]> cvs.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iclass.c
fixed assignment vs. equals operator (issue 35)
[proxmark3-svn] / armsrc / iclass.c
CommitLineData
cee5a30d 1//-----------------------------------------------------------------------------
2// Gerhard de Koning Gans - May 2008
3// Hagen Fritsch - June 2010
4// Gerhard de Koning Gans - May 2011
5//
6// This code is licensed to you under the terms of the GNU GPL, version 2 or,
7// at your option, any later version. See the LICENSE.txt file for the text of
8// the license.
9//-----------------------------------------------------------------------------
10// Routines to support iClass.
11//-----------------------------------------------------------------------------
12// Based on ISO14443a implementation. Still in experimental phase.
13// Contribution made during a security research at Radboud University Nijmegen
14//
15// Please feel free to contribute and extend iClass support!!
16//-----------------------------------------------------------------------------
17//
18// TODO:
19// =====
20// - iClass emulation
21// - reader emulation
22//
23// FIX:
24// ====
25// We still have sometimes a demodulation error when snooping iClass communication.
26// The resulting trace of a read-block-03 command may look something like this:
27//
28// + 22279: : 0c 03 e8 01
29//
30// ...with an incorrect answer...
31//
32// + 85: 0: TAG ff! ff! ff! ff! ff! ff! ff! ff! bb 33 bb 00 01! 0e! 04! bb !crc
33//
34// We still left the error signalling bytes in the traces like 0xbb
35//
36// A correct trace should look like this:
37//
38// + 21112: : 0c 03 e8 01
39// + 85: 0: TAG ff ff ff ff ff ff ff ff ea f5
40//
41//-----------------------------------------------------------------------------
42
43#include "proxmark3.h"
44#include "apps.h"
45#include "util.h"
46#include "string.h"
7e67e42f 47#include "common.h"
cee5a30d 48
49static uint8_t *trace = (uint8_t *) BigBuf;
50static int traceLen = 0;
51static int rsamples = 0;
52
53// CARD TO READER
54// Sequence D: 11110000 modulation with subcarrier during first half
55// Sequence E: 00001111 modulation with subcarrier during second half
56// Sequence F: 00000000 no modulation with subcarrier
57// READER TO CARD
58// Sequence X: 00001100 drop after half a period
59// Sequence Y: 00000000 no drop
60// Sequence Z: 11000000 drop at start
61#define SEC_D 0xf0
62#define SEC_E 0x0f
63#define SEC_F 0x00
64#define SEC_X 0x0c
65#define SEC_Y 0x00
66#define SEC_Z 0xc0
67
68static const uint8_t OddByteParity[256] = {
69 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
70 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
71 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
72 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
73 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
74 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
75 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
76 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
77 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
78 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
79 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
80 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
81 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
82 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
83 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
84 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
85};
86
87//static const uint8_t MajorityNibble[16] = { 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1 };
88//static const uint8_t MajorityNibble[16] = { 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 };
89
90// BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
91#define RECV_CMD_OFFSET 3032
92#define RECV_RES_OFFSET 3096
93#define DMA_BUFFER_OFFSET 3160
94#define DMA_BUFFER_SIZE 4096
95#define TRACE_LENGTH 3000
96
97
98//-----------------------------------------------------------------------------
99// The software UART that receives commands from the reader, and its state
100// variables.
101//-----------------------------------------------------------------------------
102static struct {
103 enum {
104 STATE_UNSYNCD,
105 STATE_START_OF_COMMUNICATION,
106 STATE_RECEIVING
107 } state;
108 uint16_t shiftReg;
109 int bitCnt;
110 int byteCnt;
111 int byteCntMax;
112 int posCnt;
113 int nOutOfCnt;
114 int OutOfCnt;
115 int syncBit;
116 int parityBits;
117 int samples;
118 int highCnt;
119 int swapper;
120 int counter;
121 int bitBuffer;
122 int dropPosition;
123 uint8_t *output;
124} Uart;
125
126static RAMFUNC int MillerDecoding(int bit)
127{
128 int error = 0;
129 int bitright;
130
131 if(!Uart.bitBuffer) {
132 Uart.bitBuffer = bit ^ 0xFF0;
133 return FALSE;
134 }
135 else {
136 Uart.bitBuffer <<= 4;
137 Uart.bitBuffer ^= bit;
138 }
139
140 /*if(Uart.swapper) {
141 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
142 Uart.byteCnt++;
143 Uart.swapper = 0;
144 if(Uart.byteCnt > 15) { return TRUE; }
145 }
146 else {
147 Uart.swapper = 1;
148 }*/
149
150 if(Uart.state != STATE_UNSYNCD) {
151 Uart.posCnt++;
152
153 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
154 bit = 0x00;
155 }
156 else {
157 bit = 0x01;
158 }
159 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
160 bitright = 0x00;
161 }
162 else {
163 bitright = 0x01;
164 }
165 if(bit != bitright) { bit = bitright; }
166
167
168 // So, now we only have to deal with *bit*, lets see...
169 if(Uart.posCnt == 1) {
170 // measurement first half bitperiod
171 if(!bit) {
172 // Drop in first half means that we are either seeing
173 // an SOF or an EOF.
174
175 if(Uart.nOutOfCnt == 1) {
176 // End of Communication
177 Uart.state = STATE_UNSYNCD;
178 Uart.highCnt = 0;
179 if(Uart.byteCnt == 0) {
180 // Its not straightforward to show single EOFs
181 // So just leave it and do not return TRUE
182 Uart.output[Uart.byteCnt] = 0xf0;
183 Uart.byteCnt++;
184
185 // Calculate the parity bit for the client...
186 Uart.parityBits = 1;
187 }
188 else {
189 return TRUE;
190 }
191 }
192 else if(Uart.state != STATE_START_OF_COMMUNICATION) {
193 // When not part of SOF or EOF, it is an error
194 Uart.state = STATE_UNSYNCD;
195 Uart.highCnt = 0;
196 error = 4;
197 }
198 }
199 }
200 else {
201 // measurement second half bitperiod
202 // Count the bitslot we are in... (ISO 15693)
203 Uart.nOutOfCnt++;
204
205 if(!bit) {
206 if(Uart.dropPosition) {
207 if(Uart.state == STATE_START_OF_COMMUNICATION) {
208 error = 1;
209 }
210 else {
211 error = 7;
212 }
213 // It is an error if we already have seen a drop in current frame
214 Uart.state = STATE_UNSYNCD;
215 Uart.highCnt = 0;
216 }
217 else {
218 Uart.dropPosition = Uart.nOutOfCnt;
219 }
220 }
221
222 Uart.posCnt = 0;
223
224
225 if(Uart.nOutOfCnt == Uart.OutOfCnt && Uart.OutOfCnt == 4) {
226 Uart.nOutOfCnt = 0;
227
228 if(Uart.state == STATE_START_OF_COMMUNICATION) {
229 if(Uart.dropPosition == 4) {
230 Uart.state = STATE_RECEIVING;
231 Uart.OutOfCnt = 256;
232 }
233 else if(Uart.dropPosition == 3) {
234 Uart.state = STATE_RECEIVING;
235 Uart.OutOfCnt = 4;
236 //Uart.output[Uart.byteCnt] = 0xdd;
237 //Uart.byteCnt++;
238 }
239 else {
240 Uart.state = STATE_UNSYNCD;
241 Uart.highCnt = 0;
242 }
243 Uart.dropPosition = 0;
244 }
245 else {
246 // RECEIVING DATA
247 // 1 out of 4
248 if(!Uart.dropPosition) {
249 Uart.state = STATE_UNSYNCD;
250 Uart.highCnt = 0;
251 error = 9;
252 }
253 else {
254 Uart.shiftReg >>= 2;
255
256 // Swap bit order
257 Uart.dropPosition--;
258 //if(Uart.dropPosition == 1) { Uart.dropPosition = 2; }
259 //else if(Uart.dropPosition == 2) { Uart.dropPosition = 1; }
260
261 Uart.shiftReg ^= ((Uart.dropPosition & 0x03) << 6);
262 Uart.bitCnt += 2;
263 Uart.dropPosition = 0;
264
265 if(Uart.bitCnt == 8) {
266 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
267 Uart.byteCnt++;
268
269 // Calculate the parity bit for the client...
270 Uart.parityBits <<= 1;
271 Uart.parityBits ^= OddByteParity[(Uart.shiftReg & 0xff)];
272
273 Uart.bitCnt = 0;
274 Uart.shiftReg = 0;
275 }
276 }
277 }
278 }
279 else if(Uart.nOutOfCnt == Uart.OutOfCnt) {
280 // RECEIVING DATA
281 // 1 out of 256
282 if(!Uart.dropPosition) {
283 Uart.state = STATE_UNSYNCD;
284 Uart.highCnt = 0;
285 error = 3;
286 }
287 else {
288 Uart.dropPosition--;
289 Uart.output[Uart.byteCnt] = (Uart.dropPosition & 0xff);
290 Uart.byteCnt++;
291
292 // Calculate the parity bit for the client...
293 Uart.parityBits <<= 1;
294 Uart.parityBits ^= OddByteParity[(Uart.dropPosition & 0xff)];
295
296 Uart.bitCnt = 0;
297 Uart.shiftReg = 0;
298 Uart.nOutOfCnt = 0;
299 Uart.dropPosition = 0;
300 }
301 }
302
303 /*if(error) {
304 Uart.output[Uart.byteCnt] = 0xAA;
305 Uart.byteCnt++;
306 Uart.output[Uart.byteCnt] = error & 0xFF;
307 Uart.byteCnt++;
308 Uart.output[Uart.byteCnt] = 0xAA;
309 Uart.byteCnt++;
310 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
311 Uart.byteCnt++;
312 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
313 Uart.byteCnt++;
314 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
315 Uart.byteCnt++;
316 Uart.output[Uart.byteCnt] = 0xAA;
317 Uart.byteCnt++;
318 return TRUE;
319 }*/
320 }
321
322 }
323 else {
324 bit = Uart.bitBuffer & 0xf0;
325 bit >>= 4;
326 bit ^= 0x0F; // drops become 1s ;-)
327 if(bit) {
328 // should have been high or at least (4 * 128) / fc
329 // according to ISO this should be at least (9 * 128 + 20) / fc
330 if(Uart.highCnt == 8) {
331 // we went low, so this could be start of communication
332 // it turns out to be safer to choose a less significant
333 // syncbit... so we check whether the neighbour also represents the drop
334 Uart.posCnt = 1; // apparently we are busy with our first half bit period
335 Uart.syncBit = bit & 8;
336 Uart.samples = 3;
337 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
338 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
339 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
340 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
341 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
342 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
343 Uart.syncBit = 8;
344
345 // the first half bit period is expected in next sample
346 Uart.posCnt = 0;
347 Uart.samples = 3;
348 }
349 }
350 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
351
352 Uart.syncBit <<= 4;
353 Uart.state = STATE_START_OF_COMMUNICATION;
354 Uart.bitCnt = 0;
355 Uart.byteCnt = 0;
356 Uart.parityBits = 0;
357 Uart.nOutOfCnt = 0;
358 Uart.OutOfCnt = 4; // Start at 1/4, could switch to 1/256
359 Uart.dropPosition = 0;
360 Uart.shiftReg = 0;
361 error = 0;
362 }
363 else {
364 Uart.highCnt = 0;
365 }
366 }
367 else {
368 if(Uart.highCnt < 8) {
369 Uart.highCnt++;
370 }
371 }
372 }
373
374 return FALSE;
375}
376
377//=============================================================================
378// ISO 14443 Type A - Manchester
379//=============================================================================
380
381static struct {
382 enum {
383 DEMOD_UNSYNCD,
384 DEMOD_START_OF_COMMUNICATION,
385 DEMOD_START_OF_COMMUNICATION2,
386 DEMOD_START_OF_COMMUNICATION3,
387 DEMOD_SOF_COMPLETE,
388 DEMOD_MANCHESTER_D,
389 DEMOD_MANCHESTER_E,
390 DEMOD_END_OF_COMMUNICATION,
391 DEMOD_END_OF_COMMUNICATION2,
392 DEMOD_MANCHESTER_F,
393 DEMOD_ERROR_WAIT
394 } state;
395 int bitCount;
396 int posCount;
397 int syncBit;
398 int parityBits;
399 uint16_t shiftReg;
400 int buffer;
401 int buffer2;
402 int buffer3;
403 int buff;
404 int samples;
405 int len;
406 enum {
407 SUB_NONE,
408 SUB_FIRST_HALF,
409 SUB_SECOND_HALF,
410 SUB_BOTH
411 } sub;
412 uint8_t *output;
413} Demod;
414
415static RAMFUNC int ManchesterDecoding(int v)
416{
417 int bit;
418 int modulation;
419 int error = 0;
420
421 bit = Demod.buffer;
422 Demod.buffer = Demod.buffer2;
423 Demod.buffer2 = Demod.buffer3;
424 Demod.buffer3 = v;
425
426 if(Demod.buff < 3) {
427 Demod.buff++;
428 return FALSE;
429 }
430
431 if(Demod.state==DEMOD_UNSYNCD) {
432 Demod.output[Demod.len] = 0xfa;
433 Demod.syncBit = 0;
434 //Demod.samples = 0;
435 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
436 /* if(bit & 0x08) { Demod.syncBit = 0x08; }
437 if(!Demod.syncBit) {
438 if(bit & 0x04) { Demod.syncBit = 0x04; }
439 }
440 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
441 if(!Demod.syncBit) {
442 if(bit & 0x02) { Demod.syncBit = 0x02; }
443 }
444 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
445 if(!Demod.syncBit) {
446 if(bit & 0x01) { Demod.syncBit = 0x01; }
447
448 if(Demod.syncBit && (Demod.buffer & 0x08)) {
449 Demod.syncBit = 0x08;
450
451 // The first half bitperiod is expected in next sample
452 Demod.posCount = 0;
453 Demod.output[Demod.len] = 0xfb;
454 }
455 }
456 else if(bit & 0x01) { Demod.syncBit = 0x01; }
457 */
458
459 if(bit & 0x08) {
460 Demod.syncBit = 0x08;
461 }
462
463 if(bit & 0x04) {
464 if(Demod.syncBit) {
465 bit <<= 4;
466 }
467 Demod.syncBit = 0x04;
468 }
469
470 if(bit & 0x02) {
471 if(Demod.syncBit) {
472 bit <<= 2;
473 }
474 Demod.syncBit = 0x02;
475 }
476
477 if(bit & 0x01 && Demod.syncBit) {
478 Demod.syncBit = 0x01;
479 }
480
481 if(Demod.syncBit) {
482 Demod.len = 0;
483 Demod.state = DEMOD_START_OF_COMMUNICATION;
484 Demod.sub = SUB_FIRST_HALF;
485 Demod.bitCount = 0;
486 Demod.shiftReg = 0;
487 Demod.parityBits = 0;
488 Demod.samples = 0;
489 if(Demod.posCount) {
490 //if(trigger) LED_A_OFF(); // Not useful in this case...
491 switch(Demod.syncBit) {
492 case 0x08: Demod.samples = 3; break;
493 case 0x04: Demod.samples = 2; break;
494 case 0x02: Demod.samples = 1; break;
495 case 0x01: Demod.samples = 0; break;
496 }
497 // SOF must be long burst... otherwise stay unsynced!!!
498 if(!(Demod.buffer & Demod.syncBit) || !(Demod.buffer2 & Demod.syncBit)) {
499 Demod.state = DEMOD_UNSYNCD;
500 }
501 }
502 else {
503 // SOF must be long burst... otherwise stay unsynced!!!
504 if(!(Demod.buffer2 & Demod.syncBit) || !(Demod.buffer3 & Demod.syncBit)) {
505 Demod.state = DEMOD_UNSYNCD;
506 error = 0x88;
507 }
508
509 }
510 error = 0;
511
512 }
513 }
514 else {
515 modulation = bit & Demod.syncBit;
516 modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
517 //modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
518
519 Demod.samples += 4;
520
521 if(Demod.posCount==0) {
522 Demod.posCount = 1;
523 if(modulation) {
524 Demod.sub = SUB_FIRST_HALF;
525 }
526 else {
527 Demod.sub = SUB_NONE;
528 }
529 }
530 else {
531 Demod.posCount = 0;
532 /*(modulation && (Demod.sub == SUB_FIRST_HALF)) {
533 if(Demod.state!=DEMOD_ERROR_WAIT) {
534 Demod.state = DEMOD_ERROR_WAIT;
535 Demod.output[Demod.len] = 0xaa;
536 error = 0x01;
537 }
538 }*/
539 //else if(modulation) {
540 if(modulation) {
541 if(Demod.sub == SUB_FIRST_HALF) {
542 Demod.sub = SUB_BOTH;
543 }
544 else {
545 Demod.sub = SUB_SECOND_HALF;
546 }
547 }
548 else if(Demod.sub == SUB_NONE) {
549 if(Demod.state == DEMOD_SOF_COMPLETE) {
550 Demod.output[Demod.len] = 0x0f;
551 Demod.len++;
552 Demod.parityBits <<= 1;
553 Demod.parityBits ^= OddByteParity[0x0f];
554 Demod.state = DEMOD_UNSYNCD;
555// error = 0x0f;
556 return TRUE;
557 }
558 else {
559 Demod.state = DEMOD_ERROR_WAIT;
560 error = 0x33;
561 }
562 /*if(Demod.state!=DEMOD_ERROR_WAIT) {
563 Demod.state = DEMOD_ERROR_WAIT;
564 Demod.output[Demod.len] = 0xaa;
565 error = 0x01;
566 }*/
567 }
568
569 switch(Demod.state) {
570 case DEMOD_START_OF_COMMUNICATION:
571 if(Demod.sub == SUB_BOTH) {
572 //Demod.state = DEMOD_MANCHESTER_D;
573 Demod.state = DEMOD_START_OF_COMMUNICATION2;
574 Demod.posCount = 1;
575 Demod.sub = SUB_NONE;
576 }
577 else {
578 Demod.output[Demod.len] = 0xab;
579 Demod.state = DEMOD_ERROR_WAIT;
580 error = 0xd2;
581 }
582 break;
583 case DEMOD_START_OF_COMMUNICATION2:
584 if(Demod.sub == SUB_SECOND_HALF) {
585 Demod.state = DEMOD_START_OF_COMMUNICATION3;
586 }
587 else {
588 Demod.output[Demod.len] = 0xab;
589 Demod.state = DEMOD_ERROR_WAIT;
590 error = 0xd3;
591 }
592 break;
593 case DEMOD_START_OF_COMMUNICATION3:
594 if(Demod.sub == SUB_SECOND_HALF) {
595// Demod.state = DEMOD_MANCHESTER_D;
596 Demod.state = DEMOD_SOF_COMPLETE;
597 //Demod.output[Demod.len] = Demod.syncBit & 0xFF;
598 //Demod.len++;
599 }
600 else {
601 Demod.output[Demod.len] = 0xab;
602 Demod.state = DEMOD_ERROR_WAIT;
603 error = 0xd4;
604 }
605 break;
606 case DEMOD_SOF_COMPLETE:
607 case DEMOD_MANCHESTER_D:
608 case DEMOD_MANCHESTER_E:
609 // OPPOSITE FROM ISO14443 - 11110000 = 0 (1 in 14443)
610 // 00001111 = 1 (0 in 14443)
611 if(Demod.sub == SUB_SECOND_HALF) { // SUB_FIRST_HALF
612 Demod.bitCount++;
613 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
614 Demod.state = DEMOD_MANCHESTER_D;
615 }
616 else if(Demod.sub == SUB_FIRST_HALF) { // SUB_SECOND_HALF
617 Demod.bitCount++;
618 Demod.shiftReg >>= 1;
619 Demod.state = DEMOD_MANCHESTER_E;
620 }
621 else if(Demod.sub == SUB_BOTH) {
622 Demod.state = DEMOD_MANCHESTER_F;
623 }
624 else {
625 Demod.state = DEMOD_ERROR_WAIT;
626 error = 0x55;
627 }
628 break;
629
630 case DEMOD_MANCHESTER_F:
631 // Tag response does not need to be a complete byte!
632 if(Demod.len > 0 || Demod.bitCount > 0) {
633 if(Demod.bitCount > 1) { // was > 0, do not interpret last closing bit, is part of EOF
634 Demod.shiftReg >>= (9 - Demod.bitCount);
635 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
636 Demod.len++;
637 // No parity bit, so just shift a 0
638 Demod.parityBits <<= 1;
639 }
640
641 Demod.state = DEMOD_UNSYNCD;
642 return TRUE;
643 }
644 else {
645 Demod.output[Demod.len] = 0xad;
646 Demod.state = DEMOD_ERROR_WAIT;
647 error = 0x03;
648 }
649 break;
650
651 case DEMOD_ERROR_WAIT:
652 Demod.state = DEMOD_UNSYNCD;
653 break;
654
655 default:
656 Demod.output[Demod.len] = 0xdd;
657 Demod.state = DEMOD_UNSYNCD;
658 break;
659 }
660
661 /*if(Demod.bitCount>=9) {
662 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
663 Demod.len++;
664
665 Demod.parityBits <<= 1;
666 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
667
668 Demod.bitCount = 0;
669 Demod.shiftReg = 0;
670 }*/
671 if(Demod.bitCount>=8) {
672 Demod.shiftReg >>= 1;
673 Demod.output[Demod.len] = (Demod.shiftReg & 0xff);
674 Demod.len++;
675
676 // FOR ISO15639 PARITY NOT SEND OTA, JUST CALCULATE IT FOR THE CLIENT
677 Demod.parityBits <<= 1;
678 Demod.parityBits ^= OddByteParity[(Demod.shiftReg & 0xff)];
679
680 Demod.bitCount = 0;
681 Demod.shiftReg = 0;
682 }
683
684 if(error) {
685 Demod.output[Demod.len] = 0xBB;
686 Demod.len++;
687 Demod.output[Demod.len] = error & 0xFF;
688 Demod.len++;
689 Demod.output[Demod.len] = 0xBB;
690 Demod.len++;
691 Demod.output[Demod.len] = bit & 0xFF;
692 Demod.len++;
693 Demod.output[Demod.len] = Demod.buffer & 0xFF;
694 Demod.len++;
695 // Look harder ;-)
696 Demod.output[Demod.len] = Demod.buffer2 & 0xFF;
697 Demod.len++;
698 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
699 Demod.len++;
700 Demod.output[Demod.len] = 0xBB;
701 Demod.len++;
702 return TRUE;
703 }
704
705 }
706
707 } // end (state != UNSYNCED)
708
709 return FALSE;
710}
711
712//=============================================================================
713// Finally, a `sniffer' for ISO 14443 Type A
714// Both sides of communication!
715//=============================================================================
716
717//-----------------------------------------------------------------------------
718// Record the sequence of commands sent by the reader to the tag, with
719// triggering so that we start recording at the point that the tag is moved
720// near the reader.
721//-----------------------------------------------------------------------------
722void RAMFUNC SnoopIClass(void)
723{
724// #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
725// #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
726// #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
727// #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
728// #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
729
730 // We won't start recording the frames that we acquire until we trigger;
731 // a good trigger condition to get started is probably when we see a
732 // response from the tag.
733 int triggered = FALSE; // FALSE to wait first for card
734
735 // The command (reader -> tag) that we're receiving.
736 // The length of a received command will in most cases be no more than 18 bytes.
737 // So 32 should be enough!
738 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
739 // The response (tag -> reader) that we're receiving.
740 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
741
742 // As we receive stuff, we copy it from receivedCmd or receivedResponse
743 // into trace, along with its length and other annotations.
744 //uint8_t *trace = (uint8_t *)BigBuf;
745
746 traceLen = 0; // uncommented to fix ISSUE 15 - gerhard - jan2011
747
748 // The DMA buffer, used to stream samples from the FPGA
749 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
750 int lastRxCounter;
751 int8_t *upTo;
752 int smpl;
753 int maxBehindBy = 0;
754
755 // Count of samples received so far, so that we can include timing
756 // information in the trace buffer.
757 int samples = 0;
758 rsamples = 0;
759
760 memset(trace, 0x44, RECV_CMD_OFFSET);
761
762 // Set up the demodulator for tag -> reader responses.
763 Demod.output = receivedResponse;
764 Demod.len = 0;
765 Demod.state = DEMOD_UNSYNCD;
766
767 // Setup for the DMA.
768 FpgaSetupSsc();
769 upTo = dmaBuf;
770 lastRxCounter = DMA_BUFFER_SIZE;
771 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
772
773 // And the reader -> tag commands
774 memset(&Uart, 0, sizeof(Uart));
775 Uart.output = receivedCmd;
776 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
777 Uart.state = STATE_UNSYNCD;
778
779 // And put the FPGA in the appropriate mode
780 // Signal field is off with the appropriate LED
781 LED_D_OFF();
782 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
783 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
784
785 int div = 0;
786 //int div2 = 0;
787 int decbyte = 0;
788 int decbyter = 0;
789
790 // And now we loop, receiving samples.
791 for(;;) {
792 LED_A_ON();
793 WDT_HIT();
794 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
795 (DMA_BUFFER_SIZE-1);
796 if(behindBy > maxBehindBy) {
797 maxBehindBy = behindBy;
798 if(behindBy > 400) {
799 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
800 goto done;
801 }
802 }
803 if(behindBy < 1) continue;
804
805 LED_A_OFF();
806 smpl = upTo[0];
807 upTo++;
808 lastRxCounter -= 1;
809 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
810 upTo -= DMA_BUFFER_SIZE;
811 lastRxCounter += DMA_BUFFER_SIZE;
812 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
813 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
814 }
815
816 //samples += 4;
817 samples += 1;
818 //div2++;
819
820 //if(div2 > 3) {
821 //div2 = 0;
822 //decbyte ^= ((smpl & 0x01) << (3 - div));
823 //decbyte ^= (((smpl & 0x01) | ((smpl & 0x02) >> 1)) << (3 - div)); // better already...
824 //decbyte ^= (((smpl & 0x01) | ((smpl & 0x02) >> 1) | ((smpl & 0x04) >> 2)) << (3 - div)); // even better...
825 if(smpl & 0xF) {
826 decbyte ^= (1 << (3 - div));
827 }
828 //decbyte ^= (MajorityNibble[(smpl & 0x0F)] << (3 - div));
829
830 // FOR READER SIDE COMMUMICATION...
831 //decbyte ^= ((smpl & 0x10) << (3 - div));
832 decbyter <<= 2;
833 decbyter ^= (smpl & 0x30);
834
835 div++;
836
837 if((div + 1) % 2 == 0) {
838 smpl = decbyter;
839 if(MillerDecoding((smpl & 0xF0) >> 4)) {
840 rsamples = samples - Uart.samples;
841 LED_C_ON();
842 //if(triggered) {
843 trace[traceLen++] = ((rsamples >> 0) & 0xff);
844 trace[traceLen++] = ((rsamples >> 8) & 0xff);
845 trace[traceLen++] = ((rsamples >> 16) & 0xff);
846 trace[traceLen++] = ((rsamples >> 24) & 0xff);
847 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
848 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
849 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
850 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
851 trace[traceLen++] = Uart.byteCnt;
852 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
853 traceLen += Uart.byteCnt;
854 if(traceLen > TRACE_LENGTH) break;
855 //}
856 /* And ready to receive another command. */
857 Uart.state = STATE_UNSYNCD;
858 /* And also reset the demod code, which might have been */
859 /* false-triggered by the commands from the reader. */
860 Demod.state = DEMOD_UNSYNCD;
861 LED_B_OFF();
862 Uart.byteCnt = 0;
863 }
864 decbyter = 0;
865 }
866
867 if(div > 3) {
868 smpl = decbyte;
869 if(ManchesterDecoding(smpl & 0x0F)) {
870 rsamples = samples - Demod.samples;
871 LED_B_ON();
872
873 // timestamp, as a count of samples
874 trace[traceLen++] = ((rsamples >> 0) & 0xff);
875 trace[traceLen++] = ((rsamples >> 8) & 0xff);
876 trace[traceLen++] = ((rsamples >> 16) & 0xff);
877 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
878 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
879 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
880 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
881 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
882 // length
883 trace[traceLen++] = Demod.len;
884 memcpy(trace+traceLen, receivedResponse, Demod.len);
885 traceLen += Demod.len;
886 if(traceLen > TRACE_LENGTH) break;
887
888 triggered = TRUE;
889
890 // And ready to receive another response.
891 memset(&Demod, 0, sizeof(Demod));
892 Demod.output = receivedResponse;
893 Demod.state = DEMOD_UNSYNCD;
894 LED_C_OFF();
895 }
896
897 div = 0;
898 decbyte = 0x00;
899 }
900 //}
901
902 if(BUTTON_PRESS()) {
903 DbpString("cancelled_a");
904 goto done;
905 }
906 }
907
908 DbpString("COMMAND FINISHED");
909
910 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
911 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
912
913done:
914 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
915 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
916 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
917 LED_A_OFF();
918 LED_B_OFF();
919 LED_C_OFF();
920 LED_D_OFF();
921}
922
Impressum, Datenschutz