1 //----------------------------------------------------------------------------- 
   2 // Merlok - June 2011, 2012 
   3 // Gerhard de Koning Gans - May 2008 
   4 // Hagen Fritsch - June 2010 
   6 // This code is licensed to you under the terms of the GNU GPL, version 2 or, 
   7 // at your option, any later version. See the LICENSE.txt file for the text of 
   9 //----------------------------------------------------------------------------- 
  10 // Routines to support ISO 14443 type A. 
  11 //----------------------------------------------------------------------------- 
  13 #include "proxmark3.h" 
  18 #include "iso14443crc.h" 
  19 #include "iso14443a.h" 
  21 #include "mifareutil.h" 
// Receive timeout used by the reader-side code. Units are the same as the
// "%ld" value printed by iso14a_set_timeout(), which divides by 106 to show
// milliseconds - presumably 1/106 ms per unit; confirm against the callers.
static uint32_t iso14a_timeout;

// the block number for the ISO14443-4 PCB
static uint8_t iso14_pcb_blocknum = 0;

// minimum time between the start bits of consecutive transfers from reader to tag: 7000 carrier (13.56Mhz) cycles
// (the /16 presumably converts carrier cycles to ssp_clk ticks, the unit the timing variables below are kept in)
#define REQUEST_GUARD_TIME (7000/16 + 1)
// minimum time between last modulation of tag and next start bit from reader to tag: 1172 carrier cycles
#define FRAME_DELAY_TIME_PICC_TO_PCD (1172/16 + 1)
// bool LastCommandWasRequest = FALSE;

// Total delays including SSC-Transfers between ARM and FPGA. These are in carrier clock cycles (1/13,56MHz)
// When the PM acts as reader and is receiving tag data, it takes
// 3 ticks delay in the AD converter
// 16 ticks until the modulation detector completes and sets curbit
// 8 ticks until bit_to_arm is assigned from curbit
// 8*16 ticks for the transfer from FPGA to ARM
// 4*16 ticks until we measure the time
// - 8*16 ticks because we measure the time of the previous transfer
#define DELAY_AIR2ARM_AS_READER (3 + 16 + 8 + 8*16 + 4*16 - 8*16)

// When the PM acts as a reader and is sending, it takes
// 4*16 ticks until we can write data to the sending hold register
// 8*16 ticks until the SHR is transferred to the Sending Shift Register
// 8 ticks until the first transfer starts
// 8 ticks later the FPGA samples the data
// 1 tick to assign mod_sig_coil
#define DELAY_ARM2AIR_AS_READER (4*16 + 8*16 + 8 + 8 + 1)

// When the PM acts as tag and is receiving it takes
// 2 ticks delay in the RF part (for the first falling edge),
// 3 ticks for the A/D conversion,
// 8 ticks on average until the start of the SSC transfer,
// 8 ticks until the SSC samples the first data
// 7*16 ticks to complete the transfer from FPGA to ARM
// 8 ticks until the next ssp_clk rising edge
// 4*16 ticks until we measure the time
// - 8*16 ticks because we measure the time of the previous transfer
#define DELAY_AIR2ARM_AS_TAG (2 + 3 + 8 + 8 + 7*16 + 8 + 4*16 - 8*16)

// The FPGA will report its internal sending delay in this variable
// (external linkage: it is written from outside this part of the file).
uint16_t FpgaSendQueueDelay;
// the first 5 bits are the number of bits buffered in mod_sig_buf
// the last three bits are the remaining ticks/2 after the mod_sig_buf shift
// The <<1 turns the packed value back into a tick count (see the bit layout above).
#define DELAY_FPGA_QUEUE (FpgaSendQueueDelay<<1)

// When the PM acts as tag and is sending, it takes
// 4*16 ticks until we can write data to the sending hold register
// 8*16 ticks until the SHR is transferred to the Sending Shift Register
// 8 ticks until the first transfer starts
// 8 ticks later the FPGA samples the data
// + a varying number of ticks in the FPGA Delay Queue (mod_sig_buf)
// + 1 tick to assign mod_sig_coil
// NOTE: unlike the other DELAY_* macros this one is not a constant - it reads
// FpgaSendQueueDelay at the point of use.
#define DELAY_ARM2AIR_AS_TAG (4*16 + 8*16 + 8 + 8 + DELAY_FPGA_QUEUE + 1)

// When the PM acts as sniffer and is receiving tag data, it takes
// 3 ticks A/D conversion
// 14 ticks to complete the modulation detection
// 8 ticks (on average) until the result is stored in to_arm
// + the delays in transferring data - which is the same for
// sniffing reader and tag data and therefore not relevant
#define DELAY_TAG_AIR2ARM_AS_SNIFFER (3 + 14 + 8)

// When the PM acts as sniffer and is receiving reader data, it takes
// 2 ticks delay in analogue RF receiver (for the falling edge of the
// start bit, which marks the start of the communication)
// 3 ticks A/D conversion
// 8 ticks on average until the data is stored in to_arm.
// + the delays in transferring data - which is the same for
// sniffing reader and tag data and therefore not relevant
#define DELAY_READER_AIR2ARM_AS_SNIFFER (2 + 3 + 8)

//variables used for timing purposes:
//these are in ssp_clk cycles:
static uint32_t NextTransferTime;		// earliest time the next transfer to the air may start
static uint32_t LastTimeProxToAirStart;	// start time of the last transfer from the PM to the air
static uint32_t LastProxToAirDuration;	// duration of that transfer
 109 // CARD TO READER - manchester 
 110 // Sequence D: 11110000 modulation with subcarrier during first half 
 111 // Sequence E: 00001111 modulation with subcarrier during second half 
 112 // Sequence F: 00000000 no modulation with subcarrier 
 113 // READER TO CARD - miller 
 114 // Sequence X: 00001100 drop after half a period 
 115 // Sequence Y: 00000000 no drop 
 116 // Sequence Z: 11000000 drop at start 
// OddByteParity[b] is the odd-parity bit for the byte value b: 1 when b has an
// even number of set bits, 0 when it has an odd number (so that byte + parity
// bit always carry an odd number of ones, as ISO 14443-A requires).
// Rather than spelling out all 256 entries, the table is generated from the
// observation that every additional set bit in the index flips the entry:
// ODDPARITY_4(p) yields the entries for offsets 0,1,2,3 (popcount 0,1,1,2
// relative to the base), and each wider helper stitches four copies together,
// the middle two inverted.
#define ODDPARITY_4(p)  (p), (p) ^ 1, (p) ^ 1, (p)
#define ODDPARITY_16(p) ODDPARITY_4(p), ODDPARITY_4((p) ^ 1), ODDPARITY_4((p) ^ 1), ODDPARITY_4(p)
#define ODDPARITY_64(p) ODDPARITY_16(p), ODDPARITY_16((p) ^ 1), ODDPARITY_16((p) ^ 1), ODDPARITY_16(p)
const uint8_t OddByteParity[256] = {
	ODDPARITY_64(1), ODDPARITY_64(0), ODDPARITY_64(0), ODDPARITY_64(1)
};
#undef ODDPARITY_64
#undef ODDPARITY_16
#undef ODDPARITY_4
 144 void iso14a_set_trigger(bool enable
) { 
// Store the reader-side receive timeout and, at debug level 3 or higher,
// report it. The value is kept in iso14a_timeout; the "/ 106" in the
// debug print converts it to milliseconds.
void iso14a_set_timeout(uint32_t timeout) {
	iso14a_timeout = timeout;
	if (MF_DBGLEVEL < 3) {
		return;
	}
	// NOTE(review): %ld / %d receive uint32_t arguments - relies on Dbprintf
	// treating them the same width; confirm for this target.
	Dbprintf("ISO14443A Timeout set to %ld (%dms)", iso14a_timeout, iso14a_timeout / 106);
}
 155 void iso14a_set_ATS_timeout(uint8_t *ats
) { 
 161         if (ats
[0] > 1) {                                                       // there is a format byte T0 
 162                 if ((ats
[1] & 0x20) == 0x20) {                  // there is an interface byte TB(1) 
 163                         if ((ats
[1] & 0x10) == 0x10) {          // there is an interface byte TA(1) preceding TB(1) 
 168                         fwi 
= (tb1 
& 0xf0) >> 4;                        // frame waiting indicator (FWI) 
 169                         fwt 
= 256 * 16 * (1 << fwi
);            // frame waiting time (FWT) in 1/fc 
 171                         iso14a_set_timeout(fwt
/(8*16)); 
 177 //----------------------------------------------------------------------------- 
 178 // Generate the parity value for a byte sequence 
 180 //----------------------------------------------------------------------------- 
// Return the odd-parity bit for one byte. This is a pure table lookup in
// OddByteParity[], so no bit counting happens at run time.
byte_t oddparity (const byte_t bt)
{
	const byte_t parity_bit = OddByteParity[bt];
	return parity_bit;
}
 186 void GetParity(const uint8_t *pbtCmd
, uint16_t iLen
, uint8_t *par
) 
 188         uint16_t paritybit_cnt 
= 0; 
 189         uint16_t paritybyte_cnt 
= 0; 
 190         uint8_t parityBits 
= 0; 
 192         for (uint16_t i 
= 0; i 
< iLen
; i
++) { 
 193                 // Generate the parity bits 
 194                 parityBits 
|= ((OddByteParity
[pbtCmd
[i
]]) << (7-paritybit_cnt
)); 
 195                 if (paritybit_cnt 
== 7) { 
 196                         par
[paritybyte_cnt
] = parityBits
;       // save 8 Bits parity 
 197                         parityBits 
= 0;                                         // and advance to next Parity Byte 
 205         // save remaining parity bits 
 206         par
[paritybyte_cnt
] = parityBits
; 
// Append the ISO 14443-A CRC to a frame in place.
// The two CRC bytes are written at data[len] and data[len + 1], so the
// caller's buffer must have room for len + 2 bytes.
void AppendCrc14443a(uint8_t* data, int len)
{
	uint8_t *crc_first = data + len;
	uint8_t *crc_second = crc_first + 1;
	ComputeCrc14443(CRC_14443_A, data, len, crc_first, crc_second);
}
// Append the ISO 14443-B CRC to a frame in place.
// The two CRC bytes are written at data[len] and data[len + 1], so the
// caller's buffer must have room for len + 2 bytes.
void AppendCrc14443b(uint8_t* data, int len)
{
	uint8_t *crc_first = data + len;
	uint8_t *crc_second = crc_first + 1;
	ComputeCrc14443(CRC_14443_B, data, len, crc_first, crc_second);
}
 221 //============================================================================= 
 222 // ISO 14443 Type A - Miller decoder 
 223 //============================================================================= 
 225 // This decoder is used when the PM3 acts as a tag. 
226 // The reader will generate "pauses" by temporarily switching off the field. 
 227 // At the PM3 antenna we will therefore measure a modulated antenna voltage.  
 228 // The FPGA does a comparison with a threshold and would deliver e.g.: 
 229 // ........  1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1  ....... 
 230 // The Miller decoder needs to identify the following sequences: 
 231 // 2 (or 3) ticks pause followed by 6 (or 5) ticks unmodulated:         pause at beginning - Sequence Z ("start of communication" or a "0") 
 232 // 8 ticks without a modulation:                                                                        no pause - Sequence Y (a "0" or "end of communication" or "no information") 
 233 // 4 ticks unmodulated followed by 2 (or 3) ticks pause:                        pause in second half - Sequence X (a "1") 
 234 // Note 1: the bitstream may start at any time. We therefore need to sync. 
 235 // Note 2: the interpretation of Sequence Y and Z depends on the preceding sequence. 
 236 //----------------------------------------------------------------------------- 
 239 // Lookup-Table to decide if 4 raw bits are a modulation. 
 240 // We accept the following: 
 241 // 0001  -   a 3 tick wide pause 
 242 // 0011  -   a 2 tick wide pause, or a three tick wide pause shifted left 
 243 // 0111  -   a 2 tick wide pause shifted left 
 244 // 1001  -   a 2 tick wide pause shifted right 
// Index = the 4 raw bits (most recent tick in the lowest bit position).
// Only the four pause shapes below count as a modulation; every other
// entry is left zero-initialised, i.e. FALSE.
const bool Mod_Miller_LUT[16] = {
	[0x1] = TRUE,	// 0001 - a 3 tick wide pause
	[0x3] = TRUE,	// 0011 - a 2 tick wide pause, or a 3 tick wide pause shifted left
	[0x7] = TRUE,	// 0111 - a 2 tick wide pause shifted left
	[0x9] = TRUE,	// 1001 - a 2 tick wide pause shifted right
};
 249 #define IsMillerModulationNibble1(b) (Mod_Miller_LUT[(b & 0x000000F0) >> 4]) 
 250 #define IsMillerModulationNibble2(b) (Mod_Miller_LUT[(b & 0x0000000F)]) 
 254         Uart
.state 
= STATE_UNSYNCD
; 
 256         Uart
.len 
= 0;                                           // number of decoded data bytes 
 257         Uart
.parityLen 
= 0;                                     // number of decoded parity bytes 
 258         Uart
.shiftReg 
= 0;                                      // shiftreg to hold decoded data bits 
 259         Uart
.parityBits 
= 0;                            // holds 8 parity bits 
 268 void UartInit(uint8_t *data
, uint8_t *parity
) 
 271         Uart
.parity 
= parity
; 
 272         Uart
.fourBits 
= 0x00000000;                     // clear the buffer for 4 Bits 
 276 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time 
 277 static RAMFUNC 
bool MillerDecoding(uint8_t bit
, uint32_t non_real_time
) 
 280         Uart
.fourBits 
= (Uart
.fourBits 
<< 8) | bit
; 
 282         if (Uart
.state 
== STATE_UNSYNCD
) {                                                                                      // not yet synced 
 284                 Uart
.syncBit 
= 9999;                                                                                                    // not set 
 286                 // 00x11111 2|3 ticks pause followed by 6|5 ticks unmodulated           Sequence Z (a "0" or "start of communication") 
 287                 // 11111111 8 ticks unmodulation                                                                        Sequence Y (a "0" or "end of communication" or "no information") 
 288                 // 111100x1 4 ticks unmodulated followed by 2|3 ticks pause                     Sequence X (a "1") 
 290                 // The start bit is one ore more Sequence Y followed by a Sequence Z (... 11111111 00x11111). We need to distinguish from 
 291                 // Sequence X followed by Sequence Y followed by Sequence Z     (111100x1 11111111 00x11111) 
 292                 // we therefore look for a ...xx1111 11111111 00x11111xxxxxx... pattern  
 293                 // (12 '1's followed by 2 '0's, eventually followed by another '0', followed by 5 '1's) 
 295 #define ISO14443A_STARTBIT_MASK         0x07FFEF80              // mask is    00001111 11111111 1110 1111 10000000 
 296 #define ISO14443A_STARTBIT_PATTERN      0x07FF8F80              // pattern is 00001111 11111111 1000 1111 10000000 
 298                 if              ((Uart
.fourBits 
& (ISO14443A_STARTBIT_MASK 
>> 0)) == ISO14443A_STARTBIT_PATTERN 
>> 0) Uart
.syncBit 
= 7; 
 299                 else if ((Uart
.fourBits 
& (ISO14443A_STARTBIT_MASK 
>> 1)) == ISO14443A_STARTBIT_PATTERN 
>> 1) Uart
.syncBit 
= 6; 
 300                 else if ((Uart
.fourBits 
& (ISO14443A_STARTBIT_MASK 
>> 2)) == ISO14443A_STARTBIT_PATTERN 
>> 2) Uart
.syncBit 
= 5; 
 301                 else if ((Uart
.fourBits 
& (ISO14443A_STARTBIT_MASK 
>> 3)) == ISO14443A_STARTBIT_PATTERN 
>> 3) Uart
.syncBit 
= 4; 
 302                 else if ((Uart
.fourBits 
& (ISO14443A_STARTBIT_MASK 
>> 4)) == ISO14443A_STARTBIT_PATTERN 
>> 4) Uart
.syncBit 
= 3; 
 303                 else if ((Uart
.fourBits 
& (ISO14443A_STARTBIT_MASK 
>> 5)) == ISO14443A_STARTBIT_PATTERN 
>> 5) Uart
.syncBit 
= 2; 
 304                 else if ((Uart
.fourBits 
& (ISO14443A_STARTBIT_MASK 
>> 6)) == ISO14443A_STARTBIT_PATTERN 
>> 6) Uart
.syncBit 
= 1; 
 305                 else if ((Uart
.fourBits 
& (ISO14443A_STARTBIT_MASK 
>> 7)) == ISO14443A_STARTBIT_PATTERN 
>> 7) Uart
.syncBit 
= 0; 
 307                 if (Uart
.syncBit 
!= 9999) {                                                                                             // found a sync bit 
 308                                 Uart
.startTime 
= non_real_time
?non_real_time
:(GetCountSspClk() & 0xfffffff8); 
 309                                 Uart
.startTime 
-= Uart
.syncBit
; 
 310                                 Uart
.endTime 
= Uart
.startTime
; 
 311                                 Uart
.state 
= STATE_START_OF_COMMUNICATION
; 
 316                 if (IsMillerModulationNibble1(Uart
.fourBits 
>> Uart
.syncBit
)) {                  
 317                         if (IsMillerModulationNibble2(Uart
.fourBits 
>> Uart
.syncBit
)) {         // Modulation in both halves - error 
 319                         } else {                                                                                                                        // Modulation in first half = Sequence Z = logic "0" 
 320                                 if (Uart
.state 
== STATE_MILLER_X
) {                                                             // error - must not follow after X 
 324                                         Uart
.shiftReg 
= (Uart
.shiftReg 
>> 1);                                           // add a 0 to the shiftreg 
 325                                         Uart
.state 
= STATE_MILLER_Z
; 
 326                                         Uart
.endTime 
= Uart
.startTime 
+ 8*(9*Uart
.len 
+ Uart
.bitCount 
+ 1) - 6; 
 327                                         if(Uart
.bitCount 
>= 9) {                                                                        // if we decoded a full byte (including parity) 
 328                                                 Uart
.output
[Uart
.len
++] = (Uart
.shiftReg 
& 0xff); 
 329                                                 Uart
.parityBits 
<<= 1;                                                                  // make room for the parity bit 
 330                                                 Uart
.parityBits 
|= ((Uart
.shiftReg 
>> 8) & 0x01);               // store parity bit 
 333                                                 if((Uart
.len
&0x0007) == 0) {                                                    // every 8 data bytes 
 334                                                         Uart
.parity
[Uart
.parityLen
++] = Uart
.parityBits
;        // store 8 parity bits 
 341                         if (IsMillerModulationNibble2(Uart
.fourBits 
>> Uart
.syncBit
)) {         // Modulation second half = Sequence X = logic "1" 
 343                                 Uart
.shiftReg 
= (Uart
.shiftReg 
>> 1) | 0x100;                                   // add a 1 to the shiftreg 
 344                                 Uart
.state 
= STATE_MILLER_X
; 
 345                                 Uart
.endTime 
= Uart
.startTime 
+ 8*(9*Uart
.len 
+ Uart
.bitCount 
+ 1) - 2; 
 346                                 if(Uart
.bitCount 
>= 9) {                                                                                // if we decoded a full byte (including parity) 
 347                                         Uart
.output
[Uart
.len
++] = (Uart
.shiftReg 
& 0xff); 
 348                                         Uart
.parityBits 
<<= 1;                                                                          // make room for the new parity bit 
 349                                         Uart
.parityBits 
|= ((Uart
.shiftReg 
>> 8) & 0x01);                       // store parity bit 
 352                                         if ((Uart
.len
&0x0007) == 0) {                                                           // every 8 data bytes 
 353                                                 Uart
.parity
[Uart
.parityLen
++] = Uart
.parityBits
;                // store 8 parity bits 
 357                         } else {                                                                                                                        // no modulation in both halves - Sequence Y 
 358                                 if (Uart
.state 
== STATE_MILLER_Z 
|| Uart
.state 
== STATE_MILLER_Y
) {     // Y after logic "0" - End of Communication 
 359                                         Uart
.state 
= STATE_UNSYNCD
; 
 360                                         Uart
.bitCount
--;                                                                                        // last "0" was part of EOC sequence 
 361                                         Uart
.shiftReg 
<<= 1;                                                                            // drop it 
 362                                         if(Uart
.bitCount 
> 0) {                                                                         // if we decoded some bits 
 363                                                 Uart
.shiftReg 
>>= (9 - Uart
.bitCount
);                                  // right align them 
 364                                                 Uart
.output
[Uart
.len
++] = (Uart
.shiftReg 
& 0xff);               // add last byte to the output 
 365                                                 Uart
.parityBits 
<<= 1;                                                                  // add a (void) parity bit 
 366                                                 Uart
.parityBits 
<<= (8 - (Uart
.len
&0x0007));                    // left align parity bits 
 367                                                 Uart
.parity
[Uart
.parityLen
++] = Uart
.parityBits
;                // and store it 
 369                                         } else if (Uart
.len 
& 0x0007) {                                                         // there are some parity bits to store 
 370                                                 Uart
.parityBits 
<<= (8 - (Uart
.len
&0x0007));                    // left align remaining parity bits 
 371                                                 Uart
.parity
[Uart
.parityLen
++] = Uart
.parityBits
;                // and store them 
 374                                                 return TRUE
;                                                                                    // we are finished with decoding the raw data sequence 
 376                                                 UartReset();                                                                                    // Nothing received - start over 
 379                                 if (Uart
.state 
== STATE_START_OF_COMMUNICATION
) {                               // error - must not follow directly after SOC 
 381                                 } else {                                                                                                                // a logic "0" 
 383                                         Uart
.shiftReg 
= (Uart
.shiftReg 
>> 1);                                           // add a 0 to the shiftreg 
 384                                         Uart
.state 
= STATE_MILLER_Y
; 
 385                                         if(Uart
.bitCount 
>= 9) {                                                                        // if we decoded a full byte (including parity) 
 386                                                 Uart
.output
[Uart
.len
++] = (Uart
.shiftReg 
& 0xff); 
 387                                                 Uart
.parityBits 
<<= 1;                                                                  // make room for the parity bit 
 388                                                 Uart
.parityBits 
|= ((Uart
.shiftReg 
>> 8) & 0x01);               // store parity bit 
 391                                                 if ((Uart
.len
&0x0007) == 0) {                                                   // every 8 data bytes 
 392                                                         Uart
.parity
[Uart
.parityLen
++] = Uart
.parityBits
;        // store 8 parity bits 
 402     return FALSE
;       // not finished yet, need more data 
 407 //============================================================================= 
 408 // ISO 14443 Type A - Manchester decoder 
 409 //============================================================================= 
 411 // This decoder is used when the PM3 acts as a reader. 
 412 // The tag will modulate the reader field by asserting different loads to it. As a consequence, the voltage 
 413 // at the reader antenna will be modulated as well. The FPGA detects the modulation for us and would deliver e.g. the following: 
 414 // ........ 0 0 1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ....... 
 415 // The Manchester decoder needs to identify the following sequences: 
 416 // 4 ticks modulated followed by 4 ticks unmodulated:   Sequence D = 1 (also used as "start of communication") 
 417 // 4 ticks unmodulated followed by 4 ticks modulated:   Sequence E = 0 
 418 // 8 ticks unmodulated:                                                                 Sequence F = end of communication 
 419 // 8 ticks modulated:                                                                   A collision. Save the collision position and treat as Sequence D 
 420 // Note 1: the bitstream may start at any time. We therefore need to sync. 
 421 // Note 2: parameter offset is used to determine the position of the parity bits (required for the anticollision command only) 
 424 // Lookup-Table to decide if 4 raw bits are a modulation. 
 425 // We accept three or four "1" in any position 
// Index = the 4 raw bits. An entry is TRUE when three or four of the bits
// are set (in any position); every other entry is zero-initialised, i.e. FALSE.
const bool Mod_Manchester_LUT[16] = {
	[0x7] = TRUE,	// 0111
	[0xB] = TRUE,	// 1011
	[0xD] = TRUE,	// 1101
	[0xE] = TRUE,	// 1110
	[0xF] = TRUE,	// 1111
};
 431 #define IsManchesterModulationNibble1(b) (Mod_Manchester_LUT[(b & 0x00F0) >> 4]) 
 432 #define IsManchesterModulationNibble2(b) (Mod_Manchester_LUT[(b & 0x000F)]) 
 437         Demod
.state 
= DEMOD_UNSYNCD
; 
 438         Demod
.len 
= 0;                                          // number of decoded data bytes 
 440         Demod
.shiftReg 
= 0;                                     // shiftreg to hold decoded data bits 
 441         Demod
.parityBits 
= 0;                           //  
 442         Demod
.collisionPos 
= 0;                         // Position of collision bit 
 443         Demod
.twoBits 
= 0xffff;                         // buffer for 2 Bits 
 450         Demod
.syncBit 
= 0xFFFF; 
 454 void DemodInit(uint8_t *data
, uint8_t *parity
) 
 457         Demod
.parity 
= parity
; 
 461 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time 
 462 static RAMFUNC 
int ManchesterDecoding(uint8_t bit
, uint16_t offset
, uint32_t non_real_time
) 
 465         Demod
.twoBits 
= (Demod
.twoBits 
<< 8) | bit
; 
 467         if (Demod
.state 
== DEMOD_UNSYNCD
) { 
 469                 if (Demod
.highCnt 
< 2) {                                                                                        // wait for a stable unmodulated signal 
 470                         if (Demod
.twoBits 
== 0x0000) { 
 476                         Demod
.syncBit 
= 0xFFFF;                 // not set 
 477                         if              ((Demod
.twoBits 
& 0x7700) == 0x7000) Demod
.syncBit 
= 7;  
 478                         else if ((Demod
.twoBits 
& 0x3B80) == 0x3800) Demod
.syncBit 
= 6; 
 479                         else if ((Demod
.twoBits 
& 0x1DC0) == 0x1C00) Demod
.syncBit 
= 5; 
 480                         else if ((Demod
.twoBits 
& 0x0EE0) == 0x0E00) Demod
.syncBit 
= 4; 
 481                         else if ((Demod
.twoBits 
& 0x0770) == 0x0700) Demod
.syncBit 
= 3; 
 482                         else if ((Demod
.twoBits 
& 0x03B8) == 0x0380) Demod
.syncBit 
= 2; 
 483                         else if ((Demod
.twoBits 
& 0x01DC) == 0x01C0) Demod
.syncBit 
= 1; 
 484                         else if ((Demod
.twoBits 
& 0x00EE) == 0x00E0) Demod
.syncBit 
= 0; 
 485                         if (Demod
.syncBit 
!= 0xFFFF) { 
 486                                 Demod
.startTime 
= non_real_time
?non_real_time
:(GetCountSspClk() & 0xfffffff8); 
 487                                 Demod
.startTime 
-= Demod
.syncBit
; 
 488                                 Demod
.bitCount 
= offset
;                        // number of decoded data bits 
 489                                 Demod
.state 
= DEMOD_MANCHESTER_DATA
; 
 495                 if (IsManchesterModulationNibble1(Demod
.twoBits 
>> Demod
.syncBit
)) {            // modulation in first half 
 496                         if (IsManchesterModulationNibble2(Demod
.twoBits 
>> Demod
.syncBit
)) {    // ... and in second half = collision 
 497                                 if (!Demod
.collisionPos
) { 
 498                                         Demod
.collisionPos 
= (Demod
.len 
<< 3) + Demod
.bitCount
; 
 500                         }                                                                                                                       // modulation in first half only - Sequence D = 1 
 502                         Demod
.shiftReg 
= (Demod
.shiftReg 
>> 1) | 0x100;                         // in both cases, add a 1 to the shiftreg 
 503                         if(Demod
.bitCount 
== 9) {                                                                       // if we decoded a full byte (including parity) 
 504                                 Demod
.output
[Demod
.len
++] = (Demod
.shiftReg 
& 0xff); 
 505                                 Demod
.parityBits 
<<= 1;                                                                 // make room for the parity bit 
 506                                 Demod
.parityBits 
|= ((Demod
.shiftReg 
>> 8) & 0x01);     // store parity bit 
 509                                 if((Demod
.len
&0x0007) == 0) {                                                   // every 8 data bytes 
 510                                         Demod
.parity
[Demod
.parityLen
++] = Demod
.parityBits
;     // store 8 parity bits 
 511                                         Demod
.parityBits 
= 0; 
 514                         Demod
.endTime 
= Demod
.startTime 
+ 8*(9*Demod
.len 
+ Demod
.bitCount 
+ 1) - 4; 
 515                 } else {                                                                                                                // no modulation in first half 
 516                         if (IsManchesterModulationNibble2(Demod
.twoBits 
>> Demod
.syncBit
)) {    // and modulation in second half = Sequence E = 0 
 518                                 Demod
.shiftReg 
= (Demod
.shiftReg 
>> 1);                                 // add a 0 to the shiftreg 
 519                                 if(Demod
.bitCount 
>= 9) {                                                               // if we decoded a full byte (including parity) 
 520                                         Demod
.output
[Demod
.len
++] = (Demod
.shiftReg 
& 0xff); 
 521                                         Demod
.parityBits 
<<= 1;                                                         // make room for the new parity bit 
 522                                         Demod
.parityBits 
|= ((Demod
.shiftReg 
>> 8) & 0x01); // store parity bit 
 525                                         if ((Demod
.len
&0x0007) == 0) {                                          // every 8 data bytes 
 526                                                 Demod
.parity
[Demod
.parityLen
++] = Demod
.parityBits
;     // store 8 parity bits1 
 527                                                 Demod
.parityBits 
= 0; 
 530                                 Demod
.endTime 
= Demod
.startTime 
+ 8*(9*Demod
.len 
+ Demod
.bitCount 
+ 1); 
 531                         } else {                                                                                                        // no modulation in both halves - End of communication 
 532                                 if(Demod
.bitCount 
> 0) {                                                                // there are some remaining data bits 
 533                                         Demod
.shiftReg 
>>= (9 - Demod
.bitCount
);                        // right align the decoded bits 
 534                                         Demod
.output
[Demod
.len
++] = Demod
.shiftReg 
& 0xff;      // and add them to the output 
 535                                         Demod
.parityBits 
<<= 1;                                                         // add a (void) parity bit 
 536                                         Demod
.parityBits 
<<= (8 - (Demod
.len
&0x0007));          // left align remaining parity bits 
 537                                         Demod
.parity
[Demod
.parityLen
++] = Demod
.parityBits
;     // and store them 
 539                                 } else if (Demod
.len 
& 0x0007) {                                                // there are some parity bits to store 
 540                                         Demod
.parityBits 
<<= (8 - (Demod
.len
&0x0007));          // left align remaining parity bits 
 541                                         Demod
.parity
[Demod
.parityLen
++] = Demod
.parityBits
;     // and store them 
 544                                         return TRUE
;                                                                            // we are finished with decoding the raw data sequence 
 545                                 } else {                                                                                                // nothing received. Start over 
 551     return FALSE
;       // not finished yet, need more data 
 554 //============================================================================= 
 555 // Finally, a `sniffer' for ISO 14443 Type A 
 556 // Both sides of communication! 
 557 //============================================================================= 
 559 //----------------------------------------------------------------------------- 
 560 // Record the sequence of commands sent by the reader to the tag, with 
 561 // triggering so that we start recording at the point that the tag is moved 
 563 //----------------------------------------------------------------------------- 
 564 void RAMFUNC 
SniffIso14443a(uint8_t param
) { 
 566         // bit 0 - trigger from first card answer 
 567         // bit 1 - trigger from first reader 7-bit request 
 570         iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER
); 
 572         // Allocate memory from BigBuf for some buffers 
 573         // free all previous allocations first 
 580         // The command (reader -> tag) that we're receiving. 
 581         uint8_t *receivedCmd 
= BigBuf_malloc(MAX_FRAME_SIZE
); 
 582         uint8_t *receivedCmdPar 
= BigBuf_malloc(MAX_PARITY_SIZE
); 
 584         // The response (tag -> reader) that we're receiving. 
 585         uint8_t *receivedResponse 
= BigBuf_malloc(MAX_FRAME_SIZE
); 
 586         uint8_t *receivedResponsePar 
= BigBuf_malloc(MAX_PARITY_SIZE
); 
 588         // The DMA buffer, used to stream samples from the FPGA 
 589         uint8_t *dmaBuf 
= BigBuf_malloc(DMA_BUFFER_SIZE
); 
 591         uint8_t *data 
= dmaBuf
; 
 592         uint8_t previous_data 
= 0; 
 595         bool TagIsActive 
= FALSE
; 
 596         bool ReaderIsActive 
= FALSE
; 
 598         // Set up the demodulator for tag -> reader responses. 
 599         DemodInit(receivedResponse
, receivedResponsePar
); 
 601         // Set up the demodulator for the reader -> tag commands 
 602         UartInit(receivedCmd
, receivedCmdPar
); 
 604         // Setup and start DMA. 
 605         FpgaSetupSscDma((uint8_t *)dmaBuf
, DMA_BUFFER_SIZE
); 
 607         // We won't start recording the frames that we acquire until we trigger; 
 608         // a good trigger condition to get started is probably when we see a 
 609         // response from the tag. 
 610         // triggered == FALSE -- to wait first for card 
 611         bool triggered 
= !(param 
& 0x03);  
 613         // And now we loop, receiving samples. 
 614         for(uint32_t rsamples 
= 0; TRUE
; ) { 
 617                         DbpString("cancelled by button"); 
 624                 int register readBufDataP 
= data 
- dmaBuf
; 
 625                 int register dmaBufDataP 
= DMA_BUFFER_SIZE 
- AT91C_BASE_PDC_SSC
->PDC_RCR
; 
 626                 if (readBufDataP 
<= dmaBufDataP
){ 
 627                         dataLen 
= dmaBufDataP 
- readBufDataP
; 
 629                         dataLen 
= DMA_BUFFER_SIZE 
- readBufDataP 
+ dmaBufDataP
; 
 631                 // test for length of buffer 
 632                 if(dataLen 
> maxDataLen
) { 
 633                         maxDataLen 
= dataLen
; 
 634                         if(dataLen 
> (9 * DMA_BUFFER_SIZE 
/ 10)) { 
 635                                 Dbprintf("blew circular buffer! dataLen=%d", dataLen
); 
 639                 if(dataLen 
< 1) continue; 
 641                 // primary buffer was stopped( <-- we lost data! 
 642                 if (!AT91C_BASE_PDC_SSC
->PDC_RCR
) { 
 643                         AT91C_BASE_PDC_SSC
->PDC_RPR 
= (uint32_t) dmaBuf
; 
 644                         AT91C_BASE_PDC_SSC
->PDC_RCR 
= DMA_BUFFER_SIZE
; 
 645                         Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen
); // temporary 
 647                 // secondary buffer sets as primary, secondary buffer was stopped 
 648                 if (!AT91C_BASE_PDC_SSC
->PDC_RNCR
) { 
 649                         AT91C_BASE_PDC_SSC
->PDC_RNPR 
= (uint32_t) dmaBuf
; 
 650                         AT91C_BASE_PDC_SSC
->PDC_RNCR 
= DMA_BUFFER_SIZE
; 
 655                 if (rsamples 
& 0x01) {                          // Need two samples to feed Miller and Manchester-Decoder 
 657                         if(!TagIsActive
) {              // no need to try decoding reader data if the tag is sending 
 658                                 uint8_t readerdata 
= (previous_data 
& 0xF0) | (*data 
>> 4); 
 659                                 if (MillerDecoding(readerdata
, (rsamples
-1)*4)) { 
 662                                         // check - if there is a short 7bit request from reader 
 663                                         if ((!triggered
) && (param 
& 0x02) && (Uart
.len 
== 1) && (Uart
.bitCount 
== 7)) triggered 
= TRUE
; 
 666                                                 if (!LogTrace(receivedCmd
,  
 668                                                                                 Uart
.startTime
*16 - DELAY_READER_AIR2ARM_AS_SNIFFER
, 
 669                                                                                 Uart
.endTime
*16 - DELAY_READER_AIR2ARM_AS_SNIFFER
, 
 673                                         /* And ready to receive another command. */ 
 675                                         /* And also reset the demod code, which might have been */ 
 676                                         /* false-triggered by the commands from the reader. */ 
 680                                 ReaderIsActive 
= (Uart
.state 
!= STATE_UNSYNCD
); 
 683                         if(!ReaderIsActive
) {           // no need to try decoding tag data if the reader is sending - and we cannot afford the time 
 684                                 uint8_t tagdata 
= (previous_data 
<< 4) | (*data 
& 0x0F); 
 685                                 if(ManchesterDecoding(tagdata
, 0, (rsamples
-1)*4)) { 
 688                                         if (!LogTrace(receivedResponse
,  
 690                                                                         Demod
.startTime
*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER
,  
 691                                                                         Demod
.endTime
*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER
, 
 695                                         if ((!triggered
) && (param 
& 0x01)) triggered 
= TRUE
; 
 697                                         // And ready to receive another response. 
 699                                         // And reset the Miller decoder including itS (now outdated) input buffer 
 700                                         UartInit(receivedCmd
, receivedCmdPar
); 
 704                                 TagIsActive 
= (Demod
.state 
!= DEMOD_UNSYNCD
); 
 708                 previous_data 
= *data
; 
 711                 if(data 
== dmaBuf 
+ DMA_BUFFER_SIZE
) { 
 719         Dbprintf("maxDataLen=%d, Uart.state=%x, Uart.len=%d", maxDataLen
, Uart
.state
, Uart
.len
); 
 720         Dbprintf("traceLen=%d, Uart.output[0]=%08x", BigBuf_get_traceLen(), (uint32_t)Uart
.output
[0]); 
 725 //----------------------------------------------------------------------------- 
 726 // Prepare tag messages 
 727 //----------------------------------------------------------------------------- 
 728 static void CodeIso14443aAsTagPar(const uint8_t *cmd
, uint16_t len
, uint8_t *parity
) 
 732         // Correction bit, might be removed when not needed 
 737         ToSendStuffBit(1);  // 1 
 743         ToSend
[++ToSendMax
] = SEC_D
; 
 744         LastProxToAirDuration 
= 8 * ToSendMax 
- 4; 
 746         for(uint16_t i 
= 0; i 
< len
; i
++) { 
 750                 for(uint16_t j 
= 0; j 
< 8; j
++) { 
 752                                 ToSend
[++ToSendMax
] = SEC_D
; 
 754                                 ToSend
[++ToSendMax
] = SEC_E
; 
 759                 // Get the parity bit 
 760                 if (parity
[i
>>3] & (0x80>>(i
&0x0007))) { 
 761                         ToSend
[++ToSendMax
] = SEC_D
; 
 762                         LastProxToAirDuration 
= 8 * ToSendMax 
- 4; 
 764                         ToSend
[++ToSendMax
] = SEC_E
; 
 765                         LastProxToAirDuration 
= 8 * ToSendMax
; 
 770         ToSend
[++ToSendMax
] = SEC_F
; 
 772         // Convert from last byte pos to length 
 776 static void CodeIso14443aAsTag(const uint8_t *cmd
, uint16_t len
) 
 778         uint8_t par
[MAX_PARITY_SIZE
]; 
 780         GetParity(cmd
, len
, par
); 
 781         CodeIso14443aAsTagPar(cmd
, len
, par
); 
 785 static void Code4bitAnswerAsTag(uint8_t cmd
) 
 791         // Correction bit, might be removed when not needed 
 796         ToSendStuffBit(1);  // 1 
 802         ToSend
[++ToSendMax
] = SEC_D
; 
 805         for(i 
= 0; i 
< 4; i
++) { 
 807                         ToSend
[++ToSendMax
] = SEC_D
; 
 808                         LastProxToAirDuration 
= 8 * ToSendMax 
- 4; 
 810                         ToSend
[++ToSendMax
] = SEC_E
; 
 811                         LastProxToAirDuration 
= 8 * ToSendMax
; 
 817         ToSend
[++ToSendMax
] = SEC_F
; 
 819         // Convert from last byte pos to length 
 823 //----------------------------------------------------------------------------- 
 824 // Wait for commands from reader 
 825 // Stop when button is pressed 
 826 // Or return TRUE when command is captured 
 827 //----------------------------------------------------------------------------- 
 828 static int GetIso14443aCommandFromReader(uint8_t *received
, uint8_t *parity
, int *len
) 
 830     // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen 
 831     // only, since we are receiving, not transmitting). 
 832     // Signal field is off with the appropriate LED 
 834     FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A 
| FPGA_HF_ISO14443A_TAGSIM_LISTEN
); 
 836     // Now run a `software UART' on the stream of incoming samples. 
 837         UartInit(received
, parity
); 
 840     uint8_t b 
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
; 
 845         if(BUTTON_PRESS()) return FALSE
; 
 847         if(AT91C_BASE_SSC
->SSC_SR 
& (AT91C_SSC_RXRDY
)) { 
 848             b 
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
; 
 849                         if(MillerDecoding(b
, 0)) { 
 857 static int EmSendCmd14443aRaw(uint8_t *resp
, uint16_t respLen
, bool correctionNeeded
); 
 858 int EmSend4bitEx(uint8_t resp
, bool correctionNeeded
); 
 859 int EmSend4bit(uint8_t resp
); 
 860 int EmSendCmdExPar(uint8_t *resp
, uint16_t respLen
, bool correctionNeeded
, uint8_t *par
); 
 861 int EmSendCmdEx(uint8_t *resp
, uint16_t respLen
, bool correctionNeeded
); 
 862 int EmSendCmd(uint8_t *resp
, uint16_t respLen
); 
 863 int EmSendCmdPar(uint8_t *resp
, uint16_t respLen
, uint8_t *par
); 
 864 bool EmLogTrace(uint8_t *reader_data
, uint16_t reader_len
, uint32_t reader_StartTime
, uint32_t reader_EndTime
, uint8_t *reader_Parity
, 
 865                                  uint8_t *tag_data
, uint16_t tag_len
, uint32_t tag_StartTime
, uint32_t tag_EndTime
, uint8_t *tag_Parity
); 
 867 static uint8_t* free_buffer_pointer
; 
 874   uint32_t ProxToAirDuration
; 
 875 } tag_response_info_t
; 
 877 bool prepare_tag_modulation(tag_response_info_t
* response_info
, size_t max_buffer_size
) { 
 878         // Example response, answer to MIFARE Classic read block will be 16 bytes + 2 CRC = 18 bytes 
 879         // This will need the following byte array for a modulation sequence 
 880         //    144        data bits (18 * 8) 
 883         //      1        Correction bit (Answer in 1172 or 1236 periods, see FPGA) 
 884         //      1        just for the case 
 886         //    166 bytes, since every bit that needs to be send costs us a byte 
 890   // Prepare the tag modulation bits from the message 
 891   CodeIso14443aAsTag(response_info
->response
,response_info
->response_n
); 
 893   // Make sure we do not exceed the free buffer space 
 894   if (ToSendMax 
> max_buffer_size
) { 
 895     Dbprintf("Out of memory, when modulating bits for tag answer:"); 
 896     Dbhexdump(response_info
->response_n
,response_info
->response
,false); 
 900   // Copy the byte array, used for this modulation to the buffer position 
 901   memcpy(response_info
->modulation
,ToSend
,ToSendMax
); 
 903   // Store the number of bytes that were used for encoding/modulation and the time needed to transfer them 
 904   response_info
->modulation_n 
= ToSendMax
; 
 905   response_info
->ProxToAirDuration 
= LastProxToAirDuration
; 
 911 // "precompile" responses. There are 7 predefined responses with a total of 28 bytes data to transmit. 
 912 // Coded responses need one byte per bit to transfer (data, parity, start, stop, correction)  
 913 // 28 * 8 data bits, 28 * 1 parity bits, 7 start bits, 7 stop bits, 7 correction bits 
 914 // -> need 273 bytes buffer 
 915 // 44 * 8 data bits, 44 * 1 parity bits, 9 start bits, 9 stop bits, 9 correction bits --370 
 916 // 47 * 8 data bits, 47 * 1 parity bits, 10 start bits, 10 stop bits, 10 correction bits  
 917 #define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 453  
 919 bool prepare_allocated_tag_modulation(tag_response_info_t
* response_info
) { 
 920   // Retrieve and store the current buffer index 
 921   response_info
->modulation 
= free_buffer_pointer
; 
 923   // Determine the maximum size we can use from our buffer 
 924   size_t max_buffer_size 
= ALLOCATED_TAG_MODULATION_BUFFER_SIZE
; 
 926   // Forward the prepare tag modulation function to the inner function 
 927   if (prepare_tag_modulation(response_info
, max_buffer_size
)) { 
 928     // Update the free buffer offset 
 929     free_buffer_pointer 
+= ToSendMax
; 
 936 //----------------------------------------------------------------------------- 
 937 // Main loop of simulated tag: receive commands from reader, decide what 
 938 // response to send, and send it. 
 939 //----------------------------------------------------------------------------- 
 940 void SimulateIso14443aTag(int tagType
, int flags
, byte_t
* data
) 
 943         //Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2 
 944         // This can be used in a reader-only attack. 
 945         // (it can also be retrieved via 'hf 14a list', but hey... 
 946         uint32_t ar_nr_responses
[] = {0,0,0,0,0,0,0,0,0,0}; 
 947         uint8_t ar_nr_collected 
= 0; 
 951         // PACK response to PWD AUTH for EV1/NTAG 
 952         uint8_t response8
[4] =  {0,0,0,0}; 
 954         // The first response contains the ATQA (note: bytes are transmitted in reverse order). 
 955         uint8_t response1
[2] =  {0,0}; 
 958                 case 1: { // MIFARE Classic 
 959                         // Says: I am Mifare 1k - original line 
 964                 case 2: { // MIFARE Ultralight 
 965                         // Says: I am a stupid memory tag, no crypto 
 970                 case 3: { // MIFARE DESFire 
 971                         // Says: I am a DESFire tag, ph33r me 
 976                 case 4: { // ISO/IEC 14443-4 
 977                         // Says: I am a javacard (JCOP) 
 982                 case 5: { // MIFARE TNP3XXX 
 988                 case 6: { // MIFARE Mini 
 989                         // Says: I am a Mifare Mini, 320b 
 995                         // Says: I am a NTAG,  
1000                         response8
[0] = 0x80; 
1001                         response8
[1] = 0x80; 
1002                         ComputeCrc14443(CRC_14443_A
, response8
, 2, &response8
[2], &response8
[3]); 
1005                         Dbprintf("Error: unkown tagtype (%d)",tagType
); 
1010         // The second response contains the (mandatory) first 24 bits of the UID 
1011         uint8_t response2
[5] = {0x00}; 
1013         // Check if the uid uses the (optional) part 
1014         uint8_t response2a
[5] = {0x00}; 
1016         if (flags 
& FLAG_7B_UID_IN_DATA
) { 
1017                 response2
[0] = 0x88; 
1018                 response2
[1] = data
[0]; 
1019                 response2
[2] = data
[1]; 
1020                 response2
[3] = data
[2]; 
1022                 response2a
[0] = data
[3]; 
1023                 response2a
[1] = data
[4]; 
1024                 response2a
[2] = data
[5]; 
1025                 response2a
[3] = data
[6]; //?? 
1026                 response2a
[4] = response2a
[0] ^ response2a
[1] ^ response2a
[2] ^ response2a
[3]; 
1028                 // Configure the ATQA and SAK accordingly 
1029                 response1
[0] |= 0x40; 
1032                 memcpy(response2
, data
, 4); 
1033                 //num_to_bytes(uid_1st,4,response2); 
1034                 // Configure the ATQA and SAK accordingly 
1035                 response1
[0] &= 0xBF; 
1039         // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID. 
1040         response2
[4] = response2
[0] ^ response2
[1] ^ response2
[2] ^ response2
[3]; 
1042         // Prepare the mandatory SAK (for 4 and 7 byte UID) 
1043         uint8_t response3
[3]  = {0x00}; 
1045         ComputeCrc14443(CRC_14443_A
, response3
, 1, &response3
[1], &response3
[2]); 
1047         // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit 
1048         uint8_t response3a
[3]  = {0x00}; 
1049         response3a
[0] = sak 
& 0xFB; 
1050         ComputeCrc14443(CRC_14443_A
, response3a
, 1, &response3a
[1], &response3a
[2]); 
1052         uint8_t response5
[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce 
1053         uint8_t response6
[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS:  
1054         // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present,  
1055         // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1 
1056         // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us) 
1057         // TC(1) = 0x02: CID supported, NAD not supported 
1058         ComputeCrc14443(CRC_14443_A
, response6
, 4, &response6
[4], &response6
[5]); 
1060         // Prepare GET_VERSION (different for EV-1 / NTAG) 
1061         //uint8_t response7_EV1[] = {0x00, 0x04, 0x03, 0x01, 0x01, 0x00, 0x0b, 0x03, 0xfd, 0xf7};  //EV1 48bytes VERSION. 
1062         uint8_t response7_NTAG
[] = {0x00, 0x04, 0x04, 0x02, 0x01, 0x00, 0x11, 0x03, 0x01, 0x9e}; //NTAG 215 
1064         // Prepare CHK_TEARING 
1065         uint8_t response9
[] =  {0xBD,0x90,0x3f}; 
1067         #define TAG_RESPONSE_COUNT 10 
1068         tag_response_info_t responses
[TAG_RESPONSE_COUNT
] = { 
1069                 { .response 
= response1
,  .response_n 
= sizeof(response1
)  },  // Answer to request - respond with card type 
1070                 { .response 
= response2
,  .response_n 
= sizeof(response2
)  },  // Anticollision cascade1 - respond with uid 
1071                 { .response 
= response2a
, .response_n 
= sizeof(response2a
) },  // Anticollision cascade2 - respond with 2nd half of uid if asked 
1072                 { .response 
= response3
,  .response_n 
= sizeof(response3
)  },  // Acknowledge select - cascade 1 
1073                 { .response 
= response3a
, .response_n 
= sizeof(response3a
) },  // Acknowledge select - cascade 2 
1074                 { .response 
= response5
,  .response_n 
= sizeof(response5
)  },  // Authentication answer (random nonce) 
1075                 { .response 
= response6
,  .response_n 
= sizeof(response6
)  },  // dummy ATS (pseudo-ATR), answer to RATS 
1076                 { .response 
= response7_NTAG
,  .response_n 
= sizeof(response7_NTAG
)  },  // EV1/NTAG GET_VERSION response 
1077                 { .response 
= response8
,   .response_n 
= sizeof(response8
) },  // EV1/NTAG PACK response 
1078                 { .response 
= response9
,   .response_n 
= sizeof(response9
) }  // EV1/NTAG CHK_TEAR response 
1081         // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it 
1082         // Such a response is less time critical, so we can prepare them on the fly 
1083         #define DYNAMIC_RESPONSE_BUFFER_SIZE 64 
1084         #define DYNAMIC_MODULATION_BUFFER_SIZE 512 
1085         uint8_t dynamic_response_buffer
[DYNAMIC_RESPONSE_BUFFER_SIZE
]; 
1086         uint8_t dynamic_modulation_buffer
[DYNAMIC_MODULATION_BUFFER_SIZE
]; 
1087         tag_response_info_t dynamic_response_info 
= { 
1088                 .response 
= dynamic_response_buffer
, 
1090                 .modulation 
= dynamic_modulation_buffer
, 
1094         // We need to listen to the high-frequency, peak-detected path. 
1095         iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN
); 
1097         BigBuf_free_keep_EM(); 
1099         // allocate buffers: 
1100         uint8_t *receivedCmd 
= BigBuf_malloc(MAX_FRAME_SIZE
); 
1101         uint8_t *receivedCmdPar 
= BigBuf_malloc(MAX_PARITY_SIZE
); 
1102         free_buffer_pointer 
= BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE
); 
1108         // Prepare the responses of the anticollision phase 
1109         // there will be not enough time to do this at the moment the reader sends it REQA 
1110         for (size_t i
=0; i
<TAG_RESPONSE_COUNT
; i
++) { 
1111                 prepare_allocated_tag_modulation(&responses
[i
]); 
1116         // To control where we are in the protocol 
1120         // Just to allow some checks 
1126         tag_response_info_t
* p_response
; 
1130                 // Clean receive command buffer 
1132                 if(!GetIso14443aCommandFromReader(receivedCmd
, receivedCmdPar
, &len
)) { 
1133                         DbpString("Button press"); 
1139                 // Okay, look at the command now. 
1141                 if(receivedCmd
[0] == 0x26) { // Received a REQUEST 
1142                         p_response 
= &responses
[0]; order 
= 1; 
1143                 } else if(receivedCmd
[0] == 0x52) { // Received a WAKEUP 
1144                         p_response 
= &responses
[0]; order 
= 6; 
1145                 } else if(receivedCmd
[1] == 0x20 && receivedCmd
[0] == 0x93) {   // Received request for UID (cascade 1) 
1146                         p_response 
= &responses
[1]; order 
= 2; 
1147                 } else if(receivedCmd
[1] == 0x20 && receivedCmd
[0] == 0x95) {   // Received request for UID (cascade 2) 
1148                         p_response 
= &responses
[2]; order 
= 20; 
1149                 } else if(receivedCmd
[1] == 0x70 && receivedCmd
[0] == 0x93) {   // Received a SELECT (cascade 1) 
1150                         p_response 
= &responses
[3]; order 
= 3; 
1151                 } else if(receivedCmd
[1] == 0x70 && receivedCmd
[0] == 0x95) {   // Received a SELECT (cascade 2) 
1152                         p_response 
= &responses
[4]; order 
= 30; 
1153                 } else if(receivedCmd
[0] == 0x30) {     // Received a (plain) READ 
1154                         uint8_t block 
= receivedCmd
[1]; 
1155                         if ( tagType 
== 7 ) { 
1156                                 uint16_t start 
= 4 * block
; 
1158                                 /*if ( block < 4 ) { 
1160                                         uint8_t blockdata[50] = { 
1161                                         data[0],data[1],data[2], 0x88 ^ data[0] ^ data[1] ^ data[2], 
1162                                         data[3],data[4],data[5],data[6], 
1163                                         data[3] ^ data[4] ^ data[5] ^ data[6],0x48,0x0f,0xe0, 
1164                                         0xe1,0x10,0x12,0x00, 
1165                                         0x03,0x00,0xfe,0x00,  
1166                                         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 
1167                                         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 
1168                                         0x00,0x00,0x00,0x00, 
1170                                         AppendCrc14443a(blockdata+start, 16); 
1171                                         EmSendCmdEx( blockdata+start, MAX_MIFARE_FRAME_SIZE, false); 
1173                                         uint8_t emdata
[MAX_MIFARE_FRAME_SIZE
]; 
1174                                         emlGetMemBt( emdata
, start
, 16); 
1175                                         AppendCrc14443a(emdata
, 16); 
1176                                         EmSendCmdEx(emdata
, sizeof(emdata
), false);                              
1181                                 EmSendCmdEx(data
+(4*block
),16,false); 
1182                                 // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]); 
1183                                 // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below 
1186                 } else if(receivedCmd
[0] == 0x3A) {     // Received a FAST READ (ranged read) -- just returns all zeros. 
1188                                 uint8_t emdata
[MAX_FRAME_SIZE
]; 
1189                                 int start 
=  receivedCmd
[1] * 4; 
1190                                 int len   
= (receivedCmd
[2] - receivedCmd
[1] + 1) * 4; 
1191                                 emlGetMemBt( emdata
, start
, len
); 
1192                                 AppendCrc14443a(emdata
, len
); 
1193                                 EmSendCmdEx(emdata
, len
+2, false);                               
1196                 } else if(receivedCmd
[0] == 0x3C && tagType 
== 7) {     // Received a READ SIGNATURE --  
1197                                 // ECC data,  taken from a NTAG215 amiibo token. might work. LEN: 32, + 2 crc 
1198                                 uint8_t data
[] = {0x56,0x06,0xa6,0x4f,0x43,0x32,0x53,0x6f, 
1199                                                                   0x43,0xda,0x45,0xd6,0x61,0x38,0xaa,0x1e, 
1200                                                                   0xcf,0xd3,0x61,0x36,0xca,0x5f,0xbb,0x05, 
1201                                                                   0xce,0x21,0x24,0x5b,0xa6,0x7a,0x79,0x07, 
1203                                 AppendCrc14443a(data
, sizeof(data
)-2); 
1204                                 EmSendCmdEx(data
,sizeof(data
),false); 
1206                 } else if(receivedCmd
[0] == 0x39 && tagType 
== 7) {     // Received a READ COUNTER --  
1207                                 uint8_t data
[] =  {0x00,0x00,0x00,0x14,0xa5}; 
1208                                 EmSendCmdEx(data
,sizeof(data
),false);                            
1210                 } else if(receivedCmd
[0] == 0xA5 && tagType 
== 7) {     // Received a INC COUNTER --  
1211                         // number of counter 
1212                         //uint8_t counter = receivedCmd[1]; 
1213                         //uint32_t val = bytes_to_num(receivedCmd+2,4); 
1216                         uint8_t ack
[] = {0x0a}; 
1217                         EmSendCmdEx(ack
,sizeof(ack
),false); 
1220                 } else if(receivedCmd
[0] == 0x3E && tagType 
== 7) {     // Received a CHECK_TEARING_EVENT --  
1221                                 p_response 
= &responses
[9];                              
1222                 } else if(receivedCmd
[0] == 0x50) {     // Received a HALT 
1225                                 LogTrace(receivedCmd
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
); 
1228                 } else if(receivedCmd
[0] == 0x60 || receivedCmd
[0] == 0x61) {   // Received an authentication request 
1230                         if ( tagType 
== 7 ) {   // IF NTAG /EV1  0x60 == GET_VERSION, not a authentication request. 
1231                                 p_response 
= &responses
[7]; 
1233                                 p_response 
= &responses
[5]; order 
= 7; 
1235                 } else if(receivedCmd
[0] == 0xE0) {     // Received a RATS request 
1236                         if (tagType 
== 1 || tagType 
== 2) {     // RATS not supported 
1237                                 EmSend4bit(CARD_NACK_NA
); 
1240                                 p_response 
= &responses
[6]; order 
= 70; 
1242                 } else if (order 
== 7 && len 
== 8) { // Received {nr] and {ar} (part of authentication) 
1244                                 LogTrace(receivedCmd
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
); 
1246                         uint32_t nonce 
= bytes_to_num(response5
,4); 
1247                         uint32_t nr 
= bytes_to_num(receivedCmd
,4); 
1248                         uint32_t ar 
= bytes_to_num(receivedCmd
+4,4); 
1249                         //Dbprintf("Auth attempt {nonce}{nr}{ar}: %08x %08x %08x", nonce, nr, ar); 
1251                         if(flags 
& FLAG_NR_AR_ATTACK 
) 
1253                                 if(ar_nr_collected 
< 2){ 
1254                                         // Avoid duplicates... probably not necessary, nr should vary.  
1255                                         //if(ar_nr_responses[3] != nr){                                          
1256                                                 ar_nr_responses
[ar_nr_collected
*5]   = 0; 
1257                                                 ar_nr_responses
[ar_nr_collected
*5+1] = 0; 
1258                                                 ar_nr_responses
[ar_nr_collected
*5+2] = nonce
; 
1259                                                 ar_nr_responses
[ar_nr_collected
*5+3] = nr
; 
1260                                                 ar_nr_responses
[ar_nr_collected
*5+4] = ar
; 
1265                                 if(ar_nr_collected 
> 1 ) { 
1267                                         if (MF_DBGLEVEL 
>= 2) { 
1268                                                         Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:"); 
1269                                                         Dbprintf("../tools/mfkey/mfkey32 %07x%08x %08x %08x %08x %08x %08x", 
1270                                                                 ar_nr_responses
[0], // UID1 
1271                                                                 ar_nr_responses
[1], // UID2 
1272                                                                 ar_nr_responses
[2], // NT 
1273                                                                 ar_nr_responses
[3], // AR1 
1274                                                                 ar_nr_responses
[4], // NR1 
1275                                                                 ar_nr_responses
[8], // AR2 
1276                                                                 ar_nr_responses
[9]  // NR2 
1278                                                         Dbprintf("../tools/mfkey/mfkey32v2 %06x%08x %08x %08x %08x %08x %08x %08x", 
1279                                                                 ar_nr_responses
[0], // UID1 
1280                                                                 ar_nr_responses
[1], // UID2 
1281                                                                 ar_nr_responses
[2], // NT1 
1282                                                                 ar_nr_responses
[3], // AR1 
1283                                                                 ar_nr_responses
[4], // NR1 
1284                                                                 ar_nr_responses
[7], // NT2 
1285                                                                 ar_nr_responses
[8], // AR2 
1286                                                                 ar_nr_responses
[9]  // NR2 
1289                                         uint8_t len 
= ar_nr_collected
*5*4; 
1290                                         cmd_send(CMD_ACK
,CMD_SIMULATE_MIFARE_CARD
,len
,0,&ar_nr_responses
,len
); 
1291                                         ar_nr_collected 
= 0; 
1292                                         memset(ar_nr_responses
, 0x00, len
); 
1295                 } else if (receivedCmd
[0] == 0x1a ) // ULC authentication 
1299                 else if (receivedCmd
[0] == 0x1b) // NTAG / EV-1 authentication 
1301                         if ( tagType 
== 7 ) { 
1302                                 p_response 
=  &responses
[8]; // PACK response 
1303                                 uint32_t pwd 
= bytes_to_num(receivedCmd
+1,4); 
1305                                 if ( MF_DBGLEVEL 
>= 3)  Dbprintf("Auth attempt: %08x", pwd
);     
1309                         // Check for ISO 14443A-4 compliant commands, look at left nibble 
1310                         switch (receivedCmd
[0]) { 
1312                                 case 0x03: {  // IBlock (command no CID) 
1313                                         dynamic_response_info
.response
[0] = receivedCmd
[0]; 
1314                                         dynamic_response_info
.response
[1] = 0x90; 
1315                                         dynamic_response_info
.response
[2] = 0x00; 
1316                                         dynamic_response_info
.response_n 
= 3; 
1319                                 case 0x0A: { // IBlock (command CID) 
1320                                   dynamic_response_info
.response
[0] = receivedCmd
[0]; 
1321                                   dynamic_response_info
.response
[1] = 0x00; 
1322                                   dynamic_response_info
.response
[2] = 0x90; 
1323                                   dynamic_response_info
.response
[3] = 0x00; 
1324                                   dynamic_response_info
.response_n 
= 4; 
1328                                 case 0x1B: { // Chaining command 
1329                                   dynamic_response_info
.response
[0] = 0xaa | ((receivedCmd
[0]) & 1); 
1330                                   dynamic_response_info
.response_n 
= 2; 
1335                                   dynamic_response_info
.response
[0] = receivedCmd
[0] ^ 0x11; 
1336                                   dynamic_response_info
.response_n 
= 2; 
1339                                 case 0xBA: { // ping / pong 
1340                                         dynamic_response_info
.response
[0] = 0xAB; 
1341                                         dynamic_response_info
.response
[1] = 0x00; 
1342                                         dynamic_response_info
.response_n 
= 2; 
1346                                 case 0xC2: { // Readers sends deselect command 
1347                                         dynamic_response_info
.response
[0] = 0xCA; 
1348                                         dynamic_response_info
.response
[1] = 0x00; 
1349                                         dynamic_response_info
.response_n 
= 2; 
1353                                         // Never seen this command before 
1355                                                 LogTrace(receivedCmd
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
); 
1357                                         Dbprintf("Received unknown command (len=%d):",len
); 
1358                                         Dbhexdump(len
,receivedCmd
,false); 
1360                                         dynamic_response_info
.response_n 
= 0; 
1364                         if (dynamic_response_info
.response_n 
> 0) { 
1365                                 // Copy the CID from the reader query 
1366                                 dynamic_response_info
.response
[1] = receivedCmd
[1]; 
1368                                 // Add CRC bytes, always used in ISO 14443A-4 compliant cards 
1369                                 AppendCrc14443a(dynamic_response_info
.response
,dynamic_response_info
.response_n
); 
1370                                 dynamic_response_info
.response_n 
+= 2; 
1372                                 if (prepare_tag_modulation(&dynamic_response_info
,DYNAMIC_MODULATION_BUFFER_SIZE
) == false) { 
1373                                         Dbprintf("Error preparing tag response"); 
1375                                                 LogTrace(receivedCmd
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
); 
1379                                 p_response 
= &dynamic_response_info
; 
1383                 // Count number of wakeups received after a halt 
1384                 if(order 
== 6 && lastorder 
== 5) { happened
++; } 
1386                 // Count number of other messages after a halt 
1387                 if(order 
!= 6 && lastorder 
== 5) { happened2
++; } 
1389                 if(cmdsRecvd 
> 999) { 
1390                         DbpString("1000 commands later..."); 
1395                 if (p_response 
!= NULL
) { 
1396                         EmSendCmd14443aRaw(p_response
->modulation
, p_response
->modulation_n
, receivedCmd
[0] == 0x52); 
1397                         // do the tracing for the previous reader request and this tag answer: 
1398                         uint8_t par
[MAX_PARITY_SIZE
]; 
1399                         GetParity(p_response
->response
, p_response
->response_n
, par
); 
1401                         EmLogTrace(Uart
.output
,  
1403                                                 Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
,  
1404                                                 Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
,  
1406                                                 p_response
->response
,  
1407                                                 p_response
->response_n
, 
1408                                                 LastTimeProxToAirStart
*16 + DELAY_ARM2AIR_AS_TAG
, 
1409                                                 (LastTimeProxToAirStart 
+ p_response
->ProxToAirDuration
)*16 + DELAY_ARM2AIR_AS_TAG
,  
1414                         Dbprintf("Trace Full. Simulation stopped."); 
1419         FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
); 
1421         BigBuf_free_keep_EM(); 
1424         if (MF_DBGLEVEL 
>= 4){ 
1425                 Dbprintf("-[ Wake ups after halt [%d]", happened
); 
1426                 Dbprintf("-[ Messages after halt [%d]", happened2
); 
1427                 Dbprintf("-[ Num of received cmd [%d]", cmdsRecvd
); 
1432 // prepare a delayed transfer. This simply shifts ToSend[] by a number 
1433 // of bits specified in the delay parameter. 
// Shift the whole ToSend[] bit stream right by `delay` bits so the transfer
// leaves the FPGA that many ticks later. One extra zero byte is appended so
// the bits pushed out of the last byte are not lost.
// The mask/shift arithmetic below is only meaningful for delay in 0..7: the
// single caller visible in this listing (TransmitFor14443a) passes
// (timing & 0x7). The guard between original lines 1438 and 1442 is not shown.
1434 void PrepareDelayedTransfer(uint16_t delay
) 
// Mask selecting the low `delay` bits of a byte (the bits that spill over
// into the following byte).
1436         uint8_t bitmask 
= 0; 
// Carry bits taken out of the current byte / carried in from the previous one.
1437         uint8_t bits_to_shift 
= 0; 
1438         uint8_t bits_shifted 
= 0; 
// Build the spill-over mask: bit i set for every i < delay.
1442                 for (uint16_t i 
= 0; i 
< delay
; i
++) { 
1443                         bitmask 
|= (0x01 << i
); 
// Room for the bits shifted out of the former last byte. No capacity check
// on ToSend[] is visible here; its size is defined elsewhere.
1445                 ToSend
[ToSendMax
++] = 0x00; 
// Walk the buffer front to back: each byte keeps its upper bits (shifted
// down by `delay`) and receives the previous byte's spilled bits on top.
1446                 for (uint16_t i 
= 0; i 
< ToSendMax
; i
++) { 
1447                         bits_to_shift 
= ToSend
[i
] & bitmask
; 
1448                         ToSend
[i
] = ToSend
[i
] >> delay
; 
// (8 - delay) is negative for delay > 8, which would be undefined — hence
// the 0..7 precondition above.
1449                         ToSend
[i
] = ToSend
[i
] | (bits_shifted 
<< (8 - delay
)); 
1450                         bits_shifted 
= bits_to_shift
; 
1456 //------------------------------------------------------------------------------------- 
1457 // Transmit the command (to the tag) that was placed in ToSend[]. 
1458 // Parameter timing: 
1459 // if NULL: transfer at next possible time, taking into account 
1460 //                      request guard time and frame delay time 
1461 // if == 0:     transfer immediately and return time of transfer 
1462 // if != 0: delay transfer until time specified 
1463 //------------------------------------------------------------------------------------- 
// Push the Modified-Miller encoded frame in ToSend[] (cmd/len) to the FPGA
// in reader-modulation mode. `timing` selects when: see the header comment
// above. Side effects: updates LastTimeProxToAirStart and NextTransferTime.
// NOTE(review): *timing is dereferenced at 1472 and 1477/1478; the enclosing
// guard for a NULL `timing` (original line 1471) and the alternative branch
// that ends at 1481 are not shown in this listing — confirm the NULL path.
1464 static void TransmitFor14443a(const uint8_t *cmd
, uint16_t len
, uint32_t *timing
) 
1467         FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A 
| FPGA_HF_ISO14443A_READER_MOD
); 
1469         uint32_t ThisTransferTime 
= 0; 
// *timing == 0: caller wants to know when the transfer happened. Round the
// current SSP clock up to the next multiple of 8 ticks and report it.
1472                 if(*timing 
== 0) {                                                                              // Measure time 
1473                         *timing 
= (GetCountSspClk() + 8) & 0xfffffff8; 
// Sub-8-tick part of the requested time is realised by bit-shifting ToSend[]
// (the branch structure between 1473 and 1475 is not shown).
1475                         PrepareDelayedTransfer(*timing 
& 0x00000007);           // Delay transfer (fine tuning - up to 7 MF clock ticks) 
1477                 if(MF_DBGLEVEL 
>= 4 && GetCountSspClk() >= (*timing 
& 0xfffffff8)) Dbprintf("TransmitFor14443a: Missed timing"); 
// Busy-wait (no timeout) until the coarse 8-tick slot is reached.
1478                 while(GetCountSspClk() < (*timing 
& 0xfffffff8));               // Delay transfer (multiple of 8 MF clock ticks) 
1479                 LastTimeProxToAirStart 
= *timing
; 
// Otherwise send at the earliest allowed slot: not before NextTransferTime
// (request guard / frame delay time enforced by earlier calls), aligned to
// 8 ticks.
1481                 ThisTransferTime 
= ((MAX(NextTransferTime
, GetCountSspClk()) & 0xfffffff8) + 8); 
1482                 while(GetCountSspClk() < ThisTransferTime
); 
1483                 LastTimeProxToAirStart 
= ThisTransferTime
; 
// Prime the transmit holding register with an idle sequence before the data.
1487         AT91C_BASE_SSC
->SSC_THR 
= SEC_Y
; 
// Feed cmd[] byte by byte whenever the SSC is ready (loop header and the
// declaration/increment of `c` are on lines not shown).
1491                 if(AT91C_BASE_SSC
->SSC_SR 
& (AT91C_SSC_TXRDY
)) { 
1492                         AT91C_BASE_SSC
->SSC_THR 
= cmd
[c
]; 
// Next reader->tag frame may not start before the request guard time has
// elapsed since this one started.
1500         NextTransferTime 
= MAX(NextTransferTime
, LastTimeProxToAirStart 
+ REQUEST_GUARD_TIME
); 
1504 //----------------------------------------------------------------------------- 
1505 // Prepare reader command (in bits, support short frames) to send to FPGA 
1506 //----------------------------------------------------------------------------- 
// Encode `bits` bits of cmd[] (plus optional parity) as reader->tag
// Modified-Miller sequences into ToSend[], and keep LastProxToAirDuration
// equal to the air time of what has been queued so far.
// cmd must hold at least nbytes(bits) bytes; parity (when not NULL) one bit
// per byte, packed MSB first (see the index expression at 1550).
// The lines declaring i/j, fetching the current byte (1524), the per-bit
// condition lines and ToSend reset are not shown in this listing.
// No capacity check on ToSend[] is visible in this function.
1507 void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd
, uint16_t bits
, const uint8_t *parity
) 
1515         // Start of Communication (Seq. Z) 
1516         ToSend
[++ToSendMax
] = SEC_Z
; 
// Air-time bookkeeping: a Z/Y sequence ends 6 ticks early, an X sequence
// 2 ticks early, hence the "-6"/"-2" below.
1517         LastProxToAirDuration 
= 8 * (ToSendMax
+1) - 6; 
1520         size_t bytecount 
= nbytes(bits
); 
1521         // Generate send structure for the data bits 
1522         for (i 
= 0; i 
< bytecount
; i
++) { 
1523                 // Get the current byte to send 
// Last byte may be partial (short frames such as REQA/WUPA use 7 bits).
1525                 size_t bitsleft 
= MIN((bits
-(i
*8)),8); 
// The selecting conditions are not shown; presumably a 1 bit is SEC_X, a 0
// bit is SEC_Z or SEC_Y depending on the previous bit (Modified Miller) —
// confirm against the missing lines.
1527                 for (j 
= 0; j 
< bitsleft
; j
++) { 
1530                                 ToSend
[++ToSendMax
] = SEC_X
; 
1531                                 LastProxToAirDuration 
= 8 * (ToSendMax
+1) - 2; 
1536                                 ToSend
[++ToSendMax
] = SEC_Z
; 
1537                                 LastProxToAirDuration 
= 8 * (ToSendMax
+1) - 6; 
1540                                         ToSend
[++ToSendMax
] = SEC_Y
; 
1547                 // Only transmit parity bit if we transmitted a complete byte 
1548                 if (j 
== 8 && parity 
!= NULL
) { 
1549                         // Get the parity bit 
// parity is indexed bit-wise: byte i>>3, bit 7-(i&7).
1550                         if (parity
[i
>>3] & (0x80 >> (i
&0x0007))) { 
1552                                 ToSend
[++ToSendMax
] = SEC_X
; 
1553                                 LastProxToAirDuration 
= 8 * (ToSendMax
+1) - 2; 
1558                                         ToSend
[++ToSendMax
] = SEC_Z
; 
1559                                         LastProxToAirDuration 
= 8 * (ToSendMax
+1) - 6; 
1562                                         ToSend
[++ToSendMax
] = SEC_Y
; 
1569         // End of Communication: Logic 0 followed by Sequence Y 
1572                 ToSend
[++ToSendMax
] = SEC_Z
; 
1573                 LastProxToAirDuration 
= 8 * (ToSendMax
+1) - 6; 
1576                 ToSend
[++ToSendMax
] = SEC_Y
; 
1579         ToSend
[++ToSendMax
] = SEC_Y
; 
1581         // Convert to length of command: 
1585 //----------------------------------------------------------------------------- 
1586 // Prepare reader command to send to FPGA 
1587 //----------------------------------------------------------------------------- 
// Byte-oriented front end for CodeIso14443aBitsAsReaderPar: a whole-byte
// frame of `len` bytes is simply a bit frame of len*8 bits.
// cmd: frame bytes (at least len of them); parity: packed parity bits or NULL.
void CodeIso14443aAsReaderPar(const uint8_t *cmd, uint16_t len, const uint8_t *parity)
{
  const uint16_t bits = len * 8;
  CodeIso14443aBitsAsReaderPar(cmd, bits, parity);
}
1594 //----------------------------------------------------------------------------- 
1595 // Wait for commands from reader 
1596 // Stop when button is pressed (return 1) or field was gone (return 2) 
1597 // Or return 0 when command is captured 
1598 //----------------------------------------------------------------------------- 
// Tag-side receive loop: wait for a reader command while watching the
// field strength. Returns 1 when the button is pressed, 2 when the field
// has been below MF_MINFIELDV for more than 50 ms, and (per the header
// comment) 0 once a command has been decoded into `received`/`parity`
// — the 0 path, the loop header and the declarations of analogAVG /
// analogCnt are on lines not shown in this listing.
1599 static int EmGetCmd(uint8_t *received
, uint16_t *len
, uint8_t *parity
) 
// `timer` marks when the field first dropped out; `vtime` is the current tick.
1603         uint32_t timer 
= 0, vtime 
= 0; 
1607         // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen 
1608         // only, since we are receiving, not transmitting). 
1609         // Signal field is off with the appropriate LED 
1611         FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A 
| FPGA_HF_ISO14443A_TAGSIM_LISTEN
); 
1613         // Set ADC to read field strength 
1614         AT91C_BASE_ADC
->ADC_CR 
= AT91C_ADC_SWRST
; 
1615         AT91C_BASE_ADC
->ADC_MR 
= 
1616                                 ADC_MODE_PRESCALE(63) | 
1617                                 ADC_MODE_STARTUP_TIME(1) | 
1618                                 ADC_MODE_SAMPLE_HOLD_TIME(15); 
1619         AT91C_BASE_ADC
->ADC_CHER 
= ADC_CHANNEL(ADC_CHAN_HF
); 
1621         AT91C_BASE_ADC
->ADC_CR 
= AT91C_ADC_START
; 
1623         // Now run a 'software UART' on the stream of incoming samples. 
1624         UartInit(received
, parity
); 
// Read the holding register once up front; the value is replaced inside
// the loop (1654) before it is used.
1627     uint8_t b 
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
; 
1632                 if (BUTTON_PRESS()) return 1; 
1634                 // test if the field exists 
1635                 if (AT91C_BASE_ADC
->ADC_SR 
& ADC_END_OF_CONVERSION(ADC_CHAN_HF
)) { 
1637                         analogAVG 
+= AT91C_BASE_ADC
->ADC_CDR
[ADC_CHAN_HF
]; 
1638                         AT91C_BASE_ADC
->ADC_CR 
= AT91C_ADC_START
; 
// Only judge the field after 32 samples; this also keeps the division
// below away from analogCnt == 0. The reset of the accumulators after the
// decision (around 1647) is not shown.
1639                         if (analogCnt 
>= 32) { 
1640                                 if ((MAX_ADC_HF_VOLTAGE 
* (analogAVG 
/ analogCnt
) >> 10) < MF_MINFIELDV
) { 
1641                                         vtime 
= GetTickCount(); 
1642                                         if (!timer
) timer 
= vtime
; 
1643                                         // 50ms no field --> card to idle state 
1644                                         if (vtime 
- timer 
> 50) return 2; 
// Field is back: forget the dropout start (the `else` line is not shown).
1646                                         if (timer
) timer 
= 0; 
1652                 // receive and test the miller decoding 
1653         if(AT91C_BASE_SSC
->SSC_SR 
& (AT91C_SSC_RXRDY
)) { 
1654             b 
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
; 
// MillerDecoding() returning non-zero means a complete frame was decoded;
// what follows (filling *len and returning 0) is on lines not shown.
1655                         if(MillerDecoding(b
, 0)) { 
// Clock an already-encoded tag answer (resp/respLen, normally ToSend[]) out
// through the FPGA in tag-simulation mode, then drain the FPGA delay queue.
// Side effect: sets LastTimeProxToAirStart to the (8-tick aligned) start of
// the transfer. The declaration of `i`/`b` and the return statement are on
// lines not shown in this listing.
// NOTE(review): the RXRDY busy-waits at 1686/1688/1693 have no timeout and
// BUTTON_PRESS() is only polled inside the data loop (1709); if the FPGA
// stops delivering samples this function does not return.
1665 static int EmSendCmd14443aRaw(uint8_t *resp
, uint16_t respLen
, bool correctionNeeded
) 
1669         uint32_t ThisTransferTime
; 
1671         // Modulate Manchester 
1672         FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A 
| FPGA_HF_ISO14443A_TAGSIM_MOD
); 
1674         // include correction bit if necessary 
// An odd number of received parity bits forces the timing correction,
// regardless of what the caller asked for.
1675         if (Uart
.parityBits 
& 0x01) { 
1676                 correctionNeeded 
= TRUE
; 
// The bytes written for the correction case (1680..1683) are not shown.
1678         if(correctionNeeded
) { 
1679                 // 1236, so correction bit needed 
1685         // clear receiving shift register and holding register 
1686         while(!(AT91C_BASE_SSC
->SSC_SR 
& AT91C_SSC_RXRDY
)); 
1687         b 
= AT91C_BASE_SSC
->SSC_RHR
; (void) b
; 
1688         while(!(AT91C_BASE_SSC
->SSC_SR 
& AT91C_SSC_RXRDY
)); 
1689         b 
= AT91C_BASE_SSC
->SSC_RHR
; (void) b
; 
1691         // wait for the FPGA to signal fdt_indicator == 1 (the FPGA is ready to queue new data in its delay line) 
// Bounded to 5 received bytes — but each iteration still spins without
// limit on RXRDY (see note above).
1692         for (uint16_t j 
= 0; j 
< 5; j
++) {      // allow timeout - better late than never 
1693                 while(!(AT91C_BASE_SSC
->SSC_SR 
& AT91C_SSC_RXRDY
)); 
1694                 if (AT91C_BASE_SSC
->SSC_RHR
) break; 
// Align the start to a multiple of 8 SSP clock ticks.
1697         while ((ThisTransferTime 
= GetCountSspClk()) & 0x00000007); 
1700         AT91C_BASE_SSC
->SSC_THR 
= SEC_F
; 
// Stream the answer; `i` is only advanced when a byte was actually queued.
1703         for(; i 
< respLen
; ) { 
1704                 if(AT91C_BASE_SSC
->SSC_SR 
& (AT91C_SSC_TXRDY
)) { 
1705                         AT91C_BASE_SSC
->SSC_THR 
= resp
[i
++]; 
// Every byte sent returns the FPGA's current queue depth in the receive
// register; remembered for the drain loop below.
1706                         FpgaSendQueueDelay 
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
; 
1709                 if(BUTTON_PRESS()) break; 
1712         // Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN again: 
1713         uint8_t fpga_queued_bits 
= FpgaSendQueueDelay 
>> 3; 
// Pad with idle sequences until the queued bits have left the FPGA (the
// increment of `i` inside this loop is on a line not shown).
1714         for (i 
= 0; i 
<= fpga_queued_bits
/8 + 1; ) { 
1715                 if(AT91C_BASE_SSC
->SSC_SR 
& (AT91C_SSC_TXRDY
)) { 
1716                         AT91C_BASE_SSC
->SSC_THR 
= SEC_F
; 
1717                         FpgaSendQueueDelay 
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
; 
// The correction prefix shifts the real start of the answer by 8 ticks.
1722         LastTimeProxToAirStart 
= ThisTransferTime 
+ (correctionNeeded
?8:0); 
// Send a 4-bit tag answer (e.g. ACK/NAK) with optional timing correction,
// then log both the preceding reader command and this answer.
// The declaration of `par`, the remaining EmLogTrace arguments and the
// `return res;` are on lines not shown in this listing.
1727 int EmSend4bitEx(uint8_t resp
, bool correctionNeeded
){ 
1728         Code4bitAnswerAsTag(resp
); 
1729         int res 
= EmSendCmd14443aRaw(ToSend
, ToSendMax
, correctionNeeded
); 
1730         // do the tracing for the previous reader request and this tag answer: 
// Parity for the single answer byte.
1732         GetParity(&resp
, 1, par
); 
// Times are converted from SSP-clock units (x16) to carrier ticks and
// corrected for the ARM<->air delays, matching the other EmLogTrace callers.
1733         EmLogTrace(Uart
.output
,  
1735                                 Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
,  
1736                                 Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
,  
1740                                 LastTimeProxToAirStart
*16 + DELAY_ARM2AIR_AS_TAG
, 
1741                                 (LastTimeProxToAirStart 
+ LastProxToAirDuration
)*16 + DELAY_ARM2AIR_AS_TAG
,  
// Plain 4-bit tag answer: same as EmSend4bitEx without the timing
// correction bit. Returns whatever EmSend4bitEx returns.
int EmSend4bit(uint8_t resp){
        const bool with_correction = false;
        return EmSend4bitEx(resp, with_correction);
}
// Encode `resp` (respLen bytes) with caller-supplied parity bits `par`,
// send it as a tag answer and trace the reader request plus this answer.
// The remaining EmLogTrace arguments and the `return res;` are on lines
// not shown in this listing.
1750 int EmSendCmdExPar(uint8_t *resp
, uint16_t respLen
, bool correctionNeeded
, uint8_t *par
){ 
1751         CodeIso14443aAsTagPar(resp
, respLen
, par
); 
1752         int res 
= EmSendCmd14443aRaw(ToSend
, ToSendMax
, correctionNeeded
); 
1753         // do the tracing for the previous reader request and this tag answer: 
// Same time conversion as in EmSend4bitEx: SSP-clock units x16, corrected
// for the ARM<->air delays.
1754         EmLogTrace(Uart
.output
,  
1756                                 Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
,  
1757                                 Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
,  
1761                                 LastTimeProxToAirStart
*16 + DELAY_ARM2AIR_AS_TAG
, 
1762                                 (LastTimeProxToAirStart 
+ LastProxToAirDuration
)*16 + DELAY_ARM2AIR_AS_TAG
,  
// Send a tag answer with optional timing correction; the parity bits are
// derived here from `resp` before delegating to EmSendCmdExPar.
// resp: answer bytes (respLen of them, no CRC handling done here).
// Returns the result of EmSendCmdExPar.
int EmSendCmdEx(uint8_t *resp, uint16_t respLen, bool correctionNeeded){
        uint8_t parity_bits[MAX_PARITY_SIZE];
        GetParity(resp, respLen, parity_bits);
        int rc = EmSendCmdExPar(resp, respLen, correctionNeeded, parity_bits);
        return rc;
}
// Send a tag answer without timing correction, computing parity here.
// Behaviourally identical to EmSendCmdEx(resp, respLen, false): parity is
// derived from resp and the frame goes through EmSendCmdExPar.
int EmSendCmd(uint8_t *resp, uint16_t respLen){
        return EmSendCmdEx(resp, respLen, false);
}
// Send a tag answer with caller-supplied parity and no timing correction.
// Returns the result of EmSendCmdExPar.
int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par){
        const bool with_correction = false;
        return EmSendCmdExPar(resp, respLen, with_correction, par);
}
// Log one reader->tag command and the simulated tag answer that followed
// it, reconstructing the reader command's timestamps from the (measurable)
// start of our own answer. The opening brace, the outer guard around this
// body, the body of the first `if` (1796) and the closing branch are on
// lines not shown in this listing.
// NOTE(review): the result of the second LogTrace (1797) is negated while
// the first (1795) is not. If LogTrace reports TRUE on success, this makes
// a full trace on the tag half go unnoticed by callers that treat FALSE as
// "trace full" — confirm against LogTrace's return contract.
1783 bool EmLogTrace(uint8_t *reader_data
, uint16_t reader_len
, uint32_t reader_StartTime
, uint32_t reader_EndTime
, uint8_t *reader_Parity
, 
1784                                  uint8_t *tag_data
, uint16_t tag_len
, uint32_t tag_StartTime
, uint32_t tag_EndTime
, uint8_t *tag_Parity
) 
1787                 // we cannot exactly measure the end and start of a received command from reader. However we know that the delay from 
1788                 // end of the received command to start of the tag's (simulated by us) answer is n*128+20 or n*128+84 resp. 
1789                 // with n >= 9. The start of the tags answer can be measured and therefore the end of the received command be calculated: 
// Durations are kept in 16 bits; the absolute 32-bit times are only used
// as differences here.
1790                 uint16_t reader_modlen 
= reader_EndTime 
- reader_StartTime
; 
1791                 uint16_t approx_fdt 
= tag_StartTime 
- reader_EndTime
; 
// Snap the measured frame delay to the nearest allowed value of the form
// m*64+20 (both n*128+20 and n*128+84 are of that form).
1792                 uint16_t exact_fdt 
= (approx_fdt 
- 20 + 32)/64 * 64 + 20; 
1793                 reader_EndTime 
= tag_StartTime 
- exact_fdt
; 
1794                 reader_StartTime 
= reader_EndTime 
- reader_modlen
; 
1795                 if (!LogTrace(reader_data
, reader_len
, reader_StartTime
, reader_EndTime
, reader_Parity
, TRUE
)) { 
1797                 } else return(!LogTrace(tag_data
, tag_len
, tag_StartTime
, tag_EndTime
, tag_Parity
, FALSE
)); 
1803 //----------------------------------------------------------------------------- 
1804 // Wait a certain time for tag response 
1805 //  If a response is captured return TRUE 
1806 //  If it takes too long return FALSE 
1807 //----------------------------------------------------------------------------- 
// Reader-side receive: wait for a tag answer, Manchester-decoding the SSC
// sample stream into receivedResponse/receivedResponsePar. `offset` is the
// bit offset handed to the decoder (used for anticollision continuation).
// Gives up once more than iso14a_timeout bytes arrive while the demodulator
// is still unsynchronised. The loop header, the declaration of `c` and both
// return statements are on lines not shown in this listing.
1808 static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse
, uint8_t *receivedResponsePar
, uint16_t offset
) 
1812         // Set FPGA mode to "reader listen mode", no modulation (listen 
1813         // only, since we are receiving, not transmitting). 
1814         // Signal field is on with the appropriate LED 
1816         FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A 
| FPGA_HF_ISO14443A_READER_LISTEN
); 
1818         // Now get the answer from the card 
1819         DemodInit(receivedResponse
, receivedResponsePar
); 
// Initial read of the holding register; overwritten at 1828 before use.
1822     uint8_t b 
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
; 
1827                 if(AT91C_BASE_SSC
->SSC_SR 
& (AT91C_SSC_RXRDY
)) { 
1828                         b 
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
; 
// Frame complete: the next reader transmission must respect the
// PICC->PCD frame delay time measured from the end of this answer
// (Demod.endTime is in SSP-clock units, hence the /16 of the tick delays).
1829                         if(ManchesterDecoding(b
, offset
, 0)) { 
1830                                 NextTransferTime 
= MAX(NextTransferTime
, Demod
.endTime 
- (DELAY_AIR2ARM_AS_READER 
+ DELAY_ARM2AIR_AS_READER
)/16 + FRAME_DELAY_TIME_PICC_TO_PCD
); 
// Timeout: counted in received bytes, only while nothing has synced yet.
1832                         } else if (c
++ > iso14a_timeout 
&& Demod
.state 
== DEMOD_UNSYNCD
) { 
// Encode, send and trace a reader->tag frame of `bits` bits with explicit
// parity. `timing` is passed through to TransmitFor14443a (NULL = as soon
// as allowed, see its header comment). The guard around the LogTrace call
// (original line 1849) and the lines between 1844 and 1848 are not shown.
1839 void ReaderTransmitBitsPar(uint8_t* frame
, uint16_t bits
, uint8_t *par
, uint32_t *timing
) 
1841         CodeIso14443aBitsAsReaderPar(frame
, bits
, par
); 
1843         // Send command to tag 
1844         TransmitFor14443a(ToSend
, ToSendMax
, timing
); 
1848         // Log reader command in trace buffer 
// Times in carrier ticks: SSP-clock units x16 plus the ARM->air delay,
// using the start/duration recorded by the two calls above.
1850                 LogTrace(frame
, nbytes(bits
), LastTimeProxToAirStart
*16 + DELAY_ARM2AIR_AS_READER
, (LastTimeProxToAirStart 
+ LastProxToAirDuration
)*16 + DELAY_ARM2AIR_AS_READER
, par
, TRUE
); 
// Byte-length wrapper around ReaderTransmitBitsPar: `len` whole bytes with
// caller-supplied parity bits; `timing` is forwarded unchanged.
void ReaderTransmitPar(uint8_t* frame, uint16_t len, uint8_t *par, uint32_t *timing)
{
  const uint16_t nbits = len * 8;
  ReaderTransmitBitsPar(frame, nbits, par, timing);
}
// Send `len` bits of `frame`, generating parity for the complete bytes only
// (a trailing partial byte carries no parity bit on the air).
void ReaderTransmitBits(uint8_t* frame, uint16_t len, uint32_t *timing)
{
  uint8_t parity_bits[MAX_PARITY_SIZE];
  const uint16_t whole_bytes = len / 8;
  GetParity(frame, whole_bytes, parity_bits);
  ReaderTransmitBitsPar(frame, len, parity_bits, timing);
}
// Send `len` whole bytes of `frame` with parity generated here. Identical to
// the original: parity over len bytes, then len*8 bits on the air.
void ReaderTransmit(uint8_t* frame, uint16_t len, uint32_t *timing)
{
  uint8_t parity_bits[MAX_PARITY_SIZE];
  GetParity(frame, len, parity_bits);
  ReaderTransmitPar(frame, len, parity_bits, timing);
}
// Receive a tag answer into receivedAnswer/parity, decoding from bit
// `offset` (anticollision continuation), and trace it. Returns FALSE when
// no answer was captured; the guard around LogTrace (1878) and the success
// return (1881) are on lines not shown in this listing.
// Callers must size receivedAnswer for a full frame — no length is passed in.
1875 int ReaderReceiveOffset(uint8_t* receivedAnswer
, uint16_t offset
, uint8_t *parity
) 
1877         if (!GetIso14443aAnswerFromTag(receivedAnswer
, parity
, offset
)) return FALSE
; 
// Times in carrier ticks: SSP-clock units x16 minus the air->ARM delay.
1879                 LogTrace(receivedAnswer
, Demod
.len
, Demod
.startTime
*16 - DELAY_AIR2ARM_AS_READER
, Demod
.endTime
*16 - DELAY_AIR2ARM_AS_READER
, parity
, FALSE
); 
// Receive a tag answer from bit offset 0 and trace it; same contract as
// ReaderReceiveOffset. The guard around LogTrace (1887) and the success
// return (1890) are on lines not shown in this listing.
1884 int ReaderReceive(uint8_t *receivedAnswer
, uint8_t *parity
) 
1886         if (!GetIso14443aAnswerFromTag(receivedAnswer
, parity
, 0)) return FALSE
; 
// Times in carrier ticks: SSP-clock units x16 minus the air->ARM delay.
1888                 LogTrace(receivedAnswer
, Demod
.len
, Demod
.startTime
*16 - DELAY_AIR2ARM_AS_READER
, Demod
.endTime
*16 - DELAY_AIR2ARM_AS_READER
, parity
, FALSE
); 
1893 /* performs iso14443a anticollision procedure 
1894  * fills the uid pointer unless NULL 
1895  * fills resp_data unless NULL */ 
// WUPA -> (anticollision) -> SELECT for every cascade level -> RATS.
// uid_ptr, when not NULL, receives up to 10 UID bytes (it is zeroed over 10
// bytes at 1924, so it must be at least that large); p_hi14a_card, when not
// NULL, receives ATQA/UID/SAK/ATS; cuid_ptr receives the last 4 UID bytes.
// Returns 0 when the tag stops answering, 2 for a tag whose SAK says it does
// not support ISO 14443-4 (no RATS sent); the success return, the
// declaration of uid_resp/uid_resp/len, the `sak = ...` update and the
// NULL guards around the p_hi14a_card/uid_ptr/cuid_ptr writes are on lines
// not shown in this listing.
1896 int iso14443a_select_card(byte_t 
*uid_ptr
, iso14a_card_select_t 
*p_hi14a_card
, uint32_t *cuid_ptr
) { 
1897         uint8_t wupa
[]       = { 0x52 };  // 0x26 - REQA  0x52 - WAKE-UP 
1898         uint8_t sel_all
[]    = { 0x93,0x20 }; 
// cmd, NVB, up to 4 UID bytes + BCC, 2 CRC bytes = 9 bytes.
1899         uint8_t sel_uid
[]    = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; 
1900         uint8_t rats
[]       = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0 
1901         uint8_t resp
[MAX_FRAME_SIZE
]; // theoretically. A usual RATS will be much smaller 
1902         uint8_t resp_par
[MAX_PARITY_SIZE
]; 
1904         size_t uid_resp_len
; 
// Start with the "UID not complete" bit set so the cascade loop runs once.
1906         uint8_t sak 
= 0x04; // cascade uid 
1907         int cascade_level 
= 0; 
1910         // Broadcast for a card, WUPA (0x52) will force response from all cards in the field 
// WUPA is a 7-bit short frame without parity.
1911     ReaderTransmitBitsPar(wupa
,7,0, NULL
); 
1914         if(!ReaderReceive(resp
, resp_par
)) return 0; 
1917                 memcpy(p_hi14a_card
->atqa
, resp
, 2); 
1918                 p_hi14a_card
->uidlen 
= 0; 
1919                 memset(p_hi14a_card
->uid
,0,10); 
1924                 memset(uid_ptr
,0,10); 
1927         // check for proprietary anticollision: 
1928         if ((resp
[0] & 0x1F) == 0) { 
1932         // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in 
1933         // which case we need to make a cascade 2 request and select - this is a long UID 
1934         // While the UID is not complete, the 3rd bit (from the right) is set in the SAK. 
1935         for(; sak 
& 0x04; cascade_level
++) { 
1936                 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97) 
1937                 sel_uid
[0] = sel_all
[0] = 0x93 + cascade_level 
* 2; 
1940                 ReaderTransmit(sel_all
, sizeof(sel_all
), NULL
); 
1941                 if (!ReaderReceive(resp
, resp_par
)) return 0; 
// NOTE(review): everything in this branch is driven by values the tag
// controls (Demod.collisionPos, Demod.len). uid_resp is cleared over 4 bytes
// (1944) and sel_uid holds 9, yet the indices uid_resp_bits/8 (1952, 1954,
// 1967) and 2+i (1959) are not range-checked here; whether the demodulator
// caps collisionPos/len small enough is not visible in this listing —
// confirm, since an over-long collision answer would otherwise index past
// these stack arrays.
1943                 if (Demod
.collisionPos
) {                       // we had a collision and need to construct the UID bit by bit 
1944                         memset(uid_resp
, 0, 4); 
1945                         uint16_t uid_resp_bits 
= 0; 
1946                         uint16_t collision_answer_offset 
= 0; 
1947                         // anti-collision-loop: 
1948                         while (Demod
.collisionPos
) { 
1949                                 Dbprintf("Multiple tags detected. Collision after Bit %d", Demod
.collisionPos
); 
// Copy the bits received before the collision into the partial UID (LSB
// first within each byte).
1950                                 for (uint16_t i 
= collision_answer_offset
; i 
< Demod
.collisionPos
; i
++, uid_resp_bits
++) {      // add valid UID bits before collision point 
1951                                         uint16_t UIDbit 
= (resp
[i
/8] >> (i 
% 8)) & 0x01; 
1952                                         uid_resp
[uid_resp_bits 
/ 8] |= UIDbit 
<< (uid_resp_bits 
% 8); 
1954                                 uid_resp
[uid_resp_bits
/8] |= 1 << (uid_resp_bits 
% 8);                                  // next time select the card(s) with a 1 in the collision position 
1956                                 // construct anticollision command: 
// NVB: high nibble = whole bytes sent (2 for cmd+NVB plus UID bytes), low
// nibble = extra bits.
1957                                 sel_uid
[1] = ((2 + uid_resp_bits
/8) << 4) | (uid_resp_bits 
& 0x07);     // length of data in bytes and bits 
1958                                 for (uint16_t i 
= 0; i 
<= uid_resp_bits
/8; i
++) { 
1959                                         sel_uid
[2+i
] = uid_resp
[i
]; 
// The tag's reply continues mid-byte, so the next decode starts at this
// bit offset.
1961                                 collision_answer_offset 
= uid_resp_bits%8
; 
1962                                 ReaderTransmitBits(sel_uid
, 16 + uid_resp_bits
, NULL
); 
1963                                 if (!ReaderReceiveOffset(resp
, collision_answer_offset
, resp_par
)) return 0; 
1965                         // finally, add the last bits and BCC of the UID 
// Demod.len includes the BCC byte; copy everything up to it.
1966                         for (uint16_t i 
= collision_answer_offset
; i 
< (Demod
.len
-1)*8; i
++, uid_resp_bits
++) { 
1967                                 uint16_t UIDbit 
= (resp
[i
/8] >> (i%8
)) & 0x01; 
1968                                 uid_resp
[uid_resp_bits
/8] |= UIDbit 
<< (uid_resp_bits 
% 8); 
1971                 } else {                // no collision, use the response to SELECT_ALL as current uid 
1972                         memcpy(uid_resp
, resp
, 4); 
1976                 // calculate crypto UID. Always use last 4 Bytes. 
// Overwritten on every cascade level, so the last level's 4 bytes remain.
1978                         *cuid_ptr 
= bytes_to_num(uid_resp
, 4); 
1981                 // Construct SELECT UID command 
1982                 sel_uid
[1] = 0x70;                                                                                                      // transmitting a full UID (1 Byte cmd, 1 Byte NVB, 4 Byte UID, 1 Byte BCC, 2 Bytes CRC) 
1983                 memcpy(sel_uid
+2, uid_resp
, 4);                                                                         // the UID 
1984                 sel_uid
[6] = sel_uid
[2] ^ sel_uid
[3] ^ sel_uid
[4] ^ sel_uid
[5];         // calculate and add BCC 
1985                 AppendCrc14443a(sel_uid
, 7);                                                                            // calculate and add CRC 
1986                 ReaderTransmit(sel_uid
, sizeof(sel_uid
), NULL
); 
// The answer is the SAK; the assignment `sak = ...` (1990) is not shown.
1989                 if (!ReaderReceive(resp
, resp_par
)) return 0; 
1992     // Test if more parts of the uid are coming 
1993                 if ((sak 
& 0x04) /* && uid_resp[0] == 0x88 */) { 
1994                         // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of: 
1995                         // http://www.nxp.com/documents/application_note/AN10927.pdf 
1996                         uid_resp
[0] = uid_resp
[1]; 
1997                         uid_resp
[1] = uid_resp
[2]; 
1998                         uid_resp
[2] = uid_resp
[3];  
// Each intermediate cascade level contributes 3 UID bytes, the last one up
// to 4 (uid_resp_len is set on lines not shown).
2004                         memcpy(uid_ptr 
+ (cascade_level
*3), uid_resp
, uid_resp_len
); 
2008                         memcpy(p_hi14a_card
->uid 
+ (cascade_level
*3), uid_resp
, uid_resp_len
); 
2009                         p_hi14a_card
->uidlen 
+= uid_resp_len
; 
2014                 p_hi14a_card
->sak 
= sak
; 
2015                 p_hi14a_card
->ats_len 
= 0; 
2018         // non iso14443a compliant tag 
2019         if( (sak 
& 0x20) == 0) return 2;  
2021         // Request for answer to select 
2022         AppendCrc14443a(rats
, 2); 
2023         ReaderTransmit(rats
, sizeof(rats
), NULL
); 
2025         if (!(len 
= ReaderReceive(resp
, resp_par
))) return 0; 
// Copies the whole ats field regardless of `len`: bytes beyond the received
// answer are whatever resp[] held from earlier answers. ats_len records the
// real length and is what consumers should trust.
2029                 memcpy(p_hi14a_card
->ats
, resp
, sizeof(p_hi14a_card
->ats
)); 
2030                 p_hi14a_card
->ats_len 
= len
; 
2033         // reset the PCB block number 
2034         iso14_pcb_blocknum 
= 0; 
2036         // set default timeout based on ATS 
2037         iso14a_set_ATS_timeout(resp
); 
// Load the HF bitstream and put the FPGA into the requested ISO 14443A
// minor mode (reader or tag side), then reset the reader timing state.
// Several lines of this function (SSC setup, LED handling inside the
// reader-mode branch, the delay and decoder init between 2057 and 2062)
// are not shown in this listing.
2042 void iso14443a_setup(uint8_t fpga_minor_mode
) { 
2043         FpgaDownloadAndGo(FPGA_BITSTREAM_HF
); 
2044         // Set up the synchronous serial port 
2046         // connect Demodulated Signal to ADC: 
2047         SetAdcMuxFor(GPIO_MUXSEL_HIPKD
); 
2049         // Signal field is on with the appropriate LED 
// Reader modes are the ones that drive the field; the body of this branch
// and its `else` are not shown.
2050         if (fpga_minor_mode 
== FPGA_HF_ISO14443A_READER_MOD
 
2051                 || fpga_minor_mode 
== FPGA_HF_ISO14443A_READER_LISTEN
) { 
2056         FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A 
| fpga_minor_mode
); 
// Earliest time for the first reader transmission, in SSP-clock units.
2063         NextTransferTime 
= 2*DELAY_ARM2AIR_AS_READER
; 
2064         iso14a_set_timeout(10*106); // 10ms default 
// Wrap `cmd` (cmd_len bytes) in an ISO 14443-4 I-Block with CID 0, send it,
// and receive the answer into `data`. Toggles iso14_pcb_blocknum when the
// tag's PCB acknowledges the current block number. Returns 0 on a data link
// error; the success return (2091), the `if(!len)` line (2080) and the
// braces around 2089 are on lines not shown in this listing.
// NOTE(review): real_cmd is a VLA sized by the caller's cmd_len, which in
// ReaderIso14443a comes straight from the USB command (16-bit length); no
// upper bound is visible here, so an over-large length eats the stack of
// the device. `data` is written by ReaderReceive without a size argument —
// the caller must provide a full-frame buffer.
2067 int iso14_apdu(uint8_t *cmd
, uint16_t cmd_len
, void *data
) { 
2068         uint8_t parity
[MAX_PARITY_SIZE
]; 
// PCB + CID + payload + 2 CRC bytes.
2069         uint8_t real_cmd
[cmd_len
+4]; 
2070         real_cmd
[0] = 0x0a; //I-Block 
2071         // put block number into the PCB 
2072         real_cmd
[0] |= iso14_pcb_blocknum
; 
2073         real_cmd
[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards 
2074         memcpy(real_cmd
+2, cmd
, cmd_len
); 
2075         AppendCrc14443a(real_cmd
,cmd_len
+2); 
2077         ReaderTransmit(real_cmd
, cmd_len
+4, NULL
); 
2078         size_t len 
= ReaderReceive(data
, parity
); 
2079         uint8_t *data_bytes 
= (uint8_t *) data
; 
2081                 return 0; //DATA LINK ERROR 
2082         // if we received an I- or R(ACK)-Block with a block number equal to the 
2083         // current block number, toggle the current block number 
// Only inspect the PCB once the answer is long enough to contain one plus
// CID and CRC.
2084         else if (len 
>= 4 // PCB+CID+CRC = 4 bytes 
2085                  && ((data_bytes
[0] & 0xC0) == 0 // I-Block 
2086                      || (data_bytes
[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0 
2087                  && (data_bytes
[0] & 0x01) == iso14_pcb_blocknum
) // equal block numbers 
2089                 iso14_pcb_blocknum 
^= 1; 
2095 //----------------------------------------------------------------------------- 
2096 // Read an ISO 14443a tag. Send out commands and store answers. 
2098 //----------------------------------------------------------------------------- 
// USB entry point for the "hf 14a" reader operations.  Request decoding:
//   c->arg[0]           iso14a_command_t flag set (ISO14A_CONNECT, ISO14A_APDU, ISO14A_RAW, ...)
//   c->arg[1] & 0xffff  number of command bytes in c->d.asBytes
//   c->arg[1] >> 16     exact number of bits to send (0 = send whole bytes)
//   c->arg[2]           receive timeout, applied only together with ISO14A_SET_TIMEOUT
// Each stage answers the host with cmd_send(CMD_ACK, ...).  The field is switched off
// at the end unless ISO14A_NO_DISCONNECT is set (that early return is not in this extract).
// NOTE(review): len and lenbits are taken from the host and never checked against the
// size of c->d.asBytes, par or buf.  AppendCrc14443a/AppendCrc14443b(cmd, len) write two
// bytes at cmd+len, and GetParity(cmd, lenbits/8, par) reads lenbits/8 bytes of cmd and
// fills par (MAX_PARITY_SIZE entries).  An over-large len or lenbits overruns these
// buffers; a bounds check against USB_CMD_DATA_SIZE / MAX_PARITY_SIZE belongs up front.
// NOTE(review): buf is not initialised, yet the APDU and RAW paths return sizeof(buf)
// bytes of it to the host regardless of how many bytes were actually received — the tail
// is stale stack contents.  Zero-initialising buf (or sending only the received length)
// would avoid leaking firmware stack data over USB.
2099 void ReaderIso14443a(UsbCommand 
*c
) 
2101         iso14a_command_t param 
= c
->arg
[0]; 
2102         uint8_t *cmd 
= c
->d
.asBytes
; 
2103         size_t len 
= c
->arg
[1] & 0xffff; 
2104         size_t lenbits 
= c
->arg
[1] >> 16; 
2105         uint32_t timeout 
= c
->arg
[2]; 
        // receive / card-select scratch buffer, returned to the host verbatim below
2107         byte_t buf
[USB_CMD_DATA_SIZE
]; 
2108         uint8_t par
[MAX_PARITY_SIZE
]; 
2110         if(param 
& ISO14A_CONNECT
) { 
2116         if(param 
& ISO14A_REQUEST_TRIGGER
) { 
2117                 iso14a_set_trigger(TRUE
); 
2120         if(param 
& ISO14A_CONNECT
) { 
2121                 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
); 
2122                 if(!(param 
& ISO14A_NO_SELECT
)) { 
                        // the select result is written straight into buf and sent to the host;
                        // NOTE(review): if the select fails, card->uidlen is whatever was on
                        // the stack — the host must check arg0 before trusting uidlen.
2123                         iso14a_card_select_t 
*card 
= (iso14a_card_select_t
*)buf
; 
2124                         arg0 
= iso14443a_select_card(NULL
,card
,NULL
); 
2125                         cmd_send(CMD_ACK
,arg0
,card
->uidlen
,0,buf
,sizeof(iso14a_card_select_t
)); 
2129         if(param 
& ISO14A_SET_TIMEOUT
) { 
2130                 iso14a_set_timeout(timeout
); 
2133         if(param 
& ISO14A_APDU
) { 
                // ISO 14443-4 I-Block exchange; len is passed to iso14_apdu unchecked (see note above)
2134                 arg0 
= iso14_apdu(cmd
, len
, buf
); 
2135                 cmd_send(CMD_ACK
,arg0
,0,0,buf
,sizeof(buf
)); 
2138         if(param 
& ISO14A_RAW
) { 
2139                 if(param 
& ISO14A_APPEND_CRC
) { 
                        // Topaz (NFC type 1) uses the CRC_B polynomial, everything else CRC_A;
                        // both append two bytes at cmd+len inside the USB command buffer
2140                         if(param 
& ISO14A_TOPAZMODE
) { 
2141                                 AppendCrc14443b(cmd
,len
); 
2143                                 AppendCrc14443a(cmd
,len
); 
                        // a bit-exact length grows by the 16 CRC bits just appended
2146                         if (lenbits
) lenbits 
+= 16; 
2148                 if(lenbits
>0) {                         // want to send a specific number of bits (e.g. short commands) 
2149                         if(param 
& ISO14A_TOPAZMODE
) { 
2150                                 int bits_to_send 
= lenbits
; 
2152                                 ReaderTransmitBitsPar(&cmd
[i
++], MIN(bits_to_send
, 7), NULL
, NULL
);             // first byte is always short (7bits) and no parity 
2154                                 while (bits_to_send 
> 0) { 
2155                                         ReaderTransmitBitsPar(&cmd
[i
++], MIN(bits_to_send
, 8), NULL
, NULL
);     // following bytes are 8 bit and no parity 
                        // non-Topaz: compute odd parity for lenbits/8 bytes into par, then send lenbits bits
2159                         GetParity(cmd
, lenbits
/8, par
); 
2160                                 ReaderTransmitBitsPar(cmd
, lenbits
, par
, NULL
);                                                 // bytes are 8 bit with odd parity 
2162                 } else {                                        // want to send complete bytes only 
2163                         if(param 
& ISO14A_TOPAZMODE
) { 
2165                                 ReaderTransmitBitsPar(&cmd
[i
++], 7, NULL
, NULL
);                                                // first byte: 7 bits, no parity 
2167                                         ReaderTransmitBitsPar(&cmd
[i
++], 8, NULL
, NULL
);                                        // following bytes: 8 bits, no parity 
2170                                 ReaderTransmit(cmd
,len
, NULL
);                                                                                  // 8 bits, odd parity 
                // arg0 = number of bytes received; the whole of buf is still sent (see note above)
2173                 arg0 
= ReaderReceive(buf
, par
); 
2174                 cmd_send(CMD_ACK
,arg0
,0,0,buf
,sizeof(buf
)); 
2177         if(param 
& ISO14A_REQUEST_TRIGGER
) { 
2178                 iso14a_set_trigger(FALSE
); 
2181         if(param 
& ISO14A_NO_DISCONNECT
) { 
        // default: drop the field so the card is deselected
2185         FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
); 
2191 // Determine the distance between two nonces. 
2192 // Assume that the difference is small, but we don't know which is first. 
2193 // Therefore try in alternating directions. 
// Distance, in prng_successor steps, between two 32-bit MIFARE Classic tag nonces.
// Returns  i  (1..0xFFFE) if nt2 is reached i steps after nt1,
//         -i  if nt1 is reached i steps after nt2,
//          0  if nt1 == nt2, and
//     -99999  if neither is reached within 0xFFFF steps — at least one of the values is
//             not a member of the tag's 16-bit PRNG sequence.
// Callers (ReaderMifare) rely on the -99999 sentinel to detect "invalid nonce".
// NOTE(review): nttmp1/nttmp2 must be seeded from nt1/nt2 before the loop; that
// initialisation (and the declaration of i) is not part of this extract.
2194 int32_t dist_nt(uint32_t nt1
, uint32_t nt2
) { 
2197         uint32_t nttmp1
, nttmp2
; 
2199         if (nt1 
== nt2
) return 0; 
        // walk both nonces forward one step at a time so the nearer match, in either
        // direction, is found first
2204         for (i 
= 1; i 
< 0xFFFF; i
++) { 
2205                 nttmp1 
= prng_successor(nttmp1
, 1); 
2206                 if (nttmp1 
== nt2
) return i
; 
2207                 nttmp2 
= prng_successor(nttmp2
, 1); 
2208                         if (nttmp2 
== nt1
) return -i
; 
2211         return(-99999); // either nt1 or nt2 are invalid nonces 
2215 //----------------------------------------------------------------------------- 
2216 // Recover several bits of the cypher stream. This implements (first stages of) 
2217 // the algorithm described in "The Dark Side of Security by Obscurity and 
2218 // Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime" 
2219 // (article by Nicolas T. Courtois, 2009) 
2220 //----------------------------------------------------------------------------- 
// "Darkside" attack on MIFARE Classic (Courtois 2009, see the header comment above).
// Loop: select the card, send AUTH-A for block 0 (mf_auth) at a moment chosen so the
// tag re-issues the same nonce nt_attacked, then answer with the fixed reader nonce
// mf_nr_ar under a guessed parity byte par.  When all 8 parity bits happen to be right
// the tag leaks a 4-bit encrypted NACK; the parity byte (bit-reversed) and NACK ^ 0x05
// are recorded for the current nt_diff in par_list / ks_list.  Once all 8 nt_diff
// values are collected, uid (4), nt (4), par_list (8), ks_list (8) and mf_nr_ar (4)
// are returned to the host with CMD_ACK and the isOK code; key recovery is done there.
// first_try: TRUE starts a fresh clock calibration; FALSE continues from the static
// state (mf_nr_ar3, par_low, nt_attacked, sync_time, sync_cycles) left by the last call.
// isOK: -3 = the card's PRNG is not predictable, -4 = PRNG could not be synced; the
// remaining result codes are assigned on lines outside this extract.
2221 void ReaderMifare(bool first_try
) 
        // AUTH key A, block 0, followed by its CRC_A
2224         uint8_t mf_auth
[]    = { 0x60,0x00,0xf5,0x7b }; 
        // fixed reader nonce nr (4 bytes) + ar (4 bytes); only byte 3 is varied, bits 5..7
        // carrying nt_diff
2225         uint8_t mf_nr_ar
[]   = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; 
        // last mf_nr_ar[3], kept across calls for the first_try == FALSE continuation
2226         static uint8_t mf_nr_ar3
; 
2228         uint8_t receivedAnswer
[MAX_MIFARE_FRAME_SIZE
]; 
2229         uint8_t receivedAnswerPar
[MAX_MIFARE_PARITY_SIZE
]; 
2232                 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD
); 
2235         // free eventually allocated BigBuf memory. We want all for tracing. 
2242         uint8_t par
[1] = {0};   // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough 
        // upper 3 parity bits, frozen once a NACK has been observed (see below)
2243         static byte_t par_low 
= 0; 
2245         uint8_t uid
[10]  ={0}; 
2249         uint32_t previous_nt 
= 0; 
        // the tag nonce we lock on to; 0 until calibration succeeds
2250         static uint32_t nt_attacked 
= 0; 
2251         byte_t par_list
[8] = {0x00}; 
2252         byte_t ks_list
[8] = {0x00}; 
   // NOTE(review): the trailing ';' is part of the macro body.  Every use below happens
   // to be a whole statement so it only yields an empty statement, but the macro would
   // break inside any larger expression — the ';' should be dropped.
2254    #define PRNG_SEQUENCE_LENGTH  (1 << 16); 
        // SSP-clock tick at which the next AUTH is sent, and the period between AUTHs,
        // both persisted across calls
2255         static uint32_t sync_time 
= 0; 
2256         static int32_t sync_cycles 
= 0; 
2257         int catch_up_cycles 
= 0; 
2258         int last_catch_up 
= 0; 
2259         uint16_t elapsed_prng_sequences
; 
2260         uint16_t consecutive_resyncs 
= 0; 
2265                 sync_time 
= GetCountSspClk() & 0xfffffff8; 
2266                 sync_cycles 
= PRNG_SEQUENCE_LENGTH
; //65536;    //0x10000                       // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces). 
2271                 // we were unsuccessful on a previous call. Try another READER nonce (first 3 parity bits remain the same) 
2273                 mf_nr_ar
[3] = mf_nr_ar3
; 
2282         #define MAX_UNEXPECTED_RANDOM   4               // maximum number of unexpected (i.e. real) random numbers when trying to sync. Then give up. 
2283         #define MAX_SYNC_TRIES                  32 
2284         #define NUM_DEBUG_INFOS                 8               // per strategy 
2285         #define MAX_STRATEGY                    3 
2286         uint16_t unexpected_random 
= 0; 
2287         uint16_t sync_tries 
= 0; 
        // -1 = normal attack mode; >= 0 = collecting debug distances for the current strategy
2288         int16_t debug_info_nr 
= -1; 
2289         uint16_t strategy 
= 0; 
        // NOTE(review): this array has MAX_STRATEGY (3) rows, valid indices 0..2, but
        // strategy can reach 3 (a `strategy == 3` branch exists below and the guard
        // `strategy > MAX_STRATEGY` still lets strategy == 3 through to the store
        // `debug_info[strategy][debug_info_nr]`), and the dump loop at the end runs
        // `i <= MAX_STRATEGY`.  Both touch row 3, one past the end of the array — a
        // stack out-of-bounds write/read when MF_DBGLEVEL >= 3.  Either size the
        // array [MAX_STRATEGY + 1] or tighten both bounds to `< MAX_STRATEGY`.
2290         int32_t debug_info
[MAX_STRATEGY
][NUM_DEBUG_INFOS
]; 
2291         uint32_t select_time
; 
        // main attack loop; exits via break on button press, give-up, or completion
2294         for(uint16_t i 
= 0; TRUE
; i
++) { 
2299                 // Test if the action was cancelled 
2300                 if(BUTTON_PRESS()) { 
2305                 if (strategy 
== 2) { 
2306                         // test with additional hlt command 
2308                         int len 
= mifare_sendcmd_short(NULL
, false, 0x50, 0x00, receivedAnswer
, receivedAnswerPar
, &halt_time
); 
2309                         if (len 
&& MF_DBGLEVEL 
>= 3) { 
2310                                 Dbprintf("Unexpected response of %d bytes to hlt command (additional debugging).", len
); 
2314                 if (strategy 
== 3) { 
2315                         // test with FPGA power off/on 
2316                         FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
); 
2318                         iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD
); 
2322                 if(!iso14443a_select_card(uid
, NULL
, &cuid
)) { 
2323                         if (MF_DBGLEVEL 
>= 1)   Dbprintf("Mifare: Can't select card"); 
2326                 select_time 
= GetCountSspClk(); 
2328                 elapsed_prng_sequences 
= 1; 
2329                 if (debug_info_nr 
== -1) { 
                        // normal mode: aim the next AUTH one PRNG period (plus any catch-up) after the last one
2330                         sync_time 
= (sync_time 
& 0xfffffff8) + sync_cycles 
+ catch_up_cycles
; 
2331                         catch_up_cycles 
= 0; 
2333                         // if we missed the sync time already, advance to the next nonce repeat 
2334                         while(GetCountSspClk() > sync_time
) { 
2335                                 elapsed_prng_sequences
++; 
2336                                 sync_time 
= (sync_time 
& 0xfffffff8) + sync_cycles
; 
2339                         // Transmit MIFARE_CLASSIC_AUTH at synctime. Should result in returning the same tag nonce (== nt_attacked)  
2340                         ReaderTransmit(mf_auth
, sizeof(mf_auth
), &sync_time
); 
2342                         // collect some information on tag nonces for debugging: 
2343                         #define DEBUG_FIXED_SYNC_CYCLES PRNG_SEQUENCE_LENGTH 
2344                         if (strategy 
== 0) { 
2345                                 // nonce distances at fixed time after card select: 
2346                                 sync_time 
= select_time 
+ DEBUG_FIXED_SYNC_CYCLES
; 
2347                         } else if (strategy 
== 1) { 
2348                                 // nonce distances at fixed time between authentications: 
2349                                 sync_time 
= sync_time 
+ DEBUG_FIXED_SYNC_CYCLES
; 
2350                         } else if (strategy 
== 2) { 
2351                                 // nonce distances at fixed time after halt: 
2352                                 sync_time 
= halt_time 
+ DEBUG_FIXED_SYNC_CYCLES
; 
2354                                 // nonce_distances at fixed time after power on 
2355                                 sync_time 
= DEBUG_FIXED_SYNC_CYCLES
; 
2357                         ReaderTransmit(mf_auth
, sizeof(mf_auth
), &sync_time
); 
2360                 // Receive the (4 Byte) "random" nonce 
2361                 if (!ReaderReceive(receivedAnswer
, receivedAnswerPar
)) { 
2362                         if (MF_DBGLEVEL 
>= 1)   Dbprintf("Mifare: Couldn't receive tag nonce"); 
2367                 nt 
= bytes_to_num(receivedAnswer
, 4); 
2369                 // Transmit reader nonce with fake par 
2370                 ReaderTransmitPar(mf_nr_ar
, sizeof(mf_nr_ar
), par
, NULL
); 
                // clock calibration: measure how far the PRNG advanced between two AUTHs and
                // correct sync_cycles until consecutive AUTHs yield the same nonce
2372                 if (first_try 
&& previous_nt 
&& !nt_attacked
) { // we didn't calibrate our clock yet 
2373                         int nt_distance 
= dist_nt(previous_nt
, nt
); 
2374                         if (nt_distance 
== 0) { 
2377                                 if (nt_distance 
== -99999) { // invalid nonce received 
2378                                         unexpected_random
++; 
2379                                         if (unexpected_random 
> MAX_UNEXPECTED_RANDOM
) { 
2380                                                 isOK 
= -3;              // Card has an unpredictable PRNG. Give up       
2383                                                 continue;               // continue trying... 
2386                                 if (++sync_tries 
> MAX_SYNC_TRIES
) { 
                                        // NOTE(review): `>` lets strategy == MAX_STRATEGY reach the store below,
                                        // which indexes past debug_info's last row (see the declaration)
2387                                         if (strategy 
> MAX_STRATEGY 
|| MF_DBGLEVEL 
< 3) { 
2388                                                 isOK 
= -4;                      // Card's PRNG runs at an unexpected frequency or resets unexpectedly 
2390                                         } else {                                // continue for a while, just to collect some debug info 
2391                                                 debug_info
[strategy
][debug_info_nr
] = nt_distance
; 
2393                                                 if (debug_info_nr 
== NUM_DEBUG_INFOS
) { 
                                // the distance is spread over the PRNG periods that elapsed since the previous AUTH
2400                                 sync_cycles 
= (sync_cycles 
- nt_distance
/elapsed_prng_sequences
); 
2401                                 if (sync_cycles 
<= 0) { 
2402                                         sync_cycles 
+= PRNG_SEQUENCE_LENGTH
; 
2404                                 if (MF_DBGLEVEL 
>= 3) { 
2405                                         Dbprintf("calibrating in cycle %d. nt_distance=%d, elapsed_prng_sequences=%d, new sync_cycles: %d\n", i
, nt_distance
, elapsed_prng_sequences
, sync_cycles
); 
2411                 if ((nt 
!= nt_attacked
) && nt_attacked
) {       // we somehow lost sync. Try to catch up again... 
2412                         catch_up_cycles 
= -dist_nt(nt_attacked
, nt
); 
                        // dist_nt's -99999 "invalid nonce" sentinel, negated above
2413                         if (catch_up_cycles 
== 99999) {                 // invalid nonce received. Don't resync on that one. 
2414                                 catch_up_cycles 
= 0; 
2417                         catch_up_cycles 
/= elapsed_prng_sequences
; 
2418                         if (catch_up_cycles 
== last_catch_up
) { 
2419                                 consecutive_resyncs
++; 
2422                                 last_catch_up 
= catch_up_cycles
; 
2423                             consecutive_resyncs 
= 0; 
                        // up to three identical one-off corrections; on the fourth the period itself is adjusted
2425                         if (consecutive_resyncs 
< 3) { 
2426                                 if (MF_DBGLEVEL 
>= 3) Dbprintf("Lost sync in cycle %d. nt_distance=%d. Consecutive Resyncs = %d. Trying one time catch up...\n", i
, -catch_up_cycles
, consecutive_resyncs
); 
2429                                 sync_cycles 
= sync_cycles 
+ catch_up_cycles
; 
2430                                 if (MF_DBGLEVEL 
>= 3) Dbprintf("Lost sync in cycle %d for the fourth time consecutively (nt_distance = %d). Adjusting sync_cycles to %d.\n", i
, -catch_up_cycles
, sync_cycles
); 
2432                                 catch_up_cycles 
= 0; 
2433                                 consecutive_resyncs 
= 0; 
2438                 consecutive_resyncs 
= 0; 
2440                 // Receive answer. This will be a 4 Bit NACK when the 8 parity bits are OK after decoding 
2441                 if (ReaderReceive(receivedAnswer
, receivedAnswerPar
)) { 
2442                         catch_up_cycles 
= 8;    // the PRNG is delayed by 8 cycles due to the NAC (4Bits = 0x05 encrypted) transfer 
                                // freeze the parity bits for mf_nr_ar[0..2]; only the low 5 bits are searched from now on
2445                                 par_low 
= par
[0] & 0xE0; // there is no need to check all parities for other nt_diff. Parity Bits for mf_nr_ar[0..2] won't change 
2449                         if(led_on
) LED_B_ON(); else LED_B_OFF(); 
                        // record (parity, keystream nibble) for this nt_diff; the NACK is 0x05 under the keystream
2451                         par_list
[nt_diff
] = SwapBits(par
[0], 8); 
2452                         ks_list
[nt_diff
] = receivedAnswer
[0] ^ 0x05; 
2454                         // Test if the information is complete 
2455                         if (nt_diff 
== 0x07) { 
                        // next nt_diff, carried in bits 5..7 of mf_nr_ar[3]
2460                         nt_diff 
= (nt_diff 
+ 1) & 0x07; 
2461                         mf_nr_ar
[3] = (mf_nr_ar
[3] & 0x1F) | (nt_diff 
<< 5); 
                        // no NACK: try the next parity guess.  First phase (nt_diff == 0 on a fresh
                        // try) walks all 256 parity bytes (increment on a line not in this extract);
                        // afterwards only the low 5 bits vary and par_low is kept.
2464                         if (nt_diff 
== 0 && first_try
) 
2467                                 if (par
[0] == 0x00) {           // tried all 256 possible parities without success. Card doesn't send NACK. 
2472                                 par
[0] = ((par
[0] & 0x1F) + 1) | par_low
; 
        // strip the nt_diff bits before reporting the reader nonce
2478         mf_nr_ar
[3] &= 0x1F; 
2481                 if (MF_DBGLEVEL 
>= 3) { 
                        // NOTE(review): `<=` reads debug_info[MAX_STRATEGY][..], one row past the array
2482                         for (uint16_t i 
= 0; i 
<= MAX_STRATEGY
; i
++) { 
2483                                 for(uint16_t j 
= 0; j 
< NUM_DEBUG_INFOS
; j
++) { 
2484                                         Dbprintf("collected debug info[%d][%d] = %d", i
, j
, debug_info
[i
][j
]); 
        // result layout (28 bytes): uid[0..3] | nt | par_list[8] | ks_list[8] | mf_nr_ar[0..3]
2491         memcpy(buf 
+ 0,  uid
, 4); 
2492         num_to_bytes(nt
, 4, buf 
+ 4); 
2493         memcpy(buf 
+ 8,  par_list
, 8); 
2494         memcpy(buf 
+ 16, ks_list
, 8); 
2495         memcpy(buf 
+ 24, mf_nr_ar
, 4); 
2497         cmd_send(CMD_ACK
,isOK
,0,0,buf
,28); 
2500         FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
); 
2507   *MIFARE 1K simulate. 
2510   *     FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK 
2511   * FLAG_4B_UID_IN_DATA - means that there is a 4-byte UID in the data-section; we're expected to use that 
2512   * FLAG_7B_UID_IN_DATA - means that there is a 7-byte UID in the data-section; we're expected to use that 
2513   *     FLAG_NR_AR_ATTACK  - means we should collect NR_AR responses for bruteforcing later 
2514   *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is infinite 
2516 void Mifare1ksim(uint8_t flags
, uint8_t exitAfterNReads
, uint8_t arg2
, uint8_t *datain
) 
2518         int cardSTATE 
= MFEMUL_NOFIELD
; 
2520         int vHf 
= 0;    // in mV 
2522         uint32_t selTimer 
= 0; 
2523         uint32_t authTimer 
= 0; 
2525         uint8_t cardWRBL 
= 0; 
2526         uint8_t cardAUTHSC 
= 0; 
2527         uint8_t cardAUTHKEY 
= 0xff;  // no authentication 
2528 //      uint32_t cardRr = 0; 
2530         //uint32_t rn_enc = 0; 
2532         uint32_t cardINTREG 
= 0; 
2533         uint8_t cardINTBLOCK 
= 0; 
2534         struct Crypto1State mpcs 
= {0, 0}; 
2535         struct Crypto1State 
*pcs
; 
2537         uint32_t numReads 
= 0;//Counts numer of times reader read a block 
2538         uint8_t receivedCmd
[MAX_MIFARE_FRAME_SIZE
]; 
2539         uint8_t receivedCmd_par
[MAX_MIFARE_PARITY_SIZE
]; 
2540         uint8_t response
[MAX_MIFARE_FRAME_SIZE
]; 
2541         uint8_t response_par
[MAX_MIFARE_PARITY_SIZE
]; 
2543         uint8_t rATQA
[] = {0x04, 0x00}; // Mifare classic 1k 4BUID 
2544         uint8_t rUIDBCC1
[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; 
2545         uint8_t rUIDBCC2
[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!! 
2546         //uint8_t rSAK[] = {0x08, 0xb6, 0xdd}; // Mifare Classic 
2547         uint8_t rSAK
[] = {0x09, 0x3f, 0xcc };  // Mifare Mini  
2548         uint8_t rSAK1
[] = {0x04, 0xda, 0x17}; 
2550         uint8_t rAUTH_NT
[] = {0x01, 0x01, 0x01, 0x01}; 
2551         uint8_t rAUTH_AT
[] = {0x00, 0x00, 0x00, 0x00}; 
2553         //Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2 
2554         // This can be used in a reader-only attack. 
2555         // (it can also be retrieved via 'hf 14a list', but hey... 
2556         uint32_t ar_nr_responses
[] = {0,0,0,0,0,0,0,0,0,0}; 
2557         uint8_t ar_nr_collected 
= 0; 
2559         // Authenticate response - nonce 
2560         uint32_t nonce 
= bytes_to_num(rAUTH_NT
, 4); 
2562         //-- Determine the UID 
2563         // Can be set from emulator memory, incoming data 
2564         // and can be 7 or 4 bytes long 
2565         if (flags 
& FLAG_4B_UID_IN_DATA
) 
2567                 // 4B uid comes from data-portion of packet 
2568                 memcpy(rUIDBCC1
,datain
,4); 
2569                 rUIDBCC1
[4] = rUIDBCC1
[0] ^ rUIDBCC1
[1] ^ rUIDBCC1
[2] ^ rUIDBCC1
[3]; 
2571         } else if (flags 
& FLAG_7B_UID_IN_DATA
) { 
2572                 // 7B uid comes from data-portion of packet 
2573                 memcpy(&rUIDBCC1
[1],datain
,3); 
2574                 memcpy(rUIDBCC2
, datain
+3, 4); 
2577                 // get UID from emul memory 
2578                 emlGetMemBt(receivedCmd
, 7, 1); 
2579                 _7BUID 
= !(receivedCmd
[0] == 0x00); 
2580                 if (!_7BUID
) {                     // ---------- 4BUID 
2581                         emlGetMemBt(rUIDBCC1
, 0, 4); 
2582                 } else {                           // ---------- 7BUID 
2583                         emlGetMemBt(&rUIDBCC1
[1], 0, 3); 
2584                         emlGetMemBt(rUIDBCC2
, 3, 4); 
2589         ar_nr_responses
[0*5]   = bytes_to_num(rUIDBCC1
+1, 3); 
2591                 ar_nr_responses
[0*5+1] = bytes_to_num(rUIDBCC2
, 4); 
2594          * Regardless of what method was used to set the UID, set fifth byte and modify 
2595          * the ATQA for 4 or 7-byte UID 
2597         rUIDBCC1
[4] = rUIDBCC1
[0] ^ rUIDBCC1
[1] ^ rUIDBCC1
[2] ^ rUIDBCC1
[3]; 
2601                 rUIDBCC1
[4] = rUIDBCC1
[0] ^ rUIDBCC1
[1] ^ rUIDBCC1
[2] ^ rUIDBCC1
[3]; 
2602                 rUIDBCC2
[4] = rUIDBCC2
[0] ^ rUIDBCC2
[1] ^ rUIDBCC2
[2] ^ rUIDBCC2
[3]; 
2605         if (MF_DBGLEVEL 
>= 1)   { 
2607                         Dbprintf("4B UID: %02x%02x%02x%02x",  
2608                                 rUIDBCC1
[0], rUIDBCC1
[1], rUIDBCC1
[2], rUIDBCC1
[3]); 
2610                         Dbprintf("7B UID: (%02x)%02x%02x%02x%02x%02x%02x%02x", 
2611                                 rUIDBCC1
[0], rUIDBCC1
[1], rUIDBCC1
[2], rUIDBCC1
[3], 
2612                                 rUIDBCC2
[0], rUIDBCC2
[1] ,rUIDBCC2
[2], rUIDBCC2
[3]); 
2616         // We need to listen to the high-frequency, peak-detected path. 
2617         iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN
); 
2619         // free eventually allocated BigBuf memory but keep Emulator Memory 
2620         BigBuf_free_keep_EM(); 
2627         bool finished 
= FALSE
; 
2628         while (!BUTTON_PRESS() && !finished
) { 
2631                 // find reader field 
2632                 if (cardSTATE 
== MFEMUL_NOFIELD
) { 
2633                         vHf 
= (MAX_ADC_HF_VOLTAGE 
* AvgAdc(ADC_CHAN_HF
)) >> 10; 
2634                         if (vHf 
> MF_MINFIELDV
) { 
2635                                 cardSTATE_TO_IDLE(); 
2639                 if(cardSTATE 
== MFEMUL_NOFIELD
) continue; 
2642                 res 
= EmGetCmd(receivedCmd
, &len
, receivedCmd_par
); 
2643                 if (res 
== 2) { //Field is off! 
2644                         cardSTATE 
= MFEMUL_NOFIELD
; 
2647                 } else if (res 
== 1) { 
2648                         break;  //return value 1 means button press 
2651                 // REQ or WUP request in ANY state and WUP in HALTED state 
2652                 if (len 
== 1 && ((receivedCmd
[0] == 0x26 && cardSTATE 
!= MFEMUL_HALTED
) || receivedCmd
[0] == 0x52)) { 
2653                         selTimer 
= GetTickCount(); 
2654                         EmSendCmdEx(rATQA
, sizeof(rATQA
), (receivedCmd
[0] == 0x52)); 
2655                         cardSTATE 
= MFEMUL_SELECT1
; 
2657                         // init crypto block 
2660                         crypto1_destroy(pcs
); 
2665                 switch (cardSTATE
) { 
2666                         case MFEMUL_NOFIELD
: 
2669                                 LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
); 
2672                         case MFEMUL_SELECT1
:{ 
2674                                 if (len 
== 2 && (receivedCmd
[0] == 0x93 && receivedCmd
[1] == 0x20)) { 
2675                                         if (MF_DBGLEVEL 
>= 4)   Dbprintf("SELECT ALL received"); 
2676                                         EmSendCmd(rUIDBCC1
, sizeof(rUIDBCC1
)); 
2680                                 if (MF_DBGLEVEL 
>= 4 && len 
== 9 && receivedCmd
[0] == 0x93 && receivedCmd
[1] == 0x70 ) 
2682                                         Dbprintf("SELECT %02x%02x%02x%02x received",receivedCmd
[2],receivedCmd
[3],receivedCmd
[4],receivedCmd
[5]); 
2686                                                 (receivedCmd
[0] == 0x93 && receivedCmd
[1] == 0x70 && memcmp(&receivedCmd
[2], rUIDBCC1
, 4) == 0)) { 
2687                                         EmSendCmd(_7BUID
?rSAK1
:rSAK
, _7BUID
?sizeof(rSAK1
):sizeof(rSAK
)); 
2688                                         cuid 
= bytes_to_num(rUIDBCC1
, 4); 
2690                                                 cardSTATE 
= MFEMUL_WORK
; 
2692                                                 if (MF_DBGLEVEL 
>= 4)   Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer
); 
2695                                                 cardSTATE 
= MFEMUL_SELECT2
; 
2703                                         cardSTATE_TO_IDLE(); 
2704                                         LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
); 
2708                                 uint32_t ar 
= bytes_to_num(receivedCmd
, 4); 
2709                                 uint32_t nr 
= bytes_to_num(&receivedCmd
[4], 4); 
2712                                 //if(ar_nr_collected < 2 && cardAUTHSC == 2){ 
2713                                 if(ar_nr_collected 
< 2){ 
2714                                         if(ar_nr_responses
[2] != ar
) 
2715                                         {// Avoid duplicates... probably not necessary, ar should vary.  
2716                                                 //ar_nr_responses[ar_nr_collected*5]   = 0; 
2717                                                 //ar_nr_responses[ar_nr_collected*5+1] = 0; 
2718                                                 ar_nr_responses
[ar_nr_collected
*5+2] = nonce
; 
2719                                                 ar_nr_responses
[ar_nr_collected
*5+3] = nr
; 
2720                                                 ar_nr_responses
[ar_nr_collected
*5+4] = ar
; 
2723                                         // Interactive mode flag, means we need to send ACK 
2724                                         if(flags 
& FLAG_INTERACTIVE 
&& ar_nr_collected 
== 2) 
2731                                 //crypto1_word(pcs, ar , 1); 
2732                                 //cardRr = nr ^ crypto1_word(pcs, 0, 0); 
2735                                 //if (cardRr != prng_successor(nonce, 64)){ 
2737                                         //if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x", 
2738                                         //      cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B', 
2739                                         //              cardRr, prng_successor(nonce, 64)); 
2740                                         // Shouldn't we respond anything here? 
2741                                         // Right now, we don't nack or anything, which causes the 
2742                                         // reader to do a WUPA after a while. /Martin 
2743                                         // -- which is the correct response. /piwi 
2744                                         //cardSTATE_TO_IDLE(); 
2745                                         //LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); 
2749                                 ans 
= prng_successor(nonce
, 96) ^ crypto1_word(pcs
, 0, 0); 
2751                                 num_to_bytes(ans
, 4, rAUTH_AT
); 
2753                                 EmSendCmd(rAUTH_AT
, sizeof(rAUTH_AT
)); 
2755                                 cardSTATE 
= MFEMUL_WORK
; 
2756                                 if (MF_DBGLEVEL 
>= 4)   Dbprintf("AUTH COMPLETED for sector %d with key %c. time=%d",  
2757                                         cardAUTHSC
, cardAUTHKEY 
== 0 ? 'A' : 'B', 
2758                                         GetTickCount() - authTimer
); 
2761                         case MFEMUL_SELECT2
:{ 
2763                                         LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
); 
2766                                 if (len 
== 2 && (receivedCmd
[0] == 0x95 && receivedCmd
[1] == 0x20)) { 
2767                                         EmSendCmd(rUIDBCC2
, sizeof(rUIDBCC2
)); 
2773                                                 (receivedCmd
[0] == 0x95 && receivedCmd
[1] == 0x70 && memcmp(&receivedCmd
[2], rUIDBCC2
, 4) == 0)) { 
2774                                         EmSendCmd(rSAK
, sizeof(rSAK
)); 
2775                                         cuid 
= bytes_to_num(rUIDBCC2
, 4); 
2776                                         cardSTATE 
= MFEMUL_WORK
; 
2778                                         if (MF_DBGLEVEL 
>= 4)   Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer
); 
2782                                 // i guess there is a command). go into the work state. 
2784                                         LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
); 
2787                                 cardSTATE 
= MFEMUL_WORK
; 
2789                                 //intentional fall-through to the next case-stmt 
2794                                         LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
); 
2798                                 bool encrypted_data 
= (cardAUTHKEY 
!= 0xFF) ; 
2800                                 if(encrypted_data
) { 
2802                                         mf_crypto1_decrypt(pcs
, receivedCmd
, len
); 
2805                                 if (len 
== 4 && (receivedCmd
[0] == 0x60 || receivedCmd
[0] == 0x61)) { 
2806                                         authTimer 
= GetTickCount(); 
2807                                         cardAUTHSC 
= receivedCmd
[1] / 4;  // received block num 
2808                                         cardAUTHKEY 
= receivedCmd
[0] - 0x60; 
2809                                         crypto1_destroy(pcs
);//Added by martin 
2810                                         crypto1_create(pcs
, emlGetKey(cardAUTHSC
, cardAUTHKEY
)); 
2812                                         if (!encrypted_data
) { // first authentication 
2813                                                 if (MF_DBGLEVEL 
>= 4) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd
[1] ,receivedCmd
[1],cardAUTHKEY  
); 
2815                                                 crypto1_word(pcs
, cuid 
^ nonce
, 0);//Update crypto state 
2816                                                 num_to_bytes(nonce
, 4, rAUTH_AT
); // Send nonce 
2817                                         } else { // nested authentication 
2818                                                 if (MF_DBGLEVEL 
>= 4) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d",receivedCmd
[1] ,receivedCmd
[1],cardAUTHKEY 
); 
2819                                                 ans 
= nonce 
^ crypto1_word(pcs
, cuid 
^ nonce
, 0);  
2820                                                 num_to_bytes(ans
, 4, rAUTH_AT
); 
2823                                         EmSendCmd(rAUTH_AT
, sizeof(rAUTH_AT
)); 
2824                                         //Dbprintf("Sending rAUTH %02x%02x%02x%02x", rAUTH_AT[0],rAUTH_AT[1],rAUTH_AT[2],rAUTH_AT[3]); 
2825                                         cardSTATE 
= MFEMUL_AUTH1
; 
2829                                 // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued 
2830                                 // BUT... ACK --> NACK 
2831                                 if (len 
== 1 && receivedCmd
[0] == CARD_ACK
) { 
2832                                         EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
)); 
2836                                 // rule 12 of 7.5.3. in ISO 14443-4. R(NAK) --> R(ACK) 
2837                                 if (len 
== 1 && receivedCmd
[0] == CARD_NACK_NA
) { 
2838                                         EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_ACK
)); 
2843                                         LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
); 
2847                                 if(receivedCmd
[0] == 0x30 // read block 
2848                                                 || receivedCmd
[0] == 0xA0 // write block 
2849                                                 || receivedCmd
[0] == 0xC0 // inc 
2850                                                 || receivedCmd
[0] == 0xC1 // dec 
2851                                                 || receivedCmd
[0] == 0xC2 // restore 
2852                                                 || receivedCmd
[0] == 0xB0) { // transfer 
2853                                         if (receivedCmd
[1] >= 16 * 4) { 
2854                                                 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
)); 
2855                                                 if (MF_DBGLEVEL 
>= 4) Dbprintf("Reader tried to operate (0x%02) on out of range block: %d (0x%02x), nacking",receivedCmd
[0],receivedCmd
[1],receivedCmd
[1]); 
2859                                         if (receivedCmd
[1] / 4 != cardAUTHSC
) { 
2860                                                 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
)); 
2861                                                 if (MF_DBGLEVEL 
>= 4) Dbprintf("Reader tried to operate (0x%02) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd
[0],receivedCmd
[1],cardAUTHSC
); 
2866                                 if (receivedCmd
[0] == 0x30) { 
2867                                         if (MF_DBGLEVEL 
>= 4) { 
2868                                                 Dbprintf("Reader reading block %d (0x%02x)",receivedCmd
[1],receivedCmd
[1]); 
2870                                         emlGetMem(response
, receivedCmd
[1], 1); 
2871                                         AppendCrc14443a(response
, 16); 
2872                                         mf_crypto1_encrypt(pcs
, response
, 18, response_par
); 
2873                                         EmSendCmdPar(response
, 18, response_par
); 
2875                                         if(exitAfterNReads 
> 0 && numReads 
>= exitAfterNReads
) { 
2876                                                 Dbprintf("%d reads done, exiting", numReads
); 
2882                                 if (receivedCmd
[0] == 0xA0) { 
2883                                         if (MF_DBGLEVEL 
>= 4) Dbprintf("RECV 0xA0 write block %d (%02x)",receivedCmd
[1],receivedCmd
[1]); 
2884                                         EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_ACK
)); 
2885                                         cardSTATE 
= MFEMUL_WRITEBL2
; 
2886                                         cardWRBL 
= receivedCmd
[1]; 
2889                                 // increment, decrement, restore 
2890                                 if (receivedCmd
[0] == 0xC0 || receivedCmd
[0] == 0xC1 || receivedCmd
[0] == 0xC2) { 
2891                                         if (MF_DBGLEVEL 
>= 4) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd
[0],receivedCmd
[1],receivedCmd
[1]); 
2892                                         if (emlCheckValBl(receivedCmd
[1])) { 
2893                                                 if (MF_DBGLEVEL 
>= 4) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking"); 
2894                                                 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
)); 
2897                                         EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_ACK
)); 
2898                                         if (receivedCmd
[0] == 0xC1) 
2899                                                 cardSTATE 
= MFEMUL_INTREG_INC
; 
2900                                         if (receivedCmd
[0] == 0xC0) 
2901                                                 cardSTATE 
= MFEMUL_INTREG_DEC
; 
2902                                         if (receivedCmd
[0] == 0xC2) 
2903                                                 cardSTATE 
= MFEMUL_INTREG_REST
; 
2904                                         cardWRBL 
= receivedCmd
[1]; 
2908                                 if (receivedCmd
[0] == 0xB0) { 
2909                                         if (MF_DBGLEVEL 
>= 4) Dbprintf("RECV 0x%02x transfer block %d (%02x)",receivedCmd
[0],receivedCmd
[1],receivedCmd
[1]); 
2910                                         if (emlSetValBl(cardINTREG
, cardINTBLOCK
, receivedCmd
[1])) 
2911                                                 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
)); 
2913                                                 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_ACK
)); 
2917                                 if (receivedCmd
[0] == 0x50 && receivedCmd
[1] == 0x00) { 
2920                                         cardSTATE 
= MFEMUL_HALTED
; 
2921                                         if (MF_DBGLEVEL 
>= 4)   Dbprintf("--> HALTED. Selected time: %d ms",  GetTickCount() - selTimer
); 
2922                                         LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
); 
2926                                 if (receivedCmd
[0] == 0xe0) {//RATS 
2927                                         EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
)); 
2930                                 // command not allowed 
2931                                 if (MF_DBGLEVEL 
>= 4)   Dbprintf("Received command not allowed, nacking"); 
2932                                 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
)); 
2935                         case MFEMUL_WRITEBL2
:{ 
2937                                         mf_crypto1_decrypt(pcs
, receivedCmd
, len
); 
2938                                         emlSetMem(receivedCmd
, cardWRBL
, 1); 
2939                                         EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_ACK
)); 
2940                                         cardSTATE 
= MFEMUL_WORK
; 
2942                                         cardSTATE_TO_IDLE(); 
2943                                         LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
); 
2948                         case MFEMUL_INTREG_INC
:{ 
2949                                 mf_crypto1_decrypt(pcs
, receivedCmd
, len
); 
2950                                 memcpy(&ans
, receivedCmd
, 4); 
2951                                 if (emlGetValBl(&cardINTREG
, &cardINTBLOCK
, cardWRBL
)) { 
2952                                         EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
)); 
2953                                         cardSTATE_TO_IDLE(); 
2956                                 LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
); 
2957                                 cardINTREG 
= cardINTREG 
+ ans
; 
2958                                 cardSTATE 
= MFEMUL_WORK
; 
2961                         case MFEMUL_INTREG_DEC
:{ 
2962                                 mf_crypto1_decrypt(pcs
, receivedCmd
, len
); 
2963                                 memcpy(&ans
, receivedCmd
, 4); 
2964                                 if (emlGetValBl(&cardINTREG
, &cardINTBLOCK
, cardWRBL
)) { 
2965                                         EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
)); 
2966                                         cardSTATE_TO_IDLE(); 
2969                                 LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
); 
2970                                 cardINTREG 
= cardINTREG 
- ans
; 
2971                                 cardSTATE 
= MFEMUL_WORK
; 
2974                         case MFEMUL_INTREG_REST
:{ 
2975                                 mf_crypto1_decrypt(pcs
, receivedCmd
, len
); 
2976                                 memcpy(&ans
, receivedCmd
, 4); 
2977                                 if (emlGetValBl(&cardINTREG
, &cardINTBLOCK
, cardWRBL
)) { 
2978                                         EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
)); 
2979                                         cardSTATE_TO_IDLE(); 
2982                                 LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
); 
2983                                 cardSTATE 
= MFEMUL_WORK
; 
2989         FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
); 
2992         if(flags 
& FLAG_INTERACTIVE
)// Interactive mode flag, means we need to send ACK 
2994                 //May just aswell send the collected ar_nr in the response aswell 
2995                 uint8_t len 
= ar_nr_collected
*5*4; 
2996                 cmd_send(CMD_ACK
, CMD_SIMULATE_MIFARE_CARD
, len
, 0, &ar_nr_responses
, len
); 
2999         if(flags 
& FLAG_NR_AR_ATTACK 
&& MF_DBGLEVEL 
>= 1 ) 
3001                 if(ar_nr_collected 
> 1 ) { 
3002                         Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:"); 
3003                         Dbprintf("../tools/mfkey/mfkey32 %06x%08x %08x %08x %08x %08x %08x", 
3004                                         ar_nr_responses
[0], // UID1 
3005                                         ar_nr_responses
[1], // UID2 
3006                                         ar_nr_responses
[2], // NT 
3007                                         ar_nr_responses
[3], // AR1 
3008                                         ar_nr_responses
[4], // NR1 
3009                                         ar_nr_responses
[8], // AR2 
3010                                         ar_nr_responses
[9]  // NR2 
3012                         Dbprintf("../tools/mfkey/mfkey32v2 %06x%08x %08x %08x %08x %08x %08x %08x", 
3013                                         ar_nr_responses
[0], // UID1 
3014                                         ar_nr_responses
[1], // UID2 
3015                                         ar_nr_responses
[2], // NT1 
3016                                         ar_nr_responses
[3], // AR1 
3017                                         ar_nr_responses
[4], // NR1 
3018                                         ar_nr_responses
[7], // NT2 
3019                                         ar_nr_responses
[8], // AR2 
3020                                         ar_nr_responses
[9]  // NR2 
3023                         Dbprintf("Failed to obtain two AR/NR pairs!"); 
3024                         if(ar_nr_collected 
> 0 ) { 
3025                                 Dbprintf("Only got these: UID=%07x%08x, nonce=%08x, AR1=%08x, NR1=%08x", 
3026                                                 ar_nr_responses
[0], // UID1 
3027                                                 ar_nr_responses
[1], // UID2 
3028                                                 ar_nr_responses
[2], // NT 
3029                                                 ar_nr_responses
[3], // AR1 
3030                                                 ar_nr_responses
[4]  // NR1 
3035         if (MF_DBGLEVEL 
>= 1)   Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ", tracing
, BigBuf_get_traceLen()); 
3041 //----------------------------------------------------------------------------- 
3044 //----------------------------------------------------------------------------- 
3045 void RAMFUNC 
SniffMifare(uint8_t param
) { 
3047         // bit 0 - trigger from first card answer 
3048         // bit 1 - trigger from first reader 7-bit request 
3050         // C(red) A(yellow) B(green) 
3052         // init trace buffer 
3056         // The command (reader -> tag) that we're receiving. 
3057         // The length of a received command will in most cases be no more than 18 bytes. 
3058         // So 32 should be enough! 
3059         uint8_t receivedCmd
[MAX_MIFARE_FRAME_SIZE
]; 
3060         uint8_t receivedCmdPar
[MAX_MIFARE_PARITY_SIZE
]; 
3061         // The response (tag -> reader) that we're receiving. 
3062         uint8_t receivedResponse
[MAX_MIFARE_FRAME_SIZE
]; 
3063         uint8_t receivedResponsePar
[MAX_MIFARE_PARITY_SIZE
]; 
3065         iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER
); 
3067         // free eventually allocated BigBuf memory 
3069         // allocate the DMA buffer, used to stream samples from the FPGA 
3070         uint8_t *dmaBuf 
= BigBuf_malloc(DMA_BUFFER_SIZE
); 
3071         uint8_t *data 
= dmaBuf
; 
3072         uint8_t previous_data 
= 0; 
3075         bool ReaderIsActive 
= FALSE
; 
3076         bool TagIsActive 
= FALSE
; 
3078         // Set up the demodulator for tag -> reader responses. 
3079         DemodInit(receivedResponse
, receivedResponsePar
); 
3081         // Set up the demodulator for the reader -> tag commands 
3082         UartInit(receivedCmd
, receivedCmdPar
); 
3084         // Setup for the DMA. 
3085         FpgaSetupSscDma((uint8_t *)dmaBuf
, DMA_BUFFER_SIZE
); // set transfer address and number of bytes. Start transfer. 
3092         // And now we loop, receiving samples. 
3093         for(uint32_t sniffCounter 
= 0; TRUE
; ) { 
3095                 if(BUTTON_PRESS()) { 
3096                         DbpString("cancelled by button"); 
3103                 if ((sniffCounter 
& 0x0000FFFF) == 0) { // from time to time 
3104                         // check if a transaction is completed (timeout after 2000ms). 
3105                         // if yes, stop the DMA transfer and send what we have so far to the client 
3106                         if (MfSniffSend(2000)) {                         
3107                                 // Reset everything - we missed some sniffed data anyway while the DMA was stopped 
3111                                 ReaderIsActive 
= FALSE
; 
3112                                 TagIsActive 
= FALSE
; 
3113                                 FpgaSetupSscDma((uint8_t *)dmaBuf
, DMA_BUFFER_SIZE
); // set transfer address and number of bytes. Start transfer. 
3117                 int register readBufDataP 
= data 
- dmaBuf
;      // number of bytes we have processed so far 
3118                 int register dmaBufDataP 
= DMA_BUFFER_SIZE 
- AT91C_BASE_PDC_SSC
->PDC_RCR
; // number of bytes already transferred 
3119                 if (readBufDataP 
<= dmaBufDataP
){                       // we are processing the same block of data which is currently being transferred 
3120                         dataLen 
= dmaBufDataP 
- readBufDataP
;   // number of bytes still to be processed 
3122                         dataLen 
= DMA_BUFFER_SIZE 
- readBufDataP 
+ dmaBufDataP
; // number of bytes still to be processed 
3124                 // test for length of buffer 
3125                 if(dataLen 
> maxDataLen
) {                                      // we are more behind than ever... 
3126                         maxDataLen 
= dataLen
;                                    
3127                         if(dataLen 
> (9 * DMA_BUFFER_SIZE 
/ 10)) { 
3128                                 Dbprintf("blew circular buffer! dataLen=0x%x", dataLen
); 
3132                 if(dataLen 
< 1) continue; 
3134                 // primary buffer was stopped ( <-- we lost data! 
3135                 if (!AT91C_BASE_PDC_SSC
->PDC_RCR
) { 
3136                         AT91C_BASE_PDC_SSC
->PDC_RPR 
= (uint32_t) dmaBuf
; 
3137                         AT91C_BASE_PDC_SSC
->PDC_RCR 
= DMA_BUFFER_SIZE
; 
3138                         Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen
); // temporary 
3140                 // secondary buffer sets as primary, secondary buffer was stopped 
3141                 if (!AT91C_BASE_PDC_SSC
->PDC_RNCR
) { 
3142                         AT91C_BASE_PDC_SSC
->PDC_RNPR 
= (uint32_t) dmaBuf
; 
3143                         AT91C_BASE_PDC_SSC
->PDC_RNCR 
= DMA_BUFFER_SIZE
; 
3148                 if (sniffCounter 
& 0x01) { 
3150                         if(!TagIsActive
) {              // no need to try decoding tag data if the reader is sending 
3151                                 uint8_t readerdata 
= (previous_data 
& 0xF0) | (*data 
>> 4); 
3152                                 if(MillerDecoding(readerdata
, (sniffCounter
-1)*4)) { 
3154                                         if (MfSniffLogic(receivedCmd
, Uart
.len
, Uart
.parity
, Uart
.bitCount
, TRUE
)) break; 
3156                                         /* And ready to receive another command. */ 
3159                                         /* And also reset the demod code */ 
3162                                 ReaderIsActive 
= (Uart
.state 
!= STATE_UNSYNCD
); 
3165                         if(!ReaderIsActive
) {           // no need to try decoding tag data if the reader is sending 
3166                                 uint8_t tagdata 
= (previous_data 
<< 4) | (*data 
& 0x0F); 
3167                                 if(ManchesterDecoding(tagdata
, 0, (sniffCounter
-1)*4)) { 
3170                                         if (MfSniffLogic(receivedResponse
, Demod
.len
, Demod
.parity
, Demod
.bitCount
, FALSE
)) break; 
3172                                         // And ready to receive another response. 
3175                                         // And reset the Miller decoder including its (now outdated) input buffer 
3176                                         UartInit(receivedCmd
, receivedCmdPar
); 
3177                                         // why not UartReset? 
3179                                 TagIsActive 
= (Demod
.state 
!= DEMOD_UNSYNCD
); 
3183                 previous_data 
= *data
; 
3186                 if(data 
== dmaBuf 
+ DMA_BUFFER_SIZE
) { 
3192         FpgaDisableSscDma(); 
3195         Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.len=%x", maxDataLen
, Uart
.state
, Uart
.len
);