]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443.c
projects / proxmark3-svn / blob
? search:


39112fdfce543cdbc8e0d373013f69957942615f
[proxmark3-svn] / armsrc / iso14443.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, split Nov 2006
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Routines to support ISO 14443. This includes both the reader software and
9 // the `fake tag' modes. At the moment only the Type B modulation is
10 // supported.
11 //-----------------------------------------------------------------------------
12
13 #include "proxmark3.h"
14 #include "apps.h"
15 #include "util.h"
16 #include "string.h"
17
18 #include "iso14443crc.h"
19
20 //static void GetSamplesFor14443(int weTx, int n);
21
22 /*#define DEMOD_TRACE_SIZE 4096
23 #define READER_TAG_BUFFER_SIZE 2048
24 #define TAG_READER_BUFFER_SIZE 2048
25 #define DEMOD_DMA_BUFFER_SIZE 1024
26 */
27 //=============================================================================
28 // An ISO 14443 Type B tag. We listen for commands from the reader, using
29 // a UART kind of thing that's implemented in software. When we get a
30 // frame (i.e., a group of bytes between SOF and EOF), we check the CRC.
31 // If it's good, then we can do something appropriate with it, and send
32 // a response.
33 //=============================================================================
34
35 //-----------------------------------------------------------------------------
36 // Code up a string of octets at layer 2 (including CRC, we don't generate
37 // that here) so that they can be transmitted to the reader. Doesn't transmit
38 // them yet, just leaves them ready to send in ToSend[].
39 //-----------------------------------------------------------------------------
40 static void CodeIso14443bAsTag(const uint8_t *cmd, int len)
41 {
42 int i;
43
44 ToSendReset();
45
46 // Transmit a burst of ones, as the initial thing that lets the
47 // reader get phase sync. This (TR1) must be > 80/fs, per spec,
48 // but tag that I've tried (a Paypass) exceeds that by a fair bit,
49 // so I will too.
50 for(i = 0; i < 20; i++) {
51 ToSendStuffBit(1);
52 ToSendStuffBit(1);
53 ToSendStuffBit(1);
54 ToSendStuffBit(1);
55 }
56
57 // Send SOF.
58 for(i = 0; i < 10; i++) {
59 ToSendStuffBit(0);
60 ToSendStuffBit(0);
61 ToSendStuffBit(0);
62 ToSendStuffBit(0);
63 }
64 for(i = 0; i < 2; i++) {
65 ToSendStuffBit(1);
66 ToSendStuffBit(1);
67 ToSendStuffBit(1);
68 ToSendStuffBit(1);
69 }
70
71 for(i = 0; i < len; i++) {
72 int j;
73 uint8_t b = cmd[i];
74
75 // Start bit
76 ToSendStuffBit(0);
77 ToSendStuffBit(0);
78 ToSendStuffBit(0);
79 ToSendStuffBit(0);
80
81 // Data bits
82 for(j = 0; j < 8; j++) {
83 if(b & 1) {
84 ToSendStuffBit(1);
85 ToSendStuffBit(1);
86 ToSendStuffBit(1);
87 ToSendStuffBit(1);
88 } else {
89 ToSendStuffBit(0);
90 ToSendStuffBit(0);
91 ToSendStuffBit(0);
92 ToSendStuffBit(0);
93 }
94 b >>= 1;
95 }
96
97 // Stop bit
98 ToSendStuffBit(1);
99 ToSendStuffBit(1);
100 ToSendStuffBit(1);
101 ToSendStuffBit(1);
102 }
103
104 // Send SOF.
105 for(i = 0; i < 10; i++) {
106 ToSendStuffBit(0);
107 ToSendStuffBit(0);
108 ToSendStuffBit(0);
109 ToSendStuffBit(0);
110 }
111 for(i = 0; i < 10; i++) {
112 ToSendStuffBit(1);
113 ToSendStuffBit(1);
114 ToSendStuffBit(1);
115 ToSendStuffBit(1);
116 }
117
118 // Convert from last byte pos to length
119 ToSendMax++;
120
121 // Add a few more for slop
122 ToSendMax += 2;
123 }
124
125 //-----------------------------------------------------------------------------
126 // The software UART that receives commands from the reader, and its state
127 // variables.
128 //-----------------------------------------------------------------------------
129 static struct {
130 enum {
131 STATE_UNSYNCD,
132 STATE_GOT_FALLING_EDGE_OF_SOF,
133 STATE_AWAITING_START_BIT,
134 STATE_RECEIVING_DATA,
135 STATE_ERROR_WAIT
136 } state;
137 uint16_t shiftReg;
138 int bitCnt;
139 int byteCnt;
140 int byteCntMax;
141 int posCnt;
142 uint8_t *output;
143 } Uart;
144
145 /* Receive & handle a bit coming from the reader.
146 *
147 * LED handling:
148 * LED A -> ON once we have received the SOF and are expecting the rest.
149 * LED A -> OFF once we have received EOF or are in error state or unsynced
150 *
151 * Returns: true if we received a EOF
152 * false if we are still waiting for some more
153 */
154 static int Handle14443UartBit(int bit)
155 {
156 switch(Uart.state) {
157 case STATE_UNSYNCD:
158 LED_A_OFF();
159 if(!bit) {
160 // we went low, so this could be the beginning
161 // of an SOF
162 Uart.state = STATE_GOT_FALLING_EDGE_OF_SOF;
163 Uart.posCnt = 0;
164 Uart.bitCnt = 0;
165 }
166 break;
167
168 case STATE_GOT_FALLING_EDGE_OF_SOF:
169 Uart.posCnt++;
170 if(Uart.posCnt == 2) {
171 if(bit) {
172 if(Uart.bitCnt >= 10) {
173 // we've seen enough consecutive
174 // zeros that it's a valid SOF
175 Uart.posCnt = 0;
176 Uart.byteCnt = 0;
177 Uart.state = STATE_AWAITING_START_BIT;
178 LED_A_ON(); // Indicate we got a valid SOF
179 } else {
180 // didn't stay down long enough
181 // before going high, error
182 Uart.state = STATE_ERROR_WAIT;
183 }
184 } else {
185 // do nothing, keep waiting
186 }
187 Uart.bitCnt++;
188 }
189 if(Uart.posCnt >= 4) Uart.posCnt = 0;
190 if(Uart.bitCnt > 14) {
191 // Give up if we see too many zeros without
192 // a one, too.
193 Uart.state = STATE_ERROR_WAIT;
194 }
195 break;
196
197 case STATE_AWAITING_START_BIT:
198 Uart.posCnt++;
199 if(bit) {
200 if(Uart.posCnt > 25) {
201 // stayed high for too long between
202 // characters, error
203 Uart.state = STATE_ERROR_WAIT;
204 }
205 } else {
206 // falling edge, this starts the data byte
207 Uart.posCnt = 0;
208 Uart.bitCnt = 0;
209 Uart.shiftReg = 0;
210 Uart.state = STATE_RECEIVING_DATA;
211 LED_A_ON(); // Indicate we're receiving
212 }
213 break;
214
215 case STATE_RECEIVING_DATA:
216 Uart.posCnt++;
217 if(Uart.posCnt == 2) {
218 // time to sample a bit
219 Uart.shiftReg >>= 1;
220 if(bit) {
221 Uart.shiftReg |= 0x200;
222 }
223 Uart.bitCnt++;
224 }
225 if(Uart.posCnt >= 4) {
226 Uart.posCnt = 0;
227 }
228 if(Uart.bitCnt == 10) {
229 if((Uart.shiftReg & 0x200) && !(Uart.shiftReg & 0x001))
230 {
231 // this is a data byte, with correct
232 // start and stop bits
233 Uart.output[Uart.byteCnt] = (Uart.shiftReg >> 1) & 0xff;
234 Uart.byteCnt++;
235
236 if(Uart.byteCnt >= Uart.byteCntMax) {
237 // Buffer overflowed, give up
238 Uart.posCnt = 0;
239 Uart.state = STATE_ERROR_WAIT;
240 } else {
241 // so get the next byte now
242 Uart.posCnt = 0;
243 Uart.state = STATE_AWAITING_START_BIT;
244 }
245 } else if(Uart.shiftReg == 0x000) {
246 // this is an EOF byte
247 LED_A_OFF(); // Finished receiving
248 return TRUE;
249 } else {
250 // this is an error
251 Uart.posCnt = 0;
252 Uart.state = STATE_ERROR_WAIT;
253 }
254 }
255 break;
256
257 case STATE_ERROR_WAIT:
258 // We're all screwed up, so wait a little while
259 // for whatever went wrong to finish, and then
260 // start over.
261 Uart.posCnt++;
262 if(Uart.posCnt > 10) {
263 Uart.state = STATE_UNSYNCD;
264 }
265 break;
266
267 default:
268 Uart.state = STATE_UNSYNCD;
269 break;
270 }
271
272 // This row make the error blew circular buffer in hf 14b snoop
273 //if (Uart.state == STATE_ERROR_WAIT) LED_A_OFF(); // Error
274
275 return FALSE;
276 }
277
278 //-----------------------------------------------------------------------------
279 // Receive a command (from the reader to us, where we are the simulated tag),
280 // and store it in the given buffer, up to the given maximum length. Keeps
281 // spinning, waiting for a well-framed command, until either we get one
282 // (returns TRUE) or someone presses the pushbutton on the board (FALSE).
283 //
284 // Assume that we're called with the SSC (to the FPGA) and ADC path set
285 // correctly.
286 //-----------------------------------------------------------------------------
287 static int GetIso14443CommandFromReader(uint8_t *received, int *len, int maxLen)
288 {
289 uint8_t mask;
290 int i, bit;
291
292 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
293 // only, since we are receiving, not transmitting).
294 // Signal field is off with the appropriate LED
295 LED_D_OFF();
296 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
297
298
299 // Now run a `software UART' on the stream of incoming samples.
300 Uart.output = received;
301 Uart.byteCntMax = maxLen;
302 Uart.state = STATE_UNSYNCD;
303
304 for(;;) {
305 WDT_HIT();
306
307 if(BUTTON_PRESS()) return FALSE;
308
309 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
310 AT91C_BASE_SSC->SSC_THR = 0x00;
311 }
312 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
313 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
314
315 mask = 0x80;
316 for(i = 0; i < 8; i++, mask >>= 1) {
317 bit = (b & mask);
318 if(Handle14443UartBit(bit)) {
319 *len = Uart.byteCnt;
320 return TRUE;
321 }
322 }
323 }
324 }
325 }
326
327 //-----------------------------------------------------------------------------
328 // Main loop of simulated tag: receive commands from reader, decide what
329 // response to send, and send it.
330 //-----------------------------------------------------------------------------
331 void SimulateIso14443Tag(void)
332 {
333 static const uint8_t cmd1[] = { 0x05, 0x00, 0x08, 0x39, 0x73 };
334 static const uint8_t response1[] = {
335 0x50, 0x82, 0x0d, 0xe1, 0x74, 0x20, 0x38, 0x19, 0x22,
336 0x00, 0x21, 0x85, 0x5e, 0xd7
337 };
338
339 uint8_t *resp;
340 int respLen;
341
342 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
343 int resp1Len;
344
345 uint8_t *receivedCmd = (uint8_t *)BigBuf;
346 int len;
347
348 int i;
349
350 int cmdsRecvd = 0;
351
352 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
353 memset(receivedCmd, 0x44, 400);
354
355 CodeIso14443bAsTag(response1, sizeof(response1));
356 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
357
358 // We need to listen to the high-frequency, peak-detected path.
359 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
360 FpgaSetupSsc();
361
362 cmdsRecvd = 0;
363
364 for(;;) {
365 uint8_t b1, b2;
366
367 if(!GetIso14443CommandFromReader(receivedCmd, &len, 100)) {
368 Dbprintf("button pressed, received %d commands", cmdsRecvd);
369 break;
370 }
371
372 // Good, look at the command now.
373
374 if(len == sizeof(cmd1) && memcmp(receivedCmd, cmd1, len)==0) {
375 resp = resp1; respLen = resp1Len;
376 } else {
377 Dbprintf("new cmd from reader: len=%d, cmdsRecvd=%d", len, cmdsRecvd);
378 // And print whether the CRC fails, just for good measure
379 ComputeCrc14443(CRC_14443_B, receivedCmd, len-2, &b1, &b2);
380 if(b1 != receivedCmd[len-2] || b2 != receivedCmd[len-1]) {
381 // Not so good, try again.
382 DbpString("+++CRC fail");
383 } else {
384 DbpString("CRC passes");
385 }
386 break;
387 }
388
389 memset(receivedCmd, 0x44, 32);
390
391 cmdsRecvd++;
392
393 if(cmdsRecvd > 0x30) {
394 DbpString("many commands later...");
395 break;
396 }
397
398 if(respLen <= 0) continue;
399
400 // Modulate BPSK
401 // Signal field is off with the appropriate LED
402 LED_D_OFF();
403 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK);
404 AT91C_BASE_SSC->SSC_THR = 0xff;
405 FpgaSetupSsc();
406
407 // Transmit the response.
408 i = 0;
409 for(;;) {
410 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
411 uint8_t b = resp[i];
412
413 AT91C_BASE_SSC->SSC_THR = b;
414
415 i++;
416 if(i > respLen) {
417 break;
418 }
419 }
420 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
421 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
422 (void)b;
423 }
424 }
425 }
426 }
427
428 //=============================================================================
429 // An ISO 14443 Type B reader. We take layer two commands, code them
430 // appropriately, and then send them to the tag. We then listen for the
431 // tag's response, which we leave in the buffer to be demodulated on the
432 // PC side.
433 //=============================================================================
434
435 static struct {
436 enum {
437 DEMOD_UNSYNCD,
438 DEMOD_PHASE_REF_TRAINING,
439 DEMOD_AWAITING_FALLING_EDGE_OF_SOF,
440 DEMOD_GOT_FALLING_EDGE_OF_SOF,
441 DEMOD_AWAITING_START_BIT,
442 DEMOD_RECEIVING_DATA,
443 DEMOD_ERROR_WAIT
444 } state;
445 int bitCount;
446 int posCount;
447 int thisBit;
448 int metric;
449 int metricN;
450 uint16_t shiftReg;
451 uint8_t *output;
452 int len;
453 int sumI;
454 int sumQ;
455 } Demod;
456
457 /*
458 * Handles reception of a bit from the tag
459 *
460 * LED handling:
461 * LED C -> ON once we have received the SOF and are expecting the rest.
462 * LED C -> OFF once we have received EOF or are unsynced
463 *
464 * Returns: true if we received a EOF
465 * false if we are still waiting for some more
466 *
467 */
468 static RAMFUNC int Handle14443SamplesDemod(int ci, int cq)
469 {
470 int v;
471
472 // The soft decision on the bit uses an estimate of just the
473 // quadrant of the reference angle, not the exact angle.
474 #define MAKE_SOFT_DECISION() { \
475 if(Demod.sumI > 0) { \
476 v = ci; \
477 } else { \
478 v = -ci; \
479 } \
480 if(Demod.sumQ > 0) { \
481 v += cq; \
482 } else { \
483 v -= cq; \
484 } \
485 }
486
487 switch(Demod.state) {
488 case DEMOD_UNSYNCD:
489 v = ci;
490 if(v < 0) v = -v;
491 if(cq > 0) {
492 v += cq;
493 } else {
494 v -= cq;
495 }
496 if(v > 40) {
497 Demod.posCount = 0;
498 Demod.state = DEMOD_PHASE_REF_TRAINING;
499 Demod.sumI = 0;
500 Demod.sumQ = 0;
501 }
502 break;
503
504 case DEMOD_PHASE_REF_TRAINING:
505 if(Demod.posCount < 8) {
506 Demod.sumI += ci;
507 Demod.sumQ += cq;
508 } else if(Demod.posCount > 100) {
509 // error, waited too long
510 Demod.state = DEMOD_UNSYNCD;
511 } else {
512 MAKE_SOFT_DECISION();
513 if(v < 0) {
514 Demod.state = DEMOD_AWAITING_FALLING_EDGE_OF_SOF;
515 Demod.posCount = 0;
516 }
517 }
518 Demod.posCount++;
519 break;
520
521 case DEMOD_AWAITING_FALLING_EDGE_OF_SOF:
522 MAKE_SOFT_DECISION();
523 if(v < 0) {
524 Demod.state = DEMOD_GOT_FALLING_EDGE_OF_SOF;
525 Demod.posCount = 0;
526 } else {
527 if(Demod.posCount > 100) {
528 Demod.state = DEMOD_UNSYNCD;
529 }
530 }
531 Demod.posCount++;
532 break;
533
534 case DEMOD_GOT_FALLING_EDGE_OF_SOF:
535 MAKE_SOFT_DECISION();
536 if(v > 0) {
537 if(Demod.posCount < 12) {
538 Demod.state = DEMOD_UNSYNCD;
539 } else {
540 LED_C_ON(); // Got SOF
541 Demod.state = DEMOD_AWAITING_START_BIT;
542 Demod.posCount = 0;
543 Demod.len = 0;
544 Demod.metricN = 0;
545 Demod.metric = 0;
546 }
547 } else {
548 if(Demod.posCount > 100) {
549 Demod.state = DEMOD_UNSYNCD;
550 }
551 }
552 Demod.posCount++;
553 break;
554
555 case DEMOD_AWAITING_START_BIT:
556 MAKE_SOFT_DECISION();
557 if(v > 0) {
558 if(Demod.posCount > 10) {
559 Demod.state = DEMOD_UNSYNCD;
560 }
561 } else {
562 Demod.bitCount = 0;
563 Demod.posCount = 1;
564 Demod.thisBit = v;
565 Demod.shiftReg = 0;
566 Demod.state = DEMOD_RECEIVING_DATA;
567 }
568 break;
569
570 case DEMOD_RECEIVING_DATA:
571 MAKE_SOFT_DECISION();
572 if(Demod.posCount == 0) {
573 Demod.thisBit = v;
574 Demod.posCount = 1;
575 } else {
576 Demod.thisBit += v;
577
578 if(Demod.thisBit > 0) {
579 Demod.metric += Demod.thisBit;
580 } else {
581 Demod.metric -= Demod.thisBit;
582 }
583 (Demod.metricN)++;
584
585 Demod.shiftReg >>= 1;
586 if(Demod.thisBit > 0) {
587 Demod.shiftReg |= 0x200;
588 }
589
590 Demod.bitCount++;
591 if(Demod.bitCount == 10) {
592 uint16_t s = Demod.shiftReg;
593 if((s & 0x200) && !(s & 0x001)) {
594 uint8_t b = (s >> 1);
595 Demod.output[Demod.len] = b;
596 Demod.len++;
597 Demod.state = DEMOD_AWAITING_START_BIT;
598 } else if(s == 0x000) {
599 // This is EOF
600 LED_C_OFF();
601 Demod.state = DEMOD_UNSYNCD;
602 return TRUE;
603 } else {
604 Demod.state = DEMOD_UNSYNCD;
605 }
606 }
607 Demod.posCount = 0;
608 }
609 break;
610
611 default:
612 Demod.state = DEMOD_UNSYNCD;
613 break;
614 }
615
616 if (Demod.state == DEMOD_UNSYNCD) LED_C_OFF(); // Not synchronized...
617 return FALSE;
618 }
619
620 static void DemodReset()
621 {
622 // Clear out the state of the "UART" that receives from the tag.
623 Demod.output = ((uint8_t *)BigBuf) + RECV_RESP_OFFSET;
624 Demod.len = 0;
625 Demod.state = DEMOD_UNSYNCD;
626 memset(Demod.output, 0x00, MAX_FRAME_SIZE);
627
628 }
629
630 static void UartReset()
631 {
632 // And the UART that receives from the reader
633 Uart.output = ((uint8_t *)BigBuf) + RECV_CMD_OFFSET;
634 Uart.byteCntMax = MAX_FRAME_SIZE;
635 Uart.state = STATE_UNSYNCD;
636 }
637
638 /*
639 * Demodulate the samples we received from the tag, also log to tracebuffer
640 * weTx: set to 'TRUE' if we behave like a reader
641 * set to 'FALSE' if we behave like a snooper
642 * quiet: set to 'TRUE' to disable debug output
643 */
644 static void GetSamplesFor14443Demod(int weTx, int n, int quiet)
645 {
646 int max = 0;
647 int gotFrame = FALSE;
648
649 int lastRxCounter;
650
651 int ci, cq;
652
653 int samples = 0;
654
655 DemodReset();
656 UartReset();
657
658 // The DMA buffer, used to stream samples from the FPGA
659 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
660 int8_t *upTo= dmaBuf;
661 lastRxCounter = DMA_BUFFER_SIZE;
662 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
663
664 // Signal field is ON with the appropriate LED:
665 if (weTx) LED_D_ON(); else LED_D_OFF();
666 // And put the FPGA in the appropriate mode
667 FpgaWriteConfWord(
668 FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ |
669 (weTx ? 0 : FPGA_HF_READER_RX_XCORR_SNOOP));
670
671 for(;;) {
672 int behindBy = lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR;
673 if(behindBy > max) max = behindBy;
674
675 while(((lastRxCounter-AT91C_BASE_PDC_SSC->PDC_RCR) & (DMA_BUFFER_SIZE-1))
676 > 2)
677 {
678 ci = upTo[0];
679 cq = upTo[1];
680 upTo += 2;
681 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
682 upTo -= DMA_BUFFER_SIZE;
683 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
684 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
685 }
686 lastRxCounter -= 2;
687 if(lastRxCounter <= 0) {
688 lastRxCounter += DMA_BUFFER_SIZE;
689 }
690
691 samples += 2;
692
693 Handle14443UartBit(1);
694 Handle14443UartBit(1);
695
696 if(Handle14443SamplesDemod(ci, cq)) {
697 gotFrame = 1;
698 }
699 }
700
701 if(samples > 2000) {
702 break;
703 }
704 }
705 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
706 if (!quiet) Dbprintf("%x %x %x", max, gotFrame, Demod.len);
707 //Tracing
708 if (tracing && Demod.len > 0) {
709 uint8_t parity[MAX_PARITY_SIZE];
710 GetParity(Demod.output , Demod.len, parity);
711 LogTrace(Demod.output,Demod.len, 0, 0, parity, FALSE);
712 }
713 }
714
715 //-----------------------------------------------------------------------------
716 // Read the tag's response. We just receive a stream of slightly-processed
717 // samples from the FPGA, which we will later do some signal processing on,
718 // to get the bits.
719 //-----------------------------------------------------------------------------
720 /*static void GetSamplesFor14443(int weTx, int n)
721 {
722 uint8_t *dest = (uint8_t *)BigBuf;
723 int c;
724
725 FpgaWriteConfWord(
726 FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ |
727 (weTx ? 0 : FPGA_HF_READER_RX_XCORR_SNOOP));
728
729 c = 0;
730 for(;;) {
731 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
732 AT91C_BASE_SSC->SSC_THR = 0x43;
733 }
734 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
735 int8_t b;
736 b = (int8_t)AT91C_BASE_SSC->SSC_RHR;
737
738 dest[c++] = (uint8_t)b;
739
740 if(c >= n) {
741 break;
742 }
743 }
744 }
745 }*/
746
747 //-----------------------------------------------------------------------------
748 // Transmit the command (to the tag) that was placed in ToSend[].
749 //-----------------------------------------------------------------------------
750 static void TransmitFor14443(void)
751 {
752 int c;
753
754 FpgaSetupSsc();
755
756 while(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
757 AT91C_BASE_SSC->SSC_THR = 0xff;
758 }
759
760 // Signal field is ON with the appropriate Red LED
761 LED_D_ON();
762 // Signal we are transmitting with the Green LED
763 LED_B_ON();
764 FpgaWriteConfWord(
765 FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
766
767 for(c = 0; c < 10;) {
768 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
769 AT91C_BASE_SSC->SSC_THR = 0xff;
770 c++;
771 }
772 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
773 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
774 (void)r;
775 }
776 WDT_HIT();
777 }
778
779 c = 0;
780 for(;;) {
781 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
782 AT91C_BASE_SSC->SSC_THR = ToSend[c];
783 c++;
784 if(c >= ToSendMax) {
785 break;
786 }
787 }
788 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
789 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
790 (void)r;
791 }
792 WDT_HIT();
793 }
794 LED_B_OFF(); // Finished sending
795 }
796
797 //-----------------------------------------------------------------------------
798 // Code a layer 2 command (string of octets, including CRC) into ToSend[],
799 // so that it is ready to transmit to the tag using TransmitFor14443().
800 //-----------------------------------------------------------------------------
801 static void CodeIso14443bAsReader(const uint8_t *cmd, int len)
802 {
803 int i, j;
804 uint8_t b;
805
806 ToSendReset();
807
808 // Establish initial reference level
809 for(i = 0; i < 40; i++) {
810 ToSendStuffBit(1);
811 }
812 // Send SOF
813 for(i = 0; i < 10; i++) {
814 ToSendStuffBit(0);
815 }
816
817 for(i = 0; i < len; i++) {
818 // Stop bits/EGT
819 ToSendStuffBit(1);
820 ToSendStuffBit(1);
821 // Start bit
822 ToSendStuffBit(0);
823 // Data bits
824 b = cmd[i];
825 for(j = 0; j < 8; j++) {
826 if(b & 1) {
827 ToSendStuffBit(1);
828 } else {
829 ToSendStuffBit(0);
830 }
831 b >>= 1;
832 }
833 }
834 // Send EOF
835 ToSendStuffBit(1);
836 for(i = 0; i < 10; i++) {
837 ToSendStuffBit(0);
838 }
839 for(i = 0; i < 8; i++) {
840 ToSendStuffBit(1);
841 }
842
843 // And then a little more, to make sure that the last character makes
844 // it out before we switch to rx mode.
845 for(i = 0; i < 24; i++) {
846 ToSendStuffBit(1);
847 }
848
849 // Convert from last character reference to length
850 ToSendMax++;
851 }
852
853 //-----------------------------------------------------------------------------
854 // Read an ISO 14443 tag. We send it some set of commands, and record the
855 // responses.
856 // The command name is misleading, it actually decodes the reponse in HEX
857 // into the output buffer (read the result using hexsamples, not hisamples)
858 //
859 // obsolete function only for test
860 //-----------------------------------------------------------------------------
861 void AcquireRawAdcSamplesIso14443(uint32_t parameter)
862 {
863 uint8_t cmd1[] = { 0x05, 0x00, 0x08, 0x39, 0x73 };
864
865 SendRawCommand14443B(sizeof(cmd1),1,1,cmd1);
866 }
867
868 /**
869 Convenience function to encode, transmit and trace iso 14443b comms
870 **/
871 static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len)
872 {
873 CodeIso14443bAsReader(cmd, len);
874 TransmitFor14443();
875 if (tracing) {
876 uint8_t parity[MAX_PARITY_SIZE];
877 GetParity(cmd, len, parity);
878 LogTrace(cmd,len, 0, 0, parity, TRUE);
879 }
880 }
881
882 //-----------------------------------------------------------------------------
883 // Read a SRI512 ISO 14443 tag.
884 //
885 // SRI512 tags are just simple memory tags, here we're looking at making a dump
886 // of the contents of the memory. No anticollision algorithm is done, we assume
887 // we have a single tag in the field.
888 //
889 // I tried to be systematic and check every answer of the tag, every CRC, etc...
890 //-----------------------------------------------------------------------------
891 void ReadSTMemoryIso14443(uint32_t dwLast)
892 {
893 clear_trace();
894 set_tracing(TRUE);
895
896 uint8_t i = 0x00;
897
898 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
899 // Make sure that we start from off, since the tags are stateful;
900 // confusing things will happen if we don't reset them between reads.
901 LED_D_OFF();
902 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
903 SpinDelay(200);
904
905 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
906 FpgaSetupSsc();
907
908 // Now give it time to spin up.
909 // Signal field is on with the appropriate LED
910 LED_D_ON();
911 FpgaWriteConfWord(
912 FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
913 SpinDelay(200);
914
915 // First command: wake up the tag using the INITIATE command
916 uint8_t cmd1[] = { 0x06, 0x00, 0x97, 0x5b};
917
918 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
919 // LED_A_ON();
920 GetSamplesFor14443Demod(TRUE, 2000,TRUE);
921 // LED_A_OFF();
922
923 if (Demod.len == 0) {
924 DbpString("No response from tag");
925 return;
926 } else {
927 Dbprintf("Randomly generated UID from tag (+ 2 byte CRC): %x %x %x",
928 Demod.output[0], Demod.output[1],Demod.output[2]);
929 }
930 // There is a response, SELECT the uid
931 DbpString("Now SELECT tag:");
932 cmd1[0] = 0x0E; // 0x0E is SELECT
933 cmd1[1] = Demod.output[0];
934 ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
935 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
936
937 // LED_A_ON();
938 GetSamplesFor14443Demod(TRUE, 2000,TRUE);
939 // LED_A_OFF();
940 if (Demod.len != 3) {
941 Dbprintf("Expected 3 bytes from tag, got %d", Demod.len);
942 return;
943 }
944 // Check the CRC of the answer:
945 ComputeCrc14443(CRC_14443_B, Demod.output, 1 , &cmd1[2], &cmd1[3]);
946 if(cmd1[2] != Demod.output[1] || cmd1[3] != Demod.output[2]) {
947 DbpString("CRC Error reading select response.");
948 return;
949 }
950 // Check response from the tag: should be the same UID as the command we just sent:
951 if (cmd1[1] != Demod.output[0]) {
952 Dbprintf("Bad response to SELECT from Tag, aborting: %x %x", cmd1[1], Demod.output[0]);
953 return;
954 }
955 // Tag is now selected,
956 // First get the tag's UID:
957 cmd1[0] = 0x0B;
958 ComputeCrc14443(CRC_14443_B, cmd1, 1 , &cmd1[1], &cmd1[2]);
959 CodeAndTransmit14443bAsReader(cmd1, 3); // Only first three bytes for this one
960
961 // LED_A_ON();
962 GetSamplesFor14443Demod(TRUE, 2000,TRUE);
963 // LED_A_OFF();
964 if (Demod.len != 10) {
965 Dbprintf("Expected 10 bytes from tag, got %d", Demod.len);
966 return;
967 }
968 // The check the CRC of the answer (use cmd1 as temporary variable):
969 ComputeCrc14443(CRC_14443_B, Demod.output, 8, &cmd1[2], &cmd1[3]);
970 if(cmd1[2] != Demod.output[8] || cmd1[3] != Demod.output[9]) {
971 Dbprintf("CRC Error reading block! - Below: expected, got %x %x",
972 (cmd1[2]<<8)+cmd1[3], (Demod.output[8]<<8)+Demod.output[9]);
973 // Do not return;, let's go on... (we should retry, maybe ?)
974 }
975 Dbprintf("Tag UID (64 bits): %08x %08x",
976 (Demod.output[7]<<24) + (Demod.output[6]<<16) + (Demod.output[5]<<8) + Demod.output[4],
977 (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0]);
978
979 // Now loop to read all 16 blocks, address from 0 to last block
980 Dbprintf("Tag memory dump, block 0 to %d",dwLast);
981 cmd1[0] = 0x08;
982 i = 0x00;
983 dwLast++;
984 for (;;) {
985 if (i == dwLast) {
986 DbpString("System area block (0xff):");
987 i = 0xff;
988 }
989 cmd1[1] = i;
990 ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
991 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
992
993 // LED_A_ON();
994 GetSamplesFor14443Demod(TRUE, 2000,TRUE);
995 // LED_A_OFF();
996 if (Demod.len != 6) { // Check if we got an answer from the tag
997 DbpString("Expected 6 bytes from tag, got less...");
998 return;
999 }
1000 // The check the CRC of the answer (use cmd1 as temporary variable):
1001 ComputeCrc14443(CRC_14443_B, Demod.output, 4, &cmd1[2], &cmd1[3]);
1002 if(cmd1[2] != Demod.output[4] || cmd1[3] != Demod.output[5]) {
1003 Dbprintf("CRC Error reading block! - Below: expected, got %x %x",
1004 (cmd1[2]<<8)+cmd1[3], (Demod.output[4]<<8)+Demod.output[5]);
1005 // Do not return;, let's go on... (we should retry, maybe ?)
1006 }
1007 // Now print out the memory location:
1008 Dbprintf("Address=%x, Contents=%x, CRC=%x", i,
1009 (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0],
1010 (Demod.output[4]<<8)+Demod.output[5]);
1011 if (i == 0xff) {
1012 break;
1013 }
1014 i++;
1015 }
1016 }
1017
1018
1019 //=============================================================================
1020 // Finally, the `sniffer' combines elements from both the reader and
1021 // simulated tag, to show both sides of the conversation.
1022 //=============================================================================
1023
1024 //-----------------------------------------------------------------------------
1025 // Record the sequence of commands sent by the reader to the tag, with
1026 // triggering so that we start recording at the point that the tag is moved
1027 // near the reader.
1028 //-----------------------------------------------------------------------------
1029 /*
1030 * Memory usage for this function, (within BigBuf)
1031 * 0-4095 : Demodulated samples receive (4096 bytes) - DEMOD_TRACE_SIZE
1032 * 4096-6143 : Last Received command, 2048 bytes (reader->tag) - READER_TAG_BUFFER_SIZE
1033 * 6144-8191 : Last Received command, 2048 bytes(tag->reader) - TAG_READER_BUFFER_SIZE
1034 * 8192-9215 : DMA Buffer, 1024 bytes (samples) - DEMOD_DMA_BUFFER_SIZE
1035 */
1036 void RAMFUNC SnoopIso14443(void)
1037 {
1038 // We won't start recording the frames that we acquire until we trigger;
1039 // a good trigger condition to get started is probably when we see a
1040 // response from the tag.
1041 int triggered = TRUE;
1042
1043 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1044
1045 clear_trace();
1046 set_tracing(TRUE);
1047
1048 // The DMA buffer, used to stream samples from the FPGA.
1049 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
1050 int lastRxCounter;
1051 int8_t *upTo;
1052 int ci, cq;
1053 int maxBehindBy = 0;
1054
1055 // Count of samples received so far, so that we can include timing
1056 // information in the trace buffer.
1057 int samples = 0;
1058
1059 DemodReset();
1060 UartReset();
1061
1062 // Print some debug information about the buffer sizes
1063 Dbprintf("Snooping buffers initialized:");
1064 Dbprintf(" Trace: %i bytes", TRACE_SIZE);
1065 Dbprintf(" Reader -> tag: %i bytes", MAX_FRAME_SIZE);
1066 Dbprintf(" tag -> Reader: %i bytes", MAX_FRAME_SIZE);
1067 Dbprintf(" DMA: %i bytes", DMA_BUFFER_SIZE);
1068
1069 // Signal field is off with the appropriate LED
1070 LED_D_OFF();
1071
1072 // And put the FPGA in the appropriate mode
1073 FpgaWriteConfWord(
1074 FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ |
1075 FPGA_HF_READER_RX_XCORR_SNOOP);
1076 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1077
1078 // Setup for the DMA.
1079 FpgaSetupSsc();
1080 upTo = dmaBuf;
1081 lastRxCounter = DMA_BUFFER_SIZE;
1082 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
1083 uint8_t parity[MAX_PARITY_SIZE];
1084 LED_A_ON();
1085
1086 // And now we loop, receiving samples.
1087 for(;;) {
1088 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
1089 (DMA_BUFFER_SIZE-1);
1090 if(behindBy > maxBehindBy) {
1091 maxBehindBy = behindBy;
1092 if(behindBy > (DMA_BUFFER_SIZE-2)) { // TODO: understand whether we can increase/decrease as we want or not?
1093 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
1094 break;
1095 }
1096 }
1097 if(behindBy < 2) continue;
1098
1099 ci = upTo[0];
1100 cq = upTo[1];
1101 upTo += 2;
1102 lastRxCounter -= 2;
1103 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
1104 upTo -= DMA_BUFFER_SIZE;
1105 lastRxCounter += DMA_BUFFER_SIZE;
1106 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
1107 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
1108 }
1109
1110 samples += 2;
1111
1112 if(Handle14443UartBit(ci & 1)) {
1113 if(triggered && tracing) {
1114 GetParity(Uart.output, Uart.byteCnt, parity);
1115 LogTrace(Uart.output,Uart.byteCnt,samples, samples,parity,TRUE);
1116 }
1117 /* And ready to receive another command. */
1118 UartReset();
1119 /* And also reset the demod code, which might have been */
1120 /* false-triggered by the commands from the reader. */
1121 DemodReset();
1122 }
1123 if(Handle14443UartBit(cq & 1)) {
1124 if(triggered && tracing) {
1125 GetParity(Uart.output, Uart.byteCnt, parity);
1126 LogTrace(Uart.output,Uart.byteCnt,samples, samples,parity,TRUE);
1127 }
1128 /* And ready to receive another command. */
1129 UartReset();
1130 /* And also reset the demod code, which might have been */
1131 /* false-triggered by the commands from the reader. */
1132 DemodReset();
1133 }
1134
1135 if(Handle14443SamplesDemod(ci, cq)) {
1136
1137 //Use samples as a time measurement
1138 if(tracing)
1139 {
1140 uint8_t parity[MAX_PARITY_SIZE];
1141 GetParity(Demod.output, Demod.len, parity);
1142 LogTrace(Demod.output,Demod.len,samples, samples,parity,FALSE);
1143 }
1144 triggered = TRUE;
1145 LED_A_OFF();
1146 LED_B_ON();
1147
1148 // And ready to receive another response.
1149 DemodReset();
1150 }
1151 WDT_HIT();
1152
1153 if(!tracing) {
1154 DbpString("Reached trace limit");
1155 break;
1156 }
1157
1158 if(BUTTON_PRESS()) {
1159 DbpString("cancelled");
1160 break;
1161 }
1162 }
1163 FpgaDisableSscDma();
1164 LED_A_OFF();
1165 LED_B_OFF();
1166 LED_C_OFF();
1167 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
1168 DbpString("Snoop statistics:");
1169 Dbprintf(" Max behind by: %i", maxBehindBy);
1170 Dbprintf(" Uart State: %x", Uart.state);
1171 Dbprintf(" Uart ByteCnt: %i", Uart.byteCnt);
1172 Dbprintf(" Uart ByteCntMax: %i", Uart.byteCntMax);
1173 Dbprintf(" Trace length: %i", traceLen);
1174 }
1175
1176 /*
1177 * Send raw command to tag ISO14443B
1178 * @Input
1179 * datalen len of buffer data
1180 * recv bool when true wait for data from tag and send to client
1181 * powerfield bool leave the field on when true
1182 * data buffer with byte to send
1183 *
1184 * @Output
1185 * none
1186 *
1187 */
1188
1189 void SendRawCommand14443B(uint32_t datalen, uint32_t recv,uint8_t powerfield, uint8_t data[])
1190 {
1191 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1192 if(!powerfield)
1193 {
1194 // Make sure that we start from off, since the tags are stateful;
1195 // confusing things will happen if we don't reset them between reads.
1196 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1197 LED_D_OFF();
1198 SpinDelay(200);
1199 }
1200
1201 if(!GETBIT(GPIO_LED_D))
1202 {
1203 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1204 FpgaSetupSsc();
1205
1206 // Now give it time to spin up.
1207 // Signal field is on with the appropriate LED
1208 LED_D_ON();
1209 FpgaWriteConfWord(
1210 FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
1211 SpinDelay(200);
1212 }
1213
1214 CodeAndTransmit14443bAsReader(data, datalen);
1215
1216 if(recv)
1217 {
1218 uint16_t iLen = MIN(Demod.len,USB_CMD_DATA_SIZE);
1219 GetSamplesFor14443Demod(TRUE, 2000, TRUE);
1220 cmd_send(CMD_ACK,iLen,0,0,Demod.output,iLen);
1221 }
1222 if(!powerfield)
1223 {
1224 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1225 LED_D_OFF();
1226 }
1227 }
1228
Proxmark3 GIT tracking
Impressum, Datenschutz