,1, "set cursor display scale", + "flexdemod", CmdFlexdemod,1, "demod samples for FlexPass", + "save", CmdSave,1, "save trace (from graph window)", + "load", CmdLoad,1, "load trace (to graph window", + "hisimlisten", CmdHisimlisten,0, "get HF samples as fake tag", + "hi14sim", CmdHi14sim,0, "fake ISO 14443 tag", + "hi14asim", CmdHi14asim,0, "fake ISO 14443a tag", // ## Simulate 14443a tag + "hi14snoop", CmdHi14snoop,0, "eavesdrop ISO 14443", + "hi14asnoop", CmdHi14asnoop,0, "eavesdrop ISO 14443 Type A", // ## New snoop command + "hi14list", CmdHi14list,0, "list ISO 14443 history", + "hi14alist", CmdHi14alist,0, "list ISO 14443a history", // ## New list command + "hiddemod", CmdHiddemod,1, "HID Prox Card II (not optimal)", + "hidfskdemod", CmdHIDdemodFSK,0, "HID FSK demodulator", + "askdemod", Cmdaskdemod,1, "Attempt to demodulate simple ASK tags", + "hidsimtag", CmdHIDsimTAG,0, "HID tag simulator", + "mandemod", Cmdmanchesterdemod,1, "Try a Manchester demodulation on a binary stream", + "fpgaoff", CmdFPGAOff,0, "set FPGA off", // ## FPGA Control + "lcdreset", CmdLcdReset,0, "Hardware reset LCD", + "lcd", CmdLcd,0, "Send command/data to LCD", + "setlfdivisor", CmdSetDivisor,0, "Drive LF antenna at 12Mhz/(divisor+1)", + "sweeplf", CmdSweepLF,0, "Sweep through LF freq range and store results in buffer", + "quit", CmdQuit,0, "quit program" }; + //----------------------------------------------------------------------------- // Entry point into our code: called whenever the user types a command and // then presses Enter, which the full command line that they typed. -- 2.39.5