]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/appmain.c
Add Smartcard functions (RDV4.0) (#646)
[proxmark3-svn] / armsrc / appmain.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, Mar 2006
3 // Edits by Gerhard de Koning Gans, Sep 2007 (##)
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // The main application code. This is the first thing called after start.c
10 // executes.
11 //-----------------------------------------------------------------------------
12
13 #include <stdarg.h>
14
15 #include "usb_cdc.h"
16 #include "cmd.h"
17 #include "proxmark3.h"
18 #include "apps.h"
19 #include "fpga.h"
20 #include "util.h"
21 #include "printf.h"
22 #include "string.h"
23 #include "legicrf.h"
24 #include "hitag2.h"
25 #include "hitagS.h"
26 #include "lfsampling.h"
27 #include "BigBuf.h"
28 #include "mifareutil.h"
29 #include "pcf7931.h"
30 #ifdef WITH_LCD
31 #include "LCD.h"
32 #endif
33 #ifdef WITH_SMARTCARD
34 #include "i2c.h"
35 #endif
36
37
38 // Craig Young - 14a stand-alone code
39 #ifdef WITH_ISO14443a
40 #include "iso14443a.h"
41 #endif
42
43 //=============================================================================
44 // A buffer where we can queue things up to be sent through the FPGA, for
45 // any purpose (fake tag, as reader, whatever). We go MSB first, since that
46 // is the order in which they go out on the wire.
47 //=============================================================================
48
49 #define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
50 uint8_t ToSend[TOSEND_BUFFER_SIZE];
51 int ToSendMax;
52 static int ToSendBit;
53 struct common_area common_area __attribute__((section(".commonarea")));
54
55 void ToSendReset(void)
56 {
57 ToSendMax = -1;
58 ToSendBit = 8;
59 }
60
61 void ToSendStuffBit(int b)
62 {
63 if(ToSendBit >= 8) {
64 ToSendMax++;
65 ToSend[ToSendMax] = 0;
66 ToSendBit = 0;
67 }
68
69 if(b) {
70 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
71 }
72
73 ToSendBit++;
74
75 if(ToSendMax >= sizeof(ToSend)) {
76 ToSendBit = 0;
77 DbpString("ToSendStuffBit overflowed!");
78 }
79 }
80
81 //=============================================================================
82 // Debug print functions, to go out over USB, to the usual PC-side client.
83 //=============================================================================
84
85 void DbpString(char *str)
86 {
87 byte_t len = strlen(str);
88 cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len);
89 }
90
91 #if 0
92 void DbpIntegers(int x1, int x2, int x3)
93 {
94 cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
95 }
96 #endif
97
98 void Dbprintf(const char *fmt, ...) {
99 // should probably limit size here; oh well, let's just use a big buffer
100 char output_string[128];
101 va_list ap;
102
103 va_start(ap, fmt);
104 kvsprintf(fmt, output_string, 10, ap);
105 va_end(ap);
106
107 DbpString(output_string);
108 }
109
110 // prints HEX & ASCII
111 void Dbhexdump(int len, uint8_t *d, bool bAsci) {
112 int l=0,i;
113 char ascii[9];
114
115 while (len>0) {
116 if (len>8) l=8;
117 else l=len;
118
119 memcpy(ascii,d,l);
120 ascii[l]=0;
121
122 // filter safe ascii
123 for (i=0;i<l;i++)
124 if (ascii[i]<32 || ascii[i]>126) ascii[i]='.';
125
126 if (bAsci) {
127 Dbprintf("%-8s %*D",ascii,l,d," ");
128 } else {
129 Dbprintf("%*D",l,d," ");
130 }
131
132 len-=8;
133 d+=8;
134 }
135 }
136
137 //-----------------------------------------------------------------------------
138 // Read an ADC channel and block till it completes, then return the result
139 // in ADC units (0 to 1023). Also a routine to average 32 samples and
140 // return that.
141 //-----------------------------------------------------------------------------
142 static int ReadAdc(int ch)
143 {
144 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
145 // AMPL_HI is are high impedance (10MOhm || 1MOhm) output, the input capacitance of the ADC is 12pF (typical). This results in a time constant
146 // of RC = (0.91MOhm) * 12pF = 10.9us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
147 //
148 // The maths are:
149 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
150 //
151 // v_cap = v_in * (1 - exp(-SHTIM/RC)) = v_in * (1 - exp(-40us/10.9us)) = v_in * 0,97 (i.e. an error of 3%)
152
153 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
154 AT91C_BASE_ADC->ADC_MR =
155 ADC_MODE_PRESCALE(63) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
156 ADC_MODE_STARTUP_TIME(1) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
157 ADC_MODE_SAMPLE_HOLD_TIME(15); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
158
159 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
160 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
161
162 while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch))) {};
163
164 return AT91C_BASE_ADC->ADC_CDR[ch];
165 }
166
167 int AvgAdc(int ch) // was static - merlok
168 {
169 int i;
170 int a = 0;
171
172 for(i = 0; i < 32; i++) {
173 a += ReadAdc(ch);
174 }
175
176 return (a + 15) >> 5;
177 }
178
179 void MeasureAntennaTuningLfOnly(int *vLf125, int *vLf134, int *peakf, int *peakv, uint8_t LF_Results[])
180 {
181 int i, adcval = 0, peak = 0;
182
183 /*
184 * Sweeps the useful LF range of the proxmark from
185 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
186 * read the voltage in the antenna, the result left
187 * in the buffer is a graph which should clearly show
188 * the resonating frequency of your LF antenna
189 * ( hopefully around 95 if it is tuned to 125kHz!)
190 */
191
192 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
193 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
194 SpinDelay(50);
195
196 for (i=255; i>=19; i--) {
197 WDT_HIT();
198 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
199 SpinDelay(20);
200 adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
201 if (i==95) *vLf125 = adcval; // voltage at 125Khz
202 if (i==89) *vLf134 = adcval; // voltage at 134Khz
203
204 LF_Results[i] = adcval >> 9; // scale int to fit in byte for graphing purposes
205 if(LF_Results[i] > peak) {
206 *peakv = adcval;
207 peak = LF_Results[i];
208 *peakf = i;
209 //ptr = i;
210 }
211 }
212
213 for (i=18; i >= 0; i--) LF_Results[i] = 0;
214
215 return;
216 }
217
218 void MeasureAntennaTuningHfOnly(int *vHf)
219 {
220 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
221 LED_A_ON();
222 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
223 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
224 SpinDelay(20);
225 *vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
226 LED_A_OFF();
227
228 return;
229 }
230
231 void MeasureAntennaTuning(int mode)
232 {
233 uint8_t LF_Results[256] = {0};
234 int peakv = 0, peakf = 0;
235 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
236
237 LED_B_ON();
238
239 if (((mode & FLAG_TUNE_ALL) == FLAG_TUNE_ALL) && (FpgaGetCurrent() == FPGA_BITSTREAM_HF)) {
240 // Reverse "standard" order if HF already loaded, to avoid unnecessary swap.
241 MeasureAntennaTuningHfOnly(&vHf);
242 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
243 } else {
244 if (mode & FLAG_TUNE_LF) {
245 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
246 }
247 if (mode & FLAG_TUNE_HF) {
248 MeasureAntennaTuningHfOnly(&vHf);
249 }
250 }
251
252 cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125>>1 | (vLf134>>1<<16), vHf, peakf | (peakv>>1<<16), LF_Results, 256);
253 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
254 LED_B_OFF();
255 return;
256 }
257
258 void MeasureAntennaTuningHf(void)
259 {
260 int vHf = 0; // in mV
261
262 DbpString("Measuring HF antenna, press button to exit");
263
264 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
265 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
266 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
267
268 for (;;) {
269 SpinDelay(20);
270 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
271
272 Dbprintf("%d mV",vHf);
273 if (BUTTON_PRESS()) break;
274 }
275 DbpString("cancelled");
276
277 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
278
279 }
280
281
282 void ReadMem(int addr)
283 {
284 const uint8_t *data = ((uint8_t *)addr);
285
286 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
287 addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
288 }
289
290 /* osimage version information is linked in */
291 extern struct version_information version_information;
292 /* bootrom version information is pointed to from _bootphase1_version_pointer */
293 extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
294
295 void SendVersion(void)
296 {
297 char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
298 char VersionString[USB_CMD_DATA_SIZE] = { '\0' };
299
300 /* Try to find the bootrom version information. Expect to find a pointer at
301 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
302 * pointer, then use it.
303 */
304 char *bootrom_version = *(char**)&_bootphase1_version_pointer;
305 if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
306 strcat(VersionString, "bootrom version information appears invalid\n");
307 } else {
308 FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
309 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
310 }
311
312 FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
313 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
314
315 for (int i = 0; i < fpga_bitstream_num; i++) {
316 strncat(VersionString, fpga_version_information[i], sizeof(VersionString) - strlen(VersionString) - 1);
317 if (i < fpga_bitstream_num - 1) {
318 strncat(VersionString, "\n", sizeof(VersionString) - strlen(VersionString) - 1);
319 }
320 }
321
322 // Send Chip ID and used flash memory
323 uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
324 uint32_t compressed_data_section_size = common_area.arg1;
325 cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, 0, VersionString, strlen(VersionString));
326 }
327
328 // measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
329 // Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
330 void printUSBSpeed(void)
331 {
332 Dbprintf("USB Speed:");
333 Dbprintf(" Sending USB packets to client...");
334
335 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
336 uint8_t *test_data = BigBuf_get_addr();
337 uint32_t end_time;
338
339 uint32_t start_time = end_time = GetTickCount();
340 uint32_t bytes_transferred = 0;
341
342 LED_B_ON();
343 while(end_time < start_time + USB_SPEED_TEST_MIN_TIME) {
344 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE);
345 end_time = GetTickCount();
346 bytes_transferred += USB_CMD_DATA_SIZE;
347 }
348 LED_B_OFF();
349
350 Dbprintf(" Time elapsed: %dms", end_time - start_time);
351 Dbprintf(" Bytes transferred: %d", bytes_transferred);
352 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
353 1000 * bytes_transferred / (end_time - start_time));
354
355 }
356
357 /**
358 * Prints runtime information about the PM3.
359 **/
360 void SendStatus(void)
361 {
362 BigBuf_print_status();
363 Fpga_print_status();
364 #ifdef WITH_SMARTCARD
365 I2C_print_status();
366 #endif
367 printConfig(); //LF Sampling config
368 printUSBSpeed();
369 Dbprintf("Various");
370 Dbprintf(" MF_DBGLEVEL........%d", MF_DBGLEVEL);
371 Dbprintf(" ToSendMax..........%d", ToSendMax);
372 Dbprintf(" ToSendBit..........%d", ToSendBit);
373
374 cmd_send(CMD_ACK,1,0,0,0,0);
375 }
376
377 #if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF_StandAlone)
378
379 #define OPTS 2
380
381 void StandAloneMode()
382 {
383 DbpString("Stand-alone mode! No PC necessary.");
384 // Oooh pretty -- notify user we're in elite samy mode now
385 LED(LED_RED, 200);
386 LED(LED_ORANGE, 200);
387 LED(LED_GREEN, 200);
388 LED(LED_ORANGE, 200);
389 LED(LED_RED, 200);
390 LED(LED_ORANGE, 200);
391 LED(LED_GREEN, 200);
392 LED(LED_ORANGE, 200);
393 LED(LED_RED, 200);
394
395 }
396
397 #endif
398
399
400
401 #ifdef WITH_ISO14443a_StandAlone
402 void StandAloneMode14a()
403 {
404 StandAloneMode();
405 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
406
407 int selected = 0;
408 bool playing = false, GotoRecord = false, GotoClone = false;
409 bool cardRead[OPTS] = {false};
410 uint8_t readUID[10] = {0};
411 uint32_t uid_1st[OPTS]={0};
412 uint32_t uid_2nd[OPTS]={0};
413 uint32_t uid_tmp1 = 0;
414 uint32_t uid_tmp2 = 0;
415 iso14a_card_select_t hi14a_card[OPTS];
416
417 LED(selected + 1, 0);
418
419 for (;;)
420 {
421 usb_poll();
422 WDT_HIT();
423 SpinDelay(300);
424
425 if (GotoRecord || !cardRead[selected])
426 {
427 GotoRecord = false;
428 LEDsoff();
429 LED(selected + 1, 0);
430 LED(LED_RED2, 0);
431
432 // record
433 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected);
434 /* need this delay to prevent catching some weird data */
435 SpinDelay(500);
436 /* Code for reading from 14a tag */
437 uint8_t uid[10] ={0};
438 uint32_t cuid;
439 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
440
441 for ( ; ; )
442 {
443 WDT_HIT();
444 if (BUTTON_PRESS()) {
445 if (cardRead[selected]) {
446 Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
447 break;
448 }
449 else if (cardRead[(selected+1)%OPTS]) {
450 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS);
451 selected = (selected+1)%OPTS;
452 break;
453 }
454 else {
455 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
456 SpinDelay(300);
457 }
458 }
459 if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid, true, 0, true))
460 continue;
461 else
462 {
463 Dbprintf("Read UID:"); Dbhexdump(10,uid,0);
464 memcpy(readUID,uid,10*sizeof(uint8_t));
465 uint8_t *dst = (uint8_t *)&uid_tmp1;
466 // Set UID byte order
467 for (int i=0; i<4; i++)
468 dst[i] = uid[3-i];
469 dst = (uint8_t *)&uid_tmp2;
470 for (int i=0; i<4; i++)
471 dst[i] = uid[7-i];
472 if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) {
473 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
474 }
475 else {
476 if (uid_tmp2) {
477 Dbprintf("Bank[%d] received a 7-byte UID",selected);
478 uid_1st[selected] = (uid_tmp1)>>8;
479 uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8);
480 }
481 else {
482 Dbprintf("Bank[%d] received a 4-byte UID",selected);
483 uid_1st[selected] = uid_tmp1;
484 uid_2nd[selected] = uid_tmp2;
485 }
486 break;
487 }
488 }
489 }
490 Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]);
491 Dbprintf("SAK = %02X",hi14a_card[selected].sak);
492 LEDsoff();
493 LED(LED_GREEN, 200);
494 LED(LED_ORANGE, 200);
495 LED(LED_GREEN, 200);
496 LED(LED_ORANGE, 200);
497
498 LEDsoff();
499 LED(selected + 1, 0);
500
501 // Next state is replay:
502 playing = true;
503
504 cardRead[selected] = true;
505 }
506 /* MF Classic UID clone */
507 else if (GotoClone)
508 {
509 GotoClone=false;
510 LEDsoff();
511 LED(selected + 1, 0);
512 LED(LED_ORANGE, 250);
513
514
515 // record
516 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]);
517
518 // wait for button to be released
519 while(BUTTON_PRESS())
520 {
521 // Delay cloning until card is in place
522 WDT_HIT();
523 }
524 Dbprintf("Starting clone. [Bank: %u]", selected);
525 // need this delay to prevent catching some weird data
526 SpinDelay(500);
527 // Begin clone function here:
528 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
529 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}};
530 memcpy(c.d.asBytes, data, 16);
531 SendCommand(&c);
532
533 Block read is similar:
534 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}};
535 We need to imitate that call with blockNo 0 to set a uid.
536
537 The get and set commands are handled in this file:
538 // Work with "magic Chinese" card
539 case CMD_MIFARE_CSETBLOCK:
540 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
541 break;
542 case CMD_MIFARE_CGETBLOCK:
543 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
544 break;
545
546 mfCSetUID provides example logic for UID set workflow:
547 -Read block0 from card in field with MifareCGetBlock()
548 -Configure new values without replacing reserved bytes
549 memcpy(block0, uid, 4); // Copy UID bytes from byte array
550 // Mifare UID BCC
551 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
552 Bytes 5-7 are reserved SAK and ATQA for mifare classic
553 -Use mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER) to write it
554 */
555 uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0};
556 // arg0 = Flags == CSETBLOCK_SINGLE_OPER=0x1F, arg1=returnSlot, arg2=blockNo
557 MifareCGetBlock(0x3F, 1, 0, oldBlock0);
558 if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
559 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
560 playing = true;
561 }
562 else {
563 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]);
564 memcpy(newBlock0,oldBlock0,16);
565 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
566
567 newBlock0[0] = uid_1st[selected]>>24;
568 newBlock0[1] = 0xFF & (uid_1st[selected]>>16);
569 newBlock0[2] = 0xFF & (uid_1st[selected]>>8);
570 newBlock0[3] = 0xFF & (uid_1st[selected]);
571 newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3];
572 // arg0 = needWipe, arg1 = workFlags, arg2 = blockNo, datain
573 MifareCSetBlock(0, 0xFF,0, newBlock0);
574 MifareCGetBlock(0x3F, 1, 0, testBlock0);
575 if (memcmp(testBlock0,newBlock0,16)==0)
576 {
577 DbpString("Cloned successfull!");
578 cardRead[selected] = false; // Only if the card was cloned successfully should we clear it
579 playing = false;
580 GotoRecord = true;
581 selected = (selected+1) % OPTS;
582 }
583 else {
584 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
585 playing = true;
586 }
587 }
588 LEDsoff();
589 LED(selected + 1, 0);
590
591 }
592 // Change where to record (or begin playing)
593 else if (playing) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
594 {
595 LEDsoff();
596 LED(selected + 1, 0);
597
598 // Begin transmitting
599 LED(LED_GREEN, 0);
600 DbpString("Playing");
601 for ( ; ; ) {
602 WDT_HIT();
603 int button_action = BUTTON_HELD(1000);
604 if (button_action == 0) { // No button action, proceed with sim
605 uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break
606 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected);
607 if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) {
608 DbpString("Mifare Classic");
609 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data); // Mifare Classic
610 }
611 else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) {
612 DbpString("Mifare Ultralight");
613 SimulateIso14443aTag(2,uid_1st[selected],uid_2nd[selected],data); // Mifare Ultralight
614 }
615 else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) {
616 DbpString("Mifare DESFire");
617 SimulateIso14443aTag(3,uid_1st[selected],uid_2nd[selected],data); // Mifare DESFire
618 }
619 else {
620 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
621 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data);
622 }
623 }
624 else if (button_action == BUTTON_SINGLE_CLICK) {
625 selected = (selected + 1) % OPTS;
626 Dbprintf("Done playing. Switching to record mode on bank %d",selected);
627 GotoRecord = true;
628 break;
629 }
630 else if (button_action == BUTTON_HOLD) {
631 Dbprintf("Playtime over. Begin cloning...");
632 GotoClone = true;
633 break;
634 }
635 WDT_HIT();
636 }
637
638 /* We pressed a button so ignore it here with a delay */
639 SpinDelay(300);
640 LEDsoff();
641 LED(selected + 1, 0);
642 }
643 }
644 }
645 #elif WITH_LF_StandAlone
646 // samy's sniff and repeat routine
647 void SamyRun()
648 {
649 StandAloneMode();
650 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
651
652 int high[OPTS], low[OPTS];
653 int selected = 0;
654 int playing = 0;
655 int cardRead = 0;
656
657 // Turn on selected LED
658 LED(selected + 1, 0);
659
660 for (;;)
661 {
662 usb_poll();
663 WDT_HIT();
664
665 // Was our button held down or pressed?
666 int button_pressed = BUTTON_HELD(1000);
667 SpinDelay(300);
668
669 // Button was held for a second, begin recording
670 if (button_pressed > 0 && cardRead == 0)
671 {
672 LEDsoff();
673 LED(selected + 1, 0);
674 LED(LED_RED2, 0);
675
676 // record
677 DbpString("Starting recording");
678
679 // wait for button to be released
680 while(BUTTON_PRESS())
681 WDT_HIT();
682
683 /* need this delay to prevent catching some weird data */
684 SpinDelay(500);
685
686 CmdHIDdemodFSK(1, &high[selected], &low[selected], 0);
687 Dbprintf("Recorded %x %x%08x", selected, high[selected], low[selected]);
688
689 LEDsoff();
690 LED(selected + 1, 0);
691 // Finished recording
692
693 // If we were previously playing, set playing off
694 // so next button push begins playing what we recorded
695 playing = 0;
696
697 cardRead = 1;
698
699 }
700
701 else if (button_pressed > 0 && cardRead == 1)
702 {
703 LEDsoff();
704 LED(selected + 1, 0);
705 LED(LED_ORANGE, 0);
706
707 // record
708 Dbprintf("Cloning %x %x%08x", selected, high[selected], low[selected]);
709
710 // wait for button to be released
711 while(BUTTON_PRESS())
712 WDT_HIT();
713
714 /* need this delay to prevent catching some weird data */
715 SpinDelay(500);
716
717 CopyHIDtoT55x7(0, high[selected], low[selected], 0);
718 Dbprintf("Cloned %x %x%08x", selected, high[selected], low[selected]);
719
720 LEDsoff();
721 LED(selected + 1, 0);
722 // Finished recording
723
724 // If we were previously playing, set playing off
725 // so next button push begins playing what we recorded
726 playing = 0;
727
728 cardRead = 0;
729
730 }
731
732 // Change where to record (or begin playing)
733 else if (button_pressed)
734 {
735 // Next option if we were previously playing
736 if (playing)
737 selected = (selected + 1) % OPTS;
738 playing = !playing;
739
740 LEDsoff();
741 LED(selected + 1, 0);
742
743 // Begin transmitting
744 if (playing)
745 {
746 LED(LED_GREEN, 0);
747 DbpString("Playing");
748 // wait for button to be released
749 while(BUTTON_PRESS())
750 WDT_HIT();
751 Dbprintf("%x %x%08x", selected, high[selected], low[selected]);
752 CmdHIDsimTAG(high[selected], low[selected], 0);
753 DbpString("Done playing");
754 if (BUTTON_HELD(1000) > 0)
755 {
756 DbpString("Exiting");
757 LEDsoff();
758 return;
759 }
760
761 /* We pressed a button so ignore it here with a delay */
762 SpinDelay(300);
763
764 // when done, we're done playing, move to next option
765 selected = (selected + 1) % OPTS;
766 playing = !playing;
767 LEDsoff();
768 LED(selected + 1, 0);
769 }
770 else
771 while(BUTTON_PRESS())
772 WDT_HIT();
773 }
774 }
775 }
776
777 #endif
778 /*
779 OBJECTIVE
780 Listen and detect an external reader. Determine the best location
781 for the antenna.
782
783 INSTRUCTIONS:
784 Inside the ListenReaderField() function, there is two mode.
785 By default, when you call the function, you will enter mode 1.
786 If you press the PM3 button one time, you will enter mode 2.
787 If you press the PM3 button a second time, you will exit the function.
788
789 DESCRIPTION OF MODE 1:
790 This mode just listens for an external reader field and lights up green
791 for HF and/or red for LF. This is the original mode of the detectreader
792 function.
793
794 DESCRIPTION OF MODE 2:
795 This mode will visually represent, using the LEDs, the actual strength of the
796 current compared to the maximum current detected. Basically, once you know
797 what kind of external reader is present, it will help you spot the best location to place
798 your antenna. You will probably not get some good results if there is a LF and a HF reader
799 at the same place! :-)
800
801 LIGHT SCHEME USED:
802 */
803 static const char LIGHT_SCHEME[] = {
804 0x0, /* ---- | No field detected */
805 0x1, /* X--- | 14% of maximum current detected */
806 0x2, /* -X-- | 29% of maximum current detected */
807 0x4, /* --X- | 43% of maximum current detected */
808 0x8, /* ---X | 57% of maximum current detected */
809 0xC, /* --XX | 71% of maximum current detected */
810 0xE, /* -XXX | 86% of maximum current detected */
811 0xF, /* XXXX | 100% of maximum current detected */
812 };
813 static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
814
815 void ListenReaderField(int limit)
816 {
817 int lf_av, lf_av_new, lf_baseline= 0, lf_max;
818 int hf_av, hf_av_new, hf_baseline= 0, hf_max;
819 int mode=1, display_val, display_max, i;
820
821 #define LF_ONLY 1
822 #define HF_ONLY 2
823 #define REPORT_CHANGE 10 // report new values only if they have changed at least by REPORT_CHANGE
824
825
826 // switch off FPGA - we don't want to measure our own signal
827 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
828 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
829
830 LEDsoff();
831
832 lf_av = lf_max = AvgAdc(ADC_CHAN_LF);
833
834 if(limit != HF_ONLY) {
835 Dbprintf("LF 125/134kHz Baseline: %dmV", (MAX_ADC_LF_VOLTAGE * lf_av) >> 10);
836 lf_baseline = lf_av;
837 }
838
839 hf_av = hf_max = AvgAdc(ADC_CHAN_HF);
840
841 if (limit != LF_ONLY) {
842 Dbprintf("HF 13.56MHz Baseline: %dmV", (MAX_ADC_HF_VOLTAGE * hf_av) >> 10);
843 hf_baseline = hf_av;
844 }
845
846 for(;;) {
847 if (BUTTON_PRESS()) {
848 SpinDelay(500);
849 switch (mode) {
850 case 1:
851 mode=2;
852 DbpString("Signal Strength Mode");
853 break;
854 case 2:
855 default:
856 DbpString("Stopped");
857 LEDsoff();
858 return;
859 break;
860 }
861 }
862 WDT_HIT();
863
864 if (limit != HF_ONLY) {
865 if(mode == 1) {
866 if (ABS(lf_av - lf_baseline) > REPORT_CHANGE)
867 LED_D_ON();
868 else
869 LED_D_OFF();
870 }
871
872 lf_av_new = AvgAdc(ADC_CHAN_LF);
873 // see if there's a significant change
874 if(ABS(lf_av - lf_av_new) > REPORT_CHANGE) {
875 Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE * lf_av_new) >> 10);
876 lf_av = lf_av_new;
877 if (lf_av > lf_max)
878 lf_max = lf_av;
879 }
880 }
881
882 if (limit != LF_ONLY) {
883 if (mode == 1){
884 if (ABS(hf_av - hf_baseline) > REPORT_CHANGE)
885 LED_B_ON();
886 else
887 LED_B_OFF();
888 }
889
890 hf_av_new = AvgAdc(ADC_CHAN_HF);
891 // see if there's a significant change
892 if(ABS(hf_av - hf_av_new) > REPORT_CHANGE) {
893 Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE * hf_av_new) >> 10);
894 hf_av = hf_av_new;
895 if (hf_av > hf_max)
896 hf_max = hf_av;
897 }
898 }
899
900 if(mode == 2) {
901 if (limit == LF_ONLY) {
902 display_val = lf_av;
903 display_max = lf_max;
904 } else if (limit == HF_ONLY) {
905 display_val = hf_av;
906 display_max = hf_max;
907 } else { /* Pick one at random */
908 if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
909 display_val = hf_av;
910 display_max = hf_max;
911 } else {
912 display_val = lf_av;
913 display_max = lf_max;
914 }
915 }
916 for (i=0; i<LIGHT_LEN; i++) {
917 if (display_val >= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) {
918 if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF();
919 if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF();
920 if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF();
921 if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF();
922 break;
923 }
924 }
925 }
926 }
927 }
928
929 void UsbPacketReceived(uint8_t *packet, int len)
930 {
931 UsbCommand *c = (UsbCommand *)packet;
932
933 // Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
934
935 switch(c->cmd) {
936 #ifdef WITH_LF
937 case CMD_SET_LF_SAMPLING_CONFIG:
938 setSamplingConfig((sample_config *) c->d.asBytes);
939 break;
940 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
941 cmd_send(CMD_ACK,SampleLF(c->arg[0], c->arg[1]),0,0,0,0);
942 break;
943 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
944 ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
945 break;
946 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
947 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
948 break;
949 case CMD_HID_DEMOD_FSK:
950 CmdHIDdemodFSK(c->arg[0], 0, 0, 1);
951 break;
952 case CMD_HID_SIM_TAG:
953 CmdHIDsimTAG(c->arg[0], c->arg[1], 1);
954 break;
955 case CMD_FSK_SIM_TAG:
956 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
957 break;
958 case CMD_ASK_SIM_TAG:
959 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
960 break;
961 case CMD_PSK_SIM_TAG:
962 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
963 break;
964 case CMD_HID_CLONE_TAG:
965 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
966 break;
967 case CMD_IO_DEMOD_FSK:
968 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
969 break;
970 case CMD_IO_CLONE_TAG:
971 CopyIOtoT55x7(c->arg[0], c->arg[1]);
972 break;
973 case CMD_EM410X_DEMOD:
974 CmdEM410xdemod(c->arg[0], 0, 0, 1);
975 break;
976 case CMD_EM410X_WRITE_TAG:
977 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
978 break;
979 case CMD_READ_TI_TYPE:
980 ReadTItag();
981 break;
982 case CMD_WRITE_TI_TYPE:
983 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
984 break;
985 case CMD_SIMULATE_TAG_125K:
986 LED_A_ON();
987 SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
988 LED_A_OFF();
989 break;
990 case CMD_LF_SIMULATE_BIDIR:
991 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
992 break;
993 case CMD_INDALA_CLONE_TAG:
994 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
995 break;
996 case CMD_INDALA_CLONE_TAG_L:
997 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
998 break;
999 case CMD_T55XX_READ_BLOCK:
1000 T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
1001 break;
1002 case CMD_T55XX_WRITE_BLOCK:
1003 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
1004 break;
1005 case CMD_T55XX_WAKEUP:
1006 T55xxWakeUp(c->arg[0]);
1007 break;
1008 case CMD_T55XX_RESET_READ:
1009 T55xxResetRead();
1010 break;
1011 case CMD_PCF7931_READ:
1012 ReadPCF7931();
1013 break;
1014 case CMD_PCF7931_WRITE:
1015 WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
1016 break;
1017 case CMD_EM4X_READ_WORD:
1018 EM4xReadWord(c->arg[0], c->arg[1],c->arg[2]);
1019 break;
1020 case CMD_EM4X_WRITE_WORD:
1021 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]);
1022 break;
1023 case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
1024 CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
1025 break;
1026 case CMD_VIKING_CLONE_TAG:
1027 CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
1028 break;
1029 case CMD_COTAG:
1030 Cotag(c->arg[0]);
1031 break;
1032 #endif
1033
1034 #ifdef WITH_HITAG
1035 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
1036 SnoopHitag(c->arg[0]);
1037 break;
1038 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
1039 SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1040 break;
1041 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
1042 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1043 break;
1044 case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content
1045 SimulateHitagSTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1046 break;
1047 case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file
1048 check_challenges((bool)c->arg[0],(byte_t*)c->d.asBytes);
1049 break;
1050 case CMD_READ_HITAG_S://Reader for only Hitag S tags, args = key or challenge
1051 ReadHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1052 break;
1053 case CMD_WR_HITAG_S://writer for Hitag tags args=data to write,page and key or challenge
1054 if ((hitag_function)c->arg[0] < 10) {
1055 WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]);
1056 }
1057 else if ((hitag_function)c->arg[0] >= 10) {
1058 WriterHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes, c->arg[2]);
1059 }
1060 break;
1061 #endif
1062
1063 #ifdef WITH_ISO15693
1064 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
1065 AcquireRawAdcSamplesIso15693();
1066 break;
1067 case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693:
1068 RecordRawAdcSamplesIso15693();
1069 break;
1070
1071 case CMD_ISO_15693_COMMAND:
1072 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1073 break;
1074
1075 case CMD_ISO_15693_FIND_AFI:
1076 BruteforceIso15693Afi(c->arg[0]);
1077 break;
1078
1079 case CMD_ISO_15693_DEBUG:
1080 SetDebugIso15693(c->arg[0]);
1081 break;
1082
1083 case CMD_READER_ISO_15693:
1084 ReaderIso15693(c->arg[0]);
1085 break;
1086 case CMD_SIMTAG_ISO_15693:
1087 SimTagIso15693(c->arg[0], c->d.asBytes);
1088 break;
1089 #endif
1090
1091 #ifdef WITH_LEGICRF
1092 case CMD_SIMULATE_TAG_LEGIC_RF:
1093 LegicRfSimulate(c->arg[0], c->arg[1], c->arg[2]);
1094 break;
1095
1096 case CMD_WRITER_LEGIC_RF:
1097 LegicRfWriter(c->arg[1], c->arg[0]);
1098 break;
1099
1100 case CMD_READER_LEGIC_RF:
1101 LegicRfReader(c->arg[0], c->arg[1]);
1102 break;
1103 #endif
1104
1105 #ifdef WITH_ISO14443b
1106 case CMD_READ_SRI512_TAG:
1107 ReadSTMemoryIso14443b(0x0F);
1108 break;
1109 case CMD_READ_SRIX4K_TAG:
1110 ReadSTMemoryIso14443b(0x7F);
1111 break;
1112 case CMD_SNOOP_ISO_14443B:
1113 SnoopIso14443b();
1114 break;
1115 case CMD_SIMULATE_TAG_ISO_14443B:
1116 SimulateIso14443bTag();
1117 break;
1118 case CMD_ISO_14443B_COMMAND:
1119 SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1120 break;
1121 #endif
1122
1123 #ifdef WITH_ISO14443a
1124 case CMD_SNOOP_ISO_14443a:
1125 SnoopIso14443a(c->arg[0]);
1126 break;
1127 case CMD_READER_ISO_14443a:
1128 ReaderIso14443a(c);
1129 break;
1130 case CMD_SIMULATE_TAG_ISO_14443a:
1131 SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
1132 break;
1133
1134 case CMD_EPA_PACE_COLLECT_NONCE:
1135 EPA_PACE_Collect_Nonce(c);
1136 break;
1137 case CMD_EPA_PACE_REPLAY:
1138 EPA_PACE_Replay(c);
1139 break;
1140
1141 case CMD_READER_MIFARE:
1142 ReaderMifare(c->arg[0]);
1143 break;
1144 case CMD_MIFARE_READBL:
1145 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1146 break;
1147 case CMD_MIFAREU_READBL:
1148 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
1149 break;
1150 case CMD_MIFAREUC_AUTH:
1151 MifareUC_Auth(c->arg[0],c->d.asBytes);
1152 break;
1153 case CMD_MIFAREU_READCARD:
1154 MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1155 break;
1156 case CMD_MIFAREUC_SETPWD:
1157 MifareUSetPwd(c->arg[0], c->d.asBytes);
1158 break;
1159 case CMD_MIFARE_READSC:
1160 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1161 break;
1162 case CMD_MIFARE_WRITEBL:
1163 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1164 break;
1165 //case CMD_MIFAREU_WRITEBL_COMPAT:
1166 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1167 //break;
1168 case CMD_MIFAREU_WRITEBL:
1169 MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
1170 break;
1171 case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES:
1172 MifareAcquireEncryptedNonces(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1173 break;
1174 case CMD_MIFARE_NESTED:
1175 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1176 break;
1177 case CMD_MIFARE_CHKKEYS:
1178 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1179 break;
1180 case CMD_SIMULATE_MIFARE_CARD:
1181 Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1182 break;
1183
1184 // emulator
1185 case CMD_MIFARE_SET_DBGMODE:
1186 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1187 break;
1188 case CMD_MIFARE_EML_MEMCLR:
1189 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1190 break;
1191 case CMD_MIFARE_EML_MEMSET:
1192 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1193 break;
1194 case CMD_MIFARE_EML_MEMGET:
1195 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1196 break;
1197 case CMD_MIFARE_EML_CARDLOAD:
1198 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1199 break;
1200
1201 // Work with "magic Chinese" card
1202 case CMD_MIFARE_CWIPE:
1203 MifareCWipe(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1204 break;
1205 case CMD_MIFARE_CSETBLOCK:
1206 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1207 break;
1208 case CMD_MIFARE_CGETBLOCK:
1209 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1210 break;
1211 case CMD_MIFARE_CIDENT:
1212 MifareCIdent();
1213 break;
1214
1215 // mifare sniffer
1216 case CMD_MIFARE_SNIFFER:
1217 SniffMifare(c->arg[0]);
1218 break;
1219
1220 #endif
1221
1222 #ifdef WITH_ICLASS
1223 // Makes use of ISO14443a FPGA Firmware
1224 case CMD_SNOOP_ICLASS:
1225 SnoopIClass();
1226 break;
1227 case CMD_SIMULATE_TAG_ICLASS:
1228 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1229 break;
1230 case CMD_READER_ICLASS:
1231 ReaderIClass(c->arg[0]);
1232 break;
1233 case CMD_READER_ICLASS_REPLAY:
1234 ReaderIClass_Replay(c->arg[0], c->d.asBytes);
1235 break;
1236 case CMD_ICLASS_EML_MEMSET:
1237 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
1238 break;
1239 case CMD_ICLASS_WRITEBLOCK:
1240 iClass_WriteBlock(c->arg[0], c->d.asBytes);
1241 break;
1242 case CMD_ICLASS_READCHECK: // auth step 1
1243 iClass_ReadCheck(c->arg[0], c->arg[1]);
1244 break;
1245 case CMD_ICLASS_READBLOCK:
1246 iClass_ReadBlk(c->arg[0]);
1247 break;
1248 case CMD_ICLASS_AUTHENTICATION: //check
1249 iClass_Authentication(c->d.asBytes);
1250 break;
1251 case CMD_ICLASS_DUMP:
1252 iClass_Dump(c->arg[0], c->arg[1]);
1253 break;
1254 case CMD_ICLASS_CLONE:
1255 iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
1256 break;
1257 #endif
1258 #ifdef WITH_HFSNOOP
1259 case CMD_HF_SNIFFER:
1260 HfSnoop(c->arg[0], c->arg[1]);
1261 break;
1262 #endif
1263 #ifdef WITH_SMARTCARD
1264 case CMD_SMART_ATR: {
1265 SmartCardAtr();
1266 break;
1267 }
1268 case CMD_SMART_SETCLOCK:{
1269 SmartCardSetClock(c->arg[0]);
1270 break;
1271 }
1272 case CMD_SMART_RAW: {
1273 SmartCardRaw(c->arg[0], c->arg[1], c->d.asBytes);
1274 break;
1275 }
1276 case CMD_SMART_UPLOAD: {
1277 // upload file from client
1278 uint8_t *mem = BigBuf_get_addr();
1279 memcpy( mem + c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1280 cmd_send(CMD_ACK,1,0,0,0,0);
1281 break;
1282 }
1283 case CMD_SMART_UPGRADE: {
1284 SmartCardUpgrade(c->arg[0]);
1285 break;
1286 }
1287 #endif
1288
1289 case CMD_BUFF_CLEAR:
1290 BigBuf_Clear();
1291 break;
1292
1293 case CMD_MEASURE_ANTENNA_TUNING:
1294 MeasureAntennaTuning(c->arg[0]);
1295 break;
1296
1297 case CMD_MEASURE_ANTENNA_TUNING_HF:
1298 MeasureAntennaTuningHf();
1299 break;
1300
1301 case CMD_LISTEN_READER_FIELD:
1302 ListenReaderField(c->arg[0]);
1303 break;
1304
1305 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
1306 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1307 SpinDelay(200);
1308 LED_D_OFF(); // LED D indicates field ON or OFF
1309 break;
1310
1311 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K:
1312
1313 LED_B_ON();
1314 uint8_t *BigBuf = BigBuf_get_addr();
1315 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
1316 size_t len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
1317 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
1318 }
1319 // Trigger a finish downloading signal with an ACK frame
1320 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
1321 LED_B_OFF();
1322 break;
1323
1324 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
1325 // iceman; since changing fpga_bitstreams clears bigbuff, Its better to call it before.
1326 // to be able to use this one for uploading data to device
1327 // arg1 = 0 upload for LF usage
1328 // 1 upload for HF usage
1329 if (c->arg[1] == 0)
1330 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1331 else
1332 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1333
1334 uint8_t *b = BigBuf_get_addr();
1335 memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1336 cmd_send(CMD_ACK,0,0,0,0,0);
1337 break;
1338 }
1339 case CMD_READ_MEM:
1340 ReadMem(c->arg[0]);
1341 break;
1342
1343 case CMD_SET_LF_DIVISOR:
1344 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1345 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
1346 break;
1347
1348 case CMD_SET_ADC_MUX:
1349 switch(c->arg[0]) {
1350 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1351 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1352 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1353 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1354 }
1355 break;
1356
1357 case CMD_VERSION:
1358 SendVersion();
1359 break;
1360 case CMD_STATUS:
1361 SendStatus();
1362 break;
1363 case CMD_PING:
1364 cmd_send(CMD_ACK,0,0,0,0,0);
1365 break;
1366 #ifdef WITH_LCD
1367 case CMD_LCD_RESET:
1368 LCDReset();
1369 break;
1370 case CMD_LCD:
1371 LCDSend(c->arg[0]);
1372 break;
1373 #endif
1374 case CMD_SETUP_WRITE:
1375 case CMD_FINISH_WRITE:
1376 case CMD_HARDWARE_RESET:
1377 usb_disable();
1378 SpinDelay(1000);
1379 SpinDelay(1000);
1380 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1381 for(;;) {
1382 // We're going to reset, and the bootrom will take control.
1383 }
1384 break;
1385
1386 case CMD_START_FLASH:
1387 if(common_area.flags.bootrom_present) {
1388 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1389 }
1390 usb_disable();
1391 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1392 for(;;);
1393 break;
1394
1395 case CMD_DEVICE_INFO: {
1396 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1397 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1398 cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1399 break;
1400 }
1401 default:
1402 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1403 break;
1404 }
1405 }
1406
1407 void __attribute__((noreturn)) AppMain(void)
1408 {
1409 SpinDelay(100);
1410 clear_trace();
1411 if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
1412 /* Initialize common area */
1413 memset(&common_area, 0, sizeof(common_area));
1414 common_area.magic = COMMON_AREA_MAGIC;
1415 common_area.version = 1;
1416 }
1417 common_area.flags.osimage_present = 1;
1418
1419 LED_D_OFF();
1420 LED_C_OFF();
1421 LED_B_OFF();
1422 LED_A_OFF();
1423
1424 // Init USB device
1425 usb_enable();
1426
1427 // The FPGA gets its clock from us from PCK0 output, so set that up.
1428 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
1429 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
1430 AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
1431 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1432 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
1433 AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
1434 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
1435
1436 // Reset SPI
1437 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
1438 // Reset SSC
1439 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
1440
1441 // Load the FPGA image, which we have stored in our flash.
1442 // (the HF version by default)
1443 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1444
1445 StartTickCount();
1446
1447 #ifdef WITH_LCD
1448 LCDInit();
1449 #endif
1450
1451 byte_t rx[sizeof(UsbCommand)];
1452 size_t rx_len;
1453
1454 for(;;) {
1455 if (usb_poll()) {
1456 rx_len = usb_read(rx,sizeof(UsbCommand));
1457 if (rx_len) {
1458 UsbPacketReceived(rx,rx_len);
1459 }
1460 }
1461 WDT_HIT();
1462
1463 #ifdef WITH_LF_StandAlone
1464 #ifndef WITH_ISO14443a_StandAlone
1465 if (BUTTON_HELD(1000) > 0)
1466 SamyRun();
1467 #endif
1468 #endif
1469 #ifdef WITH_ISO14443a
1470 #ifdef WITH_ISO14443a_StandAlone
1471 if (BUTTON_HELD(1000) > 0)
1472 StandAloneMode14a();
1473 #endif
1474 #endif
1475 }
1476 }
Impressum, Datenschutz