]> cvs.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso14443a.c
changed -elf to -eabi in install-gnuarm4.sh ARMLIB suggestion
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
f89c7050 2// Merlok - June 2011
15c4dc5a 3// Gerhard de Koning Gans - May 2008
534983d7 4// Hagen Fritsch - June 2010
bd20f8f4 5//
6// This code is licensed to you under the terms of the GNU GPL, version 2 or,
7// at your option, any later version. See the LICENSE.txt file for the text of
8// the license.
15c4dc5a 9//-----------------------------------------------------------------------------
bd20f8f4 10// Routines to support ISO 14443 type A.
11//-----------------------------------------------------------------------------
12
e30c654b 13#include "proxmark3.h"
15c4dc5a 14#include "apps.h"
f7e3ed82 15#include "util.h"
9ab7a6c7 16#include "string.h"
17
15c4dc5a 18#include "iso14443crc.h"
534983d7 19#include "iso14443a.h"
20f9a2a1
M
20#include "crapto1.h"
21#include "mifareutil.h"
15c4dc5a 22
534983d7 23static uint32_t iso14a_timeout;
1e262141 24uint8_t *trace = (uint8_t *) BigBuf;
25int traceLen = 0;
26int rsamples = 0;
27int tracing = TRUE;
28uint8_t trigger = 0;
15c4dc5a 29
8f51ddb0 30// CARD TO READER - manchester
72934aa3 31// Sequence D: 11110000 modulation with subcarrier during first half
32// Sequence E: 00001111 modulation with subcarrier during second half
33// Sequence F: 00000000 no modulation with subcarrier
8f51ddb0 34// READER TO CARD - miller
72934aa3 35// Sequence X: 00001100 drop after half a period
36// Sequence Y: 00000000 no drop
37// Sequence Z: 11000000 drop at start
38#define SEC_D 0xf0
39#define SEC_E 0x0f
40#define SEC_F 0x00
41#define SEC_X 0x0c
42#define SEC_Y 0x00
43#define SEC_Z 0xc0
15c4dc5a 44
1e262141 45const uint8_t OddByteParity[256] = {
15c4dc5a 46 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
47 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
48 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
49 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
50 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
51 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
52 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
55 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
56 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
57 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
58 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
59 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
60 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
61 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
62};
63
1e262141 64
534983d7 65void iso14a_set_trigger(int enable) {
66 trigger = enable;
67}
68
8556b852
M
69void iso14a_clear_tracelen(void) {
70 traceLen = 0;
71}
72void iso14a_set_tracing(int enable) {
73 tracing = enable;
74}
75
15c4dc5a 76//-----------------------------------------------------------------------------
77// Generate the parity value for a byte sequence
e30c654b 78//
15c4dc5a 79//-----------------------------------------------------------------------------
20f9a2a1
M
80byte_t oddparity (const byte_t bt)
81{
82 return OddByteParity[bt];
83}
84
f7e3ed82 85uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 86{
87 int i;
f7e3ed82 88 uint32_t dwPar = 0;
72934aa3 89
15c4dc5a 90 // Generate the encrypted data
91 for (i = 0; i < iLen; i++) {
92 // Save the encrypted parity bit
93 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
94 }
95 return dwPar;
96}
97
534983d7 98void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 99{
100 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
101}
102
1e262141 103// The function LogTrace() is also used by the iClass implementation in iClass.c
ed82636b 104int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 105{
106 // Return when trace is full
81cd0474 107 if (traceLen >= TRACE_SIZE) return FALSE;
e30c654b 108
15c4dc5a 109 // Trace the random, i'm curious
110 rsamples += iSamples;
111 trace[traceLen++] = ((rsamples >> 0) & 0xff);
112 trace[traceLen++] = ((rsamples >> 8) & 0xff);
113 trace[traceLen++] = ((rsamples >> 16) & 0xff);
114 trace[traceLen++] = ((rsamples >> 24) & 0xff);
115 if (!bReader) {
116 trace[traceLen - 1] |= 0x80;
117 }
118 trace[traceLen++] = ((dwParity >> 0) & 0xff);
119 trace[traceLen++] = ((dwParity >> 8) & 0xff);
120 trace[traceLen++] = ((dwParity >> 16) & 0xff);
121 trace[traceLen++] = ((dwParity >> 24) & 0xff);
122 trace[traceLen++] = iLen;
123 memcpy(trace + traceLen, btBytes, iLen);
124 traceLen += iLen;
125 return TRUE;
126}
127
15c4dc5a 128//-----------------------------------------------------------------------------
129// The software UART that receives commands from the reader, and its state
130// variables.
131//-----------------------------------------------------------------------------
132static struct {
133 enum {
134 STATE_UNSYNCD,
135 STATE_START_OF_COMMUNICATION,
136 STATE_MILLER_X,
137 STATE_MILLER_Y,
138 STATE_MILLER_Z,
139 STATE_ERROR_WAIT
140 } state;
f7e3ed82 141 uint16_t shiftReg;
15c4dc5a 142 int bitCnt;
143 int byteCnt;
144 int byteCntMax;
145 int posCnt;
146 int syncBit;
147 int parityBits;
148 int samples;
149 int highCnt;
150 int bitBuffer;
151 enum {
152 DROP_NONE,
153 DROP_FIRST_HALF,
154 DROP_SECOND_HALF
155 } drop;
f7e3ed82 156 uint8_t *output;
15c4dc5a 157} Uart;
158
6c1e2d95 159static RAMFUNC int MillerDecoding(int bit)
15c4dc5a 160{
9f693930 161 //int error = 0;
15c4dc5a 162 int bitright;
163
164 if(!Uart.bitBuffer) {
165 Uart.bitBuffer = bit ^ 0xFF0;
166 return FALSE;
167 }
168 else {
169 Uart.bitBuffer <<= 4;
170 Uart.bitBuffer ^= bit;
171 }
172
f7e3ed82 173 int EOC = FALSE;
15c4dc5a 174
175 if(Uart.state != STATE_UNSYNCD) {
176 Uart.posCnt++;
177
178 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
179 bit = 0x00;
180 }
181 else {
182 bit = 0x01;
183 }
184 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
185 bitright = 0x00;
186 }
187 else {
188 bitright = 0x01;
189 }
190 if(bit != bitright) { bit = bitright; }
191
192 if(Uart.posCnt == 1) {
193 // measurement first half bitperiod
194 if(!bit) {
195 Uart.drop = DROP_FIRST_HALF;
196 }
197 }
198 else {
199 // measurement second half bitperiod
200 if(!bit & (Uart.drop == DROP_NONE)) {
201 Uart.drop = DROP_SECOND_HALF;
202 }
203 else if(!bit) {
204 // measured a drop in first and second half
205 // which should not be possible
206 Uart.state = STATE_ERROR_WAIT;
9f693930 207 //error = 0x01;
15c4dc5a 208 }
209
210 Uart.posCnt = 0;
211
212 switch(Uart.state) {
213 case STATE_START_OF_COMMUNICATION:
214 Uart.shiftReg = 0;
215 if(Uart.drop == DROP_SECOND_HALF) {
216 // error, should not happen in SOC
217 Uart.state = STATE_ERROR_WAIT;
9f693930 218 //error = 0x02;
15c4dc5a 219 }
220 else {
221 // correct SOC
222 Uart.state = STATE_MILLER_Z;
223 }
224 break;
225
226 case STATE_MILLER_Z:
227 Uart.bitCnt++;
228 Uart.shiftReg >>= 1;
229 if(Uart.drop == DROP_NONE) {
230 // logic '0' followed by sequence Y
231 // end of communication
232 Uart.state = STATE_UNSYNCD;
233 EOC = TRUE;
234 }
235 // if(Uart.drop == DROP_FIRST_HALF) {
236 // Uart.state = STATE_MILLER_Z; stay the same
237 // we see a logic '0' }
238 if(Uart.drop == DROP_SECOND_HALF) {
239 // we see a logic '1'
240 Uart.shiftReg |= 0x100;
241 Uart.state = STATE_MILLER_X;
242 }
243 break;
244
245 case STATE_MILLER_X:
246 Uart.shiftReg >>= 1;
247 if(Uart.drop == DROP_NONE) {
248 // sequence Y, we see a '0'
249 Uart.state = STATE_MILLER_Y;
250 Uart.bitCnt++;
251 }
252 if(Uart.drop == DROP_FIRST_HALF) {
253 // Would be STATE_MILLER_Z
254 // but Z does not follow X, so error
255 Uart.state = STATE_ERROR_WAIT;
9f693930 256 //error = 0x03;
15c4dc5a 257 }
258 if(Uart.drop == DROP_SECOND_HALF) {
259 // We see a '1' and stay in state X
260 Uart.shiftReg |= 0x100;
261 Uart.bitCnt++;
262 }
263 break;
264
265 case STATE_MILLER_Y:
266 Uart.bitCnt++;
267 Uart.shiftReg >>= 1;
268 if(Uart.drop == DROP_NONE) {
269 // logic '0' followed by sequence Y
270 // end of communication
271 Uart.state = STATE_UNSYNCD;
272 EOC = TRUE;
273 }
274 if(Uart.drop == DROP_FIRST_HALF) {
275 // we see a '0'
276 Uart.state = STATE_MILLER_Z;
277 }
278 if(Uart.drop == DROP_SECOND_HALF) {
279 // We see a '1' and go to state X
280 Uart.shiftReg |= 0x100;
281 Uart.state = STATE_MILLER_X;
282 }
283 break;
284
285 case STATE_ERROR_WAIT:
286 // That went wrong. Now wait for at least two bit periods
287 // and try to sync again
288 if(Uart.drop == DROP_NONE) {
289 Uart.highCnt = 6;
290 Uart.state = STATE_UNSYNCD;
291 }
292 break;
293
294 default:
295 Uart.state = STATE_UNSYNCD;
296 Uart.highCnt = 0;
297 break;
298 }
299
300 Uart.drop = DROP_NONE;
301
302 // should have received at least one whole byte...
303 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
304 return TRUE;
305 }
306
307 if(Uart.bitCnt == 9) {
308 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
309 Uart.byteCnt++;
310
311 Uart.parityBits <<= 1;
312 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
313
314 if(EOC) {
315 // when End of Communication received and
316 // all data bits processed..
317 return TRUE;
318 }
319 Uart.bitCnt = 0;
320 }
321
322 /*if(error) {
323 Uart.output[Uart.byteCnt] = 0xAA;
324 Uart.byteCnt++;
325 Uart.output[Uart.byteCnt] = error & 0xFF;
326 Uart.byteCnt++;
327 Uart.output[Uart.byteCnt] = 0xAA;
328 Uart.byteCnt++;
329 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
330 Uart.byteCnt++;
331 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
332 Uart.byteCnt++;
333 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
334 Uart.byteCnt++;
335 Uart.output[Uart.byteCnt] = 0xAA;
336 Uart.byteCnt++;
337 return TRUE;
338 }*/
339 }
340
341 }
342 else {
343 bit = Uart.bitBuffer & 0xf0;
344 bit >>= 4;
345 bit ^= 0x0F;
346 if(bit) {
347 // should have been high or at least (4 * 128) / fc
348 // according to ISO this should be at least (9 * 128 + 20) / fc
349 if(Uart.highCnt == 8) {
350 // we went low, so this could be start of communication
351 // it turns out to be safer to choose a less significant
352 // syncbit... so we check whether the neighbour also represents the drop
353 Uart.posCnt = 1; // apparently we are busy with our first half bit period
354 Uart.syncBit = bit & 8;
355 Uart.samples = 3;
356 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
357 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
358 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
359 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
360 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
2f2d9fc5 361 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
15c4dc5a 362 Uart.syncBit = 8;
363
364 // the first half bit period is expected in next sample
365 Uart.posCnt = 0;
366 Uart.samples = 3;
367 }
368 }
369 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
370
371 Uart.syncBit <<= 4;
372 Uart.state = STATE_START_OF_COMMUNICATION;
373 Uart.drop = DROP_FIRST_HALF;
374 Uart.bitCnt = 0;
375 Uart.byteCnt = 0;
376 Uart.parityBits = 0;
9f693930 377 //error = 0;
15c4dc5a 378 }
379 else {
380 Uart.highCnt = 0;
381 }
382 }
383 else {
384 if(Uart.highCnt < 8) {
385 Uart.highCnt++;
386 }
387 }
388 }
389
390 return FALSE;
391}
392
393//=============================================================================
394// ISO 14443 Type A - Manchester
395//=============================================================================
396
397static struct {
398 enum {
399 DEMOD_UNSYNCD,
400 DEMOD_START_OF_COMMUNICATION,
401 DEMOD_MANCHESTER_D,
402 DEMOD_MANCHESTER_E,
403 DEMOD_MANCHESTER_F,
404 DEMOD_ERROR_WAIT
405 } state;
406 int bitCount;
407 int posCount;
408 int syncBit;
409 int parityBits;
f7e3ed82 410 uint16_t shiftReg;
15c4dc5a 411 int buffer;
412 int buff;
413 int samples;
414 int len;
415 enum {
416 SUB_NONE,
417 SUB_FIRST_HALF,
418 SUB_SECOND_HALF
419 } sub;
f7e3ed82 420 uint8_t *output;
15c4dc5a 421} Demod;
422
6c1e2d95 423static RAMFUNC int ManchesterDecoding(int v)
15c4dc5a 424{
425 int bit;
426 int modulation;
9f693930 427 //int error = 0;
15c4dc5a 428
429 if(!Demod.buff) {
430 Demod.buff = 1;
431 Demod.buffer = v;
432 return FALSE;
433 }
434 else {
435 bit = Demod.buffer;
436 Demod.buffer = v;
437 }
438
439 if(Demod.state==DEMOD_UNSYNCD) {
440 Demod.output[Demod.len] = 0xfa;
441 Demod.syncBit = 0;
442 //Demod.samples = 0;
443 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
2f2d9fc5 444
445 if(bit & 0x08) {
446 Demod.syncBit = 0x08;
15c4dc5a 447 }
15c4dc5a 448
2f2d9fc5 449 if(bit & 0x04) {
450 if(Demod.syncBit) {
451 bit <<= 4;
452 }
453 Demod.syncBit = 0x04;
454 }
15c4dc5a 455
2f2d9fc5 456 if(bit & 0x02) {
457 if(Demod.syncBit) {
458 bit <<= 2;
15c4dc5a 459 }
2f2d9fc5 460 Demod.syncBit = 0x02;
15c4dc5a 461 }
15c4dc5a 462
593924e7 463 if(bit & 0x01 && Demod.syncBit) {
2f2d9fc5 464 Demod.syncBit = 0x01;
465 }
466
15c4dc5a 467 if(Demod.syncBit) {
468 Demod.len = 0;
469 Demod.state = DEMOD_START_OF_COMMUNICATION;
470 Demod.sub = SUB_FIRST_HALF;
471 Demod.bitCount = 0;
472 Demod.shiftReg = 0;
473 Demod.parityBits = 0;
474 Demod.samples = 0;
475 if(Demod.posCount) {
534983d7 476 if(trigger) LED_A_OFF();
15c4dc5a 477 switch(Demod.syncBit) {
478 case 0x08: Demod.samples = 3; break;
479 case 0x04: Demod.samples = 2; break;
480 case 0x02: Demod.samples = 1; break;
481 case 0x01: Demod.samples = 0; break;
482 }
483 }
9f693930 484 //error = 0;
15c4dc5a 485 }
486 }
487 else {
488 //modulation = bit & Demod.syncBit;
489 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
490
491 Demod.samples += 4;
492
493 if(Demod.posCount==0) {
494 Demod.posCount = 1;
495 if(modulation) {
496 Demod.sub = SUB_FIRST_HALF;
497 }
498 else {
499 Demod.sub = SUB_NONE;
500 }
501 }
502 else {
503 Demod.posCount = 0;
504 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
505 if(Demod.state!=DEMOD_ERROR_WAIT) {
506 Demod.state = DEMOD_ERROR_WAIT;
507 Demod.output[Demod.len] = 0xaa;
9f693930 508 //error = 0x01;
15c4dc5a 509 }
510 }
511 else if(modulation) {
512 Demod.sub = SUB_SECOND_HALF;
513 }
514
515 switch(Demod.state) {
516 case DEMOD_START_OF_COMMUNICATION:
517 if(Demod.sub == SUB_FIRST_HALF) {
518 Demod.state = DEMOD_MANCHESTER_D;
519 }
520 else {
521 Demod.output[Demod.len] = 0xab;
522 Demod.state = DEMOD_ERROR_WAIT;
9f693930 523 //error = 0x02;
15c4dc5a 524 }
525 break;
526
527 case DEMOD_MANCHESTER_D:
528 case DEMOD_MANCHESTER_E:
529 if(Demod.sub == SUB_FIRST_HALF) {
530 Demod.bitCount++;
531 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
532 Demod.state = DEMOD_MANCHESTER_D;
533 }
534 else if(Demod.sub == SUB_SECOND_HALF) {
535 Demod.bitCount++;
536 Demod.shiftReg >>= 1;
537 Demod.state = DEMOD_MANCHESTER_E;
538 }
539 else {
540 Demod.state = DEMOD_MANCHESTER_F;
541 }
542 break;
543
544 case DEMOD_MANCHESTER_F:
545 // Tag response does not need to be a complete byte!
546 if(Demod.len > 0 || Demod.bitCount > 0) {
547 if(Demod.bitCount > 0) {
548 Demod.shiftReg >>= (9 - Demod.bitCount);
549 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
550 Demod.len++;
551 // No parity bit, so just shift a 0
552 Demod.parityBits <<= 1;
553 }
554
555 Demod.state = DEMOD_UNSYNCD;
556 return TRUE;
557 }
558 else {
559 Demod.output[Demod.len] = 0xad;
560 Demod.state = DEMOD_ERROR_WAIT;
9f693930 561 //error = 0x03;
15c4dc5a 562 }
563 break;
564
565 case DEMOD_ERROR_WAIT:
566 Demod.state = DEMOD_UNSYNCD;
567 break;
568
569 default:
570 Demod.output[Demod.len] = 0xdd;
571 Demod.state = DEMOD_UNSYNCD;
572 break;
573 }
574
575 if(Demod.bitCount>=9) {
576 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
577 Demod.len++;
578
579 Demod.parityBits <<= 1;
580 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
581
582 Demod.bitCount = 0;
583 Demod.shiftReg = 0;
584 }
585
586 /*if(error) {
587 Demod.output[Demod.len] = 0xBB;
588 Demod.len++;
589 Demod.output[Demod.len] = error & 0xFF;
590 Demod.len++;
591 Demod.output[Demod.len] = 0xBB;
592 Demod.len++;
593 Demod.output[Demod.len] = bit & 0xFF;
594 Demod.len++;
595 Demod.output[Demod.len] = Demod.buffer & 0xFF;
596 Demod.len++;
597 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
598 Demod.len++;
599 Demod.output[Demod.len] = 0xBB;
600 Demod.len++;
601 return TRUE;
602 }*/
603
604 }
605
606 } // end (state != UNSYNCED)
607
608 return FALSE;
609}
610
611//=============================================================================
612// Finally, a `sniffer' for ISO 14443 Type A
613// Both sides of communication!
614//=============================================================================
615
616//-----------------------------------------------------------------------------
617// Record the sequence of commands sent by the reader to the tag, with
618// triggering so that we start recording at the point that the tag is moved
619// near the reader.
620//-----------------------------------------------------------------------------
6c1e2d95 621void RAMFUNC SnoopIso14443a(void)
15c4dc5a 622{
623// #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
624// #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
625// #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
626// #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
81cd0474 627// #define TRACE_SIZE 2000 // original (working as of 21/2/09) values
15c4dc5a 628
629 // We won't start recording the frames that we acquire until we trigger;
630 // a good trigger condition to get started is probably when we see a
631 // response from the tag.
7e758047 632 int triggered = FALSE; // FALSE to wait first for card
15c4dc5a 633
634 // The command (reader -> tag) that we're receiving.
635 // The length of a received command will in most cases be no more than 18 bytes.
636 // So 32 should be enough!
f7e3ed82 637 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
15c4dc5a 638 // The response (tag -> reader) that we're receiving.
f7e3ed82 639 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 640
641 // As we receive stuff, we copy it from receivedCmd or receivedResponse
642 // into trace, along with its length and other annotations.
f7e3ed82 643 //uint8_t *trace = (uint8_t *)BigBuf;
d82c6ebb 644
645 traceLen = 0; // uncommented to fix ISSUE 15 - gerhard - jan2011
15c4dc5a 646
647 // The DMA buffer, used to stream samples from the FPGA
f7e3ed82 648 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
15c4dc5a 649 int lastRxCounter;
f7e3ed82 650 int8_t *upTo;
15c4dc5a 651 int smpl;
652 int maxBehindBy = 0;
653
654 // Count of samples received so far, so that we can include timing
655 // information in the trace buffer.
656 int samples = 0;
cee5a30d 657 int rsamples = 0;
15c4dc5a 658
81cd0474 659 memset(trace, 0x44, TRACE_SIZE);
15c4dc5a 660
661 // Set up the demodulator for tag -> reader responses.
662 Demod.output = receivedResponse;
663 Demod.len = 0;
664 Demod.state = DEMOD_UNSYNCD;
665
7e758047 666 // Setup for the DMA.
667 FpgaSetupSsc();
668 upTo = dmaBuf;
669 lastRxCounter = DMA_BUFFER_SIZE;
670 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
671
15c4dc5a 672 // And the reader -> tag commands
673 memset(&Uart, 0, sizeof(Uart));
674 Uart.output = receivedCmd;
675 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
676 Uart.state = STATE_UNSYNCD;
677
678 // And put the FPGA in the appropriate mode
679 // Signal field is off with the appropriate LED
680 LED_D_OFF();
681 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
682 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
683
15c4dc5a 684
685 // And now we loop, receiving samples.
686 for(;;) {
7e758047 687 LED_A_ON();
688 WDT_HIT();
15c4dc5a 689 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
690 (DMA_BUFFER_SIZE-1);
691 if(behindBy > maxBehindBy) {
692 maxBehindBy = behindBy;
693 if(behindBy > 400) {
7e758047 694 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
15c4dc5a 695 goto done;
696 }
697 }
698 if(behindBy < 1) continue;
699
7e758047 700 LED_A_OFF();
15c4dc5a 701 smpl = upTo[0];
702 upTo++;
703 lastRxCounter -= 1;
704 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
705 upTo -= DMA_BUFFER_SIZE;
706 lastRxCounter += DMA_BUFFER_SIZE;
f7e3ed82 707 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
15c4dc5a 708 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
709 }
710
711 samples += 4;
7e758047 712 if(MillerDecoding((smpl & 0xF0) >> 4)) {
15c4dc5a 713 rsamples = samples - Uart.samples;
72934aa3 714 LED_C_ON();
7e758047 715 if(triggered) {
716 trace[traceLen++] = ((rsamples >> 0) & 0xff);
72934aa3 717 trace[traceLen++] = ((rsamples >> 8) & 0xff);
718 trace[traceLen++] = ((rsamples >> 16) & 0xff);
719 trace[traceLen++] = ((rsamples >> 24) & 0xff);
7e758047 720 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
721 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
722 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
723 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
72934aa3 724 trace[traceLen++] = Uart.byteCnt;
725 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
726 traceLen += Uart.byteCnt;
81cd0474 727 if(traceLen > TRACE_SIZE) break;
72934aa3 728 }
729 /* And ready to receive another command. */
730 Uart.state = STATE_UNSYNCD;
731 /* And also reset the demod code, which might have been */
732 /* false-triggered by the commands from the reader. */
733 Demod.state = DEMOD_UNSYNCD;
7e758047 734 LED_B_OFF();
15c4dc5a 735 }
7e758047 736
737 if(ManchesterDecoding(smpl & 0x0F)) {
738 rsamples = samples - Demod.samples;
739 LED_B_ON();
740
741 // timestamp, as a count of samples
742 trace[traceLen++] = ((rsamples >> 0) & 0xff);
743 trace[traceLen++] = ((rsamples >> 8) & 0xff);
744 trace[traceLen++] = ((rsamples >> 16) & 0xff);
745 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
746 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
747 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
748 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
749 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
750 // length
751 trace[traceLen++] = Demod.len;
752 memcpy(trace+traceLen, receivedResponse, Demod.len);
753 traceLen += Demod.len;
81cd0474 754 if(traceLen > TRACE_SIZE) break;
7e758047 755
756 triggered = TRUE;
15c4dc5a 757
758 // And ready to receive another response.
759 memset(&Demod, 0, sizeof(Demod));
760 Demod.output = receivedResponse;
761 Demod.state = DEMOD_UNSYNCD;
7e758047 762 LED_C_OFF();
763 }
15c4dc5a 764
765 if(BUTTON_PRESS()) {
766 DbpString("cancelled_a");
767 goto done;
768 }
769 }
770
771 DbpString("COMMAND FINISHED");
772
15c4dc5a 773done:
774 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
13d8c68d 775 Dbprintf("maxBehindBy=%x, Uart.state=%x, Uart.byteCnt=%x", maxBehindBy, Uart.state, Uart.byteCnt);
776 Dbprintf("Uart.byteCntMax=%x, traceLen=%x, Uart.output[0]=%x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
15c4dc5a 777 LED_A_OFF();
778 LED_B_OFF();
779 LED_C_OFF();
780 LED_D_OFF();
781}
782
15c4dc5a 783//-----------------------------------------------------------------------------
784// Prepare tag messages
785//-----------------------------------------------------------------------------
8f51ddb0 786static void CodeIso14443aAsTagPar(const uint8_t *cmd, int len, uint32_t dwParity)
15c4dc5a 787{
8f51ddb0 788 int i;
15c4dc5a 789
8f51ddb0 790 ToSendReset();
15c4dc5a 791
792 // Correction bit, might be removed when not needed
793 ToSendStuffBit(0);
794 ToSendStuffBit(0);
795 ToSendStuffBit(0);
796 ToSendStuffBit(0);
797 ToSendStuffBit(1); // 1
798 ToSendStuffBit(0);
799 ToSendStuffBit(0);
800 ToSendStuffBit(0);
8f51ddb0 801
15c4dc5a 802 // Send startbit
72934aa3 803 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 804
8f51ddb0
M
805 for(i = 0; i < len; i++) {
806 int j;
807 uint8_t b = cmd[i];
15c4dc5a 808
809 // Data bits
15c4dc5a 810 for(j = 0; j < 8; j++) {
15c4dc5a 811 if(b & 1) {
72934aa3 812 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 813 } else {
72934aa3 814 ToSend[++ToSendMax] = SEC_E;
8f51ddb0
M
815 }
816 b >>= 1;
817 }
15c4dc5a 818
0014cb46 819 // Get the parity bit
8f51ddb0
M
820 if ((dwParity >> i) & 0x01) {
821 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 822 } else {
72934aa3 823 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 824 }
8f51ddb0 825 }
15c4dc5a 826
8f51ddb0
M
827 // Send stopbit
828 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 829
8f51ddb0
M
830 // Convert from last byte pos to length
831 ToSendMax++;
8f51ddb0
M
832}
833
834static void CodeIso14443aAsTag(const uint8_t *cmd, int len){
835 CodeIso14443aAsTagPar(cmd, len, GetParity(cmd, len));
15c4dc5a 836}
837
838//-----------------------------------------------------------------------------
839// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
840//-----------------------------------------------------------------------------
8f51ddb0 841static void CodeStrangeAnswerAsTag()
15c4dc5a 842{
843 int i;
844
845 ToSendReset();
846
847 // Correction bit, might be removed when not needed
848 ToSendStuffBit(0);
849 ToSendStuffBit(0);
850 ToSendStuffBit(0);
851 ToSendStuffBit(0);
852 ToSendStuffBit(1); // 1
853 ToSendStuffBit(0);
854 ToSendStuffBit(0);
855 ToSendStuffBit(0);
856
857 // Send startbit
72934aa3 858 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 859
860 // 0
72934aa3 861 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 862
863 // 0
72934aa3 864 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 865
866 // 1
72934aa3 867 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 868
869 // Send stopbit
72934aa3 870 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 871
872 // Flush the buffer in FPGA!!
873 for(i = 0; i < 5; i++) {
72934aa3 874 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 875 }
876
877 // Convert from last byte pos to length
878 ToSendMax++;
8f51ddb0 879}
15c4dc5a 880
8f51ddb0
M
881static void Code4bitAnswerAsTag(uint8_t cmd)
882{
883 int i;
884
885 ToSendReset();
886
887 // Correction bit, might be removed when not needed
888 ToSendStuffBit(0);
889 ToSendStuffBit(0);
890 ToSendStuffBit(0);
891 ToSendStuffBit(0);
892 ToSendStuffBit(1); // 1
893 ToSendStuffBit(0);
894 ToSendStuffBit(0);
895 ToSendStuffBit(0);
896
897 // Send startbit
898 ToSend[++ToSendMax] = SEC_D;
899
900 uint8_t b = cmd;
901 for(i = 0; i < 4; i++) {
902 if(b & 1) {
903 ToSend[++ToSendMax] = SEC_D;
904 } else {
905 ToSend[++ToSendMax] = SEC_E;
906 }
907 b >>= 1;
908 }
909
910 // Send stopbit
911 ToSend[++ToSendMax] = SEC_F;
912
913 // Flush the buffer in FPGA!!
914 for(i = 0; i < 5; i++) {
915 ToSend[++ToSendMax] = SEC_F;
916 }
917
918 // Convert from last byte pos to length
919 ToSendMax++;
15c4dc5a 920}
921
922//-----------------------------------------------------------------------------
923// Wait for commands from reader
924// Stop when button is pressed
925// Or return TRUE when command is captured
926//-----------------------------------------------------------------------------
f7e3ed82 927static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 928{
929 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
930 // only, since we are receiving, not transmitting).
931 // Signal field is off with the appropriate LED
932 LED_D_OFF();
933 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
934
935 // Now run a `software UART' on the stream of incoming samples.
936 Uart.output = received;
937 Uart.byteCntMax = maxLen;
938 Uart.state = STATE_UNSYNCD;
939
940 for(;;) {
941 WDT_HIT();
942
943 if(BUTTON_PRESS()) return FALSE;
944
945 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
946 AT91C_BASE_SSC->SSC_THR = 0x00;
947 }
948 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 949 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 950 if(MillerDecoding((b & 0xf0) >> 4)) {
951 *len = Uart.byteCnt;
952 return TRUE;
953 }
954 if(MillerDecoding(b & 0x0f)) {
955 *len = Uart.byteCnt;
956 return TRUE;
957 }
958 }
959 }
960}
9ca155ba 961static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded);
15c4dc5a 962
963//-----------------------------------------------------------------------------
964// Main loop of simulated tag: receive commands from reader, decide what
965// response to send, and send it.
966//-----------------------------------------------------------------------------
81cd0474 967void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd)
15c4dc5a 968{
81cd0474 969 // Enable and clear the trace
970 tracing = TRUE;
971 traceLen = 0;
972 memset(trace, 0x44, TRACE_SIZE);
973
15c4dc5a 974 // This function contains the tag emulation
81cd0474 975 uint8_t sak;
976
977 // The first response contains the ATQA (note: bytes are transmitted in reverse order).
978 uint8_t response1[2];
979
980 switch (tagType) {
981 case 1: { // MIFARE Classic
982 // Says: I am Mifare 1k - original line
983 response1[0] = 0x04;
984 response1[1] = 0x00;
985 sak = 0x08;
986 } break;
987 case 2: { // MIFARE Ultralight
988 // Says: I am a stupid memory tag, no crypto
989 response1[0] = 0x04;
990 response1[1] = 0x00;
991 sak = 0x00;
992 } break;
993 case 3: { // MIFARE DESFire
994 // Says: I am a DESFire tag, ph33r me
995 response1[0] = 0x04;
996 response1[1] = 0x03;
997 sak = 0x20;
998 } break;
999 case 4: { // ISO/IEC 14443-4
1000 // Says: I am a javacard (JCOP)
1001 response1[0] = 0x04;
1002 response1[1] = 0x00;
1003 sak = 0x28;
1004 } break;
1005 default: {
1006 Dbprintf("Error: unkown tagtype (%d)",tagType);
1007 return;
1008 } break;
1009 }
1010
1011 // The second response contains the (mandatory) first 24 bits of the UID
1012 uint8_t response2[5];
1013
1014 // Check if the uid uses the (optional) part
1015 uint8_t response2a[5];
1016 if (uid_2nd) {
1017 response2[0] = 0x88;
1018 num_to_bytes(uid_1st,3,response2+1);
1019 num_to_bytes(uid_2nd,4,response2a);
1020 response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3];
1021
1022 // Configure the ATQA and SAK accordingly
1023 response1[0] |= 0x40;
1024 sak |= 0x04;
1025 } else {
1026 num_to_bytes(uid_1st,4,response2);
1027 // Configure the ATQA and SAK accordingly
1028 response1[0] &= 0xBF;
1029 sak &= 0xFB;
1030 }
1031
1032 // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
1033 response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
1034
1035 // Prepare the mandatory SAK (for 4 and 7 byte UID)
1036 uint8_t response3[3];
1037 response3[0] = sak;
1038 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
1039
1040 // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
1041 uint8_t response3a[3];
1042 response3a[0] = sak & 0xFB;
1043 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
1044
254b70a4 1045 uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
1046 uint8_t response6[] = { 0x03, 0x3B, 0x00, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS
1047 ComputeCrc14443(CRC_14443_A, response6, 3, &response6[3], &response6[4]);
81cd0474 1048
254b70a4 1049 uint8_t *resp;
1050 int respLen;
15c4dc5a 1051
81cd0474 1052 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
15c4dc5a 1053 // This will need
1054 // 144 data bits (18 * 8)
1055 // 18 parity bits
1056 // 2 Start and stop
1057 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
1058 // 1 just for the case
1059 // ----------- +
1060 // 166
1061 //
1062 // 166 bytes, since every bit that needs to be send costs us a byte
1063 //
1064
254b70a4 1065 // Respond with card type
1066 uint8_t *resp1 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
1067 int resp1Len;
15c4dc5a 1068
254b70a4 1069 // Anticollision cascade1 - respond with uid
1070 uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 166);
1071 int resp2Len;
15c4dc5a 1072
254b70a4 1073 // Anticollision cascade2 - respond with 2nd half of uid if asked
1074 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
1075 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
1076 int resp2aLen;
15c4dc5a 1077
254b70a4 1078 // Acknowledge select - cascade 1
1079 uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*2));
1080 int resp3Len;
15c4dc5a 1081
254b70a4 1082 // Acknowledge select - cascade 2
1083 uint8_t *resp3a = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*3));
1084 int resp3aLen;
15c4dc5a 1085
254b70a4 1086 // Response to a read request - not implemented atm
1087 uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*4));
1088 int resp4Len;
15c4dc5a 1089
254b70a4 1090 // Authenticate response - nonce
1091 uint8_t *resp5 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*5));
1092 int resp5Len;
15c4dc5a 1093
254b70a4 1094 // Authenticate response - nonce
1095 uint8_t *resp6 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*6));
1096 int resp6Len;
15c4dc5a 1097
254b70a4 1098 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
1099 int len;
15c4dc5a 1100
1101 // To control where we are in the protocol
1102 int order = 0;
1103 int lastorder;
1104
1105 // Just to allow some checks
1106 int happened = 0;
1107 int happened2 = 0;
1108
81cd0474 1109 int cmdsRecvd = 0;
1110 uint8_t* respdata = NULL;
1111 int respsize = 0;
1112 uint8_t nack = 0x04;
15c4dc5a 1113
81cd0474 1114 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
15c4dc5a 1115
1116 // Prepare the responses of the anticollision phase
1117 // there will be not enough time to do this at the moment the reader sends it REQA
1118
1119 // Answer to request
1120 CodeIso14443aAsTag(response1, sizeof(response1));
254b70a4 1121 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
15c4dc5a 1122
1123 // Send our UID (cascade 1)
1124 CodeIso14443aAsTag(response2, sizeof(response2));
254b70a4 1125 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
15c4dc5a 1126
1127 // Answer to select (cascade1)
1128 CodeIso14443aAsTag(response3, sizeof(response3));
254b70a4 1129 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
15c4dc5a 1130
1131 // Send the cascade 2 2nd part of the uid
1132 CodeIso14443aAsTag(response2a, sizeof(response2a));
254b70a4 1133 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
15c4dc5a 1134
1135 // Answer to select (cascade 2)
1136 CodeIso14443aAsTag(response3a, sizeof(response3a));
254b70a4 1137 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
15c4dc5a 1138
1139 // Strange answer is an example of rare message size (3 bits)
8f51ddb0 1140 CodeStrangeAnswerAsTag();
15c4dc5a 1141 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1142
1143 // Authentication answer (random nonce)
1144 CodeIso14443aAsTag(response5, sizeof(response5));
254b70a4 1145 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
15c4dc5a 1146
254b70a4 1147 // dummy ATS (pseudo-ATR), answer to RATS
1148 CodeIso14443aAsTag(response6, sizeof(response6));
1149 memcpy(resp6, ToSend, ToSendMax); resp6Len = ToSendMax;
15c4dc5a 1150
254b70a4 1151 // We need to listen to the high-frequency, peak-detected path.
1152 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1153 FpgaSetupSsc();
15c4dc5a 1154
254b70a4 1155 cmdsRecvd = 0;
15c4dc5a 1156
254b70a4 1157 LED_A_ON();
1158 for(;;) {
1159
81cd0474 1160 if(!GetIso14443aCommandFromReader(receivedCmd, &len, RECV_CMD_SIZE)) {
254b70a4 1161 DbpString("button press");
1162 break;
1163 }
1164 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1165 // Okay, look at the command now.
1166 lastorder = order;
1167 if(receivedCmd[0] == 0x26) { // Received a REQUEST
15c4dc5a 1168 resp = resp1; respLen = resp1Len; order = 1;
81cd0474 1169 respdata = response1;
1170 respsize = sizeof(response1);
254b70a4 1171 } else if(receivedCmd[0] == 0x52) { // Received a WAKEUP
15c4dc5a 1172 resp = resp1; respLen = resp1Len; order = 6;
81cd0474 1173 respdata = response1;
1174 respsize = sizeof(response1);
254b70a4 1175 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // Received request for UID (cascade 1)
15c4dc5a 1176 resp = resp2; respLen = resp2Len; order = 2;
81cd0474 1177 respdata = response2;
1178 respsize = sizeof(response2);
254b70a4 1179 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x95) { // Received request for UID (cascade 2)
15c4dc5a 1180 resp = resp2a; respLen = resp2aLen; order = 20;
81cd0474 1181 respdata = response2a;
1182 respsize = sizeof(response2a);
254b70a4 1183 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x93) { // Received a SELECT (cascade 1)
15c4dc5a 1184 resp = resp3; respLen = resp3Len; order = 3;
81cd0474 1185 respdata = response3;
1186 respsize = sizeof(response3);
254b70a4 1187 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) { // Received a SELECT (cascade 2)
15c4dc5a 1188 resp = resp3a; respLen = resp3aLen; order = 30;
81cd0474 1189 respdata = response3a;
1190 respsize = sizeof(response3a);
254b70a4 1191 } else if(receivedCmd[0] == 0x30) { // Received a (plain) READ
15c4dc5a 1192 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
254b70a4 1193 Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
81cd0474 1194 respdata = &nack;
1195 respsize = sizeof(nack); // 4-bit answer
254b70a4 1196 } else if(receivedCmd[0] == 0x50) { // Received a HALT
15c4dc5a 1197 DbpString("Reader requested we HALT!:");
254b70a4 1198 // Do not respond
1199 resp = resp1; respLen = 0; order = 0;
81cd0474 1200 respdata = NULL;
1201 respsize = 0;
254b70a4 1202 } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) { // Received an authentication request
15c4dc5a 1203 resp = resp5; respLen = resp5Len; order = 7;
254b70a4 1204 respdata = response5;
1205 respsize = sizeof(response5);
1206 } else if(receivedCmd[0] == 0xE0) { // Received a RATS request
1207 resp = resp6; respLen = resp6Len; order = 70;
1208 respdata = response6;
1209 respsize = sizeof(response6);
81cd0474 1210 } else {
1211 // Never seen this command before
7862f4ad 1212 Dbprintf("Received (len=%d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",
20f9a2a1 1213 len,
15c4dc5a 1214 receivedCmd[0], receivedCmd[1], receivedCmd[2],
20f9a2a1
M
1215 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1216 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
15c4dc5a 1217 // Do not respond
1218 resp = resp1; respLen = 0; order = 0;
81cd0474 1219 respdata = NULL;
1220 respsize = 0;
1221 }
15c4dc5a 1222
1223 // Count number of wakeups received after a halt
1224 if(order == 6 && lastorder == 5) { happened++; }
1225
1226 // Count number of other messages after a halt
1227 if(order != 6 && lastorder == 5) { happened2++; }
1228
1229 // Look at last parity bit to determine timing of answer
1230 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1231 // 1236, so correction bit needed
9f693930 1232 //i = 0;
15c4dc5a 1233 }
1234
15c4dc5a 1235 if(cmdsRecvd > 999) {
1236 DbpString("1000 commands later...");
254b70a4 1237 break;
1238 } else {
15c4dc5a 1239 cmdsRecvd++;
1240 }
1241
81cd0474 1242 if(respLen > 0) {
81cd0474 1243 EmSendCmd14443aRaw(resp, respLen, receivedCmd[0] == 0x52);
1244 }
1245
1246 if (tracing) {
1247 LogTrace(receivedCmd,len, 0, Uart.parityBits, TRUE);
1248 if (respdata != NULL) {
1249 LogTrace(respdata,respsize, 0, SwapBits(GetParity(respdata,respsize),respsize), FALSE);
1250 }
4ab4336a 1251 if(traceLen > TRACE_SIZE) {
1252 DbpString("Trace full");
1253 break;
1254 }
81cd0474 1255 }
15c4dc5a 1256
81cd0474 1257 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
254b70a4 1258 }
15c4dc5a 1259
1260 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1261 LED_A_OFF();
1262}
1263
1264//-----------------------------------------------------------------------------
1265// Transmit the command (to the tag) that was placed in ToSend[].
1266//-----------------------------------------------------------------------------
f7e3ed82 1267static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
15c4dc5a 1268{
1269 int c;
e30c654b 1270
15c4dc5a 1271 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1272
15c4dc5a 1273 if (wait)
1274 if(*wait < 10)
1275 *wait = 10;
e30c654b 1276
15c4dc5a 1277 for(c = 0; c < *wait;) {
1278 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1279 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1280 c++;
1281 }
1282 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1283 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1284 (void)r;
1285 }
1286 WDT_HIT();
1287 }
e30c654b 1288
15c4dc5a 1289 c = 0;
1290 for(;;) {
1291 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1292 AT91C_BASE_SSC->SSC_THR = cmd[c];
1293 c++;
1294 if(c >= len) {
1295 break;
1296 }
1297 }
1298 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1299 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1300 (void)r;
1301 }
1302 WDT_HIT();
1303 }
1304 if (samples) *samples = (c + *wait) << 3;
1305}
1306
15c4dc5a 1307//-----------------------------------------------------------------------------
1308// Code a 7-bit command without parity bit
1309// This is especially for 0x26 and 0x52 (REQA and WUPA)
1310//-----------------------------------------------------------------------------
f7e3ed82 1311void ShortFrameFromReader(const uint8_t bt)
15c4dc5a 1312{
1313 int j;
1314 int last;
f7e3ed82 1315 uint8_t b;
15c4dc5a 1316
1317 ToSendReset();
1318
1319 // Start of Communication (Seq. Z)
72934aa3 1320 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1321 last = 0;
1322
1323 b = bt;
1324 for(j = 0; j < 7; j++) {
1325 if(b & 1) {
1326 // Sequence X
72934aa3 1327 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1328 last = 1;
1329 } else {
1330 if(last == 0) {
1331 // Sequence Z
72934aa3 1332 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1333 }
1334 else {
1335 // Sequence Y
72934aa3 1336 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1337 last = 0;
1338 }
1339 }
1340 b >>= 1;
1341 }
1342
1343 // End of Communication
1344 if(last == 0) {
1345 // Sequence Z
72934aa3 1346 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1347 }
1348 else {
1349 // Sequence Y
72934aa3 1350 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1351 last = 0;
1352 }
1353 // Sequence Y
72934aa3 1354 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1355
1356 // Just to be sure!
72934aa3 1357 ToSend[++ToSendMax] = SEC_Y;
1358 ToSend[++ToSendMax] = SEC_Y;
1359 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1360
1361 // Convert from last character reference to length
1362 ToSendMax++;
1363}
1364
1365//-----------------------------------------------------------------------------
1366// Prepare reader command to send to FPGA
e30c654b 1367//
15c4dc5a 1368//-----------------------------------------------------------------------------
f7e3ed82 1369void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
15c4dc5a 1370{
1371 int i, j;
1372 int last;
f7e3ed82 1373 uint8_t b;
e30c654b 1374
15c4dc5a 1375 ToSendReset();
e30c654b 1376
15c4dc5a 1377 // Start of Communication (Seq. Z)
72934aa3 1378 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1379 last = 0;
e30c654b 1380
15c4dc5a 1381 // Generate send structure for the data bits
1382 for (i = 0; i < len; i++) {
1383 // Get the current byte to send
1384 b = cmd[i];
e30c654b 1385
15c4dc5a 1386 for (j = 0; j < 8; j++) {
1387 if (b & 1) {
1388 // Sequence X
72934aa3 1389 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1390 last = 1;
1391 } else {
1392 if (last == 0) {
1393 // Sequence Z
72934aa3 1394 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1395 } else {
1396 // Sequence Y
72934aa3 1397 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1398 last = 0;
1399 }
1400 }
1401 b >>= 1;
1402 }
e30c654b 1403
15c4dc5a 1404 // Get the parity bit
1405 if ((dwParity >> i) & 0x01) {
1406 // Sequence X
72934aa3 1407 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1408 last = 1;
1409 } else {
1410 if (last == 0) {
1411 // Sequence Z
72934aa3 1412 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1413 } else {
1414 // Sequence Y
72934aa3 1415 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1416 last = 0;
1417 }
1418 }
1419 }
e30c654b 1420
15c4dc5a 1421 // End of Communication
1422 if (last == 0) {
1423 // Sequence Z
72934aa3 1424 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1425 } else {
1426 // Sequence Y
72934aa3 1427 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1428 last = 0;
1429 }
1430 // Sequence Y
72934aa3 1431 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1432
15c4dc5a 1433 // Just to be sure!
72934aa3 1434 ToSend[++ToSendMax] = SEC_Y;
1435 ToSend[++ToSendMax] = SEC_Y;
1436 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1437
15c4dc5a 1438 // Convert from last character reference to length
1439 ToSendMax++;
1440}
1441
9ca155ba
M
1442//-----------------------------------------------------------------------------
1443// Wait for commands from reader
1444// Stop when button is pressed (return 1) or field was gone (return 2)
1445// Or return 0 when command is captured
1446//-----------------------------------------------------------------------------
1447static int EmGetCmd(uint8_t *received, int *len, int maxLen)
1448{
1449 *len = 0;
1450
1451 uint32_t timer = 0, vtime = 0;
1452 int analogCnt = 0;
1453 int analogAVG = 0;
1454
1455 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1456 // only, since we are receiving, not transmitting).
1457 // Signal field is off with the appropriate LED
1458 LED_D_OFF();
1459 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1460
1461 // Set ADC to read field strength
1462 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
1463 AT91C_BASE_ADC->ADC_MR =
1464 ADC_MODE_PRESCALE(32) |
1465 ADC_MODE_STARTUP_TIME(16) |
1466 ADC_MODE_SAMPLE_HOLD_TIME(8);
1467 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
1468 // start ADC
1469 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1470
1471 // Now run a 'software UART' on the stream of incoming samples.
1472 Uart.output = received;
1473 Uart.byteCntMax = maxLen;
1474 Uart.state = STATE_UNSYNCD;
1475
1476 for(;;) {
1477 WDT_HIT();
1478
1479 if (BUTTON_PRESS()) return 1;
1480
1481 // test if the field exists
1482 if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
1483 analogCnt++;
1484 analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
1485 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1486 if (analogCnt >= 32) {
1487 if ((33000 * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
1488 vtime = GetTickCount();
1489 if (!timer) timer = vtime;
1490 // 50ms no field --> card to idle state
1491 if (vtime - timer > 50) return 2;
1492 } else
1493 if (timer) timer = 0;
1494 analogCnt = 0;
1495 analogAVG = 0;
1496 }
1497 }
1498 // transmit none
1499 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1500 AT91C_BASE_SSC->SSC_THR = 0x00;
1501 }
1502 // receive and test the miller decoding
1503 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1504 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1505 if(MillerDecoding((b & 0xf0) >> 4)) {
1506 *len = Uart.byteCnt;
8f51ddb0 1507 if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
9ca155ba
M
1508 return 0;
1509 }
1510 if(MillerDecoding(b & 0x0f)) {
1511 *len = Uart.byteCnt;
8f51ddb0 1512 if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
9ca155ba
M
1513 return 0;
1514 }
1515 }
1516 }
1517}
1518
1519static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded)
1520{
1521 int i, u = 0;
1522 uint8_t b = 0;
1523
1524 // Modulate Manchester
1525 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1526 AT91C_BASE_SSC->SSC_THR = 0x00;
1527 FpgaSetupSsc();
1528
1529 // include correction bit
1530 i = 1;
1531 if((Uart.parityBits & 0x01) || correctionNeeded) {
1532 // 1236, so correction bit needed
1533 i = 0;
1534 }
1535
1536 // send cycle
1537 for(;;) {
1538 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1539 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1540 (void)b;
1541 }
1542 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1543 if(i > respLen) {
8f51ddb0 1544 b = 0xff; // was 0x00
9ca155ba
M
1545 u++;
1546 } else {
1547 b = resp[i];
1548 i++;
1549 }
1550 AT91C_BASE_SSC->SSC_THR = b;
1551
1552 if(u > 4) break;
1553 }
1554 if(BUTTON_PRESS()) {
1555 break;
1556 }
1557 }
1558
1559 return 0;
1560}
1561
8f51ddb0
M
1562int EmSend4bitEx(uint8_t resp, int correctionNeeded){
1563 Code4bitAnswerAsTag(resp);
0a39986e 1564 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
8f51ddb0 1565 if (tracing) LogTrace(&resp, 1, GetDeltaCountUS(), GetParity(&resp, 1), FALSE);
0a39986e 1566 return res;
9ca155ba
M
1567}
1568
8f51ddb0
M
1569int EmSend4bit(uint8_t resp){
1570 return EmSend4bitEx(resp, 0);
1571}
1572
1573int EmSendCmdExPar(uint8_t *resp, int respLen, int correctionNeeded, uint32_t par){
1574 CodeIso14443aAsTagPar(resp, respLen, par);
1575 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
1576 if (tracing) LogTrace(resp, respLen, GetDeltaCountUS(), par, FALSE);
1577 return res;
1578}
1579
1580int EmSendCmdEx(uint8_t *resp, int respLen, int correctionNeeded){
1581 return EmSendCmdExPar(resp, respLen, correctionNeeded, GetParity(resp, respLen));
1582}
1583
1584int EmSendCmd(uint8_t *resp, int respLen){
1585 return EmSendCmdExPar(resp, respLen, 0, GetParity(resp, respLen));
1586}
1587
1588int EmSendCmdPar(uint8_t *resp, int respLen, uint32_t par){
1589 return EmSendCmdExPar(resp, respLen, 0, par);
9ca155ba
M
1590}
1591
15c4dc5a 1592//-----------------------------------------------------------------------------
1593// Wait a certain time for tag response
1594// If a response is captured return TRUE
1595// If it takes to long return FALSE
1596//-----------------------------------------------------------------------------
f7e3ed82 1597static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1598{
1599 // buffer needs to be 512 bytes
1600 int c;
1601
1602 // Set FPGA mode to "reader listen mode", no modulation (listen
534983d7 1603 // only, since we are receiving, not transmitting).
1604 // Signal field is on with the appropriate LED
1605 LED_D_ON();
1606 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
15c4dc5a 1607
534983d7 1608 // Now get the answer from the card
1609 Demod.output = receivedResponse;
1610 Demod.len = 0;
1611 Demod.state = DEMOD_UNSYNCD;
15c4dc5a 1612
f7e3ed82 1613 uint8_t b;
15c4dc5a 1614 if (elapsed) *elapsed = 0;
1615
1616 c = 0;
1617 for(;;) {
534983d7 1618 WDT_HIT();
15c4dc5a 1619
534983d7 1620 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1621 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
15c4dc5a 1622 if (elapsed) (*elapsed)++;
534983d7 1623 }
1624 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1625 if(c < iso14a_timeout) { c++; } else { return FALSE; }
1626 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
72934aa3 1627 if(ManchesterDecoding((b>>4) & 0xf)) {
15c4dc5a 1628 *samples = ((c - 1) << 3) + 4;
1629 return TRUE;
1630 }
1631 if(ManchesterDecoding(b & 0x0f)) {
1632 *samples = c << 3;
1633 return TRUE;
1634 }
534983d7 1635 }
1636 }
15c4dc5a 1637}
1638
f7e3ed82 1639void ReaderTransmitShort(const uint8_t* bt)
15c4dc5a 1640{
1641 int wait = 0;
1642 int samples = 0;
1643
1644 ShortFrameFromReader(*bt);
e30c654b 1645
15c4dc5a 1646 // Select the card
e30c654b 1647 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1648
15c4dc5a 1649 // Store reader command in buffer
1650 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1651}
1652
f7e3ed82 1653void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
15c4dc5a 1654{
1655 int wait = 0;
1656 int samples = 0;
e30c654b 1657
15c4dc5a 1658 // This is tied to other size changes
f7e3ed82 1659 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
15c4dc5a 1660 CodeIso14443aAsReaderPar(frame,len,par);
e30c654b 1661
15c4dc5a 1662 // Select the card
e30c654b 1663 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
534983d7 1664 if(trigger)
1665 LED_A_ON();
e30c654b 1666
15c4dc5a 1667 // Store reader command in buffer
1668 if (tracing) LogTrace(frame,len,0,par,TRUE);
1669}
1670
1671
f7e3ed82 1672void ReaderTransmit(uint8_t* frame, int len)
15c4dc5a 1673{
1674 // Generate parity and redirect
1675 ReaderTransmitPar(frame,len,GetParity(frame,len));
1676}
1677
f7e3ed82 1678int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1679{
1680 int samples = 0;
20f9a2a1 1681 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
15c4dc5a 1682 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
7e758047 1683 if(samples == 0) return FALSE;
1684 return Demod.len;
15c4dc5a 1685}
1686
f89c7050
M
1687int ReaderReceivePar(uint8_t* receivedAnswer, uint32_t * parptr)
1688{
1689 int samples = 0;
1690 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
1691 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1692 *parptr = Demod.parityBits;
1693 if(samples == 0) return FALSE;
1694 return Demod.len;
1695}
1696
7e758047 1697/* performs iso14443a anticolision procedure
534983d7 1698 * fills the uid pointer unless NULL
1699 * fills resp_data unless NULL */
20f9a2a1
M
1700int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data, uint32_t * cuid_ptr) {
1701 uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
f7e3ed82 1702 uint8_t sel_all[] = { 0x93,0x20 };
1703 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
7e758047 1704 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
15c4dc5a 1705
7e758047 1706 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1707
534983d7 1708 uint8_t sak = 0x04; // cascade uid
1709 int cascade_level = 0;
1710
7e758047 1711 int len;
20f9a2a1
M
1712
1713 // clear uid
1714 memset(uid_ptr, 0, 8);
15c4dc5a 1715
7e758047 1716 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1717 ReaderTransmitShort(wupa);
1718 // Receive the ATQA
1719 if(!ReaderReceive(resp)) return 0;
15c4dc5a 1720
534983d7 1721 if(resp_data)
1722 memcpy(resp_data->atqa, resp, 2);
1723
534983d7 1724 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
7e758047 1725 // which case we need to make a cascade 2 request and select - this is a long UID
534983d7 1726 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1727 for(; sak & 0x04; cascade_level++)
7e758047 1728 {
534983d7 1729 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1730 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1731
1732 // SELECT_ALL
1733 ReaderTransmit(sel_all,sizeof(sel_all));
1734 if (!ReaderReceive(resp)) return 0;
1735 if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4);
20f9a2a1
M
1736
1737 // calculate crypto UID
1738 if(cuid_ptr) *cuid_ptr = bytes_to_num(resp, 4);
e30c654b 1739
7e758047 1740 // Construct SELECT UID command
534983d7 1741 memcpy(sel_uid+2,resp,5);
1742 AppendCrc14443a(sel_uid,7);
1743 ReaderTransmit(sel_uid,sizeof(sel_uid));
1744
7e758047 1745 // Receive the SAK
1746 if (!ReaderReceive(resp)) return 0;
534983d7 1747 sak = resp[0];
7e758047 1748 }
534983d7 1749 if(resp_data) {
1750 resp_data->sak = sak;
1751 resp_data->ats_len = 0;
1752 }
20f9a2a1
M
1753 //-- this byte not UID, it CT. http://www.nxp.com/documents/application_note/AN10927.pdf page 3
1754 if (uid_ptr[0] == 0x88) {
1755 memcpy(uid_ptr, uid_ptr + 1, 7);
1756 uid_ptr[7] = 0;
1757 }
534983d7 1758
1759 if( (sak & 0x20) == 0)
7e758047 1760 return 2; // non iso14443a compliant tag
534983d7 1761
7e758047 1762 // Request for answer to select
20f9a2a1
M
1763 if(resp_data) { // JCOP cards - if reader sent RATS then there is no MIFARE session at all!!!
1764 AppendCrc14443a(rats, 2);
1765 ReaderTransmit(rats, sizeof(rats));
1766
1767 if (!(len = ReaderReceive(resp))) return 0;
1768
534983d7 1769 memcpy(resp_data->ats, resp, sizeof(resp_data->ats));
1770 resp_data->ats_len = len;
1771 }
20f9a2a1 1772
7e758047 1773 return 1;
1774}
15c4dc5a 1775
7e758047 1776void iso14443a_setup() {
1777 // Setup SSC
1778 FpgaSetupSsc();
1779 // Start from off (no field generated)
1780 // Signal field is off with the appropriate LED
1781 LED_D_OFF();
1782 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1783 SpinDelay(200);
15c4dc5a 1784
7e758047 1785 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
e30c654b 1786
7e758047 1787 // Now give it time to spin up.
1788 // Signal field is on with the appropriate LED
1789 LED_D_ON();
1790 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1791 SpinDelay(200);
534983d7 1792
1793 iso14a_timeout = 2048; //default
7e758047 1794}
15c4dc5a 1795
534983d7 1796int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
1797 uint8_t real_cmd[cmd_len+4];
1798 real_cmd[0] = 0x0a; //I-Block
1799 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1800 memcpy(real_cmd+2, cmd, cmd_len);
1801 AppendCrc14443a(real_cmd,cmd_len+2);
1802
1803 ReaderTransmit(real_cmd, cmd_len+4);
1804 size_t len = ReaderReceive(data);
1805 if(!len)
1806 return -1; //DATA LINK ERROR
1807
1808 return len;
1809}
1810
1811
7e758047 1812//-----------------------------------------------------------------------------
1813// Read an ISO 14443a tag. Send out commands and store answers.
1814//
1815//-----------------------------------------------------------------------------
534983d7 1816void ReaderIso14443a(UsbCommand * c, UsbCommand * ack)
7e758047 1817{
534983d7 1818 iso14a_command_t param = c->arg[0];
1819 uint8_t * cmd = c->d.asBytes;
1820 size_t len = c->arg[1];
e30c654b 1821
534983d7 1822 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(1);
15c4dc5a 1823
534983d7 1824 if(param & ISO14A_CONNECT) {
1825 iso14443a_setup();
20f9a2a1 1826 ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12), NULL);
534983d7 1827 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1828 }
e30c654b 1829
534983d7 1830 if(param & ISO14A_SET_TIMEOUT) {
1831 iso14a_timeout = c->arg[2];
1832 }
e30c654b 1833
534983d7 1834 if(param & ISO14A_SET_TIMEOUT) {
1835 iso14a_timeout = c->arg[2];
1836 }
e30c654b 1837
534983d7 1838 if(param & ISO14A_APDU) {
1839 ack->arg[0] = iso14_apdu(cmd, len, ack->d.asBytes);
1840 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1841 }
e30c654b 1842
534983d7 1843 if(param & ISO14A_RAW) {
1844 if(param & ISO14A_APPEND_CRC) {
1845 AppendCrc14443a(cmd,len);
1846 len += 2;
15c4dc5a 1847 }
534983d7 1848 ReaderTransmit(cmd,len);
1849 ack->arg[0] = ReaderReceive(ack->d.asBytes);
1850 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1851 }
15c4dc5a 1852
534983d7 1853 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(0);
15c4dc5a 1854
534983d7 1855 if(param & ISO14A_NO_DISCONNECT)
1856 return;
15c4dc5a 1857
15c4dc5a 1858 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1859 LEDsoff();
15c4dc5a 1860}
15c4dc5a 1861//-----------------------------------------------------------------------------
1862// Read an ISO 14443a tag. Send out commands and store answers.
1863//
1864//-----------------------------------------------------------------------------
f7e3ed82 1865void ReaderMifare(uint32_t parameter)
15c4dc5a 1866{
15c4dc5a 1867 // Mifare AUTH
f7e3ed82 1868 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
f89c7050 1869 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1870
f89c7050
M
1871 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1872 traceLen = 0;
1873 tracing = false;
e30c654b 1874
7e758047 1875 iso14443a_setup();
e30c654b 1876
15c4dc5a 1877 LED_A_ON();
1878 LED_B_OFF();
1879 LED_C_OFF();
e30c654b 1880
f89c7050
M
1881 byte_t nt_diff = 0;
1882 LED_A_OFF();
1883 byte_t par = 0;
9f693930 1884 //byte_t par_mask = 0xff;
f89c7050
M
1885 byte_t par_low = 0;
1886 int led_on = TRUE;
50193c1e 1887 uint8_t uid[8];
f89c7050 1888 uint32_t cuid;
e30c654b 1889
f89c7050
M
1890 tracing = FALSE;
1891 byte_t nt[4] = {0,0,0,0};
f397b5cc 1892 byte_t nt_attacked[4], nt_noattack[4];
f89c7050
M
1893 byte_t par_list[8] = {0,0,0,0,0,0,0,0};
1894 byte_t ks_list[8] = {0,0,0,0,0,0,0,0};
f397b5cc 1895 num_to_bytes(parameter, 4, nt_noattack);
50193c1e 1896 int isOK = 0, isNULL = 0;
f397b5cc 1897
f89c7050
M
1898 while(TRUE)
1899 {
50193c1e 1900 LED_C_ON();
f89c7050
M
1901 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1902 SpinDelay(200);
1903 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
50193c1e 1904 LED_C_OFF();
e30c654b 1905
f89c7050
M
1906 // Test if the action was cancelled
1907 if(BUTTON_PRESS()) {
1908 break;
1909 }
e30c654b 1910
f89c7050 1911 if(!iso14443a_select_card(uid, NULL, &cuid)) continue;
e30c654b 1912
f89c7050
M
1913 // Transmit MIFARE_CLASSIC_AUTH
1914 ReaderTransmit(mf_auth, sizeof(mf_auth));
15c4dc5a 1915
f89c7050
M
1916 // Receive the (16 bit) "random" nonce
1917 if (!ReaderReceive(receivedAnswer)) continue;
1918 memcpy(nt, receivedAnswer, 4);
e30c654b 1919
f89c7050
M
1920 // Transmit reader nonce and reader answer
1921 ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar),par);
15c4dc5a 1922
f89c7050
M
1923 // Receive 4 bit answer
1924 if (ReaderReceive(receivedAnswer))
1925 {
f397b5cc
M
1926 if ( (parameter != 0) && (memcmp(nt, nt_noattack, 4) == 0) ) continue;
1927
db389d52 1928 isNULL = (nt_attacked[0] == 0) && (nt_attacked[1] == 0) && (nt_attacked[2] == 0) && (nt_attacked[3] == 0);
50193c1e
M
1929 if ( (isNULL != 0 ) && (memcmp(nt, nt_attacked, 4) != 0) ) continue;
1930
f89c7050
M
1931 if (nt_diff == 0)
1932 {
1933 LED_A_ON();
1934 memcpy(nt_attacked, nt, 4);
9f693930 1935 //par_mask = 0xf8;
f89c7050
M
1936 par_low = par & 0x07;
1937 }
15c4dc5a 1938
f89c7050
M
1939 led_on = !led_on;
1940 if(led_on) LED_B_ON(); else LED_B_OFF();
1941 par_list[nt_diff] = par;
1942 ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
e30c654b 1943
f89c7050
M
1944 // Test if the information is complete
1945 if (nt_diff == 0x07) {
1946 isOK = 1;
1947 break;
1948 }
1949
1950 nt_diff = (nt_diff + 1) & 0x07;
1951 mf_nr_ar[3] = nt_diff << 5;
1952 par = par_low;
1953 } else {
1954 if (nt_diff == 0)
1955 {
1956 par++;
1957 } else {
1958 par = (((par >> 3) + 1) << 3) | par_low;
1959 }
1960 }
1961 }
e30c654b 1962
f89c7050
M
1963 LogTrace(nt, 4, 0, GetParity(nt, 4), TRUE);
1964 LogTrace(par_list, 8, 0, GetParity(par_list, 8), TRUE);
1965 LogTrace(ks_list, 8, 0, GetParity(ks_list, 8), TRUE);
e30c654b 1966
f89c7050
M
1967 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
1968 memcpy(ack.d.asBytes + 0, uid, 4);
1969 memcpy(ack.d.asBytes + 4, nt, 4);
1970 memcpy(ack.d.asBytes + 8, par_list, 8);
1971 memcpy(ack.d.asBytes + 16, ks_list, 8);
1972
1973 LED_B_ON();
1974 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
1975 LED_B_OFF();
1976
1977 // Thats it...
15c4dc5a 1978 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1979 LEDsoff();
f89c7050
M
1980 tracing = TRUE;
1981
f397b5cc 1982 if (MF_DBGLEVEL >= 1) DbpString("COMMAND mifare FINISHED");
20f9a2a1
M
1983}
1984
20f9a2a1
M
1985
1986//-----------------------------------------------------------------------------
1987// MIFARE 1K simulate.
1988//
1989//-----------------------------------------------------------------------------
1990void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
1991{
50193c1e 1992 int cardSTATE = MFEMUL_NOFIELD;
8556b852 1993 int _7BUID = 0;
9ca155ba 1994 int vHf = 0; // in mV
9f693930 1995 //int nextCycleTimeout = 0;
8f51ddb0 1996 int res;
51969283 1997// uint32_t timer = 0;
0a39986e
M
1998 uint32_t selTimer = 0;
1999 uint32_t authTimer = 0;
2000 uint32_t par = 0;
9ca155ba 2001 int len = 0;
8f51ddb0 2002 uint8_t cardWRBL = 0;
9ca155ba
M
2003 uint8_t cardAUTHSC = 0;
2004 uint8_t cardAUTHKEY = 0xff; // no authentication
9f693930 2005 //uint32_t cardRn = 0;
51969283 2006 uint32_t cardRr = 0;
9ca155ba 2007 uint32_t cuid = 0;
9f693930 2008 //uint32_t rn_enc = 0;
51969283 2009 uint32_t ans = 0;
0014cb46
M
2010 uint32_t cardINTREG = 0;
2011 uint8_t cardINTBLOCK = 0;
9ca155ba
M
2012 struct Crypto1State mpcs = {0, 0};
2013 struct Crypto1State *pcs;
2014 pcs = &mpcs;
2015
8f51ddb0
M
2016 uint8_t* receivedCmd = eml_get_bigbufptr_recbuf();
2017 uint8_t *response = eml_get_bigbufptr_sendbuf();
9ca155ba 2018
8556b852 2019 static uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
9ca155ba 2020
0a39986e
M
2021 static uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
2022 static uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
9ca155ba 2023
0a39986e 2024 static uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
8556b852 2025 static uint8_t rSAK1[] = {0x04, 0xda, 0x17};
9ca155ba 2026
0014cb46
M
2027 static uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
2028// static uint8_t rAUTH_NT[] = {0x1a, 0xac, 0xff, 0x4f};
0a39986e 2029 static uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
0014cb46 2030
0a39986e
M
2031 // clear trace
2032 traceLen = 0;
2033 tracing = true;
51969283
M
2034
2035 // Authenticate response - nonce
2036 uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
9ca155ba 2037
8556b852
M
2038 // get UID from emul memory
2039 emlGetMemBt(receivedCmd, 7, 1);
2040 _7BUID = !(receivedCmd[0] == 0x00);
2041 if (!_7BUID) { // ---------- 4BUID
2042 rATQA[0] = 0x04;
2043
2044 emlGetMemBt(rUIDBCC1, 0, 4);
2045 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2046 } else { // ---------- 7BUID
2047 rATQA[0] = 0x44;
2048
2049 rUIDBCC1[0] = 0x88;
2050 emlGetMemBt(&rUIDBCC1[1], 0, 3);
2051 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2052 emlGetMemBt(rUIDBCC2, 3, 4);
2053 rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
2054 }
2055
9ca155ba 2056// -------------------------------------- test area
50193c1e 2057
9ca155ba 2058// -------------------------------------- END test area
8f51ddb0
M
2059 // start mkseconds counter
2060 StartCountUS();
9ca155ba
M
2061
2062 // We need to listen to the high-frequency, peak-detected path.
2063 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
2064 FpgaSetupSsc();
2065
2066 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
2067 SpinDelay(200);
2068
0014cb46 2069 if (MF_DBGLEVEL >= 1) Dbprintf("Started. 7buid=%d", _7BUID);
8f51ddb0
M
2070 // calibrate mkseconds counter
2071 GetDeltaCountUS();
9ca155ba
M
2072 while (true) {
2073 WDT_HIT();
9ca155ba 2074
8f51ddb0
M
2075 if(BUTTON_PRESS()) {
2076 break;
2077 }
2078
9ca155ba
M
2079 // find reader field
2080 // Vref = 3300mV, and an 10:1 voltage divider on the input
2081 // can measure voltages up to 33000 mV
2082 if (cardSTATE == MFEMUL_NOFIELD) {
2083 vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
2084 if (vHf > MF_MINFIELDV) {
0014cb46 2085 cardSTATE_TO_IDLE();
9ca155ba
M
2086 LED_A_ON();
2087 }
2088 }
2089
2090 if (cardSTATE != MFEMUL_NOFIELD) {
81cd0474 2091 res = EmGetCmd(receivedCmd, &len, RECV_CMD_SIZE); // (+ nextCycleTimeout)
9ca155ba
M
2092 if (res == 2) {
2093 cardSTATE = MFEMUL_NOFIELD;
2094 LEDsoff();
2095 continue;
2096 }
2097 if(res) break;
2098 }
2099
9f693930 2100 //nextCycleTimeout = 0;
8f51ddb0 2101
9ca155ba 2102// if (len) Dbprintf("len:%d cmd: %02x %02x %02x %02x", len, receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3]);
0a39986e
M
2103
2104 if (len != 4 && cardSTATE != MFEMUL_NOFIELD) { // len != 4 <---- speed up the code 4 authentication
8f51ddb0 2105 // REQ or WUP request in ANY state and WUP in HALTED state
0a39986e
M
2106 if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
2107 selTimer = GetTickCount();
2108 EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
2109 cardSTATE = MFEMUL_SELECT1;
2110
2111 // init crypto block
2112 LED_B_OFF();
2113 LED_C_OFF();
2114 crypto1_destroy(pcs);
2115 cardAUTHKEY = 0xff;
2116 }
2117 }
9ca155ba 2118
50193c1e
M
2119 switch (cardSTATE) {
2120 case MFEMUL_NOFIELD:{
2121 break;
2122 }
9ca155ba 2123 case MFEMUL_HALTED:{
0a39986e 2124 break;
9ca155ba 2125 }
50193c1e
M
2126 case MFEMUL_IDLE:{
2127 break;
2128 }
2129 case MFEMUL_SELECT1:{
9ca155ba
M
2130 // select all
2131 if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
2132 EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
0014cb46 2133 break;
9ca155ba
M
2134 }
2135
2136 // select card
0a39986e
M
2137 if (len == 9 &&
2138 (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
8556b852
M
2139 if (!_7BUID)
2140 EmSendCmd(rSAK, sizeof(rSAK));
2141 else
2142 EmSendCmd(rSAK1, sizeof(rSAK1));
9ca155ba
M
2143
2144 cuid = bytes_to_num(rUIDBCC1, 4);
8556b852
M
2145 if (!_7BUID) {
2146 cardSTATE = MFEMUL_WORK;
0014cb46
M
2147 LED_B_ON();
2148 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
2149 break;
8556b852
M
2150 } else {
2151 cardSTATE = MFEMUL_SELECT2;
2152 break;
2153 }
9ca155ba
M
2154 }
2155
50193c1e
M
2156 break;
2157 }
2158 case MFEMUL_SELECT2:{
0014cb46
M
2159 if (!len) break;
2160
8556b852 2161 if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
9ca155ba 2162 EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
8556b852
M
2163 break;
2164 }
9ca155ba 2165
8556b852
M
2166 // select 2 card
2167 if (len == 9 &&
2168 (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) {
2169 EmSendCmd(rSAK, sizeof(rSAK));
2170
2171 cuid = bytes_to_num(rUIDBCC2, 4);
2172 cardSTATE = MFEMUL_WORK;
2173 LED_B_ON();
0014cb46 2174 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
8556b852
M
2175 break;
2176 }
0014cb46
M
2177
2178 // i guess there is a command). go into the work state.
2179 if (len != 4) break;
2180 cardSTATE = MFEMUL_WORK;
2181 goto lbWORK;
50193c1e
M
2182 }
2183 case MFEMUL_AUTH1:{
9ca155ba 2184 if (len == 8) {
51969283 2185 // --- crypto
9f693930
GY
2186 //rn_enc = bytes_to_num(receivedCmd, 4);
2187 //cardRn = rn_enc ^ crypto1_word(pcs, rn_enc , 1);
51969283
M
2188 cardRr = bytes_to_num(&receivedCmd[4], 4) ^ crypto1_word(pcs, 0, 0);
2189 // test if auth OK
2190 if (cardRr != prng_successor(nonce, 64)){
0014cb46
M
2191 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED. cardRr=%08x, succ=%08x", cardRr, prng_successor(nonce, 64));
2192 cardSTATE_TO_IDLE();
51969283
M
2193 break;
2194 }
2195 ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
2196 num_to_bytes(ans, 4, rAUTH_AT);
2197 // --- crypto
2198 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
0a39986e
M
2199 cardSTATE = MFEMUL_AUTH2;
2200 } else {
0014cb46 2201 cardSTATE_TO_IDLE();
9ca155ba 2202 }
0a39986e 2203 if (cardSTATE != MFEMUL_AUTH2) break;
50193c1e
M
2204 }
2205 case MFEMUL_AUTH2:{
9ca155ba 2206 LED_C_ON();
0a39986e 2207 cardSTATE = MFEMUL_WORK;
0014cb46 2208 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED. sec=%d, key=%d time=%d", cardAUTHSC, cardAUTHKEY, GetTickCount() - authTimer);
50193c1e
M
2209 break;
2210 }
9ca155ba 2211 case MFEMUL_WORK:{
0014cb46 2212lbWORK: if (len == 0) break;
0a39986e 2213
51969283
M
2214 if (cardAUTHKEY == 0xff) {
2215 // first authentication
2216 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2217 authTimer = GetTickCount();
2218
2219 cardAUTHSC = receivedCmd[1] / 4; // received block num
2220 cardAUTHKEY = receivedCmd[0] - 0x60;
2221
2222 // --- crypto
2223 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
2224 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
2225 num_to_bytes(nonce, 4, rAUTH_AT);
2226 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2227 // --- crypto
2228
2229// last working revision
2230// EmSendCmd14443aRaw(resp1, resp1Len, 0);
2231// LogTrace(NULL, 0, GetDeltaCountUS(), 0, true);
2232
2233 cardSTATE = MFEMUL_AUTH1;
9f693930 2234 //nextCycleTimeout = 10;
51969283
M
2235 break;
2236 }
2237 } else {
2238 // decrypt seqence
2239 mf_crypto1_decrypt(pcs, receivedCmd, len);
2240
2241 // nested authentication
2242 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2243 authTimer = GetTickCount();
2244
2245 cardAUTHSC = receivedCmd[1] / 4; // received block num
2246 cardAUTHKEY = receivedCmd[0] - 0x60;
2247
2248 // --- crypto
2249 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
2250 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
2251 num_to_bytes(ans, 4, rAUTH_AT);
2252 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2253 // --- crypto
2254
2255 cardSTATE = MFEMUL_AUTH1;
9f693930 2256 //nextCycleTimeout = 10;
51969283
M
2257 break;
2258 }
2259 }
0a39986e 2260
8f51ddb0
M
2261 // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued
2262 // BUT... ACK --> NACK
2263 if (len == 1 && receivedCmd[0] == CARD_ACK) {
2264 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2265 break;
2266 }
2267
2268 // rule 12 of 7.5.3. in ISO 14443-4. R(NAK) --> R(ACK)
2269 if (len == 1 && receivedCmd[0] == CARD_NACK_NA) {
2270 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2271 break;
0a39986e
M
2272 }
2273
2274 // read block
2275 if (len == 4 && receivedCmd[0] == 0x30) {
51969283 2276 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
8f51ddb0
M
2277 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2278 break;
2279 }
2280 emlGetMem(response, receivedCmd[1], 1);
2281 AppendCrc14443a(response, 16);
2282 mf_crypto1_encrypt(pcs, response, 18, &par);
2283 EmSendCmdPar(response, 18, par);
0a39986e
M
2284 break;
2285 }
2286
2287 // write block
2288 if (len == 4 && receivedCmd[0] == 0xA0) {
51969283 2289 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
8f51ddb0
M
2290 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2291 break;
2292 }
2293 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
9f693930 2294 //nextCycleTimeout = 50;
8f51ddb0
M
2295 cardSTATE = MFEMUL_WRITEBL2;
2296 cardWRBL = receivedCmd[1];
0a39986e 2297 break;
9ca155ba 2298 }
8f51ddb0 2299
0014cb46
M
2300 // works with cardINTREG
2301
2302 // increment, decrement, restore
2303 if (len == 4 && (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2)) {
2304 if (receivedCmd[1] >= 16 * 4 ||
2305 receivedCmd[1] / 4 != cardAUTHSC ||
2306 emlCheckValBl(receivedCmd[1])) {
2307 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2308 break;
2309 }
2310 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2311 if (receivedCmd[0] == 0xC1)
2312 cardSTATE = MFEMUL_INTREG_INC;
2313 if (receivedCmd[0] == 0xC0)
2314 cardSTATE = MFEMUL_INTREG_DEC;
2315 if (receivedCmd[0] == 0xC2)
2316 cardSTATE = MFEMUL_INTREG_REST;
2317 cardWRBL = receivedCmd[1];
2318
2319 break;
2320 }
2321
2322
2323 // transfer
2324 if (len == 4 && receivedCmd[0] == 0xB0) {
2325 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
2326 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2327 break;
2328 }
2329
2330 if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1]))
2331 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2332 else
2333 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2334
2335 break;
2336 }
2337
9ca155ba 2338 // halt
0a39986e 2339 if (len == 4 && (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00)) {
9ca155ba 2340 LED_B_OFF();
0a39986e 2341 LED_C_OFF();
0014cb46
M
2342 cardSTATE = MFEMUL_HALTED;
2343 if (MF_DBGLEVEL >= 4) Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer);
0a39986e 2344 break;
9ca155ba 2345 }
51969283 2346
8f51ddb0
M
2347 // command not allowed
2348 if (len == 4) {
2349 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2350 break;
2351 }
51969283
M
2352
2353 // case break
2354 break;
8f51ddb0
M
2355 }
2356 case MFEMUL_WRITEBL2:{
2357 if (len == 18){
2358 mf_crypto1_decrypt(pcs, receivedCmd, len);
2359 emlSetMem(receivedCmd, cardWRBL, 1);
2360 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2361 cardSTATE = MFEMUL_WORK;
2362 break;
51969283 2363 } else {
0014cb46 2364 cardSTATE_TO_IDLE();
51969283 2365 break;
8f51ddb0 2366 }
8f51ddb0 2367 break;
50193c1e 2368 }
0014cb46
M
2369
2370 case MFEMUL_INTREG_INC:{
2371 mf_crypto1_decrypt(pcs, receivedCmd, len);
2372 memcpy(&ans, receivedCmd, 4);
2373 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2374 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2375 cardSTATE_TO_IDLE();
2376 break;
2377 }
2378 cardINTREG = cardINTREG + ans;
2379 cardSTATE = MFEMUL_WORK;
2380 break;
2381 }
2382 case MFEMUL_INTREG_DEC:{
2383 mf_crypto1_decrypt(pcs, receivedCmd, len);
2384 memcpy(&ans, receivedCmd, 4);
2385 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2386 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2387 cardSTATE_TO_IDLE();
2388 break;
2389 }
2390 cardINTREG = cardINTREG - ans;
2391 cardSTATE = MFEMUL_WORK;
2392 break;
2393 }
2394 case MFEMUL_INTREG_REST:{
2395 mf_crypto1_decrypt(pcs, receivedCmd, len);
2396 memcpy(&ans, receivedCmd, 4);
2397 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2398 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2399 cardSTATE_TO_IDLE();
2400 break;
2401 }
2402 cardSTATE = MFEMUL_WORK;
2403 break;
2404 }
50193c1e
M
2405
2406 }
2407
2408 }
2409
9ca155ba
M
2410 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2411 LEDsoff();
2412
0a39986e 2413 // add trace trailer
8f51ddb0 2414 memset(rAUTH_NT, 0x44, 4);
0a39986e
M
2415 LogTrace(rAUTH_NT, 4, 0, 0, TRUE);
2416
0014cb46 2417 if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, traceLen);
15c4dc5a 2418}
Impressum, Datenschutz