]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iclass.c
projects / proxmark3-svn / blob
? search:


430597c116db891c0fa0cbfe7ee2a2a7fd303fcd
[proxmark3-svn] / armsrc / iclass.c
1 //-----------------------------------------------------------------------------
2 // Gerhard de Koning Gans - May 2008
3 // Hagen Fritsch - June 2010
4 // Gerhard de Koning Gans - May 2011
5 // Gerhard de Koning Gans - June 2012 - Added iClass card and reader emulation
6 //
7 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
8 // at your option, any later version. See the LICENSE.txt file for the text of
9 // the license.
10 //-----------------------------------------------------------------------------
11 // Routines to support iClass.
12 //-----------------------------------------------------------------------------
13 // Based on ISO14443a implementation. Still in experimental phase.
14 // Contribution made during a security research at Radboud University Nijmegen
15 //
16 // Please feel free to contribute and extend iClass support!!
17 //-----------------------------------------------------------------------------
18 //
19 // FIX:
20 // ====
21 // We still have sometimes a demodulation error when snooping iClass communication.
22 // The resulting trace of a read-block-03 command may look something like this:
23 //
24 // + 22279: : 0c 03 e8 01
25 //
26 // ...with an incorrect answer...
27 //
28 // + 85: 0: TAG ff! ff! ff! ff! ff! ff! ff! ff! bb 33 bb 00 01! 0e! 04! bb !crc
29 //
30 // We still left the error signalling bytes in the traces like 0xbb
31 //
32 // A correct trace should look like this:
33 //
34 // + 21112: : 0c 03 e8 01
35 // + 85: 0: TAG ff ff ff ff ff ff ff ff ea f5
36 //
37 //-----------------------------------------------------------------------------
38
39 #include "iclass.h"
40
41 #include "proxmark3.h"
42 #include "apps.h"
43 #include "util.h"
44 #include "string.h"
45 #include "printf.h"
46 #include "common.h"
47 #include "cmd.h"
48 #include "iso14443a.h"
49 #include "iso15693.h"
50 // Needed for CRC in emulation mode;
51 // same construction as in ISO 14443;
52 // different initial value (CRC_ICLASS)
53 #include "iso14443crc.h"
54 #include "iso15693tools.h"
55 #include "protocols.h"
56 #include "optimized_cipher.h"
57 #include "usb_cdc.h" // for usb_poll_validate_length
58 #include "fpgaloader.h"
59
60 // iCLASS has a slightly different timing compared to ISO15693. According to the picopass data sheet the tag response is expected 330us after
61 // the reader command. This is measured from end of reader EOF to first modulation of the tag's SOF which starts with a 56,64us unmodulated period.
62 // 330us = 140 ssp_clk cycles @ 423,75kHz when simulating.
63 // 56,64us = 24 ssp_clk_cycles
64 #define DELAY_ICLASS_VCD_TO_VICC_SIM (140 - 24)
65 // times in ssp_clk_cycles @ 3,3625MHz when acting as reader
66 #define DELAY_ICLASS_VICC_TO_VCD_READER DELAY_ISO15693_VICC_TO_VCD_READER
67 // times in samples @ 212kHz when acting as reader
68 #define ICLASS_READER_TIMEOUT_ACTALL 330 // 1558us, nominal 330us + 7slots*160us = 1450us
69 #define ICLASS_READER_TIMEOUT_UPDATE 3390 // 16000us, nominal 4-15ms
70 #define ICLASS_READER_TIMEOUT_OTHERS 80 // 380us, nominal 330us
71
72
73 //-----------------------------------------------------------------------------
74 // The software UART that receives commands from the reader, and its state
75 // variables.
76 //-----------------------------------------------------------------------------
77 static struct {
78 enum {
79 STATE_UNSYNCD,
80 STATE_START_OF_COMMUNICATION,
81 STATE_RECEIVING
82 } state;
83 uint16_t shiftReg;
84 int bitCnt;
85 int byteCnt;
86 int byteCntMax;
87 int posCnt;
88 int nOutOfCnt;
89 int OutOfCnt;
90 int syncBit;
91 int samples;
92 int highCnt;
93 int swapper;
94 int counter;
95 int bitBuffer;
96 int dropPosition;
97 uint8_t *output;
98 } Uart;
99
100 static RAMFUNC int OutOfNDecoding(int bit) {
101 //int error = 0;
102 int bitright;
103
104 if (!Uart.bitBuffer) {
105 Uart.bitBuffer = bit ^ 0xFF0;
106 return false;
107 } else {
108 Uart.bitBuffer <<= 4;
109 Uart.bitBuffer ^= bit;
110 }
111
112 /*if (Uart.swapper) {
113 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
114 Uart.byteCnt++;
115 Uart.swapper = 0;
116 if (Uart.byteCnt > 15) { return true; }
117 }
118 else {
119 Uart.swapper = 1;
120 }*/
121
122 if (Uart.state != STATE_UNSYNCD) {
123 Uart.posCnt++;
124
125 if ((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
126 bit = 0x00;
127 } else {
128 bit = 0x01;
129 }
130 if (((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
131 bitright = 0x00;
132 } else {
133 bitright = 0x01;
134 }
135 if (bit != bitright) {
136 bit = bitright;
137 }
138
139
140 // So, now we only have to deal with *bit*, lets see...
141 if (Uart.posCnt == 1) {
142 // measurement first half bitperiod
143 if (!bit) {
144 // Drop in first half means that we are either seeing
145 // an SOF or an EOF.
146
147 if (Uart.nOutOfCnt == 1) {
148 // End of Communication
149 Uart.state = STATE_UNSYNCD;
150 Uart.highCnt = 0;
151 if (Uart.byteCnt == 0) {
152 // Its not straightforward to show single EOFs
153 // So just leave it and do not return true
154 Uart.output[0] = 0xf0;
155 Uart.byteCnt++;
156 } else {
157 return true;
158 }
159 } else if (Uart.state != STATE_START_OF_COMMUNICATION) {
160 // When not part of SOF or EOF, it is an error
161 Uart.state = STATE_UNSYNCD;
162 Uart.highCnt = 0;
163 //error = 4;
164 }
165 }
166 } else {
167 // measurement second half bitperiod
168 // Count the bitslot we are in... (ISO 15693)
169 Uart.nOutOfCnt++;
170
171 if (!bit) {
172 if (Uart.dropPosition) {
173 if (Uart.state == STATE_START_OF_COMMUNICATION) {
174 //error = 1;
175 } else {
176 //error = 7;
177 }
178 // It is an error if we already have seen a drop in current frame
179 Uart.state = STATE_UNSYNCD;
180 Uart.highCnt = 0;
181 } else {
182 Uart.dropPosition = Uart.nOutOfCnt;
183 }
184 }
185
186 Uart.posCnt = 0;
187
188
189 if (Uart.nOutOfCnt == Uart.OutOfCnt && Uart.OutOfCnt == 4) {
190 Uart.nOutOfCnt = 0;
191
192 if (Uart.state == STATE_START_OF_COMMUNICATION) {
193 if (Uart.dropPosition == 4) {
194 Uart.state = STATE_RECEIVING;
195 Uart.OutOfCnt = 256;
196 } else if (Uart.dropPosition == 3) {
197 Uart.state = STATE_RECEIVING;
198 Uart.OutOfCnt = 4;
199 //Uart.output[Uart.byteCnt] = 0xdd;
200 //Uart.byteCnt++;
201 } else {
202 Uart.state = STATE_UNSYNCD;
203 Uart.highCnt = 0;
204 }
205 Uart.dropPosition = 0;
206 } else {
207 // RECEIVING DATA
208 // 1 out of 4
209 if (!Uart.dropPosition) {
210 Uart.state = STATE_UNSYNCD;
211 Uart.highCnt = 0;
212 //error = 9;
213 } else {
214 Uart.shiftReg >>= 2;
215
216 // Swap bit order
217 Uart.dropPosition--;
218 //if (Uart.dropPosition == 1) { Uart.dropPosition = 2; }
219 //else if (Uart.dropPosition == 2) { Uart.dropPosition = 1; }
220
221 Uart.shiftReg ^= ((Uart.dropPosition & 0x03) << 6);
222 Uart.bitCnt += 2;
223 Uart.dropPosition = 0;
224
225 if (Uart.bitCnt == 8) {
226 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
227 Uart.byteCnt++;
228 Uart.bitCnt = 0;
229 Uart.shiftReg = 0;
230 }
231 }
232 }
233 } else if (Uart.nOutOfCnt == Uart.OutOfCnt) {
234 // RECEIVING DATA
235 // 1 out of 256
236 if (!Uart.dropPosition) {
237 Uart.state = STATE_UNSYNCD;
238 Uart.highCnt = 0;
239 //error = 3;
240 } else {
241 Uart.dropPosition--;
242 Uart.output[Uart.byteCnt] = (Uart.dropPosition & 0xff);
243 Uart.byteCnt++;
244 Uart.bitCnt = 0;
245 Uart.shiftReg = 0;
246 Uart.nOutOfCnt = 0;
247 Uart.dropPosition = 0;
248 }
249 }
250
251 /*if (error) {
252 Uart.output[Uart.byteCnt] = 0xAA;
253 Uart.byteCnt++;
254 Uart.output[Uart.byteCnt] = error & 0xFF;
255 Uart.byteCnt++;
256 Uart.output[Uart.byteCnt] = 0xAA;
257 Uart.byteCnt++;
258 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
259 Uart.byteCnt++;
260 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
261 Uart.byteCnt++;
262 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
263 Uart.byteCnt++;
264 Uart.output[Uart.byteCnt] = 0xAA;
265 Uart.byteCnt++;
266 return true;
267 }*/
268 }
269
270 } else {
271 bit = Uart.bitBuffer & 0xf0;
272 bit >>= 4;
273 bit ^= 0x0F; // drops become 1s ;-)
274 if (bit) {
275 // should have been high or at least (4 * 128) / fc
276 // according to ISO this should be at least (9 * 128 + 20) / fc
277 if (Uart.highCnt == 8) {
278 // we went low, so this could be start of communication
279 // it turns out to be safer to choose a less significant
280 // syncbit... so we check whether the neighbour also represents the drop
281 Uart.posCnt = 1; // apparently we are busy with our first half bit period
282 Uart.syncBit = bit & 8;
283 Uart.samples = 3;
284 if (!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
285 else if (bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
286 if (!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
287 else if (bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
288 if (!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
289 if (Uart.syncBit && (Uart.bitBuffer & 8)) {
290 Uart.syncBit = 8;
291
292 // the first half bit period is expected in next sample
293 Uart.posCnt = 0;
294 Uart.samples = 3;
295 }
296 } else if (bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
297
298 Uart.syncBit <<= 4;
299 Uart.state = STATE_START_OF_COMMUNICATION;
300 Uart.bitCnt = 0;
301 Uart.byteCnt = 0;
302 Uart.nOutOfCnt = 0;
303 Uart.OutOfCnt = 4; // Start at 1/4, could switch to 1/256
304 Uart.dropPosition = 0;
305 Uart.shiftReg = 0;
306 //error = 0;
307 } else {
308 Uart.highCnt = 0;
309 }
310 } else if (Uart.highCnt < 8) {
311 Uart.highCnt++;
312 }
313 }
314
315 return false;
316 }
317
318
319 //=============================================================================
320 // Manchester
321 //=============================================================================
322
323 static struct {
324 enum {
325 DEMOD_UNSYNCD,
326 DEMOD_START_OF_COMMUNICATION,
327 DEMOD_START_OF_COMMUNICATION2,
328 DEMOD_START_OF_COMMUNICATION3,
329 DEMOD_SOF_COMPLETE,
330 DEMOD_MANCHESTER_D,
331 DEMOD_MANCHESTER_E,
332 DEMOD_END_OF_COMMUNICATION,
333 DEMOD_END_OF_COMMUNICATION2,
334 DEMOD_MANCHESTER_F,
335 DEMOD_ERROR_WAIT
336 } state;
337 int bitCount;
338 int posCount;
339 int syncBit;
340 uint16_t shiftReg;
341 int buffer;
342 int buffer2;
343 int buffer3;
344 int buff;
345 int samples;
346 int len;
347 enum {
348 SUB_NONE,
349 SUB_FIRST_HALF,
350 SUB_SECOND_HALF,
351 SUB_BOTH
352 } sub;
353 uint8_t *output;
354 } Demod;
355
356 static RAMFUNC int ManchesterDecoding(int v) {
357 int bit;
358 int modulation;
359 int error = 0;
360
361 bit = Demod.buffer;
362 Demod.buffer = Demod.buffer2;
363 Demod.buffer2 = Demod.buffer3;
364 Demod.buffer3 = v;
365
366 if (Demod.buff < 3) {
367 Demod.buff++;
368 return false;
369 }
370
371 if (Demod.state==DEMOD_UNSYNCD) {
372 Demod.output[Demod.len] = 0xfa;
373 Demod.syncBit = 0;
374 //Demod.samples = 0;
375 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
376
377 if (bit & 0x08) {
378 Demod.syncBit = 0x08;
379 }
380
381 if (bit & 0x04) {
382 if (Demod.syncBit) {
383 bit <<= 4;
384 }
385 Demod.syncBit = 0x04;
386 }
387
388 if (bit & 0x02) {
389 if (Demod.syncBit) {
390 bit <<= 2;
391 }
392 Demod.syncBit = 0x02;
393 }
394
395 if (bit & 0x01 && Demod.syncBit) {
396 Demod.syncBit = 0x01;
397 }
398
399 if (Demod.syncBit) {
400 Demod.len = 0;
401 Demod.state = DEMOD_START_OF_COMMUNICATION;
402 Demod.sub = SUB_FIRST_HALF;
403 Demod.bitCount = 0;
404 Demod.shiftReg = 0;
405 Demod.samples = 0;
406 if (Demod.posCount) {
407 switch (Demod.syncBit) {
408 case 0x08: Demod.samples = 3; break;
409 case 0x04: Demod.samples = 2; break;
410 case 0x02: Demod.samples = 1; break;
411 case 0x01: Demod.samples = 0; break;
412 }
413 // SOF must be long burst... otherwise stay unsynced!!!
414 if (!(Demod.buffer & Demod.syncBit) || !(Demod.buffer2 & Demod.syncBit)) {
415 Demod.state = DEMOD_UNSYNCD;
416 }
417 } else {
418 // SOF must be long burst... otherwise stay unsynced!!!
419 if (!(Demod.buffer2 & Demod.syncBit) || !(Demod.buffer3 & Demod.syncBit)) {
420 Demod.state = DEMOD_UNSYNCD;
421 error = 0x88;
422 }
423
424 }
425 error = 0;
426
427 }
428 } else {
429 // state is DEMOD is in SYNC from here on.
430 modulation = bit & Demod.syncBit;
431 modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
432
433 Demod.samples += 4;
434
435 if (Demod.posCount == 0) {
436 Demod.posCount = 1;
437 if (modulation) {
438 Demod.sub = SUB_FIRST_HALF;
439 } else {
440 Demod.sub = SUB_NONE;
441 }
442 } else {
443 Demod.posCount = 0;
444 if (modulation) {
445 if (Demod.sub == SUB_FIRST_HALF) {
446 Demod.sub = SUB_BOTH;
447 } else {
448 Demod.sub = SUB_SECOND_HALF;
449 }
450 } else if (Demod.sub == SUB_NONE) {
451 if (Demod.state == DEMOD_SOF_COMPLETE) {
452 Demod.output[Demod.len] = 0x0f;
453 Demod.len++;
454 Demod.state = DEMOD_UNSYNCD;
455 return true;
456 } else {
457 Demod.state = DEMOD_ERROR_WAIT;
458 error = 0x33;
459 }
460 }
461
462 switch(Demod.state) {
463 case DEMOD_START_OF_COMMUNICATION:
464 if (Demod.sub == SUB_BOTH) {
465 Demod.state = DEMOD_START_OF_COMMUNICATION2;
466 Demod.posCount = 1;
467 Demod.sub = SUB_NONE;
468 } else {
469 Demod.output[Demod.len] = 0xab;
470 Demod.state = DEMOD_ERROR_WAIT;
471 error = 0xd2;
472 }
473 break;
474 case DEMOD_START_OF_COMMUNICATION2:
475 if (Demod.sub == SUB_SECOND_HALF) {
476 Demod.state = DEMOD_START_OF_COMMUNICATION3;
477 } else {
478 Demod.output[Demod.len] = 0xab;
479 Demod.state = DEMOD_ERROR_WAIT;
480 error = 0xd3;
481 }
482 break;
483 case DEMOD_START_OF_COMMUNICATION3:
484 if (Demod.sub == SUB_SECOND_HALF) {
485 Demod.state = DEMOD_SOF_COMPLETE;
486 } else {
487 Demod.output[Demod.len] = 0xab;
488 Demod.state = DEMOD_ERROR_WAIT;
489 error = 0xd4;
490 }
491 break;
492 case DEMOD_SOF_COMPLETE:
493 case DEMOD_MANCHESTER_D:
494 case DEMOD_MANCHESTER_E:
495 // OPPOSITE FROM ISO14443 - 11110000 = 0 (1 in 14443)
496 // 00001111 = 1 (0 in 14443)
497 if (Demod.sub == SUB_SECOND_HALF) { // SUB_FIRST_HALF
498 Demod.bitCount++;
499 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
500 Demod.state = DEMOD_MANCHESTER_D;
501 } else if (Demod.sub == SUB_FIRST_HALF) { // SUB_SECOND_HALF
502 Demod.bitCount++;
503 Demod.shiftReg >>= 1;
504 Demod.state = DEMOD_MANCHESTER_E;
505 } else if (Demod.sub == SUB_BOTH) {
506 Demod.state = DEMOD_MANCHESTER_F;
507 } else {
508 Demod.state = DEMOD_ERROR_WAIT;
509 error = 0x55;
510 }
511 break;
512
513 case DEMOD_MANCHESTER_F:
514 // Tag response does not need to be a complete byte!
515 if (Demod.len > 0 || Demod.bitCount > 0) {
516 if (Demod.bitCount > 1) { // was > 0, do not interpret last closing bit, is part of EOF
517 Demod.shiftReg >>= (9 - Demod.bitCount); // right align data
518 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
519 Demod.len++;
520 }
521
522 Demod.state = DEMOD_UNSYNCD;
523 return true;
524 } else {
525 Demod.output[Demod.len] = 0xad;
526 Demod.state = DEMOD_ERROR_WAIT;
527 error = 0x03;
528 }
529 break;
530
531 case DEMOD_ERROR_WAIT:
532 Demod.state = DEMOD_UNSYNCD;
533 break;
534
535 default:
536 Demod.output[Demod.len] = 0xdd;
537 Demod.state = DEMOD_UNSYNCD;
538 break;
539 }
540
541 if (Demod.bitCount >= 8) {
542 Demod.shiftReg >>= 1;
543 Demod.output[Demod.len] = (Demod.shiftReg & 0xff);
544 Demod.len++;
545 Demod.bitCount = 0;
546 Demod.shiftReg = 0;
547 }
548
549 if (error) {
550 Demod.output[Demod.len] = 0xBB;
551 Demod.len++;
552 Demod.output[Demod.len] = error & 0xFF;
553 Demod.len++;
554 Demod.output[Demod.len] = 0xBB;
555 Demod.len++;
556 Demod.output[Demod.len] = bit & 0xFF;
557 Demod.len++;
558 Demod.output[Demod.len] = Demod.buffer & 0xFF;
559 Demod.len++;
560 // Look harder ;-)
561 Demod.output[Demod.len] = Demod.buffer2 & 0xFF;
562 Demod.len++;
563 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
564 Demod.len++;
565 Demod.output[Demod.len] = 0xBB;
566 Demod.len++;
567 return true;
568 }
569
570 }
571
572 } // end (state != UNSYNCED)
573
574 return false;
575 }
576
577 //=============================================================================
578 // Finally, a `sniffer' for iClass communication
579 // Both sides of communication!
580 //=============================================================================
581
582 //-----------------------------------------------------------------------------
583 // Record the sequence of commands sent by the reader to the tag, with
584 // triggering so that we start recording at the point that the tag is moved
585 // near the reader.
586 //-----------------------------------------------------------------------------
587 void RAMFUNC SnoopIClass(void) {
588
589 // We won't start recording the frames that we acquire until we trigger;
590 // a good trigger condition to get started is probably when we see a
591 // response from the tag.
592 //int triggered = false; // false to wait first for card
593
594 // The command (reader -> tag) that we're receiving.
595 // The length of a received command will in most cases be no more than 18 bytes.
596 // So 32 should be enough!
597 #define ICLASS_BUFFER_SIZE 32
598 uint8_t readerToTagCmd[ICLASS_BUFFER_SIZE];
599 // The response (tag -> reader) that we're receiving.
600 uint8_t tagToReaderResponse[ICLASS_BUFFER_SIZE];
601
602 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
603
604 // free all BigBuf memory
605 BigBuf_free();
606 // The DMA buffer, used to stream samples from the FPGA
607 uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
608
609 set_tracing(true);
610 clear_trace();
611 iso14a_set_trigger(false);
612
613 int lastRxCounter;
614 uint8_t *upTo;
615 int smpl;
616 int maxBehindBy = 0;
617
618 // Count of samples received so far, so that we can include timing
619 // information in the trace buffer.
620 int samples = 0;
621 rsamples = 0;
622
623 // Set up the demodulator for tag -> reader responses.
624 Demod.output = tagToReaderResponse;
625 Demod.len = 0;
626 Demod.state = DEMOD_UNSYNCD;
627
628 // Setup for the DMA.
629 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_ISO14443A);
630 upTo = dmaBuf;
631 lastRxCounter = DMA_BUFFER_SIZE;
632 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
633
634 // And the reader -> tag commands
635 memset(&Uart, 0, sizeof(Uart));
636 Uart.output = readerToTagCmd;
637 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
638 Uart.state = STATE_UNSYNCD;
639
640 // And put the FPGA in the appropriate mode
641 // Signal field is off with the appropriate LED
642 LED_D_OFF();
643 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
644 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
645
646 uint32_t time_0 = GetCountSspClk();
647 uint32_t time_start = 0;
648 uint32_t time_stop = 0;
649
650 int div = 0;
651 //int div2 = 0;
652 int decbyte = 0;
653 int decbyter = 0;
654
655 // And now we loop, receiving samples.
656 for (;;) {
657 LED_A_ON();
658 WDT_HIT();
659 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) & (DMA_BUFFER_SIZE-1);
660 if (behindBy > maxBehindBy) {
661 maxBehindBy = behindBy;
662 if (behindBy > (9 * DMA_BUFFER_SIZE / 10)) {
663 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
664 goto done;
665 }
666 }
667 if (behindBy < 1) continue;
668
669 LED_A_OFF();
670 smpl = upTo[0];
671 upTo++;
672 lastRxCounter -= 1;
673 if (upTo - dmaBuf > DMA_BUFFER_SIZE) {
674 upTo -= DMA_BUFFER_SIZE;
675 lastRxCounter += DMA_BUFFER_SIZE;
676 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
677 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
678 }
679
680 //samples += 4;
681 samples += 1;
682
683 if (smpl & 0xF) {
684 decbyte ^= (1 << (3 - div));
685 }
686
687 // FOR READER SIDE COMMUMICATION...
688
689 decbyter <<= 2;
690 decbyter ^= (smpl & 0x30);
691
692 div++;
693
694 if ((div + 1) % 2 == 0) {
695 smpl = decbyter;
696 if (OutOfNDecoding((smpl & 0xF0) >> 4)) {
697 rsamples = samples - Uart.samples;
698 time_stop = (GetCountSspClk()-time_0) << 4;
699
700 //if (!LogTrace(Uart.output, Uart.byteCnt, rsamples, Uart.parityBits,true)) break;
701 //if (!LogTrace(NULL, 0, Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER, 0, true)) break;
702 uint8_t parity[MAX_PARITY_SIZE];
703 GetParity(Uart.output, Uart.byteCnt, parity);
704 LogTrace_ISO15693(Uart.output, Uart.byteCnt, time_start*32, time_stop*32, parity, true);
705
706 /* And ready to receive another command. */
707 Uart.state = STATE_UNSYNCD;
708 /* And also reset the demod code, which might have been */
709 /* false-triggered by the commands from the reader. */
710 Demod.state = DEMOD_UNSYNCD;
711 Uart.byteCnt = 0;
712 } else {
713 time_start = (GetCountSspClk()-time_0) << 4;
714 }
715 decbyter = 0;
716 }
717
718 if (div > 3) {
719 smpl = decbyte;
720 if (ManchesterDecoding(smpl & 0x0F)) {
721 time_stop = (GetCountSspClk()-time_0) << 4;
722
723 rsamples = samples - Demod.samples;
724
725 uint8_t parity[MAX_PARITY_SIZE];
726 GetParity(Demod.output, Demod.len, parity);
727 LogTrace_ISO15693(Demod.output, Demod.len, time_start*32, time_stop*32, parity, false);
728
729 // And ready to receive another response.
730 memset(&Demod, 0, sizeof(Demod));
731 Demod.output = tagToReaderResponse;
732 Demod.state = DEMOD_UNSYNCD;
733 } else {
734 time_start = (GetCountSspClk()-time_0) << 4;
735 }
736
737 div = 0;
738 decbyte = 0x00;
739 }
740
741 if (BUTTON_PRESS()) {
742 DbpString("cancelled_a");
743 goto done;
744 }
745 }
746
747 DbpString("COMMAND FINISHED");
748
749 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
750 Dbprintf("%x %x %x", Uart.byteCntMax, BigBuf_get_traceLen(), (int)Uart.output[0]);
751
752 done:
753 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
754 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
755 Dbprintf("%x %x %x", Uart.byteCntMax, BigBuf_get_traceLen(), (int)Uart.output[0]);
756 LEDsoff();
757 }
758
759 void rotateCSN(uint8_t* originalCSN, uint8_t* rotatedCSN) {
760 int i;
761 for (i = 0; i < 8; i++) {
762 rotatedCSN[i] = (originalCSN[i] >> 3) | (originalCSN[(i+1)%8] << 5);
763 }
764 }
765
766 // Encode SOF only
767 static void CodeIClassTagSOF() {
768 ToSendReset();
769 ToSend[++ToSendMax] = 0x1D;
770 ToSendMax++;
771 }
772
773 static void AppendCrc(uint8_t *data, int len) {
774 ComputeCrc14443(CRC_ICLASS, data, len, data+len, data+len+1);
775 }
776
777
778 /**
779 * @brief Does the actual simulation
780 */
781 int doIClassSimulation(int simulationMode, uint8_t *reader_mac_buf) {
782
783 // free eventually allocated BigBuf memory
784 BigBuf_free_keep_EM();
785
786 uint16_t page_size = 32 * 8;
787 uint8_t current_page = 0;
788
789 // maintain cipher states for both credit and debit key for each page
790 State cipher_state_KC[8];
791 State cipher_state_KD[8];
792 State *cipher_state = &cipher_state_KD[0];
793
794 uint8_t *emulator = BigBuf_get_EM_addr();
795 uint8_t *csn = emulator;
796
797 // CSN followed by two CRC bytes
798 uint8_t anticoll_data[10];
799 uint8_t csn_data[10];
800 memcpy(csn_data, csn, sizeof(csn_data));
801 Dbprintf("Simulating CSN %02x%02x%02x%02x%02x%02x%02x%02x", csn[0], csn[1], csn[2], csn[3], csn[4], csn[5], csn[6], csn[7]);
802
803 // Construct anticollision-CSN
804 rotateCSN(csn_data, anticoll_data);
805
806 // Compute CRC on both CSNs
807 AppendCrc(anticoll_data, 8);
808 AppendCrc(csn_data, 8);
809
810 uint8_t diversified_key_d[8] = { 0x00 };
811 uint8_t diversified_key_c[8] = { 0x00 };
812 uint8_t *diversified_key = diversified_key_d;
813
814 // configuration block
815 uint8_t conf_block[10] = {0x12, 0xFF, 0xFF, 0xFF, 0x7F, 0x1F, 0xFF, 0x3C, 0x00, 0x00};
816
817 // e-Purse
818 uint8_t card_challenge_data[8] = { 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
819
820 if (simulationMode == ICLASS_SIM_MODE_FULL) {
821 // initialize from page 0
822 memcpy(conf_block, emulator + 8 * 1, 8);
823 memcpy(card_challenge_data, emulator + 8 * 2, 8); // e-purse
824 memcpy(diversified_key_d, emulator + 8 * 3, 8); // Kd
825 memcpy(diversified_key_c, emulator + 8 * 4, 8); // Kc
826 }
827
828 AppendCrc(conf_block, 8);
829
830 // save card challenge for sim2,4 attack
831 if (reader_mac_buf != NULL) {
832 memcpy(reader_mac_buf, card_challenge_data, 8);
833 }
834
835 if (conf_block[5] & 0x80) {
836 page_size = 256 * 8;
837 }
838
839 // From PicoPass DS:
840 // When the page is in personalization mode this bit is equal to 1.
841 // Once the application issuer has personalized and coded its dedicated areas, this bit must be set to 0:
842 // the page is then "in application mode".
843 bool personalization_mode = conf_block[7] & 0x80;
844
845 // chip memory may be divided in 8 pages
846 uint8_t max_page = conf_block[4] & 0x10 ? 0 : 7;
847
848 // Precalculate the cipher states, feeding it the CC
849 cipher_state_KD[0] = opt_doTagMAC_1(card_challenge_data, diversified_key_d);
850 cipher_state_KC[0] = opt_doTagMAC_1(card_challenge_data, diversified_key_c);
851 if (simulationMode == ICLASS_SIM_MODE_FULL) {
852 for (int i = 1; i < max_page; i++) {
853 uint8_t *epurse = emulator + i*page_size + 8*2;
854 uint8_t *Kd = emulator + i*page_size + 8*3;
855 uint8_t *Kc = emulator + i*page_size + 8*4;
856 cipher_state_KD[i] = opt_doTagMAC_1(epurse, Kd);
857 cipher_state_KC[i] = opt_doTagMAC_1(epurse, Kc);
858 }
859 }
860
861 int exitLoop = 0;
862 // Reader 0a
863 // Tag 0f
864 // Reader 0c
865 // Tag anticoll. CSN
866 // Reader 81 anticoll. CSN
867 // Tag CSN
868
869 uint8_t *modulated_response;
870 int modulated_response_size = 0;
871 uint8_t *trace_data = NULL;
872 int trace_data_size = 0;
873
874 // Respond SOF -- takes 1 bytes
875 uint8_t *resp_sof = BigBuf_malloc(1);
876 int resp_sof_Len;
877
878 // Anticollision CSN (rotated CSN)
879 // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte)
880 uint8_t *resp_anticoll = BigBuf_malloc(22);
881 int resp_anticoll_len;
882
883 // CSN (block 0)
884 // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte)
885 uint8_t *resp_csn = BigBuf_malloc(22);
886 int resp_csn_len;
887
888 // configuration (block 1) picopass 2ks
889 uint8_t *resp_conf = BigBuf_malloc(22);
890 int resp_conf_len;
891
892 // e-Purse (block 2)
893 // 18: Takes 2 bytes for SOF/EOF and 8 * 2 = 16 bytes (2 bytes/bit)
894 uint8_t *resp_cc = BigBuf_malloc(18);
895 int resp_cc_len;
896
897 // Kd, Kc (blocks 3 and 4). Cannot be read. Always respond with 0xff bytes only
898 uint8_t *resp_ff = BigBuf_malloc(22);
899 int resp_ff_len;
900 uint8_t ff_data[10] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00};
901 AppendCrc(ff_data, 8);
902
903 // Application Issuer Area (block 5)
904 uint8_t *resp_aia = BigBuf_malloc(22);
905 int resp_aia_len;
906 uint8_t aia_data[10] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00};
907 AppendCrc(aia_data, 8);
908
909 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
910 int len;
911
912 // Prepare card messages
913
914 // First card answer: SOF only
915 CodeIClassTagSOF();
916 memcpy(resp_sof, ToSend, ToSendMax);
917 resp_sof_Len = ToSendMax;
918
919 // Anticollision CSN
920 CodeIso15693AsTag(anticoll_data, sizeof(anticoll_data));
921 memcpy(resp_anticoll, ToSend, ToSendMax);
922 resp_anticoll_len = ToSendMax;
923
924 // CSN (block 0)
925 CodeIso15693AsTag(csn_data, sizeof(csn_data));
926 memcpy(resp_csn, ToSend, ToSendMax);
927 resp_csn_len = ToSendMax;
928
929 // Configuration (block 1)
930 CodeIso15693AsTag(conf_block, sizeof(conf_block));
931 memcpy(resp_conf, ToSend, ToSendMax);
932 resp_conf_len = ToSendMax;
933
934 // e-Purse (block 2)
935 CodeIso15693AsTag(card_challenge_data, sizeof(card_challenge_data));
936 memcpy(resp_cc, ToSend, ToSendMax);
937 resp_cc_len = ToSendMax;
938
939 // Kd, Kc (blocks 3 and 4)
940 CodeIso15693AsTag(ff_data, sizeof(ff_data));
941 memcpy(resp_ff, ToSend, ToSendMax);
942 resp_ff_len = ToSendMax;
943
944 // Application Issuer Area (block 5)
945 CodeIso15693AsTag(aia_data, sizeof(aia_data));
946 memcpy(resp_aia, ToSend, ToSendMax);
947 resp_aia_len = ToSendMax;
948
949 //This is used for responding to READ-block commands or other data which is dynamically generated
950 uint8_t *data_generic_trace = BigBuf_malloc(32 + 2); // 32 bytes data + 2byte CRC is max tag answer
951 uint8_t *data_response = BigBuf_malloc( (32 + 2) * 2 + 2);
952
953 bool buttonPressed = false;
954 enum { IDLE, ACTIVATED, SELECTED, HALTED } chip_state = IDLE;
955
956 while (!exitLoop) {
957 WDT_HIT();
958
959 uint32_t reader_eof_time = 0;
960 len = GetIso15693CommandFromReader(receivedCmd, MAX_FRAME_SIZE, &reader_eof_time);
961 if (len < 0) {
962 buttonPressed = true;
963 break;
964 }
965
966 // Now look at the reader command and provide appropriate responses
967 // default is no response:
968 modulated_response = NULL;
969 modulated_response_size = 0;
970 trace_data = NULL;
971 trace_data_size = 0;
972
973 if (receivedCmd[0] == ICLASS_CMD_ACTALL && len == 1) {
974 // Reader in anticollision phase
975 if (chip_state != HALTED) {
976 modulated_response = resp_sof;
977 modulated_response_size = resp_sof_Len;
978 chip_state = ACTIVATED;
979 }
980
981 } else if (receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 1) { // identify
982 // Reader asks for anticollision CSN
983 if (chip_state == SELECTED || chip_state == ACTIVATED) {
984 modulated_response = resp_anticoll;
985 modulated_response_size = resp_anticoll_len;
986 trace_data = anticoll_data;
987 trace_data_size = sizeof(anticoll_data);
988 }
989
990 } else if (receivedCmd[0] == ICLASS_CMD_SELECT && len == 9) {
991 // Reader selects anticollision CSN.
992 // Tag sends the corresponding real CSN
993 if (chip_state == ACTIVATED || chip_state == SELECTED) {
994 if (!memcmp(receivedCmd+1, anticoll_data, 8)) {
995 modulated_response = resp_csn;
996 modulated_response_size = resp_csn_len;
997 trace_data = csn_data;
998 trace_data_size = sizeof(csn_data);
999 chip_state = SELECTED;
1000 } else {
1001 chip_state = IDLE;
1002 }
1003 } else if (chip_state == HALTED) {
1004 // RESELECT with CSN
1005 if (!memcmp(receivedCmd+1, csn_data, 8)) {
1006 modulated_response = resp_csn;
1007 modulated_response_size = resp_csn_len;
1008 trace_data = csn_data;
1009 trace_data_size = sizeof(csn_data);
1010 chip_state = SELECTED;
1011 }
1012 }
1013
1014 } else if (receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4) { // read block
1015 uint16_t blockNo = receivedCmd[1];
1016 if (chip_state == SELECTED) {
1017 if (simulationMode == ICLASS_SIM_MODE_EXIT_AFTER_MAC) {
1018 // provide defaults for blocks 0 ... 5
1019 switch (blockNo) {
1020 case 0: // csn (block 00)
1021 modulated_response = resp_csn;
1022 modulated_response_size = resp_csn_len;
1023 trace_data = csn_data;
1024 trace_data_size = sizeof(csn_data);
1025 break;
1026 case 1: // configuration (block 01)
1027 modulated_response = resp_conf;
1028 modulated_response_size = resp_conf_len;
1029 trace_data = conf_block;
1030 trace_data_size = sizeof(conf_block);
1031 break;
1032 case 2: // e-purse (block 02)
1033 modulated_response = resp_cc;
1034 modulated_response_size = resp_cc_len;
1035 trace_data = card_challenge_data;
1036 trace_data_size = sizeof(card_challenge_data);
1037 // set epurse of sim2,4 attack
1038 if (reader_mac_buf != NULL) {
1039 memcpy(reader_mac_buf, card_challenge_data, 8);
1040 }
1041 break;
1042 case 3:
1043 case 4: // Kd, Kc, always respond with 0xff bytes
1044 modulated_response = resp_ff;
1045 modulated_response_size = resp_ff_len;
1046 trace_data = ff_data;
1047 trace_data_size = sizeof(ff_data);
1048 break;
1049 case 5: // Application Issuer Area (block 05)
1050 modulated_response = resp_aia;
1051 modulated_response_size = resp_aia_len;
1052 trace_data = aia_data;
1053 trace_data_size = sizeof(aia_data);
1054 break;
1055 // default: don't respond
1056 }
1057 } else if (simulationMode == ICLASS_SIM_MODE_FULL) {
1058 if (blockNo == 3 || blockNo == 4) { // Kd, Kc, always respond with 0xff bytes
1059 modulated_response = resp_ff;
1060 modulated_response_size = resp_ff_len;
1061 trace_data = ff_data;
1062 trace_data_size = sizeof(ff_data);
1063 } else { // use data from emulator memory
1064 memcpy(data_generic_trace, emulator + current_page*page_size + 8*blockNo, 8);
1065 AppendCrc(data_generic_trace, 8);
1066 trace_data = data_generic_trace;
1067 trace_data_size = 10;
1068 CodeIso15693AsTag(trace_data, trace_data_size);
1069 memcpy(data_response, ToSend, ToSendMax);
1070 modulated_response = data_response;
1071 modulated_response_size = ToSendMax;
1072 }
1073 }
1074 }
1075
1076 } else if ((receivedCmd[0] == ICLASS_CMD_READCHECK_KD
1077 || receivedCmd[0] == ICLASS_CMD_READCHECK_KC) && receivedCmd[1] == 0x02 && len == 2) {
1078 // Read e-purse (88 02 || 18 02)
1079 if (chip_state == SELECTED) {
1080 if(receivedCmd[0] == ICLASS_CMD_READCHECK_KD){
1081 cipher_state = &cipher_state_KD[current_page];
1082 diversified_key = diversified_key_d;
1083 } else {
1084 cipher_state = &cipher_state_KC[current_page];
1085 diversified_key = diversified_key_c;
1086 }
1087 modulated_response = resp_cc;
1088 modulated_response_size = resp_cc_len;
1089 trace_data = card_challenge_data;
1090 trace_data_size = sizeof(card_challenge_data);
1091 }
1092
1093 } else if ((receivedCmd[0] == ICLASS_CMD_CHECK_KC
1094 || receivedCmd[0] == ICLASS_CMD_CHECK_KD) && len == 9) {
1095 // Reader random and reader MAC!!!
1096 if (chip_state == SELECTED) {
1097 if (simulationMode == ICLASS_SIM_MODE_FULL) {
1098 //NR, from reader, is in receivedCmd+1
1099 opt_doTagMAC_2(*cipher_state, receivedCmd+1, data_generic_trace, diversified_key);
1100 trace_data = data_generic_trace;
1101 trace_data_size = 4;
1102 CodeIso15693AsTag(trace_data, trace_data_size);
1103 memcpy(data_response, ToSend, ToSendMax);
1104 modulated_response = data_response;
1105 modulated_response_size = ToSendMax;
1106 //exitLoop = true;
1107 } else { // Not fullsim, we don't respond
1108 // We do not know what to answer, so lets keep quiet
1109 if (simulationMode == ICLASS_SIM_MODE_EXIT_AFTER_MAC) {
1110 if (reader_mac_buf != NULL) {
1111 // save NR and MAC for sim 2,4
1112 memcpy(reader_mac_buf + 8, receivedCmd + 1, 8);
1113 }
1114 exitLoop = true;
1115 }
1116 }
1117 }
1118
1119 } else if (receivedCmd[0] == ICLASS_CMD_HALT && len == 1) {
1120 if (chip_state == SELECTED) {
1121 // Reader ends the session
1122 modulated_response = resp_sof;
1123 modulated_response_size = resp_sof_Len;
1124 chip_state = HALTED;
1125 }
1126
1127 } else if (simulationMode == ICLASS_SIM_MODE_FULL && receivedCmd[0] == ICLASS_CMD_READ4 && len == 4) { // 0x06
1128 //Read 4 blocks
1129 if (chip_state == SELECTED) {
1130 uint8_t blockNo = receivedCmd[1];
1131 memcpy(data_generic_trace, emulator + current_page*page_size + blockNo*8, 8 * 4);
1132 AppendCrc(data_generic_trace, 8 * 4);
1133 trace_data = data_generic_trace;
1134 trace_data_size = 8 * 4 + 2;
1135 CodeIso15693AsTag(trace_data, trace_data_size);
1136 memcpy(data_response, ToSend, ToSendMax);
1137 modulated_response = data_response;
1138 modulated_response_size = ToSendMax;
1139 }
1140
1141 } else if (receivedCmd[0] == ICLASS_CMD_UPDATE && (len == 12 || len == 14)) {
1142 // We're expected to respond with the data+crc, exactly what's already in the receivedCmd
1143 // receivedCmd is now UPDATE 1b | ADDRESS 1b | DATA 8b | Signature 4b or CRC 2b
1144 if (chip_state == SELECTED) {
1145 uint8_t blockNo = receivedCmd[1];
1146 if (blockNo == 2) { // update e-purse
1147 memcpy(card_challenge_data, receivedCmd+2, 8);
1148 CodeIso15693AsTag(card_challenge_data, sizeof(card_challenge_data));
1149 memcpy(resp_cc, ToSend, ToSendMax);
1150 resp_cc_len = ToSendMax;
1151 cipher_state_KD[current_page] = opt_doTagMAC_1(card_challenge_data, diversified_key_d);
1152 cipher_state_KC[current_page] = opt_doTagMAC_1(card_challenge_data, diversified_key_c);
1153 if (simulationMode == ICLASS_SIM_MODE_FULL) {
1154 memcpy(emulator + current_page*page_size + 8*2, card_challenge_data, 8);
1155 }
1156 } else if (blockNo == 3) { // update Kd
1157 for (int i = 0; i < 8; i++) {
1158 if (personalization_mode) {
1159 diversified_key_d[i] = receivedCmd[2 + i];
1160 } else {
1161 diversified_key_d[i] ^= receivedCmd[2 + i];
1162 }
1163 }
1164 cipher_state_KD[current_page] = opt_doTagMAC_1(card_challenge_data, diversified_key_d);
1165 if (simulationMode == ICLASS_SIM_MODE_FULL) {
1166 memcpy(emulator + current_page*page_size + 8*3, diversified_key_d, 8);
1167 }
1168 } else if (blockNo == 4) { // update Kc
1169 for (int i = 0; i < 8; i++) {
1170 if (personalization_mode) {
1171 diversified_key_c[i] = receivedCmd[2 + i];
1172 } else {
1173 diversified_key_c[i] ^= receivedCmd[2 + i];
1174 }
1175 }
1176 cipher_state_KC[current_page] = opt_doTagMAC_1(card_challenge_data, diversified_key_c);
1177 if (simulationMode == ICLASS_SIM_MODE_FULL) {
1178 memcpy(emulator + current_page*page_size + 8*4, diversified_key_c, 8);
1179 }
1180 } else if (simulationMode == ICLASS_SIM_MODE_FULL) { // update any other data block
1181 memcpy(emulator + current_page*page_size + 8*blockNo, receivedCmd+2, 8);
1182 }
1183 memcpy(data_generic_trace, receivedCmd + 2, 8);
1184 AppendCrc(data_generic_trace, 8);
1185 trace_data = data_generic_trace;
1186 trace_data_size = 10;
1187 CodeIso15693AsTag(trace_data, trace_data_size);
1188 memcpy(data_response, ToSend, ToSendMax);
1189 modulated_response = data_response;
1190 modulated_response_size = ToSendMax;
1191 }
1192
1193 } else if (receivedCmd[0] == ICLASS_CMD_PAGESEL && len == 4) {
1194 // Pagesel
1195 // Chips with a single page will not answer to this command
1196 // Otherwise, we should answer 8bytes (conf block 1) + 2bytes CRC
1197 if (chip_state == SELECTED) {
1198 if (simulationMode == ICLASS_SIM_MODE_FULL && max_page > 0) {
1199 current_page = receivedCmd[1];
1200 memcpy(data_generic_trace, emulator + current_page*page_size + 8*1, 8);
1201 memcpy(diversified_key_d, emulator + current_page*page_size + 8*3, 8);
1202 memcpy(diversified_key_c, emulator + current_page*page_size + 8*4, 8);
1203 cipher_state = &cipher_state_KD[current_page];
1204 personalization_mode = data_generic_trace[7] & 0x80;
1205 AppendCrc(data_generic_trace, 8);
1206 trace_data = data_generic_trace;
1207 trace_data_size = 10;
1208 CodeIso15693AsTag(trace_data, trace_data_size);
1209 memcpy(data_response, ToSend, ToSendMax);
1210 modulated_response = data_response;
1211 modulated_response_size = ToSendMax;
1212 }
1213 }
1214
1215 } else if (receivedCmd[0] == 0x26 && len == 5) {
1216 // standard ISO15693 INVENTORY command. Ignore.
1217
1218 } else {
1219 // don't know how to handle this command
1220 char debug_message[250]; // should be enough
1221 sprintf(debug_message, "Unhandled command (len = %d) received from reader:", len);
1222 for (int i = 0; i < len && strlen(debug_message) < sizeof(debug_message) - 3 - 1; i++) {
1223 sprintf(debug_message + strlen(debug_message), " %02x", receivedCmd[i]);
1224 }
1225 Dbprintf("%s", debug_message);
1226 // Do not respond
1227 }
1228
1229 /**
1230 A legit tag has about 273,4us delay between reader EOT and tag SOF.
1231 **/
1232 if (modulated_response_size > 0) {
1233 uint32_t response_time = reader_eof_time + DELAY_ICLASS_VCD_TO_VICC_SIM;
1234 TransmitTo15693Reader(modulated_response, modulated_response_size, &response_time, 0, false);
1235 LogTrace_ISO15693(trace_data, trace_data_size, response_time*32, response_time*32 + modulated_response_size/2, NULL, false);
1236 }
1237
1238 }
1239
1240 if (buttonPressed)
1241 {
1242 DbpString("Button pressed");
1243 }
1244 return buttonPressed;
1245 }
1246
1247 /**
1248 * @brief SimulateIClass simulates an iClass card.
1249 * @param arg0 type of simulation
1250 * - 0 uses the first 8 bytes in usb data as CSN
1251 * - 2 "dismantling iclass"-attack. This mode iterates through all CSN's specified
1252 * in the usb data. This mode collects MAC from the reader, in order to do an offline
1253 * attack on the keys. For more info, see "dismantling iclass" and proxclone.com.
1254 * - Other : Uses the default CSN (031fec8af7ff12e0)
1255 * @param arg1 - number of CSN's contained in datain (applicable for mode 2 only)
1256 * @param arg2
1257 * @param datain
1258 */
1259 void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) {
1260
1261 LED_A_ON();
1262
1263 uint32_t simType = arg0;
1264 uint32_t numberOfCSNS = arg1;
1265
1266 // setup hardware for simulation:
1267 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1268 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1269 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
1270 LED_D_OFF();
1271 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR);
1272 StartCountSspClk();
1273
1274 // Enable and clear the trace
1275 set_tracing(true);
1276 clear_trace();
1277 //Use the emulator memory for SIM
1278 uint8_t *emulator = BigBuf_get_EM_addr();
1279
1280 if (simType == ICLASS_SIM_MODE_CSN) {
1281 // Use the CSN from commandline
1282 memcpy(emulator, datain, 8);
1283 doIClassSimulation(ICLASS_SIM_MODE_CSN, NULL);
1284 } else if (simType == ICLASS_SIM_MODE_CSN_DEFAULT) {
1285 //Default CSN
1286 uint8_t csn_crc[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
1287 // Use the CSN from commandline
1288 memcpy(emulator, csn_crc, 8);
1289 doIClassSimulation(ICLASS_SIM_MODE_CSN, NULL);
1290 } else if (simType == ICLASS_SIM_MODE_READER_ATTACK) {
1291 uint8_t mac_responses[USB_CMD_DATA_SIZE] = { 0 };
1292 Dbprintf("Going into attack mode, %d CSNS sent", numberOfCSNS);
1293 // In this mode, a number of csns are within datain. We'll simulate each one, one at a time
1294 // in order to collect MAC's from the reader. This can later be used in an offline-attack
1295 // in order to obtain the keys, as in the "dismantling iclass"-paper.
1296 int i;
1297 for (i = 0; i < numberOfCSNS && i*16+16 <= USB_CMD_DATA_SIZE; i++) {
1298 // The usb data is 512 bytes, fitting 32 responses (8 byte CC + 4 Byte NR + 4 Byte MAC = 16 Byte response).
1299 memcpy(emulator, datain+(i*8), 8);
1300 if (doIClassSimulation(ICLASS_SIM_MODE_EXIT_AFTER_MAC, mac_responses+i*16)) {
1301 // Button pressed
1302 break;
1303 }
1304 Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1305 datain[i*8+0], datain[i*8+1], datain[i*8+2], datain[i*8+3],
1306 datain[i*8+4], datain[i*8+5], datain[i*8+6], datain[i*8+7]);
1307 Dbprintf("NR,MAC: %02x %02x %02x %02x %02x %02x %02x %02x",
1308 mac_responses[i*16+ 8], mac_responses[i*16+ 9], mac_responses[i*16+10], mac_responses[i*16+11],
1309 mac_responses[i*16+12], mac_responses[i*16+13], mac_responses[i*16+14], mac_responses[i*16+15]);
1310 SpinDelay(100); // give the reader some time to prepare for next CSN
1311 }
1312 cmd_send(CMD_ACK, CMD_SIMULATE_TAG_ICLASS, i, 0, mac_responses, i*16);
1313 } else if (simType == ICLASS_SIM_MODE_FULL) {
1314 //This is 'full sim' mode, where we use the emulator storage for data.
1315 doIClassSimulation(ICLASS_SIM_MODE_FULL, NULL);
1316 } else {
1317 // We may want a mode here where we hardcode the csns to use (from proxclone).
1318 // That will speed things up a little, but not required just yet.
1319 Dbprintf("The mode is not implemented, reserved for future use");
1320 }
1321
1322 Dbprintf("Done...");
1323
1324 LED_A_OFF();
1325 }
1326
1327
1328 /// THE READER CODE
1329
1330 static void ReaderTransmitIClass(uint8_t *frame, int len, uint32_t *start_time) {
1331
1332 CodeIso15693AsReader(frame, len);
1333
1334 TransmitTo15693Tag(ToSend, ToSendMax, start_time);
1335
1336 uint32_t end_time = *start_time + 32*(8*ToSendMax-4); // substract the 4 padding bits after EOF
1337 LogTrace_ISO15693(frame, len, *start_time*4, end_time*4, NULL, true);
1338 }
1339
1340
1341 static bool sendCmdGetResponseWithRetries(uint8_t* command, size_t cmdsize, uint8_t* resp, size_t max_resp_size,
1342 uint8_t expected_size, uint8_t retries, uint32_t start_time, uint32_t timeout, uint32_t *eof_time) {
1343 while (retries-- > 0) {
1344 ReaderTransmitIClass(command, cmdsize, &start_time);
1345 if (expected_size == GetIso15693AnswerFromTag(resp, max_resp_size, timeout, eof_time)) {
1346 return true;
1347 }
1348 }
1349 return false;//Error
1350 }
1351
1352 /**
1353 * @brief Selects an iclass tag
1354 * @param card_data where the CSN is stored for return
1355 * @return false = fail
1356 * true = success
1357 */
1358 static bool selectIclassTag(uint8_t *card_data, uint32_t *eof_time) {
1359 uint8_t act_all[] = { 0x0a };
1360 uint8_t identify[] = { 0x0c };
1361 uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1362
1363 uint8_t resp[ICLASS_BUFFER_SIZE];
1364
1365 uint32_t start_time = GetCountSspClk();
1366
1367 // Send act_all
1368 ReaderTransmitIClass(act_all, 1, &start_time);
1369 // Card present?
1370 if (GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_ACTALL, eof_time) < 0) return false;//Fail
1371
1372 //Send Identify
1373 start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
1374 ReaderTransmitIClass(identify, 1, &start_time);
1375 //We expect a 10-byte response here, 8 byte anticollision-CSN and 2 byte CRC
1376 uint8_t len = GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_OTHERS, eof_time);
1377 if (len != 10) return false;//Fail
1378
1379 //Copy the Anti-collision CSN to our select-packet
1380 memcpy(&select[1], resp, 8);
1381 //Select the card
1382 start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
1383 ReaderTransmitIClass(select, sizeof(select), &start_time);
1384 //We expect a 10-byte response here, 8 byte CSN and 2 byte CRC
1385 len = GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_OTHERS, eof_time);
1386 if (len != 10) return false;//Fail
1387
1388 //Success - we got CSN
1389 //Save CSN in response data
1390 memcpy(card_data, resp, 8);
1391
1392 return true;
1393 }
1394
1395
1396 // Select an iClass tag and read all blocks which are always readable without authentication
1397 void ReaderIClass(uint8_t flags) {
1398
1399 LED_A_ON();
1400
1401 uint8_t card_data[6 * 8] = {0};
1402 memset(card_data, 0xFF, sizeof(card_data));
1403 uint8_t resp[ICLASS_BUFFER_SIZE];
1404 //Read conf block CRC(0x01) => 0xfa 0x22
1405 uint8_t readConf[] = {ICLASS_CMD_READ_OR_IDENTIFY, 0x01, 0xfa, 0x22};
1406 //Read e-purse block CRC(0x02) => 0x61 0x10
1407 uint8_t readEpurse[] = {ICLASS_CMD_READ_OR_IDENTIFY, 0x02, 0x61, 0x10};
1408 //Read App Issuer Area block CRC(0x05) => 0xde 0x64
1409 uint8_t readAA[] = {ICLASS_CMD_READ_OR_IDENTIFY, 0x05, 0xde, 0x64};
1410
1411 uint8_t result_status = 0;
1412
1413 if (flags & FLAG_ICLASS_READER_INIT) {
1414 Iso15693InitReader();
1415 }
1416
1417 if (flags & FLAG_ICLASS_READER_CLEARTRACE) {
1418 set_tracing(true);
1419 clear_trace();
1420 StartCountSspClk();
1421 }
1422
1423 uint32_t start_time = 0;
1424 uint32_t eof_time = 0;
1425
1426 if (selectIclassTag(resp, &eof_time)) {
1427 result_status = FLAG_ICLASS_READER_CSN;
1428 memcpy(card_data, resp, 8);
1429 }
1430
1431 start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
1432
1433 //Read block 1, config
1434 if (flags & FLAG_ICLASS_READER_CONF) {
1435 if (sendCmdGetResponseWithRetries(readConf, sizeof(readConf), resp, sizeof(resp), 10, 10, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time)) {
1436 result_status |= FLAG_ICLASS_READER_CONF;
1437 memcpy(card_data+8, resp, 8);
1438 } else {
1439 Dbprintf("Failed to read config block");
1440 }
1441 start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
1442 }
1443
1444 //Read block 2, e-purse
1445 if (flags & FLAG_ICLASS_READER_CC) {
1446 if (sendCmdGetResponseWithRetries(readEpurse, sizeof(readEpurse), resp, sizeof(resp), 10, 10, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time)) {
1447 result_status |= FLAG_ICLASS_READER_CC;
1448 memcpy(card_data + (8*2), resp, 8);
1449 } else {
1450 Dbprintf("Failed to read e-purse");
1451 }
1452 start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
1453 }
1454
1455 //Read block 5, AA
1456 if (flags & FLAG_ICLASS_READER_AA) {
1457 if (sendCmdGetResponseWithRetries(readAA, sizeof(readAA), resp, sizeof(resp), 10, 10, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time)) {
1458 result_status |= FLAG_ICLASS_READER_AA;
1459 memcpy(card_data + (8*5), resp, 8);
1460 } else {
1461 Dbprintf("Failed to read AA block");
1462 }
1463 }
1464
1465 cmd_send(CMD_ACK, result_status, 0, 0, card_data, sizeof(card_data));
1466
1467 LED_A_OFF();
1468 }
1469
1470
1471 void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
1472
1473 LED_A_ON();
1474
1475 bool use_credit_key = false;
1476 uint8_t card_data[USB_CMD_DATA_SIZE]={0};
1477 uint16_t block_crc_LUT[255] = {0};
1478
1479 //Generate a lookup table for block crc
1480 for (int block = 0; block < 255; block++){
1481 char bl = block;
1482 block_crc_LUT[block] = iclass_crc16(&bl ,1);
1483 }
1484 //Dbprintf("Lookup table: %02x %02x %02x" ,block_crc_LUT[0],block_crc_LUT[1],block_crc_LUT[2]);
1485
1486 uint8_t readcheck_cc[] = { ICLASS_CMD_READCHECK_KD, 0x02 };
1487 if (use_credit_key)
1488 readcheck_cc[0] = ICLASS_CMD_READCHECK_KC;
1489 uint8_t check[] = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1490 uint8_t read[] = { 0x0c, 0x00, 0x00, 0x00 };
1491
1492 uint16_t crc = 0;
1493 uint8_t cardsize = 0;
1494 uint8_t mem = 0;
1495
1496 static struct memory_t {
1497 int k16;
1498 int book;
1499 int k2;
1500 int lockauth;
1501 int keyaccess;
1502 } memory;
1503
1504 uint8_t resp[ICLASS_BUFFER_SIZE];
1505
1506 set_tracing(true);
1507 clear_trace();
1508 Iso15693InitReader();
1509
1510 StartCountSspClk();
1511 uint32_t start_time = 0;
1512 uint32_t eof_time = 0;
1513
1514 while (!BUTTON_PRESS()) {
1515
1516 WDT_HIT();
1517
1518 if (!get_tracing()) {
1519 DbpString("Trace full");
1520 break;
1521 }
1522
1523 if (!selectIclassTag(card_data, &eof_time)) continue;
1524
1525 start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
1526 if (!sendCmdGetResponseWithRetries(readcheck_cc, sizeof(readcheck_cc), resp, sizeof(resp), 8, 3, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time)) continue;
1527
1528 // replay captured auth (cc must not have been updated)
1529 memcpy(check+5, MAC, 4);
1530
1531 start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
1532 if (!sendCmdGetResponseWithRetries(check, sizeof(check), resp, sizeof(resp), 4, 5, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time)) {
1533 Dbprintf("Error: Authentication Fail!");
1534 continue;
1535 }
1536
1537 //first get configuration block (block 1)
1538 crc = block_crc_LUT[1];
1539 read[1] = 1;
1540 read[2] = crc >> 8;
1541 read[3] = crc & 0xff;
1542
1543 start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
1544 if (!sendCmdGetResponseWithRetries(read, sizeof(read), resp, sizeof(resp), 10, 10, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time)) {
1545 start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
1546 Dbprintf("Dump config (block 1) failed");
1547 continue;
1548 }
1549
1550 mem = resp[5];
1551 memory.k16 = (mem & 0x80);
1552 memory.book = (mem & 0x20);
1553 memory.k2 = (mem & 0x8);
1554 memory.lockauth = (mem & 0x2);
1555 memory.keyaccess = (mem & 0x1);
1556
1557 cardsize = memory.k16 ? 255 : 32;
1558 WDT_HIT();
1559 //Set card_data to all zeroes, we'll fill it with data
1560 memset(card_data, 0x0, USB_CMD_DATA_SIZE);
1561 uint8_t failedRead = 0;
1562 uint32_t stored_data_length = 0;
1563 //then loop around remaining blocks
1564 for (int block = 0; block < cardsize; block++) {
1565 read[1] = block;
1566 crc = block_crc_LUT[block];
1567 read[2] = crc >> 8;
1568 read[3] = crc & 0xff;
1569
1570 start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
1571 if (sendCmdGetResponseWithRetries(read, sizeof(read), resp, sizeof(resp), 10, 10, start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time)) {
1572 Dbprintf(" %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
1573 block, resp[0], resp[1], resp[2],
1574 resp[3], resp[4], resp[5],
1575 resp[6], resp[7]);
1576
1577 //Fill up the buffer
1578 memcpy(card_data+stored_data_length, resp, 8);
1579 stored_data_length += 8;
1580 if (stored_data_length +8 > USB_CMD_DATA_SIZE) {
1581 //Time to send this off and start afresh
1582 cmd_send(CMD_ACK,
1583 stored_data_length,//data length
1584 failedRead,//Failed blocks?
1585 0,//Not used ATM
1586 card_data, stored_data_length);
1587 //reset
1588 stored_data_length = 0;
1589 failedRead = 0;
1590 }
1591
1592 } else {
1593 failedRead = 1;
1594 stored_data_length += 8;//Otherwise, data becomes misaligned
1595 Dbprintf("Failed to dump block %d", block);
1596 }
1597 }
1598
1599 //Send off any remaining data
1600 if (stored_data_length > 0) {
1601 cmd_send(CMD_ACK,
1602 stored_data_length,//data length
1603 failedRead,//Failed blocks?
1604 0,//Not used ATM
1605 card_data,
1606 stored_data_length);
1607 }
1608 //If we got here, let's break
1609 break;
1610 }
1611 //Signal end of transmission
1612 cmd_send(CMD_ACK,
1613 0,//data length
1614 0,//Failed blocks?
1615 0,//Not used ATM
1616 card_data,
1617 0);
1618
1619 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1620 LED_D_OFF();
1621 LED_A_OFF();
1622 }
1623
1624
1625 void iClass_Check(uint8_t *MAC) {
1626 uint8_t check[9] = {ICLASS_CMD_CHECK_KD, 0x00};
1627 uint8_t resp[4];
1628 memcpy(check+5, MAC, 4);
1629 uint32_t eof_time;
1630 bool isOK = sendCmdGetResponseWithRetries(check, sizeof(check), resp, sizeof(resp), 4, 6, 0, ICLASS_READER_TIMEOUT_OTHERS, &eof_time);
1631 cmd_send(CMD_ACK, isOK, 0, 0, resp, sizeof(resp));
1632 }
1633
1634
1635 void iClass_Readcheck(uint8_t block, bool use_credit_key) {
1636 uint8_t readcheck[2] = {ICLASS_CMD_READCHECK_KD, block};
1637 if (use_credit_key) {
1638 readcheck[0] = ICLASS_CMD_READCHECK_KC;
1639 }
1640 uint8_t resp[8];
1641 uint32_t eof_time;
1642 bool isOK = sendCmdGetResponseWithRetries(readcheck, sizeof(readcheck), resp, sizeof(resp), 8, 6, 0, ICLASS_READER_TIMEOUT_OTHERS, &eof_time);
1643 cmd_send(CMD_ACK, isOK, 0, 0, resp, sizeof(resp));
1644 }
1645
1646
1647 static bool iClass_ReadBlock(uint8_t blockNo, uint8_t *readdata) {
1648 uint8_t readcmd[] = {ICLASS_CMD_READ_OR_IDENTIFY, blockNo, 0x00, 0x00}; //0x88, 0x00 // can i use 0C?
1649 char bl = blockNo;
1650 uint16_t rdCrc = iclass_crc16(&bl, 1);
1651 readcmd[2] = rdCrc >> 8;
1652 readcmd[3] = rdCrc & 0xff;
1653 uint8_t resp[10];
1654 uint32_t eof_time;
1655
1656 bool isOK = sendCmdGetResponseWithRetries(readcmd, sizeof(readcmd), resp, sizeof(resp), 10, 10, 0, ICLASS_READER_TIMEOUT_OTHERS, &eof_time);
1657 memcpy(readdata, resp, sizeof(resp));
1658
1659 return isOK;
1660 }
1661
1662
1663 void iClass_ReadBlk(uint8_t blockno) {
1664
1665 LED_A_ON();
1666
1667 uint8_t readblockdata[] = {0,0,0,0,0,0,0,0,0,0};
1668 bool isOK = iClass_ReadBlock(blockno, readblockdata);
1669 cmd_send(CMD_ACK, isOK, 0, 0, readblockdata, 8);
1670 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1671 LED_D_OFF();
1672
1673 LED_A_OFF();
1674 }
1675
1676
1677 void iClass_Dump(uint8_t startblock, uint8_t numblks) {
1678
1679 LED_A_ON();
1680
1681 uint8_t readblockdata[USB_CMD_DATA_SIZE+2] = {0};
1682 bool isOK = false;
1683 uint16_t blkCnt = 0;
1684
1685 if (numblks > USB_CMD_DATA_SIZE / 8) {
1686 numblks = USB_CMD_DATA_SIZE / 8;
1687 }
1688
1689 for (blkCnt = 0; blkCnt < numblks; blkCnt++) {
1690 isOK = iClass_ReadBlock(startblock+blkCnt, readblockdata+8*blkCnt);
1691 if (!isOK) {
1692 Dbprintf("Block %02X failed to read", startblock+blkCnt);
1693 break;
1694 }
1695 }
1696
1697 cmd_send(CMD_ACK, isOK, blkCnt, 0, readblockdata, blkCnt*8);
1698
1699 LED_A_OFF();
1700 }
1701
1702
1703 static bool iClass_WriteBlock_ext(uint8_t blockNo, uint8_t *data) {
1704
1705 uint8_t write[16] = {ICLASS_CMD_UPDATE, blockNo};
1706 memcpy(write+2, data, 12); // data + mac
1707 AppendCrc(write+1, 13);
1708 uint8_t resp[10];
1709 bool isOK = false;
1710 uint32_t eof_time = 0;
1711
1712 isOK = sendCmdGetResponseWithRetries(write, sizeof(write), resp, sizeof(resp), 10, 10, 0, ICLASS_READER_TIMEOUT_UPDATE, &eof_time);
1713 if (isOK && blockNo != 3 && blockNo != 4 && memcmp(write+2, resp, 8)) { // check response
1714 isOK = false;
1715 }
1716
1717 return isOK;
1718 }
1719
1720
1721 void iClass_WriteBlock(uint8_t blockNo, uint8_t *data) {
1722
1723 LED_A_ON();
1724
1725 bool isOK = iClass_WriteBlock_ext(blockNo, data);
1726 if (isOK) {
1727 Dbprintf("Write block [%02x] successful", blockNo);
1728 } else {
1729 Dbprintf("Write block [%02x] failed", blockNo);
1730 }
1731 cmd_send(CMD_ACK, isOK, 0, 0, 0, 0);
1732
1733 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1734 LED_D_OFF();
1735
1736 LED_A_OFF();
1737 }
1738
1739
1740 void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data) {
1741 int i;
1742 int written = 0;
1743 int total_block = (endblock - startblock) + 1;
1744 for (i = 0; i < total_block; i++) {
1745 // block number
1746 if (iClass_WriteBlock_ext(i+startblock, data + (i*12))){
1747 Dbprintf("Write block [%02x] successful", i + startblock);
1748 written++;
1749 } else {
1750 if (iClass_WriteBlock_ext(i+startblock, data + (i*12))){
1751 Dbprintf("Write block [%02x] successful", i + startblock);
1752 written++;
1753 } else {
1754 Dbprintf("Write block [%02x] failed", i + startblock);
1755 }
1756 }
1757 }
1758 if (written == total_block)
1759 Dbprintf("Clone complete");
1760 else
1761 Dbprintf("Clone incomplete");
1762
1763 cmd_send(CMD_ACK, 1, 0, 0, 0, 0);
1764 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1765 LED_D_OFF();
1766 LED_A_OFF();
1767 }
Proxmark3 GIT tracking
Impressum, Datenschutz