]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443a.c
projects / proxmark3-svn / blob
? search:


0de5ea6f67789ebdf40981cbf8892c085e1603f1
[proxmark3-svn] / armsrc / iso14443a.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // Routines to support ISO 14443 type A.
11 //-----------------------------------------------------------------------------
12
13 #include "iso14443a.h"
14
15 #include <stdio.h>
16 #include <string.h>
17 #include "proxmark3.h"
18 #include "apps.h"
19 #include "util.h"
20 #include "usb_cdc.h"
21 #include "iso14443crc.h"
22 #include "crapto1/crapto1.h"
23 #include "mifareutil.h"
24 #include "mifaresniff.h"
25 #include "BigBuf.h"
26 #include "protocols.h"
27 #include "parity.h"
28 #include "fpgaloader.h"
29
30 typedef struct {
31 enum {
32 DEMOD_UNSYNCD,
33 // DEMOD_HALF_SYNCD,
34 // DEMOD_MOD_FIRST_HALF,
35 // DEMOD_NOMOD_FIRST_HALF,
36 DEMOD_MANCHESTER_DATA
37 } state;
38 uint16_t twoBits;
39 uint16_t highCnt;
40 uint16_t bitCount;
41 uint16_t collisionPos;
42 uint16_t syncBit;
43 uint8_t parityBits;
44 uint8_t parityLen;
45 uint16_t shiftReg;
46 uint16_t samples;
47 uint16_t len;
48 uint32_t startTime, endTime;
49 uint8_t *output;
50 uint8_t *parity;
51 } tDemod;
52
53 typedef enum {
54 MOD_NOMOD = 0,
55 MOD_SECOND_HALF,
56 MOD_FIRST_HALF,
57 MOD_BOTH_HALVES
58 } Modulation_t;
59
60 typedef struct {
61 enum {
62 STATE_UNSYNCD,
63 STATE_START_OF_COMMUNICATION,
64 STATE_MILLER_X,
65 STATE_MILLER_Y,
66 STATE_MILLER_Z,
67 // DROP_NONE,
68 // DROP_FIRST_HALF,
69 } state;
70 uint16_t shiftReg;
71 int16_t bitCount;
72 uint16_t len;
73 uint16_t byteCntMax;
74 uint16_t posCnt;
75 uint16_t syncBit;
76 uint8_t parityBits;
77 uint8_t parityLen;
78 uint32_t fourBits;
79 uint32_t startTime, endTime;
80 uint8_t *output;
81 uint8_t *parity;
82 } tUart;
83
84 static uint32_t iso14a_timeout;
85 #define MAX_ISO14A_TIMEOUT 524288
86
87 int rsamples = 0;
88 uint8_t trigger = 0;
89 // the block number for the ISO14443-4 PCB
90 static uint8_t iso14_pcb_blocknum = 0;
91
92 //
93 // ISO14443 timing:
94 //
95 // minimum time between the start bits of consecutive transfers from reader to tag: 7000 carrier (13.56Mhz) cycles
96 #define REQUEST_GUARD_TIME (7000/16 + 1)
97 // minimum time between last modulation of tag and next start bit from reader to tag: 1172 carrier cycles
98 #define FRAME_DELAY_TIME_PICC_TO_PCD (1172/16 + 1)
99 // bool LastCommandWasRequest = false;
100
101 //
102 // Total delays including SSC-Transfers between ARM and FPGA. These are in carrier clock cycles (1/13,56MHz)
103 //
104 // When the PM acts as reader and is receiving tag data, it takes
105 // 3 ticks delay in the AD converter
106 // 16 ticks until the modulation detector completes and sets curbit
107 // 8 ticks until bit_to_arm is assigned from curbit
108 // 8*16 ticks for the transfer from FPGA to ARM
109 // 4*16 ticks until we measure the time
110 // - 8*16 ticks because we measure the time of the previous transfer
111 #define DELAY_AIR2ARM_AS_READER (3 + 16 + 8 + 8*16 + 4*16 - 8*16)
112
113 // When the PM acts as a reader and is sending, it takes
114 // 4*16 ticks until we can write data to the sending hold register
115 // 8*16 ticks until the SHR is transferred to the Sending Shift Register
116 // 8 ticks until the first transfer starts
117 // 8 ticks later the FPGA samples the data
118 // 1 tick to assign mod_sig_coil
119 #define DELAY_ARM2AIR_AS_READER (4*16 + 8*16 + 8 + 8 + 1)
120
121 // When the PM acts as tag and is receiving it takes
122 // 2 ticks delay in the RF part (for the first falling edge),
123 // 3 ticks for the A/D conversion,
124 // 8 ticks on average until the start of the SSC transfer,
125 // 8 ticks until the SSC samples the first data
126 // 7*16 ticks to complete the transfer from FPGA to ARM
127 // 8 ticks until the next ssp_clk rising edge
128 // 4*16 ticks until we measure the time
129 // - 8*16 ticks because we measure the time of the previous transfer
130 #define DELAY_AIR2ARM_AS_TAG (2 + 3 + 8 + 8 + 7*16 + 8 + 4*16 - 8*16)
131
132 // The FPGA will report its internal sending delay in
133 uint16_t FpgaSendQueueDelay;
134 // the 5 first bits are the number of bits buffered in mod_sig_buf
135 // the last three bits are the remaining ticks/2 after the mod_sig_buf shift
136 #define DELAY_FPGA_QUEUE (FpgaSendQueueDelay<<1)
137
138 // When the PM acts as tag and is sending, it takes
139 // 4*16 + 8 ticks until we can write data to the sending hold register
140 // 8*16 ticks until the SHR is transferred to the Sending Shift Register
141 // 8 ticks later the FPGA samples the first data
142 // + 16 ticks until assigned to mod_sig
143 // + 1 tick to assign mod_sig_coil
144 // + a varying number of ticks in the FPGA Delay Queue (mod_sig_buf)
145 #define DELAY_ARM2AIR_AS_TAG (4*16 + 8 + 8*16 + 8 + 16 + 1 + DELAY_FPGA_QUEUE)
146
147 // When the PM acts as sniffer and is receiving tag data, it takes
148 // 3 ticks A/D conversion
149 // 14 ticks to complete the modulation detection
150 // 8 ticks (on average) until the result is stored in to_arm
151 // + the delays in transferring data - which is the same for
152 // sniffing reader and tag data and therefore not relevant
153 #define DELAY_TAG_AIR2ARM_AS_SNIFFER (3 + 14 + 8)
154
155 // When the PM acts as sniffer and is receiving reader data, it takes
156 // 2 ticks delay in analogue RF receiver (for the falling edge of the
157 // start bit, which marks the start of the communication)
158 // 3 ticks A/D conversion
159 // 8 ticks on average until the data is stored in to_arm.
160 // + the delays in transferring data - which is the same for
161 // sniffing reader and tag data and therefore not relevant
162 #define DELAY_READER_AIR2ARM_AS_SNIFFER (2 + 3 + 8)
163
164 //variables used for timing purposes:
165 //these are in ssp_clk cycles:
166 static uint32_t NextTransferTime;
167 static uint32_t LastTimeProxToAirStart;
168 static uint32_t LastProxToAirDuration;
169
170
171
172 // CARD TO READER - manchester
173 // Sequence D: 11110000 modulation with subcarrier during first half
174 // Sequence E: 00001111 modulation with subcarrier during second half
175 // Sequence F: 00000000 no modulation with subcarrier
176 // READER TO CARD - miller
177 // Sequence X: 00001100 drop after half a period
178 // Sequence Y: 00000000 no drop
179 // Sequence Z: 11000000 drop at start
180 #define SEC_D 0xf0
181 #define SEC_E 0x0f
182 #define SEC_F 0x00
183 #define SEC_X 0x0c
184 #define SEC_Y 0x00
185 #define SEC_Z 0xc0
186
187 void iso14a_set_trigger(bool enable) {
188 trigger = enable;
189 }
190
191
192 void iso14a_set_timeout(uint32_t timeout) {
193 // adjust timeout by FPGA delays and 2 additional ssp_frames to detect SOF
194 iso14a_timeout = timeout + (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/(16*8) + 2;
195 if(MF_DBGLEVEL >= 3) Dbprintf("ISO14443A Timeout set to %ld (%dms)", timeout, timeout / 106);
196 }
197
198
199 uint32_t iso14a_get_timeout(void) {
200 return iso14a_timeout - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/(16*8) - 2;
201 }
202
203 //-----------------------------------------------------------------------------
204 // Generate the parity value for a byte sequence
205 //
206 //-----------------------------------------------------------------------------
207 void GetParity(const uint8_t *pbtCmd, uint16_t iLen, uint8_t *par)
208 {
209 uint16_t paritybit_cnt = 0;
210 uint16_t paritybyte_cnt = 0;
211 uint8_t parityBits = 0;
212
213 for (uint16_t i = 0; i < iLen; i++) {
214 // Generate the parity bits
215 parityBits |= ((oddparity8(pbtCmd[i])) << (7-paritybit_cnt));
216 if (paritybit_cnt == 7) {
217 par[paritybyte_cnt] = parityBits; // save 8 Bits parity
218 parityBits = 0; // and advance to next Parity Byte
219 paritybyte_cnt++;
220 paritybit_cnt = 0;
221 } else {
222 paritybit_cnt++;
223 }
224 }
225
226 // save remaining parity bits
227 par[paritybyte_cnt] = parityBits;
228
229 }
230
231 void AppendCrc14443a(uint8_t* data, int len)
232 {
233 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
234 }
235
236 static void AppendCrc14443b(uint8_t* data, int len)
237 {
238 ComputeCrc14443(CRC_14443_B,data,len,data+len,data+len+1);
239 }
240
241
242 //=============================================================================
243 // ISO 14443 Type A - Miller decoder
244 //=============================================================================
245 // Basics:
246 // This decoder is used when the PM3 acts as a tag.
247 // The reader will generate "pauses" by temporarily switching of the field.
248 // At the PM3 antenna we will therefore measure a modulated antenna voltage.
249 // The FPGA does a comparison with a threshold and would deliver e.g.:
250 // ........ 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1 .......
251 // The Miller decoder needs to identify the following sequences:
252 // 2 (or 3) ticks pause followed by 6 (or 5) ticks unmodulated: pause at beginning - Sequence Z ("start of communication" or a "0")
253 // 8 ticks without a modulation: no pause - Sequence Y (a "0" or "end of communication" or "no information")
254 // 4 ticks unmodulated followed by 2 (or 3) ticks pause: pause in second half - Sequence X (a "1")
255 // Note 1: the bitstream may start at any time. We therefore need to sync.
256 // Note 2: the interpretation of Sequence Y and Z depends on the preceding sequence.
257 //-----------------------------------------------------------------------------
258 static tUart Uart;
259
260 // Lookup-Table to decide if 4 raw bits are a modulation.
261 // We accept the following:
262 // 0001 - a 3 tick wide pause
263 // 0011 - a 2 tick wide pause, or a three tick wide pause shifted left
264 // 0111 - a 2 tick wide pause shifted left
265 // 1001 - a 2 tick wide pause shifted right
266 const bool Mod_Miller_LUT[] = {
267 false, true, false, true, false, false, false, true,
268 false, true, false, false, false, false, false, false
269 };
270 #define IsMillerModulationNibble1(b) (Mod_Miller_LUT[(b & 0x000000F0) >> 4])
271 #define IsMillerModulationNibble2(b) (Mod_Miller_LUT[(b & 0x0000000F)])
272
273 static void UartReset() {
274 Uart.state = STATE_UNSYNCD;
275 Uart.bitCount = 0;
276 Uart.len = 0; // number of decoded data bytes
277 Uart.parityLen = 0; // number of decoded parity bytes
278 Uart.shiftReg = 0; // shiftreg to hold decoded data bits
279 Uart.parityBits = 0; // holds 8 parity bits
280 }
281
282 static void UartInit(uint8_t *data, uint8_t *parity) {
283 Uart.output = data;
284 Uart.parity = parity;
285 Uart.fourBits = 0x00000000; // clear the buffer for 4 Bits
286 Uart.startTime = 0;
287 Uart.endTime = 0;
288 UartReset();
289 }
290
291 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
292 static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) {
293
294 Uart.fourBits = (Uart.fourBits << 8) | bit;
295
296 if (Uart.state == STATE_UNSYNCD) { // not yet synced
297
298 Uart.syncBit = 9999; // not set
299 // The start bit is one ore more Sequence Y followed by a Sequence Z (... 11111111 00x11111). We need to distinguish from
300 // Sequence X followed by Sequence Y followed by Sequence Z (111100x1 11111111 00x11111)
301 // we therefore look for a ...xx11111111111100x11111xxxxxx... pattern
302 // (12 '1's followed by 2 '0's, eventually followed by another '0', followed by 5 '1's)
303 #define ISO14443A_STARTBIT_MASK 0x07FFEF80 // mask is 00000111 11111111 11101111 10000000
304 #define ISO14443A_STARTBIT_PATTERN 0x07FF8F80 // pattern is 00000111 11111111 10001111 10000000
305 if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 0)) == ISO14443A_STARTBIT_PATTERN >> 0) Uart.syncBit = 7;
306 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 1)) == ISO14443A_STARTBIT_PATTERN >> 1) Uart.syncBit = 6;
307 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 2)) == ISO14443A_STARTBIT_PATTERN >> 2) Uart.syncBit = 5;
308 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 3)) == ISO14443A_STARTBIT_PATTERN >> 3) Uart.syncBit = 4;
309 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 4)) == ISO14443A_STARTBIT_PATTERN >> 4) Uart.syncBit = 3;
310 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 5)) == ISO14443A_STARTBIT_PATTERN >> 5) Uart.syncBit = 2;
311 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 6)) == ISO14443A_STARTBIT_PATTERN >> 6) Uart.syncBit = 1;
312 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 7)) == ISO14443A_STARTBIT_PATTERN >> 7) Uart.syncBit = 0;
313
314 if (Uart.syncBit != 9999) { // found a sync bit
315 Uart.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
316 Uart.startTime -= Uart.syncBit;
317 Uart.endTime = Uart.startTime;
318 Uart.state = STATE_START_OF_COMMUNICATION;
319 LED_B_ON();
320 }
321
322 } else {
323
324 if (IsMillerModulationNibble1(Uart.fourBits >> Uart.syncBit)) {
325 if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) { // Modulation in both halves - error
326 LED_B_OFF();
327 UartReset();
328 } else { // Modulation in first half = Sequence Z = logic "0"
329 if (Uart.state == STATE_MILLER_X) { // error - must not follow after X
330 LED_B_OFF();
331 UartReset();
332 } else {
333 Uart.bitCount++;
334 Uart.shiftReg = (Uart.shiftReg >> 1); // add a 0 to the shiftreg
335 Uart.state = STATE_MILLER_Z;
336 Uart.endTime = Uart.startTime + 8*(9*Uart.len + Uart.bitCount + 1) - 6;
337 if(Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
338 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
339 Uart.parityBits <<= 1; // make room for the parity bit
340 Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
341 Uart.bitCount = 0;
342 Uart.shiftReg = 0;
343 if((Uart.len&0x0007) == 0) { // every 8 data bytes
344 Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
345 Uart.parityBits = 0;
346 }
347 }
348 }
349 }
350 } else {
351 if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) { // Modulation second half = Sequence X = logic "1"
352 Uart.bitCount++;
353 Uart.shiftReg = (Uart.shiftReg >> 1) | 0x100; // add a 1 to the shiftreg
354 Uart.state = STATE_MILLER_X;
355 Uart.endTime = Uart.startTime + 8*(9*Uart.len + Uart.bitCount + 1) - 2;
356 if(Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
357 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
358 Uart.parityBits <<= 1; // make room for the new parity bit
359 Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
360 Uart.bitCount = 0;
361 Uart.shiftReg = 0;
362 if ((Uart.len&0x0007) == 0) { // every 8 data bytes
363 Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
364 Uart.parityBits = 0;
365 }
366 }
367 } else { // no modulation in both halves - Sequence Y
368 if (Uart.state == STATE_MILLER_Z || Uart.state == STATE_MILLER_Y) { // Y after logic "0" - End of Communication
369 LED_B_OFF();
370 Uart.state = STATE_UNSYNCD;
371 Uart.bitCount--; // last "0" was part of EOC sequence
372 Uart.shiftReg <<= 1; // drop it
373 if(Uart.bitCount > 0) { // if we decoded some bits
374 Uart.shiftReg >>= (9 - Uart.bitCount); // right align them
375 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff); // add last byte to the output
376 Uart.parityBits <<= 1; // add a (void) parity bit
377 Uart.parityBits <<= (8 - (Uart.len&0x0007)); // left align parity bits
378 Uart.parity[Uart.parityLen++] = Uart.parityBits; // and store it
379 return true;
380 } else if (Uart.len & 0x0007) { // there are some parity bits to store
381 Uart.parityBits <<= (8 - (Uart.len&0x0007)); // left align remaining parity bits
382 Uart.parity[Uart.parityLen++] = Uart.parityBits; // and store them
383 }
384 if (Uart.len) {
385 return true; // we are finished with decoding the raw data sequence
386 } else {
387 UartReset(); // Nothing received - start over
388 }
389 }
390 if (Uart.state == STATE_START_OF_COMMUNICATION) { // error - must not follow directly after SOC
391 LED_B_OFF();
392 UartReset();
393 } else { // a logic "0"
394 Uart.bitCount++;
395 Uart.shiftReg = (Uart.shiftReg >> 1); // add a 0 to the shiftreg
396 Uart.state = STATE_MILLER_Y;
397 if(Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
398 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
399 Uart.parityBits <<= 1; // make room for the parity bit
400 Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
401 Uart.bitCount = 0;
402 Uart.shiftReg = 0;
403 if ((Uart.len&0x0007) == 0) { // every 8 data bytes
404 Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
405 Uart.parityBits = 0;
406 }
407 }
408 }
409 }
410 }
411
412 }
413
414 return false; // not finished yet, need more data
415 }
416
417
418
419 //=============================================================================
420 // ISO 14443 Type A - Manchester decoder
421 //=============================================================================
422 // Basics:
423 // This decoder is used when the PM3 acts as a reader.
424 // The tag will modulate the reader field by asserting different loads to it. As a consequence, the voltage
425 // at the reader antenna will be modulated as well. The FPGA detects the modulation for us and would deliver e.g. the following:
426 // ........ 0 0 1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 .......
427 // The Manchester decoder needs to identify the following sequences:
428 // 4 ticks modulated followed by 4 ticks unmodulated: Sequence D = 1 (also used as "start of communication")
429 // 4 ticks unmodulated followed by 4 ticks modulated: Sequence E = 0
430 // 8 ticks unmodulated: Sequence F = end of communication
431 // 8 ticks modulated: A collision. Save the collision position and treat as Sequence D
432 // Note 1: the bitstream may start at any time. We therefore need to sync.
433 // Note 2: parameter offset is used to determine the position of the parity bits (required for the anticollision command only)
434 static tDemod Demod;
435
436 // Lookup-Table to decide if 4 raw bits are a modulation.
437 // We accept three or four "1" in any position
438 const bool Mod_Manchester_LUT[] = {
439 false, false, false, false, false, false, false, true,
440 false, false, false, true, false, true, true, true
441 };
442
443 #define IsManchesterModulationNibble1(b) (Mod_Manchester_LUT[(b & 0x00F0) >> 4])
444 #define IsManchesterModulationNibble2(b) (Mod_Manchester_LUT[(b & 0x000F)])
445
446
447 static void DemodReset() {
448 Demod.state = DEMOD_UNSYNCD;
449 Demod.len = 0; // number of decoded data bytes
450 Demod.parityLen = 0;
451 Demod.shiftReg = 0; // shiftreg to hold decoded data bits
452 Demod.parityBits = 0; //
453 Demod.collisionPos = 0; // Position of collision bit
454 Demod.twoBits = 0xffff; // buffer for 2 Bits
455 Demod.highCnt = 0;
456 Demod.startTime = 0;
457 Demod.endTime = 0;
458 }
459
460 static void DemodInit(uint8_t *data, uint8_t *parity) {
461 Demod.output = data;
462 Demod.parity = parity;
463 DemodReset();
464 }
465
466 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
467 static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time) {
468
469 Demod.twoBits = (Demod.twoBits << 8) | bit;
470
471 if (Demod.state == DEMOD_UNSYNCD) {
472
473 if (Demod.highCnt < 2) { // wait for a stable unmodulated signal
474 if (Demod.twoBits == 0x0000) {
475 Demod.highCnt++;
476 } else {
477 Demod.highCnt = 0;
478 }
479 } else {
480 Demod.syncBit = 0xFFFF; // not set
481 if ((Demod.twoBits & 0x7700) == 0x7000) Demod.syncBit = 7;
482 else if ((Demod.twoBits & 0x3B80) == 0x3800) Demod.syncBit = 6;
483 else if ((Demod.twoBits & 0x1DC0) == 0x1C00) Demod.syncBit = 5;
484 else if ((Demod.twoBits & 0x0EE0) == 0x0E00) Demod.syncBit = 4;
485 else if ((Demod.twoBits & 0x0770) == 0x0700) Demod.syncBit = 3;
486 else if ((Demod.twoBits & 0x03B8) == 0x0380) Demod.syncBit = 2;
487 else if ((Demod.twoBits & 0x01DC) == 0x01C0) Demod.syncBit = 1;
488 else if ((Demod.twoBits & 0x00EE) == 0x00E0) Demod.syncBit = 0;
489 if (Demod.syncBit != 0xFFFF) {
490 Demod.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
491 Demod.startTime -= Demod.syncBit;
492 Demod.bitCount = offset; // number of decoded data bits
493 Demod.state = DEMOD_MANCHESTER_DATA;
494 LED_C_ON();
495 }
496 }
497
498 } else {
499
500 if (IsManchesterModulationNibble1(Demod.twoBits >> Demod.syncBit)) { // modulation in first half
501 if (IsManchesterModulationNibble2(Demod.twoBits >> Demod.syncBit)) { // ... and in second half = collision
502 if (!Demod.collisionPos) {
503 Demod.collisionPos = (Demod.len << 3) + Demod.bitCount;
504 }
505 } // modulation in first half only - Sequence D = 1
506 Demod.bitCount++;
507 Demod.shiftReg = (Demod.shiftReg >> 1) | 0x100; // in both cases, add a 1 to the shiftreg
508 if(Demod.bitCount == 9) { // if we decoded a full byte (including parity)
509 Demod.output[Demod.len++] = (Demod.shiftReg & 0xff);
510 Demod.parityBits <<= 1; // make room for the parity bit
511 Demod.parityBits |= ((Demod.shiftReg >> 8) & 0x01); // store parity bit
512 Demod.bitCount = 0;
513 Demod.shiftReg = 0;
514 if((Demod.len&0x0007) == 0) { // every 8 data bytes
515 Demod.parity[Demod.parityLen++] = Demod.parityBits; // store 8 parity bits
516 Demod.parityBits = 0;
517 }
518 }
519 Demod.endTime = Demod.startTime + 8*(9*Demod.len + Demod.bitCount + 1) - 4;
520 } else { // no modulation in first half
521 if (IsManchesterModulationNibble2(Demod.twoBits >> Demod.syncBit)) { // and modulation in second half = Sequence E = 0
522 Demod.bitCount++;
523 Demod.shiftReg = (Demod.shiftReg >> 1); // add a 0 to the shiftreg
524 if(Demod.bitCount >= 9) { // if we decoded a full byte (including parity)
525 Demod.output[Demod.len++] = (Demod.shiftReg & 0xff);
526 Demod.parityBits <<= 1; // make room for the new parity bit
527 Demod.parityBits |= ((Demod.shiftReg >> 8) & 0x01); // store parity bit
528 Demod.bitCount = 0;
529 Demod.shiftReg = 0;
530 if ((Demod.len&0x0007) == 0) { // every 8 data bytes
531 Demod.parity[Demod.parityLen++] = Demod.parityBits; // store 8 parity bits1
532 Demod.parityBits = 0;
533 }
534 }
535 Demod.endTime = Demod.startTime + 8*(9*Demod.len + Demod.bitCount + 1);
536 } else { // no modulation in both halves - End of communication
537 LED_C_OFF();
538 if(Demod.bitCount > 0) { // there are some remaining data bits
539 Demod.shiftReg >>= (9 - Demod.bitCount); // right align the decoded bits
540 Demod.output[Demod.len++] = Demod.shiftReg & 0xff; // and add them to the output
541 Demod.parityBits <<= 1; // add a (void) parity bit
542 Demod.parityBits <<= (8 - (Demod.len&0x0007)); // left align remaining parity bits
543 Demod.parity[Demod.parityLen++] = Demod.parityBits; // and store them
544 return true;
545 } else if (Demod.len & 0x0007) { // there are some parity bits to store
546 Demod.parityBits <<= (8 - (Demod.len&0x0007)); // left align remaining parity bits
547 Demod.parity[Demod.parityLen++] = Demod.parityBits; // and store them
548 }
549 if (Demod.len) {
550 return true; // we are finished with decoding the raw data sequence
551 } else { // nothing received. Start over
552 DemodReset();
553 }
554 }
555 }
556
557 }
558
559 return false; // not finished yet, need more data
560 }
561
562 //=============================================================================
563 // Finally, a `sniffer' for ISO 14443 Type A
564 // Both sides of communication!
565 //=============================================================================
566
567 //-----------------------------------------------------------------------------
568 // Record the sequence of commands sent by the reader to the tag, with
569 // triggering so that we start recording at the point that the tag is moved
570 // near the reader.
571 //-----------------------------------------------------------------------------
572 void RAMFUNC SnoopIso14443a(uint8_t param) {
573 // param:
574 // bit 0 - trigger from first card answer
575 // bit 1 - trigger from first reader 7-bit request
576
577 LEDsoff();
578 LED_A_ON();
579
580 iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
581
582 // Allocate memory from BigBuf for some buffers
583 // free all previous allocations first
584 BigBuf_free();
585
586 // The command (reader -> tag) that we're receiving.
587 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
588 uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
589
590 // The response (tag -> reader) that we're receiving.
591 uint8_t *receivedResponse = BigBuf_malloc(MAX_FRAME_SIZE);
592 uint8_t *receivedResponsePar = BigBuf_malloc(MAX_PARITY_SIZE);
593
594 // The DMA buffer, used to stream samples from the FPGA
595 uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
596
597 // init trace buffer
598 clear_trace();
599 set_tracing(true);
600
601 uint8_t *data = dmaBuf;
602 uint8_t previous_data = 0;
603 int maxDataLen = 0;
604 int dataLen = 0;
605 bool TagIsActive = false;
606 bool ReaderIsActive = false;
607
608 // Set up the demodulator for tag -> reader responses.
609 DemodInit(receivedResponse, receivedResponsePar);
610
611 // Set up the demodulator for the reader -> tag commands
612 UartInit(receivedCmd, receivedCmdPar);
613
614 // Setup and start DMA.
615 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
616
617 // We won't start recording the frames that we acquire until we trigger;
618 // a good trigger condition to get started is probably when we see a
619 // response from the tag.
620 // triggered == false -- to wait first for card
621 bool triggered = !(param & 0x03);
622
623 // And now we loop, receiving samples.
624 for (uint32_t rsamples = 0; true; ) {
625
626 if (BUTTON_PRESS()) {
627 DbpString("cancelled by button");
628 break;
629 }
630
631 WDT_HIT();
632
633 int register readBufDataP = data - dmaBuf;
634 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
635 if (readBufDataP <= dmaBufDataP){
636 dataLen = dmaBufDataP - readBufDataP;
637 } else {
638 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP;
639 }
640 // test for length of buffer
641 if(dataLen > maxDataLen) {
642 maxDataLen = dataLen;
643 if(dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
644 Dbprintf("blew circular buffer! dataLen=%d", dataLen);
645 break;
646 }
647 }
648 if(dataLen < 1) continue;
649
650 // primary buffer was stopped( <-- we lost data!
651 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
652 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
653 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
654 Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
655 }
656 // secondary buffer sets as primary, secondary buffer was stopped
657 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
658 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
659 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
660 }
661
662 if (rsamples & 0x01) { // Need two samples to feed Miller and Manchester-Decoder
663
664 if(!TagIsActive) { // no need to try decoding reader data if the tag is sending
665 uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
666 if (MillerDecoding(readerdata, (rsamples-1)*4)) {
667 // check - if there is a short 7bit request from reader
668 if ((!triggered) && (param & 0x02) && (Uart.len == 1) && (Uart.bitCount == 7)) {
669 triggered = true;
670 }
671 if(triggered) {
672 if (!LogTrace(receivedCmd,
673 Uart.len,
674 Uart.startTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER,
675 Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER,
676 Uart.parity,
677 true)) break;
678 }
679 /* And ready to receive another command. */
680 UartReset();
681 /* And also reset the demod code, which might have been */
682 /* false-triggered by the commands from the reader. */
683 DemodReset();
684 }
685 ReaderIsActive = (Uart.state != STATE_UNSYNCD);
686 }
687
688 if (!ReaderIsActive) { // no need to try decoding tag data if the reader is sending - and we cannot afford the time
689 uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
690 if (ManchesterDecoding(tagdata, 0, (rsamples-1)*4)) {
691 if (!LogTrace(receivedResponse,
692 Demod.len,
693 Demod.startTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER,
694 Demod.endTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER,
695 Demod.parity,
696 false)) break;
697 if ((!triggered) && (param & 0x01)) triggered = true;
698 // And ready to receive another response.
699 DemodReset();
700 // And reset the Miller decoder including itS (now outdated) input buffer
701 UartInit(receivedCmd, receivedCmdPar);
702 }
703 TagIsActive = (Demod.state != DEMOD_UNSYNCD);
704 }
705 }
706
707 previous_data = *data;
708 rsamples++;
709 data++;
710 if(data == dmaBuf + DMA_BUFFER_SIZE) {
711 data = dmaBuf;
712 }
713 } // main cycle
714
715 FpgaDisableSscDma();
716 LEDsoff();
717
718 DbpString("COMMAND FINISHED");
719 Dbprintf("maxDataLen=%d, Uart.state=%x, Uart.len=%d", maxDataLen, Uart.state, Uart.len);
720 Dbprintf("traceLen=%d, Uart.output[0]=%08x", BigBuf_get_traceLen(), (uint32_t)Uart.output[0]);
721 }
722
723 //-----------------------------------------------------------------------------
724 // Prepare tag messages
725 //-----------------------------------------------------------------------------
726 static void CodeIso14443aAsTagPar(const uint8_t *cmd, uint16_t len, uint8_t *parity) {
727 ToSendReset();
728
729 // Correction bit, might be removed when not needed
730 ToSendStuffBit(0);
731 ToSendStuffBit(0);
732 ToSendStuffBit(0);
733 ToSendStuffBit(0);
734 ToSendStuffBit(1); // 1
735 ToSendStuffBit(0);
736 ToSendStuffBit(0);
737 ToSendStuffBit(0);
738
739 // Send startbit
740 ToSend[++ToSendMax] = SEC_D;
741 LastProxToAirDuration = 8 * ToSendMax - 4;
742
743 for (uint16_t i = 0; i < len; i++) {
744 uint8_t b = cmd[i];
745
746 // Data bits
747 for (uint16_t j = 0; j < 8; j++) {
748 if(b & 1) {
749 ToSend[++ToSendMax] = SEC_D;
750 } else {
751 ToSend[++ToSendMax] = SEC_E;
752 }
753 b >>= 1;
754 }
755
756 // Get the parity bit
757 if (parity[i>>3] & (0x80>>(i&0x0007))) {
758 ToSend[++ToSendMax] = SEC_D;
759 LastProxToAirDuration = 8 * ToSendMax - 4;
760 } else {
761 ToSend[++ToSendMax] = SEC_E;
762 LastProxToAirDuration = 8 * ToSendMax;
763 }
764 }
765
766 // Send stopbit
767 ToSend[++ToSendMax] = SEC_F;
768
769 // Convert from last byte pos to length
770 ToSendMax++;
771 }
772
773
774 static void Code4bitAnswerAsTag(uint8_t cmd) {
775 int i;
776
777 ToSendReset();
778
779 // Correction bit, might be removed when not needed
780 ToSendStuffBit(0);
781 ToSendStuffBit(0);
782 ToSendStuffBit(0);
783 ToSendStuffBit(0);
784 ToSendStuffBit(1); // 1
785 ToSendStuffBit(0);
786 ToSendStuffBit(0);
787 ToSendStuffBit(0);
788
789 // Send startbit
790 ToSend[++ToSendMax] = SEC_D;
791
792 uint8_t b = cmd;
793 for (i = 0; i < 4; i++) {
794 if(b & 1) {
795 ToSend[++ToSendMax] = SEC_D;
796 LastProxToAirDuration = 8 * ToSendMax - 4;
797 } else {
798 ToSend[++ToSendMax] = SEC_E;
799 LastProxToAirDuration = 8 * ToSendMax;
800 }
801 b >>= 1;
802 }
803
804 // Send stopbit
805 ToSend[++ToSendMax] = SEC_F;
806
807 // Convert from last byte pos to length
808 ToSendMax++;
809 }
810
811
812 static uint8_t *LastReaderTraceTime = NULL;
813
814 static void EmLogTraceReader(void) {
815 // remember last reader trace start to fix timing info later
816 LastReaderTraceTime = BigBuf_get_addr() + BigBuf_get_traceLen();
817 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, true);
818 }
819
820
821 static void FixLastReaderTraceTime(uint32_t tag_StartTime) {
822 uint32_t reader_EndTime = Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG;
823 uint32_t reader_StartTime = Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG;
824 uint16_t reader_modlen = reader_EndTime - reader_StartTime;
825 uint16_t approx_fdt = tag_StartTime - reader_EndTime;
826 uint16_t exact_fdt = (approx_fdt - 20 + 32)/64 * 64 + 20;
827 reader_StartTime = tag_StartTime - exact_fdt - reader_modlen;
828 LastReaderTraceTime[0] = (reader_StartTime >> 0) & 0xff;
829 LastReaderTraceTime[1] = (reader_StartTime >> 8) & 0xff;
830 LastReaderTraceTime[2] = (reader_StartTime >> 16) & 0xff;
831 LastReaderTraceTime[3] = (reader_StartTime >> 24) & 0xff;
832 }
833
834
835 static void EmLogTraceTag(uint8_t *tag_data, uint16_t tag_len, uint8_t *tag_Parity, uint32_t ProxToAirDuration) {
836 uint32_t tag_StartTime = LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG;
837 uint32_t tag_EndTime = (LastTimeProxToAirStart + ProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG;
838 LogTrace(tag_data, tag_len, tag_StartTime, tag_EndTime, tag_Parity, false);
839 FixLastReaderTraceTime(tag_StartTime);
840 }
841
842
843 //-----------------------------------------------------------------------------
844 // Wait for commands from reader
845 // Stop when button is pressed
846 // Or return true when command is captured
847 //-----------------------------------------------------------------------------
848 static int GetIso14443aCommandFromReader(uint8_t *received, uint8_t *parity, int *len) {
849 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
850 // only, since we are receiving, not transmitting).
851 // Signal field is off with the appropriate LED
852 LED_D_OFF();
853 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
854
855 // Now run a `software UART' on the stream of incoming samples.
856 UartInit(received, parity);
857
858 // clear RXRDY:
859 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
860
861 for (;;) {
862 WDT_HIT();
863
864 if(BUTTON_PRESS()) return false;
865
866 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
867 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
868 if(MillerDecoding(b, 0)) {
869 *len = Uart.len;
870 EmLogTraceReader();
871 return true;
872 }
873 }
874 }
875 }
876
877
878 int EmSend4bit(uint8_t resp);
879 static int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, uint8_t *par);
880 int EmSendCmd(uint8_t *resp, uint16_t respLen);
881 int EmSendPrecompiledCmd(tag_response_info_t *response_info);
882
883
884 static bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffer_size) {
885 // Example response, answer to MIFARE Classic read block will be 16 bytes + 2 CRC = 18 bytes
886 // This will need the following byte array for a modulation sequence
887 // 144 data bits (18 * 8)
888 // 18 parity bits
889 // 2 Start and stop
890 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
891 // 1 just for the case
892 // ----------- +
893 // 166 bytes, since every bit that needs to be send costs us a byte
894 //
895
896
897 // Prepare the tag modulation bits from the message
898 GetParity(response_info->response, response_info->response_n, &(response_info->par));
899 CodeIso14443aAsTagPar(response_info->response,response_info->response_n, &(response_info->par));
900
901 // Make sure we do not exceed the free buffer space
902 if (ToSendMax > max_buffer_size) {
903 Dbprintf("Out of memory, when modulating bits for tag answer:");
904 Dbhexdump(response_info->response_n, response_info->response, false);
905 return false;
906 }
907
908 // Copy the byte array, used for this modulation to the buffer position
909 memcpy(response_info->modulation, ToSend, ToSendMax);
910
911 // Store the number of bytes that were used for encoding/modulation and the time needed to transfer them
912 response_info->modulation_n = ToSendMax;
913 response_info->ProxToAirDuration = LastProxToAirDuration;
914
915 return true;
916 }
917
918
919 // "precompile" responses. There are 7 predefined responses with a total of 28 bytes data to transmit.
920 // Coded responses need one byte per bit to transfer (data, parity, start, stop, correction)
921 // 28 * 8 data bits, 28 * 1 parity bits, 7 start bits, 7 stop bits, 7 correction bits for the modulation
922 // -> need 273 bytes buffer
923 #define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 273
924
925 bool prepare_allocated_tag_modulation(tag_response_info_t* response_info, uint8_t **buffer, size_t *max_buffer_size) {
926
927 // Retrieve and store the current buffer index
928 response_info->modulation = *buffer;
929
930 // Forward the prepare tag modulation function to the inner function
931 if (prepare_tag_modulation(response_info, *max_buffer_size)) {
932 // Update the free buffer offset and the remaining buffer size
933 *buffer += ToSendMax;
934 *max_buffer_size -= ToSendMax;
935 return true;
936 } else {
937 return false;
938 }
939 }
940
941 //-----------------------------------------------------------------------------
942 // Main loop of simulated tag: receive commands from reader, decide what
943 // response to send, and send it.
944 //-----------------------------------------------------------------------------
945 void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, uint8_t* data) {
946
947 uint8_t sak;
948
949 // The first response contains the ATQA (note: bytes are transmitted in reverse order).
950 uint8_t response1[2];
951
952 switch (tagType) {
953 case 1: { // MIFARE Classic
954 // Says: I am Mifare 1k - original line
955 response1[0] = 0x04;
956 response1[1] = 0x00;
957 sak = 0x08;
958 } break;
959 case 2: { // MIFARE Ultralight
960 // Says: I am a stupid memory tag, no crypto
961 response1[0] = 0x04;
962 response1[1] = 0x00;
963 sak = 0x00;
964 } break;
965 case 3: { // MIFARE DESFire
966 // Says: I am a DESFire tag, ph33r me
967 response1[0] = 0x04;
968 response1[1] = 0x03;
969 sak = 0x20;
970 } break;
971 case 4: { // ISO/IEC 14443-4
972 // Says: I am a javacard (JCOP)
973 response1[0] = 0x04;
974 response1[1] = 0x00;
975 sak = 0x28;
976 } break;
977 case 5: { // MIFARE TNP3XXX
978 // Says: I am a toy
979 response1[0] = 0x01;
980 response1[1] = 0x0f;
981 sak = 0x01;
982 } break;
983 default: {
984 Dbprintf("Error: unkown tagtype (%d)",tagType);
985 return;
986 } break;
987 }
988
989 // The second response contains the (mandatory) first 24 bits of the UID
990 uint8_t response2[5] = {0x00};
991
992 // Check if the uid uses the (optional) part
993 uint8_t response2a[5] = {0x00};
994
995 if (uid_2nd) {
996 response2[0] = 0x88;
997 num_to_bytes(uid_1st,3,response2+1);
998 num_to_bytes(uid_2nd,4,response2a);
999 response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3];
1000
1001 // Configure the ATQA and SAK accordingly
1002 response1[0] |= 0x40;
1003 sak |= 0x04;
1004 } else {
1005 num_to_bytes(uid_1st,4,response2);
1006 // Configure the ATQA and SAK accordingly
1007 response1[0] &= 0xBF;
1008 sak &= 0xFB;
1009 }
1010
1011 // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
1012 response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
1013
1014 // Prepare the mandatory SAK (for 4 and 7 byte UID)
1015 uint8_t response3[3] = {0x00};
1016 response3[0] = sak;
1017 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
1018
1019 // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
1020 uint8_t response3a[3] = {0x00};
1021 response3a[0] = sak & 0xFB;
1022 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
1023
1024 uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
1025 uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS:
1026 // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present,
1027 // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
1028 // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
1029 // TC(1) = 0x02: CID supported, NAD not supported
1030 ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]);
1031
1032 #define TAG_RESPONSE_COUNT 7
1033 tag_response_info_t responses[TAG_RESPONSE_COUNT] = {
1034 { .response = response1, .response_n = sizeof(response1) }, // Answer to request - respond with card type
1035 { .response = response2, .response_n = sizeof(response2) }, // Anticollision cascade1 - respond with uid
1036 { .response = response2a, .response_n = sizeof(response2a) }, // Anticollision cascade2 - respond with 2nd half of uid if asked
1037 { .response = response3, .response_n = sizeof(response3) }, // Acknowledge select - cascade 1
1038 { .response = response3a, .response_n = sizeof(response3a) }, // Acknowledge select - cascade 2
1039 { .response = response5, .response_n = sizeof(response5) }, // Authentication answer (random nonce)
1040 { .response = response6, .response_n = sizeof(response6) }, // dummy ATS (pseudo-ATR), answer to RATS
1041 };
1042
1043 // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it
1044 // Such a response is less time critical, so we can prepare them on the fly
1045 #define DYNAMIC_RESPONSE_BUFFER_SIZE 64
1046 #define DYNAMIC_MODULATION_BUFFER_SIZE 512
1047 uint8_t dynamic_response_buffer[DYNAMIC_RESPONSE_BUFFER_SIZE];
1048 uint8_t dynamic_modulation_buffer[DYNAMIC_MODULATION_BUFFER_SIZE];
1049 tag_response_info_t dynamic_response_info = {
1050 .response = dynamic_response_buffer,
1051 .response_n = 0,
1052 .modulation = dynamic_modulation_buffer,
1053 .modulation_n = 0
1054 };
1055
1056 // We need to listen to the high-frequency, peak-detected path.
1057 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1058
1059 BigBuf_free_keep_EM();
1060
1061 // allocate buffers:
1062 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
1063 uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
1064 uint8_t *free_buffer_pointer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
1065 size_t free_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE;
1066 // clear trace
1067 clear_trace();
1068 set_tracing(true);
1069
1070 // Prepare the responses of the anticollision phase
1071 // there will be not enough time to do this at the moment the reader sends it REQA
1072 for (size_t i=0; i<TAG_RESPONSE_COUNT; i++) {
1073 prepare_allocated_tag_modulation(&responses[i], &free_buffer_pointer, &free_buffer_size);
1074 }
1075
1076 int len = 0;
1077
1078 // To control where we are in the protocol
1079 int order = 0;
1080 int lastorder;
1081
1082 // Just to allow some checks
1083 int happened = 0;
1084 int happened2 = 0;
1085 int cmdsRecvd = 0;
1086
1087 cmdsRecvd = 0;
1088 tag_response_info_t* p_response;
1089
1090 LED_A_ON();
1091 for (;;) {
1092 // Clean receive command buffer
1093 if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
1094 DbpString("Button press");
1095 break;
1096 }
1097
1098 p_response = NULL;
1099
1100 // Okay, look at the command now.
1101 lastorder = order;
1102 if(receivedCmd[0] == 0x26) { // Received a REQUEST
1103 p_response = &responses[0]; order = 1;
1104 } else if(receivedCmd[0] == 0x52) { // Received a WAKEUP
1105 p_response = &responses[0]; order = 6;
1106 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // Received request for UID (cascade 1)
1107 p_response = &responses[1]; order = 2;
1108 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x95) { // Received request for UID (cascade 2)
1109 p_response = &responses[2]; order = 20;
1110 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x93) { // Received a SELECT (cascade 1)
1111 p_response = &responses[3]; order = 3;
1112 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) { // Received a SELECT (cascade 2)
1113 p_response = &responses[4]; order = 30;
1114 } else if(receivedCmd[0] == 0x30) { // Received a (plain) READ
1115 EmSendCmd(data+(4*receivedCmd[1]),16);
1116 // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
1117 // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
1118 p_response = NULL;
1119 } else if(receivedCmd[0] == 0x50) { // Received a HALT
1120 p_response = NULL;
1121 } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) { // Received an authentication request
1122 p_response = &responses[5]; order = 7;
1123 } else if(receivedCmd[0] == 0xE0) { // Received a RATS request
1124 if (tagType == 1 || tagType == 2) { // RATS not supported
1125 EmSend4bit(CARD_NACK_NA);
1126 p_response = NULL;
1127 } else {
1128 p_response = &responses[6]; order = 70;
1129 }
1130 } else if (order == 7 && len == 8) { // Received {nr] and {ar} (part of authentication)
1131 uint32_t nr = bytes_to_num(receivedCmd,4);
1132 uint32_t ar = bytes_to_num(receivedCmd+4,4);
1133 Dbprintf("Auth attempt {nr}{ar}: %08x %08x",nr,ar);
1134 } else {
1135 // Check for ISO 14443A-4 compliant commands, look at left nibble
1136 switch (receivedCmd[0]) {
1137
1138 case 0x0B:
1139 case 0x0A: { // IBlock (command)
1140 dynamic_response_info.response[0] = receivedCmd[0];
1141 dynamic_response_info.response[1] = 0x00;
1142 dynamic_response_info.response[2] = 0x90;
1143 dynamic_response_info.response[3] = 0x00;
1144 dynamic_response_info.response_n = 4;
1145 } break;
1146
1147 case 0x1A:
1148 case 0x1B: { // Chaining command
1149 dynamic_response_info.response[0] = 0xaa | ((receivedCmd[0]) & 1);
1150 dynamic_response_info.response_n = 2;
1151 } break;
1152
1153 case 0xaa:
1154 case 0xbb: {
1155 dynamic_response_info.response[0] = receivedCmd[0] ^ 0x11;
1156 dynamic_response_info.response_n = 2;
1157 } break;
1158
1159 case 0xBA: { //
1160 memcpy(dynamic_response_info.response,"\xAB\x00",2);
1161 dynamic_response_info.response_n = 2;
1162 } break;
1163
1164 case 0xCA:
1165 case 0xC2: { // Readers sends deselect command
1166 memcpy(dynamic_response_info.response,"\xCA\x00",2);
1167 dynamic_response_info.response_n = 2;
1168 } break;
1169
1170 default: {
1171 // Never seen this command before
1172 Dbprintf("Received unknown command (len=%d):",len);
1173 Dbhexdump(len,receivedCmd,false);
1174 // Do not respond
1175 dynamic_response_info.response_n = 0;
1176 } break;
1177 }
1178
1179 if (dynamic_response_info.response_n > 0) {
1180 // Copy the CID from the reader query
1181 dynamic_response_info.response[1] = receivedCmd[1];
1182
1183 // Add CRC bytes, always used in ISO 14443A-4 compliant cards
1184 AppendCrc14443a(dynamic_response_info.response,dynamic_response_info.response_n);
1185 dynamic_response_info.response_n += 2;
1186
1187 if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
1188 Dbprintf("Error preparing tag response");
1189 break;
1190 }
1191 p_response = &dynamic_response_info;
1192 }
1193 }
1194
1195 // Count number of wakeups received after a halt
1196 if(order == 6 && lastorder == 5) { happened++; }
1197
1198 // Count number of other messages after a halt
1199 if(order != 6 && lastorder == 5) { happened2++; }
1200
1201 if(cmdsRecvd > 999) {
1202 DbpString("1000 commands later...");
1203 break;
1204 }
1205 cmdsRecvd++;
1206
1207 if (p_response != NULL) {
1208 EmSendPrecompiledCmd(p_response);
1209 }
1210
1211 if (!get_tracing()) {
1212 Dbprintf("Trace Full. Simulation stopped.");
1213 break;
1214 }
1215 }
1216
1217 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1218 LED_A_OFF();
1219 BigBuf_free_keep_EM();
1220 }
1221
1222
1223 // prepare a delayed transfer. This simply shifts ToSend[] by a number
1224 // of bits specified in the delay parameter.
1225 static void PrepareDelayedTransfer(uint16_t delay) {
1226 uint8_t bitmask = 0;
1227 uint8_t bits_to_shift = 0;
1228 uint8_t bits_shifted = 0;
1229
1230 delay &= 0x07;
1231 if (delay) {
1232 for (uint16_t i = 0; i < delay; i++) {
1233 bitmask |= (0x01 << i);
1234 }
1235 ToSend[ToSendMax++] = 0x00;
1236 for (uint16_t i = 0; i < ToSendMax; i++) {
1237 bits_to_shift = ToSend[i] & bitmask;
1238 ToSend[i] = ToSend[i] >> delay;
1239 ToSend[i] = ToSend[i] | (bits_shifted << (8 - delay));
1240 bits_shifted = bits_to_shift;
1241 }
1242 }
1243 }
1244
1245
1246 //-------------------------------------------------------------------------------------
1247 // Transmit the command (to the tag) that was placed in ToSend[].
1248 // Parameter timing:
1249 // if NULL: transfer at next possible time, taking into account
1250 // request guard time, startup frame guard time and frame delay time
1251 // if == 0: transfer immediately and return time of transfer
1252 // if != 0: delay transfer until time specified
1253 //-------------------------------------------------------------------------------------
1254 static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing) {
1255 LED_B_ON();
1256 LED_D_ON();
1257 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1258
1259 uint32_t ThisTransferTime = 0;
1260
1261 if (timing) {
1262 if (*timing == 0) { // Measure time
1263 *timing = (GetCountSspClk() + 8) & 0xfffffff8;
1264 } else {
1265 PrepareDelayedTransfer(*timing & 0x00000007); // Delay transfer (fine tuning - up to 7 MF clock ticks)
1266 }
1267 if (MF_DBGLEVEL >= 4 && GetCountSspClk() >= (*timing & 0xfffffff8)) Dbprintf("TransmitFor14443a: Missed timing");
1268 while (GetCountSspClk() < (*timing & 0xfffffff8)); // Delay transfer (multiple of 8 MF clock ticks)
1269 LastTimeProxToAirStart = *timing;
1270 } else {
1271 ThisTransferTime = ((MAX(NextTransferTime, GetCountSspClk()) & 0xfffffff8) + 8);
1272 while (GetCountSspClk() < ThisTransferTime);
1273 LastTimeProxToAirStart = ThisTransferTime;
1274 }
1275
1276 uint16_t c = 0;
1277 for (;;) {
1278 if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1279 AT91C_BASE_SSC->SSC_THR = cmd[c];
1280 c++;
1281 if(c >= len) {
1282 break;
1283 }
1284 }
1285 }
1286
1287 NextTransferTime = MAX(NextTransferTime, LastTimeProxToAirStart + REQUEST_GUARD_TIME);
1288 LED_B_OFF();
1289 }
1290
1291
1292 //-----------------------------------------------------------------------------
1293 // Prepare reader command (in bits, support short frames) to send to FPGA
1294 //-----------------------------------------------------------------------------
1295 static void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, const uint8_t *parity) {
1296 int i, j;
1297 int last;
1298 uint8_t b;
1299
1300 ToSendReset();
1301
1302 // Start of Communication (Seq. Z)
1303 ToSend[++ToSendMax] = SEC_Z;
1304 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1305 last = 0;
1306
1307 size_t bytecount = nbytes(bits);
1308 // Generate send structure for the data bits
1309 for (i = 0; i < bytecount; i++) {
1310 // Get the current byte to send
1311 b = cmd[i];
1312 size_t bitsleft = MIN((bits-(i*8)),8);
1313
1314 for (j = 0; j < bitsleft; j++) {
1315 if (b & 1) {
1316 // Sequence X
1317 ToSend[++ToSendMax] = SEC_X;
1318 LastProxToAirDuration = 8 * (ToSendMax+1) - 2;
1319 last = 1;
1320 } else {
1321 if (last == 0) {
1322 // Sequence Z
1323 ToSend[++ToSendMax] = SEC_Z;
1324 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1325 } else {
1326 // Sequence Y
1327 ToSend[++ToSendMax] = SEC_Y;
1328 last = 0;
1329 }
1330 }
1331 b >>= 1;
1332 }
1333
1334 // Only transmit parity bit if we transmitted a complete byte
1335 if (j == 8 && parity != NULL) {
1336 // Get the parity bit
1337 if (parity[i>>3] & (0x80 >> (i&0x0007))) {
1338 // Sequence X
1339 ToSend[++ToSendMax] = SEC_X;
1340 LastProxToAirDuration = 8 * (ToSendMax+1) - 2;
1341 last = 1;
1342 } else {
1343 if (last == 0) {
1344 // Sequence Z
1345 ToSend[++ToSendMax] = SEC_Z;
1346 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1347 } else {
1348 // Sequence Y
1349 ToSend[++ToSendMax] = SEC_Y;
1350 last = 0;
1351 }
1352 }
1353 }
1354 }
1355
1356 // End of Communication: Logic 0 followed by Sequence Y
1357 if (last == 0) {
1358 // Sequence Z
1359 ToSend[++ToSendMax] = SEC_Z;
1360 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1361 } else {
1362 // Sequence Y
1363 ToSend[++ToSendMax] = SEC_Y;
1364 last = 0;
1365 }
1366 ToSend[++ToSendMax] = SEC_Y;
1367
1368 // Convert to length of command:
1369 ToSendMax++;
1370 }
1371
1372
1373 //-----------------------------------------------------------------------------
1374 // Wait for commands from reader
1375 // Stop when button is pressed (return 1) or field was gone (return 2)
1376 // Or return 0 when command is captured
1377 //-----------------------------------------------------------------------------
1378 int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity) {
1379 uint32_t field_off_time = -1;
1380 uint32_t samples = 0;
1381 int ret = 0;
1382 uint8_t b = 0;;
1383 uint8_t dmaBuf[DMA_BUFFER_SIZE];
1384 uint8_t *upTo = dmaBuf;
1385
1386 *len = 0;
1387
1388 // Run a 'software UART' on the stream of incoming samples.
1389 UartInit(received, parity);
1390
1391 // start ADC
1392 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1393
1394 // Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN
1395 while (GetCountSspClk() < LastTimeProxToAirStart + LastProxToAirDuration + (FpgaSendQueueDelay>>3) - 8 - 3) /* wait */ ;
1396
1397 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1398 // only, since we are receiving, not transmitting).
1399 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1400
1401 // clear receive register, measure time of next transfer
1402 uint32_t temp = AT91C_BASE_SSC->SSC_RHR; (void) temp;
1403 while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)) ;
1404 uint32_t start_time = GetCountSspClk() & 0xfffffff8;
1405
1406 // Setup and start DMA.
1407 FpgaSetupSscDma(dmaBuf, DMA_BUFFER_SIZE);
1408
1409 for(;;) {
1410 uint16_t behindBy = ((uint8_t*)AT91C_BASE_PDC_SSC->PDC_RPR - upTo) & (DMA_BUFFER_SIZE-1);
1411
1412 if (behindBy == 0) continue;
1413
1414 b = *upTo++;
1415
1416 if(upTo >= dmaBuf + DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content.
1417 upTo = dmaBuf; // start reading the circular buffer from the beginning
1418 if(behindBy > (9*DMA_BUFFER_SIZE/10)) {
1419 Dbprintf("About to blow circular buffer - aborted! behindBy=%d", behindBy);
1420 ret = 1;
1421 break;
1422 }
1423 }
1424 if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { // DMA Counter Register had reached 0, already rotated.
1425 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; // refresh the DMA Next Buffer and
1426 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE; // DMA Next Counter registers
1427 }
1428
1429 if (BUTTON_PRESS()) {
1430 ret = 1;
1431 break;
1432 }
1433
1434 // check reader's HF field
1435 if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF_LOW)) {
1436 if ((MAX_ADC_HF_VOLTAGE_LOW * AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF_LOW]) >> 10 < MF_MINFIELDV) {
1437 if (GetTickCount() - field_off_time > 50) {
1438 ret = 2; // reader has switched off HF field for more than 50ms. Timeout
1439 break;
1440 }
1441 } else {
1442 field_off_time = GetTickCount(); // HF field is still there. Reset timer
1443 }
1444 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START; // restart ADC
1445 }
1446
1447 if (MillerDecoding(b, start_time + samples*8)) {
1448 *len = Uart.len;
1449 EmLogTraceReader();
1450 ret = 0;
1451 break;
1452 }
1453
1454 samples++;
1455 }
1456
1457 FpgaDisableSscDma();
1458 return ret;
1459 }
1460
1461
1462 static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen) {
1463 LED_C_ON();
1464
1465 uint8_t b;
1466 uint16_t i = 0;
1467 bool correctionNeeded;
1468
1469 // Modulate Manchester
1470 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1471
1472 // include correction bit if necessary
1473 if (Uart.bitCount == 7)
1474 {
1475 // Short tags (7 bits) don't have parity, determine the correct value from MSB
1476 correctionNeeded = Uart.output[0] & 0x40;
1477 }
1478 else
1479 {
1480 // Look at the last parity bit
1481 correctionNeeded = Uart.parity[(Uart.len-1)/8] & (0x80 >> ((Uart.len-1) & 7));
1482 }
1483
1484 if (correctionNeeded) {
1485 // 1236, so correction bit needed
1486 i = 0;
1487 } else {
1488 i = 1;
1489 }
1490
1491 // clear receiving shift register and holding register
1492 b = AT91C_BASE_SSC->SSC_RHR; (void) b;
1493 while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
1494 b = AT91C_BASE_SSC->SSC_RHR; (void) b;
1495
1496 // wait for the FPGA to signal fdt_indicator == 1 (the FPGA is ready to queue new data in its delay line)
1497 for (uint16_t j = 0; j < 5; j++) { // allow timeout - better late than never
1498 while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
1499 if (AT91C_BASE_SSC->SSC_RHR) break;
1500 }
1501
1502 LastTimeProxToAirStart = (GetCountSspClk() & 0xfffffff8) + (correctionNeeded?8:0);
1503
1504 // send cycle
1505 for (; i < respLen; ) {
1506 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1507 AT91C_BASE_SSC->SSC_THR = resp[i++];
1508 FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1509 }
1510
1511 if(BUTTON_PRESS()) {
1512 break;
1513 }
1514 }
1515
1516 LED_C_OFF();
1517 return 0;
1518 }
1519
1520
1521 int EmSend4bit(uint8_t resp){
1522 Code4bitAnswerAsTag(resp);
1523 int res = EmSendCmd14443aRaw(ToSend, ToSendMax);
1524 // Log this tag answer and fix timing of previous reader command:
1525 EmLogTraceTag(&resp, 1, NULL, LastProxToAirDuration);
1526 return res;
1527 }
1528
1529
1530 static int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, uint8_t *par){
1531 CodeIso14443aAsTagPar(resp, respLen, par);
1532 int res = EmSendCmd14443aRaw(ToSend, ToSendMax);
1533 // Log this tag answer and fix timing of previous reader command:
1534 EmLogTraceTag(resp, respLen, par, LastProxToAirDuration);
1535 return res;
1536 }
1537
1538
1539 int EmSendCmd(uint8_t *resp, uint16_t respLen){
1540 uint8_t par[MAX_PARITY_SIZE];
1541 GetParity(resp, respLen, par);
1542 return EmSendCmdExPar(resp, respLen, par);
1543 }
1544
1545
1546 int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par){
1547 return EmSendCmdExPar(resp, respLen, par);
1548 }
1549
1550
1551 int EmSendPrecompiledCmd(tag_response_info_t *response_info) {
1552 int ret = EmSendCmd14443aRaw(response_info->modulation, response_info->modulation_n);
1553 // Log this tag answer and fix timing of previous reader command:
1554 EmLogTraceTag(response_info->response, response_info->response_n, &(response_info->par), response_info->ProxToAirDuration);
1555 return ret;
1556 }
1557
1558
1559 //-----------------------------------------------------------------------------
1560 // Wait a certain time for tag response
1561 // If a response is captured return true
1562 // If it takes too long return false
1563 //-----------------------------------------------------------------------------
1564 static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receivedResponsePar, uint16_t offset) {
1565 uint32_t c;
1566
1567 // Set FPGA mode to "reader listen mode", no modulation (listen
1568 // only, since we are receiving, not transmitting).
1569 // Signal field is on with the appropriate LED
1570 LED_D_ON();
1571 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1572
1573 // Now get the answer from the card
1574 DemodInit(receivedResponse, receivedResponsePar);
1575
1576 // clear RXRDY:
1577 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1578
1579 c = 0;
1580 for (;;) {
1581 WDT_HIT();
1582
1583 if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1584 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1585 if (ManchesterDecoding(b, offset, 0)) {
1586 NextTransferTime = MAX(NextTransferTime, Demod.endTime - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/16 + FRAME_DELAY_TIME_PICC_TO_PCD);
1587 return true;
1588 } else if (c++ > iso14a_timeout && Demod.state == DEMOD_UNSYNCD) {
1589 return false;
1590 }
1591 }
1592 }
1593 }
1594
1595
1596 void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing) {
1597
1598 CodeIso14443aBitsAsReaderPar(frame, bits, par);
1599
1600 // Send command to tag
1601 TransmitFor14443a(ToSend, ToSendMax, timing);
1602 if (trigger)
1603 LED_A_ON();
1604
1605 // Log reader command in trace buffer
1606 LogTrace(frame, nbytes(bits), LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_READER, (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_READER, par, true);
1607 }
1608
1609
1610 void ReaderTransmitPar(uint8_t* frame, uint16_t len, uint8_t *par, uint32_t *timing) {
1611 ReaderTransmitBitsPar(frame, len*8, par, timing);
1612 }
1613
1614
1615 static void ReaderTransmitBits(uint8_t* frame, uint16_t len, uint32_t *timing) {
1616 // Generate parity and redirect
1617 uint8_t par[MAX_PARITY_SIZE];
1618 GetParity(frame, len/8, par);
1619 ReaderTransmitBitsPar(frame, len, par, timing);
1620 }
1621
1622
1623 void ReaderTransmit(uint8_t* frame, uint16_t len, uint32_t *timing) {
1624 // Generate parity and redirect
1625 uint8_t par[MAX_PARITY_SIZE];
1626 GetParity(frame, len, par);
1627 ReaderTransmitBitsPar(frame, len*8, par, timing);
1628 }
1629
1630
1631 static int ReaderReceiveOffset(uint8_t* receivedAnswer, uint16_t offset, uint8_t *parity) {
1632 if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, offset)) return false;
1633 LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, false);
1634 return Demod.len;
1635 }
1636
1637
1638 int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity) {
1639 if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, 0)) return false;
1640
1641 LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, false);
1642 return Demod.len;
1643 }
1644
1645
1646 static void iso14a_set_ATS_times(uint8_t *ats) {
1647
1648 uint8_t tb1;
1649 uint8_t fwi, sfgi;
1650 uint32_t fwt, sfgt;
1651
1652 if (ats[0] > 1) { // there is a format byte T0
1653 if ((ats[1] & 0x20) == 0x20) { // there is an interface byte TB(1)
1654 if ((ats[1] & 0x10) == 0x10) { // there is an interface byte TA(1) preceding TB(1)
1655 tb1 = ats[3];
1656 } else {
1657 tb1 = ats[2];
1658 }
1659 fwi = (tb1 & 0xf0) >> 4; // frame waiting time integer (FWI)
1660 if (fwi != 15) {
1661 fwt = 256 * 16 * (1 << fwi); // frame waiting time (FWT) in 1/fc
1662 iso14a_set_timeout(fwt/(8*16));
1663 }
1664 sfgi = tb1 & 0x0f; // startup frame guard time integer (SFGI)
1665 if (sfgi != 0 && sfgi != 15) {
1666 sfgt = 256 * 16 * (1 << sfgi); // startup frame guard time (SFGT) in 1/fc
1667 NextTransferTime = MAX(NextTransferTime, Demod.endTime + (sfgt - DELAY_AIR2ARM_AS_READER - DELAY_ARM2AIR_AS_READER)/16);
1668 }
1669 }
1670 }
1671 }
1672
1673
1674 static int GetATQA(uint8_t *resp, uint8_t *resp_par) {
1675
1676 #define WUPA_RETRY_TIMEOUT 10 // 10ms
1677 uint8_t wupa[] = {ISO14443A_CMD_WUPA}; // 0x26 - REQA 0x52 - WAKE-UP
1678
1679 uint32_t save_iso14a_timeout = iso14a_get_timeout();
1680 iso14a_set_timeout(1236/(16*8)+1); // response to WUPA is expected at exactly 1236/fc. No need to wait longer.
1681
1682 uint32_t start_time = GetTickCount();
1683 int len;
1684
1685 // we may need several tries if we did send an unknown command or a wrong authentication before...
1686 do {
1687 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1688 ReaderTransmitBitsPar(wupa, 7, NULL, NULL);
1689 // Receive the ATQA
1690 len = ReaderReceive(resp, resp_par);
1691 } while (len == 0 && GetTickCount() <= start_time + WUPA_RETRY_TIMEOUT);
1692
1693 iso14a_set_timeout(save_iso14a_timeout);
1694 return len;
1695 }
1696
1697
1698 // performs iso14443a anticollision (optional) and card select procedure
1699 // fills the uid and cuid pointer unless NULL
1700 // fills the card info record unless NULL
1701 // if anticollision is false, then the UID must be provided in uid_ptr[]
1702 // and num_cascades must be set (1: 4 Byte UID, 2: 7 Byte UID, 3: 10 Byte UID)
1703 // requests ATS unless no_rats is true
1704 int iso14443a_select_card(uint8_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades, bool no_rats) {
1705 uint8_t sel_all[] = { 0x93,0x20 };
1706 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
1707 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
1708 uint8_t resp[MAX_FRAME_SIZE]; // theoretically. A usual RATS will be much smaller
1709 uint8_t resp_par[MAX_PARITY_SIZE];
1710 uint8_t uid_resp[4];
1711 size_t uid_resp_len;
1712
1713 uint8_t sak = 0x04; // cascade uid
1714 int cascade_level = 0;
1715 int len;
1716
1717 // init card struct
1718 if (p_hi14a_card) {
1719 p_hi14a_card->uidlen = 0;
1720 memset(p_hi14a_card->uid, 0, 10);
1721 p_hi14a_card->ats_len = 0;
1722 }
1723
1724 if (!GetATQA(resp, resp_par)) {
1725 return 0;
1726 }
1727
1728 if (p_hi14a_card) {
1729 memcpy(p_hi14a_card->atqa, resp, 2);
1730 }
1731
1732 if (anticollision) {
1733 // clear uid
1734 if (uid_ptr) {
1735 memset(uid_ptr,0,10);
1736 }
1737 }
1738
1739 // check for proprietary anticollision:
1740 if ((resp[0] & 0x1F) == 0) {
1741 return 3;
1742 }
1743
1744 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
1745 // which case we need to make a cascade 2 request and select - this is a long UID
1746 // While the UID is not complete, the 3rd bit (from the right) is set in the SAK.
1747 for (; sak & 0x04; cascade_level++) {
1748 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1749 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1750
1751 if (anticollision) {
1752 // SELECT_ALL
1753 ReaderTransmit(sel_all, sizeof(sel_all), NULL);
1754 if (!ReaderReceive(resp, resp_par)) {
1755 return 0;
1756 }
1757
1758 if (Demod.collisionPos) { // we had a collision and need to construct the UID bit by bit
1759 memset(uid_resp, 0, 4);
1760 uint16_t uid_resp_bits = 0;
1761 uint16_t collision_answer_offset = 0;
1762 // anti-collision-loop:
1763 while (Demod.collisionPos) {
1764 Dbprintf("Multiple tags detected. Collision after Bit %d", Demod.collisionPos);
1765 for (uint16_t i = collision_answer_offset; i < Demod.collisionPos; i++, uid_resp_bits++) { // add valid UID bits before collision point
1766 uint16_t UIDbit = (resp[i/8] >> (i % 8)) & 0x01;
1767 uid_resp[uid_resp_bits / 8] |= UIDbit << (uid_resp_bits % 8);
1768 }
1769 uid_resp[uid_resp_bits/8] |= 1 << (uid_resp_bits % 8); // next time select the card(s) with a 1 in the collision position
1770 uid_resp_bits++;
1771 // construct anticollosion command:
1772 sel_uid[1] = ((2 + uid_resp_bits/8) << 4) | (uid_resp_bits & 0x07); // length of data in bytes and bits
1773 for (uint16_t i = 0; i <= uid_resp_bits/8; i++) {
1774 sel_uid[2+i] = uid_resp[i];
1775 }
1776 collision_answer_offset = uid_resp_bits%8;
1777 ReaderTransmitBits(sel_uid, 16 + uid_resp_bits, NULL);
1778 if (!ReaderReceiveOffset(resp, collision_answer_offset, resp_par)) {
1779 return 0;
1780 }
1781 }
1782 // finally, add the last bits and BCC of the UID
1783 for (uint16_t i = collision_answer_offset; i < (Demod.len-1)*8; i++, uid_resp_bits++) {
1784 uint16_t UIDbit = (resp[i/8] >> (i%8)) & 0x01;
1785 uid_resp[uid_resp_bits/8] |= UIDbit << (uid_resp_bits % 8);
1786 }
1787
1788 } else { // no collision, use the response to SELECT_ALL as current uid
1789 memcpy(uid_resp, resp, 4);
1790 }
1791 } else {
1792 if (cascade_level < num_cascades - 1) {
1793 uid_resp[0] = 0x88;
1794 memcpy(uid_resp+1, uid_ptr+cascade_level*3, 3);
1795 } else {
1796 memcpy(uid_resp, uid_ptr+cascade_level*3, 4);
1797 }
1798 }
1799 uid_resp_len = 4;
1800
1801 // calculate crypto UID. Always use last 4 Bytes.
1802 if(cuid_ptr) {
1803 *cuid_ptr = bytes_to_num(uid_resp, 4);
1804 }
1805
1806 // Construct SELECT UID command
1807 sel_uid[1] = 0x70; // transmitting a full UID (1 Byte cmd, 1 Byte NVB, 4 Byte UID, 1 Byte BCC, 2 Bytes CRC)
1808 memcpy(sel_uid+2, uid_resp, 4); // the UID received during anticollision, or the provided UID
1809 sel_uid[6] = sel_uid[2] ^ sel_uid[3] ^ sel_uid[4] ^ sel_uid[5]; // calculate and add BCC
1810 AppendCrc14443a(sel_uid, 7); // calculate and add CRC
1811 ReaderTransmit(sel_uid, sizeof(sel_uid), NULL);
1812
1813 // Receive the SAK
1814 if (!ReaderReceive(resp, resp_par)) {
1815 return 0;
1816 }
1817 sak = resp[0];
1818
1819 // Test if more parts of the uid are coming
1820 if ((sak & 0x04) /* && uid_resp[0] == 0x88 */) {
1821 // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
1822 // http://www.nxp.com/documents/application_note/AN10927.pdf
1823 uid_resp[0] = uid_resp[1];
1824 uid_resp[1] = uid_resp[2];
1825 uid_resp[2] = uid_resp[3];
1826 uid_resp_len = 3;
1827 }
1828
1829 if(uid_ptr && anticollision) {
1830 memcpy(uid_ptr + (cascade_level*3), uid_resp, uid_resp_len);
1831 }
1832
1833 if(p_hi14a_card) {
1834 memcpy(p_hi14a_card->uid + (cascade_level*3), uid_resp, uid_resp_len);
1835 p_hi14a_card->uidlen += uid_resp_len;
1836 }
1837 }
1838
1839 if(p_hi14a_card) {
1840 p_hi14a_card->sak = sak;
1841 }
1842
1843 // PICC compilant with iso14443a-4 ---> (SAK & 0x20 != 0)
1844 if( (sak & 0x20) == 0) return 2;
1845
1846 if (!no_rats) {
1847 // Request for answer to select
1848 AppendCrc14443a(rats, 2);
1849 ReaderTransmit(rats, sizeof(rats), NULL);
1850
1851 if (!(len = ReaderReceive(resp, resp_par))) {
1852 return 0;
1853 }
1854
1855 if(p_hi14a_card) {
1856 memcpy(p_hi14a_card->ats, resp, len);
1857 p_hi14a_card->ats_len = len;
1858 }
1859
1860 // reset the PCB block number
1861 iso14_pcb_blocknum = 0;
1862
1863 // set default timeout and delay next transfer based on ATS
1864 iso14a_set_ATS_times(resp);
1865
1866 }
1867 return 1;
1868 }
1869
1870
1871 void iso14443a_setup(uint8_t fpga_minor_mode) {
1872 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1873 // Set up the synchronous serial port
1874 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_ISO14443A);
1875 // connect Demodulated Signal to ADC:
1876 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1877
1878 // Signal field is on with the appropriate LED
1879 if (fpga_minor_mode == FPGA_HF_ISO14443A_READER_MOD
1880 || fpga_minor_mode == FPGA_HF_ISO14443A_READER_LISTEN) {
1881 LED_D_ON();
1882 } else {
1883 LED_D_OFF();
1884 }
1885 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | fpga_minor_mode);
1886
1887 // Set ADC to read field strength
1888 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
1889 AT91C_BASE_ADC->ADC_MR =
1890 ADC_MODE_PRESCALE(63) |
1891 ADC_MODE_STARTUP_TIME(1) |
1892 ADC_MODE_SAMPLE_HOLD_TIME(15);
1893 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF_LOW);
1894
1895 // Start the timer
1896 StartCountSspClk();
1897
1898 DemodReset();
1899 UartReset();
1900 LastTimeProxToAirStart = 0;
1901 FpgaSendQueueDelay = 0;
1902 LastProxToAirDuration = 20; // arbitrary small value. Avoid lock in EmGetCmd()
1903 NextTransferTime = 2*DELAY_ARM2AIR_AS_READER;
1904 iso14a_set_timeout(1060); // 10ms default
1905 }
1906
1907 /* Peter Fillmore 2015
1908 Added card id field to the function
1909 info from ISO14443A standard
1910 b1 = Block Number
1911 b2 = RFU (always 1)
1912 b3 = depends on block
1913 b4 = Card ID following if set to 1
1914 b5 = depends on block type
1915 b6 = depends on block type
1916 b7,b8 = block type.
1917 Coding of I-BLOCK:
1918 b8 b7 b6 b5 b4 b3 b2 b1
1919 0 0 0 x x x 1 x
1920 b5 = chaining bit
1921 Coding of R-block:
1922 b8 b7 b6 b5 b4 b3 b2 b1
1923 1 0 1 x x 0 1 x
1924 b5 = ACK/NACK
1925 Coding of S-block:
1926 b8 b7 b6 b5 b4 b3 b2 b1
1927 1 1 x x x 0 1 0
1928 b5,b6 = 00 - DESELECT
1929 11 - WTX
1930 */
1931 int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, bool send_chaining, void *data, uint8_t *res) {
1932 uint8_t parity[MAX_PARITY_SIZE];
1933 uint8_t real_cmd[cmd_len + 4];
1934
1935 if (cmd_len) {
1936 // ISO 14443 APDU frame: PCB [CID] [NAD] APDU CRC PCB=0x02
1937 real_cmd[0] = 0x02; // bnr,nad,cid,chn=0; i-block(0x00)
1938 if (send_chaining) {
1939 real_cmd[0] |= 0x10;
1940 }
1941 // put block number into the PCB
1942 real_cmd[0] |= iso14_pcb_blocknum;
1943 memcpy(real_cmd + 1, cmd, cmd_len);
1944 } else {
1945 // R-block. ACK
1946 real_cmd[0] = 0xA2; // r-block + ACK
1947 real_cmd[0] |= iso14_pcb_blocknum;
1948 }
1949 AppendCrc14443a(real_cmd, cmd_len + 1);
1950
1951 ReaderTransmit(real_cmd, cmd_len + 3, NULL);
1952
1953 size_t len = ReaderReceive(data, parity);
1954 uint8_t *data_bytes = (uint8_t *) data;
1955
1956 if (!len) {
1957 return 0; //DATA LINK ERROR
1958 } else {
1959 // S-Block WTX
1960 while (len && ((data_bytes[0] & 0xF2) == 0xF2)) {
1961 uint32_t save_iso14a_timeout = iso14a_get_timeout();
1962 // temporarily increase timeout
1963 iso14a_set_timeout(MAX((data_bytes[1] & 0x3f) * save_iso14a_timeout, MAX_ISO14A_TIMEOUT));
1964 // Transmit WTX back
1965 // byte1 - WTXM [1..59]. command FWT=FWT*WTXM
1966 data_bytes[1] = data_bytes[1] & 0x3f; // 2 high bits mandatory set to 0b
1967 // now need to fix CRC.
1968 AppendCrc14443a(data_bytes, len - 2);
1969 // transmit S-Block
1970 ReaderTransmit(data_bytes, len, NULL);
1971 // retrieve the result again (with increased timeout)
1972 len = ReaderReceive(data, parity);
1973 data_bytes = data;
1974 // restore timeout
1975 iso14a_set_timeout(save_iso14a_timeout);
1976 }
1977
1978 // if we received an I- or R(ACK)-Block with a block number equal to the
1979 // current block number, toggle the current block number
1980 if (len >= 3 // PCB+CRC = 3 bytes
1981 && ((data_bytes[0] & 0xC0) == 0 // I-Block
1982 || (data_bytes[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
1983 && (data_bytes[0] & 0x01) == iso14_pcb_blocknum) // equal block numbers
1984 {
1985 iso14_pcb_blocknum ^= 1;
1986 }
1987
1988 // if we received I-block with chaining we need to send ACK and receive another block of data
1989 if (res)
1990 *res = data_bytes[0];
1991
1992 // crc check
1993 if (len >= 3 && !CheckCrc14443(CRC_14443_A, data_bytes, len)) {
1994 return -1;
1995 }
1996
1997 }
1998
1999 if (len) {
2000 // cut frame byte
2001 len -= 1;
2002 // memmove(data_bytes, data_bytes + 1, len);
2003 for (int i = 0; i < len; i++)
2004 data_bytes[i] = data_bytes[i + 1];
2005 }
2006
2007 return len;
2008 }
2009
2010
2011 //-----------------------------------------------------------------------------
2012 // Read an ISO 14443a tag. Send out commands and store answers.
2013 //
2014 //-----------------------------------------------------------------------------
2015 void ReaderIso14443a(UsbCommand *c) {
2016
2017 iso14a_command_t param = c->arg[0];
2018 uint8_t *cmd = c->d.asBytes;
2019 size_t len = c->arg[1] & 0xffff;
2020 size_t lenbits = c->arg[1] >> 16;
2021 uint32_t timeout = c->arg[2];
2022 uint32_t arg0 = 0;
2023 uint8_t buf[USB_CMD_DATA_SIZE] = {0};
2024 uint8_t par[MAX_PARITY_SIZE];
2025 bool cantSELECT = false;
2026
2027 set_tracing(true);
2028
2029 if (param & ISO14A_CLEAR_TRACE) {
2030 clear_trace();
2031 }
2032
2033 if (param & ISO14A_REQUEST_TRIGGER) {
2034 iso14a_set_trigger(true);
2035 }
2036
2037 if (param & ISO14A_CONNECT) {
2038 LED_A_ON();
2039 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
2040 if(!(param & ISO14A_NO_SELECT)) {
2041 iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
2042 arg0 = iso14443a_select_card(NULL, card, NULL, true, 0, param & ISO14A_NO_RATS);
2043
2044 // if we cant select then we cant send data
2045 if (arg0 != 1 && arg0 != 2) {
2046 // 1 - all is OK with ATS, 2 - without ATS
2047 cantSELECT = true;
2048 }
2049 FpgaDisableTracing();
2050 LED_B_ON();
2051 cmd_send(CMD_NACK,arg0,card->uidlen,0,buf,sizeof(iso14a_card_select_t));
2052 LED_B_OFF();
2053 }
2054 }
2055
2056 if (param & ISO14A_SET_TIMEOUT) {
2057 iso14a_set_timeout(timeout);
2058 }
2059
2060 if (param & ISO14A_APDU && !cantSELECT) {
2061 uint8_t res;
2062 arg0 = iso14_apdu(cmd, len, (param & ISO14A_SEND_CHAINING), buf, &res);
2063 FpgaDisableTracing();
2064 LED_B_ON();
2065 cmd_send(CMD_ACK, arg0, res, 0, buf, sizeof(buf));
2066 LED_B_OFF();
2067 }
2068
2069 if (param & ISO14A_RAW && !cantSELECT) {
2070 if (param & ISO14A_APPEND_CRC) {
2071 if(param & ISO14A_TOPAZMODE) {
2072 AppendCrc14443b(cmd,len);
2073 } else {
2074 AppendCrc14443a(cmd,len);
2075 }
2076 len += 2;
2077 if (lenbits) lenbits += 16;
2078 }
2079 if (lenbits > 0) { // want to send a specific number of bits (e.g. short commands)
2080 if (param & ISO14A_TOPAZMODE) {
2081 int bits_to_send = lenbits;
2082 uint16_t i = 0;
2083 ReaderTransmitBitsPar(&cmd[i++], MIN(bits_to_send, 7), NULL, NULL); // first byte is always short (7bits) and no parity
2084 bits_to_send -= 7;
2085 while (bits_to_send > 0) {
2086 ReaderTransmitBitsPar(&cmd[i++], MIN(bits_to_send, 8), NULL, NULL); // following bytes are 8 bit and no parity
2087 bits_to_send -= 8;
2088 }
2089 } else {
2090 GetParity(cmd, lenbits/8, par);
2091 ReaderTransmitBitsPar(cmd, lenbits, par, NULL); // bytes are 8 bit with odd parity
2092 }
2093 } else { // want to send complete bytes only
2094 if (param & ISO14A_TOPAZMODE) {
2095 uint16_t i = 0;
2096 ReaderTransmitBitsPar(&cmd[i++], 7, NULL, NULL); // first byte: 7 bits, no paritiy
2097 while (i < len) {
2098 ReaderTransmitBitsPar(&cmd[i++], 8, NULL, NULL); // following bytes: 8 bits, no paritiy
2099 }
2100 } else {
2101 ReaderTransmit(cmd,len, NULL); // 8 bits, odd parity
2102 }
2103 }
2104 arg0 = ReaderReceive(buf, par);
2105 FpgaDisableTracing();
2106
2107 LED_B_ON();
2108 cmd_send(CMD_ACK, arg0, 0, 0, buf, sizeof(buf));
2109 LED_B_OFF();
2110 }
2111
2112 if (param & ISO14A_REQUEST_TRIGGER) {
2113 iso14a_set_trigger(false);
2114 }
2115
2116 if (param & ISO14A_NO_DISCONNECT) {
2117 return;
2118 }
2119
2120 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2121 LEDsoff();
2122 }
2123
2124
2125 // Determine the distance between two nonces.
2126 // Assume that the difference is small, but we don't know which is first.
2127 // Therefore try in alternating directions.
2128 static int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
2129
2130 uint16_t i;
2131 uint32_t nttmp1, nttmp2;
2132
2133 if (nt1 == nt2) return 0;
2134
2135 nttmp1 = nt1;
2136 nttmp2 = nt2;
2137
2138 for (i = 1; i < 32768; i++) {
2139 nttmp1 = prng_successor(nttmp1, 1);
2140 if (nttmp1 == nt2) return i;
2141 nttmp2 = prng_successor(nttmp2, 1);
2142 if (nttmp2 == nt1) return -i;
2143 }
2144
2145 return(-99999); // either nt1 or nt2 are invalid nonces
2146 }
2147
2148
2149 //-----------------------------------------------------------------------------
2150 // Recover several bits of the cypher stream. This implements (first stages of)
2151 // the algorithm described in "The Dark Side of Security by Obscurity and
2152 // Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
2153 // (article by Nicolas T. Courtois, 2009)
2154 //-----------------------------------------------------------------------------
2155 void ReaderMifare(bool first_try)
2156 {
2157 // Mifare AUTH
2158 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
2159 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
2160 static uint8_t mf_nr_ar3;
2161
2162 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
2163 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
2164
2165 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
2166
2167 // free eventually allocated BigBuf memory. We want all for tracing.
2168 BigBuf_free();
2169
2170 clear_trace();
2171 set_tracing(true);
2172
2173 uint8_t nt_diff = 0;
2174 uint8_t par[1] = {0}; // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
2175 static uint8_t par_low = 0;
2176 bool led_on = true;
2177 uint8_t uid[10] ={0};
2178 uint32_t cuid;
2179
2180 uint32_t nt = 0;
2181 uint32_t previous_nt = 0;
2182 static uint32_t nt_attacked = 0;
2183 uint8_t par_list[8] = {0x00};
2184 uint8_t ks_list[8] = {0x00};
2185
2186 #define PRNG_SEQUENCE_LENGTH (1 << 16);
2187 uint32_t sync_time = GetCountSspClk() & 0xfffffff8;
2188 static int32_t sync_cycles;
2189 int catch_up_cycles = 0;
2190 int last_catch_up = 0;
2191 uint16_t elapsed_prng_sequences;
2192 uint16_t consecutive_resyncs = 0;
2193 int isOK = 0;
2194
2195 if (first_try) {
2196 mf_nr_ar3 = 0;
2197 par[0] = par_low = 0;
2198 sync_cycles = PRNG_SEQUENCE_LENGTH; // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the tag nonces).
2199 nt_attacked = 0;
2200 }
2201 else {
2202 // we were unsuccessful on a previous call. Try another READER nonce (first 3 parity bits remain the same)
2203 mf_nr_ar3++;
2204 mf_nr_ar[3] = mf_nr_ar3;
2205 par[0] = par_low;
2206 }
2207
2208 LED_A_ON();
2209 LED_B_OFF();
2210 LED_C_OFF();
2211
2212
2213 #define MAX_UNEXPECTED_RANDOM 4 // maximum number of unexpected (i.e. real) random numbers when trying to sync. Then give up.
2214 #define MAX_SYNC_TRIES 32
2215 #define SYNC_TIME_BUFFER 16 // if there is only SYNC_TIME_BUFFER left before next planned sync, wait for next PRNG cycle
2216 #define NUM_DEBUG_INFOS 8 // per strategy
2217 #define MAX_STRATEGY 3
2218 uint16_t unexpected_random = 0;
2219 uint16_t sync_tries = 0;
2220 int16_t debug_info_nr = -1;
2221 uint16_t strategy = 0;
2222 int32_t debug_info[MAX_STRATEGY][NUM_DEBUG_INFOS];
2223 uint32_t select_time;
2224 uint32_t halt_time;
2225
2226 for (uint16_t i = 0; true; i++) {
2227
2228 LED_C_ON();
2229 WDT_HIT();
2230
2231 // Test if the action was cancelled
2232 if(BUTTON_PRESS()) {
2233 isOK = -1;
2234 break;
2235 }
2236
2237 if (strategy == 2) {
2238 // test with additional hlt command
2239 halt_time = 0;
2240 int len = mifare_sendcmd_short(NULL, false, 0x50, 0x00, receivedAnswer, receivedAnswerPar, &halt_time);
2241 if (len && MF_DBGLEVEL >= 3) {
2242 Dbprintf("Unexpected response of %d bytes to hlt command (additional debugging).", len);
2243 }
2244 }
2245
2246 if (strategy == 3) {
2247 // test with FPGA power off/on
2248 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2249 SpinDelay(200);
2250 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
2251 SpinDelay(100);
2252 }
2253
2254 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
2255 if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Can't select card");
2256 continue;
2257 }
2258 select_time = GetCountSspClk();
2259
2260 elapsed_prng_sequences = 1;
2261 if (debug_info_nr == -1) {
2262 sync_time = (sync_time & 0xfffffff8) + sync_cycles + catch_up_cycles;
2263 catch_up_cycles = 0;
2264
2265 // if we missed the sync time already or are about to miss it, advance to the next nonce repeat
2266 while(sync_time < GetCountSspClk() + SYNC_TIME_BUFFER) {
2267 elapsed_prng_sequences++;
2268 sync_time = (sync_time & 0xfffffff8) + sync_cycles;
2269 }
2270
2271 // Transmit MIFARE_CLASSIC_AUTH at synctime. Should result in returning the same tag nonce (== nt_attacked)
2272 ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);
2273 } else {
2274 // collect some information on tag nonces for debugging:
2275 #define DEBUG_FIXED_SYNC_CYCLES PRNG_SEQUENCE_LENGTH
2276 if (strategy == 0) {
2277 // nonce distances at fixed time after card select:
2278 sync_time = select_time + DEBUG_FIXED_SYNC_CYCLES;
2279 } else if (strategy == 1) {
2280 // nonce distances at fixed time between authentications:
2281 sync_time = sync_time + DEBUG_FIXED_SYNC_CYCLES;
2282 } else if (strategy == 2) {
2283 // nonce distances at fixed time after halt:
2284 sync_time = halt_time + DEBUG_FIXED_SYNC_CYCLES;
2285 } else {
2286 // nonce_distances at fixed time after power on
2287 sync_time = DEBUG_FIXED_SYNC_CYCLES;
2288 }
2289 ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);
2290 }
2291
2292 // Receive the (4 Byte) "random" nonce
2293 if (!ReaderReceive(receivedAnswer, receivedAnswerPar)) {
2294 if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Couldn't receive tag nonce");
2295 continue;
2296 }
2297
2298 previous_nt = nt;
2299 nt = bytes_to_num(receivedAnswer, 4);
2300
2301 // Transmit reader nonce with fake par
2302 ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par, NULL);
2303
2304 if (first_try && previous_nt && !nt_attacked) { // we didn't calibrate our clock yet
2305 int nt_distance = dist_nt(previous_nt, nt);
2306 if (nt_distance == 0) {
2307 nt_attacked = nt;
2308 } else {
2309 if (nt_distance == -99999) { // invalid nonce received
2310 unexpected_random++;
2311 if (unexpected_random > MAX_UNEXPECTED_RANDOM) {
2312 isOK = -3; // Card has an unpredictable PRNG. Give up
2313 break;
2314 } else {
2315 continue; // continue trying...
2316 }
2317 }
2318 if (++sync_tries > MAX_SYNC_TRIES) {
2319 if (strategy > MAX_STRATEGY || MF_DBGLEVEL < 3) {
2320 isOK = -4; // Card's PRNG runs at an unexpected frequency or resets unexpectedly
2321 break;
2322 } else { // continue for a while, just to collect some debug info
2323 debug_info[strategy][debug_info_nr] = nt_distance;
2324 debug_info_nr++;
2325 if (debug_info_nr == NUM_DEBUG_INFOS) {
2326 strategy++;
2327 debug_info_nr = 0;
2328 }
2329 continue;
2330 }
2331 }
2332 sync_cycles = (sync_cycles - nt_distance/elapsed_prng_sequences);
2333 if (sync_cycles <= 0) {
2334 sync_cycles += PRNG_SEQUENCE_LENGTH;
2335 }
2336 if (MF_DBGLEVEL >= 3) {
2337 Dbprintf("calibrating in cycle %d. nt_distance=%d, elapsed_prng_sequences=%d, new sync_cycles: %d\n", i, nt_distance, elapsed_prng_sequences, sync_cycles);
2338 }
2339 continue;
2340 }
2341 }
2342
2343 if ((nt != nt_attacked) && nt_attacked) { // we somehow lost sync. Try to catch up again...
2344 catch_up_cycles = -dist_nt(nt_attacked, nt);
2345 if (catch_up_cycles == 99999) { // invalid nonce received. Don't resync on that one.
2346 catch_up_cycles = 0;
2347 continue;
2348 }
2349 catch_up_cycles /= elapsed_prng_sequences;
2350 if (catch_up_cycles == last_catch_up) {
2351 consecutive_resyncs++;
2352 }
2353 else {
2354 last_catch_up = catch_up_cycles;
2355 consecutive_resyncs = 0;
2356 }
2357 if (consecutive_resyncs < 3) {
2358 if (MF_DBGLEVEL >= 3) Dbprintf("Lost sync in cycle %d. nt_distance=%d. Consecutive Resyncs = %d. Trying one time catch up...\n", i, -catch_up_cycles, consecutive_resyncs);
2359 }
2360 else {
2361 sync_cycles = sync_cycles + catch_up_cycles;
2362 if (MF_DBGLEVEL >= 3) Dbprintf("Lost sync in cycle %d for the fourth time consecutively (nt_distance = %d). Adjusting sync_cycles to %d.\n", i, -catch_up_cycles, sync_cycles);
2363 last_catch_up = 0;
2364 catch_up_cycles = 0;
2365 consecutive_resyncs = 0;
2366 }
2367 continue;
2368 }
2369
2370 consecutive_resyncs = 0;
2371
2372 // Receive answer. This will be a 4 Bit NACK when the 8 parity bits are OK after decoding
2373 if (ReaderReceive(receivedAnswer, receivedAnswerPar)) {
2374 catch_up_cycles = 8; // the PRNG is delayed by 8 cycles due to the NAC (4Bits = 0x05 encrypted) transfer
2375
2376 if (nt_diff == 0) {
2377 par_low = par[0] & 0xE0; // there is no need to check all parities for other nt_diff. Parity Bits for mf_nr_ar[0..2] won't change
2378 }
2379
2380 led_on = !led_on;
2381 if(led_on) LED_B_ON(); else LED_B_OFF();
2382
2383 par_list[nt_diff] = SwapBits(par[0], 8);
2384 ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
2385
2386 // Test if the information is complete
2387 if (nt_diff == 0x07) {
2388 isOK = 1;
2389 break;
2390 }
2391
2392 nt_diff = (nt_diff + 1) & 0x07;
2393 mf_nr_ar[3] = (mf_nr_ar[3] & 0x1F) | (nt_diff << 5);
2394 par[0] = par_low;
2395 } else {
2396 if (nt_diff == 0 && first_try)
2397 {
2398 par[0]++;
2399 if (par[0] == 0x00) { // tried all 256 possible parities without success. Card doesn't send NACK.
2400 isOK = -2;
2401 break;
2402 }
2403 } else {
2404 par[0] = ((par[0] & 0x1F) + 1) | par_low;
2405 }
2406 }
2407 }
2408
2409
2410 mf_nr_ar[3] &= 0x1F;
2411
2412 if (isOK == -4) {
2413 if (MF_DBGLEVEL >= 3) {
2414 for (uint16_t i = 0; i <= MAX_STRATEGY; i++) {
2415 for (uint16_t j = 0; j < NUM_DEBUG_INFOS; j++) {
2416 Dbprintf("collected debug info[%d][%d] = %d", i, j, debug_info[i][j]);
2417 }
2418 }
2419 }
2420 }
2421
2422 FpgaDisableTracing();
2423
2424 uint8_t buf[32];
2425 memcpy(buf + 0, uid, 4);
2426 num_to_bytes(nt, 4, buf + 4);
2427 memcpy(buf + 8, par_list, 8);
2428 memcpy(buf + 16, ks_list, 8);
2429 memcpy(buf + 24, mf_nr_ar, 8);
2430
2431 cmd_send(CMD_ACK, isOK, 0, 0, buf, 32);
2432
2433 // Thats it...
2434 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2435 LEDsoff();
2436
2437 set_tracing(false);
2438 }
2439
2440
2441 //-----------------------------------------------------------------------------
2442 // MIFARE sniffer.
2443 //
2444 //-----------------------------------------------------------------------------
2445 void RAMFUNC SniffMifare(uint8_t param) {
2446 // param:
2447 // bit 0 - trigger from first card answer
2448 // bit 1 - trigger from first reader 7-bit request
2449
2450 // C(red) A(yellow) B(green)
2451 LEDsoff();
2452 LED_A_ON();
2453
2454 // init trace buffer
2455 clear_trace();
2456 set_tracing(true);
2457
2458 // The command (reader -> tag) that we're receiving.
2459 // The length of a received command will in most cases be no more than 18 bytes.
2460 // So 32 should be enough!
2461 uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE];
2462 uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE];
2463 // The response (tag -> reader) that we're receiving.
2464 uint8_t receivedResponse[MAX_MIFARE_FRAME_SIZE];
2465 uint8_t receivedResponsePar[MAX_MIFARE_PARITY_SIZE];
2466
2467 iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
2468
2469 // free eventually allocated BigBuf memory
2470 BigBuf_free();
2471 // allocate the DMA buffer, used to stream samples from the FPGA
2472 uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
2473 uint8_t *data = dmaBuf;
2474 uint8_t previous_data = 0;
2475 int maxDataLen = 0;
2476 int dataLen = 0;
2477 bool ReaderIsActive = false;
2478 bool TagIsActive = false;
2479
2480 // Set up the demodulator for tag -> reader responses.
2481 DemodInit(receivedResponse, receivedResponsePar);
2482
2483 // Set up the demodulator for the reader -> tag commands
2484 UartInit(receivedCmd, receivedCmdPar);
2485
2486 // Setup for the DMA.
2487 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
2488
2489 // init sniffer
2490 MfSniffInit();
2491
2492 // And now we loop, receiving samples.
2493 for (uint32_t sniffCounter = 0; true; ) {
2494
2495 if(BUTTON_PRESS()) {
2496 DbpString("Canceled by button.");
2497 break;
2498 }
2499
2500 WDT_HIT();
2501
2502 if ((sniffCounter & 0x0000FFFF) == 0) { // from time to time
2503 // check if a transaction is completed (timeout after 2000ms).
2504 // if yes, stop the DMA transfer and send what we have so far to the client
2505 if (MfSniffSend(2000)) {
2506 // Reset everything - we missed some sniffed data anyway while the DMA was stopped
2507 sniffCounter = 0;
2508 data = dmaBuf;
2509 maxDataLen = 0;
2510 ReaderIsActive = false;
2511 TagIsActive = false;
2512 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
2513 }
2514 }
2515
2516 int register readBufDataP = data - dmaBuf; // number of bytes we have processed so far
2517 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR; // number of bytes already transferred
2518 if (readBufDataP <= dmaBufDataP){ // we are processing the same block of data which is currently being transferred
2519 dataLen = dmaBufDataP - readBufDataP; // number of bytes still to be processed
2520 } else {
2521 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP; // number of bytes still to be processed
2522 }
2523 // test for length of buffer
2524 if(dataLen > maxDataLen) { // we are more behind than ever...
2525 maxDataLen = dataLen;
2526 if(dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
2527 Dbprintf("blew circular buffer! dataLen=0x%x", dataLen);
2528 break;
2529 }
2530 }
2531 if(dataLen < 1) continue;
2532
2533 // primary buffer was stopped ( <-- we lost data!
2534 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
2535 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
2536 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
2537 Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
2538 }
2539 // secondary buffer sets as primary, secondary buffer was stopped
2540 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
2541 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
2542 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
2543 }
2544
2545 if (sniffCounter & 0x01) {
2546
2547 if(!TagIsActive) { // no need to try decoding tag data if the reader is sending
2548 uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
2549 if(MillerDecoding(readerdata, (sniffCounter-1)*4)) {
2550
2551 if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, true)) break;
2552
2553 /* And ready to receive another command. */
2554 UartInit(receivedCmd, receivedCmdPar);
2555
2556 /* And also reset the demod code */
2557 DemodReset();
2558 }
2559 ReaderIsActive = (Uart.state != STATE_UNSYNCD);
2560 }
2561
2562 if(!ReaderIsActive) { // no need to try decoding tag data if the reader is sending
2563 uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
2564 if(ManchesterDecoding(tagdata, 0, (sniffCounter-1)*4)) {
2565
2566 if (MfSniffLogic(receivedResponse, Demod.len, Demod.parity, Demod.bitCount, false)) break;
2567
2568 // And ready to receive another response.
2569 DemodReset();
2570 // And reset the Miller decoder including its (now outdated) input buffer
2571 UartInit(receivedCmd, receivedCmdPar);
2572 }
2573 TagIsActive = (Demod.state != DEMOD_UNSYNCD);
2574 }
2575 }
2576
2577 previous_data = *data;
2578 sniffCounter++;
2579 data++;
2580 if(data == dmaBuf + DMA_BUFFER_SIZE) {
2581 data = dmaBuf;
2582 }
2583
2584 } // main cycle
2585
2586 FpgaDisableTracing();
2587 FpgaDisableSscDma();
2588 LEDsoff();
2589
2590 DbpString("COMMAND FINISHED.");
2591
2592 MfSniffEnd();
2593
2594 Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.len=%x", maxDataLen, Uart.state, Uart.len);
2595 }
Proxmark3 GIT tracking
Impressum, Datenschutz