[proxmark3-svn] / armsrc / iso14443a.c

//-----------------------------------------------------------------------------\r
// Routines to support ISO 14443 type A.\r
//\r
// Gerhard de Koning Gans - May 2008\r
//-----------------------------------------------------------------------------\r
#include <proxmark3.h>\r
#include "apps.h"\r
#include "../common/iso14443_crc.c"\r
\r
typedef enum {\r
	SEC_D = 1,\r
	SEC_E = 2,\r
	SEC_F = 3,\r
	SEC_X = 4,\r
	SEC_Y = 5,\r
	SEC_Z = 6\r
} SecType;\r
\r
//-----------------------------------------------------------------------------\r
// The software UART that receives commands from the reader, and its state\r
// variables.\r
//-----------------------------------------------------------------------------\r
static struct {\r
    enum {\r
        STATE_UNSYNCD,\r
        STATE_START_OF_COMMUNICATION,\r
		STATE_MILLER_X,\r
		STATE_MILLER_Y,\r
		STATE_MILLER_Z,\r
        STATE_ERROR_WAIT\r
    }       state;\r
    WORD    shiftReg;\r
    int     bitCnt;\r
    int     byteCnt;\r
    int     byteCntMax;\r
    int     posCnt;\r
    int     syncBit;\r
	int     parityBits;\r
	int     samples;\r
    int     highCnt;\r
    int     bitBuffer;\r
	enum {\r
		DROP_NONE,\r
		DROP_FIRST_HALF,\r
		DROP_SECOND_HALF\r
	}		drop;\r
    BYTE   *output;\r
} Uart;\r
\r
static BOOL MillerDecoding(int bit)\r
{\r
	int error = 0;\r
	int bitright;\r
\r
	if(!Uart.bitBuffer) {\r
		Uart.bitBuffer = bit ^ 0xFF0;\r
		return FALSE;\r
	}\r
	else {\r
		Uart.bitBuffer <<= 4;\r
		Uart.bitBuffer ^= bit;\r
	}\r
\r
	BOOL EOC = FALSE;\r
\r
	if(Uart.state != STATE_UNSYNCD) {\r
		Uart.posCnt++;\r
\r
		if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {\r
			bit = 0x00;\r
		}\r
		else {\r
			bit = 0x01;\r
		}\r
		if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {\r
			bitright = 0x00;\r
		}\r
		else {\r
			bitright = 0x01;\r
		}\r
		if(bit != bitright) { bit = bitright; }\r
\r
		if(Uart.posCnt == 1) {\r
			// measurement first half bitperiod\r
			if(!bit) {\r
				Uart.drop = DROP_FIRST_HALF;\r
			}\r
		}\r
		else {\r
			// measurement second half bitperiod\r
			if(!bit & (Uart.drop == DROP_NONE)) {\r
				Uart.drop = DROP_SECOND_HALF;\r
			}\r
			else if(!bit) {\r
				// measured a drop in first and second half\r
				// which should not be possible\r
				Uart.state = STATE_ERROR_WAIT;\r
				error = 0x01;\r
			}\r
\r
			Uart.posCnt = 0;\r
\r
			switch(Uart.state) {\r
				case STATE_START_OF_COMMUNICATION:\r
					Uart.shiftReg = 0;\r
					if(Uart.drop == DROP_SECOND_HALF) {\r
						// error, should not happen in SOC\r
						Uart.state = STATE_ERROR_WAIT;\r
						error = 0x02;\r
					}\r
					else {\r
						// correct SOC\r
						Uart.state = STATE_MILLER_Z;\r
					}\r
					break;\r
\r
				case STATE_MILLER_Z:\r
					Uart.bitCnt++;\r
					Uart.shiftReg >>= 1;\r
					if(Uart.drop == DROP_NONE) {\r
						// logic '0' followed by sequence Y\r
						// end of communication\r
						Uart.state = STATE_UNSYNCD;\r
						EOC = TRUE;\r
					}\r
					// if(Uart.drop == DROP_FIRST_HALF) {\r
					// 	Uart.state = STATE_MILLER_Z; stay the same\r
					// 	we see a logic '0' }\r
					if(Uart.drop == DROP_SECOND_HALF) {\r
						// we see a logic '1'\r
						Uart.shiftReg |= 0x100;\r
						Uart.state = STATE_MILLER_X;\r
					}\r
					break;\r
\r
				case STATE_MILLER_X:\r
					Uart.shiftReg >>= 1;\r
					if(Uart.drop == DROP_NONE) {\r
						// sequence Y, we see a '0'\r
						Uart.state = STATE_MILLER_Y;\r
						Uart.bitCnt++;\r
					}\r
					if(Uart.drop == DROP_FIRST_HALF) {\r
						// Would be STATE_MILLER_Z\r
						// but Z does not follow X, so error\r
						Uart.state = STATE_ERROR_WAIT;\r
						error = 0x03;\r
					}\r
					if(Uart.drop == DROP_SECOND_HALF) {\r
						// We see a '1' and stay in state X\r
						Uart.shiftReg |= 0x100;\r
						Uart.bitCnt++;\r
					}\r
					break;\r
\r
				case STATE_MILLER_Y:\r
					Uart.bitCnt++;\r
					Uart.shiftReg >>= 1;\r
					if(Uart.drop == DROP_NONE) {\r
						// logic '0' followed by sequence Y\r
						// end of communication\r
						Uart.state = STATE_UNSYNCD;\r
						EOC = TRUE;\r
					}\r
					if(Uart.drop == DROP_FIRST_HALF) {\r
						// we see a '0'\r
						Uart.state = STATE_MILLER_Z;\r
					}\r
					if(Uart.drop == DROP_SECOND_HALF) {\r
						// We see a '1' and go to state X\r
						Uart.shiftReg |= 0x100;\r
						Uart.state = STATE_MILLER_X;\r
					}\r
					break;\r
\r
				case STATE_ERROR_WAIT:\r
					// That went wrong. Now wait for at least two bit periods\r
					// and try to sync again\r
					if(Uart.drop == DROP_NONE) {\r
						Uart.highCnt = 6;\r
						Uart.state = STATE_UNSYNCD;\r
					}\r
					break;\r
\r
				default:\r
					Uart.state = STATE_UNSYNCD;\r
					Uart.highCnt = 0;\r
					break;\r
			}\r
\r
			Uart.drop = DROP_NONE;\r
\r
			// should have received at least one whole byte...\r
			if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {\r
				return TRUE;\r
			}\r
\r
			if(Uart.bitCnt == 9) {\r
				Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);\r
				Uart.byteCnt++;\r
\r
				Uart.parityBits <<= 1;\r
				Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);\r
\r
				if(EOC) {\r
					// when End of Communication received and\r
					// all data bits processed..\r
					return TRUE;\r
				}\r
				Uart.bitCnt = 0;\r
			}\r
\r
			/*if(error) {\r
				Uart.output[Uart.byteCnt] = 0xAA;\r
				Uart.byteCnt++;\r
				Uart.output[Uart.byteCnt] = error & 0xFF;\r
				Uart.byteCnt++;\r
				Uart.output[Uart.byteCnt] = 0xAA;\r
				Uart.byteCnt++;\r
				Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;\r
				Uart.byteCnt++;\r
				Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;\r
				Uart.byteCnt++;\r
				Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;\r
				Uart.byteCnt++;\r
				Uart.output[Uart.byteCnt] = 0xAA;\r
				Uart.byteCnt++;\r
				return TRUE;\r
			}*/\r
		}\r
\r
	}\r
	else {\r
		bit = Uart.bitBuffer & 0xf0;\r
		bit >>= 4;\r
		bit ^= 0x0F;\r
		if(bit) {\r
			// should have been high or at least (4 * 128) / fc\r
			// according to ISO this should be at least (9 * 128 + 20) / fc\r
			if(Uart.highCnt == 8) {\r
				// we went low, so this could be start of communication\r
				// it turns out to be safer to choose a less significant\r
				// syncbit... so we check whether the neighbour also represents the drop\r
				Uart.posCnt = 1;   // apparently we are busy with our first half bit period\r
				Uart.syncBit = bit & 8;\r
				Uart.samples = 3;\r
				if(!Uart.syncBit)	{ Uart.syncBit = bit & 4; Uart.samples = 2; }\r
				else if(bit & 4)	{ Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }\r
				if(!Uart.syncBit)	{ Uart.syncBit = bit & 2; Uart.samples = 1; }\r
				else if(bit & 2)	{ Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }\r
				if(!Uart.syncBit)	{ Uart.syncBit = bit & 1; Uart.samples = 0;\r
					if(Uart.syncBit & (Uart.bitBuffer & 8)) {\r
						Uart.syncBit = 8;\r
\r
						// the first half bit period is expected in next sample\r
						Uart.posCnt = 0;\r
						Uart.samples = 3;\r
					}\r
				}\r
				else if(bit & 1)	{ Uart.syncBit = bit & 1; Uart.samples = 0; }\r
\r
				Uart.syncBit <<= 4;\r
				Uart.state = STATE_START_OF_COMMUNICATION;\r
				Uart.drop = DROP_FIRST_HALF;\r
				Uart.bitCnt = 0;\r
				Uart.byteCnt = 0;\r
				Uart.parityBits = 0;\r
				error = 0;\r
			}\r
			else {\r
				Uart.highCnt = 0;\r
			}\r
		}\r
		else {\r
			if(Uart.highCnt < 8) {\r
				Uart.highCnt++;\r
			}\r
		}\r
	}\r
\r
    return FALSE;\r
}\r
\r
//=============================================================================\r
// ISO 14443 Type A - Manchester\r
//=============================================================================\r
\r
static struct {\r
    enum {\r
        DEMOD_UNSYNCD,\r
		DEMOD_START_OF_COMMUNICATION,\r
		DEMOD_MANCHESTER_D,\r
		DEMOD_MANCHESTER_E,\r
		DEMOD_MANCHESTER_F,\r
        DEMOD_ERROR_WAIT\r
    }       state;\r
    int     bitCount;\r
    int     posCount;\r
	int     syncBit;\r
	int     parityBits;\r
    WORD    shiftReg;\r
	int     buffer;\r
	int     buff;\r
	int     samples;\r
    int     len;\r
	enum {\r
		SUB_NONE,\r
		SUB_FIRST_HALF,\r
		SUB_SECOND_HALF\r
	}		sub;\r
    BYTE   *output;\r
} Demod;\r
\r
static BOOL ManchesterDecoding(int v)\r
{\r
	int bit;\r
	int modulation;\r
	int error = 0;\r
\r
	if(!Demod.buff) {\r
		Demod.buff = 1;\r
		Demod.buffer = v;\r
		return FALSE;\r
	}\r
	else {\r
		bit = Demod.buffer;\r
		Demod.buffer = v;\r
	}\r
\r
	if(Demod.state==DEMOD_UNSYNCD) {\r
		Demod.output[Demod.len] = 0xfa;\r
		Demod.syncBit = 0;\r
		//Demod.samples = 0;\r
		Demod.posCount = 1;		// This is the first half bit period, so after syncing handle the second part\r
		if(bit & 0x08) { Demod.syncBit = 0x08; }\r
		if(!Demod.syncBit)	{\r
			if(bit & 0x04) { Demod.syncBit = 0x04; }\r
		}\r
		else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }\r
		if(!Demod.syncBit)	{\r
			if(bit & 0x02) { Demod.syncBit = 0x02; }\r
		}\r
		else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }\r
		if(!Demod.syncBit)	{\r
			if(bit & 0x01) { Demod.syncBit = 0x01; }\r
\r
			if(Demod.syncBit & (Demod.buffer & 0x08)) {\r
				Demod.syncBit = 0x08;\r
\r
				// The first half bitperiod is expected in next sample\r
				Demod.posCount = 0;\r
				Demod.output[Demod.len] = 0xfb;\r
			}\r
		}\r
		else if(bit & 0x01) { Demod.syncBit = 0x01; }\r
\r
		if(Demod.syncBit) {\r
			Demod.len = 0;\r
			Demod.state = DEMOD_START_OF_COMMUNICATION;\r
			Demod.sub = SUB_FIRST_HALF;\r
			Demod.bitCount = 0;\r
			Demod.shiftReg = 0;\r
			Demod.parityBits = 0;\r
			Demod.samples = 0;\r
			if(Demod.posCount) {\r
				switch(Demod.syncBit) {\r
					case 0x08: Demod.samples = 3; break;\r
					case 0x04: Demod.samples = 2; break;\r
					case 0x02: Demod.samples = 1; break;\r
					case 0x01: Demod.samples = 0; break;\r
				}\r
			}\r
			error = 0;\r
		}\r
	}\r
	else {\r
		//modulation = bit & Demod.syncBit;\r
		modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;\r
\r
		Demod.samples += 4;\r
\r
		if(Demod.posCount==0) {\r
			Demod.posCount = 1;\r
			if(modulation) {\r
				Demod.sub = SUB_FIRST_HALF;\r
			}\r
			else {\r
				Demod.sub = SUB_NONE;\r
			}\r
		}\r
		else {\r
			Demod.posCount = 0;\r
			if(modulation && (Demod.sub == SUB_FIRST_HALF)) {\r
				if(Demod.state!=DEMOD_ERROR_WAIT) {\r
					Demod.state = DEMOD_ERROR_WAIT;\r
					Demod.output[Demod.len] = 0xaa;\r
					error = 0x01;\r
				}\r
			}\r
			else if(modulation) {\r
				Demod.sub = SUB_SECOND_HALF;\r
			}\r
\r
			switch(Demod.state) {\r
				case DEMOD_START_OF_COMMUNICATION:\r
					if(Demod.sub == SUB_FIRST_HALF) {\r
						Demod.state = DEMOD_MANCHESTER_D;\r
					}\r
					else {\r
						Demod.output[Demod.len] = 0xab;\r
						Demod.state = DEMOD_ERROR_WAIT;\r
						error = 0x02;\r
					}\r
					break;\r
\r
				case DEMOD_MANCHESTER_D:\r
				case DEMOD_MANCHESTER_E:\r
					if(Demod.sub == SUB_FIRST_HALF) {\r
						Demod.bitCount++;\r
						Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;\r
						Demod.state = DEMOD_MANCHESTER_D;\r
					}\r
					else if(Demod.sub == SUB_SECOND_HALF) {\r
						Demod.bitCount++;\r
						Demod.shiftReg >>= 1;\r
						Demod.state = DEMOD_MANCHESTER_E;\r
					}\r
					else {\r
						Demod.state = DEMOD_MANCHESTER_F;\r
					}\r
					break;\r
\r
				case DEMOD_MANCHESTER_F:\r
					// Tag response does not need to be a complete byte!\r
					if(Demod.len > 0 || Demod.bitCount > 0) {\r
						if(Demod.bitCount > 0) {\r
							Demod.shiftReg >>= (9 - Demod.bitCount);\r
							Demod.output[Demod.len] = Demod.shiftReg & 0xff;\r
							Demod.len++;\r
							// No parity bit, so just shift a 0\r
							Demod.parityBits <<= 1;\r
						}\r
\r
						Demod.state = DEMOD_UNSYNCD;\r
						return TRUE;\r
					}\r
					else {\r
						Demod.output[Demod.len] = 0xad;\r
						Demod.state = DEMOD_ERROR_WAIT;\r
						error = 0x03;\r
					}\r
					break;\r
\r
				case DEMOD_ERROR_WAIT:\r
					Demod.state = DEMOD_UNSYNCD;\r
					break;\r
\r
				default:\r
					Demod.output[Demod.len] = 0xdd;\r
					Demod.state = DEMOD_UNSYNCD;\r
					break;\r
			}\r
\r
			if(Demod.bitCount>=9) {\r
				Demod.output[Demod.len] = Demod.shiftReg & 0xff;\r
				Demod.len++;\r
\r
				Demod.parityBits <<= 1;\r
				Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);\r
\r
				Demod.bitCount = 0;\r
				Demod.shiftReg = 0;\r
			}\r
\r
			/*if(error) {\r
				Demod.output[Demod.len] = 0xBB;\r
				Demod.len++;\r
				Demod.output[Demod.len] = error & 0xFF;\r
				Demod.len++;\r
				Demod.output[Demod.len] = 0xBB;\r
				Demod.len++;\r
				Demod.output[Demod.len] = bit & 0xFF;\r
				Demod.len++;\r
				Demod.output[Demod.len] = Demod.buffer & 0xFF;\r
				Demod.len++;\r
				Demod.output[Demod.len] = Demod.syncBit & 0xFF;\r
				Demod.len++;\r
				Demod.output[Demod.len] = 0xBB;\r
				Demod.len++;\r
				return TRUE;\r
			}*/\r
\r
		}\r
\r
	} // end (state != UNSYNCED)\r
\r
    return FALSE;\r
}\r
\r
//=============================================================================\r
// Finally, a `sniffer' for ISO 14443 Type A\r
// Both sides of communication!\r
//=============================================================================\r
\r
//-----------------------------------------------------------------------------\r
// Record the sequence of commands sent by the reader to the tag, with\r
// triggering so that we start recording at the point that the tag is moved\r
// near the reader.\r
//-----------------------------------------------------------------------------\r
void SnoopIso14443a(void)\r
{\r
\r
	// BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT\r
\r
	#define RECV_CMD_OFFSET 	3032\r
	#define RECV_RES_OFFSET		3096\r
	#define DMA_BUFFER_OFFSET	3160\r
	#define DMA_BUFFER_SIZE 	4096\r
	#define TRACE_LENGTH	 	3000\r
\r
//	#define RECV_CMD_OFFSET 	2032	// original (working as of 21/2/09) values\r
//	#define RECV_RES_OFFSET		2096	// original (working as of 21/2/09) values\r
//	#define DMA_BUFFER_OFFSET	2160	// original (working as of 21/2/09) values\r
//	#define DMA_BUFFER_SIZE 	4096	// original (working as of 21/2/09) values\r
//	#define TRACE_LENGTH	 	2000	// original (working as of 21/2/09) values\r
\r
    // We won't start recording the frames that we acquire until we trigger;\r
    // a good trigger condition to get started is probably when we see a\r
    // response from the tag.\r
    BOOL triggered = TRUE; // FALSE to wait first for card\r
\r
    // The command (reader -> tag) that we're receiving.\r
	// The length of a received command will in most cases be no more than 18 bytes.\r
	// So 32 should be enough!\r
    BYTE *receivedCmd = (((BYTE *)BigBuf) + RECV_CMD_OFFSET);\r
    // The response (tag -> reader) that we're receiving.\r
    BYTE *receivedResponse = (((BYTE *)BigBuf) + RECV_RES_OFFSET);\r
\r
    // As we receive stuff, we copy it from receivedCmd or receivedResponse\r
    // into trace, along with its length and other annotations.\r
    BYTE *trace = (BYTE *)BigBuf;\r
    int traceLen = 0;\r
\r
    // The DMA buffer, used to stream samples from the FPGA\r
    SBYTE *dmaBuf = ((SBYTE *)BigBuf) + DMA_BUFFER_OFFSET;\r
    int lastRxCounter;\r
    SBYTE *upTo;\r
    int smpl;\r
    int maxBehindBy = 0;\r
\r
    // Count of samples received so far, so that we can include timing\r
    // information in the trace buffer.\r
    int samples = 0;\r
	int rsamples = 0;\r
\r
    memset(trace, 0x44, RECV_CMD_OFFSET);\r
\r
    // Set up the demodulator for tag -> reader responses.\r
    Demod.output = receivedResponse;\r
    Demod.len = 0;\r
    Demod.state = DEMOD_UNSYNCD;\r
\r
    // And the reader -> tag commands\r
    memset(&Uart, 0, sizeof(Uart));\r
    Uart.output = receivedCmd;\r
    Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////\r
    Uart.state = STATE_UNSYNCD;\r
\r
    // And put the FPGA in the appropriate mode\r
    // Signal field is off with the appropriate LED\r
    LED_D_OFF();\r
    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);\r
    SetAdcMuxFor(GPIO_MUXSEL_HIPKD);\r
\r
	// Setup for the DMA.\r
    FpgaSetupSsc();\r
    upTo = dmaBuf;\r
    lastRxCounter = DMA_BUFFER_SIZE;\r
    FpgaSetupSscDma((BYTE *)dmaBuf, DMA_BUFFER_SIZE);\r
\r
    LED_A_ON();\r
\r
    // And now we loop, receiving samples.\r
    for(;;) {\r
		WDT_HIT();\r
        int behindBy = (lastRxCounter - PDC_RX_COUNTER(SSC_BASE)) &\r
                                (DMA_BUFFER_SIZE-1);\r
        if(behindBy > maxBehindBy) {\r
            maxBehindBy = behindBy;\r
            if(behindBy > 400) {\r
                DbpString("blew circular buffer!");\r
                goto done;\r
            }\r
        }\r
        if(behindBy < 1) continue;\r
\r
        smpl = upTo[0];\r
        upTo++;\r
        lastRxCounter -= 1;\r
        if(upTo - dmaBuf > DMA_BUFFER_SIZE) {\r
            upTo -= DMA_BUFFER_SIZE;\r
            lastRxCounter += DMA_BUFFER_SIZE;\r
            PDC_RX_NEXT_POINTER(SSC_BASE) = (DWORD)upTo;\r
            PDC_RX_NEXT_COUNTER(SSC_BASE) = DMA_BUFFER_SIZE;\r
        }\r
\r
        samples += 4;\r
#define HANDLE_BIT_IF_BODY \\r
            LED_C_ON(); \\r
			if(triggered) { \\r
				trace[traceLen++] = ((rsamples >>  0) & 0xff); \\r
                trace[traceLen++] = ((rsamples >>  8) & 0xff); \\r
                trace[traceLen++] = ((rsamples >> 16) & 0xff); \\r
                trace[traceLen++] = ((rsamples >> 24) & 0xff); \\r
				trace[traceLen++] = ((Uart.parityBits >>  0) & 0xff); \\r
				trace[traceLen++] = ((Uart.parityBits >>  8) & 0xff); \\r
				trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff); \\r
				trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff); \\r
                trace[traceLen++] = Uart.byteCnt; \\r
                memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); \\r
                traceLen += Uart.byteCnt; \\r
                if(traceLen > TRACE_LENGTH) break; \\r
            } \\r
            /* And ready to receive another command. */ \\r
            Uart.state = STATE_UNSYNCD; \\r
            /* And also reset the demod code, which might have been */ \\r
            /* false-triggered by the commands from the reader. */ \\r
            Demod.state = DEMOD_UNSYNCD; \\r
			LED_B_OFF(); \\r
\r
		if(MillerDecoding((smpl & 0xF0) >> 4)) {\r
            rsamples = samples - Uart.samples;\r
			HANDLE_BIT_IF_BODY\r
        }\r
		if(ManchesterDecoding(smpl & 0x0F)) {\r
			rsamples = samples - Demod.samples;\r
			LED_B_ON();\r
\r
			// timestamp, as a count of samples\r
			trace[traceLen++] = ((rsamples >>  0) & 0xff);\r
			trace[traceLen++] = ((rsamples >>  8) & 0xff);\r
			trace[traceLen++] = ((rsamples >> 16) & 0xff);\r
			trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);\r
			trace[traceLen++] = ((Demod.parityBits >>  0) & 0xff);\r
			trace[traceLen++] = ((Demod.parityBits >>  8) & 0xff);\r
			trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);\r
			trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);\r
			// length\r
			trace[traceLen++] = Demod.len;\r
			memcpy(trace+traceLen, receivedResponse, Demod.len);\r
			traceLen += Demod.len;\r
			if(traceLen > TRACE_LENGTH) break;\r
\r
           	triggered = TRUE;\r
\r
            // And ready to receive another response.\r
            memset(&Demod, 0, sizeof(Demod));\r
            Demod.output = receivedResponse;\r
            Demod.state = DEMOD_UNSYNCD;\r
			LED_C_OFF();\r
		}\r
\r
        if(BUTTON_PRESS()) {\r
            DbpString("cancelled_a");\r
            goto done;\r
        }\r
    }\r
\r
    DbpString("COMMAND FINISHED");\r
\r
    DbpIntegers(maxBehindBy, Uart.state, Uart.byteCnt);\r
    DbpIntegers(Uart.byteCntMax, traceLen, (int)Uart.output[0]);\r
\r
done:\r
    PDC_CONTROL(SSC_BASE) = PDC_RX_DISABLE;\r
    DbpIntegers(maxBehindBy, Uart.state, Uart.byteCnt);\r
    DbpIntegers(Uart.byteCntMax, traceLen, (int)Uart.output[0]);\r
    LED_A_OFF();\r
    LED_B_OFF();\r
	LED_C_OFF();\r
	LED_D_OFF();\r
}\r
\r
// Prepare communication bits to send to FPGA\r
void Sequence(SecType seq)\r
{\r
	ToSendMax++;\r
	switch(seq) {\r
	// CARD TO READER\r
	case SEC_D:\r
		// Sequence D: 11110000\r
		// modulation with subcarrier during first half\r
        ToSend[ToSendMax] = 0xf0;\r
		break;\r
	case SEC_E:\r
		// Sequence E: 00001111\r
		// modulation with subcarrier during second half\r
        ToSend[ToSendMax] = 0x0f;\r
		break;\r
	case SEC_F:\r
		// Sequence F: 00000000\r
		// no modulation with subcarrier\r
        ToSend[ToSendMax] = 0x00;\r
		break;\r
	// READER TO CARD\r
	case SEC_X:\r
		// Sequence X: 00001100\r
		// drop after half a period\r
        ToSend[ToSendMax] = 0x0c;\r
		break;\r
	case SEC_Y:\r
	default:\r
		// Sequence Y: 00000000\r
		// no drop\r
        ToSend[ToSendMax] = 0x00;\r
		break;\r
	case SEC_Z:\r
		// Sequence Z: 11000000\r
		// drop at start\r
        ToSend[ToSendMax] = 0xc0;\r
		break;\r
	}\r
}\r
\r
//-----------------------------------------------------------------------------\r
// Prepare tag messages\r
//-----------------------------------------------------------------------------\r
static void CodeIso14443aAsTag(const BYTE *cmd, int len)\r
{\r
    int i;\r
	int oddparity;\r
\r
    ToSendReset();\r
\r
	// Correction bit, might be removed when not needed\r
	ToSendStuffBit(0);\r
	ToSendStuffBit(0);\r
	ToSendStuffBit(0);\r
	ToSendStuffBit(0);\r
	ToSendStuffBit(1);  // 1\r
	ToSendStuffBit(0);\r
	ToSendStuffBit(0);\r
	ToSendStuffBit(0);\r
\r
	// Send startbit\r
	Sequence(SEC_D);\r
\r
    for(i = 0; i < len; i++) {\r
        int j;\r
        BYTE b = cmd[i];\r
\r
		// Data bits\r
        oddparity = 0x01;\r
		for(j = 0; j < 8; j++) {\r
            oddparity ^= (b & 1);\r
			if(b & 1) {\r
				Sequence(SEC_D);\r
			} else {\r
				Sequence(SEC_E);\r
            }\r
            b >>= 1;\r
        }\r
\r
        // Parity bit\r
        if(oddparity) {\r
			Sequence(SEC_D);\r
		} else {\r
			Sequence(SEC_E);\r
		}\r
    }\r
\r
    // Send stopbit\r
	Sequence(SEC_F);\r
\r
	// Flush the buffer in FPGA!!\r
	for(i = 0; i < 5; i++) {\r
		Sequence(SEC_F);\r
	}\r
\r
    // Convert from last byte pos to length\r
    ToSendMax++;\r
\r
    // Add a few more for slop\r
    ToSend[ToSendMax++] = 0x00;\r
	ToSend[ToSendMax++] = 0x00;\r
    //ToSendMax += 2;\r
}\r
\r
//-----------------------------------------------------------------------------\r
// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4\r
//-----------------------------------------------------------------------------\r
static void CodeStrangeAnswer()\r
{\r
	int i;\r
\r
    ToSendReset();\r
\r
	// Correction bit, might be removed when not needed\r
	ToSendStuffBit(0);\r
	ToSendStuffBit(0);\r
	ToSendStuffBit(0);\r
	ToSendStuffBit(0);\r
	ToSendStuffBit(1);  // 1\r
	ToSendStuffBit(0);\r
	ToSendStuffBit(0);\r
	ToSendStuffBit(0);\r
\r
	// Send startbit\r
	Sequence(SEC_D);\r
\r
	// 0\r
	Sequence(SEC_E);\r
\r
	// 0\r
	Sequence(SEC_E);\r
\r
	// 1\r
	Sequence(SEC_D);\r
\r
    // Send stopbit\r
	Sequence(SEC_F);\r
\r
	// Flush the buffer in FPGA!!\r
	for(i = 0; i < 5; i++) {\r
		Sequence(SEC_F);\r
	}\r
\r
    // Convert from last byte pos to length\r
    ToSendMax++;\r
\r
    // Add a few more for slop\r
    ToSend[ToSendMax++] = 0x00;\r
	ToSend[ToSendMax++] = 0x00;\r
    //ToSendMax += 2;\r
}\r
\r
//-----------------------------------------------------------------------------\r
// Wait for commands from reader\r
// Stop when button is pressed\r
// Or return TRUE when command is captured\r
//-----------------------------------------------------------------------------\r
static BOOL GetIso14443aCommandFromReader(BYTE *received, int *len, int maxLen)\r
{\r
    // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen\r
    // only, since we are receiving, not transmitting).\r
    // Signal field is off with the appropriate LED\r
    LED_D_OFF();\r
    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);\r
\r
    // Now run a `software UART' on the stream of incoming samples.\r
    Uart.output = received;\r
    Uart.byteCntMax = maxLen;\r
    Uart.state = STATE_UNSYNCD;\r
\r
    for(;;) {\r
        WDT_HIT();\r
\r
        if(BUTTON_PRESS()) return FALSE;\r
\r
        if(SSC_STATUS & (SSC_STATUS_TX_READY)) {\r
            SSC_TRANSMIT_HOLDING = 0x00;\r
        }\r
        if(SSC_STATUS & (SSC_STATUS_RX_READY)) {\r
            BYTE b = (BYTE)SSC_RECEIVE_HOLDING;\r
			if(MillerDecoding((b & 0xf0) >> 4)) {\r
				*len = Uart.byteCnt;\r
				return TRUE;\r
			}\r
			if(MillerDecoding(b & 0x0f)) {\r
				*len = Uart.byteCnt;\r
				return TRUE;\r
			}\r
        }\r
    }\r
}\r
\r
//-----------------------------------------------------------------------------\r
// Main loop of simulated tag: receive commands from reader, decide what\r
// response to send, and send it.\r
//-----------------------------------------------------------------------------\r
void SimulateIso14443aTag(int tagType, int TagUid)\r
{\r
	// This function contains the tag emulation\r
\r
	// Prepare protocol messages\r
    // static const BYTE cmd1[] = { 0x26 };\r
//     static const BYTE response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg\r
//\r
	static const BYTE response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me\r
//	static const BYTE response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me\r
\r
	// UID response\r
    // static const BYTE cmd2[] = { 0x93, 0x20 };\r
    //static const BYTE response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg\r
\r
\r
\r
// my desfire\r
    static const BYTE response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips\r
\r
\r
// When reader selects us during cascade1 it will send cmd3\r
//BYTE response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)\r
BYTE response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)\r
ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);\r
\r
// send cascade2 2nd half of UID\r
static const BYTE response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; //  uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck\r
// NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID\r
\r
\r
// When reader selects us during cascade2 it will send cmd3a\r
//BYTE response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)\r
BYTE response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)\r
ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);\r
\r
    static const BYTE response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce\r
\r
    BYTE *resp;\r
    int respLen;\r
\r
    // Longest possible response will be 16 bytes + 2 CRC = 18 bytes\r
	// This will need\r
	//    144        data bits (18 * 8)\r
	//     18        parity bits\r
	//      2        Start and stop\r
	//      1        Correction bit (Answer in 1172 or 1236 periods, see FPGA)\r
	//      1        just for the case\r
	// ----------- +\r
	//    166\r
	//\r
	// 166 bytes, since every bit that needs to be send costs us a byte\r
	//\r
\r
\r
    // Respond with card type\r
    BYTE *resp1 = (((BYTE *)BigBuf) + 800);\r
    int resp1Len;\r
\r
    // Anticollision cascade1 - respond with uid\r
    BYTE *resp2 = (((BYTE *)BigBuf) + 970);\r
    int resp2Len;\r
\r
    // Anticollision cascade2 - respond with 2nd half of uid if asked\r
    // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88\r
    BYTE *resp2a = (((BYTE *)BigBuf) + 1140);\r
    int resp2aLen;\r
\r
    // Acknowledge select - cascade 1\r
    BYTE *resp3 = (((BYTE *)BigBuf) + 1310);\r
    int resp3Len;\r
\r
    // Acknowledge select - cascade 2\r
    BYTE *resp3a = (((BYTE *)BigBuf) + 1480);\r
    int resp3aLen;\r
\r
    // Response to a read request - not implemented atm\r
    BYTE *resp4 = (((BYTE *)BigBuf) + 1550);\r
    int resp4Len;\r
\r
    // Authenticate response - nonce\r
    BYTE *resp5 = (((BYTE *)BigBuf) + 1720);\r
    int resp5Len;\r
\r
    BYTE *receivedCmd = (BYTE *)BigBuf;\r
    int len;\r
\r
    int i;\r
	int u;\r
	BYTE b;\r
\r
	// To control where we are in the protocol\r
	int order = 0;\r
	int lastorder;\r
\r
	// Just to allow some checks\r
	int happened = 0;\r
	int happened2 = 0;\r
\r
    int cmdsRecvd = 0;\r
\r
	BOOL fdt_indicator;\r
\r
    memset(receivedCmd, 0x44, 400);\r
\r
	// Prepare the responses of the anticollision phase\r
	// there will be not enough time to do this at the moment the reader sends it REQA\r
\r
	// Answer to request\r
	CodeIso14443aAsTag(response1, sizeof(response1));\r
    memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;\r
\r
	// Send our UID (cascade 1)\r
	CodeIso14443aAsTag(response2, sizeof(response2));\r
    memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;\r
\r
	// Answer to select (cascade1)\r
	CodeIso14443aAsTag(response3, sizeof(response3));\r
    memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;\r
\r
	// Send the cascade 2 2nd part of the uid\r
	CodeIso14443aAsTag(response2a, sizeof(response2a));\r
    memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;\r
\r
	// Answer to select (cascade 2)\r
	CodeIso14443aAsTag(response3a, sizeof(response3a));\r
    memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;\r
\r
	// Strange answer is an example of rare message size (3 bits)\r
	CodeStrangeAnswer();\r
	memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;\r
\r
	// Authentication answer (random nonce)\r
	CodeIso14443aAsTag(response5, sizeof(response5));\r
    memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;\r
\r
    // We need to listen to the high-frequency, peak-detected path.\r
    SetAdcMuxFor(GPIO_MUXSEL_HIPKD);\r
    FpgaSetupSsc();\r
\r
    cmdsRecvd = 0;\r
\r
    LED_A_ON();\r
	for(;;) {\r
\r
		if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {\r
            DbpString("button press");\r
            break;\r
        }\r
	// doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated\r
        // Okay, look at the command now.\r
        lastorder = order;\r
		i = 1; // first byte transmitted\r
        if(receivedCmd[0] == 0x26) {\r
			// Received a REQUEST\r
			resp = resp1; respLen = resp1Len; order = 1;\r
			//DbpString("Hello request from reader:");\r
		} else if(receivedCmd[0] == 0x52) {\r
			// Received a WAKEUP\r
			resp = resp1; respLen = resp1Len; order = 6;\r
//			//DbpString("Wakeup request from reader:");\r
\r
		} else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) {	// greg - cascade 1 anti-collision\r
			// Received request for UID (cascade 1)\r
			resp = resp2; respLen = resp2Len; order = 2;\r
//			DbpString("UID (cascade 1) request from reader:");\r
//			DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);\r
\r
\r
		} else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) {	// greg - cascade 2 anti-collision\r
			// Received request for UID (cascade 2)\r
			resp = resp2a; respLen = resp2aLen; order = 20;\r
//			DbpString("UID (cascade 2) request from reader:");\r
//			DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);\r
\r
\r
		} else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) {	// greg - cascade 1 select\r
			// Received a SELECT\r
			resp = resp3; respLen = resp3Len; order = 3;\r
//			DbpString("Select (cascade 1) request from reader:");\r
//			DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);\r
\r
\r
		} else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) {	// greg - cascade 2 select\r
			// Received a SELECT\r
			resp = resp3a; respLen = resp3aLen; order = 30;\r
//			DbpString("Select (cascade 2) request from reader:");\r
//			DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);\r
\r
\r
		} else if(receivedCmd[0] == 0x30) {\r
			// Received a READ\r
			resp = resp4; respLen = resp4Len; order = 4; // Do nothing\r
			DbpString("Read request from reader:");\r
			DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);\r
\r
\r
		} else if(receivedCmd[0] == 0x50) {\r
			// Received a HALT\r
			resp = resp1; respLen = 0; order = 5; // Do nothing\r
			DbpString("Reader requested we HALT!:");\r
\r
		} else if(receivedCmd[0] == 0x60) {\r
			// Received an authentication request\r
			resp = resp5; respLen = resp5Len; order = 7;\r
			DbpString("Authenticate request from reader:");\r
			DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);\r
\r
		} else if(receivedCmd[0] == 0xE0) {\r
			// Received a RATS request\r
			resp = resp1; respLen = 0;order = 70;\r
			DbpString("RATS request from reader:");\r
			DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);\r
        } else {\r
            // Never seen this command before\r
			DbpString("Unknown command received from reader:");\r
			DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);\r
			DbpIntegers(receivedCmd[3], receivedCmd[4], receivedCmd[5]);\r
			DbpIntegers(receivedCmd[6], receivedCmd[7], receivedCmd[8]);\r
\r
			// Do not respond\r
			resp = resp1; respLen = 0; order = 0;\r
        }\r
\r
		// Count number of wakeups received after a halt\r
		if(order == 6 && lastorder == 5) { happened++; }\r
\r
		// Count number of other messages after a halt\r
		if(order != 6 && lastorder == 5) { happened2++; }\r
\r
		// Look at last parity bit to determine timing of answer\r
		if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {\r
			// 1236, so correction bit needed\r
			i = 0;\r
		}\r
\r
        memset(receivedCmd, 0x44, 32);\r
\r
		if(cmdsRecvd > 999) {\r
			DbpString("1000 commands later...");\r
            break;\r
        }\r
		else {\r
			cmdsRecvd++;\r
		}\r
\r
        if(respLen <= 0) continue;\r
\r
        // Modulate Manchester\r
		FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);\r
        SSC_TRANSMIT_HOLDING = 0x00;\r
        FpgaSetupSsc();\r
\r
		// ### Transmit the response ###\r
		u = 0;\r
		b = 0x00;\r
		fdt_indicator = FALSE;\r
        for(;;) {\r
            if(SSC_STATUS & (SSC_STATUS_RX_READY)) {\r
				volatile BYTE b = (BYTE)SSC_RECEIVE_HOLDING;\r
                (void)b;\r
            }\r
            if(SSC_STATUS & (SSC_STATUS_TX_READY)) {\r
				if(i > respLen) {\r
					b = 0x00;\r
					u++;\r
				} else {\r
					b = resp[i];\r
					i++;\r
				}\r
				SSC_TRANSMIT_HOLDING = b;\r
\r
                if(u > 4) {\r
                    break;\r
                }\r
            }\r
			if(BUTTON_PRESS()) {\r
			    break;\r
			}\r
        }\r
\r
    }\r
\r
	DbpIntegers(happened, happened2, cmdsRecvd);\r
	LED_A_OFF();\r
}\r
\r
//-----------------------------------------------------------------------------\r
// Transmit the command (to the tag) that was placed in ToSend[].\r
//-----------------------------------------------------------------------------\r
static void TransmitFor14443a(const BYTE *cmd, int len, int *samples, int *wait)\r
{\r
    int c;\r
\r
    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);\r
\r
	if(*wait < 10) { *wait = 10; }\r
\r
    for(c = 0; c < *wait;) {\r
        if(SSC_STATUS & (SSC_STATUS_TX_READY)) {\r
            SSC_TRANSMIT_HOLDING = 0x00;		// For exact timing!\r
            c++;\r
        }\r
        if(SSC_STATUS & (SSC_STATUS_RX_READY)) {\r
            volatile DWORD r = SSC_RECEIVE_HOLDING;\r
            (void)r;\r
        }\r
        WDT_HIT();\r
    }\r
\r
    c = 0;\r
    for(;;) {\r
        if(SSC_STATUS & (SSC_STATUS_TX_READY)) {\r
            SSC_TRANSMIT_HOLDING = cmd[c];\r
            c++;\r
            if(c >= len) {\r
                break;\r
            }\r
        }\r
        if(SSC_STATUS & (SSC_STATUS_RX_READY)) {\r
            volatile DWORD r = SSC_RECEIVE_HOLDING;\r
            (void)r;\r
        }\r
        WDT_HIT();\r
    }\r
	*samples = (c + *wait) << 3;\r
}\r
\r
//-----------------------------------------------------------------------------\r
// To generate an arbitrary stream from reader\r
//\r
//-----------------------------------------------------------------------------\r
void ArbitraryFromReader(const BYTE *cmd, int parity, int len)\r
{\r
	int i;\r
	int j;\r
	int last;\r
    BYTE b;\r
\r
	ToSendReset();\r
\r
	// Start of Communication (Seq. Z)\r
	Sequence(SEC_Z);\r
	last = 0;\r
\r
	for(i = 0; i < len; i++) {\r
        // Data bits\r
        b = cmd[i];\r
		for(j = 0; j < 8; j++) {\r
			if(b & 1) {\r
				// Sequence X\r
				Sequence(SEC_X);\r
				last = 1;\r
			} else {\r
				if(last == 0) {\r
					// Sequence Z\r
					Sequence(SEC_Z);\r
				}\r
				else {\r
					// Sequence Y\r
					Sequence(SEC_Y);\r
					last = 0;\r
				}\r
			}\r
			b >>= 1;\r
\r
		}\r
\r
		// Predefined parity bit, the flipper flips when needed, because of flips in byte sent\r
		if(((parity >> (len - i - 1)) & 1)) {\r
			// Sequence X\r
			Sequence(SEC_X);\r
			last = 1;\r
		} else {\r
			if(last == 0) {\r
				// Sequence Z\r
				Sequence(SEC_Z);\r
			}\r
			else {\r
				// Sequence Y\r
				Sequence(SEC_Y);\r
				last = 0;\r
			}\r
		}\r
	}\r
\r
	// End of Communication\r
	if(last == 0) {\r
		// Sequence Z\r
		Sequence(SEC_Z);\r
	}\r
	else {\r
		// Sequence Y\r
		Sequence(SEC_Y);\r
		last = 0;\r
	}\r
	// Sequence Y\r
	Sequence(SEC_Y);\r
\r
	// Just to be sure!\r
	Sequence(SEC_Y);\r
	Sequence(SEC_Y);\r
	Sequence(SEC_Y);\r
\r
    // Convert from last character reference to length\r
    ToSendMax++;\r
}\r
\r
//-----------------------------------------------------------------------------\r
// Code a 7-bit command without parity bit\r
// This is especially for 0x26 and 0x52 (REQA and WUPA)\r
//-----------------------------------------------------------------------------\r
void ShortFrameFromReader(const BYTE *cmd)\r
{\r
	int j;\r
	int last;\r
    BYTE b;\r
\r
	ToSendReset();\r
\r
	// Start of Communication (Seq. Z)\r
	Sequence(SEC_Z);\r
	last = 0;\r
\r
	b = cmd[0];\r
	for(j = 0; j < 7; j++) {\r
		if(b & 1) {\r
			// Sequence X\r
			Sequence(SEC_X);\r
			last = 1;\r
		} else {\r
			if(last == 0) {\r
				// Sequence Z\r
				Sequence(SEC_Z);\r
			}\r
			else {\r
				// Sequence Y\r
				Sequence(SEC_Y);\r
				last = 0;\r
			}\r
		}\r
		b >>= 1;\r
	}\r
\r
	// End of Communication\r
	if(last == 0) {\r
		// Sequence Z\r
		Sequence(SEC_Z);\r
	}\r
	else {\r
		// Sequence Y\r
		Sequence(SEC_Y);\r
		last = 0;\r
	}\r
	// Sequence Y\r
	Sequence(SEC_Y);\r
\r
	// Just to be sure!\r
	Sequence(SEC_Y);\r
	Sequence(SEC_Y);\r
	Sequence(SEC_Y);\r
\r
    // Convert from last character reference to length\r
    ToSendMax++;\r
}\r
\r
//-----------------------------------------------------------------------------\r
// Prepare reader command to send to FPGA\r
//\r
//-----------------------------------------------------------------------------\r
void CodeIso14443aAsReader(const BYTE *cmd, int len)\r
{\r
    int i, j;\r
	int last;\r
	int oddparity;\r
    BYTE b;\r
\r
    ToSendReset();\r
\r
	// Start of Communication (Seq. Z)\r
	Sequence(SEC_Z);\r
	last = 0;\r
\r
	for(i = 0; i < len; i++) {\r
        // Data bits\r
        b = cmd[i];\r
        oddparity = 0x01;\r
        for(j = 0; j < 8; j++) {\r
            oddparity ^= (b & 1);\r
            if(b & 1) {\r
				// Sequence X\r
				Sequence(SEC_X);\r
				last = 1;\r
            } else {\r
                if(last == 0) {\r
					// Sequence Z\r
					Sequence(SEC_Z);\r
				}\r
				else {\r
					// Sequence Y\r
					Sequence(SEC_Y);\r
					last = 0;\r
				}\r
            }\r
            b >>= 1;\r
        }\r
\r
		// Parity bit\r
		if(oddparity) {\r
			// Sequence X\r
			Sequence(SEC_X);\r
			last = 1;\r
		} else {\r
			if(last == 0) {\r
				// Sequence Z\r
				Sequence(SEC_Z);\r
			}\r
			else {\r
				// Sequence Y\r
				Sequence(SEC_Y);\r
				last = 0;\r
			}\r
		}\r
    }\r
\r
	// End of Communication\r
	if(last == 0) {\r
		// Sequence Z\r
		Sequence(SEC_Z);\r
	}\r
	else {\r
		// Sequence Y\r
		Sequence(SEC_Y);\r
		last = 0;\r
	}\r
	// Sequence Y\r
	Sequence(SEC_Y);\r
\r
	// Just to be sure!\r
	Sequence(SEC_Y);\r
	Sequence(SEC_Y);\r
	Sequence(SEC_Y);\r
\r
    // Convert from last character reference to length\r
    ToSendMax++;\r
}\r
\r
\r
//-----------------------------------------------------------------------------\r
// Wait a certain time for tag response\r
//  If a response is captured return TRUE\r
//  If it takes to long return FALSE\r
//-----------------------------------------------------------------------------\r
static BOOL GetIso14443aAnswerFromTag(BYTE *receivedResponse, int maxLen, int *samples, int *elapsed) //BYTE *buffer\r
{\r
	// buffer needs to be 512 bytes\r
	int c;\r
\r
	// Set FPGA mode to "reader listen mode", no modulation (listen\r
    // only, since we are receiving, not transmitting).\r
    // Signal field is on with the appropriate LED\r
    LED_D_ON();\r
    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
    // Now get the answer from the card\r
    Demod.output = receivedResponse;\r
    Demod.len = 0;\r
    Demod.state = DEMOD_UNSYNCD;\r
\r
	BYTE b;\r
	*elapsed = 0;\r
\r
	c = 0;\r
	for(;;) {\r
        WDT_HIT();\r
\r
        if(SSC_STATUS & (SSC_STATUS_TX_READY)) {\r
            SSC_TRANSMIT_HOLDING = 0x00;  // To make use of exact timing of next command from reader!!\r
			(*elapsed)++;\r
        }\r
        if(SSC_STATUS & (SSC_STATUS_RX_READY)) {\r
			if(c < 512) { c++; } else { return FALSE; }\r
            b = (BYTE)SSC_RECEIVE_HOLDING;\r
			if(ManchesterDecoding((b & 0xf0) >> 4)) {\r
				*samples = ((c - 1) << 3) + 4;\r
				return TRUE;\r
			}\r
			if(ManchesterDecoding(b & 0x0f)) {\r
				*samples = c << 3;\r
				return TRUE;\r
			}\r
        }\r
    }\r
}\r
\r
//-----------------------------------------------------------------------------\r
// Read an ISO 14443a tag. Send out commands and store answers.\r
//\r
//-----------------------------------------------------------------------------\r
void ReaderIso14443a(DWORD parameter)\r
{\r
	// Anticollision\r
	static const BYTE cmd1[]       = { 0x52 }; // or 0x26\r
	static const BYTE cmd2[]       = { 0x93,0x20 };\r
	// UID = 0x2a,0x69,0x8d,0x43,0x8d, last two bytes are CRC bytes\r
	BYTE cmd3[] = { 0x93,0x70,0x2a,0x69,0x8d,0x43,0x8d,0x52,0x55 };\r
\r
	// For Ultralight add an extra anticollission layer -> 95 20 and then 95 70\r
\r
	// greg - here we will add our cascade level 2 anticolission and select functions to deal with ultralight 		// and 7-byte UIDs in generall...\r
	BYTE cmd4[] = {0x95,0x20};	// ask for cascade 2 select\r
	// 95 20\r
	//BYTE cmd3a[] = { 0x95,0x70,0x2a,0x69,0x8d,0x43,0x8d,0x52,0x55 };\r
	// 95 70\r
\r
	// cascade 2 select\r
	BYTE cmd5[] = { 0x95,0x70,0x2a,0x69,0x8d,0x43,0x8d,0x52,0x55 };\r
\r
\r
	// RATS (request for answer to select)\r
	//BYTE cmd6[] = { 0xe0,0x50,0xbc,0xa5 };  // original RATS\r
	BYTE cmd6[] = { 0xe0,0x21,0xb2,0xc7 };  // Desfire RATS\r
\r
	// Mifare AUTH\r
	BYTE cmd7[] = { 0x60, 0x00, 0x00, 0x00 };\r
\r
	int reqaddr = 2024;					// was 2024 - tied to other size changes\r
	int reqsize = 60;\r
\r
	BYTE *req1 = (((BYTE *)BigBuf) + reqaddr);\r
    int req1Len;\r
\r
    BYTE *req2 = (((BYTE *)BigBuf) + reqaddr + reqsize);\r
    int req2Len;\r
\r
    BYTE *req3 = (((BYTE *)BigBuf) + reqaddr + (reqsize * 2));\r
    int req3Len;\r
\r
// greg added req 4 & 5 to deal with cascade 2 section\r
    BYTE *req4 = (((BYTE *)BigBuf) + reqaddr + (reqsize * 3));\r
    int req4Len;\r
\r
    BYTE *req5 = (((BYTE *)BigBuf) + reqaddr + (reqsize * 4));\r
    int req5Len;\r
\r
    BYTE *req6 = (((BYTE *)BigBuf) + reqaddr + (reqsize * 5));\r
    int req6Len;\r
\r
    BYTE *req7 = (((BYTE *)BigBuf) + reqaddr + (reqsize * 6));\r
    int req7Len;\r
\r
	BYTE *receivedAnswer = (((BYTE *)BigBuf) + 3560);	// was 3560 - tied to other size changes\r
\r
	BYTE *trace = (BYTE *)BigBuf;\r
	int traceLen = 0;\r
	int rsamples = 0;\r
\r
	memset(trace, 0x44, 2000);				// was 2000 - tied to oter size chnages\r
	// setting it to 3000 causes no tag responses to be detected (2900 is ok)\r
	// setting it to 1000 causes no tag responses to be detected\r
\r
	// Prepare some commands!\r
    ShortFrameFromReader(cmd1);\r
    memcpy(req1, ToSend, ToSendMax); req1Len = ToSendMax;\r
\r
	CodeIso14443aAsReader(cmd2, sizeof(cmd2));\r
    memcpy(req2, ToSend, ToSendMax); req2Len = ToSendMax;\r
\r
	CodeIso14443aAsReader(cmd3, sizeof(cmd3));\r
    memcpy(req3, ToSend, ToSendMax); req3Len = ToSendMax;\r
\r
\r
	CodeIso14443aAsReader(cmd4, sizeof(cmd4));		// 4 is cascade 2 request\r
    memcpy(req4, ToSend, ToSendMax); req4Len = ToSendMax;\r
\r
\r
	CodeIso14443aAsReader(cmd5, sizeof(cmd5));	// 5 is cascade 2 select\r
    memcpy(req5, ToSend, ToSendMax); req5Len = ToSendMax;\r
\r
\r
	CodeIso14443aAsReader(cmd6, sizeof(cmd6));\r
    memcpy(req6, ToSend, ToSendMax); req6Len = ToSendMax;\r
\r
	// Setup SSC\r
	FpgaSetupSsc();\r
\r
	// Start from off (no field generated)\r
    // Signal field is off with the appropriate LED\r
    LED_D_OFF();\r
    FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
    SpinDelay(200);\r
\r
    SetAdcMuxFor(GPIO_MUXSEL_HIPKD);\r
    FpgaSetupSsc();\r
\r
	// Now give it time to spin up.\r
    // Signal field is on with the appropriate LED\r
    LED_D_ON();\r
    FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);\r
	SpinDelay(200);\r
\r
	LED_A_ON();\r
	LED_B_OFF();\r
	LED_C_OFF();\r
\r
	int samples = 0;\r
	int tsamples = 0;\r
	int wait = 0;\r
	int elapsed = 0;\r
\r
	for(;;) {\r
		// Send WUPA (or REQA)\r
		TransmitFor14443a(req1, req1Len, &tsamples, &wait);\r
		// Store answer in buffer\r
		trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0;\r
		trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0;\r
		trace[traceLen++] = 1;\r
		memcpy(trace+traceLen, cmd1, 1);\r
		traceLen += 1;\r
		if(traceLen > TRACE_LENGTH) goto done;\r
\r
		while(!GetIso14443aAnswerFromTag(receivedAnswer, 100, &samples, &elapsed)) {\r
			if(BUTTON_PRESS()) goto done;\r
\r
			// No answer, just continue polling\r
			TransmitFor14443a(req1, req1Len, &tsamples, &wait);\r
			// Store answer in buffer\r
			trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0;\r
			trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0;\r
			trace[traceLen++] = 1;\r
			memcpy(trace+traceLen, cmd1, 1);\r
			traceLen += 1;\r
			if(traceLen > TRACE_LENGTH) goto done;\r
		}\r
\r
		// Store answer in buffer\r
		rsamples = rsamples + (samples - Demod.samples);\r
		trace[traceLen++] = ((rsamples >>  0) & 0xff);\r
		trace[traceLen++] = ((rsamples >>  8) & 0xff);\r
		trace[traceLen++] = ((rsamples >> 16) & 0xff);\r
		trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >>  0) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >>  8) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);\r
		trace[traceLen++] = Demod.len;\r
		memcpy(trace+traceLen, receivedAnswer, Demod.len);\r
		traceLen += Demod.len;\r
		if(traceLen > TRACE_LENGTH) goto done;\r
\r
		// Ask for card UID\r
		TransmitFor14443a(req2, req2Len, &tsamples, &wait);\r
		// Store answer in buffer\r
		trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0;\r
		trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0;\r
		trace[traceLen++] = 2;\r
		memcpy(trace+traceLen, cmd2, 2);\r
		traceLen += 2;\r
		if(traceLen > TRACE_LENGTH) goto done;\r
\r
		if(!GetIso14443aAnswerFromTag(receivedAnswer, 100, &samples, &elapsed)) {\r
			continue;\r
		}\r
\r
		// Store answer in buffer\r
		rsamples = rsamples + (samples - Demod.samples);\r
		trace[traceLen++] = ((rsamples >>  0) & 0xff);\r
		trace[traceLen++] = ((rsamples >>  8) & 0xff);\r
		trace[traceLen++] = ((rsamples >> 16) & 0xff);\r
		trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >>  0) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >>  8) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);\r
		trace[traceLen++] = Demod.len;\r
		memcpy(trace+traceLen, receivedAnswer, Demod.len);\r
		traceLen += Demod.len;\r
		if(traceLen > TRACE_LENGTH) goto done;\r
\r
		// Construct SELECT UID command\r
		// First copy the 5 bytes (Mifare Classic) after the 93 70\r
		memcpy(cmd3+2,receivedAnswer,5);\r
		// Secondly compute the two CRC bytes at the end\r
		ComputeCrc14443(CRC_14443_A, cmd3, 7, &cmd3[7], &cmd3[8]);\r
		// Prepare the bit sequence to modulate the subcarrier\r
		// Store answer in buffer\r
		trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0;\r
		trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0;\r
		trace[traceLen++] = 9;\r
		memcpy(trace+traceLen, cmd3, 9);\r
		traceLen += 9;\r
		if(traceLen > TRACE_LENGTH) goto done;\r
		CodeIso14443aAsReader(cmd3, sizeof(cmd3));\r
		memcpy(req3, ToSend, ToSendMax); req3Len = ToSendMax;\r
\r
		// Select the card\r
		TransmitFor14443a(req3, req3Len, &samples, &wait);\r
		if(!GetIso14443aAnswerFromTag(receivedAnswer, 100, &samples, &elapsed)) {\r
			continue;\r
		}\r
\r
		// Store answer in buffer\r
		rsamples = rsamples + (samples - Demod.samples);\r
		trace[traceLen++] = ((rsamples >>  0) & 0xff);\r
		trace[traceLen++] = ((rsamples >>  8) & 0xff);\r
		trace[traceLen++] = ((rsamples >> 16) & 0xff);\r
		trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >>  0) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >>  8) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);\r
		trace[traceLen++] = Demod.len;\r
		memcpy(trace+traceLen, receivedAnswer, Demod.len);\r
		traceLen += Demod.len;\r
		if(traceLen > TRACE_LENGTH) goto done;\r
\r
// OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in\r
// which case we need to make a cascade 2 request and select - this is a long UID\r
		if (receivedAnswer[0] == 0x88)\r
		{\r
		// Do cascade level 2 stuff\r
		///////////////////////////////////////////////////////////////////\r
		// First issue a '95 20' identify request\r
		// Ask for card UID (part 2)\r
		TransmitFor14443a(req4, req4Len, &tsamples, &wait);\r
		// Store answer in buffer\r
		trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0;\r
		trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0;\r
		trace[traceLen++] = 2;\r
		memcpy(trace+traceLen, cmd4, 2);\r
		traceLen += 2;\r
		if(traceLen > TRACE_LENGTH) {\r
		DbpString("Bugging out, just popped tracelength");\r
		goto done;}\r
\r
		if(!GetIso14443aAnswerFromTag(receivedAnswer, 100, &samples, &elapsed)) {\r
			continue;\r
		}\r
		// Store answer in buffer\r
		rsamples = rsamples + (samples - Demod.samples);\r
		trace[traceLen++] = ((rsamples >>  0) & 0xff);\r
		trace[traceLen++] = ((rsamples >>  8) & 0xff);\r
		trace[traceLen++] = ((rsamples >> 16) & 0xff);\r
		trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >>  0) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >>  8) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);\r
		trace[traceLen++] = Demod.len;\r
		memcpy(trace+traceLen, receivedAnswer, Demod.len);\r
		traceLen += Demod.len;\r
		if(traceLen > TRACE_LENGTH) goto done;\r
		//////////////////////////////////////////////////////////////////\r
		// Then Construct SELECT UID (cascasde 2) command\r
		DbpString("Just about to copy the UID out of the cascade 2 id req");\r
		// First copy the 5 bytes (Mifare Classic) after the 95 70\r
		memcpy(cmd5+2,receivedAnswer,5);\r
		// Secondly compute the two CRC bytes at the end\r
		ComputeCrc14443(CRC_14443_A, cmd4, 7, &cmd5[7], &cmd5[8]);\r
		// Prepare the bit sequence to modulate the subcarrier\r
		// Store answer in buffer\r
		trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0;\r
		trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0;\r
		trace[traceLen++] = 9;\r
		memcpy(trace+traceLen, cmd5, 9);\r
		traceLen += 9;\r
		if(traceLen > TRACE_LENGTH) goto done;\r
		CodeIso14443aAsReader(cmd5, sizeof(cmd5));\r
		memcpy(req5, ToSend, ToSendMax); req5Len = ToSendMax;\r
\r
		// Select the card\r
		TransmitFor14443a(req4, req4Len, &samples, &wait);\r
		if(!GetIso14443aAnswerFromTag(receivedAnswer, 100, &samples, &elapsed)) {\r
			continue;\r
		}\r
\r
		// Store answer in buffer\r
		rsamples = rsamples + (samples - Demod.samples);\r
		trace[traceLen++] = ((rsamples >>  0) & 0xff);\r
		trace[traceLen++] = ((rsamples >>  8) & 0xff);\r
		trace[traceLen++] = ((rsamples >> 16) & 0xff);\r
		trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >>  0) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >>  8) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);\r
		trace[traceLen++] = Demod.len;\r
		memcpy(trace+traceLen, receivedAnswer, Demod.len);\r
		traceLen += Demod.len;\r
		if(traceLen > TRACE_LENGTH) goto done;\r
\r
		}\r
\r
		// Secondly compute the two CRC bytes at the end\r
		ComputeCrc14443(CRC_14443_A, cmd7, 2, &cmd7[2], &cmd7[3]);\r
		CodeIso14443aAsReader(cmd7, sizeof(cmd7));\r
		memcpy(req7, ToSend, ToSendMax); req7Len = ToSendMax;\r
		// Send authentication request (Mifare Classic)\r
		TransmitFor14443a(req7, req7Len, &samples, &wait);\r
		trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0;\r
		trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0; trace[traceLen++] = 0;\r
		trace[traceLen++] = 4;\r
		memcpy(trace+traceLen, cmd7, 4);\r
		traceLen += 4;\r
		if(traceLen > TRACE_LENGTH) goto done;\r
		if(GetIso14443aAnswerFromTag(receivedAnswer, 100, &samples, &elapsed)) {\r
			rsamples++;\r
			// We received probably a random, continue and trace!\r
		}\r
		else {\r
			// Received nothing\r
			continue;\r
		}\r
\r
		// Trace the random, i'm curious\r
		rsamples = rsamples + (samples - Demod.samples);\r
		trace[traceLen++] = ((rsamples >>  0) & 0xff);\r
		trace[traceLen++] = ((rsamples >>  8) & 0xff);\r
		trace[traceLen++] = ((rsamples >> 16) & 0xff);\r
		trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >>  0) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >>  8) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);\r
		trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);\r
		trace[traceLen++] = Demod.len;\r
		memcpy(trace+traceLen, receivedAnswer, Demod.len);\r
		traceLen += Demod.len;\r
		if(traceLen > TRACE_LENGTH) goto done;\r
\r
		// Thats it...\r
	}\r
\r
done:\r
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
	LEDsoff();\r
	DbpIntegers(rsamples, 0xCC, 0xCC);\r
	DbpString("ready..");\r
}\r