]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443b.c
projects / proxmark3-svn / blob
? search:


0b9962e1e5cf5ffe727051163ede8e9a4c0d6aad
[proxmark3-svn] / armsrc / iso14443b.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, split Nov 2006
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Routines to support ISO 14443B. This includes both the reader software and
9 // the `fake tag' modes.
10 //-----------------------------------------------------------------------------
11
12 #include "proxmark3.h"
13 #include "apps.h"
14 #include "util.h"
15 #include "string.h"
16 #include "iso14443crc.h"
17 #include "common.h"
18 #define RECEIVE_SAMPLES_TIMEOUT 600000
19 #define ISO14443B_DMA_BUFFER_SIZE 256
20
21
22 // PCB Block number for APDUs
23 static uint8_t pcb_blocknum = 0;
24
25 //=============================================================================
26 // An ISO 14443 Type B tag. We listen for commands from the reader, using
27 // a UART kind of thing that's implemented in software. When we get a
28 // frame (i.e., a group of bytes between SOF and EOF), we check the CRC.
29 // If it's good, then we can do something appropriate with it, and send
30 // a response.
31 //=============================================================================
32
33 //-----------------------------------------------------------------------------
34 // Code up a string of octets at layer 2 (including CRC, we don't generate
35 // that here) so that they can be transmitted to the reader. Doesn't transmit
36 // them yet, just leaves them ready to send in ToSend[].
37 //-----------------------------------------------------------------------------
38 static void CodeIso14443bAsTag(const uint8_t *cmd, int len)
39 {
40 int i;
41
42 ToSendReset();
43
44 // Transmit a burst of ones, as the initial thing that lets the
45 // reader get phase sync. This (TR1) must be > 80/fs, per spec,
46 // but tag that I've tried (a Paypass) exceeds that by a fair bit,
47 // so I will too.
48 for(i = 0; i < 20; i++) {
49 ToSendStuffBit(1);
50 ToSendStuffBit(1);
51 ToSendStuffBit(1);
52 ToSendStuffBit(1);
53 }
54
55 // Send SOF.
56 for(i = 0; i < 10; i++) {
57 ToSendStuffBit(0);
58 ToSendStuffBit(0);
59 ToSendStuffBit(0);
60 ToSendStuffBit(0);
61 }
62 for(i = 0; i < 2; i++) {
63 ToSendStuffBit(1);
64 ToSendStuffBit(1);
65 ToSendStuffBit(1);
66 ToSendStuffBit(1);
67 }
68
69 for(i = 0; i < len; i++) {
70 int j;
71 uint8_t b = cmd[i];
72
73 // Start bit
74 ToSendStuffBit(0);
75 ToSendStuffBit(0);
76 ToSendStuffBit(0);
77 ToSendStuffBit(0);
78
79 // Data bits
80 for(j = 0; j < 8; j++) {
81 if(b & 1) {
82 ToSendStuffBit(1);
83 ToSendStuffBit(1);
84 ToSendStuffBit(1);
85 ToSendStuffBit(1);
86 } else {
87 ToSendStuffBit(0);
88 ToSendStuffBit(0);
89 ToSendStuffBit(0);
90 ToSendStuffBit(0);
91 }
92 b >>= 1;
93 }
94
95 // Stop bit
96 ToSendStuffBit(1);
97 ToSendStuffBit(1);
98 ToSendStuffBit(1);
99 ToSendStuffBit(1);
100 }
101
102 // Send EOF.
103 for(i = 0; i < 10; i++) {
104 ToSendStuffBit(0);
105 ToSendStuffBit(0);
106 ToSendStuffBit(0);
107 ToSendStuffBit(0);
108 }
109 for(i = 0; i < 2; i++) {
110 ToSendStuffBit(1);
111 ToSendStuffBit(1);
112 ToSendStuffBit(1);
113 ToSendStuffBit(1);
114 }
115
116 // Convert from last byte pos to length
117 ToSendMax++;
118 }
119
120 //-----------------------------------------------------------------------------
121 // The software UART that receives commands from the reader, and its state
122 // variables.
123 //-----------------------------------------------------------------------------
124 static struct {
125 enum {
126 STATE_UNSYNCD,
127 STATE_GOT_FALLING_EDGE_OF_SOF,
128 STATE_AWAITING_START_BIT,
129 STATE_RECEIVING_DATA
130 } state;
131 uint16_t shiftReg;
132 int bitCnt;
133 int byteCnt;
134 int byteCntMax;
135 int posCnt;
136 uint8_t *output;
137 } Uart;
138
139 /* Receive & handle a bit coming from the reader.
140 *
141 * This function is called 4 times per bit (every 2 subcarrier cycles).
142 * Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 2,36us
143 *
144 * LED handling:
145 * LED A -> ON once we have received the SOF and are expecting the rest.
146 * LED A -> OFF once we have received EOF or are in error state or unsynced
147 *
148 * Returns: true if we received a EOF
149 * false if we are still waiting for some more
150 */
151 static RAMFUNC int Handle14443bUartBit(uint8_t bit)
152 {
153 switch(Uart.state) {
154 case STATE_UNSYNCD:
155 if(!bit) {
156 // we went low, so this could be the beginning
157 // of an SOF
158 Uart.state = STATE_GOT_FALLING_EDGE_OF_SOF;
159 Uart.posCnt = 0;
160 Uart.bitCnt = 0;
161 }
162 break;
163
164 case STATE_GOT_FALLING_EDGE_OF_SOF:
165 Uart.posCnt++;
166 if(Uart.posCnt == 2) { // sample every 4 1/fs in the middle of a bit
167 if(bit) {
168 if(Uart.bitCnt > 9) {
169 // we've seen enough consecutive
170 // zeros that it's a valid SOF
171 Uart.posCnt = 0;
172 Uart.byteCnt = 0;
173 Uart.state = STATE_AWAITING_START_BIT;
174 LED_A_ON(); // Indicate we got a valid SOF
175 } else {
176 // didn't stay down long enough
177 // before going high, error
178 Uart.state = STATE_UNSYNCD;
179 }
180 } else {
181 // do nothing, keep waiting
182 }
183 Uart.bitCnt++;
184 }
185 if(Uart.posCnt >= 4) Uart.posCnt = 0;
186 if(Uart.bitCnt > 12) {
187 // Give up if we see too many zeros without
188 // a one, too.
189 LED_A_OFF();
190 Uart.state = STATE_UNSYNCD;
191 }
192 break;
193
194 case STATE_AWAITING_START_BIT:
195 Uart.posCnt++;
196 if(bit) {
197 if(Uart.posCnt > 50/2) { // max 57us between characters = 49 1/fs, max 3 etus after low phase of SOF = 24 1/fs
198 // stayed high for too long between
199 // characters, error
200 Uart.state = STATE_UNSYNCD;
201 }
202 } else {
203 // falling edge, this starts the data byte
204 Uart.posCnt = 0;
205 Uart.bitCnt = 0;
206 Uart.shiftReg = 0;
207 Uart.state = STATE_RECEIVING_DATA;
208 }
209 break;
210
211 case STATE_RECEIVING_DATA:
212 Uart.posCnt++;
213 if(Uart.posCnt == 2) {
214 // time to sample a bit
215 Uart.shiftReg >>= 1;
216 if(bit) {
217 Uart.shiftReg |= 0x200;
218 }
219 Uart.bitCnt++;
220 }
221 if(Uart.posCnt >= 4) {
222 Uart.posCnt = 0;
223 }
224 if(Uart.bitCnt == 10) {
225 if((Uart.shiftReg & 0x200) && !(Uart.shiftReg & 0x001))
226 {
227 // this is a data byte, with correct
228 // start and stop bits
229 Uart.output[Uart.byteCnt] = (Uart.shiftReg >> 1) & 0xff;
230 Uart.byteCnt++;
231
232 if(Uart.byteCnt >= Uart.byteCntMax) {
233 // Buffer overflowed, give up
234 LED_A_OFF();
235 Uart.state = STATE_UNSYNCD;
236 } else {
237 // so get the next byte now
238 Uart.posCnt = 0;
239 Uart.state = STATE_AWAITING_START_BIT;
240 }
241 } else if (Uart.shiftReg == 0x000) {
242 // this is an EOF byte
243 LED_A_OFF(); // Finished receiving
244 Uart.state = STATE_UNSYNCD;
245 if (Uart.byteCnt != 0) {
246 return TRUE;
247 }
248 } else {
249 // this is an error
250 LED_A_OFF();
251 Uart.state = STATE_UNSYNCD;
252 }
253 }
254 break;
255
256 default:
257 LED_A_OFF();
258 Uart.state = STATE_UNSYNCD;
259 break;
260 }
261
262 return FALSE;
263 }
264
265
266 static void UartReset()
267 {
268 Uart.byteCntMax = MAX_FRAME_SIZE;
269 Uart.state = STATE_UNSYNCD;
270 Uart.byteCnt = 0;
271 Uart.bitCnt = 0;
272 Uart.posCnt = 0;
273 memset(Uart.output, 0x00, MAX_FRAME_SIZE);
274 }
275
276
277 static void UartInit(uint8_t *data)
278 {
279 Uart.output = data;
280 UartReset();
281 }
282
283
284 //-----------------------------------------------------------------------------
285 // Receive a command (from the reader to us, where we are the simulated tag),
286 // and store it in the given buffer, up to the given maximum length. Keeps
287 // spinning, waiting for a well-framed command, until either we get one
288 // (returns TRUE) or someone presses the pushbutton on the board (FALSE).
289 //
290 // Assume that we're called with the SSC (to the FPGA) and ADC path set
291 // correctly.
292 //-----------------------------------------------------------------------------
293 static int GetIso14443bCommandFromReader(uint8_t *received, uint16_t *len)
294 {
295 // Set FPGA mode to "simulated ISO 14443B tag", no modulation (listen
296 // only, since we are receiving, not transmitting).
297 // Signal field is off with the appropriate LED
298 LED_D_OFF();
299 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
300
301 // Now run a `software UART' on the stream of incoming samples.
302 UartInit(received);
303
304 for(;;) {
305 WDT_HIT();
306
307 if(BUTTON_PRESS()) return FALSE;
308
309 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
310 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
311 for(uint8_t mask = 0x80; mask != 0x00; mask >>= 1) {
312 if(Handle14443bUartBit(b & mask)) {
313 *len = Uart.byteCnt;
314 return TRUE;
315 }
316 }
317 }
318 }
319
320 return FALSE;
321 }
322
323 //-----------------------------------------------------------------------------
324 // Main loop of simulated tag: receive commands from reader, decide what
325 // response to send, and send it.
326 //-----------------------------------------------------------------------------
327 void SimulateIso14443bTag(void)
328 {
329 // the only commands we understand is WUPB, AFI=0, Select All, N=1:
330 static const uint8_t cmd1[] = { 0x05, 0x00, 0x08, 0x39, 0x73 }; // WUPB
331 // ... and REQB, AFI=0, Normal Request, N=1:
332 static const uint8_t cmd2[] = { 0x05, 0x00, 0x00, 0x71, 0xFF }; // REQB
333 // ... and HLTB
334 static const uint8_t cmd3[] = { 0x50, 0xff, 0xff, 0xff, 0xff }; // HLTB
335 // ... and ATTRIB
336 static const uint8_t cmd4[] = { 0x1D, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; // ATTRIB
337
338 // ... and we always respond with ATQB, PUPI = 820de174, Application Data = 0x20381922,
339 // supports only 106kBit/s in both directions, max frame size = 32Bytes,
340 // supports ISO14443-4, FWI=8 (77ms), NAD supported, CID not supported:
341 static const uint8_t response1[] = {
342 0x50, 0x82, 0x0d, 0xe1, 0x74, 0x20, 0x38, 0x19, 0x22,
343 0x00, 0x21, 0x85, 0x5e, 0xd7
344 };
345 // response to HLTB and ATTRIB
346 static const uint8_t response2[] = {0x00, 0x78, 0xF0};
347
348 uint8_t parity[MAX_PARITY_SIZE];
349
350 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
351
352 clear_trace();
353 set_tracing(TRUE);
354
355 const uint8_t *resp;
356 uint8_t *respCode;
357 uint16_t respLen, respCodeLen;
358
359 // allocate command receive buffer
360 BigBuf_free();
361 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
362
363 uint16_t len;
364 uint16_t cmdsRecvd = 0;
365
366 // prepare the (only one) tag answer:
367 CodeIso14443bAsTag(response1, sizeof(response1));
368 uint8_t *resp1Code = BigBuf_malloc(ToSendMax);
369 memcpy(resp1Code, ToSend, ToSendMax);
370 uint16_t resp1CodeLen = ToSendMax;
371
372 // prepare the (other) tag answer:
373 CodeIso14443bAsTag(response2, sizeof(response2));
374 uint8_t *resp2Code = BigBuf_malloc(ToSendMax);
375 memcpy(resp2Code, ToSend, ToSendMax);
376 uint16_t resp2CodeLen = ToSendMax;
377
378 // We need to listen to the high-frequency, peak-detected path.
379 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
380 FpgaSetupSsc();
381
382 cmdsRecvd = 0;
383
384 for(;;) {
385
386 if(!GetIso14443bCommandFromReader(receivedCmd, &len)) {
387 Dbprintf("button pressed, received %d commands", cmdsRecvd);
388 break;
389 }
390
391 if (tracing) {
392 LogTrace(receivedCmd, len, 0, 0, parity, TRUE);
393 }
394
395 // Good, look at the command now.
396 if ( (len == sizeof(cmd1) && memcmp(receivedCmd, cmd1, len) == 0)
397 || (len == sizeof(cmd2) && memcmp(receivedCmd, cmd2, len) == 0) ) {
398 resp = response1;
399 respLen = sizeof(response1);
400 respCode = resp1Code;
401 respCodeLen = resp1CodeLen;
402 } else if ( (len == sizeof(cmd3) && receivedCmd[0] == cmd3[0])
403 || (len == sizeof(cmd4) && receivedCmd[0] == cmd4[0]) ) {
404 resp = response2;
405 respLen = sizeof(response2);
406 respCode = resp2Code;
407 respCodeLen = resp2CodeLen;
408 } else {
409 Dbprintf("new cmd from reader: len=%d, cmdsRecvd=%d", len, cmdsRecvd);
410 // And print whether the CRC fails, just for good measure
411 uint8_t b1, b2;
412 if (len >= 3){ // if crc exists
413 ComputeCrc14443(CRC_14443_B, receivedCmd, len-2, &b1, &b2);
414 if(b1 != receivedCmd[len-2] || b2 != receivedCmd[len-1]) {
415 // Not so good, try again.
416 DbpString("+++CRC fail");
417
418 } else {
419 DbpString("CRC passes");
420 }
421 }
422 //get rid of compiler warning
423 respCodeLen = 0;
424 resp = response1;
425 respLen = 0;
426 respCode = resp1Code;
427 //don't crash at new command just wait and see if reader will send other new cmds.
428 //break;
429 }
430
431 cmdsRecvd++;
432
433 if(cmdsRecvd > 0x30) {
434 DbpString("many commands later...");
435 break;
436 }
437
438 if(respCodeLen <= 0) continue;
439
440 // Modulate BPSK
441 // Signal field is off with the appropriate LED
442 LED_D_OFF();
443 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK);
444 AT91C_BASE_SSC->SSC_THR = 0xff;
445 FpgaSetupSsc();
446
447 uint8_t c;
448 // clear receiving shift register and holding register
449 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
450 c = AT91C_BASE_SSC->SSC_RHR; (void) c;
451 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
452 c = AT91C_BASE_SSC->SSC_RHR; (void) c;
453
454 // Clear TXRDY:
455 AT91C_BASE_SSC->SSC_THR = 0x00;
456
457 // Transmit the response.
458 uint16_t FpgaSendQueueDelay = 0;
459 uint16_t i = 0;
460 for(;i < respCodeLen; ) {
461 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
462 AT91C_BASE_SSC->SSC_THR = respCode[i++];
463 FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
464 }
465 if(BUTTON_PRESS()) break;
466 }
467
468 // Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN again:
469 uint8_t fpga_queued_bits = FpgaSendQueueDelay >> 3;
470 for (i = 0; i <= fpga_queued_bits/8 + 1; ) {
471 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
472 AT91C_BASE_SSC->SSC_THR = 0x00;
473 FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
474 i++;
475 }
476 }
477
478 // trace the response:
479 if (tracing) LogTrace(resp, respLen, 0, 0, parity, FALSE);
480 }
481 FpgaDisableSscDma();
482 set_tracing(FALSE);
483 }
484
485 //=============================================================================
486 // An ISO 14443 Type B reader. We take layer two commands, code them
487 // appropriately, and then send them to the tag. We then listen for the
488 // tag's response, which we leave in the buffer to be demodulated on the
489 // PC side.
490 //=============================================================================
491
492 static struct {
493 enum {
494 DEMOD_UNSYNCD,
495 DEMOD_PHASE_REF_TRAINING,
496 DEMOD_AWAITING_FALLING_EDGE_OF_SOF,
497 DEMOD_GOT_FALLING_EDGE_OF_SOF,
498 DEMOD_AWAITING_START_BIT,
499 DEMOD_RECEIVING_DATA
500 } state;
501 int bitCount;
502 int posCount;
503 int thisBit;
504 /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
505 int metric;
506 int metricN;
507 */
508 uint16_t shiftReg;
509 uint8_t *output;
510 int len;
511 int sumI;
512 int sumQ;
513 } Demod;
514
515 /*
516 * Handles reception of a bit from the tag
517 *
518 * This function is called 2 times per bit (every 4 subcarrier cycles).
519 * Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 4,72us
520 *
521 * LED handling:
522 * LED C -> ON once we have received the SOF and are expecting the rest.
523 * LED C -> OFF once we have received EOF or are unsynced
524 *
525 * Returns: true if we received a EOF
526 * false if we are still waiting for some more
527 *
528 */
529 #define abs(x) ( ((x)<0) ? -(x) : (x) )
530 static RAMFUNC int Handle14443bSamplesDemod(int ci, int cq)
531 {
532 int v = 0;
533 int ai = abs(ci);
534 int aq = abs(cq);
535 int halfci = (ai >> 1);
536 int halfcq = (aq >> 1);
537
538 // The soft decision on the bit uses an estimate of just the
539 // quadrant of the reference angle, not the exact angle.
540 #define MAKE_SOFT_DECISION() { \
541 if(Demod.sumI > 0) { \
542 v = ci; \
543 } else { \
544 v = -ci; \
545 } \
546 if(Demod.sumQ > 0) { \
547 v += cq; \
548 } else { \
549 v -= cq; \
550 } \
551 }
552
553 #define SUBCARRIER_DETECT_THRESHOLD 8
554
555 // Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by max(abs(ci),abs(cq)) + 1/2*min(abs(ci),abs(cq)))
556 #define CHECK_FOR_SUBCARRIER() { \
557 v = MAX(ai, aq) + MIN(halfci, halfcq); \
558 }
559
560
561 switch(Demod.state) {
562 case DEMOD_UNSYNCD:
563 CHECK_FOR_SUBCARRIER();
564 if(v > SUBCARRIER_DETECT_THRESHOLD) { // subcarrier detected
565 Demod.state = DEMOD_PHASE_REF_TRAINING;
566 Demod.sumI = ci;
567 Demod.sumQ = cq;
568 Demod.posCount = 1;
569 }
570 break;
571
572 case DEMOD_PHASE_REF_TRAINING:
573 if(Demod.posCount < 8) {
574 //if(Demod.posCount < 10*2) {
575 CHECK_FOR_SUBCARRIER();
576 if (v > SUBCARRIER_DETECT_THRESHOLD) {
577 // set the reference phase (will code a logic '1') by averaging over 32 1/fs.
578 // note: synchronization time > 80 1/fs
579 Demod.sumI += ci;
580 Demod.sumQ += cq;
581 Demod.posCount++;
582 } else { // subcarrier lost
583 Demod.state = DEMOD_UNSYNCD;
584 }
585 } else {
586 Demod.state = DEMOD_AWAITING_FALLING_EDGE_OF_SOF;
587 }
588 break;
589
590 case DEMOD_AWAITING_FALLING_EDGE_OF_SOF:
591 MAKE_SOFT_DECISION();
592 //Dbprintf("ICE: %d %d %d %d %d", v, Demod.sumI, Demod.sumQ, ci, cq );
593 if(v <= 0) { // logic '0' detected
594 Demod.state = DEMOD_GOT_FALLING_EDGE_OF_SOF;
595 Demod.posCount = 0; // start of SOF sequence
596 } else {
597 if(Demod.posCount > 25*2) { // maximum length of TR1 = 200 1/fs
598 Demod.state = DEMOD_UNSYNCD;
599 }
600 }
601 Demod.posCount++;
602 break;
603
604 case DEMOD_GOT_FALLING_EDGE_OF_SOF:
605 Demod.posCount++;
606 MAKE_SOFT_DECISION();
607 if(v > 0) {
608 if(Demod.posCount < 10*2) { // low phase of SOF too short (< 9 etu). Note: spec is >= 10, but FPGA tends to "smear" edges
609 Demod.state = DEMOD_UNSYNCD;
610 } else {
611 LED_C_ON(); // Got SOF
612 Demod.state = DEMOD_AWAITING_START_BIT;
613 Demod.posCount = 0;
614 Demod.len = 0;
615 /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
616 Demod.metricN = 0;
617 Demod.metric = 0;
618 */
619 }
620 } else {
621 if(Demod.posCount > 13*2) { // low phase of SOF too long (> 12 etu)
622 Demod.state = DEMOD_UNSYNCD;
623 LED_C_OFF();
624 }
625 }
626 break;
627
628 case DEMOD_AWAITING_START_BIT:
629 Demod.posCount++;
630 MAKE_SOFT_DECISION();
631 if(v > 0) {
632 if(Demod.posCount > 3*2) { // max 19us between characters = 16 1/fs, max 3 etu after low phase of SOF = 24 1/fs
633 Demod.state = DEMOD_UNSYNCD;
634 LED_C_OFF();
635 }
636 } else { // start bit detected
637 Demod.bitCount = 0;
638 Demod.posCount = 1; // this was the first half
639 Demod.thisBit = v;
640 Demod.shiftReg = 0;
641 Demod.state = DEMOD_RECEIVING_DATA;
642 }
643 break;
644
645 case DEMOD_RECEIVING_DATA:
646 MAKE_SOFT_DECISION();
647 if(Demod.posCount == 0) { // first half of bit
648 Demod.thisBit = v;
649 Demod.posCount = 1;
650 } else { // second half of bit
651 Demod.thisBit += v;
652
653 /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
654 if(Demod.thisBit > 0) {
655 Demod.metric += Demod.thisBit;
656 } else {
657 Demod.metric -= Demod.thisBit;
658 }
659 (Demod.metricN)++;
660 */
661
662 Demod.shiftReg >>= 1;
663 if(Demod.thisBit > 0) { // logic '1'
664 Demod.shiftReg |= 0x200;
665 }
666
667 Demod.bitCount++;
668 if(Demod.bitCount == 10) {
669 uint16_t s = Demod.shiftReg;
670 if((s & 0x200) && !(s & 0x001)) { // stop bit == '1', start bit == '0'
671 uint8_t b = (s >> 1);
672 Demod.output[Demod.len] = b;
673 Demod.len++;
674 Demod.state = DEMOD_AWAITING_START_BIT;
675 } else {
676 Demod.state = DEMOD_UNSYNCD;
677 LED_C_OFF();
678 if(s == 0x000) {
679 // This is EOF (start, stop and all data bits == '0'
680 return TRUE;
681 }
682 }
683 }
684 Demod.posCount = 0;
685 }
686 break;
687
688 default:
689 Demod.state = DEMOD_UNSYNCD;
690 LED_C_OFF();
691 break;
692 }
693 return FALSE;
694 }
695
696
697 static void DemodReset()
698 {
699 // Clear out the state of the "UART" that receives from the tag.
700 Demod.len = 0;
701 Demod.state = DEMOD_UNSYNCD;
702 Demod.posCount = 0;
703 Demod.sumI = 0;
704 Demod.sumQ = 0;
705 Demod.bitCount = 0;
706 Demod.thisBit = 0;
707 Demod.shiftReg = 0;
708 memset(Demod.output, 0x00, MAX_FRAME_SIZE);
709 }
710
711
712 static void DemodInit(uint8_t *data)
713 {
714 Demod.output = data;
715 DemodReset();
716 }
717
718
719 /*
720 * Demodulate the samples we received from the tag, also log to tracebuffer
721 * quiet: set to 'TRUE' to disable debug output
722 */
723 static void GetSamplesFor14443bDemod(int n, bool quiet)
724 {
725 int max = 0;
726 bool gotFrame = FALSE;
727 int lastRxCounter, ci, cq, samples = 0;
728
729 // Allocate memory from BigBuf for some buffers
730 // free all previous allocations first
731 BigBuf_free();
732
733 // And put the FPGA in the appropriate mode
734 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
735
736 // The response (tag -> reader) that we're receiving.
737 // Set up the demodulator for tag -> reader responses.
738 DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
739
740 // The DMA buffer, used to stream samples from the FPGA
741 int8_t *dmaBuf = (int8_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE);
742
743 // Setup and start DMA.
744 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE);
745
746 int8_t *upTo = dmaBuf;
747 lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
748
749 // Signal field is ON with the appropriate LED:
750 LED_D_ON();
751 for(;;) {
752 int behindBy = lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR;
753 if(behindBy > max) max = behindBy;
754
755 while(((lastRxCounter-AT91C_BASE_PDC_SSC->PDC_RCR) & (ISO14443B_DMA_BUFFER_SIZE-1)) > 2) {
756 ci = upTo[0];
757 cq = upTo[1];
758 upTo += 2;
759 if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) {
760 upTo = dmaBuf;
761 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
762 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE;
763 }
764 lastRxCounter -= 2;
765 if(lastRxCounter <= 0) {
766 lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
767 }
768
769 samples += 2;
770
771 //
772 gotFrame = Handle14443bSamplesDemod(ci , cq );
773 if ( gotFrame )
774 break;
775 }
776
777 if(samples > n || gotFrame) {
778 break;
779 }
780 }
781
782 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
783
784 if (!quiet && Demod.len == 0) {
785 Dbprintf("max behindby = %d, samples = %d, gotFrame = %d, Demod.len = %d, Demod.sumI = %d, Demod.sumQ = %d",
786 max,
787 samples,
788 gotFrame,
789 Demod.len,
790 Demod.sumI,
791 Demod.sumQ
792 );
793 }
794
795 //Tracing
796 if (tracing && Demod.len > 0) {
797 uint8_t parity[MAX_PARITY_SIZE];
798 LogTrace(Demod.output, Demod.len, 0, 0, parity, FALSE);
799 }
800 }
801
802
803 //-----------------------------------------------------------------------------
804 // Transmit the command (to the tag) that was placed in ToSend[].
805 //-----------------------------------------------------------------------------
806 static void TransmitFor14443b(void)
807 {
808 int c;
809
810 FpgaSetupSsc();
811
812 while(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
813 AT91C_BASE_SSC->SSC_THR = 0xff;
814 }
815
816 // Signal field is ON with the appropriate Red LED
817 LED_D_ON();
818 // Signal we are transmitting with the Green LED
819 LED_B_ON();
820 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
821
822 for(c = 0; c < 10;) {
823 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
824 AT91C_BASE_SSC->SSC_THR = 0xff;
825 c++;
826 }
827 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
828 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
829 (void)r;
830 }
831 WDT_HIT();
832 }
833
834 c = 0;
835 for(;;) {
836 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
837 AT91C_BASE_SSC->SSC_THR = ToSend[c];
838 c++;
839 if(c >= ToSendMax) {
840 break;
841 }
842 }
843 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
844 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
845 (void)r;
846 }
847 WDT_HIT();
848 }
849 LED_B_OFF(); // Finished sending
850 }
851
852
853 //-----------------------------------------------------------------------------
854 // Code a layer 2 command (string of octets, including CRC) into ToSend[],
855 // so that it is ready to transmit to the tag using TransmitFor14443b().
856 //-----------------------------------------------------------------------------
857 static void CodeIso14443bAsReader(const uint8_t *cmd, int len)
858 {
859 int i, j;
860 uint8_t b;
861
862 ToSendReset();
863
864 // Establish initial reference level
865 for(i = 0; i < 40; i++) {
866 ToSendStuffBit(1);
867 }
868 // Send SOF
869 for(i = 0; i < 11; i++) {
870 ToSendStuffBit(0);
871 }
872
873 for(i = 0; i < len; i++) {
874 // Stop bits/EGT
875 ToSendStuffBit(1);
876 ToSendStuffBit(1);
877 // Start bit
878 ToSendStuffBit(0);
879 // Data bits
880 b = cmd[i];
881 for(j = 0; j < 8; j++) {
882 if(b & 1) {
883 ToSendStuffBit(1);
884 } else {
885 ToSendStuffBit(0);
886 }
887 b >>= 1;
888 }
889 }
890 // Send EOF
891 ToSendStuffBit(1);
892 for(i = 0; i < 11; i++) {
893 ToSendStuffBit(0);
894 }
895 for(i = 0; i < 8; i++) {
896 ToSendStuffBit(1);
897 }
898
899 // And then a little more, to make sure that the last character makes
900 // it out before we switch to rx mode.
901 for(i = 0; i < 10; i++) {
902 ToSendStuffBit(1);
903 }
904
905 // Convert from last character reference to length
906 ToSendMax++;
907 }
908
909
910 /**
911 Convenience function to encode, transmit and trace iso 14443b comms
912 **/
913 static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len)
914 {
915 CodeIso14443bAsReader(cmd, len);
916 TransmitFor14443b();
917 if (tracing) {
918 uint8_t parity[MAX_PARITY_SIZE];
919 LogTrace(cmd,len, 0, 0, parity, TRUE);
920 }
921 }
922
923 /* Sends an APDU to the tag
924 * TODO: check CRC and preamble
925 */
926 int iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *response)
927 {
928 uint8_t message_frame[message_length + 4];
929 // PCB
930 message_frame[0] = 0x0A | pcb_blocknum;
931 pcb_blocknum ^= 1;
932 // CID
933 message_frame[1] = 0;
934 // INF
935 memcpy(message_frame + 2, message, message_length);
936 // EDC (CRC)
937 ComputeCrc14443(CRC_14443_B, message_frame, message_length + 2, &message_frame[message_length + 2], &message_frame[message_length + 3]);
938 // send
939 CodeAndTransmit14443bAsReader(message_frame, message_length + 4);
940 // get response
941 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT*100, TRUE);
942 if(Demod.len < 3)
943 {
944 return 0;
945 }
946 // TODO: Check CRC
947 // copy response contents
948 if(response != NULL)
949 {
950 memcpy(response, Demod.output, Demod.len);
951 }
952 return Demod.len;
953 }
954
955 /* Perform the ISO 14443 B Card Selection procedure
956 * Currently does NOT do any collision handling.
957 * It expects 0-1 cards in the device's range.
958 * TODO: Support multiple cards (perform anticollision)
959 * TODO: Verify CRC checksums
960 */
961 int iso14443b_select_card()
962 {
963 // WUPB command (including CRC)
964 // Note: WUPB wakes up all tags, REQB doesn't wake up tags in HALT state
965 static const uint8_t wupb[] = { 0x05, 0x00, 0x08, 0x39, 0x73 };
966 // ATTRIB command (with space for CRC)
967 uint8_t attrib[] = { 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00};
968
969 // first, wake up the tag
970 CodeAndTransmit14443bAsReader(wupb, sizeof(wupb));
971 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
972 // ATQB too short?
973 if (Demod.len < 14)
974 {
975 return 2;
976 }
977
978 // select the tag
979 // copy the PUPI to ATTRIB
980 memcpy(attrib + 1, Demod.output + 1, 4);
981 /* copy the protocol info from ATQB (Protocol Info -> Protocol_Type) into
982 ATTRIB (Param 3) */
983 attrib[7] = Demod.output[10] & 0x0F;
984 ComputeCrc14443(CRC_14443_B, attrib, 9, attrib + 9, attrib + 10);
985 CodeAndTransmit14443bAsReader(attrib, sizeof(attrib));
986 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
987 // Answer to ATTRIB too short?
988 if(Demod.len < 3)
989 {
990 return 2;
991 }
992 // reset PCB block number
993 pcb_blocknum = 0;
994 return 1;
995 }
996
997 // Set up ISO 14443 Type B communication (similar to iso14443a_setup)
998 void iso14443b_setup() {
999
1000 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1001
1002 BigBuf_free();
1003 // Set up the synchronous serial port
1004 FpgaSetupSsc();
1005 // connect Demodulated Signal to ADC:
1006 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1007
1008 // Signal field is on with the appropriate LED
1009 LED_D_ON();
1010 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
1011
1012 //SpinDelay(100);
1013
1014 // Start the timer
1015 //StartCountSspClk();
1016
1017 DemodReset();
1018 UartReset();
1019 }
1020
1021 //-----------------------------------------------------------------------------
1022 // Read a SRI512 ISO 14443B tag.
1023 //
1024 // SRI512 tags are just simple memory tags, here we're looking at making a dump
1025 // of the contents of the memory. No anticollision algorithm is done, we assume
1026 // we have a single tag in the field.
1027 //
1028 // I tried to be systematic and check every answer of the tag, every CRC, etc...
1029 //-----------------------------------------------------------------------------
1030 void ReadSTMemoryIso14443b(uint32_t dwLast)
1031 {
1032 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1033 BigBuf_free();
1034
1035 clear_trace();
1036 set_tracing(TRUE);
1037
1038 uint8_t i = 0x00;
1039
1040 // Make sure that we start from off, since the tags are stateful;
1041 // confusing things will happen if we don't reset them between reads.
1042 LED_D_OFF();
1043 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1044 SpinDelay(200);
1045
1046 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1047 FpgaSetupSsc();
1048
1049 // Now give it time to spin up.
1050 // Signal field is on with the appropriate LED
1051 LED_D_ON();
1052 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
1053 SpinDelay(200);
1054
1055 // First command: wake up the tag using the INITIATE command
1056 uint8_t cmd1[] = {0x06, 0x00, 0x97, 0x5b};
1057 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
1058 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
1059
1060 if (Demod.len == 0) {
1061 DbpString("No response from tag");
1062 set_tracing(FALSE);
1063 return;
1064 } else {
1065 Dbprintf("Randomly generated Chip ID (+ 2 byte CRC): %02x %02x %02x",
1066 Demod.output[0], Demod.output[1], Demod.output[2]);
1067 }
1068
1069 // There is a response, SELECT the uid
1070 DbpString("Now SELECT tag:");
1071 cmd1[0] = 0x0E; // 0x0E is SELECT
1072 cmd1[1] = Demod.output[0];
1073 ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
1074 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
1075 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
1076 if (Demod.len != 3) {
1077 Dbprintf("Expected 3 bytes from tag, got %d", Demod.len);
1078 set_tracing(FALSE);
1079 return;
1080 }
1081 // Check the CRC of the answer:
1082 ComputeCrc14443(CRC_14443_B, Demod.output, 1 , &cmd1[2], &cmd1[3]);
1083 if(cmd1[2] != Demod.output[1] || cmd1[3] != Demod.output[2]) {
1084 DbpString("CRC Error reading select response.");
1085 set_tracing(FALSE);
1086 return;
1087 }
1088 // Check response from the tag: should be the same UID as the command we just sent:
1089 if (cmd1[1] != Demod.output[0]) {
1090 Dbprintf("Bad response to SELECT from Tag, aborting: %02x %02x", cmd1[1], Demod.output[0]);
1091 set_tracing(FALSE);
1092 return;
1093 }
1094
1095 // Tag is now selected,
1096 // First get the tag's UID:
1097 cmd1[0] = 0x0B;
1098 ComputeCrc14443(CRC_14443_B, cmd1, 1 , &cmd1[1], &cmd1[2]);
1099 CodeAndTransmit14443bAsReader(cmd1, 3); // Only first three bytes for this one
1100 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
1101 if (Demod.len != 10) {
1102 Dbprintf("Expected 10 bytes from tag, got %d", Demod.len);
1103 set_tracing(FALSE);
1104 return;
1105 }
1106 // The check the CRC of the answer (use cmd1 as temporary variable):
1107 ComputeCrc14443(CRC_14443_B, Demod.output, 8, &cmd1[2], &cmd1[3]);
1108 if(cmd1[2] != Demod.output[8] || cmd1[3] != Demod.output[9]) {
1109 Dbprintf("CRC Error reading block! Expected: %04x got: %04x",
1110 (cmd1[2]<<8)+cmd1[3], (Demod.output[8]<<8)+Demod.output[9]);
1111 // Do not return;, let's go on... (we should retry, maybe ?)
1112 }
1113 Dbprintf("Tag UID (64 bits): %08x %08x",
1114 (Demod.output[7]<<24) + (Demod.output[6]<<16) + (Demod.output[5]<<8) + Demod.output[4],
1115 (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0]);
1116
1117 // Now loop to read all 16 blocks, address from 0 to last block
1118 Dbprintf("Tag memory dump, block 0 to %d", dwLast);
1119 cmd1[0] = 0x08;
1120 i = 0x00;
1121 dwLast++;
1122 for (;;) {
1123 if (i == dwLast) {
1124 DbpString("System area block (0xff):");
1125 i = 0xff;
1126 }
1127 cmd1[1] = i;
1128 ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
1129 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
1130 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
1131 if (Demod.len != 6) { // Check if we got an answer from the tag
1132 DbpString("Expected 6 bytes from tag, got less...");
1133 return;
1134 }
1135 // The check the CRC of the answer (use cmd1 as temporary variable):
1136 ComputeCrc14443(CRC_14443_B, Demod.output, 4, &cmd1[2], &cmd1[3]);
1137 if(cmd1[2] != Demod.output[4] || cmd1[3] != Demod.output[5]) {
1138 Dbprintf("CRC Error reading block! Expected: %04x got: %04x",
1139 (cmd1[2]<<8)+cmd1[3], (Demod.output[4]<<8)+Demod.output[5]);
1140 // Do not return;, let's go on... (we should retry, maybe ?)
1141 }
1142 // Now print out the memory location:
1143 Dbprintf("Address=%02x, Contents=%08x, CRC=%04x", i,
1144 (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0],
1145 (Demod.output[4]<<8)+Demod.output[5]);
1146 if (i == 0xff) {
1147 break;
1148 }
1149 i++;
1150 }
1151
1152 set_tracing(FALSE);
1153 }
1154
1155
1156 //=============================================================================
1157 // Finally, the `sniffer' combines elements from both the reader and
1158 // simulated tag, to show both sides of the conversation.
1159 //=============================================================================
1160
1161 //-----------------------------------------------------------------------------
1162 // Record the sequence of commands sent by the reader to the tag, with
1163 // triggering so that we start recording at the point that the tag is moved
1164 // near the reader.
1165 //-----------------------------------------------------------------------------
1166 /*
1167 * Memory usage for this function, (within BigBuf)
1168 * Last Received command (reader->tag) - MAX_FRAME_SIZE
1169 * Last Received command (tag->reader) - MAX_FRAME_SIZE
1170 * DMA Buffer - ISO14443B_DMA_BUFFER_SIZE
1171 * Demodulated samples received - all the rest
1172 */
1173 void RAMFUNC SnoopIso14443b(void)
1174 {
1175 // We won't start recording the frames that we acquire until we trigger;
1176 // a good trigger condition to get started is probably when we see a
1177 // response from the tag.
1178 int triggered = TRUE; // TODO: set and evaluate trigger condition
1179
1180 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1181 BigBuf_free();
1182
1183 clear_trace();
1184 set_tracing(TRUE);
1185
1186 // The DMA buffer, used to stream samples from the FPGA
1187 int8_t *dmaBuf = (int8_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE);
1188 int lastRxCounter;
1189 int8_t *upTo;
1190 int ci, cq;
1191 int maxBehindBy = 0;
1192
1193 // Count of samples received so far, so that we can include timing
1194 // information in the trace buffer.
1195 int samples = 0;
1196
1197 DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
1198 UartInit(BigBuf_malloc(MAX_FRAME_SIZE));
1199
1200 // Print some debug information about the buffer sizes
1201 Dbprintf("Snooping buffers initialized:");
1202 Dbprintf(" Trace: %i bytes", BigBuf_max_traceLen());
1203 Dbprintf(" Reader -> tag: %i bytes", MAX_FRAME_SIZE);
1204 Dbprintf(" tag -> Reader: %i bytes", MAX_FRAME_SIZE);
1205 Dbprintf(" DMA: %i bytes", ISO14443B_DMA_BUFFER_SIZE);
1206
1207 // Signal field is off, no reader signal, no tag signal
1208 LEDsoff();
1209
1210 // And put the FPGA in the appropriate mode
1211 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ | FPGA_HF_READER_RX_XCORR_SNOOP);
1212 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1213
1214 // Setup for the DMA.
1215 FpgaSetupSsc();
1216 upTo = dmaBuf;
1217 lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
1218 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE);
1219 uint8_t parity[MAX_PARITY_SIZE];
1220
1221 bool TagIsActive = FALSE;
1222 bool ReaderIsActive = FALSE;
1223
1224 // And now we loop, receiving samples.
1225 for(;;) {
1226 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
1227 (ISO14443B_DMA_BUFFER_SIZE-1);
1228 if(behindBy > maxBehindBy) {
1229 maxBehindBy = behindBy;
1230 }
1231
1232 if(behindBy < 2) continue;
1233
1234 ci = upTo[0];
1235 cq = upTo[1];
1236 upTo += 2;
1237 lastRxCounter -= 2;
1238 if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) {
1239 upTo = dmaBuf;
1240 lastRxCounter += ISO14443B_DMA_BUFFER_SIZE;
1241 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
1242 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE;
1243 WDT_HIT();
1244 if(behindBy > (9*ISO14443B_DMA_BUFFER_SIZE/10)) { // TODO: understand whether we can increase/decrease as we want or not?
1245 Dbprintf("blew circular buffer! behindBy=%d", behindBy);
1246 break;
1247 }
1248 if(!tracing) {
1249 DbpString("Reached trace limit");
1250 break;
1251 }
1252 if(BUTTON_PRESS()) {
1253 DbpString("cancelled");
1254 break;
1255 }
1256 }
1257
1258 samples += 2;
1259
1260 if (!TagIsActive) { // no need to try decoding reader data if the tag is sending
1261 if(Handle14443bUartBit(ci & 0x01)) {
1262 if(triggered && tracing) {
1263 LogTrace(Uart.output, Uart.byteCnt, samples, samples, parity, TRUE);
1264 }
1265 /* And ready to receive another command. */
1266 UartReset();
1267 /* And also reset the demod code, which might have been */
1268 /* false-triggered by the commands from the reader. */
1269 DemodReset();
1270 }
1271 if(Handle14443bUartBit(cq & 0x01)) {
1272 if(triggered && tracing) {
1273 LogTrace(Uart.output, Uart.byteCnt, samples, samples, parity, TRUE);
1274 }
1275 /* And ready to receive another command. */
1276 UartReset();
1277 /* And also reset the demod code, which might have been */
1278 /* false-triggered by the commands from the reader. */
1279 DemodReset();
1280 }
1281 ReaderIsActive = (Uart.state > STATE_GOT_FALLING_EDGE_OF_SOF);
1282 }
1283
1284 if(!ReaderIsActive) { // no need to try decoding tag data if the reader is sending - and we cannot afford the time
1285 // is this | 0x01 the error? & 0xfe in https://github.com/Proxmark/proxmark3/issues/103
1286 if(Handle14443bSamplesDemod(ci & 0xfe, cq & 0xfe)) {
1287
1288 //Use samples as a time measurement
1289 if(tracing)
1290 {
1291 //uint8_t parity[MAX_PARITY_SIZE];
1292 LogTrace(Demod.output, Demod.len, samples, samples, parity, FALSE);
1293 }
1294 triggered = TRUE;
1295
1296 // And ready to receive another response.
1297 DemodReset();
1298 }
1299 TagIsActive = (Demod.state > DEMOD_GOT_FALLING_EDGE_OF_SOF);
1300 }
1301 }
1302
1303 FpgaDisableSscDma();
1304 LEDsoff();
1305 set_tracing(FALSE);
1306
1307 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
1308 DbpString("Snoop statistics:");
1309 Dbprintf(" Max behind by: %i", maxBehindBy);
1310 Dbprintf(" Uart State: %x", Uart.state);
1311 Dbprintf(" Uart ByteCnt: %i", Uart.byteCnt);
1312 Dbprintf(" Uart ByteCntMax: %i", Uart.byteCntMax);
1313 Dbprintf(" Trace length: %i", BigBuf_get_traceLen());
1314 }
1315
1316
1317 /*
1318 * Send raw command to tag ISO14443B
1319 * @Input
1320 * datalen len of buffer data
1321 * recv bool when true wait for data from tag and send to client
1322 * powerfield bool leave the field on when true
1323 * data buffer with byte to send
1324 *
1325 * @Output
1326 * none
1327 *
1328 */
1329 void SendRawCommand14443B(uint32_t datalen, uint32_t recv, uint8_t powerfield, uint8_t data[])
1330 {
1331 iso14443b_setup();
1332
1333 if ( datalen == 0 && recv == 0 && powerfield == 0){
1334
1335 } else {
1336 set_tracing(TRUE);
1337 CodeAndTransmit14443bAsReader(data, datalen);
1338 }
1339
1340 if(recv) {
1341 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, FALSE);
1342 uint16_t iLen = MIN(Demod.len, USB_CMD_DATA_SIZE);
1343 cmd_send(CMD_ACK, iLen, 0, 0, Demod.output, iLen);
1344 }
1345
1346 if(!powerfield) {
1347 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1348 FpgaDisableSscDma();
1349 set_tracing(FALSE);
1350 LED_D_OFF();
1351 }
1352 }
1353
Proxmark3 GIT tracking
Impressum, Datenschutz