]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso15693.c
projects / proxmark3-svn / blob
? search:


85af0859ec8721a89d2a0d83d8784a0e12552d74
[proxmark3-svn] / armsrc / iso15693.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, split Nov 2006
3 // Modified by Greg Jones, Jan 2009
4 // Modified by Adrian Dabrowski "atrox", Mar-Sept 2010,Oct 2011
5 // Modified by piwi, Oct 2018
6 //
7 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
8 // at your option, any later version. See the LICENSE.txt file for the text of
9 // the license.
10 //-----------------------------------------------------------------------------
11 // Routines to support ISO 15693. This includes both the reader software and
12 // the `fake tag' modes.
13 //-----------------------------------------------------------------------------
14
15 // The ISO 15693 describes two transmission modes from reader to tag, and four
16 // transmission modes from tag to reader. As of Oct 2018 this code supports
17 // both reader modes and the high speed variant with one subcarrier from card to reader.
18 // As long as the card fully support ISO 15693 this is no problem, since the
19 // reader chooses both data rates, but some non-standard tags do not.
20 // For card simulation, the code supports both high and low speed modes with one subcarrier.
21 //
22 // VCD (reader) -> VICC (tag)
23 // 1 out of 256:
24 // data rate: 1,66 kbit/s (fc/8192)
25 // used for long range
26 // 1 out of 4:
27 // data rate: 26,48 kbit/s (fc/512)
28 // used for short range, high speed
29 //
30 // VICC (tag) -> VCD (reader)
31 // Modulation:
32 // ASK / one subcarrier (423,75 khz)
33 // FSK / two subcarriers (423,75 khz && 484,28 khz)
34 // Data Rates / Modes:
35 // low ASK: 6,62 kbit/s
36 // low FSK: 6.67 kbit/s
37 // high ASK: 26,48 kbit/s
38 // high FSK: 26,69 kbit/s
39 //-----------------------------------------------------------------------------
40
41
42 // Random Remarks:
43 // *) UID is always used "transmission order" (LSB), which is reverse to display order
44
45 // TODO / BUGS / ISSUES:
46 // *) signal decoding is unable to detect collisions.
47 // *) add anti-collision support for inventory-commands
48 // *) read security status of a block
49 // *) sniffing and simulation do not support two subcarrier modes.
50 // *) remove or refactor code under "deprecated"
51 // *) document all the functions
52
53 #include "iso15693.h"
54
55 #include "proxmark3.h"
56 #include "util.h"
57 #include "apps.h"
58 #include "string.h"
59 #include "iso15693tools.h"
60 #include "protocols.h"
61 #include "cmd.h"
62 #include "BigBuf.h"
63 #include "fpgaloader.h"
64
65 #define arraylen(x) (sizeof(x)/sizeof((x)[0]))
66
67 static int DEBUG = 0;
68
69 ///////////////////////////////////////////////////////////////////////
70 // ISO 15693 Part 2 - Air Interface
71 // This section basically contains transmission and receiving of bits
72 ///////////////////////////////////////////////////////////////////////
73
74 // buffers
75 #define ISO15693_DMA_BUFFER_SIZE 2048 // must be a power of 2
76 #define ISO15693_MAX_RESPONSE_LENGTH 36 // allows read single block with the maximum block size of 256bits. Read multiple blocks not supported yet
77 #define ISO15693_MAX_COMMAND_LENGTH 45 // allows write single block with the maximum block size of 256bits. Write multiple blocks not supported yet
78
79 // ---------------------------
80 // Signal Processing
81 // ---------------------------
82
83 // prepare data using "1 out of 4" code for later transmission
84 // resulting data rate is 26.48 kbit/s (fc/512)
85 // cmd ... data
86 // n ... length of data
87 static void CodeIso15693AsReader(uint8_t *cmd, int n)
88 {
89 int i, j;
90
91 ToSendReset();
92
93 // Give it a bit of slack at the beginning
94 for(i = 0; i < 24; i++) {
95 ToSendStuffBit(1);
96 }
97
98 // SOF for 1of4
99 ToSendStuffBit(0);
100 ToSendStuffBit(1);
101 ToSendStuffBit(1);
102 ToSendStuffBit(1);
103 ToSendStuffBit(1);
104 ToSendStuffBit(0);
105 ToSendStuffBit(1);
106 ToSendStuffBit(1);
107 for(i = 0; i < n; i++) {
108 for(j = 0; j < 8; j += 2) {
109 int these = (cmd[i] >> j) & 3;
110 switch(these) {
111 case 0:
112 ToSendStuffBit(1);
113 ToSendStuffBit(0);
114 ToSendStuffBit(1);
115 ToSendStuffBit(1);
116 ToSendStuffBit(1);
117 ToSendStuffBit(1);
118 ToSendStuffBit(1);
119 ToSendStuffBit(1);
120 break;
121 case 1:
122 ToSendStuffBit(1);
123 ToSendStuffBit(1);
124 ToSendStuffBit(1);
125 ToSendStuffBit(0);
126 ToSendStuffBit(1);
127 ToSendStuffBit(1);
128 ToSendStuffBit(1);
129 ToSendStuffBit(1);
130 break;
131 case 2:
132 ToSendStuffBit(1);
133 ToSendStuffBit(1);
134 ToSendStuffBit(1);
135 ToSendStuffBit(1);
136 ToSendStuffBit(1);
137 ToSendStuffBit(0);
138 ToSendStuffBit(1);
139 ToSendStuffBit(1);
140 break;
141 case 3:
142 ToSendStuffBit(1);
143 ToSendStuffBit(1);
144 ToSendStuffBit(1);
145 ToSendStuffBit(1);
146 ToSendStuffBit(1);
147 ToSendStuffBit(1);
148 ToSendStuffBit(1);
149 ToSendStuffBit(0);
150 break;
151 }
152 }
153 }
154 // EOF
155 ToSendStuffBit(1);
156 ToSendStuffBit(1);
157 ToSendStuffBit(0);
158 ToSendStuffBit(1);
159
160 // Fill remainder of last byte with 1
161 for(i = 0; i < 4; i++) {
162 ToSendStuffBit(1);
163 }
164
165 ToSendMax++;
166 }
167
168 // encode data using "1 out of 256" scheme
169 // data rate is 1,66 kbit/s (fc/8192)
170 // is designed for more robust communication over longer distances
171 static void CodeIso15693AsReader256(uint8_t *cmd, int n)
172 {
173 int i, j;
174
175 ToSendReset();
176
177 // Give it a bit of slack at the beginning
178 for(i = 0; i < 24; i++) {
179 ToSendStuffBit(1);
180 }
181
182 // SOF for 1of256
183 ToSendStuffBit(0);
184 ToSendStuffBit(1);
185 ToSendStuffBit(1);
186 ToSendStuffBit(1);
187 ToSendStuffBit(1);
188 ToSendStuffBit(1);
189 ToSendStuffBit(1);
190 ToSendStuffBit(0);
191
192 for(i = 0; i < n; i++) {
193 for (j = 0; j<=255; j++) {
194 if (cmd[i]==j) {
195 ToSendStuffBit(1);
196 ToSendStuffBit(0);
197 } else {
198 ToSendStuffBit(1);
199 ToSendStuffBit(1);
200 }
201 }
202 }
203 // EOF
204 ToSendStuffBit(1);
205 ToSendStuffBit(1);
206 ToSendStuffBit(0);
207 ToSendStuffBit(1);
208
209 // Fill remainder of last byte with 1
210 for(i = 0; i < 4; i++) {
211 ToSendStuffBit(1);
212 }
213
214 ToSendMax++;
215 }
216
217
218 // static uint8_t encode4Bits(const uint8_t b) {
219 // uint8_t c = b & 0xF;
220 // // OTA, the least significant bits first
221 // // The columns are
222 // // 1 - Bit value to send
223 // // 2 - Reversed (big-endian)
224 // // 3 - Manchester Encoded
225 // // 4 - Hex values
226
227 // switch(c){
228 // // 1 2 3 4
229 // case 15: return 0x55; // 1111 -> 1111 -> 01010101 -> 0x55
230 // case 14: return 0x95; // 1110 -> 0111 -> 10010101 -> 0x95
231 // case 13: return 0x65; // 1101 -> 1011 -> 01100101 -> 0x65
232 // case 12: return 0xa5; // 1100 -> 0011 -> 10100101 -> 0xa5
233 // case 11: return 0x59; // 1011 -> 1101 -> 01011001 -> 0x59
234 // case 10: return 0x99; // 1010 -> 0101 -> 10011001 -> 0x99
235 // case 9: return 0x69; // 1001 -> 1001 -> 01101001 -> 0x69
236 // case 8: return 0xa9; // 1000 -> 0001 -> 10101001 -> 0xa9
237 // case 7: return 0x56; // 0111 -> 1110 -> 01010110 -> 0x56
238 // case 6: return 0x96; // 0110 -> 0110 -> 10010110 -> 0x96
239 // case 5: return 0x66; // 0101 -> 1010 -> 01100110 -> 0x66
240 // case 4: return 0xa6; // 0100 -> 0010 -> 10100110 -> 0xa6
241 // case 3: return 0x5a; // 0011 -> 1100 -> 01011010 -> 0x5a
242 // case 2: return 0x9a; // 0010 -> 0100 -> 10011010 -> 0x9a
243 // case 1: return 0x6a; // 0001 -> 1000 -> 01101010 -> 0x6a
244 // default: return 0xaa; // 0000 -> 0000 -> 10101010 -> 0xaa
245
246 // }
247 // }
248
249 static const uint8_t encode_4bits[16] = { 0xaa, 0x6a, 0x9a, 0x5a, 0xa6, 0x66, 0x96, 0x56, 0xa9, 0x69, 0x99, 0x59, 0xa5, 0x65, 0x95, 0x55 };
250
251 void CodeIso15693AsTag(uint8_t *cmd, size_t len) {
252 /*
253 * SOF comprises 3 parts;
254 * * An unmodulated time of 56.64 us
255 * * 24 pulses of 423.75 kHz (fc/32)
256 * * A logic 1, which starts with an unmodulated time of 18.88us
257 * followed by 8 pulses of 423.75kHz (fc/32)
258 *
259 * EOF comprises 3 parts:
260 * - A logic 0 (which starts with 8 pulses of fc/32 followed by an unmodulated
261 * time of 18.88us.
262 * - 24 pulses of fc/32
263 * - An unmodulated time of 56.64 us
264 *
265 * A logic 0 starts with 8 pulses of fc/32
266 * followed by an unmodulated time of 256/fc (~18,88us).
267 *
268 * A logic 0 starts with unmodulated time of 256/fc (~18,88us) followed by
269 * 8 pulses of fc/32 (also 18.88us)
270 *
271 * A bit here becomes 8 pulses of fc/32. Therefore:
272 * The SOF can be written as 00011101 = 0x1D
273 * The EOF can be written as 10111000 = 0xb8
274 * A logic 1 is 01
275 * A logic 0 is 10
276 *
277 * */
278
279 ToSendReset();
280
281 // SOF
282 ToSend[++ToSendMax] = 0x1D; // 00011101
283
284 // data
285 for (int i = 0; i < len; i++) {
286 ToSend[++ToSendMax] = encode_4bits[cmd[i] & 0xF];
287 ToSend[++ToSendMax] = encode_4bits[cmd[i] >> 4];
288 }
289
290 // EOF
291 ToSend[++ToSendMax] = 0xB8; // 10111000
292
293 ToSendMax++;
294 }
295
296
297 // Transmit the command (to the tag) that was placed in cmd[].
298 static void TransmitTo15693Tag(const uint8_t *cmd, int len, uint32_t start_time)
299 {
300 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_FULL_MOD);
301 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
302
303 while (GetCountSspClk() < start_time) ;
304
305 LED_B_ON();
306 for(int c = 0; c < len; c++) {
307 uint8_t data = cmd[c];
308 for (int i = 0; i < 8; i++) {
309 uint16_t send_word = (data & 0x80) ? 0x0000 : 0xffff;
310 while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) ;
311 AT91C_BASE_SSC->SSC_THR = send_word;
312 while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) ;
313 AT91C_BASE_SSC->SSC_THR = send_word;
314 data <<= 1;
315 }
316 WDT_HIT();
317 }
318 LED_B_OFF();
319 }
320
321
322 //-----------------------------------------------------------------------------
323 // Transmit the tag response (to the reader) that was placed in cmd[].
324 //-----------------------------------------------------------------------------
325 void TransmitTo15693Reader(const uint8_t *cmd, size_t len, uint32_t *start_time, uint32_t slot_time, bool slow) {
326 // don't use the FPGA_HF_SIMULATOR_MODULATE_424K_8BIT minor mode. It would spoil GetCountSspClk()
327 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_424K);
328
329 uint32_t modulation_start_time = *start_time + 3 * 8; // no need to transfer the unmodulated start of SOF
330
331 while (GetCountSspClk() > (modulation_start_time & 0xfffffff8) + 3) { // we will miss the intended time
332 if (slot_time) {
333 modulation_start_time += slot_time; // use next available slot
334 } else {
335 modulation_start_time = (modulation_start_time & 0xfffffff8) + 8; // next possible time
336 }
337 }
338
339 while (GetCountSspClk() < (modulation_start_time & 0xfffffff8))
340 /* wait */ ;
341
342 uint8_t shift_delay = modulation_start_time & 0x00000007;
343
344 *start_time = modulation_start_time - 3 * 8;
345
346 LED_C_ON();
347 uint8_t bits_to_shift = 0x00;
348 uint8_t bits_to_send = 0x00;
349 for (size_t c = 0; c < len; c++) {
350 for (int i = (c==0?4:7); i >= 0; i--) {
351 uint8_t cmd_bits = ((cmd[c] >> i) & 0x01) ? 0xff : 0x00;
352 for (int j = 0; j < (slow?4:1); ) {
353 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
354 bits_to_send = bits_to_shift << (8 - shift_delay) | cmd_bits >> shift_delay;
355 AT91C_BASE_SSC->SSC_THR = bits_to_send;
356 bits_to_shift = cmd_bits;
357 j++;
358 }
359 }
360 }
361 WDT_HIT();
362 }
363 // send the remaining bits, padded with 0:
364 bits_to_send = bits_to_shift << (8 - shift_delay);
365 for ( ; ; ) {
366 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
367 AT91C_BASE_SSC->SSC_THR = bits_to_send;
368 break;
369 }
370 }
371 LED_C_OFF();
372 }
373
374
375 //=============================================================================
376 // An ISO 15693 decoder for tag responses (one subcarrier only).
377 // Uses cross correlation to identify each bit and EOF.
378 // This function is called 8 times per bit (every 2 subcarrier cycles).
379 // Subcarrier frequency fs is 424kHz, 1/fs = 2,36us,
380 // i.e. function is called every 4,72us
381 // LED handling:
382 // LED C -> ON once we have received the SOF and are expecting the rest.
383 // LED C -> OFF once we have received EOF or are unsynced
384 //
385 // Returns: true if we received a EOF
386 // false if we are still waiting for some more
387 //=============================================================================
388
389 #define NOISE_THRESHOLD 160 // don't try to correlate noise
390
391 typedef struct DecodeTag {
392 enum {
393 STATE_TAG_SOF_LOW,
394 STATE_TAG_SOF_HIGH,
395 STATE_TAG_SOF_HIGH_END,
396 STATE_TAG_RECEIVING_DATA,
397 STATE_TAG_EOF
398 } state;
399 int bitCount;
400 int posCount;
401 enum {
402 LOGIC0,
403 LOGIC1,
404 SOF_PART1,
405 SOF_PART2
406 } lastBit;
407 uint16_t shiftReg;
408 uint16_t max_len;
409 uint8_t *output;
410 int len;
411 int sum1, sum2;
412 } DecodeTag_t;
413
414
415 static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint16_t amplitude, DecodeTag_t *DecodeTag)
416 {
417 switch(DecodeTag->state) {
418 case STATE_TAG_SOF_LOW:
419 // waiting for 12 times low (11 times low is accepted as well)
420 if (amplitude < NOISE_THRESHOLD) {
421 DecodeTag->posCount++;
422 } else {
423 if (DecodeTag->posCount > 10) {
424 DecodeTag->posCount = 1;
425 DecodeTag->sum1 = 0;
426 DecodeTag->state = STATE_TAG_SOF_HIGH;
427 } else {
428 DecodeTag->posCount = 0;
429 }
430 }
431 break;
432
433 case STATE_TAG_SOF_HIGH:
434 // waiting for 10 times high. Take average over the last 8
435 if (amplitude > NOISE_THRESHOLD) {
436 DecodeTag->posCount++;
437 if (DecodeTag->posCount > 2) {
438 DecodeTag->sum1 += amplitude; // keep track of average high value
439 }
440 if (DecodeTag->posCount == 10) {
441 DecodeTag->sum1 >>= 4; // calculate half of average high value (8 samples)
442 DecodeTag->state = STATE_TAG_SOF_HIGH_END;
443 }
444 } else { // high phase was too short
445 DecodeTag->posCount = 1;
446 DecodeTag->state = STATE_TAG_SOF_LOW;
447 }
448 break;
449
450 case STATE_TAG_SOF_HIGH_END:
451 // waiting for a falling edge
452 if (amplitude < DecodeTag->sum1) { // signal drops below 50% average high: a falling edge
453 DecodeTag->lastBit = SOF_PART1; // detected 1st part of SOF (12 samples low and 12 samples high)
454 DecodeTag->shiftReg = 0;
455 DecodeTag->bitCount = 0;
456 DecodeTag->len = 0;
457 DecodeTag->sum1 = amplitude;
458 DecodeTag->sum2 = 0;
459 DecodeTag->posCount = 2;
460 DecodeTag->state = STATE_TAG_RECEIVING_DATA;
461 LED_C_ON();
462 } else {
463 DecodeTag->posCount++;
464 if (DecodeTag->posCount > 13) { // high phase too long
465 DecodeTag->posCount = 0;
466 DecodeTag->state = STATE_TAG_SOF_LOW;
467 LED_C_OFF();
468 }
469 }
470 break;
471
472 case STATE_TAG_RECEIVING_DATA:
473 if (DecodeTag->posCount == 1) {
474 DecodeTag->sum1 = 0;
475 DecodeTag->sum2 = 0;
476 }
477 if (DecodeTag->posCount <= 4) {
478 DecodeTag->sum1 += amplitude;
479 } else {
480 DecodeTag->sum2 += amplitude;
481 }
482 if (DecodeTag->posCount == 8) {
483 int32_t corr_1 = DecodeTag->sum2 - DecodeTag->sum1;
484 int32_t corr_0 = -corr_1;
485 int32_t corr_EOF = (DecodeTag->sum1 + DecodeTag->sum2) / 2;
486 if (corr_EOF > corr_0 && corr_EOF > corr_1) {
487 if (DecodeTag->lastBit == LOGIC0) { // this was already part of EOF
488 DecodeTag->state = STATE_TAG_EOF;
489 } else {
490 DecodeTag->posCount = 0;
491 DecodeTag->state = STATE_TAG_SOF_LOW;
492 LED_C_OFF();
493 }
494 } else if (corr_1 > corr_0) {
495 // logic 1
496 if (DecodeTag->lastBit == SOF_PART1) { // still part of SOF
497 DecodeTag->lastBit = SOF_PART2; // SOF completed
498 } else {
499 DecodeTag->lastBit = LOGIC1;
500 DecodeTag->shiftReg >>= 1;
501 DecodeTag->shiftReg |= 0x80;
502 DecodeTag->bitCount++;
503 if (DecodeTag->bitCount == 8) {
504 DecodeTag->output[DecodeTag->len] = DecodeTag->shiftReg;
505 DecodeTag->len++;
506 if (DecodeTag->len > DecodeTag->max_len) {
507 // buffer overflow, give up
508 DecodeTag->posCount = 0;
509 DecodeTag->state = STATE_TAG_SOF_LOW;
510 LED_C_OFF();
511 }
512 DecodeTag->bitCount = 0;
513 DecodeTag->shiftReg = 0;
514 }
515 }
516 } else {
517 // logic 0
518 if (DecodeTag->lastBit == SOF_PART1) { // incomplete SOF
519 DecodeTag->posCount = 0;
520 DecodeTag->state = STATE_TAG_SOF_LOW;
521 LED_C_OFF();
522 } else {
523 DecodeTag->lastBit = LOGIC0;
524 DecodeTag->shiftReg >>= 1;
525 DecodeTag->bitCount++;
526 if (DecodeTag->bitCount == 8) {
527 DecodeTag->output[DecodeTag->len] = DecodeTag->shiftReg;
528 DecodeTag->len++;
529 if (DecodeTag->len > DecodeTag->max_len) {
530 // buffer overflow, give up
531 DecodeTag->posCount = 0;
532 DecodeTag->state = STATE_TAG_SOF_LOW;
533 LED_C_OFF();
534 }
535 DecodeTag->bitCount = 0;
536 DecodeTag->shiftReg = 0;
537 }
538 }
539 }
540 DecodeTag->posCount = 0;
541 }
542 DecodeTag->posCount++;
543 break;
544
545 case STATE_TAG_EOF:
546 if (DecodeTag->posCount == 1) {
547 DecodeTag->sum1 = 0;
548 DecodeTag->sum2 = 0;
549 }
550 if (DecodeTag->posCount <= 4) {
551 DecodeTag->sum1 += amplitude;
552 } else {
553 DecodeTag->sum2 += amplitude;
554 }
555 if (DecodeTag->posCount == 8) {
556 int32_t corr_1 = DecodeTag->sum2 - DecodeTag->sum1;
557 int32_t corr_0 = -corr_1;
558 int32_t corr_EOF = (DecodeTag->sum1 + DecodeTag->sum2) / 2;
559 if (corr_EOF > corr_0 || corr_1 > corr_0) {
560 DecodeTag->posCount = 0;
561 DecodeTag->state = STATE_TAG_SOF_LOW;
562 LED_C_OFF();
563 } else {
564 LED_C_OFF();
565 return true;
566 }
567 }
568 DecodeTag->posCount++;
569 break;
570
571 }
572
573 return false;
574 }
575
576
577 static void DecodeTagInit(DecodeTag_t *DecodeTag, uint8_t *data, uint16_t max_len)
578 {
579 DecodeTag->posCount = 0;
580 DecodeTag->state = STATE_TAG_SOF_LOW;
581 DecodeTag->output = data;
582 DecodeTag->max_len = max_len;
583 }
584
585
586 static void DecodeTagReset(DecodeTag_t *DecodeTag)
587 {
588 DecodeTag->posCount = 0;
589 DecodeTag->state = STATE_TAG_SOF_LOW;
590 }
591
592
593 /*
594 * Receive and decode the tag response, also log to tracebuffer
595 */
596 static int GetIso15693AnswerFromTag(uint8_t* response, uint16_t max_len, int timeout)
597 {
598 int samples = 0;
599 bool gotFrame = false;
600
601 uint16_t *dmaBuf = (uint16_t*)BigBuf_malloc(ISO15693_DMA_BUFFER_SIZE*sizeof(uint16_t));
602
603 // the Decoder data structure
604 DecodeTag_t DecodeTag = { 0 };
605 DecodeTagInit(&DecodeTag, response, max_len);
606
607 // wait for last transfer to complete
608 while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY));
609
610 // And put the FPGA in the appropriate mode
611 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_424_KHZ | FPGA_HF_READER_MODE_RECEIVE_AMPLITUDE);
612
613 // Setup and start DMA.
614 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
615 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE);
616 uint16_t *upTo = dmaBuf;
617
618 for(;;) {
619 uint16_t behindBy = ((uint16_t*)AT91C_BASE_PDC_SSC->PDC_RPR - upTo) & (ISO15693_DMA_BUFFER_SIZE-1);
620
621 if (behindBy == 0) continue;
622
623 uint16_t tagdata = *upTo++;
624
625 if(upTo >= dmaBuf + ISO15693_DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content.
626 upTo = dmaBuf; // start reading the circular buffer from the beginning
627 if(behindBy > (9*ISO15693_DMA_BUFFER_SIZE/10)) {
628 Dbprintf("About to blow circular buffer - aborted! behindBy=%d", behindBy);
629 break;
630 }
631 }
632 if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { // DMA Counter Register had reached 0, already rotated.
633 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; // refresh the DMA Next Buffer and
634 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO15693_DMA_BUFFER_SIZE; // DMA Next Counter registers
635 }
636
637 samples++;
638
639 if (Handle15693SamplesFromTag(tagdata, &DecodeTag)) {
640 gotFrame = true;
641 break;
642 }
643
644 if (samples > timeout && DecodeTag.state < STATE_TAG_RECEIVING_DATA) {
645 DecodeTag.len = 0;
646 break;
647 }
648
649 }
650
651 FpgaDisableSscDma();
652 BigBuf_free();
653
654 if (DEBUG) Dbprintf("samples = %d, gotFrame = %d, Decoder: state = %d, len = %d, bitCount = %d, posCount = %d",
655 samples, gotFrame, DecodeTag.state, DecodeTag.len, DecodeTag.bitCount, DecodeTag.posCount);
656
657 if (DecodeTag.len > 0) {
658 LogTrace(DecodeTag.output, DecodeTag.len, 0, 0, NULL, false);
659 }
660
661 return DecodeTag.len;
662 }
663
664
665 //=============================================================================
666 // An ISO15693 decoder for reader commands.
667 //
668 // This function is called 4 times per bit (every 2 subcarrier cycles).
669 // Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 2,36us
670 // LED handling:
671 // LED B -> ON once we have received the SOF and are expecting the rest.
672 // LED B -> OFF once we have received EOF or are in error state or unsynced
673 //
674 // Returns: true if we received a EOF
675 // false if we are still waiting for some more
676 //=============================================================================
677
678 typedef struct DecodeReader {
679 enum {
680 STATE_READER_UNSYNCD,
681 STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF,
682 STATE_READER_AWAIT_1ST_RISING_EDGE_OF_SOF,
683 STATE_READER_AWAIT_2ND_FALLING_EDGE_OF_SOF,
684 STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF,
685 STATE_READER_AWAIT_END_OF_SOF_1_OUT_OF_4,
686 STATE_READER_RECEIVE_DATA_1_OUT_OF_4,
687 STATE_READER_RECEIVE_DATA_1_OUT_OF_256
688 } state;
689 enum {
690 CODING_1_OUT_OF_4,
691 CODING_1_OUT_OF_256
692 } Coding;
693 uint8_t shiftReg;
694 uint8_t bitCount;
695 int byteCount;
696 int byteCountMax;
697 int posCount;
698 int sum1, sum2;
699 uint8_t *output;
700 } DecodeReader_t;
701
702
703 static void DecodeReaderInit(DecodeReader_t* DecodeReader, uint8_t *data, uint16_t max_len)
704 {
705 DecodeReader->output = data;
706 DecodeReader->byteCountMax = max_len;
707 DecodeReader->state = STATE_READER_UNSYNCD;
708 DecodeReader->byteCount = 0;
709 DecodeReader->bitCount = 0;
710 DecodeReader->posCount = 1;
711 DecodeReader->shiftReg = 0;
712 }
713
714
715 static void DecodeReaderReset(DecodeReader_t* DecodeReader)
716 {
717 DecodeReader->state = STATE_READER_UNSYNCD;
718 }
719
720
721 static int inline __attribute__((always_inline)) Handle15693SampleFromReader(uint8_t bit, DecodeReader_t *restrict DecodeReader)
722 {
723 switch (DecodeReader->state) {
724 case STATE_READER_UNSYNCD:
725 // wait for unmodulated carrier
726 if (bit) {
727 DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF;
728 }
729 break;
730
731 case STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF:
732 if (!bit) {
733 // we went low, so this could be the beginning of a SOF
734 DecodeReader->posCount = 1;
735 DecodeReader->state = STATE_READER_AWAIT_1ST_RISING_EDGE_OF_SOF;
736 }
737 break;
738
739 case STATE_READER_AWAIT_1ST_RISING_EDGE_OF_SOF:
740 DecodeReader->posCount++;
741 if (bit) { // detected rising edge
742 if (DecodeReader->posCount < 4) { // rising edge too early (nominally expected at 5)
743 DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF;
744 } else { // SOF
745 DecodeReader->state = STATE_READER_AWAIT_2ND_FALLING_EDGE_OF_SOF;
746 }
747 } else {
748 if (DecodeReader->posCount > 5) { // stayed low for too long
749 DecodeReaderReset(DecodeReader);
750 } else {
751 // do nothing, keep waiting
752 }
753 }
754 break;
755
756 case STATE_READER_AWAIT_2ND_FALLING_EDGE_OF_SOF:
757 DecodeReader->posCount++;
758 if (!bit) { // detected a falling edge
759 if (DecodeReader->posCount < 20) { // falling edge too early (nominally expected at 21 earliest)
760 DecodeReaderReset(DecodeReader);
761 } else if (DecodeReader->posCount < 23) { // SOF for 1 out of 4 coding
762 DecodeReader->Coding = CODING_1_OUT_OF_4;
763 DecodeReader->state = STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF;
764 } else if (DecodeReader->posCount < 28) { // falling edge too early (nominally expected at 29 latest)
765 DecodeReaderReset(DecodeReader);
766 } else { // SOF for 1 out of 256 coding
767 DecodeReader->Coding = CODING_1_OUT_OF_256;
768 DecodeReader->state = STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF;
769 }
770 } else {
771 if (DecodeReader->posCount > 29) { // stayed high for too long
772 DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF;
773 } else {
774 // do nothing, keep waiting
775 }
776 }
777 break;
778
779 case STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF:
780 DecodeReader->posCount++;
781 if (bit) { // detected rising edge
782 if (DecodeReader->Coding == CODING_1_OUT_OF_256) {
783 if (DecodeReader->posCount < 32) { // rising edge too early (nominally expected at 33)
784 DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF;
785 } else {
786 DecodeReader->posCount = 1;
787 DecodeReader->bitCount = 0;
788 DecodeReader->byteCount = 0;
789 DecodeReader->sum1 = 1;
790 DecodeReader->state = STATE_READER_RECEIVE_DATA_1_OUT_OF_256;
791 LED_B_ON();
792 }
793 } else { // CODING_1_OUT_OF_4
794 if (DecodeReader->posCount < 24) { // rising edge too early (nominally expected at 25)
795 DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF;
796 } else {
797 DecodeReader->posCount = 1;
798 DecodeReader->state = STATE_READER_AWAIT_END_OF_SOF_1_OUT_OF_4;
799 }
800 }
801 } else {
802 if (DecodeReader->Coding == CODING_1_OUT_OF_256) {
803 if (DecodeReader->posCount > 34) { // signal stayed low for too long
804 DecodeReaderReset(DecodeReader);
805 } else {
806 // do nothing, keep waiting
807 }
808 } else { // CODING_1_OUT_OF_4
809 if (DecodeReader->posCount > 26) { // signal stayed low for too long
810 DecodeReaderReset(DecodeReader);
811 } else {
812 // do nothing, keep waiting
813 }
814 }
815 }
816 break;
817
818 case STATE_READER_AWAIT_END_OF_SOF_1_OUT_OF_4:
819 DecodeReader->posCount++;
820 if (bit) {
821 if (DecodeReader->posCount == 9) {
822 DecodeReader->posCount = 1;
823 DecodeReader->bitCount = 0;
824 DecodeReader->byteCount = 0;
825 DecodeReader->sum1 = 1;
826 DecodeReader->state = STATE_READER_RECEIVE_DATA_1_OUT_OF_4;
827 LED_B_ON();
828 } else {
829 // do nothing, keep waiting
830 }
831 } else { // unexpected falling edge
832 DecodeReaderReset(DecodeReader);
833 }
834 break;
835
836 case STATE_READER_RECEIVE_DATA_1_OUT_OF_4:
837 bit = !!bit;
838 DecodeReader->posCount++;
839 if (DecodeReader->posCount == 1) {
840 DecodeReader->sum1 = bit;
841 } else if (DecodeReader->posCount <= 4) {
842 DecodeReader->sum1 += bit;
843 } else if (DecodeReader->posCount == 5) {
844 DecodeReader->sum2 = bit;
845 } else {
846 DecodeReader->sum2 += bit;
847 }
848 if (DecodeReader->posCount == 8) {
849 DecodeReader->posCount = 0;
850 if (DecodeReader->sum1 <= 1 && DecodeReader->sum2 >= 3) { // EOF
851 LED_B_OFF(); // Finished receiving
852 DecodeReaderReset(DecodeReader);
853 if (DecodeReader->byteCount != 0) {
854 return true;
855 }
856 }
857 if (DecodeReader->sum1 >= 3 && DecodeReader->sum2 <= 1) { // detected a 2bit position
858 DecodeReader->shiftReg >>= 2;
859 DecodeReader->shiftReg |= (DecodeReader->bitCount << 6);
860 }
861 if (DecodeReader->bitCount == 15) { // we have a full byte
862 DecodeReader->output[DecodeReader->byteCount++] = DecodeReader->shiftReg;
863 if (DecodeReader->byteCount > DecodeReader->byteCountMax) {
864 // buffer overflow, give up
865 LED_B_OFF();
866 DecodeReaderReset(DecodeReader);
867 }
868 DecodeReader->bitCount = 0;
869 DecodeReader->shiftReg = 0;
870 } else {
871 DecodeReader->bitCount++;
872 }
873 }
874 break;
875
876 case STATE_READER_RECEIVE_DATA_1_OUT_OF_256:
877 bit = !!bit;
878 DecodeReader->posCount++;
879 if (DecodeReader->posCount == 1) {
880 DecodeReader->sum1 = bit;
881 } else if (DecodeReader->posCount <= 4) {
882 DecodeReader->sum1 += bit;
883 } else if (DecodeReader->posCount == 5) {
884 DecodeReader->sum2 = bit;
885 } else {
886 DecodeReader->sum2 += bit;
887 }
888 if (DecodeReader->posCount == 8) {
889 DecodeReader->posCount = 0;
890 if (DecodeReader->sum1 <= 1 && DecodeReader->sum2 >= 3) { // EOF
891 LED_B_OFF(); // Finished receiving
892 DecodeReaderReset(DecodeReader);
893 if (DecodeReader->byteCount != 0) {
894 return true;
895 }
896 }
897 if (DecodeReader->sum1 >= 3 && DecodeReader->sum2 <= 1) { // detected the bit position
898 DecodeReader->shiftReg = DecodeReader->bitCount;
899 }
900 if (DecodeReader->bitCount == 255) { // we have a full byte
901 DecodeReader->output[DecodeReader->byteCount++] = DecodeReader->shiftReg;
902 if (DecodeReader->byteCount > DecodeReader->byteCountMax) {
903 // buffer overflow, give up
904 LED_B_OFF();
905 DecodeReaderReset(DecodeReader);
906 }
907 }
908 DecodeReader->bitCount++;
909 }
910 break;
911
912 default:
913 LED_B_OFF();
914 DecodeReaderReset(DecodeReader);
915 break;
916 }
917
918 return false;
919 }
920
921
922 //-----------------------------------------------------------------------------
923 // Receive a command (from the reader to us, where we are the simulated tag),
924 // and store it in the given buffer, up to the given maximum length. Keeps
925 // spinning, waiting for a well-framed command, until either we get one
926 // (returns len) or someone presses the pushbutton on the board (returns -1).
927 //
928 // Assume that we're called with the SSC (to the FPGA) and ADC path set
929 // correctly.
930 //-----------------------------------------------------------------------------
931
932 int GetIso15693CommandFromReader(uint8_t *received, size_t max_len, uint32_t *eof_time) {
933 int samples = 0;
934 bool gotFrame = false;
935 uint8_t b;
936
937 uint8_t dmaBuf[ISO15693_DMA_BUFFER_SIZE];
938
939 // the decoder data structure
940 DecodeReader_t DecodeReader = {0};
941 DecodeReaderInit(&DecodeReader, received, max_len);
942
943 // wait for last transfer to complete
944 while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY));
945
946 LED_D_OFF();
947 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
948
949 // clear receive register and wait for next transfer
950 uint32_t temp = AT91C_BASE_SSC->SSC_RHR;
951 (void) temp;
952 while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)) ;
953
954 uint32_t dma_start_time = GetCountSspClk() & 0xfffffff8;
955
956 // Setup and start DMA.
957 FpgaSetupSscDma(dmaBuf, ISO15693_DMA_BUFFER_SIZE);
958 uint8_t *upTo = dmaBuf;
959
960 for (;;) {
961 uint16_t behindBy = ((uint8_t*)AT91C_BASE_PDC_SSC->PDC_RPR - upTo) & (ISO15693_DMA_BUFFER_SIZE-1);
962
963 if (behindBy == 0) continue;
964
965 b = *upTo++;
966 if (upTo >= dmaBuf + ISO15693_DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content.
967 upTo = dmaBuf; // start reading the circular buffer from the beginning
968 if (behindBy > (9*ISO15693_DMA_BUFFER_SIZE/10)) {
969 Dbprintf("About to blow circular buffer - aborted! behindBy=%d", behindBy);
970 break;
971 }
972 }
973 if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { // DMA Counter Register had reached 0, already rotated.
974 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; // refresh the DMA Next Buffer and
975 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO15693_DMA_BUFFER_SIZE; // DMA Next Counter registers
976 }
977
978 for (int i = 7; i >= 0; i--) {
979 if (Handle15693SampleFromReader((b >> i) & 0x01, &DecodeReader)) {
980 *eof_time = dma_start_time + samples - DELAY_READER_TO_ARM_SIM; // end of EOF
981 gotFrame = true;
982 break;
983 }
984 samples++;
985 }
986
987 if (gotFrame) {
988 break;
989 }
990
991 if (BUTTON_PRESS()) {
992 DecodeReader.byteCount = -1;
993 break;
994 }
995
996 WDT_HIT();
997 }
998
999 FpgaDisableSscDma();
1000
1001 if (DEBUG) Dbprintf("samples = %d, gotFrame = %d, Decoder: state = %d, len = %d, bitCount = %d, posCount = %d",
1002 samples, gotFrame, DecodeReader.state, DecodeReader.byteCount, DecodeReader.bitCount, DecodeReader.posCount);
1003
1004 if (DecodeReader.byteCount > 0) {
1005 uint32_t sof_time = *eof_time
1006 - DecodeReader.byteCount * (DecodeReader.Coding==CODING_1_OUT_OF_4?128:2048) // time for byte transfers
1007 - 32 // time for SOF transfer
1008 - 16; // time for EOF transfer
1009 LogTrace(DecodeReader.output, DecodeReader.byteCount, sof_time, *eof_time, NULL, true);
1010 }
1011
1012 return DecodeReader.byteCount;
1013 }
1014
1015
1016 // Encode (into the ToSend buffers) an identify request, which is the first
1017 // thing that you must send to a tag to get a response.
1018 static void BuildIdentifyRequest(void)
1019 {
1020 uint8_t cmd[5];
1021
1022 uint16_t crc;
1023 // one sub-carrier, inventory, 1 slot, fast rate
1024 // AFI is at bit 5 (1<<4) when doing an INVENTORY
1025 cmd[0] = (1 << 2) | (1 << 5) | (1 << 1);
1026 // inventory command code
1027 cmd[1] = 0x01;
1028 // no mask
1029 cmd[2] = 0x00;
1030 //Now the CRC
1031 crc = Iso15693Crc(cmd, 3);
1032 cmd[3] = crc & 0xff;
1033 cmd[4] = crc >> 8;
1034
1035 CodeIso15693AsReader(cmd, sizeof(cmd));
1036 }
1037
1038
1039 //-----------------------------------------------------------------------------
1040 // Start to read an ISO 15693 tag. We send an identify request, then wait
1041 // for the response. The response is not demodulated, just left in the buffer
1042 // so that it can be downloaded to a PC and processed there.
1043 //-----------------------------------------------------------------------------
1044 void AcquireRawAdcSamplesIso15693(void)
1045 {
1046 LEDsoff();
1047 LED_A_ON();
1048
1049 uint8_t *dest = BigBuf_get_addr();
1050
1051 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1052 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
1053 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
1054 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1055
1056 BuildIdentifyRequest();
1057
1058 // Give the tags time to energize
1059 LED_D_ON();
1060 SpinDelay(100);
1061
1062 // Now send the command
1063 TransmitTo15693Tag(ToSend, ToSendMax, 0);
1064
1065 // wait for last transfer to complete
1066 while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY)) ;
1067
1068 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_424_KHZ | FPGA_HF_READER_MODE_RECEIVE_AMPLITUDE);
1069
1070 for(int c = 0; c < 4000; ) {
1071 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1072 uint16_t r = AT91C_BASE_SSC->SSC_RHR;
1073 dest[c++] = r >> 5;
1074 }
1075 }
1076
1077 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1078 LEDsoff();
1079 }
1080
1081
1082 void SnoopIso15693(void)
1083 {
1084 LED_A_ON();
1085 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1086 BigBuf_free();
1087
1088 clear_trace();
1089 set_tracing(true);
1090
1091 // The DMA buffer, used to stream samples from the FPGA
1092 uint16_t* dmaBuf = (uint16_t*)BigBuf_malloc(ISO15693_DMA_BUFFER_SIZE*sizeof(uint16_t));
1093 uint16_t *upTo;
1094
1095 // Count of samples received so far, so that we can include timing
1096 // information in the trace buffer.
1097 int samples = 0;
1098
1099 DecodeTag_t DecodeTag = {0};
1100 uint8_t response[ISO15693_MAX_RESPONSE_LENGTH];
1101 DecodeTagInit(&DecodeTag, response, sizeof(response));
1102
1103 DecodeReader_t DecodeReader = {0};;
1104 uint8_t cmd[ISO15693_MAX_COMMAND_LENGTH];
1105 DecodeReaderInit(&DecodeReader, cmd, sizeof(cmd));
1106
1107 // Print some debug information about the buffer sizes
1108 if (DEBUG) {
1109 Dbprintf("Snooping buffers initialized:");
1110 Dbprintf(" Trace: %i bytes", BigBuf_max_traceLen());
1111 Dbprintf(" Reader -> tag: %i bytes", ISO15693_MAX_COMMAND_LENGTH);
1112 Dbprintf(" tag -> Reader: %i bytes", ISO15693_MAX_RESPONSE_LENGTH);
1113 Dbprintf(" DMA: %i bytes", ISO15693_DMA_BUFFER_SIZE * sizeof(uint16_t));
1114 }
1115 Dbprintf("Snoop started. Press PM3 Button to stop.");
1116
1117 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SNOOP_AMPLITUDE);
1118 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1119
1120 // Setup for the DMA.
1121 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
1122 upTo = dmaBuf;
1123 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE);
1124
1125 bool TagIsActive = false;
1126 bool ReaderIsActive = false;
1127 bool ExpectTagAnswer = false;
1128
1129 // And now we loop, receiving samples.
1130 for(;;) {
1131 uint16_t behindBy = ((uint16_t*)AT91C_BASE_PDC_SSC->PDC_RPR - upTo) & (ISO15693_DMA_BUFFER_SIZE-1);
1132
1133 if (behindBy == 0) continue;
1134
1135 uint16_t snoopdata = *upTo++;
1136
1137 if(upTo >= dmaBuf + ISO15693_DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content.
1138 upTo = dmaBuf; // start reading the circular buffer from the beginning
1139 if(behindBy > (9*ISO15693_DMA_BUFFER_SIZE/10)) {
1140 Dbprintf("About to blow circular buffer - aborted! behindBy=%d, samples=%d", behindBy, samples);
1141 break;
1142 }
1143 if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { // DMA Counter Register had reached 0, already rotated.
1144 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; // refresh the DMA Next Buffer and
1145 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO15693_DMA_BUFFER_SIZE; // DMA Next Counter registers
1146 WDT_HIT();
1147 if(BUTTON_PRESS()) {
1148 DbpString("Snoop stopped.");
1149 break;
1150 }
1151 }
1152 }
1153 samples++;
1154
1155 if (!TagIsActive) { // no need to try decoding reader data if the tag is sending
1156 if (Handle15693SampleFromReader(snoopdata & 0x02, &DecodeReader)) {
1157 FpgaDisableSscDma();
1158 ExpectTagAnswer = true;
1159 LogTrace(DecodeReader.output, DecodeReader.byteCount, samples, samples, NULL, true);
1160 /* And ready to receive another command. */
1161 DecodeReaderReset(&DecodeReader);
1162 /* And also reset the demod code, which might have been */
1163 /* false-triggered by the commands from the reader. */
1164 DecodeTagReset(&DecodeTag);
1165 upTo = dmaBuf;
1166 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE);
1167 }
1168 if (Handle15693SampleFromReader(snoopdata & 0x01, &DecodeReader)) {
1169 FpgaDisableSscDma();
1170 ExpectTagAnswer = true;
1171 LogTrace(DecodeReader.output, DecodeReader.byteCount, samples, samples, NULL, true);
1172 /* And ready to receive another command. */
1173 DecodeReaderReset(&DecodeReader);
1174 /* And also reset the demod code, which might have been */
1175 /* false-triggered by the commands from the reader. */
1176 DecodeTagReset(&DecodeTag);
1177 upTo = dmaBuf;
1178 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE);
1179 }
1180 ReaderIsActive = (DecodeReader.state >= STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF);
1181 }
1182
1183 if (!ReaderIsActive && ExpectTagAnswer) { // no need to try decoding tag data if the reader is currently sending or no answer expected yet
1184 if (Handle15693SamplesFromTag(snoopdata >> 2, &DecodeTag)) {
1185 FpgaDisableSscDma();
1186 //Use samples as a time measurement
1187 LogTrace(DecodeTag.output, DecodeTag.len, samples, samples, NULL, false);
1188 // And ready to receive another response.
1189 DecodeTagReset(&DecodeTag);
1190 DecodeReaderReset(&DecodeReader);
1191 ExpectTagAnswer = false;
1192 upTo = dmaBuf;
1193 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE);
1194 }
1195 TagIsActive = (DecodeTag.state >= STATE_TAG_RECEIVING_DATA);
1196 }
1197
1198 }
1199
1200 FpgaDisableSscDma();
1201 BigBuf_free();
1202
1203 LEDsoff();
1204
1205 DbpString("Snoop statistics:");
1206 Dbprintf(" ExpectTagAnswer: %d", ExpectTagAnswer);
1207 Dbprintf(" DecodeTag State: %d", DecodeTag.state);
1208 Dbprintf(" DecodeTag byteCnt: %d", DecodeTag.len);
1209 Dbprintf(" DecodeReader State: %d", DecodeReader.state);
1210 Dbprintf(" DecodeReader byteCnt: %d", DecodeReader.byteCount);
1211 Dbprintf(" Trace length: %d", BigBuf_get_traceLen());
1212 }
1213
1214
1215 // Initialize the proxmark as iso15k reader
1216 static void Iso15693InitReader() {
1217 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1218 // Setup SSC
1219 // FpgaSetupSsc();
1220
1221 // Start from off (no field generated)
1222 LED_D_OFF();
1223 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1224 SpinDelay(10);
1225
1226 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1227 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
1228
1229 // Give the tags time to energize
1230 LED_D_ON();
1231 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
1232 SpinDelay(250);
1233 }
1234
1235 ///////////////////////////////////////////////////////////////////////
1236 // ISO 15693 Part 3 - Air Interface
1237 // This section basically contains transmission and receiving of bits
1238 ///////////////////////////////////////////////////////////////////////
1239
1240
1241 // uid is in transmission order (which is reverse of display order)
1242 static void BuildReadBlockRequest(uint8_t *uid, uint8_t blockNumber )
1243 {
1244 uint8_t cmd[13];
1245
1246 uint16_t crc;
1247 // If we set the Option_Flag in this request, the VICC will respond with the security status of the block
1248 // followed by the block data
1249 cmd[0] = ISO15693_REQ_OPTION | ISO15693_REQ_ADDRESS | ISO15693_REQ_DATARATE_HIGH;
1250 // READ BLOCK command code
1251 cmd[1] = ISO15693_READBLOCK;
1252 // UID may be optionally specified here
1253 // 64-bit UID
1254 cmd[2] = uid[0];
1255 cmd[3] = uid[1];
1256 cmd[4] = uid[2];
1257 cmd[5] = uid[3];
1258 cmd[6] = uid[4];
1259 cmd[7] = uid[5];
1260 cmd[8] = uid[6];
1261 cmd[9] = uid[7]; // 0xe0; // always e0 (not exactly unique)
1262 // Block number to read
1263 cmd[10] = blockNumber;
1264 //Now the CRC
1265 crc = Iso15693Crc(cmd, 11); // the crc needs to be calculated over 11 bytes
1266 cmd[11] = crc & 0xff;
1267 cmd[12] = crc >> 8;
1268
1269 CodeIso15693AsReader(cmd, sizeof(cmd));
1270 }
1271
1272
1273 // Now the VICC>VCD responses when we are simulating a tag
1274 static void BuildInventoryResponse(uint8_t *uid)
1275 {
1276 uint8_t cmd[12];
1277
1278 uint16_t crc;
1279
1280 cmd[0] = 0; // No error, no protocol format extension
1281 cmd[1] = 0; // DSFID (data storage format identifier). 0x00 = not supported
1282 // 64-bit UID
1283 cmd[2] = uid[7]; //0x32;
1284 cmd[3] = uid[6]; //0x4b;
1285 cmd[4] = uid[5]; //0x03;
1286 cmd[5] = uid[4]; //0x01;
1287 cmd[6] = uid[3]; //0x00;
1288 cmd[7] = uid[2]; //0x10;
1289 cmd[8] = uid[1]; //0x05;
1290 cmd[9] = uid[0]; //0xe0;
1291 //Now the CRC
1292 crc = Iso15693Crc(cmd, 10);
1293 cmd[10] = crc & 0xff;
1294 cmd[11] = crc >> 8;
1295
1296 CodeIso15693AsTag(cmd, sizeof(cmd));
1297 }
1298
1299 // Universal Method for sending to and recv bytes from a tag
1300 // init ... should we initialize the reader?
1301 // speed ... 0 low speed, 1 hi speed
1302 // *recv will contain the tag's answer
1303 // return: lenght of received data
1304 int SendDataTag(uint8_t *send, int sendlen, bool init, int speed, uint8_t *recv, uint16_t max_recv_len, uint32_t start_time) {
1305
1306 LED_A_ON();
1307 LED_B_OFF();
1308 LED_C_OFF();
1309
1310 if (init) Iso15693InitReader();
1311
1312 int answerLen=0;
1313
1314 if (!speed) {
1315 // low speed (1 out of 256)
1316 CodeIso15693AsReader256(send, sendlen);
1317 } else {
1318 // high speed (1 out of 4)
1319 CodeIso15693AsReader(send, sendlen);
1320 }
1321
1322 TransmitTo15693Tag(ToSend, ToSendMax, start_time);
1323
1324 // Now wait for a response
1325 if (recv != NULL) {
1326 answerLen = GetIso15693AnswerFromTag(recv, max_recv_len, DELAY_ISO15693_VCD_TO_VICC_READER * 2);
1327 }
1328
1329 LED_A_OFF();
1330
1331 return answerLen;
1332 }
1333
1334
1335 // --------------------------------------------------------------------
1336 // Debug Functions
1337 // --------------------------------------------------------------------
1338
1339 // Decodes a message from a tag and displays its metadata and content
1340 #define DBD15STATLEN 48
1341 void DbdecodeIso15693Answer(int len, uint8_t *d) {
1342 char status[DBD15STATLEN+1]={0};
1343 uint16_t crc;
1344
1345 if (len > 3) {
1346 if (d[0] & ISO15693_RES_EXT)
1347 strncat(status,"ProtExt ", DBD15STATLEN);
1348 if (d[0] & ISO15693_RES_ERROR) {
1349 // error
1350 strncat(status,"Error ", DBD15STATLEN);
1351 switch (d[1]) {
1352 case 0x01:
1353 strncat(status,"01:notSupp", DBD15STATLEN);
1354 break;
1355 case 0x02:
1356 strncat(status,"02:notRecog", DBD15STATLEN);
1357 break;
1358 case 0x03:
1359 strncat(status,"03:optNotSupp", DBD15STATLEN);
1360 break;
1361 case 0x0f:
1362 strncat(status,"0f:noInfo", DBD15STATLEN);
1363 break;
1364 case 0x10:
1365 strncat(status,"10:doesn'tExist", DBD15STATLEN);
1366 break;
1367 case 0x11:
1368 strncat(status,"11:lockAgain", DBD15STATLEN);
1369 break;
1370 case 0x12:
1371 strncat(status,"12:locked", DBD15STATLEN);
1372 break;
1373 case 0x13:
1374 strncat(status,"13:progErr", DBD15STATLEN);
1375 break;
1376 case 0x14:
1377 strncat(status,"14:lockErr", DBD15STATLEN);
1378 break;
1379 default:
1380 strncat(status,"unknownErr", DBD15STATLEN);
1381 }
1382 strncat(status," ", DBD15STATLEN);
1383 } else {
1384 strncat(status,"NoErr ", DBD15STATLEN);
1385 }
1386
1387 crc=Iso15693Crc(d,len-2);
1388 if ( (( crc & 0xff ) == d[len-2]) && (( crc >> 8 ) == d[len-1]) )
1389 strncat(status,"CrcOK",DBD15STATLEN);
1390 else
1391 strncat(status,"CrcFail!",DBD15STATLEN);
1392
1393 Dbprintf("%s",status);
1394 }
1395 }
1396
1397
1398
1399 ///////////////////////////////////////////////////////////////////////
1400 // Functions called via USB/Client
1401 ///////////////////////////////////////////////////////////////////////
1402
1403 void SetDebugIso15693(uint32_t debug) {
1404 DEBUG=debug;
1405 Dbprintf("Iso15693 Debug is now %s",DEBUG?"on":"off");
1406 return;
1407 }
1408
1409
1410 //---------------------------------------------------------------------------------------
1411 // Simulate an ISO15693 reader, perform anti-collision and then attempt to read a sector.
1412 // all demodulation performed in arm rather than host. - greg
1413 //---------------------------------------------------------------------------------------
1414 void ReaderIso15693(uint32_t parameter)
1415 {
1416 LEDsoff();
1417 LED_A_ON();
1418
1419 set_tracing(true);
1420
1421 int answerLen = 0;
1422 uint8_t TagUID[8] = {0x00};
1423
1424 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1425
1426 uint8_t answer[ISO15693_MAX_RESPONSE_LENGTH];
1427
1428 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1429 // Setup SSC
1430 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
1431
1432 // Start from off (no field generated)
1433 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1434 SpinDelay(200);
1435
1436 // Give the tags time to energize
1437 LED_D_ON();
1438 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
1439 SpinDelay(200);
1440 StartCountSspClk();
1441
1442
1443 // FIRST WE RUN AN INVENTORY TO GET THE TAG UID
1444 // THIS MEANS WE CAN PRE-BUILD REQUESTS TO SAVE CPU TIME
1445
1446 // Now send the IDENTIFY command
1447 BuildIdentifyRequest();
1448 TransmitTo15693Tag(ToSend, ToSendMax, 0);
1449
1450 // Now wait for a response
1451 answerLen = GetIso15693AnswerFromTag(answer, sizeof(answer), DELAY_ISO15693_VCD_TO_VICC_READER * 2) ;
1452 uint32_t start_time = GetCountSspClk() + DELAY_ISO15693_VICC_TO_VCD_READER;
1453
1454 if (answerLen >=12) // we should do a better check than this
1455 {
1456 TagUID[0] = answer[2];
1457 TagUID[1] = answer[3];
1458 TagUID[2] = answer[4];
1459 TagUID[3] = answer[5];
1460 TagUID[4] = answer[6];
1461 TagUID[5] = answer[7];
1462 TagUID[6] = answer[8]; // IC Manufacturer code
1463 TagUID[7] = answer[9]; // always E0
1464
1465 }
1466
1467 Dbprintf("%d octets read from IDENTIFY request:", answerLen);
1468 DbdecodeIso15693Answer(answerLen, answer);
1469 Dbhexdump(answerLen, answer, false);
1470
1471 // UID is reverse
1472 if (answerLen >= 12)
1473 Dbprintf("UID = %02hX%02hX%02hX%02hX%02hX%02hX%02hX%02hX",
1474 TagUID[7],TagUID[6],TagUID[5],TagUID[4],
1475 TagUID[3],TagUID[2],TagUID[1],TagUID[0]);
1476
1477
1478 // Dbprintf("%d octets read from SELECT request:", answerLen2);
1479 // DbdecodeIso15693Answer(answerLen2,answer2);
1480 // Dbhexdump(answerLen2,answer2,true);
1481
1482 // Dbprintf("%d octets read from XXX request:", answerLen3);
1483 // DbdecodeIso15693Answer(answerLen3,answer3);
1484 // Dbhexdump(answerLen3,answer3,true);
1485
1486 // read all pages
1487 if (answerLen >= 12 && DEBUG) {
1488 for (int i = 0; i < 32; i++) { // sanity check, assume max 32 pages
1489 BuildReadBlockRequest(TagUID, i);
1490 TransmitTo15693Tag(ToSend, ToSendMax, start_time);
1491 int answerLen = GetIso15693AnswerFromTag(answer, sizeof(answer), DELAY_ISO15693_VCD_TO_VICC_READER * 2);
1492 start_time = GetCountSspClk() + DELAY_ISO15693_VICC_TO_VCD_READER;
1493 if (answerLen > 0) {
1494 Dbprintf("READ SINGLE BLOCK %d returned %d octets:", i, answerLen);
1495 DbdecodeIso15693Answer(answerLen, answer);
1496 Dbhexdump(answerLen, answer, false);
1497 if ( *((uint32_t*) answer) == 0x07160101 ) break; // exit on NoPageErr
1498 }
1499 }
1500 }
1501
1502 // for the time being, switch field off to protect rdv4.0
1503 // note: this prevents using hf 15 cmd with s option - which isn't implemented yet anyway
1504 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1505 LED_D_OFF();
1506
1507 LED_A_OFF();
1508 }
1509
1510
1511 // Simulate an ISO15693 TAG.
1512 // For Inventory command: print command and send Inventory Response with given UID
1513 // TODO: interpret other reader commands and send appropriate response
1514 void SimTagIso15693(uint32_t parameter, uint8_t *uid)
1515 {
1516 LEDsoff();
1517 LED_A_ON();
1518
1519 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1520 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1521 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
1522 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR);
1523
1524 StartCountSspClk();
1525
1526 uint8_t cmd[ISO15693_MAX_COMMAND_LENGTH];
1527
1528 // Build a suitable response to the reader INVENTORY command
1529 BuildInventoryResponse(uid);
1530
1531 // Listen to reader
1532 while (!BUTTON_PRESS()) {
1533 uint32_t eof_time = 0, start_time = 0;
1534 int cmd_len = GetIso15693CommandFromReader(cmd, sizeof(cmd), &eof_time);
1535
1536 if ((cmd_len >= 5) && (cmd[0] & ISO15693_REQ_INVENTORY) && (cmd[1] == ISO15693_INVENTORY)) { // TODO: check more flags
1537 bool slow = !(cmd[0] & ISO15693_REQ_DATARATE_HIGH);
1538 start_time = eof_time + DELAY_ISO15693_VCD_TO_VICC_SIM - DELAY_ARM_TO_READER_SIM;
1539 TransmitTo15693Reader(ToSend, ToSendMax, &start_time, 0, slow);
1540 }
1541
1542 Dbprintf("%d bytes read from reader:", cmd_len);
1543 Dbhexdump(cmd_len, cmd, false);
1544 }
1545
1546 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1547 LEDsoff();
1548 }
1549
1550
1551 // Since there is no standardized way of reading the AFI out of a tag, we will brute force it
1552 // (some manufactures offer a way to read the AFI, though)
1553 void BruteforceIso15693Afi(uint32_t speed)
1554 {
1555 LEDsoff();
1556 LED_A_ON();
1557
1558 uint8_t data[6];
1559 uint8_t recv[ISO15693_MAX_RESPONSE_LENGTH];
1560
1561 int datalen=0, recvlen=0;
1562
1563 Iso15693InitReader();
1564 StartCountSspClk();
1565
1566 // first without AFI
1567 // Tags should respond without AFI and with AFI=0 even when AFI is active
1568
1569 data[0] = ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_INVENTORY | ISO15693_REQINV_SLOT1;
1570 data[1] = ISO15693_INVENTORY;
1571 data[2] = 0; // mask length
1572 datalen = Iso15693AddCrc(data,3);
1573 recvlen = SendDataTag(data, datalen, false, speed, recv, sizeof(recv), 0);
1574 uint32_t start_time = GetCountSspClk() + DELAY_ISO15693_VICC_TO_VCD_READER;
1575 WDT_HIT();
1576 if (recvlen>=12) {
1577 Dbprintf("NoAFI UID=%s", Iso15693sprintUID(NULL, &recv[2]));
1578 }
1579
1580 // now with AFI
1581
1582 data[0] = ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_INVENTORY | ISO15693_REQINV_AFI | ISO15693_REQINV_SLOT1;
1583 data[1] = ISO15693_INVENTORY;
1584 data[2] = 0; // AFI
1585 data[3] = 0; // mask length
1586
1587 for (int i = 0; i < 256; i++) {
1588 data[2] = i & 0xFF;
1589 datalen = Iso15693AddCrc(data,4);
1590 recvlen = SendDataTag(data, datalen, false, speed, recv, sizeof(recv), start_time);
1591 start_time = GetCountSspClk() + DELAY_ISO15693_VICC_TO_VCD_READER;
1592 WDT_HIT();
1593 if (recvlen >= 12) {
1594 Dbprintf("AFI=%i UID=%s", i, Iso15693sprintUID(NULL, &recv[2]));
1595 }
1596 }
1597 Dbprintf("AFI Bruteforcing done.");
1598
1599 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1600 LEDsoff();
1601 }
1602
1603 // Allows to directly send commands to the tag via the client
1604 void DirectTag15693Command(uint32_t datalen, uint32_t speed, uint32_t recv, uint8_t data[]) {
1605
1606 int recvlen = 0;
1607 uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
1608
1609 LED_A_ON();
1610
1611 if (DEBUG) {
1612 Dbprintf("SEND:");
1613 Dbhexdump(datalen, data, false);
1614 }
1615
1616 recvlen = SendDataTag(data, datalen, true, speed, (recv?recvbuf:NULL), sizeof(recvbuf), 0);
1617
1618 if (recv) {
1619 if (DEBUG) {
1620 Dbprintf("RECV:");
1621 Dbhexdump(recvlen, recvbuf, false);
1622 DbdecodeIso15693Answer(recvlen, recvbuf);
1623 }
1624
1625 cmd_send(CMD_ACK, recvlen>ISO15693_MAX_RESPONSE_LENGTH?ISO15693_MAX_RESPONSE_LENGTH:recvlen, 0, 0, recvbuf, ISO15693_MAX_RESPONSE_LENGTH);
1626
1627 }
1628
1629 // for the time being, switch field off to protect rdv4.0
1630 // note: this prevents using hf 15 cmd with s option - which isn't implemented yet anyway
1631 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1632 LED_D_OFF();
1633
1634 LED_A_OFF();
1635 }
1636
1637 //-----------------------------------------------------------------------------
1638 // Work with "magic Chinese" card.
1639 //
1640 //-----------------------------------------------------------------------------
1641
1642 // Set the UID to the tag (based on Iceman work).
1643 void SetTag15693Uid(uint8_t *uid)
1644 {
1645 uint8_t cmd[4][9] = {0x00};
1646
1647 uint16_t crc;
1648
1649 int recvlen = 0;
1650 uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
1651
1652 LED_A_ON();
1653
1654 // Command 1 : 02213E00000000
1655 cmd[0][0] = 0x02;
1656 cmd[0][1] = 0x21;
1657 cmd[0][2] = 0x3e;
1658 cmd[0][3] = 0x00;
1659 cmd[0][4] = 0x00;
1660 cmd[0][5] = 0x00;
1661 cmd[0][6] = 0x00;
1662
1663 // Command 2 : 02213F69960000
1664 cmd[1][0] = 0x02;
1665 cmd[1][1] = 0x21;
1666 cmd[1][2] = 0x3f;
1667 cmd[1][3] = 0x69;
1668 cmd[1][4] = 0x96;
1669 cmd[1][5] = 0x00;
1670 cmd[1][6] = 0x00;
1671
1672 // Command 3 : 022138u8u7u6u5 (where uX = uid byte X)
1673 cmd[2][0] = 0x02;
1674 cmd[2][1] = 0x21;
1675 cmd[2][2] = 0x38;
1676 cmd[2][3] = uid[7];
1677 cmd[2][4] = uid[6];
1678 cmd[2][5] = uid[5];
1679 cmd[2][6] = uid[4];
1680
1681 // Command 4 : 022139u4u3u2u1 (where uX = uid byte X)
1682 cmd[3][0] = 0x02;
1683 cmd[3][1] = 0x21;
1684 cmd[3][2] = 0x39;
1685 cmd[3][3] = uid[3];
1686 cmd[3][4] = uid[2];
1687 cmd[3][5] = uid[1];
1688 cmd[3][6] = uid[0];
1689
1690 for (int i=0; i<4; i++) {
1691 // Add the CRC
1692 crc = Iso15693Crc(cmd[i], 7);
1693 cmd[i][7] = crc & 0xff;
1694 cmd[i][8] = crc >> 8;
1695
1696 if (DEBUG) {
1697 Dbprintf("SEND:");
1698 Dbhexdump(sizeof(cmd[i]), cmd[i], false);
1699 }
1700
1701 recvlen = SendDataTag(cmd[i], sizeof(cmd[i]), true, 1, recvbuf, sizeof(recvbuf), 0);
1702
1703 if (DEBUG) {
1704 Dbprintf("RECV:");
1705 Dbhexdump(recvlen, recvbuf, false);
1706 DbdecodeIso15693Answer(recvlen, recvbuf);
1707 }
1708
1709 cmd_send(CMD_ACK, recvlen>ISO15693_MAX_RESPONSE_LENGTH?ISO15693_MAX_RESPONSE_LENGTH:recvlen, 0, 0, recvbuf, ISO15693_MAX_RESPONSE_LENGTH);
1710 }
1711
1712 LED_D_OFF();
1713
1714 LED_A_OFF();
1715 }
1716
1717
1718
1719 // --------------------------------------------------------------------
1720 // -- Misc & deprecated functions
1721 // --------------------------------------------------------------------
1722
1723 /*
1724
1725 // do not use; has a fix UID
1726 static void __attribute__((unused)) BuildSysInfoRequest(uint8_t *uid)
1727 {
1728 uint8_t cmd[12];
1729
1730 uint16_t crc;
1731 // If we set the Option_Flag in this request, the VICC will respond with the security status of the block
1732 // followed by the block data
1733 // one sub-carrier, inventory, 1 slot, fast rate
1734 cmd[0] = (1 << 5) | (1 << 1); // no SELECT bit
1735 // System Information command code
1736 cmd[1] = 0x2B;
1737 // UID may be optionally specified here
1738 // 64-bit UID
1739 cmd[2] = 0x32;
1740 cmd[3]= 0x4b;
1741 cmd[4] = 0x03;
1742 cmd[5] = 0x01;
1743 cmd[6] = 0x00;
1744 cmd[7] = 0x10;
1745 cmd[8] = 0x05;
1746 cmd[9]= 0xe0; // always e0 (not exactly unique)
1747 //Now the CRC
1748 crc = Iso15693Crc(cmd, 10); // the crc needs to be calculated over 2 bytes
1749 cmd[10] = crc & 0xff;
1750 cmd[11] = crc >> 8;
1751
1752 CodeIso15693AsReader(cmd, sizeof(cmd));
1753 }
1754
1755
1756 // do not use; has a fix UID
1757 static void __attribute__((unused)) BuildReadMultiBlockRequest(uint8_t *uid)
1758 {
1759 uint8_t cmd[14];
1760
1761 uint16_t crc;
1762 // If we set the Option_Flag in this request, the VICC will respond with the security status of the block
1763 // followed by the block data
1764 // one sub-carrier, inventory, 1 slot, fast rate
1765 cmd[0] = (1 << 5) | (1 << 1); // no SELECT bit
1766 // READ Multi BLOCK command code
1767 cmd[1] = 0x23;
1768 // UID may be optionally specified here
1769 // 64-bit UID
1770 cmd[2] = 0x32;
1771 cmd[3]= 0x4b;
1772 cmd[4] = 0x03;
1773 cmd[5] = 0x01;
1774 cmd[6] = 0x00;
1775 cmd[7] = 0x10;
1776 cmd[8] = 0x05;
1777 cmd[9]= 0xe0; // always e0 (not exactly unique)
1778 // First Block number to read
1779 cmd[10] = 0x00;
1780 // Number of Blocks to read
1781 cmd[11] = 0x2f; // read quite a few
1782 //Now the CRC
1783 crc = Iso15693Crc(cmd, 12); // the crc needs to be calculated over 2 bytes
1784 cmd[12] = crc & 0xff;
1785 cmd[13] = crc >> 8;
1786
1787 CodeIso15693AsReader(cmd, sizeof(cmd));
1788 }
1789
1790 // do not use; has a fix UID
1791 static void __attribute__((unused)) BuildArbitraryRequest(uint8_t *uid,uint8_t CmdCode)
1792 {
1793 uint8_t cmd[14];
1794
1795 uint16_t crc;
1796 // If we set the Option_Flag in this request, the VICC will respond with the security status of the block
1797 // followed by the block data
1798 // one sub-carrier, inventory, 1 slot, fast rate
1799 cmd[0] = (1 << 5) | (1 << 1); // no SELECT bit
1800 // READ BLOCK command code
1801 cmd[1] = CmdCode;
1802 // UID may be optionally specified here
1803 // 64-bit UID
1804 cmd[2] = 0x32;
1805 cmd[3]= 0x4b;
1806 cmd[4] = 0x03;
1807 cmd[5] = 0x01;
1808 cmd[6] = 0x00;
1809 cmd[7] = 0x10;
1810 cmd[8] = 0x05;
1811 cmd[9]= 0xe0; // always e0 (not exactly unique)
1812 // Parameter
1813 cmd[10] = 0x00;
1814 cmd[11] = 0x0a;
1815
1816 // cmd[12] = 0x00;
1817 // cmd[13] = 0x00; //Now the CRC
1818 crc = Iso15693Crc(cmd, 12); // the crc needs to be calculated over 2 bytes
1819 cmd[12] = crc & 0xff;
1820 cmd[13] = crc >> 8;
1821
1822 CodeIso15693AsReader(cmd, sizeof(cmd));
1823 }
1824
1825 // do not use; has a fix UID
1826 static void __attribute__((unused)) BuildArbitraryCustomRequest(uint8_t uid[], uint8_t CmdCode)
1827 {
1828 uint8_t cmd[14];
1829
1830 uint16_t crc;
1831 // If we set the Option_Flag in this request, the VICC will respond with the security status of the block
1832 // followed by the block data
1833 // one sub-carrier, inventory, 1 slot, fast rate
1834 cmd[0] = (1 << 5) | (1 << 1); // no SELECT bit
1835 // READ BLOCK command code
1836 cmd[1] = CmdCode;
1837 // UID may be optionally specified here
1838 // 64-bit UID
1839 cmd[2] = 0x32;
1840 cmd[3]= 0x4b;
1841 cmd[4] = 0x03;
1842 cmd[5] = 0x01;
1843 cmd[6] = 0x00;
1844 cmd[7] = 0x10;
1845 cmd[8] = 0x05;
1846 cmd[9]= 0xe0; // always e0 (not exactly unique)
1847 // Parameter
1848 cmd[10] = 0x05; // for custom codes this must be manufacturer code
1849 cmd[11] = 0x00;
1850
1851 // cmd[12] = 0x00;
1852 // cmd[13] = 0x00; //Now the CRC
1853 crc = Iso15693Crc(cmd, 12); // the crc needs to be calculated over 2 bytes
1854 cmd[12] = crc & 0xff;
1855 cmd[13] = crc >> 8;
1856
1857 CodeIso15693AsReader(cmd, sizeof(cmd));
1858 }
1859
1860
1861
1862
1863 */
1864
1865
Proxmark3 GIT tracking
Impressum, Datenschutz