]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443b.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
fixed bug in ASKbiphaseDemod()
[proxmark3-svn] / armsrc / iso14443b.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, split Nov 2006
3 // piwi 2018
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // Routines to support ISO 14443B. This includes both the reader software and
10 // the `fake tag' modes.
11 //-----------------------------------------------------------------------------
12
13 #include "iso14443b.h"
14
15 #include "proxmark3.h"
16 #include "apps.h"
17 #include "util.h"
18 #include "string.h"
19 #include "iso14443crc.h"
20 #include "fpgaloader.h"
21 #include "BigBuf.h"
22
23 #define RECEIVE_SAMPLES_TIMEOUT 64 // TR0 max is 256/fs = 256/(848kHz) = 302us or 64 samples from FPGA
24 #define ISO14443B_DMA_BUFFER_SIZE 128
25
26 // PCB Block number for APDUs
27 static uint8_t pcb_blocknum = 0;
28
29 //=============================================================================
30 // An ISO 14443 Type B tag. We listen for commands from the reader, using
31 // a UART kind of thing that's implemented in software. When we get a
32 // frame (i.e., a group of bytes between SOF and EOF), we check the CRC.
33 // If it's good, then we can do something appropriate with it, and send
34 // a response.
35 //=============================================================================
36
37 //-----------------------------------------------------------------------------
38 // Code up a string of octets at layer 2 (including CRC, we don't generate
39 // that here) so that they can be transmitted to the reader. Doesn't transmit
40 // them yet, just leaves them ready to send in ToSend[].
41 //-----------------------------------------------------------------------------
42 static void CodeIso14443bAsTag(const uint8_t *cmd, int len)
43 {
44 int i;
45
46 ToSendReset();
47
48 // Transmit a burst of ones, as the initial thing that lets the
49 // reader get phase sync. This (TR1) must be > 80/fs, per spec,
50 // but tag that I've tried (a Paypass) exceeds that by a fair bit,
51 // so I will too.
52 for(i = 0; i < 20; i++) {
53 ToSendStuffBit(1);
54 ToSendStuffBit(1);
55 ToSendStuffBit(1);
56 ToSendStuffBit(1);
57 }
58
59 // Send SOF.
60 for(i = 0; i < 10; i++) {
61 ToSendStuffBit(0);
62 ToSendStuffBit(0);
63 ToSendStuffBit(0);
64 ToSendStuffBit(0);
65 }
66 for(i = 0; i < 2; i++) {
67 ToSendStuffBit(1);
68 ToSendStuffBit(1);
69 ToSendStuffBit(1);
70 ToSendStuffBit(1);
71 }
72
73 for(i = 0; i < len; i++) {
74 int j;
75 uint8_t b = cmd[i];
76
77 // Start bit
78 ToSendStuffBit(0);
79 ToSendStuffBit(0);
80 ToSendStuffBit(0);
81 ToSendStuffBit(0);
82
83 // Data bits
84 for(j = 0; j < 8; j++) {
85 if(b & 1) {
86 ToSendStuffBit(1);
87 ToSendStuffBit(1);
88 ToSendStuffBit(1);
89 ToSendStuffBit(1);
90 } else {
91 ToSendStuffBit(0);
92 ToSendStuffBit(0);
93 ToSendStuffBit(0);
94 ToSendStuffBit(0);
95 }
96 b >>= 1;
97 }
98
99 // Stop bit
100 ToSendStuffBit(1);
101 ToSendStuffBit(1);
102 ToSendStuffBit(1);
103 ToSendStuffBit(1);
104 }
105
106 // Send EOF.
107 for(i = 0; i < 10; i++) {
108 ToSendStuffBit(0);
109 ToSendStuffBit(0);
110 ToSendStuffBit(0);
111 ToSendStuffBit(0);
112 }
113 for(i = 0; i < 2; i++) {
114 ToSendStuffBit(1);
115 ToSendStuffBit(1);
116 ToSendStuffBit(1);
117 ToSendStuffBit(1);
118 }
119
120 // Convert from last byte pos to length
121 ToSendMax++;
122 }
123
124 //-----------------------------------------------------------------------------
125 // The software UART that receives commands from the reader, and its state
126 // variables.
127 //-----------------------------------------------------------------------------
128 static struct {
129 enum {
130 STATE_UNSYNCD,
131 STATE_GOT_FALLING_EDGE_OF_SOF,
132 STATE_AWAITING_START_BIT,
133 STATE_RECEIVING_DATA
134 } state;
135 uint16_t shiftReg;
136 int bitCnt;
137 int byteCnt;
138 int byteCntMax;
139 int posCnt;
140 uint8_t *output;
141 } Uart;
142
143 /* Receive & handle a bit coming from the reader.
144 *
145 * This function is called 4 times per bit (every 2 subcarrier cycles).
146 * Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 2,36us
147 *
148 * LED handling:
149 * LED A -> ON once we have received the SOF and are expecting the rest.
150 * LED A -> OFF once we have received EOF or are in error state or unsynced
151 *
152 * Returns: true if we received a EOF
153 * false if we are still waiting for some more
154 */
155 static RAMFUNC int Handle14443bUartBit(uint8_t bit)
156 {
157 switch(Uart.state) {
158 case STATE_UNSYNCD:
159 if(!bit) {
160 // we went low, so this could be the beginning
161 // of an SOF
162 Uart.state = STATE_GOT_FALLING_EDGE_OF_SOF;
163 Uart.posCnt = 0;
164 Uart.bitCnt = 0;
165 }
166 break;
167
168 case STATE_GOT_FALLING_EDGE_OF_SOF:
169 Uart.posCnt++;
170 if(Uart.posCnt == 2) { // sample every 4 1/fs in the middle of a bit
171 if(bit) {
172 if(Uart.bitCnt > 9) {
173 // we've seen enough consecutive
174 // zeros that it's a valid SOF
175 Uart.posCnt = 0;
176 Uart.byteCnt = 0;
177 Uart.state = STATE_AWAITING_START_BIT;
178 LED_A_ON(); // Indicate we got a valid SOF
179 } else {
180 // didn't stay down long enough
181 // before going high, error
182 Uart.state = STATE_UNSYNCD;
183 }
184 } else {
185 // do nothing, keep waiting
186 }
187 Uart.bitCnt++;
188 }
189 if(Uart.posCnt >= 4) Uart.posCnt = 0;
190 if(Uart.bitCnt > 12) {
191 // Give up if we see too many zeros without
192 // a one, too.
193 LED_A_OFF();
194 Uart.state = STATE_UNSYNCD;
195 }
196 break;
197
198 case STATE_AWAITING_START_BIT:
199 Uart.posCnt++;
200 if(bit) {
201 if(Uart.posCnt > 50/2) { // max 57us between characters = 49 1/fs, max 3 etus after low phase of SOF = 24 1/fs
202 // stayed high for too long between
203 // characters, error
204 Uart.state = STATE_UNSYNCD;
205 }
206 } else {
207 // falling edge, this starts the data byte
208 Uart.posCnt = 0;
209 Uart.bitCnt = 0;
210 Uart.shiftReg = 0;
211 Uart.state = STATE_RECEIVING_DATA;
212 }
213 break;
214
215 case STATE_RECEIVING_DATA:
216 Uart.posCnt++;
217 if(Uart.posCnt == 2) {
218 // time to sample a bit
219 Uart.shiftReg >>= 1;
220 if(bit) {
221 Uart.shiftReg |= 0x200;
222 }
223 Uart.bitCnt++;
224 }
225 if(Uart.posCnt >= 4) {
226 Uart.posCnt = 0;
227 }
228 if(Uart.bitCnt == 10) {
229 if((Uart.shiftReg & 0x200) && !(Uart.shiftReg & 0x001))
230 {
231 // this is a data byte, with correct
232 // start and stop bits
233 Uart.output[Uart.byteCnt] = (Uart.shiftReg >> 1) & 0xff;
234 Uart.byteCnt++;
235
236 if(Uart.byteCnt >= Uart.byteCntMax) {
237 // Buffer overflowed, give up
238 LED_A_OFF();
239 Uart.state = STATE_UNSYNCD;
240 } else {
241 // so get the next byte now
242 Uart.posCnt = 0;
243 Uart.state = STATE_AWAITING_START_BIT;
244 }
245 } else if (Uart.shiftReg == 0x000) {
246 // this is an EOF byte
247 LED_A_OFF(); // Finished receiving
248 Uart.state = STATE_UNSYNCD;
249 if (Uart.byteCnt != 0) {
250 return true;
251 }
252 } else {
253 // this is an error
254 LED_A_OFF();
255 Uart.state = STATE_UNSYNCD;
256 }
257 }
258 break;
259
260 default:
261 LED_A_OFF();
262 Uart.state = STATE_UNSYNCD;
263 break;
264 }
265
266 return false;
267 }
268
269
270 static void UartReset()
271 {
272 Uart.byteCntMax = MAX_FRAME_SIZE;
273 Uart.state = STATE_UNSYNCD;
274 Uart.byteCnt = 0;
275 Uart.bitCnt = 0;
276 }
277
278
279 static void UartInit(uint8_t *data)
280 {
281 Uart.output = data;
282 UartReset();
283 }
284
285
286 //-----------------------------------------------------------------------------
287 // Receive a command (from the reader to us, where we are the simulated tag),
288 // and store it in the given buffer, up to the given maximum length. Keeps
289 // spinning, waiting for a well-framed command, until either we get one
290 // (returns true) or someone presses the pushbutton on the board (false).
291 //
292 // Assume that we're called with the SSC (to the FPGA) and ADC path set
293 // correctly.
294 //-----------------------------------------------------------------------------
295 static int GetIso14443bCommandFromReader(uint8_t *received, uint16_t *len)
296 {
297 // Set FPGA mode to "simulated ISO 14443B tag", no modulation (listen
298 // only, since we are receiving, not transmitting).
299 // Signal field is off with the appropriate LED
300 LED_D_OFF();
301 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
302
303 // Now run a `software UART' on the stream of incoming samples.
304 UartInit(received);
305
306 for(;;) {
307 WDT_HIT();
308
309 if(BUTTON_PRESS()) return false;
310
311 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
312 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
313 for(uint8_t mask = 0x80; mask != 0x00; mask >>= 1) {
314 if(Handle14443bUartBit(b & mask)) {
315 *len = Uart.byteCnt;
316 return true;
317 }
318 }
319 }
320 }
321
322 return false;
323 }
324
325 //-----------------------------------------------------------------------------
326 // Main loop of simulated tag: receive commands from reader, decide what
327 // response to send, and send it.
328 //-----------------------------------------------------------------------------
329 void SimulateIso14443bTag(void)
330 {
331 LED_A_ON();
332 // the only commands we understand is WUPB, AFI=0, Select All, N=1:
333 static const uint8_t cmd1[] = { 0x05, 0x00, 0x08, 0x39, 0x73 }; // WUPB
334 // ... and REQB, AFI=0, Normal Request, N=1:
335 static const uint8_t cmd2[] = { 0x05, 0x00, 0x00, 0x71, 0xFF }; // REQB
336 // ... and HLTB
337 static const uint8_t cmd3[] = { 0x50, 0xff, 0xff, 0xff, 0xff }; // HLTB
338 // ... and ATTRIB
339 static const uint8_t cmd4[] = { 0x1D, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; // ATTRIB
340
341 // ... and we always respond with ATQB, PUPI = 820de174, Application Data = 0x20381922,
342 // supports only 106kBit/s in both directions, max frame size = 32Bytes,
343 // supports ISO14443-4, FWI=8 (77ms), NAD supported, CID not supported:
344 static const uint8_t response1[] = {
345 0x50, 0x82, 0x0d, 0xe1, 0x74, 0x20, 0x38, 0x19, 0x22,
346 0x00, 0x21, 0x85, 0x5e, 0xd7
347 };
348 // response to HLTB and ATTRIB
349 static const uint8_t response2[] = {0x00, 0x78, 0xF0};
350
351
352 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
353
354 clear_trace();
355 set_tracing(true);
356
357 const uint8_t *resp;
358 uint8_t *respCode;
359 uint16_t respLen, respCodeLen;
360
361 // allocate command receive buffer
362 BigBuf_free();
363 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
364
365 uint16_t len;
366 uint16_t cmdsRecvd = 0;
367
368 // prepare the (only one) tag answer:
369 CodeIso14443bAsTag(response1, sizeof(response1));
370 uint8_t *resp1Code = BigBuf_malloc(ToSendMax);
371 memcpy(resp1Code, ToSend, ToSendMax);
372 uint16_t resp1CodeLen = ToSendMax;
373
374 // prepare the (other) tag answer:
375 CodeIso14443bAsTag(response2, sizeof(response2));
376 uint8_t *resp2Code = BigBuf_malloc(ToSendMax);
377 memcpy(resp2Code, ToSend, ToSendMax);
378 uint16_t resp2CodeLen = ToSendMax;
379
380 // We need to listen to the high-frequency, peak-detected path.
381 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
382 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR);
383
384 cmdsRecvd = 0;
385
386 for(;;) {
387
388 if(!GetIso14443bCommandFromReader(receivedCmd, &len)) {
389 Dbprintf("button pressed, received %d commands", cmdsRecvd);
390 break;
391 }
392
393 LogTrace(receivedCmd, len, 0, 0, NULL, true);
394
395 // Good, look at the command now.
396 if ( (len == sizeof(cmd1) && memcmp(receivedCmd, cmd1, len) == 0)
397 || (len == sizeof(cmd2) && memcmp(receivedCmd, cmd2, len) == 0) ) {
398 resp = response1;
399 respLen = sizeof(response1);
400 respCode = resp1Code;
401 respCodeLen = resp1CodeLen;
402 } else if ( (len == sizeof(cmd3) && receivedCmd[0] == cmd3[0])
403 || (len == sizeof(cmd4) && receivedCmd[0] == cmd4[0]) ) {
404 resp = response2;
405 respLen = sizeof(response2);
406 respCode = resp2Code;
407 respCodeLen = resp2CodeLen;
408 } else {
409 Dbprintf("new cmd from reader: len=%d, cmdsRecvd=%d", len, cmdsRecvd);
410 // And print whether the CRC fails, just for good measure
411 uint8_t b1, b2;
412 if (len >= 3){ // if crc exists
413 ComputeCrc14443(CRC_14443_B, receivedCmd, len-2, &b1, &b2);
414 if(b1 != receivedCmd[len-2] || b2 != receivedCmd[len-1]) {
415 // Not so good, try again.
416 DbpString("+++CRC fail");
417
418 } else {
419 DbpString("CRC passes");
420 }
421 }
422 //get rid of compiler warning
423 respCodeLen = 0;
424 resp = response1;
425 respLen = 0;
426 respCode = resp1Code;
427 //don't crash at new command just wait and see if reader will send other new cmds.
428 //break;
429 }
430
431 cmdsRecvd++;
432
433 if(cmdsRecvd > 0x30) {
434 DbpString("many commands later...");
435 break;
436 }
437
438 if(respCodeLen <= 0) continue;
439
440 // Modulate BPSK
441 // Signal field is off with the appropriate LED
442 LED_D_OFF();
443 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK);
444 AT91C_BASE_SSC->SSC_THR = 0xff;
445 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR);
446
447 // Transmit the response.
448 uint16_t i = 0;
449 for(;;) {
450 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
451 uint8_t b = respCode[i];
452
453 AT91C_BASE_SSC->SSC_THR = b;
454
455 i++;
456 if(i > respCodeLen) {
457 break;
458 }
459 }
460 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
461 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
462 (void)b;
463 }
464 }
465
466 // trace the response:
467 LogTrace(resp, respLen, 0, 0, NULL, false);
468
469 }
470
471 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
472 LED_A_OFF();
473 }
474
475 //=============================================================================
476 // An ISO 14443 Type B reader. We take layer two commands, code them
477 // appropriately, and then send them to the tag. We then listen for the
478 // tag's response, which we leave in the buffer to be demodulated on the
479 // PC side.
480 //=============================================================================
481
482 static struct {
483 enum {
484 DEMOD_UNSYNCD,
485 DEMOD_PHASE_REF_TRAINING,
486 DEMOD_AWAITING_FALLING_EDGE_OF_SOF,
487 DEMOD_GOT_FALLING_EDGE_OF_SOF,
488 DEMOD_AWAITING_START_BIT,
489 DEMOD_RECEIVING_DATA
490 } state;
491 int bitCount;
492 int posCount;
493 int thisBit;
494 /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
495 int metric;
496 int metricN;
497 */
498 uint16_t shiftReg;
499 uint8_t *output;
500 int len;
501 int sumI;
502 int sumQ;
503 } Demod;
504
505 /*
506 * Handles reception of a bit from the tag
507 *
508 * This function is called 2 times per bit (every 4 subcarrier cycles).
509 * Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 4,72us
510 *
511 * LED handling:
512 * LED C -> ON once we have received the SOF and are expecting the rest.
513 * LED C -> OFF once we have received EOF or are unsynced
514 *
515 * Returns: true if we received a EOF
516 * false if we are still waiting for some more
517 *
518 */
519 static RAMFUNC int Handle14443bSamplesDemod(int ci, int cq)
520 {
521 int v;
522
523 // The soft decision on the bit uses an estimate of just the
524 // quadrant of the reference angle, not the exact angle.
525 #define MAKE_SOFT_DECISION() { \
526 if(Demod.sumI > 0) { \
527 v = ci; \
528 } else { \
529 v = -ci; \
530 } \
531 if(Demod.sumQ > 0) { \
532 v += cq; \
533 } else { \
534 v -= cq; \
535 } \
536 }
537
538 #define SUBCARRIER_DETECT_THRESHOLD 8
539
540 // Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by max(abs(ci),abs(cq)) + 1/2*min(abs(ci),abs(cq)))
541 #define AMPLITUDE(ci,cq) (MAX(ABS(ci),ABS(cq)) + (MIN(ABS(ci),ABS(cq))/2))
542 switch(Demod.state) {
543 case DEMOD_UNSYNCD:
544 if(AMPLITUDE(ci,cq) > SUBCARRIER_DETECT_THRESHOLD) { // subcarrier detected
545 Demod.state = DEMOD_PHASE_REF_TRAINING;
546 Demod.sumI = ci;
547 Demod.sumQ = cq;
548 Demod.posCount = 1;
549 }
550 break;
551
552 case DEMOD_PHASE_REF_TRAINING:
553 if(Demod.posCount < 8) {
554 if (AMPLITUDE(ci,cq) > SUBCARRIER_DETECT_THRESHOLD) {
555 // set the reference phase (will code a logic '1') by averaging over 32 1/fs.
556 // note: synchronization time > 80 1/fs
557 Demod.sumI += ci;
558 Demod.sumQ += cq;
559 Demod.posCount++;
560 } else { // subcarrier lost
561 Demod.state = DEMOD_UNSYNCD;
562 }
563 } else {
564 Demod.state = DEMOD_AWAITING_FALLING_EDGE_OF_SOF;
565 }
566 break;
567
568 case DEMOD_AWAITING_FALLING_EDGE_OF_SOF:
569 MAKE_SOFT_DECISION();
570 if(v < 0) { // logic '0' detected
571 Demod.state = DEMOD_GOT_FALLING_EDGE_OF_SOF;
572 Demod.posCount = 0; // start of SOF sequence
573 } else {
574 if(Demod.posCount > 200/4) { // maximum length of TR1 = 200 1/fs
575 Demod.state = DEMOD_UNSYNCD;
576 }
577 }
578 Demod.posCount++;
579 break;
580
581 case DEMOD_GOT_FALLING_EDGE_OF_SOF:
582 Demod.posCount++;
583 MAKE_SOFT_DECISION();
584 if(v > 0) {
585 if(Demod.posCount < 9*2) { // low phase of SOF too short (< 9 etu). Note: spec is >= 10, but FPGA tends to "smear" edges
586 Demod.state = DEMOD_UNSYNCD;
587 } else {
588 LED_C_ON(); // Got SOF
589 Demod.state = DEMOD_AWAITING_START_BIT;
590 Demod.posCount = 0;
591 Demod.len = 0;
592 /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
593 Demod.metricN = 0;
594 Demod.metric = 0;
595 */
596 }
597 } else {
598 if(Demod.posCount > 12*2) { // low phase of SOF too long (> 12 etu)
599 Demod.state = DEMOD_UNSYNCD;
600 LED_C_OFF();
601 }
602 }
603 break;
604
605 case DEMOD_AWAITING_START_BIT:
606 Demod.posCount++;
607 MAKE_SOFT_DECISION();
608 if(v > 0) {
609 if(Demod.posCount > 3*2) { // max 19us between characters = 16 1/fs, max 3 etu after low phase of SOF = 24 1/fs
610 Demod.state = DEMOD_UNSYNCD;
611 LED_C_OFF();
612 }
613 } else { // start bit detected
614 Demod.bitCount = 0;
615 Demod.posCount = 1; // this was the first half
616 Demod.thisBit = v;
617 Demod.shiftReg = 0;
618 Demod.state = DEMOD_RECEIVING_DATA;
619 }
620 break;
621
622 case DEMOD_RECEIVING_DATA:
623 MAKE_SOFT_DECISION();
624 if(Demod.posCount == 0) { // first half of bit
625 Demod.thisBit = v;
626 Demod.posCount = 1;
627 } else { // second half of bit
628 Demod.thisBit += v;
629
630 /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
631 if(Demod.thisBit > 0) {
632 Demod.metric += Demod.thisBit;
633 } else {
634 Demod.metric -= Demod.thisBit;
635 }
636 (Demod.metricN)++;
637 */
638
639 Demod.shiftReg >>= 1;
640 if(Demod.thisBit > 0) { // logic '1'
641 Demod.shiftReg |= 0x200;
642 }
643
644 Demod.bitCount++;
645 if(Demod.bitCount == 10) {
646 uint16_t s = Demod.shiftReg;
647 if((s & 0x200) && !(s & 0x001)) { // stop bit == '1', start bit == '0'
648 uint8_t b = (s >> 1);
649 Demod.output[Demod.len] = b;
650 Demod.len++;
651 Demod.state = DEMOD_AWAITING_START_BIT;
652 } else {
653 Demod.state = DEMOD_UNSYNCD;
654 LED_C_OFF();
655 if(s == 0x000) {
656 // This is EOF (start, stop and all data bits == '0'
657 return true;
658 }
659 }
660 }
661 Demod.posCount = 0;
662 }
663 break;
664
665 default:
666 Demod.state = DEMOD_UNSYNCD;
667 LED_C_OFF();
668 break;
669 }
670
671 return false;
672 }
673
674
675 static void DemodReset()
676 {
677 // Clear out the state of the "UART" that receives from the tag.
678 Demod.len = 0;
679 Demod.state = DEMOD_UNSYNCD;
680 Demod.posCount = 0;
681 memset(Demod.output, 0x00, MAX_FRAME_SIZE);
682 }
683
684
685 static void DemodInit(uint8_t *data)
686 {
687 Demod.output = data;
688 DemodReset();
689 }
690
691
692 /*
693 * Demodulate the samples we received from the tag, also log to tracebuffer
694 * quiet: set to 'true' to disable debug output
695 */
696 static void GetSamplesFor14443bDemod(int timeout, bool quiet)
697 {
698 int maxBehindBy = 0;
699 bool gotFrame = false;
700 int lastRxCounter, samples = 0;
701 int8_t ci, cq;
702
703 // Allocate memory from BigBuf for some buffers
704 // free all previous allocations first
705 BigBuf_free();
706
707 // The response (tag -> reader) that we're receiving.
708 uint8_t *receivedResponse = BigBuf_malloc(MAX_FRAME_SIZE);
709
710 // The DMA buffer, used to stream samples from the FPGA
711 uint16_t *dmaBuf = (uint16_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE * sizeof(uint16_t));
712
713 // Set up the demodulator for tag -> reader responses.
714 DemodInit(receivedResponse);
715
716 // wait for last transfer to complete
717 while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY))
718
719 // Setup and start DMA.
720 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
721 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE);
722
723 uint16_t *upTo = dmaBuf;
724 lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
725
726 // Signal field is ON with the appropriate LED:
727 LED_D_ON();
728 // And put the FPGA in the appropriate mode
729 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_848_KHZ | FPGA_HF_READER_MODE_RECEIVE_IQ);
730
731 for(;;) {
732 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) & (ISO14443B_DMA_BUFFER_SIZE-1);
733 if(behindBy > maxBehindBy) {
734 maxBehindBy = behindBy;
735 }
736
737 if(behindBy < 1) continue;
738
739 ci = *upTo >> 8;
740 cq = *upTo;
741 upTo++;
742 lastRxCounter--;
743 if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content.
744 upTo = dmaBuf; // start reading the circular buffer from the beginning
745 lastRxCounter += ISO14443B_DMA_BUFFER_SIZE;
746 }
747 if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { // DMA Counter Register had reached 0, already rotated.
748 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; // refresh the DMA Next Buffer and
749 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE; // DMA Next Counter registers
750 }
751 samples++;
752
753 if(Handle14443bSamplesDemod(ci, cq)) {
754 gotFrame = true;
755 break;
756 }
757
758 if(samples > timeout && Demod.state < DEMOD_PHASE_REF_TRAINING) {
759 LED_C_OFF();
760 break;
761 }
762 }
763
764 FpgaDisableSscDma();
765
766 if (!quiet) Dbprintf("max behindby = %d, samples = %d, gotFrame = %d, Demod.len = %d, Demod.sumI = %d, Demod.sumQ = %d", maxBehindBy, samples, gotFrame, Demod.len, Demod.sumI, Demod.sumQ);
767 //Tracing
768 if (Demod.len > 0) {
769 LogTrace(Demod.output, Demod.len, 0, 0, NULL, false);
770 }
771 }
772
773
774 //-----------------------------------------------------------------------------
775 // Transmit the command (to the tag) that was placed in ToSend[].
776 //-----------------------------------------------------------------------------
777 static void TransmitFor14443b(void)
778 {
779 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_SHALLOW_MOD);
780 LED_B_ON();
781 for(int c = 0; c < ToSendMax; c++) {
782 uint8_t data = ToSend[c];
783 for (int i = 0; i < 8; i++) {
784 uint16_t send_word = (data & 0x80) ? 0x0000 : 0xffff;
785 while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) ;
786 AT91C_BASE_SSC->SSC_THR = send_word;
787 while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) ;
788 AT91C_BASE_SSC->SSC_THR = send_word;
789 data <<= 1;
790 }
791 WDT_HIT();
792 }
793 LED_B_OFF();
794 }
795
796
797 //-----------------------------------------------------------------------------
798 // Code a layer 2 command (string of octets, including CRC) into ToSend[],
799 // so that it is ready to transmit to the tag using TransmitFor14443b().
800 //-----------------------------------------------------------------------------
801 static void CodeIso14443bAsReader(const uint8_t *cmd, int len)
802 {
803 int i, j;
804 uint8_t b;
805
806 ToSendReset();
807
808 // Send SOF
809 for(i = 0; i < 10; i++) {
810 ToSendStuffBit(0);
811 }
812 ToSendStuffBit(1);
813 ToSendStuffBit(1);
814
815 for(i = 0; i < len; i++) {
816 // Start bit
817 ToSendStuffBit(0);
818 // Data bits
819 b = cmd[i];
820 for(j = 0; j < 8; j++) {
821 if(b & 1) {
822 ToSendStuffBit(1);
823 } else {
824 ToSendStuffBit(0);
825 }
826 b >>= 1;
827 }
828 // Stop bit
829 ToSendStuffBit(1);
830 }
831
832 // Send EOF
833 for(i = 0; i < 10; i++) {
834 ToSendStuffBit(0);
835 }
836 ToSendStuffBit(1);
837
838 // ensure that last byte is filled up
839 for(i = 0; i < 8; i++) {
840 ToSendStuffBit(1);
841 }
842
843 // Convert from last character reference to length
844 ToSendMax++;
845 }
846
847
848 /**
849 Convenience function to encode, transmit and trace iso 14443b comms
850 **/
851 static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len)
852 {
853 CodeIso14443bAsReader(cmd, len);
854 TransmitFor14443b();
855 LogTrace(cmd,len, 0, 0, NULL, true);
856 }
857
858 /* Sends an APDU to the tag
859 * TODO: check CRC and preamble
860 */
861 int iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *response)
862 {
863 LED_A_ON();
864 uint8_t message_frame[message_length + 4];
865 // PCB
866 message_frame[0] = 0x0A | pcb_blocknum;
867 pcb_blocknum ^= 1;
868 // CID
869 message_frame[1] = 0;
870 // INF
871 memcpy(message_frame + 2, message, message_length);
872 // EDC (CRC)
873 ComputeCrc14443(CRC_14443_B, message_frame, message_length + 2, &message_frame[message_length + 2], &message_frame[message_length + 3]);
874 // send
875 CodeAndTransmit14443bAsReader(message_frame, message_length + 4);
876 // get response
877 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
878 FpgaDisableTracing();
879 if(Demod.len < 3)
880 {
881 LED_A_OFF();
882 return 0;
883 }
884 // TODO: Check CRC
885 // copy response contents
886 if(response != NULL)
887 {
888 memcpy(response, Demod.output, Demod.len);
889 }
890 LED_A_OFF();
891 return Demod.len;
892 }
893
894 /* Perform the ISO 14443 B Card Selection procedure
895 * Currently does NOT do any collision handling.
896 * It expects 0-1 cards in the device's range.
897 * TODO: Support multiple cards (perform anticollision)
898 * TODO: Verify CRC checksums
899 */
900 int iso14443b_select_card()
901 {
902 // WUPB command (including CRC)
903 // Note: WUPB wakes up all tags, REQB doesn't wake up tags in HALT state
904 static const uint8_t wupb[] = { 0x05, 0x00, 0x08, 0x39, 0x73 };
905 // ATTRIB command (with space for CRC)
906 uint8_t attrib[] = { 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00};
907
908 // first, wake up the tag
909 CodeAndTransmit14443bAsReader(wupb, sizeof(wupb));
910 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
911 // ATQB too short?
912 if (Demod.len < 14)
913 {
914 return 2;
915 }
916
917 // select the tag
918 // copy the PUPI to ATTRIB
919 memcpy(attrib + 1, Demod.output + 1, 4);
920 /* copy the protocol info from ATQB (Protocol Info -> Protocol_Type) into
921 ATTRIB (Param 3) */
922 attrib[7] = Demod.output[10] & 0x0F;
923 ComputeCrc14443(CRC_14443_B, attrib, 9, attrib + 9, attrib + 10);
924 CodeAndTransmit14443bAsReader(attrib, sizeof(attrib));
925 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
926 // Answer to ATTRIB too short?
927 if(Demod.len < 3)
928 {
929 return 2;
930 }
931 // reset PCB block number
932 pcb_blocknum = 0;
933 return 1;
934 }
935
936 // Set up ISO 14443 Type B communication (similar to iso14443a_setup)
937 void iso14443b_setup() {
938 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
939 // Set up the synchronous serial port
940 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
941 // connect Demodulated Signal to ADC:
942 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
943
944 // Signal field is on with the appropriate LED
945 LED_D_ON();
946 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_SHALLOW_MOD);
947
948 DemodReset();
949 UartReset();
950 }
951
952 //-----------------------------------------------------------------------------
953 // Read a SRI512 ISO 14443B tag.
954 //
955 // SRI512 tags are just simple memory tags, here we're looking at making a dump
956 // of the contents of the memory. No anticollision algorithm is done, we assume
957 // we have a single tag in the field.
958 //
959 // I tried to be systematic and check every answer of the tag, every CRC, etc...
960 //-----------------------------------------------------------------------------
961 void ReadSTMemoryIso14443b(uint32_t dwLast)
962 {
963 LED_A_ON();
964 uint8_t i = 0x00;
965
966 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
967 // Make sure that we start from off, since the tags are stateful;
968 // confusing things will happen if we don't reset them between reads.
969 LED_D_OFF();
970 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
971 SpinDelay(200);
972
973 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
974 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
975
976 // Now give it time to spin up.
977 // Signal field is on with the appropriate LED
978 LED_D_ON();
979 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_SHALLOW_MOD);
980 SpinDelay(200);
981
982 clear_trace();
983 set_tracing(true);
984
985 // First command: wake up the tag using the INITIATE command
986 uint8_t cmd1[] = {0x06, 0x00, 0x97, 0x5b};
987 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
988 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
989
990 if (Demod.len == 0) {
991 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
992 DbpString("No response from tag");
993 LEDsoff();
994 return;
995 } else {
996 Dbprintf("Randomly generated Chip ID (+ 2 byte CRC): %02x %02x %02x",
997 Demod.output[0], Demod.output[1], Demod.output[2]);
998 }
999
1000 // There is a response, SELECT the uid
1001 DbpString("Now SELECT tag:");
1002 cmd1[0] = 0x0E; // 0x0E is SELECT
1003 cmd1[1] = Demod.output[0];
1004 ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
1005 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
1006 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
1007 if (Demod.len != 3) {
1008 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1009 Dbprintf("Expected 3 bytes from tag, got %d", Demod.len);
1010 LEDsoff();
1011 return;
1012 }
1013 // Check the CRC of the answer:
1014 ComputeCrc14443(CRC_14443_B, Demod.output, 1 , &cmd1[2], &cmd1[3]);
1015 if(cmd1[2] != Demod.output[1] || cmd1[3] != Demod.output[2]) {
1016 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1017 DbpString("CRC Error reading select response.");
1018 LEDsoff();
1019 return;
1020 }
1021 // Check response from the tag: should be the same UID as the command we just sent:
1022 if (cmd1[1] != Demod.output[0]) {
1023 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1024 Dbprintf("Bad response to SELECT from Tag, aborting: %02x %02x", cmd1[1], Demod.output[0]);
1025 LEDsoff();
1026 return;
1027 }
1028
1029 // Tag is now selected,
1030 // First get the tag's UID:
1031 cmd1[0] = 0x0B;
1032 ComputeCrc14443(CRC_14443_B, cmd1, 1 , &cmd1[1], &cmd1[2]);
1033 CodeAndTransmit14443bAsReader(cmd1, 3); // Only first three bytes for this one
1034 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
1035 if (Demod.len != 10) {
1036 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1037 Dbprintf("Expected 10 bytes from tag, got %d", Demod.len);
1038 LEDsoff();
1039 return;
1040 }
1041 // The check the CRC of the answer (use cmd1 as temporary variable):
1042 ComputeCrc14443(CRC_14443_B, Demod.output, 8, &cmd1[2], &cmd1[3]);
1043 if(cmd1[2] != Demod.output[8] || cmd1[3] != Demod.output[9]) {
1044 Dbprintf("CRC Error reading block! Expected: %04x got: %04x",
1045 (cmd1[2]<<8)+cmd1[3], (Demod.output[8]<<8)+Demod.output[9]);
1046 // Do not return;, let's go on... (we should retry, maybe ?)
1047 }
1048 Dbprintf("Tag UID (64 bits): %08x %08x",
1049 (Demod.output[7]<<24) + (Demod.output[6]<<16) + (Demod.output[5]<<8) + Demod.output[4],
1050 (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0]);
1051
1052 // Now loop to read all 16 blocks, address from 0 to last block
1053 Dbprintf("Tag memory dump, block 0 to %d", dwLast);
1054 cmd1[0] = 0x08;
1055 i = 0x00;
1056 dwLast++;
1057 for (;;) {
1058 if (i == dwLast) {
1059 DbpString("System area block (0xff):");
1060 i = 0xff;
1061 }
1062 cmd1[1] = i;
1063 ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
1064 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
1065 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
1066 if (Demod.len != 6) { // Check if we got an answer from the tag
1067 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1068 DbpString("Expected 6 bytes from tag, got less...");
1069 LEDsoff();
1070 return;
1071 }
1072 // The check the CRC of the answer (use cmd1 as temporary variable):
1073 ComputeCrc14443(CRC_14443_B, Demod.output, 4, &cmd1[2], &cmd1[3]);
1074 if(cmd1[2] != Demod.output[4] || cmd1[3] != Demod.output[5]) {
1075 Dbprintf("CRC Error reading block! Expected: %04x got: %04x",
1076 (cmd1[2]<<8)+cmd1[3], (Demod.output[4]<<8)+Demod.output[5]);
1077 // Do not return;, let's go on... (we should retry, maybe ?)
1078 }
1079 // Now print out the memory location:
1080 Dbprintf("Address=%02x, Contents=%08x, CRC=%04x", i,
1081 (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0],
1082 (Demod.output[4]<<8)+Demod.output[5]);
1083 if (i == 0xff) {
1084 break;
1085 }
1086 i++;
1087 }
1088
1089 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1090 LEDsoff();
1091 }
1092
1093
1094 //=============================================================================
1095 // Finally, the `sniffer' combines elements from both the reader and
1096 // simulated tag, to show both sides of the conversation.
1097 //=============================================================================
1098
1099 //-----------------------------------------------------------------------------
1100 // Record the sequence of commands sent by the reader to the tag, with
1101 // triggering so that we start recording at the point that the tag is moved
1102 // near the reader.
1103 //-----------------------------------------------------------------------------
1104 /*
1105 * Memory usage for this function, (within BigBuf)
1106 * Last Received command (reader->tag) - MAX_FRAME_SIZE
1107 * Last Received command (tag->reader) - MAX_FRAME_SIZE
1108 * DMA Buffer - ISO14443B_DMA_BUFFER_SIZE
1109 * Demodulated samples received - all the rest
1110 */
1111 void RAMFUNC SnoopIso14443b(void)
1112 {
1113 LED_A_ON();
1114 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1115 BigBuf_free();
1116
1117 clear_trace();
1118 set_tracing(true);
1119
1120 // The DMA buffer, used to stream samples from the FPGA
1121 uint16_t *dmaBuf = (uint16_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE * sizeof(uint16_t));
1122 int lastRxCounter;
1123 uint16_t *upTo;
1124 int8_t ci, cq;
1125 int maxBehindBy = 0;
1126
1127 // Count of samples received so far, so that we can include timing
1128 // information in the trace buffer.
1129 int samples = 0;
1130
1131 DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
1132 UartInit(BigBuf_malloc(MAX_FRAME_SIZE));
1133
1134 // Print some debug information about the buffer sizes
1135 Dbprintf("Snooping buffers initialized:");
1136 Dbprintf(" Trace: %i bytes", BigBuf_max_traceLen());
1137 Dbprintf(" Reader -> tag: %i bytes", MAX_FRAME_SIZE);
1138 Dbprintf(" tag -> Reader: %i bytes", MAX_FRAME_SIZE);
1139 Dbprintf(" DMA: %i bytes", ISO14443B_DMA_BUFFER_SIZE);
1140
1141 // Signal field is off
1142 LED_D_OFF();
1143
1144 // And put the FPGA in the appropriate mode
1145 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_848_KHZ | FPGA_HF_READER_MODE_SNOOP_IQ);
1146 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1147
1148 // Setup for the DMA.
1149 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
1150 upTo = dmaBuf;
1151 lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
1152 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE);
1153
1154 bool TagIsActive = false;
1155 bool ReaderIsActive = false;
1156 // We won't start recording the frames that we acquire until we trigger.
1157 // A good trigger condition to get started is probably when we see a
1158 // reader command
1159 bool triggered = false;
1160
1161 // And now we loop, receiving samples.
1162 for(;;) {
1163 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) & (ISO14443B_DMA_BUFFER_SIZE-1);
1164 if(behindBy > maxBehindBy) {
1165 maxBehindBy = behindBy;
1166 }
1167
1168 if(behindBy < 1) continue;
1169
1170 ci = *upTo>>8;
1171 cq = *upTo;
1172 upTo++;
1173 lastRxCounter--;
1174 if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content.
1175 upTo = dmaBuf; // start reading the circular buffer from the beginning again
1176 lastRxCounter += ISO14443B_DMA_BUFFER_SIZE;
1177 if(behindBy > (9*ISO14443B_DMA_BUFFER_SIZE/10)) {
1178 Dbprintf("About to blow circular buffer - aborted! behindBy=%d", behindBy);
1179 break;
1180 }
1181 }
1182 if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { // DMA Counter Register had reached 0, already rotated.
1183 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; // refresh the DMA Next Buffer and
1184 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE; // DMA Next Counter registers
1185 WDT_HIT();
1186 if(BUTTON_PRESS()) {
1187 DbpString("cancelled");
1188 break;
1189 }
1190 }
1191
1192 samples++;
1193
1194 if (!TagIsActive) { // no need to try decoding reader data if the tag is sending
1195 if(Handle14443bUartBit(ci & 0x01)) {
1196 triggered = true;
1197 LogTrace(Uart.output, Uart.byteCnt, samples, samples, NULL, true);
1198 /* And ready to receive another command. */
1199 UartReset();
1200 /* And also reset the demod code, which might have been */
1201 /* false-triggered by the commands from the reader. */
1202 DemodReset();
1203 }
1204 if(Handle14443bUartBit(cq & 0x01)) {
1205 triggered = true;
1206 LogTrace(Uart.output, Uart.byteCnt, samples, samples, NULL, true);
1207 /* And ready to receive another command. */
1208 UartReset();
1209 /* And also reset the demod code, which might have been */
1210 /* false-triggered by the commands from the reader. */
1211 DemodReset();
1212 }
1213 ReaderIsActive = (Uart.state > STATE_GOT_FALLING_EDGE_OF_SOF);
1214 }
1215
1216 if(!ReaderIsActive && triggered) { // no need to try decoding tag data if the reader is sending or not yet triggered
1217 if(Handle14443bSamplesDemod(ci/2, cq/2)) {
1218 //Use samples as a time measurement
1219 LogTrace(Demod.output, Demod.len, samples, samples, NULL, false);
1220 // And ready to receive another response.
1221 DemodReset();
1222 }
1223 TagIsActive = (Demod.state > DEMOD_GOT_FALLING_EDGE_OF_SOF);
1224 }
1225
1226 }
1227
1228 FpgaDisableSscDma();
1229 DbpString("Snoop statistics:");
1230 Dbprintf(" Max behind by: %i", maxBehindBy);
1231 Dbprintf(" Uart State: %x", Uart.state);
1232 Dbprintf(" Uart ByteCnt: %i", Uart.byteCnt);
1233 Dbprintf(" Uart ByteCntMax: %i", Uart.byteCntMax);
1234 Dbprintf(" Trace length: %i", BigBuf_get_traceLen());
1235 LEDsoff();
1236 }
1237
1238
1239 /*
1240 * Send raw command to tag ISO14443B
1241 * @Input
1242 * datalen len of buffer data
1243 * recv bool when true wait for data from tag and send to client
1244 * powerfield bool leave the field on when true
1245 * data buffer with byte to send
1246 *
1247 * @Output
1248 * none
1249 *
1250 */
1251 void SendRawCommand14443B(uint32_t datalen, uint32_t recv, uint8_t powerfield, uint8_t data[])
1252 {
1253 LED_A_ON();
1254 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1255 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1256
1257 // switch field on and give tag some time to power up
1258 LED_D_ON();
1259 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_SHALLOW_MOD);
1260 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
1261 SpinDelay(10);
1262
1263 if (datalen){
1264 set_tracing(true);
1265
1266 CodeAndTransmit14443bAsReader(data, datalen);
1267
1268 if(recv) {
1269 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, true);
1270 FpgaDisableTracing();
1271 uint16_t iLen = MIN(Demod.len, USB_CMD_DATA_SIZE);
1272 cmd_send(CMD_ACK, iLen, 0, 0, Demod.output, iLen);
1273 }
1274
1275 FpgaDisableTracing();
1276 }
1277
1278 if(!powerfield) {
1279 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1280 LED_D_OFF();
1281 }
1282
1283 LED_A_OFF();
1284 }
1285
Proxmark3 GIT tracking
Impressum, Datenschutz