1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
9 //-----------------------------------------------------------------------------
10 // Routines to support ISO 14443 type A.
11 //-----------------------------------------------------------------------------
13 #include "proxmark3.h"
18 #include "iso14443crc.h"
19 #include "iso14443a.h"
21 #include "mifareutil.h"
23 static uint32_t iso14a_timeout
;
26 // the block number for the ISO14443-4 PCB
27 static uint8_t iso14_pcb_blocknum
= 0;
32 // minimum time between the start bits of consecutive transfers from reader to tag: 7000 carrier (13.56Mhz) cycles
33 #define REQUEST_GUARD_TIME (7000/16 + 1)
34 // minimum time between last modulation of tag and next start bit from reader to tag: 1172 carrier cycles
35 #define FRAME_DELAY_TIME_PICC_TO_PCD (1172/16 + 1)
36 // bool LastCommandWasRequest = FALSE;
39 // Total delays including SSC-Transfers between ARM and FPGA. These are in carrier clock cycles (1/13,56MHz)
41 // When the PM acts as reader and is receiving tag data, it takes
42 // 3 ticks delay in the AD converter
43 // 16 ticks until the modulation detector completes and sets curbit
44 // 8 ticks until bit_to_arm is assigned from curbit
45 // 8*16 ticks for the transfer from FPGA to ARM
46 // 4*16 ticks until we measure the time
47 // - 8*16 ticks because we measure the time of the previous transfer
48 #define DELAY_AIR2ARM_AS_READER (3 + 16 + 8 + 8*16 + 4*16 - 8*16)
50 // When the PM acts as a reader and is sending, it takes
51 // 4*16 ticks until we can write data to the sending hold register
52 // 8*16 ticks until the SHR is transferred to the Sending Shift Register
53 // 8 ticks until the first transfer starts
54 // 8 ticks later the FPGA samples the data
55 // 1 tick to assign mod_sig_coil
56 #define DELAY_ARM2AIR_AS_READER (4*16 + 8*16 + 8 + 8 + 1)
58 // When the PM acts as tag and is receiving it takes
59 // 2 ticks delay in the RF part (for the first falling edge),
60 // 3 ticks for the A/D conversion,
61 // 8 ticks on average until the start of the SSC transfer,
62 // 8 ticks until the SSC samples the first data
63 // 7*16 ticks to complete the transfer from FPGA to ARM
64 // 8 ticks until the next ssp_clk rising edge
65 // 4*16 ticks until we measure the time
66 // - 8*16 ticks because we measure the time of the previous transfer
67 #define DELAY_AIR2ARM_AS_TAG (2 + 3 + 8 + 8 + 7*16 + 8 + 4*16 - 8*16)
69 // The FPGA will report its internal sending delay in
70 uint16_t FpgaSendQueueDelay
;
71 // the 5 first bits are the number of bits buffered in mod_sig_buf
72 // the last three bits are the remaining ticks/2 after the mod_sig_buf shift
73 #define DELAY_FPGA_QUEUE (FpgaSendQueueDelay<<1)
75 // When the PM acts as tag and is sending, it takes
76 // 4*16 ticks until we can write data to the sending hold register
77 // 8*16 ticks until the SHR is transferred to the Sending Shift Register
78 // 8 ticks until the first transfer starts
79 // 8 ticks later the FPGA samples the data
80 // + a varying number of ticks in the FPGA Delay Queue (mod_sig_buf)
81 // + 1 tick to assign mod_sig_coil
82 #define DELAY_ARM2AIR_AS_TAG (4*16 + 8*16 + 8 + 8 + DELAY_FPGA_QUEUE + 1)
84 // When the PM acts as sniffer and is receiving tag data, it takes
85 // 3 ticks A/D conversion
86 // 14 ticks to complete the modulation detection
87 // 8 ticks (on average) until the result is stored in to_arm
88 // + the delays in transferring data - which is the same for
89 // sniffing reader and tag data and therefore not relevant
90 #define DELAY_TAG_AIR2ARM_AS_SNIFFER (3 + 14 + 8)
92 // When the PM acts as sniffer and is receiving reader data, it takes
93 // 2 ticks delay in analogue RF receiver (for the falling edge of the
94 // start bit, which marks the start of the communication)
95 // 3 ticks A/D conversion
96 // 8 ticks on average until the data is stored in to_arm.
97 // + the delays in transferring data - which is the same for
98 // sniffing reader and tag data and therefore not relevant
99 #define DELAY_READER_AIR2ARM_AS_SNIFFER (2 + 3 + 8)
101 //variables used for timing purposes:
102 //these are in ssp_clk cycles:
103 static uint32_t NextTransferTime
;
104 static uint32_t LastTimeProxToAirStart
;
105 static uint32_t LastProxToAirDuration
;
109 // CARD TO READER - manchester
110 // Sequence D: 11110000 modulation with subcarrier during first half
111 // Sequence E: 00001111 modulation with subcarrier during second half
112 // Sequence F: 00000000 no modulation with subcarrier
113 // READER TO CARD - miller
114 // Sequence X: 00001100 drop after half a period
115 // Sequence Y: 00000000 no drop
116 // Sequence Z: 11000000 drop at start
124 const uint8_t OddByteParity
[256] = {
125 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
126 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
127 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
128 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
129 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
130 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
131 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
132 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
133 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
134 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
135 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
136 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
137 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
138 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
139 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
140 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
144 void iso14a_set_trigger(bool enable
) {
149 void iso14a_set_timeout(uint32_t timeout
) {
150 iso14a_timeout
= timeout
;
151 if(MF_DBGLEVEL
>= 3) Dbprintf("ISO14443A Timeout set to %ld (%dms)", iso14a_timeout
, iso14a_timeout
/ 106);
155 void iso14a_set_ATS_timeout(uint8_t *ats
) {
161 if (ats
[0] > 1) { // there is a format byte T0
162 if ((ats
[1] & 0x20) == 0x20) { // there is an interface byte TB(1)
163 if ((ats
[1] & 0x10) == 0x10) { // there is an interface byte TA(1) preceding TB(1)
168 fwi
= (tb1
& 0xf0) >> 4; // frame waiting indicator (FWI)
169 fwt
= 256 * 16 * (1 << fwi
); // frame waiting time (FWT) in 1/fc
171 iso14a_set_timeout(fwt
/(8*16));
177 //-----------------------------------------------------------------------------
178 // Generate the parity value for a byte sequence
180 //-----------------------------------------------------------------------------
181 byte_t
oddparity (const byte_t bt
)
183 return OddByteParity
[bt
];
186 void GetParity(const uint8_t *pbtCmd
, uint16_t iLen
, uint8_t *par
)
188 uint16_t paritybit_cnt
= 0;
189 uint16_t paritybyte_cnt
= 0;
190 uint8_t parityBits
= 0;
192 for (uint16_t i
= 0; i
< iLen
; i
++) {
193 // Generate the parity bits
194 parityBits
|= ((OddByteParity
[pbtCmd
[i
]]) << (7-paritybit_cnt
));
195 if (paritybit_cnt
== 7) {
196 par
[paritybyte_cnt
] = parityBits
; // save 8 Bits parity
197 parityBits
= 0; // and advance to next Parity Byte
205 // save remaining parity bits
206 par
[paritybyte_cnt
] = parityBits
;
210 void AppendCrc14443a(uint8_t* data
, int len
)
212 ComputeCrc14443(CRC_14443_A
,data
,len
,data
+len
,data
+len
+1);
215 void AppendCrc14443b(uint8_t* data
, int len
)
217 ComputeCrc14443(CRC_14443_B
,data
,len
,data
+len
,data
+len
+1);
221 //=============================================================================
222 // ISO 14443 Type A - Miller decoder
223 //=============================================================================
225 // This decoder is used when the PM3 acts as a tag.
226 // The reader will generate "pauses" by temporarily switching of the field.
227 // At the PM3 antenna we will therefore measure a modulated antenna voltage.
228 // The FPGA does a comparison with a threshold and would deliver e.g.:
229 // ........ 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1 .......
230 // The Miller decoder needs to identify the following sequences:
231 // 2 (or 3) ticks pause followed by 6 (or 5) ticks unmodulated: pause at beginning - Sequence Z ("start of communication" or a "0")
232 // 8 ticks without a modulation: no pause - Sequence Y (a "0" or "end of communication" or "no information")
233 // 4 ticks unmodulated followed by 2 (or 3) ticks pause: pause in second half - Sequence X (a "1")
234 // Note 1: the bitstream may start at any time. We therefore need to sync.
235 // Note 2: the interpretation of Sequence Y and Z depends on the preceding sequence.
236 //-----------------------------------------------------------------------------
239 // Lookup-Table to decide if 4 raw bits are a modulation.
240 // We accept the following:
241 // 0001 - a 3 tick wide pause
242 // 0011 - a 2 tick wide pause, or a three tick wide pause shifted left
243 // 0111 - a 2 tick wide pause shifted left
244 // 1001 - a 2 tick wide pause shifted right
245 const bool Mod_Miller_LUT
[] = {
246 FALSE
, TRUE
, FALSE
, TRUE
, FALSE
, FALSE
, FALSE
, TRUE
,
247 FALSE
, TRUE
, FALSE
, FALSE
, FALSE
, FALSE
, FALSE
, FALSE
249 #define IsMillerModulationNibble1(b) (Mod_Miller_LUT[(b & 0x000000F0) >> 4])
250 #define IsMillerModulationNibble2(b) (Mod_Miller_LUT[(b & 0x0000000F)])
254 Uart
.state
= STATE_UNSYNCD
;
256 Uart
.len
= 0; // number of decoded data bytes
257 Uart
.parityLen
= 0; // number of decoded parity bytes
258 Uart
.shiftReg
= 0; // shiftreg to hold decoded data bits
259 Uart
.parityBits
= 0; // holds 8 parity bits
268 void UartInit(uint8_t *data
, uint8_t *parity
)
271 Uart
.parity
= parity
;
272 Uart
.fourBits
= 0x00000000; // clear the buffer for 4 Bits
276 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
277 static RAMFUNC
bool MillerDecoding(uint8_t bit
, uint32_t non_real_time
)
280 Uart
.fourBits
= (Uart
.fourBits
<< 8) | bit
;
282 if (Uart
.state
== STATE_UNSYNCD
) { // not yet synced
284 Uart
.syncBit
= 9999; // not set
286 // 00x11111 2|3 ticks pause followed by 6|5 ticks unmodulated Sequence Z (a "0" or "start of communication")
287 // 11111111 8 ticks unmodulation Sequence Y (a "0" or "end of communication" or "no information")
288 // 111100x1 4 ticks unmodulated followed by 2|3 ticks pause Sequence X (a "1")
290 // The start bit is one ore more Sequence Y followed by a Sequence Z (... 11111111 00x11111). We need to distinguish from
291 // Sequence X followed by Sequence Y followed by Sequence Z (111100x1 11111111 00x11111)
292 // we therefore look for a ...xx1111 11111111 00x11111xxxxxx... pattern
293 // (12 '1's followed by 2 '0's, eventually followed by another '0', followed by 5 '1's)
295 #define ISO14443A_STARTBIT_MASK 0x07FFEF80 // mask is 00001111 11111111 1110 1111 10000000
296 #define ISO14443A_STARTBIT_PATTERN 0x07FF8F80 // pattern is 00001111 11111111 1000 1111 10000000
298 if ((Uart
.fourBits
& (ISO14443A_STARTBIT_MASK
>> 0)) == ISO14443A_STARTBIT_PATTERN
>> 0) Uart
.syncBit
= 7;
299 else if ((Uart
.fourBits
& (ISO14443A_STARTBIT_MASK
>> 1)) == ISO14443A_STARTBIT_PATTERN
>> 1) Uart
.syncBit
= 6;
300 else if ((Uart
.fourBits
& (ISO14443A_STARTBIT_MASK
>> 2)) == ISO14443A_STARTBIT_PATTERN
>> 2) Uart
.syncBit
= 5;
301 else if ((Uart
.fourBits
& (ISO14443A_STARTBIT_MASK
>> 3)) == ISO14443A_STARTBIT_PATTERN
>> 3) Uart
.syncBit
= 4;
302 else if ((Uart
.fourBits
& (ISO14443A_STARTBIT_MASK
>> 4)) == ISO14443A_STARTBIT_PATTERN
>> 4) Uart
.syncBit
= 3;
303 else if ((Uart
.fourBits
& (ISO14443A_STARTBIT_MASK
>> 5)) == ISO14443A_STARTBIT_PATTERN
>> 5) Uart
.syncBit
= 2;
304 else if ((Uart
.fourBits
& (ISO14443A_STARTBIT_MASK
>> 6)) == ISO14443A_STARTBIT_PATTERN
>> 6) Uart
.syncBit
= 1;
305 else if ((Uart
.fourBits
& (ISO14443A_STARTBIT_MASK
>> 7)) == ISO14443A_STARTBIT_PATTERN
>> 7) Uart
.syncBit
= 0;
307 if (Uart
.syncBit
!= 9999) { // found a sync bit
308 Uart
.startTime
= non_real_time
?non_real_time
:(GetCountSspClk() & 0xfffffff8);
309 Uart
.startTime
-= Uart
.syncBit
;
310 Uart
.endTime
= Uart
.startTime
;
311 Uart
.state
= STATE_START_OF_COMMUNICATION
;
316 if (IsMillerModulationNibble1(Uart
.fourBits
>> Uart
.syncBit
)) {
317 if (IsMillerModulationNibble2(Uart
.fourBits
>> Uart
.syncBit
)) { // Modulation in both halves - error
319 } else { // Modulation in first half = Sequence Z = logic "0"
320 if (Uart
.state
== STATE_MILLER_X
) { // error - must not follow after X
324 Uart
.shiftReg
= (Uart
.shiftReg
>> 1); // add a 0 to the shiftreg
325 Uart
.state
= STATE_MILLER_Z
;
326 Uart
.endTime
= Uart
.startTime
+ 8*(9*Uart
.len
+ Uart
.bitCount
+ 1) - 6;
327 if(Uart
.bitCount
>= 9) { // if we decoded a full byte (including parity)
328 Uart
.output
[Uart
.len
++] = (Uart
.shiftReg
& 0xff);
329 Uart
.parityBits
<<= 1; // make room for the parity bit
330 Uart
.parityBits
|= ((Uart
.shiftReg
>> 8) & 0x01); // store parity bit
333 if((Uart
.len
&0x0007) == 0) { // every 8 data bytes
334 Uart
.parity
[Uart
.parityLen
++] = Uart
.parityBits
; // store 8 parity bits
341 if (IsMillerModulationNibble2(Uart
.fourBits
>> Uart
.syncBit
)) { // Modulation second half = Sequence X = logic "1"
343 Uart
.shiftReg
= (Uart
.shiftReg
>> 1) | 0x100; // add a 1 to the shiftreg
344 Uart
.state
= STATE_MILLER_X
;
345 Uart
.endTime
= Uart
.startTime
+ 8*(9*Uart
.len
+ Uart
.bitCount
+ 1) - 2;
346 if(Uart
.bitCount
>= 9) { // if we decoded a full byte (including parity)
347 Uart
.output
[Uart
.len
++] = (Uart
.shiftReg
& 0xff);
348 Uart
.parityBits
<<= 1; // make room for the new parity bit
349 Uart
.parityBits
|= ((Uart
.shiftReg
>> 8) & 0x01); // store parity bit
352 if ((Uart
.len
&0x0007) == 0) { // every 8 data bytes
353 Uart
.parity
[Uart
.parityLen
++] = Uart
.parityBits
; // store 8 parity bits
357 } else { // no modulation in both halves - Sequence Y
358 if (Uart
.state
== STATE_MILLER_Z
|| Uart
.state
== STATE_MILLER_Y
) { // Y after logic "0" - End of Communication
359 Uart
.state
= STATE_UNSYNCD
;
360 Uart
.bitCount
--; // last "0" was part of EOC sequence
361 Uart
.shiftReg
<<= 1; // drop it
362 if(Uart
.bitCount
> 0) { // if we decoded some bits
363 Uart
.shiftReg
>>= (9 - Uart
.bitCount
); // right align them
364 Uart
.output
[Uart
.len
++] = (Uart
.shiftReg
& 0xff); // add last byte to the output
365 Uart
.parityBits
<<= 1; // add a (void) parity bit
366 Uart
.parityBits
<<= (8 - (Uart
.len
&0x0007)); // left align parity bits
367 Uart
.parity
[Uart
.parityLen
++] = Uart
.parityBits
; // and store it
369 } else if (Uart
.len
& 0x0007) { // there are some parity bits to store
370 Uart
.parityBits
<<= (8 - (Uart
.len
&0x0007)); // left align remaining parity bits
371 Uart
.parity
[Uart
.parityLen
++] = Uart
.parityBits
; // and store them
374 return TRUE
; // we are finished with decoding the raw data sequence
376 UartReset(); // Nothing received - start over
379 if (Uart
.state
== STATE_START_OF_COMMUNICATION
) { // error - must not follow directly after SOC
381 } else { // a logic "0"
383 Uart
.shiftReg
= (Uart
.shiftReg
>> 1); // add a 0 to the shiftreg
384 Uart
.state
= STATE_MILLER_Y
;
385 if(Uart
.bitCount
>= 9) { // if we decoded a full byte (including parity)
386 Uart
.output
[Uart
.len
++] = (Uart
.shiftReg
& 0xff);
387 Uart
.parityBits
<<= 1; // make room for the parity bit
388 Uart
.parityBits
|= ((Uart
.shiftReg
>> 8) & 0x01); // store parity bit
391 if ((Uart
.len
&0x0007) == 0) { // every 8 data bytes
392 Uart
.parity
[Uart
.parityLen
++] = Uart
.parityBits
; // store 8 parity bits
402 return FALSE
; // not finished yet, need more data
407 //=============================================================================
408 // ISO 14443 Type A - Manchester decoder
409 //=============================================================================
411 // This decoder is used when the PM3 acts as a reader.
412 // The tag will modulate the reader field by asserting different loads to it. As a consequence, the voltage
413 // at the reader antenna will be modulated as well. The FPGA detects the modulation for us and would deliver e.g. the following:
414 // ........ 0 0 1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 .......
415 // The Manchester decoder needs to identify the following sequences:
416 // 4 ticks modulated followed by 4 ticks unmodulated: Sequence D = 1 (also used as "start of communication")
417 // 4 ticks unmodulated followed by 4 ticks modulated: Sequence E = 0
418 // 8 ticks unmodulated: Sequence F = end of communication
419 // 8 ticks modulated: A collision. Save the collision position and treat as Sequence D
420 // Note 1: the bitstream may start at any time. We therefore need to sync.
421 // Note 2: parameter offset is used to determine the position of the parity bits (required for the anticollision command only)
424 // Lookup-Table to decide if 4 raw bits are a modulation.
425 // We accept three or four "1" in any position
426 const bool Mod_Manchester_LUT
[] = {
427 FALSE
, FALSE
, FALSE
, FALSE
, FALSE
, FALSE
, FALSE
, TRUE
,
428 FALSE
, FALSE
, FALSE
, TRUE
, FALSE
, TRUE
, TRUE
, TRUE
431 #define IsManchesterModulationNibble1(b) (Mod_Manchester_LUT[(b & 0x00F0) >> 4])
432 #define IsManchesterModulationNibble2(b) (Mod_Manchester_LUT[(b & 0x000F)])
437 Demod
.state
= DEMOD_UNSYNCD
;
438 Demod
.len
= 0; // number of decoded data bytes
440 Demod
.shiftReg
= 0; // shiftreg to hold decoded data bits
441 Demod
.parityBits
= 0; //
442 Demod
.collisionPos
= 0; // Position of collision bit
443 Demod
.twoBits
= 0xffff; // buffer for 2 Bits
450 Demod
.syncBit
= 0xFFFF;
454 void DemodInit(uint8_t *data
, uint8_t *parity
)
457 Demod
.parity
= parity
;
461 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
462 static RAMFUNC
int ManchesterDecoding(uint8_t bit
, uint16_t offset
, uint32_t non_real_time
)
465 Demod
.twoBits
= (Demod
.twoBits
<< 8) | bit
;
467 if (Demod
.state
== DEMOD_UNSYNCD
) {
469 if (Demod
.highCnt
< 2) { // wait for a stable unmodulated signal
470 if (Demod
.twoBits
== 0x0000) {
476 Demod
.syncBit
= 0xFFFF; // not set
477 if ((Demod
.twoBits
& 0x7700) == 0x7000) Demod
.syncBit
= 7;
478 else if ((Demod
.twoBits
& 0x3B80) == 0x3800) Demod
.syncBit
= 6;
479 else if ((Demod
.twoBits
& 0x1DC0) == 0x1C00) Demod
.syncBit
= 5;
480 else if ((Demod
.twoBits
& 0x0EE0) == 0x0E00) Demod
.syncBit
= 4;
481 else if ((Demod
.twoBits
& 0x0770) == 0x0700) Demod
.syncBit
= 3;
482 else if ((Demod
.twoBits
& 0x03B8) == 0x0380) Demod
.syncBit
= 2;
483 else if ((Demod
.twoBits
& 0x01DC) == 0x01C0) Demod
.syncBit
= 1;
484 else if ((Demod
.twoBits
& 0x00EE) == 0x00E0) Demod
.syncBit
= 0;
485 if (Demod
.syncBit
!= 0xFFFF) {
486 Demod
.startTime
= non_real_time
?non_real_time
:(GetCountSspClk() & 0xfffffff8);
487 Demod
.startTime
-= Demod
.syncBit
;
488 Demod
.bitCount
= offset
; // number of decoded data bits
489 Demod
.state
= DEMOD_MANCHESTER_DATA
;
495 if (IsManchesterModulationNibble1(Demod
.twoBits
>> Demod
.syncBit
)) { // modulation in first half
496 if (IsManchesterModulationNibble2(Demod
.twoBits
>> Demod
.syncBit
)) { // ... and in second half = collision
497 if (!Demod
.collisionPos
) {
498 Demod
.collisionPos
= (Demod
.len
<< 3) + Demod
.bitCount
;
500 } // modulation in first half only - Sequence D = 1
502 Demod
.shiftReg
= (Demod
.shiftReg
>> 1) | 0x100; // in both cases, add a 1 to the shiftreg
503 if(Demod
.bitCount
== 9) { // if we decoded a full byte (including parity)
504 Demod
.output
[Demod
.len
++] = (Demod
.shiftReg
& 0xff);
505 Demod
.parityBits
<<= 1; // make room for the parity bit
506 Demod
.parityBits
|= ((Demod
.shiftReg
>> 8) & 0x01); // store parity bit
509 if((Demod
.len
&0x0007) == 0) { // every 8 data bytes
510 Demod
.parity
[Demod
.parityLen
++] = Demod
.parityBits
; // store 8 parity bits
511 Demod
.parityBits
= 0;
514 Demod
.endTime
= Demod
.startTime
+ 8*(9*Demod
.len
+ Demod
.bitCount
+ 1) - 4;
515 } else { // no modulation in first half
516 if (IsManchesterModulationNibble2(Demod
.twoBits
>> Demod
.syncBit
)) { // and modulation in second half = Sequence E = 0
518 Demod
.shiftReg
= (Demod
.shiftReg
>> 1); // add a 0 to the shiftreg
519 if(Demod
.bitCount
>= 9) { // if we decoded a full byte (including parity)
520 Demod
.output
[Demod
.len
++] = (Demod
.shiftReg
& 0xff);
521 Demod
.parityBits
<<= 1; // make room for the new parity bit
522 Demod
.parityBits
|= ((Demod
.shiftReg
>> 8) & 0x01); // store parity bit
525 if ((Demod
.len
&0x0007) == 0) { // every 8 data bytes
526 Demod
.parity
[Demod
.parityLen
++] = Demod
.parityBits
; // store 8 parity bits1
527 Demod
.parityBits
= 0;
530 Demod
.endTime
= Demod
.startTime
+ 8*(9*Demod
.len
+ Demod
.bitCount
+ 1);
531 } else { // no modulation in both halves - End of communication
532 if(Demod
.bitCount
> 0) { // there are some remaining data bits
533 Demod
.shiftReg
>>= (9 - Demod
.bitCount
); // right align the decoded bits
534 Demod
.output
[Demod
.len
++] = Demod
.shiftReg
& 0xff; // and add them to the output
535 Demod
.parityBits
<<= 1; // add a (void) parity bit
536 Demod
.parityBits
<<= (8 - (Demod
.len
&0x0007)); // left align remaining parity bits
537 Demod
.parity
[Demod
.parityLen
++] = Demod
.parityBits
; // and store them
539 } else if (Demod
.len
& 0x0007) { // there are some parity bits to store
540 Demod
.parityBits
<<= (8 - (Demod
.len
&0x0007)); // left align remaining parity bits
541 Demod
.parity
[Demod
.parityLen
++] = Demod
.parityBits
; // and store them
544 return TRUE
; // we are finished with decoding the raw data sequence
545 } else { // nothing received. Start over
551 return FALSE
; // not finished yet, need more data
554 //=============================================================================
555 // Finally, a `sniffer' for ISO 14443 Type A
556 // Both sides of communication!
557 //=============================================================================
559 //-----------------------------------------------------------------------------
560 // Record the sequence of commands sent by the reader to the tag, with
561 // triggering so that we start recording at the point that the tag is moved
563 //-----------------------------------------------------------------------------
564 void RAMFUNC
SniffIso14443a(uint8_t param
) {
566 // bit 0 - trigger from first card answer
567 // bit 1 - trigger from first reader 7-bit request
571 // We won't start recording the frames that we acquire until we trigger;
572 // a good trigger condition to get started is probably when we see a
573 // response from the tag.
574 // triggered == FALSE -- to wait first for card
575 bool triggered
= !(param
& 0x03);
577 // Allocate memory from BigBuf for some buffers
578 // free all previous allocations first
581 // The command (reader -> tag) that we're receiving.
582 uint8_t *receivedCmd
= BigBuf_malloc(MAX_FRAME_SIZE
);
583 uint8_t *receivedCmdPar
= BigBuf_malloc(MAX_PARITY_SIZE
);
585 // The response (tag -> reader) that we're receiving.
586 uint8_t *receivedResponse
= BigBuf_malloc(MAX_FRAME_SIZE
);
587 uint8_t *receivedResponsePar
= BigBuf_malloc(MAX_PARITY_SIZE
);
589 // The DMA buffer, used to stream samples from the FPGA
590 uint8_t *dmaBuf
= BigBuf_malloc(DMA_BUFFER_SIZE
);
596 uint8_t *data
= dmaBuf
;
597 uint8_t previous_data
= 0;
600 bool TagIsActive
= FALSE
;
601 bool ReaderIsActive
= FALSE
;
603 iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER
);
605 // Set up the demodulator for tag -> reader responses.
606 DemodInit(receivedResponse
, receivedResponsePar
);
608 // Set up the demodulator for the reader -> tag commands
609 UartInit(receivedCmd
, receivedCmdPar
);
611 // Setup and start DMA.
612 FpgaSetupSscDma((uint8_t *)dmaBuf
, DMA_BUFFER_SIZE
);
614 // And now we loop, receiving samples.
615 for(uint32_t rsamples
= 0; TRUE
; ) {
618 DbpString("cancelled by button");
625 int register readBufDataP
= data
- dmaBuf
;
626 int register dmaBufDataP
= DMA_BUFFER_SIZE
- AT91C_BASE_PDC_SSC
->PDC_RCR
;
627 if (readBufDataP
<= dmaBufDataP
){
628 dataLen
= dmaBufDataP
- readBufDataP
;
630 dataLen
= DMA_BUFFER_SIZE
- readBufDataP
+ dmaBufDataP
;
632 // test for length of buffer
633 if(dataLen
> maxDataLen
) {
634 maxDataLen
= dataLen
;
635 if(dataLen
> (9 * DMA_BUFFER_SIZE
/ 10)) {
636 Dbprintf("blew circular buffer! dataLen=%d", dataLen
);
640 if(dataLen
< 1) continue;
642 // primary buffer was stopped( <-- we lost data!
643 if (!AT91C_BASE_PDC_SSC
->PDC_RCR
) {
644 AT91C_BASE_PDC_SSC
->PDC_RPR
= (uint32_t) dmaBuf
;
645 AT91C_BASE_PDC_SSC
->PDC_RCR
= DMA_BUFFER_SIZE
;
646 Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen
); // temporary
648 // secondary buffer sets as primary, secondary buffer was stopped
649 if (!AT91C_BASE_PDC_SSC
->PDC_RNCR
) {
650 AT91C_BASE_PDC_SSC
->PDC_RNPR
= (uint32_t) dmaBuf
;
651 AT91C_BASE_PDC_SSC
->PDC_RNCR
= DMA_BUFFER_SIZE
;
656 if (rsamples
& 0x01) { // Need two samples to feed Miller and Manchester-Decoder
658 if(!TagIsActive
) { // no need to try decoding reader data if the tag is sending
659 uint8_t readerdata
= (previous_data
& 0xF0) | (*data
>> 4);
660 if (MillerDecoding(readerdata
, (rsamples
-1)*4)) {
663 // check - if there is a short 7bit request from reader
664 if ((!triggered
) && (param
& 0x02) && (Uart
.len
== 1) && (Uart
.bitCount
== 7)) triggered
= TRUE
;
667 if (!LogTrace(receivedCmd
,
669 Uart
.startTime
*16 - DELAY_READER_AIR2ARM_AS_SNIFFER
,
670 Uart
.endTime
*16 - DELAY_READER_AIR2ARM_AS_SNIFFER
,
674 /* And ready to receive another command. */
676 /* And also reset the demod code, which might have been */
677 /* false-triggered by the commands from the reader. */
681 ReaderIsActive
= (Uart
.state
!= STATE_UNSYNCD
);
684 if(!ReaderIsActive
) { // no need to try decoding tag data if the reader is sending - and we cannot afford the time
685 uint8_t tagdata
= (previous_data
<< 4) | (*data
& 0x0F);
686 if(ManchesterDecoding(tagdata
, 0, (rsamples
-1)*4)) {
689 if (!LogTrace(receivedResponse
,
691 Demod
.startTime
*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER
,
692 Demod
.endTime
*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER
,
696 if ((!triggered
) && (param
& 0x01)) triggered
= TRUE
;
698 // And ready to receive another response.
700 // And reset the Miller decoder including itS (now outdated) input buffer
701 UartInit(receivedCmd
, receivedCmdPar
);
705 TagIsActive
= (Demod
.state
!= DEMOD_UNSYNCD
);
709 previous_data
= *data
;
712 if(data
== dmaBuf
+ DMA_BUFFER_SIZE
) {
717 DbpString("COMMAND FINISHED");
720 Dbprintf("maxDataLen=%d, Uart.state=%x, Uart.len=%d", maxDataLen
, Uart
.state
, Uart
.len
);
721 Dbprintf("traceLen=%d, Uart.output[0]=%08x", BigBuf_get_traceLen(), (uint32_t)Uart
.output
[0]);
725 //-----------------------------------------------------------------------------
726 // Prepare tag messages
727 //-----------------------------------------------------------------------------
728 static void CodeIso14443aAsTagPar(const uint8_t *cmd
, uint16_t len
, uint8_t *parity
)
732 // Correction bit, might be removed when not needed
737 ToSendStuffBit(1); // 1
743 ToSend
[++ToSendMax
] = SEC_D
;
744 LastProxToAirDuration
= 8 * ToSendMax
- 4;
746 for(uint16_t i
= 0; i
< len
; i
++) {
750 for(uint16_t j
= 0; j
< 8; j
++) {
752 ToSend
[++ToSendMax
] = SEC_D
;
754 ToSend
[++ToSendMax
] = SEC_E
;
759 // Get the parity bit
760 if (parity
[i
>>3] & (0x80>>(i
&0x0007))) {
761 ToSend
[++ToSendMax
] = SEC_D
;
762 LastProxToAirDuration
= 8 * ToSendMax
- 4;
764 ToSend
[++ToSendMax
] = SEC_E
;
765 LastProxToAirDuration
= 8 * ToSendMax
;
770 ToSend
[++ToSendMax
] = SEC_F
;
772 // Convert from last byte pos to length
776 static void CodeIso14443aAsTag(const uint8_t *cmd
, uint16_t len
)
778 uint8_t par
[MAX_PARITY_SIZE
];
780 GetParity(cmd
, len
, par
);
781 CodeIso14443aAsTagPar(cmd
, len
, par
);
785 static void Code4bitAnswerAsTag(uint8_t cmd
)
791 // Correction bit, might be removed when not needed
796 ToSendStuffBit(1); // 1
802 ToSend
[++ToSendMax
] = SEC_D
;
805 for(i
= 0; i
< 4; i
++) {
807 ToSend
[++ToSendMax
] = SEC_D
;
808 LastProxToAirDuration
= 8 * ToSendMax
- 4;
810 ToSend
[++ToSendMax
] = SEC_E
;
811 LastProxToAirDuration
= 8 * ToSendMax
;
817 ToSend
[++ToSendMax
] = SEC_F
;
819 // Convert from last byte pos to length
823 //-----------------------------------------------------------------------------
824 // Wait for commands from reader
825 // Stop when button is pressed
826 // Or return TRUE when command is captured
827 //-----------------------------------------------------------------------------
828 static int GetIso14443aCommandFromReader(uint8_t *received
, uint8_t *parity
, int *len
)
830 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
831 // only, since we are receiving, not transmitting).
832 // Signal field is off with the appropriate LED
834 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_TAGSIM_LISTEN
);
836 // Now run a `software UART' on the stream of incoming samples.
837 UartInit(received
, parity
);
840 uint8_t b
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
;
845 if(BUTTON_PRESS()) return FALSE
;
847 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
848 b
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
;
849 if(MillerDecoding(b
, 0)) {
857 static int EmSendCmd14443aRaw(uint8_t *resp
, uint16_t respLen
, bool correctionNeeded
);
858 int EmSend4bitEx(uint8_t resp
, bool correctionNeeded
);
859 int EmSend4bit(uint8_t resp
);
860 int EmSendCmdExPar(uint8_t *resp
, uint16_t respLen
, bool correctionNeeded
, uint8_t *par
);
861 int EmSendCmdEx(uint8_t *resp
, uint16_t respLen
, bool correctionNeeded
);
862 int EmSendCmd(uint8_t *resp
, uint16_t respLen
);
863 int EmSendCmdPar(uint8_t *resp
, uint16_t respLen
, uint8_t *par
);
864 bool EmLogTrace(uint8_t *reader_data
, uint16_t reader_len
, uint32_t reader_StartTime
, uint32_t reader_EndTime
, uint8_t *reader_Parity
,
865 uint8_t *tag_data
, uint16_t tag_len
, uint32_t tag_StartTime
, uint32_t tag_EndTime
, uint8_t *tag_Parity
);
867 static uint8_t* free_buffer_pointer
;
874 uint32_t ProxToAirDuration
;
875 } tag_response_info_t
;
877 bool prepare_tag_modulation(tag_response_info_t
* response_info
, size_t max_buffer_size
) {
878 // Example response, answer to MIFARE Classic read block will be 16 bytes + 2 CRC = 18 bytes
879 // This will need the following byte array for a modulation sequence
880 // 144 data bits (18 * 8)
883 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
884 // 1 just for the case
886 // 166 bytes, since every bit that needs to be send costs us a byte
890 // Prepare the tag modulation bits from the message
891 CodeIso14443aAsTag(response_info
->response
,response_info
->response_n
);
893 // Make sure we do not exceed the free buffer space
894 if (ToSendMax
> max_buffer_size
) {
895 Dbprintf("Out of memory, when modulating bits for tag answer:");
896 Dbhexdump(response_info
->response_n
,response_info
->response
,false);
900 // Copy the byte array, used for this modulation to the buffer position
901 memcpy(response_info
->modulation
,ToSend
,ToSendMax
);
903 // Store the number of bytes that were used for encoding/modulation and the time needed to transfer them
904 response_info
->modulation_n
= ToSendMax
;
905 response_info
->ProxToAirDuration
= LastProxToAirDuration
;
911 // "precompile" responses. There are 7 predefined responses with a total of 28 bytes data to transmit.
912 // Coded responses need one byte per bit to transfer (data, parity, start, stop, correction)
913 // 28 * 8 data bits, 28 * 1 parity bits, 7 start bits, 7 stop bits, 7 correction bits
914 // -> need 273 bytes buffer
915 #define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 273
917 bool prepare_allocated_tag_modulation(tag_response_info_t
* response_info
) {
918 // Retrieve and store the current buffer index
919 response_info
->modulation
= free_buffer_pointer
;
921 // Determine the maximum size we can use from our buffer
922 size_t max_buffer_size
= ALLOCATED_TAG_MODULATION_BUFFER_SIZE
;
924 // Forward the prepare tag modulation function to the inner function
925 if (prepare_tag_modulation(response_info
, max_buffer_size
)) {
926 // Update the free buffer offset
927 free_buffer_pointer
+= ToSendMax
;
934 //-----------------------------------------------------------------------------
935 // Main loop of simulated tag: receive commands from reader, decide what
936 // response to send, and send it.
937 //-----------------------------------------------------------------------------
938 void SimulateIso14443aTag(int tagType
, int flags
, int uid_2nd
, byte_t
* data
)
941 //Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2
942 // This can be used in a reader-only attack.
943 // (it can also be retrieved via 'hf 14a list', but hey...
944 uint32_t ar_nr_responses
[] = {0,0,0,0,0,0,0,0,0,0};
945 uint8_t ar_nr_collected
= 0;
949 // The first response contains the ATQA (note: bytes are transmitted in reverse order).
950 uint8_t response1
[2];
953 case 1: { // MIFARE Classic
954 // Says: I am Mifare 1k - original line
959 case 2: { // MIFARE Ultralight
960 // Says: I am a stupid memory tag, no crypto
965 case 3: { // MIFARE DESFire
966 // Says: I am a DESFire tag, ph33r me
971 case 4: { // ISO/IEC 14443-4
972 // Says: I am a javacard (JCOP)
977 case 5: { // MIFARE TNP3XXX
983 case 6: { // MIFARE Mini
984 // Says: I am a Mifare Mini, 320b
990 Dbprintf("Error: unkown tagtype (%d)",tagType
);
995 // The second response contains the (mandatory) first 24 bits of the UID
996 uint8_t response2
[5] = {0x00};
998 // Check if the uid uses the (optional) part
999 uint8_t response2a
[5] = {0x00};
1001 if (flags
& FLAG_7B_UID_IN_DATA
) {
1002 response2
[0] = 0x88;
1003 response2
[1] = data
[0];
1004 response2
[2] = data
[1];
1005 response2
[3] = data
[2];
1007 response2a
[0] = data
[3];
1008 response2a
[1] = data
[4];
1009 response2a
[2] = data
[5];
1010 response2a
[3] = data
[7];
1011 response2a
[4] = response2a
[0] ^ response2a
[1] ^ response2a
[2] ^ response2a
[3];
1013 // Configure the ATQA and SAK accordingly
1014 response1
[0] |= 0x40;
1017 memcpy(response2
, data
, 4);
1018 //num_to_bytes(uid_1st,4,response2);
1019 // Configure the ATQA and SAK accordingly
1020 response1
[0] &= 0xBF;
1024 // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
1025 response2
[4] = response2
[0] ^ response2
[1] ^ response2
[2] ^ response2
[3];
1027 // Prepare the mandatory SAK (for 4 and 7 byte UID)
1028 uint8_t response3
[3] = {0x00};
1030 ComputeCrc14443(CRC_14443_A
, response3
, 1, &response3
[1], &response3
[2]);
1032 // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
1033 uint8_t response3a
[3] = {0x00};
1034 response3a
[0] = sak
& 0xFB;
1035 ComputeCrc14443(CRC_14443_A
, response3a
, 1, &response3a
[1], &response3a
[2]);
1037 uint8_t response5
[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
1038 uint8_t response6
[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS:
1039 // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present,
1040 // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
1041 // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
1042 // TC(1) = 0x02: CID supported, NAD not supported
1043 ComputeCrc14443(CRC_14443_A
, response6
, 4, &response6
[4], &response6
[5]);
1045 #define TAG_RESPONSE_COUNT 7
1046 tag_response_info_t responses
[TAG_RESPONSE_COUNT
] = {
1047 { .response
= response1
, .response_n
= sizeof(response1
) }, // Answer to request - respond with card type
1048 { .response
= response2
, .response_n
= sizeof(response2
) }, // Anticollision cascade1 - respond with uid
1049 { .response
= response2a
, .response_n
= sizeof(response2a
) }, // Anticollision cascade2 - respond with 2nd half of uid if asked
1050 { .response
= response3
, .response_n
= sizeof(response3
) }, // Acknowledge select - cascade 1
1051 { .response
= response3a
, .response_n
= sizeof(response3a
) }, // Acknowledge select - cascade 2
1052 { .response
= response5
, .response_n
= sizeof(response5
) }, // Authentication answer (random nonce)
1053 { .response
= response6
, .response_n
= sizeof(response6
) }, // dummy ATS (pseudo-ATR), answer to RATS
1056 // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it
1057 // Such a response is less time critical, so we can prepare them on the fly
1058 #define DYNAMIC_RESPONSE_BUFFER_SIZE 64
1059 #define DYNAMIC_MODULATION_BUFFER_SIZE 512
1060 uint8_t dynamic_response_buffer
[DYNAMIC_RESPONSE_BUFFER_SIZE
];
1061 uint8_t dynamic_modulation_buffer
[DYNAMIC_MODULATION_BUFFER_SIZE
];
1062 tag_response_info_t dynamic_response_info
= {
1063 .response
= dynamic_response_buffer
,
1065 .modulation
= dynamic_modulation_buffer
,
1069 BigBuf_free_keep_EM();
1071 // allocate buffers:
1072 uint8_t *receivedCmd
= BigBuf_malloc(MAX_FRAME_SIZE
);
1073 uint8_t *receivedCmdPar
= BigBuf_malloc(MAX_PARITY_SIZE
);
1074 free_buffer_pointer
= BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE
);
1080 // Prepare the responses of the anticollision phase
1081 // there will be not enough time to do this at the moment the reader sends it REQA
1082 for (size_t i
=0; i
<TAG_RESPONSE_COUNT
; i
++) {
1083 prepare_allocated_tag_modulation(&responses
[i
]);
1088 // To control where we are in the protocol
1092 // Just to allow some checks
1097 // We need to listen to the high-frequency, peak-detected path.
1098 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN
);
1101 tag_response_info_t
* p_response
;
1105 // Clean receive command buffer
1107 if(!GetIso14443aCommandFromReader(receivedCmd
, receivedCmdPar
, &len
)) {
1108 DbpString("Button press");
1114 // Okay, look at the command now.
1116 if(receivedCmd
[0] == 0x26) { // Received a REQUEST
1117 p_response
= &responses
[0]; order
= 1;
1118 } else if(receivedCmd
[0] == 0x52) { // Received a WAKEUP
1119 p_response
= &responses
[0]; order
= 6;
1120 } else if(receivedCmd
[1] == 0x20 && receivedCmd
[0] == 0x93) { // Received request for UID (cascade 1)
1121 p_response
= &responses
[1]; order
= 2;
1122 } else if(receivedCmd
[1] == 0x20 && receivedCmd
[0] == 0x95) { // Received request for UID (cascade 2)
1123 p_response
= &responses
[2]; order
= 20;
1124 } else if(receivedCmd
[1] == 0x70 && receivedCmd
[0] == 0x93) { // Received a SELECT (cascade 1)
1125 p_response
= &responses
[3]; order
= 3;
1126 } else if(receivedCmd
[1] == 0x70 && receivedCmd
[0] == 0x95) { // Received a SELECT (cascade 2)
1127 p_response
= &responses
[4]; order
= 30;
1128 } else if(receivedCmd
[0] == 0x30) { // Received a (plain) READ
1129 EmSendCmdEx(data
+(4*receivedCmd
[1]),16,false);
1130 // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
1131 // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
1133 } else if(receivedCmd
[0] == 0x50) { // Received a HALT
1136 LogTrace(receivedCmd
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
);
1139 } else if(receivedCmd
[0] == 0x60 || receivedCmd
[0] == 0x61) { // Received an authentication request
1140 p_response
= &responses
[5]; order
= 7;
1141 } else if(receivedCmd
[0] == 0xE0) { // Received a RATS request
1142 if (tagType
== 1 || tagType
== 2) { // RATS not supported
1143 EmSend4bit(CARD_NACK_NA
);
1146 p_response
= &responses
[6]; order
= 70;
1148 } else if (order
== 7 && len
== 8) { // Received {nr] and {ar} (part of authentication)
1150 LogTrace(receivedCmd
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
);
1152 uint32_t nonce
= bytes_to_num(response5
,4);
1153 uint32_t nr
= bytes_to_num(receivedCmd
,4);
1154 uint32_t ar
= bytes_to_num(receivedCmd
+4,4);
1155 //Dbprintf("Auth attempt {nonce}{nr}{ar}: %08x %08x %08x", nonce, nr, ar);
1157 if(flags
& FLAG_NR_AR_ATTACK
)
1159 if(ar_nr_collected
< 2){
1160 // Avoid duplicates... probably not necessary, nr should vary.
1161 //if(ar_nr_responses[3] != nr){
1162 ar_nr_responses
[ar_nr_collected
*5] = 0;
1163 ar_nr_responses
[ar_nr_collected
*5+1] = 0;
1164 ar_nr_responses
[ar_nr_collected
*5+2] = nonce
;
1165 ar_nr_responses
[ar_nr_collected
*5+3] = nr
;
1166 ar_nr_responses
[ar_nr_collected
*5+4] = ar
;
1171 if(ar_nr_collected
> 1 ) {
1173 if (MF_DBGLEVEL
>= 2) {
1174 Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
1175 Dbprintf("../tools/mfkey/mfkey32 %07x%08x %08x %08x %08x %08x %08x",
1176 ar_nr_responses
[0], // UID1
1177 ar_nr_responses
[1], // UID2
1178 ar_nr_responses
[2], // NT
1179 ar_nr_responses
[3], // AR1
1180 ar_nr_responses
[4], // NR1
1181 ar_nr_responses
[8], // AR2
1182 ar_nr_responses
[9] // NR2
1185 uint8_t len
= ar_nr_collected
*5*4;
1186 cmd_send(CMD_ACK
,CMD_SIMULATE_MIFARE_CARD
,len
,0,&ar_nr_responses
,len
);
1187 ar_nr_collected
= 0;
1188 memset(ar_nr_responses
, 0x00, len
);
1192 // Check for ISO 14443A-4 compliant commands, look at left nibble
1193 switch (receivedCmd
[0]) {
1196 case 0x0A: { // IBlock (command)
1197 dynamic_response_info
.response
[0] = receivedCmd
[0];
1198 dynamic_response_info
.response
[1] = 0x00;
1199 dynamic_response_info
.response
[2] = 0x90;
1200 dynamic_response_info
.response
[3] = 0x00;
1201 dynamic_response_info
.response_n
= 4;
1205 case 0x1B: { // Chaining command
1206 dynamic_response_info
.response
[0] = 0xaa | ((receivedCmd
[0]) & 1);
1207 dynamic_response_info
.response_n
= 2;
1212 dynamic_response_info
.response
[0] = receivedCmd
[0] ^ 0x11;
1213 dynamic_response_info
.response_n
= 2;
1217 memcpy(dynamic_response_info
.response
,"\xAB\x00",2);
1218 dynamic_response_info
.response_n
= 2;
1222 case 0xC2: { // Readers sends deselect command
1223 memcpy(dynamic_response_info
.response
,"\xCA\x00",2);
1224 dynamic_response_info
.response_n
= 2;
1228 // Never seen this command before
1230 LogTrace(receivedCmd
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
);
1232 Dbprintf("Received unknown command (len=%d):",len
);
1233 Dbhexdump(len
,receivedCmd
,false);
1235 dynamic_response_info
.response_n
= 0;
1239 if (dynamic_response_info
.response_n
> 0) {
1240 // Copy the CID from the reader query
1241 dynamic_response_info
.response
[1] = receivedCmd
[1];
1243 // Add CRC bytes, always used in ISO 14443A-4 compliant cards
1244 AppendCrc14443a(dynamic_response_info
.response
,dynamic_response_info
.response_n
);
1245 dynamic_response_info
.response_n
+= 2;
1247 if (prepare_tag_modulation(&dynamic_response_info
,DYNAMIC_MODULATION_BUFFER_SIZE
) == false) {
1248 Dbprintf("Error preparing tag response");
1250 LogTrace(receivedCmd
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
);
1254 p_response
= &dynamic_response_info
;
1258 // Count number of wakeups received after a halt
1259 if(order
== 6 && lastorder
== 5) { happened
++; }
1261 // Count number of other messages after a halt
1262 if(order
!= 6 && lastorder
== 5) { happened2
++; }
1264 if(cmdsRecvd
> 999) {
1265 DbpString("1000 commands later...");
1270 if (p_response
!= NULL
) {
1271 EmSendCmd14443aRaw(p_response
->modulation
, p_response
->modulation_n
, receivedCmd
[0] == 0x52);
1272 // do the tracing for the previous reader request and this tag answer:
1273 uint8_t par
[MAX_PARITY_SIZE
];
1274 GetParity(p_response
->response
, p_response
->response_n
, par
);
1276 EmLogTrace(Uart
.output
,
1278 Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
,
1279 Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
,
1281 p_response
->response
,
1282 p_response
->response_n
,
1283 LastTimeProxToAirStart
*16 + DELAY_ARM2AIR_AS_TAG
,
1284 (LastTimeProxToAirStart
+ p_response
->ProxToAirDuration
)*16 + DELAY_ARM2AIR_AS_TAG
,
1289 Dbprintf("Trace Full. Simulation stopped.");
1294 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1296 Dbprintf("%x %x %x", happened
, happened2
, cmdsRecvd
);
1298 BigBuf_free_keep_EM();
1302 // prepare a delayed transfer. This simply shifts ToSend[] by a number
1303 // of bits specified in the delay parameter.
1304 void PrepareDelayedTransfer(uint16_t delay
)
1306 uint8_t bitmask
= 0;
1307 uint8_t bits_to_shift
= 0;
1308 uint8_t bits_shifted
= 0;
1312 for (uint16_t i
= 0; i
< delay
; i
++) {
1313 bitmask
|= (0x01 << i
);
1315 ToSend
[ToSendMax
++] = 0x00;
1316 for (uint16_t i
= 0; i
< ToSendMax
; i
++) {
1317 bits_to_shift
= ToSend
[i
] & bitmask
;
1318 ToSend
[i
] = ToSend
[i
] >> delay
;
1319 ToSend
[i
] = ToSend
[i
] | (bits_shifted
<< (8 - delay
));
1320 bits_shifted
= bits_to_shift
;
1326 //-------------------------------------------------------------------------------------
1327 // Transmit the command (to the tag) that was placed in ToSend[].
1328 // Parameter timing:
1329 // if NULL: transfer at next possible time, taking into account
1330 // request guard time and frame delay time
1331 // if == 0: transfer immediately and return time of transfer
1332 // if != 0: delay transfer until time specified
1333 //-------------------------------------------------------------------------------------
1334 static void TransmitFor14443a(const uint8_t *cmd
, uint16_t len
, uint32_t *timing
)
1337 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_READER_MOD
);
1339 uint32_t ThisTransferTime
= 0;
1342 if(*timing
== 0) { // Measure time
1343 *timing
= (GetCountSspClk() + 8) & 0xfffffff8;
1345 PrepareDelayedTransfer(*timing
& 0x00000007); // Delay transfer (fine tuning - up to 7 MF clock ticks)
1347 if(MF_DBGLEVEL
>= 4 && GetCountSspClk() >= (*timing
& 0xfffffff8)) Dbprintf("TransmitFor14443a: Missed timing");
1348 while(GetCountSspClk() < (*timing
& 0xfffffff8)); // Delay transfer (multiple of 8 MF clock ticks)
1349 LastTimeProxToAirStart
= *timing
;
1351 ThisTransferTime
= ((MAX(NextTransferTime
, GetCountSspClk()) & 0xfffffff8) + 8);
1352 while(GetCountSspClk() < ThisTransferTime
);
1353 LastTimeProxToAirStart
= ThisTransferTime
;
1357 AT91C_BASE_SSC
->SSC_THR
= SEC_Y
;
1361 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
1362 AT91C_BASE_SSC
->SSC_THR
= cmd
[c
];
1370 NextTransferTime
= MAX(NextTransferTime
, LastTimeProxToAirStart
+ REQUEST_GUARD_TIME
);
1374 //-----------------------------------------------------------------------------
1375 // Prepare reader command (in bits, support short frames) to send to FPGA
1376 //-----------------------------------------------------------------------------
1377 void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd
, uint16_t bits
, const uint8_t *parity
)
1385 // Start of Communication (Seq. Z)
1386 ToSend
[++ToSendMax
] = SEC_Z
;
1387 LastProxToAirDuration
= 8 * (ToSendMax
+1) - 6;
1390 size_t bytecount
= nbytes(bits
);
1391 // Generate send structure for the data bits
1392 for (i
= 0; i
< bytecount
; i
++) {
1393 // Get the current byte to send
1395 size_t bitsleft
= MIN((bits
-(i
*8)),8);
1397 for (j
= 0; j
< bitsleft
; j
++) {
1400 ToSend
[++ToSendMax
] = SEC_X
;
1401 LastProxToAirDuration
= 8 * (ToSendMax
+1) - 2;
1406 ToSend
[++ToSendMax
] = SEC_Z
;
1407 LastProxToAirDuration
= 8 * (ToSendMax
+1) - 6;
1410 ToSend
[++ToSendMax
] = SEC_Y
;
1417 // Only transmit parity bit if we transmitted a complete byte
1418 if (j
== 8 && parity
!= NULL
) {
1419 // Get the parity bit
1420 if (parity
[i
>>3] & (0x80 >> (i
&0x0007))) {
1422 ToSend
[++ToSendMax
] = SEC_X
;
1423 LastProxToAirDuration
= 8 * (ToSendMax
+1) - 2;
1428 ToSend
[++ToSendMax
] = SEC_Z
;
1429 LastProxToAirDuration
= 8 * (ToSendMax
+1) - 6;
1432 ToSend
[++ToSendMax
] = SEC_Y
;
1439 // End of Communication: Logic 0 followed by Sequence Y
1442 ToSend
[++ToSendMax
] = SEC_Z
;
1443 LastProxToAirDuration
= 8 * (ToSendMax
+1) - 6;
1446 ToSend
[++ToSendMax
] = SEC_Y
;
1449 ToSend
[++ToSendMax
] = SEC_Y
;
1451 // Convert to length of command:
1455 //-----------------------------------------------------------------------------
1456 // Prepare reader command to send to FPGA
1457 //-----------------------------------------------------------------------------
1458 void CodeIso14443aAsReaderPar(const uint8_t *cmd
, uint16_t len
, const uint8_t *parity
)
1460 CodeIso14443aBitsAsReaderPar(cmd
, len
*8, parity
);
1464 //-----------------------------------------------------------------------------
1465 // Wait for commands from reader
1466 // Stop when button is pressed (return 1) or field was gone (return 2)
1467 // Or return 0 when command is captured
1468 //-----------------------------------------------------------------------------
1469 static int EmGetCmd(uint8_t *received
, uint16_t *len
, uint8_t *parity
)
1473 uint32_t timer
= 0, vtime
= 0;
1477 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1478 // only, since we are receiving, not transmitting).
1479 // Signal field is off with the appropriate LED
1481 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_TAGSIM_LISTEN
);
1483 // Set ADC to read field strength
1484 AT91C_BASE_ADC
->ADC_CR
= AT91C_ADC_SWRST
;
1485 AT91C_BASE_ADC
->ADC_MR
=
1486 ADC_MODE_PRESCALE(63) |
1487 ADC_MODE_STARTUP_TIME(1) |
1488 ADC_MODE_SAMPLE_HOLD_TIME(15);
1489 AT91C_BASE_ADC
->ADC_CHER
= ADC_CHANNEL(ADC_CHAN_HF
);
1491 AT91C_BASE_ADC
->ADC_CR
= AT91C_ADC_START
;
1493 // Now run a 'software UART' on the stream of incoming samples.
1494 UartInit(received
, parity
);
1497 uint8_t b
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
;
1502 if (BUTTON_PRESS()) return 1;
1504 // test if the field exists
1505 if (AT91C_BASE_ADC
->ADC_SR
& ADC_END_OF_CONVERSION(ADC_CHAN_HF
)) {
1507 analogAVG
+= AT91C_BASE_ADC
->ADC_CDR
[ADC_CHAN_HF
];
1508 AT91C_BASE_ADC
->ADC_CR
= AT91C_ADC_START
;
1509 if (analogCnt
>= 32) {
1510 if ((MAX_ADC_HF_VOLTAGE
* (analogAVG
/ analogCnt
) >> 10) < MF_MINFIELDV
) {
1511 vtime
= GetTickCount();
1512 if (!timer
) timer
= vtime
;
1513 // 50ms no field --> card to idle state
1514 if (vtime
- timer
> 50) return 2;
1516 if (timer
) timer
= 0;
1522 // receive and test the miller decoding
1523 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
1524 b
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
;
1525 if(MillerDecoding(b
, 0)) {
1535 static int EmSendCmd14443aRaw(uint8_t *resp
, uint16_t respLen
, bool correctionNeeded
)
1539 uint32_t ThisTransferTime
;
1541 // Modulate Manchester
1542 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_TAGSIM_MOD
);
1544 // include correction bit if necessary
1545 if (Uart
.parityBits
& 0x01) {
1546 correctionNeeded
= TRUE
;
1548 if(correctionNeeded
) {
1549 // 1236, so correction bit needed
1555 // clear receiving shift register and holding register
1556 while(!(AT91C_BASE_SSC
->SSC_SR
& AT91C_SSC_RXRDY
));
1557 b
= AT91C_BASE_SSC
->SSC_RHR
; (void) b
;
1558 while(!(AT91C_BASE_SSC
->SSC_SR
& AT91C_SSC_RXRDY
));
1559 b
= AT91C_BASE_SSC
->SSC_RHR
; (void) b
;
1561 // wait for the FPGA to signal fdt_indicator == 1 (the FPGA is ready to queue new data in its delay line)
1562 for (uint16_t j
= 0; j
< 5; j
++) { // allow timeout - better late than never
1563 while(!(AT91C_BASE_SSC
->SSC_SR
& AT91C_SSC_RXRDY
));
1564 if (AT91C_BASE_SSC
->SSC_RHR
) break;
1567 while ((ThisTransferTime
= GetCountSspClk()) & 0x00000007);
1570 AT91C_BASE_SSC
->SSC_THR
= SEC_F
;
1573 for(; i
< respLen
; ) {
1574 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
1575 AT91C_BASE_SSC
->SSC_THR
= resp
[i
++];
1576 FpgaSendQueueDelay
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
;
1579 if(BUTTON_PRESS()) {
1584 // Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN again:
1585 uint8_t fpga_queued_bits
= FpgaSendQueueDelay
>> 3;
1586 for (i
= 0; i
<= fpga_queued_bits
/8 + 1; ) {
1587 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
1588 AT91C_BASE_SSC
->SSC_THR
= SEC_F
;
1589 FpgaSendQueueDelay
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
;
1594 LastTimeProxToAirStart
= ThisTransferTime
+ (correctionNeeded
?8:0);
1599 int EmSend4bitEx(uint8_t resp
, bool correctionNeeded
){
1600 Code4bitAnswerAsTag(resp
);
1601 int res
= EmSendCmd14443aRaw(ToSend
, ToSendMax
, correctionNeeded
);
1602 // do the tracing for the previous reader request and this tag answer:
1604 GetParity(&resp
, 1, par
);
1605 EmLogTrace(Uart
.output
,
1607 Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
,
1608 Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
,
1612 LastTimeProxToAirStart
*16 + DELAY_ARM2AIR_AS_TAG
,
1613 (LastTimeProxToAirStart
+ LastProxToAirDuration
)*16 + DELAY_ARM2AIR_AS_TAG
,
1618 int EmSend4bit(uint8_t resp
){
1619 return EmSend4bitEx(resp
, false);
1622 int EmSendCmdExPar(uint8_t *resp
, uint16_t respLen
, bool correctionNeeded
, uint8_t *par
){
1623 CodeIso14443aAsTagPar(resp
, respLen
, par
);
1624 int res
= EmSendCmd14443aRaw(ToSend
, ToSendMax
, correctionNeeded
);
1625 // do the tracing for the previous reader request and this tag answer:
1626 EmLogTrace(Uart
.output
,
1628 Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
,
1629 Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
,
1633 LastTimeProxToAirStart
*16 + DELAY_ARM2AIR_AS_TAG
,
1634 (LastTimeProxToAirStart
+ LastProxToAirDuration
)*16 + DELAY_ARM2AIR_AS_TAG
,
1639 int EmSendCmdEx(uint8_t *resp
, uint16_t respLen
, bool correctionNeeded
){
1640 uint8_t par
[MAX_PARITY_SIZE
];
1641 GetParity(resp
, respLen
, par
);
1642 return EmSendCmdExPar(resp
, respLen
, correctionNeeded
, par
);
1645 int EmSendCmd(uint8_t *resp
, uint16_t respLen
){
1646 uint8_t par
[MAX_PARITY_SIZE
];
1647 GetParity(resp
, respLen
, par
);
1648 return EmSendCmdExPar(resp
, respLen
, false, par
);
1651 int EmSendCmdPar(uint8_t *resp
, uint16_t respLen
, uint8_t *par
){
1652 return EmSendCmdExPar(resp
, respLen
, false, par
);
1655 bool EmLogTrace(uint8_t *reader_data
, uint16_t reader_len
, uint32_t reader_StartTime
, uint32_t reader_EndTime
, uint8_t *reader_Parity
,
1656 uint8_t *tag_data
, uint16_t tag_len
, uint32_t tag_StartTime
, uint32_t tag_EndTime
, uint8_t *tag_Parity
)
1659 // we cannot exactly measure the end and start of a received command from reader. However we know that the delay from
1660 // end of the received command to start of the tag's (simulated by us) answer is n*128+20 or n*128+84 resp.
1661 // with n >= 9. The start of the tags answer can be measured and therefore the end of the received command be calculated:
1662 uint16_t reader_modlen
= reader_EndTime
- reader_StartTime
;
1663 uint16_t approx_fdt
= tag_StartTime
- reader_EndTime
;
1664 uint16_t exact_fdt
= (approx_fdt
- 20 + 32)/64 * 64 + 20;
1665 reader_EndTime
= tag_StartTime
- exact_fdt
;
1666 reader_StartTime
= reader_EndTime
- reader_modlen
;
1667 if (!LogTrace(reader_data
, reader_len
, reader_StartTime
, reader_EndTime
, reader_Parity
, TRUE
)) {
1669 } else return(!LogTrace(tag_data
, tag_len
, tag_StartTime
, tag_EndTime
, tag_Parity
, FALSE
));
1675 //-----------------------------------------------------------------------------
1676 // Wait a certain time for tag response
1677 // If a response is captured return TRUE
1678 // If it takes too long return FALSE
1679 //-----------------------------------------------------------------------------
1680 static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse
, uint8_t *receivedResponsePar
, uint16_t offset
)
1684 // Set FPGA mode to "reader listen mode", no modulation (listen
1685 // only, since we are receiving, not transmitting).
1686 // Signal field is on with the appropriate LED
1688 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_READER_LISTEN
);
1690 // Now get the answer from the card
1691 DemodInit(receivedResponse
, receivedResponsePar
);
1694 uint8_t b
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
;
1699 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
1700 b
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
;
1701 if(ManchesterDecoding(b
, offset
, 0)) {
1702 NextTransferTime
= MAX(NextTransferTime
, Demod
.endTime
- (DELAY_AIR2ARM_AS_READER
+ DELAY_ARM2AIR_AS_READER
)/16 + FRAME_DELAY_TIME_PICC_TO_PCD
);
1704 } else if (c
++ > iso14a_timeout
&& Demod
.state
== DEMOD_UNSYNCD
) {
1712 void ReaderTransmitBitsPar(uint8_t* frame
, uint16_t bits
, uint8_t *par
, uint32_t *timing
)
1714 CodeIso14443aBitsAsReaderPar(frame
, bits
, par
);
1716 // Send command to tag
1717 TransmitFor14443a(ToSend
, ToSendMax
, timing
);
1721 // Log reader command in trace buffer
1723 LogTrace(frame
, nbytes(bits
), LastTimeProxToAirStart
*16 + DELAY_ARM2AIR_AS_READER
, (LastTimeProxToAirStart
+ LastProxToAirDuration
)*16 + DELAY_ARM2AIR_AS_READER
, par
, TRUE
);
1728 void ReaderTransmitPar(uint8_t* frame
, uint16_t len
, uint8_t *par
, uint32_t *timing
)
1730 ReaderTransmitBitsPar(frame
, len
*8, par
, timing
);
1734 void ReaderTransmitBits(uint8_t* frame
, uint16_t len
, uint32_t *timing
)
1736 // Generate parity and redirect
1737 uint8_t par
[MAX_PARITY_SIZE
];
1738 GetParity(frame
, len
/8, par
);
1739 ReaderTransmitBitsPar(frame
, len
, par
, timing
);
1743 void ReaderTransmit(uint8_t* frame
, uint16_t len
, uint32_t *timing
)
1745 // Generate parity and redirect
1746 uint8_t par
[MAX_PARITY_SIZE
];
1747 GetParity(frame
, len
, par
);
1748 ReaderTransmitBitsPar(frame
, len
*8, par
, timing
);
1751 int ReaderReceiveOffset(uint8_t* receivedAnswer
, uint16_t offset
, uint8_t *parity
)
1753 if (!GetIso14443aAnswerFromTag(receivedAnswer
, parity
, offset
)) return FALSE
;
1755 LogTrace(receivedAnswer
, Demod
.len
, Demod
.startTime
*16 - DELAY_AIR2ARM_AS_READER
, Demod
.endTime
*16 - DELAY_AIR2ARM_AS_READER
, parity
, FALSE
);
1760 int ReaderReceive(uint8_t *receivedAnswer
, uint8_t *parity
)
1762 if (!GetIso14443aAnswerFromTag(receivedAnswer
, parity
, 0)) return FALSE
;
1764 LogTrace(receivedAnswer
, Demod
.len
, Demod
.startTime
*16 - DELAY_AIR2ARM_AS_READER
, Demod
.endTime
*16 - DELAY_AIR2ARM_AS_READER
, parity
, FALSE
);
1769 /* performs iso14443a anticollision procedure
1770 * fills the uid pointer unless NULL
1771 * fills resp_data unless NULL */
1772 int iso14443a_select_card(byte_t
*uid_ptr
, iso14a_card_select_t
*p_hi14a_card
, uint32_t *cuid_ptr
) {
1773 uint8_t wupa
[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
1774 uint8_t sel_all
[] = { 0x93,0x20 };
1775 uint8_t sel_uid
[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
1776 uint8_t rats
[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
1777 uint8_t resp
[MAX_FRAME_SIZE
]; // theoretically. A usual RATS will be much smaller
1778 uint8_t resp_par
[MAX_PARITY_SIZE
];
1780 size_t uid_resp_len
;
1782 uint8_t sak
= 0x04; // cascade uid
1783 int cascade_level
= 0;
1786 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1787 ReaderTransmitBitsPar(wupa
,7,0, NULL
);
1790 if(!ReaderReceive(resp
, resp_par
)) return 0;
1793 memcpy(p_hi14a_card
->atqa
, resp
, 2);
1794 p_hi14a_card
->uidlen
= 0;
1795 memset(p_hi14a_card
->uid
,0,10);
1800 memset(uid_ptr
,0,10);
1803 // check for proprietary anticollision:
1804 if ((resp
[0] & 0x1F) == 0) {
1808 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
1809 // which case we need to make a cascade 2 request and select - this is a long UID
1810 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1811 for(; sak
& 0x04; cascade_level
++) {
1812 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1813 sel_uid
[0] = sel_all
[0] = 0x93 + cascade_level
* 2;
1816 ReaderTransmit(sel_all
, sizeof(sel_all
), NULL
);
1817 if (!ReaderReceive(resp
, resp_par
)) return 0;
1819 if (Demod
.collisionPos
) { // we had a collision and need to construct the UID bit by bit
1820 memset(uid_resp
, 0, 4);
1821 uint16_t uid_resp_bits
= 0;
1822 uint16_t collision_answer_offset
= 0;
1823 // anti-collision-loop:
1824 while (Demod
.collisionPos
) {
1825 Dbprintf("Multiple tags detected. Collision after Bit %d", Demod
.collisionPos
);
1826 for (uint16_t i
= collision_answer_offset
; i
< Demod
.collisionPos
; i
++, uid_resp_bits
++) { // add valid UID bits before collision point
1827 uint16_t UIDbit
= (resp
[i
/8] >> (i
% 8)) & 0x01;
1828 uid_resp
[uid_resp_bits
/ 8] |= UIDbit
<< (uid_resp_bits
% 8);
1830 uid_resp
[uid_resp_bits
/8] |= 1 << (uid_resp_bits
% 8); // next time select the card(s) with a 1 in the collision position
1832 // construct anticollosion command:
1833 sel_uid
[1] = ((2 + uid_resp_bits
/8) << 4) | (uid_resp_bits
& 0x07); // length of data in bytes and bits
1834 for (uint16_t i
= 0; i
<= uid_resp_bits
/8; i
++) {
1835 sel_uid
[2+i
] = uid_resp
[i
];
1837 collision_answer_offset
= uid_resp_bits
%8;
1838 ReaderTransmitBits(sel_uid
, 16 + uid_resp_bits
, NULL
);
1839 if (!ReaderReceiveOffset(resp
, collision_answer_offset
, resp_par
)) return 0;
1841 // finally, add the last bits and BCC of the UID
1842 for (uint16_t i
= collision_answer_offset
; i
< (Demod
.len
-1)*8; i
++, uid_resp_bits
++) {
1843 uint16_t UIDbit
= (resp
[i
/8] >> (i
%8)) & 0x01;
1844 uid_resp
[uid_resp_bits
/8] |= UIDbit
<< (uid_resp_bits
% 8);
1847 } else { // no collision, use the response to SELECT_ALL as current uid
1848 memcpy(uid_resp
, resp
, 4);
1852 // calculate crypto UID. Always use last 4 Bytes.
1854 *cuid_ptr
= bytes_to_num(uid_resp
, 4);
1857 // Construct SELECT UID command
1858 sel_uid
[1] = 0x70; // transmitting a full UID (1 Byte cmd, 1 Byte NVB, 4 Byte UID, 1 Byte BCC, 2 Bytes CRC)
1859 memcpy(sel_uid
+2, uid_resp
, 4); // the UID
1860 sel_uid
[6] = sel_uid
[2] ^ sel_uid
[3] ^ sel_uid
[4] ^ sel_uid
[5]; // calculate and add BCC
1861 AppendCrc14443a(sel_uid
, 7); // calculate and add CRC
1862 ReaderTransmit(sel_uid
, sizeof(sel_uid
), NULL
);
1865 if (!ReaderReceive(resp
, resp_par
)) return 0;
1868 // Test if more parts of the uid are coming
1869 if ((sak
& 0x04) /* && uid_resp[0] == 0x88 */) {
1870 // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
1871 // http://www.nxp.com/documents/application_note/AN10927.pdf
1872 uid_resp
[0] = uid_resp
[1];
1873 uid_resp
[1] = uid_resp
[2];
1874 uid_resp
[2] = uid_resp
[3];
1880 memcpy(uid_ptr
+ (cascade_level
*3), uid_resp
, uid_resp_len
);
1884 memcpy(p_hi14a_card
->uid
+ (cascade_level
*3), uid_resp
, uid_resp_len
);
1885 p_hi14a_card
->uidlen
+= uid_resp_len
;
1890 p_hi14a_card
->sak
= sak
;
1891 p_hi14a_card
->ats_len
= 0;
1894 // non iso14443a compliant tag
1895 if( (sak
& 0x20) == 0) return 2;
1897 // Request for answer to select
1898 AppendCrc14443a(rats
, 2);
1899 ReaderTransmit(rats
, sizeof(rats
), NULL
);
1901 if (!(len
= ReaderReceive(resp
, resp_par
))) return 0;
1905 memcpy(p_hi14a_card
->ats
, resp
, sizeof(p_hi14a_card
->ats
));
1906 p_hi14a_card
->ats_len
= len
;
1909 // reset the PCB block number
1910 iso14_pcb_blocknum
= 0;
1912 // set default timeout based on ATS
1913 iso14a_set_ATS_timeout(resp
);
1918 void iso14443a_setup(uint8_t fpga_minor_mode
) {
1919 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
1920 // Set up the synchronous serial port
1922 // connect Demodulated Signal to ADC:
1923 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
1925 // Signal field is on with the appropriate LED
1926 if (fpga_minor_mode
== FPGA_HF_ISO14443A_READER_MOD
1927 || fpga_minor_mode
== FPGA_HF_ISO14443A_READER_LISTEN
) {
1932 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| fpga_minor_mode
);
1939 NextTransferTime
= 2*DELAY_ARM2AIR_AS_READER
;
1940 iso14a_set_timeout(10*106); // 10ms default
1943 int iso14_apdu(uint8_t *cmd
, uint16_t cmd_len
, void *data
) {
1944 uint8_t parity
[MAX_PARITY_SIZE
];
1945 uint8_t real_cmd
[cmd_len
+4];
1946 real_cmd
[0] = 0x0a; //I-Block
1947 // put block number into the PCB
1948 real_cmd
[0] |= iso14_pcb_blocknum
;
1949 real_cmd
[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1950 memcpy(real_cmd
+2, cmd
, cmd_len
);
1951 AppendCrc14443a(real_cmd
,cmd_len
+2);
1953 ReaderTransmit(real_cmd
, cmd_len
+4, NULL
);
1954 size_t len
= ReaderReceive(data
, parity
);
1955 uint8_t *data_bytes
= (uint8_t *) data
;
1957 return 0; //DATA LINK ERROR
1958 // if we received an I- or R(ACK)-Block with a block number equal to the
1959 // current block number, toggle the current block number
1960 else if (len
>= 4 // PCB+CID+CRC = 4 bytes
1961 && ((data_bytes
[0] & 0xC0) == 0 // I-Block
1962 || (data_bytes
[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
1963 && (data_bytes
[0] & 0x01) == iso14_pcb_blocknum
) // equal block numbers
1965 iso14_pcb_blocknum
^= 1;
1971 //-----------------------------------------------------------------------------
1972 // Read an ISO 14443a tag. Send out commands and store answers.
1974 //-----------------------------------------------------------------------------
1975 void ReaderIso14443a(UsbCommand
*c
)
1977 iso14a_command_t param
= c
->arg
[0];
1978 uint8_t *cmd
= c
->d
.asBytes
;
1979 size_t len
= c
->arg
[1] & 0xffff;
1980 size_t lenbits
= c
->arg
[1] >> 16;
1981 uint32_t timeout
= c
->arg
[2];
1983 byte_t buf
[USB_CMD_DATA_SIZE
];
1984 uint8_t par
[MAX_PARITY_SIZE
];
1986 if(param
& ISO14A_CONNECT
) {
1992 if(param
& ISO14A_REQUEST_TRIGGER
) {
1993 iso14a_set_trigger(TRUE
);
1996 if(param
& ISO14A_CONNECT
) {
1997 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN
);
1998 if(!(param
& ISO14A_NO_SELECT
)) {
1999 iso14a_card_select_t
*card
= (iso14a_card_select_t
*)buf
;
2000 arg0
= iso14443a_select_card(NULL
,card
,NULL
);
2001 cmd_send(CMD_ACK
,arg0
,card
->uidlen
,0,buf
,sizeof(iso14a_card_select_t
));
2005 if(param
& ISO14A_SET_TIMEOUT
) {
2006 iso14a_set_timeout(timeout
);
2009 if(param
& ISO14A_APDU
) {
2010 arg0
= iso14_apdu(cmd
, len
, buf
);
2011 cmd_send(CMD_ACK
,arg0
,0,0,buf
,sizeof(buf
));
2014 if(param
& ISO14A_RAW
) {
2015 if(param
& ISO14A_APPEND_CRC
) {
2016 if(param
& ISO14A_TOPAZMODE
) {
2017 AppendCrc14443b(cmd
,len
);
2019 AppendCrc14443a(cmd
,len
);
2022 if (lenbits
) lenbits
+= 16;
2024 if(lenbits
>0) { // want to send a specific number of bits (e.g. short commands)
2025 if(param
& ISO14A_TOPAZMODE
) {
2026 int bits_to_send
= lenbits
;
2028 ReaderTransmitBitsPar(&cmd
[i
++], MIN(bits_to_send
, 7), NULL
, NULL
); // first byte is always short (7bits) and no parity
2030 while (bits_to_send
> 0) {
2031 ReaderTransmitBitsPar(&cmd
[i
++], MIN(bits_to_send
, 8), NULL
, NULL
); // following bytes are 8 bit and no parity
2035 GetParity(cmd
, lenbits
/8, par
);
2036 ReaderTransmitBitsPar(cmd
, lenbits
, par
, NULL
); // bytes are 8 bit with odd parity
2038 } else { // want to send complete bytes only
2039 if(param
& ISO14A_TOPAZMODE
) {
2041 ReaderTransmitBitsPar(&cmd
[i
++], 7, NULL
, NULL
); // first byte: 7 bits, no paritiy
2043 ReaderTransmitBitsPar(&cmd
[i
++], 8, NULL
, NULL
); // following bytes: 8 bits, no paritiy
2046 ReaderTransmit(cmd
,len
, NULL
); // 8 bits, odd parity
2049 arg0
= ReaderReceive(buf
, par
);
2050 cmd_send(CMD_ACK
,arg0
,0,0,buf
,sizeof(buf
));
2053 if(param
& ISO14A_REQUEST_TRIGGER
) {
2054 iso14a_set_trigger(FALSE
);
2057 if(param
& ISO14A_NO_DISCONNECT
) {
2061 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
2066 // Determine the distance between two nonces.
2067 // Assume that the difference is small, but we don't know which is first.
2068 // Therefore try in alternating directions.
2069 int32_t dist_nt(uint32_t nt1
, uint32_t nt2
) {
2071 if (nt1
== nt2
) return 0;
2074 uint32_t nttmp1
= nt1
;
2075 uint32_t nttmp2
= nt2
;
2077 for (i
= 1; i
< 32768; i
++) {
2078 nttmp1
= prng_successor(nttmp1
, 1);
2079 if (nttmp1
== nt2
) return i
;
2080 nttmp2
= prng_successor(nttmp2
, 1);
2081 if (nttmp2
== nt1
) return -i
;
2084 return(-99999); // either nt1 or nt2 are invalid nonces
2088 //-----------------------------------------------------------------------------
2089 // Recover several bits of the cypher stream. This implements (first stages of)
2090 // the algorithm described in "The Dark Side of Security by Obscurity and
2091 // Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
2092 // (article by Nicolas T. Courtois, 2009)
2093 //-----------------------------------------------------------------------------
2094 void ReaderMifare(bool first_try
) {
2095 // free eventually allocated BigBuf memory. We want all for tracing.
2102 uint8_t mf_auth
[] = { 0x60,0x00,0xf5,0x7b };
2103 uint8_t mf_nr_ar
[8] = { 0x00 }; //{ 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 };
2104 static uint8_t mf_nr_ar3
= 0;
2106 uint8_t receivedAnswer
[MAX_MIFARE_FRAME_SIZE
] = { 0x00 };
2107 uint8_t receivedAnswerPar
[MAX_MIFARE_PARITY_SIZE
] = { 0x00 };
2110 uint8_t par
[1] = {0}; // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
2111 static byte_t par_low
= 0;
2113 uint8_t uid
[10] = {0x00};
2114 //uint32_t cuid = 0x00;
2117 uint32_t previous_nt
= 0;
2118 static uint32_t nt_attacked
= 0;
2119 byte_t par_list
[8] = {0x00};
2120 byte_t ks_list
[8] = {0x00};
2122 static uint32_t sync_time
= 0;
2123 static uint32_t sync_cycles
= 0;
2124 int catch_up_cycles
= 0;
2125 int last_catch_up
= 0;
2126 uint16_t consecutive_resyncs
= 0;
2129 int numWrongDistance
= 0;
2133 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD
);
2134 sync_time
= GetCountSspClk() & 0xfffffff8;
2135 sync_cycles
= 65536; // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).
2141 // we were unsuccessful on a previous call. Try another READER nonce (first 3 parity bits remain the same)
2143 mf_nr_ar
[3] = mf_nr_ar3
;
2152 for(uint16_t i
= 0; TRUE
; i
++) {
2156 // Test if the action was cancelled
2157 if(BUTTON_PRESS()) break;
2159 if (numWrongDistance
> 1000) {
2164 //if(!iso14443a_select_card(uid, NULL, &cuid)) {
2165 if(!iso14443a_select_card(uid
, NULL
, NULL
)) {
2166 if (MF_DBGLEVEL
>= 1) Dbprintf("Mifare: Can't select card");
2170 sync_time
= (sync_time
& 0xfffffff8) + sync_cycles
+ catch_up_cycles
;
2171 catch_up_cycles
= 0;
2173 // if we missed the sync time already, advance to the next nonce repeat
2174 while(GetCountSspClk() > sync_time
) {
2175 sync_time
= (sync_time
& 0xfffffff8) + sync_cycles
;
2178 // Transmit MIFARE_CLASSIC_AUTH at synctime. Should result in returning the same tag nonce (== nt_attacked)
2179 ReaderTransmit(mf_auth
, sizeof(mf_auth
), &sync_time
);
2181 // Receive the (4 Byte) "random" nonce
2182 if (!ReaderReceive(receivedAnswer
, receivedAnswerPar
)) {
2183 if (MF_DBGLEVEL
>= 1) Dbprintf("Mifare: Couldn't receive tag nonce");
2188 nt
= bytes_to_num(receivedAnswer
, 4);
2190 // Transmit reader nonce with fake par
2191 ReaderTransmitPar(mf_nr_ar
, sizeof(mf_nr_ar
), par
, NULL
);
2193 if (first_try
&& previous_nt
&& !nt_attacked
) { // we didn't calibrate our clock yet
2194 int nt_distance
= dist_nt(previous_nt
, nt
);
2195 if (nt_distance
== 0) {
2200 // invalid nonce received, try again
2201 if (nt_distance
== -99999) {
2203 if (MF_DBGLEVEL
>= 3) Dbprintf("The two nonces has invalid distance, tag could have good PRNG\n");
2207 sync_cycles
= (sync_cycles
- nt_distance
);
2208 if (MF_DBGLEVEL
>= 3) Dbprintf("calibrating in cycle %d. nt_distance=%d, Sync_cycles: %d\n", i
, nt_distance
, sync_cycles
);
2213 if ((nt
!= nt_attacked
) && nt_attacked
) { // we somehow lost sync. Try to catch up again...
2214 catch_up_cycles
= -dist_nt(nt_attacked
, nt
);
2215 if (catch_up_cycles
>= 99999) { // invalid nonce received. Don't resync on that one.
2216 catch_up_cycles
= 0;
2219 if (catch_up_cycles
== last_catch_up
) {
2220 consecutive_resyncs
++;
2223 last_catch_up
= catch_up_cycles
;
2224 consecutive_resyncs
= 0;
2226 if (consecutive_resyncs
< 3) {
2227 if (MF_DBGLEVEL
>= 3) Dbprintf("Lost sync in cycle %d. nt_distance=%d. Consecutive Resyncs = %d. Trying one time catch up...\n", i
, -catch_up_cycles
, consecutive_resyncs
);
2230 sync_cycles
= sync_cycles
+ catch_up_cycles
;
2231 if (MF_DBGLEVEL
>= 3) Dbprintf("Lost sync in cycle %d for the fourth time consecutively (nt_distance = %d). Adjusting sync_cycles to %d.\n", i
, -catch_up_cycles
, sync_cycles
);
2236 consecutive_resyncs
= 0;
2238 // Receive answer. This will be a 4 Bit NACK when the 8 parity bits are OK after decoding
2239 if (ReaderReceive(receivedAnswer
, receivedAnswerPar
))
2241 catch_up_cycles
= 8; // the PRNG is delayed by 8 cycles due to the NAC (4Bits = 0x05 encrypted) transfer
2245 par_low
= par
[0] & 0xE0; // there is no need to check all parities for other nt_diff. Parity Bits for mf_nr_ar[0..2] won't change
2249 if(led_on
) LED_B_ON(); else LED_B_OFF();
2251 par_list
[nt_diff
] = SwapBits(par
[0], 8);
2252 ks_list
[nt_diff
] = receivedAnswer
[0] ^ 0x05;
2254 // Test if the information is complete
2255 if (nt_diff
== 0x07) {
2260 nt_diff
= (nt_diff
+ 1) & 0x07;
2261 mf_nr_ar
[3] = (mf_nr_ar
[3] & 0x1F) | (nt_diff
<< 5);
2264 if (nt_diff
== 0 && first_try
)
2268 par
[0] = ((par
[0] & 0x1F) + 1) | par_low
;
2273 mf_nr_ar
[3] &= 0x1F;
2275 byte_t buf
[28] = {0x00};
2277 memcpy(buf
+ 0, uid
, 4);
2278 num_to_bytes(nt
, 4, buf
+ 4);
2279 memcpy(buf
+ 8, par_list
, 8);
2280 memcpy(buf
+ 16, ks_list
, 8);
2281 memcpy(buf
+ 24, mf_nr_ar
, 4);
2283 cmd_send(CMD_ACK
,isOK
,0,0,buf
,28);
2286 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
2292 *MIFARE 1K simulate.
2295 * FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
2296 * 4B_FLAG_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that
2297 * 7B_FLAG_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
2298 * FLAG_NR_AR_ATTACK - means we should collect NR_AR responses for bruteforcing later
2299 *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is inifite
2301 void Mifare1ksim(uint8_t flags
, uint8_t exitAfterNReads
, uint8_t arg2
, uint8_t *datain
)
2303 int cardSTATE
= MFEMUL_NOFIELD
;
2305 int vHf
= 0; // in mV
2307 uint32_t selTimer
= 0;
2308 uint32_t authTimer
= 0;
2310 uint8_t cardWRBL
= 0;
2311 uint8_t cardAUTHSC
= 0;
2312 uint8_t cardAUTHKEY
= 0xff; // no authentication
2313 uint32_t cardRr
= 0;
2315 //uint32_t rn_enc = 0;
2317 uint32_t cardINTREG
= 0;
2318 uint8_t cardINTBLOCK
= 0;
2319 struct Crypto1State mpcs
= {0, 0};
2320 struct Crypto1State
*pcs
;
2322 uint32_t numReads
= 0;//Counts numer of times reader read a block
2323 uint8_t receivedCmd
[MAX_MIFARE_FRAME_SIZE
];
2324 uint8_t receivedCmd_par
[MAX_MIFARE_PARITY_SIZE
];
2325 uint8_t response
[MAX_MIFARE_FRAME_SIZE
];
2326 uint8_t response_par
[MAX_MIFARE_PARITY_SIZE
];
2328 uint8_t rATQA
[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
2329 uint8_t rUIDBCC1
[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
2330 uint8_t rUIDBCC2
[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
2331 uint8_t rSAK
[] = {0x08, 0xb6, 0xdd};
2332 uint8_t rSAK1
[] = {0x04, 0xda, 0x17};
2334 uint8_t rAUTH_NT
[] = {0x01, 0x02, 0x03, 0x04};
2335 uint8_t rAUTH_AT
[] = {0x00, 0x00, 0x00, 0x00};
2337 //Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2
2338 // This can be used in a reader-only attack.
2339 // (it can also be retrieved via 'hf 14a list', but hey...
2340 uint32_t ar_nr_responses
[] = {0,0,0,0,0,0,0,0};
2341 uint8_t ar_nr_collected
= 0;
2343 // free eventually allocated BigBuf memory but keep Emulator Memory
2344 BigBuf_free_keep_EM();
2350 // Authenticate response - nonce
2351 uint32_t nonce
= bytes_to_num(rAUTH_NT
, 4);
2353 //-- Determine the UID
2354 // Can be set from emulator memory, incoming data
2355 // and can be 7 or 4 bytes long
2356 if (flags
& FLAG_4B_UID_IN_DATA
)
2358 // 4B uid comes from data-portion of packet
2359 memcpy(rUIDBCC1
,datain
,4);
2360 rUIDBCC1
[4] = rUIDBCC1
[0] ^ rUIDBCC1
[1] ^ rUIDBCC1
[2] ^ rUIDBCC1
[3];
2362 } else if (flags
& FLAG_7B_UID_IN_DATA
) {
2363 // 7B uid comes from data-portion of packet
2364 memcpy(&rUIDBCC1
[1],datain
,3);
2365 memcpy(rUIDBCC2
, datain
+3, 4);
2368 // get UID from emul memory
2369 emlGetMemBt(receivedCmd
, 7, 1);
2370 _7BUID
= !(receivedCmd
[0] == 0x00);
2371 if (!_7BUID
) { // ---------- 4BUID
2372 emlGetMemBt(rUIDBCC1
, 0, 4);
2373 } else { // ---------- 7BUID
2374 emlGetMemBt(&rUIDBCC1
[1], 0, 3);
2375 emlGetMemBt(rUIDBCC2
, 3, 4);
2380 * Regardless of what method was used to set the UID, set fifth byte and modify
2381 * the ATQA for 4 or 7-byte UID
2383 rUIDBCC1
[4] = rUIDBCC1
[0] ^ rUIDBCC1
[1] ^ rUIDBCC1
[2] ^ rUIDBCC1
[3];
2387 rUIDBCC1
[4] = rUIDBCC1
[0] ^ rUIDBCC1
[1] ^ rUIDBCC1
[2] ^ rUIDBCC1
[3];
2388 rUIDBCC2
[4] = rUIDBCC2
[0] ^ rUIDBCC2
[1] ^ rUIDBCC2
[2] ^ rUIDBCC2
[3];
2391 // We need to listen to the high-frequency, peak-detected path.
2392 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN
);
2395 if (MF_DBGLEVEL
>= 1) {
2397 Dbprintf("4B UID: %02x%02x%02x%02x",
2398 rUIDBCC1
[0], rUIDBCC1
[1], rUIDBCC1
[2], rUIDBCC1
[3]);
2400 Dbprintf("7B UID: (%02x)%02x%02x%02x%02x%02x%02x%02x",
2401 rUIDBCC1
[0], rUIDBCC1
[1], rUIDBCC1
[2], rUIDBCC1
[3],
2402 rUIDBCC2
[0], rUIDBCC2
[1] ,rUIDBCC2
[2], rUIDBCC2
[3]);
2406 bool finished
= FALSE
;
2407 while (!BUTTON_PRESS() && !finished
) {
2410 // find reader field
2411 if (cardSTATE
== MFEMUL_NOFIELD
) {
2412 vHf
= (MAX_ADC_HF_VOLTAGE
* AvgAdc(ADC_CHAN_HF
)) >> 10;
2413 if (vHf
> MF_MINFIELDV
) {
2414 cardSTATE_TO_IDLE();
2418 if(cardSTATE
== MFEMUL_NOFIELD
) continue;
2422 res
= EmGetCmd(receivedCmd
, &len
, receivedCmd_par
);
2423 if (res
== 2) { //Field is off!
2424 cardSTATE
= MFEMUL_NOFIELD
;
2427 } else if (res
== 1) {
2428 break; //return value 1 means button press
2431 // REQ or WUP request in ANY state and WUP in HALTED state
2432 if (len
== 1 && ((receivedCmd
[0] == 0x26 && cardSTATE
!= MFEMUL_HALTED
) || receivedCmd
[0] == 0x52)) {
2433 selTimer
= GetTickCount();
2434 EmSendCmdEx(rATQA
, sizeof(rATQA
), (receivedCmd
[0] == 0x52));
2435 cardSTATE
= MFEMUL_SELECT1
;
2437 // init crypto block
2440 crypto1_destroy(pcs
);
2445 switch (cardSTATE
) {
2446 case MFEMUL_NOFIELD
:
2449 LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
);
2452 case MFEMUL_SELECT1
:{
2454 if (len
== 2 && (receivedCmd
[0] == 0x93 && receivedCmd
[1] == 0x20)) {
2455 if (MF_DBGLEVEL
>= 4) Dbprintf("SELECT ALL received");
2456 EmSendCmd(rUIDBCC1
, sizeof(rUIDBCC1
));
2460 if (MF_DBGLEVEL
>= 4 && len
== 9 && receivedCmd
[0] == 0x93 && receivedCmd
[1] == 0x70 )
2462 Dbprintf("SELECT %02x%02x%02x%02x received",receivedCmd
[2],receivedCmd
[3],receivedCmd
[4],receivedCmd
[5]);
2466 (receivedCmd
[0] == 0x93 && receivedCmd
[1] == 0x70 && memcmp(&receivedCmd
[2], rUIDBCC1
, 4) == 0)) {
2467 EmSendCmd(_7BUID
?rSAK1
:rSAK
, _7BUID
?sizeof(rSAK1
):sizeof(rSAK
));
2468 cuid
= bytes_to_num(rUIDBCC1
, 4);
2470 cardSTATE
= MFEMUL_WORK
;
2472 if (MF_DBGLEVEL
>= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer
);
2475 cardSTATE
= MFEMUL_SELECT2
;
2483 cardSTATE_TO_IDLE();
2484 LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
);
2488 uint32_t ar
= bytes_to_num(receivedCmd
, 4);
2489 uint32_t nr
= bytes_to_num(&receivedCmd
[4], 4);
2492 //if(ar_nr_collected < 2 && cardAUTHSC == 2){
2493 if(ar_nr_collected
< 2){
2494 if(ar_nr_responses
[2] != ar
)
2495 {// Avoid duplicates... probably not necessary, ar should vary.
2496 ar_nr_responses
[ar_nr_collected
*4] = cuid
;
2497 ar_nr_responses
[ar_nr_collected
*4+1] = nonce
;
2498 ar_nr_responses
[ar_nr_collected
*4+2] = ar
;
2499 ar_nr_responses
[ar_nr_collected
*4+3] = nr
;
2502 // Interactive mode flag, means we need to send ACK
2503 if(flags
& FLAG_INTERACTIVE
&& ar_nr_collected
== 2)
2510 crypto1_word(pcs
, ar
, 1);
2511 cardRr
= nr
^ crypto1_word(pcs
, 0, 0);
2514 if (cardRr
!= prng_successor(nonce
, 64)){
2515 if (MF_DBGLEVEL
>= 2) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
2516 cardAUTHSC
, cardAUTHKEY
== 0 ? 'A' : 'B',
2517 cardRr
, prng_successor(nonce
, 64));
2518 // Shouldn't we respond anything here?
2519 // Right now, we don't nack or anything, which causes the
2520 // reader to do a WUPA after a while. /Martin
2521 // -- which is the correct response. /piwi
2522 cardSTATE_TO_IDLE();
2523 LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
);
2527 ans
= prng_successor(nonce
, 96) ^ crypto1_word(pcs
, 0, 0);
2529 num_to_bytes(ans
, 4, rAUTH_AT
);
2531 EmSendCmd(rAUTH_AT
, sizeof(rAUTH_AT
));
2533 cardSTATE
= MFEMUL_WORK
;
2534 if (MF_DBGLEVEL
>= 4) Dbprintf("AUTH COMPLETED for sector %d with key %c. time=%d",
2535 cardAUTHSC
, cardAUTHKEY
== 0 ? 'A' : 'B',
2536 GetTickCount() - authTimer
);
2539 case MFEMUL_SELECT2
:{
2541 LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
);
2544 if (len
== 2 && (receivedCmd
[0] == 0x95 && receivedCmd
[1] == 0x20)) {
2545 EmSendCmd(rUIDBCC2
, sizeof(rUIDBCC2
));
2551 (receivedCmd
[0] == 0x95 && receivedCmd
[1] == 0x70 && memcmp(&receivedCmd
[2], rUIDBCC2
, 4) == 0)) {
2552 EmSendCmd(rSAK
, sizeof(rSAK
));
2553 cuid
= bytes_to_num(rUIDBCC2
, 4);
2554 cardSTATE
= MFEMUL_WORK
;
2556 if (MF_DBGLEVEL
>= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer
);
2560 // i guess there is a command). go into the work state.
2562 LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
);
2565 cardSTATE
= MFEMUL_WORK
;
2567 //intentional fall-through to the next case-stmt
2572 LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
);
2576 bool encrypted_data
= (cardAUTHKEY
!= 0xFF) ;
2578 if(encrypted_data
) {
2580 mf_crypto1_decrypt(pcs
, receivedCmd
, len
);
2583 if (len
== 4 && (receivedCmd
[0] == 0x60 || receivedCmd
[0] == 0x61)) {
2584 authTimer
= GetTickCount();
2585 cardAUTHSC
= receivedCmd
[1] / 4; // received block num
2586 cardAUTHKEY
= receivedCmd
[0] - 0x60;
2587 crypto1_destroy(pcs
);//Added by martin
2588 crypto1_create(pcs
, emlGetKey(cardAUTHSC
, cardAUTHKEY
));
2590 if (!encrypted_data
) { // first authentication
2591 if (MF_DBGLEVEL
>= 4) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd
[1] ,receivedCmd
[1],cardAUTHKEY
);
2593 crypto1_word(pcs
, cuid
^ nonce
, 0);//Update crypto state
2594 num_to_bytes(nonce
, 4, rAUTH_AT
); // Send nonce
2595 } else { // nested authentication
2596 if (MF_DBGLEVEL
>= 4) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d",receivedCmd
[1] ,receivedCmd
[1],cardAUTHKEY
);
2597 ans
= nonce
^ crypto1_word(pcs
, cuid
^ nonce
, 0);
2598 num_to_bytes(ans
, 4, rAUTH_AT
);
2601 EmSendCmd(rAUTH_AT
, sizeof(rAUTH_AT
));
2602 //Dbprintf("Sending rAUTH %02x%02x%02x%02x", rAUTH_AT[0],rAUTH_AT[1],rAUTH_AT[2],rAUTH_AT[3]);
2603 cardSTATE
= MFEMUL_AUTH1
;
2607 // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued
2608 // BUT... ACK --> NACK
2609 if (len
== 1 && receivedCmd
[0] == CARD_ACK
) {
2610 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
2614 // rule 12 of 7.5.3. in ISO 14443-4. R(NAK) --> R(ACK)
2615 if (len
== 1 && receivedCmd
[0] == CARD_NACK_NA
) {
2616 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_ACK
));
2621 LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
);
2625 if(receivedCmd
[0] == 0x30 // read block
2626 || receivedCmd
[0] == 0xA0 // write block
2627 || receivedCmd
[0] == 0xC0 // inc
2628 || receivedCmd
[0] == 0xC1 // dec
2629 || receivedCmd
[0] == 0xC2 // restore
2630 || receivedCmd
[0] == 0xB0) { // transfer
2631 if (receivedCmd
[1] >= 16 * 4) {
2632 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
2633 if (MF_DBGLEVEL
>= 2) Dbprintf("Reader tried to operate (0x%02) on out of range block: %d (0x%02x), nacking",receivedCmd
[0],receivedCmd
[1],receivedCmd
[1]);
2637 if (receivedCmd
[1] / 4 != cardAUTHSC
) {
2638 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
2639 if (MF_DBGLEVEL
>= 2) Dbprintf("Reader tried to operate (0x%02) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd
[0],receivedCmd
[1],cardAUTHSC
);
2644 if (receivedCmd
[0] == 0x30) {
2645 if (MF_DBGLEVEL
>= 4) {
2646 Dbprintf("Reader reading block %d (0x%02x)",receivedCmd
[1],receivedCmd
[1]);
2648 emlGetMem(response
, receivedCmd
[1], 1);
2649 AppendCrc14443a(response
, 16);
2650 mf_crypto1_encrypt(pcs
, response
, 18, response_par
);
2651 EmSendCmdPar(response
, 18, response_par
);
2653 if(exitAfterNReads
> 0 && numReads
>= exitAfterNReads
) {
2654 Dbprintf("%d reads done, exiting", numReads
);
2660 if (receivedCmd
[0] == 0xA0) {
2661 if (MF_DBGLEVEL
>= 4) Dbprintf("RECV 0xA0 write block %d (%02x)",receivedCmd
[1],receivedCmd
[1]);
2662 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_ACK
));
2663 cardSTATE
= MFEMUL_WRITEBL2
;
2664 cardWRBL
= receivedCmd
[1];
2667 // increment, decrement, restore
2668 if (receivedCmd
[0] == 0xC0 || receivedCmd
[0] == 0xC1 || receivedCmd
[0] == 0xC2) {
2669 if (MF_DBGLEVEL
>= 4) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd
[0],receivedCmd
[1],receivedCmd
[1]);
2670 if (emlCheckValBl(receivedCmd
[1])) {
2671 if (MF_DBGLEVEL
>= 2) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
2672 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
2675 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_ACK
));
2676 if (receivedCmd
[0] == 0xC1)
2677 cardSTATE
= MFEMUL_INTREG_INC
;
2678 if (receivedCmd
[0] == 0xC0)
2679 cardSTATE
= MFEMUL_INTREG_DEC
;
2680 if (receivedCmd
[0] == 0xC2)
2681 cardSTATE
= MFEMUL_INTREG_REST
;
2682 cardWRBL
= receivedCmd
[1];
2686 if (receivedCmd
[0] == 0xB0) {
2687 if (MF_DBGLEVEL
>= 4) Dbprintf("RECV 0x%02x transfer block %d (%02x)",receivedCmd
[0],receivedCmd
[1],receivedCmd
[1]);
2688 if (emlSetValBl(cardINTREG
, cardINTBLOCK
, receivedCmd
[1]))
2689 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
2691 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_ACK
));
2695 if (receivedCmd
[0] == 0x50 && receivedCmd
[1] == 0x00) {
2698 cardSTATE
= MFEMUL_HALTED
;
2699 if (MF_DBGLEVEL
>= 4) Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer
);
2700 LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
);
2704 if (receivedCmd
[0] == 0xe0) {//RATS
2705 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
2708 // command not allowed
2709 if (MF_DBGLEVEL
>= 4) Dbprintf("Received command not allowed, nacking");
2710 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
2713 case MFEMUL_WRITEBL2
:{
2715 mf_crypto1_decrypt(pcs
, receivedCmd
, len
);
2716 emlSetMem(receivedCmd
, cardWRBL
, 1);
2717 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_ACK
));
2718 cardSTATE
= MFEMUL_WORK
;
2720 cardSTATE_TO_IDLE();
2721 LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
);
2726 case MFEMUL_INTREG_INC
:{
2727 mf_crypto1_decrypt(pcs
, receivedCmd
, len
);
2728 memcpy(&ans
, receivedCmd
, 4);
2729 if (emlGetValBl(&cardINTREG
, &cardINTBLOCK
, cardWRBL
)) {
2730 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
2731 cardSTATE_TO_IDLE();
2734 LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
);
2735 cardINTREG
= cardINTREG
+ ans
;
2736 cardSTATE
= MFEMUL_WORK
;
2739 case MFEMUL_INTREG_DEC
:{
2740 mf_crypto1_decrypt(pcs
, receivedCmd
, len
);
2741 memcpy(&ans
, receivedCmd
, 4);
2742 if (emlGetValBl(&cardINTREG
, &cardINTBLOCK
, cardWRBL
)) {
2743 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
2744 cardSTATE_TO_IDLE();
2747 LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
);
2748 cardINTREG
= cardINTREG
- ans
;
2749 cardSTATE
= MFEMUL_WORK
;
2752 case MFEMUL_INTREG_REST
:{
2753 mf_crypto1_decrypt(pcs
, receivedCmd
, len
);
2754 memcpy(&ans
, receivedCmd
, 4);
2755 if (emlGetValBl(&cardINTREG
, &cardINTBLOCK
, cardWRBL
)) {
2756 EmSend4bit(mf_crypto1_encrypt4bit(pcs
, CARD_NACK_NA
));
2757 cardSTATE_TO_IDLE();
2760 LogTrace(Uart
.output
, Uart
.len
, Uart
.startTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.endTime
*16 - DELAY_AIR2ARM_AS_TAG
, Uart
.parity
, TRUE
);
2761 cardSTATE
= MFEMUL_WORK
;
2767 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
2770 if(flags
& FLAG_INTERACTIVE
)// Interactive mode flag, means we need to send ACK
2772 //May just aswell send the collected ar_nr in the response aswell
2773 cmd_send(CMD_ACK
,CMD_SIMULATE_MIFARE_CARD
,1,0,&ar_nr_responses
,ar_nr_collected
*4*4);
2776 if(flags
& FLAG_NR_AR_ATTACK
&& MF_DBGLEVEL
>= 1 )
2778 if(ar_nr_collected
> 1 ) {
2779 Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
2780 Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
2781 ar_nr_responses
[0], // UID
2782 ar_nr_responses
[1], // NT
2783 ar_nr_responses
[2], // AR1
2784 ar_nr_responses
[3], // NR1
2785 ar_nr_responses
[6], // AR2
2786 ar_nr_responses
[7] // NR2
2789 Dbprintf("Failed to obtain two AR/NR pairs!");
2790 if(ar_nr_collected
> 0 ) {
2791 Dbprintf("Only got these: UID=%08x, nonce=%08x, AR1=%08x, NR1=%08x",
2792 ar_nr_responses
[0], // UID
2793 ar_nr_responses
[1], // NT
2794 ar_nr_responses
[2], // AR1
2795 ar_nr_responses
[3] // NR1
2800 if (MF_DBGLEVEL
>= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing
, BigBuf_get_traceLen());
2805 //-----------------------------------------------------------------------------
2808 //-----------------------------------------------------------------------------
2809 void RAMFUNC
SniffMifare(uint8_t param
) {
2811 // bit 0 - trigger from first card answer
2812 // bit 1 - trigger from first reader 7-bit request
2814 // free eventually allocated BigBuf memory
2817 // C(red) A(yellow) B(green)
2819 // init trace buffer
2823 // The command (reader -> tag) that we're receiving.
2824 // The length of a received command will in most cases be no more than 18 bytes.
2825 // So 32 should be enough!
2826 uint8_t receivedCmd
[MAX_MIFARE_FRAME_SIZE
];
2827 uint8_t receivedCmdPar
[MAX_MIFARE_PARITY_SIZE
];
2828 // The response (tag -> reader) that we're receiving.
2829 uint8_t receivedResponse
[MAX_MIFARE_FRAME_SIZE
];
2830 uint8_t receivedResponsePar
[MAX_MIFARE_PARITY_SIZE
];
2832 // allocate the DMA buffer, used to stream samples from the FPGA
2833 uint8_t *dmaBuf
= BigBuf_malloc(DMA_BUFFER_SIZE
);
2834 uint8_t *data
= dmaBuf
;
2835 uint8_t previous_data
= 0;
2838 bool ReaderIsActive
= FALSE
;
2839 bool TagIsActive
= FALSE
;
2841 iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER
);
2843 // Set up the demodulator for tag -> reader responses.
2844 DemodInit(receivedResponse
, receivedResponsePar
);
2846 // Set up the demodulator for the reader -> tag commands
2847 UartInit(receivedCmd
, receivedCmdPar
);
2849 // Setup for the DMA.
2850 FpgaSetupSscDma((uint8_t *)dmaBuf
, DMA_BUFFER_SIZE
); // set transfer address and number of bytes. Start transfer.
2857 // And now we loop, receiving samples.
2858 for(uint32_t sniffCounter
= 0; TRUE
; ) {
2860 if(BUTTON_PRESS()) {
2861 DbpString("cancelled by button");
2868 if ((sniffCounter
& 0x0000FFFF) == 0) { // from time to time
2869 // check if a transaction is completed (timeout after 2000ms).
2870 // if yes, stop the DMA transfer and send what we have so far to the client
2871 if (MfSniffSend(2000)) {
2872 // Reset everything - we missed some sniffed data anyway while the DMA was stopped
2876 ReaderIsActive
= FALSE
;
2877 TagIsActive
= FALSE
;
2878 FpgaSetupSscDma((uint8_t *)dmaBuf
, DMA_BUFFER_SIZE
); // set transfer address and number of bytes. Start transfer.
2882 int register readBufDataP
= data
- dmaBuf
; // number of bytes we have processed so far
2883 int register dmaBufDataP
= DMA_BUFFER_SIZE
- AT91C_BASE_PDC_SSC
->PDC_RCR
; // number of bytes already transferred
2884 if (readBufDataP
<= dmaBufDataP
){ // we are processing the same block of data which is currently being transferred
2885 dataLen
= dmaBufDataP
- readBufDataP
; // number of bytes still to be processed
2887 dataLen
= DMA_BUFFER_SIZE
- readBufDataP
+ dmaBufDataP
; // number of bytes still to be processed
2889 // test for length of buffer
2890 if(dataLen
> maxDataLen
) { // we are more behind than ever...
2891 maxDataLen
= dataLen
;
2892 if(dataLen
> (9 * DMA_BUFFER_SIZE
/ 10)) {
2893 Dbprintf("blew circular buffer! dataLen=0x%x", dataLen
);
2897 if(dataLen
< 1) continue;
2899 // primary buffer was stopped ( <-- we lost data!
2900 if (!AT91C_BASE_PDC_SSC
->PDC_RCR
) {
2901 AT91C_BASE_PDC_SSC
->PDC_RPR
= (uint32_t) dmaBuf
;
2902 AT91C_BASE_PDC_SSC
->PDC_RCR
= DMA_BUFFER_SIZE
;
2903 Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen
); // temporary
2905 // secondary buffer sets as primary, secondary buffer was stopped
2906 if (!AT91C_BASE_PDC_SSC
->PDC_RNCR
) {
2907 AT91C_BASE_PDC_SSC
->PDC_RNPR
= (uint32_t) dmaBuf
;
2908 AT91C_BASE_PDC_SSC
->PDC_RNCR
= DMA_BUFFER_SIZE
;
2913 if (sniffCounter
& 0x01) {
2915 if(!TagIsActive
) { // no need to try decoding tag data if the reader is sending
2916 uint8_t readerdata
= (previous_data
& 0xF0) | (*data
>> 4);
2917 if(MillerDecoding(readerdata
, (sniffCounter
-1)*4)) {
2919 if (MfSniffLogic(receivedCmd
, Uart
.len
, Uart
.parity
, Uart
.bitCount
, TRUE
)) break;
2921 /* And ready to receive another command. */
2922 UartInit(receivedCmd
, receivedCmdPar
);
2924 /* And also reset the demod code */
2927 ReaderIsActive
= (Uart
.state
!= STATE_UNSYNCD
);
2930 if(!ReaderIsActive
) { // no need to try decoding tag data if the reader is sending
2931 uint8_t tagdata
= (previous_data
<< 4) | (*data
& 0x0F);
2932 if(ManchesterDecoding(tagdata
, 0, (sniffCounter
-1)*4)) {
2935 if (MfSniffLogic(receivedResponse
, Demod
.len
, Demod
.parity
, Demod
.bitCount
, FALSE
)) break;
2937 // And ready to receive another response.
2940 // And reset the Miller decoder including its (now outdated) input buffer
2941 UartInit(receivedCmd
, receivedCmdPar
);
2943 TagIsActive
= (Demod
.state
!= DEMOD_UNSYNCD
);
2947 previous_data
= *data
;
2950 if(data
== dmaBuf
+ DMA_BUFFER_SIZE
) {
2956 DbpString("COMMAND FINISHED");
2958 FpgaDisableSscDma();
2961 Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.len=%x", maxDataLen
, Uart
.state
, Uart
.len
);