]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/appmain.c
5169383ee20112af9f9e3d93a83f3188a7abde72
[proxmark3-svn] / armsrc / appmain.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, Mar 2006
3 // Edits by Gerhard de Koning Gans, Sep 2007 (##)
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // The main application code. This is the first thing called after start.c
10 // executes.
11 //-----------------------------------------------------------------------------
12
13 #include <stdarg.h>
14
15 #include "usb_cdc.h"
16 #include "cmd.h"
17 #include "proxmark3.h"
18 #include "apps.h"
19 #include "fpga.h"
20 #include "util.h"
21 #include "printf.h"
22 #include "string.h"
23 #include "legicrf.h"
24 #include "legicrfsim.h"
25 #include "hitag2.h"
26 #include "hitagS.h"
27 #include "iso14443b.h"
28 #include "iso15693.h"
29 #include "lfsampling.h"
30 #include "BigBuf.h"
31 #include "mifareutil.h"
32 #include "mifaresim.h"
33 #include "pcf7931.h"
34 #include "i2c.h"
35 #include "hfsnoop.h"
36 #include "fpgaloader.h"
37 #ifdef WITH_LCD
38 #include "LCD.h"
39 #endif
40
41 static uint32_t hw_capabilities;
42
43 // Craig Young - 14a stand-alone code
44 #ifdef WITH_ISO14443a
45 #include "iso14443a.h"
46 #endif
47
48 //=============================================================================
49 // A buffer where we can queue things up to be sent through the FPGA, for
50 // any purpose (fake tag, as reader, whatever). We go MSB first, since that
51 // is the order in which they go out on the wire.
52 //=============================================================================
53
54 #define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
55 uint8_t ToSend[TOSEND_BUFFER_SIZE];
56 int ToSendMax;
57 static int ToSendBit;
58 struct common_area common_area __attribute__((section(".commonarea")));
59
60 void ToSendReset(void)
61 {
62 ToSendMax = -1;
63 ToSendBit = 8;
64 }
65
66 void ToSendStuffBit(int b)
67 {
68 if(ToSendBit >= 8) {
69 ToSendMax++;
70 ToSend[ToSendMax] = 0;
71 ToSendBit = 0;
72 }
73
74 if(b) {
75 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
76 }
77
78 ToSendBit++;
79
80 if(ToSendMax >= sizeof(ToSend)) {
81 ToSendBit = 0;
82 DbpString("ToSendStuffBit overflowed!");
83 }
84 }
85
86 //=============================================================================
87 // Debug print functions, to go out over USB, to the usual PC-side client.
88 //=============================================================================
89
90 void DbpString(char *str)
91 {
92 byte_t len = strlen(str);
93 cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len);
94 }
95
96 #if 0
97 void DbpIntegers(int x1, int x2, int x3)
98 {
99 cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
100 }
101 #endif
102
103 void Dbprintf(const char *fmt, ...) {
104 // should probably limit size here; oh well, let's just use a big buffer
105 char output_string[128];
106 va_list ap;
107
108 va_start(ap, fmt);
109 kvsprintf(fmt, output_string, 10, ap);
110 va_end(ap);
111
112 DbpString(output_string);
113 }
114
115 // prints HEX & ASCII
116 void Dbhexdump(int len, uint8_t *d, bool bAsci) {
117 int l=0,i;
118 char ascii[9];
119
120 while (len>0) {
121 if (len>8) l=8;
122 else l=len;
123
124 memcpy(ascii,d,l);
125 ascii[l]=0;
126
127 // filter safe ascii
128 for (i=0;i<l;i++)
129 if (ascii[i]<32 || ascii[i]>126) ascii[i]='.';
130
131 if (bAsci) {
132 Dbprintf("%-8s %*D",ascii,l,d," ");
133 } else {
134 Dbprintf("%*D",l,d," ");
135 }
136
137 len-=8;
138 d+=8;
139 }
140 }
141
142 //-----------------------------------------------------------------------------
143 // Read an ADC channel and block till it completes, then return the result
144 // in ADC units (0 to 1023). Also a routine to average 32 samples and
145 // return that.
146 //-----------------------------------------------------------------------------
147 static int ReadAdc(int ch)
148 {
149 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
150 // AMPL_HI is a high impedance (10MOhm || 1MOhm) output, the input capacitance of the ADC is 12pF (typical). This results in a time constant
151 // of RC = (0.91MOhm) * 12pF = 10.9us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
152 //
153 // The maths are:
154 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
155 //
156 // v_cap = v_in * (1 - exp(-SHTIM/RC)) = v_in * (1 - exp(-40us/10.9us)) = v_in * 0,97 (i.e. an error of 3%)
157
158 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
159 AT91C_BASE_ADC->ADC_MR =
160 ADC_MODE_PRESCALE(63) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
161 ADC_MODE_STARTUP_TIME(1) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
162 ADC_MODE_SAMPLE_HOLD_TIME(15); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
163
164 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
165 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
166
167 while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch))) {};
168
169 return AT91C_BASE_ADC->ADC_CDR[ch] & 0x3ff;
170 }
171
172 int AvgAdc(int ch) // was static - merlok
173 {
174 int i;
175 int a = 0;
176
177 for(i = 0; i < 32; i++) {
178 a += ReadAdc(ch);
179 }
180
181 return (a + 15) >> 5;
182 }
183
184 static int AvgAdc_Voltage_HF(void)
185 {
186 int AvgAdc_Voltage_Low, AvgAdc_Voltage_High;
187
188 AvgAdc_Voltage_Low= (MAX_ADC_HF_VOLTAGE_LOW * AvgAdc(ADC_CHAN_HF_LOW)) >> 10;
189 // if voltage range is about to be exceeded, use high voltage ADC channel if available (RDV40 only)
190 if (AvgAdc_Voltage_Low > MAX_ADC_HF_VOLTAGE_LOW - 300) {
191 AvgAdc_Voltage_High = (MAX_ADC_HF_VOLTAGE_HIGH * AvgAdc(ADC_CHAN_HF_HIGH)) >> 10;
192 if (AvgAdc_Voltage_High >= AvgAdc_Voltage_Low) {
193 return AvgAdc_Voltage_High;
194 }
195 }
196 return AvgAdc_Voltage_Low;
197 }
198
199 static int AvgAdc_Voltage_LF(void)
200 {
201 return (MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10;
202 }
203
204 void MeasureAntennaTuningLfOnly(int *vLf125, int *vLf134, int *peakf, int *peakv, uint8_t LF_Results[])
205 {
206 int i, adcval = 0, peak = 0;
207
208 /*
209 * Sweeps the useful LF range of the proxmark from
210 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
211 * read the voltage in the antenna, the result left
212 * in the buffer is a graph which should clearly show
213 * the resonating frequency of your LF antenna
214 * ( hopefully around 95 if it is tuned to 125kHz!)
215 */
216
217 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
218 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
219 SpinDelay(50);
220
221 for (i=255; i>=19; i--) {
222 WDT_HIT();
223 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
224 SpinDelay(20);
225 adcval = AvgAdc_Voltage_LF();
226 if (i==95) *vLf125 = adcval; // voltage at 125Khz
227 if (i==89) *vLf134 = adcval; // voltage at 134Khz
228
229 LF_Results[i] = adcval >> 9; // scale int to fit in byte for graphing purposes
230 if(LF_Results[i] > peak) {
231 *peakv = adcval;
232 peak = LF_Results[i];
233 *peakf = i;
234 //ptr = i;
235 }
236 }
237
238 for (i=18; i >= 0; i--) LF_Results[i] = 0;
239
240 return;
241 }
242
243 void MeasureAntennaTuningHfOnly(int *vHf)
244 {
245 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
246 LED_A_ON();
247 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
248 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
249 SpinDelay(20);
250 *vHf = AvgAdc_Voltage_HF();
251 LED_A_OFF();
252 return;
253 }
254
255 void MeasureAntennaTuning(int mode)
256 {
257 uint8_t LF_Results[256] = {0};
258 int peakv = 0, peakf = 0;
259 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
260
261 LED_B_ON();
262
263 if (((mode & FLAG_TUNE_ALL) == FLAG_TUNE_ALL) && (FpgaGetCurrent() == FPGA_BITSTREAM_HF)) {
264 // Reverse "standard" order if HF already loaded, to avoid unnecessary swap.
265 MeasureAntennaTuningHfOnly(&vHf);
266 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
267 } else {
268 if (mode & FLAG_TUNE_LF) {
269 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
270 }
271 if (mode & FLAG_TUNE_HF) {
272 MeasureAntennaTuningHfOnly(&vHf);
273 }
274 }
275
276 cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125>>1 | (vLf134>>1<<16), vHf, peakf | (peakv>>1<<16), LF_Results, 256);
277 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
278 LED_B_OFF();
279 return;
280 }
281
282 void MeasureAntennaTuningHf(void)
283 {
284 int vHf = 0; // in mV
285
286 DbpString("Measuring HF antenna, press button to exit");
287
288 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
289 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
290 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
291
292 for (;;) {
293 SpinDelay(500);
294 vHf = AvgAdc_Voltage_HF();
295
296 Dbprintf("%d mV",vHf);
297 if (BUTTON_PRESS()) break;
298 }
299 DbpString("cancelled");
300
301 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
302
303 }
304
305
306 void ReadMem(int addr)
307 {
308 const uint8_t *data = ((uint8_t *)addr);
309
310 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
311 addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
312 }
313
314 /* osimage version information is linked in */
315 extern struct version_information version_information;
316 /* bootrom version information is pointed to from _bootphase1_version_pointer */
317 extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
318
319
320 void set_hw_capabilities(void)
321 {
322 if (I2C_is_available()) {
323 hw_capabilities |= HAS_SMARTCARD_SLOT;
324 }
325
326 if (false) { // TODO: implement a test
327 hw_capabilities |= HAS_EXTRA_FLASH_MEM;
328 }
329 }
330
331
332 void SendVersion(void)
333 {
334 set_hw_capabilities();
335
336 char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
337 char VersionString[USB_CMD_DATA_SIZE] = { '\0' };
338
339 /* Try to find the bootrom version information. Expect to find a pointer at
340 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
341 * pointer, then use it.
342 */
343 char *bootrom_version = *(char**)&_bootphase1_version_pointer;
344 if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
345 strcat(VersionString, "bootrom version information appears invalid\n");
346 } else {
347 FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
348 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
349 }
350
351 FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
352 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
353
354 for (int i = 0; i < fpga_bitstream_num; i++) {
355 strncat(VersionString, fpga_version_information[i], sizeof(VersionString) - strlen(VersionString) - 1);
356 strncat(VersionString, "\n", sizeof(VersionString) - strlen(VersionString) - 1);
357 }
358
359 // test availability of SmartCard slot
360 if (I2C_is_available()) {
361 strncat(VersionString, "SmartCard Slot: available\n", sizeof(VersionString) - strlen(VersionString) - 1);
362 } else {
363 strncat(VersionString, "SmartCard Slot: not available\n", sizeof(VersionString) - strlen(VersionString) - 1);
364 }
365
366 // Send Chip ID and used flash memory
367 uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
368 uint32_t compressed_data_section_size = common_area.arg1;
369 cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, hw_capabilities, VersionString, strlen(VersionString));
370 }
371
372 // measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
373 // Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
374 void printUSBSpeed(void)
375 {
376 Dbprintf("USB Speed:");
377 Dbprintf(" Sending USB packets to client...");
378
379 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
380 uint8_t *test_data = BigBuf_get_addr();
381 uint32_t end_time;
382
383 uint32_t start_time = end_time = GetTickCount();
384 uint32_t bytes_transferred = 0;
385
386 LED_B_ON();
387 while(end_time < start_time + USB_SPEED_TEST_MIN_TIME) {
388 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE);
389 end_time = GetTickCount();
390 bytes_transferred += USB_CMD_DATA_SIZE;
391 }
392 LED_B_OFF();
393
394 Dbprintf(" Time elapsed: %dms", end_time - start_time);
395 Dbprintf(" Bytes transferred: %d", bytes_transferred);
396 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
397 1000 * bytes_transferred / (end_time - start_time));
398
399 }
400
401 /**
402 * Prints runtime information about the PM3.
403 **/
404 void SendStatus(void)
405 {
406 BigBuf_print_status();
407 Fpga_print_status();
408 #ifdef WITH_SMARTCARD
409 I2C_print_status();
410 #endif
411 printConfig(); //LF Sampling config
412 printUSBSpeed();
413 Dbprintf("Various");
414 Dbprintf(" MF_DBGLEVEL........%d", MF_DBGLEVEL);
415 Dbprintf(" ToSendMax..........%d", ToSendMax);
416 Dbprintf(" ToSendBit..........%d", ToSendBit);
417
418 cmd_send(CMD_ACK,1,0,0,0,0);
419 }
420
421 #if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF_StandAlone)
422
423 #define OPTS 2
424
425 void StandAloneMode()
426 {
427 DbpString("Stand-alone mode! No PC necessary.");
428 // Oooh pretty -- notify user we're in elite samy mode now
429 LED(LED_RED, 200);
430 LED(LED_ORANGE, 200);
431 LED(LED_GREEN, 200);
432 LED(LED_ORANGE, 200);
433 LED(LED_RED, 200);
434 LED(LED_ORANGE, 200);
435 LED(LED_GREEN, 200);
436 LED(LED_ORANGE, 200);
437 LED(LED_RED, 200);
438
439 }
440
441 #endif
442
443
444
445 #ifdef WITH_ISO14443a_StandAlone
446 void StandAloneMode14a()
447 {
448 StandAloneMode();
449 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
450
451 int selected = 0;
452 bool playing = false, GotoRecord = false, GotoClone = false;
453 bool cardRead[OPTS] = {false};
454 uint8_t readUID[10] = {0};
455 uint32_t uid_1st[OPTS]={0};
456 uint32_t uid_2nd[OPTS]={0};
457 uint32_t uid_tmp1 = 0;
458 uint32_t uid_tmp2 = 0;
459 iso14a_card_select_t hi14a_card[OPTS];
460
461 LED(selected + 1, 0);
462
463 for (;;)
464 {
465 usb_poll();
466 WDT_HIT();
467 SpinDelay(300);
468
469 if (GotoRecord || !cardRead[selected])
470 {
471 GotoRecord = false;
472 LEDsoff();
473 LED(selected + 1, 0);
474 LED(LED_RED2, 0);
475
476 // record
477 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected);
478 /* need this delay to prevent catching some weird data */
479 SpinDelay(500);
480 /* Code for reading from 14a tag */
481 uint8_t uid[10] ={0};
482 uint32_t cuid;
483 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
484
485 for ( ; ; )
486 {
487 WDT_HIT();
488 if (BUTTON_PRESS()) {
489 if (cardRead[selected]) {
490 Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
491 break;
492 }
493 else if (cardRead[(selected+1)%OPTS]) {
494 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS);
495 selected = (selected+1)%OPTS;
496 break;
497 }
498 else {
499 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
500 SpinDelay(300);
501 }
502 }
503 if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid, true, 0, true))
504 continue;
505 else
506 {
507 Dbprintf("Read UID:"); Dbhexdump(10,uid,0);
508 memcpy(readUID,uid,10*sizeof(uint8_t));
509 uint8_t *dst = (uint8_t *)&uid_tmp1;
510 // Set UID byte order
511 for (int i=0; i<4; i++)
512 dst[i] = uid[3-i];
513 dst = (uint8_t *)&uid_tmp2;
514 for (int i=0; i<4; i++)
515 dst[i] = uid[7-i];
516 if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) {
517 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
518 }
519 else {
520 if (uid_tmp2) {
521 Dbprintf("Bank[%d] received a 7-byte UID",selected);
522 uid_1st[selected] = (uid_tmp1)>>8;
523 uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8);
524 }
525 else {
526 Dbprintf("Bank[%d] received a 4-byte UID",selected);
527 uid_1st[selected] = uid_tmp1;
528 uid_2nd[selected] = uid_tmp2;
529 }
530 break;
531 }
532 }
533 }
534 Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]);
535 Dbprintf("SAK = %02X",hi14a_card[selected].sak);
536 LEDsoff();
537 LED(LED_GREEN, 200);
538 LED(LED_ORANGE, 200);
539 LED(LED_GREEN, 200);
540 LED(LED_ORANGE, 200);
541
542 LEDsoff();
543 LED(selected + 1, 0);
544
545 // Next state is replay:
546 playing = true;
547
548 cardRead[selected] = true;
549 }
550 /* MF Classic UID clone */
551 else if (GotoClone)
552 {
553 GotoClone=false;
554 LEDsoff();
555 LED(selected + 1, 0);
556 LED(LED_ORANGE, 250);
557
558
559 // record
560 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]);
561
562 // wait for button to be released
563 while(BUTTON_PRESS())
564 {
565 // Delay cloning until card is in place
566 WDT_HIT();
567 }
568 Dbprintf("Starting clone. [Bank: %u]", selected);
569 // need this delay to prevent catching some weird data
570 SpinDelay(500);
571 // Begin clone function here:
572 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
573 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}};
574 memcpy(c.d.asBytes, data, 16);
575 SendCommand(&c);
576
577 Block read is similar:
578 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}};
579 We need to imitate that call with blockNo 0 to set a uid.
580
581 The get and set commands are handled in this file:
582 // Work with "magic Chinese" card
583 case CMD_MIFARE_CSETBLOCK:
584 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
585 break;
586 case CMD_MIFARE_CGETBLOCK:
587 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
588 break;
589
590 mfCSetUID provides example logic for UID set workflow:
591 -Read block0 from card in field with MifareCGetBlock()
592 -Configure new values without replacing reserved bytes
593 memcpy(block0, uid, 4); // Copy UID bytes from byte array
594 // Mifare UID BCC
595 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
596 Bytes 5-7 are reserved SAK and ATQA for mifare classic
597 -Use mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER) to write it
598 */
599 uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0};
600 // arg0 = Flags == CSETBLOCK_SINGLE_OPER=0x1F, arg1=returnSlot, arg2=blockNo
601 MifareCGetBlock(0x3F, 1, 0, oldBlock0);
602 if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
603 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
604 playing = true;
605 }
606 else {
607 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]);
608 memcpy(newBlock0,oldBlock0,16);
609 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
610
611 newBlock0[0] = uid_1st[selected]>>24;
612 newBlock0[1] = 0xFF & (uid_1st[selected]>>16);
613 newBlock0[2] = 0xFF & (uid_1st[selected]>>8);
614 newBlock0[3] = 0xFF & (uid_1st[selected]);
615 newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3];
616 // arg0 = needWipe, arg1 = workFlags, arg2 = blockNo, datain
617 MifareCSetBlock(0, 0xFF,0, newBlock0);
618 MifareCGetBlock(0x3F, 1, 0, testBlock0);
619 if (memcmp(testBlock0,newBlock0,16)==0)
620 {
621 DbpString("Cloned successfull!");
622 cardRead[selected] = false; // Only if the card was cloned successfully should we clear it
623 playing = false;
624 GotoRecord = true;
625 selected = (selected+1) % OPTS;
626 }
627 else {
628 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
629 playing = true;
630 }
631 }
632 LEDsoff();
633 LED(selected + 1, 0);
634
635 }
636 // Change where to record (or begin playing)
637 else if (playing) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
638 {
639 LEDsoff();
640 LED(selected + 1, 0);
641
642 // Begin transmitting
643 LED(LED_GREEN, 0);
644 DbpString("Playing");
645 for ( ; ; ) {
646 WDT_HIT();
647 int button_action = BUTTON_HELD(1000);
648 if (button_action == 0) { // No button action, proceed with sim
649 uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break
650 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected);
651 if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) {
652 DbpString("Mifare Classic");
653 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data); // Mifare Classic
654 }
655 else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) {
656 DbpString("Mifare Ultralight");
657 SimulateIso14443aTag(2,uid_1st[selected],uid_2nd[selected],data); // Mifare Ultralight
658 }
659 else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) {
660 DbpString("Mifare DESFire");
661 SimulateIso14443aTag(3,uid_1st[selected],uid_2nd[selected],data); // Mifare DESFire
662 }
663 else {
664 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
665 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data);
666 }
667 }
668 else if (button_action == BUTTON_SINGLE_CLICK) {
669 selected = (selected + 1) % OPTS;
670 Dbprintf("Done playing. Switching to record mode on bank %d",selected);
671 GotoRecord = true;
672 break;
673 }
674 else if (button_action == BUTTON_HOLD) {
675 Dbprintf("Playtime over. Begin cloning...");
676 GotoClone = true;
677 break;
678 }
679 WDT_HIT();
680 }
681
682 /* We pressed a button so ignore it here with a delay */
683 SpinDelay(300);
684 LEDsoff();
685 LED(selected + 1, 0);
686 }
687 }
688 }
689 #elif WITH_LF_StandAlone
690 // samy's sniff and repeat routine
691 void SamyRun()
692 {
693 StandAloneMode();
694 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
695
696 int tops[OPTS], high[OPTS], low[OPTS];
697 int selected = 0;
698 int playing = 0;
699 int cardRead = 0;
700
701 // Turn on selected LED
702 LED(selected + 1, 0);
703
704 for (;;)
705 {
706 usb_poll();
707 WDT_HIT();
708
709 // Was our button held down or pressed?
710 int button_pressed = BUTTON_HELD(1000);
711 SpinDelay(300);
712
713 // Button was held for a second, begin recording
714 if (button_pressed > 0 && cardRead == 0)
715 {
716 LEDsoff();
717 LED(selected + 1, 0);
718 LED(LED_RED2, 0);
719
720 // record
721 DbpString("Starting recording");
722
723 // wait for button to be released
724 while(BUTTON_PRESS())
725 WDT_HIT();
726
727 /* need this delay to prevent catching some weird data */
728 SpinDelay(500);
729
730 CmdHIDdemodFSK(1, &tops[selected], &high[selected], &low[selected], 0);
731 if (tops[selected] > 0)
732 Dbprintf("Recorded %x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
733 else
734 Dbprintf("Recorded %x %x%08x", selected, high[selected], low[selected]);
735
736 LEDsoff();
737 LED(selected + 1, 0);
738 // Finished recording
739
740 // If we were previously playing, set playing off
741 // so next button push begins playing what we recorded
742 playing = 0;
743
744 cardRead = 1;
745
746 }
747
748 else if (button_pressed > 0 && cardRead == 1)
749 {
750 LEDsoff();
751 LED(selected + 1, 0);
752 LED(LED_ORANGE, 0);
753
754 // record
755 if (tops[selected] > 0)
756 Dbprintf("Cloning %x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
757 else
758 Dbprintf("Cloning %x %x%08x", selected, high[selected], low[selected]);
759
760 // wait for button to be released
761 while(BUTTON_PRESS())
762 WDT_HIT();
763
764 /* need this delay to prevent catching some weird data */
765 SpinDelay(500);
766
767 CopyHIDtoT55x7(tops[selected] & 0x000FFFFF, high[selected], low[selected], (tops[selected] != 0 && ((high[selected]& 0xFFFFFFC0) != 0)), 0x1D);
768 if (tops[selected] > 0)
769 Dbprintf("Cloned %x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
770 else
771 Dbprintf("Cloned %x %x%08x", selected, high[selected], low[selected]);
772
773 LEDsoff();
774 LED(selected + 1, 0);
775 // Finished recording
776
777 // If we were previously playing, set playing off
778 // so next button push begins playing what we recorded
779 playing = 0;
780
781 cardRead = 0;
782
783 }
784
785 // Change where to record (or begin playing)
786 else if (button_pressed)
787 {
788 // Next option if we were previously playing
789 if (playing)
790 selected = (selected + 1) % OPTS;
791 playing = !playing;
792
793 LEDsoff();
794 LED(selected + 1, 0);
795
796 // Begin transmitting
797 if (playing)
798 {
799 LED(LED_GREEN, 0);
800 DbpString("Playing");
801 // wait for button to be released
802 while(BUTTON_PRESS())
803 WDT_HIT();
804 if (tops[selected] > 0)
805 Dbprintf("%x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
806 else
807 Dbprintf("%x %x%08x", selected, high[selected], low[selected]);
808
809 CmdHIDsimTAG(tops[selected], high[selected], low[selected], 0);
810 DbpString("Done playing");
811 if (BUTTON_HELD(1000) > 0)
812 {
813 DbpString("Exiting");
814 LEDsoff();
815 return;
816 }
817
818 /* We pressed a button so ignore it here with a delay */
819 SpinDelay(300);
820
821 // when done, we're done playing, move to next option
822 selected = (selected + 1) % OPTS;
823 playing = !playing;
824 LEDsoff();
825 LED(selected + 1, 0);
826 }
827 else
828 while(BUTTON_PRESS())
829 WDT_HIT();
830 }
831 }
832 }
833
834 #endif
835 /*
836 OBJECTIVE
837 Listen and detect an external reader. Determine the best location
838 for the antenna.
839
840 INSTRUCTIONS:
841 Inside the ListenReaderField() function, there is two mode.
842 By default, when you call the function, you will enter mode 1.
843 If you press the PM3 button one time, you will enter mode 2.
844 If you press the PM3 button a second time, you will exit the function.
845
846 DESCRIPTION OF MODE 1:
847 This mode just listens for an external reader field and lights up green
848 for HF and/or red for LF. This is the original mode of the detectreader
849 function.
850
851 DESCRIPTION OF MODE 2:
852 This mode will visually represent, using the LEDs, the actual strength of the
853 current compared to the maximum current detected. Basically, once you know
854 what kind of external reader is present, it will help you spot the best location to place
855 your antenna. You will probably not get some good results if there is a LF and a HF reader
856 at the same place! :-)
857
858 LIGHT SCHEME USED:
859 */
860 static const char LIGHT_SCHEME[] = {
861 0x0, /* ---- | No field detected */
862 0x1, /* X--- | 14% of maximum current detected */
863 0x2, /* -X-- | 29% of maximum current detected */
864 0x4, /* --X- | 43% of maximum current detected */
865 0x8, /* ---X | 57% of maximum current detected */
866 0xC, /* --XX | 71% of maximum current detected */
867 0xE, /* -XXX | 86% of maximum current detected */
868 0xF, /* XXXX | 100% of maximum current detected */
869 };
870 static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
871
872 void ListenReaderField(int limit)
873 {
874 int lf_av, lf_av_new=0, lf_baseline= 0, lf_max;
875 int hf_av, hf_av_new=0, hf_baseline= 0, hf_max;
876 int mode=1, display_val, display_max, i;
877
878 #define LF_ONLY 1
879 #define HF_ONLY 2
880 #define REPORT_CHANGE_PERCENT 5 // report new values only if they have changed at least by REPORT_CHANGE_PERCENT
881 #define MIN_HF_FIELD 300 // in mode 1 signal HF field greater than MIN_HF_FIELD above baseline
882 #define MIN_LF_FIELD 1200 // in mode 1 signal LF field greater than MIN_LF_FIELD above baseline
883
884
885 // switch off FPGA - we don't want to measure our own signal
886 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
887 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
888
889 LEDsoff();
890
891 lf_av = lf_max = AvgAdc_Voltage_LF();
892
893 if(limit != HF_ONLY) {
894 Dbprintf("LF 125/134kHz Baseline: %dmV", lf_av);
895 lf_baseline = lf_av;
896 }
897
898 hf_av = hf_max = AvgAdc_Voltage_HF();
899
900 if (limit != LF_ONLY) {
901 Dbprintf("HF 13.56MHz Baseline: %dmV", hf_av);
902 hf_baseline = hf_av;
903 }
904
905 for(;;) {
906 SpinDelay(500);
907 if (BUTTON_PRESS()) {
908 switch (mode) {
909 case 1:
910 mode=2;
911 DbpString("Signal Strength Mode");
912 break;
913 case 2:
914 default:
915 DbpString("Stopped");
916 LEDsoff();
917 return;
918 break;
919 }
920 while (BUTTON_PRESS());
921 }
922 WDT_HIT();
923
924 if (limit != HF_ONLY) {
925 if(mode == 1) {
926 if (lf_av - lf_baseline > MIN_LF_FIELD)
927 LED_D_ON();
928 else
929 LED_D_OFF();
930 }
931
932 lf_av_new = AvgAdc_Voltage_LF();
933 // see if there's a significant change
934 if (ABS((lf_av - lf_av_new)*100/(lf_av?lf_av:1)) > REPORT_CHANGE_PERCENT) {
935 Dbprintf("LF 125/134kHz Field Change: %5dmV", lf_av_new);
936 lf_av = lf_av_new;
937 if (lf_av > lf_max)
938 lf_max = lf_av;
939 }
940 }
941
942 if (limit != LF_ONLY) {
943 if (mode == 1){
944 if (hf_av - hf_baseline > MIN_HF_FIELD)
945 LED_B_ON();
946 else
947 LED_B_OFF();
948 }
949
950 hf_av_new = AvgAdc_Voltage_HF();
951
952 // see if there's a significant change
953 if (ABS((hf_av - hf_av_new)*100/(hf_av?hf_av:1)) > REPORT_CHANGE_PERCENT) {
954 Dbprintf("HF 13.56MHz Field Change: %5dmV", hf_av_new);
955 hf_av = hf_av_new;
956 if (hf_av > hf_max)
957 hf_max = hf_av;
958 }
959 }
960
961 if(mode == 2) {
962 if (limit == LF_ONLY) {
963 display_val = lf_av;
964 display_max = lf_max;
965 } else if (limit == HF_ONLY) {
966 display_val = hf_av;
967 display_max = hf_max;
968 } else { /* Pick one at random */
969 if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
970 display_val = hf_av;
971 display_max = hf_max;
972 } else {
973 display_val = lf_av;
974 display_max = lf_max;
975 }
976 }
977 for (i=0; i<LIGHT_LEN; i++) {
978 if (display_val >= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) {
979 if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF();
980 if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF();
981 if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF();
982 if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF();
983 break;
984 }
985 }
986 }
987 }
988 }
989
990 void UsbPacketReceived(uint8_t *packet, int len)
991 {
992 UsbCommand *c = (UsbCommand *)packet;
993
994 // Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
995
996 switch(c->cmd) {
997 #ifdef WITH_LF
998 case CMD_SET_LF_SAMPLING_CONFIG:
999 setSamplingConfig((sample_config *) c->d.asBytes);
1000 break;
1001 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
1002 cmd_send(CMD_ACK,SampleLF(c->arg[0], c->arg[1]),0,0,0,0);
1003 break;
1004 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
1005 ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1006 break;
1007 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
1008 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
1009 break;
1010 case CMD_HID_DEMOD_FSK:
1011 CmdHIDdemodFSK(c->arg[0], 0, 0, 0, 1);
1012 break;
1013 case CMD_HID_SIM_TAG:
1014 CmdHIDsimTAG(c->arg[0], c->arg[1], c->arg[2], 1);
1015 break;
1016 case CMD_FSK_SIM_TAG:
1017 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1018 break;
1019 case CMD_ASK_SIM_TAG:
1020 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1021 break;
1022 case CMD_PSK_SIM_TAG:
1023 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1024 break;
1025 case CMD_HID_CLONE_TAG:
1026 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0], 0x1D);
1027 break;
1028 case CMD_PARADOX_CLONE_TAG:
1029 // Paradox cards are the same as HID, with a different preamble, so we can reuse the same function
1030 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0], 0x0F);
1031 break;
1032 case CMD_IO_DEMOD_FSK:
1033 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
1034 break;
1035 case CMD_IO_CLONE_TAG:
1036 CopyIOtoT55x7(c->arg[0], c->arg[1]);
1037 break;
1038 case CMD_EM410X_DEMOD:
1039 CmdEM410xdemod(c->arg[0], 0, 0, 1);
1040 break;
1041 case CMD_EM410X_WRITE_TAG:
1042 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
1043 break;
1044 case CMD_READ_TI_TYPE:
1045 ReadTItag();
1046 break;
1047 case CMD_WRITE_TI_TYPE:
1048 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
1049 break;
1050 case CMD_SIMULATE_TAG_125K:
1051 LED_A_ON();
1052 SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
1053 LED_A_OFF();
1054 break;
1055 case CMD_LF_SIMULATE_BIDIR:
1056 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
1057 break;
1058 case CMD_INDALA_CLONE_TAG:
1059 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
1060 break;
1061 case CMD_INDALA_CLONE_TAG_L:
1062 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
1063 break;
1064 case CMD_T55XX_READ_BLOCK:
1065 T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
1066 break;
1067 case CMD_T55XX_WRITE_BLOCK:
1068 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
1069 break;
1070 case CMD_T55XX_WAKEUP:
1071 T55xxWakeUp(c->arg[0]);
1072 break;
1073 case CMD_T55XX_RESET_READ:
1074 T55xxResetRead();
1075 break;
1076 case CMD_PCF7931_READ:
1077 ReadPCF7931();
1078 break;
1079 case CMD_PCF7931_WRITE:
1080 WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
1081 break;
1082 case CMD_PCF7931_BRUTEFORCE:
1083 BruteForcePCF7931(c->arg[0], (c->arg[1] & 0xFF), c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128);
1084 break;
1085 case CMD_EM4X_READ_WORD:
1086 EM4xReadWord(c->arg[0], c->arg[1],c->arg[2]);
1087 break;
1088 case CMD_EM4X_WRITE_WORD:
1089 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]);
1090 break;
1091 case CMD_EM4X_PROTECT:
1092 EM4xProtect(c->arg[0], c->arg[1], c->arg[2]);
1093 break;
1094 case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
1095 CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
1096 break;
1097 case CMD_VIKING_CLONE_TAG:
1098 CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
1099 break;
1100 case CMD_COTAG:
1101 Cotag(c->arg[0]);
1102 break;
1103 #endif
1104
1105 #ifdef WITH_HITAG
1106 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
1107 SnoopHitag(c->arg[0]);
1108 break;
1109 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
1110 SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1111 break;
1112 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
1113 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1114 break;
1115 case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content
1116 SimulateHitagSTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1117 break;
1118 case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file
1119 check_challenges_cmd((bool)c->arg[0], (byte_t*)c->d.asBytes, (uint8_t)c->arg[1]);
1120 break;
1121 case CMD_READ_HITAG_S://Reader for only Hitag S tags, args = key or challenge
1122 ReadHitagSCmd((hitag_function)c->arg[0], (hitag_data*)c->d.asBytes, (uint8_t)c->arg[1], (uint8_t)c->arg[2], false);
1123 break;
1124 case CMD_READ_HITAG_S_BLK:
1125 ReadHitagSCmd((hitag_function)c->arg[0], (hitag_data*)c->d.asBytes, (uint8_t)c->arg[1], (uint8_t)c->arg[2], true);
1126 break;
1127 case CMD_WR_HITAG_S://writer for Hitag tags args=data to write,page and key or challenge
1128 if ((hitag_function)c->arg[0] < 10) {
1129 WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]);
1130 }
1131 else if ((hitag_function)c->arg[0] >= 10) {
1132 WriterHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes, c->arg[2]);
1133 }
1134 break;
1135 #endif
1136
1137 #ifdef WITH_ISO15693
1138 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
1139 AcquireRawAdcSamplesIso15693();
1140 break;
1141
1142 case CMD_SNOOP_ISO_15693:
1143 SnoopIso15693();
1144 break;
1145
1146 case CMD_ISO_15693_COMMAND:
1147 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1148 break;
1149
1150 case CMD_ISO_15693_FIND_AFI:
1151 BruteforceIso15693Afi(c->arg[0]);
1152 break;
1153
1154 case CMD_ISO_15693_DEBUG:
1155 SetDebugIso15693(c->arg[0]);
1156 break;
1157
1158 case CMD_READER_ISO_15693:
1159 ReaderIso15693(c->arg[0]);
1160 break;
1161 case CMD_SIMTAG_ISO_15693:
1162 SimTagIso15693(c->arg[0], c->d.asBytes);
1163 break;
1164 #endif
1165
1166 #ifdef WITH_LEGICRF
1167 case CMD_SIMULATE_TAG_LEGIC_RF:
1168 LegicRfSimulate(c->arg[0]);
1169 break;
1170
1171 case CMD_WRITER_LEGIC_RF:
1172 LegicRfWriter(c->arg[1], c->arg[0]);
1173 break;
1174
1175 case CMD_READER_LEGIC_RF:
1176 LegicRfReader(c->arg[0], c->arg[1]);
1177 break;
1178 #endif
1179
1180 #ifdef WITH_ISO14443b
1181 case CMD_READ_SRI512_TAG:
1182 ReadSTMemoryIso14443b(0x0F);
1183 break;
1184 case CMD_READ_SRIX4K_TAG:
1185 ReadSTMemoryIso14443b(0x7F);
1186 break;
1187 case CMD_SNOOP_ISO_14443B:
1188 SnoopIso14443b();
1189 break;
1190 case CMD_SIMULATE_TAG_ISO_14443B:
1191 SimulateIso14443bTag();
1192 break;
1193 case CMD_ISO_14443B_COMMAND:
1194 SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1195 break;
1196 #endif
1197
1198 #ifdef WITH_ISO14443a
1199 case CMD_SNOOP_ISO_14443a:
1200 SnoopIso14443a(c->arg[0]);
1201 break;
1202 case CMD_READER_ISO_14443a:
1203 ReaderIso14443a(c);
1204 break;
1205 case CMD_SIMULATE_TAG_ISO_14443a:
1206 SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
1207 break;
1208
1209 case CMD_EPA_PACE_COLLECT_NONCE:
1210 EPA_PACE_Collect_Nonce(c);
1211 break;
1212 case CMD_EPA_PACE_REPLAY:
1213 EPA_PACE_Replay(c);
1214 break;
1215
1216 case CMD_READER_MIFARE:
1217 ReaderMifare(c->arg[0]);
1218 break;
1219 case CMD_MIFARE_READBL:
1220 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1221 break;
1222 case CMD_MIFAREU_READBL:
1223 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
1224 break;
1225 case CMD_MIFAREUC_AUTH:
1226 MifareUC_Auth(c->arg[0],c->d.asBytes);
1227 break;
1228 case CMD_MIFAREU_READCARD:
1229 MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1230 break;
1231 case CMD_MIFAREUC_SETPWD:
1232 MifareUSetPwd(c->arg[0], c->d.asBytes);
1233 break;
1234 case CMD_MIFARE_READSC:
1235 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1236 break;
1237 case CMD_MIFARE_WRITEBL:
1238 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1239 break;
1240 //case CMD_MIFAREU_WRITEBL_COMPAT:
1241 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1242 //break;
1243 case CMD_MIFAREU_WRITEBL:
1244 MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
1245 break;
1246 case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES:
1247 MifareAcquireEncryptedNonces(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1248 break;
1249 case CMD_MIFARE_NESTED:
1250 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1251 break;
1252 case CMD_MIFARE_CHKKEYS:
1253 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1254 break;
1255 case CMD_SIMULATE_MIFARE_CARD:
1256 MifareSim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1257 break;
1258
1259 // emulator
1260 case CMD_MIFARE_SET_DBGMODE:
1261 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1262 break;
1263 case CMD_MIFARE_EML_MEMCLR:
1264 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1265 break;
1266 case CMD_MIFARE_EML_MEMSET:
1267 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1268 break;
1269 case CMD_MIFARE_EML_MEMGET:
1270 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1271 break;
1272 case CMD_MIFARE_EML_CARDLOAD:
1273 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1274 break;
1275
1276 // Work with "magic Chinese" card
1277 case CMD_MIFARE_CWIPE:
1278 MifareCWipe(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1279 break;
1280 case CMD_MIFARE_CSETBLOCK:
1281 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1282 break;
1283 case CMD_MIFARE_CGETBLOCK:
1284 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1285 break;
1286 case CMD_MIFARE_CIDENT:
1287 MifareCIdent();
1288 break;
1289
1290 // mifare sniffer
1291 case CMD_MIFARE_SNIFFER:
1292 SniffMifare(c->arg[0]);
1293 break;
1294
1295 #endif
1296
1297 #ifdef WITH_ICLASS
1298 // Makes use of ISO14443a FPGA Firmware
1299 case CMD_SNOOP_ICLASS:
1300 SnoopIClass();
1301 break;
1302 case CMD_SIMULATE_TAG_ICLASS:
1303 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1304 break;
1305 case CMD_READER_ICLASS:
1306 ReaderIClass(c->arg[0]);
1307 break;
1308 case CMD_READER_ICLASS_REPLAY:
1309 ReaderIClass_Replay(c->arg[0], c->d.asBytes);
1310 break;
1311 case CMD_ICLASS_EML_MEMSET:
1312 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
1313 break;
1314 case CMD_ICLASS_WRITEBLOCK:
1315 iClass_WriteBlock(c->arg[0], c->d.asBytes);
1316 break;
1317 case CMD_ICLASS_READCHECK: // auth step 1
1318 iClass_ReadCheck(c->arg[0], c->arg[1]);
1319 break;
1320 case CMD_ICLASS_READBLOCK:
1321 iClass_ReadBlk(c->arg[0]);
1322 break;
1323 case CMD_ICLASS_AUTHENTICATION: //check
1324 iClass_Authentication(c->d.asBytes);
1325 break;
1326 case CMD_ICLASS_DUMP:
1327 iClass_Dump(c->arg[0], c->arg[1]);
1328 break;
1329 case CMD_ICLASS_CLONE:
1330 iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
1331 break;
1332 #endif
1333
1334 #ifdef WITH_HFSNOOP
1335 case CMD_HF_SNIFFER:
1336 HfSnoop(c->arg[0], c->arg[1]);
1337 break;
1338 case CMD_HF_PLOT:
1339 HfPlot();
1340 break;
1341 #endif
1342
1343 #ifdef WITH_SMARTCARD
1344 case CMD_SMART_ATR: {
1345 SmartCardAtr();
1346 break;
1347 }
1348 case CMD_SMART_SETCLOCK:{
1349 SmartCardSetClock(c->arg[0]);
1350 break;
1351 }
1352 case CMD_SMART_RAW: {
1353 SmartCardRaw(c->arg[0], c->arg[1], c->d.asBytes);
1354 break;
1355 }
1356 case CMD_SMART_UPLOAD: {
1357 // upload file from client
1358 uint8_t *mem = BigBuf_get_addr();
1359 memcpy( mem + c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1360 cmd_send(CMD_ACK,1,0,0,0,0);
1361 break;
1362 }
1363 case CMD_SMART_UPGRADE: {
1364 SmartCardUpgrade(c->arg[0]);
1365 break;
1366 }
1367 #endif
1368
1369 case CMD_BUFF_CLEAR:
1370 BigBuf_Clear();
1371 break;
1372
1373 case CMD_MEASURE_ANTENNA_TUNING:
1374 MeasureAntennaTuning(c->arg[0]);
1375 break;
1376
1377 case CMD_MEASURE_ANTENNA_TUNING_HF:
1378 MeasureAntennaTuningHf();
1379 break;
1380
1381 case CMD_LISTEN_READER_FIELD:
1382 ListenReaderField(c->arg[0]);
1383 break;
1384
1385 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
1386 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1387 SpinDelay(200);
1388 LED_D_OFF(); // LED D indicates field ON or OFF
1389 break;
1390
1391 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K:
1392 LED_B_ON();
1393 uint8_t *BigBuf = BigBuf_get_addr();
1394 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
1395 size_t len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
1396 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
1397 }
1398 // Trigger a finish downloading signal with an ACK frame
1399 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
1400 LED_B_OFF();
1401 break;
1402
1403 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
1404 // iceman; since changing fpga_bitstreams clears bigbuff, Its better to call it before.
1405 // to be able to use this one for uploading data to device
1406 // arg1 = 0 upload for LF usage
1407 // 1 upload for HF usage
1408 if (c->arg[1] == 0)
1409 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1410 else
1411 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1412
1413 uint8_t *b = BigBuf_get_addr();
1414 memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1415 cmd_send(CMD_ACK,0,0,0,0,0);
1416 break;
1417 }
1418 case CMD_READ_MEM:
1419 ReadMem(c->arg[0]);
1420 break;
1421
1422 case CMD_SET_LF_DIVISOR:
1423 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1424 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
1425 break;
1426
1427 case CMD_SET_ADC_MUX:
1428 switch(c->arg[0]) {
1429 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1430 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1431 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1432 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1433 }
1434 break;
1435
1436 case CMD_VERSION:
1437 SendVersion();
1438 break;
1439 case CMD_STATUS:
1440 SendStatus();
1441 break;
1442 case CMD_PING:
1443 cmd_send(CMD_ACK,0,0,0,0,0);
1444 break;
1445 #ifdef WITH_LCD
1446 case CMD_LCD_RESET:
1447 LCDReset();
1448 break;
1449 case CMD_LCD:
1450 LCDSend(c->arg[0]);
1451 break;
1452 #endif
1453 case CMD_SETUP_WRITE:
1454 case CMD_FINISH_WRITE:
1455 case CMD_HARDWARE_RESET:
1456 usb_disable();
1457 SpinDelay(1000);
1458 SpinDelay(1000);
1459 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1460 for(;;) {
1461 // We're going to reset, and the bootrom will take control.
1462 }
1463 break;
1464
1465 case CMD_START_FLASH:
1466 if(common_area.flags.bootrom_present) {
1467 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1468 }
1469 usb_disable();
1470 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1471 for(;;);
1472 break;
1473
1474 case CMD_DEVICE_INFO: {
1475 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1476 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1477 cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1478 break;
1479 }
1480 default:
1481 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1482 break;
1483 }
1484 }
1485
1486 void __attribute__((noreturn)) AppMain(void)
1487 {
1488 SpinDelay(100);
1489 clear_trace();
1490 if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
1491 /* Initialize common area */
1492 memset(&common_area, 0, sizeof(common_area));
1493 common_area.magic = COMMON_AREA_MAGIC;
1494 common_area.version = 1;
1495 }
1496 common_area.flags.osimage_present = 1;
1497
1498 LEDsoff();
1499
1500 // Init USB device
1501 usb_enable();
1502
1503 // The FPGA gets its clock from us from PCK0 output, so set that up.
1504 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
1505 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
1506 AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
1507 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1508 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
1509 AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
1510 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
1511
1512 // Reset SPI
1513 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
1514 // Reset SSC
1515 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
1516
1517 // Load the FPGA image, which we have stored in our flash.
1518 // (the HF version by default)
1519 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1520
1521 StartTickCount();
1522
1523 #ifdef WITH_LCD
1524 LCDInit();
1525 #endif
1526
1527 byte_t rx[sizeof(UsbCommand)];
1528 size_t rx_len;
1529
1530 for(;;) {
1531 if (usb_poll()) {
1532 rx_len = usb_read(rx,sizeof(UsbCommand));
1533 if (rx_len) {
1534 UsbPacketReceived(rx,rx_len);
1535 }
1536 }
1537 WDT_HIT();
1538
1539 #ifdef WITH_LF_StandAlone
1540 #ifndef WITH_ISO14443a_StandAlone
1541 if (BUTTON_HELD(1000) > 0)
1542 SamyRun();
1543 #endif
1544 #endif
1545 #ifdef WITH_ISO14443a
1546 #ifdef WITH_ISO14443a_StandAlone
1547 if (BUTTON_HELD(1000) > 0)
1548 StandAloneMode14a();
1549 #endif
1550 #endif
1551 }
1552 }
Impressum, Datenschutz