]> cvs.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso14443a.c
Improved 'hf list iclass' a bit, better understanding of the protocol and when to...
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
b62a5a84 2// Merlok - June 2011, 2012
15c4dc5a 3// Gerhard de Koning Gans - May 2008
534983d7 4// Hagen Fritsch - June 2010
bd20f8f4 5//
6// This code is licensed to you under the terms of the GNU GPL, version 2 or,
7// at your option, any later version. See the LICENSE.txt file for the text of
8// the license.
15c4dc5a 9//-----------------------------------------------------------------------------
bd20f8f4 10// Routines to support ISO 14443 type A.
11//-----------------------------------------------------------------------------
12
e30c654b 13#include "proxmark3.h"
15c4dc5a 14#include "apps.h"
f7e3ed82 15#include "util.h"
9ab7a6c7 16#include "string.h"
902cb3c0 17#include "cmd.h"
9ab7a6c7 18
15c4dc5a 19#include "iso14443crc.h"
534983d7 20#include "iso14443a.h"
20f9a2a1
M
21#include "crapto1.h"
22#include "mifareutil.h"
15c4dc5a 23
534983d7 24static uint32_t iso14a_timeout;
d19929cb 25uint8_t *trace = (uint8_t *) BigBuf+TRACE_OFFSET;
1e262141 26int rsamples = 0;
7bc95e2e 27int traceLen = 0;
1e262141 28int tracing = TRUE;
29uint8_t trigger = 0;
b0127e65 30// the block number for the ISO14443-4 PCB
31static uint8_t iso14_pcb_blocknum = 0;
15c4dc5a 32
7bc95e2e 33//
34// ISO14443 timing:
35//
36// minimum time between the start bits of consecutive transfers from reader to tag: 7000 carrier (13.56Mhz) cycles
37#define REQUEST_GUARD_TIME (7000/16 + 1)
38// minimum time between last modulation of tag and next start bit from reader to tag: 1172 carrier cycles
39#define FRAME_DELAY_TIME_PICC_TO_PCD (1172/16 + 1)
40// bool LastCommandWasRequest = FALSE;
41
42//
43// Total delays including SSC-Transfers between ARM and FPGA. These are in carrier clock cycles (1/13,56MHz)
44//
d714d3ef 45// When the PM acts as reader and is receiving tag data, it takes
46// 3 ticks delay in the AD converter
47// 16 ticks until the modulation detector completes and sets curbit
48// 8 ticks until bit_to_arm is assigned from curbit
49// 8*16 ticks for the transfer from FPGA to ARM
7bc95e2e 50// 4*16 ticks until we measure the time
51// - 8*16 ticks because we measure the time of the previous transfer
d714d3ef 52#define DELAY_AIR2ARM_AS_READER (3 + 16 + 8 + 8*16 + 4*16 - 8*16)
7bc95e2e 53
54// When the PM acts as a reader and is sending, it takes
55// 4*16 ticks until we can write data to the sending hold register
56// 8*16 ticks until the SHR is transferred to the Sending Shift Register
57// 8 ticks until the first transfer starts
58// 8 ticks later the FPGA samples the data
59// 1 tick to assign mod_sig_coil
60#define DELAY_ARM2AIR_AS_READER (4*16 + 8*16 + 8 + 8 + 1)
61
62// When the PM acts as tag and is receiving it takes
d714d3ef 63// 2 ticks delay in the RF part (for the first falling edge),
7bc95e2e 64// 3 ticks for the A/D conversion,
65// 8 ticks on average until the start of the SSC transfer,
66// 8 ticks until the SSC samples the first data
67// 7*16 ticks to complete the transfer from FPGA to ARM
68// 8 ticks until the next ssp_clk rising edge
d714d3ef 69// 4*16 ticks until we measure the time
7bc95e2e 70// - 8*16 ticks because we measure the time of the previous transfer
d714d3ef 71#define DELAY_AIR2ARM_AS_TAG (2 + 3 + 8 + 8 + 7*16 + 8 + 4*16 - 8*16)
7bc95e2e 72
73// The FPGA will report its internal sending delay in
74uint16_t FpgaSendQueueDelay;
75// the 5 first bits are the number of bits buffered in mod_sig_buf
76// the last three bits are the remaining ticks/2 after the mod_sig_buf shift
77#define DELAY_FPGA_QUEUE (FpgaSendQueueDelay<<1)
78
79// When the PM acts as tag and is sending, it takes
d714d3ef 80// 4*16 ticks until we can write data to the sending hold register
7bc95e2e 81// 8*16 ticks until the SHR is transferred to the Sending Shift Register
82// 8 ticks until the first transfer starts
83// 8 ticks later the FPGA samples the data
84// + a varying number of ticks in the FPGA Delay Queue (mod_sig_buf)
85// + 1 tick to assign mod_sig_coil
d714d3ef 86#define DELAY_ARM2AIR_AS_TAG (4*16 + 8*16 + 8 + 8 + DELAY_FPGA_QUEUE + 1)
7bc95e2e 87
88// When the PM acts as sniffer and is receiving tag data, it takes
89// 3 ticks A/D conversion
d714d3ef 90// 14 ticks to complete the modulation detection
91// 8 ticks (on average) until the result is stored in to_arm
7bc95e2e 92// + the delays in transferring data - which is the same for
93// sniffing reader and tag data and therefore not relevant
d714d3ef 94#define DELAY_TAG_AIR2ARM_AS_SNIFFER (3 + 14 + 8)
7bc95e2e 95
d714d3ef 96// When the PM acts as sniffer and is receiving reader data, it takes
97// 2 ticks delay in analogue RF receiver (for the falling edge of the
98// start bit, which marks the start of the communication)
7bc95e2e 99// 3 ticks A/D conversion
d714d3ef 100// 8 ticks on average until the data is stored in to_arm.
7bc95e2e 101// + the delays in transferring data - which is the same for
102// sniffing reader and tag data and therefore not relevant
d714d3ef 103#define DELAY_READER_AIR2ARM_AS_SNIFFER (2 + 3 + 8)
7bc95e2e 104
105//variables used for timing purposes:
106//these are in ssp_clk cycles:
6a1f2d82 107static uint32_t NextTransferTime;
108static uint32_t LastTimeProxToAirStart;
109static uint32_t LastProxToAirDuration;
7bc95e2e 110
111
112
8f51ddb0 113// CARD TO READER - manchester
72934aa3 114// Sequence D: 11110000 modulation with subcarrier during first half
115// Sequence E: 00001111 modulation with subcarrier during second half
116// Sequence F: 00000000 no modulation with subcarrier
8f51ddb0 117// READER TO CARD - miller
72934aa3 118// Sequence X: 00001100 drop after half a period
119// Sequence Y: 00000000 no drop
120// Sequence Z: 11000000 drop at start
121#define SEC_D 0xf0
122#define SEC_E 0x0f
123#define SEC_F 0x00
124#define SEC_X 0x0c
125#define SEC_Y 0x00
126#define SEC_Z 0xc0
15c4dc5a 127
1e262141 128const uint8_t OddByteParity[256] = {
15c4dc5a 129 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
130 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
131 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
132 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
133 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
134 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
135 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
136 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
137 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
138 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
139 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
140 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
141 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
142 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
143 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
144 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
145};
146
902cb3c0 147void iso14a_set_trigger(bool enable) {
534983d7 148 trigger = enable;
149}
150
902cb3c0 151void iso14a_clear_trace() {
7bc95e2e 152 memset(trace, 0x44, TRACE_SIZE);
8556b852
M
153 traceLen = 0;
154}
d19929cb 155
902cb3c0 156void iso14a_set_tracing(bool enable) {
8556b852
M
157 tracing = enable;
158}
d19929cb 159
b0127e65 160void iso14a_set_timeout(uint32_t timeout) {
161 iso14a_timeout = timeout;
162}
8556b852 163
15c4dc5a 164//-----------------------------------------------------------------------------
165// Generate the parity value for a byte sequence
e30c654b 166//
15c4dc5a 167//-----------------------------------------------------------------------------
20f9a2a1
M
168byte_t oddparity (const byte_t bt)
169{
5f6d6c90 170 return OddByteParity[bt];
20f9a2a1
M
171}
172
6a1f2d82 173void GetParity(const uint8_t *pbtCmd, uint16_t iLen, uint8_t *par)
15c4dc5a 174{
6a1f2d82 175 uint16_t paritybit_cnt = 0;
176 uint16_t paritybyte_cnt = 0;
177 uint8_t parityBits = 0;
178
179 for (uint16_t i = 0; i < iLen; i++) {
180 // Generate the parity bits
181 parityBits |= ((OddByteParity[pbtCmd[i]]) << (7-paritybit_cnt));
182 if (paritybit_cnt == 7) {
183 par[paritybyte_cnt] = parityBits; // save 8 Bits parity
184 parityBits = 0; // and advance to next Parity Byte
185 paritybyte_cnt++;
186 paritybit_cnt = 0;
187 } else {
188 paritybit_cnt++;
189 }
5f6d6c90 190 }
6a1f2d82 191
192 // save remaining parity bits
193 par[paritybyte_cnt] = parityBits;
194
15c4dc5a 195}
196
534983d7 197void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 198{
5f6d6c90 199 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
15c4dc5a 200}
201
1e262141 202// The function LogTrace() is also used by the iClass implementation in iClass.c
6a1f2d82 203bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag)
15c4dc5a 204{
fdcd43eb 205 if (!tracing) return FALSE;
6a1f2d82 206
207 uint16_t num_paritybytes = (iLen-1)/8 + 1; // number of valid paritybytes in *parity
208 uint16_t duration = timestamp_end - timestamp_start;
209
7bc95e2e 210 // Return when trace is full
6a1f2d82 211 if (traceLen + sizeof(iLen) + sizeof(timestamp_start) + sizeof(duration) + num_paritybytes + iLen >= TRACE_SIZE) {
7bc95e2e 212 tracing = FALSE; // don't trace any more
213 return FALSE;
214 }
215
6a1f2d82 216 // Traceformat:
217 // 32 bits timestamp (little endian)
218 // 16 bits duration (little endian)
219 // 16 bits data length (little endian, Highest Bit used as readerToTag flag)
220 // y Bytes data
221 // x Bytes parity (one byte per 8 bytes data)
222
223 // timestamp (start)
224 trace[traceLen++] = ((timestamp_start >> 0) & 0xff);
225 trace[traceLen++] = ((timestamp_start >> 8) & 0xff);
226 trace[traceLen++] = ((timestamp_start >> 16) & 0xff);
227 trace[traceLen++] = ((timestamp_start >> 24) & 0xff);
228
229 // duration
230 trace[traceLen++] = ((duration >> 0) & 0xff);
231 trace[traceLen++] = ((duration >> 8) & 0xff);
232
233 // data length
234 trace[traceLen++] = ((iLen >> 0) & 0xff);
235 trace[traceLen++] = ((iLen >> 8) & 0xff);
17cba269 236
6a1f2d82 237 // readerToTag flag
17cba269 238 if (!readerToTag) {
7bc95e2e 239 trace[traceLen - 1] |= 0x80;
240 }
6a1f2d82 241
242 // data bytes
7bc95e2e 243 if (btBytes != NULL && iLen != 0) {
244 memcpy(trace + traceLen, btBytes, iLen);
245 }
246 traceLen += iLen;
6a1f2d82 247
248 // parity bytes
249 if (parity != NULL && iLen != 0) {
250 memcpy(trace + traceLen, parity, num_paritybytes);
251 }
252 traceLen += num_paritybytes;
253
7bc95e2e 254 return TRUE;
15c4dc5a 255}
256
7bc95e2e 257//=============================================================================
258// ISO 14443 Type A - Miller decoder
259//=============================================================================
260// Basics:
261// This decoder is used when the PM3 acts as a tag.
262// The reader will generate "pauses" by temporarily switching of the field.
263// At the PM3 antenna we will therefore measure a modulated antenna voltage.
264// The FPGA does a comparison with a threshold and would deliver e.g.:
265// ........ 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1 .......
266// The Miller decoder needs to identify the following sequences:
267// 2 (or 3) ticks pause followed by 6 (or 5) ticks unmodulated: pause at beginning - Sequence Z ("start of communication" or a "0")
268// 8 ticks without a modulation: no pause - Sequence Y (a "0" or "end of communication" or "no information")
269// 4 ticks unmodulated followed by 2 (or 3) ticks pause: pause in second half - Sequence X (a "1")
270// Note 1: the bitstream may start at any time. We therefore need to sync.
271// Note 2: the interpretation of Sequence Y and Z depends on the preceding sequence.
15c4dc5a 272//-----------------------------------------------------------------------------
b62a5a84 273static tUart Uart;
15c4dc5a 274
d7aa3739 275// Lookup-Table to decide if 4 raw bits are a modulation.
276// We accept two or three consecutive "0" in any position with the rest "1"
277const bool Mod_Miller_LUT[] = {
278 TRUE, TRUE, FALSE, TRUE, FALSE, FALSE, FALSE, FALSE,
279 TRUE, TRUE, FALSE, FALSE, TRUE, FALSE, FALSE, FALSE
280};
281#define IsMillerModulationNibble1(b) (Mod_Miller_LUT[(b & 0x00F0) >> 4])
282#define IsMillerModulationNibble2(b) (Mod_Miller_LUT[(b & 0x000F)])
283
7bc95e2e 284void UartReset()
15c4dc5a 285{
7bc95e2e 286 Uart.state = STATE_UNSYNCD;
287 Uart.bitCount = 0;
288 Uart.len = 0; // number of decoded data bytes
6a1f2d82 289 Uart.parityLen = 0; // number of decoded parity bytes
7bc95e2e 290 Uart.shiftReg = 0; // shiftreg to hold decoded data bits
6a1f2d82 291 Uart.parityBits = 0; // holds 8 parity bits
7bc95e2e 292 Uart.twoBits = 0x0000; // buffer for 2 Bits
293 Uart.highCnt = 0;
294 Uart.startTime = 0;
295 Uart.endTime = 0;
296}
15c4dc5a 297
6a1f2d82 298void UartInit(uint8_t *data, uint8_t *parity)
299{
300 Uart.output = data;
301 Uart.parity = parity;
302 UartReset();
303}
d714d3ef 304
7bc95e2e 305// use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
306static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
307{
15c4dc5a 308
7bc95e2e 309 Uart.twoBits = (Uart.twoBits << 8) | bit;
310
311 if (Uart.state == STATE_UNSYNCD) { // not yet synced
3fe4ff4f 312
7bc95e2e 313 if (Uart.highCnt < 7) { // wait for a stable unmodulated signal
314 if (Uart.twoBits == 0xffff) {
315 Uart.highCnt++;
316 } else {
317 Uart.highCnt = 0;
15c4dc5a 318 }
7bc95e2e 319 } else {
320 Uart.syncBit = 0xFFFF; // not set
321 // look for 00xx1111 (the start bit)
322 if ((Uart.twoBits & 0x6780) == 0x0780) Uart.syncBit = 7;
323 else if ((Uart.twoBits & 0x33C0) == 0x03C0) Uart.syncBit = 6;
324 else if ((Uart.twoBits & 0x19E0) == 0x01E0) Uart.syncBit = 5;
325 else if ((Uart.twoBits & 0x0CF0) == 0x00F0) Uart.syncBit = 4;
326 else if ((Uart.twoBits & 0x0678) == 0x0078) Uart.syncBit = 3;
327 else if ((Uart.twoBits & 0x033C) == 0x003C) Uart.syncBit = 2;
328 else if ((Uart.twoBits & 0x019E) == 0x001E) Uart.syncBit = 1;
329 else if ((Uart.twoBits & 0x00CF) == 0x000F) Uart.syncBit = 0;
330 if (Uart.syncBit != 0xFFFF) {
331 Uart.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
332 Uart.startTime -= Uart.syncBit;
d7aa3739 333 Uart.endTime = Uart.startTime;
7bc95e2e 334 Uart.state = STATE_START_OF_COMMUNICATION;
15c4dc5a 335 }
7bc95e2e 336 }
15c4dc5a 337
7bc95e2e 338 } else {
15c4dc5a 339
d7aa3739 340 if (IsMillerModulationNibble1(Uart.twoBits >> Uart.syncBit)) {
341 if (IsMillerModulationNibble2(Uart.twoBits >> Uart.syncBit)) { // Modulation in both halves - error
342 UartReset();
343 Uart.highCnt = 6;
344 } else { // Modulation in first half = Sequence Z = logic "0"
7bc95e2e 345 if (Uart.state == STATE_MILLER_X) { // error - must not follow after X
346 UartReset();
347 Uart.highCnt = 6;
348 } else {
349 Uart.bitCount++;
350 Uart.shiftReg = (Uart.shiftReg >> 1); // add a 0 to the shiftreg
351 Uart.state = STATE_MILLER_Z;
352 Uart.endTime = Uart.startTime + 8*(9*Uart.len + Uart.bitCount + 1) - 6;
353 if(Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
354 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
355 Uart.parityBits <<= 1; // make room for the parity bit
356 Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
357 Uart.bitCount = 0;
358 Uart.shiftReg = 0;
6a1f2d82 359 if((Uart.len&0x0007) == 0) { // every 8 data bytes
360 Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
361 Uart.parityBits = 0;
362 }
15c4dc5a 363 }
7bc95e2e 364 }
d7aa3739 365 }
366 } else {
367 if (IsMillerModulationNibble2(Uart.twoBits >> Uart.syncBit)) { // Modulation second half = Sequence X = logic "1"
7bc95e2e 368 Uart.bitCount++;
369 Uart.shiftReg = (Uart.shiftReg >> 1) | 0x100; // add a 1 to the shiftreg
370 Uart.state = STATE_MILLER_X;
371 Uart.endTime = Uart.startTime + 8*(9*Uart.len + Uart.bitCount + 1) - 2;
372 if(Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
373 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
374 Uart.parityBits <<= 1; // make room for the new parity bit
375 Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
376 Uart.bitCount = 0;
377 Uart.shiftReg = 0;
6a1f2d82 378 if ((Uart.len&0x0007) == 0) { // every 8 data bytes
379 Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
380 Uart.parityBits = 0;
381 }
7bc95e2e 382 }
d7aa3739 383 } else { // no modulation in both halves - Sequence Y
7bc95e2e 384 if (Uart.state == STATE_MILLER_Z || Uart.state == STATE_MILLER_Y) { // Y after logic "0" - End of Communication
15c4dc5a 385 Uart.state = STATE_UNSYNCD;
6a1f2d82 386 Uart.bitCount--; // last "0" was part of EOC sequence
387 Uart.shiftReg <<= 1; // drop it
388 if(Uart.bitCount > 0) { // if we decoded some bits
389 Uart.shiftReg >>= (9 - Uart.bitCount); // right align them
390 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff); // add last byte to the output
391 Uart.parityBits <<= 1; // add a (void) parity bit
392 Uart.parityBits <<= (8 - (Uart.len&0x0007)); // left align parity bits
393 Uart.parity[Uart.parityLen++] = Uart.parityBits; // and store it
394 return TRUE;
395 } else if (Uart.len & 0x0007) { // there are some parity bits to store
396 Uart.parityBits <<= (8 - (Uart.len&0x0007)); // left align remaining parity bits
397 Uart.parity[Uart.parityLen++] = Uart.parityBits; // and store them
52bfb955 398 }
399 if (Uart.len) {
6a1f2d82 400 return TRUE; // we are finished with decoding the raw data sequence
52bfb955 401 } else {
3fe4ff4f 402 UartReset(); // Nothing receiver - start over
7bc95e2e 403 }
15c4dc5a 404 }
7bc95e2e 405 if (Uart.state == STATE_START_OF_COMMUNICATION) { // error - must not follow directly after SOC
406 UartReset();
407 Uart.highCnt = 6;
408 } else { // a logic "0"
409 Uart.bitCount++;
410 Uart.shiftReg = (Uart.shiftReg >> 1); // add a 0 to the shiftreg
411 Uart.state = STATE_MILLER_Y;
412 if(Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
413 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
414 Uart.parityBits <<= 1; // make room for the parity bit
415 Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
416 Uart.bitCount = 0;
417 Uart.shiftReg = 0;
6a1f2d82 418 if ((Uart.len&0x0007) == 0) { // every 8 data bytes
419 Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
420 Uart.parityBits = 0;
421 }
15c4dc5a 422 }
423 }
d7aa3739 424 }
15c4dc5a 425 }
7bc95e2e 426
427 }
15c4dc5a 428
7bc95e2e 429 return FALSE; // not finished yet, need more data
15c4dc5a 430}
431
7bc95e2e 432
433
15c4dc5a 434//=============================================================================
e691fc45 435// ISO 14443 Type A - Manchester decoder
15c4dc5a 436//=============================================================================
e691fc45 437// Basics:
7bc95e2e 438// This decoder is used when the PM3 acts as a reader.
e691fc45 439// The tag will modulate the reader field by asserting different loads to it. As a consequence, the voltage
440// at the reader antenna will be modulated as well. The FPGA detects the modulation for us and would deliver e.g. the following:
441// ........ 0 0 1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 .......
442// The Manchester decoder needs to identify the following sequences:
443// 4 ticks modulated followed by 4 ticks unmodulated: Sequence D = 1 (also used as "start of communication")
444// 4 ticks unmodulated followed by 4 ticks modulated: Sequence E = 0
445// 8 ticks unmodulated: Sequence F = end of communication
446// 8 ticks modulated: A collision. Save the collision position and treat as Sequence D
7bc95e2e 447// Note 1: the bitstream may start at any time. We therefore need to sync.
e691fc45 448// Note 2: parameter offset is used to determine the position of the parity bits (required for the anticollision command only)
b62a5a84 449static tDemod Demod;
15c4dc5a 450
d7aa3739 451// Lookup-Table to decide if 4 raw bits are a modulation.
d714d3ef 452// We accept three or four "1" in any position
7bc95e2e 453const bool Mod_Manchester_LUT[] = {
d7aa3739 454 FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, TRUE,
d714d3ef 455 FALSE, FALSE, FALSE, TRUE, FALSE, TRUE, TRUE, TRUE
7bc95e2e 456};
457
458#define IsManchesterModulationNibble1(b) (Mod_Manchester_LUT[(b & 0x00F0) >> 4])
459#define IsManchesterModulationNibble2(b) (Mod_Manchester_LUT[(b & 0x000F)])
15c4dc5a 460
2f2d9fc5 461
7bc95e2e 462void DemodReset()
e691fc45 463{
7bc95e2e 464 Demod.state = DEMOD_UNSYNCD;
465 Demod.len = 0; // number of decoded data bytes
6a1f2d82 466 Demod.parityLen = 0;
7bc95e2e 467 Demod.shiftReg = 0; // shiftreg to hold decoded data bits
468 Demod.parityBits = 0; //
469 Demod.collisionPos = 0; // Position of collision bit
470 Demod.twoBits = 0xffff; // buffer for 2 Bits
471 Demod.highCnt = 0;
472 Demod.startTime = 0;
473 Demod.endTime = 0;
e691fc45 474}
15c4dc5a 475
6a1f2d82 476void DemodInit(uint8_t *data, uint8_t *parity)
477{
478 Demod.output = data;
479 Demod.parity = parity;
480 DemodReset();
481}
482
7bc95e2e 483// use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
484static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time)
e691fc45 485{
7bc95e2e 486
487 Demod.twoBits = (Demod.twoBits << 8) | bit;
e691fc45 488
7bc95e2e 489 if (Demod.state == DEMOD_UNSYNCD) {
490
491 if (Demod.highCnt < 2) { // wait for a stable unmodulated signal
492 if (Demod.twoBits == 0x0000) {
493 Demod.highCnt++;
494 } else {
495 Demod.highCnt = 0;
496 }
497 } else {
498 Demod.syncBit = 0xFFFF; // not set
499 if ((Demod.twoBits & 0x7700) == 0x7000) Demod.syncBit = 7;
500 else if ((Demod.twoBits & 0x3B80) == 0x3800) Demod.syncBit = 6;
501 else if ((Demod.twoBits & 0x1DC0) == 0x1C00) Demod.syncBit = 5;
502 else if ((Demod.twoBits & 0x0EE0) == 0x0E00) Demod.syncBit = 4;
503 else if ((Demod.twoBits & 0x0770) == 0x0700) Demod.syncBit = 3;
504 else if ((Demod.twoBits & 0x03B8) == 0x0380) Demod.syncBit = 2;
505 else if ((Demod.twoBits & 0x01DC) == 0x01C0) Demod.syncBit = 1;
506 else if ((Demod.twoBits & 0x00EE) == 0x00E0) Demod.syncBit = 0;
d7aa3739 507 if (Demod.syncBit != 0xFFFF) {
7bc95e2e 508 Demod.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
509 Demod.startTime -= Demod.syncBit;
510 Demod.bitCount = offset; // number of decoded data bits
e691fc45 511 Demod.state = DEMOD_MANCHESTER_DATA;
2f2d9fc5 512 }
7bc95e2e 513 }
15c4dc5a 514
7bc95e2e 515 } else {
15c4dc5a 516
7bc95e2e 517 if (IsManchesterModulationNibble1(Demod.twoBits >> Demod.syncBit)) { // modulation in first half
518 if (IsManchesterModulationNibble2(Demod.twoBits >> Demod.syncBit)) { // ... and in second half = collision
e691fc45 519 if (!Demod.collisionPos) {
520 Demod.collisionPos = (Demod.len << 3) + Demod.bitCount;
521 }
522 } // modulation in first half only - Sequence D = 1
7bc95e2e 523 Demod.bitCount++;
524 Demod.shiftReg = (Demod.shiftReg >> 1) | 0x100; // in both cases, add a 1 to the shiftreg
525 if(Demod.bitCount == 9) { // if we decoded a full byte (including parity)
e691fc45 526 Demod.output[Demod.len++] = (Demod.shiftReg & 0xff);
7bc95e2e 527 Demod.parityBits <<= 1; // make room for the parity bit
e691fc45 528 Demod.parityBits |= ((Demod.shiftReg >> 8) & 0x01); // store parity bit
529 Demod.bitCount = 0;
530 Demod.shiftReg = 0;
6a1f2d82 531 if((Demod.len&0x0007) == 0) { // every 8 data bytes
532 Demod.parity[Demod.parityLen++] = Demod.parityBits; // store 8 parity bits
533 Demod.parityBits = 0;
534 }
15c4dc5a 535 }
7bc95e2e 536 Demod.endTime = Demod.startTime + 8*(9*Demod.len + Demod.bitCount + 1) - 4;
537 } else { // no modulation in first half
538 if (IsManchesterModulationNibble2(Demod.twoBits >> Demod.syncBit)) { // and modulation in second half = Sequence E = 0
e691fc45 539 Demod.bitCount++;
7bc95e2e 540 Demod.shiftReg = (Demod.shiftReg >> 1); // add a 0 to the shiftreg
e691fc45 541 if(Demod.bitCount >= 9) { // if we decoded a full byte (including parity)
e691fc45 542 Demod.output[Demod.len++] = (Demod.shiftReg & 0xff);
7bc95e2e 543 Demod.parityBits <<= 1; // make room for the new parity bit
e691fc45 544 Demod.parityBits |= ((Demod.shiftReg >> 8) & 0x01); // store parity bit
545 Demod.bitCount = 0;
546 Demod.shiftReg = 0;
6a1f2d82 547 if ((Demod.len&0x0007) == 0) { // every 8 data bytes
548 Demod.parity[Demod.parityLen++] = Demod.parityBits; // store 8 parity bits1
549 Demod.parityBits = 0;
550 }
15c4dc5a 551 }
7bc95e2e 552 Demod.endTime = Demod.startTime + 8*(9*Demod.len + Demod.bitCount + 1);
e691fc45 553 } else { // no modulation in both halves - End of communication
6a1f2d82 554 if(Demod.bitCount > 0) { // there are some remaining data bits
555 Demod.shiftReg >>= (9 - Demod.bitCount); // right align the decoded bits
556 Demod.output[Demod.len++] = Demod.shiftReg & 0xff; // and add them to the output
557 Demod.parityBits <<= 1; // add a (void) parity bit
558 Demod.parityBits <<= (8 - (Demod.len&0x0007)); // left align remaining parity bits
559 Demod.parity[Demod.parityLen++] = Demod.parityBits; // and store them
560 return TRUE;
561 } else if (Demod.len & 0x0007) { // there are some parity bits to store
562 Demod.parityBits <<= (8 - (Demod.len&0x0007)); // left align remaining parity bits
563 Demod.parity[Demod.parityLen++] = Demod.parityBits; // and store them
52bfb955 564 }
565 if (Demod.len) {
d7aa3739 566 return TRUE; // we are finished with decoding the raw data sequence
567 } else { // nothing received. Start over
568 DemodReset();
e691fc45 569 }
15c4dc5a 570 }
7bc95e2e 571 }
e691fc45 572
573 }
15c4dc5a 574
e691fc45 575 return FALSE; // not finished yet, need more data
15c4dc5a 576}
577
578//=============================================================================
579// Finally, a `sniffer' for ISO 14443 Type A
580// Both sides of communication!
581//=============================================================================
582
583//-----------------------------------------------------------------------------
584// Record the sequence of commands sent by the reader to the tag, with
585// triggering so that we start recording at the point that the tag is moved
586// near the reader.
587//-----------------------------------------------------------------------------
5cd9ec01
M
588void RAMFUNC SnoopIso14443a(uint8_t param) {
589 // param:
590 // bit 0 - trigger from first card answer
591 // bit 1 - trigger from first reader 7-bit request
592
593 LEDsoff();
594 // init trace buffer
5f6d6c90 595 iso14a_clear_trace();
991f13f2 596 iso14a_set_tracing(TRUE);
5cd9ec01
M
597
598 // We won't start recording the frames that we acquire until we trigger;
599 // a good trigger condition to get started is probably when we see a
600 // response from the tag.
601 // triggered == FALSE -- to wait first for card
7bc95e2e 602 bool triggered = !(param & 0x03);
603
5cd9ec01 604 // The command (reader -> tag) that we're receiving.
15c4dc5a 605 // The length of a received command will in most cases be no more than 18 bytes.
606 // So 32 should be enough!
6a1f2d82 607 uint8_t *receivedCmd = ((uint8_t *)BigBuf) + RECV_CMD_OFFSET;
608 uint8_t *receivedCmdPar = ((uint8_t *)BigBuf) + RECV_CMD_PAR_OFFSET;
609
5cd9ec01 610 // The response (tag -> reader) that we're receiving.
6a1f2d82 611 uint8_t *receivedResponse = ((uint8_t *)BigBuf) + RECV_RESP_OFFSET;
612 uint8_t *receivedResponsePar = ((uint8_t *)BigBuf) + RECV_RESP_PAR_OFFSET;
613
5cd9ec01
M
614 // As we receive stuff, we copy it from receivedCmd or receivedResponse
615 // into trace, along with its length and other annotations.
616 //uint8_t *trace = (uint8_t *)BigBuf;
617
618 // The DMA buffer, used to stream samples from the FPGA
7bc95e2e 619 uint8_t *dmaBuf = ((uint8_t *)BigBuf) + DMA_BUFFER_OFFSET;
620 uint8_t *data = dmaBuf;
621 uint8_t previous_data = 0;
5cd9ec01
M
622 int maxDataLen = 0;
623 int dataLen = 0;
7bc95e2e 624 bool TagIsActive = FALSE;
625 bool ReaderIsActive = FALSE;
626
627 iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
15c4dc5a 628
5cd9ec01 629 // Set up the demodulator for tag -> reader responses.
6a1f2d82 630 DemodInit(receivedResponse, receivedResponsePar);
631
5cd9ec01 632 // Set up the demodulator for the reader -> tag commands
6a1f2d82 633 UartInit(receivedCmd, receivedCmdPar);
634
7bc95e2e 635 // Setup and start DMA.
5cd9ec01 636 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
7bc95e2e 637
5cd9ec01 638 // And now we loop, receiving samples.
7bc95e2e 639 for(uint32_t rsamples = 0; TRUE; ) {
640
5cd9ec01
M
641 if(BUTTON_PRESS()) {
642 DbpString("cancelled by button");
7bc95e2e 643 break;
5cd9ec01 644 }
15c4dc5a 645
5cd9ec01
M
646 LED_A_ON();
647 WDT_HIT();
15c4dc5a 648
5cd9ec01
M
649 int register readBufDataP = data - dmaBuf;
650 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
651 if (readBufDataP <= dmaBufDataP){
652 dataLen = dmaBufDataP - readBufDataP;
653 } else {
7bc95e2e 654 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP;
5cd9ec01
M
655 }
656 // test for length of buffer
657 if(dataLen > maxDataLen) {
658 maxDataLen = dataLen;
659 if(dataLen > 400) {
7bc95e2e 660 Dbprintf("blew circular buffer! dataLen=%d", dataLen);
661 break;
5cd9ec01
M
662 }
663 }
664 if(dataLen < 1) continue;
665
666 // primary buffer was stopped( <-- we lost data!
667 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
668 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
669 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
7bc95e2e 670 Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
5cd9ec01
M
671 }
672 // secondary buffer sets as primary, secondary buffer was stopped
673 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
674 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
675 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
676 }
677
678 LED_A_OFF();
7bc95e2e 679
680 if (rsamples & 0x01) { // Need two samples to feed Miller and Manchester-Decoder
3be2a5ae 681
7bc95e2e 682 if(!TagIsActive) { // no need to try decoding reader data if the tag is sending
683 uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
684 if (MillerDecoding(readerdata, (rsamples-1)*4)) {
685 LED_C_ON();
5cd9ec01 686
7bc95e2e 687 // check - if there is a short 7bit request from reader
688 if ((!triggered) && (param & 0x02) && (Uart.len == 1) && (Uart.bitCount == 7)) triggered = TRUE;
5cd9ec01 689
7bc95e2e 690 if(triggered) {
6a1f2d82 691 if (!LogTrace(receivedCmd,
692 Uart.len,
693 Uart.startTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER,
694 Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER,
695 Uart.parity,
696 TRUE)) break;
7bc95e2e 697 }
698 /* And ready to receive another command. */
699 UartReset();
700 /* And also reset the demod code, which might have been */
701 /* false-triggered by the commands from the reader. */
702 DemodReset();
703 LED_B_OFF();
704 }
705 ReaderIsActive = (Uart.state != STATE_UNSYNCD);
5cd9ec01 706 }
3be2a5ae 707
7bc95e2e 708 if(!ReaderIsActive) { // no need to try decoding tag data if the reader is sending - and we cannot afford the time
709 uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
710 if(ManchesterDecoding(tagdata, 0, (rsamples-1)*4)) {
711 LED_B_ON();
5cd9ec01 712
6a1f2d82 713 if (!LogTrace(receivedResponse,
714 Demod.len,
715 Demod.startTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER,
716 Demod.endTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER,
717 Demod.parity,
718 FALSE)) break;
5cd9ec01 719
7bc95e2e 720 if ((!triggered) && (param & 0x01)) triggered = TRUE;
5cd9ec01 721
7bc95e2e 722 // And ready to receive another response.
723 DemodReset();
724 LED_C_OFF();
725 }
726 TagIsActive = (Demod.state != DEMOD_UNSYNCD);
727 }
5cd9ec01
M
728 }
729
7bc95e2e 730 previous_data = *data;
731 rsamples++;
5cd9ec01 732 data++;
d714d3ef 733 if(data == dmaBuf + DMA_BUFFER_SIZE) {
5cd9ec01
M
734 data = dmaBuf;
735 }
736 } // main cycle
737
738 DbpString("COMMAND FINISHED");
15c4dc5a 739
7bc95e2e 740 FpgaDisableSscDma();
741 Dbprintf("maxDataLen=%d, Uart.state=%x, Uart.len=%d", maxDataLen, Uart.state, Uart.len);
742 Dbprintf("traceLen=%d, Uart.output[0]=%08x", traceLen, (uint32_t)Uart.output[0]);
5cd9ec01 743 LEDsoff();
15c4dc5a 744}
745
15c4dc5a 746//-----------------------------------------------------------------------------
747// Prepare tag messages
748//-----------------------------------------------------------------------------
6a1f2d82 749static void CodeIso14443aAsTagPar(const uint8_t *cmd, uint16_t len, uint8_t *parity)
15c4dc5a 750{
8f51ddb0 751 ToSendReset();
15c4dc5a 752
753 // Correction bit, might be removed when not needed
754 ToSendStuffBit(0);
755 ToSendStuffBit(0);
756 ToSendStuffBit(0);
757 ToSendStuffBit(0);
758 ToSendStuffBit(1); // 1
759 ToSendStuffBit(0);
760 ToSendStuffBit(0);
761 ToSendStuffBit(0);
8f51ddb0 762
15c4dc5a 763 // Send startbit
72934aa3 764 ToSend[++ToSendMax] = SEC_D;
7bc95e2e 765 LastProxToAirDuration = 8 * ToSendMax - 4;
15c4dc5a 766
6a1f2d82 767 for(uint16_t i = 0; i < len; i++) {
8f51ddb0 768 uint8_t b = cmd[i];
15c4dc5a 769
770 // Data bits
6a1f2d82 771 for(uint16_t j = 0; j < 8; j++) {
15c4dc5a 772 if(b & 1) {
72934aa3 773 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 774 } else {
72934aa3 775 ToSend[++ToSendMax] = SEC_E;
8f51ddb0
M
776 }
777 b >>= 1;
778 }
15c4dc5a 779
0014cb46 780 // Get the parity bit
6a1f2d82 781 if (parity[i>>3] & (0x80>>(i&0x0007))) {
8f51ddb0 782 ToSend[++ToSendMax] = SEC_D;
7bc95e2e 783 LastProxToAirDuration = 8 * ToSendMax - 4;
15c4dc5a 784 } else {
72934aa3 785 ToSend[++ToSendMax] = SEC_E;
7bc95e2e 786 LastProxToAirDuration = 8 * ToSendMax;
15c4dc5a 787 }
8f51ddb0 788 }
15c4dc5a 789
8f51ddb0
M
790 // Send stopbit
791 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 792
8f51ddb0
M
793 // Convert from last byte pos to length
794 ToSendMax++;
8f51ddb0
M
795}
796
6a1f2d82 797static void CodeIso14443aAsTag(const uint8_t *cmd, uint16_t len)
798{
799 uint8_t par[MAX_PARITY_SIZE];
800
801 GetParity(cmd, len, par);
802 CodeIso14443aAsTagPar(cmd, len, par);
15c4dc5a 803}
804
15c4dc5a 805
8f51ddb0
M
806static void Code4bitAnswerAsTag(uint8_t cmd)
807{
808 int i;
809
5f6d6c90 810 ToSendReset();
8f51ddb0
M
811
812 // Correction bit, might be removed when not needed
813 ToSendStuffBit(0);
814 ToSendStuffBit(0);
815 ToSendStuffBit(0);
816 ToSendStuffBit(0);
817 ToSendStuffBit(1); // 1
818 ToSendStuffBit(0);
819 ToSendStuffBit(0);
820 ToSendStuffBit(0);
821
822 // Send startbit
823 ToSend[++ToSendMax] = SEC_D;
824
825 uint8_t b = cmd;
826 for(i = 0; i < 4; i++) {
827 if(b & 1) {
828 ToSend[++ToSendMax] = SEC_D;
7bc95e2e 829 LastProxToAirDuration = 8 * ToSendMax - 4;
8f51ddb0
M
830 } else {
831 ToSend[++ToSendMax] = SEC_E;
7bc95e2e 832 LastProxToAirDuration = 8 * ToSendMax;
8f51ddb0
M
833 }
834 b >>= 1;
835 }
836
837 // Send stopbit
838 ToSend[++ToSendMax] = SEC_F;
839
5f6d6c90 840 // Convert from last byte pos to length
841 ToSendMax++;
15c4dc5a 842}
843
844//-----------------------------------------------------------------------------
845// Wait for commands from reader
846// Stop when button is pressed
847// Or return TRUE when command is captured
848//-----------------------------------------------------------------------------
6a1f2d82 849static int GetIso14443aCommandFromReader(uint8_t *received, uint8_t *parity, int *len)
15c4dc5a 850{
851 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
852 // only, since we are receiving, not transmitting).
853 // Signal field is off with the appropriate LED
854 LED_D_OFF();
855 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
856
857 // Now run a `software UART' on the stream of incoming samples.
6a1f2d82 858 UartInit(received, parity);
7bc95e2e 859
860 // clear RXRDY:
861 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 862
863 for(;;) {
864 WDT_HIT();
865
866 if(BUTTON_PRESS()) return FALSE;
7bc95e2e 867
15c4dc5a 868 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
7bc95e2e 869 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
870 if(MillerDecoding(b, 0)) {
871 *len = Uart.len;
15c4dc5a 872 return TRUE;
873 }
7bc95e2e 874 }
15c4dc5a 875 }
876}
28afbd2b 877
6a1f2d82 878static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNeeded);
7bc95e2e 879int EmSend4bitEx(uint8_t resp, bool correctionNeeded);
28afbd2b 880int EmSend4bit(uint8_t resp);
6a1f2d82 881int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, bool correctionNeeded, uint8_t *par);
882int EmSendCmdEx(uint8_t *resp, uint16_t respLen, bool correctionNeeded);
883int EmSendCmd(uint8_t *resp, uint16_t respLen);
884int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par);
885bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity,
886 uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint8_t *tag_Parity);
15c4dc5a 887
ce02f6f9 888static uint8_t* free_buffer_pointer = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
889
890typedef struct {
891 uint8_t* response;
892 size_t response_n;
893 uint8_t* modulation;
894 size_t modulation_n;
7bc95e2e 895 uint32_t ProxToAirDuration;
ce02f6f9 896} tag_response_info_t;
897
898void reset_free_buffer() {
899 free_buffer_pointer = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
900}
901
902bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffer_size) {
7bc95e2e 903 // Example response, answer to MIFARE Classic read block will be 16 bytes + 2 CRC = 18 bytes
ce02f6f9 904 // This will need the following byte array for a modulation sequence
905 // 144 data bits (18 * 8)
906 // 18 parity bits
907 // 2 Start and stop
908 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
909 // 1 just for the case
910 // ----------- +
911 // 166 bytes, since every bit that needs to be send costs us a byte
912 //
913
914 // Prepare the tag modulation bits from the message
915 CodeIso14443aAsTag(response_info->response,response_info->response_n);
916
917 // Make sure we do not exceed the free buffer space
918 if (ToSendMax > max_buffer_size) {
919 Dbprintf("Out of memory, when modulating bits for tag answer:");
920 Dbhexdump(response_info->response_n,response_info->response,false);
921 return false;
922 }
923
924 // Copy the byte array, used for this modulation to the buffer position
925 memcpy(response_info->modulation,ToSend,ToSendMax);
926
7bc95e2e 927 // Store the number of bytes that were used for encoding/modulation and the time needed to transfer them
ce02f6f9 928 response_info->modulation_n = ToSendMax;
7bc95e2e 929 response_info->ProxToAirDuration = LastProxToAirDuration;
ce02f6f9 930
931 return true;
932}
933
934bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) {
935 // Retrieve and store the current buffer index
936 response_info->modulation = free_buffer_pointer;
937
938 // Determine the maximum size we can use from our buffer
6a1f2d82 939 size_t max_buffer_size = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + FREE_BUFFER_SIZE) - free_buffer_pointer;
ce02f6f9 940
941 // Forward the prepare tag modulation function to the inner function
942 if (prepare_tag_modulation(response_info,max_buffer_size)) {
943 // Update the free buffer offset
944 free_buffer_pointer += ToSendMax;
945 return true;
946 } else {
947 return false;
948 }
949}
950
15c4dc5a 951//-----------------------------------------------------------------------------
952// Main loop of simulated tag: receive commands from reader, decide what
953// response to send, and send it.
954//-----------------------------------------------------------------------------
28afbd2b 955void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
15c4dc5a 956{
5f6d6c90 957 // Enable and clear the trace
5f6d6c90 958 iso14a_clear_trace();
7bc95e2e 959 iso14a_set_tracing(TRUE);
81cd0474 960
81cd0474 961 uint8_t sak;
962
963 // The first response contains the ATQA (note: bytes are transmitted in reverse order).
964 uint8_t response1[2];
965
966 switch (tagType) {
967 case 1: { // MIFARE Classic
968 // Says: I am Mifare 1k - original line
969 response1[0] = 0x04;
970 response1[1] = 0x00;
971 sak = 0x08;
972 } break;
973 case 2: { // MIFARE Ultralight
974 // Says: I am a stupid memory tag, no crypto
975 response1[0] = 0x04;
976 response1[1] = 0x00;
977 sak = 0x00;
978 } break;
979 case 3: { // MIFARE DESFire
980 // Says: I am a DESFire tag, ph33r me
981 response1[0] = 0x04;
982 response1[1] = 0x03;
983 sak = 0x20;
984 } break;
985 case 4: { // ISO/IEC 14443-4
986 // Says: I am a javacard (JCOP)
987 response1[0] = 0x04;
988 response1[1] = 0x00;
989 sak = 0x28;
990 } break;
3fe4ff4f 991 case 5: { // MIFARE TNP3XXX
992 // Says: I am a toy
993 response1[0] = 0x01;
994 response1[1] = 0x0f;
995 sak = 0x01;
996 } break;
81cd0474 997 default: {
998 Dbprintf("Error: unkown tagtype (%d)",tagType);
999 return;
1000 } break;
1001 }
1002
1003 // The second response contains the (mandatory) first 24 bits of the UID
1004 uint8_t response2[5];
1005
1006 // Check if the uid uses the (optional) part
1007 uint8_t response2a[5];
1008 if (uid_2nd) {
1009 response2[0] = 0x88;
1010 num_to_bytes(uid_1st,3,response2+1);
1011 num_to_bytes(uid_2nd,4,response2a);
1012 response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3];
1013
1014 // Configure the ATQA and SAK accordingly
1015 response1[0] |= 0x40;
1016 sak |= 0x04;
1017 } else {
1018 num_to_bytes(uid_1st,4,response2);
1019 // Configure the ATQA and SAK accordingly
1020 response1[0] &= 0xBF;
1021 sak &= 0xFB;
1022 }
1023
1024 // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
1025 response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
1026
1027 // Prepare the mandatory SAK (for 4 and 7 byte UID)
1028 uint8_t response3[3];
1029 response3[0] = sak;
1030 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
1031
1032 // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
1033 uint8_t response3a[3];
1034 response3a[0] = sak & 0xFB;
1035 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
1036
254b70a4 1037 uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
6a1f2d82 1038 uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS:
1039 // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present,
1040 // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
1041 // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
1042 // TC(1) = 0x02: CID supported, NAD not supported
ce02f6f9 1043 ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]);
1044
7bc95e2e 1045 #define TAG_RESPONSE_COUNT 7
1046 tag_response_info_t responses[TAG_RESPONSE_COUNT] = {
1047 { .response = response1, .response_n = sizeof(response1) }, // Answer to request - respond with card type
1048 { .response = response2, .response_n = sizeof(response2) }, // Anticollision cascade1 - respond with uid
1049 { .response = response2a, .response_n = sizeof(response2a) }, // Anticollision cascade2 - respond with 2nd half of uid if asked
1050 { .response = response3, .response_n = sizeof(response3) }, // Acknowledge select - cascade 1
1051 { .response = response3a, .response_n = sizeof(response3a) }, // Acknowledge select - cascade 2
1052 { .response = response5, .response_n = sizeof(response5) }, // Authentication answer (random nonce)
1053 { .response = response6, .response_n = sizeof(response6) }, // dummy ATS (pseudo-ATR), answer to RATS
1054 };
1055
1056 // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it
1057 // Such a response is less time critical, so we can prepare them on the fly
1058 #define DYNAMIC_RESPONSE_BUFFER_SIZE 64
1059 #define DYNAMIC_MODULATION_BUFFER_SIZE 512
1060 uint8_t dynamic_response_buffer[DYNAMIC_RESPONSE_BUFFER_SIZE];
1061 uint8_t dynamic_modulation_buffer[DYNAMIC_MODULATION_BUFFER_SIZE];
1062 tag_response_info_t dynamic_response_info = {
1063 .response = dynamic_response_buffer,
1064 .response_n = 0,
1065 .modulation = dynamic_modulation_buffer,
1066 .modulation_n = 0
1067 };
ce02f6f9 1068
7bc95e2e 1069 // Reset the offset pointer of the free buffer
1070 reset_free_buffer();
ce02f6f9 1071
7bc95e2e 1072 // Prepare the responses of the anticollision phase
ce02f6f9 1073 // there will be not enough time to do this at the moment the reader sends it REQA
7bc95e2e 1074 for (size_t i=0; i<TAG_RESPONSE_COUNT; i++) {
1075 prepare_allocated_tag_modulation(&responses[i]);
1076 }
15c4dc5a 1077
7bc95e2e 1078 int len = 0;
15c4dc5a 1079
1080 // To control where we are in the protocol
1081 int order = 0;
1082 int lastorder;
1083
1084 // Just to allow some checks
1085 int happened = 0;
1086 int happened2 = 0;
81cd0474 1087 int cmdsRecvd = 0;
15c4dc5a 1088
254b70a4 1089 // We need to listen to the high-frequency, peak-detected path.
7bc95e2e 1090 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
15c4dc5a 1091
6a1f2d82 1092 // buffers used on software Uart:
1093 uint8_t *receivedCmd = ((uint8_t *)BigBuf) + RECV_CMD_OFFSET;
1094 uint8_t *receivedCmdPar = ((uint8_t *)BigBuf) + RECV_CMD_PAR_OFFSET;
1095
254b70a4 1096 cmdsRecvd = 0;
7bc95e2e 1097 tag_response_info_t* p_response;
15c4dc5a 1098
254b70a4 1099 LED_A_ON();
1100 for(;;) {
7bc95e2e 1101 // Clean receive command buffer
1102
6a1f2d82 1103 if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
ce02f6f9 1104 DbpString("Button press");
254b70a4 1105 break;
1106 }
7bc95e2e 1107
1108 p_response = NULL;
1109
254b70a4 1110 // Okay, look at the command now.
1111 lastorder = order;
1112 if(receivedCmd[0] == 0x26) { // Received a REQUEST
ce02f6f9 1113 p_response = &responses[0]; order = 1;
254b70a4 1114 } else if(receivedCmd[0] == 0x52) { // Received a WAKEUP
ce02f6f9 1115 p_response = &responses[0]; order = 6;
254b70a4 1116 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // Received request for UID (cascade 1)
ce02f6f9 1117 p_response = &responses[1]; order = 2;
6a1f2d82 1118 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x95) { // Received request for UID (cascade 2)
ce02f6f9 1119 p_response = &responses[2]; order = 20;
254b70a4 1120 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x93) { // Received a SELECT (cascade 1)
ce02f6f9 1121 p_response = &responses[3]; order = 3;
254b70a4 1122 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) { // Received a SELECT (cascade 2)
ce02f6f9 1123 p_response = &responses[4]; order = 30;
254b70a4 1124 } else if(receivedCmd[0] == 0x30) { // Received a (plain) READ
6a1f2d82 1125 EmSendCmdEx(data+(4*receivedCmd[1]),16,false);
7bc95e2e 1126 // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
5f6d6c90 1127 // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
7bc95e2e 1128 p_response = NULL;
254b70a4 1129 } else if(receivedCmd[0] == 0x50) { // Received a HALT
3fe4ff4f 1130
7bc95e2e 1131 if (tracing) {
6a1f2d82 1132 LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
7bc95e2e 1133 }
1134 p_response = NULL;
254b70a4 1135 } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) { // Received an authentication request
ce02f6f9 1136 p_response = &responses[5]; order = 7;
254b70a4 1137 } else if(receivedCmd[0] == 0xE0) { // Received a RATS request
7bc95e2e 1138 if (tagType == 1 || tagType == 2) { // RATS not supported
1139 EmSend4bit(CARD_NACK_NA);
1140 p_response = NULL;
1141 } else {
1142 p_response = &responses[6]; order = 70;
1143 }
6a1f2d82 1144 } else if (order == 7 && len == 8) { // Received {nr] and {ar} (part of authentication)
7bc95e2e 1145 if (tracing) {
6a1f2d82 1146 LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
7bc95e2e 1147 }
1148 uint32_t nr = bytes_to_num(receivedCmd,4);
1149 uint32_t ar = bytes_to_num(receivedCmd+4,4);
1150 Dbprintf("Auth attempt {nr}{ar}: %08x %08x",nr,ar);
1151 } else {
1152 // Check for ISO 14443A-4 compliant commands, look at left nibble
1153 switch (receivedCmd[0]) {
1154
1155 case 0x0B:
1156 case 0x0A: { // IBlock (command)
1157 dynamic_response_info.response[0] = receivedCmd[0];
1158 dynamic_response_info.response[1] = 0x00;
1159 dynamic_response_info.response[2] = 0x90;
1160 dynamic_response_info.response[3] = 0x00;
1161 dynamic_response_info.response_n = 4;
1162 } break;
1163
1164 case 0x1A:
1165 case 0x1B: { // Chaining command
1166 dynamic_response_info.response[0] = 0xaa | ((receivedCmd[0]) & 1);
1167 dynamic_response_info.response_n = 2;
1168 } break;
1169
1170 case 0xaa:
1171 case 0xbb: {
1172 dynamic_response_info.response[0] = receivedCmd[0] ^ 0x11;
1173 dynamic_response_info.response_n = 2;
1174 } break;
1175
1176 case 0xBA: { //
1177 memcpy(dynamic_response_info.response,"\xAB\x00",2);
1178 dynamic_response_info.response_n = 2;
1179 } break;
1180
1181 case 0xCA:
1182 case 0xC2: { // Readers sends deselect command
1183 memcpy(dynamic_response_info.response,"\xCA\x00",2);
1184 dynamic_response_info.response_n = 2;
1185 } break;
1186
1187 default: {
1188 // Never seen this command before
1189 if (tracing) {
6a1f2d82 1190 LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
7bc95e2e 1191 }
1192 Dbprintf("Received unknown command (len=%d):",len);
1193 Dbhexdump(len,receivedCmd,false);
1194 // Do not respond
1195 dynamic_response_info.response_n = 0;
1196 } break;
1197 }
ce02f6f9 1198
7bc95e2e 1199 if (dynamic_response_info.response_n > 0) {
1200 // Copy the CID from the reader query
1201 dynamic_response_info.response[1] = receivedCmd[1];
ce02f6f9 1202
7bc95e2e 1203 // Add CRC bytes, always used in ISO 14443A-4 compliant cards
1204 AppendCrc14443a(dynamic_response_info.response,dynamic_response_info.response_n);
1205 dynamic_response_info.response_n += 2;
ce02f6f9 1206
7bc95e2e 1207 if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
1208 Dbprintf("Error preparing tag response");
1209 if (tracing) {
6a1f2d82 1210 LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
7bc95e2e 1211 }
1212 break;
1213 }
1214 p_response = &dynamic_response_info;
1215 }
81cd0474 1216 }
15c4dc5a 1217
1218 // Count number of wakeups received after a halt
1219 if(order == 6 && lastorder == 5) { happened++; }
1220
1221 // Count number of other messages after a halt
1222 if(order != 6 && lastorder == 5) { happened2++; }
1223
15c4dc5a 1224 if(cmdsRecvd > 999) {
1225 DbpString("1000 commands later...");
254b70a4 1226 break;
15c4dc5a 1227 }
ce02f6f9 1228 cmdsRecvd++;
1229
1230 if (p_response != NULL) {
7bc95e2e 1231 EmSendCmd14443aRaw(p_response->modulation, p_response->modulation_n, receivedCmd[0] == 0x52);
1232 // do the tracing for the previous reader request and this tag answer:
6a1f2d82 1233 uint8_t par[MAX_PARITY_SIZE];
1234 GetParity(p_response->response, p_response->response_n, par);
3fe4ff4f 1235
7bc95e2e 1236 EmLogTrace(Uart.output,
1237 Uart.len,
1238 Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG,
1239 Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG,
6a1f2d82 1240 Uart.parity,
7bc95e2e 1241 p_response->response,
1242 p_response->response_n,
1243 LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG,
1244 (LastTimeProxToAirStart + p_response->ProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG,
6a1f2d82 1245 par);
7bc95e2e 1246 }
1247
1248 if (!tracing) {
1249 Dbprintf("Trace Full. Simulation stopped.");
1250 break;
1251 }
1252 }
15c4dc5a 1253
1254 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1255 LED_A_OFF();
1256}
1257
9492e0b0 1258
1259// prepare a delayed transfer. This simply shifts ToSend[] by a number
1260// of bits specified in the delay parameter.
1261void PrepareDelayedTransfer(uint16_t delay)
1262{
1263 uint8_t bitmask = 0;
1264 uint8_t bits_to_shift = 0;
1265 uint8_t bits_shifted = 0;
1266
1267 delay &= 0x07;
1268 if (delay) {
1269 for (uint16_t i = 0; i < delay; i++) {
1270 bitmask |= (0x01 << i);
1271 }
7bc95e2e 1272 ToSend[ToSendMax++] = 0x00;
9492e0b0 1273 for (uint16_t i = 0; i < ToSendMax; i++) {
1274 bits_to_shift = ToSend[i] & bitmask;
1275 ToSend[i] = ToSend[i] >> delay;
1276 ToSend[i] = ToSend[i] | (bits_shifted << (8 - delay));
1277 bits_shifted = bits_to_shift;
1278 }
1279 }
1280}
1281
7bc95e2e 1282
1283//-------------------------------------------------------------------------------------
15c4dc5a 1284// Transmit the command (to the tag) that was placed in ToSend[].
9492e0b0 1285// Parameter timing:
7bc95e2e 1286// if NULL: transfer at next possible time, taking into account
1287// request guard time and frame delay time
1288// if == 0: transfer immediately and return time of transfer
9492e0b0 1289// if != 0: delay transfer until time specified
7bc95e2e 1290//-------------------------------------------------------------------------------------
6a1f2d82 1291static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing)
15c4dc5a 1292{
7bc95e2e 1293
9492e0b0 1294 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1295
7bc95e2e 1296 uint32_t ThisTransferTime = 0;
e30c654b 1297
9492e0b0 1298 if (timing) {
1299 if(*timing == 0) { // Measure time
7bc95e2e 1300 *timing = (GetCountSspClk() + 8) & 0xfffffff8;
9492e0b0 1301 } else {
1302 PrepareDelayedTransfer(*timing & 0x00000007); // Delay transfer (fine tuning - up to 7 MF clock ticks)
1303 }
7bc95e2e 1304 if(MF_DBGLEVEL >= 4 && GetCountSspClk() >= (*timing & 0xfffffff8)) Dbprintf("TransmitFor14443a: Missed timing");
1305 while(GetCountSspClk() < (*timing & 0xfffffff8)); // Delay transfer (multiple of 8 MF clock ticks)
1306 LastTimeProxToAirStart = *timing;
1307 } else {
1308 ThisTransferTime = ((MAX(NextTransferTime, GetCountSspClk()) & 0xfffffff8) + 8);
1309 while(GetCountSspClk() < ThisTransferTime);
1310 LastTimeProxToAirStart = ThisTransferTime;
9492e0b0 1311 }
1312
7bc95e2e 1313 // clear TXRDY
1314 AT91C_BASE_SSC->SSC_THR = SEC_Y;
1315
7bc95e2e 1316 uint16_t c = 0;
9492e0b0 1317 for(;;) {
1318 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1319 AT91C_BASE_SSC->SSC_THR = cmd[c];
1320 c++;
1321 if(c >= len) {
1322 break;
1323 }
1324 }
1325 }
7bc95e2e 1326
1327 NextTransferTime = MAX(NextTransferTime, LastTimeProxToAirStart + REQUEST_GUARD_TIME);
15c4dc5a 1328}
1329
7bc95e2e 1330
15c4dc5a 1331//-----------------------------------------------------------------------------
195af472 1332// Prepare reader command (in bits, support short frames) to send to FPGA
15c4dc5a 1333//-----------------------------------------------------------------------------
6a1f2d82 1334void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, const uint8_t *parity)
15c4dc5a 1335{
7bc95e2e 1336 int i, j;
1337 int last;
1338 uint8_t b;
e30c654b 1339
7bc95e2e 1340 ToSendReset();
e30c654b 1341
7bc95e2e 1342 // Start of Communication (Seq. Z)
1343 ToSend[++ToSendMax] = SEC_Z;
1344 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1345 last = 0;
1346
1347 size_t bytecount = nbytes(bits);
1348 // Generate send structure for the data bits
1349 for (i = 0; i < bytecount; i++) {
1350 // Get the current byte to send
1351 b = cmd[i];
1352 size_t bitsleft = MIN((bits-(i*8)),8);
1353
1354 for (j = 0; j < bitsleft; j++) {
1355 if (b & 1) {
1356 // Sequence X
1357 ToSend[++ToSendMax] = SEC_X;
1358 LastProxToAirDuration = 8 * (ToSendMax+1) - 2;
1359 last = 1;
1360 } else {
1361 if (last == 0) {
1362 // Sequence Z
1363 ToSend[++ToSendMax] = SEC_Z;
1364 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1365 } else {
1366 // Sequence Y
1367 ToSend[++ToSendMax] = SEC_Y;
1368 last = 0;
1369 }
1370 }
1371 b >>= 1;
1372 }
1373
6a1f2d82 1374 // Only transmit parity bit if we transmitted a complete byte
7bc95e2e 1375 if (j == 8) {
1376 // Get the parity bit
6a1f2d82 1377 if (parity[i>>3] & (0x80 >> (i&0x0007))) {
7bc95e2e 1378 // Sequence X
1379 ToSend[++ToSendMax] = SEC_X;
1380 LastProxToAirDuration = 8 * (ToSendMax+1) - 2;
1381 last = 1;
1382 } else {
1383 if (last == 0) {
1384 // Sequence Z
1385 ToSend[++ToSendMax] = SEC_Z;
1386 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1387 } else {
1388 // Sequence Y
1389 ToSend[++ToSendMax] = SEC_Y;
1390 last = 0;
1391 }
1392 }
1393 }
1394 }
e30c654b 1395
7bc95e2e 1396 // End of Communication: Logic 0 followed by Sequence Y
1397 if (last == 0) {
1398 // Sequence Z
1399 ToSend[++ToSendMax] = SEC_Z;
1400 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1401 } else {
1402 // Sequence Y
1403 ToSend[++ToSendMax] = SEC_Y;
1404 last = 0;
1405 }
1406 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1407
7bc95e2e 1408 // Convert to length of command:
1409 ToSendMax++;
15c4dc5a 1410}
1411
195af472 1412//-----------------------------------------------------------------------------
1413// Prepare reader command to send to FPGA
1414//-----------------------------------------------------------------------------
6a1f2d82 1415void CodeIso14443aAsReaderPar(const uint8_t *cmd, uint16_t len, const uint8_t *parity)
195af472 1416{
6a1f2d82 1417 CodeIso14443aBitsAsReaderPar(cmd, len*8, parity);
195af472 1418}
1419
9ca155ba
M
1420//-----------------------------------------------------------------------------
1421// Wait for commands from reader
1422// Stop when button is pressed (return 1) or field was gone (return 2)
1423// Or return 0 when command is captured
1424//-----------------------------------------------------------------------------
6a1f2d82 1425static int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity)
9ca155ba
M
1426{
1427 *len = 0;
1428
1429 uint32_t timer = 0, vtime = 0;
1430 int analogCnt = 0;
1431 int analogAVG = 0;
1432
1433 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1434 // only, since we are receiving, not transmitting).
1435 // Signal field is off with the appropriate LED
1436 LED_D_OFF();
1437 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1438
1439 // Set ADC to read field strength
1440 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
1441 AT91C_BASE_ADC->ADC_MR =
1442 ADC_MODE_PRESCALE(32) |
1443 ADC_MODE_STARTUP_TIME(16) |
1444 ADC_MODE_SAMPLE_HOLD_TIME(8);
1445 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
1446 // start ADC
1447 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1448
1449 // Now run a 'software UART' on the stream of incoming samples.
6a1f2d82 1450 UartInit(received, parity);
7bc95e2e 1451
1452 // Clear RXRDY:
1453 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
9ca155ba
M
1454
1455 for(;;) {
1456 WDT_HIT();
1457
1458 if (BUTTON_PRESS()) return 1;
1459
1460 // test if the field exists
1461 if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
1462 analogCnt++;
1463 analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
1464 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1465 if (analogCnt >= 32) {
1466 if ((33000 * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
1467 vtime = GetTickCount();
1468 if (!timer) timer = vtime;
1469 // 50ms no field --> card to idle state
1470 if (vtime - timer > 50) return 2;
1471 } else
1472 if (timer) timer = 0;
1473 analogCnt = 0;
1474 analogAVG = 0;
1475 }
1476 }
7bc95e2e 1477
9ca155ba 1478 // receive and test the miller decoding
7bc95e2e 1479 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1480 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1481 if(MillerDecoding(b, 0)) {
1482 *len = Uart.len;
9ca155ba
M
1483 return 0;
1484 }
7bc95e2e 1485 }
1486
9ca155ba
M
1487 }
1488}
1489
9ca155ba 1490
6a1f2d82 1491static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNeeded)
7bc95e2e 1492{
1493 uint8_t b;
1494 uint16_t i = 0;
1495 uint32_t ThisTransferTime;
1496
9ca155ba
M
1497 // Modulate Manchester
1498 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
7bc95e2e 1499
1500 // include correction bit if necessary
1501 if (Uart.parityBits & 0x01) {
1502 correctionNeeded = TRUE;
1503 }
1504 if(correctionNeeded) {
9ca155ba
M
1505 // 1236, so correction bit needed
1506 i = 0;
7bc95e2e 1507 } else {
1508 i = 1;
9ca155ba 1509 }
7bc95e2e 1510
d714d3ef 1511 // clear receiving shift register and holding register
7bc95e2e 1512 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
1513 b = AT91C_BASE_SSC->SSC_RHR; (void) b;
1514 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
1515 b = AT91C_BASE_SSC->SSC_RHR; (void) b;
9ca155ba 1516
7bc95e2e 1517 // wait for the FPGA to signal fdt_indicator == 1 (the FPGA is ready to queue new data in its delay line)
1518 for (uint16_t j = 0; j < 5; j++) { // allow timeout - better late than never
1519 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
1520 if (AT91C_BASE_SSC->SSC_RHR) break;
1521 }
1522
1523 while ((ThisTransferTime = GetCountSspClk()) & 0x00000007);
1524
1525 // Clear TXRDY:
1526 AT91C_BASE_SSC->SSC_THR = SEC_F;
1527
9ca155ba 1528 // send cycle
7bc95e2e 1529 for(; i <= respLen; ) {
9ca155ba 1530 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
7bc95e2e 1531 AT91C_BASE_SSC->SSC_THR = resp[i++];
1532 FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
9ca155ba 1533 }
7bc95e2e 1534
9ca155ba
M
1535 if(BUTTON_PRESS()) {
1536 break;
1537 }
1538 }
1539
7bc95e2e 1540 // Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN again:
1541 for (i = 0; i < 2 ; ) {
1542 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1543 AT91C_BASE_SSC->SSC_THR = SEC_F;
1544 FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1545 i++;
1546 }
1547 }
1548
1549 LastTimeProxToAirStart = ThisTransferTime + (correctionNeeded?8:0);
1550
9ca155ba
M
1551 return 0;
1552}
1553
7bc95e2e 1554int EmSend4bitEx(uint8_t resp, bool correctionNeeded){
1555 Code4bitAnswerAsTag(resp);
0a39986e 1556 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
7bc95e2e 1557 // do the tracing for the previous reader request and this tag answer:
6a1f2d82 1558 uint8_t par[1];
1559 GetParity(&resp, 1, par);
7bc95e2e 1560 EmLogTrace(Uart.output,
1561 Uart.len,
1562 Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG,
1563 Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG,
6a1f2d82 1564 Uart.parity,
7bc95e2e 1565 &resp,
1566 1,
1567 LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG,
1568 (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG,
6a1f2d82 1569 par);
0a39986e 1570 return res;
9ca155ba
M
1571}
1572
8f51ddb0 1573int EmSend4bit(uint8_t resp){
7bc95e2e 1574 return EmSend4bitEx(resp, false);
8f51ddb0
M
1575}
1576
6a1f2d82 1577int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, bool correctionNeeded, uint8_t *par){
7bc95e2e 1578 CodeIso14443aAsTagPar(resp, respLen, par);
8f51ddb0 1579 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
7bc95e2e 1580 // do the tracing for the previous reader request and this tag answer:
1581 EmLogTrace(Uart.output,
1582 Uart.len,
1583 Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG,
1584 Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG,
6a1f2d82 1585 Uart.parity,
7bc95e2e 1586 resp,
1587 respLen,
1588 LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG,
1589 (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG,
6a1f2d82 1590 par);
8f51ddb0
M
1591 return res;
1592}
1593
6a1f2d82 1594int EmSendCmdEx(uint8_t *resp, uint16_t respLen, bool correctionNeeded){
1595 uint8_t par[MAX_PARITY_SIZE];
1596 GetParity(resp, respLen, par);
1597 return EmSendCmdExPar(resp, respLen, correctionNeeded, par);
8f51ddb0
M
1598}
1599
6a1f2d82 1600int EmSendCmd(uint8_t *resp, uint16_t respLen){
1601 uint8_t par[MAX_PARITY_SIZE];
1602 GetParity(resp, respLen, par);
1603 return EmSendCmdExPar(resp, respLen, false, par);
8f51ddb0
M
1604}
1605
6a1f2d82 1606int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par){
7bc95e2e 1607 return EmSendCmdExPar(resp, respLen, false, par);
1608}
1609
6a1f2d82 1610bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity,
1611 uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint8_t *tag_Parity)
7bc95e2e 1612{
1613 if (tracing) {
1614 // we cannot exactly measure the end and start of a received command from reader. However we know that the delay from
1615 // end of the received command to start of the tag's (simulated by us) answer is n*128+20 or n*128+84 resp.
1616 // with n >= 9. The start of the tags answer can be measured and therefore the end of the received command be calculated:
1617 uint16_t reader_modlen = reader_EndTime - reader_StartTime;
1618 uint16_t approx_fdt = tag_StartTime - reader_EndTime;
1619 uint16_t exact_fdt = (approx_fdt - 20 + 32)/64 * 64 + 20;
1620 reader_EndTime = tag_StartTime - exact_fdt;
1621 reader_StartTime = reader_EndTime - reader_modlen;
6a1f2d82 1622 if (!LogTrace(reader_data, reader_len, reader_StartTime, reader_EndTime, reader_Parity, TRUE)) {
7bc95e2e 1623 return FALSE;
6a1f2d82 1624 } else return(!LogTrace(tag_data, tag_len, tag_StartTime, tag_EndTime, tag_Parity, FALSE));
7bc95e2e 1625 } else {
1626 return TRUE;
1627 }
9ca155ba
M
1628}
1629
15c4dc5a 1630//-----------------------------------------------------------------------------
1631// Wait a certain time for tag response
1632// If a response is captured return TRUE
e691fc45 1633// If it takes too long return FALSE
15c4dc5a 1634//-----------------------------------------------------------------------------
6a1f2d82 1635static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receivedResponsePar, uint16_t offset)
15c4dc5a 1636{
52bfb955 1637 uint32_t c;
e691fc45 1638
15c4dc5a 1639 // Set FPGA mode to "reader listen mode", no modulation (listen
534983d7 1640 // only, since we are receiving, not transmitting).
1641 // Signal field is on with the appropriate LED
1642 LED_D_ON();
1643 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1c611bbd 1644
534983d7 1645 // Now get the answer from the card
6a1f2d82 1646 DemodInit(receivedResponse, receivedResponsePar);
15c4dc5a 1647
7bc95e2e 1648 // clear RXRDY:
1649 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1650
15c4dc5a 1651 c = 0;
1652 for(;;) {
534983d7 1653 WDT_HIT();
15c4dc5a 1654
534983d7 1655 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
534983d7 1656 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
7bc95e2e 1657 if(ManchesterDecoding(b, offset, 0)) {
1658 NextTransferTime = MAX(NextTransferTime, Demod.endTime - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/16 + FRAME_DELAY_TIME_PICC_TO_PCD);
15c4dc5a 1659 return TRUE;
6a1f2d82 1660 } else if (c++ > iso14a_timeout) {
7bc95e2e 1661 return FALSE;
15c4dc5a 1662 }
534983d7 1663 }
1664 }
15c4dc5a 1665}
1666
6a1f2d82 1667void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing)
15c4dc5a 1668{
6a1f2d82 1669 CodeIso14443aBitsAsReaderPar(frame, bits, par);
dfc3c505 1670
7bc95e2e 1671 // Send command to tag
1672 TransmitFor14443a(ToSend, ToSendMax, timing);
1673 if(trigger)
1674 LED_A_ON();
dfc3c505 1675
7bc95e2e 1676 // Log reader command in trace buffer
1677 if (tracing) {
6a1f2d82 1678 LogTrace(frame, nbytes(bits), LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_READER, (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_READER, par, TRUE);
7bc95e2e 1679 }
15c4dc5a 1680}
1681
6a1f2d82 1682void ReaderTransmitPar(uint8_t* frame, uint16_t len, uint8_t *par, uint32_t *timing)
dfc3c505 1683{
6a1f2d82 1684 ReaderTransmitBitsPar(frame, len*8, par, timing);
dfc3c505 1685}
15c4dc5a 1686
6a1f2d82 1687void ReaderTransmitBits(uint8_t* frame, uint16_t len, uint32_t *timing)
e691fc45 1688{
1689 // Generate parity and redirect
6a1f2d82 1690 uint8_t par[MAX_PARITY_SIZE];
1691 GetParity(frame, len/8, par);
1692 ReaderTransmitBitsPar(frame, len, par, timing);
e691fc45 1693}
1694
6a1f2d82 1695void ReaderTransmit(uint8_t* frame, uint16_t len, uint32_t *timing)
15c4dc5a 1696{
1697 // Generate parity and redirect
6a1f2d82 1698 uint8_t par[MAX_PARITY_SIZE];
1699 GetParity(frame, len, par);
1700 ReaderTransmitBitsPar(frame, len*8, par, timing);
15c4dc5a 1701}
1702
6a1f2d82 1703int ReaderReceiveOffset(uint8_t* receivedAnswer, uint16_t offset, uint8_t *parity)
e691fc45 1704{
6a1f2d82 1705 if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, offset)) return FALSE;
7bc95e2e 1706 if (tracing) {
6a1f2d82 1707 LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE);
7bc95e2e 1708 }
e691fc45 1709 return Demod.len;
1710}
1711
6a1f2d82 1712int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity)
15c4dc5a 1713{
6a1f2d82 1714 if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, 0)) return FALSE;
7bc95e2e 1715 if (tracing) {
6a1f2d82 1716 LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE);
7bc95e2e 1717 }
e691fc45 1718 return Demod.len;
f89c7050
M
1719}
1720
e691fc45 1721/* performs iso14443a anticollision procedure
534983d7 1722 * fills the uid pointer unless NULL
1723 * fills resp_data unless NULL */
6a1f2d82 1724int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr) {
1725 uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
1726 uint8_t sel_all[] = { 0x93,0x20 };
1727 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
1728 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
1729 uint8_t *resp = ((uint8_t *)BigBuf) + RECV_RESP_OFFSET;
1730 uint8_t *resp_par = ((uint8_t *)BigBuf) + RECV_RESP_PAR_OFFSET;
1731 byte_t uid_resp[4];
1732 size_t uid_resp_len;
1733
1734 uint8_t sak = 0x04; // cascade uid
1735 int cascade_level = 0;
1736 int len;
1737
1738 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
9492e0b0 1739 ReaderTransmitBitsPar(wupa,7,0, NULL);
7bc95e2e 1740
6a1f2d82 1741 // Receive the ATQA
1742 if(!ReaderReceive(resp, resp_par)) return 0;
6a1f2d82 1743
1744 if(p_hi14a_card) {
1745 memcpy(p_hi14a_card->atqa, resp, 2);
1746 p_hi14a_card->uidlen = 0;
1747 memset(p_hi14a_card->uid,0,10);
1748 }
5f6d6c90 1749
6a1f2d82 1750 // clear uid
1751 if (uid_ptr) {
1752 memset(uid_ptr,0,10);
1753 }
79a73ab2 1754
6a1f2d82 1755 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
1756 // which case we need to make a cascade 2 request and select - this is a long UID
1757 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1758 for(; sak & 0x04; cascade_level++) {
1759 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1760 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1761
1762 // SELECT_ALL
1763 ReaderTransmit(sel_all, sizeof(sel_all), NULL);
1764 if (!ReaderReceive(resp, resp_par)) return 0;
1765
1766 if (Demod.collisionPos) { // we had a collision and need to construct the UID bit by bit
1767 memset(uid_resp, 0, 4);
1768 uint16_t uid_resp_bits = 0;
1769 uint16_t collision_answer_offset = 0;
1770 // anti-collision-loop:
1771 while (Demod.collisionPos) {
1772 Dbprintf("Multiple tags detected. Collision after Bit %d", Demod.collisionPos);
1773 for (uint16_t i = collision_answer_offset; i < Demod.collisionPos; i++, uid_resp_bits++) { // add valid UID bits before collision point
1774 uint16_t UIDbit = (resp[i/8] >> (i % 8)) & 0x01;
758f1fd1 1775 uid_resp[uid_resp_bits / 8] |= UIDbit << (uid_resp_bits % 8);
6a1f2d82 1776 }
1777 uid_resp[uid_resp_bits/8] |= 1 << (uid_resp_bits % 8); // next time select the card(s) with a 1 in the collision position
1778 uid_resp_bits++;
1779 // construct anticollosion command:
1780 sel_uid[1] = ((2 + uid_resp_bits/8) << 4) | (uid_resp_bits & 0x07); // length of data in bytes and bits
1781 for (uint16_t i = 0; i <= uid_resp_bits/8; i++) {
1782 sel_uid[2+i] = uid_resp[i];
1783 }
1784 collision_answer_offset = uid_resp_bits%8;
1785 ReaderTransmitBits(sel_uid, 16 + uid_resp_bits, NULL);
1786 if (!ReaderReceiveOffset(resp, collision_answer_offset, resp_par)) return 0;
e691fc45 1787 }
6a1f2d82 1788 // finally, add the last bits and BCC of the UID
1789 for (uint16_t i = collision_answer_offset; i < (Demod.len-1)*8; i++, uid_resp_bits++) {
1790 uint16_t UIDbit = (resp[i/8] >> (i%8)) & 0x01;
1791 uid_resp[uid_resp_bits/8] |= UIDbit << (uid_resp_bits % 8);
e691fc45 1792 }
e691fc45 1793
6a1f2d82 1794 } else { // no collision, use the response to SELECT_ALL as current uid
1795 memcpy(uid_resp, resp, 4);
1796 }
1797 uid_resp_len = 4;
5f6d6c90 1798
6a1f2d82 1799 // calculate crypto UID. Always use last 4 Bytes.
1800 if(cuid_ptr) {
1801 *cuid_ptr = bytes_to_num(uid_resp, 4);
1802 }
e30c654b 1803
6a1f2d82 1804 // Construct SELECT UID command
1805 sel_uid[1] = 0x70; // transmitting a full UID (1 Byte cmd, 1 Byte NVB, 4 Byte UID, 1 Byte BCC, 2 Bytes CRC)
1806 memcpy(sel_uid+2, uid_resp, 4); // the UID
1807 sel_uid[6] = sel_uid[2] ^ sel_uid[3] ^ sel_uid[4] ^ sel_uid[5]; // calculate and add BCC
1808 AppendCrc14443a(sel_uid, 7); // calculate and add CRC
1809 ReaderTransmit(sel_uid, sizeof(sel_uid), NULL);
1810
1811 // Receive the SAK
1812 if (!ReaderReceive(resp, resp_par)) return 0;
1813 sak = resp[0];
1814
52ab55ab 1815 // Test if more parts of the uid are coming
6a1f2d82 1816 if ((sak & 0x04) /* && uid_resp[0] == 0x88 */) {
1817 // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
1818 // http://www.nxp.com/documents/application_note/AN10927.pdf
6a1f2d82 1819 uid_resp[0] = uid_resp[1];
1820 uid_resp[1] = uid_resp[2];
1821 uid_resp[2] = uid_resp[3];
1822
1823 uid_resp_len = 3;
1824 }
5f6d6c90 1825
6a1f2d82 1826 if(uid_ptr) {
1827 memcpy(uid_ptr + (cascade_level*3), uid_resp, uid_resp_len);
1828 }
5f6d6c90 1829
6a1f2d82 1830 if(p_hi14a_card) {
1831 memcpy(p_hi14a_card->uid + (cascade_level*3), uid_resp, uid_resp_len);
1832 p_hi14a_card->uidlen += uid_resp_len;
1833 }
1834 }
79a73ab2 1835
6a1f2d82 1836 if(p_hi14a_card) {
1837 p_hi14a_card->sak = sak;
1838 p_hi14a_card->ats_len = 0;
1839 }
534983d7 1840
3fe4ff4f 1841 // non iso14443a compliant tag
1842 if( (sak & 0x20) == 0) return 2;
534983d7 1843
6a1f2d82 1844 // Request for answer to select
1845 AppendCrc14443a(rats, 2);
1846 ReaderTransmit(rats, sizeof(rats), NULL);
1c611bbd 1847
6a1f2d82 1848 if (!(len = ReaderReceive(resp, resp_par))) return 0;
5191b3d1 1849
3fe4ff4f 1850
6a1f2d82 1851 if(p_hi14a_card) {
1852 memcpy(p_hi14a_card->ats, resp, sizeof(p_hi14a_card->ats));
1853 p_hi14a_card->ats_len = len;
1854 }
5f6d6c90 1855
6a1f2d82 1856 // reset the PCB block number
1857 iso14_pcb_blocknum = 0;
6a1f2d82 1858 return 1;
7e758047 1859}
15c4dc5a 1860
7bc95e2e 1861void iso14443a_setup(uint8_t fpga_minor_mode) {
7cc204bf 1862 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
9492e0b0 1863 // Set up the synchronous serial port
1864 FpgaSetupSsc();
7bc95e2e 1865 // connect Demodulated Signal to ADC:
7e758047 1866 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
e30c654b 1867
7e758047 1868 // Signal field is on with the appropriate LED
7bc95e2e 1869 if (fpga_minor_mode == FPGA_HF_ISO14443A_READER_MOD
1870 || fpga_minor_mode == FPGA_HF_ISO14443A_READER_LISTEN) {
1871 LED_D_ON();
1872 } else {
1873 LED_D_OFF();
1874 }
1875 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | fpga_minor_mode);
534983d7 1876
7bc95e2e 1877 // Start the timer
1878 StartCountSspClk();
1879
1880 DemodReset();
1881 UartReset();
1882 NextTransferTime = 2*DELAY_ARM2AIR_AS_READER;
1883 iso14a_set_timeout(1050); // 10ms default
7e758047 1884}
15c4dc5a 1885
6a1f2d82 1886int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
1887 uint8_t parity[MAX_PARITY_SIZE];
534983d7 1888 uint8_t real_cmd[cmd_len+4];
1889 real_cmd[0] = 0x0a; //I-Block
b0127e65 1890 // put block number into the PCB
1891 real_cmd[0] |= iso14_pcb_blocknum;
534983d7 1892 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1893 memcpy(real_cmd+2, cmd, cmd_len);
1894 AppendCrc14443a(real_cmd,cmd_len+2);
1895
9492e0b0 1896 ReaderTransmit(real_cmd, cmd_len+4, NULL);
6a1f2d82 1897 size_t len = ReaderReceive(data, parity);
1898 uint8_t *data_bytes = (uint8_t *) data;
b0127e65 1899 if (!len)
1900 return 0; //DATA LINK ERROR
1901 // if we received an I- or R(ACK)-Block with a block number equal to the
1902 // current block number, toggle the current block number
1903 else if (len >= 4 // PCB+CID+CRC = 4 bytes
1904 && ((data_bytes[0] & 0xC0) == 0 // I-Block
1905 || (data_bytes[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
1906 && (data_bytes[0] & 0x01) == iso14_pcb_blocknum) // equal block numbers
1907 {
1908 iso14_pcb_blocknum ^= 1;
1909 }
1910
534983d7 1911 return len;
1912}
1913
7e758047 1914//-----------------------------------------------------------------------------
1915// Read an ISO 14443a tag. Send out commands and store answers.
1916//
1917//-----------------------------------------------------------------------------
7bc95e2e 1918void ReaderIso14443a(UsbCommand *c)
7e758047 1919{
534983d7 1920 iso14a_command_t param = c->arg[0];
7bc95e2e 1921 uint8_t *cmd = c->d.asBytes;
534983d7 1922 size_t len = c->arg[1];
5f6d6c90 1923 size_t lenbits = c->arg[2];
9492e0b0 1924 uint32_t arg0 = 0;
1925 byte_t buf[USB_CMD_DATA_SIZE];
6a1f2d82 1926 uint8_t par[MAX_PARITY_SIZE];
902cb3c0 1927
5f6d6c90 1928 if(param & ISO14A_CONNECT) {
1929 iso14a_clear_trace();
1930 }
e691fc45 1931
7bc95e2e 1932 iso14a_set_tracing(TRUE);
e30c654b 1933
79a73ab2 1934 if(param & ISO14A_REQUEST_TRIGGER) {
7bc95e2e 1935 iso14a_set_trigger(TRUE);
9492e0b0 1936 }
15c4dc5a 1937
534983d7 1938 if(param & ISO14A_CONNECT) {
7bc95e2e 1939 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
5f6d6c90 1940 if(!(param & ISO14A_NO_SELECT)) {
1941 iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
1942 arg0 = iso14443a_select_card(NULL,card,NULL);
1943 cmd_send(CMD_ACK,arg0,card->uidlen,0,buf,sizeof(iso14a_card_select_t));
1944 }
534983d7 1945 }
e30c654b 1946
534983d7 1947 if(param & ISO14A_SET_TIMEOUT) {
3fe4ff4f 1948 iso14a_set_timeout(c->arg[2]);
534983d7 1949 }
e30c654b 1950
534983d7 1951 if(param & ISO14A_APDU) {
902cb3c0 1952 arg0 = iso14_apdu(cmd, len, buf);
79a73ab2 1953 cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
534983d7 1954 }
e30c654b 1955
534983d7 1956 if(param & ISO14A_RAW) {
1957 if(param & ISO14A_APPEND_CRC) {
1958 AppendCrc14443a(cmd,len);
1959 len += 2;
c7324bef 1960 if (lenbits) lenbits += 16;
15c4dc5a 1961 }
5f6d6c90 1962 if(lenbits>0) {
6a1f2d82 1963 GetParity(cmd, lenbits/8, par);
1964 ReaderTransmitBitsPar(cmd, lenbits, par, NULL);
5f6d6c90 1965 } else {
1966 ReaderTransmit(cmd,len, NULL);
1967 }
6a1f2d82 1968 arg0 = ReaderReceive(buf, par);
9492e0b0 1969 cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
534983d7 1970 }
15c4dc5a 1971
79a73ab2 1972 if(param & ISO14A_REQUEST_TRIGGER) {
7bc95e2e 1973 iso14a_set_trigger(FALSE);
9492e0b0 1974 }
15c4dc5a 1975
79a73ab2 1976 if(param & ISO14A_NO_DISCONNECT) {
534983d7 1977 return;
9492e0b0 1978 }
15c4dc5a 1979
15c4dc5a 1980 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1981 LEDsoff();
15c4dc5a 1982}
b0127e65 1983
1c611bbd 1984
1c611bbd 1985// Determine the distance between two nonces.
1986// Assume that the difference is small, but we don't know which is first.
1987// Therefore try in alternating directions.
1988int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
1989
1990 uint16_t i;
1991 uint32_t nttmp1, nttmp2;
e772353f 1992
1c611bbd 1993 if (nt1 == nt2) return 0;
1994
1995 nttmp1 = nt1;
1996 nttmp2 = nt2;
1997
1998 for (i = 1; i < 32768; i++) {
1999 nttmp1 = prng_successor(nttmp1, 1);
2000 if (nttmp1 == nt2) return i;
2001 nttmp2 = prng_successor(nttmp2, 1);
2002 if (nttmp2 == nt1) return -i;
2003 }
2004
2005 return(-99999); // either nt1 or nt2 are invalid nonces
e772353f 2006}
2007
e772353f 2008
1c611bbd 2009//-----------------------------------------------------------------------------
2010// Recover several bits of the cypher stream. This implements (first stages of)
2011// the algorithm described in "The Dark Side of Security by Obscurity and
2012// Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
2013// (article by Nicolas T. Courtois, 2009)
2014//-----------------------------------------------------------------------------
2015void ReaderMifare(bool first_try)
2016{
2017 // Mifare AUTH
2018 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
2019 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
2020 static uint8_t mf_nr_ar3;
e772353f 2021
6a1f2d82 2022 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);
2023 uint8_t* receivedAnswerPar = (((uint8_t *)BigBuf) + RECV_RESP_PAR_OFFSET);
7bc95e2e 2024
d2f487af 2025 iso14a_clear_trace();
7bc95e2e 2026 iso14a_set_tracing(TRUE);
e772353f 2027
1c611bbd 2028 byte_t nt_diff = 0;
6a1f2d82 2029 uint8_t par[1] = {0}; // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
1c611bbd 2030 static byte_t par_low = 0;
2031 bool led_on = TRUE;
ca4714cd 2032 uint8_t uid[10] ={0};
1c611bbd 2033 uint32_t cuid;
e772353f 2034
6a1f2d82 2035 uint32_t nt = 0;
2ed270a8 2036 uint32_t previous_nt = 0;
1c611bbd 2037 static uint32_t nt_attacked = 0;
3fe4ff4f 2038 byte_t par_list[8] = {0x00};
2039 byte_t ks_list[8] = {0x00};
e772353f 2040
1c611bbd 2041 static uint32_t sync_time;
2042 static uint32_t sync_cycles;
2043 int catch_up_cycles = 0;
2044 int last_catch_up = 0;
2045 uint16_t consecutive_resyncs = 0;
2046 int isOK = 0;
e772353f 2047
1c611bbd 2048 if (first_try) {
1c611bbd 2049 mf_nr_ar3 = 0;
7bc95e2e 2050 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
2051 sync_time = GetCountSspClk() & 0xfffffff8;
1c611bbd 2052 sync_cycles = 65536; // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).
2053 nt_attacked = 0;
2054 nt = 0;
6a1f2d82 2055 par[0] = 0;
1c611bbd 2056 }
2057 else {
2058 // we were unsuccessful on a previous call. Try another READER nonce (first 3 parity bits remain the same)
1c611bbd 2059 mf_nr_ar3++;
2060 mf_nr_ar[3] = mf_nr_ar3;
6a1f2d82 2061 par[0] = par_low;
1c611bbd 2062 }
e30c654b 2063
15c4dc5a 2064 LED_A_ON();
2065 LED_B_OFF();
2066 LED_C_OFF();
1c611bbd 2067
7bc95e2e 2068
1c611bbd 2069 for(uint16_t i = 0; TRUE; i++) {
2070
2071 WDT_HIT();
e30c654b 2072
1c611bbd 2073 // Test if the action was cancelled
2074 if(BUTTON_PRESS()) {
2075 break;
2076 }
2077
2078 LED_C_ON();
e30c654b 2079
1c611bbd 2080 if(!iso14443a_select_card(uid, NULL, &cuid)) {
9492e0b0 2081 if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Can't select card");
1c611bbd 2082 continue;
2083 }
2084
9492e0b0 2085 sync_time = (sync_time & 0xfffffff8) + sync_cycles + catch_up_cycles;
1c611bbd 2086 catch_up_cycles = 0;
2087
2088 // if we missed the sync time already, advance to the next nonce repeat
7bc95e2e 2089 while(GetCountSspClk() > sync_time) {
9492e0b0 2090 sync_time = (sync_time & 0xfffffff8) + sync_cycles;
1c611bbd 2091 }
e30c654b 2092
9492e0b0 2093 // Transmit MIFARE_CLASSIC_AUTH at synctime. Should result in returning the same tag nonce (== nt_attacked)
2094 ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);
f89c7050 2095
1c611bbd 2096 // Receive the (4 Byte) "random" nonce
6a1f2d82 2097 if (!ReaderReceive(receivedAnswer, receivedAnswerPar)) {
9492e0b0 2098 if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Couldn't receive tag nonce");
1c611bbd 2099 continue;
2100 }
2101
1c611bbd 2102 previous_nt = nt;
2103 nt = bytes_to_num(receivedAnswer, 4);
2104
2105 // Transmit reader nonce with fake par
9492e0b0 2106 ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par, NULL);
1c611bbd 2107
2108 if (first_try && previous_nt && !nt_attacked) { // we didn't calibrate our clock yet
2109 int nt_distance = dist_nt(previous_nt, nt);
2110 if (nt_distance == 0) {
2111 nt_attacked = nt;
2112 }
2113 else {
2114 if (nt_distance == -99999) { // invalid nonce received, try again
2115 continue;
2116 }
2117 sync_cycles = (sync_cycles - nt_distance);
9492e0b0 2118 if (MF_DBGLEVEL >= 3) Dbprintf("calibrating in cycle %d. nt_distance=%d, Sync_cycles: %d\n", i, nt_distance, sync_cycles);
1c611bbd 2119 continue;
2120 }
2121 }
2122
2123 if ((nt != nt_attacked) && nt_attacked) { // we somehow lost sync. Try to catch up again...
2124 catch_up_cycles = -dist_nt(nt_attacked, nt);
2125 if (catch_up_cycles == 99999) { // invalid nonce received. Don't resync on that one.
2126 catch_up_cycles = 0;
2127 continue;
2128 }
2129 if (catch_up_cycles == last_catch_up) {
2130 consecutive_resyncs++;
2131 }
2132 else {
2133 last_catch_up = catch_up_cycles;
2134 consecutive_resyncs = 0;
2135 }
2136 if (consecutive_resyncs < 3) {
9492e0b0 2137 if (MF_DBGLEVEL >= 3) Dbprintf("Lost sync in cycle %d. nt_distance=%d. Consecutive Resyncs = %d. Trying one time catch up...\n", i, -catch_up_cycles, consecutive_resyncs);
1c611bbd 2138 }
2139 else {
2140 sync_cycles = sync_cycles + catch_up_cycles;
9492e0b0 2141 if (MF_DBGLEVEL >= 3) Dbprintf("Lost sync in cycle %d for the fourth time consecutively (nt_distance = %d). Adjusting sync_cycles to %d.\n", i, -catch_up_cycles, sync_cycles);
1c611bbd 2142 }
2143 continue;
2144 }
2145
2146 consecutive_resyncs = 0;
2147
2148 // Receive answer. This will be a 4 Bit NACK when the 8 parity bits are OK after decoding
6a1f2d82 2149 if (ReaderReceive(receivedAnswer, receivedAnswerPar))
1c611bbd 2150 {
9492e0b0 2151 catch_up_cycles = 8; // the PRNG is delayed by 8 cycles due to the NAC (4Bits = 0x05 encrypted) transfer
1c611bbd 2152
2153 if (nt_diff == 0)
2154 {
6a1f2d82 2155 par_low = par[0] & 0xE0; // there is no need to check all parities for other nt_diff. Parity Bits for mf_nr_ar[0..2] won't change
1c611bbd 2156 }
2157
2158 led_on = !led_on;
2159 if(led_on) LED_B_ON(); else LED_B_OFF();
2160
6a1f2d82 2161 par_list[nt_diff] = SwapBits(par[0], 8);
1c611bbd 2162 ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
2163
2164 // Test if the information is complete
2165 if (nt_diff == 0x07) {
2166 isOK = 1;
2167 break;
2168 }
2169
2170 nt_diff = (nt_diff + 1) & 0x07;
2171 mf_nr_ar[3] = (mf_nr_ar[3] & 0x1F) | (nt_diff << 5);
6a1f2d82 2172 par[0] = par_low;
1c611bbd 2173 } else {
2174 if (nt_diff == 0 && first_try)
2175 {
6a1f2d82 2176 par[0]++;
1c611bbd 2177 } else {
6a1f2d82 2178 par[0] = ((par[0] & 0x1F) + 1) | par_low;
1c611bbd 2179 }
2180 }
2181 }
2182
1c611bbd 2183
2184 mf_nr_ar[3] &= 0x1F;
2185
2186 byte_t buf[28];
2187 memcpy(buf + 0, uid, 4);
2188 num_to_bytes(nt, 4, buf + 4);
2189 memcpy(buf + 8, par_list, 8);
2190 memcpy(buf + 16, ks_list, 8);
2191 memcpy(buf + 24, mf_nr_ar, 4);
2192
2193 cmd_send(CMD_ACK,isOK,0,0,buf,28);
2194
2195 // Thats it...
2196 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2197 LEDsoff();
7bc95e2e 2198
2199 iso14a_set_tracing(FALSE);
20f9a2a1 2200}
1c611bbd 2201
d2f487af 2202/**
2203 *MIFARE 1K simulate.
2204 *
2205 *@param flags :
2206 * FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
2207 * 4B_FLAG_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that
2208 * 7B_FLAG_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
2209 * FLAG_NR_AR_ATTACK - means we should collect NR_AR responses for bruteforcing later
2210 *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is inifite
2211 */
2212void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain)
20f9a2a1 2213{
50193c1e 2214 int cardSTATE = MFEMUL_NOFIELD;
8556b852 2215 int _7BUID = 0;
9ca155ba 2216 int vHf = 0; // in mV
8f51ddb0 2217 int res;
0a39986e
M
2218 uint32_t selTimer = 0;
2219 uint32_t authTimer = 0;
6a1f2d82 2220 uint16_t len = 0;
8f51ddb0 2221 uint8_t cardWRBL = 0;
9ca155ba
M
2222 uint8_t cardAUTHSC = 0;
2223 uint8_t cardAUTHKEY = 0xff; // no authentication
51969283 2224 uint32_t cardRr = 0;
9ca155ba 2225 uint32_t cuid = 0;
d2f487af 2226 //uint32_t rn_enc = 0;
51969283 2227 uint32_t ans = 0;
0014cb46
M
2228 uint32_t cardINTREG = 0;
2229 uint8_t cardINTBLOCK = 0;
9ca155ba
M
2230 struct Crypto1State mpcs = {0, 0};
2231 struct Crypto1State *pcs;
2232 pcs = &mpcs;
d2f487af 2233 uint32_t numReads = 0;//Counts numer of times reader read a block
6a1f2d82 2234 uint8_t* receivedCmd = get_bigbufptr_recvcmdbuf();
2235 uint8_t* receivedCmd_par = receivedCmd + MAX_FRAME_SIZE;
2236 uint8_t* response = get_bigbufptr_recvrespbuf();
2237 uint8_t* response_par = response + MAX_FRAME_SIZE;
9ca155ba 2238
d2f487af 2239 uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
2240 uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
2241 uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
2242 uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
2243 uint8_t rSAK1[] = {0x04, 0xda, 0x17};
9ca155ba 2244
d2f487af 2245 uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
2246 uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
7bc95e2e 2247
d2f487af 2248 //Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2
2249 // This can be used in a reader-only attack.
2250 // (it can also be retrieved via 'hf 14a list', but hey...
2251 uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0};
2252 uint8_t ar_nr_collected = 0;
0014cb46 2253
0a39986e 2254 // clear trace
7bc95e2e 2255 iso14a_clear_trace();
2256 iso14a_set_tracing(TRUE);
51969283 2257
7bc95e2e 2258 // Authenticate response - nonce
51969283 2259 uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
7bc95e2e 2260
d2f487af 2261 //-- Determine the UID
2262 // Can be set from emulator memory, incoming data
2263 // and can be 7 or 4 bytes long
7bc95e2e 2264 if (flags & FLAG_4B_UID_IN_DATA)
d2f487af 2265 {
2266 // 4B uid comes from data-portion of packet
2267 memcpy(rUIDBCC1,datain,4);
8556b852 2268 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
8556b852 2269
7bc95e2e 2270 } else if (flags & FLAG_7B_UID_IN_DATA) {
d2f487af 2271 // 7B uid comes from data-portion of packet
2272 memcpy(&rUIDBCC1[1],datain,3);
2273 memcpy(rUIDBCC2, datain+3, 4);
2274 _7BUID = true;
7bc95e2e 2275 } else {
d2f487af 2276 // get UID from emul memory
2277 emlGetMemBt(receivedCmd, 7, 1);
2278 _7BUID = !(receivedCmd[0] == 0x00);
2279 if (!_7BUID) { // ---------- 4BUID
2280 emlGetMemBt(rUIDBCC1, 0, 4);
2281 } else { // ---------- 7BUID
2282 emlGetMemBt(&rUIDBCC1[1], 0, 3);
2283 emlGetMemBt(rUIDBCC2, 3, 4);
2284 }
2285 }
7bc95e2e 2286
d2f487af 2287 /*
2288 * Regardless of what method was used to set the UID, set fifth byte and modify
2289 * the ATQA for 4 or 7-byte UID
2290 */
d2f487af 2291 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
7bc95e2e 2292 if (_7BUID) {
d2f487af 2293 rATQA[0] = 0x44;
8556b852 2294 rUIDBCC1[0] = 0x88;
8556b852
M
2295 rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
2296 }
2297
9ca155ba 2298 // We need to listen to the high-frequency, peak-detected path.
7bc95e2e 2299 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
9ca155ba 2300
9ca155ba 2301
d2f487af 2302 if (MF_DBGLEVEL >= 1) {
2303 if (!_7BUID) {
b03c0f2d 2304 Dbprintf("4B UID: %02x%02x%02x%02x",
2305 rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3]);
7bc95e2e 2306 } else {
b03c0f2d 2307 Dbprintf("7B UID: (%02x)%02x%02x%02x%02x%02x%02x%02x",
2308 rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3],
2309 rUIDBCC2[0], rUIDBCC2[1] ,rUIDBCC2[2], rUIDBCC2[3]);
d2f487af 2310 }
2311 }
7bc95e2e 2312
2313 bool finished = FALSE;
d2f487af 2314 while (!BUTTON_PRESS() && !finished) {
9ca155ba 2315 WDT_HIT();
9ca155ba
M
2316
2317 // find reader field
2318 // Vref = 3300mV, and an 10:1 voltage divider on the input
2319 // can measure voltages up to 33000 mV
2320 if (cardSTATE == MFEMUL_NOFIELD) {
2321 vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
2322 if (vHf > MF_MINFIELDV) {
0014cb46 2323 cardSTATE_TO_IDLE();
9ca155ba
M
2324 LED_A_ON();
2325 }
2326 }
d2f487af 2327 if(cardSTATE == MFEMUL_NOFIELD) continue;
9ca155ba 2328
d2f487af 2329 //Now, get data
2330
6a1f2d82 2331 res = EmGetCmd(receivedCmd, &len, receivedCmd_par);
d2f487af 2332 if (res == 2) { //Field is off!
2333 cardSTATE = MFEMUL_NOFIELD;
2334 LEDsoff();
2335 continue;
7bc95e2e 2336 } else if (res == 1) {
2337 break; //return value 1 means button press
2338 }
2339
d2f487af 2340 // REQ or WUP request in ANY state and WUP in HALTED state
2341 if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
2342 selTimer = GetTickCount();
2343 EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
2344 cardSTATE = MFEMUL_SELECT1;
2345
2346 // init crypto block
2347 LED_B_OFF();
2348 LED_C_OFF();
2349 crypto1_destroy(pcs);
2350 cardAUTHKEY = 0xff;
2351 continue;
0a39986e 2352 }
7bc95e2e 2353
50193c1e 2354 switch (cardSTATE) {
d2f487af 2355 case MFEMUL_NOFIELD:
2356 case MFEMUL_HALTED:
50193c1e 2357 case MFEMUL_IDLE:{
6a1f2d82 2358 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
50193c1e
M
2359 break;
2360 }
2361 case MFEMUL_SELECT1:{
9ca155ba
M
2362 // select all
2363 if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
d2f487af 2364 if (MF_DBGLEVEL >= 4) Dbprintf("SELECT ALL received");
9ca155ba 2365 EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
0014cb46 2366 break;
9ca155ba
M
2367 }
2368
d2f487af 2369 if (MF_DBGLEVEL >= 4 && len == 9 && receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 )
2370 {
2371 Dbprintf("SELECT %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
2372 }
9ca155ba 2373 // select card
0a39986e
M
2374 if (len == 9 &&
2375 (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
bfb6a143 2376 EmSendCmd(_7BUID?rSAK1:rSAK, _7BUID?sizeof(rSAK1):sizeof(rSAK));
9ca155ba 2377 cuid = bytes_to_num(rUIDBCC1, 4);
8556b852
M
2378 if (!_7BUID) {
2379 cardSTATE = MFEMUL_WORK;
0014cb46
M
2380 LED_B_ON();
2381 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
2382 break;
8556b852
M
2383 } else {
2384 cardSTATE = MFEMUL_SELECT2;
8556b852 2385 }
9ca155ba 2386 }
50193c1e
M
2387 break;
2388 }
d2f487af 2389 case MFEMUL_AUTH1:{
2390 if( len != 8)
2391 {
2392 cardSTATE_TO_IDLE();
6a1f2d82 2393 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
d2f487af 2394 break;
2395 }
2396 uint32_t ar = bytes_to_num(receivedCmd, 4);
6a1f2d82 2397 uint32_t nr = bytes_to_num(&receivedCmd[4], 4);
d2f487af 2398
2399 //Collect AR/NR
2400 if(ar_nr_collected < 2){
273b57a7 2401 if(ar_nr_responses[2] != ar)
2402 {// Avoid duplicates... probably not necessary, ar should vary.
d2f487af 2403 ar_nr_responses[ar_nr_collected*4] = cuid;
2404 ar_nr_responses[ar_nr_collected*4+1] = nonce;
2405 ar_nr_responses[ar_nr_collected*4+2] = ar;
2406 ar_nr_responses[ar_nr_collected*4+3] = nr;
273b57a7 2407 ar_nr_collected++;
d2f487af 2408 }
2409 }
2410
2411 // --- crypto
2412 crypto1_word(pcs, ar , 1);
2413 cardRr = nr ^ crypto1_word(pcs, 0, 0);
2414
2415 // test if auth OK
2416 if (cardRr != prng_successor(nonce, 64)){
b03c0f2d 2417 if (MF_DBGLEVEL >= 2) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
2418 cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
2419 cardRr, prng_successor(nonce, 64));
7bc95e2e 2420 // Shouldn't we respond anything here?
d2f487af 2421 // Right now, we don't nack or anything, which causes the
2422 // reader to do a WUPA after a while. /Martin
b03c0f2d 2423 // -- which is the correct response. /piwi
d2f487af 2424 cardSTATE_TO_IDLE();
6a1f2d82 2425 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
d2f487af 2426 break;
2427 }
2428
2429 ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
2430
2431 num_to_bytes(ans, 4, rAUTH_AT);
2432 // --- crypto
2433 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2434 LED_C_ON();
2435 cardSTATE = MFEMUL_WORK;
b03c0f2d 2436 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED for sector %d with key %c. time=%d",
2437 cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
2438 GetTickCount() - authTimer);
d2f487af 2439 break;
2440 }
50193c1e 2441 case MFEMUL_SELECT2:{
7bc95e2e 2442 if (!len) {
6a1f2d82 2443 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
7bc95e2e 2444 break;
2445 }
8556b852 2446 if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
9ca155ba 2447 EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
8556b852
M
2448 break;
2449 }
9ca155ba 2450
8556b852
M
2451 // select 2 card
2452 if (len == 9 &&
2453 (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) {
2454 EmSendCmd(rSAK, sizeof(rSAK));
8556b852
M
2455 cuid = bytes_to_num(rUIDBCC2, 4);
2456 cardSTATE = MFEMUL_WORK;
2457 LED_B_ON();
0014cb46 2458 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
8556b852
M
2459 break;
2460 }
0014cb46
M
2461
2462 // i guess there is a command). go into the work state.
7bc95e2e 2463 if (len != 4) {
6a1f2d82 2464 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
7bc95e2e 2465 break;
2466 }
0014cb46 2467 cardSTATE = MFEMUL_WORK;
d2f487af 2468 //goto lbWORK;
2469 //intentional fall-through to the next case-stmt
50193c1e 2470 }
51969283 2471
7bc95e2e 2472 case MFEMUL_WORK:{
2473 if (len == 0) {
6a1f2d82 2474 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
7bc95e2e 2475 break;
2476 }
2477
d2f487af 2478 bool encrypted_data = (cardAUTHKEY != 0xFF) ;
2479
7bc95e2e 2480 if(encrypted_data) {
51969283
M
2481 // decrypt seqence
2482 mf_crypto1_decrypt(pcs, receivedCmd, len);
d2f487af 2483 }
7bc95e2e 2484
d2f487af 2485 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2486 authTimer = GetTickCount();
2487 cardAUTHSC = receivedCmd[1] / 4; // received block num
2488 cardAUTHKEY = receivedCmd[0] - 0x60;
2489 crypto1_destroy(pcs);//Added by martin
2490 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
51969283 2491
d2f487af 2492 if (!encrypted_data) { // first authentication
b03c0f2d 2493 if (MF_DBGLEVEL >= 4) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY );
51969283 2494
d2f487af 2495 crypto1_word(pcs, cuid ^ nonce, 0);//Update crypto state
2496 num_to_bytes(nonce, 4, rAUTH_AT); // Send nonce
7bc95e2e 2497 } else { // nested authentication
b03c0f2d 2498 if (MF_DBGLEVEL >= 4) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY );
7bc95e2e 2499 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
d2f487af 2500 num_to_bytes(ans, 4, rAUTH_AT);
2501 }
2502 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2503 //Dbprintf("Sending rAUTH %02x%02x%02x%02x", rAUTH_AT[0],rAUTH_AT[1],rAUTH_AT[2],rAUTH_AT[3]);
2504 cardSTATE = MFEMUL_AUTH1;
2505 break;
51969283 2506 }
7bc95e2e 2507
8f51ddb0
M
2508 // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued
2509 // BUT... ACK --> NACK
2510 if (len == 1 && receivedCmd[0] == CARD_ACK) {
2511 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2512 break;
2513 }
2514
2515 // rule 12 of 7.5.3. in ISO 14443-4. R(NAK) --> R(ACK)
2516 if (len == 1 && receivedCmd[0] == CARD_NACK_NA) {
2517 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2518 break;
0a39986e
M
2519 }
2520
7bc95e2e 2521 if(len != 4) {
6a1f2d82 2522 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
7bc95e2e 2523 break;
2524 }
d2f487af 2525
2526 if(receivedCmd[0] == 0x30 // read block
2527 || receivedCmd[0] == 0xA0 // write block
b03c0f2d 2528 || receivedCmd[0] == 0xC0 // inc
2529 || receivedCmd[0] == 0xC1 // dec
2530 || receivedCmd[0] == 0xC2 // restore
7bc95e2e 2531 || receivedCmd[0] == 0xB0) { // transfer
2532 if (receivedCmd[1] >= 16 * 4) {
d2f487af 2533 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2534 if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
2535 break;
2536 }
2537
7bc95e2e 2538 if (receivedCmd[1] / 4 != cardAUTHSC) {
8f51ddb0 2539 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
d2f487af 2540 if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd[0],receivedCmd[1],cardAUTHSC);
8f51ddb0
M
2541 break;
2542 }
d2f487af 2543 }
2544 // read block
2545 if (receivedCmd[0] == 0x30) {
b03c0f2d 2546 if (MF_DBGLEVEL >= 4) {
d2f487af 2547 Dbprintf("Reader reading block %d (0x%02x)",receivedCmd[1],receivedCmd[1]);
2548 }
8f51ddb0
M
2549 emlGetMem(response, receivedCmd[1], 1);
2550 AppendCrc14443a(response, 16);
6a1f2d82 2551 mf_crypto1_encrypt(pcs, response, 18, response_par);
2552 EmSendCmdPar(response, 18, response_par);
d2f487af 2553 numReads++;
7bc95e2e 2554 if(exitAfterNReads > 0 && numReads == exitAfterNReads) {
d2f487af 2555 Dbprintf("%d reads done, exiting", numReads);
2556 finished = true;
2557 }
0a39986e
M
2558 break;
2559 }
0a39986e 2560 // write block
d2f487af 2561 if (receivedCmd[0] == 0xA0) {
b03c0f2d 2562 if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0xA0 write block %d (%02x)",receivedCmd[1],receivedCmd[1]);
8f51ddb0 2563 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
8f51ddb0
M
2564 cardSTATE = MFEMUL_WRITEBL2;
2565 cardWRBL = receivedCmd[1];
0a39986e 2566 break;
7bc95e2e 2567 }
0014cb46 2568 // increment, decrement, restore
d2f487af 2569 if (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2) {
b03c0f2d 2570 if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
d2f487af 2571 if (emlCheckValBl(receivedCmd[1])) {
2572 if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
0014cb46
M
2573 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2574 break;
2575 }
2576 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2577 if (receivedCmd[0] == 0xC1)
2578 cardSTATE = MFEMUL_INTREG_INC;
2579 if (receivedCmd[0] == 0xC0)
2580 cardSTATE = MFEMUL_INTREG_DEC;
2581 if (receivedCmd[0] == 0xC2)
2582 cardSTATE = MFEMUL_INTREG_REST;
2583 cardWRBL = receivedCmd[1];
0014cb46
M
2584 break;
2585 }
0014cb46 2586 // transfer
d2f487af 2587 if (receivedCmd[0] == 0xB0) {
b03c0f2d 2588 if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x transfer block %d (%02x)",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
0014cb46
M
2589 if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1]))
2590 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2591 else
2592 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
0014cb46
M
2593 break;
2594 }
9ca155ba 2595 // halt
d2f487af 2596 if (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00) {
9ca155ba 2597 LED_B_OFF();
0a39986e 2598 LED_C_OFF();
0014cb46
M
2599 cardSTATE = MFEMUL_HALTED;
2600 if (MF_DBGLEVEL >= 4) Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer);
6a1f2d82 2601 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
0a39986e 2602 break;
9ca155ba 2603 }
d2f487af 2604 // RATS
2605 if (receivedCmd[0] == 0xe0) {//RATS
8f51ddb0
M
2606 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2607 break;
2608 }
d2f487af 2609 // command not allowed
2610 if (MF_DBGLEVEL >= 4) Dbprintf("Received command not allowed, nacking");
2611 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
51969283 2612 break;
8f51ddb0
M
2613 }
2614 case MFEMUL_WRITEBL2:{
2615 if (len == 18){
2616 mf_crypto1_decrypt(pcs, receivedCmd, len);
2617 emlSetMem(receivedCmd, cardWRBL, 1);
2618 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2619 cardSTATE = MFEMUL_WORK;
51969283 2620 } else {
0014cb46 2621 cardSTATE_TO_IDLE();
6a1f2d82 2622 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
8f51ddb0 2623 }
8f51ddb0 2624 break;
50193c1e 2625 }
0014cb46
M
2626
2627 case MFEMUL_INTREG_INC:{
2628 mf_crypto1_decrypt(pcs, receivedCmd, len);
2629 memcpy(&ans, receivedCmd, 4);
2630 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2631 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2632 cardSTATE_TO_IDLE();
2633 break;
7bc95e2e 2634 }
6a1f2d82 2635 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
0014cb46
M
2636 cardINTREG = cardINTREG + ans;
2637 cardSTATE = MFEMUL_WORK;
2638 break;
2639 }
2640 case MFEMUL_INTREG_DEC:{
2641 mf_crypto1_decrypt(pcs, receivedCmd, len);
2642 memcpy(&ans, receivedCmd, 4);
2643 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2644 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2645 cardSTATE_TO_IDLE();
2646 break;
2647 }
6a1f2d82 2648 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
0014cb46
M
2649 cardINTREG = cardINTREG - ans;
2650 cardSTATE = MFEMUL_WORK;
2651 break;
2652 }
2653 case MFEMUL_INTREG_REST:{
2654 mf_crypto1_decrypt(pcs, receivedCmd, len);
2655 memcpy(&ans, receivedCmd, 4);
2656 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2657 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2658 cardSTATE_TO_IDLE();
2659 break;
2660 }
6a1f2d82 2661 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
0014cb46
M
2662 cardSTATE = MFEMUL_WORK;
2663 break;
2664 }
50193c1e 2665 }
50193c1e
M
2666 }
2667
9ca155ba
M
2668 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2669 LEDsoff();
2670
d2f487af 2671 if(flags & FLAG_INTERACTIVE)// Interactive mode flag, means we need to send ACK
2672 {
2673 //May just aswell send the collected ar_nr in the response aswell
2674 cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,0,0,&ar_nr_responses,ar_nr_collected*4*4);
2675 }
d714d3ef 2676
d2f487af 2677 if(flags & FLAG_NR_AR_ATTACK)
2678 {
7bc95e2e 2679 if(ar_nr_collected > 1) {
d2f487af 2680 Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
d714d3ef 2681 Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
d2f487af 2682 ar_nr_responses[0], // UID
2683 ar_nr_responses[1], //NT
2684 ar_nr_responses[2], //AR1
2685 ar_nr_responses[3], //NR1
2686 ar_nr_responses[6], //AR2
2687 ar_nr_responses[7] //NR2
2688 );
7bc95e2e 2689 } else {
d2f487af 2690 Dbprintf("Failed to obtain two AR/NR pairs!");
7bc95e2e 2691 if(ar_nr_collected >0) {
d714d3ef 2692 Dbprintf("Only got these: UID=%08x, nonce=%08x, AR1=%08x, NR1=%08x",
d2f487af 2693 ar_nr_responses[0], // UID
2694 ar_nr_responses[1], //NT
2695 ar_nr_responses[2], //AR1
2696 ar_nr_responses[3] //NR1
2697 );
2698 }
2699 }
2700 }
0014cb46 2701 if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, traceLen);
15c4dc5a 2702}
b62a5a84 2703
d2f487af 2704
2705
b62a5a84
M
2706//-----------------------------------------------------------------------------
2707// MIFARE sniffer.
2708//
2709//-----------------------------------------------------------------------------
5cd9ec01
M
2710void RAMFUNC SniffMifare(uint8_t param) {
2711 // param:
2712 // bit 0 - trigger from first card answer
2713 // bit 1 - trigger from first reader 7-bit request
39864b0b
M
2714
2715 // C(red) A(yellow) B(green)
b62a5a84
M
2716 LEDsoff();
2717 // init trace buffer
991f13f2 2718 iso14a_clear_trace();
2719 iso14a_set_tracing(TRUE);
b62a5a84 2720
b62a5a84
M
2721 // The command (reader -> tag) that we're receiving.
2722 // The length of a received command will in most cases be no more than 18 bytes.
2723 // So 32 should be enough!
2724 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
6a1f2d82 2725 uint8_t *receivedCmdPar = ((uint8_t *)BigBuf) + RECV_CMD_PAR_OFFSET;
b62a5a84 2726 // The response (tag -> reader) that we're receiving.
6a1f2d82 2727 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RESP_OFFSET);
2728 uint8_t *receivedResponsePar = ((uint8_t *)BigBuf) + RECV_RESP_PAR_OFFSET;
b62a5a84
M
2729
2730 // As we receive stuff, we copy it from receivedCmd or receivedResponse
2731 // into trace, along with its length and other annotations.
2732 //uint8_t *trace = (uint8_t *)BigBuf;
2733
2734 // The DMA buffer, used to stream samples from the FPGA
7bc95e2e 2735 uint8_t *dmaBuf = ((uint8_t *)BigBuf) + DMA_BUFFER_OFFSET;
2736 uint8_t *data = dmaBuf;
2737 uint8_t previous_data = 0;
5cd9ec01
M
2738 int maxDataLen = 0;
2739 int dataLen = 0;
7bc95e2e 2740 bool ReaderIsActive = FALSE;
2741 bool TagIsActive = FALSE;
2742
2743 iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
b62a5a84
M
2744
2745 // Set up the demodulator for tag -> reader responses.
6a1f2d82 2746 DemodInit(receivedResponse, receivedResponsePar);
b62a5a84
M
2747
2748 // Set up the demodulator for the reader -> tag commands
6a1f2d82 2749 UartInit(receivedCmd, receivedCmdPar);
b62a5a84
M
2750
2751 // Setup for the DMA.
7bc95e2e 2752 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
b62a5a84 2753
b62a5a84 2754 LED_D_OFF();
39864b0b
M
2755
2756 // init sniffer
2757 MfSniffInit();
b62a5a84 2758
b62a5a84 2759 // And now we loop, receiving samples.
7bc95e2e 2760 for(uint32_t sniffCounter = 0; TRUE; ) {
2761
5cd9ec01
M
2762 if(BUTTON_PRESS()) {
2763 DbpString("cancelled by button");
7bc95e2e 2764 break;
5cd9ec01
M
2765 }
2766
b62a5a84
M
2767 LED_A_ON();
2768 WDT_HIT();
39864b0b 2769
7bc95e2e 2770 if ((sniffCounter & 0x0000FFFF) == 0) { // from time to time
2771 // check if a transaction is completed (timeout after 2000ms).
2772 // if yes, stop the DMA transfer and send what we have so far to the client
2773 if (MfSniffSend(2000)) {
2774 // Reset everything - we missed some sniffed data anyway while the DMA was stopped
2775 sniffCounter = 0;
2776 data = dmaBuf;
2777 maxDataLen = 0;
2778 ReaderIsActive = FALSE;
2779 TagIsActive = FALSE;
2780 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
39864b0b 2781 }
39864b0b 2782 }
7bc95e2e 2783
2784 int register readBufDataP = data - dmaBuf; // number of bytes we have processed so far
2785 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR; // number of bytes already transferred
2786 if (readBufDataP <= dmaBufDataP){ // we are processing the same block of data which is currently being transferred
2787 dataLen = dmaBufDataP - readBufDataP; // number of bytes still to be processed
2788 } else {
2789 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP; // number of bytes still to be processed
5cd9ec01
M
2790 }
2791 // test for length of buffer
7bc95e2e 2792 if(dataLen > maxDataLen) { // we are more behind than ever...
2793 maxDataLen = dataLen;
5cd9ec01
M
2794 if(dataLen > 400) {
2795 Dbprintf("blew circular buffer! dataLen=0x%x", dataLen);
7bc95e2e 2796 break;
b62a5a84
M
2797 }
2798 }
5cd9ec01 2799 if(dataLen < 1) continue;
b62a5a84 2800
7bc95e2e 2801 // primary buffer was stopped ( <-- we lost data!
5cd9ec01
M
2802 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
2803 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
2804 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
55acbb2a 2805 Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
5cd9ec01
M
2806 }
2807 // secondary buffer sets as primary, secondary buffer was stopped
2808 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
2809 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
b62a5a84
M
2810 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
2811 }
5cd9ec01
M
2812
2813 LED_A_OFF();
b62a5a84 2814
7bc95e2e 2815 if (sniffCounter & 0x01) {
b62a5a84 2816
7bc95e2e 2817 if(!TagIsActive) { // no need to try decoding tag data if the reader is sending
2818 uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
2819 if(MillerDecoding(readerdata, (sniffCounter-1)*4)) {
2820 LED_C_INV();
6a1f2d82 2821 if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, TRUE)) break;
b62a5a84 2822
7bc95e2e 2823 /* And ready to receive another command. */
2824 UartReset();
2825
2826 /* And also reset the demod code */
2827 DemodReset();
2828 }
2829 ReaderIsActive = (Uart.state != STATE_UNSYNCD);
2830 }
2831
2832 if(!ReaderIsActive) { // no need to try decoding tag data if the reader is sending
2833 uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
2834 if(ManchesterDecoding(tagdata, 0, (sniffCounter-1)*4)) {
2835 LED_C_INV();
b62a5a84 2836
6a1f2d82 2837 if (MfSniffLogic(receivedResponse, Demod.len, Demod.parity, Demod.bitCount, FALSE)) break;
39864b0b 2838
7bc95e2e 2839 // And ready to receive another response.
2840 DemodReset();
2841 }
2842 TagIsActive = (Demod.state != DEMOD_UNSYNCD);
2843 }
b62a5a84
M
2844 }
2845
7bc95e2e 2846 previous_data = *data;
2847 sniffCounter++;
5cd9ec01 2848 data++;
d714d3ef 2849 if(data == dmaBuf + DMA_BUFFER_SIZE) {
5cd9ec01 2850 data = dmaBuf;
b62a5a84 2851 }
7bc95e2e 2852
b62a5a84
M
2853 } // main cycle
2854
2855 DbpString("COMMAND FINISHED");
2856
55acbb2a 2857 FpgaDisableSscDma();
39864b0b
M
2858 MfSniffEnd();
2859
7bc95e2e 2860 Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.len=%x", maxDataLen, Uart.state, Uart.len);
b62a5a84 2861 LEDsoff();
3803d529 2862}
Impressum, Datenschutz