]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iclass.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Navigate a page at a time in plot window
[proxmark3-svn] / armsrc / iclass.c
1 //-----------------------------------------------------------------------------
2 // Gerhard de Koning Gans - May 2008
3 // Hagen Fritsch - June 2010
4 // Gerhard de Koning Gans - May 2011
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // Routines to support iClass.
11 //-----------------------------------------------------------------------------
12 // Based on ISO14443a implementation. Still in experimental phase.
13 // Contribution made during a security research at Radboud University Nijmegen
14 //
15 // Please feel free to contribute and extend iClass support!!
16 //-----------------------------------------------------------------------------
17 //
18 // TODO:
19 // =====
20 // - iClass emulation
21 // - reader emulation
22 //
23 // FIX:
24 // ====
25 // We still have sometimes a demodulation error when snooping iClass communication.
26 // The resulting trace of a read-block-03 command may look something like this:
27 //
28 // + 22279: : 0c 03 e8 01
29 //
30 // ...with an incorrect answer...
31 //
32 // + 85: 0: TAG ff! ff! ff! ff! ff! ff! ff! ff! bb 33 bb 00 01! 0e! 04! bb !crc
33 //
34 // We still left the error signalling bytes in the traces like 0xbb
35 //
36 // A correct trace should look like this:
37 //
38 // + 21112: : 0c 03 e8 01
39 // + 85: 0: TAG ff ff ff ff ff ff ff ff ea f5
40 //
41 //-----------------------------------------------------------------------------
42
43 #include "proxmark3.h"
44 #include "apps.h"
45 #include "util.h"
46 #include "string.h"
47 #include "common.h"
48
49 static uint8_t *trace = (uint8_t *) BigBuf;
50 static int traceLen = 0;
51 static int rsamples = 0;
52
53 // CARD TO READER
54 // Sequence D: 11110000 modulation with subcarrier during first half
55 // Sequence E: 00001111 modulation with subcarrier during second half
56 // Sequence F: 00000000 no modulation with subcarrier
57 // READER TO CARD
58 // Sequence X: 00001100 drop after half a period
59 // Sequence Y: 00000000 no drop
60 // Sequence Z: 11000000 drop at start
61 #define SEC_D 0xf0
62 #define SEC_E 0x0f
63 #define SEC_F 0x00
64 #define SEC_X 0x0c
65 #define SEC_Y 0x00
66 #define SEC_Z 0xc0
67
68 static const uint8_t OddByteParity[256] = {
69 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
70 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
71 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
72 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
73 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
74 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
75 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
76 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
77 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
78 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
79 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
80 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
81 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
82 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
83 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
84 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
85 };
86
87 //static const uint8_t MajorityNibble[16] = { 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1 };
88 //static const uint8_t MajorityNibble[16] = { 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 };
89
90 // BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
91 #define RECV_CMD_OFFSET 3032
92 #define RECV_RES_OFFSET 3096
93 #define DMA_BUFFER_OFFSET 3160
94 #define DMA_BUFFER_SIZE 4096
95 #define TRACE_LENGTH 3000
96
97
98 //-----------------------------------------------------------------------------
99 // The software UART that receives commands from the reader, and its state
100 // variables.
101 //-----------------------------------------------------------------------------
102 static struct {
103 enum {
104 STATE_UNSYNCD,
105 STATE_START_OF_COMMUNICATION,
106 STATE_RECEIVING
107 } state;
108 uint16_t shiftReg;
109 int bitCnt;
110 int byteCnt;
111 int byteCntMax;
112 int posCnt;
113 int nOutOfCnt;
114 int OutOfCnt;
115 int syncBit;
116 int parityBits;
117 int samples;
118 int highCnt;
119 int swapper;
120 int counter;
121 int bitBuffer;
122 int dropPosition;
123 uint8_t *output;
124 } Uart;
125
126 static RAMFUNC int MillerDecoding(int bit)
127 {
128 int error = 0;
129 int bitright;
130
131 if(!Uart.bitBuffer) {
132 Uart.bitBuffer = bit ^ 0xFF0;
133 return FALSE;
134 }
135 else {
136 Uart.bitBuffer <<= 4;
137 Uart.bitBuffer ^= bit;
138 }
139
140 /*if(Uart.swapper) {
141 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
142 Uart.byteCnt++;
143 Uart.swapper = 0;
144 if(Uart.byteCnt > 15) { return TRUE; }
145 }
146 else {
147 Uart.swapper = 1;
148 }*/
149
150 if(Uart.state != STATE_UNSYNCD) {
151 Uart.posCnt++;
152
153 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
154 bit = 0x00;
155 }
156 else {
157 bit = 0x01;
158 }
159 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
160 bitright = 0x00;
161 }
162 else {
163 bitright = 0x01;
164 }
165 if(bit != bitright) { bit = bitright; }
166
167
168 // So, now we only have to deal with *bit*, lets see...
169 if(Uart.posCnt == 1) {
170 // measurement first half bitperiod
171 if(!bit) {
172 // Drop in first half means that we are either seeing
173 // an SOF or an EOF.
174
175 if(Uart.nOutOfCnt == 1) {
176 // End of Communication
177 Uart.state = STATE_UNSYNCD;
178 Uart.highCnt = 0;
179 if(Uart.byteCnt == 0) {
180 // Its not straightforward to show single EOFs
181 // So just leave it and do not return TRUE
182 Uart.output[Uart.byteCnt] = 0xf0;
183 Uart.byteCnt++;
184
185 // Calculate the parity bit for the client...
186 Uart.parityBits = 1;
187 }
188 else {
189 return TRUE;
190 }
191 }
192 else if(Uart.state != STATE_START_OF_COMMUNICATION) {
193 // When not part of SOF or EOF, it is an error
194 Uart.state = STATE_UNSYNCD;
195 Uart.highCnt = 0;
196 error = 4;
197 }
198 }
199 }
200 else {
201 // measurement second half bitperiod
202 // Count the bitslot we are in... (ISO 15693)
203 Uart.nOutOfCnt++;
204
205 if(!bit) {
206 if(Uart.dropPosition) {
207 if(Uart.state == STATE_START_OF_COMMUNICATION) {
208 error = 1;
209 }
210 else {
211 error = 7;
212 }
213 // It is an error if we already have seen a drop in current frame
214 Uart.state = STATE_UNSYNCD;
215 Uart.highCnt = 0;
216 }
217 else {
218 Uart.dropPosition = Uart.nOutOfCnt;
219 }
220 }
221
222 Uart.posCnt = 0;
223
224
225 if(Uart.nOutOfCnt == Uart.OutOfCnt && Uart.OutOfCnt == 4) {
226 Uart.nOutOfCnt = 0;
227
228 if(Uart.state == STATE_START_OF_COMMUNICATION) {
229 if(Uart.dropPosition == 4) {
230 Uart.state = STATE_RECEIVING;
231 Uart.OutOfCnt = 256;
232 }
233 else if(Uart.dropPosition == 3) {
234 Uart.state = STATE_RECEIVING;
235 Uart.OutOfCnt = 4;
236 //Uart.output[Uart.byteCnt] = 0xdd;
237 //Uart.byteCnt++;
238 }
239 else {
240 Uart.state = STATE_UNSYNCD;
241 Uart.highCnt = 0;
242 }
243 Uart.dropPosition = 0;
244 }
245 else {
246 // RECEIVING DATA
247 // 1 out of 4
248 if(!Uart.dropPosition) {
249 Uart.state = STATE_UNSYNCD;
250 Uart.highCnt = 0;
251 error = 9;
252 }
253 else {
254 Uart.shiftReg >>= 2;
255
256 // Swap bit order
257 Uart.dropPosition--;
258 //if(Uart.dropPosition == 1) { Uart.dropPosition = 2; }
259 //else if(Uart.dropPosition == 2) { Uart.dropPosition = 1; }
260
261 Uart.shiftReg ^= ((Uart.dropPosition & 0x03) << 6);
262 Uart.bitCnt += 2;
263 Uart.dropPosition = 0;
264
265 if(Uart.bitCnt == 8) {
266 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
267 Uart.byteCnt++;
268
269 // Calculate the parity bit for the client...
270 Uart.parityBits <<= 1;
271 Uart.parityBits ^= OddByteParity[(Uart.shiftReg & 0xff)];
272
273 Uart.bitCnt = 0;
274 Uart.shiftReg = 0;
275 }
276 }
277 }
278 }
279 else if(Uart.nOutOfCnt == Uart.OutOfCnt) {
280 // RECEIVING DATA
281 // 1 out of 256
282 if(!Uart.dropPosition) {
283 Uart.state = STATE_UNSYNCD;
284 Uart.highCnt = 0;
285 error = 3;
286 }
287 else {
288 Uart.dropPosition--;
289 Uart.output[Uart.byteCnt] = (Uart.dropPosition & 0xff);
290 Uart.byteCnt++;
291
292 // Calculate the parity bit for the client...
293 Uart.parityBits <<= 1;
294 Uart.parityBits ^= OddByteParity[(Uart.dropPosition & 0xff)];
295
296 Uart.bitCnt = 0;
297 Uart.shiftReg = 0;
298 Uart.nOutOfCnt = 0;
299 Uart.dropPosition = 0;
300 }
301 }
302
303 /*if(error) {
304 Uart.output[Uart.byteCnt] = 0xAA;
305 Uart.byteCnt++;
306 Uart.output[Uart.byteCnt] = error & 0xFF;
307 Uart.byteCnt++;
308 Uart.output[Uart.byteCnt] = 0xAA;
309 Uart.byteCnt++;
310 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
311 Uart.byteCnt++;
312 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
313 Uart.byteCnt++;
314 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
315 Uart.byteCnt++;
316 Uart.output[Uart.byteCnt] = 0xAA;
317 Uart.byteCnt++;
318 return TRUE;
319 }*/
320 }
321
322 }
323 else {
324 bit = Uart.bitBuffer & 0xf0;
325 bit >>= 4;
326 bit ^= 0x0F; // drops become 1s ;-)
327 if(bit) {
328 // should have been high or at least (4 * 128) / fc
329 // according to ISO this should be at least (9 * 128 + 20) / fc
330 if(Uart.highCnt == 8) {
331 // we went low, so this could be start of communication
332 // it turns out to be safer to choose a less significant
333 // syncbit... so we check whether the neighbour also represents the drop
334 Uart.posCnt = 1; // apparently we are busy with our first half bit period
335 Uart.syncBit = bit & 8;
336 Uart.samples = 3;
337 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
338 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
339 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
340 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
341 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
342 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
343 Uart.syncBit = 8;
344
345 // the first half bit period is expected in next sample
346 Uart.posCnt = 0;
347 Uart.samples = 3;
348 }
349 }
350 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
351
352 Uart.syncBit <<= 4;
353 Uart.state = STATE_START_OF_COMMUNICATION;
354 Uart.bitCnt = 0;
355 Uart.byteCnt = 0;
356 Uart.parityBits = 0;
357 Uart.nOutOfCnt = 0;
358 Uart.OutOfCnt = 4; // Start at 1/4, could switch to 1/256
359 Uart.dropPosition = 0;
360 Uart.shiftReg = 0;
361 error = 0;
362 }
363 else {
364 Uart.highCnt = 0;
365 }
366 }
367 else {
368 if(Uart.highCnt < 8) {
369 Uart.highCnt++;
370 }
371 }
372 }
373
374 return FALSE;
375 }
376
377 //=============================================================================
378 // ISO 14443 Type A - Manchester
379 //=============================================================================
380
381 static struct {
382 enum {
383 DEMOD_UNSYNCD,
384 DEMOD_START_OF_COMMUNICATION,
385 DEMOD_START_OF_COMMUNICATION2,
386 DEMOD_START_OF_COMMUNICATION3,
387 DEMOD_SOF_COMPLETE,
388 DEMOD_MANCHESTER_D,
389 DEMOD_MANCHESTER_E,
390 DEMOD_END_OF_COMMUNICATION,
391 DEMOD_END_OF_COMMUNICATION2,
392 DEMOD_MANCHESTER_F,
393 DEMOD_ERROR_WAIT
394 } state;
395 int bitCount;
396 int posCount;
397 int syncBit;
398 int parityBits;
399 uint16_t shiftReg;
400 int buffer;
401 int buffer2;
402 int buffer3;
403 int buff;
404 int samples;
405 int len;
406 enum {
407 SUB_NONE,
408 SUB_FIRST_HALF,
409 SUB_SECOND_HALF,
410 SUB_BOTH
411 } sub;
412 uint8_t *output;
413 } Demod;
414
415 static RAMFUNC int ManchesterDecoding(int v)
416 {
417 int bit;
418 int modulation;
419 int error = 0;
420
421 bit = Demod.buffer;
422 Demod.buffer = Demod.buffer2;
423 Demod.buffer2 = Demod.buffer3;
424 Demod.buffer3 = v;
425
426 if(Demod.buff < 3) {
427 Demod.buff++;
428 return FALSE;
429 }
430
431 if(Demod.state==DEMOD_UNSYNCD) {
432 Demod.output[Demod.len] = 0xfa;
433 Demod.syncBit = 0;
434 //Demod.samples = 0;
435 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
436 /* if(bit & 0x08) { Demod.syncBit = 0x08; }
437 if(!Demod.syncBit) {
438 if(bit & 0x04) { Demod.syncBit = 0x04; }
439 }
440 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
441 if(!Demod.syncBit) {
442 if(bit & 0x02) { Demod.syncBit = 0x02; }
443 }
444 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
445 if(!Demod.syncBit) {
446 if(bit & 0x01) { Demod.syncBit = 0x01; }
447
448 if(Demod.syncBit && (Demod.buffer & 0x08)) {
449 Demod.syncBit = 0x08;
450
451 // The first half bitperiod is expected in next sample
452 Demod.posCount = 0;
453 Demod.output[Demod.len] = 0xfb;
454 }
455 }
456 else if(bit & 0x01) { Demod.syncBit = 0x01; }
457 */
458
459 if(bit & 0x08) {
460 Demod.syncBit = 0x08;
461 }
462
463 if(bit & 0x04) {
464 if(Demod.syncBit) {
465 bit <<= 4;
466 }
467 Demod.syncBit = 0x04;
468 }
469
470 if(bit & 0x02) {
471 if(Demod.syncBit) {
472 bit <<= 2;
473 }
474 Demod.syncBit = 0x02;
475 }
476
477 if(bit & 0x01 && Demod.syncBit) {
478 Demod.syncBit = 0x01;
479 }
480
481 if(Demod.syncBit) {
482 Demod.len = 0;
483 Demod.state = DEMOD_START_OF_COMMUNICATION;
484 Demod.sub = SUB_FIRST_HALF;
485 Demod.bitCount = 0;
486 Demod.shiftReg = 0;
487 Demod.parityBits = 0;
488 Demod.samples = 0;
489 if(Demod.posCount) {
490 //if(trigger) LED_A_OFF(); // Not useful in this case...
491 switch(Demod.syncBit) {
492 case 0x08: Demod.samples = 3; break;
493 case 0x04: Demod.samples = 2; break;
494 case 0x02: Demod.samples = 1; break;
495 case 0x01: Demod.samples = 0; break;
496 }
497 // SOF must be long burst... otherwise stay unsynced!!!
498 if(!(Demod.buffer & Demod.syncBit) || !(Demod.buffer2 & Demod.syncBit)) {
499 Demod.state = DEMOD_UNSYNCD;
500 }
501 }
502 else {
503 // SOF must be long burst... otherwise stay unsynced!!!
504 if(!(Demod.buffer2 & Demod.syncBit) || !(Demod.buffer3 & Demod.syncBit)) {
505 Demod.state = DEMOD_UNSYNCD;
506 error = 0x88;
507 }
508
509 }
510 error = 0;
511
512 }
513 }
514 else {
515 modulation = bit & Demod.syncBit;
516 modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
517 //modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
518
519 Demod.samples += 4;
520
521 if(Demod.posCount==0) {
522 Demod.posCount = 1;
523 if(modulation) {
524 Demod.sub = SUB_FIRST_HALF;
525 }
526 else {
527 Demod.sub = SUB_NONE;
528 }
529 }
530 else {
531 Demod.posCount = 0;
532 /*(modulation && (Demod.sub == SUB_FIRST_HALF)) {
533 if(Demod.state!=DEMOD_ERROR_WAIT) {
534 Demod.state = DEMOD_ERROR_WAIT;
535 Demod.output[Demod.len] = 0xaa;
536 error = 0x01;
537 }
538 }*/
539 //else if(modulation) {
540 if(modulation) {
541 if(Demod.sub == SUB_FIRST_HALF) {
542 Demod.sub = SUB_BOTH;
543 }
544 else {
545 Demod.sub = SUB_SECOND_HALF;
546 }
547 }
548 else if(Demod.sub == SUB_NONE) {
549 if(Demod.state == DEMOD_SOF_COMPLETE) {
550 Demod.output[Demod.len] = 0x0f;
551 Demod.len++;
552 Demod.parityBits <<= 1;
553 Demod.parityBits ^= OddByteParity[0x0f];
554 Demod.state = DEMOD_UNSYNCD;
555 // error = 0x0f;
556 return TRUE;
557 }
558 else {
559 Demod.state = DEMOD_ERROR_WAIT;
560 error = 0x33;
561 }
562 /*if(Demod.state!=DEMOD_ERROR_WAIT) {
563 Demod.state = DEMOD_ERROR_WAIT;
564 Demod.output[Demod.len] = 0xaa;
565 error = 0x01;
566 }*/
567 }
568
569 switch(Demod.state) {
570 case DEMOD_START_OF_COMMUNICATION:
571 if(Demod.sub == SUB_BOTH) {
572 //Demod.state = DEMOD_MANCHESTER_D;
573 Demod.state = DEMOD_START_OF_COMMUNICATION2;
574 Demod.posCount = 1;
575 Demod.sub = SUB_NONE;
576 }
577 else {
578 Demod.output[Demod.len] = 0xab;
579 Demod.state = DEMOD_ERROR_WAIT;
580 error = 0xd2;
581 }
582 break;
583 case DEMOD_START_OF_COMMUNICATION2:
584 if(Demod.sub == SUB_SECOND_HALF) {
585 Demod.state = DEMOD_START_OF_COMMUNICATION3;
586 }
587 else {
588 Demod.output[Demod.len] = 0xab;
589 Demod.state = DEMOD_ERROR_WAIT;
590 error = 0xd3;
591 }
592 break;
593 case DEMOD_START_OF_COMMUNICATION3:
594 if(Demod.sub == SUB_SECOND_HALF) {
595 // Demod.state = DEMOD_MANCHESTER_D;
596 Demod.state = DEMOD_SOF_COMPLETE;
597 //Demod.output[Demod.len] = Demod.syncBit & 0xFF;
598 //Demod.len++;
599 }
600 else {
601 Demod.output[Demod.len] = 0xab;
602 Demod.state = DEMOD_ERROR_WAIT;
603 error = 0xd4;
604 }
605 break;
606 case DEMOD_SOF_COMPLETE:
607 case DEMOD_MANCHESTER_D:
608 case DEMOD_MANCHESTER_E:
609 // OPPOSITE FROM ISO14443 - 11110000 = 0 (1 in 14443)
610 // 00001111 = 1 (0 in 14443)
611 if(Demod.sub == SUB_SECOND_HALF) { // SUB_FIRST_HALF
612 Demod.bitCount++;
613 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
614 Demod.state = DEMOD_MANCHESTER_D;
615 }
616 else if(Demod.sub == SUB_FIRST_HALF) { // SUB_SECOND_HALF
617 Demod.bitCount++;
618 Demod.shiftReg >>= 1;
619 Demod.state = DEMOD_MANCHESTER_E;
620 }
621 else if(Demod.sub == SUB_BOTH) {
622 Demod.state = DEMOD_MANCHESTER_F;
623 }
624 else {
625 Demod.state = DEMOD_ERROR_WAIT;
626 error = 0x55;
627 }
628 break;
629
630 case DEMOD_MANCHESTER_F:
631 // Tag response does not need to be a complete byte!
632 if(Demod.len > 0 || Demod.bitCount > 0) {
633 if(Demod.bitCount > 1) { // was > 0, do not interpret last closing bit, is part of EOF
634 Demod.shiftReg >>= (9 - Demod.bitCount);
635 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
636 Demod.len++;
637 // No parity bit, so just shift a 0
638 Demod.parityBits <<= 1;
639 }
640
641 Demod.state = DEMOD_UNSYNCD;
642 return TRUE;
643 }
644 else {
645 Demod.output[Demod.len] = 0xad;
646 Demod.state = DEMOD_ERROR_WAIT;
647 error = 0x03;
648 }
649 break;
650
651 case DEMOD_ERROR_WAIT:
652 Demod.state = DEMOD_UNSYNCD;
653 break;
654
655 default:
656 Demod.output[Demod.len] = 0xdd;
657 Demod.state = DEMOD_UNSYNCD;
658 break;
659 }
660
661 /*if(Demod.bitCount>=9) {
662 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
663 Demod.len++;
664
665 Demod.parityBits <<= 1;
666 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
667
668 Demod.bitCount = 0;
669 Demod.shiftReg = 0;
670 }*/
671 if(Demod.bitCount>=8) {
672 Demod.shiftReg >>= 1;
673 Demod.output[Demod.len] = (Demod.shiftReg & 0xff);
674 Demod.len++;
675
676 // FOR ISO15639 PARITY NOT SEND OTA, JUST CALCULATE IT FOR THE CLIENT
677 Demod.parityBits <<= 1;
678 Demod.parityBits ^= OddByteParity[(Demod.shiftReg & 0xff)];
679
680 Demod.bitCount = 0;
681 Demod.shiftReg = 0;
682 }
683
684 if(error) {
685 Demod.output[Demod.len] = 0xBB;
686 Demod.len++;
687 Demod.output[Demod.len] = error & 0xFF;
688 Demod.len++;
689 Demod.output[Demod.len] = 0xBB;
690 Demod.len++;
691 Demod.output[Demod.len] = bit & 0xFF;
692 Demod.len++;
693 Demod.output[Demod.len] = Demod.buffer & 0xFF;
694 Demod.len++;
695 // Look harder ;-)
696 Demod.output[Demod.len] = Demod.buffer2 & 0xFF;
697 Demod.len++;
698 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
699 Demod.len++;
700 Demod.output[Demod.len] = 0xBB;
701 Demod.len++;
702 return TRUE;
703 }
704
705 }
706
707 } // end (state != UNSYNCED)
708
709 return FALSE;
710 }
711
712 //=============================================================================
713 // Finally, a `sniffer' for ISO 14443 Type A
714 // Both sides of communication!
715 //=============================================================================
716
717 //-----------------------------------------------------------------------------
718 // Record the sequence of commands sent by the reader to the tag, with
719 // triggering so that we start recording at the point that the tag is moved
720 // near the reader.
721 //-----------------------------------------------------------------------------
722 void RAMFUNC SnoopIClass(void)
723 {
724 // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
725 // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
726 // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
727 // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
728 // #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
729
730 // We won't start recording the frames that we acquire until we trigger;
731 // a good trigger condition to get started is probably when we see a
732 // response from the tag.
733 int triggered = FALSE; // FALSE to wait first for card
734
735 // The command (reader -> tag) that we're receiving.
736 // The length of a received command will in most cases be no more than 18 bytes.
737 // So 32 should be enough!
738 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
739 // The response (tag -> reader) that we're receiving.
740 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
741
742 // As we receive stuff, we copy it from receivedCmd or receivedResponse
743 // into trace, along with its length and other annotations.
744 //uint8_t *trace = (uint8_t *)BigBuf;
745
746 traceLen = 0; // uncommented to fix ISSUE 15 - gerhard - jan2011
747
748 // The DMA buffer, used to stream samples from the FPGA
749 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
750 int lastRxCounter;
751 int8_t *upTo;
752 int smpl;
753 int maxBehindBy = 0;
754
755 // Count of samples received so far, so that we can include timing
756 // information in the trace buffer.
757 int samples = 0;
758 rsamples = 0;
759
760 memset(trace, 0x44, RECV_CMD_OFFSET);
761
762 // Set up the demodulator for tag -> reader responses.
763 Demod.output = receivedResponse;
764 Demod.len = 0;
765 Demod.state = DEMOD_UNSYNCD;
766
767 // Setup for the DMA.
768 FpgaSetupSsc();
769 upTo = dmaBuf;
770 lastRxCounter = DMA_BUFFER_SIZE;
771 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
772
773 // And the reader -> tag commands
774 memset(&Uart, 0, sizeof(Uart));
775 Uart.output = receivedCmd;
776 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
777 Uart.state = STATE_UNSYNCD;
778
779 // And put the FPGA in the appropriate mode
780 // Signal field is off with the appropriate LED
781 LED_D_OFF();
782 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
783 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
784
785 int div = 0;
786 //int div2 = 0;
787 int decbyte = 0;
788 int decbyter = 0;
789
790 // And now we loop, receiving samples.
791 for(;;) {
792 LED_A_ON();
793 WDT_HIT();
794 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
795 (DMA_BUFFER_SIZE-1);
796 if(behindBy > maxBehindBy) {
797 maxBehindBy = behindBy;
798 if(behindBy > 400) {
799 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
800 goto done;
801 }
802 }
803 if(behindBy < 1) continue;
804
805 LED_A_OFF();
806 smpl = upTo[0];
807 upTo++;
808 lastRxCounter -= 1;
809 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
810 upTo -= DMA_BUFFER_SIZE;
811 lastRxCounter += DMA_BUFFER_SIZE;
812 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
813 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
814 }
815
816 //samples += 4;
817 samples += 1;
818 //div2++;
819
820 //if(div2 > 3) {
821 //div2 = 0;
822 //decbyte ^= ((smpl & 0x01) << (3 - div));
823 //decbyte ^= (((smpl & 0x01) | ((smpl & 0x02) >> 1)) << (3 - div)); // better already...
824 //decbyte ^= (((smpl & 0x01) | ((smpl & 0x02) >> 1) | ((smpl & 0x04) >> 2)) << (3 - div)); // even better...
825 if(smpl & 0xF) {
826 decbyte ^= (1 << (3 - div));
827 }
828 //decbyte ^= (MajorityNibble[(smpl & 0x0F)] << (3 - div));
829
830 // FOR READER SIDE COMMUMICATION...
831 //decbyte ^= ((smpl & 0x10) << (3 - div));
832 decbyter <<= 2;
833 decbyter ^= (smpl & 0x30);
834
835 div++;
836
837 if((div + 1) % 2 == 0) {
838 smpl = decbyter;
839 if(MillerDecoding((smpl & 0xF0) >> 4)) {
840 rsamples = samples - Uart.samples;
841 LED_C_ON();
842 //if(triggered) {
843 trace[traceLen++] = ((rsamples >> 0) & 0xff);
844 trace[traceLen++] = ((rsamples >> 8) & 0xff);
845 trace[traceLen++] = ((rsamples >> 16) & 0xff);
846 trace[traceLen++] = ((rsamples >> 24) & 0xff);
847 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
848 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
849 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
850 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
851 trace[traceLen++] = Uart.byteCnt;
852 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
853 traceLen += Uart.byteCnt;
854 if(traceLen > TRACE_LENGTH) break;
855 //}
856 /* And ready to receive another command. */
857 Uart.state = STATE_UNSYNCD;
858 /* And also reset the demod code, which might have been */
859 /* false-triggered by the commands from the reader. */
860 Demod.state = DEMOD_UNSYNCD;
861 LED_B_OFF();
862 Uart.byteCnt = 0;
863 }
864 decbyter = 0;
865 }
866
867 if(div > 3) {
868 smpl = decbyte;
869 if(ManchesterDecoding(smpl & 0x0F)) {
870 rsamples = samples - Demod.samples;
871 LED_B_ON();
872
873 // timestamp, as a count of samples
874 trace[traceLen++] = ((rsamples >> 0) & 0xff);
875 trace[traceLen++] = ((rsamples >> 8) & 0xff);
876 trace[traceLen++] = ((rsamples >> 16) & 0xff);
877 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
878 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
879 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
880 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
881 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
882 // length
883 trace[traceLen++] = Demod.len;
884 memcpy(trace+traceLen, receivedResponse, Demod.len);
885 traceLen += Demod.len;
886 if(traceLen > TRACE_LENGTH) break;
887
888 triggered = TRUE;
889
890 // And ready to receive another response.
891 memset(&Demod, 0, sizeof(Demod));
892 Demod.output = receivedResponse;
893 Demod.state = DEMOD_UNSYNCD;
894 LED_C_OFF();
895 }
896
897 div = 0;
898 decbyte = 0x00;
899 }
900 //}
901
902 if(BUTTON_PRESS()) {
903 DbpString("cancelled_a");
904 goto done;
905 }
906 }
907
908 DbpString("COMMAND FINISHED");
909
910 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
911 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
912
913 done:
914 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
915 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
916 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
917 LED_A_OFF();
918 LED_B_OFF();
919 LED_C_OFF();
920 LED_D_OFF();
921 }
922
Proxmark3 GIT tracking
Impressum, Datenschutz