1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, Mar 2006
3 // Edits by Gerhard de Koning Gans, Sep 2007 (##)
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
8 //-----------------------------------------------------------------------------
9 // The main application code. This is the first thing called after start.c
11 //-----------------------------------------------------------------------------
17 #include "proxmark3.h"
24 #include "legicrfsim.h"
28 #include "iso14443b.h"
30 #include "lfsampling.h"
32 #include "mifareutil.h"
33 #include "mifaresim.h"
37 #include "fpgaloader.h"
// Bit set of optional hardware found on this board (HAS_* flags). Bits are
// only ever OR-ed in by set_hw_capabilities(); SendVersion() forwards the
// value to the client as an argument of its CMD_ACK.
static uint32_t hw_capabilities;
44 // Craig Young - 14a stand-alone code
46 #include "iso14443a.h"
49 //=============================================================================
50 // A buffer where we can queue things up to be sent through the FPGA, for
51 // any purpose (fake tag, as reader, whatever). We go MSB first, since that
52 // is the order in which they go out on the wire.
53 //=============================================================================
#define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
// Outgoing bit queue, MSB first, filled one bit at a time by ToSendStuffBit().
// NOTE(review): in ToSendStuffBit() the `ToSendMax >= sizeof(ToSend)` check
// appears to run after ToSend[ToSendMax] has already been written, so it
// reports an overflow rather than preventing the out-of-bounds write — confirm
// against the full function body.
uint8_t ToSend[TOSEND_BUFFER_SIZE];
// Parameter block pinned to the dedicated ".commonarea" linker section
// (presumably so another stage, e.g. the bootrom, can find it at a fixed
// address — confirm in the linker script). SendVersion() reads .arg1 from it.
struct common_area common_area __attribute__((section(".commonarea")));
61 void ToSendReset(void)
67 void ToSendStuffBit(int b
)
71 ToSend
[ToSendMax
] = 0;
76 ToSend
[ToSendMax
] |= (1 << (7 - ToSendBit
));
81 if(ToSendMax
>= sizeof(ToSend
)) {
83 DbpString("ToSendStuffBit overflowed!");
87 //=============================================================================
88 // Debug print functions, to go out over USB, to the usual PC-side client.
89 //=============================================================================
// Hand a NUL-terminated debug string to the PC client as a
// CMD_DEBUG_PRINT_STRING command; str is passed to cmd_send() as the payload.
void DbpString(char *str)
{
	// NOTE(review): len is a byte_t, so the strlen() result is narrowed to that
	// type's width (8 bits if byte_t is an unsigned char, as its name suggests).
	// A string of 256 or more characters would then be sent with a wrong length.
	byte_t len = strlen(str);
	cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t *)str,len);
}
// Send three integers to the PC client as a CMD_DEBUG_PRINT_INTEGERS command
// (they travel in the command's arg0..arg2; the payload is empty).
void DbpIntegers(int x1, int x2, int x3)
{
	const int values[3] = { x1, x2, x3 };
	cmd_send(CMD_DEBUG_PRINT_INTEGERS, values[0], values[1], values[2], 0, 0);
}
104 void Dbprintf(const char *fmt
, ...) {
105 // should probably limit size here; oh well, let's just use a big buffer
106 char output_string
[128];
110 kvsprintf(fmt
, output_string
, 10, ap
);
113 DbpString(output_string
);
116 // prints HEX & ASCII
117 void Dbhexdump(int len
, uint8_t *d
, bool bAsci
) {
130 if (ascii
[i
]<32 || ascii
[i
]>126) ascii
[i
]='.';
133 Dbprintf("%-8s %*D",ascii
,l
,d
," ");
135 Dbprintf("%*D",l
,d
," ");
143 //-----------------------------------------------------------------------------
144 // Read an ADC channel and block till it completes, then return the result
145 // in ADC units (0 to 1023). Also a routine to average 32 samples and
147 //-----------------------------------------------------------------------------
// Read one ADC channel, blocking until the conversion completes, and return
// the raw 10-bit result (0 to 1023). ch is not range-checked here; callers pass
// one of the ADC_CHAN_* constants.
static int ReadAdc(int ch)
{
	// Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
	// AMPL_HI is a high impedance (10MOhm || 1MOhm) output, the input capacitance of the ADC is 12pF (typical). This results in a time constant
	// of RC = (0.91MOhm) * 12pF = 10.9us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
	// If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
	// v_cap = v_in * (1 - exp(-SHTIM/RC)) = v_in * (1 - exp(-40us/10.9us)) = v_in * 0,97 (i.e. an error of 3%)

	// Reset (SWRST) the converter, then program the mode register from scratch
	// on every call; the three fields below determine the timings quoted.
	AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
	AT91C_BASE_ADC->ADC_MR =
		ADC_MODE_PRESCALE(63) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
		ADC_MODE_STARTUP_TIME(1) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
		ADC_MODE_SAMPLE_HOLD_TIME(15); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us

	// Enable the requested channel and start a conversion.
	AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
	AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;

	// Busy-wait for end-of-conversion on this channel. There is no timeout, so
	// a channel that never signals completion hangs the caller.
	while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch))) {};

	// Only the low 10 bits of the channel data register are the sample.
	return AT91C_BASE_ADC->ADC_CDR[ch] & 0x3ff;
}
173 int AvgAdc(int ch
) // was static - merlok
178 for(i
= 0; i
< 32; i
++) {
182 return (a
+ 15) >> 5;
// Averaged HF antenna voltage (mV), scaled from the 10-bit ADC reading.
// The low-range channel is read first; only when that reading sits within
// 300 mV of the channel's ceiling is the high-range channel (RDV40 only)
// sampled, and its value is preferred if it is at least as large.
static int AvgAdc_Voltage_HF(void)
{
	const int v_low = (MAX_ADC_HF_VOLTAGE_LOW * AvgAdc(ADC_CHAN_HF_LOW)) >> 10;

	// Comfortably inside the low channel's range: the second channel is not needed.
	if (v_low <= MAX_ADC_HF_VOLTAGE_LOW - 300) {
		return v_low;
	}

	const int v_high = (MAX_ADC_HF_VOLTAGE_HIGH * AvgAdc(ADC_CHAN_HF_HIGH)) >> 10;
	return (v_high >= v_low) ? v_high : v_low;
}
// Averaged LF antenna voltage (mV): scale the 10-bit averaged ADC reading to
// the channel's full-scale voltage.
static int AvgAdc_Voltage_LF(void)
{
	const int raw = AvgAdc(ADC_CHAN_LF);
	return (MAX_ADC_LF_VOLTAGE * raw) >> 10;
}
205 void MeasureAntennaTuningLfOnly(int *vLf125
, int *vLf134
, int *peakf
, int *peakv
, uint8_t LF_Results
[])
207 int i
, adcval
= 0, peak
= 0;
210 * Sweeps the useful LF range of the proxmark from
211 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
212 * reads the voltage in the antenna; the result left
213 * in the buffer is a graph which should clearly show
214 * the resonating frequency of your LF antenna
215 * ( hopefully around 95 if it is tuned to 125kHz!)
218 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
219 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC
| FPGA_LF_ADC_READER_FIELD
);
222 for (i
=255; i
>=19; i
--) {
224 FpgaSendCommand(FPGA_CMD_SET_DIVISOR
, i
);
226 adcval
= AvgAdc_Voltage_LF();
227 if (i
==95) *vLf125
= adcval
; // voltage at 125Khz
228 if (i
==89) *vLf134
= adcval
; // voltage at 134Khz
230 LF_Results
[i
] = adcval
>> 9; // scale int to fit in byte for graphing purposes
231 if(LF_Results
[i
] > peak
) {
233 peak
= LF_Results
[i
];
239 for (i
=18; i
>= 0; i
--) LF_Results
[i
] = 0;
244 void MeasureAntennaTuningHfOnly(int *vHf
)
246 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
248 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
249 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER
);
251 *vHf
= AvgAdc_Voltage_HF();
256 void MeasureAntennaTuning(int mode
)
258 uint8_t LF_Results
[256] = {0};
259 int peakv
= 0, peakf
= 0;
260 int vLf125
= 0, vLf134
= 0, vHf
= 0; // in mV
264 if (((mode
& FLAG_TUNE_ALL
) == FLAG_TUNE_ALL
) && (FpgaGetCurrent() == FPGA_BITSTREAM_HF
)) {
265 // Reverse "standard" order if HF already loaded, to avoid unnecessary swap.
266 MeasureAntennaTuningHfOnly(&vHf
);
267 MeasureAntennaTuningLfOnly(&vLf125
, &vLf134
, &peakf
, &peakv
, LF_Results
);
269 if (mode
& FLAG_TUNE_LF
) {
270 MeasureAntennaTuningLfOnly(&vLf125
, &vLf134
, &peakf
, &peakv
, LF_Results
);
272 if (mode
& FLAG_TUNE_HF
) {
273 MeasureAntennaTuningHfOnly(&vHf
);
277 cmd_send(CMD_MEASURED_ANTENNA_TUNING
, vLf125
>>1 | (vLf134
>>1<<16), vHf
, peakf
| (peakv
>>1<<16), LF_Results
, 256);
278 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
283 void MeasureAntennaTuningHf(void)
285 int vHf
= 0; // in mV
287 DbpString("Measuring HF antenna, press button to exit");
289 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
290 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
291 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER
);
295 vHf
= AvgAdc_Voltage_HF();
297 Dbprintf("%d mV",vHf
);
298 if (BUTTON_PRESS()) break;
300 DbpString("cancelled");
302 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
// Debug helper: print the 8 bytes starting at addr.
// addr arrives from the client and is used verbatim as a pointer; nothing here
// checks that it lies in mapped memory, so an unmapped address may fault the device.
void ReadMem(int addr)
{
	const uint8_t *p = (uint8_t *)addr;
	Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
		addr, p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
}
315 /* osimage version information is linked in */
316 extern struct version_information version_information
;
317 /* bootrom version information is pointed to from _bootphase1_version_pointer */
318 extern char *_bootphase1_version_pointer
, _flash_start
, _flash_end
, _bootrom_start
, _bootrom_end
, __data_src_start__
;
// Probe the optional hardware and OR the matching HAS_* bits into
// hw_capabilities. Bits are only ever set here, never cleared. Only the
// smartcard slot (I2C) has a real probe; the extra-flash test is still a TODO,
// so that flag is never set.
void set_hw_capabilities(void)
{
	const bool has_smartcard = I2C_is_available();
	if (has_smartcard) {
		hw_capabilities |= HAS_SMARTCARD_SLOT;
	}

	const bool has_extra_flash = false; // TODO: implement a test
	if (has_extra_flash) {
		hw_capabilities |= HAS_EXTRA_FLASH_MEM;
	}
}
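// Append src to the NUL-terminated buffer dst of size dst_size, truncating
// instead of overflowing (same bound as the strncat() idiom used before).
static void version_append(char *dst, size_t dst_size, const char *src)
{
	size_t used = strlen(dst);
	if (used + 1 >= dst_size) {
		return; // nothing can be appended without losing the terminator
	}
	strncat(dst, src, dst_size - used - 1);
}

// Report firmware identity to the client. Builds a human-readable version
// string (bootrom, OS, each FPGA bitstream, smartcard-slot presence) and sends
// it as a CMD_ACK with arg0 = chip ID (DBGU CIDR), arg1 = flash bytes used by
// the image (text+rodata plus common_area.arg1, which is treated as the
// compressed data section size) and arg2 = hw_capabilities.
void SendVersion(void)
{
	set_hw_capabilities();

	char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
	char VersionString[USB_CMD_DATA_SIZE] = { '\0' };

	/* Try to find the bootrom version information. Expect to find a pointer at
	 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
	 * pointer, then use it.
	 */
	char *bootrom_version = *(char**)&_bootphase1_version_pointer;
	if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
		// Pointer does not land inside flash: report it, do not dereference it.
		// Bounded append for consistency with every other write to VersionString.
		version_append(VersionString, sizeof(VersionString), "bootrom version information appears invalid\n");
	} else {
		FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
		version_append(VersionString, sizeof(VersionString), temp);
	}

	FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
	version_append(VersionString, sizeof(VersionString), temp);

	for (int i = 0; i < fpga_bitstream_num; i++) {
		version_append(VersionString, sizeof(VersionString), fpga_version_information[i]);
		version_append(VersionString, sizeof(VersionString), "\n");
	}

	// test availability of SmartCard slot
	if (I2C_is_available()) {
		version_append(VersionString, sizeof(VersionString), "SmartCard Slot: available\n");
	} else {
		version_append(VersionString, sizeof(VersionString), "SmartCard Slot: not available\n");
	}

	// Send Chip ID and used flash memory. The pointer-to-uint32_t casts assume a
	// 32-bit address space (the ARM target); the difference is the size of the
	// text+rodata region as laid out by the linker.
	uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
	uint32_t compressed_data_section_size = common_area.arg1;
	cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, hw_capabilities, VersionString, strlen(VersionString));
}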
373 // measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
374 // Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
375 void printUSBSpeed(void)
377 Dbprintf("USB Speed:");
378 Dbprintf(" Sending USB packets to client...");
380 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
381 uint8_t *test_data
= BigBuf_get_addr();
384 uint32_t start_time
= end_time
= GetTickCount();
385 uint32_t bytes_transferred
= 0;
388 while(end_time
< start_time
+ USB_SPEED_TEST_MIN_TIME
) {
389 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K
, 0, USB_CMD_DATA_SIZE
, 0, test_data
, USB_CMD_DATA_SIZE
);
390 end_time
= GetTickCount();
391 bytes_transferred
+= USB_CMD_DATA_SIZE
;
395 Dbprintf(" Time elapsed: %dms", end_time
- start_time
);
396 Dbprintf(" Bytes transferred: %d", bytes_transferred
);
397 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
398 1000 * bytes_transferred
/ (end_time
- start_time
));
403 * Prints runtime information about the PM3.
405 void SendStatus(void)
407 BigBuf_print_status();
409 #ifdef WITH_SMARTCARD
412 printConfig(); //LF Sampling config
415 Dbprintf(" MF_DBGLEVEL........%d", MF_DBGLEVEL
);
416 Dbprintf(" ToSendMax..........%d", ToSendMax
);
417 Dbprintf(" ToSendBit..........%d", ToSendBit
);
419 cmd_send(CMD_ACK
,1,0,0,0,0);
422 #if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF_StandAlone)
426 void StandAloneMode()
428 DbpString("Stand-alone mode! No PC necessary.");
429 // Oooh pretty -- notify user we're in elite samy mode now
431 LED(LED_ORANGE
, 200);
433 LED(LED_ORANGE
, 200);
435 LED(LED_ORANGE
, 200);
437 LED(LED_ORANGE
, 200);
446 #ifdef WITH_ISO14443a_StandAlone
447 void StandAloneMode14a()
450 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
453 bool playing
= false, GotoRecord
= false, GotoClone
= false;
454 bool cardRead
[OPTS
] = {false};
455 uint8_t readUID
[10] = {0};
456 uint32_t uid_1st
[OPTS
]={0};
457 uint32_t uid_2nd
[OPTS
]={0};
458 uint32_t uid_tmp1
= 0;
459 uint32_t uid_tmp2
= 0;
460 iso14a_card_select_t hi14a_card
[OPTS
];
462 LED(selected
+ 1, 0);
470 if (GotoRecord
|| !cardRead
[selected
])
474 LED(selected
+ 1, 0);
478 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected
);
479 /* need this delay to prevent catching some weird data */
481 /* Code for reading from 14a tag */
482 uint8_t uid
[10] ={0};
484 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD
);
489 if (BUTTON_PRESS()) {
490 if (cardRead
[selected
]) {
491 Dbprintf("Button press detected -- replaying card in bank[%d]", selected
);
494 else if (cardRead
[(selected
+1)%OPTS
]) {
495 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected
, (selected
+1)%OPTS
);
496 selected
= (selected
+1)%OPTS
;
500 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
504 if (!iso14443a_select_card(uid
, &hi14a_card
[selected
], &cuid
, true, 0, true))
508 Dbprintf("Read UID:"); Dbhexdump(10,uid
,0);
509 memcpy(readUID
,uid
,10*sizeof(uint8_t));
510 uint8_t *dst
= (uint8_t *)&uid_tmp1
;
511 // Set UID byte order
512 for (int i
=0; i
<4; i
++)
514 dst
= (uint8_t *)&uid_tmp2
;
515 for (int i
=0; i
<4; i
++)
517 if (uid_1st
[(selected
+1)%OPTS
] == uid_tmp1
&& uid_2nd
[(selected
+1)%OPTS
] == uid_tmp2
) {
518 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
522 Dbprintf("Bank[%d] received a 7-byte UID",selected
);
523 uid_1st
[selected
] = (uid_tmp1
)>>8;
524 uid_2nd
[selected
] = (uid_tmp1
<<24) + (uid_tmp2
>>8);
527 Dbprintf("Bank[%d] received a 4-byte UID",selected
);
528 uid_1st
[selected
] = uid_tmp1
;
529 uid_2nd
[selected
] = uid_tmp2
;
535 Dbprintf("ATQA = %02X%02X",hi14a_card
[selected
].atqa
[0],hi14a_card
[selected
].atqa
[1]);
536 Dbprintf("SAK = %02X",hi14a_card
[selected
].sak
);
539 LED(LED_ORANGE
, 200);
541 LED(LED_ORANGE
, 200);
544 LED(selected
+ 1, 0);
546 // Next state is replay:
549 cardRead
[selected
] = true;
551 /* MF Classic UID clone */
556 LED(selected
+ 1, 0);
557 LED(LED_ORANGE
, 250);
561 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected
, uid_1st
[selected
]);
563 // wait for button to be released
564 while(BUTTON_PRESS())
566 // Delay cloning until card is in place
569 Dbprintf("Starting clone. [Bank: %u]", selected
);
570 // need this delay to prevent catching some weird data
572 // Begin clone function here:
573 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
574 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}};
575 memcpy(c.d.asBytes, data, 16);
578 Block read is similar:
579 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}};
580 We need to imitate that call with blockNo 0 to set a uid.
582 The get and set commands are handled in this file:
583 // Work with "magic Chinese" card
584 case CMD_MIFARE_CSETBLOCK:
585 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
587 case CMD_MIFARE_CGETBLOCK:
588 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
591 mfCSetUID provides example logic for UID set workflow:
592 -Read block0 from card in field with MifareCGetBlock()
593 -Configure new values without replacing reserved bytes
594 memcpy(block0, uid, 4); // Copy UID bytes from byte array
596 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
597 Bytes 5-7 are reserved SAK and ATQA for mifare classic
598 -Use mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER) to write it
600 uint8_t oldBlock0
[16] = {0}, newBlock0
[16] = {0}, testBlock0
[16] = {0};
601 // arg0 = Flags == CSETBLOCK_SINGLE_OPER=0x1F, arg1=returnSlot, arg2=blockNo
602 MifareCGetBlock(0x3F, 1, 0, oldBlock0
);
603 if (oldBlock0
[0] == 0 && oldBlock0
[0] == oldBlock0
[1] && oldBlock0
[1] == oldBlock0
[2] && oldBlock0
[2] == oldBlock0
[3]) {
604 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected
);
608 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0
[0],oldBlock0
[1],oldBlock0
[2],oldBlock0
[3]);
609 memcpy(newBlock0
,oldBlock0
,16);
610 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
612 newBlock0
[0] = uid_1st
[selected
]>>24;
613 newBlock0
[1] = 0xFF & (uid_1st
[selected
]>>16);
614 newBlock0
[2] = 0xFF & (uid_1st
[selected
]>>8);
615 newBlock0
[3] = 0xFF & (uid_1st
[selected
]);
616 newBlock0
[4] = newBlock0
[0]^newBlock0
[1]^newBlock0
[2]^newBlock0
[3];
617 // arg0 = needWipe, arg1 = workFlags, arg2 = blockNo, datain
618 MifareCSetBlock(0, 0xFF,0, newBlock0
);
619 MifareCGetBlock(0x3F, 1, 0, testBlock0
);
620 if (memcmp(testBlock0
,newBlock0
,16)==0)
622 DbpString("Cloned successfull!");
623 cardRead
[selected
] = false; // Only if the card was cloned successfully should we clear it
626 selected
= (selected
+1) % OPTS
;
629 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected
);
634 LED(selected
+ 1, 0);
637 // Change where to record (or begin playing)
638 else if (playing
) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
641 LED(selected
+ 1, 0);
643 // Begin transmitting
645 DbpString("Playing");
648 int button_action
= BUTTON_HELD(1000);
649 if (button_action
== 0) { // No button action, proceed with sim
650 uint8_t data
[512] = {0}; // in case there is a read command received we shouldn't break
651 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st
[selected
],uid_2nd
[selected
],selected
);
652 if (hi14a_card
[selected
].sak
== 8 && hi14a_card
[selected
].atqa
[0] == 4 && hi14a_card
[selected
].atqa
[1] == 0) {
653 DbpString("Mifare Classic");
654 SimulateIso14443aTag(1,uid_1st
[selected
], uid_2nd
[selected
], data
); // Mifare Classic
656 else if (hi14a_card
[selected
].sak
== 0 && hi14a_card
[selected
].atqa
[0] == 0x44 && hi14a_card
[selected
].atqa
[1] == 0) {
657 DbpString("Mifare Ultralight");
658 SimulateIso14443aTag(2,uid_1st
[selected
],uid_2nd
[selected
],data
); // Mifare Ultralight
660 else if (hi14a_card
[selected
].sak
== 20 && hi14a_card
[selected
].atqa
[0] == 0x44 && hi14a_card
[selected
].atqa
[1] == 3) {
661 DbpString("Mifare DESFire");
662 SimulateIso14443aTag(3,uid_1st
[selected
],uid_2nd
[selected
],data
); // Mifare DESFire
665 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
666 SimulateIso14443aTag(1,uid_1st
[selected
], uid_2nd
[selected
], data
);
669 else if (button_action
== BUTTON_SINGLE_CLICK
) {
670 selected
= (selected
+ 1) % OPTS
;
671 Dbprintf("Done playing. Switching to record mode on bank %d",selected
);
675 else if (button_action
== BUTTON_HOLD
) {
676 Dbprintf("Playtime over. Begin cloning...");
683 /* We pressed a button so ignore it here with a delay */
686 LED(selected
+ 1, 0);
690 #elif WITH_LF_StandAlone
691 // samy's sniff and repeat routine
695 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
697 int tops
[OPTS
], high
[OPTS
], low
[OPTS
];
702 // Turn on selected LED
703 LED(selected
+ 1, 0);
710 // Was our button held down or pressed?
711 int button_pressed
= BUTTON_HELD(1000);
714 // Button was held for a second, begin recording
715 if (button_pressed
> 0 && cardRead
== 0)
718 LED(selected
+ 1, 0);
722 DbpString("Starting recording");
724 // wait for button to be released
725 while(BUTTON_PRESS())
728 /* need this delay to prevent catching some weird data */
731 CmdHIDdemodFSK(1, &tops
[selected
], &high
[selected
], &low
[selected
], 0);
732 if (tops
[selected
] > 0)
733 Dbprintf("Recorded %x %x%08x%08x", selected
, tops
[selected
], high
[selected
], low
[selected
]);
735 Dbprintf("Recorded %x %x%08x", selected
, high
[selected
], low
[selected
]);
738 LED(selected
+ 1, 0);
739 // Finished recording
741 // If we were previously playing, set playing off
742 // so next button push begins playing what we recorded
749 else if (button_pressed
> 0 && cardRead
== 1)
752 LED(selected
+ 1, 0);
756 if (tops
[selected
] > 0)
757 Dbprintf("Cloning %x %x%08x%08x", selected
, tops
[selected
], high
[selected
], low
[selected
]);
759 Dbprintf("Cloning %x %x%08x", selected
, high
[selected
], low
[selected
]);
761 // wait for button to be released
762 while(BUTTON_PRESS())
765 /* need this delay to prevent catching some weird data */
768 CopyHIDtoT55x7(tops
[selected
] & 0x000FFFFF, high
[selected
], low
[selected
], (tops
[selected
] != 0 && ((high
[selected
]& 0xFFFFFFC0) != 0)), 0x1D);
769 if (tops
[selected
] > 0)
770 Dbprintf("Cloned %x %x%08x%08x", selected
, tops
[selected
], high
[selected
], low
[selected
]);
772 Dbprintf("Cloned %x %x%08x", selected
, high
[selected
], low
[selected
]);
775 LED(selected
+ 1, 0);
776 // Finished recording
778 // If we were previously playing, set playing off
779 // so next button push begins playing what we recorded
786 // Change where to record (or begin playing)
787 else if (button_pressed
)
789 // Next option if we were previously playing
791 selected
= (selected
+ 1) % OPTS
;
795 LED(selected
+ 1, 0);
797 // Begin transmitting
801 DbpString("Playing");
802 // wait for button to be released
803 while(BUTTON_PRESS())
805 if (tops
[selected
] > 0)
806 Dbprintf("%x %x%08x%08x", selected
, tops
[selected
], high
[selected
], low
[selected
]);
808 Dbprintf("%x %x%08x", selected
, high
[selected
], low
[selected
]);
810 CmdHIDsimTAG(tops
[selected
], high
[selected
], low
[selected
], 0);
811 DbpString("Done playing");
812 if (BUTTON_HELD(1000) > 0)
814 DbpString("Exiting");
819 /* We pressed a button so ignore it here with a delay */
822 // when done, we're done playing, move to next option
823 selected
= (selected
+ 1) % OPTS
;
826 LED(selected
+ 1, 0);
829 while(BUTTON_PRESS())
838 Listen and detect an external reader. Determine the best location
842 Inside the ListenReaderField() function, there are two modes.
843 By default, when you call the function, you will enter mode 1.
844 If you press the PM3 button one time, you will enter mode 2.
845 If you press the PM3 button a second time, you will exit the function.
847 DESCRIPTION OF MODE 1:
848 This mode just listens for an external reader field and lights up green
849 for HF and/or red for LF. This is the original mode of the detectreader
852 DESCRIPTION OF MODE 2:
853 This mode will visually represent, using the LEDs, the actual strength of the
854 current compared to the maximum current detected. Basically, once you know
855 what kind of external reader is present, it will help you spot the best location to place
856 your antenna. You will probably not get good results if there are both an LF and an HF reader
857 at the same place! :-)
// LED pattern for each field-strength step in ListenReaderField() mode 2.
// Bit 0 -> LED C, bit 1 -> LED A, bit 2 -> LED B, bit 3 -> LED D (see the
// LIGHT_SCHEME[i] & 0x1/0x2/0x4/0x8 tests in ListenReaderField()).
static const char LIGHT_SCHEME[] = {
	0x0,             /* ---- | No field detected */
	0x1,             /* X--- | 14% of maximum current detected */
	0x2,             /* -X-- | 29% of maximum current detected */
	0x4,             /* --X- | 43% of maximum current detected */
	0x8,             /* ---X | 57% of maximum current detected */
	0x8 | 0x4,       /* --XX | 71% of maximum current detected */
	0x8 | 0x4 | 0x2, /* -XXX | 86% of maximum current detected */
	0x8 | 0x4 | 0x2 | 0x1, /* XXXX | 100% of maximum current detected */
};
// Number of steps in the table; the field strength is quantised to this many bins.
static const int LIGHT_LEN = (int)(sizeof LIGHT_SCHEME / sizeof *LIGHT_SCHEME);
873 void ListenReaderField(int limit
)
875 int lf_av
, lf_av_new
=0, lf_baseline
= 0, lf_max
;
876 int hf_av
, hf_av_new
=0, hf_baseline
= 0, hf_max
;
877 int mode
=1, display_val
, display_max
, i
;
881 #define REPORT_CHANGE_PERCENT 5 // report new values only if they have changed at least by REPORT_CHANGE_PERCENT
882 #define MIN_HF_FIELD 300 // in mode 1 signal HF field greater than MIN_HF_FIELD above baseline
883 #define MIN_LF_FIELD 1200 // in mode 1 signal LF field greater than MIN_LF_FIELD above baseline
886 // switch off FPGA - we don't want to measure our own signal
887 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
888 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
892 lf_av
= lf_max
= AvgAdc_Voltage_LF();
894 if(limit
!= HF_ONLY
) {
895 Dbprintf("LF 125/134kHz Baseline: %dmV", lf_av
);
899 hf_av
= hf_max
= AvgAdc_Voltage_HF();
901 if (limit
!= LF_ONLY
) {
902 Dbprintf("HF 13.56MHz Baseline: %dmV", hf_av
);
908 if (BUTTON_PRESS()) {
912 DbpString("Signal Strength Mode");
916 DbpString("Stopped");
921 while (BUTTON_PRESS());
925 if (limit
!= HF_ONLY
) {
927 if (lf_av
- lf_baseline
> MIN_LF_FIELD
)
933 lf_av_new
= AvgAdc_Voltage_LF();
934 // see if there's a significant change
935 if (ABS((lf_av
- lf_av_new
)*100/(lf_av
?lf_av
:1)) > REPORT_CHANGE_PERCENT
) {
936 Dbprintf("LF 125/134kHz Field Change: %5dmV", lf_av_new
);
943 if (limit
!= LF_ONLY
) {
945 if (hf_av
- hf_baseline
> MIN_HF_FIELD
)
951 hf_av_new
= AvgAdc_Voltage_HF();
953 // see if there's a significant change
954 if (ABS((hf_av
- hf_av_new
)*100/(hf_av
?hf_av
:1)) > REPORT_CHANGE_PERCENT
) {
955 Dbprintf("HF 13.56MHz Field Change: %5dmV", hf_av_new
);
963 if (limit
== LF_ONLY
) {
965 display_max
= lf_max
;
966 } else if (limit
== HF_ONLY
) {
968 display_max
= hf_max
;
969 } else { /* Pick one at random */
970 if( (hf_max
- hf_baseline
) > (lf_max
- lf_baseline
) ) {
972 display_max
= hf_max
;
975 display_max
= lf_max
;
978 for (i
=0; i
<LIGHT_LEN
; i
++) {
979 if (display_val
>= ((display_max
/LIGHT_LEN
)*i
) && display_val
<= ((display_max
/LIGHT_LEN
)*(i
+1))) {
980 if (LIGHT_SCHEME
[i
] & 0x1) LED_C_ON(); else LED_C_OFF();
981 if (LIGHT_SCHEME
[i
] & 0x2) LED_A_ON(); else LED_A_OFF();
982 if (LIGHT_SCHEME
[i
] & 0x4) LED_B_ON(); else LED_B_OFF();
983 if (LIGHT_SCHEME
[i
] & 0x8) LED_D_ON(); else LED_D_OFF();
991 void UsbPacketReceived(uint8_t *packet
, int len
)
993 UsbCommand
*c
= (UsbCommand
*)packet
;
995 // Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
999 case CMD_SET_LF_SAMPLING_CONFIG
:
1000 setSamplingConfig((sample_config
*) c
->d
.asBytes
);
1002 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K
:
1003 cmd_send(CMD_ACK
,SampleLF(c
->arg
[0], c
->arg
[1]),0,0,0,0);
1005 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K
:
1006 ModThenAcquireRawAdcSamples125k(c
->arg
[0],c
->arg
[1],c
->arg
[2],c
->d
.asBytes
);
1008 case CMD_LF_SNOOP_RAW_ADC_SAMPLES
:
1009 cmd_send(CMD_ACK
,SnoopLF(),0,0,0,0);
1011 case CMD_HID_DEMOD_FSK
:
1012 CmdHIDdemodFSK(c
->arg
[0], 0, 0, 0, 1);
1014 case CMD_HID_SIM_TAG
:
1015 CmdHIDsimTAG(c
->arg
[0], c
->arg
[1], c
->arg
[2], 1);
1017 case CMD_FSK_SIM_TAG
:
1018 CmdFSKsimTAG(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1020 case CMD_ASK_SIM_TAG
:
1021 CmdASKsimTag(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1023 case CMD_PSK_SIM_TAG
:
1024 CmdPSKsimTag(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1026 case CMD_HID_CLONE_TAG
:
1027 CopyHIDtoT55x7(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
[0], 0x1D);
1029 case CMD_PARADOX_CLONE_TAG
:
1030 // Paradox cards are the same as HID, with a different preamble, so we can reuse the same function
1031 CopyHIDtoT55x7(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
[0], 0x0F);
1033 case CMD_IO_DEMOD_FSK
:
1034 CmdIOdemodFSK(c
->arg
[0], 0, 0, 1);
1036 case CMD_IO_CLONE_TAG
:
1037 CopyIOtoT55x7(c
->arg
[0], c
->arg
[1]);
1039 case CMD_EM410X_DEMOD
:
1040 CmdEM410xdemod(c
->arg
[0], 0, 0, 1);
1042 case CMD_EM410X_WRITE_TAG
:
1043 WriteEM410x(c
->arg
[0], c
->arg
[1], c
->arg
[2]);
1045 case CMD_READ_TI_TYPE
:
1048 case CMD_WRITE_TI_TYPE
:
1049 WriteTItag(c
->arg
[0],c
->arg
[1],c
->arg
[2]);
1051 case CMD_SIMULATE_TAG_125K
:
1053 SimulateTagLowFrequency(c
->arg
[0], c
->arg
[1], 1);
1056 case CMD_LF_SIMULATE_BIDIR
:
1057 SimulateTagLowFrequencyBidir(c
->arg
[0], c
->arg
[1]);
1059 case CMD_INDALA_CLONE_TAG
:
1060 CopyIndala64toT55x7(c
->arg
[0], c
->arg
[1]);
1062 case CMD_INDALA_CLONE_TAG_L
:
1063 CopyIndala224toT55x7(c
->d
.asDwords
[0], c
->d
.asDwords
[1], c
->d
.asDwords
[2], c
->d
.asDwords
[3], c
->d
.asDwords
[4], c
->d
.asDwords
[5], c
->d
.asDwords
[6]);
1065 case CMD_T55XX_READ_BLOCK
:
1066 T55xxReadBlock(c
->arg
[0], c
->arg
[1], c
->arg
[2]);
1068 case CMD_T55XX_WRITE_BLOCK
:
1069 T55xxWriteBlock(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
[0]);
1071 case CMD_T55XX_WAKEUP
:
1072 T55xxWakeUp(c
->arg
[0]);
1074 case CMD_T55XX_RESET_READ
:
1077 case CMD_PCF7931_READ
:
1080 case CMD_PCF7931_WRITE
:
1081 WritePCF7931(c
->d
.asBytes
[0],c
->d
.asBytes
[1],c
->d
.asBytes
[2],c
->d
.asBytes
[3],c
->d
.asBytes
[4],c
->d
.asBytes
[5],c
->d
.asBytes
[6], c
->d
.asBytes
[9], c
->d
.asBytes
[7]-128,c
->d
.asBytes
[8]-128, c
->arg
[0], c
->arg
[1], c
->arg
[2]);
1083 case CMD_PCF7931_BRUTEFORCE
:
1084 BruteForcePCF7931(c
->arg
[0], (c
->arg
[1] & 0xFF), c
->d
.asBytes
[9], c
->d
.asBytes
[7]-128,c
->d
.asBytes
[8]-128);
1086 case CMD_EM4X_READ_WORD
:
1087 EM4xReadWord(c
->arg
[0], c
->arg
[1],c
->arg
[2]);
1089 case CMD_EM4X_WRITE_WORD
:
1090 EM4xWriteWord(c
->arg
[0], c
->arg
[1], c
->arg
[2]);
1092 case CMD_EM4X_PROTECT
:
1093 EM4xProtect(c
->arg
[0], c
->arg
[1], c
->arg
[2]);
1095 case CMD_AWID_DEMOD_FSK
: // Set realtime AWID demodulation
1096 CmdAWIDdemodFSK(c
->arg
[0], 0, 0, 1);
1098 case CMD_VIKING_CLONE_TAG
:
1099 CopyVikingtoT55xx(c
->arg
[0], c
->arg
[1], c
->arg
[2]);
1107 case CMD_SNOOP_HITAG
: // Eavesdrop Hitag tag, args = type
1108 SnoopHitag(c
->arg
[0]);
1110 case CMD_SIMULATE_HITAG
: // Simulate Hitag tag, args = memory content
1111 SimulateHitagTag((bool)c
->arg
[0],(byte_t
*)c
->d
.asBytes
);
1113 case CMD_READER_HITAG
: // Reader for Hitag tags, args = type and function
1114 ReaderHitag((hitag_function
)c
->arg
[0],(hitag_data
*)c
->d
.asBytes
);
1116 case CMD_SIMULATE_HITAG_S
:// Simulate Hitag s tag, args = memory content
1117 SimulateHitagSTag((bool)c
->arg
[0],(byte_t
*)c
->d
.asBytes
);
1119 case CMD_TEST_HITAGS_TRACES
:// Tests every challenge within the given file
1120 check_challenges_cmd((bool)c
->arg
[0], (byte_t
*)c
->d
.asBytes
, (uint8_t)c
->arg
[1]);
1122 case CMD_READ_HITAG_S
://Reader for only Hitag S tags, args = key or challenge
1123 ReadHitagSCmd((hitag_function
)c
->arg
[0], (hitag_data
*)c
->d
.asBytes
, (uint8_t)c
->arg
[1], (uint8_t)c
->arg
[2], false);
1125 case CMD_READ_HITAG_S_BLK
:
1126 ReadHitagSCmd((hitag_function
)c
->arg
[0], (hitag_data
*)c
->d
.asBytes
, (uint8_t)c
->arg
[1], (uint8_t)c
->arg
[2], true);
1128 case CMD_WR_HITAG_S
://writer for Hitag tags args=data to write,page and key or challenge
1129 if ((hitag_function
)c
->arg
[0] < 10) {
1130 WritePageHitagS((hitag_function
)c
->arg
[0],(hitag_data
*)c
->d
.asBytes
,c
->arg
[2]);
1132 else if ((hitag_function
)c
->arg
[0] >= 10) {
1133 WriterHitag((hitag_function
)c
->arg
[0],(hitag_data
*)c
->d
.asBytes
, c
->arg
[2]);
1138 #ifdef WITH_ISO15693
1139 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693
:
1140 AcquireRawAdcSamplesIso15693();
1143 case CMD_SNOOP_ISO_15693
:
1147 case CMD_ISO_15693_COMMAND
:
1148 DirectTag15693Command(c
->arg
[0],c
->arg
[1],c
->arg
[2],c
->d
.asBytes
);
1151 case CMD_ISO_15693_FIND_AFI
:
1152 BruteforceIso15693Afi(c
->arg
[0]);
1155 case CMD_ISO_15693_DEBUG
:
1156 SetDebugIso15693(c
->arg
[0]);
1159 case CMD_READER_ISO_15693
:
1160 ReaderIso15693(c
->arg
[0]);
1163 case CMD_SIMTAG_ISO_15693
:
1164 SimTagIso15693(c
->arg
[0], c
->d
.asBytes
);
1167 case CMD_CSETUID_ISO_15693
:
1168 SetTag15693Uid(c
->d
.asBytes
);
1173 case CMD_SIMULATE_TAG_LEGIC_RF
:
1174 LegicRfSimulate(c
->arg
[0]);
1177 case CMD_WRITER_LEGIC_RF
:
1178 LegicRfWriter(c
->arg
[1], c
->arg
[0]);
1181 case CMD_READER_LEGIC_RF
:
1182 LegicRfReader(c
->arg
[0], c
->arg
[1]);
1186 #ifdef WITH_ISO14443b
1187 case CMD_READ_SRI512_TAG
:
1188 ReadSTMemoryIso14443b(0x0F);
1190 case CMD_READ_SRIX4K_TAG
:
1191 ReadSTMemoryIso14443b(0x7F);
1193 case CMD_SNOOP_ISO_14443B
:
1196 case CMD_SIMULATE_TAG_ISO_14443B
:
1197 SimulateIso14443bTag();
1199 case CMD_ISO_14443B_COMMAND
:
1200 SendRawCommand14443B(c
->arg
[0],c
->arg
[1],c
->arg
[2],c
->d
.asBytes
);
1204 #ifdef WITH_ISO14443a
1205 case CMD_SNOOP_ISO_14443a
:
1206 SnoopIso14443a(c
->arg
[0]);
1208 case CMD_READER_ISO_14443a
:
1211 case CMD_SIMULATE_TAG_ISO_14443a
:
1212 SimulateIso14443aTag(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
); // ## Simulate iso14443a tag - pass tag type & UID
1215 case CMD_EPA_PACE_COLLECT_NONCE
:
1216 EPA_PACE_Collect_Nonce(c
);
1218 case CMD_EPA_PACE_REPLAY
:
1222 case CMD_READER_MIFARE
:
1223 ReaderMifare(c
->arg
[0]);
1225 case CMD_MIFARE_READBL
:
1226 MifareReadBlock(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1228 case CMD_MIFAREU_READBL
:
1229 MifareUReadBlock(c
->arg
[0],c
->arg
[1], c
->d
.asBytes
);
1231 case CMD_MIFAREUC_AUTH
:
1232 MifareUC_Auth(c
->arg
[0],c
->d
.asBytes
);
1234 case CMD_MIFAREU_READCARD
:
1235 MifareUReadCard(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1237 case CMD_MIFAREUC_SETPWD
:
1238 MifareUSetPwd(c
->arg
[0], c
->d
.asBytes
);
1240 case CMD_MIFARE_READSC
:
1241 MifareReadSector(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1243 case CMD_MIFARE_WRITEBL
:
1244 MifareWriteBlock(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1246 //case CMD_MIFAREU_WRITEBL_COMPAT:
1247 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1249 case CMD_MIFAREU_WRITEBL
:
1250 MifareUWriteBlock(c
->arg
[0], c
->arg
[1], c
->d
.asBytes
);
1252 case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES
:
1253 MifareAcquireEncryptedNonces(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1255 case CMD_MIFARE_NESTED
:
1256 MifareNested(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1258 case CMD_MIFARE_CHKKEYS
:
1259 MifareChkKeys(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1261 case CMD_SIMULATE_MIFARE_CARD
:
1262 MifareSim(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1266 case CMD_MIFARE_SET_DBGMODE
:
1267 MifareSetDbgLvl(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1269 case CMD_MIFARE_EML_MEMCLR
:
1270 MifareEMemClr(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1272 case CMD_MIFARE_EML_MEMSET
:
1273 MifareEMemSet(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1275 case CMD_MIFARE_EML_MEMGET
:
1276 MifareEMemGet(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1278 case CMD_MIFARE_EML_CARDLOAD
:
1279 MifareECardLoad(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1282 // Work with "magic Chinese" card
1283 case CMD_MIFARE_CWIPE
:
1284 MifareCWipe(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1286 case CMD_MIFARE_CSETBLOCK
:
1287 MifareCSetBlock(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1289 case CMD_MIFARE_CGETBLOCK
:
1290 MifareCGetBlock(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1292 case CMD_MIFARE_CIDENT
:
1297 case CMD_MIFARE_SNIFFER
:
1298 SniffMifare(c
->arg
[0]);
1304 // Makes use of ISO14443a FPGA Firmware
1305 case CMD_SNOOP_ICLASS
:
1308 case CMD_SIMULATE_TAG_ICLASS
:
1309 SimulateIClass(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
1311 case CMD_READER_ICLASS
:
1312 ReaderIClass(c
->arg
[0]);
1314 case CMD_READER_ICLASS_REPLAY
:
1315 ReaderIClass_Replay(c
->arg
[0], c
->d
.asBytes
);
1317 case CMD_ICLASS_EML_MEMSET
:
1318 emlSet(c
->d
.asBytes
,c
->arg
[0], c
->arg
[1]);
1320 case CMD_ICLASS_WRITEBLOCK
:
1321 iClass_WriteBlock(c
->arg
[0], c
->d
.asBytes
);
1323 case CMD_ICLASS_READCHECK
: // auth step 1
1324 iClass_ReadCheck(c
->arg
[0], c
->arg
[1]);
1326 case CMD_ICLASS_READBLOCK
:
1327 iClass_ReadBlk(c
->arg
[0]);
1329 case CMD_ICLASS_AUTHENTICATION
: //check
1330 iClass_Authentication(c
->d
.asBytes
);
1332 case CMD_ICLASS_DUMP
:
1333 iClass_Dump(c
->arg
[0], c
->arg
[1]);
1335 case CMD_ICLASS_CLONE
:
1336 iClass_Clone(c
->arg
[0], c
->arg
[1], c
->d
.asBytes
);
1341 case CMD_HF_SNIFFER
:
1342 HfSnoop(c
->arg
[0], c
->arg
[1]);
1349 #ifdef WITH_SMARTCARD
1350 case CMD_SMART_ATR
: {
1354 case CMD_SMART_SETCLOCK
:{
1355 SmartCardSetClock(c
->arg
[0]);
1358 case CMD_SMART_RAW
: {
1359 SmartCardRaw(c
->arg
[0], c
->arg
[1], c
->d
.asBytes
);
1362 case CMD_SMART_UPLOAD
: {
1363 // upload file from client
1364 uint8_t *mem
= BigBuf_get_addr();
1365 memcpy( mem
+ c
->arg
[0], c
->d
.asBytes
, USB_CMD_DATA_SIZE
);
1366 cmd_send(CMD_ACK
,1,0,0,0,0);
1369 case CMD_SMART_UPGRADE
: {
1370 SmartCardUpgrade(c
->arg
[0]);
1375 case CMD_BUFF_CLEAR
:
1379 case CMD_MEASURE_ANTENNA_TUNING
:
1380 MeasureAntennaTuning(c
->arg
[0]);
1383 case CMD_MEASURE_ANTENNA_TUNING_HF
:
1384 MeasureAntennaTuningHf();
1387 case CMD_LISTEN_READER_FIELD
:
1388 ListenReaderField(c
->arg
[0]);
1391 case CMD_FPGA_MAJOR_MODE_OFF
: // ## FPGA Control
1392 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1394 LED_D_OFF(); // LED D indicates field ON or OFF
1397 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K
:
1399 uint8_t *BigBuf
= BigBuf_get_addr();
1400 for(size_t i
=0; i
<c
->arg
[1]; i
+= USB_CMD_DATA_SIZE
) {
1401 size_t len
= MIN((c
->arg
[1] - i
),USB_CMD_DATA_SIZE
);
1402 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K
,i
,len
,BigBuf_get_traceLen(),BigBuf
+c
->arg
[0]+i
,len
);
1404 // Trigger a finish downloading signal with an ACK frame
1405 cmd_send(CMD_ACK
,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config
));
1409 case CMD_DOWNLOADED_SIM_SAMPLES_125K
: {
1410 // iceman; since changing fpga_bitstreams clears bigbuff, Its better to call it before.
1411 // to be able to use this one for uploading data to device
1412 // arg1 = 0 upload for LF usage
1413 // 1 upload for HF usage
1415 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
1417 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
1419 uint8_t *b
= BigBuf_get_addr();
1420 memcpy(b
+c
->arg
[0], c
->d
.asBytes
, USB_CMD_DATA_SIZE
);
1421 cmd_send(CMD_ACK
,0,0,0,0,0);
1428 case CMD_SET_LF_DIVISOR
:
1429 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
1430 FpgaSendCommand(FPGA_CMD_SET_DIVISOR
, c
->arg
[0]);
1433 case CMD_SET_ADC_MUX
:
1435 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD
); break;
1436 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW
); break;
1437 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD
); break;
1438 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW
); break;
1449 cmd_send(CMD_ACK
,0,0,0,0,0);
1459 case CMD_SETUP_WRITE
:
1460 case CMD_FINISH_WRITE
:
1461 case CMD_HARDWARE_RESET
:
1465 AT91C_BASE_RSTC
->RSTC_RCR
= RST_CONTROL_KEY
| AT91C_RSTC_PROCRST
;
1467 // We're going to reset, and the bootrom will take control.
1471 case CMD_START_FLASH
:
1472 if(common_area
.flags
.bootrom_present
) {
1473 common_area
.command
= COMMON_AREA_COMMAND_ENTER_FLASH_MODE
;
1476 AT91C_BASE_RSTC
->RSTC_RCR
= RST_CONTROL_KEY
| AT91C_RSTC_PROCRST
;
1480 case CMD_DEVICE_INFO
: {
1481 uint32_t dev_info
= DEVICE_INFO_FLAG_OSIMAGE_PRESENT
| DEVICE_INFO_FLAG_CURRENT_MODE_OS
;
1482 if(common_area
.flags
.bootrom_present
) dev_info
|= DEVICE_INFO_FLAG_BOOTROM_PRESENT
;
1483 cmd_send(CMD_DEVICE_INFO
,dev_info
,0,0,0,0);
1487 Dbprintf("%s: 0x%04x","unknown command:",c
->cmd
);
1492 void __attribute__((noreturn
)) AppMain(void)
1496 if(common_area
.magic
!= COMMON_AREA_MAGIC
|| common_area
.version
!= 1) {
1497 /* Initialize common area */
1498 memset(&common_area
, 0, sizeof(common_area
));
1499 common_area
.magic
= COMMON_AREA_MAGIC
;
1500 common_area
.version
= 1;
1502 common_area
.flags
.osimage_present
= 1;
1509 // The FPGA gets its clock from us from PCK0 output, so set that up.
1510 AT91C_BASE_PIOA
->PIO_BSR
= GPIO_PCK0
;
1511 AT91C_BASE_PIOA
->PIO_PDR
= GPIO_PCK0
;
1512 AT91C_BASE_PMC
->PMC_SCER
= AT91C_PMC_PCK0
;
1513 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1514 AT91C_BASE_PMC
->PMC_PCKR
[0] = AT91C_PMC_CSS_PLL_CLK
|
1515 AT91C_PMC_PRES_CLK_4
; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
1516 AT91C_BASE_PIOA
->PIO_OER
= GPIO_PCK0
;
1519 AT91C_BASE_SPI
->SPI_CR
= AT91C_SPI_SWRST
;
1521 AT91C_BASE_SSC
->SSC_CR
= AT91C_SSC_SWRST
;
1523 // Load the FPGA image, which we have stored in our flash.
1524 // (the HF version by default)
1525 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
1533 byte_t rx
[sizeof(UsbCommand
)];
1538 rx_len
= usb_read(rx
,sizeof(UsbCommand
));
1540 UsbPacketReceived(rx
,rx_len
);
1545 #ifdef WITH_LF_StandAlone
1546 #ifndef WITH_ISO14443a_StandAlone
1547 if (BUTTON_HELD(1000) > 0)
1551 #ifdef WITH_ISO14443a
1552 #ifdef WITH_ISO14443a_StandAlone
1553 if (BUTTON_HELD(1000) > 0)
1554 StandAloneMode14a();