]>
Commit | Line | Data |
---|---|---|
15c4dc5a | 1 | //----------------------------------------------------------------------------- |
f89c7050 | 2 | // Merlok - June 2011 |
15c4dc5a | 3 | // Gerhard de Koning Gans - May 2008 |
534983d7 | 4 | // Hagen Fritsch - June 2010 |
bd20f8f4 | 5 | // |
6 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, | |
7 | // at your option, any later version. See the LICENSE.txt file for the text of | |
8 | // the license. | |
15c4dc5a | 9 | //----------------------------------------------------------------------------- |
bd20f8f4 | 10 | // Routines to support ISO 14443 type A. |
11 | //----------------------------------------------------------------------------- | |
12 | ||
e30c654b | 13 | #include "proxmark3.h" |
15c4dc5a | 14 | #include "apps.h" |
f7e3ed82 | 15 | #include "util.h" |
9ab7a6c7 | 16 | #include "string.h" |
17 | ||
15c4dc5a | 18 | #include "iso14443crc.h" |
534983d7 | 19 | #include "iso14443a.h" |
20f9a2a1 M |
20 | #include "crapto1.h" |
21 | #include "mifareutil.h" | |
15c4dc5a | 22 | |
534983d7 | 23 | static uint32_t iso14a_timeout; |
1e262141 | 24 | uint8_t *trace = (uint8_t *) BigBuf; |
25 | int traceLen = 0; | |
26 | int rsamples = 0; | |
27 | int tracing = TRUE; | |
28 | uint8_t trigger = 0; | |
15c4dc5a | 29 | |
8f51ddb0 | 30 | // CARD TO READER - manchester |
72934aa3 | 31 | // Sequence D: 11110000 modulation with subcarrier during first half |
32 | // Sequence E: 00001111 modulation with subcarrier during second half | |
33 | // Sequence F: 00000000 no modulation with subcarrier | |
8f51ddb0 | 34 | // READER TO CARD - miller |
72934aa3 | 35 | // Sequence X: 00001100 drop after half a period |
36 | // Sequence Y: 00000000 no drop | |
37 | // Sequence Z: 11000000 drop at start | |
38 | #define SEC_D 0xf0 | |
39 | #define SEC_E 0x0f | |
40 | #define SEC_F 0x00 | |
41 | #define SEC_X 0x0c | |
42 | #define SEC_Y 0x00 | |
43 | #define SEC_Z 0xc0 | |
15c4dc5a | 44 | |
1e262141 | 45 | const uint8_t OddByteParity[256] = { |
15c4dc5a | 46 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, |
47 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
48 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
49 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, | |
50 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
51 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, | |
52 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, | |
53 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
54 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
55 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, | |
56 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, | |
57 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
58 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, | |
59 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
60 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
61 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1 | |
62 | }; | |
63 | ||
1e262141 | 64 | |
534983d7 | 65 | void iso14a_set_trigger(int enable) { |
66 | trigger = enable; | |
67 | } | |
68 | ||
8556b852 M |
69 | void iso14a_clear_tracelen(void) { |
70 | traceLen = 0; | |
71 | } | |
72 | void iso14a_set_tracing(int enable) { | |
73 | tracing = enable; | |
74 | } | |
75 | ||
15c4dc5a | 76 | //----------------------------------------------------------------------------- |
77 | // Generate the parity value for a byte sequence | |
e30c654b | 78 | // |
15c4dc5a | 79 | //----------------------------------------------------------------------------- |
20f9a2a1 M |
80 | byte_t oddparity (const byte_t bt) |
81 | { | |
82 | return OddByteParity[bt]; | |
83 | } | |
84 | ||
f7e3ed82 | 85 | uint32_t GetParity(const uint8_t * pbtCmd, int iLen) |
15c4dc5a | 86 | { |
87 | int i; | |
f7e3ed82 | 88 | uint32_t dwPar = 0; |
72934aa3 | 89 | |
15c4dc5a | 90 | // Generate the encrypted data |
91 | for (i = 0; i < iLen; i++) { | |
92 | // Save the encrypted parity bit | |
93 | dwPar |= ((OddByteParity[pbtCmd[i]]) << i); | |
94 | } | |
95 | return dwPar; | |
96 | } | |
97 | ||
534983d7 | 98 | void AppendCrc14443a(uint8_t* data, int len) |
15c4dc5a | 99 | { |
100 | ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1); | |
101 | } | |
102 | ||
1e262141 | 103 | // The function LogTrace() is also used by the iClass implementation in iClass.c |
ed82636b | 104 | int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader) |
15c4dc5a | 105 | { |
106 | // Return when trace is full | |
81cd0474 | 107 | if (traceLen >= TRACE_SIZE) return FALSE; |
e30c654b | 108 | |
15c4dc5a | 109 | // Trace the random, i'm curious |
110 | rsamples += iSamples; | |
111 | trace[traceLen++] = ((rsamples >> 0) & 0xff); | |
112 | trace[traceLen++] = ((rsamples >> 8) & 0xff); | |
113 | trace[traceLen++] = ((rsamples >> 16) & 0xff); | |
114 | trace[traceLen++] = ((rsamples >> 24) & 0xff); | |
115 | if (!bReader) { | |
116 | trace[traceLen - 1] |= 0x80; | |
117 | } | |
118 | trace[traceLen++] = ((dwParity >> 0) & 0xff); | |
119 | trace[traceLen++] = ((dwParity >> 8) & 0xff); | |
120 | trace[traceLen++] = ((dwParity >> 16) & 0xff); | |
121 | trace[traceLen++] = ((dwParity >> 24) & 0xff); | |
122 | trace[traceLen++] = iLen; | |
123 | memcpy(trace + traceLen, btBytes, iLen); | |
124 | traceLen += iLen; | |
125 | return TRUE; | |
126 | } | |
127 | ||
15c4dc5a | 128 | //----------------------------------------------------------------------------- |
129 | // The software UART that receives commands from the reader, and its state | |
130 | // variables. | |
131 | //----------------------------------------------------------------------------- | |
132 | static struct { | |
133 | enum { | |
134 | STATE_UNSYNCD, | |
135 | STATE_START_OF_COMMUNICATION, | |
136 | STATE_MILLER_X, | |
137 | STATE_MILLER_Y, | |
138 | STATE_MILLER_Z, | |
139 | STATE_ERROR_WAIT | |
140 | } state; | |
f7e3ed82 | 141 | uint16_t shiftReg; |
15c4dc5a | 142 | int bitCnt; |
143 | int byteCnt; | |
144 | int byteCntMax; | |
145 | int posCnt; | |
146 | int syncBit; | |
147 | int parityBits; | |
148 | int samples; | |
149 | int highCnt; | |
150 | int bitBuffer; | |
151 | enum { | |
152 | DROP_NONE, | |
153 | DROP_FIRST_HALF, | |
154 | DROP_SECOND_HALF | |
155 | } drop; | |
f7e3ed82 | 156 | uint8_t *output; |
15c4dc5a | 157 | } Uart; |
158 | ||
6c1e2d95 | 159 | static RAMFUNC int MillerDecoding(int bit) |
15c4dc5a | 160 | { |
9f693930 | 161 | //int error = 0; |
15c4dc5a | 162 | int bitright; |
163 | ||
164 | if(!Uart.bitBuffer) { | |
165 | Uart.bitBuffer = bit ^ 0xFF0; | |
166 | return FALSE; | |
167 | } | |
168 | else { | |
169 | Uart.bitBuffer <<= 4; | |
170 | Uart.bitBuffer ^= bit; | |
171 | } | |
172 | ||
f7e3ed82 | 173 | int EOC = FALSE; |
15c4dc5a | 174 | |
175 | if(Uart.state != STATE_UNSYNCD) { | |
176 | Uart.posCnt++; | |
177 | ||
178 | if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) { | |
179 | bit = 0x00; | |
180 | } | |
181 | else { | |
182 | bit = 0x01; | |
183 | } | |
184 | if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) { | |
185 | bitright = 0x00; | |
186 | } | |
187 | else { | |
188 | bitright = 0x01; | |
189 | } | |
190 | if(bit != bitright) { bit = bitright; } | |
191 | ||
192 | if(Uart.posCnt == 1) { | |
193 | // measurement first half bitperiod | |
194 | if(!bit) { | |
195 | Uart.drop = DROP_FIRST_HALF; | |
196 | } | |
197 | } | |
198 | else { | |
199 | // measurement second half bitperiod | |
200 | if(!bit & (Uart.drop == DROP_NONE)) { | |
201 | Uart.drop = DROP_SECOND_HALF; | |
202 | } | |
203 | else if(!bit) { | |
204 | // measured a drop in first and second half | |
205 | // which should not be possible | |
206 | Uart.state = STATE_ERROR_WAIT; | |
9f693930 | 207 | //error = 0x01; |
15c4dc5a | 208 | } |
209 | ||
210 | Uart.posCnt = 0; | |
211 | ||
212 | switch(Uart.state) { | |
213 | case STATE_START_OF_COMMUNICATION: | |
214 | Uart.shiftReg = 0; | |
215 | if(Uart.drop == DROP_SECOND_HALF) { | |
216 | // error, should not happen in SOC | |
217 | Uart.state = STATE_ERROR_WAIT; | |
9f693930 | 218 | //error = 0x02; |
15c4dc5a | 219 | } |
220 | else { | |
221 | // correct SOC | |
222 | Uart.state = STATE_MILLER_Z; | |
223 | } | |
224 | break; | |
225 | ||
226 | case STATE_MILLER_Z: | |
227 | Uart.bitCnt++; | |
228 | Uart.shiftReg >>= 1; | |
229 | if(Uart.drop == DROP_NONE) { | |
230 | // logic '0' followed by sequence Y | |
231 | // end of communication | |
232 | Uart.state = STATE_UNSYNCD; | |
233 | EOC = TRUE; | |
234 | } | |
235 | // if(Uart.drop == DROP_FIRST_HALF) { | |
236 | // Uart.state = STATE_MILLER_Z; stay the same | |
237 | // we see a logic '0' } | |
238 | if(Uart.drop == DROP_SECOND_HALF) { | |
239 | // we see a logic '1' | |
240 | Uart.shiftReg |= 0x100; | |
241 | Uart.state = STATE_MILLER_X; | |
242 | } | |
243 | break; | |
244 | ||
245 | case STATE_MILLER_X: | |
246 | Uart.shiftReg >>= 1; | |
247 | if(Uart.drop == DROP_NONE) { | |
248 | // sequence Y, we see a '0' | |
249 | Uart.state = STATE_MILLER_Y; | |
250 | Uart.bitCnt++; | |
251 | } | |
252 | if(Uart.drop == DROP_FIRST_HALF) { | |
253 | // Would be STATE_MILLER_Z | |
254 | // but Z does not follow X, so error | |
255 | Uart.state = STATE_ERROR_WAIT; | |
9f693930 | 256 | //error = 0x03; |
15c4dc5a | 257 | } |
258 | if(Uart.drop == DROP_SECOND_HALF) { | |
259 | // We see a '1' and stay in state X | |
260 | Uart.shiftReg |= 0x100; | |
261 | Uart.bitCnt++; | |
262 | } | |
263 | break; | |
264 | ||
265 | case STATE_MILLER_Y: | |
266 | Uart.bitCnt++; | |
267 | Uart.shiftReg >>= 1; | |
268 | if(Uart.drop == DROP_NONE) { | |
269 | // logic '0' followed by sequence Y | |
270 | // end of communication | |
271 | Uart.state = STATE_UNSYNCD; | |
272 | EOC = TRUE; | |
273 | } | |
274 | if(Uart.drop == DROP_FIRST_HALF) { | |
275 | // we see a '0' | |
276 | Uart.state = STATE_MILLER_Z; | |
277 | } | |
278 | if(Uart.drop == DROP_SECOND_HALF) { | |
279 | // We see a '1' and go to state X | |
280 | Uart.shiftReg |= 0x100; | |
281 | Uart.state = STATE_MILLER_X; | |
282 | } | |
283 | break; | |
284 | ||
285 | case STATE_ERROR_WAIT: | |
286 | // That went wrong. Now wait for at least two bit periods | |
287 | // and try to sync again | |
288 | if(Uart.drop == DROP_NONE) { | |
289 | Uart.highCnt = 6; | |
290 | Uart.state = STATE_UNSYNCD; | |
291 | } | |
292 | break; | |
293 | ||
294 | default: | |
295 | Uart.state = STATE_UNSYNCD; | |
296 | Uart.highCnt = 0; | |
297 | break; | |
298 | } | |
299 | ||
300 | Uart.drop = DROP_NONE; | |
301 | ||
302 | // should have received at least one whole byte... | |
303 | if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) { | |
304 | return TRUE; | |
305 | } | |
306 | ||
307 | if(Uart.bitCnt == 9) { | |
308 | Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff); | |
309 | Uart.byteCnt++; | |
310 | ||
311 | Uart.parityBits <<= 1; | |
312 | Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01); | |
313 | ||
314 | if(EOC) { | |
315 | // when End of Communication received and | |
316 | // all data bits processed.. | |
317 | return TRUE; | |
318 | } | |
319 | Uart.bitCnt = 0; | |
320 | } | |
321 | ||
322 | /*if(error) { | |
323 | Uart.output[Uart.byteCnt] = 0xAA; | |
324 | Uart.byteCnt++; | |
325 | Uart.output[Uart.byteCnt] = error & 0xFF; | |
326 | Uart.byteCnt++; | |
327 | Uart.output[Uart.byteCnt] = 0xAA; | |
328 | Uart.byteCnt++; | |
329 | Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF; | |
330 | Uart.byteCnt++; | |
331 | Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF; | |
332 | Uart.byteCnt++; | |
333 | Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF; | |
334 | Uart.byteCnt++; | |
335 | Uart.output[Uart.byteCnt] = 0xAA; | |
336 | Uart.byteCnt++; | |
337 | return TRUE; | |
338 | }*/ | |
339 | } | |
340 | ||
341 | } | |
342 | else { | |
343 | bit = Uart.bitBuffer & 0xf0; | |
344 | bit >>= 4; | |
345 | bit ^= 0x0F; | |
346 | if(bit) { | |
347 | // should have been high or at least (4 * 128) / fc | |
348 | // according to ISO this should be at least (9 * 128 + 20) / fc | |
349 | if(Uart.highCnt == 8) { | |
350 | // we went low, so this could be start of communication | |
351 | // it turns out to be safer to choose a less significant | |
352 | // syncbit... so we check whether the neighbour also represents the drop | |
353 | Uart.posCnt = 1; // apparently we are busy with our first half bit period | |
354 | Uart.syncBit = bit & 8; | |
355 | Uart.samples = 3; | |
356 | if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; } | |
357 | else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; } | |
358 | if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; } | |
359 | else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; } | |
360 | if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0; | |
2f2d9fc5 | 361 | if(Uart.syncBit && (Uart.bitBuffer & 8)) { |
15c4dc5a | 362 | Uart.syncBit = 8; |
363 | ||
364 | // the first half bit period is expected in next sample | |
365 | Uart.posCnt = 0; | |
366 | Uart.samples = 3; | |
367 | } | |
368 | } | |
369 | else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; } | |
370 | ||
371 | Uart.syncBit <<= 4; | |
372 | Uart.state = STATE_START_OF_COMMUNICATION; | |
373 | Uart.drop = DROP_FIRST_HALF; | |
374 | Uart.bitCnt = 0; | |
375 | Uart.byteCnt = 0; | |
376 | Uart.parityBits = 0; | |
9f693930 | 377 | //error = 0; |
15c4dc5a | 378 | } |
379 | else { | |
380 | Uart.highCnt = 0; | |
381 | } | |
382 | } | |
383 | else { | |
384 | if(Uart.highCnt < 8) { | |
385 | Uart.highCnt++; | |
386 | } | |
387 | } | |
388 | } | |
389 | ||
390 | return FALSE; | |
391 | } | |
392 | ||
393 | //============================================================================= | |
394 | // ISO 14443 Type A - Manchester | |
395 | //============================================================================= | |
396 | ||
397 | static struct { | |
398 | enum { | |
399 | DEMOD_UNSYNCD, | |
400 | DEMOD_START_OF_COMMUNICATION, | |
401 | DEMOD_MANCHESTER_D, | |
402 | DEMOD_MANCHESTER_E, | |
403 | DEMOD_MANCHESTER_F, | |
404 | DEMOD_ERROR_WAIT | |
405 | } state; | |
406 | int bitCount; | |
407 | int posCount; | |
408 | int syncBit; | |
409 | int parityBits; | |
f7e3ed82 | 410 | uint16_t shiftReg; |
15c4dc5a | 411 | int buffer; |
412 | int buff; | |
413 | int samples; | |
414 | int len; | |
415 | enum { | |
416 | SUB_NONE, | |
417 | SUB_FIRST_HALF, | |
418 | SUB_SECOND_HALF | |
419 | } sub; | |
f7e3ed82 | 420 | uint8_t *output; |
15c4dc5a | 421 | } Demod; |
422 | ||
6c1e2d95 | 423 | static RAMFUNC int ManchesterDecoding(int v) |
15c4dc5a | 424 | { |
425 | int bit; | |
426 | int modulation; | |
9f693930 | 427 | //int error = 0; |
15c4dc5a | 428 | |
429 | if(!Demod.buff) { | |
430 | Demod.buff = 1; | |
431 | Demod.buffer = v; | |
432 | return FALSE; | |
433 | } | |
434 | else { | |
435 | bit = Demod.buffer; | |
436 | Demod.buffer = v; | |
437 | } | |
438 | ||
439 | if(Demod.state==DEMOD_UNSYNCD) { | |
440 | Demod.output[Demod.len] = 0xfa; | |
441 | Demod.syncBit = 0; | |
442 | //Demod.samples = 0; | |
443 | Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part | |
2f2d9fc5 | 444 | |
445 | if(bit & 0x08) { | |
446 | Demod.syncBit = 0x08; | |
15c4dc5a | 447 | } |
15c4dc5a | 448 | |
2f2d9fc5 | 449 | if(bit & 0x04) { |
450 | if(Demod.syncBit) { | |
451 | bit <<= 4; | |
452 | } | |
453 | Demod.syncBit = 0x04; | |
454 | } | |
15c4dc5a | 455 | |
2f2d9fc5 | 456 | if(bit & 0x02) { |
457 | if(Demod.syncBit) { | |
458 | bit <<= 2; | |
15c4dc5a | 459 | } |
2f2d9fc5 | 460 | Demod.syncBit = 0x02; |
15c4dc5a | 461 | } |
15c4dc5a | 462 | |
593924e7 | 463 | if(bit & 0x01 && Demod.syncBit) { |
2f2d9fc5 | 464 | Demod.syncBit = 0x01; |
465 | } | |
466 | ||
15c4dc5a | 467 | if(Demod.syncBit) { |
468 | Demod.len = 0; | |
469 | Demod.state = DEMOD_START_OF_COMMUNICATION; | |
470 | Demod.sub = SUB_FIRST_HALF; | |
471 | Demod.bitCount = 0; | |
472 | Demod.shiftReg = 0; | |
473 | Demod.parityBits = 0; | |
474 | Demod.samples = 0; | |
475 | if(Demod.posCount) { | |
534983d7 | 476 | if(trigger) LED_A_OFF(); |
15c4dc5a | 477 | switch(Demod.syncBit) { |
478 | case 0x08: Demod.samples = 3; break; | |
479 | case 0x04: Demod.samples = 2; break; | |
480 | case 0x02: Demod.samples = 1; break; | |
481 | case 0x01: Demod.samples = 0; break; | |
482 | } | |
483 | } | |
9f693930 | 484 | //error = 0; |
15c4dc5a | 485 | } |
486 | } | |
487 | else { | |
488 | //modulation = bit & Demod.syncBit; | |
489 | modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit; | |
490 | ||
491 | Demod.samples += 4; | |
492 | ||
493 | if(Demod.posCount==0) { | |
494 | Demod.posCount = 1; | |
495 | if(modulation) { | |
496 | Demod.sub = SUB_FIRST_HALF; | |
497 | } | |
498 | else { | |
499 | Demod.sub = SUB_NONE; | |
500 | } | |
501 | } | |
502 | else { | |
503 | Demod.posCount = 0; | |
504 | if(modulation && (Demod.sub == SUB_FIRST_HALF)) { | |
505 | if(Demod.state!=DEMOD_ERROR_WAIT) { | |
506 | Demod.state = DEMOD_ERROR_WAIT; | |
507 | Demod.output[Demod.len] = 0xaa; | |
9f693930 | 508 | //error = 0x01; |
15c4dc5a | 509 | } |
510 | } | |
511 | else if(modulation) { | |
512 | Demod.sub = SUB_SECOND_HALF; | |
513 | } | |
514 | ||
515 | switch(Demod.state) { | |
516 | case DEMOD_START_OF_COMMUNICATION: | |
517 | if(Demod.sub == SUB_FIRST_HALF) { | |
518 | Demod.state = DEMOD_MANCHESTER_D; | |
519 | } | |
520 | else { | |
521 | Demod.output[Demod.len] = 0xab; | |
522 | Demod.state = DEMOD_ERROR_WAIT; | |
9f693930 | 523 | //error = 0x02; |
15c4dc5a | 524 | } |
525 | break; | |
526 | ||
527 | case DEMOD_MANCHESTER_D: | |
528 | case DEMOD_MANCHESTER_E: | |
529 | if(Demod.sub == SUB_FIRST_HALF) { | |
530 | Demod.bitCount++; | |
531 | Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100; | |
532 | Demod.state = DEMOD_MANCHESTER_D; | |
533 | } | |
534 | else if(Demod.sub == SUB_SECOND_HALF) { | |
535 | Demod.bitCount++; | |
536 | Demod.shiftReg >>= 1; | |
537 | Demod.state = DEMOD_MANCHESTER_E; | |
538 | } | |
539 | else { | |
540 | Demod.state = DEMOD_MANCHESTER_F; | |
541 | } | |
542 | break; | |
543 | ||
544 | case DEMOD_MANCHESTER_F: | |
545 | // Tag response does not need to be a complete byte! | |
546 | if(Demod.len > 0 || Demod.bitCount > 0) { | |
547 | if(Demod.bitCount > 0) { | |
548 | Demod.shiftReg >>= (9 - Demod.bitCount); | |
549 | Demod.output[Demod.len] = Demod.shiftReg & 0xff; | |
550 | Demod.len++; | |
551 | // No parity bit, so just shift a 0 | |
552 | Demod.parityBits <<= 1; | |
553 | } | |
554 | ||
555 | Demod.state = DEMOD_UNSYNCD; | |
556 | return TRUE; | |
557 | } | |
558 | else { | |
559 | Demod.output[Demod.len] = 0xad; | |
560 | Demod.state = DEMOD_ERROR_WAIT; | |
9f693930 | 561 | //error = 0x03; |
15c4dc5a | 562 | } |
563 | break; | |
564 | ||
565 | case DEMOD_ERROR_WAIT: | |
566 | Demod.state = DEMOD_UNSYNCD; | |
567 | break; | |
568 | ||
569 | default: | |
570 | Demod.output[Demod.len] = 0xdd; | |
571 | Demod.state = DEMOD_UNSYNCD; | |
572 | break; | |
573 | } | |
574 | ||
575 | if(Demod.bitCount>=9) { | |
576 | Demod.output[Demod.len] = Demod.shiftReg & 0xff; | |
577 | Demod.len++; | |
578 | ||
579 | Demod.parityBits <<= 1; | |
580 | Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01); | |
581 | ||
582 | Demod.bitCount = 0; | |
583 | Demod.shiftReg = 0; | |
584 | } | |
585 | ||
586 | /*if(error) { | |
587 | Demod.output[Demod.len] = 0xBB; | |
588 | Demod.len++; | |
589 | Demod.output[Demod.len] = error & 0xFF; | |
590 | Demod.len++; | |
591 | Demod.output[Demod.len] = 0xBB; | |
592 | Demod.len++; | |
593 | Demod.output[Demod.len] = bit & 0xFF; | |
594 | Demod.len++; | |
595 | Demod.output[Demod.len] = Demod.buffer & 0xFF; | |
596 | Demod.len++; | |
597 | Demod.output[Demod.len] = Demod.syncBit & 0xFF; | |
598 | Demod.len++; | |
599 | Demod.output[Demod.len] = 0xBB; | |
600 | Demod.len++; | |
601 | return TRUE; | |
602 | }*/ | |
603 | ||
604 | } | |
605 | ||
606 | } // end (state != UNSYNCED) | |
607 | ||
608 | return FALSE; | |
609 | } | |
610 | ||
611 | //============================================================================= | |
612 | // Finally, a `sniffer' for ISO 14443 Type A | |
613 | // Both sides of communication! | |
614 | //============================================================================= | |
615 | ||
616 | //----------------------------------------------------------------------------- | |
617 | // Record the sequence of commands sent by the reader to the tag, with | |
618 | // triggering so that we start recording at the point that the tag is moved | |
619 | // near the reader. | |
620 | //----------------------------------------------------------------------------- | |
6c1e2d95 | 621 | void RAMFUNC SnoopIso14443a(void) |
15c4dc5a | 622 | { |
623 | // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values | |
624 | // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values | |
625 | // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values | |
626 | // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values | |
81cd0474 | 627 | // #define TRACE_SIZE 2000 // original (working as of 21/2/09) values |
15c4dc5a | 628 | |
629 | // We won't start recording the frames that we acquire until we trigger; | |
630 | // a good trigger condition to get started is probably when we see a | |
631 | // response from the tag. | |
7e758047 | 632 | int triggered = FALSE; // FALSE to wait first for card |
15c4dc5a | 633 | |
634 | // The command (reader -> tag) that we're receiving. | |
635 | // The length of a received command will in most cases be no more than 18 bytes. | |
636 | // So 32 should be enough! | |
f7e3ed82 | 637 | uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET); |
15c4dc5a | 638 | // The response (tag -> reader) that we're receiving. |
f7e3ed82 | 639 | uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET); |
15c4dc5a | 640 | |
641 | // As we receive stuff, we copy it from receivedCmd or receivedResponse | |
642 | // into trace, along with its length and other annotations. | |
f7e3ed82 | 643 | //uint8_t *trace = (uint8_t *)BigBuf; |
d82c6ebb | 644 | |
645 | traceLen = 0; // uncommented to fix ISSUE 15 - gerhard - jan2011 | |
15c4dc5a | 646 | |
647 | // The DMA buffer, used to stream samples from the FPGA | |
f7e3ed82 | 648 | int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET; |
15c4dc5a | 649 | int lastRxCounter; |
f7e3ed82 | 650 | int8_t *upTo; |
15c4dc5a | 651 | int smpl; |
652 | int maxBehindBy = 0; | |
653 | ||
654 | // Count of samples received so far, so that we can include timing | |
655 | // information in the trace buffer. | |
656 | int samples = 0; | |
cee5a30d | 657 | int rsamples = 0; |
15c4dc5a | 658 | |
81cd0474 | 659 | memset(trace, 0x44, TRACE_SIZE); |
15c4dc5a | 660 | |
661 | // Set up the demodulator for tag -> reader responses. | |
662 | Demod.output = receivedResponse; | |
663 | Demod.len = 0; | |
664 | Demod.state = DEMOD_UNSYNCD; | |
665 | ||
7e758047 | 666 | // Setup for the DMA. |
667 | FpgaSetupSsc(); | |
668 | upTo = dmaBuf; | |
669 | lastRxCounter = DMA_BUFFER_SIZE; | |
670 | FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); | |
671 | ||
15c4dc5a | 672 | // And the reader -> tag commands |
673 | memset(&Uart, 0, sizeof(Uart)); | |
674 | Uart.output = receivedCmd; | |
675 | Uart.byteCntMax = 32; // was 100 (greg)//////////////////////////////////////////////////////////////////////// | |
676 | Uart.state = STATE_UNSYNCD; | |
677 | ||
678 | // And put the FPGA in the appropriate mode | |
679 | // Signal field is off with the appropriate LED | |
680 | LED_D_OFF(); | |
681 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER); | |
682 | SetAdcMuxFor(GPIO_MUXSEL_HIPKD); | |
683 | ||
15c4dc5a | 684 | |
685 | // And now we loop, receiving samples. | |
686 | for(;;) { | |
7e758047 | 687 | LED_A_ON(); |
688 | WDT_HIT(); | |
15c4dc5a | 689 | int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) & |
690 | (DMA_BUFFER_SIZE-1); | |
691 | if(behindBy > maxBehindBy) { | |
692 | maxBehindBy = behindBy; | |
693 | if(behindBy > 400) { | |
7e758047 | 694 | Dbprintf("blew circular buffer! behindBy=0x%x", behindBy); |
15c4dc5a | 695 | goto done; |
696 | } | |
697 | } | |
698 | if(behindBy < 1) continue; | |
699 | ||
7e758047 | 700 | LED_A_OFF(); |
15c4dc5a | 701 | smpl = upTo[0]; |
702 | upTo++; | |
703 | lastRxCounter -= 1; | |
704 | if(upTo - dmaBuf > DMA_BUFFER_SIZE) { | |
705 | upTo -= DMA_BUFFER_SIZE; | |
706 | lastRxCounter += DMA_BUFFER_SIZE; | |
f7e3ed82 | 707 | AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo; |
15c4dc5a | 708 | AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE; |
709 | } | |
710 | ||
711 | samples += 4; | |
7e758047 | 712 | if(MillerDecoding((smpl & 0xF0) >> 4)) { |
15c4dc5a | 713 | rsamples = samples - Uart.samples; |
72934aa3 | 714 | LED_C_ON(); |
7e758047 | 715 | if(triggered) { |
716 | trace[traceLen++] = ((rsamples >> 0) & 0xff); | |
72934aa3 | 717 | trace[traceLen++] = ((rsamples >> 8) & 0xff); |
718 | trace[traceLen++] = ((rsamples >> 16) & 0xff); | |
719 | trace[traceLen++] = ((rsamples >> 24) & 0xff); | |
7e758047 | 720 | trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff); |
721 | trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff); | |
722 | trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff); | |
723 | trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff); | |
72934aa3 | 724 | trace[traceLen++] = Uart.byteCnt; |
725 | memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); | |
726 | traceLen += Uart.byteCnt; | |
81cd0474 | 727 | if(traceLen > TRACE_SIZE) break; |
72934aa3 | 728 | } |
729 | /* And ready to receive another command. */ | |
730 | Uart.state = STATE_UNSYNCD; | |
731 | /* And also reset the demod code, which might have been */ | |
732 | /* false-triggered by the commands from the reader. */ | |
733 | Demod.state = DEMOD_UNSYNCD; | |
7e758047 | 734 | LED_B_OFF(); |
15c4dc5a | 735 | } |
7e758047 | 736 | |
737 | if(ManchesterDecoding(smpl & 0x0F)) { | |
738 | rsamples = samples - Demod.samples; | |
739 | LED_B_ON(); | |
740 | ||
741 | // timestamp, as a count of samples | |
742 | trace[traceLen++] = ((rsamples >> 0) & 0xff); | |
743 | trace[traceLen++] = ((rsamples >> 8) & 0xff); | |
744 | trace[traceLen++] = ((rsamples >> 16) & 0xff); | |
745 | trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff); | |
746 | trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff); | |
747 | trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff); | |
748 | trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff); | |
749 | trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff); | |
750 | // length | |
751 | trace[traceLen++] = Demod.len; | |
752 | memcpy(trace+traceLen, receivedResponse, Demod.len); | |
753 | traceLen += Demod.len; | |
81cd0474 | 754 | if(traceLen > TRACE_SIZE) break; |
7e758047 | 755 | |
756 | triggered = TRUE; | |
15c4dc5a | 757 | |
758 | // And ready to receive another response. | |
759 | memset(&Demod, 0, sizeof(Demod)); | |
760 | Demod.output = receivedResponse; | |
761 | Demod.state = DEMOD_UNSYNCD; | |
7e758047 | 762 | LED_C_OFF(); |
763 | } | |
15c4dc5a | 764 | |
765 | if(BUTTON_PRESS()) { | |
766 | DbpString("cancelled_a"); | |
767 | goto done; | |
768 | } | |
769 | } | |
770 | ||
771 | DbpString("COMMAND FINISHED"); | |
772 | ||
15c4dc5a | 773 | done: |
774 | AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS; | |
13d8c68d | 775 | Dbprintf("maxBehindBy=%x, Uart.state=%x, Uart.byteCnt=%x", maxBehindBy, Uart.state, Uart.byteCnt); |
776 | Dbprintf("Uart.byteCntMax=%x, traceLen=%x, Uart.output[0]=%x", Uart.byteCntMax, traceLen, (int)Uart.output[0]); | |
15c4dc5a | 777 | LED_A_OFF(); |
778 | LED_B_OFF(); | |
779 | LED_C_OFF(); | |
780 | LED_D_OFF(); | |
781 | } | |
782 | ||
15c4dc5a | 783 | //----------------------------------------------------------------------------- |
784 | // Prepare tag messages | |
785 | //----------------------------------------------------------------------------- | |
8f51ddb0 | 786 | static void CodeIso14443aAsTagPar(const uint8_t *cmd, int len, uint32_t dwParity) |
15c4dc5a | 787 | { |
8f51ddb0 | 788 | int i; |
15c4dc5a | 789 | |
8f51ddb0 | 790 | ToSendReset(); |
15c4dc5a | 791 | |
792 | // Correction bit, might be removed when not needed | |
793 | ToSendStuffBit(0); | |
794 | ToSendStuffBit(0); | |
795 | ToSendStuffBit(0); | |
796 | ToSendStuffBit(0); | |
797 | ToSendStuffBit(1); // 1 | |
798 | ToSendStuffBit(0); | |
799 | ToSendStuffBit(0); | |
800 | ToSendStuffBit(0); | |
8f51ddb0 | 801 | |
15c4dc5a | 802 | // Send startbit |
72934aa3 | 803 | ToSend[++ToSendMax] = SEC_D; |
15c4dc5a | 804 | |
8f51ddb0 M |
805 | for(i = 0; i < len; i++) { |
806 | int j; | |
807 | uint8_t b = cmd[i]; | |
15c4dc5a | 808 | |
809 | // Data bits | |
15c4dc5a | 810 | for(j = 0; j < 8; j++) { |
15c4dc5a | 811 | if(b & 1) { |
72934aa3 | 812 | ToSend[++ToSendMax] = SEC_D; |
15c4dc5a | 813 | } else { |
72934aa3 | 814 | ToSend[++ToSendMax] = SEC_E; |
8f51ddb0 M |
815 | } |
816 | b >>= 1; | |
817 | } | |
15c4dc5a | 818 | |
0014cb46 | 819 | // Get the parity bit |
8f51ddb0 M |
820 | if ((dwParity >> i) & 0x01) { |
821 | ToSend[++ToSendMax] = SEC_D; | |
15c4dc5a | 822 | } else { |
72934aa3 | 823 | ToSend[++ToSendMax] = SEC_E; |
15c4dc5a | 824 | } |
8f51ddb0 | 825 | } |
15c4dc5a | 826 | |
8f51ddb0 M |
827 | // Send stopbit |
828 | ToSend[++ToSendMax] = SEC_F; | |
15c4dc5a | 829 | |
8f51ddb0 M |
830 | // Convert from last byte pos to length |
831 | ToSendMax++; | |
8f51ddb0 M |
832 | } |
833 | ||
834 | static void CodeIso14443aAsTag(const uint8_t *cmd, int len){ | |
835 | CodeIso14443aAsTagPar(cmd, len, GetParity(cmd, len)); | |
15c4dc5a | 836 | } |
837 | ||
838 | //----------------------------------------------------------------------------- | |
839 | // This is to send a NACK kind of answer, its only 3 bits, I know it should be 4 | |
840 | //----------------------------------------------------------------------------- | |
8f51ddb0 | 841 | static void CodeStrangeAnswerAsTag() |
15c4dc5a | 842 | { |
843 | int i; | |
844 | ||
845 | ToSendReset(); | |
846 | ||
847 | // Correction bit, might be removed when not needed | |
848 | ToSendStuffBit(0); | |
849 | ToSendStuffBit(0); | |
850 | ToSendStuffBit(0); | |
851 | ToSendStuffBit(0); | |
852 | ToSendStuffBit(1); // 1 | |
853 | ToSendStuffBit(0); | |
854 | ToSendStuffBit(0); | |
855 | ToSendStuffBit(0); | |
856 | ||
857 | // Send startbit | |
72934aa3 | 858 | ToSend[++ToSendMax] = SEC_D; |
15c4dc5a | 859 | |
860 | // 0 | |
72934aa3 | 861 | ToSend[++ToSendMax] = SEC_E; |
15c4dc5a | 862 | |
863 | // 0 | |
72934aa3 | 864 | ToSend[++ToSendMax] = SEC_E; |
15c4dc5a | 865 | |
866 | // 1 | |
72934aa3 | 867 | ToSend[++ToSendMax] = SEC_D; |
15c4dc5a | 868 | |
869 | // Send stopbit | |
72934aa3 | 870 | ToSend[++ToSendMax] = SEC_F; |
15c4dc5a | 871 | |
872 | // Flush the buffer in FPGA!! | |
873 | for(i = 0; i < 5; i++) { | |
72934aa3 | 874 | ToSend[++ToSendMax] = SEC_F; |
15c4dc5a | 875 | } |
876 | ||
877 | // Convert from last byte pos to length | |
878 | ToSendMax++; | |
8f51ddb0 | 879 | } |
15c4dc5a | 880 | |
8f51ddb0 M |
881 | static void Code4bitAnswerAsTag(uint8_t cmd) |
882 | { | |
883 | int i; | |
884 | ||
885 | ToSendReset(); | |
886 | ||
887 | // Correction bit, might be removed when not needed | |
888 | ToSendStuffBit(0); | |
889 | ToSendStuffBit(0); | |
890 | ToSendStuffBit(0); | |
891 | ToSendStuffBit(0); | |
892 | ToSendStuffBit(1); // 1 | |
893 | ToSendStuffBit(0); | |
894 | ToSendStuffBit(0); | |
895 | ToSendStuffBit(0); | |
896 | ||
897 | // Send startbit | |
898 | ToSend[++ToSendMax] = SEC_D; | |
899 | ||
900 | uint8_t b = cmd; | |
901 | for(i = 0; i < 4; i++) { | |
902 | if(b & 1) { | |
903 | ToSend[++ToSendMax] = SEC_D; | |
904 | } else { | |
905 | ToSend[++ToSendMax] = SEC_E; | |
906 | } | |
907 | b >>= 1; | |
908 | } | |
909 | ||
910 | // Send stopbit | |
911 | ToSend[++ToSendMax] = SEC_F; | |
912 | ||
913 | // Flush the buffer in FPGA!! | |
914 | for(i = 0; i < 5; i++) { | |
915 | ToSend[++ToSendMax] = SEC_F; | |
916 | } | |
917 | ||
918 | // Convert from last byte pos to length | |
919 | ToSendMax++; | |
15c4dc5a | 920 | } |
921 | ||
922 | //----------------------------------------------------------------------------- | |
923 | // Wait for commands from reader | |
924 | // Stop when button is pressed | |
925 | // Or return TRUE when command is captured | |
926 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 927 | static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen) |
15c4dc5a | 928 | { |
929 | // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen | |
930 | // only, since we are receiving, not transmitting). | |
931 | // Signal field is off with the appropriate LED | |
932 | LED_D_OFF(); | |
933 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN); | |
934 | ||
935 | // Now run a `software UART' on the stream of incoming samples. | |
936 | Uart.output = received; | |
937 | Uart.byteCntMax = maxLen; | |
938 | Uart.state = STATE_UNSYNCD; | |
939 | ||
940 | for(;;) { | |
941 | WDT_HIT(); | |
942 | ||
943 | if(BUTTON_PRESS()) return FALSE; | |
944 | ||
945 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { | |
946 | AT91C_BASE_SSC->SSC_THR = 0x00; | |
947 | } | |
948 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { | |
f7e3ed82 | 949 | uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; |
15c4dc5a | 950 | if(MillerDecoding((b & 0xf0) >> 4)) { |
951 | *len = Uart.byteCnt; | |
952 | return TRUE; | |
953 | } | |
954 | if(MillerDecoding(b & 0x0f)) { | |
955 | *len = Uart.byteCnt; | |
956 | return TRUE; | |
957 | } | |
958 | } | |
959 | } | |
960 | } | |
9ca155ba | 961 | static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded); |
15c4dc5a | 962 | |
963 | //----------------------------------------------------------------------------- | |
964 | // Main loop of simulated tag: receive commands from reader, decide what | |
965 | // response to send, and send it. | |
966 | //----------------------------------------------------------------------------- | |
81cd0474 | 967 | void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd) |
15c4dc5a | 968 | { |
81cd0474 | 969 | // Enable and clear the trace |
970 | tracing = TRUE; | |
971 | traceLen = 0; | |
972 | memset(trace, 0x44, TRACE_SIZE); | |
973 | ||
15c4dc5a | 974 | // This function contains the tag emulation |
81cd0474 | 975 | uint8_t sak; |
976 | ||
977 | // The first response contains the ATQA (note: bytes are transmitted in reverse order). | |
978 | uint8_t response1[2]; | |
979 | ||
980 | switch (tagType) { | |
981 | case 1: { // MIFARE Classic | |
982 | // Says: I am Mifare 1k - original line | |
983 | response1[0] = 0x04; | |
984 | response1[1] = 0x00; | |
985 | sak = 0x08; | |
986 | } break; | |
987 | case 2: { // MIFARE Ultralight | |
988 | // Says: I am a stupid memory tag, no crypto | |
989 | response1[0] = 0x04; | |
990 | response1[1] = 0x00; | |
991 | sak = 0x00; | |
992 | } break; | |
993 | case 3: { // MIFARE DESFire | |
994 | // Says: I am a DESFire tag, ph33r me | |
995 | response1[0] = 0x04; | |
996 | response1[1] = 0x03; | |
997 | sak = 0x20; | |
998 | } break; | |
999 | case 4: { // ISO/IEC 14443-4 | |
1000 | // Says: I am a javacard (JCOP) | |
1001 | response1[0] = 0x04; | |
1002 | response1[1] = 0x00; | |
1003 | sak = 0x28; | |
1004 | } break; | |
1005 | default: { | |
1006 | Dbprintf("Error: unkown tagtype (%d)",tagType); | |
1007 | return; | |
1008 | } break; | |
1009 | } | |
1010 | ||
1011 | // The second response contains the (mandatory) first 24 bits of the UID | |
1012 | uint8_t response2[5]; | |
1013 | ||
1014 | // Check if the uid uses the (optional) part | |
1015 | uint8_t response2a[5]; | |
1016 | if (uid_2nd) { | |
1017 | response2[0] = 0x88; | |
1018 | num_to_bytes(uid_1st,3,response2+1); | |
1019 | num_to_bytes(uid_2nd,4,response2a); | |
1020 | response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3]; | |
1021 | ||
1022 | // Configure the ATQA and SAK accordingly | |
1023 | response1[0] |= 0x40; | |
1024 | sak |= 0x04; | |
1025 | } else { | |
1026 | num_to_bytes(uid_1st,4,response2); | |
1027 | // Configure the ATQA and SAK accordingly | |
1028 | response1[0] &= 0xBF; | |
1029 | sak &= 0xFB; | |
1030 | } | |
1031 | ||
1032 | // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID. | |
1033 | response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3]; | |
1034 | ||
1035 | // Prepare the mandatory SAK (for 4 and 7 byte UID) | |
1036 | uint8_t response3[3]; | |
1037 | response3[0] = sak; | |
1038 | ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]); | |
1039 | ||
1040 | // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit | |
1041 | uint8_t response3a[3]; | |
1042 | response3a[0] = sak & 0xFB; | |
1043 | ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]); | |
1044 | ||
254b70a4 | 1045 | uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce |
1046 | uint8_t response6[] = { 0x03, 0x3B, 0x00, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS | |
1047 | ComputeCrc14443(CRC_14443_A, response6, 3, &response6[3], &response6[4]); | |
81cd0474 | 1048 | |
254b70a4 | 1049 | uint8_t *resp; |
1050 | int respLen; | |
15c4dc5a | 1051 | |
81cd0474 | 1052 | // Longest possible response will be 16 bytes + 2 CRC = 18 bytes |
15c4dc5a | 1053 | // This will need |
1054 | // 144 data bits (18 * 8) | |
1055 | // 18 parity bits | |
1056 | // 2 Start and stop | |
1057 | // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA) | |
1058 | // 1 just for the case | |
1059 | // ----------- + | |
1060 | // 166 | |
1061 | // | |
1062 | // 166 bytes, since every bit that needs to be send costs us a byte | |
1063 | // | |
1064 | ||
254b70a4 | 1065 | // Respond with card type |
1066 | uint8_t *resp1 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET); | |
1067 | int resp1Len; | |
15c4dc5a | 1068 | |
254b70a4 | 1069 | // Anticollision cascade1 - respond with uid |
1070 | uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 166); | |
1071 | int resp2Len; | |
15c4dc5a | 1072 | |
254b70a4 | 1073 | // Anticollision cascade2 - respond with 2nd half of uid if asked |
1074 | // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88 | |
1075 | uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140); | |
1076 | int resp2aLen; | |
15c4dc5a | 1077 | |
254b70a4 | 1078 | // Acknowledge select - cascade 1 |
1079 | uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*2)); | |
1080 | int resp3Len; | |
15c4dc5a | 1081 | |
254b70a4 | 1082 | // Acknowledge select - cascade 2 |
1083 | uint8_t *resp3a = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*3)); | |
1084 | int resp3aLen; | |
15c4dc5a | 1085 | |
254b70a4 | 1086 | // Response to a read request - not implemented atm |
1087 | uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*4)); | |
1088 | int resp4Len; | |
15c4dc5a | 1089 | |
254b70a4 | 1090 | // Authenticate response - nonce |
1091 | uint8_t *resp5 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*5)); | |
1092 | int resp5Len; | |
15c4dc5a | 1093 | |
254b70a4 | 1094 | // Authenticate response - nonce |
1095 | uint8_t *resp6 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*6)); | |
1096 | int resp6Len; | |
15c4dc5a | 1097 | |
254b70a4 | 1098 | uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET); |
1099 | int len; | |
15c4dc5a | 1100 | |
1101 | // To control where we are in the protocol | |
1102 | int order = 0; | |
1103 | int lastorder; | |
1104 | ||
1105 | // Just to allow some checks | |
1106 | int happened = 0; | |
1107 | int happened2 = 0; | |
1108 | ||
81cd0474 | 1109 | int cmdsRecvd = 0; |
1110 | uint8_t* respdata = NULL; | |
1111 | int respsize = 0; | |
1112 | uint8_t nack = 0x04; | |
15c4dc5a | 1113 | |
81cd0474 | 1114 | memset(receivedCmd, 0x44, RECV_CMD_SIZE); |
15c4dc5a | 1115 | |
1116 | // Prepare the responses of the anticollision phase | |
1117 | // there will be not enough time to do this at the moment the reader sends it REQA | |
1118 | ||
1119 | // Answer to request | |
1120 | CodeIso14443aAsTag(response1, sizeof(response1)); | |
254b70a4 | 1121 | memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax; |
15c4dc5a | 1122 | |
1123 | // Send our UID (cascade 1) | |
1124 | CodeIso14443aAsTag(response2, sizeof(response2)); | |
254b70a4 | 1125 | memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax; |
15c4dc5a | 1126 | |
1127 | // Answer to select (cascade1) | |
1128 | CodeIso14443aAsTag(response3, sizeof(response3)); | |
254b70a4 | 1129 | memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax; |
15c4dc5a | 1130 | |
1131 | // Send the cascade 2 2nd part of the uid | |
1132 | CodeIso14443aAsTag(response2a, sizeof(response2a)); | |
254b70a4 | 1133 | memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax; |
15c4dc5a | 1134 | |
1135 | // Answer to select (cascade 2) | |
1136 | CodeIso14443aAsTag(response3a, sizeof(response3a)); | |
254b70a4 | 1137 | memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax; |
15c4dc5a | 1138 | |
1139 | // Strange answer is an example of rare message size (3 bits) | |
8f51ddb0 | 1140 | CodeStrangeAnswerAsTag(); |
15c4dc5a | 1141 | memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax; |
1142 | ||
1143 | // Authentication answer (random nonce) | |
1144 | CodeIso14443aAsTag(response5, sizeof(response5)); | |
254b70a4 | 1145 | memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax; |
15c4dc5a | 1146 | |
254b70a4 | 1147 | // dummy ATS (pseudo-ATR), answer to RATS |
1148 | CodeIso14443aAsTag(response6, sizeof(response6)); | |
1149 | memcpy(resp6, ToSend, ToSendMax); resp6Len = ToSendMax; | |
15c4dc5a | 1150 | |
254b70a4 | 1151 | // We need to listen to the high-frequency, peak-detected path. |
1152 | SetAdcMuxFor(GPIO_MUXSEL_HIPKD); | |
1153 | FpgaSetupSsc(); | |
15c4dc5a | 1154 | |
254b70a4 | 1155 | cmdsRecvd = 0; |
15c4dc5a | 1156 | |
254b70a4 | 1157 | LED_A_ON(); |
1158 | for(;;) { | |
1159 | ||
81cd0474 | 1160 | if(!GetIso14443aCommandFromReader(receivedCmd, &len, RECV_CMD_SIZE)) { |
254b70a4 | 1161 | DbpString("button press"); |
1162 | break; | |
1163 | } | |
1164 | // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated | |
1165 | // Okay, look at the command now. | |
1166 | lastorder = order; | |
1167 | if(receivedCmd[0] == 0x26) { // Received a REQUEST | |
15c4dc5a | 1168 | resp = resp1; respLen = resp1Len; order = 1; |
81cd0474 | 1169 | respdata = response1; |
1170 | respsize = sizeof(response1); | |
254b70a4 | 1171 | } else if(receivedCmd[0] == 0x52) { // Received a WAKEUP |
15c4dc5a | 1172 | resp = resp1; respLen = resp1Len; order = 6; |
81cd0474 | 1173 | respdata = response1; |
1174 | respsize = sizeof(response1); | |
254b70a4 | 1175 | } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // Received request for UID (cascade 1) |
15c4dc5a | 1176 | resp = resp2; respLen = resp2Len; order = 2; |
81cd0474 | 1177 | respdata = response2; |
1178 | respsize = sizeof(response2); | |
254b70a4 | 1179 | } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x95) { // Received request for UID (cascade 2) |
15c4dc5a | 1180 | resp = resp2a; respLen = resp2aLen; order = 20; |
81cd0474 | 1181 | respdata = response2a; |
1182 | respsize = sizeof(response2a); | |
254b70a4 | 1183 | } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x93) { // Received a SELECT (cascade 1) |
15c4dc5a | 1184 | resp = resp3; respLen = resp3Len; order = 3; |
81cd0474 | 1185 | respdata = response3; |
1186 | respsize = sizeof(response3); | |
254b70a4 | 1187 | } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) { // Received a SELECT (cascade 2) |
15c4dc5a | 1188 | resp = resp3a; respLen = resp3aLen; order = 30; |
81cd0474 | 1189 | respdata = response3a; |
1190 | respsize = sizeof(response3a); | |
254b70a4 | 1191 | } else if(receivedCmd[0] == 0x30) { // Received a (plain) READ |
15c4dc5a | 1192 | resp = resp4; respLen = resp4Len; order = 4; // Do nothing |
254b70a4 | 1193 | Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]); |
81cd0474 | 1194 | respdata = &nack; |
1195 | respsize = sizeof(nack); // 4-bit answer | |
254b70a4 | 1196 | } else if(receivedCmd[0] == 0x50) { // Received a HALT |
15c4dc5a | 1197 | DbpString("Reader requested we HALT!:"); |
254b70a4 | 1198 | // Do not respond |
1199 | resp = resp1; respLen = 0; order = 0; | |
81cd0474 | 1200 | respdata = NULL; |
1201 | respsize = 0; | |
254b70a4 | 1202 | } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) { // Received an authentication request |
15c4dc5a | 1203 | resp = resp5; respLen = resp5Len; order = 7; |
254b70a4 | 1204 | respdata = response5; |
1205 | respsize = sizeof(response5); | |
1206 | } else if(receivedCmd[0] == 0xE0) { // Received a RATS request | |
1207 | resp = resp6; respLen = resp6Len; order = 70; | |
1208 | respdata = response6; | |
1209 | respsize = sizeof(response6); | |
81cd0474 | 1210 | } else { |
1211 | // Never seen this command before | |
7862f4ad | 1212 | Dbprintf("Received (len=%d): %02x %02x %02x %02x %02x %02x %02x %02x %02x", |
20f9a2a1 | 1213 | len, |
15c4dc5a | 1214 | receivedCmd[0], receivedCmd[1], receivedCmd[2], |
20f9a2a1 M |
1215 | receivedCmd[3], receivedCmd[4], receivedCmd[5], |
1216 | receivedCmd[6], receivedCmd[7], receivedCmd[8]); | |
15c4dc5a | 1217 | // Do not respond |
1218 | resp = resp1; respLen = 0; order = 0; | |
81cd0474 | 1219 | respdata = NULL; |
1220 | respsize = 0; | |
1221 | } | |
15c4dc5a | 1222 | |
1223 | // Count number of wakeups received after a halt | |
1224 | if(order == 6 && lastorder == 5) { happened++; } | |
1225 | ||
1226 | // Count number of other messages after a halt | |
1227 | if(order != 6 && lastorder == 5) { happened2++; } | |
1228 | ||
1229 | // Look at last parity bit to determine timing of answer | |
1230 | if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) { | |
1231 | // 1236, so correction bit needed | |
9f693930 | 1232 | //i = 0; |
15c4dc5a | 1233 | } |
1234 | ||
15c4dc5a | 1235 | if(cmdsRecvd > 999) { |
1236 | DbpString("1000 commands later..."); | |
254b70a4 | 1237 | break; |
1238 | } else { | |
15c4dc5a | 1239 | cmdsRecvd++; |
1240 | } | |
1241 | ||
81cd0474 | 1242 | if(respLen > 0) { |
81cd0474 | 1243 | EmSendCmd14443aRaw(resp, respLen, receivedCmd[0] == 0x52); |
1244 | } | |
1245 | ||
1246 | if (tracing) { | |
1247 | LogTrace(receivedCmd,len, 0, Uart.parityBits, TRUE); | |
1248 | if (respdata != NULL) { | |
1249 | LogTrace(respdata,respsize, 0, SwapBits(GetParity(respdata,respsize),respsize), FALSE); | |
1250 | } | |
4ab4336a | 1251 | if(traceLen > TRACE_SIZE) { |
1252 | DbpString("Trace full"); | |
1253 | break; | |
1254 | } | |
81cd0474 | 1255 | } |
15c4dc5a | 1256 | |
81cd0474 | 1257 | memset(receivedCmd, 0x44, RECV_CMD_SIZE); |
254b70a4 | 1258 | } |
15c4dc5a | 1259 | |
1260 | Dbprintf("%x %x %x", happened, happened2, cmdsRecvd); | |
1261 | LED_A_OFF(); | |
1262 | } | |
1263 | ||
1264 | //----------------------------------------------------------------------------- | |
1265 | // Transmit the command (to the tag) that was placed in ToSend[]. | |
1266 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 1267 | static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait) |
15c4dc5a | 1268 | { |
1269 | int c; | |
e30c654b | 1270 | |
15c4dc5a | 1271 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); |
e30c654b | 1272 | |
15c4dc5a | 1273 | if (wait) |
1274 | if(*wait < 10) | |
1275 | *wait = 10; | |
e30c654b | 1276 | |
15c4dc5a | 1277 | for(c = 0; c < *wait;) { |
1278 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { | |
1279 | AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing! | |
1280 | c++; | |
1281 | } | |
1282 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { | |
f7e3ed82 | 1283 | volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR; |
15c4dc5a | 1284 | (void)r; |
1285 | } | |
1286 | WDT_HIT(); | |
1287 | } | |
e30c654b | 1288 | |
15c4dc5a | 1289 | c = 0; |
1290 | for(;;) { | |
1291 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { | |
1292 | AT91C_BASE_SSC->SSC_THR = cmd[c]; | |
1293 | c++; | |
1294 | if(c >= len) { | |
1295 | break; | |
1296 | } | |
1297 | } | |
1298 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { | |
f7e3ed82 | 1299 | volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR; |
15c4dc5a | 1300 | (void)r; |
1301 | } | |
1302 | WDT_HIT(); | |
1303 | } | |
1304 | if (samples) *samples = (c + *wait) << 3; | |
1305 | } | |
1306 | ||
15c4dc5a | 1307 | //----------------------------------------------------------------------------- |
1308 | // Code a 7-bit command without parity bit | |
1309 | // This is especially for 0x26 and 0x52 (REQA and WUPA) | |
1310 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 1311 | void ShortFrameFromReader(const uint8_t bt) |
15c4dc5a | 1312 | { |
1313 | int j; | |
1314 | int last; | |
f7e3ed82 | 1315 | uint8_t b; |
15c4dc5a | 1316 | |
1317 | ToSendReset(); | |
1318 | ||
1319 | // Start of Communication (Seq. Z) | |
72934aa3 | 1320 | ToSend[++ToSendMax] = SEC_Z; |
15c4dc5a | 1321 | last = 0; |
1322 | ||
1323 | b = bt; | |
1324 | for(j = 0; j < 7; j++) { | |
1325 | if(b & 1) { | |
1326 | // Sequence X | |
72934aa3 | 1327 | ToSend[++ToSendMax] = SEC_X; |
15c4dc5a | 1328 | last = 1; |
1329 | } else { | |
1330 | if(last == 0) { | |
1331 | // Sequence Z | |
72934aa3 | 1332 | ToSend[++ToSendMax] = SEC_Z; |
15c4dc5a | 1333 | } |
1334 | else { | |
1335 | // Sequence Y | |
72934aa3 | 1336 | ToSend[++ToSendMax] = SEC_Y; |
15c4dc5a | 1337 | last = 0; |
1338 | } | |
1339 | } | |
1340 | b >>= 1; | |
1341 | } | |
1342 | ||
1343 | // End of Communication | |
1344 | if(last == 0) { | |
1345 | // Sequence Z | |
72934aa3 | 1346 | ToSend[++ToSendMax] = SEC_Z; |
15c4dc5a | 1347 | } |
1348 | else { | |
1349 | // Sequence Y | |
72934aa3 | 1350 | ToSend[++ToSendMax] = SEC_Y; |
15c4dc5a | 1351 | last = 0; |
1352 | } | |
1353 | // Sequence Y | |
72934aa3 | 1354 | ToSend[++ToSendMax] = SEC_Y; |
15c4dc5a | 1355 | |
1356 | // Just to be sure! | |
72934aa3 | 1357 | ToSend[++ToSendMax] = SEC_Y; |
1358 | ToSend[++ToSendMax] = SEC_Y; | |
1359 | ToSend[++ToSendMax] = SEC_Y; | |
15c4dc5a | 1360 | |
1361 | // Convert from last character reference to length | |
1362 | ToSendMax++; | |
1363 | } | |
1364 | ||
1365 | //----------------------------------------------------------------------------- | |
1366 | // Prepare reader command to send to FPGA | |
e30c654b | 1367 | // |
15c4dc5a | 1368 | //----------------------------------------------------------------------------- |
f7e3ed82 | 1369 | void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity) |
15c4dc5a | 1370 | { |
1371 | int i, j; | |
1372 | int last; | |
f7e3ed82 | 1373 | uint8_t b; |
e30c654b | 1374 | |
15c4dc5a | 1375 | ToSendReset(); |
e30c654b | 1376 | |
15c4dc5a | 1377 | // Start of Communication (Seq. Z) |
72934aa3 | 1378 | ToSend[++ToSendMax] = SEC_Z; |
15c4dc5a | 1379 | last = 0; |
e30c654b | 1380 | |
15c4dc5a | 1381 | // Generate send structure for the data bits |
1382 | for (i = 0; i < len; i++) { | |
1383 | // Get the current byte to send | |
1384 | b = cmd[i]; | |
e30c654b | 1385 | |
15c4dc5a | 1386 | for (j = 0; j < 8; j++) { |
1387 | if (b & 1) { | |
1388 | // Sequence X | |
72934aa3 | 1389 | ToSend[++ToSendMax] = SEC_X; |
15c4dc5a | 1390 | last = 1; |
1391 | } else { | |
1392 | if (last == 0) { | |
1393 | // Sequence Z | |
72934aa3 | 1394 | ToSend[++ToSendMax] = SEC_Z; |
15c4dc5a | 1395 | } else { |
1396 | // Sequence Y | |
72934aa3 | 1397 | ToSend[++ToSendMax] = SEC_Y; |
15c4dc5a | 1398 | last = 0; |
1399 | } | |
1400 | } | |
1401 | b >>= 1; | |
1402 | } | |
e30c654b | 1403 | |
15c4dc5a | 1404 | // Get the parity bit |
1405 | if ((dwParity >> i) & 0x01) { | |
1406 | // Sequence X | |
72934aa3 | 1407 | ToSend[++ToSendMax] = SEC_X; |
15c4dc5a | 1408 | last = 1; |
1409 | } else { | |
1410 | if (last == 0) { | |
1411 | // Sequence Z | |
72934aa3 | 1412 | ToSend[++ToSendMax] = SEC_Z; |
15c4dc5a | 1413 | } else { |
1414 | // Sequence Y | |
72934aa3 | 1415 | ToSend[++ToSendMax] = SEC_Y; |
15c4dc5a | 1416 | last = 0; |
1417 | } | |
1418 | } | |
1419 | } | |
e30c654b | 1420 | |
15c4dc5a | 1421 | // End of Communication |
1422 | if (last == 0) { | |
1423 | // Sequence Z | |
72934aa3 | 1424 | ToSend[++ToSendMax] = SEC_Z; |
15c4dc5a | 1425 | } else { |
1426 | // Sequence Y | |
72934aa3 | 1427 | ToSend[++ToSendMax] = SEC_Y; |
15c4dc5a | 1428 | last = 0; |
1429 | } | |
1430 | // Sequence Y | |
72934aa3 | 1431 | ToSend[++ToSendMax] = SEC_Y; |
e30c654b | 1432 | |
15c4dc5a | 1433 | // Just to be sure! |
72934aa3 | 1434 | ToSend[++ToSendMax] = SEC_Y; |
1435 | ToSend[++ToSendMax] = SEC_Y; | |
1436 | ToSend[++ToSendMax] = SEC_Y; | |
e30c654b | 1437 | |
15c4dc5a | 1438 | // Convert from last character reference to length |
1439 | ToSendMax++; | |
1440 | } | |
1441 | ||
9ca155ba M |
1442 | //----------------------------------------------------------------------------- |
1443 | // Wait for commands from reader | |
1444 | // Stop when button is pressed (return 1) or field was gone (return 2) | |
1445 | // Or return 0 when command is captured | |
1446 | //----------------------------------------------------------------------------- | |
1447 | static int EmGetCmd(uint8_t *received, int *len, int maxLen) | |
1448 | { | |
1449 | *len = 0; | |
1450 | ||
1451 | uint32_t timer = 0, vtime = 0; | |
1452 | int analogCnt = 0; | |
1453 | int analogAVG = 0; | |
1454 | ||
1455 | // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen | |
1456 | // only, since we are receiving, not transmitting). | |
1457 | // Signal field is off with the appropriate LED | |
1458 | LED_D_OFF(); | |
1459 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN); | |
1460 | ||
1461 | // Set ADC to read field strength | |
1462 | AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST; | |
1463 | AT91C_BASE_ADC->ADC_MR = | |
1464 | ADC_MODE_PRESCALE(32) | | |
1465 | ADC_MODE_STARTUP_TIME(16) | | |
1466 | ADC_MODE_SAMPLE_HOLD_TIME(8); | |
1467 | AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF); | |
1468 | // start ADC | |
1469 | AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START; | |
1470 | ||
1471 | // Now run a 'software UART' on the stream of incoming samples. | |
1472 | Uart.output = received; | |
1473 | Uart.byteCntMax = maxLen; | |
1474 | Uart.state = STATE_UNSYNCD; | |
1475 | ||
1476 | for(;;) { | |
1477 | WDT_HIT(); | |
1478 | ||
1479 | if (BUTTON_PRESS()) return 1; | |
1480 | ||
1481 | // test if the field exists | |
1482 | if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) { | |
1483 | analogCnt++; | |
1484 | analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF]; | |
1485 | AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START; | |
1486 | if (analogCnt >= 32) { | |
1487 | if ((33000 * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) { | |
1488 | vtime = GetTickCount(); | |
1489 | if (!timer) timer = vtime; | |
1490 | // 50ms no field --> card to idle state | |
1491 | if (vtime - timer > 50) return 2; | |
1492 | } else | |
1493 | if (timer) timer = 0; | |
1494 | analogCnt = 0; | |
1495 | analogAVG = 0; | |
1496 | } | |
1497 | } | |
1498 | // transmit none | |
1499 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { | |
1500 | AT91C_BASE_SSC->SSC_THR = 0x00; | |
1501 | } | |
1502 | // receive and test the miller decoding | |
1503 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { | |
1504 | volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; | |
1505 | if(MillerDecoding((b & 0xf0) >> 4)) { | |
1506 | *len = Uart.byteCnt; | |
8f51ddb0 | 1507 | if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE); |
9ca155ba M |
1508 | return 0; |
1509 | } | |
1510 | if(MillerDecoding(b & 0x0f)) { | |
1511 | *len = Uart.byteCnt; | |
8f51ddb0 | 1512 | if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE); |
9ca155ba M |
1513 | return 0; |
1514 | } | |
1515 | } | |
1516 | } | |
1517 | } | |
1518 | ||
1519 | static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded) | |
1520 | { | |
1521 | int i, u = 0; | |
1522 | uint8_t b = 0; | |
1523 | ||
1524 | // Modulate Manchester | |
1525 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD); | |
1526 | AT91C_BASE_SSC->SSC_THR = 0x00; | |
1527 | FpgaSetupSsc(); | |
1528 | ||
1529 | // include correction bit | |
1530 | i = 1; | |
1531 | if((Uart.parityBits & 0x01) || correctionNeeded) { | |
1532 | // 1236, so correction bit needed | |
1533 | i = 0; | |
1534 | } | |
1535 | ||
1536 | // send cycle | |
1537 | for(;;) { | |
1538 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { | |
1539 | volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; | |
1540 | (void)b; | |
1541 | } | |
1542 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { | |
1543 | if(i > respLen) { | |
8f51ddb0 | 1544 | b = 0xff; // was 0x00 |
9ca155ba M |
1545 | u++; |
1546 | } else { | |
1547 | b = resp[i]; | |
1548 | i++; | |
1549 | } | |
1550 | AT91C_BASE_SSC->SSC_THR = b; | |
1551 | ||
1552 | if(u > 4) break; | |
1553 | } | |
1554 | if(BUTTON_PRESS()) { | |
1555 | break; | |
1556 | } | |
1557 | } | |
1558 | ||
1559 | return 0; | |
1560 | } | |
1561 | ||
8f51ddb0 M |
1562 | int EmSend4bitEx(uint8_t resp, int correctionNeeded){ |
1563 | Code4bitAnswerAsTag(resp); | |
0a39986e | 1564 | int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded); |
8f51ddb0 | 1565 | if (tracing) LogTrace(&resp, 1, GetDeltaCountUS(), GetParity(&resp, 1), FALSE); |
0a39986e | 1566 | return res; |
9ca155ba M |
1567 | } |
1568 | ||
8f51ddb0 M |
1569 | int EmSend4bit(uint8_t resp){ |
1570 | return EmSend4bitEx(resp, 0); | |
1571 | } | |
1572 | ||
1573 | int EmSendCmdExPar(uint8_t *resp, int respLen, int correctionNeeded, uint32_t par){ | |
1574 | CodeIso14443aAsTagPar(resp, respLen, par); | |
1575 | int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded); | |
1576 | if (tracing) LogTrace(resp, respLen, GetDeltaCountUS(), par, FALSE); | |
1577 | return res; | |
1578 | } | |
1579 | ||
1580 | int EmSendCmdEx(uint8_t *resp, int respLen, int correctionNeeded){ | |
1581 | return EmSendCmdExPar(resp, respLen, correctionNeeded, GetParity(resp, respLen)); | |
1582 | } | |
1583 | ||
1584 | int EmSendCmd(uint8_t *resp, int respLen){ | |
1585 | return EmSendCmdExPar(resp, respLen, 0, GetParity(resp, respLen)); | |
1586 | } | |
1587 | ||
1588 | int EmSendCmdPar(uint8_t *resp, int respLen, uint32_t par){ | |
1589 | return EmSendCmdExPar(resp, respLen, 0, par); | |
9ca155ba M |
1590 | } |
1591 | ||
15c4dc5a | 1592 | //----------------------------------------------------------------------------- |
1593 | // Wait a certain time for tag response | |
1594 | // If a response is captured return TRUE | |
1595 | // If it takes to long return FALSE | |
1596 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 1597 | static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer |
15c4dc5a | 1598 | { |
1599 | // buffer needs to be 512 bytes | |
1600 | int c; | |
1601 | ||
1602 | // Set FPGA mode to "reader listen mode", no modulation (listen | |
534983d7 | 1603 | // only, since we are receiving, not transmitting). |
1604 | // Signal field is on with the appropriate LED | |
1605 | LED_D_ON(); | |
1606 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN); | |
15c4dc5a | 1607 | |
534983d7 | 1608 | // Now get the answer from the card |
1609 | Demod.output = receivedResponse; | |
1610 | Demod.len = 0; | |
1611 | Demod.state = DEMOD_UNSYNCD; | |
15c4dc5a | 1612 | |
f7e3ed82 | 1613 | uint8_t b; |
15c4dc5a | 1614 | if (elapsed) *elapsed = 0; |
1615 | ||
1616 | c = 0; | |
1617 | for(;;) { | |
534983d7 | 1618 | WDT_HIT(); |
15c4dc5a | 1619 | |
534983d7 | 1620 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { |
1621 | AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!! | |
15c4dc5a | 1622 | if (elapsed) (*elapsed)++; |
534983d7 | 1623 | } |
1624 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { | |
1625 | if(c < iso14a_timeout) { c++; } else { return FALSE; } | |
1626 | b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; | |
72934aa3 | 1627 | if(ManchesterDecoding((b>>4) & 0xf)) { |
15c4dc5a | 1628 | *samples = ((c - 1) << 3) + 4; |
1629 | return TRUE; | |
1630 | } | |
1631 | if(ManchesterDecoding(b & 0x0f)) { | |
1632 | *samples = c << 3; | |
1633 | return TRUE; | |
1634 | } | |
534983d7 | 1635 | } |
1636 | } | |
15c4dc5a | 1637 | } |
1638 | ||
f7e3ed82 | 1639 | void ReaderTransmitShort(const uint8_t* bt) |
15c4dc5a | 1640 | { |
1641 | int wait = 0; | |
1642 | int samples = 0; | |
1643 | ||
1644 | ShortFrameFromReader(*bt); | |
e30c654b | 1645 | |
15c4dc5a | 1646 | // Select the card |
e30c654b | 1647 | TransmitFor14443a(ToSend, ToSendMax, &samples, &wait); |
1648 | ||
15c4dc5a | 1649 | // Store reader command in buffer |
1650 | if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE); | |
1651 | } | |
1652 | ||
f7e3ed82 | 1653 | void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par) |
15c4dc5a | 1654 | { |
1655 | int wait = 0; | |
1656 | int samples = 0; | |
e30c654b | 1657 | |
15c4dc5a | 1658 | // This is tied to other size changes |
f7e3ed82 | 1659 | // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024; |
15c4dc5a | 1660 | CodeIso14443aAsReaderPar(frame,len,par); |
e30c654b | 1661 | |
15c4dc5a | 1662 | // Select the card |
e30c654b | 1663 | TransmitFor14443a(ToSend, ToSendMax, &samples, &wait); |
534983d7 | 1664 | if(trigger) |
1665 | LED_A_ON(); | |
e30c654b | 1666 | |
15c4dc5a | 1667 | // Store reader command in buffer |
1668 | if (tracing) LogTrace(frame,len,0,par,TRUE); | |
1669 | } | |
1670 | ||
1671 | ||
f7e3ed82 | 1672 | void ReaderTransmit(uint8_t* frame, int len) |
15c4dc5a | 1673 | { |
1674 | // Generate parity and redirect | |
1675 | ReaderTransmitPar(frame,len,GetParity(frame,len)); | |
1676 | } | |
1677 | ||
f7e3ed82 | 1678 | int ReaderReceive(uint8_t* receivedAnswer) |
15c4dc5a | 1679 | { |
1680 | int samples = 0; | |
20f9a2a1 | 1681 | if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE; |
15c4dc5a | 1682 | if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE); |
7e758047 | 1683 | if(samples == 0) return FALSE; |
1684 | return Demod.len; | |
15c4dc5a | 1685 | } |
1686 | ||
f89c7050 M |
1687 | int ReaderReceivePar(uint8_t* receivedAnswer, uint32_t * parptr) |
1688 | { | |
1689 | int samples = 0; | |
1690 | if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE; | |
1691 | if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE); | |
1692 | *parptr = Demod.parityBits; | |
1693 | if(samples == 0) return FALSE; | |
1694 | return Demod.len; | |
1695 | } | |
1696 | ||
7e758047 | 1697 | /* performs iso14443a anticolision procedure |
534983d7 | 1698 | * fills the uid pointer unless NULL |
1699 | * fills resp_data unless NULL */ | |
20f9a2a1 M |
1700 | int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data, uint32_t * cuid_ptr) { |
1701 | uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP | |
f7e3ed82 | 1702 | uint8_t sel_all[] = { 0x93,0x20 }; |
1703 | uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; | |
7e758047 | 1704 | uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0 |
15c4dc5a | 1705 | |
7e758047 | 1706 | uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes |
15c4dc5a | 1707 | |
534983d7 | 1708 | uint8_t sak = 0x04; // cascade uid |
1709 | int cascade_level = 0; | |
1710 | ||
7e758047 | 1711 | int len; |
20f9a2a1 M |
1712 | |
1713 | // clear uid | |
1714 | memset(uid_ptr, 0, 8); | |
15c4dc5a | 1715 | |
7e758047 | 1716 | // Broadcast for a card, WUPA (0x52) will force response from all cards in the field |
1717 | ReaderTransmitShort(wupa); | |
1718 | // Receive the ATQA | |
1719 | if(!ReaderReceive(resp)) return 0; | |
15c4dc5a | 1720 | |
534983d7 | 1721 | if(resp_data) |
1722 | memcpy(resp_data->atqa, resp, 2); | |
1723 | ||
534983d7 | 1724 | // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in |
7e758047 | 1725 | // which case we need to make a cascade 2 request and select - this is a long UID |
534983d7 | 1726 | // While the UID is not complete, the 3nd bit (from the right) is set in the SAK. |
1727 | for(; sak & 0x04; cascade_level++) | |
7e758047 | 1728 | { |
534983d7 | 1729 | // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97) |
1730 | sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2; | |
1731 | ||
1732 | // SELECT_ALL | |
1733 | ReaderTransmit(sel_all,sizeof(sel_all)); | |
1734 | if (!ReaderReceive(resp)) return 0; | |
1735 | if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4); | |
20f9a2a1 M |
1736 | |
1737 | // calculate crypto UID | |
1738 | if(cuid_ptr) *cuid_ptr = bytes_to_num(resp, 4); | |
e30c654b | 1739 | |
7e758047 | 1740 | // Construct SELECT UID command |
534983d7 | 1741 | memcpy(sel_uid+2,resp,5); |
1742 | AppendCrc14443a(sel_uid,7); | |
1743 | ReaderTransmit(sel_uid,sizeof(sel_uid)); | |
1744 | ||
7e758047 | 1745 | // Receive the SAK |
1746 | if (!ReaderReceive(resp)) return 0; | |
534983d7 | 1747 | sak = resp[0]; |
7e758047 | 1748 | } |
534983d7 | 1749 | if(resp_data) { |
1750 | resp_data->sak = sak; | |
1751 | resp_data->ats_len = 0; | |
1752 | } | |
20f9a2a1 M |
1753 | //-- this byte not UID, it CT. http://www.nxp.com/documents/application_note/AN10927.pdf page 3 |
1754 | if (uid_ptr[0] == 0x88) { | |
1755 | memcpy(uid_ptr, uid_ptr + 1, 7); | |
1756 | uid_ptr[7] = 0; | |
1757 | } | |
534983d7 | 1758 | |
1759 | if( (sak & 0x20) == 0) | |
7e758047 | 1760 | return 2; // non iso14443a compliant tag |
534983d7 | 1761 | |
7e758047 | 1762 | // Request for answer to select |
20f9a2a1 M |
1763 | if(resp_data) { // JCOP cards - if reader sent RATS then there is no MIFARE session at all!!! |
1764 | AppendCrc14443a(rats, 2); | |
1765 | ReaderTransmit(rats, sizeof(rats)); | |
1766 | ||
1767 | if (!(len = ReaderReceive(resp))) return 0; | |
1768 | ||
534983d7 | 1769 | memcpy(resp_data->ats, resp, sizeof(resp_data->ats)); |
1770 | resp_data->ats_len = len; | |
1771 | } | |
20f9a2a1 | 1772 | |
7e758047 | 1773 | return 1; |
1774 | } | |
15c4dc5a | 1775 | |
7e758047 | 1776 | void iso14443a_setup() { |
1777 | // Setup SSC | |
1778 | FpgaSetupSsc(); | |
1779 | // Start from off (no field generated) | |
1780 | // Signal field is off with the appropriate LED | |
1781 | LED_D_OFF(); | |
1782 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
1783 | SpinDelay(200); | |
15c4dc5a | 1784 | |
7e758047 | 1785 | SetAdcMuxFor(GPIO_MUXSEL_HIPKD); |
e30c654b | 1786 | |
7e758047 | 1787 | // Now give it time to spin up. |
1788 | // Signal field is on with the appropriate LED | |
1789 | LED_D_ON(); | |
1790 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); | |
1791 | SpinDelay(200); | |
534983d7 | 1792 | |
1793 | iso14a_timeout = 2048; //default | |
7e758047 | 1794 | } |
15c4dc5a | 1795 | |
534983d7 | 1796 | int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) { |
1797 | uint8_t real_cmd[cmd_len+4]; | |
1798 | real_cmd[0] = 0x0a; //I-Block | |
1799 | real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards | |
1800 | memcpy(real_cmd+2, cmd, cmd_len); | |
1801 | AppendCrc14443a(real_cmd,cmd_len+2); | |
1802 | ||
1803 | ReaderTransmit(real_cmd, cmd_len+4); | |
1804 | size_t len = ReaderReceive(data); | |
1805 | if(!len) | |
1806 | return -1; //DATA LINK ERROR | |
1807 | ||
1808 | return len; | |
1809 | } | |
1810 | ||
1811 | ||
7e758047 | 1812 | //----------------------------------------------------------------------------- |
1813 | // Read an ISO 14443a tag. Send out commands and store answers. | |
1814 | // | |
1815 | //----------------------------------------------------------------------------- | |
534983d7 | 1816 | void ReaderIso14443a(UsbCommand * c, UsbCommand * ack) |
7e758047 | 1817 | { |
534983d7 | 1818 | iso14a_command_t param = c->arg[0]; |
1819 | uint8_t * cmd = c->d.asBytes; | |
1820 | size_t len = c->arg[1]; | |
e30c654b | 1821 | |
534983d7 | 1822 | if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(1); |
15c4dc5a | 1823 | |
534983d7 | 1824 | if(param & ISO14A_CONNECT) { |
1825 | iso14443a_setup(); | |
20f9a2a1 | 1826 | ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12), NULL); |
534983d7 | 1827 | UsbSendPacket((void *)ack, sizeof(UsbCommand)); |
1828 | } | |
e30c654b | 1829 | |
534983d7 | 1830 | if(param & ISO14A_SET_TIMEOUT) { |
1831 | iso14a_timeout = c->arg[2]; | |
1832 | } | |
e30c654b | 1833 | |
534983d7 | 1834 | if(param & ISO14A_SET_TIMEOUT) { |
1835 | iso14a_timeout = c->arg[2]; | |
1836 | } | |
e30c654b | 1837 | |
534983d7 | 1838 | if(param & ISO14A_APDU) { |
1839 | ack->arg[0] = iso14_apdu(cmd, len, ack->d.asBytes); | |
1840 | UsbSendPacket((void *)ack, sizeof(UsbCommand)); | |
1841 | } | |
e30c654b | 1842 | |
534983d7 | 1843 | if(param & ISO14A_RAW) { |
1844 | if(param & ISO14A_APPEND_CRC) { | |
1845 | AppendCrc14443a(cmd,len); | |
1846 | len += 2; | |
15c4dc5a | 1847 | } |
534983d7 | 1848 | ReaderTransmit(cmd,len); |
1849 | ack->arg[0] = ReaderReceive(ack->d.asBytes); | |
1850 | UsbSendPacket((void *)ack, sizeof(UsbCommand)); | |
1851 | } | |
15c4dc5a | 1852 | |
534983d7 | 1853 | if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(0); |
15c4dc5a | 1854 | |
534983d7 | 1855 | if(param & ISO14A_NO_DISCONNECT) |
1856 | return; | |
15c4dc5a | 1857 | |
15c4dc5a | 1858 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); |
1859 | LEDsoff(); | |
15c4dc5a | 1860 | } |
15c4dc5a | 1861 | //----------------------------------------------------------------------------- |
1862 | // Read an ISO 14443a tag. Send out commands and store answers. | |
1863 | // | |
1864 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 1865 | void ReaderMifare(uint32_t parameter) |
15c4dc5a | 1866 | { |
15c4dc5a | 1867 | // Mifare AUTH |
f7e3ed82 | 1868 | uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b }; |
f89c7050 | 1869 | uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; |
e30c654b | 1870 | |
f89c7050 M |
1871 | uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes |
1872 | traceLen = 0; | |
1873 | tracing = false; | |
e30c654b | 1874 | |
7e758047 | 1875 | iso14443a_setup(); |
e30c654b | 1876 | |
15c4dc5a | 1877 | LED_A_ON(); |
1878 | LED_B_OFF(); | |
1879 | LED_C_OFF(); | |
e30c654b | 1880 | |
f89c7050 M |
1881 | byte_t nt_diff = 0; |
1882 | LED_A_OFF(); | |
1883 | byte_t par = 0; | |
9f693930 | 1884 | //byte_t par_mask = 0xff; |
f89c7050 M |
1885 | byte_t par_low = 0; |
1886 | int led_on = TRUE; | |
50193c1e | 1887 | uint8_t uid[8]; |
f89c7050 | 1888 | uint32_t cuid; |
e30c654b | 1889 | |
f89c7050 M |
1890 | tracing = FALSE; |
1891 | byte_t nt[4] = {0,0,0,0}; | |
f397b5cc | 1892 | byte_t nt_attacked[4], nt_noattack[4]; |
f89c7050 M |
1893 | byte_t par_list[8] = {0,0,0,0,0,0,0,0}; |
1894 | byte_t ks_list[8] = {0,0,0,0,0,0,0,0}; | |
f397b5cc | 1895 | num_to_bytes(parameter, 4, nt_noattack); |
50193c1e | 1896 | int isOK = 0, isNULL = 0; |
f397b5cc | 1897 | |
f89c7050 M |
1898 | while(TRUE) |
1899 | { | |
50193c1e | 1900 | LED_C_ON(); |
f89c7050 M |
1901 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); |
1902 | SpinDelay(200); | |
1903 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); | |
50193c1e | 1904 | LED_C_OFF(); |
e30c654b | 1905 | |
f89c7050 M |
1906 | // Test if the action was cancelled |
1907 | if(BUTTON_PRESS()) { | |
1908 | break; | |
1909 | } | |
e30c654b | 1910 | |
f89c7050 | 1911 | if(!iso14443a_select_card(uid, NULL, &cuid)) continue; |
e30c654b | 1912 | |
f89c7050 M |
1913 | // Transmit MIFARE_CLASSIC_AUTH |
1914 | ReaderTransmit(mf_auth, sizeof(mf_auth)); | |
15c4dc5a | 1915 | |
f89c7050 M |
1916 | // Receive the (16 bit) "random" nonce |
1917 | if (!ReaderReceive(receivedAnswer)) continue; | |
1918 | memcpy(nt, receivedAnswer, 4); | |
e30c654b | 1919 | |
f89c7050 M |
1920 | // Transmit reader nonce and reader answer |
1921 | ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar),par); | |
15c4dc5a | 1922 | |
f89c7050 M |
1923 | // Receive 4 bit answer |
1924 | if (ReaderReceive(receivedAnswer)) | |
1925 | { | |
f397b5cc M |
1926 | if ( (parameter != 0) && (memcmp(nt, nt_noattack, 4) == 0) ) continue; |
1927 | ||
db389d52 | 1928 | isNULL = (nt_attacked[0] == 0) && (nt_attacked[1] == 0) && (nt_attacked[2] == 0) && (nt_attacked[3] == 0); |
50193c1e M |
1929 | if ( (isNULL != 0 ) && (memcmp(nt, nt_attacked, 4) != 0) ) continue; |
1930 | ||
f89c7050 M |
1931 | if (nt_diff == 0) |
1932 | { | |
1933 | LED_A_ON(); | |
1934 | memcpy(nt_attacked, nt, 4); | |
9f693930 | 1935 | //par_mask = 0xf8; |
f89c7050 M |
1936 | par_low = par & 0x07; |
1937 | } | |
15c4dc5a | 1938 | |
f89c7050 M |
1939 | led_on = !led_on; |
1940 | if(led_on) LED_B_ON(); else LED_B_OFF(); | |
1941 | par_list[nt_diff] = par; | |
1942 | ks_list[nt_diff] = receivedAnswer[0] ^ 0x05; | |
e30c654b | 1943 | |
f89c7050 M |
1944 | // Test if the information is complete |
1945 | if (nt_diff == 0x07) { | |
1946 | isOK = 1; | |
1947 | break; | |
1948 | } | |
1949 | ||
1950 | nt_diff = (nt_diff + 1) & 0x07; | |
1951 | mf_nr_ar[3] = nt_diff << 5; | |
1952 | par = par_low; | |
1953 | } else { | |
1954 | if (nt_diff == 0) | |
1955 | { | |
1956 | par++; | |
1957 | } else { | |
1958 | par = (((par >> 3) + 1) << 3) | par_low; | |
1959 | } | |
1960 | } | |
1961 | } | |
e30c654b | 1962 | |
f89c7050 M |
1963 | LogTrace(nt, 4, 0, GetParity(nt, 4), TRUE); |
1964 | LogTrace(par_list, 8, 0, GetParity(par_list, 8), TRUE); | |
1965 | LogTrace(ks_list, 8, 0, GetParity(ks_list, 8), TRUE); | |
e30c654b | 1966 | |
f89c7050 M |
1967 | UsbCommand ack = {CMD_ACK, {isOK, 0, 0}}; |
1968 | memcpy(ack.d.asBytes + 0, uid, 4); | |
1969 | memcpy(ack.d.asBytes + 4, nt, 4); | |
1970 | memcpy(ack.d.asBytes + 8, par_list, 8); | |
1971 | memcpy(ack.d.asBytes + 16, ks_list, 8); | |
1972 | ||
1973 | LED_B_ON(); | |
1974 | UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand)); | |
1975 | LED_B_OFF(); | |
1976 | ||
1977 | // Thats it... | |
15c4dc5a | 1978 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); |
1979 | LEDsoff(); | |
f89c7050 M |
1980 | tracing = TRUE; |
1981 | ||
f397b5cc | 1982 | if (MF_DBGLEVEL >= 1) DbpString("COMMAND mifare FINISHED"); |
20f9a2a1 M |
1983 | } |
1984 | ||
20f9a2a1 M |
1985 | |
1986 | //----------------------------------------------------------------------------- | |
1987 | // MIFARE 1K simulate. | |
1988 | // | |
1989 | //----------------------------------------------------------------------------- | |
1990 | void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) | |
1991 | { | |
50193c1e | 1992 | int cardSTATE = MFEMUL_NOFIELD; |
8556b852 | 1993 | int _7BUID = 0; |
9ca155ba | 1994 | int vHf = 0; // in mV |
9f693930 | 1995 | //int nextCycleTimeout = 0; |
8f51ddb0 | 1996 | int res; |
51969283 | 1997 | // uint32_t timer = 0; |
0a39986e M |
1998 | uint32_t selTimer = 0; |
1999 | uint32_t authTimer = 0; | |
2000 | uint32_t par = 0; | |
9ca155ba | 2001 | int len = 0; |
8f51ddb0 | 2002 | uint8_t cardWRBL = 0; |
9ca155ba M |
2003 | uint8_t cardAUTHSC = 0; |
2004 | uint8_t cardAUTHKEY = 0xff; // no authentication | |
9f693930 | 2005 | //uint32_t cardRn = 0; |
51969283 | 2006 | uint32_t cardRr = 0; |
9ca155ba | 2007 | uint32_t cuid = 0; |
9f693930 | 2008 | //uint32_t rn_enc = 0; |
51969283 | 2009 | uint32_t ans = 0; |
0014cb46 M |
2010 | uint32_t cardINTREG = 0; |
2011 | uint8_t cardINTBLOCK = 0; | |
9ca155ba M |
2012 | struct Crypto1State mpcs = {0, 0}; |
2013 | struct Crypto1State *pcs; | |
2014 | pcs = &mpcs; | |
2015 | ||
8f51ddb0 M |
2016 | uint8_t* receivedCmd = eml_get_bigbufptr_recbuf(); |
2017 | uint8_t *response = eml_get_bigbufptr_sendbuf(); | |
9ca155ba | 2018 | |
8556b852 | 2019 | static uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID |
9ca155ba | 2020 | |
0a39986e M |
2021 | static uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; |
2022 | static uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!! | |
9ca155ba | 2023 | |
0a39986e | 2024 | static uint8_t rSAK[] = {0x08, 0xb6, 0xdd}; |
8556b852 | 2025 | static uint8_t rSAK1[] = {0x04, 0xda, 0x17}; |
9ca155ba | 2026 | |
0014cb46 M |
2027 | static uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04}; |
2028 | // static uint8_t rAUTH_NT[] = {0x1a, 0xac, 0xff, 0x4f}; | |
0a39986e | 2029 | static uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00}; |
0014cb46 | 2030 | |
0a39986e M |
2031 | // clear trace |
2032 | traceLen = 0; | |
2033 | tracing = true; | |
51969283 M |
2034 | |
2035 | // Authenticate response - nonce | |
2036 | uint32_t nonce = bytes_to_num(rAUTH_NT, 4); | |
9ca155ba | 2037 | |
8556b852 M |
2038 | // get UID from emul memory |
2039 | emlGetMemBt(receivedCmd, 7, 1); | |
2040 | _7BUID = !(receivedCmd[0] == 0x00); | |
2041 | if (!_7BUID) { // ---------- 4BUID | |
2042 | rATQA[0] = 0x04; | |
2043 | ||
2044 | emlGetMemBt(rUIDBCC1, 0, 4); | |
2045 | rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3]; | |
2046 | } else { // ---------- 7BUID | |
2047 | rATQA[0] = 0x44; | |
2048 | ||
2049 | rUIDBCC1[0] = 0x88; | |
2050 | emlGetMemBt(&rUIDBCC1[1], 0, 3); | |
2051 | rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3]; | |
2052 | emlGetMemBt(rUIDBCC2, 3, 4); | |
2053 | rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3]; | |
2054 | } | |
2055 | ||
9ca155ba | 2056 | // -------------------------------------- test area |
50193c1e | 2057 | |
9ca155ba | 2058 | // -------------------------------------- END test area |
8f51ddb0 M |
2059 | // start mkseconds counter |
2060 | StartCountUS(); | |
9ca155ba M |
2061 | |
2062 | // We need to listen to the high-frequency, peak-detected path. | |
2063 | SetAdcMuxFor(GPIO_MUXSEL_HIPKD); | |
2064 | FpgaSetupSsc(); | |
2065 | ||
2066 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN); | |
2067 | SpinDelay(200); | |
2068 | ||
0014cb46 | 2069 | if (MF_DBGLEVEL >= 1) Dbprintf("Started. 7buid=%d", _7BUID); |
8f51ddb0 M |
2070 | // calibrate mkseconds counter |
2071 | GetDeltaCountUS(); | |
9ca155ba M |
2072 | while (true) { |
2073 | WDT_HIT(); | |
9ca155ba | 2074 | |
8f51ddb0 M |
2075 | if(BUTTON_PRESS()) { |
2076 | break; | |
2077 | } | |
2078 | ||
9ca155ba M |
2079 | // find reader field |
2080 | // Vref = 3300mV, and an 10:1 voltage divider on the input | |
2081 | // can measure voltages up to 33000 mV | |
2082 | if (cardSTATE == MFEMUL_NOFIELD) { | |
2083 | vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10; | |
2084 | if (vHf > MF_MINFIELDV) { | |
0014cb46 | 2085 | cardSTATE_TO_IDLE(); |
9ca155ba M |
2086 | LED_A_ON(); |
2087 | } | |
2088 | } | |
2089 | ||
2090 | if (cardSTATE != MFEMUL_NOFIELD) { | |
81cd0474 | 2091 | res = EmGetCmd(receivedCmd, &len, RECV_CMD_SIZE); // (+ nextCycleTimeout) |
9ca155ba M |
2092 | if (res == 2) { |
2093 | cardSTATE = MFEMUL_NOFIELD; | |
2094 | LEDsoff(); | |
2095 | continue; | |
2096 | } | |
2097 | if(res) break; | |
2098 | } | |
2099 | ||
9f693930 | 2100 | //nextCycleTimeout = 0; |
8f51ddb0 | 2101 | |
9ca155ba | 2102 | // if (len) Dbprintf("len:%d cmd: %02x %02x %02x %02x", len, receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3]); |
0a39986e M |
2103 | |
2104 | if (len != 4 && cardSTATE != MFEMUL_NOFIELD) { // len != 4 <---- speed up the code 4 authentication | |
8f51ddb0 | 2105 | // REQ or WUP request in ANY state and WUP in HALTED state |
0a39986e M |
2106 | if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) { |
2107 | selTimer = GetTickCount(); | |
2108 | EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52)); | |
2109 | cardSTATE = MFEMUL_SELECT1; | |
2110 | ||
2111 | // init crypto block | |
2112 | LED_B_OFF(); | |
2113 | LED_C_OFF(); | |
2114 | crypto1_destroy(pcs); | |
2115 | cardAUTHKEY = 0xff; | |
2116 | } | |
2117 | } | |
9ca155ba | 2118 | |
50193c1e M |
2119 | switch (cardSTATE) { |
2120 | case MFEMUL_NOFIELD:{ | |
2121 | break; | |
2122 | } | |
9ca155ba | 2123 | case MFEMUL_HALTED:{ |
0a39986e | 2124 | break; |
9ca155ba | 2125 | } |
50193c1e M |
2126 | case MFEMUL_IDLE:{ |
2127 | break; | |
2128 | } | |
2129 | case MFEMUL_SELECT1:{ | |
9ca155ba M |
2130 | // select all |
2131 | if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) { | |
2132 | EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1)); | |
0014cb46 | 2133 | break; |
9ca155ba M |
2134 | } |
2135 | ||
2136 | // select card | |
0a39986e M |
2137 | if (len == 9 && |
2138 | (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) { | |
8556b852 M |
2139 | if (!_7BUID) |
2140 | EmSendCmd(rSAK, sizeof(rSAK)); | |
2141 | else | |
2142 | EmSendCmd(rSAK1, sizeof(rSAK1)); | |
9ca155ba M |
2143 | |
2144 | cuid = bytes_to_num(rUIDBCC1, 4); | |
8556b852 M |
2145 | if (!_7BUID) { |
2146 | cardSTATE = MFEMUL_WORK; | |
0014cb46 M |
2147 | LED_B_ON(); |
2148 | if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer); | |
2149 | break; | |
8556b852 M |
2150 | } else { |
2151 | cardSTATE = MFEMUL_SELECT2; | |
2152 | break; | |
2153 | } | |
9ca155ba M |
2154 | } |
2155 | ||
50193c1e M |
2156 | break; |
2157 | } | |
2158 | case MFEMUL_SELECT2:{ | |
0014cb46 M |
2159 | if (!len) break; |
2160 | ||
8556b852 | 2161 | if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) { |
9ca155ba | 2162 | EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2)); |
8556b852 M |
2163 | break; |
2164 | } | |
9ca155ba | 2165 | |
8556b852 M |
2166 | // select 2 card |
2167 | if (len == 9 && | |
2168 | (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) { | |
2169 | EmSendCmd(rSAK, sizeof(rSAK)); | |
2170 | ||
2171 | cuid = bytes_to_num(rUIDBCC2, 4); | |
2172 | cardSTATE = MFEMUL_WORK; | |
2173 | LED_B_ON(); | |
0014cb46 | 2174 | if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer); |
8556b852 M |
2175 | break; |
2176 | } | |
0014cb46 M |
2177 | |
2178 | // i guess there is a command). go into the work state. | |
2179 | if (len != 4) break; | |
2180 | cardSTATE = MFEMUL_WORK; | |
2181 | goto lbWORK; | |
50193c1e M |
2182 | } |
2183 | case MFEMUL_AUTH1:{ | |
9ca155ba | 2184 | if (len == 8) { |
51969283 | 2185 | // --- crypto |
9f693930 GY |
2186 | //rn_enc = bytes_to_num(receivedCmd, 4); |
2187 | //cardRn = rn_enc ^ crypto1_word(pcs, rn_enc , 1); | |
51969283 M |
2188 | cardRr = bytes_to_num(&receivedCmd[4], 4) ^ crypto1_word(pcs, 0, 0); |
2189 | // test if auth OK | |
2190 | if (cardRr != prng_successor(nonce, 64)){ | |
0014cb46 M |
2191 | if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED. cardRr=%08x, succ=%08x", cardRr, prng_successor(nonce, 64)); |
2192 | cardSTATE_TO_IDLE(); | |
51969283 M |
2193 | break; |
2194 | } | |
2195 | ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0); | |
2196 | num_to_bytes(ans, 4, rAUTH_AT); | |
2197 | // --- crypto | |
2198 | EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT)); | |
0a39986e M |
2199 | cardSTATE = MFEMUL_AUTH2; |
2200 | } else { | |
0014cb46 | 2201 | cardSTATE_TO_IDLE(); |
9ca155ba | 2202 | } |
0a39986e | 2203 | if (cardSTATE != MFEMUL_AUTH2) break; |
50193c1e M |
2204 | } |
2205 | case MFEMUL_AUTH2:{ | |
9ca155ba | 2206 | LED_C_ON(); |
0a39986e | 2207 | cardSTATE = MFEMUL_WORK; |
0014cb46 | 2208 | if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED. sec=%d, key=%d time=%d", cardAUTHSC, cardAUTHKEY, GetTickCount() - authTimer); |
50193c1e M |
2209 | break; |
2210 | } | |
9ca155ba | 2211 | case MFEMUL_WORK:{ |
0014cb46 | 2212 | lbWORK: if (len == 0) break; |
0a39986e | 2213 | |
51969283 M |
2214 | if (cardAUTHKEY == 0xff) { |
2215 | // first authentication | |
2216 | if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) { | |
2217 | authTimer = GetTickCount(); | |
2218 | ||
2219 | cardAUTHSC = receivedCmd[1] / 4; // received block num | |
2220 | cardAUTHKEY = receivedCmd[0] - 0x60; | |
2221 | ||
2222 | // --- crypto | |
2223 | crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY)); | |
2224 | ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0); | |
2225 | num_to_bytes(nonce, 4, rAUTH_AT); | |
2226 | EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT)); | |
2227 | // --- crypto | |
2228 | ||
2229 | // last working revision | |
2230 | // EmSendCmd14443aRaw(resp1, resp1Len, 0); | |
2231 | // LogTrace(NULL, 0, GetDeltaCountUS(), 0, true); | |
2232 | ||
2233 | cardSTATE = MFEMUL_AUTH1; | |
9f693930 | 2234 | //nextCycleTimeout = 10; |
51969283 M |
2235 | break; |
2236 | } | |
2237 | } else { | |
2238 | // decrypt seqence | |
2239 | mf_crypto1_decrypt(pcs, receivedCmd, len); | |
2240 | ||
2241 | // nested authentication | |
2242 | if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) { | |
2243 | authTimer = GetTickCount(); | |
2244 | ||
2245 | cardAUTHSC = receivedCmd[1] / 4; // received block num | |
2246 | cardAUTHKEY = receivedCmd[0] - 0x60; | |
2247 | ||
2248 | // --- crypto | |
2249 | crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY)); | |
2250 | ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0); | |
2251 | num_to_bytes(ans, 4, rAUTH_AT); | |
2252 | EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT)); | |
2253 | // --- crypto | |
2254 | ||
2255 | cardSTATE = MFEMUL_AUTH1; | |
9f693930 | 2256 | //nextCycleTimeout = 10; |
51969283 M |
2257 | break; |
2258 | } | |
2259 | } | |
0a39986e | 2260 | |
8f51ddb0 M |
2261 | // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued |
2262 | // BUT... ACK --> NACK | |
2263 | if (len == 1 && receivedCmd[0] == CARD_ACK) { | |
2264 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); | |
2265 | break; | |
2266 | } | |
2267 | ||
2268 | // rule 12 of 7.5.3. in ISO 14443-4. R(NAK) --> R(ACK) | |
2269 | if (len == 1 && receivedCmd[0] == CARD_NACK_NA) { | |
2270 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); | |
2271 | break; | |
0a39986e M |
2272 | } |
2273 | ||
2274 | // read block | |
2275 | if (len == 4 && receivedCmd[0] == 0x30) { | |
51969283 | 2276 | if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) { |
8f51ddb0 M |
2277 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); |
2278 | break; | |
2279 | } | |
2280 | emlGetMem(response, receivedCmd[1], 1); | |
2281 | AppendCrc14443a(response, 16); | |
2282 | mf_crypto1_encrypt(pcs, response, 18, &par); | |
2283 | EmSendCmdPar(response, 18, par); | |
0a39986e M |
2284 | break; |
2285 | } | |
2286 | ||
2287 | // write block | |
2288 | if (len == 4 && receivedCmd[0] == 0xA0) { | |
51969283 | 2289 | if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) { |
8f51ddb0 M |
2290 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); |
2291 | break; | |
2292 | } | |
2293 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); | |
9f693930 | 2294 | //nextCycleTimeout = 50; |
8f51ddb0 M |
2295 | cardSTATE = MFEMUL_WRITEBL2; |
2296 | cardWRBL = receivedCmd[1]; | |
0a39986e | 2297 | break; |
9ca155ba | 2298 | } |
8f51ddb0 | 2299 | |
0014cb46 M |
2300 | // works with cardINTREG |
2301 | ||
2302 | // increment, decrement, restore | |
2303 | if (len == 4 && (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2)) { | |
2304 | if (receivedCmd[1] >= 16 * 4 || | |
2305 | receivedCmd[1] / 4 != cardAUTHSC || | |
2306 | emlCheckValBl(receivedCmd[1])) { | |
2307 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); | |
2308 | break; | |
2309 | } | |
2310 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); | |
2311 | if (receivedCmd[0] == 0xC1) | |
2312 | cardSTATE = MFEMUL_INTREG_INC; | |
2313 | if (receivedCmd[0] == 0xC0) | |
2314 | cardSTATE = MFEMUL_INTREG_DEC; | |
2315 | if (receivedCmd[0] == 0xC2) | |
2316 | cardSTATE = MFEMUL_INTREG_REST; | |
2317 | cardWRBL = receivedCmd[1]; | |
2318 | ||
2319 | break; | |
2320 | } | |
2321 | ||
2322 | ||
2323 | // transfer | |
2324 | if (len == 4 && receivedCmd[0] == 0xB0) { | |
2325 | if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) { | |
2326 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); | |
2327 | break; | |
2328 | } | |
2329 | ||
2330 | if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1])) | |
2331 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); | |
2332 | else | |
2333 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); | |
2334 | ||
2335 | break; | |
2336 | } | |
2337 | ||
9ca155ba | 2338 | // halt |
0a39986e | 2339 | if (len == 4 && (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00)) { |
9ca155ba | 2340 | LED_B_OFF(); |
0a39986e | 2341 | LED_C_OFF(); |
0014cb46 M |
2342 | cardSTATE = MFEMUL_HALTED; |
2343 | if (MF_DBGLEVEL >= 4) Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer); | |
0a39986e | 2344 | break; |
9ca155ba | 2345 | } |
51969283 | 2346 | |
8f51ddb0 M |
2347 | // command not allowed |
2348 | if (len == 4) { | |
2349 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); | |
2350 | break; | |
2351 | } | |
51969283 M |
2352 | |
2353 | // case break | |
2354 | break; | |
8f51ddb0 M |
2355 | } |
2356 | case MFEMUL_WRITEBL2:{ | |
2357 | if (len == 18){ | |
2358 | mf_crypto1_decrypt(pcs, receivedCmd, len); | |
2359 | emlSetMem(receivedCmd, cardWRBL, 1); | |
2360 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); | |
2361 | cardSTATE = MFEMUL_WORK; | |
2362 | break; | |
51969283 | 2363 | } else { |
0014cb46 | 2364 | cardSTATE_TO_IDLE(); |
51969283 | 2365 | break; |
8f51ddb0 | 2366 | } |
8f51ddb0 | 2367 | break; |
50193c1e | 2368 | } |
0014cb46 M |
2369 | |
2370 | case MFEMUL_INTREG_INC:{ | |
2371 | mf_crypto1_decrypt(pcs, receivedCmd, len); | |
2372 | memcpy(&ans, receivedCmd, 4); | |
2373 | if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) { | |
2374 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); | |
2375 | cardSTATE_TO_IDLE(); | |
2376 | break; | |
2377 | } | |
2378 | cardINTREG = cardINTREG + ans; | |
2379 | cardSTATE = MFEMUL_WORK; | |
2380 | break; | |
2381 | } | |
2382 | case MFEMUL_INTREG_DEC:{ | |
2383 | mf_crypto1_decrypt(pcs, receivedCmd, len); | |
2384 | memcpy(&ans, receivedCmd, 4); | |
2385 | if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) { | |
2386 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); | |
2387 | cardSTATE_TO_IDLE(); | |
2388 | break; | |
2389 | } | |
2390 | cardINTREG = cardINTREG - ans; | |
2391 | cardSTATE = MFEMUL_WORK; | |
2392 | break; | |
2393 | } | |
2394 | case MFEMUL_INTREG_REST:{ | |
2395 | mf_crypto1_decrypt(pcs, receivedCmd, len); | |
2396 | memcpy(&ans, receivedCmd, 4); | |
2397 | if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) { | |
2398 | EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); | |
2399 | cardSTATE_TO_IDLE(); | |
2400 | break; | |
2401 | } | |
2402 | cardSTATE = MFEMUL_WORK; | |
2403 | break; | |
2404 | } | |
50193c1e M |
2405 | |
2406 | } | |
2407 | ||
2408 | } | |
2409 | ||
9ca155ba M |
2410 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); |
2411 | LEDsoff(); | |
2412 | ||
0a39986e | 2413 | // add trace trailer |
8f51ddb0 | 2414 | memset(rAUTH_NT, 0x44, 4); |
0a39986e M |
2415 | LogTrace(rAUTH_NT, 4, 0, 0, TRUE); |
2416 | ||
0014cb46 | 2417 | if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, traceLen); |
15c4dc5a | 2418 | } |