]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443a.c
projects / proxmark3-svn / blob
? search:


0a9f7c039333764b9f9cbe27d2ee1ddba9b4bba3
[proxmark3-svn] / armsrc / iso14443a.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // Routines to support ISO 14443 type A.
11 //-----------------------------------------------------------------------------
12
13 #include "iso14443a.h"
14
15 #include <stdio.h>
16 #include <string.h>
17 #include "proxmark3.h"
18 #include "apps.h"
19 #include "util.h"
20 #include "cmd.h"
21 #include "iso14443crc.h"
22 #include "crapto1/crapto1.h"
23 #include "mifareutil.h"
24 #include "mifaresniff.h"
25 #include "BigBuf.h"
26 #include "protocols.h"
27 #include "parity.h"
28
29 typedef struct {
30 enum {
31 DEMOD_UNSYNCD,
32 // DEMOD_HALF_SYNCD,
33 // DEMOD_MOD_FIRST_HALF,
34 // DEMOD_NOMOD_FIRST_HALF,
35 DEMOD_MANCHESTER_DATA
36 } state;
37 uint16_t twoBits;
38 uint16_t highCnt;
39 uint16_t bitCount;
40 uint16_t collisionPos;
41 uint16_t syncBit;
42 uint8_t parityBits;
43 uint8_t parityLen;
44 uint16_t shiftReg;
45 uint16_t samples;
46 uint16_t len;
47 uint32_t startTime, endTime;
48 uint8_t *output;
49 uint8_t *parity;
50 } tDemod;
51
52 typedef enum {
53 MOD_NOMOD = 0,
54 MOD_SECOND_HALF,
55 MOD_FIRST_HALF,
56 MOD_BOTH_HALVES
57 } Modulation_t;
58
59 typedef struct {
60 enum {
61 STATE_UNSYNCD,
62 STATE_START_OF_COMMUNICATION,
63 STATE_MILLER_X,
64 STATE_MILLER_Y,
65 STATE_MILLER_Z,
66 // DROP_NONE,
67 // DROP_FIRST_HALF,
68 } state;
69 uint16_t shiftReg;
70 int16_t bitCount;
71 uint16_t len;
72 uint16_t byteCntMax;
73 uint16_t posCnt;
74 uint16_t syncBit;
75 uint8_t parityBits;
76 uint8_t parityLen;
77 uint32_t fourBits;
78 uint32_t startTime, endTime;
79 uint8_t *output;
80 uint8_t *parity;
81 } tUart;
82
83 static uint32_t iso14a_timeout;
84 #define MAX_ISO14A_TIMEOUT 524288
85
86 int rsamples = 0;
87 uint8_t trigger = 0;
88 // the block number for the ISO14443-4 PCB
89 static uint8_t iso14_pcb_blocknum = 0;
90
91 //
92 // ISO14443 timing:
93 //
94 // minimum time between the start bits of consecutive transfers from reader to tag: 7000 carrier (13.56Mhz) cycles
95 #define REQUEST_GUARD_TIME (7000/16 + 1)
96 // minimum time between last modulation of tag and next start bit from reader to tag: 1172 carrier cycles
97 #define FRAME_DELAY_TIME_PICC_TO_PCD (1172/16 + 1)
98 // bool LastCommandWasRequest = false;
99
100 //
101 // Total delays including SSC-Transfers between ARM and FPGA. These are in carrier clock cycles (1/13,56MHz)
102 //
103 // When the PM acts as reader and is receiving tag data, it takes
104 // 3 ticks delay in the AD converter
105 // 16 ticks until the modulation detector completes and sets curbit
106 // 8 ticks until bit_to_arm is assigned from curbit
107 // 8*16 ticks for the transfer from FPGA to ARM
108 // 4*16 ticks until we measure the time
109 // - 8*16 ticks because we measure the time of the previous transfer
110 #define DELAY_AIR2ARM_AS_READER (3 + 16 + 8 + 8*16 + 4*16 - 8*16)
111
112 // When the PM acts as a reader and is sending, it takes
113 // 4*16 ticks until we can write data to the sending hold register
114 // 8*16 ticks until the SHR is transferred to the Sending Shift Register
115 // 8 ticks until the first transfer starts
116 // 8 ticks later the FPGA samples the data
117 // 1 tick to assign mod_sig_coil
118 #define DELAY_ARM2AIR_AS_READER (4*16 + 8*16 + 8 + 8 + 1)
119
120 // When the PM acts as tag and is receiving it takes
121 // 2 ticks delay in the RF part (for the first falling edge),
122 // 3 ticks for the A/D conversion,
123 // 8 ticks on average until the start of the SSC transfer,
124 // 8 ticks until the SSC samples the first data
125 // 7*16 ticks to complete the transfer from FPGA to ARM
126 // 8 ticks until the next ssp_clk rising edge
127 // 4*16 ticks until we measure the time
128 // - 8*16 ticks because we measure the time of the previous transfer
129 #define DELAY_AIR2ARM_AS_TAG (2 + 3 + 8 + 8 + 7*16 + 8 + 4*16 - 8*16)
130
131 // The FPGA will report its internal sending delay in
132 uint16_t FpgaSendQueueDelay;
133 // the 5 first bits are the number of bits buffered in mod_sig_buf
134 // the last three bits are the remaining ticks/2 after the mod_sig_buf shift
135 #define DELAY_FPGA_QUEUE (FpgaSendQueueDelay<<1)
136
137 // When the PM acts as tag and is sending, it takes
138 // 4*16 + 8 ticks until we can write data to the sending hold register
139 // 8*16 ticks until the SHR is transferred to the Sending Shift Register
140 // 8 ticks later the FPGA samples the first data
141 // + 16 ticks until assigned to mod_sig
142 // + 1 tick to assign mod_sig_coil
143 // + a varying number of ticks in the FPGA Delay Queue (mod_sig_buf)
144 #define DELAY_ARM2AIR_AS_TAG (4*16 + 8 + 8*16 + 8 + 16 + 1 + DELAY_FPGA_QUEUE)
145
146 // When the PM acts as sniffer and is receiving tag data, it takes
147 // 3 ticks A/D conversion
148 // 14 ticks to complete the modulation detection
149 // 8 ticks (on average) until the result is stored in to_arm
150 // + the delays in transferring data - which is the same for
151 // sniffing reader and tag data and therefore not relevant
152 #define DELAY_TAG_AIR2ARM_AS_SNIFFER (3 + 14 + 8)
153
154 // When the PM acts as sniffer and is receiving reader data, it takes
155 // 2 ticks delay in analogue RF receiver (for the falling edge of the
156 // start bit, which marks the start of the communication)
157 // 3 ticks A/D conversion
158 // 8 ticks on average until the data is stored in to_arm.
159 // + the delays in transferring data - which is the same for
160 // sniffing reader and tag data and therefore not relevant
161 #define DELAY_READER_AIR2ARM_AS_SNIFFER (2 + 3 + 8)
162
163 //variables used for timing purposes:
164 //these are in ssp_clk cycles:
165 static uint32_t NextTransferTime;
166 static uint32_t LastTimeProxToAirStart;
167 static uint32_t LastProxToAirDuration;
168
169
170
171 // CARD TO READER - manchester
172 // Sequence D: 11110000 modulation with subcarrier during first half
173 // Sequence E: 00001111 modulation with subcarrier during second half
174 // Sequence F: 00000000 no modulation with subcarrier
175 // READER TO CARD - miller
176 // Sequence X: 00001100 drop after half a period
177 // Sequence Y: 00000000 no drop
178 // Sequence Z: 11000000 drop at start
179 #define SEC_D 0xf0
180 #define SEC_E 0x0f
181 #define SEC_F 0x00
182 #define SEC_X 0x0c
183 #define SEC_Y 0x00
184 #define SEC_Z 0xc0
185
186 void iso14a_set_trigger(bool enable) {
187 trigger = enable;
188 }
189
190
191 void iso14a_set_timeout(uint32_t timeout) {
192 iso14a_timeout = timeout - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/(16*8) + 2;
193 if(MF_DBGLEVEL >= 3) Dbprintf("ISO14443A Timeout set to %ld (%dms)", timeout, timeout / 106);
194 }
195
196
197 uint32_t iso14a_get_timeout(void) {
198 return iso14a_timeout + (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/(16*8) - 2;
199 }
200
201 //-----------------------------------------------------------------------------
202 // Generate the parity value for a byte sequence
203 //
204 //-----------------------------------------------------------------------------
205 void GetParity(const uint8_t *pbtCmd, uint16_t iLen, uint8_t *par)
206 {
207 uint16_t paritybit_cnt = 0;
208 uint16_t paritybyte_cnt = 0;
209 uint8_t parityBits = 0;
210
211 for (uint16_t i = 0; i < iLen; i++) {
212 // Generate the parity bits
213 parityBits |= ((oddparity8(pbtCmd[i])) << (7-paritybit_cnt));
214 if (paritybit_cnt == 7) {
215 par[paritybyte_cnt] = parityBits; // save 8 Bits parity
216 parityBits = 0; // and advance to next Parity Byte
217 paritybyte_cnt++;
218 paritybit_cnt = 0;
219 } else {
220 paritybit_cnt++;
221 }
222 }
223
224 // save remaining parity bits
225 par[paritybyte_cnt] = parityBits;
226
227 }
228
229 void AppendCrc14443a(uint8_t* data, int len)
230 {
231 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
232 }
233
234 static void AppendCrc14443b(uint8_t* data, int len)
235 {
236 ComputeCrc14443(CRC_14443_B,data,len,data+len,data+len+1);
237 }
238
239
240 //=============================================================================
241 // ISO 14443 Type A - Miller decoder
242 //=============================================================================
243 // Basics:
244 // This decoder is used when the PM3 acts as a tag.
245 // The reader will generate "pauses" by temporarily switching of the field.
246 // At the PM3 antenna we will therefore measure a modulated antenna voltage.
247 // The FPGA does a comparison with a threshold and would deliver e.g.:
248 // ........ 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1 .......
249 // The Miller decoder needs to identify the following sequences:
250 // 2 (or 3) ticks pause followed by 6 (or 5) ticks unmodulated: pause at beginning - Sequence Z ("start of communication" or a "0")
251 // 8 ticks without a modulation: no pause - Sequence Y (a "0" or "end of communication" or "no information")
252 // 4 ticks unmodulated followed by 2 (or 3) ticks pause: pause in second half - Sequence X (a "1")
253 // Note 1: the bitstream may start at any time. We therefore need to sync.
254 // Note 2: the interpretation of Sequence Y and Z depends on the preceding sequence.
255 //-----------------------------------------------------------------------------
256 static tUart Uart;
257
258 // Lookup-Table to decide if 4 raw bits are a modulation.
259 // We accept the following:
260 // 0001 - a 3 tick wide pause
261 // 0011 - a 2 tick wide pause, or a three tick wide pause shifted left
262 // 0111 - a 2 tick wide pause shifted left
263 // 1001 - a 2 tick wide pause shifted right
264 const bool Mod_Miller_LUT[] = {
265 false, true, false, true, false, false, false, true,
266 false, true, false, false, false, false, false, false
267 };
268 #define IsMillerModulationNibble1(b) (Mod_Miller_LUT[(b & 0x000000F0) >> 4])
269 #define IsMillerModulationNibble2(b) (Mod_Miller_LUT[(b & 0x0000000F)])
270
271 static void UartReset()
272 {
273 Uart.state = STATE_UNSYNCD;
274 Uart.bitCount = 0;
275 Uart.len = 0; // number of decoded data bytes
276 Uart.parityLen = 0; // number of decoded parity bytes
277 Uart.shiftReg = 0; // shiftreg to hold decoded data bits
278 Uart.parityBits = 0; // holds 8 parity bits
279 Uart.startTime = 0;
280 Uart.endTime = 0;
281 }
282
283 static void UartInit(uint8_t *data, uint8_t *parity)
284 {
285 Uart.output = data;
286 Uart.parity = parity;
287 Uart.fourBits = 0x00000000; // clear the buffer for 4 Bits
288 UartReset();
289 }
290
291 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
292 static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
293 {
294
295 Uart.fourBits = (Uart.fourBits << 8) | bit;
296
297 if (Uart.state == STATE_UNSYNCD) { // not yet synced
298
299 Uart.syncBit = 9999; // not set
300 // The start bit is one ore more Sequence Y followed by a Sequence Z (... 11111111 00x11111). We need to distinguish from
301 // Sequence X followed by Sequence Y followed by Sequence Z (111100x1 11111111 00x11111)
302 // we therefore look for a ...xx11111111111100x11111xxxxxx... pattern
303 // (12 '1's followed by 2 '0's, eventually followed by another '0', followed by 5 '1's)
304 #define ISO14443A_STARTBIT_MASK 0x07FFEF80 // mask is 00000111 11111111 11101111 10000000
305 #define ISO14443A_STARTBIT_PATTERN 0x07FF8F80 // pattern is 00000111 11111111 10001111 10000000
306 if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 0)) == ISO14443A_STARTBIT_PATTERN >> 0) Uart.syncBit = 7;
307 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 1)) == ISO14443A_STARTBIT_PATTERN >> 1) Uart.syncBit = 6;
308 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 2)) == ISO14443A_STARTBIT_PATTERN >> 2) Uart.syncBit = 5;
309 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 3)) == ISO14443A_STARTBIT_PATTERN >> 3) Uart.syncBit = 4;
310 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 4)) == ISO14443A_STARTBIT_PATTERN >> 4) Uart.syncBit = 3;
311 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 5)) == ISO14443A_STARTBIT_PATTERN >> 5) Uart.syncBit = 2;
312 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 6)) == ISO14443A_STARTBIT_PATTERN >> 6) Uart.syncBit = 1;
313 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 7)) == ISO14443A_STARTBIT_PATTERN >> 7) Uart.syncBit = 0;
314
315 if (Uart.syncBit != 9999) { // found a sync bit
316 Uart.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
317 Uart.startTime -= Uart.syncBit;
318 Uart.endTime = Uart.startTime;
319 Uart.state = STATE_START_OF_COMMUNICATION;
320 }
321
322 } else {
323
324 if (IsMillerModulationNibble1(Uart.fourBits >> Uart.syncBit)) {
325 if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) { // Modulation in both halves - error
326 UartReset();
327 } else { // Modulation in first half = Sequence Z = logic "0"
328 if (Uart.state == STATE_MILLER_X) { // error - must not follow after X
329 UartReset();
330 } else {
331 Uart.bitCount++;
332 Uart.shiftReg = (Uart.shiftReg >> 1); // add a 0 to the shiftreg
333 Uart.state = STATE_MILLER_Z;
334 Uart.endTime = Uart.startTime + 8*(9*Uart.len + Uart.bitCount + 1) - 6;
335 if(Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
336 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
337 Uart.parityBits <<= 1; // make room for the parity bit
338 Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
339 Uart.bitCount = 0;
340 Uart.shiftReg = 0;
341 if((Uart.len&0x0007) == 0) { // every 8 data bytes
342 Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
343 Uart.parityBits = 0;
344 }
345 }
346 }
347 }
348 } else {
349 if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) { // Modulation second half = Sequence X = logic "1"
350 Uart.bitCount++;
351 Uart.shiftReg = (Uart.shiftReg >> 1) | 0x100; // add a 1 to the shiftreg
352 Uart.state = STATE_MILLER_X;
353 Uart.endTime = Uart.startTime + 8*(9*Uart.len + Uart.bitCount + 1) - 2;
354 if(Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
355 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
356 Uart.parityBits <<= 1; // make room for the new parity bit
357 Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
358 Uart.bitCount = 0;
359 Uart.shiftReg = 0;
360 if ((Uart.len&0x0007) == 0) { // every 8 data bytes
361 Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
362 Uart.parityBits = 0;
363 }
364 }
365 } else { // no modulation in both halves - Sequence Y
366 if (Uart.state == STATE_MILLER_Z || Uart.state == STATE_MILLER_Y) { // Y after logic "0" - End of Communication
367 Uart.state = STATE_UNSYNCD;
368 Uart.bitCount--; // last "0" was part of EOC sequence
369 Uart.shiftReg <<= 1; // drop it
370 if(Uart.bitCount > 0) { // if we decoded some bits
371 Uart.shiftReg >>= (9 - Uart.bitCount); // right align them
372 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff); // add last byte to the output
373 Uart.parityBits <<= 1; // add a (void) parity bit
374 Uart.parityBits <<= (8 - (Uart.len&0x0007)); // left align parity bits
375 Uart.parity[Uart.parityLen++] = Uart.parityBits; // and store it
376 return true;
377 } else if (Uart.len & 0x0007) { // there are some parity bits to store
378 Uart.parityBits <<= (8 - (Uart.len&0x0007)); // left align remaining parity bits
379 Uart.parity[Uart.parityLen++] = Uart.parityBits; // and store them
380 }
381 if (Uart.len) {
382 return true; // we are finished with decoding the raw data sequence
383 } else {
384 UartReset(); // Nothing received - start over
385 }
386 }
387 if (Uart.state == STATE_START_OF_COMMUNICATION) { // error - must not follow directly after SOC
388 UartReset();
389 } else { // a logic "0"
390 Uart.bitCount++;
391 Uart.shiftReg = (Uart.shiftReg >> 1); // add a 0 to the shiftreg
392 Uart.state = STATE_MILLER_Y;
393 if(Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
394 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
395 Uart.parityBits <<= 1; // make room for the parity bit
396 Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
397 Uart.bitCount = 0;
398 Uart.shiftReg = 0;
399 if ((Uart.len&0x0007) == 0) { // every 8 data bytes
400 Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
401 Uart.parityBits = 0;
402 }
403 }
404 }
405 }
406 }
407
408 }
409
410 return false; // not finished yet, need more data
411 }
412
413
414
415 //=============================================================================
416 // ISO 14443 Type A - Manchester decoder
417 //=============================================================================
418 // Basics:
419 // This decoder is used when the PM3 acts as a reader.
420 // The tag will modulate the reader field by asserting different loads to it. As a consequence, the voltage
421 // at the reader antenna will be modulated as well. The FPGA detects the modulation for us and would deliver e.g. the following:
422 // ........ 0 0 1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 .......
423 // The Manchester decoder needs to identify the following sequences:
424 // 4 ticks modulated followed by 4 ticks unmodulated: Sequence D = 1 (also used as "start of communication")
425 // 4 ticks unmodulated followed by 4 ticks modulated: Sequence E = 0
426 // 8 ticks unmodulated: Sequence F = end of communication
427 // 8 ticks modulated: A collision. Save the collision position and treat as Sequence D
428 // Note 1: the bitstream may start at any time. We therefore need to sync.
429 // Note 2: parameter offset is used to determine the position of the parity bits (required for the anticollision command only)
430 static tDemod Demod;
431
432 // Lookup-Table to decide if 4 raw bits are a modulation.
433 // We accept three or four "1" in any position
434 const bool Mod_Manchester_LUT[] = {
435 false, false, false, false, false, false, false, true,
436 false, false, false, true, false, true, true, true
437 };
438
439 #define IsManchesterModulationNibble1(b) (Mod_Manchester_LUT[(b & 0x00F0) >> 4])
440 #define IsManchesterModulationNibble2(b) (Mod_Manchester_LUT[(b & 0x000F)])
441
442
443 static void DemodReset()
444 {
445 Demod.state = DEMOD_UNSYNCD;
446 Demod.len = 0; // number of decoded data bytes
447 Demod.parityLen = 0;
448 Demod.shiftReg = 0; // shiftreg to hold decoded data bits
449 Demod.parityBits = 0; //
450 Demod.collisionPos = 0; // Position of collision bit
451 Demod.twoBits = 0xffff; // buffer for 2 Bits
452 Demod.highCnt = 0;
453 Demod.startTime = 0;
454 Demod.endTime = 0;
455 }
456
457 static void DemodInit(uint8_t *data, uint8_t *parity)
458 {
459 Demod.output = data;
460 Demod.parity = parity;
461 DemodReset();
462 }
463
464 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
465 static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time)
466 {
467
468 Demod.twoBits = (Demod.twoBits << 8) | bit;
469
470 if (Demod.state == DEMOD_UNSYNCD) {
471
472 if (Demod.highCnt < 2) { // wait for a stable unmodulated signal
473 if (Demod.twoBits == 0x0000) {
474 Demod.highCnt++;
475 } else {
476 Demod.highCnt = 0;
477 }
478 } else {
479 Demod.syncBit = 0xFFFF; // not set
480 if ((Demod.twoBits & 0x7700) == 0x7000) Demod.syncBit = 7;
481 else if ((Demod.twoBits & 0x3B80) == 0x3800) Demod.syncBit = 6;
482 else if ((Demod.twoBits & 0x1DC0) == 0x1C00) Demod.syncBit = 5;
483 else if ((Demod.twoBits & 0x0EE0) == 0x0E00) Demod.syncBit = 4;
484 else if ((Demod.twoBits & 0x0770) == 0x0700) Demod.syncBit = 3;
485 else if ((Demod.twoBits & 0x03B8) == 0x0380) Demod.syncBit = 2;
486 else if ((Demod.twoBits & 0x01DC) == 0x01C0) Demod.syncBit = 1;
487 else if ((Demod.twoBits & 0x00EE) == 0x00E0) Demod.syncBit = 0;
488 if (Demod.syncBit != 0xFFFF) {
489 Demod.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
490 Demod.startTime -= Demod.syncBit;
491 Demod.bitCount = offset; // number of decoded data bits
492 Demod.state = DEMOD_MANCHESTER_DATA;
493 }
494 }
495
496 } else {
497
498 if (IsManchesterModulationNibble1(Demod.twoBits >> Demod.syncBit)) { // modulation in first half
499 if (IsManchesterModulationNibble2(Demod.twoBits >> Demod.syncBit)) { // ... and in second half = collision
500 if (!Demod.collisionPos) {
501 Demod.collisionPos = (Demod.len << 3) + Demod.bitCount;
502 }
503 } // modulation in first half only - Sequence D = 1
504 Demod.bitCount++;
505 Demod.shiftReg = (Demod.shiftReg >> 1) | 0x100; // in both cases, add a 1 to the shiftreg
506 if(Demod.bitCount == 9) { // if we decoded a full byte (including parity)
507 Demod.output[Demod.len++] = (Demod.shiftReg & 0xff);
508 Demod.parityBits <<= 1; // make room for the parity bit
509 Demod.parityBits |= ((Demod.shiftReg >> 8) & 0x01); // store parity bit
510 Demod.bitCount = 0;
511 Demod.shiftReg = 0;
512 if((Demod.len&0x0007) == 0) { // every 8 data bytes
513 Demod.parity[Demod.parityLen++] = Demod.parityBits; // store 8 parity bits
514 Demod.parityBits = 0;
515 }
516 }
517 Demod.endTime = Demod.startTime + 8*(9*Demod.len + Demod.bitCount + 1) - 4;
518 } else { // no modulation in first half
519 if (IsManchesterModulationNibble2(Demod.twoBits >> Demod.syncBit)) { // and modulation in second half = Sequence E = 0
520 Demod.bitCount++;
521 Demod.shiftReg = (Demod.shiftReg >> 1); // add a 0 to the shiftreg
522 if(Demod.bitCount >= 9) { // if we decoded a full byte (including parity)
523 Demod.output[Demod.len++] = (Demod.shiftReg & 0xff);
524 Demod.parityBits <<= 1; // make room for the new parity bit
525 Demod.parityBits |= ((Demod.shiftReg >> 8) & 0x01); // store parity bit
526 Demod.bitCount = 0;
527 Demod.shiftReg = 0;
528 if ((Demod.len&0x0007) == 0) { // every 8 data bytes
529 Demod.parity[Demod.parityLen++] = Demod.parityBits; // store 8 parity bits1
530 Demod.parityBits = 0;
531 }
532 }
533 Demod.endTime = Demod.startTime + 8*(9*Demod.len + Demod.bitCount + 1);
534 } else { // no modulation in both halves - End of communication
535 if(Demod.bitCount > 0) { // there are some remaining data bits
536 Demod.shiftReg >>= (9 - Demod.bitCount); // right align the decoded bits
537 Demod.output[Demod.len++] = Demod.shiftReg & 0xff; // and add them to the output
538 Demod.parityBits <<= 1; // add a (void) parity bit
539 Demod.parityBits <<= (8 - (Demod.len&0x0007)); // left align remaining parity bits
540 Demod.parity[Demod.parityLen++] = Demod.parityBits; // and store them
541 return true;
542 } else if (Demod.len & 0x0007) { // there are some parity bits to store
543 Demod.parityBits <<= (8 - (Demod.len&0x0007)); // left align remaining parity bits
544 Demod.parity[Demod.parityLen++] = Demod.parityBits; // and store them
545 }
546 if (Demod.len) {
547 return true; // we are finished with decoding the raw data sequence
548 } else { // nothing received. Start over
549 DemodReset();
550 }
551 }
552 }
553
554 }
555
556 return false; // not finished yet, need more data
557 }
558
559 //=============================================================================
560 // Finally, a `sniffer' for ISO 14443 Type A
561 // Both sides of communication!
562 //=============================================================================
563
564 //-----------------------------------------------------------------------------
565 // Record the sequence of commands sent by the reader to the tag, with
566 // triggering so that we start recording at the point that the tag is moved
567 // near the reader.
568 //-----------------------------------------------------------------------------
569 void RAMFUNC SnoopIso14443a(uint8_t param) {
570 // param:
571 // bit 0 - trigger from first card answer
572 // bit 1 - trigger from first reader 7-bit request
573
574 LEDsoff();
575
576 iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
577
578 // Allocate memory from BigBuf for some buffers
579 // free all previous allocations first
580 BigBuf_free();
581
582 // The command (reader -> tag) that we're receiving.
583 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
584 uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
585
586 // The response (tag -> reader) that we're receiving.
587 uint8_t *receivedResponse = BigBuf_malloc(MAX_FRAME_SIZE);
588 uint8_t *receivedResponsePar = BigBuf_malloc(MAX_PARITY_SIZE);
589
590 // The DMA buffer, used to stream samples from the FPGA
591 uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
592
593 // init trace buffer
594 clear_trace();
595 set_tracing(true);
596
597 uint8_t *data = dmaBuf;
598 uint8_t previous_data = 0;
599 int maxDataLen = 0;
600 int dataLen = 0;
601 bool TagIsActive = false;
602 bool ReaderIsActive = false;
603
604 // Set up the demodulator for tag -> reader responses.
605 DemodInit(receivedResponse, receivedResponsePar);
606
607 // Set up the demodulator for the reader -> tag commands
608 UartInit(receivedCmd, receivedCmdPar);
609
610 // Setup and start DMA.
611 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
612
613 // We won't start recording the frames that we acquire until we trigger;
614 // a good trigger condition to get started is probably when we see a
615 // response from the tag.
616 // triggered == false -- to wait first for card
617 bool triggered = !(param & 0x03);
618
619 // And now we loop, receiving samples.
620 for(uint32_t rsamples = 0; true; ) {
621
622 if(BUTTON_PRESS()) {
623 DbpString("cancelled by button");
624 break;
625 }
626
627 LED_A_ON();
628 WDT_HIT();
629
630 int register readBufDataP = data - dmaBuf;
631 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
632 if (readBufDataP <= dmaBufDataP){
633 dataLen = dmaBufDataP - readBufDataP;
634 } else {
635 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP;
636 }
637 // test for length of buffer
638 if(dataLen > maxDataLen) {
639 maxDataLen = dataLen;
640 if(dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
641 Dbprintf("blew circular buffer! dataLen=%d", dataLen);
642 break;
643 }
644 }
645 if(dataLen < 1) continue;
646
647 // primary buffer was stopped( <-- we lost data!
648 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
649 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
650 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
651 Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
652 }
653 // secondary buffer sets as primary, secondary buffer was stopped
654 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
655 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
656 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
657 }
658
659 LED_A_OFF();
660
661 if (rsamples & 0x01) { // Need two samples to feed Miller and Manchester-Decoder
662
663 if(!TagIsActive) { // no need to try decoding reader data if the tag is sending
664 uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
665 if (MillerDecoding(readerdata, (rsamples-1)*4)) {
666 LED_C_ON();
667
668 // check - if there is a short 7bit request from reader
669 if ((!triggered) && (param & 0x02) && (Uart.len == 1) && (Uart.bitCount == 7)) triggered = true;
670
671 if(triggered) {
672 if (!LogTrace(receivedCmd,
673 Uart.len,
674 Uart.startTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER,
675 Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER,
676 Uart.parity,
677 true)) break;
678 }
679 /* And ready to receive another command. */
680 UartReset();
681 /* And also reset the demod code, which might have been */
682 /* false-triggered by the commands from the reader. */
683 DemodReset();
684 LED_B_OFF();
685 }
686 ReaderIsActive = (Uart.state != STATE_UNSYNCD);
687 }
688
689 if(!ReaderIsActive) { // no need to try decoding tag data if the reader is sending - and we cannot afford the time
690 uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
691 if(ManchesterDecoding(tagdata, 0, (rsamples-1)*4)) {
692 LED_B_ON();
693
694 if (!LogTrace(receivedResponse,
695 Demod.len,
696 Demod.startTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER,
697 Demod.endTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER,
698 Demod.parity,
699 false)) break;
700
701 if ((!triggered) && (param & 0x01)) triggered = true;
702
703 // And ready to receive another response.
704 DemodReset();
705 // And reset the Miller decoder including itS (now outdated) input buffer
706 UartInit(receivedCmd, receivedCmdPar);
707
708 LED_C_OFF();
709 }
710 TagIsActive = (Demod.state != DEMOD_UNSYNCD);
711 }
712 }
713
714 previous_data = *data;
715 rsamples++;
716 data++;
717 if(data == dmaBuf + DMA_BUFFER_SIZE) {
718 data = dmaBuf;
719 }
720 } // main cycle
721
722 DbpString("COMMAND FINISHED");
723
724 FpgaDisableSscDma();
725 Dbprintf("maxDataLen=%d, Uart.state=%x, Uart.len=%d", maxDataLen, Uart.state, Uart.len);
726 Dbprintf("traceLen=%d, Uart.output[0]=%08x", BigBuf_get_traceLen(), (uint32_t)Uart.output[0]);
727 LEDsoff();
728 }
729
730 //-----------------------------------------------------------------------------
731 // Prepare tag messages
732 //-----------------------------------------------------------------------------
733 static void CodeIso14443aAsTagPar(const uint8_t *cmd, uint16_t len, uint8_t *parity)
734 {
735 ToSendReset();
736
737 // Correction bit, might be removed when not needed
738 ToSendStuffBit(0);
739 ToSendStuffBit(0);
740 ToSendStuffBit(0);
741 ToSendStuffBit(0);
742 ToSendStuffBit(1); // 1
743 ToSendStuffBit(0);
744 ToSendStuffBit(0);
745 ToSendStuffBit(0);
746
747 // Send startbit
748 ToSend[++ToSendMax] = SEC_D;
749 LastProxToAirDuration = 8 * ToSendMax - 4;
750
751 for(uint16_t i = 0; i < len; i++) {
752 uint8_t b = cmd[i];
753
754 // Data bits
755 for(uint16_t j = 0; j < 8; j++) {
756 if(b & 1) {
757 ToSend[++ToSendMax] = SEC_D;
758 } else {
759 ToSend[++ToSendMax] = SEC_E;
760 }
761 b >>= 1;
762 }
763
764 // Get the parity bit
765 if (parity[i>>3] & (0x80>>(i&0x0007))) {
766 ToSend[++ToSendMax] = SEC_D;
767 LastProxToAirDuration = 8 * ToSendMax - 4;
768 } else {
769 ToSend[++ToSendMax] = SEC_E;
770 LastProxToAirDuration = 8 * ToSendMax;
771 }
772 }
773
774 // Send stopbit
775 ToSend[++ToSendMax] = SEC_F;
776
777 // Convert from last byte pos to length
778 ToSendMax++;
779 }
780
781
782 static void Code4bitAnswerAsTag(uint8_t cmd)
783 {
784 int i;
785
786 ToSendReset();
787
788 // Correction bit, might be removed when not needed
789 ToSendStuffBit(0);
790 ToSendStuffBit(0);
791 ToSendStuffBit(0);
792 ToSendStuffBit(0);
793 ToSendStuffBit(1); // 1
794 ToSendStuffBit(0);
795 ToSendStuffBit(0);
796 ToSendStuffBit(0);
797
798 // Send startbit
799 ToSend[++ToSendMax] = SEC_D;
800
801 uint8_t b = cmd;
802 for(i = 0; i < 4; i++) {
803 if(b & 1) {
804 ToSend[++ToSendMax] = SEC_D;
805 LastProxToAirDuration = 8 * ToSendMax - 4;
806 } else {
807 ToSend[++ToSendMax] = SEC_E;
808 LastProxToAirDuration = 8 * ToSendMax;
809 }
810 b >>= 1;
811 }
812
813 // Send stopbit
814 ToSend[++ToSendMax] = SEC_F;
815
816 // Convert from last byte pos to length
817 ToSendMax++;
818 }
819
820
821 static uint8_t *LastReaderTraceTime = NULL;
822
823 static void EmLogTraceReader(void) {
824 // remember last reader trace start to fix timing info later
825 LastReaderTraceTime = BigBuf_get_addr() + BigBuf_get_traceLen();
826 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, true);
827 }
828
829
830 static void FixLastReaderTraceTime(uint32_t tag_StartTime) {
831 uint32_t reader_EndTime = Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG;
832 uint32_t reader_StartTime = Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG;
833 uint16_t reader_modlen = reader_EndTime - reader_StartTime;
834 uint16_t approx_fdt = tag_StartTime - reader_EndTime;
835 uint16_t exact_fdt = (approx_fdt - 20 + 32)/64 * 64 + 20;
836 reader_StartTime = tag_StartTime - exact_fdt - reader_modlen;
837 LastReaderTraceTime[0] = (reader_StartTime >> 0) & 0xff;
838 LastReaderTraceTime[1] = (reader_StartTime >> 8) & 0xff;
839 LastReaderTraceTime[2] = (reader_StartTime >> 16) & 0xff;
840 LastReaderTraceTime[3] = (reader_StartTime >> 24) & 0xff;
841 }
842
843
844 static void EmLogTraceTag(uint8_t *tag_data, uint16_t tag_len, uint8_t *tag_Parity, uint32_t ProxToAirDuration) {
845 uint32_t tag_StartTime = LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG;
846 uint32_t tag_EndTime = (LastTimeProxToAirStart + ProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG;
847 LogTrace(tag_data, tag_len, tag_StartTime, tag_EndTime, tag_Parity, false);
848 FixLastReaderTraceTime(tag_StartTime);
849 }
850
851
852 //-----------------------------------------------------------------------------
853 // Wait for commands from reader
854 // Stop when button is pressed
855 // Or return true when command is captured
856 //-----------------------------------------------------------------------------
857 static int GetIso14443aCommandFromReader(uint8_t *received, uint8_t *parity, int *len)
858 {
859 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
860 // only, since we are receiving, not transmitting).
861 // Signal field is off with the appropriate LED
862 LED_D_OFF();
863 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
864
865 // Now run a `software UART' on the stream of incoming samples.
866 UartInit(received, parity);
867
868 // clear RXRDY:
869 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
870
871 for(;;) {
872 WDT_HIT();
873
874 if(BUTTON_PRESS()) return false;
875
876 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
877 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
878 if(MillerDecoding(b, 0)) {
879 *len = Uart.len;
880 EmLogTraceReader();
881 return true;
882 }
883 }
884 }
885 }
886
887
888 static int EmSend4bitEx(uint8_t resp);
889 int EmSend4bit(uint8_t resp);
890 static int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, uint8_t *par);
891 int EmSendCmdEx(uint8_t *resp, uint16_t respLen);
892 int EmSendPrecompiledCmd(tag_response_info_t *response_info);
893
894
895 static bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffer_size) {
896 // Example response, answer to MIFARE Classic read block will be 16 bytes + 2 CRC = 18 bytes
897 // This will need the following byte array for a modulation sequence
898 // 144 data bits (18 * 8)
899 // 18 parity bits
900 // 2 Start and stop
901 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
902 // 1 just for the case
903 // ----------- +
904 // 166 bytes, since every bit that needs to be send costs us a byte
905 //
906
907
908 // Prepare the tag modulation bits from the message
909 GetParity(response_info->response, response_info->response_n, &(response_info->par));
910 CodeIso14443aAsTagPar(response_info->response,response_info->response_n, &(response_info->par));
911
912 // Make sure we do not exceed the free buffer space
913 if (ToSendMax > max_buffer_size) {
914 Dbprintf("Out of memory, when modulating bits for tag answer:");
915 Dbhexdump(response_info->response_n, response_info->response, false);
916 return false;
917 }
918
919 // Copy the byte array, used for this modulation to the buffer position
920 memcpy(response_info->modulation, ToSend, ToSendMax);
921
922 // Store the number of bytes that were used for encoding/modulation and the time needed to transfer them
923 response_info->modulation_n = ToSendMax;
924 response_info->ProxToAirDuration = LastProxToAirDuration;
925
926 return true;
927 }
928
929
930 // "precompile" responses. There are 7 predefined responses with a total of 28 bytes data to transmit.
931 // Coded responses need one byte per bit to transfer (data, parity, start, stop, correction)
932 // 28 * 8 data bits, 28 * 1 parity bits, 7 start bits, 7 stop bits, 7 correction bits for the modulation
933 // -> need 273 bytes buffer
934 #define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 273
935
936 bool prepare_allocated_tag_modulation(tag_response_info_t* response_info, uint8_t **buffer, size_t *max_buffer_size) {
937
938 // Retrieve and store the current buffer index
939 response_info->modulation = *buffer;
940
941 // Forward the prepare tag modulation function to the inner function
942 if (prepare_tag_modulation(response_info, *max_buffer_size)) {
943 // Update the free buffer offset and the remaining buffer size
944 *buffer += ToSendMax;
945 *max_buffer_size -= ToSendMax;
946 return true;
947 } else {
948 return false;
949 }
950 }
951
952 //-----------------------------------------------------------------------------
953 // Main loop of simulated tag: receive commands from reader, decide what
954 // response to send, and send it.
955 //-----------------------------------------------------------------------------
956 void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
957 {
958 uint8_t sak;
959
960 // The first response contains the ATQA (note: bytes are transmitted in reverse order).
961 uint8_t response1[2];
962
963 switch (tagType) {
964 case 1: { // MIFARE Classic
965 // Says: I am Mifare 1k - original line
966 response1[0] = 0x04;
967 response1[1] = 0x00;
968 sak = 0x08;
969 } break;
970 case 2: { // MIFARE Ultralight
971 // Says: I am a stupid memory tag, no crypto
972 response1[0] = 0x04;
973 response1[1] = 0x00;
974 sak = 0x00;
975 } break;
976 case 3: { // MIFARE DESFire
977 // Says: I am a DESFire tag, ph33r me
978 response1[0] = 0x04;
979 response1[1] = 0x03;
980 sak = 0x20;
981 } break;
982 case 4: { // ISO/IEC 14443-4
983 // Says: I am a javacard (JCOP)
984 response1[0] = 0x04;
985 response1[1] = 0x00;
986 sak = 0x28;
987 } break;
988 case 5: { // MIFARE TNP3XXX
989 // Says: I am a toy
990 response1[0] = 0x01;
991 response1[1] = 0x0f;
992 sak = 0x01;
993 } break;
994 default: {
995 Dbprintf("Error: unkown tagtype (%d)",tagType);
996 return;
997 } break;
998 }
999
1000 // The second response contains the (mandatory) first 24 bits of the UID
1001 uint8_t response2[5] = {0x00};
1002
1003 // Check if the uid uses the (optional) part
1004 uint8_t response2a[5] = {0x00};
1005
1006 if (uid_2nd) {
1007 response2[0] = 0x88;
1008 num_to_bytes(uid_1st,3,response2+1);
1009 num_to_bytes(uid_2nd,4,response2a);
1010 response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3];
1011
1012 // Configure the ATQA and SAK accordingly
1013 response1[0] |= 0x40;
1014 sak |= 0x04;
1015 } else {
1016 num_to_bytes(uid_1st,4,response2);
1017 // Configure the ATQA and SAK accordingly
1018 response1[0] &= 0xBF;
1019 sak &= 0xFB;
1020 }
1021
1022 // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
1023 response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
1024
1025 // Prepare the mandatory SAK (for 4 and 7 byte UID)
1026 uint8_t response3[3] = {0x00};
1027 response3[0] = sak;
1028 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
1029
1030 // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
1031 uint8_t response3a[3] = {0x00};
1032 response3a[0] = sak & 0xFB;
1033 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
1034
1035 uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
1036 uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS:
1037 // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present,
1038 // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
1039 // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
1040 // TC(1) = 0x02: CID supported, NAD not supported
1041 ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]);
1042
1043 #define TAG_RESPONSE_COUNT 7
1044 tag_response_info_t responses[TAG_RESPONSE_COUNT] = {
1045 { .response = response1, .response_n = sizeof(response1) }, // Answer to request - respond with card type
1046 { .response = response2, .response_n = sizeof(response2) }, // Anticollision cascade1 - respond with uid
1047 { .response = response2a, .response_n = sizeof(response2a) }, // Anticollision cascade2 - respond with 2nd half of uid if asked
1048 { .response = response3, .response_n = sizeof(response3) }, // Acknowledge select - cascade 1
1049 { .response = response3a, .response_n = sizeof(response3a) }, // Acknowledge select - cascade 2
1050 { .response = response5, .response_n = sizeof(response5) }, // Authentication answer (random nonce)
1051 { .response = response6, .response_n = sizeof(response6) }, // dummy ATS (pseudo-ATR), answer to RATS
1052 };
1053
1054 // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it
1055 // Such a response is less time critical, so we can prepare them on the fly
1056 #define DYNAMIC_RESPONSE_BUFFER_SIZE 64
1057 #define DYNAMIC_MODULATION_BUFFER_SIZE 512
1058 uint8_t dynamic_response_buffer[DYNAMIC_RESPONSE_BUFFER_SIZE];
1059 uint8_t dynamic_modulation_buffer[DYNAMIC_MODULATION_BUFFER_SIZE];
1060 tag_response_info_t dynamic_response_info = {
1061 .response = dynamic_response_buffer,
1062 .response_n = 0,
1063 .modulation = dynamic_modulation_buffer,
1064 .modulation_n = 0
1065 };
1066
1067 // We need to listen to the high-frequency, peak-detected path.
1068 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1069
1070 BigBuf_free_keep_EM();
1071
1072 // allocate buffers:
1073 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
1074 uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
1075 uint8_t *free_buffer_pointer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
1076 size_t free_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE;
1077 // clear trace
1078 clear_trace();
1079 set_tracing(true);
1080
1081 // Prepare the responses of the anticollision phase
1082 // there will be not enough time to do this at the moment the reader sends it REQA
1083 for (size_t i=0; i<TAG_RESPONSE_COUNT; i++) {
1084 prepare_allocated_tag_modulation(&responses[i], &free_buffer_pointer, &free_buffer_size);
1085 }
1086
1087 int len = 0;
1088
1089 // To control where we are in the protocol
1090 int order = 0;
1091 int lastorder;
1092
1093 // Just to allow some checks
1094 int happened = 0;
1095 int happened2 = 0;
1096 int cmdsRecvd = 0;
1097
1098 cmdsRecvd = 0;
1099 tag_response_info_t* p_response;
1100
1101 LED_A_ON();
1102 for(;;) {
1103 // Clean receive command buffer
1104 if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
1105 DbpString("Button press");
1106 break;
1107 }
1108
1109 p_response = NULL;
1110
1111 // Okay, look at the command now.
1112 lastorder = order;
1113 if(receivedCmd[0] == 0x26) { // Received a REQUEST
1114 p_response = &responses[0]; order = 1;
1115 } else if(receivedCmd[0] == 0x52) { // Received a WAKEUP
1116 p_response = &responses[0]; order = 6;
1117 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // Received request for UID (cascade 1)
1118 p_response = &responses[1]; order = 2;
1119 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x95) { // Received request for UID (cascade 2)
1120 p_response = &responses[2]; order = 20;
1121 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x93) { // Received a SELECT (cascade 1)
1122 p_response = &responses[3]; order = 3;
1123 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) { // Received a SELECT (cascade 2)
1124 p_response = &responses[4]; order = 30;
1125 } else if(receivedCmd[0] == 0x30) { // Received a (plain) READ
1126 EmSendCmdEx(data+(4*receivedCmd[1]),16);
1127 // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
1128 // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
1129 p_response = NULL;
1130 } else if(receivedCmd[0] == 0x50) { // Received a HALT
1131 p_response = NULL;
1132 } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) { // Received an authentication request
1133 p_response = &responses[5]; order = 7;
1134 } else if(receivedCmd[0] == 0xE0) { // Received a RATS request
1135 if (tagType == 1 || tagType == 2) { // RATS not supported
1136 EmSend4bit(CARD_NACK_NA);
1137 p_response = NULL;
1138 } else {
1139 p_response = &responses[6]; order = 70;
1140 }
1141 } else if (order == 7 && len == 8) { // Received {nr] and {ar} (part of authentication)
1142 uint32_t nr = bytes_to_num(receivedCmd,4);
1143 uint32_t ar = bytes_to_num(receivedCmd+4,4);
1144 Dbprintf("Auth attempt {nr}{ar}: %08x %08x",nr,ar);
1145 } else {
1146 // Check for ISO 14443A-4 compliant commands, look at left nibble
1147 switch (receivedCmd[0]) {
1148
1149 case 0x0B:
1150 case 0x0A: { // IBlock (command)
1151 dynamic_response_info.response[0] = receivedCmd[0];
1152 dynamic_response_info.response[1] = 0x00;
1153 dynamic_response_info.response[2] = 0x90;
1154 dynamic_response_info.response[3] = 0x00;
1155 dynamic_response_info.response_n = 4;
1156 } break;
1157
1158 case 0x1A:
1159 case 0x1B: { // Chaining command
1160 dynamic_response_info.response[0] = 0xaa | ((receivedCmd[0]) & 1);
1161 dynamic_response_info.response_n = 2;
1162 } break;
1163
1164 case 0xaa:
1165 case 0xbb: {
1166 dynamic_response_info.response[0] = receivedCmd[0] ^ 0x11;
1167 dynamic_response_info.response_n = 2;
1168 } break;
1169
1170 case 0xBA: { //
1171 memcpy(dynamic_response_info.response,"\xAB\x00",2);
1172 dynamic_response_info.response_n = 2;
1173 } break;
1174
1175 case 0xCA:
1176 case 0xC2: { // Readers sends deselect command
1177 memcpy(dynamic_response_info.response,"\xCA\x00",2);
1178 dynamic_response_info.response_n = 2;
1179 } break;
1180
1181 default: {
1182 // Never seen this command before
1183 Dbprintf("Received unknown command (len=%d):",len);
1184 Dbhexdump(len,receivedCmd,false);
1185 // Do not respond
1186 dynamic_response_info.response_n = 0;
1187 } break;
1188 }
1189
1190 if (dynamic_response_info.response_n > 0) {
1191 // Copy the CID from the reader query
1192 dynamic_response_info.response[1] = receivedCmd[1];
1193
1194 // Add CRC bytes, always used in ISO 14443A-4 compliant cards
1195 AppendCrc14443a(dynamic_response_info.response,dynamic_response_info.response_n);
1196 dynamic_response_info.response_n += 2;
1197
1198 if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
1199 Dbprintf("Error preparing tag response");
1200 break;
1201 }
1202 p_response = &dynamic_response_info;
1203 }
1204 }
1205
1206 // Count number of wakeups received after a halt
1207 if(order == 6 && lastorder == 5) { happened++; }
1208
1209 // Count number of other messages after a halt
1210 if(order != 6 && lastorder == 5) { happened2++; }
1211
1212 if(cmdsRecvd > 999) {
1213 DbpString("1000 commands later...");
1214 break;
1215 }
1216 cmdsRecvd++;
1217
1218 if (p_response != NULL) {
1219 EmSendPrecompiledCmd(p_response);
1220 }
1221
1222 if (!tracing) {
1223 Dbprintf("Trace Full. Simulation stopped.");
1224 break;
1225 }
1226 }
1227
1228 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1229 LED_A_OFF();
1230 BigBuf_free_keep_EM();
1231 }
1232
1233
1234 // prepare a delayed transfer. This simply shifts ToSend[] by a number
1235 // of bits specified in the delay parameter.
1236 static void PrepareDelayedTransfer(uint16_t delay)
1237 {
1238 uint8_t bitmask = 0;
1239 uint8_t bits_to_shift = 0;
1240 uint8_t bits_shifted = 0;
1241
1242 delay &= 0x07;
1243 if (delay) {
1244 for (uint16_t i = 0; i < delay; i++) {
1245 bitmask |= (0x01 << i);
1246 }
1247 ToSend[ToSendMax++] = 0x00;
1248 for (uint16_t i = 0; i < ToSendMax; i++) {
1249 bits_to_shift = ToSend[i] & bitmask;
1250 ToSend[i] = ToSend[i] >> delay;
1251 ToSend[i] = ToSend[i] | (bits_shifted << (8 - delay));
1252 bits_shifted = bits_to_shift;
1253 }
1254 }
1255 }
1256
1257
1258 //-------------------------------------------------------------------------------------
1259 // Transmit the command (to the tag) that was placed in ToSend[].
1260 // Parameter timing:
1261 // if NULL: transfer at next possible time, taking into account
1262 // request guard time, startup frame guard time and frame delay time
1263 // if == 0: transfer immediately and return time of transfer
1264 // if != 0: delay transfer until time specified
1265 //-------------------------------------------------------------------------------------
1266 static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing)
1267 {
1268
1269 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1270
1271 uint32_t ThisTransferTime = 0;
1272
1273 if (timing) {
1274 if(*timing == 0) { // Measure time
1275 *timing = (GetCountSspClk() + 8) & 0xfffffff8;
1276 } else {
1277 PrepareDelayedTransfer(*timing & 0x00000007); // Delay transfer (fine tuning - up to 7 MF clock ticks)
1278 }
1279 if(MF_DBGLEVEL >= 4 && GetCountSspClk() >= (*timing & 0xfffffff8)) Dbprintf("TransmitFor14443a: Missed timing");
1280 while(GetCountSspClk() < (*timing & 0xfffffff8)); // Delay transfer (multiple of 8 MF clock ticks)
1281 LastTimeProxToAirStart = *timing;
1282 } else {
1283 ThisTransferTime = ((MAX(NextTransferTime, GetCountSspClk()) & 0xfffffff8) + 8);
1284 while(GetCountSspClk() < ThisTransferTime);
1285 LastTimeProxToAirStart = ThisTransferTime;
1286 }
1287
1288 // clear TXRDY
1289 AT91C_BASE_SSC->SSC_THR = SEC_Y;
1290
1291 uint16_t c = 0;
1292 for(;;) {
1293 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1294 AT91C_BASE_SSC->SSC_THR = cmd[c];
1295 c++;
1296 if(c >= len) {
1297 break;
1298 }
1299 }
1300 }
1301
1302 NextTransferTime = MAX(NextTransferTime, LastTimeProxToAirStart + REQUEST_GUARD_TIME);
1303 }
1304
1305
1306 //-----------------------------------------------------------------------------
1307 // Prepare reader command (in bits, support short frames) to send to FPGA
1308 //-----------------------------------------------------------------------------
1309 static void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, const uint8_t *parity)
1310 {
1311 int i, j;
1312 int last;
1313 uint8_t b;
1314
1315 ToSendReset();
1316
1317 // Start of Communication (Seq. Z)
1318 ToSend[++ToSendMax] = SEC_Z;
1319 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1320 last = 0;
1321
1322 size_t bytecount = nbytes(bits);
1323 // Generate send structure for the data bits
1324 for (i = 0; i < bytecount; i++) {
1325 // Get the current byte to send
1326 b = cmd[i];
1327 size_t bitsleft = MIN((bits-(i*8)),8);
1328
1329 for (j = 0; j < bitsleft; j++) {
1330 if (b & 1) {
1331 // Sequence X
1332 ToSend[++ToSendMax] = SEC_X;
1333 LastProxToAirDuration = 8 * (ToSendMax+1) - 2;
1334 last = 1;
1335 } else {
1336 if (last == 0) {
1337 // Sequence Z
1338 ToSend[++ToSendMax] = SEC_Z;
1339 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1340 } else {
1341 // Sequence Y
1342 ToSend[++ToSendMax] = SEC_Y;
1343 last = 0;
1344 }
1345 }
1346 b >>= 1;
1347 }
1348
1349 // Only transmit parity bit if we transmitted a complete byte
1350 if (j == 8 && parity != NULL) {
1351 // Get the parity bit
1352 if (parity[i>>3] & (0x80 >> (i&0x0007))) {
1353 // Sequence X
1354 ToSend[++ToSendMax] = SEC_X;
1355 LastProxToAirDuration = 8 * (ToSendMax+1) - 2;
1356 last = 1;
1357 } else {
1358 if (last == 0) {
1359 // Sequence Z
1360 ToSend[++ToSendMax] = SEC_Z;
1361 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1362 } else {
1363 // Sequence Y
1364 ToSend[++ToSendMax] = SEC_Y;
1365 last = 0;
1366 }
1367 }
1368 }
1369 }
1370
1371 // End of Communication: Logic 0 followed by Sequence Y
1372 if (last == 0) {
1373 // Sequence Z
1374 ToSend[++ToSendMax] = SEC_Z;
1375 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1376 } else {
1377 // Sequence Y
1378 ToSend[++ToSendMax] = SEC_Y;
1379 last = 0;
1380 }
1381 ToSend[++ToSendMax] = SEC_Y;
1382
1383 // Convert to length of command:
1384 ToSendMax++;
1385 }
1386
1387
1388 //-----------------------------------------------------------------------------
1389 // Wait for commands from reader
1390 // Stop when button is pressed (return 1) or field was gone (return 2)
1391 // Or return 0 when command is captured
1392 //-----------------------------------------------------------------------------
1393 int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity)
1394 {
1395 *len = 0;
1396
1397 uint32_t timer = 0, vtime = 0;
1398 int analogCnt = 0;
1399 int analogAVG = 0;
1400
1401 // Set ADC to read field strength
1402 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
1403 AT91C_BASE_ADC->ADC_MR =
1404 ADC_MODE_PRESCALE(63) |
1405 ADC_MODE_STARTUP_TIME(1) |
1406 ADC_MODE_SAMPLE_HOLD_TIME(15);
1407 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
1408 // start ADC
1409 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1410
1411 // Run a 'software UART' on the stream of incoming samples.
1412 UartInit(received, parity);
1413
1414 // Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN
1415 do {
1416 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1417 AT91C_BASE_SSC->SSC_THR = SEC_F;
1418 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; (void) b;
1419 }
1420 } while (GetCountSspClk() < LastTimeProxToAirStart + LastProxToAirDuration + (FpgaSendQueueDelay>>3));
1421
1422 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1423 // only, since we are receiving, not transmitting).
1424 // Signal field is off with the appropriate LED
1425 LED_D_OFF();
1426 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1427
1428 for(;;) {
1429 WDT_HIT();
1430
1431 if (BUTTON_PRESS()) return 1;
1432
1433 // test if the field exists
1434 if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
1435 analogCnt++;
1436 analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
1437 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1438 if (analogCnt >= 32) {
1439 if ((MAX_ADC_HF_VOLTAGE * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
1440 vtime = GetTickCount();
1441 if (!timer) timer = vtime;
1442 // 50ms no field --> card to idle state
1443 if (vtime - timer > 50) return 2;
1444 } else
1445 if (timer) timer = 0;
1446 analogCnt = 0;
1447 analogAVG = 0;
1448 }
1449 }
1450
1451 // receive and test the miller decoding
1452 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1453 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1454 if(MillerDecoding(b, 0)) {
1455 *len = Uart.len;
1456 EmLogTraceReader();
1457 return 0;
1458 }
1459 }
1460
1461 }
1462 }
1463
1464
1465 static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen)
1466 {
1467 uint8_t b;
1468 uint16_t i = 0;
1469 bool correctionNeeded;
1470
1471 // Modulate Manchester
1472 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1473
1474 // include correction bit if necessary
1475 if (Uart.bitCount == 7)
1476 {
1477 // Short tags (7 bits) don't have parity, determine the correct value from MSB
1478 correctionNeeded = Uart.output[0] & 0x40;
1479 }
1480 else
1481 {
1482 // Look at the last parity bit
1483 correctionNeeded = Uart.parity[(Uart.len-1)/8] & (0x80 >> ((Uart.len-1) & 7));
1484 }
1485
1486 if(correctionNeeded) {
1487 // 1236, so correction bit needed
1488 i = 0;
1489 } else {
1490 i = 1;
1491 }
1492
1493 // clear receiving shift register and holding register
1494 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
1495 b = AT91C_BASE_SSC->SSC_RHR; (void) b;
1496 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
1497 b = AT91C_BASE_SSC->SSC_RHR; (void) b;
1498
1499 // wait for the FPGA to signal fdt_indicator == 1 (the FPGA is ready to queue new data in its delay line)
1500 for (uint16_t j = 0; j < 5; j++) { // allow timeout - better late than never
1501 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
1502 if (AT91C_BASE_SSC->SSC_RHR) break;
1503 }
1504
1505 LastTimeProxToAirStart = (GetCountSspClk() & 0xfffffff8) + (correctionNeeded?8:0);
1506
1507 // send cycle
1508 for(; i < respLen; ) {
1509 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1510 AT91C_BASE_SSC->SSC_THR = resp[i++];
1511 FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1512 }
1513
1514 if(BUTTON_PRESS()) {
1515 break;
1516 }
1517 }
1518
1519 return 0;
1520 }
1521
1522
1523 static int EmSend4bitEx(uint8_t resp){
1524 Code4bitAnswerAsTag(resp);
1525 int res = EmSendCmd14443aRaw(ToSend, ToSendMax);
1526 // do the tracing for the previous reader request and this tag answer:
1527 EmLogTraceTag(&resp, 1, NULL, LastProxToAirDuration);
1528 return res;
1529 }
1530
1531
1532 int EmSend4bit(uint8_t resp){
1533 return EmSend4bitEx(resp);
1534 }
1535
1536
1537 static int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, uint8_t *par){
1538 CodeIso14443aAsTagPar(resp, respLen, par);
1539 int res = EmSendCmd14443aRaw(ToSend, ToSendMax);
1540 // do the tracing for the previous reader request and this tag answer:
1541 EmLogTraceTag(resp, respLen, par, LastProxToAirDuration);
1542 return res;
1543 }
1544
1545
1546 int EmSendCmdEx(uint8_t *resp, uint16_t respLen){
1547 uint8_t par[MAX_PARITY_SIZE];
1548 GetParity(resp, respLen, par);
1549 return EmSendCmdExPar(resp, respLen, par);
1550 }
1551
1552
1553 int EmSendCmd(uint8_t *resp, uint16_t respLen){
1554 uint8_t par[MAX_PARITY_SIZE];
1555 GetParity(resp, respLen, par);
1556 return EmSendCmdExPar(resp, respLen, par);
1557 }
1558
1559
1560 int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par){
1561 return EmSendCmdExPar(resp, respLen, par);
1562 }
1563
1564
1565 int EmSendPrecompiledCmd(tag_response_info_t *response_info) {
1566 int ret = EmSendCmd14443aRaw(response_info->modulation, response_info->modulation_n);
1567 // do the tracing for the previous reader request and this tag answer:
1568 EmLogTraceTag(response_info->response, response_info->response_n, &(response_info->par), response_info->ProxToAirDuration);
1569 return ret;
1570 }
1571
1572
1573 //-----------------------------------------------------------------------------
1574 // Wait a certain time for tag response
1575 // If a response is captured return true
1576 // If it takes too long return false
1577 //-----------------------------------------------------------------------------
1578 static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receivedResponsePar, uint16_t offset)
1579 {
1580 uint32_t c;
1581
1582 // Set FPGA mode to "reader listen mode", no modulation (listen
1583 // only, since we are receiving, not transmitting).
1584 // Signal field is on with the appropriate LED
1585 LED_D_ON();
1586 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1587
1588 // Now get the answer from the card
1589 DemodInit(receivedResponse, receivedResponsePar);
1590
1591 // clear RXRDY:
1592 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1593
1594 c = 0;
1595 for(;;) {
1596 WDT_HIT();
1597
1598 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1599 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1600 if(ManchesterDecoding(b, offset, 0)) {
1601 NextTransferTime = MAX(NextTransferTime, Demod.endTime - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/16 + FRAME_DELAY_TIME_PICC_TO_PCD);
1602 return true;
1603 } else if (c++ > iso14a_timeout && Demod.state == DEMOD_UNSYNCD) {
1604 return false;
1605 }
1606 }
1607 }
1608 }
1609
1610
1611 void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing)
1612 {
1613 CodeIso14443aBitsAsReaderPar(frame, bits, par);
1614
1615 // Send command to tag
1616 TransmitFor14443a(ToSend, ToSendMax, timing);
1617 if(trigger)
1618 LED_A_ON();
1619
1620 // Log reader command in trace buffer
1621 if (tracing) {
1622 LogTrace(frame, nbytes(bits), LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_READER, (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_READER, par, true);
1623 }
1624 }
1625
1626
1627 void ReaderTransmitPar(uint8_t* frame, uint16_t len, uint8_t *par, uint32_t *timing)
1628 {
1629 ReaderTransmitBitsPar(frame, len*8, par, timing);
1630 }
1631
1632
1633 static void ReaderTransmitBits(uint8_t* frame, uint16_t len, uint32_t *timing)
1634 {
1635 // Generate parity and redirect
1636 uint8_t par[MAX_PARITY_SIZE];
1637 GetParity(frame, len/8, par);
1638 ReaderTransmitBitsPar(frame, len, par, timing);
1639 }
1640
1641
1642 void ReaderTransmit(uint8_t* frame, uint16_t len, uint32_t *timing)
1643 {
1644 // Generate parity and redirect
1645 uint8_t par[MAX_PARITY_SIZE];
1646 GetParity(frame, len, par);
1647 ReaderTransmitBitsPar(frame, len*8, par, timing);
1648 }
1649
1650
1651 static int ReaderReceiveOffset(uint8_t* receivedAnswer, uint16_t offset, uint8_t *parity)
1652 {
1653 if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, offset)) return false;
1654 if (tracing) {
1655 LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, false);
1656 }
1657 return Demod.len;
1658 }
1659
1660
1661 int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity)
1662 {
1663 if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, 0)) return false;
1664 if (tracing) {
1665 LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, false);
1666 }
1667 return Demod.len;
1668 }
1669
1670
1671 static void iso14a_set_ATS_times(uint8_t *ats) {
1672
1673 uint8_t tb1;
1674 uint8_t fwi, sfgi;
1675 uint32_t fwt, sfgt;
1676
1677 if (ats[0] > 1) { // there is a format byte T0
1678 if ((ats[1] & 0x20) == 0x20) { // there is an interface byte TB(1)
1679 if ((ats[1] & 0x10) == 0x10) { // there is an interface byte TA(1) preceding TB(1)
1680 tb1 = ats[3];
1681 } else {
1682 tb1 = ats[2];
1683 }
1684 fwi = (tb1 & 0xf0) >> 4; // frame waiting time integer (FWI)
1685 if (fwi != 15) {
1686 fwt = 256 * 16 * (1 << fwi); // frame waiting time (FWT) in 1/fc
1687 iso14a_set_timeout(fwt/(8*16));
1688 }
1689 sfgi = tb1 & 0x0f; // startup frame guard time integer (SFGI)
1690 if (sfgi != 0 && sfgi != 15) {
1691 sfgt = 256 * 16 * (1 << sfgi); // startup frame guard time (SFGT) in 1/fc
1692 NextTransferTime = MAX(NextTransferTime, Demod.endTime + (sfgt - DELAY_AIR2ARM_AS_READER - DELAY_ARM2AIR_AS_READER)/16);
1693 }
1694 }
1695 }
1696 }
1697
1698
1699 static int GetATQA(uint8_t *resp, uint8_t *resp_par) {
1700
1701 #define WUPA_RETRY_TIMEOUT 10 // 10ms
1702 uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
1703
1704 uint32_t save_iso14a_timeout = iso14a_get_timeout();
1705 iso14a_set_timeout(1236/(16*8)+1); // response to WUPA is expected at exactly 1236/fc. No need to wait longer.
1706
1707 uint32_t start_time = GetTickCount();
1708 int len;
1709
1710 // we may need several tries if we did send an unknown command or a wrong authentication before...
1711 do {
1712 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1713 ReaderTransmitBitsPar(wupa, 7, NULL, NULL);
1714 // Receive the ATQA
1715 len = ReaderReceive(resp, resp_par);
1716 } while (len == 0 && GetTickCount() <= start_time + WUPA_RETRY_TIMEOUT);
1717
1718 iso14a_set_timeout(save_iso14a_timeout);
1719 return len;
1720 }
1721
1722
1723 // performs iso14443a anticollision (optional) and card select procedure
1724 // fills the uid and cuid pointer unless NULL
1725 // fills the card info record unless NULL
1726 // if anticollision is false, then the UID must be provided in uid_ptr[]
1727 // and num_cascades must be set (1: 4 Byte UID, 2: 7 Byte UID, 3: 10 Byte UID)
1728 // requests ATS unless no_rats is true
1729 int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades, bool no_rats) {
1730 uint8_t sel_all[] = { 0x93,0x20 };
1731 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
1732 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
1733 uint8_t resp[MAX_FRAME_SIZE]; // theoretically. A usual RATS will be much smaller
1734 uint8_t resp_par[MAX_PARITY_SIZE];
1735 byte_t uid_resp[4];
1736 size_t uid_resp_len;
1737
1738 uint8_t sak = 0x04; // cascade uid
1739 int cascade_level = 0;
1740 int len;
1741
1742 // init card struct
1743 if(p_hi14a_card) {
1744 p_hi14a_card->uidlen = 0;
1745 memset(p_hi14a_card->uid, 0, 10);
1746 p_hi14a_card->ats_len = 0;
1747 }
1748
1749 if (!GetATQA(resp, resp_par)) {
1750 return 0;
1751 }
1752
1753 if(p_hi14a_card) {
1754 memcpy(p_hi14a_card->atqa, resp, 2);
1755 }
1756
1757 if (anticollision) {
1758 // clear uid
1759 if (uid_ptr) {
1760 memset(uid_ptr,0,10);
1761 }
1762 }
1763
1764 // check for proprietary anticollision:
1765 if ((resp[0] & 0x1F) == 0) {
1766 return 3;
1767 }
1768
1769 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
1770 // which case we need to make a cascade 2 request and select - this is a long UID
1771 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1772 for(; sak & 0x04; cascade_level++) {
1773 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1774 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1775
1776 if (anticollision) {
1777 // SELECT_ALL
1778 ReaderTransmit(sel_all, sizeof(sel_all), NULL);
1779 if (!ReaderReceive(resp, resp_par)) return 0;
1780
1781 if (Demod.collisionPos) { // we had a collision and need to construct the UID bit by bit
1782 memset(uid_resp, 0, 4);
1783 uint16_t uid_resp_bits = 0;
1784 uint16_t collision_answer_offset = 0;
1785 // anti-collision-loop:
1786 while (Demod.collisionPos) {
1787 Dbprintf("Multiple tags detected. Collision after Bit %d", Demod.collisionPos);
1788 for (uint16_t i = collision_answer_offset; i < Demod.collisionPos; i++, uid_resp_bits++) { // add valid UID bits before collision point
1789 uint16_t UIDbit = (resp[i/8] >> (i % 8)) & 0x01;
1790 uid_resp[uid_resp_bits / 8] |= UIDbit << (uid_resp_bits % 8);
1791 }
1792 uid_resp[uid_resp_bits/8] |= 1 << (uid_resp_bits % 8); // next time select the card(s) with a 1 in the collision position
1793 uid_resp_bits++;
1794 // construct anticollosion command:
1795 sel_uid[1] = ((2 + uid_resp_bits/8) << 4) | (uid_resp_bits & 0x07); // length of data in bytes and bits
1796 for (uint16_t i = 0; i <= uid_resp_bits/8; i++) {
1797 sel_uid[2+i] = uid_resp[i];
1798 }
1799 collision_answer_offset = uid_resp_bits%8;
1800 ReaderTransmitBits(sel_uid, 16 + uid_resp_bits, NULL);
1801 if (!ReaderReceiveOffset(resp, collision_answer_offset, resp_par)) return 0;
1802 }
1803 // finally, add the last bits and BCC of the UID
1804 for (uint16_t i = collision_answer_offset; i < (Demod.len-1)*8; i++, uid_resp_bits++) {
1805 uint16_t UIDbit = (resp[i/8] >> (i%8)) & 0x01;
1806 uid_resp[uid_resp_bits/8] |= UIDbit << (uid_resp_bits % 8);
1807 }
1808
1809 } else { // no collision, use the response to SELECT_ALL as current uid
1810 memcpy(uid_resp, resp, 4);
1811 }
1812 } else {
1813 if (cascade_level < num_cascades - 1) {
1814 uid_resp[0] = 0x88;
1815 memcpy(uid_resp+1, uid_ptr+cascade_level*3, 3);
1816 } else {
1817 memcpy(uid_resp, uid_ptr+cascade_level*3, 4);
1818 }
1819 }
1820 uid_resp_len = 4;
1821
1822 // calculate crypto UID. Always use last 4 Bytes.
1823 if(cuid_ptr) {
1824 *cuid_ptr = bytes_to_num(uid_resp, 4);
1825 }
1826
1827 // Construct SELECT UID command
1828 sel_uid[1] = 0x70; // transmitting a full UID (1 Byte cmd, 1 Byte NVB, 4 Byte UID, 1 Byte BCC, 2 Bytes CRC)
1829 memcpy(sel_uid+2, uid_resp, 4); // the UID received during anticollision, or the provided UID
1830 sel_uid[6] = sel_uid[2] ^ sel_uid[3] ^ sel_uid[4] ^ sel_uid[5]; // calculate and add BCC
1831 AppendCrc14443a(sel_uid, 7); // calculate and add CRC
1832 ReaderTransmit(sel_uid, sizeof(sel_uid), NULL);
1833
1834 // Receive the SAK
1835 if (!ReaderReceive(resp, resp_par)) return 0;
1836 sak = resp[0];
1837
1838 // Test if more parts of the uid are coming
1839 if ((sak & 0x04) /* && uid_resp[0] == 0x88 */) {
1840 // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
1841 // http://www.nxp.com/documents/application_note/AN10927.pdf
1842 uid_resp[0] = uid_resp[1];
1843 uid_resp[1] = uid_resp[2];
1844 uid_resp[2] = uid_resp[3];
1845 uid_resp_len = 3;
1846 }
1847
1848 if(uid_ptr && anticollision) {
1849 memcpy(uid_ptr + (cascade_level*3), uid_resp, uid_resp_len);
1850 }
1851
1852 if(p_hi14a_card) {
1853 memcpy(p_hi14a_card->uid + (cascade_level*3), uid_resp, uid_resp_len);
1854 p_hi14a_card->uidlen += uid_resp_len;
1855 }
1856 }
1857
1858 if(p_hi14a_card) {
1859 p_hi14a_card->sak = sak;
1860 }
1861
1862 // PICC compilant with iso14443a-4 ---> (SAK & 0x20 != 0)
1863 if( (sak & 0x20) == 0) return 2;
1864
1865 if (!no_rats) {
1866 // Request for answer to select
1867 AppendCrc14443a(rats, 2);
1868 ReaderTransmit(rats, sizeof(rats), NULL);
1869
1870 if (!(len = ReaderReceive(resp, resp_par))) return 0;
1871
1872 if(p_hi14a_card) {
1873 memcpy(p_hi14a_card->ats, resp, len);
1874 p_hi14a_card->ats_len = len;
1875 }
1876
1877 // reset the PCB block number
1878 iso14_pcb_blocknum = 0;
1879
1880 // set default timeout and delay next transfer based on ATS
1881 iso14a_set_ATS_times(resp);
1882
1883 }
1884 return 1;
1885 }
1886
1887
1888 void iso14443a_setup(uint8_t fpga_minor_mode) {
1889 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1890 // Set up the synchronous serial port
1891 FpgaSetupSsc();
1892 // connect Demodulated Signal to ADC:
1893 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1894
1895 // Signal field is on with the appropriate LED
1896 if (fpga_minor_mode == FPGA_HF_ISO14443A_READER_MOD
1897 || fpga_minor_mode == FPGA_HF_ISO14443A_READER_LISTEN) {
1898 LED_D_ON();
1899 } else {
1900 LED_D_OFF();
1901 }
1902 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | fpga_minor_mode);
1903
1904 // Start the timer
1905 StartCountSspClk();
1906
1907 DemodReset();
1908 UartReset();
1909 NextTransferTime = 2*DELAY_ARM2AIR_AS_READER;
1910 iso14a_set_timeout(1060); // 10ms default
1911 }
1912
1913 /* Peter Fillmore 2015
1914 Added card id field to the function
1915 info from ISO14443A standard
1916 b1 = Block Number
1917 b2 = RFU (always 1)
1918 b3 = depends on block
1919 b4 = Card ID following if set to 1
1920 b5 = depends on block type
1921 b6 = depends on block type
1922 b7,b8 = block type.
1923 Coding of I-BLOCK:
1924 b8 b7 b6 b5 b4 b3 b2 b1
1925 0 0 0 x x x 1 x
1926 b5 = chaining bit
1927 Coding of R-block:
1928 b8 b7 b6 b5 b4 b3 b2 b1
1929 1 0 1 x x 0 1 x
1930 b5 = ACK/NACK
1931 Coding of S-block:
1932 b8 b7 b6 b5 b4 b3 b2 b1
1933 1 1 x x x 0 1 0
1934 b5,b6 = 00 - DESELECT
1935 11 - WTX
1936 */
1937 int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
1938 uint8_t parity[MAX_PARITY_SIZE];
1939 uint8_t real_cmd[cmd_len + 4];
1940
1941 // ISO 14443 APDU frame: PCB [CID] [NAD] APDU CRC PCB=0x02
1942 real_cmd[0] = 0x02; // bnr,nad,cid,chn=0; i-block(0x00)
1943 // put block number into the PCB
1944 real_cmd[0] |= iso14_pcb_blocknum;
1945 memcpy(real_cmd + 1, cmd, cmd_len);
1946 AppendCrc14443a(real_cmd, cmd_len + 1);
1947
1948 ReaderTransmit(real_cmd, cmd_len + 3, NULL);
1949
1950 size_t len = ReaderReceive(data, parity);
1951 uint8_t *data_bytes = (uint8_t *) data;
1952
1953 if (!len) {
1954 return 0; //DATA LINK ERROR
1955 } else{
1956 // S-Block WTX
1957 while((data_bytes[0] & 0xF2) == 0xF2) {
1958 uint32_t save_iso14a_timeout = iso14a_get_timeout();
1959 // temporarily increase timeout
1960 iso14a_set_timeout(MAX((data_bytes[1] & 0x3f) * save_iso14a_timeout, MAX_ISO14A_TIMEOUT));
1961 // Transmit WTX back
1962 // byte1 - WTXM [1..59]. command FWT=FWT*WTXM
1963 data_bytes[1] = data_bytes[1] & 0x3f; // 2 high bits mandatory set to 0b
1964 // now need to fix CRC.
1965 AppendCrc14443a(data_bytes, len - 2);
1966 // transmit S-Block
1967 ReaderTransmit(data_bytes, len, NULL);
1968 // retrieve the result again (with increased timeout)
1969 len = ReaderReceive(data, parity);
1970 data_bytes = data;
1971 // restore timeout
1972 iso14a_set_timeout(save_iso14a_timeout);
1973 }
1974
1975 // if we received an I- or R(ACK)-Block with a block number equal to the
1976 // current block number, toggle the current block number
1977 if (len >= 3 // PCB+CRC = 3 bytes
1978 && ((data_bytes[0] & 0xC0) == 0 // I-Block
1979 || (data_bytes[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
1980 && (data_bytes[0] & 0x01) == iso14_pcb_blocknum) // equal block numbers
1981 {
1982 iso14_pcb_blocknum ^= 1;
1983 }
1984
1985 // crc check
1986 if (len >=3 && !CheckCrc14443(CRC_14443_A, data_bytes, len)) {
1987 return -1;
1988 }
1989
1990 }
1991
1992 // cut frame byte
1993 len -= 1;
1994 // memmove(data_bytes, data_bytes + 1, len);
1995 for (int i = 0; i < len; i++)
1996 data_bytes[i] = data_bytes[i + 1];
1997
1998 return len;
1999 }
2000
2001
2002 //-----------------------------------------------------------------------------
2003 // Read an ISO 14443a tag. Send out commands and store answers.
2004 //
2005 //-----------------------------------------------------------------------------
2006 void ReaderIso14443a(UsbCommand *c)
2007 {
2008 iso14a_command_t param = c->arg[0];
2009 uint8_t *cmd = c->d.asBytes;
2010 size_t len = c->arg[1] & 0xffff;
2011 size_t lenbits = c->arg[1] >> 16;
2012 uint32_t timeout = c->arg[2];
2013 uint32_t arg0 = 0;
2014 byte_t buf[USB_CMD_DATA_SIZE] = {0};
2015 uint8_t par[MAX_PARITY_SIZE];
2016 bool cantSELECT = false;
2017
2018 set_tracing(true);
2019
2020 if(param & ISO14A_CLEAR_TRACE) {
2021 clear_trace();
2022 }
2023
2024 if(param & ISO14A_REQUEST_TRIGGER) {
2025 iso14a_set_trigger(true);
2026 }
2027
2028 if(param & ISO14A_CONNECT) {
2029 LED_A_ON();
2030 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
2031 if(!(param & ISO14A_NO_SELECT)) {
2032 iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
2033 arg0 = iso14443a_select_card(NULL, card, NULL, true, 0, param & ISO14A_NO_RATS);
2034
2035 // if we cant select then we cant send data
2036 if (arg0 != 1 && arg0 != 2) {
2037 // 1 - all is OK with ATS, 2 - without ATS
2038 cantSELECT = true;
2039 }
2040
2041 LED_B_ON();
2042 cmd_send(CMD_ACK,arg0,card->uidlen,0,buf,sizeof(iso14a_card_select_t));
2043 LED_B_OFF();
2044 }
2045 }
2046
2047 if(param & ISO14A_SET_TIMEOUT) {
2048 iso14a_set_timeout(timeout);
2049 }
2050
2051 if(param & ISO14A_APDU && !cantSELECT) {
2052 arg0 = iso14_apdu(cmd, len, buf);
2053 LED_B_ON();
2054 cmd_send(CMD_ACK, arg0, 0, 0, buf, sizeof(buf));
2055 LED_B_OFF();
2056 }
2057
2058 if(param & ISO14A_RAW && !cantSELECT) {
2059 if(param & ISO14A_APPEND_CRC) {
2060 if(param & ISO14A_TOPAZMODE) {
2061 AppendCrc14443b(cmd,len);
2062 } else {
2063 AppendCrc14443a(cmd,len);
2064 }
2065 len += 2;
2066 if (lenbits) lenbits += 16;
2067 }
2068 if(lenbits>0) { // want to send a specific number of bits (e.g. short commands)
2069 if(param & ISO14A_TOPAZMODE) {
2070 int bits_to_send = lenbits;
2071 uint16_t i = 0;
2072 ReaderTransmitBitsPar(&cmd[i++], MIN(bits_to_send, 7), NULL, NULL); // first byte is always short (7bits) and no parity
2073 bits_to_send -= 7;
2074 while (bits_to_send > 0) {
2075 ReaderTransmitBitsPar(&cmd[i++], MIN(bits_to_send, 8), NULL, NULL); // following bytes are 8 bit and no parity
2076 bits_to_send -= 8;
2077 }
2078 } else {
2079 GetParity(cmd, lenbits/8, par);
2080 ReaderTransmitBitsPar(cmd, lenbits, par, NULL); // bytes are 8 bit with odd parity
2081 }
2082 } else { // want to send complete bytes only
2083 if(param & ISO14A_TOPAZMODE) {
2084 uint16_t i = 0;
2085 ReaderTransmitBitsPar(&cmd[i++], 7, NULL, NULL); // first byte: 7 bits, no paritiy
2086 while (i < len) {
2087 ReaderTransmitBitsPar(&cmd[i++], 8, NULL, NULL); // following bytes: 8 bits, no paritiy
2088 }
2089 } else {
2090 ReaderTransmit(cmd,len, NULL); // 8 bits, odd parity
2091 }
2092 }
2093 arg0 = ReaderReceive(buf, par);
2094
2095 LED_B_ON();
2096 cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
2097 LED_B_OFF();
2098 }
2099
2100 if(param & ISO14A_REQUEST_TRIGGER) {
2101 iso14a_set_trigger(false);
2102 }
2103
2104 if(param & ISO14A_NO_DISCONNECT) {
2105 return;
2106 }
2107
2108 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2109 LEDsoff();
2110 }
2111
2112
2113 // Determine the distance between two nonces.
2114 // Assume that the difference is small, but we don't know which is first.
2115 // Therefore try in alternating directions.
2116 static int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
2117
2118 uint16_t i;
2119 uint32_t nttmp1, nttmp2;
2120
2121 if (nt1 == nt2) return 0;
2122
2123 nttmp1 = nt1;
2124 nttmp2 = nt2;
2125
2126 for (i = 1; i < 32768; i++) {
2127 nttmp1 = prng_successor(nttmp1, 1);
2128 if (nttmp1 == nt2) return i;
2129 nttmp2 = prng_successor(nttmp2, 1);
2130 if (nttmp2 == nt1) return -i;
2131 }
2132
2133 return(-99999); // either nt1 or nt2 are invalid nonces
2134 }
2135
2136
2137 //-----------------------------------------------------------------------------
2138 // Recover several bits of the cypher stream. This implements (first stages of)
2139 // the algorithm described in "The Dark Side of Security by Obscurity and
2140 // Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
2141 // (article by Nicolas T. Courtois, 2009)
2142 //-----------------------------------------------------------------------------
2143 void ReaderMifare(bool first_try)
2144 {
2145 // Mifare AUTH
2146 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
2147 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
2148 static uint8_t mf_nr_ar3;
2149
2150 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
2151 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
2152
2153 if (first_try) {
2154 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
2155 }
2156
2157 // free eventually allocated BigBuf memory. We want all for tracing.
2158 BigBuf_free();
2159
2160 clear_trace();
2161 set_tracing(true);
2162
2163 byte_t nt_diff = 0;
2164 uint8_t par[1] = {0}; // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
2165 static byte_t par_low = 0;
2166 bool led_on = true;
2167 uint8_t uid[10] ={0};
2168 uint32_t cuid;
2169
2170 uint32_t nt = 0;
2171 uint32_t previous_nt = 0;
2172 static uint32_t nt_attacked = 0;
2173 byte_t par_list[8] = {0x00};
2174 byte_t ks_list[8] = {0x00};
2175
2176 #define PRNG_SEQUENCE_LENGTH (1 << 16);
2177 static uint32_t sync_time;
2178 static int32_t sync_cycles;
2179 int catch_up_cycles = 0;
2180 int last_catch_up = 0;
2181 uint16_t elapsed_prng_sequences;
2182 uint16_t consecutive_resyncs = 0;
2183 int isOK = 0;
2184
2185 if (first_try) {
2186 mf_nr_ar3 = 0;
2187 sync_time = GetCountSspClk() & 0xfffffff8;
2188 sync_cycles = PRNG_SEQUENCE_LENGTH; // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the tag nonces).
2189 nt_attacked = 0;
2190 par[0] = 0;
2191 }
2192 else {
2193 // we were unsuccessful on a previous call. Try another READER nonce (first 3 parity bits remain the same)
2194 mf_nr_ar3++;
2195 mf_nr_ar[3] = mf_nr_ar3;
2196 par[0] = par_low;
2197 }
2198
2199 LED_A_ON();
2200 LED_B_OFF();
2201 LED_C_OFF();
2202
2203
2204 #define MAX_UNEXPECTED_RANDOM 4 // maximum number of unexpected (i.e. real) random numbers when trying to sync. Then give up.
2205 #define MAX_SYNC_TRIES 32
2206 #define NUM_DEBUG_INFOS 8 // per strategy
2207 #define MAX_STRATEGY 3
2208 uint16_t unexpected_random = 0;
2209 uint16_t sync_tries = 0;
2210 int16_t debug_info_nr = -1;
2211 uint16_t strategy = 0;
2212 int32_t debug_info[MAX_STRATEGY][NUM_DEBUG_INFOS];
2213 uint32_t select_time;
2214 uint32_t halt_time;
2215
2216 for(uint16_t i = 0; true; i++) {
2217
2218 LED_C_ON();
2219 WDT_HIT();
2220
2221 // Test if the action was cancelled
2222 if(BUTTON_PRESS()) {
2223 isOK = -1;
2224 break;
2225 }
2226
2227 if (strategy == 2) {
2228 // test with additional hlt command
2229 halt_time = 0;
2230 int len = mifare_sendcmd_short(NULL, false, 0x50, 0x00, receivedAnswer, receivedAnswerPar, &halt_time);
2231 if (len && MF_DBGLEVEL >= 3) {
2232 Dbprintf("Unexpected response of %d bytes to hlt command (additional debugging).", len);
2233 }
2234 }
2235
2236 if (strategy == 3) {
2237 // test with FPGA power off/on
2238 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2239 SpinDelay(200);
2240 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
2241 SpinDelay(100);
2242 }
2243
2244 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
2245 if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Can't select card");
2246 continue;
2247 }
2248 select_time = GetCountSspClk();
2249
2250 elapsed_prng_sequences = 1;
2251 if (debug_info_nr == -1) {
2252 sync_time = (sync_time & 0xfffffff8) + sync_cycles + catch_up_cycles;
2253 catch_up_cycles = 0;
2254
2255 // if we missed the sync time already, advance to the next nonce repeat
2256 while(GetCountSspClk() > sync_time) {
2257 elapsed_prng_sequences++;
2258 sync_time = (sync_time & 0xfffffff8) + sync_cycles;
2259 }
2260
2261 // Transmit MIFARE_CLASSIC_AUTH at synctime. Should result in returning the same tag nonce (== nt_attacked)
2262 ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);
2263 } else {
2264 // collect some information on tag nonces for debugging:
2265 #define DEBUG_FIXED_SYNC_CYCLES PRNG_SEQUENCE_LENGTH
2266 if (strategy == 0) {
2267 // nonce distances at fixed time after card select:
2268 sync_time = select_time + DEBUG_FIXED_SYNC_CYCLES;
2269 } else if (strategy == 1) {
2270 // nonce distances at fixed time between authentications:
2271 sync_time = sync_time + DEBUG_FIXED_SYNC_CYCLES;
2272 } else if (strategy == 2) {
2273 // nonce distances at fixed time after halt:
2274 sync_time = halt_time + DEBUG_FIXED_SYNC_CYCLES;
2275 } else {
2276 // nonce_distances at fixed time after power on
2277 sync_time = DEBUG_FIXED_SYNC_CYCLES;
2278 }
2279 ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);
2280 }
2281
2282 // Receive the (4 Byte) "random" nonce
2283 if (!ReaderReceive(receivedAnswer, receivedAnswerPar)) {
2284 if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Couldn't receive tag nonce");
2285 continue;
2286 }
2287
2288 previous_nt = nt;
2289 nt = bytes_to_num(receivedAnswer, 4);
2290
2291 // Transmit reader nonce with fake par
2292 ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par, NULL);
2293
2294 if (first_try && previous_nt && !nt_attacked) { // we didn't calibrate our clock yet
2295 int nt_distance = dist_nt(previous_nt, nt);
2296 if (nt_distance == 0) {
2297 nt_attacked = nt;
2298 } else {
2299 if (nt_distance == -99999) { // invalid nonce received
2300 unexpected_random++;
2301 if (unexpected_random > MAX_UNEXPECTED_RANDOM) {
2302 isOK = -3; // Card has an unpredictable PRNG. Give up
2303 break;
2304 } else {
2305 continue; // continue trying...
2306 }
2307 }
2308 if (++sync_tries > MAX_SYNC_TRIES) {
2309 if (strategy > MAX_STRATEGY || MF_DBGLEVEL < 3) {
2310 isOK = -4; // Card's PRNG runs at an unexpected frequency or resets unexpectedly
2311 break;
2312 } else { // continue for a while, just to collect some debug info
2313 debug_info[strategy][debug_info_nr] = nt_distance;
2314 debug_info_nr++;
2315 if (debug_info_nr == NUM_DEBUG_INFOS) {
2316 strategy++;
2317 debug_info_nr = 0;
2318 }
2319 continue;
2320 }
2321 }
2322 sync_cycles = (sync_cycles - nt_distance/elapsed_prng_sequences);
2323 if (sync_cycles <= 0) {
2324 sync_cycles += PRNG_SEQUENCE_LENGTH;
2325 }
2326 if (MF_DBGLEVEL >= 3) {
2327 Dbprintf("calibrating in cycle %d. nt_distance=%d, elapsed_prng_sequences=%d, new sync_cycles: %d\n", i, nt_distance, elapsed_prng_sequences, sync_cycles);
2328 }
2329 continue;
2330 }
2331 }
2332
2333 if ((nt != nt_attacked) && nt_attacked) { // we somehow lost sync. Try to catch up again...
2334 catch_up_cycles = -dist_nt(nt_attacked, nt);
2335 if (catch_up_cycles == 99999) { // invalid nonce received. Don't resync on that one.
2336 catch_up_cycles = 0;
2337 continue;
2338 }
2339 catch_up_cycles /= elapsed_prng_sequences;
2340 if (catch_up_cycles == last_catch_up) {
2341 consecutive_resyncs++;
2342 }
2343 else {
2344 last_catch_up = catch_up_cycles;
2345 consecutive_resyncs = 0;
2346 }
2347 if (consecutive_resyncs < 3) {
2348 if (MF_DBGLEVEL >= 3) Dbprintf("Lost sync in cycle %d. nt_distance=%d. Consecutive Resyncs = %d. Trying one time catch up...\n", i, -catch_up_cycles, consecutive_resyncs);
2349 }
2350 else {
2351 sync_cycles = sync_cycles + catch_up_cycles;
2352 if (MF_DBGLEVEL >= 3) Dbprintf("Lost sync in cycle %d for the fourth time consecutively (nt_distance = %d). Adjusting sync_cycles to %d.\n", i, -catch_up_cycles, sync_cycles);
2353 last_catch_up = 0;
2354 catch_up_cycles = 0;
2355 consecutive_resyncs = 0;
2356 }
2357 continue;
2358 }
2359
2360 consecutive_resyncs = 0;
2361
2362 // Receive answer. This will be a 4 Bit NACK when the 8 parity bits are OK after decoding
2363 if (ReaderReceive(receivedAnswer, receivedAnswerPar)) {
2364 catch_up_cycles = 8; // the PRNG is delayed by 8 cycles due to the NAC (4Bits = 0x05 encrypted) transfer
2365
2366 if (nt_diff == 0) {
2367 par_low = par[0] & 0xE0; // there is no need to check all parities for other nt_diff. Parity Bits for mf_nr_ar[0..2] won't change
2368 }
2369
2370 led_on = !led_on;
2371 if(led_on) LED_B_ON(); else LED_B_OFF();
2372
2373 par_list[nt_diff] = SwapBits(par[0], 8);
2374 ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
2375
2376 // Test if the information is complete
2377 if (nt_diff == 0x07) {
2378 isOK = 1;
2379 break;
2380 }
2381
2382 nt_diff = (nt_diff + 1) & 0x07;
2383 mf_nr_ar[3] = (mf_nr_ar[3] & 0x1F) | (nt_diff << 5);
2384 par[0] = par_low;
2385 } else {
2386 if (nt_diff == 0 && first_try)
2387 {
2388 par[0]++;
2389 if (par[0] == 0x00) { // tried all 256 possible parities without success. Card doesn't send NACK.
2390 isOK = -2;
2391 break;
2392 }
2393 } else {
2394 par[0] = ((par[0] & 0x1F) + 1) | par_low;
2395 }
2396 }
2397 }
2398
2399
2400 mf_nr_ar[3] &= 0x1F;
2401
2402 if (isOK == -4) {
2403 if (MF_DBGLEVEL >= 3) {
2404 for (uint16_t i = 0; i <= MAX_STRATEGY; i++) {
2405 for(uint16_t j = 0; j < NUM_DEBUG_INFOS; j++) {
2406 Dbprintf("collected debug info[%d][%d] = %d", i, j, debug_info[i][j]);
2407 }
2408 }
2409 }
2410 }
2411
2412 byte_t buf[28];
2413 memcpy(buf + 0, uid, 4);
2414 num_to_bytes(nt, 4, buf + 4);
2415 memcpy(buf + 8, par_list, 8);
2416 memcpy(buf + 16, ks_list, 8);
2417 memcpy(buf + 24, mf_nr_ar, 4);
2418
2419 cmd_send(CMD_ACK, isOK, 0, 0, buf, 28);
2420
2421 // Thats it...
2422 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2423 LEDsoff();
2424
2425 set_tracing(false);
2426 }
2427
2428
2429 //-----------------------------------------------------------------------------
2430 // MIFARE sniffer.
2431 //
2432 //-----------------------------------------------------------------------------
2433 void RAMFUNC SniffMifare(uint8_t param) {
2434 // param:
2435 // bit 0 - trigger from first card answer
2436 // bit 1 - trigger from first reader 7-bit request
2437
2438 // C(red) A(yellow) B(green)
2439 LEDsoff();
2440 // init trace buffer
2441 clear_trace();
2442 set_tracing(true);
2443
2444 // The command (reader -> tag) that we're receiving.
2445 // The length of a received command will in most cases be no more than 18 bytes.
2446 // So 32 should be enough!
2447 uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE];
2448 uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE];
2449 // The response (tag -> reader) that we're receiving.
2450 uint8_t receivedResponse[MAX_MIFARE_FRAME_SIZE];
2451 uint8_t receivedResponsePar[MAX_MIFARE_PARITY_SIZE];
2452
2453 iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
2454
2455 // free eventually allocated BigBuf memory
2456 BigBuf_free();
2457 // allocate the DMA buffer, used to stream samples from the FPGA
2458 uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
2459 uint8_t *data = dmaBuf;
2460 uint8_t previous_data = 0;
2461 int maxDataLen = 0;
2462 int dataLen = 0;
2463 bool ReaderIsActive = false;
2464 bool TagIsActive = false;
2465
2466 // Set up the demodulator for tag -> reader responses.
2467 DemodInit(receivedResponse, receivedResponsePar);
2468
2469 // Set up the demodulator for the reader -> tag commands
2470 UartInit(receivedCmd, receivedCmdPar);
2471
2472 // Setup for the DMA.
2473 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
2474
2475 LED_D_OFF();
2476
2477 // init sniffer
2478 MfSniffInit();
2479
2480 // And now we loop, receiving samples.
2481 for(uint32_t sniffCounter = 0; true; ) {
2482
2483 if(BUTTON_PRESS()) {
2484 DbpString("cancelled by button");
2485 break;
2486 }
2487
2488 LED_A_ON();
2489 WDT_HIT();
2490
2491 if ((sniffCounter & 0x0000FFFF) == 0) { // from time to time
2492 // check if a transaction is completed (timeout after 2000ms).
2493 // if yes, stop the DMA transfer and send what we have so far to the client
2494 if (MfSniffSend(2000)) {
2495 // Reset everything - we missed some sniffed data anyway while the DMA was stopped
2496 sniffCounter = 0;
2497 data = dmaBuf;
2498 maxDataLen = 0;
2499 ReaderIsActive = false;
2500 TagIsActive = false;
2501 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
2502 }
2503 }
2504
2505 int register readBufDataP = data - dmaBuf; // number of bytes we have processed so far
2506 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR; // number of bytes already transferred
2507 if (readBufDataP <= dmaBufDataP){ // we are processing the same block of data which is currently being transferred
2508 dataLen = dmaBufDataP - readBufDataP; // number of bytes still to be processed
2509 } else {
2510 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP; // number of bytes still to be processed
2511 }
2512 // test for length of buffer
2513 if(dataLen > maxDataLen) { // we are more behind than ever...
2514 maxDataLen = dataLen;
2515 if(dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
2516 Dbprintf("blew circular buffer! dataLen=0x%x", dataLen);
2517 break;
2518 }
2519 }
2520 if(dataLen < 1) continue;
2521
2522 // primary buffer was stopped ( <-- we lost data!
2523 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
2524 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
2525 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
2526 Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
2527 }
2528 // secondary buffer sets as primary, secondary buffer was stopped
2529 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
2530 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
2531 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
2532 }
2533
2534 LED_A_OFF();
2535
2536 if (sniffCounter & 0x01) {
2537
2538 if(!TagIsActive) { // no need to try decoding tag data if the reader is sending
2539 uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
2540 if(MillerDecoding(readerdata, (sniffCounter-1)*4)) {
2541 LED_C_INV();
2542 if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, true)) break;
2543
2544 /* And ready to receive another command. */
2545 UartInit(receivedCmd, receivedCmdPar);
2546
2547 /* And also reset the demod code */
2548 DemodReset();
2549 }
2550 ReaderIsActive = (Uart.state != STATE_UNSYNCD);
2551 }
2552
2553 if(!ReaderIsActive) { // no need to try decoding tag data if the reader is sending
2554 uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
2555 if(ManchesterDecoding(tagdata, 0, (sniffCounter-1)*4)) {
2556 LED_C_INV();
2557
2558 if (MfSniffLogic(receivedResponse, Demod.len, Demod.parity, Demod.bitCount, false)) break;
2559
2560 // And ready to receive another response.
2561 DemodReset();
2562 // And reset the Miller decoder including its (now outdated) input buffer
2563 UartInit(receivedCmd, receivedCmdPar);
2564 }
2565 TagIsActive = (Demod.state != DEMOD_UNSYNCD);
2566 }
2567 }
2568
2569 previous_data = *data;
2570 sniffCounter++;
2571 data++;
2572 if(data == dmaBuf + DMA_BUFFER_SIZE) {
2573 data = dmaBuf;
2574 }
2575
2576 } // main cycle
2577
2578 DbpString("COMMAND FINISHED");
2579
2580 FpgaDisableSscDma();
2581 MfSniffEnd();
2582
2583 Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.len=%x", maxDataLen, Uart.state, Uart.len);
2584 LEDsoff();
2585 }
Proxmark3 GIT tracking
Impressum, Datenschutz