]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443b.c
projects / proxmark3-svn / blob
? search:


6434409d905312b945f85a139fc8a91d03cb7f18
[proxmark3-svn] / armsrc / iso14443b.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, split Nov 2006
3 // piwi 2018
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // Routines to support ISO 14443B. This includes both the reader software and
10 // the `fake tag' modes.
11 //-----------------------------------------------------------------------------
12
13 #include "iso14443b.h"
14
15 #include "proxmark3.h"
16 #include "apps.h"
17 #include "util.h"
18 #include "string.h"
19 #include "iso14443crc.h"
20 #include "fpgaloader.h"
21 #include "BigBuf.h"
22
23 #define RECEIVE_SAMPLES_TIMEOUT 64 // TR0 max is 256/fs = 256/(848kHz) = 302us or 64 samples from FPGA
24 #define ISO14443B_DMA_BUFFER_SIZE 128
25
26 // PCB Block number for APDUs
27 static uint8_t pcb_blocknum = 0;
28
29 //=============================================================================
30 // An ISO 14443 Type B tag. We listen for commands from the reader, using
31 // a UART kind of thing that's implemented in software. When we get a
32 // frame (i.e., a group of bytes between SOF and EOF), we check the CRC.
33 // If it's good, then we can do something appropriate with it, and send
34 // a response.
35 //=============================================================================
36
37 //-----------------------------------------------------------------------------
38 // Code up a string of octets at layer 2 (including CRC, we don't generate
39 // that here) so that they can be transmitted to the reader. Doesn't transmit
40 // them yet, just leaves them ready to send in ToSend[].
41 //-----------------------------------------------------------------------------
42 static void CodeIso14443bAsTag(const uint8_t *cmd, int len)
43 {
44 int i;
45
46 ToSendReset();
47
48 // Transmit a burst of ones, as the initial thing that lets the
49 // reader get phase sync. This (TR1) must be > 80/fs, per spec,
50 // but tag that I've tried (a Paypass) exceeds that by a fair bit,
51 // so I will too.
52 for(i = 0; i < 20; i++) {
53 ToSendStuffBit(1);
54 ToSendStuffBit(1);
55 ToSendStuffBit(1);
56 ToSendStuffBit(1);
57 }
58
59 // Send SOF.
60 for(i = 0; i < 10; i++) {
61 ToSendStuffBit(0);
62 ToSendStuffBit(0);
63 ToSendStuffBit(0);
64 ToSendStuffBit(0);
65 }
66 for(i = 0; i < 2; i++) {
67 ToSendStuffBit(1);
68 ToSendStuffBit(1);
69 ToSendStuffBit(1);
70 ToSendStuffBit(1);
71 }
72
73 for(i = 0; i < len; i++) {
74 int j;
75 uint8_t b = cmd[i];
76
77 // Start bit
78 ToSendStuffBit(0);
79 ToSendStuffBit(0);
80 ToSendStuffBit(0);
81 ToSendStuffBit(0);
82
83 // Data bits
84 for(j = 0; j < 8; j++) {
85 if(b & 1) {
86 ToSendStuffBit(1);
87 ToSendStuffBit(1);
88 ToSendStuffBit(1);
89 ToSendStuffBit(1);
90 } else {
91 ToSendStuffBit(0);
92 ToSendStuffBit(0);
93 ToSendStuffBit(0);
94 ToSendStuffBit(0);
95 }
96 b >>= 1;
97 }
98
99 // Stop bit
100 ToSendStuffBit(1);
101 ToSendStuffBit(1);
102 ToSendStuffBit(1);
103 ToSendStuffBit(1);
104 }
105
106 // Send EOF.
107 for(i = 0; i < 10; i++) {
108 ToSendStuffBit(0);
109 ToSendStuffBit(0);
110 ToSendStuffBit(0);
111 ToSendStuffBit(0);
112 }
113 for(i = 0; i < 2; i++) {
114 ToSendStuffBit(1);
115 ToSendStuffBit(1);
116 ToSendStuffBit(1);
117 ToSendStuffBit(1);
118 }
119
120 // Convert from last byte pos to length
121 ToSendMax++;
122 }
123
124 //-----------------------------------------------------------------------------
125 // The software UART that receives commands from the reader, and its state
126 // variables.
127 //-----------------------------------------------------------------------------
128 static struct {
129 enum {
130 STATE_UNSYNCD,
131 STATE_GOT_FALLING_EDGE_OF_SOF,
132 STATE_AWAITING_START_BIT,
133 STATE_RECEIVING_DATA
134 } state;
135 uint16_t shiftReg;
136 int bitCnt;
137 int byteCnt;
138 int byteCntMax;
139 int posCnt;
140 uint8_t *output;
141 } Uart;
142
143 /* Receive & handle a bit coming from the reader.
144 *
145 * This function is called 4 times per bit (every 2 subcarrier cycles).
146 * Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 2,36us
147 *
148 * LED handling:
149 * LED A -> ON once we have received the SOF and are expecting the rest.
150 * LED A -> OFF once we have received EOF or are in error state or unsynced
151 *
152 * Returns: true if we received a EOF
153 * false if we are still waiting for some more
154 */
155 static RAMFUNC int Handle14443bUartBit(uint8_t bit)
156 {
157 switch(Uart.state) {
158 case STATE_UNSYNCD:
159 if(!bit) {
160 // we went low, so this could be the beginning
161 // of an SOF
162 Uart.state = STATE_GOT_FALLING_EDGE_OF_SOF;
163 Uart.posCnt = 0;
164 Uart.bitCnt = 0;
165 }
166 break;
167
168 case STATE_GOT_FALLING_EDGE_OF_SOF:
169 Uart.posCnt++;
170 if(Uart.posCnt == 2) { // sample every 4 1/fs in the middle of a bit
171 if(bit) {
172 if(Uart.bitCnt > 9) {
173 // we've seen enough consecutive
174 // zeros that it's a valid SOF
175 Uart.posCnt = 0;
176 Uart.byteCnt = 0;
177 Uart.state = STATE_AWAITING_START_BIT;
178 LED_A_ON(); // Indicate we got a valid SOF
179 } else {
180 // didn't stay down long enough
181 // before going high, error
182 Uart.state = STATE_UNSYNCD;
183 }
184 } else {
185 // do nothing, keep waiting
186 }
187 Uart.bitCnt++;
188 }
189 if(Uart.posCnt >= 4) Uart.posCnt = 0;
190 if(Uart.bitCnt > 12) {
191 // Give up if we see too many zeros without
192 // a one, too.
193 LED_A_OFF();
194 Uart.state = STATE_UNSYNCD;
195 }
196 break;
197
198 case STATE_AWAITING_START_BIT:
199 Uart.posCnt++;
200 if(bit) {
201 if(Uart.posCnt > 50/2) { // max 57us between characters = 49 1/fs, max 3 etus after low phase of SOF = 24 1/fs
202 // stayed high for too long between
203 // characters, error
204 Uart.state = STATE_UNSYNCD;
205 }
206 } else {
207 // falling edge, this starts the data byte
208 Uart.posCnt = 0;
209 Uart.bitCnt = 0;
210 Uart.shiftReg = 0;
211 Uart.state = STATE_RECEIVING_DATA;
212 }
213 break;
214
215 case STATE_RECEIVING_DATA:
216 Uart.posCnt++;
217 if(Uart.posCnt == 2) {
218 // time to sample a bit
219 Uart.shiftReg >>= 1;
220 if(bit) {
221 Uart.shiftReg |= 0x200;
222 }
223 Uart.bitCnt++;
224 }
225 if(Uart.posCnt >= 4) {
226 Uart.posCnt = 0;
227 }
228 if(Uart.bitCnt == 10) {
229 if((Uart.shiftReg & 0x200) && !(Uart.shiftReg & 0x001))
230 {
231 // this is a data byte, with correct
232 // start and stop bits
233 Uart.output[Uart.byteCnt] = (Uart.shiftReg >> 1) & 0xff;
234 Uart.byteCnt++;
235
236 if(Uart.byteCnt >= Uart.byteCntMax) {
237 // Buffer overflowed, give up
238 LED_A_OFF();
239 Uart.state = STATE_UNSYNCD;
240 } else {
241 // so get the next byte now
242 Uart.posCnt = 0;
243 Uart.state = STATE_AWAITING_START_BIT;
244 }
245 } else if (Uart.shiftReg == 0x000) {
246 // this is an EOF byte
247 LED_A_OFF(); // Finished receiving
248 Uart.state = STATE_UNSYNCD;
249 if (Uart.byteCnt != 0) {
250 return true;
251 }
252 } else {
253 // this is an error
254 LED_A_OFF();
255 Uart.state = STATE_UNSYNCD;
256 }
257 }
258 break;
259
260 default:
261 LED_A_OFF();
262 Uart.state = STATE_UNSYNCD;
263 break;
264 }
265
266 return false;
267 }
268
269
270 static void UartReset()
271 {
272 Uart.byteCntMax = MAX_FRAME_SIZE;
273 Uart.state = STATE_UNSYNCD;
274 Uart.byteCnt = 0;
275 Uart.bitCnt = 0;
276 }
277
278
279 static void UartInit(uint8_t *data)
280 {
281 Uart.output = data;
282 UartReset();
283 }
284
285
286 //-----------------------------------------------------------------------------
287 // Receive a command (from the reader to us, where we are the simulated tag),
288 // and store it in the given buffer, up to the given maximum length. Keeps
289 // spinning, waiting for a well-framed command, until either we get one
290 // (returns true) or someone presses the pushbutton on the board (false).
291 //
292 // Assume that we're called with the SSC (to the FPGA) and ADC path set
293 // correctly.
294 //-----------------------------------------------------------------------------
295 static int GetIso14443bCommandFromReader(uint8_t *received, uint16_t *len)
296 {
297 // Set FPGA mode to "simulated ISO 14443B tag", no modulation (listen
298 // only, since we are receiving, not transmitting).
299 // Signal field is off with the appropriate LED
300 LED_D_OFF();
301 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
302
303 // Now run a `software UART' on the stream of incoming samples.
304 UartInit(received);
305
306 for(;;) {
307 WDT_HIT();
308
309 if(BUTTON_PRESS()) return false;
310
311 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
312 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
313 for(uint8_t mask = 0x80; mask != 0x00; mask >>= 1) {
314 if(Handle14443bUartBit(b & mask)) {
315 *len = Uart.byteCnt;
316 return true;
317 }
318 }
319 }
320 }
321
322 return false;
323 }
324
325 //-----------------------------------------------------------------------------
326 // Main loop of simulated tag: receive commands from reader, decide what
327 // response to send, and send it.
328 //-----------------------------------------------------------------------------
329 void SimulateIso14443bTag(void)
330 {
331 LED_A_ON();
332 // the only commands we understand is WUPB, AFI=0, Select All, N=1:
333 static const uint8_t cmd1[] = { 0x05, 0x00, 0x08, 0x39, 0x73 }; // WUPB
334 // ... and REQB, AFI=0, Normal Request, N=1:
335 static const uint8_t cmd2[] = { 0x05, 0x00, 0x00, 0x71, 0xFF }; // REQB
336 // ... and HLTB
337 static const uint8_t cmd3[] = { 0x50, 0xff, 0xff, 0xff, 0xff }; // HLTB
338 // ... and ATTRIB
339 static const uint8_t cmd4[] = { 0x1D, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; // ATTRIB
340
341 // ... and we always respond with ATQB, PUPI = 820de174, Application Data = 0x20381922,
342 // supports only 106kBit/s in both directions, max frame size = 32Bytes,
343 // supports ISO14443-4, FWI=8 (77ms), NAD supported, CID not supported:
344 static const uint8_t response1[] = {
345 0x50, 0x82, 0x0d, 0xe1, 0x74, 0x20, 0x38, 0x19, 0x22,
346 0x00, 0x21, 0x85, 0x5e, 0xd7
347 };
348 // response to HLTB and ATTRIB
349 static const uint8_t response2[] = {0x00, 0x78, 0xF0};
350
351
352 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
353
354 clear_trace();
355 set_tracing(true);
356
357 const uint8_t *resp;
358 uint8_t *respCode;
359 uint16_t respLen, respCodeLen;
360
361 // allocate command receive buffer
362 BigBuf_free();
363 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
364
365 uint16_t len;
366 uint16_t cmdsRecvd = 0;
367
368 // prepare the (only one) tag answer:
369 CodeIso14443bAsTag(response1, sizeof(response1));
370 uint8_t *resp1Code = BigBuf_malloc(ToSendMax);
371 memcpy(resp1Code, ToSend, ToSendMax);
372 uint16_t resp1CodeLen = ToSendMax;
373
374 // prepare the (other) tag answer:
375 CodeIso14443bAsTag(response2, sizeof(response2));
376 uint8_t *resp2Code = BigBuf_malloc(ToSendMax);
377 memcpy(resp2Code, ToSend, ToSendMax);
378 uint16_t resp2CodeLen = ToSendMax;
379
380 // We need to listen to the high-frequency, peak-detected path.
381 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
382 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR);
383
384 cmdsRecvd = 0;
385
386 for(;;) {
387
388 if(!GetIso14443bCommandFromReader(receivedCmd, &len)) {
389 Dbprintf("button pressed, received %d commands", cmdsRecvd);
390 break;
391 }
392
393 LogTrace(receivedCmd, len, 0, 0, NULL, true);
394
395 // Good, look at the command now.
396 if ( (len == sizeof(cmd1) && memcmp(receivedCmd, cmd1, len) == 0)
397 || (len == sizeof(cmd2) && memcmp(receivedCmd, cmd2, len) == 0) ) {
398 resp = response1;
399 respLen = sizeof(response1);
400 respCode = resp1Code;
401 respCodeLen = resp1CodeLen;
402 } else if ( (len == sizeof(cmd3) && receivedCmd[0] == cmd3[0])
403 || (len == sizeof(cmd4) && receivedCmd[0] == cmd4[0]) ) {
404 resp = response2;
405 respLen = sizeof(response2);
406 respCode = resp2Code;
407 respCodeLen = resp2CodeLen;
408 } else {
409 Dbprintf("new cmd from reader: len=%d, cmdsRecvd=%d", len, cmdsRecvd);
410 // And print whether the CRC fails, just for good measure
411 uint8_t b1, b2;
412 if (len >= 3){ // if crc exists
413 ComputeCrc14443(CRC_14443_B, receivedCmd, len-2, &b1, &b2);
414 if(b1 != receivedCmd[len-2] || b2 != receivedCmd[len-1]) {
415 // Not so good, try again.
416 DbpString("+++CRC fail");
417
418 } else {
419 DbpString("CRC passes");
420 }
421 }
422 //get rid of compiler warning
423 respCodeLen = 0;
424 resp = response1;
425 respLen = 0;
426 respCode = resp1Code;
427 //don't crash at new command just wait and see if reader will send other new cmds.
428 //break;
429 }
430
431 cmdsRecvd++;
432
433 if(cmdsRecvd > 0x30) {
434 DbpString("many commands later...");
435 break;
436 }
437
438 if(respCodeLen <= 0) continue;
439
440 // Modulate BPSK
441 // Signal field is off with the appropriate LED
442 LED_D_OFF();
443 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK);
444 AT91C_BASE_SSC->SSC_THR = 0xff;
445 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR);
446
447 // Transmit the response.
448 uint16_t i = 0;
449 for(;;) {
450 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
451 uint8_t b = respCode[i];
452
453 AT91C_BASE_SSC->SSC_THR = b;
454
455 i++;
456 if(i > respCodeLen) {
457 break;
458 }
459 }
460 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
461 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
462 (void)b;
463 }
464 }
465
466 // trace the response:
467 LogTrace(resp, respLen, 0, 0, NULL, false);
468
469 }
470
471 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
472 LED_A_OFF();
473 }
474
475 //=============================================================================
476 // An ISO 14443 Type B reader. We take layer two commands, code them
477 // appropriately, and then send them to the tag. We then listen for the
478 // tag's response, which we leave in the buffer to be demodulated on the
479 // PC side.
480 //=============================================================================
481
482 static struct {
483 enum {
484 DEMOD_UNSYNCD,
485 DEMOD_PHASE_REF_TRAINING,
486 DEMOD_AWAITING_FALLING_EDGE_OF_SOF,
487 DEMOD_GOT_FALLING_EDGE_OF_SOF,
488 DEMOD_AWAITING_START_BIT,
489 DEMOD_RECEIVING_DATA
490 } state;
491 int bitCount;
492 int posCount;
493 int thisBit;
494 /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
495 int metric;
496 int metricN;
497 */
498 uint16_t shiftReg;
499 uint8_t *output;
500 int len;
501 int sumI;
502 int sumQ;
503 } Demod;
504
505 /*
506 * Handles reception of a bit from the tag
507 *
508 * This function is called 2 times per bit (every 4 subcarrier cycles).
509 * Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 4,72us
510 *
511 * LED handling:
512 * LED C -> ON once we have received the SOF and are expecting the rest.
513 * LED C -> OFF once we have received EOF or are unsynced
514 *
515 * Returns: true if we received a EOF
516 * false if we are still waiting for some more
517 *
518 */
519 static RAMFUNC int Handle14443bSamplesDemod(int ci, int cq)
520 {
521 int v;
522
523 // The soft decision on the bit uses an estimate of just the
524 // quadrant of the reference angle, not the exact angle.
525 #define MAKE_SOFT_DECISION() { \
526 if(Demod.sumI > 0) { \
527 v = ci; \
528 } else { \
529 v = -ci; \
530 } \
531 if(Demod.sumQ > 0) { \
532 v += cq; \
533 } else { \
534 v -= cq; \
535 } \
536 }
537
538 #define SUBCARRIER_DETECT_THRESHOLD 8
539
540 // Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by max(abs(ci),abs(cq)) + 1/2*min(abs(ci),abs(cq)))
541 #define AMPLITUDE(ci,cq) (MAX(ABS(ci),ABS(cq)) + (MIN(ABS(ci),ABS(cq))/2))
542 switch(Demod.state) {
543 case DEMOD_UNSYNCD:
544 if(AMPLITUDE(ci,cq) > SUBCARRIER_DETECT_THRESHOLD) { // subcarrier detected
545 Demod.state = DEMOD_PHASE_REF_TRAINING;
546 Demod.sumI = ci;
547 Demod.sumQ = cq;
548 Demod.posCount = 1;
549 }
550 break;
551
552 case DEMOD_PHASE_REF_TRAINING:
553 if(Demod.posCount < 8) {
554 if (AMPLITUDE(ci,cq) > SUBCARRIER_DETECT_THRESHOLD) {
555 // set the reference phase (will code a logic '1') by averaging over 32 1/fs.
556 // note: synchronization time > 80 1/fs
557 Demod.sumI += ci;
558 Demod.sumQ += cq;
559 Demod.posCount++;
560 } else { // subcarrier lost
561 Demod.state = DEMOD_UNSYNCD;
562 }
563 } else {
564 Demod.state = DEMOD_AWAITING_FALLING_EDGE_OF_SOF;
565 }
566 break;
567
568 case DEMOD_AWAITING_FALLING_EDGE_OF_SOF:
569 MAKE_SOFT_DECISION();
570 if(v < 0) { // logic '0' detected
571 Demod.state = DEMOD_GOT_FALLING_EDGE_OF_SOF;
572 Demod.posCount = 0; // start of SOF sequence
573 } else {
574 if(Demod.posCount > 200/4) { // maximum length of TR1 = 200 1/fs
575 Demod.state = DEMOD_UNSYNCD;
576 }
577 }
578 Demod.posCount++;
579 break;
580
581 case DEMOD_GOT_FALLING_EDGE_OF_SOF:
582 Demod.posCount++;
583 MAKE_SOFT_DECISION();
584 if(v > 0) {
585 if(Demod.posCount < 9*2) { // low phase of SOF too short (< 9 etu). Note: spec is >= 10, but FPGA tends to "smear" edges
586 Demod.state = DEMOD_UNSYNCD;
587 } else {
588 LED_C_ON(); // Got SOF
589 Demod.posCount = 0;
590 Demod.bitCount = 0;
591 Demod.len = 0;
592 Demod.state = DEMOD_AWAITING_START_BIT;
593 /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
594 Demod.metricN = 0;
595 Demod.metric = 0;
596 */
597 }
598 } else {
599 if(Demod.posCount > 12*2) { // low phase of SOF too long (> 12 etu)
600 Demod.state = DEMOD_UNSYNCD;
601 LED_C_OFF();
602 }
603 }
604 break;
605
606 case DEMOD_AWAITING_START_BIT:
607 Demod.posCount++;
608 MAKE_SOFT_DECISION();
609 if (v > 0) {
610 if (Demod.posCount > 3*2) { // max 19us between characters = 16 1/fs, max 3 etu after low phase of SOF = 24 1/fs
611 LED_C_OFF();
612 if (Demod.bitCount == 0 && Demod.len == 0) { // received SOF only, this is valid for iClass/Picopass
613 return true;
614 } else {
615 Demod.state = DEMOD_UNSYNCD;
616 }
617 }
618 } else { // start bit detected
619 Demod.posCount = 1; // this was the first half
620 Demod.thisBit = v;
621 Demod.shiftReg = 0;
622 Demod.state = DEMOD_RECEIVING_DATA;
623 }
624 break;
625
626 case DEMOD_RECEIVING_DATA:
627 MAKE_SOFT_DECISION();
628 if (Demod.posCount == 0) { // first half of bit
629 Demod.thisBit = v;
630 Demod.posCount = 1;
631 } else { // second half of bit
632 Demod.thisBit += v;
633
634 /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
635 if(Demod.thisBit > 0) {
636 Demod.metric += Demod.thisBit;
637 } else {
638 Demod.metric -= Demod.thisBit;
639 }
640 (Demod.metricN)++;
641 */
642
643 Demod.shiftReg >>= 1;
644 if (Demod.thisBit > 0) { // logic '1'
645 Demod.shiftReg |= 0x200;
646 }
647
648 Demod.bitCount++;
649 if (Demod.bitCount == 10) {
650 uint16_t s = Demod.shiftReg;
651 if ((s & 0x200) && !(s & 0x001)) { // stop bit == '1', start bit == '0'
652 uint8_t b = (s >> 1);
653 Demod.output[Demod.len] = b;
654 Demod.len++;
655 Demod.bitCount = 0;
656 Demod.state = DEMOD_AWAITING_START_BIT;
657 } else {
658 Demod.state = DEMOD_UNSYNCD;
659 LED_C_OFF();
660 if (s == 0x000) {
661 // This is EOF (start, stop and all data bits == '0'
662 return true;
663 }
664 }
665 }
666 Demod.posCount = 0;
667 }
668 break;
669
670 default:
671 Demod.state = DEMOD_UNSYNCD;
672 LED_C_OFF();
673 break;
674 }
675
676 return false;
677 }
678
679
680 static void DemodReset()
681 {
682 // Clear out the state of the "UART" that receives from the tag.
683 Demod.len = 0;
684 Demod.state = DEMOD_UNSYNCD;
685 Demod.posCount = 0;
686 memset(Demod.output, 0x00, MAX_FRAME_SIZE);
687 }
688
689
690 static void DemodInit(uint8_t *data)
691 {
692 Demod.output = data;
693 DemodReset();
694 }
695
696
697 /*
698 * Demodulate the samples we received from the tag, also log to tracebuffer
699 * quiet: set to 'true' to disable debug output
700 */
701 static int GetSamplesFor14443bDemod(int timeout, bool quiet) {
702 int ret = 0;
703 int maxBehindBy = 0;
704 bool gotFrame = false;
705 int lastRxCounter, samples = 0;
706 int8_t ci, cq;
707
708 // Allocate memory from BigBuf for some buffers
709 // free all previous allocations first
710 BigBuf_free();
711
712 // The response (tag -> reader) that we're receiving.
713 uint8_t *receivedResponse = BigBuf_malloc(MAX_FRAME_SIZE);
714
715 // The DMA buffer, used to stream samples from the FPGA
716 uint16_t *dmaBuf = (uint16_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE * sizeof(uint16_t));
717
718 // Set up the demodulator for tag -> reader responses.
719 DemodInit(receivedResponse);
720
721 // wait for last transfer to complete
722 while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY))
723
724 // Setup and start DMA.
725 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
726 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE);
727
728 uint16_t *upTo = dmaBuf;
729 lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
730
731 // Signal field is ON with the appropriate LED:
732 LED_D_ON();
733 // And put the FPGA in the appropriate mode
734 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_848_KHZ | FPGA_HF_READER_MODE_RECEIVE_IQ);
735
736 for(;;) {
737 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) & (ISO14443B_DMA_BUFFER_SIZE-1);
738 if(behindBy > maxBehindBy) {
739 maxBehindBy = behindBy;
740 }
741
742 if(behindBy < 1) continue;
743
744 ci = *upTo >> 8;
745 cq = *upTo;
746 upTo++;
747 lastRxCounter--;
748 if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content.
749 upTo = dmaBuf; // start reading the circular buffer from the beginning
750 lastRxCounter += ISO14443B_DMA_BUFFER_SIZE;
751 }
752 if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { // DMA Counter Register had reached 0, already rotated.
753 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; // refresh the DMA Next Buffer and
754 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE; // DMA Next Counter registers
755 }
756 samples++;
757
758 if (Handle14443bSamplesDemod(ci, cq)) {
759 ret = Demod.len;
760 gotFrame = true;
761 break;
762 }
763
764 if(samples > timeout && Demod.state < DEMOD_PHASE_REF_TRAINING) {
765 ret = -1;
766 LED_C_OFF();
767 break;
768 }
769 }
770
771 FpgaDisableSscDma();
772
773 if (!quiet) Dbprintf("max behindby = %d, samples = %d, gotFrame = %d, Demod.len = %d, Demod.sumI = %d, Demod.sumQ = %d", maxBehindBy, samples, gotFrame, Demod.len, Demod.sumI, Demod.sumQ);
774
775 if (ret < 0) {
776 return ret;
777 }
778 //Tracing
779 LogTrace(Demod.output, Demod.len, 0, 0, NULL, false);
780
781 return ret;
782 }
783
784
785 //-----------------------------------------------------------------------------
786 // Transmit the command (to the tag) that was placed in ToSend[].
787 //-----------------------------------------------------------------------------
788 static void TransmitFor14443b(void)
789 {
790 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_SHALLOW_MOD);
791 LED_B_ON();
792 for(int c = 0; c < ToSendMax; c++) {
793 uint8_t data = ToSend[c];
794 for (int i = 0; i < 8; i++) {
795 uint16_t send_word = (data & 0x80) ? 0x0000 : 0xffff;
796 while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) ;
797 AT91C_BASE_SSC->SSC_THR = send_word;
798 while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) ;
799 AT91C_BASE_SSC->SSC_THR = send_word;
800 data <<= 1;
801 }
802 WDT_HIT();
803 }
804 LED_B_OFF();
805 }
806
807
808 //-----------------------------------------------------------------------------
809 // Code a layer 2 command (string of octets, including CRC) into ToSend[],
810 // so that it is ready to transmit to the tag using TransmitFor14443b().
811 //-----------------------------------------------------------------------------
812 static void CodeIso14443bAsReader(const uint8_t *cmd, int len)
813 {
814 int i, j;
815 uint8_t b;
816
817 ToSendReset();
818
819 // Send SOF
820 for(i = 0; i < 10; i++) {
821 ToSendStuffBit(0);
822 }
823 ToSendStuffBit(1);
824 ToSendStuffBit(1);
825
826 for(i = 0; i < len; i++) {
827 // Start bit
828 ToSendStuffBit(0);
829 // Data bits
830 b = cmd[i];
831 for(j = 0; j < 8; j++) {
832 if(b & 1) {
833 ToSendStuffBit(1);
834 } else {
835 ToSendStuffBit(0);
836 }
837 b >>= 1;
838 }
839 // Stop bit
840 ToSendStuffBit(1);
841 }
842
843 // Send EOF
844 for(i = 0; i < 10; i++) {
845 ToSendStuffBit(0);
846 }
847 ToSendStuffBit(1);
848
849 // ensure that last byte is filled up
850 for(i = 0; i < 8; i++) {
851 ToSendStuffBit(1);
852 }
853
854 // Convert from last character reference to length
855 ToSendMax++;
856 }
857
858
859 /**
860 Convenience function to encode, transmit and trace iso 14443b comms
861 **/
862 static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len)
863 {
864 CodeIso14443bAsReader(cmd, len);
865 TransmitFor14443b();
866 LogTrace(cmd,len, 0, 0, NULL, true);
867 }
868
869 /* Sends an APDU to the tag
870 * TODO: check CRC and preamble
871 */
872 int iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *response) {
873 LED_A_ON();
874 uint8_t message_frame[message_length + 4];
875 // PCB
876 message_frame[0] = 0x0A | pcb_blocknum;
877 pcb_blocknum ^= 1;
878 // CID
879 message_frame[1] = 0;
880 // INF
881 memcpy(message_frame + 2, message, message_length);
882 // EDC (CRC)
883 ComputeCrc14443(CRC_14443_B, message_frame, message_length + 2, &message_frame[message_length + 2], &message_frame[message_length + 3]);
884 // send
885 CodeAndTransmit14443bAsReader(message_frame, message_length + 4);
886 // get response
887 int ret = GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
888 FpgaDisableTracing();
889 if (ret < 3) {
890 LED_A_OFF();
891 return 0;
892 }
893 // TODO: Check CRC
894 // copy response contents
895 if (response != NULL) {
896 memcpy(response, Demod.output, Demod.len);
897 }
898 LED_A_OFF();
899 return ret;
900 }
901
902 /* Perform the ISO 14443 B Card Selection procedure
903 * Currently does NOT do any collision handling.
904 * It expects 0-1 cards in the device's range.
905 * TODO: Support multiple cards (perform anticollision)
906 * TODO: Verify CRC checksums
907 */
908 int iso14443b_select_card()
909 {
910 // WUPB command (including CRC)
911 // Note: WUPB wakes up all tags, REQB doesn't wake up tags in HALT state
912 static const uint8_t wupb[] = { 0x05, 0x00, 0x08, 0x39, 0x73 };
913 // ATTRIB command (with space for CRC)
914 uint8_t attrib[] = { 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00};
915
916 // first, wake up the tag
917 CodeAndTransmit14443bAsReader(wupb, sizeof(wupb));
918 int ret = GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
919 // ATQB too short?
920 if (ret < 14) {
921 return 2;
922 }
923
924 // select the tag
925 // copy the PUPI to ATTRIB
926 memcpy(attrib + 1, Demod.output + 1, 4);
927 /* copy the protocol info from ATQB (Protocol Info -> Protocol_Type) into
928 ATTRIB (Param 3) */
929 attrib[7] = Demod.output[10] & 0x0F;
930 ComputeCrc14443(CRC_14443_B, attrib, 9, attrib + 9, attrib + 10);
931 CodeAndTransmit14443bAsReader(attrib, sizeof(attrib));
932 ret = GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
933 // Answer to ATTRIB too short?
934 if (ret < 3) {
935 return 2;
936 }
937 // reset PCB block number
938 pcb_blocknum = 0;
939 return 1;
940 }
941
942 // Set up ISO 14443 Type B communication (similar to iso14443a_setup)
943 void iso14443b_setup() {
944 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
945 // Set up the synchronous serial port
946 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
947 // connect Demodulated Signal to ADC:
948 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
949
950 // Signal field is on with the appropriate LED
951 LED_D_ON();
952 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_SHALLOW_MOD);
953
954 DemodReset();
955 UartReset();
956 }
957
958 //-----------------------------------------------------------------------------
959 // Read a SRI512 ISO 14443B tag.
960 //
961 // SRI512 tags are just simple memory tags, here we're looking at making a dump
962 // of the contents of the memory. No anticollision algorithm is done, we assume
963 // we have a single tag in the field.
964 //
965 // I tried to be systematic and check every answer of the tag, every CRC, etc...
966 //-----------------------------------------------------------------------------
967 void ReadSTMemoryIso14443b(uint32_t dwLast)
968 {
969 LED_A_ON();
970 uint8_t i = 0x00;
971
972 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
973 // Make sure that we start from off, since the tags are stateful;
974 // confusing things will happen if we don't reset them between reads.
975 LED_D_OFF();
976 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
977 SpinDelay(200);
978
979 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
980 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
981
982 // Now give it time to spin up.
983 // Signal field is on with the appropriate LED
984 LED_D_ON();
985 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_SHALLOW_MOD);
986 SpinDelay(200);
987
988 clear_trace();
989 set_tracing(true);
990
991 // First command: wake up the tag using the INITIATE command
992 uint8_t cmd1[] = {0x06, 0x00, 0x97, 0x5b};
993 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
994 int ret = GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
995
996 if (ret < 0) {
997 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
998 DbpString("No response from tag");
999 LEDsoff();
1000 return;
1001 } else {
1002 Dbprintf("Randomly generated Chip ID (+ 2 byte CRC): %02x %02x %02x",
1003 Demod.output[0], Demod.output[1], Demod.output[2]);
1004 }
1005
1006 // There is a response, SELECT the uid
1007 DbpString("Now SELECT tag:");
1008 cmd1[0] = 0x0E; // 0x0E is SELECT
1009 cmd1[1] = Demod.output[0];
1010 ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
1011 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
1012 ret = GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
1013 if (Demod.len != 3) {
1014 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1015 Dbprintf("Expected 3 bytes from tag, got %d", Demod.len);
1016 LEDsoff();
1017 return;
1018 }
1019 // Check the CRC of the answer:
1020 ComputeCrc14443(CRC_14443_B, Demod.output, 1 , &cmd1[2], &cmd1[3]);
1021 if(cmd1[2] != Demod.output[1] || cmd1[3] != Demod.output[2]) {
1022 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1023 DbpString("CRC Error reading select response.");
1024 LEDsoff();
1025 return;
1026 }
1027 // Check response from the tag: should be the same UID as the command we just sent:
1028 if (cmd1[1] != Demod.output[0]) {
1029 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1030 Dbprintf("Bad response to SELECT from Tag, aborting: %02x %02x", cmd1[1], Demod.output[0]);
1031 LEDsoff();
1032 return;
1033 }
1034
1035 // Tag is now selected,
1036 // First get the tag's UID:
1037 cmd1[0] = 0x0B;
1038 ComputeCrc14443(CRC_14443_B, cmd1, 1 , &cmd1[1], &cmd1[2]);
1039 CodeAndTransmit14443bAsReader(cmd1, 3); // Only first three bytes for this one
1040 ret = GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
1041 if (ret != 10) {
1042 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1043 Dbprintf("Expected 10 bytes from tag, got %d", Demod.len);
1044 LEDsoff();
1045 return;
1046 }
1047 // The check the CRC of the answer (use cmd1 as temporary variable):
1048 ComputeCrc14443(CRC_14443_B, Demod.output, 8, &cmd1[2], &cmd1[3]);
1049 if(cmd1[2] != Demod.output[8] || cmd1[3] != Demod.output[9]) {
1050 Dbprintf("CRC Error reading block! Expected: %04x got: %04x",
1051 (cmd1[2]<<8)+cmd1[3], (Demod.output[8]<<8)+Demod.output[9]);
1052 // Do not return;, let's go on... (we should retry, maybe ?)
1053 }
1054 Dbprintf("Tag UID (64 bits): %08x %08x",
1055 (Demod.output[7]<<24) + (Demod.output[6]<<16) + (Demod.output[5]<<8) + Demod.output[4],
1056 (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0]);
1057
1058 // Now loop to read all 16 blocks, address from 0 to last block
1059 Dbprintf("Tag memory dump, block 0 to %d", dwLast);
1060 cmd1[0] = 0x08;
1061 i = 0x00;
1062 dwLast++;
1063 for (;;) {
1064 if (i == dwLast) {
1065 DbpString("System area block (0xff):");
1066 i = 0xff;
1067 }
1068 cmd1[1] = i;
1069 ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
1070 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
1071 ret = GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
1072 if (ret != 6) { // Check if we got an answer from the tag
1073 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1074 DbpString("Expected 6 bytes from tag, got less...");
1075 LEDsoff();
1076 return;
1077 }
1078 // The check the CRC of the answer (use cmd1 as temporary variable):
1079 ComputeCrc14443(CRC_14443_B, Demod.output, 4, &cmd1[2], &cmd1[3]);
1080 if (cmd1[2] != Demod.output[4] || cmd1[3] != Demod.output[5]) {
1081 Dbprintf("CRC Error reading block! Expected: %04x got: %04x",
1082 (cmd1[2]<<8)+cmd1[3], (Demod.output[4]<<8)+Demod.output[5]);
1083 // Do not return;, let's go on... (we should retry, maybe ?)
1084 }
1085 // Now print out the memory location:
1086 Dbprintf("Address=%02x, Contents=%08x, CRC=%04x", i,
1087 (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0],
1088 (Demod.output[4]<<8)+Demod.output[5]);
1089 if (i == 0xff) {
1090 break;
1091 }
1092 i++;
1093 }
1094
1095 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1096 LEDsoff();
1097 }
1098
1099
1100 //=============================================================================
1101 // Finally, the `sniffer' combines elements from both the reader and
1102 // simulated tag, to show both sides of the conversation.
1103 //=============================================================================
1104
1105 //-----------------------------------------------------------------------------
1106 // Record the sequence of commands sent by the reader to the tag, with
1107 // triggering so that we start recording at the point that the tag is moved
1108 // near the reader.
1109 //-----------------------------------------------------------------------------
1110 /*
1111 * Memory usage for this function, (within BigBuf)
1112 * Last Received command (reader->tag) - MAX_FRAME_SIZE
1113 * Last Received command (tag->reader) - MAX_FRAME_SIZE
1114 * DMA Buffer - ISO14443B_DMA_BUFFER_SIZE
1115 * Demodulated samples received - all the rest
1116 */
1117 void RAMFUNC SnoopIso14443b(void)
1118 {
1119 LED_A_ON();
1120 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1121 BigBuf_free();
1122
1123 clear_trace();
1124 set_tracing(true);
1125
1126 // The DMA buffer, used to stream samples from the FPGA
1127 uint16_t *dmaBuf = (uint16_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE * sizeof(uint16_t));
1128 int lastRxCounter;
1129 uint16_t *upTo;
1130 int8_t ci, cq;
1131 int maxBehindBy = 0;
1132
1133 // Count of samples received so far, so that we can include timing
1134 // information in the trace buffer.
1135 int samples = 0;
1136
1137 DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
1138 UartInit(BigBuf_malloc(MAX_FRAME_SIZE));
1139
1140 // Print some debug information about the buffer sizes
1141 Dbprintf("Snooping buffers initialized:");
1142 Dbprintf(" Trace: %i bytes", BigBuf_max_traceLen());
1143 Dbprintf(" Reader -> tag: %i bytes", MAX_FRAME_SIZE);
1144 Dbprintf(" tag -> Reader: %i bytes", MAX_FRAME_SIZE);
1145 Dbprintf(" DMA: %i bytes", ISO14443B_DMA_BUFFER_SIZE);
1146
1147 // Signal field is off
1148 LED_D_OFF();
1149
1150 // And put the FPGA in the appropriate mode
1151 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_848_KHZ | FPGA_HF_READER_MODE_SNOOP_IQ);
1152 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1153
1154 // Setup for the DMA.
1155 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
1156 upTo = dmaBuf;
1157 lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
1158 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE);
1159
1160 bool TagIsActive = false;
1161 bool ReaderIsActive = false;
1162 // We won't start recording the frames that we acquire until we trigger.
1163 // A good trigger condition to get started is probably when we see a
1164 // reader command
1165 bool triggered = false;
1166
1167 // And now we loop, receiving samples.
1168 for(;;) {
1169 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) & (ISO14443B_DMA_BUFFER_SIZE-1);
1170 if(behindBy > maxBehindBy) {
1171 maxBehindBy = behindBy;
1172 }
1173
1174 if(behindBy < 1) continue;
1175
1176 ci = *upTo>>8;
1177 cq = *upTo;
1178 upTo++;
1179 lastRxCounter--;
1180 if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content.
1181 upTo = dmaBuf; // start reading the circular buffer from the beginning again
1182 lastRxCounter += ISO14443B_DMA_BUFFER_SIZE;
1183 if(behindBy > (9*ISO14443B_DMA_BUFFER_SIZE/10)) {
1184 Dbprintf("About to blow circular buffer - aborted! behindBy=%d", behindBy);
1185 break;
1186 }
1187 }
1188 if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { // DMA Counter Register had reached 0, already rotated.
1189 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; // refresh the DMA Next Buffer and
1190 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE; // DMA Next Counter registers
1191 WDT_HIT();
1192 if(BUTTON_PRESS()) {
1193 DbpString("cancelled");
1194 break;
1195 }
1196 }
1197
1198 samples++;
1199
1200 if (!TagIsActive) { // no need to try decoding reader data if the tag is sending
1201 if(Handle14443bUartBit(ci & 0x01)) {
1202 triggered = true;
1203 LogTrace(Uart.output, Uart.byteCnt, samples, samples, NULL, true);
1204 /* And ready to receive another command. */
1205 UartReset();
1206 /* And also reset the demod code, which might have been */
1207 /* false-triggered by the commands from the reader. */
1208 DemodReset();
1209 }
1210 if(Handle14443bUartBit(cq & 0x01)) {
1211 triggered = true;
1212 LogTrace(Uart.output, Uart.byteCnt, samples, samples, NULL, true);
1213 /* And ready to receive another command. */
1214 UartReset();
1215 /* And also reset the demod code, which might have been */
1216 /* false-triggered by the commands from the reader. */
1217 DemodReset();
1218 }
1219 ReaderIsActive = (Uart.state > STATE_GOT_FALLING_EDGE_OF_SOF);
1220 }
1221
1222 if (!ReaderIsActive && triggered) { // no need to try decoding tag data if the reader is sending or not yet triggered
1223 if (Handle14443bSamplesDemod(ci/2, cq/2) >= 0) {
1224 //Use samples as a time measurement
1225 LogTrace(Demod.output, Demod.len, samples, samples, NULL, false);
1226 // And ready to receive another response.
1227 DemodReset();
1228 }
1229 TagIsActive = (Demod.state > DEMOD_GOT_FALLING_EDGE_OF_SOF);
1230 }
1231
1232 }
1233
1234 FpgaDisableSscDma();
1235 DbpString("Snoop statistics:");
1236 Dbprintf(" Max behind by: %i", maxBehindBy);
1237 Dbprintf(" Uart State: %x", Uart.state);
1238 Dbprintf(" Uart ByteCnt: %i", Uart.byteCnt);
1239 Dbprintf(" Uart ByteCntMax: %i", Uart.byteCntMax);
1240 Dbprintf(" Trace length: %i", BigBuf_get_traceLen());
1241 LEDsoff();
1242 }
1243
1244
1245 /*
1246 * Send raw command to tag ISO14443B
1247 * @Input
1248 * datalen len of buffer data
1249 * recv bool when true wait for data from tag and send to client
1250 * powerfield bool leave the field on when true
1251 * data buffer with byte to send
1252 *
1253 * @Output
1254 * none
1255 *
1256 */
1257 void SendRawCommand14443B(uint32_t datalen, uint32_t recv, uint8_t powerfield, uint8_t data[])
1258 {
1259 LED_A_ON();
1260 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1261 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1262
1263 // switch field on and give tag some time to power up
1264 LED_D_ON();
1265 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_SHALLOW_MOD);
1266 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
1267 SpinDelay(10);
1268
1269 if (datalen){
1270 set_tracing(true);
1271
1272 CodeAndTransmit14443bAsReader(data, datalen);
1273
1274 if (recv) {
1275 int ret = GetSamplesFor14443bDemod(5*RECEIVE_SAMPLES_TIMEOUT, true);
1276 FpgaDisableTracing();
1277 uint16_t iLen = MIN(Demod.len, USB_CMD_DATA_SIZE);
1278 cmd_send(CMD_ACK, ret, 0, 0, Demod.output, iLen);
1279 }
1280
1281 FpgaDisableTracing();
1282 }
1283
1284 if (!powerfield) {
1285 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1286 LED_D_OFF();
1287 }
1288
1289 LED_A_OFF();
1290 }
1291
Proxmark3 GIT tracking
Impressum, Datenschutz