]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iclass.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
armsrc/fpgaloader.c: forgot the copyright notice
[proxmark3-svn] / armsrc / iclass.c
1 //-----------------------------------------------------------------------------
2 // Gerhard de Koning Gans - May 2008
3 // Hagen Fritsch - June 2010
4 // Gerhard de Koning Gans - May 2011
5 // Gerhard de Koning Gans - June 2012 - Added iClass card and reader emulation
6 //
7 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
8 // at your option, any later version. See the LICENSE.txt file for the text of
9 // the license.
10 //-----------------------------------------------------------------------------
11 // Routines to support iClass.
12 //-----------------------------------------------------------------------------
13 // Based on ISO14443a implementation. Still in experimental phase.
14 // Contribution made during a security research at Radboud University Nijmegen
15 //
16 // Please feel free to contribute and extend iClass support!!
17 //-----------------------------------------------------------------------------
18 //
19 // FIX:
20 // ====
21 // We still have sometimes a demodulation error when snooping iClass communication.
22 // The resulting trace of a read-block-03 command may look something like this:
23 //
24 // + 22279: : 0c 03 e8 01
25 //
26 // ...with an incorrect answer...
27 //
28 // + 85: 0: TAG ff! ff! ff! ff! ff! ff! ff! ff! bb 33 bb 00 01! 0e! 04! bb !crc
29 //
30 // We still left the error signalling bytes in the traces like 0xbb
31 //
32 // A correct trace should look like this:
33 //
34 // + 21112: : 0c 03 e8 01
35 // + 85: 0: TAG ff ff ff ff ff ff ff ff ea f5
36 //
37 //-----------------------------------------------------------------------------
38
39 #include "proxmark3.h"
40 #include "apps.h"
41 #include "util.h"
42 #include "string.h"
43 #include "common.h"
44 // Needed for CRC in emulation mode;
45 // same construction as in ISO 14443;
46 // different initial value (CRC_ICLASS)
47 #include "iso14443crc.h"
48
49 static int timeout = 4096;
50
51 // CARD TO READER
52 // Sequence D: 11110000 modulation with subcarrier during first half
53 // Sequence E: 00001111 modulation with subcarrier during second half
54 // Sequence F: 00000000 no modulation with subcarrier
55 // READER TO CARD
56 // Sequence X: 00001100 drop after half a period
57 // Sequence Y: 00000000 no drop
58 // Sequence Z: 11000000 drop at start
59 #define SEC_X 0x0c
60 #define SEC_Y 0x00
61 #define SEC_Z 0xc0
62
63 static int SendIClassAnswer(uint8_t *resp, int respLen, int delay);
64
65 //-----------------------------------------------------------------------------
66 // The software UART that receives commands from the reader, and its state
67 // variables.
68 //-----------------------------------------------------------------------------
69 static struct {
70 enum {
71 STATE_UNSYNCD,
72 STATE_START_OF_COMMUNICATION,
73 STATE_RECEIVING
74 } state;
75 uint16_t shiftReg;
76 int bitCnt;
77 int byteCnt;
78 int byteCntMax;
79 int posCnt;
80 int nOutOfCnt;
81 int OutOfCnt;
82 int syncBit;
83 int parityBits;
84 int samples;
85 int highCnt;
86 int swapper;
87 int counter;
88 int bitBuffer;
89 int dropPosition;
90 uint8_t *output;
91 } Uart;
92
93 static RAMFUNC int OutOfNDecoding(int bit)
94 {
95 //int error = 0;
96 int bitright;
97
98 if(!Uart.bitBuffer) {
99 Uart.bitBuffer = bit ^ 0xFF0;
100 return FALSE;
101 }
102 else {
103 Uart.bitBuffer <<= 4;
104 Uart.bitBuffer ^= bit;
105 }
106
107 /*if(Uart.swapper) {
108 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
109 Uart.byteCnt++;
110 Uart.swapper = 0;
111 if(Uart.byteCnt > 15) { return TRUE; }
112 }
113 else {
114 Uart.swapper = 1;
115 }*/
116
117 if(Uart.state != STATE_UNSYNCD) {
118 Uart.posCnt++;
119
120 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
121 bit = 0x00;
122 }
123 else {
124 bit = 0x01;
125 }
126 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
127 bitright = 0x00;
128 }
129 else {
130 bitright = 0x01;
131 }
132 if(bit != bitright) { bit = bitright; }
133
134
135 // So, now we only have to deal with *bit*, lets see...
136 if(Uart.posCnt == 1) {
137 // measurement first half bitperiod
138 if(!bit) {
139 // Drop in first half means that we are either seeing
140 // an SOF or an EOF.
141
142 if(Uart.nOutOfCnt == 1) {
143 // End of Communication
144 Uart.state = STATE_UNSYNCD;
145 Uart.highCnt = 0;
146 if(Uart.byteCnt == 0) {
147 // Its not straightforward to show single EOFs
148 // So just leave it and do not return TRUE
149 Uart.output[Uart.byteCnt] = 0xf0;
150 Uart.byteCnt++;
151
152 // Calculate the parity bit for the client...
153 Uart.parityBits = 1;
154 }
155 else {
156 return TRUE;
157 }
158 }
159 else if(Uart.state != STATE_START_OF_COMMUNICATION) {
160 // When not part of SOF or EOF, it is an error
161 Uart.state = STATE_UNSYNCD;
162 Uart.highCnt = 0;
163 //error = 4;
164 }
165 }
166 }
167 else {
168 // measurement second half bitperiod
169 // Count the bitslot we are in... (ISO 15693)
170 Uart.nOutOfCnt++;
171
172 if(!bit) {
173 if(Uart.dropPosition) {
174 if(Uart.state == STATE_START_OF_COMMUNICATION) {
175 //error = 1;
176 }
177 else {
178 //error = 7;
179 }
180 // It is an error if we already have seen a drop in current frame
181 Uart.state = STATE_UNSYNCD;
182 Uart.highCnt = 0;
183 }
184 else {
185 Uart.dropPosition = Uart.nOutOfCnt;
186 }
187 }
188
189 Uart.posCnt = 0;
190
191
192 if(Uart.nOutOfCnt == Uart.OutOfCnt && Uart.OutOfCnt == 4) {
193 Uart.nOutOfCnt = 0;
194
195 if(Uart.state == STATE_START_OF_COMMUNICATION) {
196 if(Uart.dropPosition == 4) {
197 Uart.state = STATE_RECEIVING;
198 Uart.OutOfCnt = 256;
199 }
200 else if(Uart.dropPosition == 3) {
201 Uart.state = STATE_RECEIVING;
202 Uart.OutOfCnt = 4;
203 //Uart.output[Uart.byteCnt] = 0xdd;
204 //Uart.byteCnt++;
205 }
206 else {
207 Uart.state = STATE_UNSYNCD;
208 Uart.highCnt = 0;
209 }
210 Uart.dropPosition = 0;
211 }
212 else {
213 // RECEIVING DATA
214 // 1 out of 4
215 if(!Uart.dropPosition) {
216 Uart.state = STATE_UNSYNCD;
217 Uart.highCnt = 0;
218 //error = 9;
219 }
220 else {
221 Uart.shiftReg >>= 2;
222
223 // Swap bit order
224 Uart.dropPosition--;
225 //if(Uart.dropPosition == 1) { Uart.dropPosition = 2; }
226 //else if(Uart.dropPosition == 2) { Uart.dropPosition = 1; }
227
228 Uart.shiftReg ^= ((Uart.dropPosition & 0x03) << 6);
229 Uart.bitCnt += 2;
230 Uart.dropPosition = 0;
231
232 if(Uart.bitCnt == 8) {
233 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
234 Uart.byteCnt++;
235
236 // Calculate the parity bit for the client...
237 Uart.parityBits <<= 1;
238 Uart.parityBits ^= OddByteParity[(Uart.shiftReg & 0xff)];
239
240 Uart.bitCnt = 0;
241 Uart.shiftReg = 0;
242 }
243 }
244 }
245 }
246 else if(Uart.nOutOfCnt == Uart.OutOfCnt) {
247 // RECEIVING DATA
248 // 1 out of 256
249 if(!Uart.dropPosition) {
250 Uart.state = STATE_UNSYNCD;
251 Uart.highCnt = 0;
252 //error = 3;
253 }
254 else {
255 Uart.dropPosition--;
256 Uart.output[Uart.byteCnt] = (Uart.dropPosition & 0xff);
257 Uart.byteCnt++;
258
259 // Calculate the parity bit for the client...
260 Uart.parityBits <<= 1;
261 Uart.parityBits ^= OddByteParity[(Uart.dropPosition & 0xff)];
262
263 Uart.bitCnt = 0;
264 Uart.shiftReg = 0;
265 Uart.nOutOfCnt = 0;
266 Uart.dropPosition = 0;
267 }
268 }
269
270 /*if(error) {
271 Uart.output[Uart.byteCnt] = 0xAA;
272 Uart.byteCnt++;
273 Uart.output[Uart.byteCnt] = error & 0xFF;
274 Uart.byteCnt++;
275 Uart.output[Uart.byteCnt] = 0xAA;
276 Uart.byteCnt++;
277 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
278 Uart.byteCnt++;
279 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
280 Uart.byteCnt++;
281 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
282 Uart.byteCnt++;
283 Uart.output[Uart.byteCnt] = 0xAA;
284 Uart.byteCnt++;
285 return TRUE;
286 }*/
287 }
288
289 }
290 else {
291 bit = Uart.bitBuffer & 0xf0;
292 bit >>= 4;
293 bit ^= 0x0F; // drops become 1s ;-)
294 if(bit) {
295 // should have been high or at least (4 * 128) / fc
296 // according to ISO this should be at least (9 * 128 + 20) / fc
297 if(Uart.highCnt == 8) {
298 // we went low, so this could be start of communication
299 // it turns out to be safer to choose a less significant
300 // syncbit... so we check whether the neighbour also represents the drop
301 Uart.posCnt = 1; // apparently we are busy with our first half bit period
302 Uart.syncBit = bit & 8;
303 Uart.samples = 3;
304 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
305 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
306 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
307 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
308 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
309 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
310 Uart.syncBit = 8;
311
312 // the first half bit period is expected in next sample
313 Uart.posCnt = 0;
314 Uart.samples = 3;
315 }
316 }
317 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
318
319 Uart.syncBit <<= 4;
320 Uart.state = STATE_START_OF_COMMUNICATION;
321 Uart.bitCnt = 0;
322 Uart.byteCnt = 0;
323 Uart.parityBits = 0;
324 Uart.nOutOfCnt = 0;
325 Uart.OutOfCnt = 4; // Start at 1/4, could switch to 1/256
326 Uart.dropPosition = 0;
327 Uart.shiftReg = 0;
328 //error = 0;
329 }
330 else {
331 Uart.highCnt = 0;
332 }
333 }
334 else {
335 if(Uart.highCnt < 8) {
336 Uart.highCnt++;
337 }
338 }
339 }
340
341 return FALSE;
342 }
343
344 //=============================================================================
345 // Manchester
346 //=============================================================================
347
348 static struct {
349 enum {
350 DEMOD_UNSYNCD,
351 DEMOD_START_OF_COMMUNICATION,
352 DEMOD_START_OF_COMMUNICATION2,
353 DEMOD_START_OF_COMMUNICATION3,
354 DEMOD_SOF_COMPLETE,
355 DEMOD_MANCHESTER_D,
356 DEMOD_MANCHESTER_E,
357 DEMOD_END_OF_COMMUNICATION,
358 DEMOD_END_OF_COMMUNICATION2,
359 DEMOD_MANCHESTER_F,
360 DEMOD_ERROR_WAIT
361 } state;
362 int bitCount;
363 int posCount;
364 int syncBit;
365 int parityBits;
366 uint16_t shiftReg;
367 int buffer;
368 int buffer2;
369 int buffer3;
370 int buff;
371 int samples;
372 int len;
373 enum {
374 SUB_NONE,
375 SUB_FIRST_HALF,
376 SUB_SECOND_HALF,
377 SUB_BOTH
378 } sub;
379 uint8_t *output;
380 } Demod;
381
382 static RAMFUNC int ManchesterDecoding(int v)
383 {
384 int bit;
385 int modulation;
386 int error = 0;
387
388 bit = Demod.buffer;
389 Demod.buffer = Demod.buffer2;
390 Demod.buffer2 = Demod.buffer3;
391 Demod.buffer3 = v;
392
393 if(Demod.buff < 3) {
394 Demod.buff++;
395 return FALSE;
396 }
397
398 if(Demod.state==DEMOD_UNSYNCD) {
399 Demod.output[Demod.len] = 0xfa;
400 Demod.syncBit = 0;
401 //Demod.samples = 0;
402 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
403
404 if(bit & 0x08) {
405 Demod.syncBit = 0x08;
406 }
407
408 if(bit & 0x04) {
409 if(Demod.syncBit) {
410 bit <<= 4;
411 }
412 Demod.syncBit = 0x04;
413 }
414
415 if(bit & 0x02) {
416 if(Demod.syncBit) {
417 bit <<= 2;
418 }
419 Demod.syncBit = 0x02;
420 }
421
422 if(bit & 0x01 && Demod.syncBit) {
423 Demod.syncBit = 0x01;
424 }
425
426 if(Demod.syncBit) {
427 Demod.len = 0;
428 Demod.state = DEMOD_START_OF_COMMUNICATION;
429 Demod.sub = SUB_FIRST_HALF;
430 Demod.bitCount = 0;
431 Demod.shiftReg = 0;
432 Demod.parityBits = 0;
433 Demod.samples = 0;
434 if(Demod.posCount) {
435 //if(trigger) LED_A_OFF(); // Not useful in this case...
436 switch(Demod.syncBit) {
437 case 0x08: Demod.samples = 3; break;
438 case 0x04: Demod.samples = 2; break;
439 case 0x02: Demod.samples = 1; break;
440 case 0x01: Demod.samples = 0; break;
441 }
442 // SOF must be long burst... otherwise stay unsynced!!!
443 if(!(Demod.buffer & Demod.syncBit) || !(Demod.buffer2 & Demod.syncBit)) {
444 Demod.state = DEMOD_UNSYNCD;
445 }
446 }
447 else {
448 // SOF must be long burst... otherwise stay unsynced!!!
449 if(!(Demod.buffer2 & Demod.syncBit) || !(Demod.buffer3 & Demod.syncBit)) {
450 Demod.state = DEMOD_UNSYNCD;
451 error = 0x88;
452 }
453
454 }
455 error = 0;
456
457 }
458 }
459 else {
460 modulation = bit & Demod.syncBit;
461 modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
462 //modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
463
464 Demod.samples += 4;
465
466 if(Demod.posCount==0) {
467 Demod.posCount = 1;
468 if(modulation) {
469 Demod.sub = SUB_FIRST_HALF;
470 }
471 else {
472 Demod.sub = SUB_NONE;
473 }
474 }
475 else {
476 Demod.posCount = 0;
477 /*(modulation && (Demod.sub == SUB_FIRST_HALF)) {
478 if(Demod.state!=DEMOD_ERROR_WAIT) {
479 Demod.state = DEMOD_ERROR_WAIT;
480 Demod.output[Demod.len] = 0xaa;
481 error = 0x01;
482 }
483 }*/
484 //else if(modulation) {
485 if(modulation) {
486 if(Demod.sub == SUB_FIRST_HALF) {
487 Demod.sub = SUB_BOTH;
488 }
489 else {
490 Demod.sub = SUB_SECOND_HALF;
491 }
492 }
493 else if(Demod.sub == SUB_NONE) {
494 if(Demod.state == DEMOD_SOF_COMPLETE) {
495 Demod.output[Demod.len] = 0x0f;
496 Demod.len++;
497 Demod.parityBits <<= 1;
498 Demod.parityBits ^= OddByteParity[0x0f];
499 Demod.state = DEMOD_UNSYNCD;
500 // error = 0x0f;
501 return TRUE;
502 }
503 else {
504 Demod.state = DEMOD_ERROR_WAIT;
505 error = 0x33;
506 }
507 /*if(Demod.state!=DEMOD_ERROR_WAIT) {
508 Demod.state = DEMOD_ERROR_WAIT;
509 Demod.output[Demod.len] = 0xaa;
510 error = 0x01;
511 }*/
512 }
513
514 switch(Demod.state) {
515 case DEMOD_START_OF_COMMUNICATION:
516 if(Demod.sub == SUB_BOTH) {
517 //Demod.state = DEMOD_MANCHESTER_D;
518 Demod.state = DEMOD_START_OF_COMMUNICATION2;
519 Demod.posCount = 1;
520 Demod.sub = SUB_NONE;
521 }
522 else {
523 Demod.output[Demod.len] = 0xab;
524 Demod.state = DEMOD_ERROR_WAIT;
525 error = 0xd2;
526 }
527 break;
528 case DEMOD_START_OF_COMMUNICATION2:
529 if(Demod.sub == SUB_SECOND_HALF) {
530 Demod.state = DEMOD_START_OF_COMMUNICATION3;
531 }
532 else {
533 Demod.output[Demod.len] = 0xab;
534 Demod.state = DEMOD_ERROR_WAIT;
535 error = 0xd3;
536 }
537 break;
538 case DEMOD_START_OF_COMMUNICATION3:
539 if(Demod.sub == SUB_SECOND_HALF) {
540 // Demod.state = DEMOD_MANCHESTER_D;
541 Demod.state = DEMOD_SOF_COMPLETE;
542 //Demod.output[Demod.len] = Demod.syncBit & 0xFF;
543 //Demod.len++;
544 }
545 else {
546 Demod.output[Demod.len] = 0xab;
547 Demod.state = DEMOD_ERROR_WAIT;
548 error = 0xd4;
549 }
550 break;
551 case DEMOD_SOF_COMPLETE:
552 case DEMOD_MANCHESTER_D:
553 case DEMOD_MANCHESTER_E:
554 // OPPOSITE FROM ISO14443 - 11110000 = 0 (1 in 14443)
555 // 00001111 = 1 (0 in 14443)
556 if(Demod.sub == SUB_SECOND_HALF) { // SUB_FIRST_HALF
557 Demod.bitCount++;
558 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
559 Demod.state = DEMOD_MANCHESTER_D;
560 }
561 else if(Demod.sub == SUB_FIRST_HALF) { // SUB_SECOND_HALF
562 Demod.bitCount++;
563 Demod.shiftReg >>= 1;
564 Demod.state = DEMOD_MANCHESTER_E;
565 }
566 else if(Demod.sub == SUB_BOTH) {
567 Demod.state = DEMOD_MANCHESTER_F;
568 }
569 else {
570 Demod.state = DEMOD_ERROR_WAIT;
571 error = 0x55;
572 }
573 break;
574
575 case DEMOD_MANCHESTER_F:
576 // Tag response does not need to be a complete byte!
577 if(Demod.len > 0 || Demod.bitCount > 0) {
578 if(Demod.bitCount > 1) { // was > 0, do not interpret last closing bit, is part of EOF
579 Demod.shiftReg >>= (9 - Demod.bitCount);
580 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
581 Demod.len++;
582 // No parity bit, so just shift a 0
583 Demod.parityBits <<= 1;
584 }
585
586 Demod.state = DEMOD_UNSYNCD;
587 return TRUE;
588 }
589 else {
590 Demod.output[Demod.len] = 0xad;
591 Demod.state = DEMOD_ERROR_WAIT;
592 error = 0x03;
593 }
594 break;
595
596 case DEMOD_ERROR_WAIT:
597 Demod.state = DEMOD_UNSYNCD;
598 break;
599
600 default:
601 Demod.output[Demod.len] = 0xdd;
602 Demod.state = DEMOD_UNSYNCD;
603 break;
604 }
605
606 /*if(Demod.bitCount>=9) {
607 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
608 Demod.len++;
609
610 Demod.parityBits <<= 1;
611 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
612
613 Demod.bitCount = 0;
614 Demod.shiftReg = 0;
615 }*/
616 if(Demod.bitCount>=8) {
617 Demod.shiftReg >>= 1;
618 Demod.output[Demod.len] = (Demod.shiftReg & 0xff);
619 Demod.len++;
620
621 // FOR ISO15639 PARITY NOT SEND OTA, JUST CALCULATE IT FOR THE CLIENT
622 Demod.parityBits <<= 1;
623 Demod.parityBits ^= OddByteParity[(Demod.shiftReg & 0xff)];
624
625 Demod.bitCount = 0;
626 Demod.shiftReg = 0;
627 }
628
629 if(error) {
630 Demod.output[Demod.len] = 0xBB;
631 Demod.len++;
632 Demod.output[Demod.len] = error & 0xFF;
633 Demod.len++;
634 Demod.output[Demod.len] = 0xBB;
635 Demod.len++;
636 Demod.output[Demod.len] = bit & 0xFF;
637 Demod.len++;
638 Demod.output[Demod.len] = Demod.buffer & 0xFF;
639 Demod.len++;
640 // Look harder ;-)
641 Demod.output[Demod.len] = Demod.buffer2 & 0xFF;
642 Demod.len++;
643 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
644 Demod.len++;
645 Demod.output[Demod.len] = 0xBB;
646 Demod.len++;
647 return TRUE;
648 }
649
650 }
651
652 } // end (state != UNSYNCED)
653
654 return FALSE;
655 }
656
657 //=============================================================================
658 // Finally, a `sniffer' for iClass communication
659 // Both sides of communication!
660 //=============================================================================
661
662 //-----------------------------------------------------------------------------
663 // Record the sequence of commands sent by the reader to the tag, with
664 // triggering so that we start recording at the point that the tag is moved
665 // near the reader.
666 //-----------------------------------------------------------------------------
667 void RAMFUNC SnoopIClass(void)
668 {
669 // DEFINED ABOVE
670 // #define RECV_CMD_OFFSET 3032
671 // #define RECV_RES_OFFSET 3096
672 // #define DMA_BUFFER_OFFSET 3160
673 // #define DMA_BUFFER_SIZE 4096
674 // #define TRACE_SIZE 3000
675
676 // We won't start recording the frames that we acquire until we trigger;
677 // a good trigger condition to get started is probably when we see a
678 // response from the tag.
679 //int triggered = FALSE; // FALSE to wait first for card
680
681 // The command (reader -> tag) that we're receiving.
682 // The length of a received command will in most cases be no more than 18 bytes.
683 // So 32 should be enough!
684 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
685 // The response (tag -> reader) that we're receiving.
686 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
687
688 // As we receive stuff, we copy it from receivedCmd or receivedResponse
689 // into trace, along with its length and other annotations.
690 //uint8_t *trace = (uint8_t *)BigBuf;
691
692 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
693
694 // reset traceLen to 0
695 iso14a_set_tracing(TRUE);
696 iso14a_clear_trace();
697 iso14a_set_trigger(FALSE);
698
699 // The DMA buffer, used to stream samples from the FPGA
700 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
701 int lastRxCounter;
702 int8_t *upTo;
703 int smpl;
704 int maxBehindBy = 0;
705
706 // Count of samples received so far, so that we can include timing
707 // information in the trace buffer.
708 int samples = 0;
709 rsamples = 0;
710
711 memset(trace, 0x44, RECV_CMD_OFFSET);
712
713 // Set up the demodulator for tag -> reader responses.
714 Demod.output = receivedResponse;
715 Demod.len = 0;
716 Demod.state = DEMOD_UNSYNCD;
717
718 // Setup for the DMA.
719 FpgaSetupSsc();
720 upTo = dmaBuf;
721 lastRxCounter = DMA_BUFFER_SIZE;
722 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
723
724 // And the reader -> tag commands
725 memset(&Uart, 0, sizeof(Uart));
726 Uart.output = receivedCmd;
727 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
728 Uart.state = STATE_UNSYNCD;
729
730 // And put the FPGA in the appropriate mode
731 // Signal field is off with the appropriate LED
732 LED_D_OFF();
733 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
734 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
735
736 int div = 0;
737 //int div2 = 0;
738 int decbyte = 0;
739 int decbyter = 0;
740
741 // And now we loop, receiving samples.
742 for(;;) {
743 LED_A_ON();
744 WDT_HIT();
745 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
746 (DMA_BUFFER_SIZE-1);
747 if(behindBy > maxBehindBy) {
748 maxBehindBy = behindBy;
749 if(behindBy > 400) {
750 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
751 goto done;
752 }
753 }
754 if(behindBy < 1) continue;
755
756 LED_A_OFF();
757 smpl = upTo[0];
758 upTo++;
759 lastRxCounter -= 1;
760 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
761 upTo -= DMA_BUFFER_SIZE;
762 lastRxCounter += DMA_BUFFER_SIZE;
763 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
764 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
765 }
766
767 //samples += 4;
768 samples += 1;
769 //div2++;
770
771 //if(div2 > 3) {
772 //div2 = 0;
773 //decbyte ^= ((smpl & 0x01) << (3 - div));
774 //decbyte ^= (((smpl & 0x01) | ((smpl & 0x02) >> 1)) << (3 - div)); // better already...
775 //decbyte ^= (((smpl & 0x01) | ((smpl & 0x02) >> 1) | ((smpl & 0x04) >> 2)) << (3 - div)); // even better...
776 if(smpl & 0xF) {
777 decbyte ^= (1 << (3 - div));
778 }
779 //decbyte ^= (MajorityNibble[(smpl & 0x0F)] << (3 - div));
780
781 // FOR READER SIDE COMMUMICATION...
782 //decbyte ^= ((smpl & 0x10) << (3 - div));
783 decbyter <<= 2;
784 decbyter ^= (smpl & 0x30);
785
786 div++;
787
788 if((div + 1) % 2 == 0) {
789 smpl = decbyter;
790 if(OutOfNDecoding((smpl & 0xF0) >> 4)) {
791 rsamples = samples - Uart.samples;
792 LED_C_ON();
793 //if(triggered) {
794 trace[traceLen++] = ((rsamples >> 0) & 0xff);
795 trace[traceLen++] = ((rsamples >> 8) & 0xff);
796 trace[traceLen++] = ((rsamples >> 16) & 0xff);
797 trace[traceLen++] = ((rsamples >> 24) & 0xff);
798 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
799 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
800 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
801 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
802 trace[traceLen++] = Uart.byteCnt;
803 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
804 traceLen += Uart.byteCnt;
805 if(traceLen > TRACE_SIZE) break;
806 //}
807 /* And ready to receive another command. */
808 Uart.state = STATE_UNSYNCD;
809 /* And also reset the demod code, which might have been */
810 /* false-triggered by the commands from the reader. */
811 Demod.state = DEMOD_UNSYNCD;
812 LED_B_OFF();
813 Uart.byteCnt = 0;
814 }
815 decbyter = 0;
816 }
817
818 if(div > 3) {
819 smpl = decbyte;
820 if(ManchesterDecoding(smpl & 0x0F)) {
821 rsamples = samples - Demod.samples;
822 LED_B_ON();
823
824 // timestamp, as a count of samples
825 trace[traceLen++] = ((rsamples >> 0) & 0xff);
826 trace[traceLen++] = ((rsamples >> 8) & 0xff);
827 trace[traceLen++] = ((rsamples >> 16) & 0xff);
828 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
829 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
830 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
831 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
832 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
833 // length
834 trace[traceLen++] = Demod.len;
835 memcpy(trace+traceLen, receivedResponse, Demod.len);
836 traceLen += Demod.len;
837 if(traceLen > TRACE_SIZE) break;
838
839 //triggered = TRUE;
840
841 // And ready to receive another response.
842 memset(&Demod, 0, sizeof(Demod));
843 Demod.output = receivedResponse;
844 Demod.state = DEMOD_UNSYNCD;
845 LED_C_OFF();
846 }
847
848 div = 0;
849 decbyte = 0x00;
850 }
851 //}
852
853 if(BUTTON_PRESS()) {
854 DbpString("cancelled_a");
855 goto done;
856 }
857 }
858
859 DbpString("COMMAND FINISHED");
860
861 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
862 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
863
864 done:
865 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
866 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
867 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
868 LED_A_OFF();
869 LED_B_OFF();
870 LED_C_OFF();
871 LED_D_OFF();
872 }
873
874 void rotateCSN(uint8_t* originalCSN, uint8_t* rotatedCSN) {
875 int i;
876 for(i = 0; i < 8; i++) {
877 rotatedCSN[i] = (originalCSN[i] >> 3) | (originalCSN[(i+1)%8] << 5);
878 }
879 }
880
881 //-----------------------------------------------------------------------------
882 // Wait for commands from reader
883 // Stop when button is pressed
884 // Or return TRUE when command is captured
885 //-----------------------------------------------------------------------------
886 static int GetIClassCommandFromReader(uint8_t *received, int *len, int maxLen)
887 {
888 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
889 // only, since we are receiving, not transmitting).
890 // Signal field is off with the appropriate LED
891 LED_D_OFF();
892 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
893
894 // Now run a `software UART' on the stream of incoming samples.
895 Uart.output = received;
896 Uart.byteCntMax = maxLen;
897 Uart.state = STATE_UNSYNCD;
898
899 for(;;) {
900 WDT_HIT();
901
902 if(BUTTON_PRESS()) return FALSE;
903
904 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
905 AT91C_BASE_SSC->SSC_THR = 0x00;
906 }
907 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
908 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
909 /*if(OutOfNDecoding((b & 0xf0) >> 4)) {
910 *len = Uart.byteCnt;
911 return TRUE;
912 }*/
913 if(OutOfNDecoding(b & 0x0f)) {
914 *len = Uart.byteCnt;
915 return TRUE;
916 }
917 }
918 }
919 }
920
921
922 //-----------------------------------------------------------------------------
923 // Prepare tag messages
924 //-----------------------------------------------------------------------------
925 static void CodeIClassTagAnswer(const uint8_t *cmd, int len)
926 {
927 int i;
928
929 ToSendReset();
930
931 // Send SOF
932 ToSend[++ToSendMax] = 0x00;
933 ToSend[++ToSendMax] = 0x00;
934 ToSend[++ToSendMax] = 0x00;
935 ToSend[++ToSendMax] = 0xff;
936 ToSend[++ToSendMax] = 0xff;
937 ToSend[++ToSendMax] = 0xff;
938 ToSend[++ToSendMax] = 0x00;
939 ToSend[++ToSendMax] = 0xff;
940
941 for(i = 0; i < len; i++) {
942 int j;
943 uint8_t b = cmd[i];
944
945 // Data bits
946 for(j = 0; j < 8; j++) {
947 if(b & 1) {
948 ToSend[++ToSendMax] = 0x00;
949 ToSend[++ToSendMax] = 0xff;
950 } else {
951 ToSend[++ToSendMax] = 0xff;
952 ToSend[++ToSendMax] = 0x00;
953 }
954 b >>= 1;
955 }
956 }
957
958 // Send EOF
959 ToSend[++ToSendMax] = 0xff;
960 ToSend[++ToSendMax] = 0x00;
961 ToSend[++ToSendMax] = 0xff;
962 ToSend[++ToSendMax] = 0xff;
963 ToSend[++ToSendMax] = 0xff;
964 ToSend[++ToSendMax] = 0x00;
965 ToSend[++ToSendMax] = 0x00;
966 ToSend[++ToSendMax] = 0x00;
967
968 // Convert from last byte pos to length
969 ToSendMax++;
970 }
971
972 // Only SOF
973 static void CodeIClassTagSOF()
974 {
975 ToSendReset();
976
977 // Send SOF
978 ToSend[++ToSendMax] = 0x00;
979 ToSend[++ToSendMax] = 0x00;
980 ToSend[++ToSendMax] = 0x00;
981 ToSend[++ToSendMax] = 0xff;
982 ToSend[++ToSendMax] = 0xff;
983 ToSend[++ToSendMax] = 0xff;
984 ToSend[++ToSendMax] = 0x00;
985 ToSend[++ToSendMax] = 0xff;
986
987 // Convert from last byte pos to length
988 ToSendMax++;
989 }
990
991 //-----------------------------------------------------------------------------
992 // Simulate iClass Card
993 // Only CSN (Card Serial Number)
994 //
995 //-----------------------------------------------------------------------------
996 void SimulateIClass(uint8_t arg0, uint8_t *datain)
997 {
998 uint8_t simType = arg0;
999
1000 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1001
1002 // Enable and clear the trace
1003 tracing = TRUE;
1004 traceLen = 0;
1005 memset(trace, 0x44, TRACE_SIZE);
1006
1007 // CSN followed by two CRC bytes
1008 uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1009 uint8_t response3[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
1010
1011 // e-Purse
1012 uint8_t response4[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1013
1014 if(simType == 0) {
1015 // Use the CSN from commandline
1016 memcpy(response3, datain, 8);
1017 }
1018
1019 // Construct anticollision-CSN
1020 rotateCSN(response3,response2);
1021
1022 // Compute CRC on both CSNs
1023 ComputeCrc14443(CRC_ICLASS, response2, 8, &response2[8], &response2[9]);
1024 ComputeCrc14443(CRC_ICLASS, response3, 8, &response3[8], &response3[9]);
1025
1026 // Reader 0a
1027 // Tag 0f
1028 // Reader 0c
1029 // Tag anticoll. CSN
1030 // Reader 81 anticoll. CSN
1031 // Tag CSN
1032
1033 uint8_t *resp;
1034 int respLen;
1035 uint8_t* respdata = NULL;
1036 int respsize = 0;
1037 uint8_t sof = 0x0f;
1038
1039 // Respond SOF -- takes 8 bytes
1040 uint8_t *resp1 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
1041 int resp1Len;
1042
1043 // Anticollision CSN (rotated CSN)
1044 // 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit)
1045 uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 10);
1046 int resp2Len;
1047
1048 // CSN
1049 // 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit)
1050 uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 190);
1051 int resp3Len;
1052
1053 // e-Purse
1054 // 144: Takes 16 bytes for SOF/EOF and 8 * 16 = 128 bytes (2 bytes/bit)
1055 uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 370);
1056 int resp4Len;
1057
1058 // + 1720..
1059 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
1060 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
1061 int len;
1062
1063 // Prepare card messages
1064 ToSendMax = 0;
1065
1066 // First card answer: SOF
1067 CodeIClassTagSOF();
1068 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1069
1070 // Anticollision CSN
1071 CodeIClassTagAnswer(response2, sizeof(response2));
1072 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1073
1074 // CSN
1075 CodeIClassTagAnswer(response3, sizeof(response3));
1076 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1077
1078 // e-Purse
1079 CodeIClassTagAnswer(response4, sizeof(response4));
1080 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1081
1082
1083 // Start from off (no field generated)
1084 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1085 SpinDelay(200);
1086
1087
1088 // We need to listen to the high-frequency, peak-detected path.
1089 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1090 FpgaSetupSsc();
1091
1092 // To control where we are in the protocol
1093 int cmdsRecvd = 0;
1094
1095 LED_A_ON();
1096 for(;;) {
1097 LED_B_OFF();
1098 //Signal tracer
1099 // Can be used to get a trigger for an oscilloscope..
1100 LED_C_OFF();
1101
1102 if(!GetIClassCommandFromReader(receivedCmd, &len, 100)) {
1103 DbpString("button press");
1104 break;
1105 }
1106 //Signal tracer
1107 LED_C_ON();
1108
1109
1110 // Okay, look at the command now.
1111 if(receivedCmd[0] == 0x0a) {
1112 // Reader in anticollission phase
1113 resp = resp1; respLen = resp1Len; //order = 1;
1114 respdata = &sof;
1115 respsize = sizeof(sof);
1116 //resp = resp2; respLen = resp2Len; order = 2;
1117 //DbpString("Hello request from reader:");
1118 } else if(receivedCmd[0] == 0x0c) {
1119 // Reader asks for anticollission CSN
1120 resp = resp2; respLen = resp2Len; //order = 2;
1121 respdata = response2;
1122 respsize = sizeof(response2);
1123 //DbpString("Reader requests anticollission CSN:");
1124 } else if(receivedCmd[0] == 0x81) {
1125 // Reader selects anticollission CSN.
1126 // Tag sends the corresponding real CSN
1127 resp = resp3; respLen = resp3Len; //order = 3;
1128 respdata = response3;
1129 respsize = sizeof(response3);
1130 //DbpString("Reader selects anticollission CSN:");
1131 } else if(receivedCmd[0] == 0x88) {
1132 // Read e-purse (88 02)
1133 resp = resp4; respLen = resp4Len; //order = 4;
1134 respdata = response4;
1135 respsize = sizeof(response4);
1136 LED_B_ON();
1137 } else if(receivedCmd[0] == 0x05) {
1138 // Reader random and reader MAC!!!
1139 // Lets store this ;-)
1140 /*
1141 Dbprintf(" CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1142 response3[0], response3[1], response3[2],
1143 response3[3], response3[4], response3[5],
1144 response3[6], response3[7]);
1145 */
1146 Dbprintf("READER AUTH (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",
1147 len,
1148 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1149 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1150 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
1151
1152 // Do not respond
1153 // We do not know what to answer, so lets keep quit
1154 resp = resp1; respLen = 0; //order = 5;
1155 respdata = NULL;
1156 respsize = 0;
1157 } else if(receivedCmd[0] == 0x00 && len == 1) {
1158 // Reader ends the session
1159 resp = resp1; respLen = 0; //order = 0;
1160 respdata = NULL;
1161 respsize = 0;
1162 } else {
1163 // Never seen this command before
1164 Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
1165 len,
1166 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1167 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1168 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
1169 // Do not respond
1170 resp = resp1; respLen = 0; //order = 0;
1171 respdata = NULL;
1172 respsize = 0;
1173 }
1174
1175 if(cmdsRecvd > 999) {
1176 DbpString("1000 commands later...");
1177 break;
1178 }
1179 else {
1180 cmdsRecvd++;
1181 }
1182
1183 if(respLen > 0) {
1184 SendIClassAnswer(resp, respLen, 21);
1185 }
1186
1187 if (tracing) {
1188 LogTrace(receivedCmd,len, rsamples, Uart.parityBits, TRUE);
1189 if (respdata != NULL) {
1190 LogTrace(respdata,respsize, rsamples, SwapBits(GetParity(respdata,respsize),respsize), FALSE);
1191 }
1192 if(traceLen > TRACE_SIZE) {
1193 DbpString("Trace full");
1194 break;
1195 }
1196 }
1197
1198 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
1199 }
1200
1201 Dbprintf("%x", cmdsRecvd);
1202 LED_A_OFF();
1203 LED_B_OFF();
1204 }
1205
1206 static int SendIClassAnswer(uint8_t *resp, int respLen, int delay)
1207 {
1208 int i = 0, d=0;//, u = 0, d = 0;
1209 uint8_t b = 0;
1210
1211 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K);
1212
1213 AT91C_BASE_SSC->SSC_THR = 0x00;
1214 FpgaSetupSsc();
1215 while(!BUTTON_PRESS()) {
1216 if((AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)){
1217 b = AT91C_BASE_SSC->SSC_RHR; (void) b;
1218 }
1219 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)){
1220 b = 0x00;
1221 if(d < delay) {
1222 d++;
1223 }
1224 else {
1225 if( i < respLen){
1226 b = resp[i];
1227 //Hack
1228 //b = 0xAC;
1229 }
1230 i++;
1231 }
1232 AT91C_BASE_SSC->SSC_THR = b;
1233 }
1234
1235 if (i > respLen +4) break;
1236 }
1237
1238 return 0;
1239 }
1240
1241 /// THE READER CODE
1242
1243 //-----------------------------------------------------------------------------
1244 // Transmit the command (to the tag) that was placed in ToSend[].
1245 //-----------------------------------------------------------------------------
1246 static void TransmitIClassCommand(const uint8_t *cmd, int len, int *samples, int *wait)
1247 {
1248 int c;
1249 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1250 AT91C_BASE_SSC->SSC_THR = 0x00;
1251 FpgaSetupSsc();
1252
1253 if (wait)
1254 if(*wait < 10)
1255 *wait = 10;
1256
1257 for(c = 0; c < *wait;) {
1258 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1259 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1260 c++;
1261 }
1262 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1263 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1264 (void)r;
1265 }
1266 WDT_HIT();
1267 }
1268
1269 uint8_t sendbyte;
1270 bool firstpart = TRUE;
1271 c = 0;
1272 for(;;) {
1273 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1274
1275 // DOUBLE THE SAMPLES!
1276 if(firstpart) {
1277 sendbyte = (cmd[c] & 0xf0) | (cmd[c] >> 4);
1278 }
1279 else {
1280 sendbyte = (cmd[c] & 0x0f) | (cmd[c] << 4);
1281 c++;
1282 }
1283 if(sendbyte == 0xff) {
1284 sendbyte = 0xfe;
1285 }
1286 AT91C_BASE_SSC->SSC_THR = sendbyte;
1287 firstpart = !firstpart;
1288
1289 if(c >= len) {
1290 break;
1291 }
1292 }
1293 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1294 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1295 (void)r;
1296 }
1297 WDT_HIT();
1298 }
1299 if (samples) *samples = (c + *wait) << 3;
1300 }
1301
1302
1303 //-----------------------------------------------------------------------------
1304 // Prepare iClass reader command to send to FPGA
1305 //-----------------------------------------------------------------------------
1306 void CodeIClassCommand(const uint8_t * cmd, int len)
1307 {
1308 int i, j, k;
1309 uint8_t b;
1310
1311 ToSendReset();
1312
1313 // Start of Communication: 1 out of 4
1314 ToSend[++ToSendMax] = 0xf0;
1315 ToSend[++ToSendMax] = 0x00;
1316 ToSend[++ToSendMax] = 0x0f;
1317 ToSend[++ToSendMax] = 0x00;
1318
1319 // Modulate the bytes
1320 for (i = 0; i < len; i++) {
1321 b = cmd[i];
1322 for(j = 0; j < 4; j++) {
1323 for(k = 0; k < 4; k++) {
1324 if(k == (b & 3)) {
1325 ToSend[++ToSendMax] = 0x0f;
1326 }
1327 else {
1328 ToSend[++ToSendMax] = 0x00;
1329 }
1330 }
1331 b >>= 2;
1332 }
1333 }
1334
1335 // End of Communication
1336 ToSend[++ToSendMax] = 0x00;
1337 ToSend[++ToSendMax] = 0x00;
1338 ToSend[++ToSendMax] = 0xf0;
1339 ToSend[++ToSendMax] = 0x00;
1340
1341 // Convert from last character reference to length
1342 ToSendMax++;
1343 }
1344
1345 void ReaderTransmitIClass(uint8_t* frame, int len)
1346 {
1347 int wait = 0;
1348 int samples = 0;
1349 int par = 0;
1350
1351 // This is tied to other size changes
1352 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
1353 CodeIClassCommand(frame,len);
1354
1355 // Select the card
1356 TransmitIClassCommand(ToSend, ToSendMax, &samples, &wait);
1357 if(trigger)
1358 LED_A_ON();
1359
1360 // Store reader command in buffer
1361 if (tracing) LogTrace(frame,len,rsamples,par,TRUE);
1362 }
1363
1364 //-----------------------------------------------------------------------------
1365 // Wait a certain time for tag response
1366 // If a response is captured return TRUE
1367 // If it takes too long return FALSE
1368 //-----------------------------------------------------------------------------
1369 static int GetIClassAnswer(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
1370 {
1371 // buffer needs to be 512 bytes
1372 int c;
1373
1374 // Set FPGA mode to "reader listen mode", no modulation (listen
1375 // only, since we are receiving, not transmitting).
1376 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1377
1378 // Now get the answer from the card
1379 Demod.output = receivedResponse;
1380 Demod.len = 0;
1381 Demod.state = DEMOD_UNSYNCD;
1382
1383 uint8_t b;
1384 if (elapsed) *elapsed = 0;
1385
1386 bool skip = FALSE;
1387
1388 c = 0;
1389 for(;;) {
1390 WDT_HIT();
1391
1392 if(BUTTON_PRESS()) return FALSE;
1393
1394 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1395 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1396 if (elapsed) (*elapsed)++;
1397 }
1398 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1399 if(c < timeout) { c++; } else { return FALSE; }
1400 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1401 skip = !skip;
1402 if(skip) continue;
1403 /*if(ManchesterDecoding((b>>4) & 0xf)) {
1404 *samples = ((c - 1) << 3) + 4;
1405 return TRUE;
1406 }*/
1407 if(ManchesterDecoding(b & 0x0f)) {
1408 *samples = c << 3;
1409 return TRUE;
1410 }
1411 }
1412 }
1413 }
1414
1415 int ReaderReceiveIClass(uint8_t* receivedAnswer)
1416 {
1417 int samples = 0;
1418 if (!GetIClassAnswer(receivedAnswer,160,&samples,0)) return FALSE;
1419 rsamples += samples;
1420 if (tracing) LogTrace(receivedAnswer,Demod.len,rsamples,Demod.parityBits,FALSE);
1421 if(samples == 0) return FALSE;
1422 return Demod.len;
1423 }
1424
1425 // Reader iClass Anticollission
1426 void ReaderIClass(uint8_t arg0) {
1427 uint8_t act_all[] = { 0x0a };
1428 uint8_t identify[] = { 0x0c };
1429 uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1430
1431 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1432
1433 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1434
1435 // Reset trace buffer
1436 memset(trace, 0x44, RECV_CMD_OFFSET);
1437 traceLen = 0;
1438
1439 // Setup SSC
1440 FpgaSetupSsc();
1441 // Start from off (no field generated)
1442 // Signal field is off with the appropriate LED
1443 LED_D_OFF();
1444 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1445 SpinDelay(200);
1446
1447 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1448
1449 // Now give it time to spin up.
1450 // Signal field is on with the appropriate LED
1451 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1452 SpinDelay(200);
1453
1454 LED_A_ON();
1455
1456 for(;;) {
1457
1458 if(traceLen > TRACE_SIZE) {
1459 DbpString("Trace full");
1460 break;
1461 }
1462
1463 if (BUTTON_PRESS()) break;
1464
1465 // Send act_all
1466 ReaderTransmitIClass(act_all, 1);
1467 // Card present?
1468 if(ReaderReceiveIClass(resp)) {
1469 ReaderTransmitIClass(identify, 1);
1470 if(ReaderReceiveIClass(resp) == 10) {
1471 // Select card
1472 memcpy(&select[1],resp,8);
1473 ReaderTransmitIClass(select, sizeof(select));
1474
1475 if(ReaderReceiveIClass(resp) == 10) {
1476 Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1477 resp[0], resp[1], resp[2],
1478 resp[3], resp[4], resp[5],
1479 resp[6], resp[7]);
1480 }
1481 // Card selected, whats next... ;-)
1482 }
1483 }
1484 WDT_HIT();
1485 }
1486
1487 LED_A_OFF();
1488 }
1489
1490
Proxmark3 GIT tracking
Impressum, Datenschutz