]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/appmain.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add 'hf 15 csetuid' command to set UID on ISO15693 Magic tags (#842)
[proxmark3-svn] / armsrc / appmain.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, Mar 2006
3 // Edits by Gerhard de Koning Gans, Sep 2007 (##)
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // The main application code. This is the first thing called after start.c
10 // executes.
11 //-----------------------------------------------------------------------------
12
13 #include <stdarg.h>
14
15 #include "usb_cdc.h"
16 #include "cmd.h"
17 #include "proxmark3.h"
18 #include "apps.h"
19 #include "fpga.h"
20 #include "util.h"
21 #include "printf.h"
22 #include "string.h"
23 #include "legicrf.h"
24 #include "legicrfsim.h"
25 #include "hitag2.h"
26 #include "hitagS.h"
27 #include "iso14443b.h"
28 #include "iso15693.h"
29 #include "lfsampling.h"
30 #include "BigBuf.h"
31 #include "mifareutil.h"
32 #include "mifaresim.h"
33 #include "pcf7931.h"
34 #include "i2c.h"
35 #include "hfsnoop.h"
36 #include "fpgaloader.h"
37 #ifdef WITH_LCD
38 #include "LCD.h"
39 #endif
40
41 static uint32_t hw_capabilities;
42
43 // Craig Young - 14a stand-alone code
44 #ifdef WITH_ISO14443a
45 #include "iso14443a.h"
46 #endif
47
48 //=============================================================================
49 // A buffer where we can queue things up to be sent through the FPGA, for
50 // any purpose (fake tag, as reader, whatever). We go MSB first, since that
51 // is the order in which they go out on the wire.
52 //=============================================================================
53
54 #define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
55 uint8_t ToSend[TOSEND_BUFFER_SIZE];
56 int ToSendMax;
57 static int ToSendBit;
58 struct common_area common_area __attribute__((section(".commonarea")));
59
60 void ToSendReset(void)
61 {
62 ToSendMax = -1;
63 ToSendBit = 8;
64 }
65
66 void ToSendStuffBit(int b)
67 {
68 if(ToSendBit >= 8) {
69 ToSendMax++;
70 ToSend[ToSendMax] = 0;
71 ToSendBit = 0;
72 }
73
74 if(b) {
75 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
76 }
77
78 ToSendBit++;
79
80 if(ToSendMax >= sizeof(ToSend)) {
81 ToSendBit = 0;
82 DbpString("ToSendStuffBit overflowed!");
83 }
84 }
85
86 //=============================================================================
87 // Debug print functions, to go out over USB, to the usual PC-side client.
88 //=============================================================================
89
90 void DbpString(char *str)
91 {
92 byte_t len = strlen(str);
93 cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len);
94 }
95
96 #if 0
97 void DbpIntegers(int x1, int x2, int x3)
98 {
99 cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
100 }
101 #endif
102
103 void Dbprintf(const char *fmt, ...) {
104 // should probably limit size here; oh well, let's just use a big buffer
105 char output_string[128];
106 va_list ap;
107
108 va_start(ap, fmt);
109 kvsprintf(fmt, output_string, 10, ap);
110 va_end(ap);
111
112 DbpString(output_string);
113 }
114
115 // prints HEX & ASCII
116 void Dbhexdump(int len, uint8_t *d, bool bAsci) {
117 int l=0,i;
118 char ascii[9];
119
120 while (len>0) {
121 if (len>8) l=8;
122 else l=len;
123
124 memcpy(ascii,d,l);
125 ascii[l]=0;
126
127 // filter safe ascii
128 for (i=0;i<l;i++)
129 if (ascii[i]<32 || ascii[i]>126) ascii[i]='.';
130
131 if (bAsci) {
132 Dbprintf("%-8s %*D",ascii,l,d," ");
133 } else {
134 Dbprintf("%*D",l,d," ");
135 }
136
137 len-=8;
138 d+=8;
139 }
140 }
141
142 //-----------------------------------------------------------------------------
143 // Read an ADC channel and block till it completes, then return the result
144 // in ADC units (0 to 1023). Also a routine to average 32 samples and
145 // return that.
146 //-----------------------------------------------------------------------------
147 static int ReadAdc(int ch)
148 {
149 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
150 // AMPL_HI is a high impedance (10MOhm || 1MOhm) output, the input capacitance of the ADC is 12pF (typical). This results in a time constant
151 // of RC = (0.91MOhm) * 12pF = 10.9us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
152 //
153 // The maths are:
154 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
155 //
156 // v_cap = v_in * (1 - exp(-SHTIM/RC)) = v_in * (1 - exp(-40us/10.9us)) = v_in * 0,97 (i.e. an error of 3%)
157
158 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
159 AT91C_BASE_ADC->ADC_MR =
160 ADC_MODE_PRESCALE(63) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
161 ADC_MODE_STARTUP_TIME(1) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
162 ADC_MODE_SAMPLE_HOLD_TIME(15); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
163
164 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
165 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
166
167 while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch))) {};
168
169 return AT91C_BASE_ADC->ADC_CDR[ch] & 0x3ff;
170 }
171
172 int AvgAdc(int ch) // was static - merlok
173 {
174 int i;
175 int a = 0;
176
177 for(i = 0; i < 32; i++) {
178 a += ReadAdc(ch);
179 }
180
181 return (a + 15) >> 5;
182 }
183
184 static int AvgAdc_Voltage_HF(void)
185 {
186 int AvgAdc_Voltage_Low, AvgAdc_Voltage_High;
187
188 AvgAdc_Voltage_Low= (MAX_ADC_HF_VOLTAGE_LOW * AvgAdc(ADC_CHAN_HF_LOW)) >> 10;
189 // if voltage range is about to be exceeded, use high voltage ADC channel if available (RDV40 only)
190 if (AvgAdc_Voltage_Low > MAX_ADC_HF_VOLTAGE_LOW - 300) {
191 AvgAdc_Voltage_High = (MAX_ADC_HF_VOLTAGE_HIGH * AvgAdc(ADC_CHAN_HF_HIGH)) >> 10;
192 if (AvgAdc_Voltage_High >= AvgAdc_Voltage_Low) {
193 return AvgAdc_Voltage_High;
194 }
195 }
196 return AvgAdc_Voltage_Low;
197 }
198
199 static int AvgAdc_Voltage_LF(void)
200 {
201 return (MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10;
202 }
203
204 void MeasureAntennaTuningLfOnly(int *vLf125, int *vLf134, int *peakf, int *peakv, uint8_t LF_Results[])
205 {
206 int i, adcval = 0, peak = 0;
207
208 /*
209 * Sweeps the useful LF range of the proxmark from
210 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
211 * read the voltage in the antenna, the result left
212 * in the buffer is a graph which should clearly show
213 * the resonating frequency of your LF antenna
214 * ( hopefully around 95 if it is tuned to 125kHz!)
215 */
216
217 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
218 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
219 SpinDelay(50);
220
221 for (i=255; i>=19; i--) {
222 WDT_HIT();
223 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
224 SpinDelay(20);
225 adcval = AvgAdc_Voltage_LF();
226 if (i==95) *vLf125 = adcval; // voltage at 125Khz
227 if (i==89) *vLf134 = adcval; // voltage at 134Khz
228
229 LF_Results[i] = adcval >> 9; // scale int to fit in byte for graphing purposes
230 if(LF_Results[i] > peak) {
231 *peakv = adcval;
232 peak = LF_Results[i];
233 *peakf = i;
234 //ptr = i;
235 }
236 }
237
238 for (i=18; i >= 0; i--) LF_Results[i] = 0;
239
240 return;
241 }
242
243 void MeasureAntennaTuningHfOnly(int *vHf)
244 {
245 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
246 LED_A_ON();
247 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
248 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
249 SpinDelay(20);
250 *vHf = AvgAdc_Voltage_HF();
251 LED_A_OFF();
252 return;
253 }
254
255 void MeasureAntennaTuning(int mode)
256 {
257 uint8_t LF_Results[256] = {0};
258 int peakv = 0, peakf = 0;
259 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
260
261 LED_B_ON();
262
263 if (((mode & FLAG_TUNE_ALL) == FLAG_TUNE_ALL) && (FpgaGetCurrent() == FPGA_BITSTREAM_HF)) {
264 // Reverse "standard" order if HF already loaded, to avoid unnecessary swap.
265 MeasureAntennaTuningHfOnly(&vHf);
266 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
267 } else {
268 if (mode & FLAG_TUNE_LF) {
269 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
270 }
271 if (mode & FLAG_TUNE_HF) {
272 MeasureAntennaTuningHfOnly(&vHf);
273 }
274 }
275
276 cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125>>1 | (vLf134>>1<<16), vHf, peakf | (peakv>>1<<16), LF_Results, 256);
277 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
278 LED_B_OFF();
279 return;
280 }
281
282 void MeasureAntennaTuningHf(void)
283 {
284 int vHf = 0; // in mV
285
286 DbpString("Measuring HF antenna, press button to exit");
287
288 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
289 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
290 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
291
292 for (;;) {
293 SpinDelay(500);
294 vHf = AvgAdc_Voltage_HF();
295
296 Dbprintf("%d mV",vHf);
297 if (BUTTON_PRESS()) break;
298 }
299 DbpString("cancelled");
300
301 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
302
303 }
304
305
306 void ReadMem(int addr)
307 {
308 const uint8_t *data = ((uint8_t *)addr);
309
310 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
311 addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
312 }
313
314 /* osimage version information is linked in */
315 extern struct version_information version_information;
316 /* bootrom version information is pointed to from _bootphase1_version_pointer */
317 extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
318
319
320 void set_hw_capabilities(void)
321 {
322 if (I2C_is_available()) {
323 hw_capabilities |= HAS_SMARTCARD_SLOT;
324 }
325
326 if (false) { // TODO: implement a test
327 hw_capabilities |= HAS_EXTRA_FLASH_MEM;
328 }
329 }
330
331
332 void SendVersion(void)
333 {
334 set_hw_capabilities();
335
336 char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
337 char VersionString[USB_CMD_DATA_SIZE] = { '\0' };
338
339 /* Try to find the bootrom version information. Expect to find a pointer at
340 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
341 * pointer, then use it.
342 */
343 char *bootrom_version = *(char**)&_bootphase1_version_pointer;
344 if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
345 strcat(VersionString, "bootrom version information appears invalid\n");
346 } else {
347 FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
348 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
349 }
350
351 FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
352 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
353
354 for (int i = 0; i < fpga_bitstream_num; i++) {
355 strncat(VersionString, fpga_version_information[i], sizeof(VersionString) - strlen(VersionString) - 1);
356 strncat(VersionString, "\n", sizeof(VersionString) - strlen(VersionString) - 1);
357 }
358
359 // test availability of SmartCard slot
360 if (I2C_is_available()) {
361 strncat(VersionString, "SmartCard Slot: available\n", sizeof(VersionString) - strlen(VersionString) - 1);
362 } else {
363 strncat(VersionString, "SmartCard Slot: not available\n", sizeof(VersionString) - strlen(VersionString) - 1);
364 }
365
366 // Send Chip ID and used flash memory
367 uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
368 uint32_t compressed_data_section_size = common_area.arg1;
369 cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, hw_capabilities, VersionString, strlen(VersionString));
370 }
371
372 // measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
373 // Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
374 void printUSBSpeed(void)
375 {
376 Dbprintf("USB Speed:");
377 Dbprintf(" Sending USB packets to client...");
378
379 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
380 uint8_t *test_data = BigBuf_get_addr();
381 uint32_t end_time;
382
383 uint32_t start_time = end_time = GetTickCount();
384 uint32_t bytes_transferred = 0;
385
386 LED_B_ON();
387 while(end_time < start_time + USB_SPEED_TEST_MIN_TIME) {
388 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE);
389 end_time = GetTickCount();
390 bytes_transferred += USB_CMD_DATA_SIZE;
391 }
392 LED_B_OFF();
393
394 Dbprintf(" Time elapsed: %dms", end_time - start_time);
395 Dbprintf(" Bytes transferred: %d", bytes_transferred);
396 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
397 1000 * bytes_transferred / (end_time - start_time));
398
399 }
400
401 /**
402 * Prints runtime information about the PM3.
403 **/
404 void SendStatus(void)
405 {
406 BigBuf_print_status();
407 Fpga_print_status();
408 #ifdef WITH_SMARTCARD
409 I2C_print_status();
410 #endif
411 printConfig(); //LF Sampling config
412 printUSBSpeed();
413 Dbprintf("Various");
414 Dbprintf(" MF_DBGLEVEL........%d", MF_DBGLEVEL);
415 Dbprintf(" ToSendMax..........%d", ToSendMax);
416 Dbprintf(" ToSendBit..........%d", ToSendBit);
417
418 cmd_send(CMD_ACK,1,0,0,0,0);
419 }
420
421 #if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF_StandAlone)
422
423 #define OPTS 2
424
425 void StandAloneMode()
426 {
427 DbpString("Stand-alone mode! No PC necessary.");
428 // Oooh pretty -- notify user we're in elite samy mode now
429 LED(LED_RED, 200);
430 LED(LED_ORANGE, 200);
431 LED(LED_GREEN, 200);
432 LED(LED_ORANGE, 200);
433 LED(LED_RED, 200);
434 LED(LED_ORANGE, 200);
435 LED(LED_GREEN, 200);
436 LED(LED_ORANGE, 200);
437 LED(LED_RED, 200);
438
439 }
440
441 #endif
442
443
444
445 #ifdef WITH_ISO14443a_StandAlone
446 void StandAloneMode14a()
447 {
448 StandAloneMode();
449 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
450
451 int selected = 0;
452 bool playing = false, GotoRecord = false, GotoClone = false;
453 bool cardRead[OPTS] = {false};
454 uint8_t readUID[10] = {0};
455 uint32_t uid_1st[OPTS]={0};
456 uint32_t uid_2nd[OPTS]={0};
457 uint32_t uid_tmp1 = 0;
458 uint32_t uid_tmp2 = 0;
459 iso14a_card_select_t hi14a_card[OPTS];
460
461 LED(selected + 1, 0);
462
463 for (;;)
464 {
465 usb_poll();
466 WDT_HIT();
467 SpinDelay(300);
468
469 if (GotoRecord || !cardRead[selected])
470 {
471 GotoRecord = false;
472 LEDsoff();
473 LED(selected + 1, 0);
474 LED(LED_RED2, 0);
475
476 // record
477 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected);
478 /* need this delay to prevent catching some weird data */
479 SpinDelay(500);
480 /* Code for reading from 14a tag */
481 uint8_t uid[10] ={0};
482 uint32_t cuid;
483 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
484
485 for ( ; ; )
486 {
487 WDT_HIT();
488 if (BUTTON_PRESS()) {
489 if (cardRead[selected]) {
490 Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
491 break;
492 }
493 else if (cardRead[(selected+1)%OPTS]) {
494 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS);
495 selected = (selected+1)%OPTS;
496 break;
497 }
498 else {
499 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
500 SpinDelay(300);
501 }
502 }
503 if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid, true, 0, true))
504 continue;
505 else
506 {
507 Dbprintf("Read UID:"); Dbhexdump(10,uid,0);
508 memcpy(readUID,uid,10*sizeof(uint8_t));
509 uint8_t *dst = (uint8_t *)&uid_tmp1;
510 // Set UID byte order
511 for (int i=0; i<4; i++)
512 dst[i] = uid[3-i];
513 dst = (uint8_t *)&uid_tmp2;
514 for (int i=0; i<4; i++)
515 dst[i] = uid[7-i];
516 if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) {
517 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
518 }
519 else {
520 if (uid_tmp2) {
521 Dbprintf("Bank[%d] received a 7-byte UID",selected);
522 uid_1st[selected] = (uid_tmp1)>>8;
523 uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8);
524 }
525 else {
526 Dbprintf("Bank[%d] received a 4-byte UID",selected);
527 uid_1st[selected] = uid_tmp1;
528 uid_2nd[selected] = uid_tmp2;
529 }
530 break;
531 }
532 }
533 }
534 Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]);
535 Dbprintf("SAK = %02X",hi14a_card[selected].sak);
536 LEDsoff();
537 LED(LED_GREEN, 200);
538 LED(LED_ORANGE, 200);
539 LED(LED_GREEN, 200);
540 LED(LED_ORANGE, 200);
541
542 LEDsoff();
543 LED(selected + 1, 0);
544
545 // Next state is replay:
546 playing = true;
547
548 cardRead[selected] = true;
549 }
550 /* MF Classic UID clone */
551 else if (GotoClone)
552 {
553 GotoClone=false;
554 LEDsoff();
555 LED(selected + 1, 0);
556 LED(LED_ORANGE, 250);
557
558
559 // record
560 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]);
561
562 // wait for button to be released
563 while(BUTTON_PRESS())
564 {
565 // Delay cloning until card is in place
566 WDT_HIT();
567 }
568 Dbprintf("Starting clone. [Bank: %u]", selected);
569 // need this delay to prevent catching some weird data
570 SpinDelay(500);
571 // Begin clone function here:
572 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
573 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}};
574 memcpy(c.d.asBytes, data, 16);
575 SendCommand(&c);
576
577 Block read is similar:
578 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}};
579 We need to imitate that call with blockNo 0 to set a uid.
580
581 The get and set commands are handled in this file:
582 // Work with "magic Chinese" card
583 case CMD_MIFARE_CSETBLOCK:
584 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
585 break;
586 case CMD_MIFARE_CGETBLOCK:
587 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
588 break;
589
590 mfCSetUID provides example logic for UID set workflow:
591 -Read block0 from card in field with MifareCGetBlock()
592 -Configure new values without replacing reserved bytes
593 memcpy(block0, uid, 4); // Copy UID bytes from byte array
594 // Mifare UID BCC
595 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
596 Bytes 5-7 are reserved SAK and ATQA for mifare classic
597 -Use mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER) to write it
598 */
599 uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0};
600 // arg0 = Flags == CSETBLOCK_SINGLE_OPER=0x1F, arg1=returnSlot, arg2=blockNo
601 MifareCGetBlock(0x3F, 1, 0, oldBlock0);
602 if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
603 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
604 playing = true;
605 }
606 else {
607 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]);
608 memcpy(newBlock0,oldBlock0,16);
609 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
610
611 newBlock0[0] = uid_1st[selected]>>24;
612 newBlock0[1] = 0xFF & (uid_1st[selected]>>16);
613 newBlock0[2] = 0xFF & (uid_1st[selected]>>8);
614 newBlock0[3] = 0xFF & (uid_1st[selected]);
615 newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3];
616 // arg0 = needWipe, arg1 = workFlags, arg2 = blockNo, datain
617 MifareCSetBlock(0, 0xFF,0, newBlock0);
618 MifareCGetBlock(0x3F, 1, 0, testBlock0);
619 if (memcmp(testBlock0,newBlock0,16)==0)
620 {
621 DbpString("Cloned successfull!");
622 cardRead[selected] = false; // Only if the card was cloned successfully should we clear it
623 playing = false;
624 GotoRecord = true;
625 selected = (selected+1) % OPTS;
626 }
627 else {
628 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
629 playing = true;
630 }
631 }
632 LEDsoff();
633 LED(selected + 1, 0);
634
635 }
636 // Change where to record (or begin playing)
637 else if (playing) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
638 {
639 LEDsoff();
640 LED(selected + 1, 0);
641
642 // Begin transmitting
643 LED(LED_GREEN, 0);
644 DbpString("Playing");
645 for ( ; ; ) {
646 WDT_HIT();
647 int button_action = BUTTON_HELD(1000);
648 if (button_action == 0) { // No button action, proceed with sim
649 uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break
650 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected);
651 if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) {
652 DbpString("Mifare Classic");
653 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data); // Mifare Classic
654 }
655 else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) {
656 DbpString("Mifare Ultralight");
657 SimulateIso14443aTag(2,uid_1st[selected],uid_2nd[selected],data); // Mifare Ultralight
658 }
659 else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) {
660 DbpString("Mifare DESFire");
661 SimulateIso14443aTag(3,uid_1st[selected],uid_2nd[selected],data); // Mifare DESFire
662 }
663 else {
664 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
665 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data);
666 }
667 }
668 else if (button_action == BUTTON_SINGLE_CLICK) {
669 selected = (selected + 1) % OPTS;
670 Dbprintf("Done playing. Switching to record mode on bank %d",selected);
671 GotoRecord = true;
672 break;
673 }
674 else if (button_action == BUTTON_HOLD) {
675 Dbprintf("Playtime over. Begin cloning...");
676 GotoClone = true;
677 break;
678 }
679 WDT_HIT();
680 }
681
682 /* We pressed a button so ignore it here with a delay */
683 SpinDelay(300);
684 LEDsoff();
685 LED(selected + 1, 0);
686 }
687 }
688 }
689 #elif WITH_LF_StandAlone
690 // samy's sniff and repeat routine
691 void SamyRun()
692 {
693 StandAloneMode();
694 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
695
696 int tops[OPTS], high[OPTS], low[OPTS];
697 int selected = 0;
698 int playing = 0;
699 int cardRead = 0;
700
701 // Turn on selected LED
702 LED(selected + 1, 0);
703
704 for (;;)
705 {
706 usb_poll();
707 WDT_HIT();
708
709 // Was our button held down or pressed?
710 int button_pressed = BUTTON_HELD(1000);
711 SpinDelay(300);
712
713 // Button was held for a second, begin recording
714 if (button_pressed > 0 && cardRead == 0)
715 {
716 LEDsoff();
717 LED(selected + 1, 0);
718 LED(LED_RED2, 0);
719
720 // record
721 DbpString("Starting recording");
722
723 // wait for button to be released
724 while(BUTTON_PRESS())
725 WDT_HIT();
726
727 /* need this delay to prevent catching some weird data */
728 SpinDelay(500);
729
730 CmdHIDdemodFSK(1, &tops[selected], &high[selected], &low[selected], 0);
731 if (tops[selected] > 0)
732 Dbprintf("Recorded %x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
733 else
734 Dbprintf("Recorded %x %x%08x", selected, high[selected], low[selected]);
735
736 LEDsoff();
737 LED(selected + 1, 0);
738 // Finished recording
739
740 // If we were previously playing, set playing off
741 // so next button push begins playing what we recorded
742 playing = 0;
743
744 cardRead = 1;
745
746 }
747
748 else if (button_pressed > 0 && cardRead == 1)
749 {
750 LEDsoff();
751 LED(selected + 1, 0);
752 LED(LED_ORANGE, 0);
753
754 // record
755 if (tops[selected] > 0)
756 Dbprintf("Cloning %x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
757 else
758 Dbprintf("Cloning %x %x%08x", selected, high[selected], low[selected]);
759
760 // wait for button to be released
761 while(BUTTON_PRESS())
762 WDT_HIT();
763
764 /* need this delay to prevent catching some weird data */
765 SpinDelay(500);
766
767 CopyHIDtoT55x7(tops[selected] & 0x000FFFFF, high[selected], low[selected], (tops[selected] != 0 && ((high[selected]& 0xFFFFFFC0) != 0)), 0x1D);
768 if (tops[selected] > 0)
769 Dbprintf("Cloned %x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
770 else
771 Dbprintf("Cloned %x %x%08x", selected, high[selected], low[selected]);
772
773 LEDsoff();
774 LED(selected + 1, 0);
775 // Finished recording
776
777 // If we were previously playing, set playing off
778 // so next button push begins playing what we recorded
779 playing = 0;
780
781 cardRead = 0;
782
783 }
784
785 // Change where to record (or begin playing)
786 else if (button_pressed)
787 {
788 // Next option if we were previously playing
789 if (playing)
790 selected = (selected + 1) % OPTS;
791 playing = !playing;
792
793 LEDsoff();
794 LED(selected + 1, 0);
795
796 // Begin transmitting
797 if (playing)
798 {
799 LED(LED_GREEN, 0);
800 DbpString("Playing");
801 // wait for button to be released
802 while(BUTTON_PRESS())
803 WDT_HIT();
804 if (tops[selected] > 0)
805 Dbprintf("%x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
806 else
807 Dbprintf("%x %x%08x", selected, high[selected], low[selected]);
808
809 CmdHIDsimTAG(tops[selected], high[selected], low[selected], 0);
810 DbpString("Done playing");
811 if (BUTTON_HELD(1000) > 0)
812 {
813 DbpString("Exiting");
814 LEDsoff();
815 return;
816 }
817
818 /* We pressed a button so ignore it here with a delay */
819 SpinDelay(300);
820
821 // when done, we're done playing, move to next option
822 selected = (selected + 1) % OPTS;
823 playing = !playing;
824 LEDsoff();
825 LED(selected + 1, 0);
826 }
827 else
828 while(BUTTON_PRESS())
829 WDT_HIT();
830 }
831 }
832 }
833
834 #endif
835 /*
836 OBJECTIVE
837 Listen and detect an external reader. Determine the best location
838 for the antenna.
839
840 INSTRUCTIONS:
841 Inside the ListenReaderField() function, there is two mode.
842 By default, when you call the function, you will enter mode 1.
843 If you press the PM3 button one time, you will enter mode 2.
844 If you press the PM3 button a second time, you will exit the function.
845
846 DESCRIPTION OF MODE 1:
847 This mode just listens for an external reader field and lights up green
848 for HF and/or red for LF. This is the original mode of the detectreader
849 function.
850
851 DESCRIPTION OF MODE 2:
852 This mode will visually represent, using the LEDs, the actual strength of the
853 current compared to the maximum current detected. Basically, once you know
854 what kind of external reader is present, it will help you spot the best location to place
855 your antenna. You will probably not get some good results if there is a LF and a HF reader
856 at the same place! :-)
857
858 LIGHT SCHEME USED:
859 */
860 static const char LIGHT_SCHEME[] = {
861 0x0, /* ---- | No field detected */
862 0x1, /* X--- | 14% of maximum current detected */
863 0x2, /* -X-- | 29% of maximum current detected */
864 0x4, /* --X- | 43% of maximum current detected */
865 0x8, /* ---X | 57% of maximum current detected */
866 0xC, /* --XX | 71% of maximum current detected */
867 0xE, /* -XXX | 86% of maximum current detected */
868 0xF, /* XXXX | 100% of maximum current detected */
869 };
870 static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
871
872 void ListenReaderField(int limit)
873 {
874 int lf_av, lf_av_new=0, lf_baseline= 0, lf_max;
875 int hf_av, hf_av_new=0, hf_baseline= 0, hf_max;
876 int mode=1, display_val, display_max, i;
877
878 #define LF_ONLY 1
879 #define HF_ONLY 2
880 #define REPORT_CHANGE_PERCENT 5 // report new values only if they have changed at least by REPORT_CHANGE_PERCENT
881 #define MIN_HF_FIELD 300 // in mode 1 signal HF field greater than MIN_HF_FIELD above baseline
882 #define MIN_LF_FIELD 1200 // in mode 1 signal LF field greater than MIN_LF_FIELD above baseline
883
884
885 // switch off FPGA - we don't want to measure our own signal
886 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
887 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
888
889 LEDsoff();
890
891 lf_av = lf_max = AvgAdc_Voltage_LF();
892
893 if(limit != HF_ONLY) {
894 Dbprintf("LF 125/134kHz Baseline: %dmV", lf_av);
895 lf_baseline = lf_av;
896 }
897
898 hf_av = hf_max = AvgAdc_Voltage_HF();
899
900 if (limit != LF_ONLY) {
901 Dbprintf("HF 13.56MHz Baseline: %dmV", hf_av);
902 hf_baseline = hf_av;
903 }
904
905 for(;;) {
906 SpinDelay(500);
907 if (BUTTON_PRESS()) {
908 switch (mode) {
909 case 1:
910 mode=2;
911 DbpString("Signal Strength Mode");
912 break;
913 case 2:
914 default:
915 DbpString("Stopped");
916 LEDsoff();
917 return;
918 break;
919 }
920 while (BUTTON_PRESS());
921 }
922 WDT_HIT();
923
924 if (limit != HF_ONLY) {
925 if(mode == 1) {
926 if (lf_av - lf_baseline > MIN_LF_FIELD)
927 LED_D_ON();
928 else
929 LED_D_OFF();
930 }
931
932 lf_av_new = AvgAdc_Voltage_LF();
933 // see if there's a significant change
934 if (ABS((lf_av - lf_av_new)*100/(lf_av?lf_av:1)) > REPORT_CHANGE_PERCENT) {
935 Dbprintf("LF 125/134kHz Field Change: %5dmV", lf_av_new);
936 lf_av = lf_av_new;
937 if (lf_av > lf_max)
938 lf_max = lf_av;
939 }
940 }
941
942 if (limit != LF_ONLY) {
943 if (mode == 1){
944 if (hf_av - hf_baseline > MIN_HF_FIELD)
945 LED_B_ON();
946 else
947 LED_B_OFF();
948 }
949
950 hf_av_new = AvgAdc_Voltage_HF();
951
952 // see if there's a significant change
953 if (ABS((hf_av - hf_av_new)*100/(hf_av?hf_av:1)) > REPORT_CHANGE_PERCENT) {
954 Dbprintf("HF 13.56MHz Field Change: %5dmV", hf_av_new);
955 hf_av = hf_av_new;
956 if (hf_av > hf_max)
957 hf_max = hf_av;
958 }
959 }
960
961 if(mode == 2) {
962 if (limit == LF_ONLY) {
963 display_val = lf_av;
964 display_max = lf_max;
965 } else if (limit == HF_ONLY) {
966 display_val = hf_av;
967 display_max = hf_max;
968 } else { /* Pick one at random */
969 if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
970 display_val = hf_av;
971 display_max = hf_max;
972 } else {
973 display_val = lf_av;
974 display_max = lf_max;
975 }
976 }
977 for (i=0; i<LIGHT_LEN; i++) {
978 if (display_val >= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) {
979 if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF();
980 if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF();
981 if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF();
982 if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF();
983 break;
984 }
985 }
986 }
987 }
988 }
989
990 void UsbPacketReceived(uint8_t *packet, int len)
991 {
992 UsbCommand *c = (UsbCommand *)packet;
993
994 // Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
995
996 switch(c->cmd) {
997 #ifdef WITH_LF
998 case CMD_SET_LF_SAMPLING_CONFIG:
999 setSamplingConfig((sample_config *) c->d.asBytes);
1000 break;
1001 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
1002 cmd_send(CMD_ACK,SampleLF(c->arg[0], c->arg[1]),0,0,0,0);
1003 break;
1004 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
1005 ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1006 break;
1007 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
1008 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
1009 break;
1010 case CMD_HID_DEMOD_FSK:
1011 CmdHIDdemodFSK(c->arg[0], 0, 0, 0, 1);
1012 break;
1013 case CMD_HID_SIM_TAG:
1014 CmdHIDsimTAG(c->arg[0], c->arg[1], c->arg[2], 1);
1015 break;
1016 case CMD_FSK_SIM_TAG:
1017 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1018 break;
1019 case CMD_ASK_SIM_TAG:
1020 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1021 break;
1022 case CMD_PSK_SIM_TAG:
1023 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1024 break;
1025 case CMD_HID_CLONE_TAG:
1026 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0], 0x1D);
1027 break;
1028 case CMD_PARADOX_CLONE_TAG:
1029 // Paradox cards are the same as HID, with a different preamble, so we can reuse the same function
1030 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0], 0x0F);
1031 break;
1032 case CMD_IO_DEMOD_FSK:
1033 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
1034 break;
1035 case CMD_IO_CLONE_TAG:
1036 CopyIOtoT55x7(c->arg[0], c->arg[1]);
1037 break;
1038 case CMD_EM410X_DEMOD:
1039 CmdEM410xdemod(c->arg[0], 0, 0, 1);
1040 break;
1041 case CMD_EM410X_WRITE_TAG:
1042 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
1043 break;
1044 case CMD_READ_TI_TYPE:
1045 ReadTItag();
1046 break;
1047 case CMD_WRITE_TI_TYPE:
1048 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
1049 break;
1050 case CMD_SIMULATE_TAG_125K:
1051 LED_A_ON();
1052 SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
1053 LED_A_OFF();
1054 break;
1055 case CMD_LF_SIMULATE_BIDIR:
1056 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
1057 break;
1058 case CMD_INDALA_CLONE_TAG:
1059 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
1060 break;
1061 case CMD_INDALA_CLONE_TAG_L:
1062 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
1063 break;
1064 case CMD_T55XX_READ_BLOCK:
1065 T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
1066 break;
1067 case CMD_T55XX_WRITE_BLOCK:
1068 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
1069 break;
1070 case CMD_T55XX_WAKEUP:
1071 T55xxWakeUp(c->arg[0]);
1072 break;
1073 case CMD_T55XX_RESET_READ:
1074 T55xxResetRead();
1075 break;
1076 case CMD_PCF7931_READ:
1077 ReadPCF7931();
1078 break;
1079 case CMD_PCF7931_WRITE:
1080 WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
1081 break;
1082 case CMD_PCF7931_BRUTEFORCE:
1083 BruteForcePCF7931(c->arg[0], (c->arg[1] & 0xFF), c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128);
1084 break;
1085 case CMD_EM4X_READ_WORD:
1086 EM4xReadWord(c->arg[0], c->arg[1],c->arg[2]);
1087 break;
1088 case CMD_EM4X_WRITE_WORD:
1089 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]);
1090 break;
1091 case CMD_EM4X_PROTECT:
1092 EM4xProtect(c->arg[0], c->arg[1], c->arg[2]);
1093 break;
1094 case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
1095 CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
1096 break;
1097 case CMD_VIKING_CLONE_TAG:
1098 CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
1099 break;
1100 case CMD_COTAG:
1101 Cotag(c->arg[0]);
1102 break;
1103 #endif
1104
1105 #ifdef WITH_HITAG
1106 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
1107 SnoopHitag(c->arg[0]);
1108 break;
1109 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
1110 SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1111 break;
1112 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
1113 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1114 break;
1115 case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content
1116 SimulateHitagSTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1117 break;
1118 case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file
1119 check_challenges_cmd((bool)c->arg[0], (byte_t*)c->d.asBytes, (uint8_t)c->arg[1]);
1120 break;
1121 case CMD_READ_HITAG_S://Reader for only Hitag S tags, args = key or challenge
1122 ReadHitagSCmd((hitag_function)c->arg[0], (hitag_data*)c->d.asBytes, (uint8_t)c->arg[1], (uint8_t)c->arg[2], false);
1123 break;
1124 case CMD_READ_HITAG_S_BLK:
1125 ReadHitagSCmd((hitag_function)c->arg[0], (hitag_data*)c->d.asBytes, (uint8_t)c->arg[1], (uint8_t)c->arg[2], true);
1126 break;
1127 case CMD_WR_HITAG_S://writer for Hitag tags args=data to write,page and key or challenge
1128 if ((hitag_function)c->arg[0] < 10) {
1129 WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]);
1130 }
1131 else if ((hitag_function)c->arg[0] >= 10) {
1132 WriterHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes, c->arg[2]);
1133 }
1134 break;
1135 #endif
1136
1137 #ifdef WITH_ISO15693
1138 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
1139 AcquireRawAdcSamplesIso15693();
1140 break;
1141
1142 case CMD_SNOOP_ISO_15693:
1143 SnoopIso15693();
1144 break;
1145
1146 case CMD_ISO_15693_COMMAND:
1147 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1148 break;
1149
1150 case CMD_ISO_15693_FIND_AFI:
1151 BruteforceIso15693Afi(c->arg[0]);
1152 break;
1153
1154 case CMD_ISO_15693_DEBUG:
1155 SetDebugIso15693(c->arg[0]);
1156 break;
1157
1158 case CMD_READER_ISO_15693:
1159 ReaderIso15693(c->arg[0]);
1160 break;
1161
1162 case CMD_SIMTAG_ISO_15693:
1163 SimTagIso15693(c->arg[0], c->d.asBytes);
1164 break;
1165
1166 case CMD_CSETUID_ISO_15693:
1167 SetTag15693Uid(c->d.asBytes);
1168 break;
1169 #endif
1170
1171 #ifdef WITH_LEGICRF
1172 case CMD_SIMULATE_TAG_LEGIC_RF:
1173 LegicRfSimulate(c->arg[0]);
1174 break;
1175
1176 case CMD_WRITER_LEGIC_RF:
1177 LegicRfWriter(c->arg[1], c->arg[0]);
1178 break;
1179
1180 case CMD_READER_LEGIC_RF:
1181 LegicRfReader(c->arg[0], c->arg[1]);
1182 break;
1183 #endif
1184
1185 #ifdef WITH_ISO14443b
1186 case CMD_READ_SRI512_TAG:
1187 ReadSTMemoryIso14443b(0x0F);
1188 break;
1189 case CMD_READ_SRIX4K_TAG:
1190 ReadSTMemoryIso14443b(0x7F);
1191 break;
1192 case CMD_SNOOP_ISO_14443B:
1193 SnoopIso14443b();
1194 break;
1195 case CMD_SIMULATE_TAG_ISO_14443B:
1196 SimulateIso14443bTag();
1197 break;
1198 case CMD_ISO_14443B_COMMAND:
1199 SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1200 break;
1201 #endif
1202
1203 #ifdef WITH_ISO14443a
1204 case CMD_SNOOP_ISO_14443a:
1205 SnoopIso14443a(c->arg[0]);
1206 break;
1207 case CMD_READER_ISO_14443a:
1208 ReaderIso14443a(c);
1209 break;
1210 case CMD_SIMULATE_TAG_ISO_14443a:
1211 SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
1212 break;
1213
1214 case CMD_EPA_PACE_COLLECT_NONCE:
1215 EPA_PACE_Collect_Nonce(c);
1216 break;
1217 case CMD_EPA_PACE_REPLAY:
1218 EPA_PACE_Replay(c);
1219 break;
1220
1221 case CMD_READER_MIFARE:
1222 ReaderMifare(c->arg[0]);
1223 break;
1224 case CMD_MIFARE_READBL:
1225 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1226 break;
1227 case CMD_MIFAREU_READBL:
1228 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
1229 break;
1230 case CMD_MIFAREUC_AUTH:
1231 MifareUC_Auth(c->arg[0],c->d.asBytes);
1232 break;
1233 case CMD_MIFAREU_READCARD:
1234 MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1235 break;
1236 case CMD_MIFAREUC_SETPWD:
1237 MifareUSetPwd(c->arg[0], c->d.asBytes);
1238 break;
1239 case CMD_MIFARE_READSC:
1240 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1241 break;
1242 case CMD_MIFARE_WRITEBL:
1243 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1244 break;
1245 //case CMD_MIFAREU_WRITEBL_COMPAT:
1246 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1247 //break;
1248 case CMD_MIFAREU_WRITEBL:
1249 MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
1250 break;
1251 case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES:
1252 MifareAcquireEncryptedNonces(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1253 break;
1254 case CMD_MIFARE_NESTED:
1255 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1256 break;
1257 case CMD_MIFARE_CHKKEYS:
1258 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1259 break;
1260 case CMD_SIMULATE_MIFARE_CARD:
1261 MifareSim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1262 break;
1263
1264 // emulator
1265 case CMD_MIFARE_SET_DBGMODE:
1266 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1267 break;
1268 case CMD_MIFARE_EML_MEMCLR:
1269 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1270 break;
1271 case CMD_MIFARE_EML_MEMSET:
1272 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1273 break;
1274 case CMD_MIFARE_EML_MEMGET:
1275 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1276 break;
1277 case CMD_MIFARE_EML_CARDLOAD:
1278 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1279 break;
1280
1281 // Work with "magic Chinese" card
1282 case CMD_MIFARE_CWIPE:
1283 MifareCWipe(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1284 break;
1285 case CMD_MIFARE_CSETBLOCK:
1286 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1287 break;
1288 case CMD_MIFARE_CGETBLOCK:
1289 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1290 break;
1291 case CMD_MIFARE_CIDENT:
1292 MifareCIdent();
1293 break;
1294
1295 // mifare sniffer
1296 case CMD_MIFARE_SNIFFER:
1297 SniffMifare(c->arg[0]);
1298 break;
1299
1300 #endif
1301
1302 #ifdef WITH_ICLASS
1303 // Makes use of ISO14443a FPGA Firmware
1304 case CMD_SNOOP_ICLASS:
1305 SnoopIClass();
1306 break;
1307 case CMD_SIMULATE_TAG_ICLASS:
1308 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1309 break;
1310 case CMD_READER_ICLASS:
1311 ReaderIClass(c->arg[0]);
1312 break;
1313 case CMD_READER_ICLASS_REPLAY:
1314 ReaderIClass_Replay(c->arg[0], c->d.asBytes);
1315 break;
1316 case CMD_ICLASS_EML_MEMSET:
1317 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
1318 break;
1319 case CMD_ICLASS_WRITEBLOCK:
1320 iClass_WriteBlock(c->arg[0], c->d.asBytes);
1321 break;
1322 case CMD_ICLASS_READCHECK: // auth step 1
1323 iClass_ReadCheck(c->arg[0], c->arg[1]);
1324 break;
1325 case CMD_ICLASS_READBLOCK:
1326 iClass_ReadBlk(c->arg[0]);
1327 break;
1328 case CMD_ICLASS_AUTHENTICATION: //check
1329 iClass_Authentication(c->d.asBytes);
1330 break;
1331 case CMD_ICLASS_DUMP:
1332 iClass_Dump(c->arg[0], c->arg[1]);
1333 break;
1334 case CMD_ICLASS_CLONE:
1335 iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
1336 break;
1337 #endif
1338
1339 #ifdef WITH_HFSNOOP
1340 case CMD_HF_SNIFFER:
1341 HfSnoop(c->arg[0], c->arg[1]);
1342 break;
1343 case CMD_HF_PLOT:
1344 HfPlot();
1345 break;
1346 #endif
1347
1348 #ifdef WITH_SMARTCARD
1349 case CMD_SMART_ATR: {
1350 SmartCardAtr();
1351 break;
1352 }
1353 case CMD_SMART_SETCLOCK:{
1354 SmartCardSetClock(c->arg[0]);
1355 break;
1356 }
1357 case CMD_SMART_RAW: {
1358 SmartCardRaw(c->arg[0], c->arg[1], c->d.asBytes);
1359 break;
1360 }
1361 case CMD_SMART_UPLOAD: {
1362 // upload file from client
1363 uint8_t *mem = BigBuf_get_addr();
1364 memcpy( mem + c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1365 cmd_send(CMD_ACK,1,0,0,0,0);
1366 break;
1367 }
1368 case CMD_SMART_UPGRADE: {
1369 SmartCardUpgrade(c->arg[0]);
1370 break;
1371 }
1372 #endif
1373
1374 case CMD_BUFF_CLEAR:
1375 BigBuf_Clear();
1376 break;
1377
1378 case CMD_MEASURE_ANTENNA_TUNING:
1379 MeasureAntennaTuning(c->arg[0]);
1380 break;
1381
1382 case CMD_MEASURE_ANTENNA_TUNING_HF:
1383 MeasureAntennaTuningHf();
1384 break;
1385
1386 case CMD_LISTEN_READER_FIELD:
1387 ListenReaderField(c->arg[0]);
1388 break;
1389
1390 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
1391 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1392 SpinDelay(200);
1393 LED_D_OFF(); // LED D indicates field ON or OFF
1394 break;
1395
1396 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K:
1397 LED_B_ON();
1398 uint8_t *BigBuf = BigBuf_get_addr();
1399 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
1400 size_t len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
1401 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
1402 }
1403 // Trigger a finish downloading signal with an ACK frame
1404 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
1405 LED_B_OFF();
1406 break;
1407
1408 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
1409 // iceman; since changing fpga_bitstreams clears bigbuff, Its better to call it before.
1410 // to be able to use this one for uploading data to device
1411 // arg1 = 0 upload for LF usage
1412 // 1 upload for HF usage
1413 if (c->arg[1] == 0)
1414 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1415 else
1416 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1417
1418 uint8_t *b = BigBuf_get_addr();
1419 memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1420 cmd_send(CMD_ACK,0,0,0,0,0);
1421 break;
1422 }
1423 case CMD_READ_MEM:
1424 ReadMem(c->arg[0]);
1425 break;
1426
1427 case CMD_SET_LF_DIVISOR:
1428 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1429 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
1430 break;
1431
1432 case CMD_SET_ADC_MUX:
1433 switch(c->arg[0]) {
1434 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1435 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1436 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1437 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1438 }
1439 break;
1440
1441 case CMD_VERSION:
1442 SendVersion();
1443 break;
1444 case CMD_STATUS:
1445 SendStatus();
1446 break;
1447 case CMD_PING:
1448 cmd_send(CMD_ACK,0,0,0,0,0);
1449 break;
1450 #ifdef WITH_LCD
1451 case CMD_LCD_RESET:
1452 LCDReset();
1453 break;
1454 case CMD_LCD:
1455 LCDSend(c->arg[0]);
1456 break;
1457 #endif
1458 case CMD_SETUP_WRITE:
1459 case CMD_FINISH_WRITE:
1460 case CMD_HARDWARE_RESET:
1461 usb_disable();
1462 SpinDelay(1000);
1463 SpinDelay(1000);
1464 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1465 for(;;) {
1466 // We're going to reset, and the bootrom will take control.
1467 }
1468 break;
1469
1470 case CMD_START_FLASH:
1471 if(common_area.flags.bootrom_present) {
1472 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1473 }
1474 usb_disable();
1475 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1476 for(;;);
1477 break;
1478
1479 case CMD_DEVICE_INFO: {
1480 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1481 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1482 cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1483 break;
1484 }
1485 default:
1486 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1487 break;
1488 }
1489 }
1490
1491 void __attribute__((noreturn)) AppMain(void)
1492 {
1493 SpinDelay(100);
1494 clear_trace();
1495 if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
1496 /* Initialize common area */
1497 memset(&common_area, 0, sizeof(common_area));
1498 common_area.magic = COMMON_AREA_MAGIC;
1499 common_area.version = 1;
1500 }
1501 common_area.flags.osimage_present = 1;
1502
1503 LEDsoff();
1504
1505 // Init USB device
1506 usb_enable();
1507
1508 // The FPGA gets its clock from us from PCK0 output, so set that up.
1509 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
1510 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
1511 AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
1512 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1513 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
1514 AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
1515 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
1516
1517 // Reset SPI
1518 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
1519 // Reset SSC
1520 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
1521
1522 // Load the FPGA image, which we have stored in our flash.
1523 // (the HF version by default)
1524 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1525
1526 StartTickCount();
1527
1528 #ifdef WITH_LCD
1529 LCDInit();
1530 #endif
1531
1532 byte_t rx[sizeof(UsbCommand)];
1533 size_t rx_len;
1534
1535 for(;;) {
1536 if (usb_poll()) {
1537 rx_len = usb_read(rx,sizeof(UsbCommand));
1538 if (rx_len) {
1539 UsbPacketReceived(rx,rx_len);
1540 }
1541 }
1542 WDT_HIT();
1543
1544 #ifdef WITH_LF_StandAlone
1545 #ifndef WITH_ISO14443a_StandAlone
1546 if (BUTTON_HELD(1000) > 0)
1547 SamyRun();
1548 #endif
1549 #endif
1550 #ifdef WITH_ISO14443a
1551 #ifdef WITH_ISO14443a_StandAlone
1552 if (BUTTON_HELD(1000) > 0)
1553 StandAloneMode14a();
1554 #endif
1555 #endif
1556 }
1557 }
Proxmark3 GIT tracking
Impressum, Datenschutz