]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/appmain.c
projects / proxmark3-svn / blob
? search:


22657815ebaeb398a5e64c8d899cee40fa953c62
[proxmark3-svn] / armsrc / appmain.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, Mar 2006
3 // Edits by Gerhard de Koning Gans, Sep 2007 (##)
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // The main application code. This is the first thing called after start.c
10 // executes.
11 //-----------------------------------------------------------------------------
12
13 #include "usb_cdc.h"
14 #include "cmd.h"
15
16 #include "proxmark3.h"
17 #include "apps.h"
18 #include "util.h"
19 #include "printf.h"
20 #include "string.h"
21
22 #include <stdarg.h>
23
24 #include "legicrf.h"
25 #include <hitag2.h>
26 #include "lfsampling.h"
27 #include "BigBuf.h"
28 #include "mifareutil.h"
29 #include "pcf7931.h"
30 #ifdef WITH_LCD
31 #include "LCD.h"
32 #endif
33
34 // Craig Young - 14a stand-alone code
35 #ifdef WITH_ISO14443a_StandAlone
36 #include "iso14443a.h"
37 #include "protocols.h"
38 #endif
39
40 #define abs(x) ( ((x)<0) ? -(x) : (x) )
41
42 //=============================================================================
43 // A buffer where we can queue things up to be sent through the FPGA, for
44 // any purpose (fake tag, as reader, whatever). We go MSB first, since that
45 // is the order in which they go out on the wire.
46 //=============================================================================
47
48 #define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
49 uint8_t ToSend[TOSEND_BUFFER_SIZE];
50 int ToSendMax = 0;
51 static int ToSendBit;
52 struct common_area common_area __attribute__((section(".commonarea")));
53
54 void ToSendReset(void)
55 {
56 ToSendMax = -1;
57 ToSendBit = 8;
58 }
59
60 void ToSendStuffBit(int b)
61 {
62 if(ToSendBit >= 8) {
63 ToSendMax++;
64 ToSend[ToSendMax] = 0;
65 ToSendBit = 0;
66 }
67
68 if(b) {
69 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
70 }
71
72 ToSendBit++;
73
74 if(ToSendMax >= sizeof(ToSend)) {
75 ToSendBit = 0;
76 DbpString("ToSendStuffBit overflowed!");
77 }
78 }
79
80 //=============================================================================
81 // Debug print functions, to go out over USB, to the usual PC-side client.
82 //=============================================================================
83
84 void DbpString(char *str)
85 {
86 byte_t len = strlen(str);
87 cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len);
88 }
89
90 #if 0
91 void DbpIntegers(int x1, int x2, int x3)
92 {
93 cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
94 }
95 #endif
96
97 void Dbprintf(const char *fmt, ...) {
98 // should probably limit size here; oh well, let's just use a big buffer
99 char output_string[128];
100 va_list ap;
101
102 va_start(ap, fmt);
103 kvsprintf(fmt, output_string, 10, ap);
104 va_end(ap);
105
106 DbpString(output_string);
107 }
108
109 // prints HEX & ASCII
110 void Dbhexdump(int len, uint8_t *d, bool bAsci) {
111 int l=0,i;
112 char ascii[9];
113
114 while (len>0) {
115 if (len>8) l=8;
116 else l=len;
117
118 memcpy(ascii,d,l);
119 ascii[l]=0;
120
121 // filter safe ascii
122 for (i=0;i<l;i++)
123 if (ascii[i]<32 || ascii[i]>126) ascii[i]='.';
124
125 if (bAsci) {
126 Dbprintf("%-8s %*D",ascii,l,d," ");
127 } else {
128 Dbprintf("%*D",l,d," ");
129 }
130
131 len-=8;
132 d+=8;
133 }
134 }
135
136 //-----------------------------------------------------------------------------
137 // Read an ADC channel and block till it completes, then return the result
138 // in ADC units (0 to 1023). Also a routine to average 32 samples and
139 // return that.
140 //-----------------------------------------------------------------------------
141 static int ReadAdc(int ch)
142 {
143 uint32_t d;
144
145 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
146 AT91C_BASE_ADC->ADC_MR =
147 ADC_MODE_PRESCALE(63 /* was 32 */) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
148 ADC_MODE_STARTUP_TIME(1 /* was 16 */) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
149 ADC_MODE_SAMPLE_HOLD_TIME(15 /* was 8 */); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
150
151 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
152 // Both AMPL_LO and AMPL_HI are very high impedance (10MOhm) outputs, the input capacitance of the ADC is 12pF (typical). This results in a time constant
153 // of RC = 10MOhm * 12pF = 120us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
154 //
155 // The maths are:
156 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
157 //
158 // v_cap = v_in * (1 - exp(-RC/SHTIM)) = v_in * (1 - exp(-3)) = v_in * 0,95 (i.e. an error of 5%)
159 //
160 // Note: with the "historic" values in the comments above, the error was 34% !!!
161
162 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
163
164 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
165
166 while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch)))
167 ;
168 d = AT91C_BASE_ADC->ADC_CDR[ch];
169
170 return d;
171 }
172
173 int AvgAdc(int ch) // was static - merlok
174 {
175 int i;
176 int a = 0;
177
178 for(i = 0; i < 32; i++) {
179 a += ReadAdc(ch);
180 }
181
182 return (a + 15) >> 5;
183 }
184
185 void MeasureAntennaTuning(void)
186 {
187 uint8_t LF_Results[256];
188 int i, adcval = 0, peak = 0, peakv = 0, peakf = 0; //ptr = 0
189 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
190
191 LED_B_ON();
192
193 /*
194 * Sweeps the useful LF range of the proxmark from
195 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
196 * read the voltage in the antenna, the result left
197 * in the buffer is a graph which should clearly show
198 * the resonating frequency of your LF antenna
199 * ( hopefully around 95 if it is tuned to 125kHz!)
200 */
201
202 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
203 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
204 for (i=255; i>=19; i--) {
205 WDT_HIT();
206 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
207 SpinDelay(20);
208 adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
209 if (i==95) vLf125 = adcval; // voltage at 125Khz
210 if (i==89) vLf134 = adcval; // voltage at 134Khz
211
212 LF_Results[i] = adcval>>8; // scale int to fit in byte for graphing purposes
213 if(LF_Results[i] > peak) {
214 peakv = adcval;
215 peak = LF_Results[i];
216 peakf = i;
217 //ptr = i;
218 }
219 }
220
221 for (i=18; i >= 0; i--) LF_Results[i] = 0;
222
223 LED_A_ON();
224 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
225 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
226 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
227 SpinDelay(20);
228 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
229
230 cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125 | (vLf134<<16), vHf, peakf | (peakv<<16), LF_Results, 256);
231 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
232 LED_A_OFF();
233 LED_B_OFF();
234 return;
235 }
236
237 void MeasureAntennaTuningHf(void)
238 {
239 int vHf = 0; // in mV
240
241 DbpString("Measuring HF antenna, press button to exit");
242
243 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
244 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
245 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
246
247 for (;;) {
248 SpinDelay(20);
249 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
250
251 Dbprintf("%d mV",vHf);
252 if (BUTTON_PRESS()) break;
253 }
254 DbpString("cancelled");
255
256 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
257
258 }
259
260
261 void ReadMem(int addr)
262 {
263 const uint8_t *data = ((uint8_t *)addr);
264
265 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
266 addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
267 }
268
269 /* osimage version information is linked in */
270 extern struct version_information version_information;
271 /* bootrom version information is pointed to from _bootphase1_version_pointer */
272 extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
273 void SendVersion(void)
274 {
275 char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
276 char VersionString[USB_CMD_DATA_SIZE] = { '\0' };
277
278 /* Try to find the bootrom version information. Expect to find a pointer at
279 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
280 * pointer, then use it.
281 */
282 char *bootrom_version = *(char**)&_bootphase1_version_pointer;
283 if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
284 strcat(VersionString, "bootrom version information appears invalid\n");
285 } else {
286 FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
287 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
288 }
289
290 FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
291 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
292
293 FpgaGatherVersion(FPGA_BITSTREAM_LF, temp, sizeof(temp));
294 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
295 FpgaGatherVersion(FPGA_BITSTREAM_HF, temp, sizeof(temp));
296 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
297
298 // Send Chip ID and used flash memory
299 uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
300 uint32_t compressed_data_section_size = common_area.arg1;
301 cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, 0, VersionString, strlen(VersionString));
302 }
303
304 // measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
305 // Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
306 void printUSBSpeed(void)
307 {
308 Dbprintf("USB Speed:");
309 Dbprintf(" Sending USB packets to client...");
310
311 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
312 uint8_t *test_data = BigBuf_get_addr();
313 uint32_t end_time;
314
315 uint32_t start_time = end_time = GetTickCount();
316 uint32_t bytes_transferred = 0;
317
318 LED_B_ON();
319 while(end_time < start_time + USB_SPEED_TEST_MIN_TIME) {
320 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE);
321 end_time = GetTickCount();
322 bytes_transferred += USB_CMD_DATA_SIZE;
323 }
324 LED_B_OFF();
325
326 Dbprintf(" Time elapsed: %dms", end_time - start_time);
327 Dbprintf(" Bytes transferred: %d", bytes_transferred);
328 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
329 1000 * bytes_transferred / (end_time - start_time));
330
331 }
332
333 /**
334 * Prints runtime information about the PM3.
335 **/
336 void SendStatus(void)
337 {
338 BigBuf_print_status();
339 Fpga_print_status();
340 printConfig(); //LF Sampling config
341 printUSBSpeed();
342 Dbprintf("Various");
343 Dbprintf(" MF_DBGLEVEL........%d", MF_DBGLEVEL);
344 Dbprintf(" ToSendMax..........%d", ToSendMax);
345 Dbprintf(" ToSendBit..........%d", ToSendBit);
346 Dbprintf(" ToSend BUFFERSIZE..%d", TOSEND_BUFFER_SIZE);
347
348 cmd_send(CMD_ACK,1,0,0,0,0);
349 }
350
351 #if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF)
352
353 #define OPTS 2
354 void StandAloneMode()
355 {
356 DbpString("Stand-alone mode! No PC necessary.");
357 // Oooh pretty -- notify user we're in elite samy mode now
358 LED(LED_RED, 200);
359 LED(LED_ORANGE, 200);
360 LED(LED_GREEN, 200);
361 LED(LED_ORANGE, 200);
362 LED(LED_RED, 200);
363 LED(LED_ORANGE, 200);
364 LED(LED_GREEN, 200);
365 LED(LED_ORANGE, 200);
366 LED(LED_RED, 200);
367 }
368 #endif
369
370 #ifdef WITH_ISO14443a_StandAlone
371 void StandAloneMode14a()
372 {
373 StandAloneMode();
374 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
375
376 int selected = 0;
377 int playing = 0, iGotoRecord = 0, iGotoClone = 0;
378 int cardRead[OPTS] = {0};
379 uint8_t readUID[10] = {0};
380 uint32_t uid_1st[OPTS]={0};
381 uint32_t uid_2nd[OPTS]={0};
382 uint32_t uid_tmp1 = 0;
383 uint32_t uid_tmp2 = 0;
384 iso14a_card_select_t hi14a_card[OPTS];
385
386 uint8_t params = (MAGIC_SINGLE | MAGIC_DATAIN);
387
388 LED(selected + 1, 0);
389
390 for (;;)
391 {
392 usb_poll();
393 WDT_HIT();
394 SpinDelay(300);
395
396 if (iGotoRecord == 1 || cardRead[selected] == 0)
397 {
398 iGotoRecord = 0;
399 LEDsoff();
400 LED(selected + 1, 0);
401 LED(LED_RED2, 0);
402
403 // record
404 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected);
405 /* need this delay to prevent catching some weird data */
406 SpinDelay(500);
407 /* Code for reading from 14a tag */
408 uint8_t uid[10] ={0};
409 uint32_t cuid;
410 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
411
412 for ( ; ; )
413 {
414 WDT_HIT();
415 if (BUTTON_PRESS()) {
416 if (cardRead[selected]) {
417 Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
418 break;
419 }
420 else if (cardRead[(selected+1)%OPTS]) {
421 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS);
422 selected = (selected+1)%OPTS;
423 break; // playing = 1;
424 }
425 else {
426 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
427 SpinDelay(300);
428 }
429 }
430 if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid, true, 0))
431 continue;
432 else
433 {
434 Dbprintf("Read UID:"); Dbhexdump(10,uid,0);
435 memcpy(readUID,uid,10*sizeof(uint8_t));
436 uint8_t *dst = (uint8_t *)&uid_tmp1;
437 // Set UID byte order
438 for (int i=0; i<4; i++)
439 dst[i] = uid[3-i];
440 dst = (uint8_t *)&uid_tmp2;
441 for (int i=0; i<4; i++)
442 dst[i] = uid[7-i];
443 if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) {
444 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
445 }
446 else {
447 if (uid_tmp2) {
448 Dbprintf("Bank[%d] received a 7-byte UID",selected);
449 uid_1st[selected] = (uid_tmp1)>>8;
450 uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8);
451 }
452 else {
453 Dbprintf("Bank[%d] received a 4-byte UID",selected);
454 uid_1st[selected] = uid_tmp1;
455 uid_2nd[selected] = uid_tmp2;
456 }
457 break;
458 }
459 }
460 }
461 Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]);
462 Dbprintf("SAK = %02X",hi14a_card[selected].sak);
463 LEDsoff();
464 LED(LED_GREEN, 200);
465 LED(LED_ORANGE, 200);
466 LED(LED_GREEN, 200);
467 LED(LED_ORANGE, 200);
468
469 LEDsoff();
470 LED(selected + 1, 0);
471
472 // Next state is replay:
473 playing = 1;
474
475 cardRead[selected] = 1;
476 }
477 /* MF Classic UID clone */
478 else if (iGotoClone==1)
479 {
480 iGotoClone=0;
481 LEDsoff();
482 LED(selected + 1, 0);
483 LED(LED_ORANGE, 250);
484
485 // record
486 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]);
487
488 // wait for button to be released
489 // Delay cloning until card is in place
490 while(BUTTON_PRESS())
491 WDT_HIT();
492
493 Dbprintf("Starting clone. [Bank: %u]", selected);
494 // need this delay to prevent catching some weird data
495 SpinDelay(500);
496 // Begin clone function here:
497 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
498 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {params & (0xFE | (uid == NULL ? 0:1)), blockNo, 0}};
499 memcpy(c.d.asBytes, data, 16);
500 SendCommand(&c);
501
502 Block read is similar:
503 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, blockNo, 0}};
504 We need to imitate that call with blockNo 0 to set a uid.
505
506 The get and set commands are handled in this file:
507 // Work with "magic Chinese" card
508 case CMD_MIFARE_CSETBLOCK:
509 MifareCSetBlock(c->arg[0], c->arg[1], c->d.asBytes);
510 break;
511 case CMD_MIFARE_CGETBLOCK:
512 MifareCGetBlock(c->arg[0], c->arg[1], c->d.asBytes);
513 break;
514
515 mfCSetUID provides example logic for UID set workflow:
516 -Read block0 from card in field with MifareCGetBlock()
517 -Configure new values without replacing reserved bytes
518 memcpy(block0, uid, 4); // Copy UID bytes from byte array
519 // Mifare UID BCC
520 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
521 Bytes 5-7 are reserved SAK and ATQA for mifare classic
522 -Use mfCSetBlock(0, block0, oldUID, wantWipe, MAGIC_SINGLE) to write it
523 */
524 uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0};
525 // arg0 = Flags, arg1=blockNo
526 MifareCGetBlock(params, 0, oldBlock0);
527 if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
528 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
529 playing = 1;
530 }
531 else {
532 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]);
533 memcpy(newBlock0,oldBlock0,16);
534 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
535
536 newBlock0[0] = uid_1st[selected]>>24;
537 newBlock0[1] = 0xFF & (uid_1st[selected]>>16);
538 newBlock0[2] = 0xFF & (uid_1st[selected]>>8);
539 newBlock0[3] = 0xFF & (uid_1st[selected]);
540 newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3];
541
542 // arg0 = workFlags, arg1 = blockNo, datain
543 MifareCSetBlock(params, 0, newBlock0);
544 MifareCGetBlock(params, 0, testBlock0);
545
546 if (memcmp(testBlock0, newBlock0, 16)==0) {
547 DbpString("Cloned successfull!");
548 cardRead[selected] = 0; // Only if the card was cloned successfully should we clear it
549 playing = 0;
550 iGotoRecord = 1;
551 selected = (selected + 1) % OPTS;
552 } else {
553 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
554 playing = 1;
555 }
556 }
557 LEDsoff();
558 LED(selected + 1, 0);
559 }
560 // Change where to record (or begin playing)
561 else if (playing==1) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
562 {
563 LEDsoff();
564 LED(selected + 1, 0);
565
566 // Begin transmitting
567 if (playing)
568 {
569 LED(LED_GREEN, 0);
570 DbpString("Playing");
571 for ( ; ; ) {
572 WDT_HIT();
573 int button_action = BUTTON_HELD(1000);
574 if (button_action == 0) { // No button action, proceed with sim
575 uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break
576 uint8_t flags = ( uid_2nd[selected] > 0x00 ) ? FLAG_7B_UID_IN_DATA : FLAG_4B_UID_IN_DATA;
577 num_to_bytes(uid_1st[selected], 3, data);
578 num_to_bytes(uid_2nd[selected], 4, data);
579
580 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected);
581 if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) {
582 DbpString("Mifare Classic");
583 SimulateIso14443aTag(1, flags, data); // Mifare Classic
584 }
585 else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) {
586 DbpString("Mifare Ultralight");
587 SimulateIso14443aTag(2, flags, data); // Mifare Ultralight
588 }
589 else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) {
590 DbpString("Mifare DESFire");
591 SimulateIso14443aTag(3, flags, data); // Mifare DESFire
592 }
593 else {
594 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
595 SimulateIso14443aTag(1, flags, data);
596 }
597 }
598 else if (button_action == BUTTON_SINGLE_CLICK) {
599 selected = (selected + 1) % OPTS;
600 Dbprintf("Done playing. Switching to record mode on bank %d",selected);
601 iGotoRecord = 1;
602 break;
603 }
604 else if (button_action == BUTTON_HOLD) {
605 Dbprintf("Playtime over. Begin cloning...");
606 iGotoClone = 1;
607 break;
608 }
609 WDT_HIT();
610 }
611
612 /* We pressed a button so ignore it here with a delay */
613 SpinDelay(300);
614 LEDsoff();
615 LED(selected + 1, 0);
616 }
617 else
618 while(BUTTON_PRESS())
619 WDT_HIT();
620 }
621 }
622 }
623 #elif WITH_LF
624 // samy's sniff and repeat routine
625 void SamyRun()
626 {
627 StandAloneMode();
628 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
629
630 int high[OPTS], low[OPTS];
631 int selected = 0;
632 int playing = 0;
633 int cardRead = 0;
634
635 // Turn on selected LED
636 LED(selected + 1, 0);
637
638 for (;;) {
639 usb_poll();
640 WDT_HIT();
641
642 // Was our button held down or pressed?
643 int button_pressed = BUTTON_HELD(1000);
644 SpinDelay(300);
645
646 // Button was held for a second, begin recording
647 if (button_pressed > 0 && cardRead == 0)
648 {
649 LEDsoff();
650 LED(selected + 1, 0);
651 LED(LED_RED2, 0);
652
653 // record
654 DbpString("Starting recording");
655
656 // wait for button to be released
657 while(BUTTON_PRESS())
658 WDT_HIT();
659
660 /* need this delay to prevent catching some weird data */
661 SpinDelay(500);
662
663 CmdHIDdemodFSK(1, &high[selected], &low[selected], 0);
664 Dbprintf("Recorded %x %x %x", selected, high[selected], low[selected]);
665
666 LEDsoff();
667 LED(selected + 1, 0);
668 // Finished recording
669 // If we were previously playing, set playing off
670 // so next button push begins playing what we recorded
671 playing = 0;
672 cardRead = 1;
673 }
674 else if (button_pressed > 0 && cardRead == 1) {
675 LEDsoff();
676 LED(selected + 1, 0);
677 LED(LED_ORANGE, 0);
678
679 // record
680 Dbprintf("Cloning %x %x %x", selected, high[selected], low[selected]);
681
682 // wait for button to be released
683 while(BUTTON_PRESS())
684 WDT_HIT();
685
686 /* need this delay to prevent catching some weird data */
687 SpinDelay(500);
688
689 CopyHIDtoT55x7(high[selected], low[selected], 0, 0);
690 Dbprintf("Cloned %x %x %x", selected, high[selected], low[selected]);
691
692 LEDsoff();
693 LED(selected + 1, 0);
694 // Finished recording
695
696 // If we were previously playing, set playing off
697 // so next button push begins playing what we recorded
698 playing = 0;
699 cardRead = 0;
700 }
701
702 // Change where to record (or begin playing)
703 else if (button_pressed) {
704 // Next option if we were previously playing
705 if (playing)
706 selected = (selected + 1) % OPTS;
707 playing = !playing;
708
709 LEDsoff();
710 LED(selected + 1, 0);
711
712 // Begin transmitting
713 if (playing)
714 {
715 LED(LED_GREEN, 0);
716 DbpString("Playing");
717 // wait for button to be released
718 while(BUTTON_PRESS())
719 WDT_HIT();
720
721 Dbprintf("%x %x %x", selected, high[selected], low[selected]);
722 CmdHIDsimTAG(high[selected], low[selected], 0);
723 DbpString("Done playing");
724
725 if (BUTTON_HELD(1000) > 0) {
726 DbpString("Exiting");
727 LEDsoff();
728 return;
729 }
730
731 /* We pressed a button so ignore it here with a delay */
732 SpinDelay(300);
733
734 // when done, we're done playing, move to next option
735 selected = (selected + 1) % OPTS;
736 playing = !playing;
737 LEDsoff();
738 LED(selected + 1, 0);
739 }
740 else
741 while(BUTTON_PRESS())
742 WDT_HIT();
743 }
744 }
745 }
746
747 #endif
748 /*
749 OBJECTIVE
750 Listen and detect an external reader. Determine the best location
751 for the antenna.
752
753 INSTRUCTIONS:
754 Inside the ListenReaderField() function, there is two mode.
755 By default, when you call the function, you will enter mode 1.
756 If you press the PM3 button one time, you will enter mode 2.
757 If you press the PM3 button a second time, you will exit the function.
758
759 DESCRIPTION OF MODE 1:
760 This mode just listens for an external reader field and lights up green
761 for HF and/or red for LF. This is the original mode of the detectreader
762 function.
763
764 DESCRIPTION OF MODE 2:
765 This mode will visually represent, using the LEDs, the actual strength of the
766 current compared to the maximum current detected. Basically, once you know
767 what kind of external reader is present, it will help you spot the best location to place
768 your antenna. You will probably not get some good results if there is a LF and a HF reader
769 at the same place! :-)
770
771 LIGHT SCHEME USED:
772 */
773 static const char LIGHT_SCHEME[] = {
774 0x0, /* ---- | No field detected */
775 0x1, /* X--- | 14% of maximum current detected */
776 0x2, /* -X-- | 29% of maximum current detected */
777 0x4, /* --X- | 43% of maximum current detected */
778 0x8, /* ---X | 57% of maximum current detected */
779 0xC, /* --XX | 71% of maximum current detected */
780 0xE, /* -XXX | 86% of maximum current detected */
781 0xF, /* XXXX | 100% of maximum current detected */
782 };
783 static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
784
785 void ListenReaderField(int limit)
786 {
787 int lf_av, lf_av_new, lf_baseline= 0, lf_max;
788 int hf_av, hf_av_new, hf_baseline= 0, hf_max;
789 int mode=1, display_val, display_max, i;
790
791 #define LF_ONLY 1
792 #define HF_ONLY 2
793 #define REPORT_CHANGE 10 // report new values only if they have changed at least by REPORT_CHANGE
794
795
796 // switch off FPGA - we don't want to measure our own signal
797 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
798 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
799
800 LEDsoff();
801
802 lf_av = lf_max = AvgAdc(ADC_CHAN_LF);
803
804 if(limit != HF_ONLY) {
805 Dbprintf("LF 125/134kHz Baseline: %dmV", (MAX_ADC_LF_VOLTAGE * lf_av) >> 10);
806 lf_baseline = lf_av;
807 }
808
809 hf_av = hf_max = AvgAdc(ADC_CHAN_HF);
810
811 if (limit != LF_ONLY) {
812 Dbprintf("HF 13.56MHz Baseline: %dmV", (MAX_ADC_HF_VOLTAGE * hf_av) >> 10);
813 hf_baseline = hf_av;
814 }
815
816 for(;;) {
817 if (BUTTON_PRESS()) {
818 SpinDelay(500);
819 switch (mode) {
820 case 1:
821 mode=2;
822 DbpString("Signal Strength Mode");
823 break;
824 case 2:
825 default:
826 DbpString("Stopped");
827 LEDsoff();
828 return;
829 break;
830 }
831 }
832 WDT_HIT();
833
834 if (limit != HF_ONLY) {
835 if(mode == 1) {
836 if (abs(lf_av - lf_baseline) > REPORT_CHANGE)
837 LED_D_ON();
838 else
839 LED_D_OFF();
840 }
841
842 lf_av_new = AvgAdc(ADC_CHAN_LF);
843 // see if there's a significant change
844 if(abs(lf_av - lf_av_new) > REPORT_CHANGE) {
845 Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE * lf_av_new) >> 10);
846 lf_av = lf_av_new;
847 if (lf_av > lf_max)
848 lf_max = lf_av;
849 }
850 }
851
852 if (limit != LF_ONLY) {
853 if (mode == 1){
854 if (abs(hf_av - hf_baseline) > REPORT_CHANGE)
855 LED_B_ON();
856 else
857 LED_B_OFF();
858 }
859
860 hf_av_new = AvgAdc(ADC_CHAN_HF);
861 // see if there's a significant change
862 if(abs(hf_av - hf_av_new) > REPORT_CHANGE) {
863 Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE * hf_av_new) >> 10);
864 hf_av = hf_av_new;
865 if (hf_av > hf_max)
866 hf_max = hf_av;
867 }
868 }
869
870 if(mode == 2) {
871 if (limit == LF_ONLY) {
872 display_val = lf_av;
873 display_max = lf_max;
874 } else if (limit == HF_ONLY) {
875 display_val = hf_av;
876 display_max = hf_max;
877 } else { /* Pick one at random */
878 if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
879 display_val = hf_av;
880 display_max = hf_max;
881 } else {
882 display_val = lf_av;
883 display_max = lf_max;
884 }
885 }
886 for (i=0; i<LIGHT_LEN; i++) {
887 if (display_val >= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) {
888 if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF();
889 if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF();
890 if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF();
891 if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF();
892 break;
893 }
894 }
895 }
896 }
897 }
898
899 void UsbPacketReceived(uint8_t *packet, int len)
900 {
901 UsbCommand *c = (UsbCommand *)packet;
902
903 //Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
904
905 switch(c->cmd) {
906 #ifdef WITH_LF
907 case CMD_SET_LF_SAMPLING_CONFIG:
908 setSamplingConfig((sample_config *) c->d.asBytes);
909 break;
910 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
911 cmd_send(CMD_ACK, SampleLF(c->arg[0]),0,0,0,0);
912 break;
913 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
914 ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
915 break;
916 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
917 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
918 break;
919 case CMD_HID_DEMOD_FSK:
920 CmdHIDdemodFSK(c->arg[0], 0, 0, 1);
921 break;
922 case CMD_HID_SIM_TAG:
923 CmdHIDsimTAG(c->arg[0], c->arg[1], 1);
924 break;
925 case CMD_FSK_SIM_TAG:
926 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
927 break;
928 case CMD_ASK_SIM_TAG:
929 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
930 break;
931 case CMD_PSK_SIM_TAG:
932 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
933 break;
934 case CMD_HID_CLONE_TAG:
935 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
936 break;
937 case CMD_IO_DEMOD_FSK:
938 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
939 break;
940 case CMD_IO_CLONE_TAG:
941 CopyIOtoT55x7(c->arg[0], c->arg[1]);
942 break;
943 case CMD_EM410X_DEMOD:
944 CmdEM410xdemod(c->arg[0], 0, 0, 1);
945 break;
946 case CMD_EM410X_WRITE_TAG:
947 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
948 break;
949 case CMD_READ_TI_TYPE:
950 ReadTItag();
951 break;
952 case CMD_WRITE_TI_TYPE:
953 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
954 break;
955 case CMD_SIMULATE_TAG_125K:
956 LED_A_ON();
957 SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
958 LED_A_OFF();
959 break;
960 case CMD_LF_SIMULATE_BIDIR:
961 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
962 break;
963 case CMD_INDALA_CLONE_TAG:
964 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
965 break;
966 case CMD_INDALA_CLONE_TAG_L:
967 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
968 break;
969 case CMD_T55XX_READ_BLOCK:
970 T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
971 break;
972 case CMD_T55XX_WRITE_BLOCK:
973 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
974 break;
975 case CMD_T55XX_WAKEUP:
976 T55xxWakeUp(c->arg[0]);
977 break;
978 case CMD_T55XX_RESET_READ:
979 T55xxResetRead();
980 break;
981 case CMD_PCF7931_READ:
982 ReadPCF7931();
983 break;
984 case CMD_PCF7931_WRITE:
985 WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
986 break;
987 case CMD_EM4X_READ_WORD:
988 EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]);
989 break;
990 case CMD_EM4X_WRITE_WORD:
991 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
992 break;
993 case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
994 CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
995 break;
996 case CMD_VIKING_CLONE_TAG:
997 CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
998 break;
999 #endif
1000
1001 #ifdef WITH_HITAG
1002 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
1003 SnoopHitag(c->arg[0]);
1004 break;
1005 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
1006 SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1007 break;
1008 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
1009 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1010 break;
1011 #endif
1012
1013 #ifdef WITH_ISO15693
1014 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
1015 AcquireRawAdcSamplesIso15693();
1016 break;
1017 case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693:
1018 RecordRawAdcSamplesIso15693();
1019 break;
1020
1021 case CMD_ISO_15693_COMMAND:
1022 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1023 break;
1024
1025 case CMD_ISO_15693_FIND_AFI:
1026 BruteforceIso15693Afi(c->arg[0]);
1027 break;
1028
1029 case CMD_ISO_15693_DEBUG:
1030 SetDebugIso15693(c->arg[0]);
1031 break;
1032
1033 case CMD_READER_ISO_15693:
1034 ReaderIso15693(c->arg[0]);
1035 break;
1036 case CMD_SIMTAG_ISO_15693:
1037 SimTagIso15693(c->arg[0], c->d.asBytes);
1038 break;
1039 #endif
1040
1041 #ifdef WITH_LEGICRF
1042 case CMD_SIMULATE_TAG_LEGIC_RF:
1043 LegicRfSimulate(c->arg[0], c->arg[1], c->arg[2]);
1044 break;
1045
1046 case CMD_WRITER_LEGIC_RF:
1047 LegicRfWriter(c->arg[1], c->arg[0]);
1048 break;
1049
1050 case CMD_READER_LEGIC_RF:
1051 LegicRfReader(c->arg[0], c->arg[1]);
1052 break;
1053 #endif
1054
1055 #ifdef WITH_ISO14443b
1056 case CMD_READ_SRI512_TAG:
1057 ReadSTMemoryIso14443b(0x0F);
1058 break;
1059 case CMD_READ_SRIX4K_TAG:
1060 ReadSTMemoryIso14443b(0x7F);
1061 break;
1062 case CMD_SNOOP_ISO_14443B:
1063 SnoopIso14443b();
1064 break;
1065 case CMD_SIMULATE_TAG_ISO_14443B:
1066 SimulateIso14443bTag();
1067 break;
1068 case CMD_ISO_14443B_COMMAND:
1069 SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1070 break;
1071 #endif
1072
1073 #ifdef WITH_ISO14443a
1074 case CMD_SNOOP_ISO_14443a:
1075 SniffIso14443a(c->arg[0]);
1076 break;
1077 case CMD_READER_ISO_14443a:
1078 ReaderIso14443a(c);
1079 break;
1080 case CMD_SIMULATE_TAG_ISO_14443a:
1081 SimulateIso14443aTag(c->arg[0], c->arg[1], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
1082 break;
1083
1084 case CMD_EPA_PACE_COLLECT_NONCE:
1085 EPA_PACE_Collect_Nonce(c);
1086 break;
1087 case CMD_EPA_PACE_REPLAY:
1088 EPA_PACE_Replay(c);
1089 break;
1090
1091 case CMD_READER_MIFARE:
1092 ReaderMifare(c->arg[0]);
1093 break;
1094 case CMD_MIFARE_READBL:
1095 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1096 break;
1097 case CMD_MIFAREU_READBL:
1098 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
1099 break;
1100 case CMD_MIFAREUC_AUTH:
1101 MifareUC_Auth(c->arg[0],c->d.asBytes);
1102 break;
1103 case CMD_MIFAREU_READCARD:
1104 MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1105 break;
1106 case CMD_MIFAREUC_SETPWD:
1107 MifareUSetPwd(c->arg[0], c->d.asBytes);
1108 break;
1109 case CMD_MIFARE_READSC:
1110 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1111 break;
1112 case CMD_MIFARE_WRITEBL:
1113 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1114 break;
1115 //case CMD_MIFAREU_WRITEBL_COMPAT:
1116 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1117 //break;
1118 case CMD_MIFAREU_WRITEBL:
1119 MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
1120 break;
1121 case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES:
1122 MifareAcquireEncryptedNonces(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1123 break;
1124 case CMD_MIFARE_NESTED:
1125 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1126 break;
1127 case CMD_MIFARE_CHKKEYS:
1128 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1129 break;
1130 case CMD_SIMULATE_MIFARE_CARD:
1131 Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1132 break;
1133
1134 // emulator
1135 case CMD_MIFARE_SET_DBGMODE:
1136 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1137 break;
1138 case CMD_MIFARE_EML_MEMCLR:
1139 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1140 break;
1141 case CMD_MIFARE_EML_MEMSET:
1142 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1143 break;
1144 case CMD_MIFARE_EML_MEMGET:
1145 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1146 break;
1147 case CMD_MIFARE_EML_CARDLOAD:
1148 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1149 break;
1150
1151 // Work with "magic Chinese" card
1152 case CMD_MIFARE_CSETBLOCK:
1153 MifareCSetBlock(c->arg[0], c->arg[1], c->d.asBytes);
1154 break;
1155 case CMD_MIFARE_CGETBLOCK:
1156 MifareCGetBlock(c->arg[0], c->arg[1], c->d.asBytes);
1157 break;
1158 case CMD_MIFARE_CIDENT:
1159 MifareCIdent();
1160 break;
1161
1162 // mifare sniffer
1163 case CMD_MIFARE_SNIFFER:
1164 SniffMifare(c->arg[0]);
1165 break;
1166
1167 //mifare desfire
1168 case CMD_MIFARE_DESFIRE_READBL: break;
1169 case CMD_MIFARE_DESFIRE_WRITEBL: break;
1170 case CMD_MIFARE_DESFIRE_AUTH1:
1171 MifareDES_Auth1(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1172 break;
1173 case CMD_MIFARE_DESFIRE_AUTH2:
1174 //MifareDES_Auth2(c->arg[0],c->d.asBytes);
1175 break;
1176 case CMD_MIFARE_DES_READER:
1177 //readermifaredes(c->arg[0], c->arg[1], c->d.asBytes);
1178 break;
1179 case CMD_MIFARE_DESFIRE_INFO:
1180 MifareDesfireGetInformation();
1181 break;
1182 case CMD_MIFARE_DESFIRE:
1183 MifareSendCommand(c->arg[0], c->arg[1], c->d.asBytes);
1184 break;
1185
1186 case CMD_MIFARE_COLLECT_NONCES:
1187 break;
1188 #endif
1189
1190 #ifdef WITH_ICLASS
1191 // Makes use of ISO14443a FPGA Firmware
1192 case CMD_SNOOP_ICLASS:
1193 SnoopIClass();
1194 break;
1195 case CMD_SIMULATE_TAG_ICLASS:
1196 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1197 break;
1198 case CMD_READER_ICLASS:
1199 ReaderIClass(c->arg[0]);
1200 break;
1201 case CMD_READER_ICLASS_REPLAY:
1202 ReaderIClass_Replay(c->arg[0], c->d.asBytes);
1203 break;
1204 case CMD_ICLASS_EML_MEMSET:
1205 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
1206 break;
1207 case CMD_ICLASS_WRITEBLOCK:
1208 iClass_WriteBlock(c->arg[0], c->d.asBytes);
1209 break;
1210 case CMD_ICLASS_READCHECK: // auth step 1
1211 iClass_ReadCheck(c->arg[0], c->arg[1]);
1212 break;
1213 case CMD_ICLASS_READBLOCK:
1214 iClass_ReadBlk(c->arg[0]);
1215 break;
1216 case CMD_ICLASS_AUTHENTICATION: //check
1217 iClass_Authentication(c->d.asBytes);
1218 break;
1219 case CMD_ICLASS_DUMP:
1220 iClass_Dump(c->arg[0], c->arg[1]);
1221 break;
1222 case CMD_ICLASS_CLONE:
1223 iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
1224 break;
1225 #endif
1226 #ifdef WITH_HFSNOOP
1227 case CMD_HF_SNIFFER:
1228 HfSnoop(c->arg[0], c->arg[1]);
1229 break;
1230 #endif
1231
1232 case CMD_BUFF_CLEAR:
1233 BigBuf_Clear();
1234 break;
1235
1236 case CMD_MEASURE_ANTENNA_TUNING:
1237 MeasureAntennaTuning();
1238 break;
1239
1240 case CMD_MEASURE_ANTENNA_TUNING_HF:
1241 MeasureAntennaTuningHf();
1242 break;
1243
1244 case CMD_LISTEN_READER_FIELD:
1245 ListenReaderField(c->arg[0]);
1246 break;
1247
1248 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
1249 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1250 SpinDelay(200);
1251 LED_D_OFF(); // LED D indicates field ON or OFF
1252 break;
1253
1254 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K:
1255
1256 LED_B_ON();
1257 uint8_t *BigBuf = BigBuf_get_addr();
1258 size_t len = 0;
1259 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
1260 len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
1261 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
1262 }
1263 // Trigger a finish downloading signal with an ACK frame
1264 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
1265 LED_B_OFF();
1266 break;
1267
1268 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
1269 uint8_t *b = BigBuf_get_addr();
1270 memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1271 cmd_send(CMD_ACK,0,0,0,0,0);
1272 break;
1273 }
1274 case CMD_READ_MEM:
1275 ReadMem(c->arg[0]);
1276 break;
1277
1278 case CMD_SET_LF_DIVISOR:
1279 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1280 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
1281 break;
1282
1283 case CMD_SET_ADC_MUX:
1284 switch(c->arg[0]) {
1285 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1286 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1287 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1288 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1289 }
1290 break;
1291
1292 case CMD_VERSION:
1293 SendVersion();
1294 break;
1295 case CMD_STATUS:
1296 SendStatus();
1297 break;
1298 case CMD_PING:
1299 cmd_send(CMD_ACK,0,0,0,0,0);
1300 break;
1301 #ifdef WITH_LCD
1302 case CMD_LCD_RESET:
1303 LCDReset();
1304 break;
1305 case CMD_LCD:
1306 LCDSend(c->arg[0]);
1307 break;
1308 #endif
1309 case CMD_SETUP_WRITE:
1310 case CMD_FINISH_WRITE:
1311 case CMD_HARDWARE_RESET:
1312 usb_disable();
1313 SpinDelay(2000);
1314 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1315 for(;;) {
1316 // We're going to reset, and the bootrom will take control.
1317 }
1318 break;
1319
1320 case CMD_START_FLASH:
1321 if(common_area.flags.bootrom_present) {
1322 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1323 }
1324 usb_disable();
1325 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1326 for(;;);
1327 break;
1328
1329 case CMD_DEVICE_INFO: {
1330 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1331 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1332 cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1333 break;
1334 }
1335 default:
1336 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1337 break;
1338 }
1339 }
1340
1341 void __attribute__((noreturn)) AppMain(void)
1342 {
1343 SpinDelay(100);
1344 clear_trace();
1345 if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
1346 /* Initialize common area */
1347 memset(&common_area, 0, sizeof(common_area));
1348 common_area.magic = COMMON_AREA_MAGIC;
1349 common_area.version = 1;
1350 }
1351 common_area.flags.osimage_present = 1;
1352
1353 LED_D_OFF();
1354 LED_C_OFF();
1355 LED_B_OFF();
1356 LED_A_OFF();
1357
1358 // Init USB device
1359 usb_enable();
1360
1361 // The FPGA gets its clock from us from PCK0 output, so set that up.
1362 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
1363 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
1364 AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
1365 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1366 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
1367 AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
1368 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
1369
1370 // Reset SPI
1371 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
1372 // Reset SSC
1373 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
1374
1375 // Load the FPGA image, which we have stored in our flash.
1376 // (the HF version by default)
1377 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1378
1379 StartTickCount();
1380
1381 #ifdef WITH_LCD
1382 LCDInit();
1383 #endif
1384
1385 byte_t rx[sizeof(UsbCommand)];
1386 size_t rx_len;
1387
1388 for(;;) {
1389 if (usb_poll()) {
1390 rx_len = usb_read(rx,sizeof(UsbCommand));
1391 if (rx_len) {
1392 UsbPacketReceived(rx,rx_len);
1393 }
1394 }
1395 WDT_HIT();
1396
1397 #ifdef WITH_LF
1398 #ifndef WITH_ISO14443a_StandAlone
1399 if (BUTTON_HELD(1000) > 0)
1400 SamyRun();
1401 #endif
1402 #endif
1403 #ifdef WITH_ISO14443a
1404 #ifdef WITH_ISO14443a_StandAlone
1405 if (BUTTON_HELD(1000) > 0)
1406 StandAloneMode14a();
1407 #endif
1408 #endif
1409 }
1410 }
Proxmark3 GIT tracking
Impressum, Datenschutz