]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443a.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
cleaned up some code
[proxmark3-svn] / armsrc / iso14443a.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // Routines to support ISO 14443 type A.
11 //-----------------------------------------------------------------------------
12
13 #include "proxmark3.h"
14 #include "apps.h"
15 #include "util.h"
16 #include "string.h"
17
18 #include "iso14443crc.h"
19 #include "iso14443a.h"
20 #include "crapto1.h"
21 #include "mifareutil.h"
22
23 static uint32_t iso14a_timeout;
24 uint8_t *trace = (uint8_t *) BigBuf;
25 int traceLen = 0;
26 int rsamples = 0;
27 int tracing = TRUE;
28 uint8_t trigger = 0;
29
30 // CARD TO READER - manchester
31 // Sequence D: 11110000 modulation with subcarrier during first half
32 // Sequence E: 00001111 modulation with subcarrier during second half
33 // Sequence F: 00000000 no modulation with subcarrier
34 // READER TO CARD - miller
35 // Sequence X: 00001100 drop after half a period
36 // Sequence Y: 00000000 no drop
37 // Sequence Z: 11000000 drop at start
38 #define SEC_D 0xf0
39 #define SEC_E 0x0f
40 #define SEC_F 0x00
41 #define SEC_X 0x0c
42 #define SEC_Y 0x00
43 #define SEC_Z 0xc0
44
45 const uint8_t OddByteParity[256] = {
46 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
47 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
48 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
49 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
50 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
51 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
52 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
55 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
56 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
57 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
58 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
59 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
60 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
61 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
62 };
63
64
65 void iso14a_set_trigger(int enable) {
66 trigger = enable;
67 }
68
69 void iso14a_clear_tracelen(void) {
70 traceLen = 0;
71 }
72 void iso14a_set_tracing(int enable) {
73 tracing = enable;
74 }
75
76 //-----------------------------------------------------------------------------
77 // Generate the parity value for a byte sequence
78 //
79 //-----------------------------------------------------------------------------
80 byte_t oddparity (const byte_t bt)
81 {
82 return OddByteParity[bt];
83 }
84
85 uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
86 {
87 int i;
88 uint32_t dwPar = 0;
89
90 // Generate the encrypted data
91 for (i = 0; i < iLen; i++) {
92 // Save the encrypted parity bit
93 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
94 }
95 return dwPar;
96 }
97
98 void AppendCrc14443a(uint8_t* data, int len)
99 {
100 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
101 }
102
103 // The function LogTrace() is also used by the iClass implementation in iClass.c
104 int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
105 {
106 // Return when trace is full
107 if (traceLen >= TRACE_SIZE) return FALSE;
108
109 // Trace the random, i'm curious
110 rsamples += iSamples;
111 trace[traceLen++] = ((rsamples >> 0) & 0xff);
112 trace[traceLen++] = ((rsamples >> 8) & 0xff);
113 trace[traceLen++] = ((rsamples >> 16) & 0xff);
114 trace[traceLen++] = ((rsamples >> 24) & 0xff);
115 if (!bReader) {
116 trace[traceLen - 1] |= 0x80;
117 }
118 trace[traceLen++] = ((dwParity >> 0) & 0xff);
119 trace[traceLen++] = ((dwParity >> 8) & 0xff);
120 trace[traceLen++] = ((dwParity >> 16) & 0xff);
121 trace[traceLen++] = ((dwParity >> 24) & 0xff);
122 trace[traceLen++] = iLen;
123 memcpy(trace + traceLen, btBytes, iLen);
124 traceLen += iLen;
125 return TRUE;
126 }
127
128 //-----------------------------------------------------------------------------
129 // The software UART that receives commands from the reader, and its state
130 // variables.
131 //-----------------------------------------------------------------------------
132 static struct {
133 enum {
134 STATE_UNSYNCD,
135 STATE_START_OF_COMMUNICATION,
136 STATE_MILLER_X,
137 STATE_MILLER_Y,
138 STATE_MILLER_Z,
139 STATE_ERROR_WAIT
140 } state;
141 uint16_t shiftReg;
142 int bitCnt;
143 int byteCnt;
144 int byteCntMax;
145 int posCnt;
146 int syncBit;
147 int parityBits;
148 int samples;
149 int highCnt;
150 int bitBuffer;
151 enum {
152 DROP_NONE,
153 DROP_FIRST_HALF,
154 DROP_SECOND_HALF
155 } drop;
156 uint8_t *output;
157 } Uart;
158
159 static RAMFUNC int MillerDecoding(int bit)
160 {
161 //int error = 0;
162 int bitright;
163
164 if(!Uart.bitBuffer) {
165 Uart.bitBuffer = bit ^ 0xFF0;
166 return FALSE;
167 }
168 else {
169 Uart.bitBuffer <<= 4;
170 Uart.bitBuffer ^= bit;
171 }
172
173 int EOC = FALSE;
174
175 if(Uart.state != STATE_UNSYNCD) {
176 Uart.posCnt++;
177
178 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
179 bit = 0x00;
180 }
181 else {
182 bit = 0x01;
183 }
184 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
185 bitright = 0x00;
186 }
187 else {
188 bitright = 0x01;
189 }
190 if(bit != bitright) { bit = bitright; }
191
192 if(Uart.posCnt == 1) {
193 // measurement first half bitperiod
194 if(!bit) {
195 Uart.drop = DROP_FIRST_HALF;
196 }
197 }
198 else {
199 // measurement second half bitperiod
200 if(!bit & (Uart.drop == DROP_NONE)) {
201 Uart.drop = DROP_SECOND_HALF;
202 }
203 else if(!bit) {
204 // measured a drop in first and second half
205 // which should not be possible
206 Uart.state = STATE_ERROR_WAIT;
207 //error = 0x01;
208 }
209
210 Uart.posCnt = 0;
211
212 switch(Uart.state) {
213 case STATE_START_OF_COMMUNICATION:
214 Uart.shiftReg = 0;
215 if(Uart.drop == DROP_SECOND_HALF) {
216 // error, should not happen in SOC
217 Uart.state = STATE_ERROR_WAIT;
218 //error = 0x02;
219 }
220 else {
221 // correct SOC
222 Uart.state = STATE_MILLER_Z;
223 }
224 break;
225
226 case STATE_MILLER_Z:
227 Uart.bitCnt++;
228 Uart.shiftReg >>= 1;
229 if(Uart.drop == DROP_NONE) {
230 // logic '0' followed by sequence Y
231 // end of communication
232 Uart.state = STATE_UNSYNCD;
233 EOC = TRUE;
234 }
235 // if(Uart.drop == DROP_FIRST_HALF) {
236 // Uart.state = STATE_MILLER_Z; stay the same
237 // we see a logic '0' }
238 if(Uart.drop == DROP_SECOND_HALF) {
239 // we see a logic '1'
240 Uart.shiftReg |= 0x100;
241 Uart.state = STATE_MILLER_X;
242 }
243 break;
244
245 case STATE_MILLER_X:
246 Uart.shiftReg >>= 1;
247 if(Uart.drop == DROP_NONE) {
248 // sequence Y, we see a '0'
249 Uart.state = STATE_MILLER_Y;
250 Uart.bitCnt++;
251 }
252 if(Uart.drop == DROP_FIRST_HALF) {
253 // Would be STATE_MILLER_Z
254 // but Z does not follow X, so error
255 Uart.state = STATE_ERROR_WAIT;
256 //error = 0x03;
257 }
258 if(Uart.drop == DROP_SECOND_HALF) {
259 // We see a '1' and stay in state X
260 Uart.shiftReg |= 0x100;
261 Uart.bitCnt++;
262 }
263 break;
264
265 case STATE_MILLER_Y:
266 Uart.bitCnt++;
267 Uart.shiftReg >>= 1;
268 if(Uart.drop == DROP_NONE) {
269 // logic '0' followed by sequence Y
270 // end of communication
271 Uart.state = STATE_UNSYNCD;
272 EOC = TRUE;
273 }
274 if(Uart.drop == DROP_FIRST_HALF) {
275 // we see a '0'
276 Uart.state = STATE_MILLER_Z;
277 }
278 if(Uart.drop == DROP_SECOND_HALF) {
279 // We see a '1' and go to state X
280 Uart.shiftReg |= 0x100;
281 Uart.state = STATE_MILLER_X;
282 }
283 break;
284
285 case STATE_ERROR_WAIT:
286 // That went wrong. Now wait for at least two bit periods
287 // and try to sync again
288 if(Uart.drop == DROP_NONE) {
289 Uart.highCnt = 6;
290 Uart.state = STATE_UNSYNCD;
291 }
292 break;
293
294 default:
295 Uart.state = STATE_UNSYNCD;
296 Uart.highCnt = 0;
297 break;
298 }
299
300 Uart.drop = DROP_NONE;
301
302 // should have received at least one whole byte...
303 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
304 return TRUE;
305 }
306
307 if(Uart.bitCnt == 9) {
308 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
309 Uart.byteCnt++;
310
311 Uart.parityBits <<= 1;
312 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
313
314 if(EOC) {
315 // when End of Communication received and
316 // all data bits processed..
317 return TRUE;
318 }
319 Uart.bitCnt = 0;
320 }
321
322 /*if(error) {
323 Uart.output[Uart.byteCnt] = 0xAA;
324 Uart.byteCnt++;
325 Uart.output[Uart.byteCnt] = error & 0xFF;
326 Uart.byteCnt++;
327 Uart.output[Uart.byteCnt] = 0xAA;
328 Uart.byteCnt++;
329 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
330 Uart.byteCnt++;
331 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
332 Uart.byteCnt++;
333 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
334 Uart.byteCnt++;
335 Uart.output[Uart.byteCnt] = 0xAA;
336 Uart.byteCnt++;
337 return TRUE;
338 }*/
339 }
340
341 }
342 else {
343 bit = Uart.bitBuffer & 0xf0;
344 bit >>= 4;
345 bit ^= 0x0F;
346 if(bit) {
347 // should have been high or at least (4 * 128) / fc
348 // according to ISO this should be at least (9 * 128 + 20) / fc
349 if(Uart.highCnt == 8) {
350 // we went low, so this could be start of communication
351 // it turns out to be safer to choose a less significant
352 // syncbit... so we check whether the neighbour also represents the drop
353 Uart.posCnt = 1; // apparently we are busy with our first half bit period
354 Uart.syncBit = bit & 8;
355 Uart.samples = 3;
356 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
357 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
358 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
359 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
360 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
361 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
362 Uart.syncBit = 8;
363
364 // the first half bit period is expected in next sample
365 Uart.posCnt = 0;
366 Uart.samples = 3;
367 }
368 }
369 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
370
371 Uart.syncBit <<= 4;
372 Uart.state = STATE_START_OF_COMMUNICATION;
373 Uart.drop = DROP_FIRST_HALF;
374 Uart.bitCnt = 0;
375 Uart.byteCnt = 0;
376 Uart.parityBits = 0;
377 //error = 0;
378 }
379 else {
380 Uart.highCnt = 0;
381 }
382 }
383 else {
384 if(Uart.highCnt < 8) {
385 Uart.highCnt++;
386 }
387 }
388 }
389
390 return FALSE;
391 }
392
393 //=============================================================================
394 // ISO 14443 Type A - Manchester
395 //=============================================================================
396
397 static struct {
398 enum {
399 DEMOD_UNSYNCD,
400 DEMOD_START_OF_COMMUNICATION,
401 DEMOD_MANCHESTER_D,
402 DEMOD_MANCHESTER_E,
403 DEMOD_MANCHESTER_F,
404 DEMOD_ERROR_WAIT
405 } state;
406 int bitCount;
407 int posCount;
408 int syncBit;
409 int parityBits;
410 uint16_t shiftReg;
411 int buffer;
412 int buff;
413 int samples;
414 int len;
415 enum {
416 SUB_NONE,
417 SUB_FIRST_HALF,
418 SUB_SECOND_HALF
419 } sub;
420 uint8_t *output;
421 } Demod;
422
423 static RAMFUNC int ManchesterDecoding(int v)
424 {
425 int bit;
426 int modulation;
427 //int error = 0;
428
429 if(!Demod.buff) {
430 Demod.buff = 1;
431 Demod.buffer = v;
432 return FALSE;
433 }
434 else {
435 bit = Demod.buffer;
436 Demod.buffer = v;
437 }
438
439 if(Demod.state==DEMOD_UNSYNCD) {
440 Demod.output[Demod.len] = 0xfa;
441 Demod.syncBit = 0;
442 //Demod.samples = 0;
443 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
444
445 if(bit & 0x08) {
446 Demod.syncBit = 0x08;
447 }
448
449 if(bit & 0x04) {
450 if(Demod.syncBit) {
451 bit <<= 4;
452 }
453 Demod.syncBit = 0x04;
454 }
455
456 if(bit & 0x02) {
457 if(Demod.syncBit) {
458 bit <<= 2;
459 }
460 Demod.syncBit = 0x02;
461 }
462
463 if(bit & 0x01 && Demod.syncBit) {
464 Demod.syncBit = 0x01;
465 }
466
467 if(Demod.syncBit) {
468 Demod.len = 0;
469 Demod.state = DEMOD_START_OF_COMMUNICATION;
470 Demod.sub = SUB_FIRST_HALF;
471 Demod.bitCount = 0;
472 Demod.shiftReg = 0;
473 Demod.parityBits = 0;
474 Demod.samples = 0;
475 if(Demod.posCount) {
476 if(trigger) LED_A_OFF();
477 switch(Demod.syncBit) {
478 case 0x08: Demod.samples = 3; break;
479 case 0x04: Demod.samples = 2; break;
480 case 0x02: Demod.samples = 1; break;
481 case 0x01: Demod.samples = 0; break;
482 }
483 }
484 //error = 0;
485 }
486 }
487 else {
488 //modulation = bit & Demod.syncBit;
489 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
490
491 Demod.samples += 4;
492
493 if(Demod.posCount==0) {
494 Demod.posCount = 1;
495 if(modulation) {
496 Demod.sub = SUB_FIRST_HALF;
497 }
498 else {
499 Demod.sub = SUB_NONE;
500 }
501 }
502 else {
503 Demod.posCount = 0;
504 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
505 if(Demod.state!=DEMOD_ERROR_WAIT) {
506 Demod.state = DEMOD_ERROR_WAIT;
507 Demod.output[Demod.len] = 0xaa;
508 //error = 0x01;
509 }
510 }
511 else if(modulation) {
512 Demod.sub = SUB_SECOND_HALF;
513 }
514
515 switch(Demod.state) {
516 case DEMOD_START_OF_COMMUNICATION:
517 if(Demod.sub == SUB_FIRST_HALF) {
518 Demod.state = DEMOD_MANCHESTER_D;
519 }
520 else {
521 Demod.output[Demod.len] = 0xab;
522 Demod.state = DEMOD_ERROR_WAIT;
523 //error = 0x02;
524 }
525 break;
526
527 case DEMOD_MANCHESTER_D:
528 case DEMOD_MANCHESTER_E:
529 if(Demod.sub == SUB_FIRST_HALF) {
530 Demod.bitCount++;
531 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
532 Demod.state = DEMOD_MANCHESTER_D;
533 }
534 else if(Demod.sub == SUB_SECOND_HALF) {
535 Demod.bitCount++;
536 Demod.shiftReg >>= 1;
537 Demod.state = DEMOD_MANCHESTER_E;
538 }
539 else {
540 Demod.state = DEMOD_MANCHESTER_F;
541 }
542 break;
543
544 case DEMOD_MANCHESTER_F:
545 // Tag response does not need to be a complete byte!
546 if(Demod.len > 0 || Demod.bitCount > 0) {
547 if(Demod.bitCount > 0) {
548 Demod.shiftReg >>= (9 - Demod.bitCount);
549 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
550 Demod.len++;
551 // No parity bit, so just shift a 0
552 Demod.parityBits <<= 1;
553 }
554
555 Demod.state = DEMOD_UNSYNCD;
556 return TRUE;
557 }
558 else {
559 Demod.output[Demod.len] = 0xad;
560 Demod.state = DEMOD_ERROR_WAIT;
561 //error = 0x03;
562 }
563 break;
564
565 case DEMOD_ERROR_WAIT:
566 Demod.state = DEMOD_UNSYNCD;
567 break;
568
569 default:
570 Demod.output[Demod.len] = 0xdd;
571 Demod.state = DEMOD_UNSYNCD;
572 break;
573 }
574
575 if(Demod.bitCount>=9) {
576 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
577 Demod.len++;
578
579 Demod.parityBits <<= 1;
580 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
581
582 Demod.bitCount = 0;
583 Demod.shiftReg = 0;
584 }
585
586 /*if(error) {
587 Demod.output[Demod.len] = 0xBB;
588 Demod.len++;
589 Demod.output[Demod.len] = error & 0xFF;
590 Demod.len++;
591 Demod.output[Demod.len] = 0xBB;
592 Demod.len++;
593 Demod.output[Demod.len] = bit & 0xFF;
594 Demod.len++;
595 Demod.output[Demod.len] = Demod.buffer & 0xFF;
596 Demod.len++;
597 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
598 Demod.len++;
599 Demod.output[Demod.len] = 0xBB;
600 Demod.len++;
601 return TRUE;
602 }*/
603
604 }
605
606 } // end (state != UNSYNCED)
607
608 return FALSE;
609 }
610
611 //=============================================================================
612 // Finally, a `sniffer' for ISO 14443 Type A
613 // Both sides of communication!
614 //=============================================================================
615
616 //-----------------------------------------------------------------------------
617 // Record the sequence of commands sent by the reader to the tag, with
618 // triggering so that we start recording at the point that the tag is moved
619 // near the reader.
620 //-----------------------------------------------------------------------------
621 void RAMFUNC SnoopIso14443a(void)
622 {
623 // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
624 // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
625 // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
626 // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
627 // #define TRACE_SIZE 2000 // original (working as of 21/2/09) values
628
629 // We won't start recording the frames that we acquire until we trigger;
630 // a good trigger condition to get started is probably when we see a
631 // response from the tag.
632 int triggered = FALSE; // FALSE to wait first for card
633
634 // The command (reader -> tag) that we're receiving.
635 // The length of a received command will in most cases be no more than 18 bytes.
636 // So 32 should be enough!
637 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
638 // The response (tag -> reader) that we're receiving.
639 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
640
641 // As we receive stuff, we copy it from receivedCmd or receivedResponse
642 // into trace, along with its length and other annotations.
643 //uint8_t *trace = (uint8_t *)BigBuf;
644
645 traceLen = 0; // uncommented to fix ISSUE 15 - gerhard - jan2011
646
647 // The DMA buffer, used to stream samples from the FPGA
648 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
649 int lastRxCounter;
650 int8_t *upTo;
651 int smpl;
652 int maxBehindBy = 0;
653
654 // Count of samples received so far, so that we can include timing
655 // information in the trace buffer.
656 int samples = 0;
657 int rsamples = 0;
658
659 memset(trace, 0x44, TRACE_SIZE);
660
661 // Set up the demodulator for tag -> reader responses.
662 Demod.output = receivedResponse;
663 Demod.len = 0;
664 Demod.state = DEMOD_UNSYNCD;
665
666 // Setup for the DMA.
667 FpgaSetupSsc();
668 upTo = dmaBuf;
669 lastRxCounter = DMA_BUFFER_SIZE;
670 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
671
672 // And the reader -> tag commands
673 memset(&Uart, 0, sizeof(Uart));
674 Uart.output = receivedCmd;
675 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
676 Uart.state = STATE_UNSYNCD;
677
678 // And put the FPGA in the appropriate mode
679 // Signal field is off with the appropriate LED
680 LED_D_OFF();
681 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
682 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
683
684
685 // And now we loop, receiving samples.
686 for(;;) {
687 LED_A_ON();
688 WDT_HIT();
689 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
690 (DMA_BUFFER_SIZE-1);
691 if(behindBy > maxBehindBy) {
692 maxBehindBy = behindBy;
693 if(behindBy > 400) {
694 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
695 goto done;
696 }
697 }
698 if(behindBy < 1) continue;
699
700 LED_A_OFF();
701 smpl = upTo[0];
702 upTo++;
703 lastRxCounter -= 1;
704 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
705 upTo -= DMA_BUFFER_SIZE;
706 lastRxCounter += DMA_BUFFER_SIZE;
707 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
708 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
709 }
710
711 samples += 4;
712 if(MillerDecoding((smpl & 0xF0) >> 4)) {
713 rsamples = samples - Uart.samples;
714 LED_C_ON();
715 if(triggered) {
716 trace[traceLen++] = ((rsamples >> 0) & 0xff);
717 trace[traceLen++] = ((rsamples >> 8) & 0xff);
718 trace[traceLen++] = ((rsamples >> 16) & 0xff);
719 trace[traceLen++] = ((rsamples >> 24) & 0xff);
720 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
721 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
722 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
723 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
724 trace[traceLen++] = Uart.byteCnt;
725 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
726 traceLen += Uart.byteCnt;
727 if(traceLen > TRACE_SIZE) break;
728 }
729 /* And ready to receive another command. */
730 Uart.state = STATE_UNSYNCD;
731 /* And also reset the demod code, which might have been */
732 /* false-triggered by the commands from the reader. */
733 Demod.state = DEMOD_UNSYNCD;
734 LED_B_OFF();
735 }
736
737 if(ManchesterDecoding(smpl & 0x0F)) {
738 rsamples = samples - Demod.samples;
739 LED_B_ON();
740
741 // timestamp, as a count of samples
742 trace[traceLen++] = ((rsamples >> 0) & 0xff);
743 trace[traceLen++] = ((rsamples >> 8) & 0xff);
744 trace[traceLen++] = ((rsamples >> 16) & 0xff);
745 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
746 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
747 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
748 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
749 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
750 // length
751 trace[traceLen++] = Demod.len;
752 memcpy(trace+traceLen, receivedResponse, Demod.len);
753 traceLen += Demod.len;
754 if(traceLen > TRACE_SIZE) break;
755
756 triggered = TRUE;
757
758 // And ready to receive another response.
759 memset(&Demod, 0, sizeof(Demod));
760 Demod.output = receivedResponse;
761 Demod.state = DEMOD_UNSYNCD;
762 LED_C_OFF();
763 }
764
765 if(BUTTON_PRESS()) {
766 DbpString("cancelled_a");
767 goto done;
768 }
769 }
770
771 DbpString("COMMAND FINISHED");
772
773 done:
774 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
775 Dbprintf("maxBehindBy=%x, Uart.state=%x, Uart.byteCnt=%x", maxBehindBy, Uart.state, Uart.byteCnt);
776 Dbprintf("Uart.byteCntMax=%x, traceLen=%x, Uart.output[0]=%x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
777 LED_A_OFF();
778 LED_B_OFF();
779 LED_C_OFF();
780 LED_D_OFF();
781 }
782
783 //-----------------------------------------------------------------------------
784 // Prepare tag messages
785 //-----------------------------------------------------------------------------
786 static void CodeIso14443aAsTagPar(const uint8_t *cmd, int len, uint32_t dwParity)
787 {
788 int i;
789
790 ToSendReset();
791
792 // Correction bit, might be removed when not needed
793 ToSendStuffBit(0);
794 ToSendStuffBit(0);
795 ToSendStuffBit(0);
796 ToSendStuffBit(0);
797 ToSendStuffBit(1); // 1
798 ToSendStuffBit(0);
799 ToSendStuffBit(0);
800 ToSendStuffBit(0);
801
802 // Send startbit
803 ToSend[++ToSendMax] = SEC_D;
804
805 for(i = 0; i < len; i++) {
806 int j;
807 uint8_t b = cmd[i];
808
809 // Data bits
810 for(j = 0; j < 8; j++) {
811 if(b & 1) {
812 ToSend[++ToSendMax] = SEC_D;
813 } else {
814 ToSend[++ToSendMax] = SEC_E;
815 }
816 b >>= 1;
817 }
818
819 // Get the parity bit
820 if ((dwParity >> i) & 0x01) {
821 ToSend[++ToSendMax] = SEC_D;
822 } else {
823 ToSend[++ToSendMax] = SEC_E;
824 }
825 }
826
827 // Send stopbit
828 ToSend[++ToSendMax] = SEC_F;
829
830 // Convert from last byte pos to length
831 ToSendMax++;
832 }
833
834 static void CodeIso14443aAsTag(const uint8_t *cmd, int len){
835 CodeIso14443aAsTagPar(cmd, len, GetParity(cmd, len));
836 }
837
838 //-----------------------------------------------------------------------------
839 // This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
840 //-----------------------------------------------------------------------------
841 static void CodeStrangeAnswerAsTag()
842 {
843 int i;
844
845 ToSendReset();
846
847 // Correction bit, might be removed when not needed
848 ToSendStuffBit(0);
849 ToSendStuffBit(0);
850 ToSendStuffBit(0);
851 ToSendStuffBit(0);
852 ToSendStuffBit(1); // 1
853 ToSendStuffBit(0);
854 ToSendStuffBit(0);
855 ToSendStuffBit(0);
856
857 // Send startbit
858 ToSend[++ToSendMax] = SEC_D;
859
860 // 0
861 ToSend[++ToSendMax] = SEC_E;
862
863 // 0
864 ToSend[++ToSendMax] = SEC_E;
865
866 // 1
867 ToSend[++ToSendMax] = SEC_D;
868
869 // Send stopbit
870 ToSend[++ToSendMax] = SEC_F;
871
872 // Flush the buffer in FPGA!!
873 for(i = 0; i < 5; i++) {
874 ToSend[++ToSendMax] = SEC_F;
875 }
876
877 // Convert from last byte pos to length
878 ToSendMax++;
879 }
880
881 static void Code4bitAnswerAsTag(uint8_t cmd)
882 {
883 int i;
884
885 ToSendReset();
886
887 // Correction bit, might be removed when not needed
888 ToSendStuffBit(0);
889 ToSendStuffBit(0);
890 ToSendStuffBit(0);
891 ToSendStuffBit(0);
892 ToSendStuffBit(1); // 1
893 ToSendStuffBit(0);
894 ToSendStuffBit(0);
895 ToSendStuffBit(0);
896
897 // Send startbit
898 ToSend[++ToSendMax] = SEC_D;
899
900 uint8_t b = cmd;
901 for(i = 0; i < 4; i++) {
902 if(b & 1) {
903 ToSend[++ToSendMax] = SEC_D;
904 } else {
905 ToSend[++ToSendMax] = SEC_E;
906 }
907 b >>= 1;
908 }
909
910 // Send stopbit
911 ToSend[++ToSendMax] = SEC_F;
912
913 // Flush the buffer in FPGA!!
914 for(i = 0; i < 5; i++) {
915 ToSend[++ToSendMax] = SEC_F;
916 }
917
918 // Convert from last byte pos to length
919 ToSendMax++;
920 }
921
922 //-----------------------------------------------------------------------------
923 // Wait for commands from reader
924 // Stop when button is pressed
925 // Or return TRUE when command is captured
926 //-----------------------------------------------------------------------------
927 static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
928 {
929 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
930 // only, since we are receiving, not transmitting).
931 // Signal field is off with the appropriate LED
932 LED_D_OFF();
933 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
934
935 // Now run a `software UART' on the stream of incoming samples.
936 Uart.output = received;
937 Uart.byteCntMax = maxLen;
938 Uart.state = STATE_UNSYNCD;
939
940 for(;;) {
941 WDT_HIT();
942
943 if(BUTTON_PRESS()) return FALSE;
944
945 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
946 AT91C_BASE_SSC->SSC_THR = 0x00;
947 }
948 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
949 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
950 if(MillerDecoding((b & 0xf0) >> 4)) {
951 *len = Uart.byteCnt;
952 return TRUE;
953 }
954 if(MillerDecoding(b & 0x0f)) {
955 *len = Uart.byteCnt;
956 return TRUE;
957 }
958 }
959 }
960 }
961 static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded);
962
963 //-----------------------------------------------------------------------------
964 // Main loop of simulated tag: receive commands from reader, decide what
965 // response to send, and send it.
966 //-----------------------------------------------------------------------------
967 void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd)
968 {
969 // Enable and clear the trace
970 tracing = TRUE;
971 traceLen = 0;
972 memset(trace, 0x44, TRACE_SIZE);
973
974 // This function contains the tag emulation
975 uint8_t sak;
976
977 // The first response contains the ATQA (note: bytes are transmitted in reverse order).
978 uint8_t response1[2];
979
980 switch (tagType) {
981 case 1: { // MIFARE Classic
982 // Says: I am Mifare 1k - original line
983 response1[0] = 0x04;
984 response1[1] = 0x00;
985 sak = 0x08;
986 } break;
987 case 2: { // MIFARE Ultralight
988 // Says: I am a stupid memory tag, no crypto
989 response1[0] = 0x04;
990 response1[1] = 0x00;
991 sak = 0x00;
992 } break;
993 case 3: { // MIFARE DESFire
994 // Says: I am a DESFire tag, ph33r me
995 response1[0] = 0x04;
996 response1[1] = 0x03;
997 sak = 0x20;
998 } break;
999 case 4: { // ISO/IEC 14443-4
1000 // Says: I am a javacard (JCOP)
1001 response1[0] = 0x04;
1002 response1[1] = 0x00;
1003 sak = 0x28;
1004 } break;
1005 default: {
1006 Dbprintf("Error: unkown tagtype (%d)",tagType);
1007 return;
1008 } break;
1009 }
1010
1011 // The second response contains the (mandatory) first 24 bits of the UID
1012 uint8_t response2[5];
1013
1014 // Check if the uid uses the (optional) part
1015 uint8_t response2a[5];
1016 if (uid_2nd) {
1017 response2[0] = 0x88;
1018 num_to_bytes(uid_1st,3,response2+1);
1019 num_to_bytes(uid_2nd,4,response2a);
1020 response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3];
1021
1022 // Configure the ATQA and SAK accordingly
1023 response1[0] |= 0x40;
1024 sak |= 0x04;
1025 } else {
1026 num_to_bytes(uid_1st,4,response2);
1027 // Configure the ATQA and SAK accordingly
1028 response1[0] &= 0xBF;
1029 sak &= 0xFB;
1030 }
1031
1032 // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
1033 response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
1034
1035 // Prepare the mandatory SAK (for 4 and 7 byte UID)
1036 uint8_t response3[3];
1037 response3[0] = sak;
1038 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
1039
1040 // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
1041 uint8_t response3a[3];
1042 response3a[0] = sak & 0xFB;
1043 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
1044
1045 uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
1046 uint8_t response6[] = { 0x03, 0x3B, 0x00, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS
1047 ComputeCrc14443(CRC_14443_A, response6, 3, &response6[3], &response6[4]);
1048
1049 uint8_t *resp;
1050 int respLen;
1051
1052 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
1053 // This will need
1054 // 144 data bits (18 * 8)
1055 // 18 parity bits
1056 // 2 Start and stop
1057 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
1058 // 1 just for the case
1059 // ----------- +
1060 // 166
1061 //
1062 // 166 bytes, since every bit that needs to be send costs us a byte
1063 //
1064
1065 // Respond with card type
1066 uint8_t *resp1 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
1067 int resp1Len;
1068
1069 // Anticollision cascade1 - respond with uid
1070 uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 166);
1071 int resp2Len;
1072
1073 // Anticollision cascade2 - respond with 2nd half of uid if asked
1074 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
1075 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
1076 int resp2aLen;
1077
1078 // Acknowledge select - cascade 1
1079 uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*2));
1080 int resp3Len;
1081
1082 // Acknowledge select - cascade 2
1083 uint8_t *resp3a = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*3));
1084 int resp3aLen;
1085
1086 // Response to a read request - not implemented atm
1087 uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*4));
1088 int resp4Len;
1089
1090 // Authenticate response - nonce
1091 uint8_t *resp5 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*5));
1092 int resp5Len;
1093
1094 // Authenticate response - nonce
1095 uint8_t *resp6 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*6));
1096 int resp6Len;
1097
1098 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
1099 int len;
1100
1101 // To control where we are in the protocol
1102 int order = 0;
1103 int lastorder;
1104
1105 // Just to allow some checks
1106 int happened = 0;
1107 int happened2 = 0;
1108
1109 int cmdsRecvd = 0;
1110 uint8_t* respdata = NULL;
1111 int respsize = 0;
1112 uint8_t nack = 0x04;
1113
1114 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
1115
1116 // Prepare the responses of the anticollision phase
1117 // there will be not enough time to do this at the moment the reader sends it REQA
1118
1119 // Answer to request
1120 CodeIso14443aAsTag(response1, sizeof(response1));
1121 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1122
1123 // Send our UID (cascade 1)
1124 CodeIso14443aAsTag(response2, sizeof(response2));
1125 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1126
1127 // Answer to select (cascade1)
1128 CodeIso14443aAsTag(response3, sizeof(response3));
1129 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1130
1131 // Send the cascade 2 2nd part of the uid
1132 CodeIso14443aAsTag(response2a, sizeof(response2a));
1133 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1134
1135 // Answer to select (cascade 2)
1136 CodeIso14443aAsTag(response3a, sizeof(response3a));
1137 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1138
1139 // Strange answer is an example of rare message size (3 bits)
1140 CodeStrangeAnswerAsTag();
1141 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1142
1143 // Authentication answer (random nonce)
1144 CodeIso14443aAsTag(response5, sizeof(response5));
1145 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1146
1147 // dummy ATS (pseudo-ATR), answer to RATS
1148 CodeIso14443aAsTag(response6, sizeof(response6));
1149 memcpy(resp6, ToSend, ToSendMax); resp6Len = ToSendMax;
1150
1151 // We need to listen to the high-frequency, peak-detected path.
1152 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1153 FpgaSetupSsc();
1154
1155 cmdsRecvd = 0;
1156
1157 LED_A_ON();
1158 for(;;) {
1159
1160 if(!GetIso14443aCommandFromReader(receivedCmd, &len, RECV_CMD_SIZE)) {
1161 DbpString("button press");
1162 break;
1163 }
1164 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1165 // Okay, look at the command now.
1166 lastorder = order;
1167 if(receivedCmd[0] == 0x26) { // Received a REQUEST
1168 resp = resp1; respLen = resp1Len; order = 1;
1169 respdata = response1;
1170 respsize = sizeof(response1);
1171 } else if(receivedCmd[0] == 0x52) { // Received a WAKEUP
1172 resp = resp1; respLen = resp1Len; order = 6;
1173 respdata = response1;
1174 respsize = sizeof(response1);
1175 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // Received request for UID (cascade 1)
1176 resp = resp2; respLen = resp2Len; order = 2;
1177 respdata = response2;
1178 respsize = sizeof(response2);
1179 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x95) { // Received request for UID (cascade 2)
1180 resp = resp2a; respLen = resp2aLen; order = 20;
1181 respdata = response2a;
1182 respsize = sizeof(response2a);
1183 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x93) { // Received a SELECT (cascade 1)
1184 resp = resp3; respLen = resp3Len; order = 3;
1185 respdata = response3;
1186 respsize = sizeof(response3);
1187 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) { // Received a SELECT (cascade 2)
1188 resp = resp3a; respLen = resp3aLen; order = 30;
1189 respdata = response3a;
1190 respsize = sizeof(response3a);
1191 } else if(receivedCmd[0] == 0x30) { // Received a (plain) READ
1192 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1193 Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
1194 respdata = &nack;
1195 respsize = sizeof(nack); // 4-bit answer
1196 } else if(receivedCmd[0] == 0x50) { // Received a HALT
1197 DbpString("Reader requested we HALT!:");
1198 // Do not respond
1199 resp = resp1; respLen = 0; order = 0;
1200 respdata = NULL;
1201 respsize = 0;
1202 } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) { // Received an authentication request
1203 resp = resp5; respLen = resp5Len; order = 7;
1204 respdata = response5;
1205 respsize = sizeof(response5);
1206 } else if(receivedCmd[0] == 0xE0) { // Received a RATS request
1207 resp = resp6; respLen = resp6Len; order = 70;
1208 respdata = response6;
1209 respsize = sizeof(response6);
1210 } else {
1211 // Never seen this command before
1212 Dbprintf("Received unknown command (len=%d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",
1213 len,
1214 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1215 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1216 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
1217 // Do not respond
1218 resp = resp1; respLen = 0; order = 0;
1219 respdata = NULL;
1220 respsize = 0;
1221 }
1222
1223 // Count number of wakeups received after a halt
1224 if(order == 6 && lastorder == 5) { happened++; }
1225
1226 // Count number of other messages after a halt
1227 if(order != 6 && lastorder == 5) { happened2++; }
1228
1229 // Look at last parity bit to determine timing of answer
1230 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1231 // 1236, so correction bit needed
1232 //i = 0;
1233 }
1234
1235 if(cmdsRecvd > 999) {
1236 DbpString("1000 commands later...");
1237 break;
1238 } else {
1239 cmdsRecvd++;
1240 }
1241
1242 if(respLen > 0) {
1243 EmSendCmd14443aRaw(resp, respLen, receivedCmd[0] == 0x52);
1244 }
1245
1246 // After sending the response, print out some debug data.
1247 if (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) {
1248 Dbprintf("Authenticate request from reader: %02x %02x",receivedCmd[0],receivedCmd[1]);
1249 } else if (receivedCmd[0] == 0xE0) {
1250 Dbprintf("RATS request from reader: %02x %02x",receivedCmd[0],receivedCmd[1]);
1251 } else if (receivedCmd[0] == 0x30) {
1252 Dbprintf("READ request from reader: %02x %02x",receivedCmd[0],receivedCmd[1]);
1253 }
1254
1255
1256 if (tracing) {
1257 LogTrace(receivedCmd,len, 0, Uart.parityBits, TRUE);
1258 if (respdata != NULL) {
1259 LogTrace(respdata,respsize, 0, SwapBits(GetParity(respdata,respsize),respsize), FALSE);
1260 }
1261 if(traceLen > TRACE_SIZE) {
1262 DbpString("Trace full");
1263 break;
1264 }
1265 }
1266
1267 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
1268 }
1269
1270 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1271 LED_A_OFF();
1272 }
1273
1274 //-----------------------------------------------------------------------------
1275 // Transmit the command (to the tag) that was placed in ToSend[].
1276 //-----------------------------------------------------------------------------
1277 static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
1278 {
1279 int c;
1280
1281 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1282
1283 if (wait)
1284 if(*wait < 10)
1285 *wait = 10;
1286
1287 for(c = 0; c < *wait;) {
1288 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1289 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1290 c++;
1291 }
1292 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1293 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1294 (void)r;
1295 }
1296 WDT_HIT();
1297 }
1298
1299 c = 0;
1300 for(;;) {
1301 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1302 AT91C_BASE_SSC->SSC_THR = cmd[c];
1303 c++;
1304 if(c >= len) {
1305 break;
1306 }
1307 }
1308 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1309 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1310 (void)r;
1311 }
1312 WDT_HIT();
1313 }
1314 if (samples) *samples = (c + *wait) << 3;
1315 }
1316
1317 //-----------------------------------------------------------------------------
1318 // Code a 7-bit command without parity bit
1319 // This is especially for 0x26 and 0x52 (REQA and WUPA)
1320 //-----------------------------------------------------------------------------
1321 void ShortFrameFromReader(const uint8_t bt)
1322 {
1323 int j;
1324 int last;
1325 uint8_t b;
1326
1327 ToSendReset();
1328
1329 // Start of Communication (Seq. Z)
1330 ToSend[++ToSendMax] = SEC_Z;
1331 last = 0;
1332
1333 b = bt;
1334 for(j = 0; j < 7; j++) {
1335 if(b & 1) {
1336 // Sequence X
1337 ToSend[++ToSendMax] = SEC_X;
1338 last = 1;
1339 } else {
1340 if(last == 0) {
1341 // Sequence Z
1342 ToSend[++ToSendMax] = SEC_Z;
1343 }
1344 else {
1345 // Sequence Y
1346 ToSend[++ToSendMax] = SEC_Y;
1347 last = 0;
1348 }
1349 }
1350 b >>= 1;
1351 }
1352
1353 // End of Communication
1354 if(last == 0) {
1355 // Sequence Z
1356 ToSend[++ToSendMax] = SEC_Z;
1357 }
1358 else {
1359 // Sequence Y
1360 ToSend[++ToSendMax] = SEC_Y;
1361 last = 0;
1362 }
1363 // Sequence Y
1364 ToSend[++ToSendMax] = SEC_Y;
1365
1366 // Just to be sure!
1367 ToSend[++ToSendMax] = SEC_Y;
1368 ToSend[++ToSendMax] = SEC_Y;
1369 ToSend[++ToSendMax] = SEC_Y;
1370
1371 // Convert from last character reference to length
1372 ToSendMax++;
1373 }
1374
1375 //-----------------------------------------------------------------------------
1376 // Prepare reader command to send to FPGA
1377 //
1378 //-----------------------------------------------------------------------------
1379 void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
1380 {
1381 int i, j;
1382 int last;
1383 uint8_t b;
1384
1385 ToSendReset();
1386
1387 // Start of Communication (Seq. Z)
1388 ToSend[++ToSendMax] = SEC_Z;
1389 last = 0;
1390
1391 // Generate send structure for the data bits
1392 for (i = 0; i < len; i++) {
1393 // Get the current byte to send
1394 b = cmd[i];
1395
1396 for (j = 0; j < 8; j++) {
1397 if (b & 1) {
1398 // Sequence X
1399 ToSend[++ToSendMax] = SEC_X;
1400 last = 1;
1401 } else {
1402 if (last == 0) {
1403 // Sequence Z
1404 ToSend[++ToSendMax] = SEC_Z;
1405 } else {
1406 // Sequence Y
1407 ToSend[++ToSendMax] = SEC_Y;
1408 last = 0;
1409 }
1410 }
1411 b >>= 1;
1412 }
1413
1414 // Get the parity bit
1415 if ((dwParity >> i) & 0x01) {
1416 // Sequence X
1417 ToSend[++ToSendMax] = SEC_X;
1418 last = 1;
1419 } else {
1420 if (last == 0) {
1421 // Sequence Z
1422 ToSend[++ToSendMax] = SEC_Z;
1423 } else {
1424 // Sequence Y
1425 ToSend[++ToSendMax] = SEC_Y;
1426 last = 0;
1427 }
1428 }
1429 }
1430
1431 // End of Communication
1432 if (last == 0) {
1433 // Sequence Z
1434 ToSend[++ToSendMax] = SEC_Z;
1435 } else {
1436 // Sequence Y
1437 ToSend[++ToSendMax] = SEC_Y;
1438 last = 0;
1439 }
1440 // Sequence Y
1441 ToSend[++ToSendMax] = SEC_Y;
1442
1443 // Just to be sure!
1444 ToSend[++ToSendMax] = SEC_Y;
1445 ToSend[++ToSendMax] = SEC_Y;
1446 ToSend[++ToSendMax] = SEC_Y;
1447
1448 // Convert from last character reference to length
1449 ToSendMax++;
1450 }
1451
1452 //-----------------------------------------------------------------------------
1453 // Wait for commands from reader
1454 // Stop when button is pressed (return 1) or field was gone (return 2)
1455 // Or return 0 when command is captured
1456 //-----------------------------------------------------------------------------
1457 static int EmGetCmd(uint8_t *received, int *len, int maxLen)
1458 {
1459 *len = 0;
1460
1461 uint32_t timer = 0, vtime = 0;
1462 int analogCnt = 0;
1463 int analogAVG = 0;
1464
1465 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1466 // only, since we are receiving, not transmitting).
1467 // Signal field is off with the appropriate LED
1468 LED_D_OFF();
1469 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1470
1471 // Set ADC to read field strength
1472 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
1473 AT91C_BASE_ADC->ADC_MR =
1474 ADC_MODE_PRESCALE(32) |
1475 ADC_MODE_STARTUP_TIME(16) |
1476 ADC_MODE_SAMPLE_HOLD_TIME(8);
1477 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
1478 // start ADC
1479 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1480
1481 // Now run a 'software UART' on the stream of incoming samples.
1482 Uart.output = received;
1483 Uart.byteCntMax = maxLen;
1484 Uart.state = STATE_UNSYNCD;
1485
1486 for(;;) {
1487 WDT_HIT();
1488
1489 if (BUTTON_PRESS()) return 1;
1490
1491 // test if the field exists
1492 if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
1493 analogCnt++;
1494 analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
1495 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1496 if (analogCnt >= 32) {
1497 if ((33000 * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
1498 vtime = GetTickCount();
1499 if (!timer) timer = vtime;
1500 // 50ms no field --> card to idle state
1501 if (vtime - timer > 50) return 2;
1502 } else
1503 if (timer) timer = 0;
1504 analogCnt = 0;
1505 analogAVG = 0;
1506 }
1507 }
1508 // transmit none
1509 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1510 AT91C_BASE_SSC->SSC_THR = 0x00;
1511 }
1512 // receive and test the miller decoding
1513 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1514 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1515 if(MillerDecoding((b & 0xf0) >> 4)) {
1516 *len = Uart.byteCnt;
1517 if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
1518 return 0;
1519 }
1520 if(MillerDecoding(b & 0x0f)) {
1521 *len = Uart.byteCnt;
1522 if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
1523 return 0;
1524 }
1525 }
1526 }
1527 }
1528
1529 static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded)
1530 {
1531 int i, u = 0;
1532 uint8_t b = 0;
1533
1534 // Modulate Manchester
1535 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1536 AT91C_BASE_SSC->SSC_THR = 0x00;
1537 FpgaSetupSsc();
1538
1539 // include correction bit
1540 i = 1;
1541 if((Uart.parityBits & 0x01) || correctionNeeded) {
1542 // 1236, so correction bit needed
1543 i = 0;
1544 }
1545
1546 // send cycle
1547 for(;;) {
1548 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1549 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1550 (void)b;
1551 }
1552 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1553 if(i > respLen) {
1554 b = 0xff; // was 0x00
1555 u++;
1556 } else {
1557 b = resp[i];
1558 i++;
1559 }
1560 AT91C_BASE_SSC->SSC_THR = b;
1561
1562 if(u > 4) break;
1563 }
1564 if(BUTTON_PRESS()) {
1565 break;
1566 }
1567 }
1568
1569 return 0;
1570 }
1571
1572 int EmSend4bitEx(uint8_t resp, int correctionNeeded){
1573 Code4bitAnswerAsTag(resp);
1574 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
1575 if (tracing) LogTrace(&resp, 1, GetDeltaCountUS(), GetParity(&resp, 1), FALSE);
1576 return res;
1577 }
1578
1579 int EmSend4bit(uint8_t resp){
1580 return EmSend4bitEx(resp, 0);
1581 }
1582
1583 int EmSendCmdExPar(uint8_t *resp, int respLen, int correctionNeeded, uint32_t par){
1584 CodeIso14443aAsTagPar(resp, respLen, par);
1585 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
1586 if (tracing) LogTrace(resp, respLen, GetDeltaCountUS(), par, FALSE);
1587 return res;
1588 }
1589
1590 int EmSendCmdEx(uint8_t *resp, int respLen, int correctionNeeded){
1591 return EmSendCmdExPar(resp, respLen, correctionNeeded, GetParity(resp, respLen));
1592 }
1593
1594 int EmSendCmd(uint8_t *resp, int respLen){
1595 return EmSendCmdExPar(resp, respLen, 0, GetParity(resp, respLen));
1596 }
1597
1598 int EmSendCmdPar(uint8_t *resp, int respLen, uint32_t par){
1599 return EmSendCmdExPar(resp, respLen, 0, par);
1600 }
1601
1602 //-----------------------------------------------------------------------------
1603 // Wait a certain time for tag response
1604 // If a response is captured return TRUE
1605 // If it takes to long return FALSE
1606 //-----------------------------------------------------------------------------
1607 static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
1608 {
1609 // buffer needs to be 512 bytes
1610 int c;
1611
1612 // Set FPGA mode to "reader listen mode", no modulation (listen
1613 // only, since we are receiving, not transmitting).
1614 // Signal field is on with the appropriate LED
1615 LED_D_ON();
1616 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1617
1618 // Now get the answer from the card
1619 Demod.output = receivedResponse;
1620 Demod.len = 0;
1621 Demod.state = DEMOD_UNSYNCD;
1622
1623 uint8_t b;
1624 if (elapsed) *elapsed = 0;
1625
1626 c = 0;
1627 for(;;) {
1628 WDT_HIT();
1629
1630 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1631 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1632 if (elapsed) (*elapsed)++;
1633 }
1634 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1635 if(c < iso14a_timeout) { c++; } else { return FALSE; }
1636 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1637 if(ManchesterDecoding((b>>4) & 0xf)) {
1638 *samples = ((c - 1) << 3) + 4;
1639 return TRUE;
1640 }
1641 if(ManchesterDecoding(b & 0x0f)) {
1642 *samples = c << 3;
1643 return TRUE;
1644 }
1645 }
1646 }
1647 }
1648
1649 void ReaderTransmitShort(const uint8_t* bt)
1650 {
1651 int wait = 0;
1652 int samples = 0;
1653
1654 ShortFrameFromReader(*bt);
1655
1656 // Select the card
1657 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1658
1659 // Store reader command in buffer
1660 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1661 }
1662
1663 void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
1664 {
1665 int wait = 0;
1666 int samples = 0;
1667
1668 // This is tied to other size changes
1669 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
1670 CodeIso14443aAsReaderPar(frame,len,par);
1671
1672 // Select the card
1673 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1674 if(trigger)
1675 LED_A_ON();
1676
1677 // Store reader command in buffer
1678 if (tracing) LogTrace(frame,len,0,par,TRUE);
1679 }
1680
1681
1682 void ReaderTransmit(uint8_t* frame, int len)
1683 {
1684 // Generate parity and redirect
1685 ReaderTransmitPar(frame,len,GetParity(frame,len));
1686 }
1687
1688 int ReaderReceive(uint8_t* receivedAnswer)
1689 {
1690 int samples = 0;
1691 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
1692 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1693 if(samples == 0) return FALSE;
1694 return Demod.len;
1695 }
1696
1697 int ReaderReceivePar(uint8_t* receivedAnswer, uint32_t * parptr)
1698 {
1699 int samples = 0;
1700 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
1701 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1702 *parptr = Demod.parityBits;
1703 if(samples == 0) return FALSE;
1704 return Demod.len;
1705 }
1706
1707 /* performs iso14443a anticolision procedure
1708 * fills the uid pointer unless NULL
1709 * fills resp_data unless NULL */
1710 int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data, uint32_t * cuid_ptr) {
1711 uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
1712 uint8_t sel_all[] = { 0x93,0x20 };
1713 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1714 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
1715
1716 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1717
1718 uint8_t sak = 0x04; // cascade uid
1719 int cascade_level = 0;
1720
1721 int len;
1722
1723 // clear uid
1724 memset(uid_ptr, 0, 8);
1725
1726 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1727 ReaderTransmitShort(wupa);
1728 // Receive the ATQA
1729 if(!ReaderReceive(resp)) return 0;
1730
1731 if(resp_data)
1732 memcpy(resp_data->atqa, resp, 2);
1733
1734 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
1735 // which case we need to make a cascade 2 request and select - this is a long UID
1736 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1737 for(; sak & 0x04; cascade_level++)
1738 {
1739 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1740 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1741
1742 // SELECT_ALL
1743 ReaderTransmit(sel_all,sizeof(sel_all));
1744 if (!ReaderReceive(resp)) return 0;
1745 if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4);
1746
1747 // calculate crypto UID
1748 if(cuid_ptr) *cuid_ptr = bytes_to_num(resp, 4);
1749
1750 // Construct SELECT UID command
1751 memcpy(sel_uid+2,resp,5);
1752 AppendCrc14443a(sel_uid,7);
1753 ReaderTransmit(sel_uid,sizeof(sel_uid));
1754
1755 // Receive the SAK
1756 if (!ReaderReceive(resp)) return 0;
1757 sak = resp[0];
1758 }
1759 if(resp_data) {
1760 resp_data->sak = sak;
1761 resp_data->ats_len = 0;
1762 }
1763 //-- this byte not UID, it CT. http://www.nxp.com/documents/application_note/AN10927.pdf page 3
1764 if (uid_ptr[0] == 0x88) {
1765 memcpy(uid_ptr, uid_ptr + 1, 7);
1766 uid_ptr[7] = 0;
1767 }
1768
1769 if( (sak & 0x20) == 0)
1770 return 2; // non iso14443a compliant tag
1771
1772 // Request for answer to select
1773 if(resp_data) { // JCOP cards - if reader sent RATS then there is no MIFARE session at all!!!
1774 AppendCrc14443a(rats, 2);
1775 ReaderTransmit(rats, sizeof(rats));
1776
1777 if (!(len = ReaderReceive(resp))) return 0;
1778
1779 memcpy(resp_data->ats, resp, sizeof(resp_data->ats));
1780 resp_data->ats_len = len;
1781 }
1782
1783 return 1;
1784 }
1785
1786 void iso14443a_setup() {
1787 // Setup SSC
1788 FpgaSetupSsc();
1789 // Start from off (no field generated)
1790 // Signal field is off with the appropriate LED
1791 LED_D_OFF();
1792 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1793 SpinDelay(200);
1794
1795 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1796
1797 // Now give it time to spin up.
1798 // Signal field is on with the appropriate LED
1799 LED_D_ON();
1800 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1801 SpinDelay(200);
1802
1803 iso14a_timeout = 2048; //default
1804 }
1805
1806 int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
1807 uint8_t real_cmd[cmd_len+4];
1808 real_cmd[0] = 0x0a; //I-Block
1809 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1810 memcpy(real_cmd+2, cmd, cmd_len);
1811 AppendCrc14443a(real_cmd,cmd_len+2);
1812
1813 ReaderTransmit(real_cmd, cmd_len+4);
1814 size_t len = ReaderReceive(data);
1815 if(!len)
1816 return -1; //DATA LINK ERROR
1817
1818 return len;
1819 }
1820
1821
1822 //-----------------------------------------------------------------------------
1823 // Read an ISO 14443a tag. Send out commands and store answers.
1824 //
1825 //-----------------------------------------------------------------------------
1826 void ReaderIso14443a(UsbCommand * c, UsbCommand * ack)
1827 {
1828 iso14a_command_t param = c->arg[0];
1829 uint8_t * cmd = c->d.asBytes;
1830 size_t len = c->arg[1];
1831
1832 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(1);
1833
1834 if(param & ISO14A_CONNECT) {
1835 iso14443a_setup();
1836 ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12), NULL);
1837 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1838 }
1839
1840 if(param & ISO14A_SET_TIMEOUT) {
1841 iso14a_timeout = c->arg[2];
1842 }
1843
1844 if(param & ISO14A_SET_TIMEOUT) {
1845 iso14a_timeout = c->arg[2];
1846 }
1847
1848 if(param & ISO14A_APDU) {
1849 ack->arg[0] = iso14_apdu(cmd, len, ack->d.asBytes);
1850 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1851 }
1852
1853 if(param & ISO14A_RAW) {
1854 if(param & ISO14A_APPEND_CRC) {
1855 AppendCrc14443a(cmd,len);
1856 len += 2;
1857 }
1858 ReaderTransmit(cmd,len);
1859 ack->arg[0] = ReaderReceive(ack->d.asBytes);
1860 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1861 }
1862
1863 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(0);
1864
1865 if(param & ISO14A_NO_DISCONNECT)
1866 return;
1867
1868 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1869 LEDsoff();
1870 }
1871 //-----------------------------------------------------------------------------
1872 // Read an ISO 14443a tag. Send out commands and store answers.
1873 //
1874 //-----------------------------------------------------------------------------
1875 void ReaderMifare(uint32_t parameter)
1876 {
1877 // Mifare AUTH
1878 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1879 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1880
1881 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1882 traceLen = 0;
1883 tracing = false;
1884
1885 iso14443a_setup();
1886
1887 LED_A_ON();
1888 LED_B_OFF();
1889 LED_C_OFF();
1890
1891 byte_t nt_diff = 0;
1892 LED_A_OFF();
1893 byte_t par = 0;
1894 //byte_t par_mask = 0xff;
1895 byte_t par_low = 0;
1896 int led_on = TRUE;
1897 uint8_t uid[8];
1898 uint32_t cuid;
1899
1900 tracing = FALSE;
1901 byte_t nt[4] = {0,0,0,0};
1902 byte_t nt_attacked[4], nt_noattack[4];
1903 byte_t par_list[8] = {0,0,0,0,0,0,0,0};
1904 byte_t ks_list[8] = {0,0,0,0,0,0,0,0};
1905 num_to_bytes(parameter, 4, nt_noattack);
1906 int isOK = 0, isNULL = 0;
1907
1908 while(TRUE)
1909 {
1910 LED_C_ON();
1911 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1912 SpinDelay(200);
1913 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1914 LED_C_OFF();
1915
1916 // Test if the action was cancelled
1917 if(BUTTON_PRESS()) {
1918 break;
1919 }
1920
1921 if(!iso14443a_select_card(uid, NULL, &cuid)) continue;
1922
1923 // Transmit MIFARE_CLASSIC_AUTH
1924 ReaderTransmit(mf_auth, sizeof(mf_auth));
1925
1926 // Receive the (16 bit) "random" nonce
1927 if (!ReaderReceive(receivedAnswer)) continue;
1928 memcpy(nt, receivedAnswer, 4);
1929
1930 // Transmit reader nonce and reader answer
1931 ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar),par);
1932
1933 // Receive 4 bit answer
1934 if (ReaderReceive(receivedAnswer))
1935 {
1936 if ( (parameter != 0) && (memcmp(nt, nt_noattack, 4) == 0) ) continue;
1937
1938 isNULL = (nt_attacked[0] == 0) && (nt_attacked[1] == 0) && (nt_attacked[2] == 0) && (nt_attacked[3] == 0);
1939 if ( (isNULL != 0 ) && (memcmp(nt, nt_attacked, 4) != 0) ) continue;
1940
1941 if (nt_diff == 0)
1942 {
1943 LED_A_ON();
1944 memcpy(nt_attacked, nt, 4);
1945 //par_mask = 0xf8;
1946 par_low = par & 0x07;
1947 }
1948
1949 led_on = !led_on;
1950 if(led_on) LED_B_ON(); else LED_B_OFF();
1951 par_list[nt_diff] = par;
1952 ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
1953
1954 // Test if the information is complete
1955 if (nt_diff == 0x07) {
1956 isOK = 1;
1957 break;
1958 }
1959
1960 nt_diff = (nt_diff + 1) & 0x07;
1961 mf_nr_ar[3] = nt_diff << 5;
1962 par = par_low;
1963 } else {
1964 if (nt_diff == 0)
1965 {
1966 par++;
1967 } else {
1968 par = (((par >> 3) + 1) << 3) | par_low;
1969 }
1970 }
1971 }
1972
1973 LogTrace(nt, 4, 0, GetParity(nt, 4), TRUE);
1974 LogTrace(par_list, 8, 0, GetParity(par_list, 8), TRUE);
1975 LogTrace(ks_list, 8, 0, GetParity(ks_list, 8), TRUE);
1976
1977 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
1978 memcpy(ack.d.asBytes + 0, uid, 4);
1979 memcpy(ack.d.asBytes + 4, nt, 4);
1980 memcpy(ack.d.asBytes + 8, par_list, 8);
1981 memcpy(ack.d.asBytes + 16, ks_list, 8);
1982
1983 LED_B_ON();
1984 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
1985 LED_B_OFF();
1986
1987 // Thats it...
1988 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1989 LEDsoff();
1990 tracing = TRUE;
1991
1992 if (MF_DBGLEVEL >= 1) DbpString("COMMAND mifare FINISHED");
1993 }
1994
1995
1996 //-----------------------------------------------------------------------------
1997 // MIFARE 1K simulate.
1998 //
1999 //-----------------------------------------------------------------------------
2000 void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
2001 {
2002 int cardSTATE = MFEMUL_NOFIELD;
2003 int _7BUID = 0;
2004 int vHf = 0; // in mV
2005 //int nextCycleTimeout = 0;
2006 int res;
2007 // uint32_t timer = 0;
2008 uint32_t selTimer = 0;
2009 uint32_t authTimer = 0;
2010 uint32_t par = 0;
2011 int len = 0;
2012 uint8_t cardWRBL = 0;
2013 uint8_t cardAUTHSC = 0;
2014 uint8_t cardAUTHKEY = 0xff; // no authentication
2015 //uint32_t cardRn = 0;
2016 uint32_t cardRr = 0;
2017 uint32_t cuid = 0;
2018 //uint32_t rn_enc = 0;
2019 uint32_t ans = 0;
2020 uint32_t cardINTREG = 0;
2021 uint8_t cardINTBLOCK = 0;
2022 struct Crypto1State mpcs = {0, 0};
2023 struct Crypto1State *pcs;
2024 pcs = &mpcs;
2025
2026 uint8_t* receivedCmd = eml_get_bigbufptr_recbuf();
2027 uint8_t *response = eml_get_bigbufptr_sendbuf();
2028
2029 static uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
2030
2031 static uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
2032 static uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
2033
2034 static uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
2035 static uint8_t rSAK1[] = {0x04, 0xda, 0x17};
2036
2037 static uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
2038 // static uint8_t rAUTH_NT[] = {0x1a, 0xac, 0xff, 0x4f};
2039 static uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
2040
2041 // clear trace
2042 traceLen = 0;
2043 tracing = true;
2044
2045 // Authenticate response - nonce
2046 uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
2047
2048 // get UID from emul memory
2049 emlGetMemBt(receivedCmd, 7, 1);
2050 _7BUID = !(receivedCmd[0] == 0x00);
2051 if (!_7BUID) { // ---------- 4BUID
2052 rATQA[0] = 0x04;
2053
2054 emlGetMemBt(rUIDBCC1, 0, 4);
2055 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2056 } else { // ---------- 7BUID
2057 rATQA[0] = 0x44;
2058
2059 rUIDBCC1[0] = 0x88;
2060 emlGetMemBt(&rUIDBCC1[1], 0, 3);
2061 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2062 emlGetMemBt(rUIDBCC2, 3, 4);
2063 rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
2064 }
2065
2066 // -------------------------------------- test area
2067
2068 // -------------------------------------- END test area
2069 // start mkseconds counter
2070 StartCountUS();
2071
2072 // We need to listen to the high-frequency, peak-detected path.
2073 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
2074 FpgaSetupSsc();
2075
2076 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
2077 SpinDelay(200);
2078
2079 if (MF_DBGLEVEL >= 1) Dbprintf("Started. 7buid=%d", _7BUID);
2080 // calibrate mkseconds counter
2081 GetDeltaCountUS();
2082 while (true) {
2083 WDT_HIT();
2084
2085 if(BUTTON_PRESS()) {
2086 break;
2087 }
2088
2089 // find reader field
2090 // Vref = 3300mV, and an 10:1 voltage divider on the input
2091 // can measure voltages up to 33000 mV
2092 if (cardSTATE == MFEMUL_NOFIELD) {
2093 vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
2094 if (vHf > MF_MINFIELDV) {
2095 cardSTATE_TO_IDLE();
2096 LED_A_ON();
2097 }
2098 }
2099
2100 if (cardSTATE != MFEMUL_NOFIELD) {
2101 res = EmGetCmd(receivedCmd, &len, RECV_CMD_SIZE); // (+ nextCycleTimeout)
2102 if (res == 2) {
2103 cardSTATE = MFEMUL_NOFIELD;
2104 LEDsoff();
2105 continue;
2106 }
2107 if(res) break;
2108 }
2109
2110 //nextCycleTimeout = 0;
2111
2112 // if (len) Dbprintf("len:%d cmd: %02x %02x %02x %02x", len, receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3]);
2113
2114 if (len != 4 && cardSTATE != MFEMUL_NOFIELD) { // len != 4 <---- speed up the code 4 authentication
2115 // REQ or WUP request in ANY state and WUP in HALTED state
2116 if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
2117 selTimer = GetTickCount();
2118 EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
2119 cardSTATE = MFEMUL_SELECT1;
2120
2121 // init crypto block
2122 LED_B_OFF();
2123 LED_C_OFF();
2124 crypto1_destroy(pcs);
2125 cardAUTHKEY = 0xff;
2126 }
2127 }
2128
2129 switch (cardSTATE) {
2130 case MFEMUL_NOFIELD:{
2131 break;
2132 }
2133 case MFEMUL_HALTED:{
2134 break;
2135 }
2136 case MFEMUL_IDLE:{
2137 break;
2138 }
2139 case MFEMUL_SELECT1:{
2140 // select all
2141 if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
2142 EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
2143 break;
2144 }
2145
2146 // select card
2147 if (len == 9 &&
2148 (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
2149 if (!_7BUID)
2150 EmSendCmd(rSAK, sizeof(rSAK));
2151 else
2152 EmSendCmd(rSAK1, sizeof(rSAK1));
2153
2154 cuid = bytes_to_num(rUIDBCC1, 4);
2155 if (!_7BUID) {
2156 cardSTATE = MFEMUL_WORK;
2157 LED_B_ON();
2158 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
2159 break;
2160 } else {
2161 cardSTATE = MFEMUL_SELECT2;
2162 break;
2163 }
2164 }
2165
2166 break;
2167 }
2168 case MFEMUL_SELECT2:{
2169 if (!len) break;
2170
2171 if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
2172 EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
2173 break;
2174 }
2175
2176 // select 2 card
2177 if (len == 9 &&
2178 (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) {
2179 EmSendCmd(rSAK, sizeof(rSAK));
2180
2181 cuid = bytes_to_num(rUIDBCC2, 4);
2182 cardSTATE = MFEMUL_WORK;
2183 LED_B_ON();
2184 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
2185 break;
2186 }
2187
2188 // i guess there is a command). go into the work state.
2189 if (len != 4) break;
2190 cardSTATE = MFEMUL_WORK;
2191 goto lbWORK;
2192 }
2193 case MFEMUL_AUTH1:{
2194 if (len == 8) {
2195 // --- crypto
2196 //rn_enc = bytes_to_num(receivedCmd, 4);
2197 //cardRn = rn_enc ^ crypto1_word(pcs, rn_enc , 1);
2198 cardRr = bytes_to_num(&receivedCmd[4], 4) ^ crypto1_word(pcs, 0, 0);
2199 // test if auth OK
2200 if (cardRr != prng_successor(nonce, 64)){
2201 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED. cardRr=%08x, succ=%08x", cardRr, prng_successor(nonce, 64));
2202 cardSTATE_TO_IDLE();
2203 break;
2204 }
2205 ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
2206 num_to_bytes(ans, 4, rAUTH_AT);
2207 // --- crypto
2208 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2209 cardSTATE = MFEMUL_AUTH2;
2210 } else {
2211 cardSTATE_TO_IDLE();
2212 }
2213 if (cardSTATE != MFEMUL_AUTH2) break;
2214 }
2215 case MFEMUL_AUTH2:{
2216 LED_C_ON();
2217 cardSTATE = MFEMUL_WORK;
2218 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED. sec=%d, key=%d time=%d", cardAUTHSC, cardAUTHKEY, GetTickCount() - authTimer);
2219 break;
2220 }
2221 case MFEMUL_WORK:{
2222 lbWORK: if (len == 0) break;
2223
2224 if (cardAUTHKEY == 0xff) {
2225 // first authentication
2226 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2227 authTimer = GetTickCount();
2228
2229 cardAUTHSC = receivedCmd[1] / 4; // received block num
2230 cardAUTHKEY = receivedCmd[0] - 0x60;
2231
2232 // --- crypto
2233 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
2234 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
2235 num_to_bytes(nonce, 4, rAUTH_AT);
2236 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2237 // --- crypto
2238
2239 // last working revision
2240 // EmSendCmd14443aRaw(resp1, resp1Len, 0);
2241 // LogTrace(NULL, 0, GetDeltaCountUS(), 0, true);
2242
2243 cardSTATE = MFEMUL_AUTH1;
2244 //nextCycleTimeout = 10;
2245 break;
2246 }
2247 } else {
2248 // decrypt seqence
2249 mf_crypto1_decrypt(pcs, receivedCmd, len);
2250
2251 // nested authentication
2252 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2253 authTimer = GetTickCount();
2254
2255 cardAUTHSC = receivedCmd[1] / 4; // received block num
2256 cardAUTHKEY = receivedCmd[0] - 0x60;
2257
2258 // --- crypto
2259 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
2260 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
2261 num_to_bytes(ans, 4, rAUTH_AT);
2262 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2263 // --- crypto
2264
2265 cardSTATE = MFEMUL_AUTH1;
2266 //nextCycleTimeout = 10;
2267 break;
2268 }
2269 }
2270
2271 // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued
2272 // BUT... ACK --> NACK
2273 if (len == 1 && receivedCmd[0] == CARD_ACK) {
2274 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2275 break;
2276 }
2277
2278 // rule 12 of 7.5.3. in ISO 14443-4. R(NAK) --> R(ACK)
2279 if (len == 1 && receivedCmd[0] == CARD_NACK_NA) {
2280 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2281 break;
2282 }
2283
2284 // read block
2285 if (len == 4 && receivedCmd[0] == 0x30) {
2286 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
2287 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2288 break;
2289 }
2290 emlGetMem(response, receivedCmd[1], 1);
2291 AppendCrc14443a(response, 16);
2292 mf_crypto1_encrypt(pcs, response, 18, &par);
2293 EmSendCmdPar(response, 18, par);
2294 break;
2295 }
2296
2297 // write block
2298 if (len == 4 && receivedCmd[0] == 0xA0) {
2299 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
2300 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2301 break;
2302 }
2303 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2304 //nextCycleTimeout = 50;
2305 cardSTATE = MFEMUL_WRITEBL2;
2306 cardWRBL = receivedCmd[1];
2307 break;
2308 }
2309
2310 // works with cardINTREG
2311
2312 // increment, decrement, restore
2313 if (len == 4 && (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2)) {
2314 if (receivedCmd[1] >= 16 * 4 ||
2315 receivedCmd[1] / 4 != cardAUTHSC ||
2316 emlCheckValBl(receivedCmd[1])) {
2317 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2318 break;
2319 }
2320 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2321 if (receivedCmd[0] == 0xC1)
2322 cardSTATE = MFEMUL_INTREG_INC;
2323 if (receivedCmd[0] == 0xC0)
2324 cardSTATE = MFEMUL_INTREG_DEC;
2325 if (receivedCmd[0] == 0xC2)
2326 cardSTATE = MFEMUL_INTREG_REST;
2327 cardWRBL = receivedCmd[1];
2328
2329 break;
2330 }
2331
2332
2333 // transfer
2334 if (len == 4 && receivedCmd[0] == 0xB0) {
2335 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
2336 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2337 break;
2338 }
2339
2340 if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1]))
2341 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2342 else
2343 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2344
2345 break;
2346 }
2347
2348 // halt
2349 if (len == 4 && (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00)) {
2350 LED_B_OFF();
2351 LED_C_OFF();
2352 cardSTATE = MFEMUL_HALTED;
2353 if (MF_DBGLEVEL >= 4) Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer);
2354 break;
2355 }
2356
2357 // command not allowed
2358 if (len == 4) {
2359 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2360 break;
2361 }
2362
2363 // case break
2364 break;
2365 }
2366 case MFEMUL_WRITEBL2:{
2367 if (len == 18){
2368 mf_crypto1_decrypt(pcs, receivedCmd, len);
2369 emlSetMem(receivedCmd, cardWRBL, 1);
2370 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2371 cardSTATE = MFEMUL_WORK;
2372 break;
2373 } else {
2374 cardSTATE_TO_IDLE();
2375 break;
2376 }
2377 break;
2378 }
2379
2380 case MFEMUL_INTREG_INC:{
2381 mf_crypto1_decrypt(pcs, receivedCmd, len);
2382 memcpy(&ans, receivedCmd, 4);
2383 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2384 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2385 cardSTATE_TO_IDLE();
2386 break;
2387 }
2388 cardINTREG = cardINTREG + ans;
2389 cardSTATE = MFEMUL_WORK;
2390 break;
2391 }
2392 case MFEMUL_INTREG_DEC:{
2393 mf_crypto1_decrypt(pcs, receivedCmd, len);
2394 memcpy(&ans, receivedCmd, 4);
2395 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2396 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2397 cardSTATE_TO_IDLE();
2398 break;
2399 }
2400 cardINTREG = cardINTREG - ans;
2401 cardSTATE = MFEMUL_WORK;
2402 break;
2403 }
2404 case MFEMUL_INTREG_REST:{
2405 mf_crypto1_decrypt(pcs, receivedCmd, len);
2406 memcpy(&ans, receivedCmd, 4);
2407 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2408 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2409 cardSTATE_TO_IDLE();
2410 break;
2411 }
2412 cardSTATE = MFEMUL_WORK;
2413 break;
2414 }
2415
2416 }
2417
2418 }
2419
2420 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2421 LEDsoff();
2422
2423 // add trace trailer
2424 memset(rAUTH_NT, 0x44, 4);
2425 LogTrace(rAUTH_NT, 4, 0, 0, TRUE);
2426
2427 if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, traceLen);
2428 }
Proxmark3 GIT tracking
Impressum, Datenschutz