]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/appmain.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
FIX: the HF MFU CREAD command on deviceside now can do a proper ATUTHENTICATION...
[proxmark3-svn] / armsrc / appmain.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, Mar 2006
3 // Edits by Gerhard de Koning Gans, Sep 2007 (##)
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // The main application code. This is the first thing called after start.c
10 // executes.
11 //-----------------------------------------------------------------------------
12
13 #include "../common/usb_cdc.h"
14 #include "../common/cmd.h"
15 #include "../include/proxmark3.h"
16 #include "../include/hitag2.h"
17 #include "apps.h"
18 #include "util.h"
19 #include "printf.h"
20 #include "string.h"
21 #include <stdarg.h>
22 #include "legicrf.h"
23 #include "lfsampling.h"
24 #include "BigBuf.h"
25
26 #ifdef WITH_LCD
27 #include "LCD.h"
28 #endif
29
30 #define abs(x) ( ((x)<0) ? -(x) : (x) )
31
32 //=============================================================================
33 // A buffer where we can queue things up to be sent through the FPGA, for
34 // any purpose (fake tag, as reader, whatever). We go MSB first, since that
35 // is the order in which they go out on the wire.
36 //=============================================================================
37
38 #define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
39 uint8_t ToSend[TOSEND_BUFFER_SIZE];
40 int ToSendMax;
41 static int ToSendBit;
42 struct common_area common_area __attribute__((section(".commonarea")));
43
44 void ToSendReset(void)
45 {
46 ToSendMax = -1;
47 ToSendBit = 8;
48 }
49
50 void ToSendStuffBit(int b)
51 {
52 if(ToSendBit >= 8) {
53 ToSendMax++;
54 ToSend[ToSendMax] = 0;
55 ToSendBit = 0;
56 }
57
58 if(b) {
59 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
60 }
61
62 ToSendBit++;
63
64 if(ToSendMax >= sizeof(ToSend)) {
65 ToSendBit = 0;
66 DbpString("ToSendStuffBit overflowed!");
67 }
68 }
69
70 //=============================================================================
71 // Debug print functions, to go out over USB, to the usual PC-side client.
72 //=============================================================================
73
74 void DbpString(char *str)
75 {
76 byte_t len = strlen(str);
77 cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len);
78 }
79
80 #if 0
81 void DbpIntegers(int x1, int x2, int x3)
82 {
83 cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
84 }
85 #endif
86
87 void Dbprintf(const char *fmt, ...) {
88 // should probably limit size here; oh well, let's just use a big buffer
89 char output_string[128];
90 va_list ap;
91
92 va_start(ap, fmt);
93 kvsprintf(fmt, output_string, 10, ap);
94 va_end(ap);
95
96 DbpString(output_string);
97 }
98
99 // prints HEX & ASCII
100 void Dbhexdump(int len, uint8_t *d, bool bAsci) {
101 int l=0,i;
102 char ascii[9];
103
104 while (len>0) {
105 if (len>8) l=8;
106 else l=len;
107
108 memcpy(ascii,d,l);
109 ascii[l]=0;
110
111 // filter safe ascii
112 for (i=0;i<l;i++)
113 if (ascii[i]<32 || ascii[i]>126) ascii[i]='.';
114
115 if (bAsci) {
116 Dbprintf("%-8s %*D",ascii,l,d," ");
117 } else {
118 Dbprintf("%*D",l,d," ");
119 }
120
121 len-=8;
122 d+=8;
123 }
124 }
125
126 //-----------------------------------------------------------------------------
127 // Read an ADC channel and block till it completes, then return the result
128 // in ADC units (0 to 1023). Also a routine to average 32 samples and
129 // return that.
130 //-----------------------------------------------------------------------------
131 static int ReadAdc(int ch)
132 {
133 uint32_t d;
134
135 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
136 AT91C_BASE_ADC->ADC_MR =
137 ADC_MODE_PRESCALE(63 /* was 32 */) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
138 ADC_MODE_STARTUP_TIME(1 /* was 16 */) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
139 ADC_MODE_SAMPLE_HOLD_TIME(15 /* was 8 */); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
140
141 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
142 // Both AMPL_LO and AMPL_HI are very high impedance (10MOhm) outputs, the input capacitance of the ADC is 12pF (typical). This results in a time constant
143 // of RC = 10MOhm * 12pF = 120us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
144 //
145 // The maths are:
146 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
147 //
148 // v_cap = v_in * (1 - exp(-RC/SHTIM)) = v_in * (1 - exp(-3)) = v_in * 0,95 (i.e. an error of 5%)
149 //
150 // Note: with the "historic" values in the comments above, the error was 34% !!!
151
152 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
153
154 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
155
156 while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch)))
157 ;
158 d = AT91C_BASE_ADC->ADC_CDR[ch];
159
160 return d;
161 }
162
163 int AvgAdc(int ch) // was static - merlok
164 {
165 int i;
166 int a = 0;
167
168 for(i = 0; i < 32; i++) {
169 a += ReadAdc(ch);
170 }
171
172 return (a + 15) >> 5;
173 }
174
175 void MeasureAntennaTuning(void)
176 {
177 uint8_t LF_Results[256];
178 int i, adcval = 0, peak = 0, peakv = 0, peakf = 0; //ptr = 0
179 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
180
181 LED_B_ON();
182
183 /*
184 * Sweeps the useful LF range of the proxmark from
185 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
186 * read the voltage in the antenna, the result left
187 * in the buffer is a graph which should clearly show
188 * the resonating frequency of your LF antenna
189 * ( hopefully around 95 if it is tuned to 125kHz!)
190 */
191
192 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
193 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
194 for (i=255; i>=19; i--) {
195 WDT_HIT();
196 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
197 SpinDelay(20);
198 adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
199 if (i==95) vLf125 = adcval; // voltage at 125Khz
200 if (i==89) vLf134 = adcval; // voltage at 134Khz
201
202 LF_Results[i] = adcval>>8; // scale int to fit in byte for graphing purposes
203 if(LF_Results[i] > peak) {
204 peakv = adcval;
205 peak = LF_Results[i];
206 peakf = i;
207 //ptr = i;
208 }
209 }
210
211 for (i=18; i >= 0; i--) LF_Results[i] = 0;
212
213 LED_A_ON();
214 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
215 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
216 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
217 SpinDelay(20);
218 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
219
220 cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125 | (vLf134<<16), vHf, peakf | (peakv<<16), LF_Results, 256);
221 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
222 LED_A_OFF();
223 LED_B_OFF();
224 return;
225 }
226
227 void MeasureAntennaTuningHf(void)
228 {
229 int vHf = 0; // in mV
230
231 DbpString("Measuring HF antenna, press button to exit");
232
233 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
234 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
235 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
236
237 for (;;) {
238 SpinDelay(20);
239 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
240
241 Dbprintf("%d mV",vHf);
242 if (BUTTON_PRESS()) break;
243 }
244 DbpString("cancelled");
245
246 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
247
248 }
249
250
251 void SimulateTagHfListen(void)
252 {
253 // ToDo: historically this used the free buffer, which was 2744 Bytes long.
254 // There might be a better size to be defined:
255 #define HF_14B_SNOOP_BUFFER_SIZE 2744
256 uint8_t *dest = BigBuf_malloc(HF_14B_SNOOP_BUFFER_SIZE);
257 uint8_t v = 0;
258 int i;
259 int p = 0;
260
261 // We're using this mode just so that I can test it out; the simulated
262 // tag mode would work just as well and be simpler.
263 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
264 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ | FPGA_HF_READER_RX_XCORR_SNOOP);
265
266 // We need to listen to the high-frequency, peak-detected path.
267 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
268
269 FpgaSetupSsc();
270
271 i = 0;
272 for(;;) {
273 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
274 AT91C_BASE_SSC->SSC_THR = 0xff;
275 }
276 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
277 uint8_t r = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
278
279 v <<= 1;
280 if(r & 1) {
281 v |= 1;
282 }
283 p++;
284
285 if(p >= 8) {
286 dest[i] = v;
287 v = 0;
288 p = 0;
289 i++;
290
291 if(i >= HF_14B_SNOOP_BUFFER_SIZE) {
292 break;
293 }
294 }
295 }
296 }
297 DbpString("simulate tag (now type bitsamples)");
298 }
299
300 void ReadMem(int addr)
301 {
302 const uint8_t *data = ((uint8_t *)addr);
303
304 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
305 addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
306 }
307
308 /* osimage version information is linked in */
309 extern struct version_information version_information;
310 /* bootrom version information is pointed to from _bootphase1_version_pointer */
311 extern char *_bootphase1_version_pointer, _flash_start, _flash_end;
312 void SendVersion(void)
313 {
314 char temp[512]; /* Limited data payload in USB packets */
315 DbpString("Prox/RFID mark3 RFID instrument");
316
317 /* Try to find the bootrom version information. Expect to find a pointer at
318 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
319 * pointer, then use it.
320 */
321 char *bootrom_version = *(char**)&_bootphase1_version_pointer;
322 if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
323 DbpString("bootrom version information appears invalid");
324 } else {
325 FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
326 DbpString(temp);
327 }
328
329 FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
330 DbpString(temp);
331
332 FpgaGatherVersion(temp, sizeof(temp));
333 DbpString(temp);
334 // Send Chip ID
335 cmd_send(CMD_ACK,*(AT91C_DBGU_CIDR),0,0,NULL,0);
336 }
337
338 #ifdef WITH_LF
339 // samy's sniff and repeat routine
340 void SamyRun()
341 {
342 DbpString("Stand-alone mode! No PC necessary.");
343 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
344
345 // 3 possible options? no just 2 for now
346 #define OPTS 2
347
348 int high[OPTS], low[OPTS];
349
350 // Oooh pretty -- notify user we're in elite samy mode now
351 LED(LED_RED, 200);
352 LED(LED_ORANGE, 200);
353 LED(LED_GREEN, 200);
354 LED(LED_ORANGE, 200);
355 LED(LED_RED, 200);
356 LED(LED_ORANGE, 200);
357 LED(LED_GREEN, 200);
358 LED(LED_ORANGE, 200);
359 LED(LED_RED, 200);
360
361 int selected = 0;
362 int playing = 0;
363 int cardRead = 0;
364
365 // Turn on selected LED
366 LED(selected + 1, 0);
367
368 for (;;)
369 {
370 usb_poll();
371 WDT_HIT();
372
373 // Was our button held down or pressed?
374 int button_pressed = BUTTON_HELD(1000);
375 SpinDelay(300);
376
377 // Button was held for a second, begin recording
378 if (button_pressed > 0 && cardRead == 0)
379 {
380 LEDsoff();
381 LED(selected + 1, 0);
382 LED(LED_RED2, 0);
383
384 // record
385 DbpString("Starting recording");
386
387 // wait for button to be released
388 while(BUTTON_PRESS())
389 WDT_HIT();
390
391 /* need this delay to prevent catching some weird data */
392 SpinDelay(500);
393
394 CmdHIDdemodFSK(1, &high[selected], &low[selected], 0);
395 Dbprintf("Recorded %x %x %x", selected, high[selected], low[selected]);
396
397 LEDsoff();
398 LED(selected + 1, 0);
399 // Finished recording
400
401 // If we were previously playing, set playing off
402 // so next button push begins playing what we recorded
403 playing = 0;
404
405 cardRead = 1;
406
407 }
408
409 else if (button_pressed > 0 && cardRead == 1)
410 {
411 LEDsoff();
412 LED(selected + 1, 0);
413 LED(LED_ORANGE, 0);
414
415 // record
416 Dbprintf("Cloning %x %x %x", selected, high[selected], low[selected]);
417
418 // wait for button to be released
419 while(BUTTON_PRESS())
420 WDT_HIT();
421
422 /* need this delay to prevent catching some weird data */
423 SpinDelay(500);
424
425 CopyHIDtoT55x7(high[selected], low[selected], 0, 0);
426 Dbprintf("Cloned %x %x %x", selected, high[selected], low[selected]);
427
428 LEDsoff();
429 LED(selected + 1, 0);
430 // Finished recording
431
432 // If we were previously playing, set playing off
433 // so next button push begins playing what we recorded
434 playing = 0;
435
436 cardRead = 0;
437
438 }
439
440 // Change where to record (or begin playing)
441 else if (button_pressed)
442 {
443 // Next option if we were previously playing
444 if (playing)
445 selected = (selected + 1) % OPTS;
446 playing = !playing;
447
448 LEDsoff();
449 LED(selected + 1, 0);
450
451 // Begin transmitting
452 if (playing)
453 {
454 LED(LED_GREEN, 0);
455 DbpString("Playing");
456 // wait for button to be released
457 while(BUTTON_PRESS())
458 WDT_HIT();
459 Dbprintf("%x %x %x", selected, high[selected], low[selected]);
460 CmdHIDsimTAG(high[selected], low[selected], 0);
461 DbpString("Done playing");
462 if (BUTTON_HELD(1000) > 0)
463 {
464 DbpString("Exiting");
465 LEDsoff();
466 return;
467 }
468
469 /* We pressed a button so ignore it here with a delay */
470 SpinDelay(300);
471
472 // when done, we're done playing, move to next option
473 selected = (selected + 1) % OPTS;
474 playing = !playing;
475 LEDsoff();
476 LED(selected + 1, 0);
477 }
478 else
479 while(BUTTON_PRESS())
480 WDT_HIT();
481 }
482 }
483 }
484 #endif
485
486 /*
487 OBJECTIVE
488 Listen and detect an external reader. Determine the best location
489 for the antenna.
490
491 INSTRUCTIONS:
492 Inside the ListenReaderField() function, there is two mode.
493 By default, when you call the function, you will enter mode 1.
494 If you press the PM3 button one time, you will enter mode 2.
495 If you press the PM3 button a second time, you will exit the function.
496
497 DESCRIPTION OF MODE 1:
498 This mode just listens for an external reader field and lights up green
499 for HF and/or red for LF. This is the original mode of the detectreader
500 function.
501
502 DESCRIPTION OF MODE 2:
503 This mode will visually represent, using the LEDs, the actual strength of the
504 current compared to the maximum current detected. Basically, once you know
505 what kind of external reader is present, it will help you spot the best location to place
506 your antenna. You will probably not get some good results if there is a LF and a HF reader
507 at the same place! :-)
508
509 LIGHT SCHEME USED:
510 */
511 static const char LIGHT_SCHEME[] = {
512 0x0, /* ---- | No field detected */
513 0x1, /* X--- | 14% of maximum current detected */
514 0x2, /* -X-- | 29% of maximum current detected */
515 0x4, /* --X- | 43% of maximum current detected */
516 0x8, /* ---X | 57% of maximum current detected */
517 0xC, /* --XX | 71% of maximum current detected */
518 0xE, /* -XXX | 86% of maximum current detected */
519 0xF, /* XXXX | 100% of maximum current detected */
520 };
521 static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
522
523 void ListenReaderField(int limit)
524 {
525 int lf_av, lf_av_new, lf_baseline= 0, lf_max;
526 int hf_av, hf_av_new, hf_baseline= 0, hf_max;
527 int mode=1, display_val, display_max, i;
528
529 #define LF_ONLY 1
530 #define HF_ONLY 2
531 #define REPORT_CHANGE 10 // report new values only if they have changed at least by REPORT_CHANGE
532
533
534 // switch off FPGA - we don't want to measure our own signal
535 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
536 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
537
538 LEDsoff();
539
540 lf_av = lf_max = AvgAdc(ADC_CHAN_LF);
541
542 if(limit != HF_ONLY) {
543 Dbprintf("LF 125/134kHz Baseline: %dmV", (MAX_ADC_LF_VOLTAGE * lf_av) >> 10);
544 lf_baseline = lf_av;
545 }
546
547 hf_av = hf_max = AvgAdc(ADC_CHAN_HF);
548
549 if (limit != LF_ONLY) {
550 Dbprintf("HF 13.56MHz Baseline: %dmV", (MAX_ADC_HF_VOLTAGE * hf_av) >> 10);
551 hf_baseline = hf_av;
552 }
553
554 for(;;) {
555 if (BUTTON_PRESS()) {
556 SpinDelay(500);
557 switch (mode) {
558 case 1:
559 mode=2;
560 DbpString("Signal Strength Mode");
561 break;
562 case 2:
563 default:
564 DbpString("Stopped");
565 LEDsoff();
566 return;
567 break;
568 }
569 }
570 WDT_HIT();
571
572 if (limit != HF_ONLY) {
573 if(mode == 1) {
574 if (abs(lf_av - lf_baseline) > REPORT_CHANGE)
575 LED_D_ON();
576 else
577 LED_D_OFF();
578 }
579
580 lf_av_new = AvgAdc(ADC_CHAN_LF);
581 // see if there's a significant change
582 if(abs(lf_av - lf_av_new) > REPORT_CHANGE) {
583 Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE * lf_av_new) >> 10);
584 lf_av = lf_av_new;
585 if (lf_av > lf_max)
586 lf_max = lf_av;
587 }
588 }
589
590 if (limit != LF_ONLY) {
591 if (mode == 1){
592 if (abs(hf_av - hf_baseline) > REPORT_CHANGE)
593 LED_B_ON();
594 else
595 LED_B_OFF();
596 }
597
598 hf_av_new = AvgAdc(ADC_CHAN_HF);
599 // see if there's a significant change
600 if(abs(hf_av - hf_av_new) > REPORT_CHANGE) {
601 Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE * hf_av_new) >> 10);
602 hf_av = hf_av_new;
603 if (hf_av > hf_max)
604 hf_max = hf_av;
605 }
606 }
607
608 if(mode == 2) {
609 if (limit == LF_ONLY) {
610 display_val = lf_av;
611 display_max = lf_max;
612 } else if (limit == HF_ONLY) {
613 display_val = hf_av;
614 display_max = hf_max;
615 } else { /* Pick one at random */
616 if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
617 display_val = hf_av;
618 display_max = hf_max;
619 } else {
620 display_val = lf_av;
621 display_max = lf_max;
622 }
623 }
624 for (i=0; i<LIGHT_LEN; i++) {
625 if (display_val >= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) {
626 if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF();
627 if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF();
628 if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF();
629 if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF();
630 break;
631 }
632 }
633 }
634 }
635 }
636
637 void UsbPacketReceived(uint8_t *packet, int len)
638 {
639 UsbCommand *c = (UsbCommand *)packet;
640
641 //Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
642
643 switch(c->cmd) {
644 #ifdef WITH_LF
645 case CMD_SET_LF_SAMPLING_CONFIG:
646 setSamplingConfig((sample_config *) c->d.asBytes);
647 break;
648 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
649 cmd_send(CMD_ACK,SampleLF(c->arg[0]),0,0,0,0);
650 break;
651 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
652 ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
653 break;
654 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
655 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
656 break;
657 case CMD_HID_DEMOD_FSK:
658 CmdHIDdemodFSK(c->arg[0], 0, 0, 1);
659 break;
660 case CMD_HID_SIM_TAG:
661 CmdHIDsimTAG(c->arg[0], c->arg[1], 1);
662 break;
663 case CMD_FSK_SIM_TAG:
664 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
665 break;
666 case CMD_ASK_SIM_TAG:
667 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
668 break;
669 case CMD_PSK_SIM_TAG:
670 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
671 break;
672 case CMD_HID_CLONE_TAG:
673 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
674 break;
675 case CMD_IO_DEMOD_FSK:
676 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
677 break;
678 case CMD_IO_CLONE_TAG:
679 CopyIOtoT55x7(c->arg[0], c->arg[1], c->d.asBytes[0]);
680 break;
681 case CMD_EM410X_DEMOD:
682 CmdEM410xdemod(c->arg[0], 0, 0, 1);
683 break;
684 case CMD_EM410X_WRITE_TAG:
685 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
686 break;
687 case CMD_READ_TI_TYPE:
688 ReadTItag();
689 break;
690 case CMD_WRITE_TI_TYPE:
691 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
692 break;
693 case CMD_SIMULATE_TAG_125K:
694 SimulateTagLowFrequency(c->arg[0], c->arg[1], 0);
695 //SimulateTagLowFrequencyA(c->arg[0], c->arg[1]);
696 break;
697 case CMD_LF_SIMULATE_BIDIR:
698 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
699 break;
700 case CMD_INDALA_CLONE_TAG:
701 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
702 break;
703 case CMD_INDALA_CLONE_TAG_L:
704 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
705 break;
706 case CMD_T55XX_READ_BLOCK:
707 T55xxReadBlock(c->arg[1], c->arg[2],c->d.asBytes[0]);
708 break;
709 case CMD_T55XX_WRITE_BLOCK:
710 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
711 break;
712 case CMD_T55XX_READ_TRACE:
713 T55xxReadTrace();
714 break;
715 case CMD_PCF7931_READ:
716 ReadPCF7931();
717 cmd_send(CMD_ACK,0,0,0,0,0);
718 break;
719 case CMD_EM4X_READ_WORD:
720 EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]);
721 break;
722 case CMD_EM4X_WRITE_WORD:
723 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
724 break;
725 #endif
726
727 #ifdef WITH_HITAG
728 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
729 SnoopHitag(c->arg[0]);
730 break;
731 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
732 SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
733 break;
734 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
735 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
736 break;
737 #endif
738
739 #ifdef WITH_ISO15693
740 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
741 AcquireRawAdcSamplesIso15693();
742 break;
743 case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693:
744 RecordRawAdcSamplesIso15693();
745 break;
746
747 case CMD_ISO_15693_COMMAND:
748 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
749 break;
750
751 case CMD_ISO_15693_FIND_AFI:
752 BruteforceIso15693Afi(c->arg[0]);
753 break;
754
755 case CMD_ISO_15693_DEBUG:
756 SetDebugIso15693(c->arg[0]);
757 break;
758
759 case CMD_READER_ISO_15693:
760 ReaderIso15693(c->arg[0]);
761 break;
762 case CMD_SIMTAG_ISO_15693:
763 SimTagIso15693(c->arg[0], c->d.asBytes);
764 break;
765 #endif
766
767 #ifdef WITH_LEGICRF
768 case CMD_SIMULATE_TAG_LEGIC_RF:
769 LegicRfSimulate(c->arg[0], c->arg[1], c->arg[2]);
770 break;
771
772 case CMD_WRITER_LEGIC_RF:
773 LegicRfWriter(c->arg[1], c->arg[0]);
774 break;
775
776 case CMD_READER_LEGIC_RF:
777 LegicRfReader(c->arg[0], c->arg[1]);
778 break;
779 #endif
780
781 #ifdef WITH_ISO14443b
782 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_14443:
783 AcquireRawAdcSamplesIso14443(c->arg[0]);
784 break;
785 case CMD_READ_SRI512_TAG:
786 ReadSTMemoryIso14443(0x0F);
787 break;
788 case CMD_READ_SRIX4K_TAG:
789 ReadSTMemoryIso14443(0x7F);
790 break;
791 case CMD_SNOOP_ISO_14443:
792 SnoopIso14443();
793 break;
794 case CMD_SIMULATE_TAG_ISO_14443:
795 SimulateIso14443Tag();
796 break;
797 case CMD_ISO_14443B_COMMAND:
798 SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
799 break;
800 #endif
801
802 #ifdef WITH_ISO14443a
803 case CMD_SNOOP_ISO_14443a:
804 SnoopIso14443a(c->arg[0]);
805 break;
806 case CMD_READER_ISO_14443a:
807 ReaderIso14443a(c);
808 break;
809 case CMD_SIMULATE_TAG_ISO_14443a:
810 SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
811 break;
812
813 case CMD_EPA_PACE_COLLECT_NONCE:
814 EPA_PACE_Collect_Nonce(c);
815 break;
816
817 // case CMD_EPA_:
818 // EpaFoo(c);
819 // break;
820
821 case CMD_READER_MIFARE:
822 ReaderMifare(c->arg[0]);
823 break;
824 case CMD_MIFARE_READBL:
825 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
826 break;
827 case CMD_MIFAREU_READBL:
828 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
829 break;
830 case CMD_MIFAREUC_AUTH1:
831 MifareUC_Auth1(c->arg[0],c->d.asBytes);
832 break;
833 case CMD_MIFAREUC_AUTH2:
834 MifareUC_Auth2(c->arg[0],c->d.asBytes);
835 break;
836 case CMD_MIFAREU_READCARD:
837 MifareUReadCard(c->arg[0], c->arg[1], c->d.asBytes);
838 break;
839 case CMD_MIFAREUC_READCARD:
840 MifareUReadCard(c->arg[0], c->arg[1], c->d.asBytes);
841 break;
842 case CMD_MIFAREUC_SETPWD:
843 MifareUSetPwd(c->arg[0], c->d.asBytes);
844 break;
845 case CMD_MIFARE_READSC:
846 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
847 break;
848 case CMD_MIFARE_WRITEBL:
849 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
850 break;
851 case CMD_MIFAREU_WRITEBL_COMPAT:
852 MifareUWriteBlock(c->arg[0], c->d.asBytes);
853 break;
854 case CMD_MIFAREU_WRITEBL:
855 MifareUWriteBlock_Special(c->arg[0], c->d.asBytes);
856 break;
857 case CMD_MIFARE_NESTED:
858 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
859 break;
860 case CMD_MIFARE_CHKKEYS:
861 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
862 break;
863 case CMD_SIMULATE_MIFARE_CARD:
864 Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
865 break;
866
867 // emulator
868 case CMD_MIFARE_SET_DBGMODE:
869 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
870 break;
871 case CMD_MIFARE_EML_MEMCLR:
872 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
873 break;
874 case CMD_MIFARE_EML_MEMSET:
875 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
876 break;
877 case CMD_MIFARE_EML_MEMGET:
878 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
879 break;
880 case CMD_MIFARE_EML_CARDLOAD:
881 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
882 break;
883
884 // Work with "magic Chinese" card
885 case CMD_MIFARE_CSETBLOCK:
886 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
887 break;
888 case CMD_MIFARE_CGETBLOCK:
889 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
890 break;
891 case CMD_MIFARE_CIDENT:
892 MifareCIdent();
893 break;
894
895 // mifare sniffer
896 case CMD_MIFARE_SNIFFER:
897 SniffMifare(c->arg[0]);
898 break;
899
900 //mifare desfire
901 case CMD_MIFARE_DESFIRE_READBL: break;
902 case CMD_MIFARE_DESFIRE_WRITEBL: break;
903 case CMD_MIFARE_DESFIRE_AUTH1:
904 MifareDES_Auth1(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
905 break;
906 case CMD_MIFARE_DESFIRE_AUTH2:
907 //MifareDES_Auth2(c->arg[0],c->d.asBytes);
908 break;
909 case CMD_MIFARE_DES_READER:
910 //readermifaredes(c->arg[0], c->arg[1], c->d.asBytes);
911 break;
912 case CMD_MIFARE_DESFIRE_INFO:
913 MifareDesfireGetInformation();
914 break;
915 case CMD_MIFARE_DESFIRE:
916 MifareSendCommand(c->arg[0], c->arg[1], c->d.asBytes);
917 break;
918
919 case CMD_MIFARE_COLLECT_NONCES:
920 MifareCollectNonces(c->arg[0], c->arg[1]);
921 break;
922 #endif
923
924 #ifdef WITH_ICLASS
925 // Makes use of ISO14443a FPGA Firmware
926 case CMD_SNOOP_ICLASS:
927 SnoopIClass();
928 break;
929 case CMD_SIMULATE_TAG_ICLASS:
930 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
931 break;
932 case CMD_READER_ICLASS:
933 ReaderIClass(c->arg[0]);
934 break;
935 case CMD_READER_ICLASS_REPLAY:
936 ReaderIClass_Replay(c->arg[0], c->d.asBytes);
937 break;
938 case CMD_ICLASS_EML_MEMSET:
939 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
940 break;
941 #endif
942
943 case CMD_SIMULATE_TAG_HF_LISTEN:
944 SimulateTagHfListen();
945 break;
946
947 case CMD_BUFF_CLEAR:
948 BigBuf_Clear();
949 break;
950
951 case CMD_MEASURE_ANTENNA_TUNING:
952 MeasureAntennaTuning();
953 break;
954
955 case CMD_MEASURE_ANTENNA_TUNING_HF:
956 MeasureAntennaTuningHf();
957 break;
958
959 case CMD_LISTEN_READER_FIELD:
960 ListenReaderField(c->arg[0]);
961 break;
962
963 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
964 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
965 SpinDelay(200);
966 LED_D_OFF(); // LED D indicates field ON or OFF
967 break;
968
969 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K:
970
971 LED_B_ON();
972 uint8_t *BigBuf = BigBuf_get_addr();
973 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
974 size_t len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
975 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
976 }
977 // Trigger a finish downloading signal with an ACK frame
978 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
979 LED_B_OFF();
980 break;
981
982 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
983 uint8_t *b = BigBuf_get_addr();
984 memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
985 cmd_send(CMD_ACK,0,0,0,0,0);
986 break;
987 }
988 case CMD_READ_MEM:
989 ReadMem(c->arg[0]);
990 break;
991
992 case CMD_SET_LF_DIVISOR:
993 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
994 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
995 break;
996
997 case CMD_SET_ADC_MUX:
998 switch(c->arg[0]) {
999 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1000 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1001 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1002 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1003 }
1004 break;
1005
1006 case CMD_VERSION:
1007 SendVersion();
1008 break;
1009
1010 #ifdef WITH_LCD
1011 case CMD_LCD_RESET:
1012 LCDReset();
1013 break;
1014 case CMD_LCD:
1015 LCDSend(c->arg[0]);
1016 break;
1017 #endif
1018 case CMD_SETUP_WRITE:
1019 case CMD_FINISH_WRITE:
1020 case CMD_HARDWARE_RESET:
1021 usb_disable();
1022 SpinDelay(1000);
1023 SpinDelay(1000);
1024 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1025 for(;;) {
1026 // We're going to reset, and the bootrom will take control.
1027 }
1028 break;
1029
1030 case CMD_START_FLASH:
1031 if(common_area.flags.bootrom_present) {
1032 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1033 }
1034 usb_disable();
1035 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1036 for(;;);
1037 break;
1038
1039 case CMD_DEVICE_INFO: {
1040 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1041 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1042 cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1043 break;
1044 }
1045 default:
1046 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1047 break;
1048 }
1049 }
1050
1051 void __attribute__((noreturn)) AppMain(void)
1052 {
1053 SpinDelay(100);
1054 clear_trace();
1055 if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
1056 /* Initialize common area */
1057 memset(&common_area, 0, sizeof(common_area));
1058 common_area.magic = COMMON_AREA_MAGIC;
1059 common_area.version = 1;
1060 }
1061 common_area.flags.osimage_present = 1;
1062
1063 LED_D_OFF();
1064 LED_C_OFF();
1065 LED_B_OFF();
1066 LED_A_OFF();
1067
1068 // Init USB device
1069 usb_enable();
1070
1071 // The FPGA gets its clock from us from PCK0 output, so set that up.
1072 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
1073 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
1074 AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
1075 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1076 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
1077 AT91C_PMC_PRES_CLK_4;
1078 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
1079
1080 // Reset SPI
1081 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
1082 // Reset SSC
1083 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
1084
1085 // Load the FPGA image, which we have stored in our flash.
1086 // (the HF version by default)
1087 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1088
1089 StartTickCount();
1090
1091 #ifdef WITH_LCD
1092 LCDInit();
1093 #endif
1094
1095 byte_t rx[sizeof(UsbCommand)];
1096 size_t rx_len;
1097
1098 for(;;) {
1099 if (usb_poll()) {
1100 rx_len = usb_read(rx,sizeof(UsbCommand));
1101 if (rx_len) {
1102 UsbPacketReceived(rx,rx_len);
1103 }
1104 }
1105 WDT_HIT();
1106
1107 #ifdef WITH_LF
1108 if (BUTTON_HELD(1000) > 0)
1109 SamyRun();
1110 #endif
1111 }
1112 }
Proxmark3 GIT tracking
Impressum, Datenschutz