]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/appmain.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Cleanup armsrc/string.c and string.h (#964)
[proxmark3-svn] / armsrc / appmain.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, Mar 2006
3 // Edits by Gerhard de Koning Gans, Sep 2007 (##)
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // The main application code. This is the first thing called after start.c
10 // executes.
11 //-----------------------------------------------------------------------------
12
13 #include <stdarg.h>
14
15 #include "usb_cdc.h"
16 #include "proxmark3.h"
17 #include "apps.h"
18 #include "fpga.h"
19 #include "util.h"
20 #include "printf.h"
21 #include "string.h"
22 #include "legicrf.h"
23 #include "legicrfsim.h"
24 #include "hitag2.h"
25 #include "hitagS.h"
26 #include "iclass.h"
27 #include "iso14443b.h"
28 #include "iso15693.h"
29 #include "lfsampling.h"
30 #include "BigBuf.h"
31 #include "mifarecmd.h"
32 #include "mifareutil.h"
33 #include "mifaresim.h"
34 #include "pcf7931.h"
35 #include "i2c.h"
36 #include "hfsnoop.h"
37 #include "fpgaloader.h"
38 #ifdef WITH_LCD
39 #include "LCD.h"
40 #endif
41
42 static uint32_t hw_capabilities;
43
44 // Craig Young - 14a stand-alone code
45 #ifdef WITH_ISO14443a
46 #include "iso14443a.h"
47 #endif
48
49 //=============================================================================
50 // A buffer where we can queue things up to be sent through the FPGA, for
51 // any purpose (fake tag, as reader, whatever). We go MSB first, since that
52 // is the order in which they go out on the wire.
53 //=============================================================================
54
55 #define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
56 uint8_t ToSend[TOSEND_BUFFER_SIZE];
57 int ToSendMax;
58 static int ToSendBit;
59 struct common_area common_area __attribute__((section(".commonarea")));
60
61 void ToSendReset(void) {
62 ToSendMax = -1;
63 ToSendBit = 8;
64 }
65
66 void ToSendStuffBit(int b) {
67 if (ToSendBit >= 8) {
68 ToSendMax++;
69 ToSend[ToSendMax] = 0;
70 ToSendBit = 0;
71 }
72
73 if (b) {
74 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
75 }
76
77 ToSendBit++;
78
79 if (ToSendMax >= sizeof(ToSend)) {
80 ToSendBit = 0;
81 DbpString("ToSendStuffBit overflowed!");
82 }
83 }
84
85 //=============================================================================
86 // Debug print functions, to go out over USB, to the usual PC-side client.
87 //=============================================================================
88
89 void DbpString(char *str) {
90 uint8_t len = strlen(str);
91 cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(uint8_t*)str,len);
92 }
93
94 void Dbprintf(const char *fmt, ...) {
95 // should probably limit size here; oh well, let's just use a big buffer
96 char output_string[128];
97 va_list ap;
98
99 va_start(ap, fmt);
100 kvsprintf(fmt, output_string, 10, ap);
101 va_end(ap);
102
103 DbpString(output_string);
104 }
105
106 // prints HEX & ASCII
107 void Dbhexdump(int len, uint8_t *d, bool bAsci) {
108 int l=0,i;
109 char ascii[9];
110
111 while (len>0) {
112 if (len>8) l=8;
113 else l=len;
114
115 memcpy(ascii,d,l);
116 ascii[l]=0;
117
118 // filter safe ascii
119 for (i = 0; i < l; i++)
120 if (ascii[i]<32 || ascii[i]>126) ascii[i] = '.';
121
122 if (bAsci) {
123 Dbprintf("%-8s %*D",ascii, l, d, " ");
124 } else {
125 Dbprintf("%*D", l, d, " ");
126 }
127
128 len -= 8;
129 d += 8;
130 }
131 }
132
133 //-----------------------------------------------------------------------------
134 // Read an ADC channel and block till it completes, then return the result
135 // in ADC units (0 to 1023). Also a routine to average 32 samples and
136 // return that.
137 //-----------------------------------------------------------------------------
138 static int ReadAdc(int ch) {
139 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
140 // AMPL_HI is a high impedance (10MOhm || 1MOhm) output, the input capacitance of the ADC is 12pF (typical). This results in a time constant
141 // of RC = (0.91MOhm) * 12pF = 10.9us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
142 //
143 // The maths are:
144 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
145 //
146 // v_cap = v_in * (1 - exp(-SHTIM/RC)) = v_in * (1 - exp(-40us/10.9us)) = v_in * 0,97 (i.e. an error of 3%)
147
148 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
149 AT91C_BASE_ADC->ADC_MR =
150 ADC_MODE_PRESCALE(63) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
151 ADC_MODE_STARTUP_TIME(1) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
152 ADC_MODE_SAMPLE_HOLD_TIME(15); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
153
154 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
155 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
156
157 while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch))) {};
158
159 return AT91C_BASE_ADC->ADC_CDR[ch] & 0x3ff;
160 }
161
162 int AvgAdc(int ch) { // was static - merlok{
163 int i;
164 int a = 0;
165
166 for(i = 0; i < 32; i++) {
167 a += ReadAdc(ch);
168 }
169
170 return (a + 15) >> 5;
171 }
172
173 static int AvgAdc_Voltage_HF(void) {
174 int AvgAdc_Voltage_Low, AvgAdc_Voltage_High;
175
176 AvgAdc_Voltage_Low= (MAX_ADC_HF_VOLTAGE_LOW * AvgAdc(ADC_CHAN_HF_LOW)) >> 10;
177 // if voltage range is about to be exceeded, use high voltage ADC channel if available (RDV40 only)
178 if (AvgAdc_Voltage_Low > MAX_ADC_HF_VOLTAGE_LOW - 300) {
179 AvgAdc_Voltage_High = (MAX_ADC_HF_VOLTAGE_HIGH * AvgAdc(ADC_CHAN_HF_HIGH)) >> 10;
180 if (AvgAdc_Voltage_High >= AvgAdc_Voltage_Low) {
181 return AvgAdc_Voltage_High;
182 }
183 }
184 return AvgAdc_Voltage_Low;
185 }
186
187 static int AvgAdc_Voltage_LF(void) {
188 return (MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10;
189 }
190
191 void MeasureAntennaTuningLfOnly(int *vLf125, int *vLf134, int *peakf, int *peakv, uint8_t LF_Results[]) {
192 int i, adcval = 0, peak = 0;
193
194 /*
195 * Sweeps the useful LF range of the proxmark from
196 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
197 * read the voltage in the antenna, the result left
198 * in the buffer is a graph which should clearly show
199 * the resonating frequency of your LF antenna
200 * ( hopefully around 95 if it is tuned to 125kHz!)
201 */
202
203 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
204 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
205 SpinDelay(50);
206
207 for (i = 255; i >= 19; i--) {
208 WDT_HIT();
209 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
210 SpinDelay(20);
211 adcval = AvgAdc_Voltage_LF();
212 if (i == 95) *vLf125 = adcval; // voltage at 125Khz
213 if (i == 89) *vLf134 = adcval; // voltage at 134Khz
214
215 LF_Results[i] = adcval >> 9; // scale int to fit in byte for graphing purposes
216 if (LF_Results[i] > peak) {
217 *peakv = adcval;
218 peak = LF_Results[i];
219 *peakf = i;
220 //ptr = i;
221 }
222 }
223
224 for (i = 18; i >= 0; i--) LF_Results[i] = 0;
225
226 return;
227 }
228
229 void MeasureAntennaTuningHfOnly(int *vHf) {
230 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
231 LED_A_ON();
232 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
233 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
234 SpinDelay(20);
235 *vHf = AvgAdc_Voltage_HF();
236 LED_A_OFF();
237 return;
238 }
239
240 void MeasureAntennaTuning(int mode) {
241 uint8_t LF_Results[256] = {0};
242 int peakv = 0, peakf = 0;
243 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
244
245 LED_B_ON();
246
247 if (((mode & FLAG_TUNE_ALL) == FLAG_TUNE_ALL) && (FpgaGetCurrent() == FPGA_BITSTREAM_HF)) {
248 // Reverse "standard" order if HF already loaded, to avoid unnecessary swap.
249 MeasureAntennaTuningHfOnly(&vHf);
250 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
251 } else {
252 if (mode & FLAG_TUNE_LF) {
253 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
254 }
255 if (mode & FLAG_TUNE_HF) {
256 MeasureAntennaTuningHfOnly(&vHf);
257 }
258 }
259
260 cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125>>1 | (vLf134>>1<<16), vHf, peakf | (peakv>>1<<16), LF_Results, 256);
261 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
262 LED_B_OFF();
263 return;
264 }
265
266 void MeasureAntennaTuningHf(void) {
267 int vHf = 0; // in mV
268
269 DbpString("Measuring HF antenna, press button to exit");
270
271 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
272 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
273 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
274
275 for (;;) {
276 SpinDelay(500);
277 vHf = AvgAdc_Voltage_HF();
278
279 Dbprintf("%d mV",vHf);
280 if (BUTTON_PRESS()) break;
281 }
282 DbpString("cancelled");
283
284 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
285
286 }
287
288
289 void ReadMem(int addr) {
290 const uint8_t *data = ((uint8_t *)addr);
291
292 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
293 addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
294 }
295
296 /* osimage version information is linked in */
297 extern struct version_information version_information;
298 /* bootrom version information is pointed to from _bootphase1_version_pointer */
299 extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
300
301
302 void set_hw_capabilities(void) {
303 if (I2C_is_available()) {
304 hw_capabilities |= HAS_SMARTCARD_SLOT;
305 }
306
307 if (false) { // TODO: implement a test
308 hw_capabilities |= HAS_EXTRA_FLASH_MEM;
309 }
310 }
311
312
313 void SendVersion(void) {
314 LED_A_ON();
315 set_hw_capabilities();
316
317 char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
318 char VersionString[USB_CMD_DATA_SIZE] = { '\0' };
319
320 /* Try to find the bootrom version information. Expect to find a pointer at
321 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
322 * pointer, then use it.
323 */
324 char *bootrom_version = *(char**)&_bootphase1_version_pointer;
325 if (bootrom_version < &_flash_start || bootrom_version >= &_flash_end) {
326 strcat(VersionString, "bootrom version information appears invalid\n");
327 } else {
328 FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
329 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
330 }
331
332 FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
333 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
334
335 for (int i = 0; i < fpga_bitstream_num; i++) {
336 strncat(VersionString, fpga_version_information[i], sizeof(VersionString) - strlen(VersionString) - 1);
337 strncat(VersionString, "\n", sizeof(VersionString) - strlen(VersionString) - 1);
338 }
339
340 // test availability of SmartCard slot
341 if (I2C_is_available()) {
342 strncat(VersionString, "SmartCard Slot: available\n", sizeof(VersionString) - strlen(VersionString) - 1);
343 } else {
344 strncat(VersionString, "SmartCard Slot: not available\n", sizeof(VersionString) - strlen(VersionString) - 1);
345 }
346
347 // Send Chip ID and used flash memory
348 uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
349 uint32_t compressed_data_section_size = common_area.arg1;
350 cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, hw_capabilities, VersionString, strlen(VersionString) + 1);
351 LED_A_OFF();
352 }
353
354 // measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
355 // Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
356 void printUSBSpeed(void) {
357 Dbprintf("USB Speed:");
358 Dbprintf(" Sending USB packets to client...");
359
360 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
361 uint8_t *test_data = BigBuf_get_addr();
362 uint32_t end_time;
363
364 uint32_t start_time = end_time = GetTickCount();
365 uint32_t bytes_transferred = 0;
366
367 while (end_time < start_time + USB_SPEED_TEST_MIN_TIME) {
368 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE);
369 end_time = GetTickCount();
370 bytes_transferred += USB_CMD_DATA_SIZE;
371 }
372
373 Dbprintf(" Time elapsed: %dms", end_time - start_time);
374 Dbprintf(" Bytes transferred: %d", bytes_transferred);
375 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
376 1000 * bytes_transferred / (end_time - start_time));
377
378 }
379
380 /**
381 * Prints runtime information about the PM3.
382 **/
383 void SendStatus(void) {
384 LED_A_ON();
385 BigBuf_print_status();
386 Fpga_print_status();
387 #ifdef WITH_SMARTCARD
388 I2C_print_status();
389 #endif
390 printConfig(); //LF Sampling config
391 printUSBSpeed();
392 Dbprintf("Various");
393 Dbprintf(" MF_DBGLEVEL........%d", MF_DBGLEVEL);
394 Dbprintf(" ToSendMax..........%d", ToSendMax);
395 Dbprintf(" ToSendBit..........%d", ToSendBit);
396
397 cmd_send(CMD_ACK, 1, 0, 0, 0, 0);
398 LED_A_OFF();
399 }
400
401 #if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF_StandAlone)
402
403 #define OPTS 2
404
405 void StandAloneMode() {
406 DbpString("Stand-alone mode! No PC necessary.");
407 // Oooh pretty -- notify user we're in elite samy mode now
408 LED(LED_RED, 200);
409 LED(LED_ORANGE, 200);
410 LED(LED_GREEN, 200);
411 LED(LED_ORANGE, 200);
412 LED(LED_RED, 200);
413 LED(LED_ORANGE, 200);
414 LED(LED_GREEN, 200);
415 LED(LED_ORANGE, 200);
416 LED(LED_RED, 200);
417 }
418
419 #endif
420
421
422
423 #ifdef WITH_ISO14443a_StandAlone
424 void StandAloneMode14a() {
425 StandAloneMode();
426 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
427
428 int selected = 0;
429 bool playing = false, GotoRecord = false, GotoClone = false;
430 bool cardRead[OPTS] = {false};
431 uint8_t readUID[10] = {0};
432 uint32_t uid_1st[OPTS]={0};
433 uint32_t uid_2nd[OPTS]={0};
434 uint32_t uid_tmp1 = 0;
435 uint32_t uid_tmp2 = 0;
436 iso14a_card_select_t hi14a_card[OPTS];
437
438 LED(selected + 1, 0);
439
440 for (;;) {
441 usb_poll();
442 WDT_HIT();
443 SpinDelay(300);
444
445 if (GotoRecord || !cardRead[selected]) {
446 GotoRecord = false;
447 LEDsoff();
448 LED(selected + 1, 0);
449 LED(LED_RED2, 0);
450
451 // record
452 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected);
453 /* need this delay to prevent catching some weird data */
454 SpinDelay(500);
455 /* Code for reading from 14a tag */
456 uint8_t uid[10] ={0};
457 uint32_t cuid;
458 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
459
460 for ( ; ; ) {
461 WDT_HIT();
462 if (BUTTON_PRESS()) {
463 if (cardRead[selected]) {
464 Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
465 break;
466 } else if (cardRead[(selected+1)%OPTS]) {
467 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS);
468 selected = (selected+1)%OPTS;
469 break;
470 } else {
471 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
472 SpinDelay(300);
473 }
474 }
475 if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid, true, 0, true))
476 continue;
477 else {
478 Dbprintf("Read UID:"); Dbhexdump(10,uid,0);
479 memcpy(readUID,uid,10*sizeof(uint8_t));
480 uint8_t *dst = (uint8_t *)&uid_tmp1;
481 // Set UID byte order
482 for (int i = 0; i < 4; i++)
483 dst[i] = uid[3-i];
484 dst = (uint8_t *)&uid_tmp2;
485 for (int i = 0; i < 4; i++)
486 dst[i] = uid[7-i];
487 if (uid_1st[(selected+1) % OPTS] == uid_tmp1 && uid_2nd[(selected+1) % OPTS] == uid_tmp2) {
488 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
489 } else {
490 if (uid_tmp2) {
491 Dbprintf("Bank[%d] received a 7-byte UID", selected);
492 uid_1st[selected] = (uid_tmp1)>>8;
493 uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8);
494 } else {
495 Dbprintf("Bank[%d] received a 4-byte UID", selected);
496 uid_1st[selected] = uid_tmp1;
497 uid_2nd[selected] = uid_tmp2;
498 }
499 break;
500 }
501 }
502 }
503 Dbprintf("ATQA = %02X%02X", hi14a_card[selected].atqa[0], hi14a_card[selected].atqa[1]);
504 Dbprintf("SAK = %02X", hi14a_card[selected].sak);
505 LEDsoff();
506 LED(LED_GREEN, 200);
507 LED(LED_ORANGE, 200);
508 LED(LED_GREEN, 200);
509 LED(LED_ORANGE, 200);
510
511 LEDsoff();
512 LED(selected + 1, 0);
513
514 // Next state is replay:
515 playing = true;
516
517 cardRead[selected] = true;
518 } else if (GotoClone) { /* MF Classic UID clone */
519 GotoClone=false;
520 LEDsoff();
521 LED(selected + 1, 0);
522 LED(LED_ORANGE, 250);
523
524
525 // record
526 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]);
527
528 // wait for button to be released
529 while(BUTTON_PRESS()) {
530 // Delay cloning until card is in place
531 WDT_HIT();
532 }
533 Dbprintf("Starting clone. [Bank: %u]", selected);
534 // need this delay to prevent catching some weird data
535 SpinDelay(500);
536 // Begin clone function here:
537 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
538 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}};
539 memcpy(c.d.asBytes, data, 16);
540 SendCommand(&c);
541
542 Block read is similar:
543 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}};
544 We need to imitate that call with blockNo 0 to set a uid.
545
546 The get and set commands are handled in this file:
547 // Work with "magic Chinese" card
548 case CMD_MIFARE_CSETBLOCK:
549 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
550 break;
551 case CMD_MIFARE_CGETBLOCK:
552 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
553 break;
554
555 mfCSetUID provides example logic for UID set workflow:
556 -Read block0 from card in field with MifareCGetBlock()
557 -Configure new values without replacing reserved bytes
558 memcpy(block0, uid, 4); // Copy UID bytes from byte array
559 // Mifare UID BCC
560 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
561 Bytes 5-7 are reserved SAK and ATQA for mifare classic
562 -Use mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER) to write it
563 */
564 uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0};
565 // arg0 = Flags == CSETBLOCK_SINGLE_OPER=0x1F, arg1=returnSlot, arg2=blockNo
566 MifareCGetBlock(0x3F, 1, 0, oldBlock0);
567 if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
568 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
569 playing = true;
570 } else {
571 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0], oldBlock0[1], oldBlock0[2], oldBlock0[3]);
572 memcpy(newBlock0, oldBlock0, 16);
573 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
574
575 newBlock0[0] = uid_1st[selected] >> 24;
576 newBlock0[1] = 0xFF & (uid_1st[selected] >> 16);
577 newBlock0[2] = 0xFF & (uid_1st[selected] >> 8);
578 newBlock0[3] = 0xFF & (uid_1st[selected]);
579 newBlock0[4] = newBlock0[0] ^ newBlock0[1] ^ newBlock0[2] ^ newBlock0[3];
580 // arg0 = needWipe, arg1 = workFlags, arg2 = blockNo, datain
581 MifareCSetBlock(0, 0xFF, 0, newBlock0);
582 MifareCGetBlock(0x3F, 1, 0, testBlock0);
583 if (memcmp(testBlock0, newBlock0, 16) == 0) {
584 DbpString("Cloned successfull!");
585 cardRead[selected] = false; // Only if the card was cloned successfully should we clear it
586 playing = false;
587 GotoRecord = true;
588 selected = (selected+1) % OPTS;
589 } else {
590 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
591 playing = true;
592 }
593 }
594 LEDsoff();
595 LED(selected + 1, 0);
596
597 } else if (playing) {
598 // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
599 // Change where to record (or begin playing)
600 LEDsoff();
601 LED(selected + 1, 0);
602
603 // Begin transmitting
604 LED(LED_GREEN, 0);
605 DbpString("Playing");
606 for ( ; ; ) {
607 WDT_HIT();
608 int button_action = BUTTON_HELD(1000);
609 if (button_action == 0) { // No button action, proceed with sim
610 uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break
611 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected], uid_2nd[selected], selected);
612 if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) {
613 DbpString("Mifare Classic");
614 SimulateIso14443aTag(1, uid_1st[selected], uid_2nd[selected], data); // Mifare Classic
615 } else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) {
616 DbpString("Mifare Ultralight");
617 SimulateIso14443aTag(2, uid_1st[selected], uid_2nd[selected], data); // Mifare Ultralight
618 } else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) {
619 DbpString("Mifare DESFire");
620 SimulateIso14443aTag(3, uid_1st[selected], uid_2nd[selected], data); // Mifare DESFire
621 } else {
622 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
623 SimulateIso14443aTag(1, uid_1st[selected], uid_2nd[selected], data);
624 }
625 } else if (button_action == BUTTON_SINGLE_CLICK) {
626 selected = (selected + 1) % OPTS;
627 Dbprintf("Done playing. Switching to record mode on bank %d",selected);
628 GotoRecord = true;
629 break;
630 } else if (button_action == BUTTON_HOLD) {
631 Dbprintf("Playtime over. Begin cloning...");
632 GotoClone = true;
633 break;
634 }
635 WDT_HIT();
636 }
637
638 /* We pressed a button so ignore it here with a delay */
639 SpinDelay(300);
640 LEDsoff();
641 LED(selected + 1, 0);
642 }
643 }
644 }
645
646 #elif WITH_LF_StandAlone
647
648 // samy's sniff and repeat routine
649 void SamyRun() {
650 StandAloneMode();
651 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
652
653 int tops[OPTS], high[OPTS], low[OPTS];
654 int selected = 0;
655 int playing = 0;
656 int cardRead = 0;
657
658 // Turn on selected LED
659 LED(selected + 1, 0);
660
661 for (;;) {
662 usb_poll();
663 WDT_HIT();
664
665 // Was our button held down or pressed?
666 int button_pressed = BUTTON_HELD(1000);
667 SpinDelay(300);
668
669 // Button was held for a second, begin recording
670 if (button_pressed > 0 && cardRead == 0) {
671 LEDsoff();
672 LED(selected + 1, 0);
673 LED(LED_RED2, 0);
674
675 // record
676 DbpString("Starting recording");
677
678 // wait for button to be released
679 while(BUTTON_PRESS())
680 WDT_HIT();
681
682 /* need this delay to prevent catching some weird data */
683 SpinDelay(500);
684
685 CmdHIDdemodFSK(1, &tops[selected], &high[selected], &low[selected], 0);
686 if (tops[selected] > 0)
687 Dbprintf("Recorded %x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
688 else
689 Dbprintf("Recorded %x %x%08x", selected, high[selected], low[selected]);
690
691 LEDsoff();
692 LED(selected + 1, 0);
693 // Finished recording
694
695 // If we were previously playing, set playing off
696 // so next button push begins playing what we recorded
697 playing = 0;
698
699 cardRead = 1;
700
701 } else if (button_pressed > 0 && cardRead == 1) {
702 LEDsoff();
703 LED(selected + 1, 0);
704 LED(LED_ORANGE, 0);
705
706 // record
707 if (tops[selected] > 0)
708 Dbprintf("Cloning %x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
709 else
710 Dbprintf("Cloning %x %x%08x", selected, high[selected], low[selected]);
711
712 // wait for button to be released
713 while(BUTTON_PRESS())
714 WDT_HIT();
715
716 /* need this delay to prevent catching some weird data */
717 SpinDelay(500);
718
719 CopyHIDtoT55x7(tops[selected] & 0x000FFFFF, high[selected], low[selected], (tops[selected] != 0 && ((high[selected]& 0xFFFFFFC0) != 0)), 0x1D);
720 if (tops[selected] > 0)
721 Dbprintf("Cloned %x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
722 else
723 Dbprintf("Cloned %x %x%08x", selected, high[selected], low[selected]);
724
725 LEDsoff();
726 LED(selected + 1, 0);
727 // Finished recording
728
729 // If we were previously playing, set playing off
730 // so next button push begins playing what we recorded
731 playing = 0;
732
733 cardRead = 0;
734
735 } else if (button_pressed) {
736
737 // Change where to record (or begin playing)
738 // Next option if we were previously playing
739 if (playing)
740 selected = (selected + 1) % OPTS;
741 playing = !playing;
742
743 LEDsoff();
744 LED(selected + 1, 0);
745
746 // Begin transmitting
747 if (playing) {
748 LED(LED_GREEN, 0);
749 DbpString("Playing");
750 // wait for button to be released
751 while(BUTTON_PRESS())
752 WDT_HIT();
753 if (tops[selected] > 0)
754 Dbprintf("%x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
755 else
756 Dbprintf("%x %x%08x", selected, high[selected], low[selected]);
757
758 CmdHIDsimTAG(tops[selected], high[selected], low[selected], 0);
759 DbpString("Done playing");
760 if (BUTTON_HELD(1000) > 0) {
761 DbpString("Exiting");
762 LEDsoff();
763 return;
764 }
765
766 /* We pressed a button so ignore it here with a delay */
767 SpinDelay(300);
768
769 // when done, we're done playing, move to next option
770 selected = (selected + 1) % OPTS;
771 playing = !playing;
772 LEDsoff();
773 LED(selected + 1, 0);
774 } else
775 while(BUTTON_PRESS())
776 WDT_HIT();
777 }
778 }
779 }
780
781 #endif
782
783 /*
784 OBJECTIVE
785 Listen and detect an external reader. Determine the best location
786 for the antenna.
787
788 INSTRUCTIONS:
789 Inside the ListenReaderField() function, there is two mode.
790 By default, when you call the function, you will enter mode 1.
791 If you press the PM3 button one time, you will enter mode 2.
792 If you press the PM3 button a second time, you will exit the function.
793
794 DESCRIPTION OF MODE 1:
795 This mode just listens for an external reader field and lights up green
796 for HF and/or red for LF. This is the original mode of the detectreader
797 function.
798
799 DESCRIPTION OF MODE 2:
800 This mode will visually represent, using the LEDs, the actual strength of the
801 current compared to the maximum current detected. Basically, once you know
802 what kind of external reader is present, it will help you spot the best location to place
803 your antenna. You will probably not get some good results if there is a LF and a HF reader
804 at the same place! :-)
805
806 LIGHT SCHEME USED:
807 */
808 static const char LIGHT_SCHEME[] = {
809 0x0, /* ---- | No field detected */
810 0x1, /* X--- | 14% of maximum current detected */
811 0x2, /* -X-- | 29% of maximum current detected */
812 0x4, /* --X- | 43% of maximum current detected */
813 0x8, /* ---X | 57% of maximum current detected */
814 0xC, /* --XX | 71% of maximum current detected */
815 0xE, /* -XXX | 86% of maximum current detected */
816 0xF, /* XXXX | 100% of maximum current detected */
817 };
818
819 static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
820
821 void ListenReaderField(int limit) {
822 int lf_av, lf_av_new=0, lf_baseline= 0, lf_max;
823 int hf_av, hf_av_new=0, hf_baseline= 0, hf_max;
824 int mode=1, display_val, display_max, i;
825
826 #define LF_ONLY 1
827 #define HF_ONLY 2
828 #define REPORT_CHANGE_PERCENT 5 // report new values only if they have changed at least by REPORT_CHANGE_PERCENT
829 #define MIN_HF_FIELD 300 // in mode 1 signal HF field greater than MIN_HF_FIELD above baseline
830 #define MIN_LF_FIELD 1200 // in mode 1 signal LF field greater than MIN_LF_FIELD above baseline
831
832
833 // switch off FPGA - we don't want to measure our own signal
834 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
835 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
836
837 LEDsoff();
838
839 lf_av = lf_max = AvgAdc_Voltage_LF();
840
841 if (limit != HF_ONLY) {
842 Dbprintf("LF 125/134kHz Baseline: %dmV", lf_av);
843 lf_baseline = lf_av;
844 }
845
846 hf_av = hf_max = AvgAdc_Voltage_HF();
847
848 if (limit != LF_ONLY) {
849 Dbprintf("HF 13.56MHz Baseline: %dmV", hf_av);
850 hf_baseline = hf_av;
851 }
852
853 for(;;) {
854 SpinDelay(500);
855 if (BUTTON_PRESS()) {
856 switch (mode) {
857 case 1:
858 mode=2;
859 DbpString("Signal Strength Mode");
860 break;
861 case 2:
862 default:
863 DbpString("Stopped");
864 LEDsoff();
865 return;
866 break;
867 }
868 while (BUTTON_PRESS())
869 /* wait */;
870 }
871 WDT_HIT();
872
873 if (limit != HF_ONLY) {
874 if(mode == 1) {
875 if (lf_av - lf_baseline > MIN_LF_FIELD)
876 LED_D_ON();
877 else
878 LED_D_OFF();
879 }
880
881 lf_av_new = AvgAdc_Voltage_LF();
882 // see if there's a significant change
883 if (ABS((lf_av - lf_av_new) * 100 / (lf_av?lf_av:1)) > REPORT_CHANGE_PERCENT) {
884 Dbprintf("LF 125/134kHz Field Change: %5dmV", lf_av_new);
885 lf_av = lf_av_new;
886 if (lf_av > lf_max)
887 lf_max = lf_av;
888 }
889 }
890
891 if (limit != LF_ONLY) {
892 if (mode == 1){
893 if (hf_av - hf_baseline > MIN_HF_FIELD)
894 LED_B_ON();
895 else
896 LED_B_OFF();
897 }
898
899 hf_av_new = AvgAdc_Voltage_HF();
900
901 // see if there's a significant change
902 if (ABS((hf_av - hf_av_new) * 100 / (hf_av?hf_av:1)) > REPORT_CHANGE_PERCENT) {
903 Dbprintf("HF 13.56MHz Field Change: %5dmV", hf_av_new);
904 hf_av = hf_av_new;
905 if (hf_av > hf_max)
906 hf_max = hf_av;
907 }
908 }
909
910 if (mode == 2) {
911 if (limit == LF_ONLY) {
912 display_val = lf_av;
913 display_max = lf_max;
914 } else if (limit == HF_ONLY) {
915 display_val = hf_av;
916 display_max = hf_max;
917 } else { /* Pick one at random */
918 if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
919 display_val = hf_av;
920 display_max = hf_max;
921 } else {
922 display_val = lf_av;
923 display_max = lf_max;
924 }
925 }
926 for (i = 0; i < LIGHT_LEN; i++) {
927 if (display_val >= (display_max / LIGHT_LEN * i) && display_val <= (display_max / LIGHT_LEN * (i+1))) {
928 if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF();
929 if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF();
930 if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF();
931 if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF();
932 break;
933 }
934 }
935 }
936 }
937 }
938
939
940 void UsbPacketReceived(UsbCommand *c) {
941
942 // Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
943
944 switch(c->cmd) {
945 #ifdef WITH_LF
946 case CMD_SET_LF_SAMPLING_CONFIG:
947 setSamplingConfig(c->d.asBytes);
948 break;
949 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
950 cmd_send(CMD_ACK,SampleLF(c->arg[0], c->arg[1]),0,0,0,0);
951 break;
952 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
953 ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
954 break;
955 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
956 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
957 break;
958 case CMD_HID_DEMOD_FSK:
959 CmdHIDdemodFSK(c->arg[0], 0, 0, 0, 1);
960 break;
961 case CMD_HID_SIM_TAG:
962 CmdHIDsimTAG(c->arg[0], c->arg[1], c->arg[2], 1);
963 break;
964 case CMD_FSK_SIM_TAG:
965 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
966 break;
967 case CMD_ASK_SIM_TAG:
968 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
969 break;
970 case CMD_PSK_SIM_TAG:
971 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
972 break;
973 case CMD_HID_CLONE_TAG:
974 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0], 0x1D);
975 break;
976 case CMD_PARADOX_CLONE_TAG:
977 // Paradox cards are the same as HID, with a different preamble, so we can reuse the same function
978 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0], 0x0F);
979 break;
980 case CMD_IO_DEMOD_FSK:
981 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
982 break;
983 case CMD_IO_CLONE_TAG:
984 CopyIOtoT55x7(c->arg[0], c->arg[1]);
985 break;
986 case CMD_EM410X_DEMOD:
987 CmdEM410xdemod(c->arg[0], 0, 0, 1);
988 break;
989 case CMD_EM410X_WRITE_TAG:
990 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
991 break;
992 case CMD_READ_TI_TYPE:
993 ReadTItag();
994 break;
995 case CMD_WRITE_TI_TYPE:
996 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
997 break;
998 case CMD_SIMULATE_TAG_125K:
999 LED_A_ON();
1000 SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
1001 LED_A_OFF();
1002 break;
1003 case CMD_LF_SIMULATE_BIDIR:
1004 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
1005 break;
1006 case CMD_INDALA_CLONE_TAG:
1007 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
1008 break;
1009 case CMD_INDALA_CLONE_TAG_L:
1010 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
1011 break;
1012 case CMD_T55XX_READ_BLOCK:
1013 T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
1014 break;
1015 case CMD_T55XX_WRITE_BLOCK:
1016 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
1017 break;
1018 case CMD_T55XX_WAKEUP:
1019 T55xxWakeUp(c->arg[0]);
1020 break;
1021 case CMD_T55XX_RESET_READ:
1022 T55xxResetRead();
1023 break;
1024 case CMD_PCF7931_READ:
1025 ReadPCF7931();
1026 break;
1027 case CMD_PCF7931_WRITE:
1028 WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
1029 break;
1030 case CMD_PCF7931_BRUTEFORCE:
1031 BruteForcePCF7931(c->arg[0], (c->arg[1] & 0xFF), c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128);
1032 break;
1033 case CMD_EM4X_READ_WORD:
1034 EM4xReadWord(c->arg[0], c->arg[1],c->arg[2]);
1035 break;
1036 case CMD_EM4X_WRITE_WORD:
1037 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]);
1038 break;
1039 case CMD_EM4X_PROTECT:
1040 EM4xProtect(c->arg[0], c->arg[1], c->arg[2]);
1041 break;
1042 case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
1043 CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
1044 break;
1045 case CMD_VIKING_CLONE_TAG:
1046 CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
1047 break;
1048 case CMD_COTAG:
1049 Cotag(c->arg[0]);
1050 break;
1051 #endif
1052
1053 #ifdef WITH_HITAG
1054 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
1055 SnoopHitag(c->arg[0]);
1056 break;
1057 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
1058 SimulateHitagTag((bool)c->arg[0], (uint8_t*)c->d.asBytes);
1059 break;
1060 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
1061 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1062 break;
1063 case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content
1064 SimulateHitagSTag((bool)c->arg[0],(uint8_t*)c->d.asBytes);
1065 break;
1066 case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file
1067 check_challenges_cmd((bool)c->arg[0], (uint8_t*)c->d.asBytes, (uint8_t)c->arg[1]);
1068 break;
1069 case CMD_READ_HITAG_S://Reader for only Hitag S tags, args = key or challenge
1070 ReadHitagSCmd((hitag_function)c->arg[0], (hitag_data*)c->d.asBytes, (uint8_t)c->arg[1], (uint8_t)c->arg[2], false);
1071 break;
1072 case CMD_READ_HITAG_S_BLK:
1073 ReadHitagSCmd((hitag_function)c->arg[0], (hitag_data*)c->d.asBytes, (uint8_t)c->arg[1], (uint8_t)c->arg[2], true);
1074 break;
1075 case CMD_WR_HITAG_S://writer for Hitag tags args=data to write,page and key or challenge
1076 if ((hitag_function)c->arg[0] < 10) {
1077 WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]);
1078 }
1079 else if ((hitag_function)c->arg[0] >= 10) {
1080 WriterHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes, c->arg[2]);
1081 }
1082 break;
1083 #endif
1084
1085 #ifdef WITH_ISO15693
1086 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
1087 AcquireRawAdcSamplesIso15693();
1088 break;
1089
1090 case CMD_SNOOP_ISO_15693:
1091 SnoopIso15693(0, NULL);
1092 break;
1093
1094 case CMD_ISO_15693_COMMAND:
1095 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1096 break;
1097
1098 case CMD_ISO_15693_FIND_AFI:
1099 BruteforceIso15693Afi(c->arg[0]);
1100 break;
1101
1102 case CMD_ISO_15693_DEBUG:
1103 SetDebugIso15693(c->arg[0]);
1104 break;
1105
1106 case CMD_READER_ISO_15693:
1107 ReaderIso15693(c->arg[0]);
1108 break;
1109
1110 case CMD_SIMTAG_ISO_15693:
1111 SimTagIso15693(c->arg[0], c->d.asBytes);
1112 break;
1113
1114 case CMD_CSETUID_ISO_15693:
1115 SetTag15693Uid(c->d.asBytes);
1116 break;
1117 #endif
1118
1119 #ifdef WITH_LEGICRF
1120 case CMD_SIMULATE_TAG_LEGIC_RF:
1121 LegicRfSimulate(c->arg[0]);
1122 break;
1123
1124 case CMD_WRITER_LEGIC_RF:
1125 LegicRfWriter(c->arg[1], c->arg[0]);
1126 break;
1127
1128 case CMD_READER_LEGIC_RF:
1129 LegicRfReader(c->arg[0], c->arg[1]);
1130 break;
1131 #endif
1132
1133 #ifdef WITH_ISO14443b
1134 case CMD_READ_SRI512_TAG:
1135 ReadSTMemoryIso14443b(0x0F);
1136 break;
1137 case CMD_READ_SRIX4K_TAG:
1138 ReadSTMemoryIso14443b(0x7F);
1139 break;
1140 case CMD_SNOOP_ISO_14443B:
1141 SnoopIso14443b();
1142 break;
1143 case CMD_SIMULATE_TAG_ISO_14443B:
1144 SimulateIso14443bTag();
1145 break;
1146 case CMD_ISO_14443B_COMMAND:
1147 SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1148 break;
1149 #endif
1150
1151 #ifdef WITH_ISO14443a
1152 case CMD_SNOOP_ISO_14443a:
1153 SnoopIso14443a(c->arg[0]);
1154 break;
1155 case CMD_READER_ISO_14443a:
1156 ReaderIso14443a(c);
1157 break;
1158 case CMD_SIMULATE_TAG_ISO_14443a:
1159 SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
1160 break;
1161
1162 case CMD_EPA_PACE_COLLECT_NONCE:
1163 EPA_PACE_Collect_Nonce(c);
1164 break;
1165 case CMD_EPA_PACE_REPLAY:
1166 EPA_PACE_Replay(c);
1167 break;
1168
1169 case CMD_READER_MIFARE:
1170 ReaderMifare(c->arg[0]);
1171 break;
1172 case CMD_MIFARE_READBL:
1173 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1174 break;
1175 case CMD_MIFAREU_READBL:
1176 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
1177 break;
1178 case CMD_MIFAREUC_AUTH:
1179 MifareUC_Auth(c->arg[0],c->d.asBytes);
1180 break;
1181 case CMD_MIFAREU_READCARD:
1182 MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1183 break;
1184 case CMD_MIFAREUC_SETPWD:
1185 MifareUSetPwd(c->arg[0], c->d.asBytes);
1186 break;
1187 case CMD_MIFARE_READSC:
1188 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1189 break;
1190 case CMD_MIFARE_WRITEBL:
1191 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1192 break;
1193 case CMD_MIFARE_PERSONALIZE_UID:
1194 MifarePersonalizeUID(c->arg[0], c->arg[1], c->d.asBytes);
1195 break;
1196 //case CMD_MIFAREU_WRITEBL_COMPAT:
1197 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1198 //break;
1199 case CMD_MIFAREU_WRITEBL:
1200 MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
1201 break;
1202 case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES:
1203 MifareAcquireEncryptedNonces(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1204 break;
1205 case CMD_MIFARE_NESTED:
1206 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1207 break;
1208 case CMD_MIFARE_CHKKEYS:
1209 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1210 break;
1211 case CMD_SIMULATE_MIFARE_CARD:
1212 MifareSim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1213 break;
1214
1215 // emulator
1216 case CMD_MIFARE_SET_DBGMODE:
1217 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1218 break;
1219 case CMD_MIFARE_EML_MEMCLR:
1220 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1221 break;
1222 case CMD_MIFARE_EML_MEMSET:
1223 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1224 break;
1225 case CMD_MIFARE_EML_MEMGET:
1226 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1227 break;
1228 case CMD_MIFARE_EML_CARDLOAD:
1229 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1230 break;
1231
1232 // Work with "magic Chinese" card
1233 case CMD_MIFARE_CWIPE:
1234 MifareCWipe(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1235 break;
1236 case CMD_MIFARE_CSETBLOCK:
1237 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1238 break;
1239 case CMD_MIFARE_CGETBLOCK:
1240 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1241 break;
1242 case CMD_MIFARE_CIDENT:
1243 MifareCIdent();
1244 break;
1245
1246 // mifare sniffer
1247 case CMD_MIFARE_SNIFFER:
1248 SniffMifare(c->arg[0]);
1249 break;
1250
1251 #endif
1252
1253 #ifdef WITH_ICLASS
1254 // Makes use of ISO14443a FPGA Firmware
1255 case CMD_SNOOP_ICLASS:
1256 SnoopIClass(c->arg[0], c->d.asBytes);
1257 break;
1258 case CMD_SIMULATE_TAG_ICLASS:
1259 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1260 break;
1261 case CMD_READER_ICLASS:
1262 ReaderIClass(c->arg[0]);
1263 break;
1264 case CMD_ICLASS_EML_MEMSET:
1265 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
1266 break;
1267 case CMD_ICLASS_WRITEBLOCK:
1268 iClass_WriteBlock(c->arg[0], c->d.asBytes);
1269 break;
1270 case CMD_ICLASS_READBLOCK:
1271 iClass_ReadBlk(c->arg[0]);
1272 break;
1273 case CMD_ICLASS_CHECK:
1274 iClass_Check(c->d.asBytes);
1275 break;
1276 case CMD_ICLASS_READCHECK:
1277 iClass_Readcheck(c->arg[0], c->arg[1]);
1278 break;
1279 case CMD_ICLASS_DUMP:
1280 iClass_Dump(c->arg[0], c->arg[1]);
1281 break;
1282 case CMD_ICLASS_CLONE:
1283 iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
1284 break;
1285 #endif
1286
1287 #ifdef WITH_HFSNOOP
1288 case CMD_HF_SNIFFER:
1289 HfSnoop(c->arg[0], c->arg[1]);
1290 break;
1291 case CMD_HF_PLOT:
1292 HfPlot();
1293 break;
1294 #endif
1295
1296 #ifdef WITH_SMARTCARD
1297 case CMD_SMART_ATR: {
1298 SmartCardAtr();
1299 break;
1300 }
1301 case CMD_SMART_SETCLOCK:{
1302 SmartCardSetClock(c->arg[0]);
1303 break;
1304 }
1305 case CMD_SMART_RAW: {
1306 SmartCardRaw(c->arg[0], c->arg[1], c->d.asBytes);
1307 break;
1308 }
1309 case CMD_SMART_UPLOAD: {
1310 // upload file from client
1311 uint8_t *mem = BigBuf_get_addr();
1312 memcpy( mem + c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1313 cmd_send(CMD_ACK,1,0,0,0,0);
1314 break;
1315 }
1316 case CMD_SMART_UPGRADE: {
1317 SmartCardUpgrade(c->arg[0]);
1318 break;
1319 }
1320 #endif
1321
1322 case CMD_BUFF_CLEAR:
1323 BigBuf_Clear();
1324 break;
1325
1326 case CMD_MEASURE_ANTENNA_TUNING:
1327 MeasureAntennaTuning(c->arg[0]);
1328 break;
1329
1330 case CMD_MEASURE_ANTENNA_TUNING_HF:
1331 MeasureAntennaTuningHf();
1332 break;
1333
1334 case CMD_LISTEN_READER_FIELD:
1335 ListenReaderField(c->arg[0]);
1336 break;
1337
1338 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
1339 LED_A_ON();
1340 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1341 SpinDelay(200);
1342 LED_D_OFF(); // LED D indicates field ON or OFF
1343 LED_A_OFF();
1344 break;
1345
1346 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K:
1347 LED_B_ON();
1348 uint8_t *BigBuf = BigBuf_get_addr();
1349 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
1350 size_t len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
1351 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
1352 }
1353 // Trigger a finish downloading signal with an ACK frame
1354 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
1355 LED_B_OFF();
1356 break;
1357
1358 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
1359 // iceman; since changing fpga_bitstreams clears bigbuff, Its better to call it before.
1360 // to be able to use this one for uploading data to device
1361 // arg1 = 0 upload for LF usage
1362 // 1 upload for HF usage
1363 if (c->arg[1] == 0)
1364 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1365 else
1366 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1367
1368 uint8_t *b = BigBuf_get_addr();
1369 memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1370 cmd_send(CMD_ACK,0,0,0,0,0);
1371 break;
1372 }
1373 case CMD_READ_MEM:
1374 ReadMem(c->arg[0]);
1375 break;
1376
1377 case CMD_SET_LF_DIVISOR:
1378 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1379 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
1380 break;
1381
1382 case CMD_SET_ADC_MUX:
1383 switch(c->arg[0]) {
1384 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1385 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1386 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1387 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1388 }
1389 break;
1390
1391 case CMD_VERSION:
1392 SendVersion();
1393 break;
1394 case CMD_STATUS:
1395 SendStatus();
1396 break;
1397 case CMD_PING:
1398 cmd_send(CMD_ACK,0,0,0,0,0);
1399 break;
1400 #ifdef WITH_LCD
1401 case CMD_LCD_RESET:
1402 LCDReset();
1403 break;
1404 case CMD_LCD:
1405 LCDSend(c->arg[0]);
1406 break;
1407 #endif
1408 case CMD_SETUP_WRITE:
1409 case CMD_FINISH_WRITE:
1410 case CMD_HARDWARE_RESET:
1411 usb_disable();
1412 SpinDelay(1000);
1413 SpinDelay(1000);
1414 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1415 for(;;) {
1416 // We're going to reset, and the bootrom will take control.
1417 }
1418 break;
1419
1420 case CMD_START_FLASH:
1421 if(common_area.flags.bootrom_present) {
1422 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1423 }
1424 usb_disable();
1425 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1426 for(;;);
1427 break;
1428
1429 case CMD_DEVICE_INFO: {
1430 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1431 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1432 cmd_send_old(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1433 break;
1434 }
1435 default:
1436 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1437 break;
1438 }
1439 }
1440
1441
1442 void __attribute__((noreturn)) AppMain(void) {
1443
1444 SpinDelay(100);
1445 clear_trace();
1446 if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
1447 /* Initialize common area */
1448 memset(&common_area, 0, sizeof(common_area));
1449 common_area.magic = COMMON_AREA_MAGIC;
1450 common_area.version = 1;
1451 }
1452 common_area.flags.osimage_present = 1;
1453
1454 LEDsoff();
1455
1456 // Init USB device
1457 usb_enable();
1458
1459 // The FPGA gets its clock from us from PCK0 output, so set that up.
1460 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
1461 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
1462 AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
1463 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1464 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
1465 AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
1466 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
1467
1468 // Reset SPI
1469 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
1470 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST; // required twice on some AT91SAM Revisions (see Errata in AT91SAM datasheet)
1471 // Reset SSC
1472 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
1473
1474 // Load the FPGA image, which we have stored in our flash (HF version by default)
1475 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1476
1477 StartTickCount();
1478
1479 #ifdef WITH_LCD
1480 LCDInit();
1481 #endif
1482
1483 UsbCommand rx;
1484
1485 for(;;) {
1486 WDT_HIT();
1487 if (cmd_receive(&rx)) {
1488 UsbPacketReceived(&rx);
1489 } else {
1490 #if defined(WITH_LF_StandAlone) && !defined(WITH_ISO14443a_StandAlone)
1491 if (BUTTON_HELD(1000) > 0)
1492 SamyRun();
1493 #endif
1494 #if defined(WITH_ISO14443a) && defined(WITH_ISO14443a_StandAlone)
1495 if (BUTTON_HELD(1000) > 0)
1496 StandAloneMode14a();
1497 #endif
1498 }
1499 }
1500 }
Proxmark3 GIT tracking
Impressum, Datenschutz