]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443a.c
projects / proxmark3-svn / blob
? search:


8e2c56b04638947c4ef50240be0d8904cc09e1f5
[proxmark3-svn] / armsrc / iso14443a.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // Routines to support ISO 14443 type A.
11 //-----------------------------------------------------------------------------
12
13 #include "iso14443a.h"
14
15 #include <stdio.h>
16 #include <string.h>
17 #include "proxmark3.h"
18 #include "apps.h"
19 #include "util.h"
20 #include "cmd.h"
21 #include "iso14443crc.h"
22 #include "crapto1/crapto1.h"
23 #include "mifareutil.h"
24 #include "mifaresniff.h"
25 #include "BigBuf.h"
26 #include "protocols.h"
27 #include "parity.h"
28
29 typedef struct {
30 enum {
31 DEMOD_UNSYNCD,
32 // DEMOD_HALF_SYNCD,
33 // DEMOD_MOD_FIRST_HALF,
34 // DEMOD_NOMOD_FIRST_HALF,
35 DEMOD_MANCHESTER_DATA
36 } state;
37 uint16_t twoBits;
38 uint16_t highCnt;
39 uint16_t bitCount;
40 uint16_t collisionPos;
41 uint16_t syncBit;
42 uint8_t parityBits;
43 uint8_t parityLen;
44 uint16_t shiftReg;
45 uint16_t samples;
46 uint16_t len;
47 uint32_t startTime, endTime;
48 uint8_t *output;
49 uint8_t *parity;
50 } tDemod;
51
52 typedef enum {
53 MOD_NOMOD = 0,
54 MOD_SECOND_HALF,
55 MOD_FIRST_HALF,
56 MOD_BOTH_HALVES
57 } Modulation_t;
58
59 typedef struct {
60 enum {
61 STATE_UNSYNCD,
62 STATE_START_OF_COMMUNICATION,
63 STATE_MILLER_X,
64 STATE_MILLER_Y,
65 STATE_MILLER_Z,
66 // DROP_NONE,
67 // DROP_FIRST_HALF,
68 } state;
69 uint16_t shiftReg;
70 int16_t bitCount;
71 uint16_t len;
72 uint16_t byteCntMax;
73 uint16_t posCnt;
74 uint16_t syncBit;
75 uint8_t parityBits;
76 uint8_t parityLen;
77 uint32_t fourBits;
78 uint32_t startTime, endTime;
79 uint8_t *output;
80 uint8_t *parity;
81 } tUart;
82
83 static uint32_t iso14a_timeout;
84 int rsamples = 0;
85 uint8_t trigger = 0;
86 // the block number for the ISO14443-4 PCB
87 static uint8_t iso14_pcb_blocknum = 0;
88
89 //
90 // ISO14443 timing:
91 //
92 // minimum time between the start bits of consecutive transfers from reader to tag: 7000 carrier (13.56Mhz) cycles
93 #define REQUEST_GUARD_TIME (7000/16 + 1)
94 // minimum time between last modulation of tag and next start bit from reader to tag: 1172 carrier cycles
95 #define FRAME_DELAY_TIME_PICC_TO_PCD (1172/16 + 1)
96 // bool LastCommandWasRequest = false;
97
98 //
99 // Total delays including SSC-Transfers between ARM and FPGA. These are in carrier clock cycles (1/13,56MHz)
100 //
101 // When the PM acts as reader and is receiving tag data, it takes
102 // 3 ticks delay in the AD converter
103 // 16 ticks until the modulation detector completes and sets curbit
104 // 8 ticks until bit_to_arm is assigned from curbit
105 // 8*16 ticks for the transfer from FPGA to ARM
106 // 4*16 ticks until we measure the time
107 // - 8*16 ticks because we measure the time of the previous transfer
108 #define DELAY_AIR2ARM_AS_READER (3 + 16 + 8 + 8*16 + 4*16 - 8*16)
109
110 // When the PM acts as a reader and is sending, it takes
111 // 4*16 ticks until we can write data to the sending hold register
112 // 8*16 ticks until the SHR is transferred to the Sending Shift Register
113 // 8 ticks until the first transfer starts
114 // 8 ticks later the FPGA samples the data
115 // 1 tick to assign mod_sig_coil
116 #define DELAY_ARM2AIR_AS_READER (4*16 + 8*16 + 8 + 8 + 1)
117
118 // When the PM acts as tag and is receiving it takes
119 // 2 ticks delay in the RF part (for the first falling edge),
120 // 3 ticks for the A/D conversion,
121 // 8 ticks on average until the start of the SSC transfer,
122 // 8 ticks until the SSC samples the first data
123 // 7*16 ticks to complete the transfer from FPGA to ARM
124 // 8 ticks until the next ssp_clk rising edge
125 // 4*16 ticks until we measure the time
126 // - 8*16 ticks because we measure the time of the previous transfer
127 #define DELAY_AIR2ARM_AS_TAG (2 + 3 + 8 + 8 + 7*16 + 8 + 4*16 - 8*16)
128
129 // The FPGA will report its internal sending delay in
130 uint16_t FpgaSendQueueDelay;
131 // the 5 first bits are the number of bits buffered in mod_sig_buf
132 // the last three bits are the remaining ticks/2 after the mod_sig_buf shift
133 #define DELAY_FPGA_QUEUE (FpgaSendQueueDelay<<1)
134
135 // When the PM acts as tag and is sending, it takes
136 // 4*16 + 8 ticks until we can write data to the sending hold register
137 // 8*16 ticks until the SHR is transferred to the Sending Shift Register
138 // 8 ticks later the FPGA samples the first data
139 // + 16 ticks until assigned to mod_sig
140 // + 1 tick to assign mod_sig_coil
141 // + a varying number of ticks in the FPGA Delay Queue (mod_sig_buf)
142 #define DELAY_ARM2AIR_AS_TAG (4*16 + 8 + 8*16 + 8 + 16 + 1 + DELAY_FPGA_QUEUE)
143
144 // When the PM acts as sniffer and is receiving tag data, it takes
145 // 3 ticks A/D conversion
146 // 14 ticks to complete the modulation detection
147 // 8 ticks (on average) until the result is stored in to_arm
148 // + the delays in transferring data - which is the same for
149 // sniffing reader and tag data and therefore not relevant
150 #define DELAY_TAG_AIR2ARM_AS_SNIFFER (3 + 14 + 8)
151
152 // When the PM acts as sniffer and is receiving reader data, it takes
153 // 2 ticks delay in analogue RF receiver (for the falling edge of the
154 // start bit, which marks the start of the communication)
155 // 3 ticks A/D conversion
156 // 8 ticks on average until the data is stored in to_arm.
157 // + the delays in transferring data - which is the same for
158 // sniffing reader and tag data and therefore not relevant
159 #define DELAY_READER_AIR2ARM_AS_SNIFFER (2 + 3 + 8)
160
161 //variables used for timing purposes:
162 //these are in ssp_clk cycles:
163 static uint32_t NextTransferTime;
164 static uint32_t LastTimeProxToAirStart;
165 static uint32_t LastProxToAirDuration;
166
167
168
169 // CARD TO READER - manchester
170 // Sequence D: 11110000 modulation with subcarrier during first half
171 // Sequence E: 00001111 modulation with subcarrier during second half
172 // Sequence F: 00000000 no modulation with subcarrier
173 // READER TO CARD - miller
174 // Sequence X: 00001100 drop after half a period
175 // Sequence Y: 00000000 no drop
176 // Sequence Z: 11000000 drop at start
177 #define SEC_D 0xf0
178 #define SEC_E 0x0f
179 #define SEC_F 0x00
180 #define SEC_X 0x0c
181 #define SEC_Y 0x00
182 #define SEC_Z 0xc0
183
184 void iso14a_set_trigger(bool enable) {
185 trigger = enable;
186 }
187
188
189 void iso14a_set_timeout(uint32_t timeout) {
190 iso14a_timeout = timeout;
191 if(MF_DBGLEVEL >= 3) Dbprintf("ISO14443A Timeout set to %ld (%dms)", iso14a_timeout, iso14a_timeout / 106);
192 }
193
194
195 static void iso14a_set_ATS_timeout(uint8_t *ats) {
196
197 uint8_t tb1;
198 uint8_t fwi;
199 uint32_t fwt;
200
201 if (ats[0] > 1) { // there is a format byte T0
202 if ((ats[1] & 0x20) == 0x20) { // there is an interface byte TB(1)
203 if ((ats[1] & 0x10) == 0x10) { // there is an interface byte TA(1) preceding TB(1)
204 tb1 = ats[3];
205 } else {
206 tb1 = ats[2];
207 }
208 fwi = (tb1 & 0xf0) >> 4; // frame waiting indicator (FWI)
209 fwt = 256 * 16 * (1 << fwi); // frame waiting time (FWT) in 1/fc
210
211 iso14a_set_timeout(fwt/(8*16));
212 }
213 }
214 }
215
216
217 //-----------------------------------------------------------------------------
218 // Generate the parity value for a byte sequence
219 //
220 //-----------------------------------------------------------------------------
221 void GetParity(const uint8_t *pbtCmd, uint16_t iLen, uint8_t *par)
222 {
223 uint16_t paritybit_cnt = 0;
224 uint16_t paritybyte_cnt = 0;
225 uint8_t parityBits = 0;
226
227 for (uint16_t i = 0; i < iLen; i++) {
228 // Generate the parity bits
229 parityBits |= ((oddparity8(pbtCmd[i])) << (7-paritybit_cnt));
230 if (paritybit_cnt == 7) {
231 par[paritybyte_cnt] = parityBits; // save 8 Bits parity
232 parityBits = 0; // and advance to next Parity Byte
233 paritybyte_cnt++;
234 paritybit_cnt = 0;
235 } else {
236 paritybit_cnt++;
237 }
238 }
239
240 // save remaining parity bits
241 par[paritybyte_cnt] = parityBits;
242
243 }
244
245 void AppendCrc14443a(uint8_t* data, int len)
246 {
247 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
248 }
249
250 static void AppendCrc14443b(uint8_t* data, int len)
251 {
252 ComputeCrc14443(CRC_14443_B,data,len,data+len,data+len+1);
253 }
254
255
256 //=============================================================================
257 // ISO 14443 Type A - Miller decoder
258 //=============================================================================
259 // Basics:
260 // This decoder is used when the PM3 acts as a tag.
261 // The reader will generate "pauses" by temporarily switching of the field.
262 // At the PM3 antenna we will therefore measure a modulated antenna voltage.
263 // The FPGA does a comparison with a threshold and would deliver e.g.:
264 // ........ 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1 .......
265 // The Miller decoder needs to identify the following sequences:
266 // 2 (or 3) ticks pause followed by 6 (or 5) ticks unmodulated: pause at beginning - Sequence Z ("start of communication" or a "0")
267 // 8 ticks without a modulation: no pause - Sequence Y (a "0" or "end of communication" or "no information")
268 // 4 ticks unmodulated followed by 2 (or 3) ticks pause: pause in second half - Sequence X (a "1")
269 // Note 1: the bitstream may start at any time. We therefore need to sync.
270 // Note 2: the interpretation of Sequence Y and Z depends on the preceding sequence.
271 //-----------------------------------------------------------------------------
272 static tUart Uart;
273
274 // Lookup-Table to decide if 4 raw bits are a modulation.
275 // We accept the following:
276 // 0001 - a 3 tick wide pause
277 // 0011 - a 2 tick wide pause, or a three tick wide pause shifted left
278 // 0111 - a 2 tick wide pause shifted left
279 // 1001 - a 2 tick wide pause shifted right
280 const bool Mod_Miller_LUT[] = {
281 false, true, false, true, false, false, false, true,
282 false, true, false, false, false, false, false, false
283 };
284 #define IsMillerModulationNibble1(b) (Mod_Miller_LUT[(b & 0x000000F0) >> 4])
285 #define IsMillerModulationNibble2(b) (Mod_Miller_LUT[(b & 0x0000000F)])
286
287 static void UartReset()
288 {
289 Uart.state = STATE_UNSYNCD;
290 Uart.bitCount = 0;
291 Uart.len = 0; // number of decoded data bytes
292 Uart.parityLen = 0; // number of decoded parity bytes
293 Uart.shiftReg = 0; // shiftreg to hold decoded data bits
294 Uart.parityBits = 0; // holds 8 parity bits
295 Uart.startTime = 0;
296 Uart.endTime = 0;
297 }
298
299 static void UartInit(uint8_t *data, uint8_t *parity)
300 {
301 Uart.output = data;
302 Uart.parity = parity;
303 Uart.fourBits = 0x00000000; // clear the buffer for 4 Bits
304 UartReset();
305 }
306
307 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
308 static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
309 {
310
311 Uart.fourBits = (Uart.fourBits << 8) | bit;
312
313 if (Uart.state == STATE_UNSYNCD) { // not yet synced
314
315 Uart.syncBit = 9999; // not set
316 // The start bit is one ore more Sequence Y followed by a Sequence Z (... 11111111 00x11111). We need to distinguish from
317 // Sequence X followed by Sequence Y followed by Sequence Z (111100x1 11111111 00x11111)
318 // we therefore look for a ...xx11111111111100x11111xxxxxx... pattern
319 // (12 '1's followed by 2 '0's, eventually followed by another '0', followed by 5 '1's)
320 #define ISO14443A_STARTBIT_MASK 0x07FFEF80 // mask is 00000111 11111111 11101111 10000000
321 #define ISO14443A_STARTBIT_PATTERN 0x07FF8F80 // pattern is 00000111 11111111 10001111 10000000
322 if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 0)) == ISO14443A_STARTBIT_PATTERN >> 0) Uart.syncBit = 7;
323 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 1)) == ISO14443A_STARTBIT_PATTERN >> 1) Uart.syncBit = 6;
324 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 2)) == ISO14443A_STARTBIT_PATTERN >> 2) Uart.syncBit = 5;
325 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 3)) == ISO14443A_STARTBIT_PATTERN >> 3) Uart.syncBit = 4;
326 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 4)) == ISO14443A_STARTBIT_PATTERN >> 4) Uart.syncBit = 3;
327 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 5)) == ISO14443A_STARTBIT_PATTERN >> 5) Uart.syncBit = 2;
328 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 6)) == ISO14443A_STARTBIT_PATTERN >> 6) Uart.syncBit = 1;
329 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 7)) == ISO14443A_STARTBIT_PATTERN >> 7) Uart.syncBit = 0;
330
331 if (Uart.syncBit != 9999) { // found a sync bit
332 Uart.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
333 Uart.startTime -= Uart.syncBit;
334 Uart.endTime = Uart.startTime;
335 Uart.state = STATE_START_OF_COMMUNICATION;
336 }
337
338 } else {
339
340 if (IsMillerModulationNibble1(Uart.fourBits >> Uart.syncBit)) {
341 if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) { // Modulation in both halves - error
342 UartReset();
343 } else { // Modulation in first half = Sequence Z = logic "0"
344 if (Uart.state == STATE_MILLER_X) { // error - must not follow after X
345 UartReset();
346 } else {
347 Uart.bitCount++;
348 Uart.shiftReg = (Uart.shiftReg >> 1); // add a 0 to the shiftreg
349 Uart.state = STATE_MILLER_Z;
350 Uart.endTime = Uart.startTime + 8*(9*Uart.len + Uart.bitCount + 1) - 6;
351 if(Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
352 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
353 Uart.parityBits <<= 1; // make room for the parity bit
354 Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
355 Uart.bitCount = 0;
356 Uart.shiftReg = 0;
357 if((Uart.len&0x0007) == 0) { // every 8 data bytes
358 Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
359 Uart.parityBits = 0;
360 }
361 }
362 }
363 }
364 } else {
365 if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) { // Modulation second half = Sequence X = logic "1"
366 Uart.bitCount++;
367 Uart.shiftReg = (Uart.shiftReg >> 1) | 0x100; // add a 1 to the shiftreg
368 Uart.state = STATE_MILLER_X;
369 Uart.endTime = Uart.startTime + 8*(9*Uart.len + Uart.bitCount + 1) - 2;
370 if(Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
371 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
372 Uart.parityBits <<= 1; // make room for the new parity bit
373 Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
374 Uart.bitCount = 0;
375 Uart.shiftReg = 0;
376 if ((Uart.len&0x0007) == 0) { // every 8 data bytes
377 Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
378 Uart.parityBits = 0;
379 }
380 }
381 } else { // no modulation in both halves - Sequence Y
382 if (Uart.state == STATE_MILLER_Z || Uart.state == STATE_MILLER_Y) { // Y after logic "0" - End of Communication
383 Uart.state = STATE_UNSYNCD;
384 Uart.bitCount--; // last "0" was part of EOC sequence
385 Uart.shiftReg <<= 1; // drop it
386 if(Uart.bitCount > 0) { // if we decoded some bits
387 Uart.shiftReg >>= (9 - Uart.bitCount); // right align them
388 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff); // add last byte to the output
389 Uart.parityBits <<= 1; // add a (void) parity bit
390 Uart.parityBits <<= (8 - (Uart.len&0x0007)); // left align parity bits
391 Uart.parity[Uart.parityLen++] = Uart.parityBits; // and store it
392 return true;
393 } else if (Uart.len & 0x0007) { // there are some parity bits to store
394 Uart.parityBits <<= (8 - (Uart.len&0x0007)); // left align remaining parity bits
395 Uart.parity[Uart.parityLen++] = Uart.parityBits; // and store them
396 }
397 if (Uart.len) {
398 return true; // we are finished with decoding the raw data sequence
399 } else {
400 UartReset(); // Nothing received - start over
401 }
402 }
403 if (Uart.state == STATE_START_OF_COMMUNICATION) { // error - must not follow directly after SOC
404 UartReset();
405 } else { // a logic "0"
406 Uart.bitCount++;
407 Uart.shiftReg = (Uart.shiftReg >> 1); // add a 0 to the shiftreg
408 Uart.state = STATE_MILLER_Y;
409 if(Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
410 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
411 Uart.parityBits <<= 1; // make room for the parity bit
412 Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
413 Uart.bitCount = 0;
414 Uart.shiftReg = 0;
415 if ((Uart.len&0x0007) == 0) { // every 8 data bytes
416 Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
417 Uart.parityBits = 0;
418 }
419 }
420 }
421 }
422 }
423
424 }
425
426 return false; // not finished yet, need more data
427 }
428
429
430
431 //=============================================================================
432 // ISO 14443 Type A - Manchester decoder
433 //=============================================================================
434 // Basics:
435 // This decoder is used when the PM3 acts as a reader.
436 // The tag will modulate the reader field by asserting different loads to it. As a consequence, the voltage
437 // at the reader antenna will be modulated as well. The FPGA detects the modulation for us and would deliver e.g. the following:
438 // ........ 0 0 1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 .......
439 // The Manchester decoder needs to identify the following sequences:
440 // 4 ticks modulated followed by 4 ticks unmodulated: Sequence D = 1 (also used as "start of communication")
441 // 4 ticks unmodulated followed by 4 ticks modulated: Sequence E = 0
442 // 8 ticks unmodulated: Sequence F = end of communication
443 // 8 ticks modulated: A collision. Save the collision position and treat as Sequence D
444 // Note 1: the bitstream may start at any time. We therefore need to sync.
445 // Note 2: parameter offset is used to determine the position of the parity bits (required for the anticollision command only)
446 static tDemod Demod;
447
448 // Lookup-Table to decide if 4 raw bits are a modulation.
449 // We accept three or four "1" in any position
450 const bool Mod_Manchester_LUT[] = {
451 false, false, false, false, false, false, false, true,
452 false, false, false, true, false, true, true, true
453 };
454
455 #define IsManchesterModulationNibble1(b) (Mod_Manchester_LUT[(b & 0x00F0) >> 4])
456 #define IsManchesterModulationNibble2(b) (Mod_Manchester_LUT[(b & 0x000F)])
457
458
459 static void DemodReset()
460 {
461 Demod.state = DEMOD_UNSYNCD;
462 Demod.len = 0; // number of decoded data bytes
463 Demod.parityLen = 0;
464 Demod.shiftReg = 0; // shiftreg to hold decoded data bits
465 Demod.parityBits = 0; //
466 Demod.collisionPos = 0; // Position of collision bit
467 Demod.twoBits = 0xffff; // buffer for 2 Bits
468 Demod.highCnt = 0;
469 Demod.startTime = 0;
470 Demod.endTime = 0;
471 }
472
473 static void DemodInit(uint8_t *data, uint8_t *parity)
474 {
475 Demod.output = data;
476 Demod.parity = parity;
477 DemodReset();
478 }
479
480 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
481 static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time)
482 {
483
484 Demod.twoBits = (Demod.twoBits << 8) | bit;
485
486 if (Demod.state == DEMOD_UNSYNCD) {
487
488 if (Demod.highCnt < 2) { // wait for a stable unmodulated signal
489 if (Demod.twoBits == 0x0000) {
490 Demod.highCnt++;
491 } else {
492 Demod.highCnt = 0;
493 }
494 } else {
495 Demod.syncBit = 0xFFFF; // not set
496 if ((Demod.twoBits & 0x7700) == 0x7000) Demod.syncBit = 7;
497 else if ((Demod.twoBits & 0x3B80) == 0x3800) Demod.syncBit = 6;
498 else if ((Demod.twoBits & 0x1DC0) == 0x1C00) Demod.syncBit = 5;
499 else if ((Demod.twoBits & 0x0EE0) == 0x0E00) Demod.syncBit = 4;
500 else if ((Demod.twoBits & 0x0770) == 0x0700) Demod.syncBit = 3;
501 else if ((Demod.twoBits & 0x03B8) == 0x0380) Demod.syncBit = 2;
502 else if ((Demod.twoBits & 0x01DC) == 0x01C0) Demod.syncBit = 1;
503 else if ((Demod.twoBits & 0x00EE) == 0x00E0) Demod.syncBit = 0;
504 if (Demod.syncBit != 0xFFFF) {
505 Demod.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
506 Demod.startTime -= Demod.syncBit;
507 Demod.bitCount = offset; // number of decoded data bits
508 Demod.state = DEMOD_MANCHESTER_DATA;
509 }
510 }
511
512 } else {
513
514 if (IsManchesterModulationNibble1(Demod.twoBits >> Demod.syncBit)) { // modulation in first half
515 if (IsManchesterModulationNibble2(Demod.twoBits >> Demod.syncBit)) { // ... and in second half = collision
516 if (!Demod.collisionPos) {
517 Demod.collisionPos = (Demod.len << 3) + Demod.bitCount;
518 }
519 } // modulation in first half only - Sequence D = 1
520 Demod.bitCount++;
521 Demod.shiftReg = (Demod.shiftReg >> 1) | 0x100; // in both cases, add a 1 to the shiftreg
522 if(Demod.bitCount == 9) { // if we decoded a full byte (including parity)
523 Demod.output[Demod.len++] = (Demod.shiftReg & 0xff);
524 Demod.parityBits <<= 1; // make room for the parity bit
525 Demod.parityBits |= ((Demod.shiftReg >> 8) & 0x01); // store parity bit
526 Demod.bitCount = 0;
527 Demod.shiftReg = 0;
528 if((Demod.len&0x0007) == 0) { // every 8 data bytes
529 Demod.parity[Demod.parityLen++] = Demod.parityBits; // store 8 parity bits
530 Demod.parityBits = 0;
531 }
532 }
533 Demod.endTime = Demod.startTime + 8*(9*Demod.len + Demod.bitCount + 1) - 4;
534 } else { // no modulation in first half
535 if (IsManchesterModulationNibble2(Demod.twoBits >> Demod.syncBit)) { // and modulation in second half = Sequence E = 0
536 Demod.bitCount++;
537 Demod.shiftReg = (Demod.shiftReg >> 1); // add a 0 to the shiftreg
538 if(Demod.bitCount >= 9) { // if we decoded a full byte (including parity)
539 Demod.output[Demod.len++] = (Demod.shiftReg & 0xff);
540 Demod.parityBits <<= 1; // make room for the new parity bit
541 Demod.parityBits |= ((Demod.shiftReg >> 8) & 0x01); // store parity bit
542 Demod.bitCount = 0;
543 Demod.shiftReg = 0;
544 if ((Demod.len&0x0007) == 0) { // every 8 data bytes
545 Demod.parity[Demod.parityLen++] = Demod.parityBits; // store 8 parity bits1
546 Demod.parityBits = 0;
547 }
548 }
549 Demod.endTime = Demod.startTime + 8*(9*Demod.len + Demod.bitCount + 1);
550 } else { // no modulation in both halves - End of communication
551 if(Demod.bitCount > 0) { // there are some remaining data bits
552 Demod.shiftReg >>= (9 - Demod.bitCount); // right align the decoded bits
553 Demod.output[Demod.len++] = Demod.shiftReg & 0xff; // and add them to the output
554 Demod.parityBits <<= 1; // add a (void) parity bit
555 Demod.parityBits <<= (8 - (Demod.len&0x0007)); // left align remaining parity bits
556 Demod.parity[Demod.parityLen++] = Demod.parityBits; // and store them
557 return true;
558 } else if (Demod.len & 0x0007) { // there are some parity bits to store
559 Demod.parityBits <<= (8 - (Demod.len&0x0007)); // left align remaining parity bits
560 Demod.parity[Demod.parityLen++] = Demod.parityBits; // and store them
561 }
562 if (Demod.len) {
563 return true; // we are finished with decoding the raw data sequence
564 } else { // nothing received. Start over
565 DemodReset();
566 }
567 }
568 }
569
570 }
571
572 return false; // not finished yet, need more data
573 }
574
575 //=============================================================================
576 // Finally, a `sniffer' for ISO 14443 Type A
577 // Both sides of communication!
578 //=============================================================================
579
580 //-----------------------------------------------------------------------------
581 // Record the sequence of commands sent by the reader to the tag, with
582 // triggering so that we start recording at the point that the tag is moved
583 // near the reader.
584 //-----------------------------------------------------------------------------
585 void RAMFUNC SnoopIso14443a(uint8_t param) {
586 // param:
587 // bit 0 - trigger from first card answer
588 // bit 1 - trigger from first reader 7-bit request
589
590 LEDsoff();
591
592 iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
593
594 // Allocate memory from BigBuf for some buffers
595 // free all previous allocations first
596 BigBuf_free();
597
598 // The command (reader -> tag) that we're receiving.
599 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
600 uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
601
602 // The response (tag -> reader) that we're receiving.
603 uint8_t *receivedResponse = BigBuf_malloc(MAX_FRAME_SIZE);
604 uint8_t *receivedResponsePar = BigBuf_malloc(MAX_PARITY_SIZE);
605
606 // The DMA buffer, used to stream samples from the FPGA
607 uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
608
609 // init trace buffer
610 clear_trace();
611 set_tracing(true);
612
613 uint8_t *data = dmaBuf;
614 uint8_t previous_data = 0;
615 int maxDataLen = 0;
616 int dataLen = 0;
617 bool TagIsActive = false;
618 bool ReaderIsActive = false;
619
620 // Set up the demodulator for tag -> reader responses.
621 DemodInit(receivedResponse, receivedResponsePar);
622
623 // Set up the demodulator for the reader -> tag commands
624 UartInit(receivedCmd, receivedCmdPar);
625
626 // Setup and start DMA.
627 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
628
629 // We won't start recording the frames that we acquire until we trigger;
630 // a good trigger condition to get started is probably when we see a
631 // response from the tag.
632 // triggered == false -- to wait first for card
633 bool triggered = !(param & 0x03);
634
635 // And now we loop, receiving samples.
636 for(uint32_t rsamples = 0; true; ) {
637
638 if(BUTTON_PRESS()) {
639 DbpString("cancelled by button");
640 break;
641 }
642
643 LED_A_ON();
644 WDT_HIT();
645
646 int register readBufDataP = data - dmaBuf;
647 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
648 if (readBufDataP <= dmaBufDataP){
649 dataLen = dmaBufDataP - readBufDataP;
650 } else {
651 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP;
652 }
653 // test for length of buffer
654 if(dataLen > maxDataLen) {
655 maxDataLen = dataLen;
656 if(dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
657 Dbprintf("blew circular buffer! dataLen=%d", dataLen);
658 break;
659 }
660 }
661 if(dataLen < 1) continue;
662
663 // primary buffer was stopped( <-- we lost data!
664 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
665 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
666 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
667 Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
668 }
669 // secondary buffer sets as primary, secondary buffer was stopped
670 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
671 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
672 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
673 }
674
675 LED_A_OFF();
676
677 if (rsamples & 0x01) { // Need two samples to feed Miller and Manchester-Decoder
678
679 if(!TagIsActive) { // no need to try decoding reader data if the tag is sending
680 uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
681 if (MillerDecoding(readerdata, (rsamples-1)*4)) {
682 LED_C_ON();
683
684 // check - if there is a short 7bit request from reader
685 if ((!triggered) && (param & 0x02) && (Uart.len == 1) && (Uart.bitCount == 7)) triggered = true;
686
687 if(triggered) {
688 if (!LogTrace(receivedCmd,
689 Uart.len,
690 Uart.startTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER,
691 Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER,
692 Uart.parity,
693 true)) break;
694 }
695 /* And ready to receive another command. */
696 UartReset();
697 /* And also reset the demod code, which might have been */
698 /* false-triggered by the commands from the reader. */
699 DemodReset();
700 LED_B_OFF();
701 }
702 ReaderIsActive = (Uart.state != STATE_UNSYNCD);
703 }
704
705 if(!ReaderIsActive) { // no need to try decoding tag data if the reader is sending - and we cannot afford the time
706 uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
707 if(ManchesterDecoding(tagdata, 0, (rsamples-1)*4)) {
708 LED_B_ON();
709
710 if (!LogTrace(receivedResponse,
711 Demod.len,
712 Demod.startTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER,
713 Demod.endTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER,
714 Demod.parity,
715 false)) break;
716
717 if ((!triggered) && (param & 0x01)) triggered = true;
718
719 // And ready to receive another response.
720 DemodReset();
721 // And reset the Miller decoder including itS (now outdated) input buffer
722 UartInit(receivedCmd, receivedCmdPar);
723
724 LED_C_OFF();
725 }
726 TagIsActive = (Demod.state != DEMOD_UNSYNCD);
727 }
728 }
729
730 previous_data = *data;
731 rsamples++;
732 data++;
733 if(data == dmaBuf + DMA_BUFFER_SIZE) {
734 data = dmaBuf;
735 }
736 } // main cycle
737
738 DbpString("COMMAND FINISHED");
739
740 FpgaDisableSscDma();
741 Dbprintf("maxDataLen=%d, Uart.state=%x, Uart.len=%d", maxDataLen, Uart.state, Uart.len);
742 Dbprintf("traceLen=%d, Uart.output[0]=%08x", BigBuf_get_traceLen(), (uint32_t)Uart.output[0]);
743 LEDsoff();
744 }
745
746 //-----------------------------------------------------------------------------
747 // Prepare tag messages
748 //-----------------------------------------------------------------------------
749 static void CodeIso14443aAsTagPar(const uint8_t *cmd, uint16_t len, uint8_t *parity)
750 {
751 ToSendReset();
752
753 // Correction bit, might be removed when not needed
754 ToSendStuffBit(0);
755 ToSendStuffBit(0);
756 ToSendStuffBit(0);
757 ToSendStuffBit(0);
758 ToSendStuffBit(1); // 1
759 ToSendStuffBit(0);
760 ToSendStuffBit(0);
761 ToSendStuffBit(0);
762
763 // Send startbit
764 ToSend[++ToSendMax] = SEC_D;
765 LastProxToAirDuration = 8 * ToSendMax - 4;
766
767 for(uint16_t i = 0; i < len; i++) {
768 uint8_t b = cmd[i];
769
770 // Data bits
771 for(uint16_t j = 0; j < 8; j++) {
772 if(b & 1) {
773 ToSend[++ToSendMax] = SEC_D;
774 } else {
775 ToSend[++ToSendMax] = SEC_E;
776 }
777 b >>= 1;
778 }
779
780 // Get the parity bit
781 if (parity[i>>3] & (0x80>>(i&0x0007))) {
782 ToSend[++ToSendMax] = SEC_D;
783 LastProxToAirDuration = 8 * ToSendMax - 4;
784 } else {
785 ToSend[++ToSendMax] = SEC_E;
786 LastProxToAirDuration = 8 * ToSendMax;
787 }
788 }
789
790 // Send stopbit
791 ToSend[++ToSendMax] = SEC_F;
792
793 // Convert from last byte pos to length
794 ToSendMax++;
795 }
796
797
798 static void Code4bitAnswerAsTag(uint8_t cmd)
799 {
800 int i;
801
802 ToSendReset();
803
804 // Correction bit, might be removed when not needed
805 ToSendStuffBit(0);
806 ToSendStuffBit(0);
807 ToSendStuffBit(0);
808 ToSendStuffBit(0);
809 ToSendStuffBit(1); // 1
810 ToSendStuffBit(0);
811 ToSendStuffBit(0);
812 ToSendStuffBit(0);
813
814 // Send startbit
815 ToSend[++ToSendMax] = SEC_D;
816
817 uint8_t b = cmd;
818 for(i = 0; i < 4; i++) {
819 if(b & 1) {
820 ToSend[++ToSendMax] = SEC_D;
821 LastProxToAirDuration = 8 * ToSendMax - 4;
822 } else {
823 ToSend[++ToSendMax] = SEC_E;
824 LastProxToAirDuration = 8 * ToSendMax;
825 }
826 b >>= 1;
827 }
828
829 // Send stopbit
830 ToSend[++ToSendMax] = SEC_F;
831
832 // Convert from last byte pos to length
833 ToSendMax++;
834 }
835
836
837 static uint8_t *LastReaderTraceTime = NULL;
838
839 static void EmLogTraceReader(void) {
840 // remember last reader trace start to fix timing info later
841 LastReaderTraceTime = BigBuf_get_addr() + BigBuf_get_traceLen();
842 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, true);
843 }
844
845
846 static void FixLastReaderTraceTime(uint32_t tag_StartTime) {
847 uint32_t reader_EndTime = Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG;
848 uint32_t reader_StartTime = Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG;
849 uint16_t reader_modlen = reader_EndTime - reader_StartTime;
850 uint16_t approx_fdt = tag_StartTime - reader_EndTime;
851 uint16_t exact_fdt = (approx_fdt - 20 + 32)/64 * 64 + 20;
852 reader_StartTime = tag_StartTime - exact_fdt - reader_modlen;
853 LastReaderTraceTime[0] = (reader_StartTime >> 0) & 0xff;
854 LastReaderTraceTime[1] = (reader_StartTime >> 8) & 0xff;
855 LastReaderTraceTime[2] = (reader_StartTime >> 16) & 0xff;
856 LastReaderTraceTime[3] = (reader_StartTime >> 24) & 0xff;
857 }
858
859
860 static void EmLogTraceTag(uint8_t *tag_data, uint16_t tag_len, uint8_t *tag_Parity, uint32_t ProxToAirDuration) {
861 uint32_t tag_StartTime = LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG;
862 uint32_t tag_EndTime = (LastTimeProxToAirStart + ProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG;
863 LogTrace(tag_data, tag_len, tag_StartTime, tag_EndTime, tag_Parity, false);
864 FixLastReaderTraceTime(tag_StartTime);
865 }
866
867
868 //-----------------------------------------------------------------------------
869 // Wait for commands from reader
870 // Stop when button is pressed
871 // Or return true when command is captured
872 //-----------------------------------------------------------------------------
873 static int GetIso14443aCommandFromReader(uint8_t *received, uint8_t *parity, int *len)
874 {
875 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
876 // only, since we are receiving, not transmitting).
877 // Signal field is off with the appropriate LED
878 LED_D_OFF();
879 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
880
881 // Now run a `software UART' on the stream of incoming samples.
882 UartInit(received, parity);
883
884 // clear RXRDY:
885 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
886
887 for(;;) {
888 WDT_HIT();
889
890 if(BUTTON_PRESS()) return false;
891
892 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
893 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
894 if(MillerDecoding(b, 0)) {
895 *len = Uart.len;
896 EmLogTraceReader();
897 return true;
898 }
899 }
900 }
901 }
902
903
904 static int EmSend4bitEx(uint8_t resp);
905 int EmSend4bit(uint8_t resp);
906 static int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, uint8_t *par);
907 int EmSendCmdEx(uint8_t *resp, uint16_t respLen);
908 int EmSendPrecompiledCmd(tag_response_info_t *response_info);
909
910
911 static bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffer_size) {
912 // Example response, answer to MIFARE Classic read block will be 16 bytes + 2 CRC = 18 bytes
913 // This will need the following byte array for a modulation sequence
914 // 144 data bits (18 * 8)
915 // 18 parity bits
916 // 2 Start and stop
917 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
918 // 1 just for the case
919 // ----------- +
920 // 166 bytes, since every bit that needs to be send costs us a byte
921 //
922
923
924 // Prepare the tag modulation bits from the message
925 GetParity(response_info->response, response_info->response_n, &(response_info->par));
926 CodeIso14443aAsTagPar(response_info->response,response_info->response_n, &(response_info->par));
927
928 // Make sure we do not exceed the free buffer space
929 if (ToSendMax > max_buffer_size) {
930 Dbprintf("Out of memory, when modulating bits for tag answer:");
931 Dbhexdump(response_info->response_n, response_info->response, false);
932 return false;
933 }
934
935 // Copy the byte array, used for this modulation to the buffer position
936 memcpy(response_info->modulation, ToSend, ToSendMax);
937
938 // Store the number of bytes that were used for encoding/modulation and the time needed to transfer them
939 response_info->modulation_n = ToSendMax;
940 response_info->ProxToAirDuration = LastProxToAirDuration;
941
942 return true;
943 }
944
945
946 // "precompile" responses. There are 7 predefined responses with a total of 28 bytes data to transmit.
947 // Coded responses need one byte per bit to transfer (data, parity, start, stop, correction)
948 // 28 * 8 data bits, 28 * 1 parity bits, 7 start bits, 7 stop bits, 7 correction bits for the modulation
949 // -> need 273 bytes buffer
950 #define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 273
951
952 bool prepare_allocated_tag_modulation(tag_response_info_t* response_info, uint8_t **buffer, size_t *max_buffer_size) {
953
954 // Retrieve and store the current buffer index
955 response_info->modulation = *buffer;
956
957 // Forward the prepare tag modulation function to the inner function
958 if (prepare_tag_modulation(response_info, *max_buffer_size)) {
959 // Update the free buffer offset and the remaining buffer size
960 *buffer += ToSendMax;
961 *max_buffer_size -= ToSendMax;
962 return true;
963 } else {
964 return false;
965 }
966 }
967
968 //-----------------------------------------------------------------------------
969 // Main loop of simulated tag: receive commands from reader, decide what
970 // response to send, and send it.
971 //-----------------------------------------------------------------------------
972 void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
973 {
974 uint8_t sak;
975
976 // The first response contains the ATQA (note: bytes are transmitted in reverse order).
977 uint8_t response1[2];
978
979 switch (tagType) {
980 case 1: { // MIFARE Classic
981 // Says: I am Mifare 1k - original line
982 response1[0] = 0x04;
983 response1[1] = 0x00;
984 sak = 0x08;
985 } break;
986 case 2: { // MIFARE Ultralight
987 // Says: I am a stupid memory tag, no crypto
988 response1[0] = 0x04;
989 response1[1] = 0x00;
990 sak = 0x00;
991 } break;
992 case 3: { // MIFARE DESFire
993 // Says: I am a DESFire tag, ph33r me
994 response1[0] = 0x04;
995 response1[1] = 0x03;
996 sak = 0x20;
997 } break;
998 case 4: { // ISO/IEC 14443-4
999 // Says: I am a javacard (JCOP)
1000 response1[0] = 0x04;
1001 response1[1] = 0x00;
1002 sak = 0x28;
1003 } break;
1004 case 5: { // MIFARE TNP3XXX
1005 // Says: I am a toy
1006 response1[0] = 0x01;
1007 response1[1] = 0x0f;
1008 sak = 0x01;
1009 } break;
1010 default: {
1011 Dbprintf("Error: unkown tagtype (%d)",tagType);
1012 return;
1013 } break;
1014 }
1015
1016 // The second response contains the (mandatory) first 24 bits of the UID
1017 uint8_t response2[5] = {0x00};
1018
1019 // Check if the uid uses the (optional) part
1020 uint8_t response2a[5] = {0x00};
1021
1022 if (uid_2nd) {
1023 response2[0] = 0x88;
1024 num_to_bytes(uid_1st,3,response2+1);
1025 num_to_bytes(uid_2nd,4,response2a);
1026 response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3];
1027
1028 // Configure the ATQA and SAK accordingly
1029 response1[0] |= 0x40;
1030 sak |= 0x04;
1031 } else {
1032 num_to_bytes(uid_1st,4,response2);
1033 // Configure the ATQA and SAK accordingly
1034 response1[0] &= 0xBF;
1035 sak &= 0xFB;
1036 }
1037
1038 // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
1039 response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
1040
1041 // Prepare the mandatory SAK (for 4 and 7 byte UID)
1042 uint8_t response3[3] = {0x00};
1043 response3[0] = sak;
1044 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
1045
1046 // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
1047 uint8_t response3a[3] = {0x00};
1048 response3a[0] = sak & 0xFB;
1049 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
1050
1051 uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
1052 uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS:
1053 // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present,
1054 // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
1055 // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
1056 // TC(1) = 0x02: CID supported, NAD not supported
1057 ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]);
1058
1059 #define TAG_RESPONSE_COUNT 7
1060 tag_response_info_t responses[TAG_RESPONSE_COUNT] = {
1061 { .response = response1, .response_n = sizeof(response1) }, // Answer to request - respond with card type
1062 { .response = response2, .response_n = sizeof(response2) }, // Anticollision cascade1 - respond with uid
1063 { .response = response2a, .response_n = sizeof(response2a) }, // Anticollision cascade2 - respond with 2nd half of uid if asked
1064 { .response = response3, .response_n = sizeof(response3) }, // Acknowledge select - cascade 1
1065 { .response = response3a, .response_n = sizeof(response3a) }, // Acknowledge select - cascade 2
1066 { .response = response5, .response_n = sizeof(response5) }, // Authentication answer (random nonce)
1067 { .response = response6, .response_n = sizeof(response6) }, // dummy ATS (pseudo-ATR), answer to RATS
1068 };
1069
1070 // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it
1071 // Such a response is less time critical, so we can prepare them on the fly
1072 #define DYNAMIC_RESPONSE_BUFFER_SIZE 64
1073 #define DYNAMIC_MODULATION_BUFFER_SIZE 512
1074 uint8_t dynamic_response_buffer[DYNAMIC_RESPONSE_BUFFER_SIZE];
1075 uint8_t dynamic_modulation_buffer[DYNAMIC_MODULATION_BUFFER_SIZE];
1076 tag_response_info_t dynamic_response_info = {
1077 .response = dynamic_response_buffer,
1078 .response_n = 0,
1079 .modulation = dynamic_modulation_buffer,
1080 .modulation_n = 0
1081 };
1082
1083 // We need to listen to the high-frequency, peak-detected path.
1084 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1085
1086 BigBuf_free_keep_EM();
1087
1088 // allocate buffers:
1089 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
1090 uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
1091 uint8_t *free_buffer_pointer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
1092 size_t free_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE;
1093 // clear trace
1094 clear_trace();
1095 set_tracing(true);
1096
1097 // Prepare the responses of the anticollision phase
1098 // there will be not enough time to do this at the moment the reader sends it REQA
1099 for (size_t i=0; i<TAG_RESPONSE_COUNT; i++) {
1100 prepare_allocated_tag_modulation(&responses[i], &free_buffer_pointer, &free_buffer_size);
1101 }
1102
1103 int len = 0;
1104
1105 // To control where we are in the protocol
1106 int order = 0;
1107 int lastorder;
1108
1109 // Just to allow some checks
1110 int happened = 0;
1111 int happened2 = 0;
1112 int cmdsRecvd = 0;
1113
1114 cmdsRecvd = 0;
1115 tag_response_info_t* p_response;
1116
1117 LED_A_ON();
1118 for(;;) {
1119 // Clean receive command buffer
1120 if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
1121 DbpString("Button press");
1122 break;
1123 }
1124
1125 p_response = NULL;
1126
1127 // Okay, look at the command now.
1128 lastorder = order;
1129 if(receivedCmd[0] == 0x26) { // Received a REQUEST
1130 p_response = &responses[0]; order = 1;
1131 } else if(receivedCmd[0] == 0x52) { // Received a WAKEUP
1132 p_response = &responses[0]; order = 6;
1133 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // Received request for UID (cascade 1)
1134 p_response = &responses[1]; order = 2;
1135 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x95) { // Received request for UID (cascade 2)
1136 p_response = &responses[2]; order = 20;
1137 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x93) { // Received a SELECT (cascade 1)
1138 p_response = &responses[3]; order = 3;
1139 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) { // Received a SELECT (cascade 2)
1140 p_response = &responses[4]; order = 30;
1141 } else if(receivedCmd[0] == 0x30) { // Received a (plain) READ
1142 EmSendCmdEx(data+(4*receivedCmd[1]),16);
1143 // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
1144 // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
1145 p_response = NULL;
1146 } else if(receivedCmd[0] == 0x50) { // Received a HALT
1147 p_response = NULL;
1148 } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) { // Received an authentication request
1149 p_response = &responses[5]; order = 7;
1150 } else if(receivedCmd[0] == 0xE0) { // Received a RATS request
1151 if (tagType == 1 || tagType == 2) { // RATS not supported
1152 EmSend4bit(CARD_NACK_NA);
1153 p_response = NULL;
1154 } else {
1155 p_response = &responses[6]; order = 70;
1156 }
1157 } else if (order == 7 && len == 8) { // Received {nr] and {ar} (part of authentication)
1158 uint32_t nr = bytes_to_num(receivedCmd,4);
1159 uint32_t ar = bytes_to_num(receivedCmd+4,4);
1160 Dbprintf("Auth attempt {nr}{ar}: %08x %08x",nr,ar);
1161 } else {
1162 // Check for ISO 14443A-4 compliant commands, look at left nibble
1163 switch (receivedCmd[0]) {
1164
1165 case 0x0B:
1166 case 0x0A: { // IBlock (command)
1167 dynamic_response_info.response[0] = receivedCmd[0];
1168 dynamic_response_info.response[1] = 0x00;
1169 dynamic_response_info.response[2] = 0x90;
1170 dynamic_response_info.response[3] = 0x00;
1171 dynamic_response_info.response_n = 4;
1172 } break;
1173
1174 case 0x1A:
1175 case 0x1B: { // Chaining command
1176 dynamic_response_info.response[0] = 0xaa | ((receivedCmd[0]) & 1);
1177 dynamic_response_info.response_n = 2;
1178 } break;
1179
1180 case 0xaa:
1181 case 0xbb: {
1182 dynamic_response_info.response[0] = receivedCmd[0] ^ 0x11;
1183 dynamic_response_info.response_n = 2;
1184 } break;
1185
1186 case 0xBA: { //
1187 memcpy(dynamic_response_info.response,"\xAB\x00",2);
1188 dynamic_response_info.response_n = 2;
1189 } break;
1190
1191 case 0xCA:
1192 case 0xC2: { // Readers sends deselect command
1193 memcpy(dynamic_response_info.response,"\xCA\x00",2);
1194 dynamic_response_info.response_n = 2;
1195 } break;
1196
1197 default: {
1198 // Never seen this command before
1199 Dbprintf("Received unknown command (len=%d):",len);
1200 Dbhexdump(len,receivedCmd,false);
1201 // Do not respond
1202 dynamic_response_info.response_n = 0;
1203 } break;
1204 }
1205
1206 if (dynamic_response_info.response_n > 0) {
1207 // Copy the CID from the reader query
1208 dynamic_response_info.response[1] = receivedCmd[1];
1209
1210 // Add CRC bytes, always used in ISO 14443A-4 compliant cards
1211 AppendCrc14443a(dynamic_response_info.response,dynamic_response_info.response_n);
1212 dynamic_response_info.response_n += 2;
1213
1214 if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
1215 Dbprintf("Error preparing tag response");
1216 break;
1217 }
1218 p_response = &dynamic_response_info;
1219 }
1220 }
1221
1222 // Count number of wakeups received after a halt
1223 if(order == 6 && lastorder == 5) { happened++; }
1224
1225 // Count number of other messages after a halt
1226 if(order != 6 && lastorder == 5) { happened2++; }
1227
1228 if(cmdsRecvd > 999) {
1229 DbpString("1000 commands later...");
1230 break;
1231 }
1232 cmdsRecvd++;
1233
1234 if (p_response != NULL) {
1235 EmSendPrecompiledCmd(p_response);
1236 }
1237
1238 if (!tracing) {
1239 Dbprintf("Trace Full. Simulation stopped.");
1240 break;
1241 }
1242 }
1243
1244 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1245 LED_A_OFF();
1246 BigBuf_free_keep_EM();
1247 }
1248
1249
1250 // prepare a delayed transfer. This simply shifts ToSend[] by a number
1251 // of bits specified in the delay parameter.
1252 static void PrepareDelayedTransfer(uint16_t delay)
1253 {
1254 uint8_t bitmask = 0;
1255 uint8_t bits_to_shift = 0;
1256 uint8_t bits_shifted = 0;
1257
1258 delay &= 0x07;
1259 if (delay) {
1260 for (uint16_t i = 0; i < delay; i++) {
1261 bitmask |= (0x01 << i);
1262 }
1263 ToSend[ToSendMax++] = 0x00;
1264 for (uint16_t i = 0; i < ToSendMax; i++) {
1265 bits_to_shift = ToSend[i] & bitmask;
1266 ToSend[i] = ToSend[i] >> delay;
1267 ToSend[i] = ToSend[i] | (bits_shifted << (8 - delay));
1268 bits_shifted = bits_to_shift;
1269 }
1270 }
1271 }
1272
1273
1274 //-------------------------------------------------------------------------------------
1275 // Transmit the command (to the tag) that was placed in ToSend[].
1276 // Parameter timing:
1277 // if NULL: transfer at next possible time, taking into account
1278 // request guard time and frame delay time
1279 // if == 0: transfer immediately and return time of transfer
1280 // if != 0: delay transfer until time specified
1281 //-------------------------------------------------------------------------------------
1282 static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing)
1283 {
1284
1285 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1286
1287 uint32_t ThisTransferTime = 0;
1288
1289 if (timing) {
1290 if(*timing == 0) { // Measure time
1291 *timing = (GetCountSspClk() + 8) & 0xfffffff8;
1292 } else {
1293 PrepareDelayedTransfer(*timing & 0x00000007); // Delay transfer (fine tuning - up to 7 MF clock ticks)
1294 }
1295 if(MF_DBGLEVEL >= 4 && GetCountSspClk() >= (*timing & 0xfffffff8)) Dbprintf("TransmitFor14443a: Missed timing");
1296 while(GetCountSspClk() < (*timing & 0xfffffff8)); // Delay transfer (multiple of 8 MF clock ticks)
1297 LastTimeProxToAirStart = *timing;
1298 } else {
1299 ThisTransferTime = ((MAX(NextTransferTime, GetCountSspClk()) & 0xfffffff8) + 8);
1300 while(GetCountSspClk() < ThisTransferTime);
1301 LastTimeProxToAirStart = ThisTransferTime;
1302 }
1303
1304 // clear TXRDY
1305 AT91C_BASE_SSC->SSC_THR = SEC_Y;
1306
1307 uint16_t c = 0;
1308 for(;;) {
1309 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1310 AT91C_BASE_SSC->SSC_THR = cmd[c];
1311 c++;
1312 if(c >= len) {
1313 break;
1314 }
1315 }
1316 }
1317
1318 NextTransferTime = MAX(NextTransferTime, LastTimeProxToAirStart + REQUEST_GUARD_TIME);
1319 }
1320
1321
1322 //-----------------------------------------------------------------------------
1323 // Prepare reader command (in bits, support short frames) to send to FPGA
1324 //-----------------------------------------------------------------------------
1325 static void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, const uint8_t *parity)
1326 {
1327 int i, j;
1328 int last;
1329 uint8_t b;
1330
1331 ToSendReset();
1332
1333 // Start of Communication (Seq. Z)
1334 ToSend[++ToSendMax] = SEC_Z;
1335 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1336 last = 0;
1337
1338 size_t bytecount = nbytes(bits);
1339 // Generate send structure for the data bits
1340 for (i = 0; i < bytecount; i++) {
1341 // Get the current byte to send
1342 b = cmd[i];
1343 size_t bitsleft = MIN((bits-(i*8)),8);
1344
1345 for (j = 0; j < bitsleft; j++) {
1346 if (b & 1) {
1347 // Sequence X
1348 ToSend[++ToSendMax] = SEC_X;
1349 LastProxToAirDuration = 8 * (ToSendMax+1) - 2;
1350 last = 1;
1351 } else {
1352 if (last == 0) {
1353 // Sequence Z
1354 ToSend[++ToSendMax] = SEC_Z;
1355 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1356 } else {
1357 // Sequence Y
1358 ToSend[++ToSendMax] = SEC_Y;
1359 last = 0;
1360 }
1361 }
1362 b >>= 1;
1363 }
1364
1365 // Only transmit parity bit if we transmitted a complete byte
1366 if (j == 8 && parity != NULL) {
1367 // Get the parity bit
1368 if (parity[i>>3] & (0x80 >> (i&0x0007))) {
1369 // Sequence X
1370 ToSend[++ToSendMax] = SEC_X;
1371 LastProxToAirDuration = 8 * (ToSendMax+1) - 2;
1372 last = 1;
1373 } else {
1374 if (last == 0) {
1375 // Sequence Z
1376 ToSend[++ToSendMax] = SEC_Z;
1377 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1378 } else {
1379 // Sequence Y
1380 ToSend[++ToSendMax] = SEC_Y;
1381 last = 0;
1382 }
1383 }
1384 }
1385 }
1386
1387 // End of Communication: Logic 0 followed by Sequence Y
1388 if (last == 0) {
1389 // Sequence Z
1390 ToSend[++ToSendMax] = SEC_Z;
1391 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1392 } else {
1393 // Sequence Y
1394 ToSend[++ToSendMax] = SEC_Y;
1395 last = 0;
1396 }
1397 ToSend[++ToSendMax] = SEC_Y;
1398
1399 // Convert to length of command:
1400 ToSendMax++;
1401 }
1402
1403
1404 //-----------------------------------------------------------------------------
1405 // Wait for commands from reader
1406 // Stop when button is pressed (return 1) or field was gone (return 2)
1407 // Or return 0 when command is captured
1408 //-----------------------------------------------------------------------------
1409 int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity)
1410 {
1411 *len = 0;
1412
1413 uint32_t timer = 0, vtime = 0;
1414 int analogCnt = 0;
1415 int analogAVG = 0;
1416
1417 // Set ADC to read field strength
1418 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
1419 AT91C_BASE_ADC->ADC_MR =
1420 ADC_MODE_PRESCALE(63) |
1421 ADC_MODE_STARTUP_TIME(1) |
1422 ADC_MODE_SAMPLE_HOLD_TIME(15);
1423 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
1424 // start ADC
1425 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1426
1427 // Run a 'software UART' on the stream of incoming samples.
1428 UartInit(received, parity);
1429
1430 // Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN
1431 do {
1432 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1433 AT91C_BASE_SSC->SSC_THR = SEC_F;
1434 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; (void) b;
1435 }
1436 } while (GetCountSspClk() < LastTimeProxToAirStart + LastProxToAirDuration + (FpgaSendQueueDelay>>3));
1437
1438 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1439 // only, since we are receiving, not transmitting).
1440 // Signal field is off with the appropriate LED
1441 LED_D_OFF();
1442 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1443
1444 for(;;) {
1445 WDT_HIT();
1446
1447 if (BUTTON_PRESS()) return 1;
1448
1449 // test if the field exists
1450 if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
1451 analogCnt++;
1452 analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
1453 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1454 if (analogCnt >= 32) {
1455 if ((MAX_ADC_HF_VOLTAGE * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
1456 vtime = GetTickCount();
1457 if (!timer) timer = vtime;
1458 // 50ms no field --> card to idle state
1459 if (vtime - timer > 50) return 2;
1460 } else
1461 if (timer) timer = 0;
1462 analogCnt = 0;
1463 analogAVG = 0;
1464 }
1465 }
1466
1467 // receive and test the miller decoding
1468 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1469 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1470 if(MillerDecoding(b, 0)) {
1471 *len = Uart.len;
1472 EmLogTraceReader();
1473 return 0;
1474 }
1475 }
1476
1477 }
1478 }
1479
1480
1481 static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen)
1482 {
1483 uint8_t b;
1484 uint16_t i = 0;
1485 bool correctionNeeded;
1486
1487 // Modulate Manchester
1488 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1489
1490 // include correction bit if necessary
1491 if (Uart.bitCount == 7)
1492 {
1493 // Short tags (7 bits) don't have parity, determine the correct value from MSB
1494 correctionNeeded = Uart.output[0] & 0x40;
1495 }
1496 else
1497 {
1498 // Look at the last parity bit
1499 correctionNeeded = Uart.parity[(Uart.len-1)/8] & (0x80 >> ((Uart.len-1) & 7));
1500 }
1501
1502 if(correctionNeeded) {
1503 // 1236, so correction bit needed
1504 i = 0;
1505 } else {
1506 i = 1;
1507 }
1508
1509 // clear receiving shift register and holding register
1510 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
1511 b = AT91C_BASE_SSC->SSC_RHR; (void) b;
1512 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
1513 b = AT91C_BASE_SSC->SSC_RHR; (void) b;
1514
1515 // wait for the FPGA to signal fdt_indicator == 1 (the FPGA is ready to queue new data in its delay line)
1516 for (uint16_t j = 0; j < 5; j++) { // allow timeout - better late than never
1517 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
1518 if (AT91C_BASE_SSC->SSC_RHR) break;
1519 }
1520
1521 LastTimeProxToAirStart = (GetCountSspClk() & 0xfffffff8) + (correctionNeeded?8:0);
1522
1523 // send cycle
1524 for(; i < respLen; ) {
1525 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1526 AT91C_BASE_SSC->SSC_THR = resp[i++];
1527 FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1528 }
1529
1530 if(BUTTON_PRESS()) {
1531 break;
1532 }
1533 }
1534
1535 return 0;
1536 }
1537
1538
1539 static int EmSend4bitEx(uint8_t resp){
1540 Code4bitAnswerAsTag(resp);
1541 int res = EmSendCmd14443aRaw(ToSend, ToSendMax);
1542 // do the tracing for the previous reader request and this tag answer:
1543 EmLogTraceTag(&resp, 1, NULL, LastProxToAirDuration);
1544 return res;
1545 }
1546
1547
1548 int EmSend4bit(uint8_t resp){
1549 return EmSend4bitEx(resp);
1550 }
1551
1552
1553 static int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, uint8_t *par){
1554 CodeIso14443aAsTagPar(resp, respLen, par);
1555 int res = EmSendCmd14443aRaw(ToSend, ToSendMax);
1556 // do the tracing for the previous reader request and this tag answer:
1557 EmLogTraceTag(resp, respLen, par, LastProxToAirDuration);
1558 return res;
1559 }
1560
1561
1562 int EmSendCmdEx(uint8_t *resp, uint16_t respLen){
1563 uint8_t par[MAX_PARITY_SIZE];
1564 GetParity(resp, respLen, par);
1565 return EmSendCmdExPar(resp, respLen, par);
1566 }
1567
1568
1569 int EmSendCmd(uint8_t *resp, uint16_t respLen){
1570 uint8_t par[MAX_PARITY_SIZE];
1571 GetParity(resp, respLen, par);
1572 return EmSendCmdExPar(resp, respLen, par);
1573 }
1574
1575
1576 int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par){
1577 return EmSendCmdExPar(resp, respLen, par);
1578 }
1579
1580
1581 int EmSendPrecompiledCmd(tag_response_info_t *response_info) {
1582 int ret = EmSendCmd14443aRaw(response_info->modulation, response_info->modulation_n);
1583 // do the tracing for the previous reader request and this tag answer:
1584 EmLogTraceTag(response_info->response, response_info->response_n, &(response_info->par), response_info->ProxToAirDuration);
1585 return ret;
1586 }
1587
1588
1589 //-----------------------------------------------------------------------------
1590 // Wait a certain time for tag response
1591 // If a response is captured return true
1592 // If it takes too long return false
1593 //-----------------------------------------------------------------------------
1594 static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receivedResponsePar, uint16_t offset)
1595 {
1596 uint32_t c;
1597
1598 // Set FPGA mode to "reader listen mode", no modulation (listen
1599 // only, since we are receiving, not transmitting).
1600 // Signal field is on with the appropriate LED
1601 LED_D_ON();
1602 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1603
1604 // Now get the answer from the card
1605 DemodInit(receivedResponse, receivedResponsePar);
1606
1607 // clear RXRDY:
1608 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1609
1610 c = 0;
1611 for(;;) {
1612 WDT_HIT();
1613
1614 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1615 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1616 if(ManchesterDecoding(b, offset, 0)) {
1617 NextTransferTime = MAX(NextTransferTime, Demod.endTime - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/16 + FRAME_DELAY_TIME_PICC_TO_PCD);
1618 return true;
1619 } else if (c++ > iso14a_timeout && Demod.state == DEMOD_UNSYNCD) {
1620 return false;
1621 }
1622 }
1623 }
1624 }
1625
1626
1627 void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing)
1628 {
1629 CodeIso14443aBitsAsReaderPar(frame, bits, par);
1630
1631 // Send command to tag
1632 TransmitFor14443a(ToSend, ToSendMax, timing);
1633 if(trigger)
1634 LED_A_ON();
1635
1636 // Log reader command in trace buffer
1637 if (tracing) {
1638 LogTrace(frame, nbytes(bits), LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_READER, (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_READER, par, true);
1639 }
1640 }
1641
1642
1643 void ReaderTransmitPar(uint8_t* frame, uint16_t len, uint8_t *par, uint32_t *timing)
1644 {
1645 ReaderTransmitBitsPar(frame, len*8, par, timing);
1646 }
1647
1648
1649 static void ReaderTransmitBits(uint8_t* frame, uint16_t len, uint32_t *timing)
1650 {
1651 // Generate parity and redirect
1652 uint8_t par[MAX_PARITY_SIZE];
1653 GetParity(frame, len/8, par);
1654 ReaderTransmitBitsPar(frame, len, par, timing);
1655 }
1656
1657
1658 void ReaderTransmit(uint8_t* frame, uint16_t len, uint32_t *timing)
1659 {
1660 // Generate parity and redirect
1661 uint8_t par[MAX_PARITY_SIZE];
1662 GetParity(frame, len, par);
1663 ReaderTransmitBitsPar(frame, len*8, par, timing);
1664 }
1665
1666
1667 static int ReaderReceiveOffset(uint8_t* receivedAnswer, uint16_t offset, uint8_t *parity)
1668 {
1669 if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, offset)) return false;
1670 if (tracing) {
1671 LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, false);
1672 }
1673 return Demod.len;
1674 }
1675
1676
1677 int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity)
1678 {
1679 if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, 0)) return false;
1680 if (tracing) {
1681 LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, false);
1682 }
1683 return Demod.len;
1684 }
1685
1686 // performs iso14443a anticollision (optional) and card select procedure
1687 // fills the uid and cuid pointer unless NULL
1688 // fills the card info record unless NULL
1689 // if anticollision is false, then the UID must be provided in uid_ptr[]
1690 // and num_cascades must be set (1: 4 Byte UID, 2: 7 Byte UID, 3: 10 Byte UID)
1691 // requests ATS unless no_rats is true
1692 int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades, bool no_rats) {
1693 uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
1694 uint8_t sel_all[] = { 0x93,0x20 };
1695 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
1696 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
1697 uint8_t resp[MAX_FRAME_SIZE]; // theoretically. A usual RATS will be much smaller
1698 uint8_t resp_par[MAX_PARITY_SIZE];
1699 byte_t uid_resp[4];
1700 size_t uid_resp_len;
1701
1702 uint8_t sak = 0x04; // cascade uid
1703 int cascade_level = 0;
1704 int len;
1705
1706 // init card struct
1707 if(p_hi14a_card) {
1708 p_hi14a_card->uidlen = 0;
1709 memset(p_hi14a_card->uid, 0, 10);
1710 p_hi14a_card->ats_len = 0;
1711 }
1712
1713 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1714 ReaderTransmitBitsPar(wupa, 7, NULL, NULL);
1715
1716 // Receive the ATQA
1717 if(!ReaderReceive(resp, resp_par)) return 0;
1718
1719 if(p_hi14a_card) {
1720 memcpy(p_hi14a_card->atqa, resp, 2);
1721 }
1722
1723 if (anticollision) {
1724 // clear uid
1725 if (uid_ptr) {
1726 memset(uid_ptr,0,10);
1727 }
1728 }
1729
1730 // check for proprietary anticollision:
1731 if ((resp[0] & 0x1F) == 0) {
1732 return 3;
1733 }
1734
1735 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
1736 // which case we need to make a cascade 2 request and select - this is a long UID
1737 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1738 for(; sak & 0x04; cascade_level++) {
1739 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1740 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1741
1742 if (anticollision) {
1743 // SELECT_ALL
1744 ReaderTransmit(sel_all, sizeof(sel_all), NULL);
1745 if (!ReaderReceive(resp, resp_par)) return 0;
1746
1747 if (Demod.collisionPos) { // we had a collision and need to construct the UID bit by bit
1748 memset(uid_resp, 0, 4);
1749 uint16_t uid_resp_bits = 0;
1750 uint16_t collision_answer_offset = 0;
1751 // anti-collision-loop:
1752 while (Demod.collisionPos) {
1753 Dbprintf("Multiple tags detected. Collision after Bit %d", Demod.collisionPos);
1754 for (uint16_t i = collision_answer_offset; i < Demod.collisionPos; i++, uid_resp_bits++) { // add valid UID bits before collision point
1755 uint16_t UIDbit = (resp[i/8] >> (i % 8)) & 0x01;
1756 uid_resp[uid_resp_bits / 8] |= UIDbit << (uid_resp_bits % 8);
1757 }
1758 uid_resp[uid_resp_bits/8] |= 1 << (uid_resp_bits % 8); // next time select the card(s) with a 1 in the collision position
1759 uid_resp_bits++;
1760 // construct anticollosion command:
1761 sel_uid[1] = ((2 + uid_resp_bits/8) << 4) | (uid_resp_bits & 0x07); // length of data in bytes and bits
1762 for (uint16_t i = 0; i <= uid_resp_bits/8; i++) {
1763 sel_uid[2+i] = uid_resp[i];
1764 }
1765 collision_answer_offset = uid_resp_bits%8;
1766 ReaderTransmitBits(sel_uid, 16 + uid_resp_bits, NULL);
1767 if (!ReaderReceiveOffset(resp, collision_answer_offset, resp_par)) return 0;
1768 }
1769 // finally, add the last bits and BCC of the UID
1770 for (uint16_t i = collision_answer_offset; i < (Demod.len-1)*8; i++, uid_resp_bits++) {
1771 uint16_t UIDbit = (resp[i/8] >> (i%8)) & 0x01;
1772 uid_resp[uid_resp_bits/8] |= UIDbit << (uid_resp_bits % 8);
1773 }
1774
1775 } else { // no collision, use the response to SELECT_ALL as current uid
1776 memcpy(uid_resp, resp, 4);
1777 }
1778 } else {
1779 if (cascade_level < num_cascades - 1) {
1780 uid_resp[0] = 0x88;
1781 memcpy(uid_resp+1, uid_ptr+cascade_level*3, 3);
1782 } else {
1783 memcpy(uid_resp, uid_ptr+cascade_level*3, 4);
1784 }
1785 }
1786 uid_resp_len = 4;
1787
1788 // calculate crypto UID. Always use last 4 Bytes.
1789 if(cuid_ptr) {
1790 *cuid_ptr = bytes_to_num(uid_resp, 4);
1791 }
1792
1793 // Construct SELECT UID command
1794 sel_uid[1] = 0x70; // transmitting a full UID (1 Byte cmd, 1 Byte NVB, 4 Byte UID, 1 Byte BCC, 2 Bytes CRC)
1795 memcpy(sel_uid+2, uid_resp, 4); // the UID received during anticollision, or the provided UID
1796 sel_uid[6] = sel_uid[2] ^ sel_uid[3] ^ sel_uid[4] ^ sel_uid[5]; // calculate and add BCC
1797 AppendCrc14443a(sel_uid, 7); // calculate and add CRC
1798 ReaderTransmit(sel_uid, sizeof(sel_uid), NULL);
1799
1800 // Receive the SAK
1801 if (!ReaderReceive(resp, resp_par)) return 0;
1802 sak = resp[0];
1803
1804 // Test if more parts of the uid are coming
1805 if ((sak & 0x04) /* && uid_resp[0] == 0x88 */) {
1806 // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
1807 // http://www.nxp.com/documents/application_note/AN10927.pdf
1808 uid_resp[0] = uid_resp[1];
1809 uid_resp[1] = uid_resp[2];
1810 uid_resp[2] = uid_resp[3];
1811 uid_resp_len = 3;
1812 }
1813
1814 if(uid_ptr && anticollision) {
1815 memcpy(uid_ptr + (cascade_level*3), uid_resp, uid_resp_len);
1816 }
1817
1818 if(p_hi14a_card) {
1819 memcpy(p_hi14a_card->uid + (cascade_level*3), uid_resp, uid_resp_len);
1820 p_hi14a_card->uidlen += uid_resp_len;
1821 }
1822 }
1823
1824 if(p_hi14a_card) {
1825 p_hi14a_card->sak = sak;
1826 }
1827
1828 // PICC compilant with iso14443a-4 ---> (SAK & 0x20 != 0)
1829 if( (sak & 0x20) == 0) return 2;
1830
1831 if (!no_rats) {
1832 // Request for answer to select
1833 AppendCrc14443a(rats, 2);
1834 ReaderTransmit(rats, sizeof(rats), NULL);
1835
1836 if (!(len = ReaderReceive(resp, resp_par))) return 0;
1837
1838 if(p_hi14a_card) {
1839 memcpy(p_hi14a_card->ats, resp, len);
1840 p_hi14a_card->ats_len = len;
1841 }
1842
1843 // reset the PCB block number
1844 iso14_pcb_blocknum = 0;
1845
1846 // set default timeout based on ATS
1847 iso14a_set_ATS_timeout(resp);
1848 }
1849 return 1;
1850 }
1851
1852
1853 void iso14443a_setup(uint8_t fpga_minor_mode) {
1854 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1855 // Set up the synchronous serial port
1856 FpgaSetupSsc();
1857 // connect Demodulated Signal to ADC:
1858 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1859
1860 // Signal field is on with the appropriate LED
1861 if (fpga_minor_mode == FPGA_HF_ISO14443A_READER_MOD
1862 || fpga_minor_mode == FPGA_HF_ISO14443A_READER_LISTEN) {
1863 LED_D_ON();
1864 } else {
1865 LED_D_OFF();
1866 }
1867 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | fpga_minor_mode);
1868
1869 // Start the timer
1870 StartCountSspClk();
1871
1872 DemodReset();
1873 UartReset();
1874 NextTransferTime = 2*DELAY_ARM2AIR_AS_READER;
1875 iso14a_set_timeout(1060); // 10ms default
1876 }
1877
1878
1879 int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
1880 uint8_t parity[MAX_PARITY_SIZE];
1881 uint8_t real_cmd[cmd_len + 4];
1882
1883 // ISO 14443 APDU frame: PCB [CID] [NAD] APDU CRC PCB=0x02
1884 real_cmd[0] = 0x02; // bnr,nad,cid,chn=0; i-block(0x00)
1885 // put block number into the PCB
1886 real_cmd[0] |= iso14_pcb_blocknum;
1887 memcpy(real_cmd + 1, cmd, cmd_len);
1888 AppendCrc14443a(real_cmd, cmd_len + 1);
1889
1890 ReaderTransmit(real_cmd, cmd_len + 3, NULL);
1891
1892 size_t len = ReaderReceive(data, parity);
1893 uint8_t *data_bytes = (uint8_t *) data;
1894
1895 if (!len) {
1896 return 0; //DATA LINK ERROR
1897
1898 // if we received an I- or R(ACK)-Block with a block number equal to the
1899 // current block number, toggle the current block number
1900 } else{
1901 if (len >= 3 // PCB+CRC = 3 bytes
1902 && ((data_bytes[0] & 0xC0) == 0 // I-Block
1903 || (data_bytes[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
1904 && (data_bytes[0] & 0x01) == iso14_pcb_blocknum) // equal block numbers
1905 {
1906 iso14_pcb_blocknum ^= 1;
1907 }
1908
1909 // crc check
1910 if (len >=3 && !CheckCrc14443(CRC_14443_A, data_bytes, len)) {
1911 return -1;
1912 }
1913
1914 }
1915
1916 // cut frame byte
1917 len -= 1;
1918 // memmove(data_bytes, data_bytes + 1, len);
1919 for (int i = 0; i < len; i++)
1920 data_bytes[i] = data_bytes[i + 1];
1921
1922 return len;
1923 }
1924
1925
1926 //-----------------------------------------------------------------------------
1927 // Read an ISO 14443a tag. Send out commands and store answers.
1928 //
1929 //-----------------------------------------------------------------------------
1930 void ReaderIso14443a(UsbCommand *c)
1931 {
1932 iso14a_command_t param = c->arg[0];
1933 uint8_t *cmd = c->d.asBytes;
1934 size_t len = c->arg[1] & 0xffff;
1935 size_t lenbits = c->arg[1] >> 16;
1936 uint32_t timeout = c->arg[2];
1937 uint32_t arg0 = 0;
1938 byte_t buf[USB_CMD_DATA_SIZE] = {0};
1939 uint8_t par[MAX_PARITY_SIZE];
1940 bool cantSELECT = false;
1941
1942 set_tracing(true);
1943
1944 if(param & ISO14A_CLEAR_TRACE) {
1945 clear_trace();
1946 }
1947
1948 if(param & ISO14A_REQUEST_TRIGGER) {
1949 iso14a_set_trigger(true);
1950 }
1951
1952 if(param & ISO14A_CONNECT) {
1953 LED_A_ON();
1954 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
1955 if(!(param & ISO14A_NO_SELECT)) {
1956 iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
1957 arg0 = iso14443a_select_card(NULL, card, NULL, true, 0, param & ISO14A_NO_RATS);
1958
1959 // if we cant select then we cant send data
1960 if (arg0 != 1 && arg0 != 2) {
1961 // 1 - all is OK with ATS, 2 - without ATS
1962 cantSELECT = true;
1963 }
1964
1965 LED_B_ON();
1966 cmd_send(CMD_ACK,arg0,card->uidlen,0,buf,sizeof(iso14a_card_select_t));
1967 LED_B_OFF();
1968 }
1969 }
1970
1971 if(param & ISO14A_SET_TIMEOUT) {
1972 iso14a_set_timeout(timeout);
1973 }
1974
1975 if(param & ISO14A_APDU && !cantSELECT) {
1976 arg0 = iso14_apdu(cmd, len, buf);
1977 LED_B_ON();
1978 cmd_send(CMD_ACK, arg0, 0, 0, buf, sizeof(buf));
1979 LED_B_OFF();
1980 }
1981
1982 if(param & ISO14A_RAW && !cantSELECT) {
1983 if(param & ISO14A_APPEND_CRC) {
1984 if(param & ISO14A_TOPAZMODE) {
1985 AppendCrc14443b(cmd,len);
1986 } else {
1987 AppendCrc14443a(cmd,len);
1988 }
1989 len += 2;
1990 if (lenbits) lenbits += 16;
1991 }
1992 if(lenbits>0) { // want to send a specific number of bits (e.g. short commands)
1993 if(param & ISO14A_TOPAZMODE) {
1994 int bits_to_send = lenbits;
1995 uint16_t i = 0;
1996 ReaderTransmitBitsPar(&cmd[i++], MIN(bits_to_send, 7), NULL, NULL); // first byte is always short (7bits) and no parity
1997 bits_to_send -= 7;
1998 while (bits_to_send > 0) {
1999 ReaderTransmitBitsPar(&cmd[i++], MIN(bits_to_send, 8), NULL, NULL); // following bytes are 8 bit and no parity
2000 bits_to_send -= 8;
2001 }
2002 } else {
2003 GetParity(cmd, lenbits/8, par);
2004 ReaderTransmitBitsPar(cmd, lenbits, par, NULL); // bytes are 8 bit with odd parity
2005 }
2006 } else { // want to send complete bytes only
2007 if(param & ISO14A_TOPAZMODE) {
2008 uint16_t i = 0;
2009 ReaderTransmitBitsPar(&cmd[i++], 7, NULL, NULL); // first byte: 7 bits, no paritiy
2010 while (i < len) {
2011 ReaderTransmitBitsPar(&cmd[i++], 8, NULL, NULL); // following bytes: 8 bits, no paritiy
2012 }
2013 } else {
2014 ReaderTransmit(cmd,len, NULL); // 8 bits, odd parity
2015 }
2016 }
2017 arg0 = ReaderReceive(buf, par);
2018
2019 LED_B_ON();
2020 cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
2021 LED_B_OFF();
2022 }
2023
2024 if(param & ISO14A_REQUEST_TRIGGER) {
2025 iso14a_set_trigger(false);
2026 }
2027
2028 if(param & ISO14A_NO_DISCONNECT) {
2029 return;
2030 }
2031
2032 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2033 LEDsoff();
2034 }
2035
2036
2037 // Determine the distance between two nonces.
2038 // Assume that the difference is small, but we don't know which is first.
2039 // Therefore try in alternating directions.
2040 static int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
2041
2042 uint16_t i;
2043 uint32_t nttmp1, nttmp2;
2044
2045 if (nt1 == nt2) return 0;
2046
2047 nttmp1 = nt1;
2048 nttmp2 = nt2;
2049
2050 for (i = 1; i < 32768; i++) {
2051 nttmp1 = prng_successor(nttmp1, 1);
2052 if (nttmp1 == nt2) return i;
2053 nttmp2 = prng_successor(nttmp2, 1);
2054 if (nttmp2 == nt1) return -i;
2055 }
2056
2057 return(-99999); // either nt1 or nt2 are invalid nonces
2058 }
2059
2060
2061 //-----------------------------------------------------------------------------
2062 // Recover several bits of the cypher stream. This implements (first stages of)
2063 // the algorithm described in "The Dark Side of Security by Obscurity and
2064 // Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
2065 // (article by Nicolas T. Courtois, 2009)
2066 //-----------------------------------------------------------------------------
2067 void ReaderMifare(bool first_try)
2068 {
2069 // Mifare AUTH
2070 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
2071 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
2072 static uint8_t mf_nr_ar3;
2073
2074 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
2075 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
2076
2077 if (first_try) {
2078 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
2079 }
2080
2081 // free eventually allocated BigBuf memory. We want all for tracing.
2082 BigBuf_free();
2083
2084 clear_trace();
2085 set_tracing(true);
2086
2087 byte_t nt_diff = 0;
2088 uint8_t par[1] = {0}; // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
2089 static byte_t par_low = 0;
2090 bool led_on = true;
2091 uint8_t uid[10] ={0};
2092 uint32_t cuid;
2093
2094 uint32_t nt = 0;
2095 uint32_t previous_nt = 0;
2096 static uint32_t nt_attacked = 0;
2097 byte_t par_list[8] = {0x00};
2098 byte_t ks_list[8] = {0x00};
2099
2100 #define PRNG_SEQUENCE_LENGTH (1 << 16);
2101 static uint32_t sync_time;
2102 static int32_t sync_cycles;
2103 int catch_up_cycles = 0;
2104 int last_catch_up = 0;
2105 uint16_t elapsed_prng_sequences;
2106 uint16_t consecutive_resyncs = 0;
2107 int isOK = 0;
2108
2109 if (first_try) {
2110 mf_nr_ar3 = 0;
2111 sync_time = GetCountSspClk() & 0xfffffff8;
2112 sync_cycles = PRNG_SEQUENCE_LENGTH; // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the tag nonces).
2113 nt_attacked = 0;
2114 par[0] = 0;
2115 }
2116 else {
2117 // we were unsuccessful on a previous call. Try another READER nonce (first 3 parity bits remain the same)
2118 mf_nr_ar3++;
2119 mf_nr_ar[3] = mf_nr_ar3;
2120 par[0] = par_low;
2121 }
2122
2123 LED_A_ON();
2124 LED_B_OFF();
2125 LED_C_OFF();
2126
2127
2128 #define MAX_UNEXPECTED_RANDOM 4 // maximum number of unexpected (i.e. real) random numbers when trying to sync. Then give up.
2129 #define MAX_SYNC_TRIES 32
2130 #define NUM_DEBUG_INFOS 8 // per strategy
2131 #define MAX_STRATEGY 3
2132 uint16_t unexpected_random = 0;
2133 uint16_t sync_tries = 0;
2134 int16_t debug_info_nr = -1;
2135 uint16_t strategy = 0;
2136 int32_t debug_info[MAX_STRATEGY][NUM_DEBUG_INFOS];
2137 uint32_t select_time;
2138 uint32_t halt_time;
2139
2140 for(uint16_t i = 0; true; i++) {
2141
2142 LED_C_ON();
2143 WDT_HIT();
2144
2145 // Test if the action was cancelled
2146 if(BUTTON_PRESS()) {
2147 isOK = -1;
2148 break;
2149 }
2150
2151 if (strategy == 2) {
2152 // test with additional hlt command
2153 halt_time = 0;
2154 int len = mifare_sendcmd_short(NULL, false, 0x50, 0x00, receivedAnswer, receivedAnswerPar, &halt_time);
2155 if (len && MF_DBGLEVEL >= 3) {
2156 Dbprintf("Unexpected response of %d bytes to hlt command (additional debugging).", len);
2157 }
2158 }
2159
2160 if (strategy == 3) {
2161 // test with FPGA power off/on
2162 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2163 SpinDelay(200);
2164 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
2165 SpinDelay(100);
2166 }
2167
2168 if(!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
2169 if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Can't select card");
2170 continue;
2171 }
2172 select_time = GetCountSspClk();
2173
2174 elapsed_prng_sequences = 1;
2175 if (debug_info_nr == -1) {
2176 sync_time = (sync_time & 0xfffffff8) + sync_cycles + catch_up_cycles;
2177 catch_up_cycles = 0;
2178
2179 // if we missed the sync time already, advance to the next nonce repeat
2180 while(GetCountSspClk() > sync_time) {
2181 elapsed_prng_sequences++;
2182 sync_time = (sync_time & 0xfffffff8) + sync_cycles;
2183 }
2184
2185 // Transmit MIFARE_CLASSIC_AUTH at synctime. Should result in returning the same tag nonce (== nt_attacked)
2186 ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);
2187 } else {
2188 // collect some information on tag nonces for debugging:
2189 #define DEBUG_FIXED_SYNC_CYCLES PRNG_SEQUENCE_LENGTH
2190 if (strategy == 0) {
2191 // nonce distances at fixed time after card select:
2192 sync_time = select_time + DEBUG_FIXED_SYNC_CYCLES;
2193 } else if (strategy == 1) {
2194 // nonce distances at fixed time between authentications:
2195 sync_time = sync_time + DEBUG_FIXED_SYNC_CYCLES;
2196 } else if (strategy == 2) {
2197 // nonce distances at fixed time after halt:
2198 sync_time = halt_time + DEBUG_FIXED_SYNC_CYCLES;
2199 } else {
2200 // nonce_distances at fixed time after power on
2201 sync_time = DEBUG_FIXED_SYNC_CYCLES;
2202 }
2203 ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);
2204 }
2205
2206 // Receive the (4 Byte) "random" nonce
2207 if (!ReaderReceive(receivedAnswer, receivedAnswerPar)) {
2208 if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Couldn't receive tag nonce");
2209 continue;
2210 }
2211
2212 previous_nt = nt;
2213 nt = bytes_to_num(receivedAnswer, 4);
2214
2215 // Transmit reader nonce with fake par
2216 ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par, NULL);
2217
2218 if (first_try && previous_nt && !nt_attacked) { // we didn't calibrate our clock yet
2219 int nt_distance = dist_nt(previous_nt, nt);
2220 if (nt_distance == 0) {
2221 nt_attacked = nt;
2222 } else {
2223 if (nt_distance == -99999) { // invalid nonce received
2224 unexpected_random++;
2225 if (unexpected_random > MAX_UNEXPECTED_RANDOM) {
2226 isOK = -3; // Card has an unpredictable PRNG. Give up
2227 break;
2228 } else {
2229 continue; // continue trying...
2230 }
2231 }
2232 if (++sync_tries > MAX_SYNC_TRIES) {
2233 if (strategy > MAX_STRATEGY || MF_DBGLEVEL < 3) {
2234 isOK = -4; // Card's PRNG runs at an unexpected frequency or resets unexpectedly
2235 break;
2236 } else { // continue for a while, just to collect some debug info
2237 debug_info[strategy][debug_info_nr] = nt_distance;
2238 debug_info_nr++;
2239 if (debug_info_nr == NUM_DEBUG_INFOS) {
2240 strategy++;
2241 debug_info_nr = 0;
2242 }
2243 continue;
2244 }
2245 }
2246 sync_cycles = (sync_cycles - nt_distance/elapsed_prng_sequences);
2247 if (sync_cycles <= 0) {
2248 sync_cycles += PRNG_SEQUENCE_LENGTH;
2249 }
2250 if (MF_DBGLEVEL >= 3) {
2251 Dbprintf("calibrating in cycle %d. nt_distance=%d, elapsed_prng_sequences=%d, new sync_cycles: %d\n", i, nt_distance, elapsed_prng_sequences, sync_cycles);
2252 }
2253 continue;
2254 }
2255 }
2256
2257 if ((nt != nt_attacked) && nt_attacked) { // we somehow lost sync. Try to catch up again...
2258 catch_up_cycles = -dist_nt(nt_attacked, nt);
2259 if (catch_up_cycles == 99999) { // invalid nonce received. Don't resync on that one.
2260 catch_up_cycles = 0;
2261 continue;
2262 }
2263 catch_up_cycles /= elapsed_prng_sequences;
2264 if (catch_up_cycles == last_catch_up) {
2265 consecutive_resyncs++;
2266 }
2267 else {
2268 last_catch_up = catch_up_cycles;
2269 consecutive_resyncs = 0;
2270 }
2271 if (consecutive_resyncs < 3) {
2272 if (MF_DBGLEVEL >= 3) Dbprintf("Lost sync in cycle %d. nt_distance=%d. Consecutive Resyncs = %d. Trying one time catch up...\n", i, -catch_up_cycles, consecutive_resyncs);
2273 }
2274 else {
2275 sync_cycles = sync_cycles + catch_up_cycles;
2276 if (MF_DBGLEVEL >= 3) Dbprintf("Lost sync in cycle %d for the fourth time consecutively (nt_distance = %d). Adjusting sync_cycles to %d.\n", i, -catch_up_cycles, sync_cycles);
2277 last_catch_up = 0;
2278 catch_up_cycles = 0;
2279 consecutive_resyncs = 0;
2280 }
2281 continue;
2282 }
2283
2284 consecutive_resyncs = 0;
2285
2286 // Receive answer. This will be a 4 Bit NACK when the 8 parity bits are OK after decoding
2287 if (ReaderReceive(receivedAnswer, receivedAnswerPar)) {
2288 catch_up_cycles = 8; // the PRNG is delayed by 8 cycles due to the NAC (4Bits = 0x05 encrypted) transfer
2289
2290 if (nt_diff == 0) {
2291 par_low = par[0] & 0xE0; // there is no need to check all parities for other nt_diff. Parity Bits for mf_nr_ar[0..2] won't change
2292 }
2293
2294 led_on = !led_on;
2295 if(led_on) LED_B_ON(); else LED_B_OFF();
2296
2297 par_list[nt_diff] = SwapBits(par[0], 8);
2298 ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
2299
2300 // Test if the information is complete
2301 if (nt_diff == 0x07) {
2302 isOK = 1;
2303 break;
2304 }
2305
2306 nt_diff = (nt_diff + 1) & 0x07;
2307 mf_nr_ar[3] = (mf_nr_ar[3] & 0x1F) | (nt_diff << 5);
2308 par[0] = par_low;
2309 } else {
2310 if (nt_diff == 0 && first_try)
2311 {
2312 par[0]++;
2313 if (par[0] == 0x00) { // tried all 256 possible parities without success. Card doesn't send NACK.
2314 isOK = -2;
2315 break;
2316 }
2317 } else {
2318 par[0] = ((par[0] & 0x1F) + 1) | par_low;
2319 }
2320 }
2321 }
2322
2323
2324 mf_nr_ar[3] &= 0x1F;
2325
2326 if (isOK == -4) {
2327 if (MF_DBGLEVEL >= 3) {
2328 for (uint16_t i = 0; i <= MAX_STRATEGY; i++) {
2329 for(uint16_t j = 0; j < NUM_DEBUG_INFOS; j++) {
2330 Dbprintf("collected debug info[%d][%d] = %d", i, j, debug_info[i][j]);
2331 }
2332 }
2333 }
2334 }
2335
2336 byte_t buf[28];
2337 memcpy(buf + 0, uid, 4);
2338 num_to_bytes(nt, 4, buf + 4);
2339 memcpy(buf + 8, par_list, 8);
2340 memcpy(buf + 16, ks_list, 8);
2341 memcpy(buf + 24, mf_nr_ar, 4);
2342
2343 cmd_send(CMD_ACK, isOK, 0, 0, buf, 28);
2344
2345 // Thats it...
2346 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2347 LEDsoff();
2348
2349 set_tracing(false);
2350 }
2351
2352
2353 //-----------------------------------------------------------------------------
2354 // MIFARE sniffer.
2355 //
2356 //-----------------------------------------------------------------------------
2357 void RAMFUNC SniffMifare(uint8_t param) {
2358 // param:
2359 // bit 0 - trigger from first card answer
2360 // bit 1 - trigger from first reader 7-bit request
2361
2362 // C(red) A(yellow) B(green)
2363 LEDsoff();
2364 // init trace buffer
2365 clear_trace();
2366 set_tracing(true);
2367
2368 // The command (reader -> tag) that we're receiving.
2369 // The length of a received command will in most cases be no more than 18 bytes.
2370 // So 32 should be enough!
2371 uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE];
2372 uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE];
2373 // The response (tag -> reader) that we're receiving.
2374 uint8_t receivedResponse[MAX_MIFARE_FRAME_SIZE];
2375 uint8_t receivedResponsePar[MAX_MIFARE_PARITY_SIZE];
2376
2377 iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
2378
2379 // free eventually allocated BigBuf memory
2380 BigBuf_free();
2381 // allocate the DMA buffer, used to stream samples from the FPGA
2382 uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
2383 uint8_t *data = dmaBuf;
2384 uint8_t previous_data = 0;
2385 int maxDataLen = 0;
2386 int dataLen = 0;
2387 bool ReaderIsActive = false;
2388 bool TagIsActive = false;
2389
2390 // Set up the demodulator for tag -> reader responses.
2391 DemodInit(receivedResponse, receivedResponsePar);
2392
2393 // Set up the demodulator for the reader -> tag commands
2394 UartInit(receivedCmd, receivedCmdPar);
2395
2396 // Setup for the DMA.
2397 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
2398
2399 LED_D_OFF();
2400
2401 // init sniffer
2402 MfSniffInit();
2403
2404 // And now we loop, receiving samples.
2405 for(uint32_t sniffCounter = 0; true; ) {
2406
2407 if(BUTTON_PRESS()) {
2408 DbpString("cancelled by button");
2409 break;
2410 }
2411
2412 LED_A_ON();
2413 WDT_HIT();
2414
2415 if ((sniffCounter & 0x0000FFFF) == 0) { // from time to time
2416 // check if a transaction is completed (timeout after 2000ms).
2417 // if yes, stop the DMA transfer and send what we have so far to the client
2418 if (MfSniffSend(2000)) {
2419 // Reset everything - we missed some sniffed data anyway while the DMA was stopped
2420 sniffCounter = 0;
2421 data = dmaBuf;
2422 maxDataLen = 0;
2423 ReaderIsActive = false;
2424 TagIsActive = false;
2425 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
2426 }
2427 }
2428
2429 int register readBufDataP = data - dmaBuf; // number of bytes we have processed so far
2430 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR; // number of bytes already transferred
2431 if (readBufDataP <= dmaBufDataP){ // we are processing the same block of data which is currently being transferred
2432 dataLen = dmaBufDataP - readBufDataP; // number of bytes still to be processed
2433 } else {
2434 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP; // number of bytes still to be processed
2435 }
2436 // test for length of buffer
2437 if(dataLen > maxDataLen) { // we are more behind than ever...
2438 maxDataLen = dataLen;
2439 if(dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
2440 Dbprintf("blew circular buffer! dataLen=0x%x", dataLen);
2441 break;
2442 }
2443 }
2444 if(dataLen < 1) continue;
2445
2446 // primary buffer was stopped ( <-- we lost data!
2447 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
2448 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
2449 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
2450 Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
2451 }
2452 // secondary buffer sets as primary, secondary buffer was stopped
2453 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
2454 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
2455 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
2456 }
2457
2458 LED_A_OFF();
2459
2460 if (sniffCounter & 0x01) {
2461
2462 if(!TagIsActive) { // no need to try decoding tag data if the reader is sending
2463 uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
2464 if(MillerDecoding(readerdata, (sniffCounter-1)*4)) {
2465 LED_C_INV();
2466 if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, true)) break;
2467
2468 /* And ready to receive another command. */
2469 UartInit(receivedCmd, receivedCmdPar);
2470
2471 /* And also reset the demod code */
2472 DemodReset();
2473 }
2474 ReaderIsActive = (Uart.state != STATE_UNSYNCD);
2475 }
2476
2477 if(!ReaderIsActive) { // no need to try decoding tag data if the reader is sending
2478 uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
2479 if(ManchesterDecoding(tagdata, 0, (sniffCounter-1)*4)) {
2480 LED_C_INV();
2481
2482 if (MfSniffLogic(receivedResponse, Demod.len, Demod.parity, Demod.bitCount, false)) break;
2483
2484 // And ready to receive another response.
2485 DemodReset();
2486 // And reset the Miller decoder including its (now outdated) input buffer
2487 UartInit(receivedCmd, receivedCmdPar);
2488 }
2489 TagIsActive = (Demod.state != DEMOD_UNSYNCD);
2490 }
2491 }
2492
2493 previous_data = *data;
2494 sniffCounter++;
2495 data++;
2496 if(data == dmaBuf + DMA_BUFFER_SIZE) {
2497 data = dmaBuf;
2498 }
2499
2500 } // main cycle
2501
2502 DbpString("COMMAND FINISHED");
2503
2504 FpgaDisableSscDma();
2505 MfSniffEnd();
2506
2507 Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.len=%x", maxDataLen, Uart.state, Uart.len);
2508 LEDsoff();
2509 }
Proxmark3 GIT tracking
Impressum, Datenschutz