]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443b.c
projects / proxmark3-svn / blob
? search:


9616cb301266853ec58b2da2c7e13f4497d7082c
[proxmark3-svn] / armsrc / iso14443b.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, split Nov 2006
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Routines to support ISO 14443B. This includes both the reader software and
9 // the `fake tag' modes.
10 //-----------------------------------------------------------------------------
11 #include "iso14443b.h"
12
13 #define RECEIVE_SAMPLES_TIMEOUT 20000
14 #define ISO14443B_DMA_BUFFER_SIZE 256
15
16 // the block number for the ISO14443-4 PCB (used with APDUs)
17 static uint8_t pcb_blocknum = 0;
18
19 //=============================================================================
20 // An ISO 14443 Type B tag. We listen for commands from the reader, using
21 // a UART kind of thing that's implemented in software. When we get a
22 // frame (i.e., a group of bytes between SOF and EOF), we check the CRC.
23 // If it's good, then we can do something appropriate with it, and send
24 // a response.
25 //=============================================================================
26
27
28 //-----------------------------------------------------------------------------
29 // The software UART that receives commands from the reader, and its state
30 // variables.
31 //-----------------------------------------------------------------------------
32 static struct {
33 enum {
34 STATE_UNSYNCD,
35 STATE_GOT_FALLING_EDGE_OF_SOF,
36 STATE_AWAITING_START_BIT,
37 STATE_RECEIVING_DATA
38 } state;
39 uint16_t shiftReg;
40 int bitCnt;
41 int byteCnt;
42 int byteCntMax;
43 int posCnt;
44 uint8_t *output;
45 } Uart;
46
47 static void UartReset()
48 {
49 Uart.byteCntMax = MAX_FRAME_SIZE;
50 Uart.state = STATE_UNSYNCD;
51 Uart.byteCnt = 0;
52 Uart.bitCnt = 0;
53 Uart.posCnt = 0;
54 memset(Uart.output, 0x00, MAX_FRAME_SIZE);
55 }
56
57 static void UartInit(uint8_t *data)
58 {
59 Uart.output = data;
60 UartReset();
61 }
62
63
64 static struct {
65 enum {
66 DEMOD_UNSYNCD,
67 DEMOD_PHASE_REF_TRAINING,
68 DEMOD_AWAITING_FALLING_EDGE_OF_SOF,
69 DEMOD_GOT_FALLING_EDGE_OF_SOF,
70 DEMOD_AWAITING_START_BIT,
71 DEMOD_RECEIVING_DATA
72 } state;
73 int bitCount;
74 int posCount;
75 int thisBit;
76 /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
77 int metric;
78 int metricN;
79 */
80 uint16_t shiftReg;
81 uint8_t *output;
82 int len;
83 int sumI;
84 int sumQ;
85 } Demod;
86
87 static void DemodReset()
88 {
89 // Clear out the state of the "UART" that receives from the tag.
90 Demod.len = 0;
91 Demod.state = DEMOD_UNSYNCD;
92 Demod.posCount = 0;
93 Demod.sumI = 0;
94 Demod.sumQ = 0;
95 Demod.bitCount = 0;
96 Demod.thisBit = 0;
97 Demod.shiftReg = 0;
98 //memset(Demod.output, 0x00, MAX_FRAME_SIZE);
99 }
100
101
102 static void DemodInit(uint8_t *data)
103 {
104 Demod.output = data;
105 DemodReset();
106 }
107
108
109 void AppendCrc14443b(uint8_t* data, int len)
110 {
111 ComputeCrc14443(CRC_14443_B,data,len,data+len,data+len+1);
112 }
113
114 //-----------------------------------------------------------------------------
115 // Code up a string of octets at layer 2 (including CRC, we don't generate
116 // that here) so that they can be transmitted to the reader. Doesn't transmit
117 // them yet, just leaves them ready to send in ToSend[].
118 //-----------------------------------------------------------------------------
119 static void CodeIso14443bAsTag(const uint8_t *cmd, int len)
120 {
121 int i;
122
123 ToSendReset();
124
125 // Transmit a burst of ones, as the initial thing that lets the
126 // reader get phase sync. This (TR1) must be > 80/fs, per spec,
127 // but tag that I've tried (a Paypass) exceeds that by a fair bit,
128 // so I will too.
129 for(i = 0; i < 20; i++) {
130 ToSendStuffBit(1);
131 ToSendStuffBit(1);
132 ToSendStuffBit(1);
133 ToSendStuffBit(1);
134 }
135
136 // Send SOF.
137 for(i = 0; i < 10; i++) {
138 ToSendStuffBit(0);
139 ToSendStuffBit(0);
140 ToSendStuffBit(0);
141 ToSendStuffBit(0);
142 }
143 for(i = 0; i < 2; i++) {
144 ToSendStuffBit(1);
145 ToSendStuffBit(1);
146 ToSendStuffBit(1);
147 ToSendStuffBit(1);
148 }
149
150 for(i = 0; i < len; i++) {
151 int j;
152 uint8_t b = cmd[i];
153
154 // Start bit
155 ToSendStuffBit(0);
156 ToSendStuffBit(0);
157 ToSendStuffBit(0);
158 ToSendStuffBit(0);
159
160 // Data bits
161 for(j = 0; j < 8; j++) {
162 if(b & 1) {
163 ToSendStuffBit(1);
164 ToSendStuffBit(1);
165 ToSendStuffBit(1);
166 ToSendStuffBit(1);
167 } else {
168 ToSendStuffBit(0);
169 ToSendStuffBit(0);
170 ToSendStuffBit(0);
171 ToSendStuffBit(0);
172 }
173 b >>= 1;
174 }
175
176 // Stop bit
177 ToSendStuffBit(1);
178 ToSendStuffBit(1);
179 ToSendStuffBit(1);
180 ToSendStuffBit(1);
181 }
182
183 // Send EOF.
184 for(i = 0; i < 10; i++) {
185 ToSendStuffBit(0);
186 ToSendStuffBit(0);
187 ToSendStuffBit(0);
188 ToSendStuffBit(0);
189 }
190 for(i = 0; i < 2; i++) {
191 ToSendStuffBit(1);
192 ToSendStuffBit(1);
193 ToSendStuffBit(1);
194 ToSendStuffBit(1);
195 }
196
197 // Convert from last byte pos to length
198 ++ToSendMax;
199 }
200
201
202
203 /* Receive & handle a bit coming from the reader.
204 *
205 * This function is called 4 times per bit (every 2 subcarrier cycles).
206 * Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 2,36us
207 *
208 * LED handling:
209 * LED A -> ON once we have received the SOF and are expecting the rest.
210 * LED A -> OFF once we have received EOF or are in error state or unsynced
211 *
212 * Returns: true if we received a EOF
213 * false if we are still waiting for some more
214 */
215 static RAMFUNC int Handle14443bUartBit(uint8_t bit)
216 {
217 switch(Uart.state) {
218 case STATE_UNSYNCD:
219 if(!bit) {
220 // we went low, so this could be the beginning
221 // of an SOF
222 Uart.state = STATE_GOT_FALLING_EDGE_OF_SOF;
223 Uart.posCnt = 0;
224 Uart.bitCnt = 0;
225 }
226 break;
227
228 case STATE_GOT_FALLING_EDGE_OF_SOF:
229 Uart.posCnt++;
230 if(Uart.posCnt == 2) { // sample every 4 1/fs in the middle of a bit
231 if(bit) {
232 if(Uart.bitCnt > 9) {
233 // we've seen enough consecutive
234 // zeros that it's a valid SOF
235 Uart.posCnt = 0;
236 Uart.byteCnt = 0;
237 Uart.state = STATE_AWAITING_START_BIT;
238 LED_A_ON(); // Indicate we got a valid SOF
239 } else {
240 // didn't stay down long enough
241 // before going high, error
242 Uart.state = STATE_UNSYNCD;
243 }
244 } else {
245 // do nothing, keep waiting
246 }
247 Uart.bitCnt++;
248 }
249 if(Uart.posCnt >= 4) Uart.posCnt = 0;
250 if(Uart.bitCnt > 12) {
251 // Give up if we see too many zeros without
252 // a one, too.
253 LED_A_OFF();
254 Uart.state = STATE_UNSYNCD;
255 }
256 break;
257
258 case STATE_AWAITING_START_BIT:
259 Uart.posCnt++;
260 if(bit) {
261 if(Uart.posCnt > 50/2) { // max 57us between characters = 49 1/fs, max 3 etus after low phase of SOF = 24 1/fs
262 // stayed high for too long between
263 // characters, error
264 Uart.state = STATE_UNSYNCD;
265 }
266 } else {
267 // falling edge, this starts the data byte
268 Uart.posCnt = 0;
269 Uart.bitCnt = 0;
270 Uart.shiftReg = 0;
271 Uart.state = STATE_RECEIVING_DATA;
272 }
273 break;
274
275 case STATE_RECEIVING_DATA:
276 Uart.posCnt++;
277 if(Uart.posCnt == 2) {
278 // time to sample a bit
279 Uart.shiftReg >>= 1;
280 if(bit) {
281 Uart.shiftReg |= 0x200;
282 }
283 Uart.bitCnt++;
284 }
285 if(Uart.posCnt >= 4) {
286 Uart.posCnt = 0;
287 }
288 if(Uart.bitCnt == 10) {
289 if((Uart.shiftReg & 0x200) && !(Uart.shiftReg & 0x001))
290 {
291 // this is a data byte, with correct
292 // start and stop bits
293 Uart.output[Uart.byteCnt] = (Uart.shiftReg >> 1) & 0xff;
294 Uart.byteCnt++;
295
296 if(Uart.byteCnt >= Uart.byteCntMax) {
297 // Buffer overflowed, give up
298 LED_A_OFF();
299 Uart.state = STATE_UNSYNCD;
300 } else {
301 // so get the next byte now
302 Uart.posCnt = 0;
303 Uart.state = STATE_AWAITING_START_BIT;
304 }
305 } else if (Uart.shiftReg == 0x000) {
306 // this is an EOF byte
307 LED_A_OFF(); // Finished receiving
308 Uart.state = STATE_UNSYNCD;
309 if (Uart.byteCnt != 0) {
310 return TRUE;
311 }
312 } else {
313 // this is an error
314 LED_A_OFF();
315 Uart.state = STATE_UNSYNCD;
316 }
317 }
318 break;
319
320 default:
321 LED_A_OFF();
322 Uart.state = STATE_UNSYNCD;
323 break;
324 }
325
326 return FALSE;
327 }
328
329 //-----------------------------------------------------------------------------
330 // Receive a command (from the reader to us, where we are the simulated tag),
331 // and store it in the given buffer, up to the given maximum length. Keeps
332 // spinning, waiting for a well-framed command, until either we get one
333 // (returns TRUE) or someone presses the pushbutton on the board (FALSE).
334 //
335 // Assume that we're called with the SSC (to the FPGA) and ADC path set
336 // correctly.
337 //-----------------------------------------------------------------------------
338 static int GetIso14443bCommandFromReader(uint8_t *received, uint16_t *len)
339 {
340 // Set FPGA mode to "simulated ISO 14443B tag", no modulation (listen
341 // only, since we are receiving, not transmitting).
342 // Signal field is off with the appropriate LED
343 LED_D_OFF();
344 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
345
346 // Now run a `software UART' on the stream of incoming samples.
347 UartInit(received);
348
349 for(;;) {
350 WDT_HIT();
351
352 if(BUTTON_PRESS()) return FALSE;
353
354 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
355 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
356 for(uint8_t mask = 0x80; mask != 0x00; mask >>= 1) {
357 if(Handle14443bUartBit(b & mask)) {
358 *len = Uart.byteCnt;
359 return TRUE;
360 }
361 }
362 }
363 }
364
365 return FALSE;
366 }
367
368 //-----------------------------------------------------------------------------
369 // Main loop of simulated tag: receive commands from reader, decide what
370 // response to send, and send it.
371 //-----------------------------------------------------------------------------
372 void SimulateIso14443bTag(void)
373 {
374 // the only commands we understand is WUPB, AFI=0, Select All, N=1:
375 static const uint8_t cmd1[] = { ISO14443B_REQB, 0x00, 0x08, 0x39, 0x73 }; // WUPB
376 // ... and REQB, AFI=0, Normal Request, N=1:
377 static const uint8_t cmd2[] = { ISO14443B_REQB, 0x00, 0x00, 0x71, 0xFF }; // REQB
378 // ... and HLTB
379 static const uint8_t cmd3[] = { ISO14443B_HALT, 0xff, 0xff, 0xff, 0xff }; // HLTB
380 // ... and ATTRIB
381 static const uint8_t cmd4[] = { ISO14443B_ATTRIB, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; // ATTRIB
382
383 // ... and we always respond with ATQB, PUPI = 820de174, Application Data = 0x20381922,
384 // supports only 106kBit/s in both directions, max frame size = 32Bytes,
385 // supports ISO14443-4, FWI=8 (77ms), NAD supported, CID not supported:
386 static const uint8_t response1[] = {
387 0x50, 0x82, 0x0d, 0xe1, 0x74, 0x20, 0x38, 0x19, 0x22,
388 0x00, 0x21, 0x85, 0x5e, 0xd7
389 };
390 // response to HLTB and ATTRIB
391 static const uint8_t response2[] = {0x00, 0x78, 0xF0};
392
393 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
394
395 clear_trace();
396 set_tracing(TRUE);
397
398 const uint8_t *resp;
399 uint8_t *respCode;
400 uint16_t respLen, respCodeLen;
401
402 // allocate command receive buffer
403 BigBuf_free(); BigBuf_Clear_ext(false);
404
405 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
406
407 uint16_t len;
408 uint16_t cmdsRecvd = 0;
409
410 // prepare the (only one) tag answer:
411 CodeIso14443bAsTag(response1, sizeof(response1));
412 uint8_t *resp1Code = BigBuf_malloc(ToSendMax);
413 memcpy(resp1Code, ToSend, ToSendMax);
414 uint16_t resp1CodeLen = ToSendMax;
415
416 // prepare the (other) tag answer:
417 CodeIso14443bAsTag(response2, sizeof(response2));
418 uint8_t *resp2Code = BigBuf_malloc(ToSendMax);
419 memcpy(resp2Code, ToSend, ToSendMax);
420 uint16_t resp2CodeLen = ToSendMax;
421
422 // We need to listen to the high-frequency, peak-detected path.
423 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
424 FpgaSetupSsc();
425
426 cmdsRecvd = 0;
427
428 for(;;) {
429
430 if (!GetIso14443bCommandFromReader(receivedCmd, &len)) {
431 Dbprintf("button pressed, received %d commands", cmdsRecvd);
432 break;
433 }
434
435 if (tracing)
436 LogTrace(receivedCmd, len, 0, 0, NULL, TRUE);
437
438
439 // Good, look at the command now.
440 if ( (len == sizeof(cmd1) && memcmp(receivedCmd, cmd1, len) == 0)
441 || (len == sizeof(cmd2) && memcmp(receivedCmd, cmd2, len) == 0) ) {
442 resp = response1;
443 respLen = sizeof(response1);
444 respCode = resp1Code;
445 respCodeLen = resp1CodeLen;
446 } else if ( (len == sizeof(cmd3) && receivedCmd[0] == cmd3[0])
447 || (len == sizeof(cmd4) && receivedCmd[0] == cmd4[0]) ) {
448 resp = response2;
449 respLen = sizeof(response2);
450 respCode = resp2Code;
451 respCodeLen = resp2CodeLen;
452 } else {
453 Dbprintf("new cmd from reader: len=%d, cmdsRecvd=%d", len, cmdsRecvd);
454
455 // And print whether the CRC fails, just for good measure
456 uint8_t b1, b2;
457 if (len >= 3){ // if crc exists
458 ComputeCrc14443(CRC_14443_B, receivedCmd, len-2, &b1, &b2);
459 if(b1 != receivedCmd[len-2] || b2 != receivedCmd[len-1]) {
460 // Not so good, try again.
461 DbpString("+++CRC fail");
462
463 } else {
464 DbpString("CRC passes");
465 }
466 }
467 //get rid of compiler warning
468 respCodeLen = 0;
469 resp = response1;
470 respLen = 0;
471 respCode = resp1Code;
472 //don't crash at new command just wait and see if reader will send other new cmds.
473 //break;
474 }
475
476 ++cmdsRecvd;
477
478 if(cmdsRecvd > 0xFF) {
479 DbpString("many commands later...");
480 break;
481 }
482
483 if(respCodeLen <= 0) continue;
484
485 // Modulate BPSK
486 // Signal field is off with the appropriate LED
487 LED_D_OFF();
488 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK);
489 AT91C_BASE_SSC->SSC_THR = 0xff;
490 FpgaSetupSsc();
491
492 // Transmit the response.
493 uint16_t i = 0;
494 volatile uint8_t b;
495 for(;;) {
496 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
497 uint8_t b = respCode[i];
498
499 AT91C_BASE_SSC->SSC_THR = b;
500
501 ++i;
502 if(i > respCodeLen)
503 break;
504
505 }
506 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
507 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
508 (void)b;
509 }
510 }
511
512 if (tracing)
513 LogTrace(resp, respLen, 0, 0, NULL, FALSE);
514 }
515 }
516
517 //=============================================================================
518 // An ISO 14443 Type B reader. We take layer two commands, code them
519 // appropriately, and then send them to the tag. We then listen for the
520 // tag's response, which we leave in the buffer to be demodulated on the
521 // PC side.
522 //=============================================================================
523
524 /*
525 * Handles reception of a bit from the tag
526 *
527 * This function is called 2 times per bit (every 4 subcarrier cycles).
528 * Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 4,72us
529 *
530 * LED handling:
531 * LED C -> ON once we have received the SOF and are expecting the rest.
532 * LED C -> OFF once we have received EOF or are unsynced
533 *
534 * Returns: true if we received a EOF
535 * false if we are still waiting for some more
536 *
537 */
538 #ifndef SUBCARRIER_DETECT_THRESHOLD
539 # define SUBCARRIER_DETECT_THRESHOLD 6
540 #endif
541
542 static RAMFUNC int Handle14443bSamplesDemod(int ci, int cq)
543 {
544 int v = 0;
545 // The soft decision on the bit uses an estimate of just the
546 // quadrant of the reference angle, not the exact angle.
547 #define MAKE_SOFT_DECISION() { \
548 if(Demod.sumI > 0) { \
549 v = ci; \
550 } else { \
551 v = -ci; \
552 } \
553 if(Demod.sumQ > 0) { \
554 v += cq; \
555 } else { \
556 v -= cq; \
557 } \
558 }
559
560 // Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by abs(ci) + abs(cq)
561 /* #define CHECK_FOR_SUBCARRIER() { \
562 v = ci; \
563 if(v < 0) v = -v; \
564 if(cq > 0) { \
565 v += cq; \
566 } else { \
567 v -= cq; \
568 } \
569 }
570 */
571 // Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by max(abs(ci),abs(cq)) + 1/2*min(abs(ci),abs(cq)))
572 #define CHECK_FOR_SUBCARRIER() { \
573 if(ci < 0) { \
574 if(cq < 0) { /* ci < 0, cq < 0 */ \
575 if (cq < ci) { \
576 v = -cq - (ci >> 1); \
577 } else { \
578 v = -ci - (cq >> 1); \
579 } \
580 } else { /* ci < 0, cq >= 0 */ \
581 if (cq < -ci) { \
582 v = -ci + (cq >> 1); \
583 } else { \
584 v = cq - (ci >> 1); \
585 } \
586 } \
587 } else { \
588 if(cq < 0) { /* ci >= 0, cq < 0 */ \
589 if (-cq < ci) { \
590 v = ci - (cq >> 1); \
591 } else { \
592 v = -cq + (ci >> 1); \
593 } \
594 } else { /* ci >= 0, cq >= 0 */ \
595 if (cq < ci) { \
596 v = ci + (cq >> 1); \
597 } else { \
598 v = cq + (ci >> 1); \
599 } \
600 } \
601 } \
602 }
603
604 //note: couldn't we just use MAX(ABS(ci),ABS(cq)) + (MIN(ABS(ci),ABS(cq))/2) from common.h - marshmellow
605 #define CHECK_FOR_SUBCARRIER_duo() { \
606 v = MAX(ABS(ci),ABS(cq)) + (MIN(ABS(ci),ABS(cq))/2); \
607 }
608
609 switch(Demod.state) {
610 case DEMOD_UNSYNCD:
611
612 CHECK_FOR_SUBCARRIER();
613
614 // subcarrier detected
615 if(v > SUBCARRIER_DETECT_THRESHOLD) {
616 Demod.state = DEMOD_PHASE_REF_TRAINING;
617 Demod.sumI = ci;
618 Demod.sumQ = cq;
619 Demod.posCount = 1;
620 }
621 break;
622
623 case DEMOD_PHASE_REF_TRAINING:
624 if(Demod.posCount < 8) {
625
626 CHECK_FOR_SUBCARRIER();
627
628 if (v > SUBCARRIER_DETECT_THRESHOLD) {
629 // set the reference phase (will code a logic '1') by averaging over 32 1/fs.
630 // note: synchronization time > 80 1/fs
631 Demod.sumI += ci;
632 Demod.sumQ += cq;
633 ++Demod.posCount;
634 } else {
635 // subcarrier lost
636 Demod.state = DEMOD_UNSYNCD;
637 }
638 } else {
639 Demod.state = DEMOD_AWAITING_FALLING_EDGE_OF_SOF;
640 }
641 break;
642
643 case DEMOD_AWAITING_FALLING_EDGE_OF_SOF:
644
645 MAKE_SOFT_DECISION();
646
647 //Dbprintf("ICE: %d %d %d %d %d", v, Demod.sumI, Demod.sumQ, ci, cq );
648 if(v < 0) { // logic '0' detected
649 Demod.state = DEMOD_GOT_FALLING_EDGE_OF_SOF;
650 Demod.posCount = 0; // start of SOF sequence
651 } else {
652 // maximum length of TR1 = 200 1/fs
653 if(Demod.posCount > 25*2) Demod.state = DEMOD_UNSYNCD;
654 }
655 ++Demod.posCount;
656 break;
657
658 case DEMOD_GOT_FALLING_EDGE_OF_SOF:
659 ++Demod.posCount;
660
661 MAKE_SOFT_DECISION();
662
663 if(v > 0) {
664 // low phase of SOF too short (< 9 etu). Note: spec is >= 10, but FPGA tends to "smear" edges
665 if(Demod.posCount < 9*2) {
666 Demod.state = DEMOD_UNSYNCD;
667 } else {
668 LED_C_ON(); // Got SOF
669 Demod.state = DEMOD_AWAITING_START_BIT;
670 Demod.posCount = 0;
671 Demod.len = 0;
672 }
673 } else {
674 // low phase of SOF too long (> 12 etu)
675 if (Demod.posCount > 12*2) {
676 Demod.state = DEMOD_UNSYNCD;
677 LED_C_OFF();
678 }
679 }
680 break;
681
682 case DEMOD_AWAITING_START_BIT:
683 ++Demod.posCount;
684
685 MAKE_SOFT_DECISION();
686
687 if (v > 0) {
688 if(Demod.posCount > 3*2) { // max 19us between characters = 16 1/fs, max 3 etu after low phase of SOF = 24 1/fs
689 Demod.state = DEMOD_UNSYNCD;
690 LED_C_OFF();
691 }
692 } else { // start bit detected
693 Demod.bitCount = 0;
694 Demod.posCount = 1; // this was the first half
695 Demod.thisBit = v;
696 Demod.shiftReg = 0;
697 Demod.state = DEMOD_RECEIVING_DATA;
698 }
699 break;
700
701 case DEMOD_RECEIVING_DATA:
702
703 MAKE_SOFT_DECISION();
704
705 if (Demod.posCount == 0) {
706 // first half of bit
707 Demod.thisBit = v;
708 Demod.posCount = 1;
709 } else {
710 // second half of bit
711 Demod.thisBit += v;
712 Demod.shiftReg >>= 1;
713
714 // logic '1'
715 if(Demod.thisBit > 0) Demod.shiftReg |= 0x200;
716
717 ++Demod.bitCount;
718
719 if(Demod.bitCount == 10) {
720
721 uint16_t s = Demod.shiftReg;
722
723 // stop bit == '1', start bit == '0'
724 if((s & 0x200) && !(s & 0x001)) {
725 uint8_t b = (s >> 1);
726 Demod.output[Demod.len] = b;
727 ++Demod.len;
728 Demod.state = DEMOD_AWAITING_START_BIT;
729 } else {
730 Demod.state = DEMOD_UNSYNCD;
731 LED_C_OFF();
732
733 // This is EOF (start, stop and all data bits == '0'
734 if(s == 0) return TRUE;
735 }
736 }
737 Demod.posCount = 0;
738 }
739 break;
740
741 default:
742 Demod.state = DEMOD_UNSYNCD;
743 LED_C_OFF();
744 break;
745 }
746 return FALSE;
747 }
748
749
750 /*
751 * Demodulate the samples we received from the tag, also log to tracebuffer
752 * quiet: set to 'TRUE' to disable debug output
753 */
754 static void GetSamplesFor14443bDemod(int n, bool quiet)
755 {
756 int max = 0;
757 bool gotFrame = FALSE;
758 int lastRxCounter, ci, cq, samples = 0;
759
760 // Allocate memory from BigBuf for some buffers
761 // free all previous allocations first
762 ///BigBuf_free();
763
764 // The response (tag -> reader) that we're receiving.
765 // Set up the demodulator for tag -> reader responses.
766 // this init, can take some time to execute, memset
767 DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
768
769 // The DMA buffer, used to stream samples from the FPGA
770 int8_t *dmaBuf = (int8_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE);
771
772 // And put the FPGA in the appropriate mode
773 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
774
775 // Setup and start DMA.
776 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE);
777
778 int8_t *upTo = dmaBuf;
779 lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
780
781 // Signal field is ON with the appropriate LED:
782 LED_D_ON();
783 for(;;) {
784 int behindBy = lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR;
785 if(behindBy > max) max = behindBy;
786
787 while(((lastRxCounter-AT91C_BASE_PDC_SSC->PDC_RCR) & (ISO14443B_DMA_BUFFER_SIZE-1)) > 2) {
788 ci = upTo[0];
789 cq = upTo[1];
790 upTo += 2;
791 if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) {
792 upTo = dmaBuf;
793 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
794 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE;
795 }
796 lastRxCounter -= 2;
797
798 if(lastRxCounter <= 0)
799 lastRxCounter += ISO14443B_DMA_BUFFER_SIZE;
800
801 samples += 2;
802
803 // is this | 0x01 the error? & 0xfe in https://github.com/Proxmark/proxmark3/issues/103
804 // can we double this?
805 gotFrame = Handle14443bSamplesDemod(ci<<2 , cq<<2);
806 if ( gotFrame )
807 break;
808 }
809
810 if(samples > n || gotFrame)
811 break;
812 }
813
814 //disable
815 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
816
817 if (!quiet) {
818 Dbprintf("max behindby = %d, samples = %d, gotFrame = %s, Demod.state = %d, Demod.len = %d, Demod.sumI = %d, Demod.sumQ = %d",
819 max,
820 samples,
821 (gotFrame) ? "true" : "false",
822 Demod.state,
823 Demod.len,
824 Demod.sumI,
825 Demod.sumQ
826 );
827 }
828
829 if (tracing > 0)
830 LogTrace(Demod.output, Demod.len, samples, samples, NULL, FALSE);
831 }
832
833
834 //-----------------------------------------------------------------------------
835 // Transmit the command (to the tag) that was placed in ToSend[].
836 //-----------------------------------------------------------------------------
837 static void TransmitFor14443b(void)
838 {
839 int c;
840 volatile uint32_t r;
841 FpgaSetupSsc();
842
843 while(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))
844 AT91C_BASE_SSC->SSC_THR = 0xff;
845
846 // Signal field is ON with the appropriate Red LED
847 LED_D_ON();
848 // Signal we are transmitting with the Green LED
849 LED_B_ON();
850 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
851
852 for(c = 0; c < 10;) {
853 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
854 AT91C_BASE_SSC->SSC_THR = 0xff;
855 ++c;
856 }
857 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
858 r = AT91C_BASE_SSC->SSC_RHR;
859 (void)r;
860 }
861 WDT_HIT();
862 }
863
864 c = 0;
865 for(;;) {
866 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
867 AT91C_BASE_SSC->SSC_THR = ToSend[c];
868 ++c;
869 if(c >= ToSendMax)
870 break;
871 }
872 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
873 r = AT91C_BASE_SSC->SSC_RHR;
874 (void)r;
875 }
876 WDT_HIT();
877 }
878 LED_B_OFF(); // Finished sending
879 }
880
881
882 //-----------------------------------------------------------------------------
883 // Code a layer 2 command (string of octets, including CRC) into ToSend[],
884 // so that it is ready to transmit to the tag using TransmitFor14443b().
885 //-----------------------------------------------------------------------------
886 static void CodeIso14443bAsReader(const uint8_t *cmd, int len)
887 {
888 int i, j;
889 uint8_t b;
890
891 ToSendReset();
892
893 // Establish initial reference level
894 for(i = 0; i < 40; ++i)
895 ToSendStuffBit(1);
896
897 // Send SOF
898 for(i = 0; i < 10; ++i)
899 ToSendStuffBit(0);
900
901 for(i = 0; i < len; ++i) {
902 // Stop bits/EGT
903 ToSendStuffBit(1);
904 ToSendStuffBit(1);
905 // Start bit
906 ToSendStuffBit(0);
907 // Data bits
908 b = cmd[i];
909 for(j = 0; j < 8; ++j) {
910 if(b & 1)
911 ToSendStuffBit(1);
912 else
913 ToSendStuffBit(0);
914
915 b >>= 1;
916 }
917 }
918 // Send EOF
919 ToSendStuffBit(1);
920 for(i = 0; i < 10; ++i)
921 ToSendStuffBit(0);
922
923 for(i = 0; i < 8; ++i)
924 ToSendStuffBit(1);
925
926
927 // And then a little more, to make sure that the last character makes
928 // it out before we switch to rx mode.
929 for(i = 0; i < 24; ++i)
930 ToSendStuffBit(1);
931
932 // Convert from last character reference to length
933 ++ToSendMax;
934 }
935
936
937 /**
938 Convenience function to encode, transmit and trace iso 14443b comms
939 **/
940 static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len)
941 {
942 CodeIso14443bAsReader(cmd, len);
943 TransmitFor14443b();
944
945 if(trigger) LED_A_ON();
946
947 if (tracing) LogTrace(cmd, len, 0, 0, NULL, TRUE);
948 }
949
950 /* Sends an APDU to the tag
951 * TODO: check CRC and preamble
952 */
953 uint8_t iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *response)
954 {
955 uint8_t crc[2] = {0x00, 0x00};
956 uint8_t message_frame[message_length + 4];
957 // PCB
958 message_frame[0] = 0x0A | pcb_blocknum;
959 pcb_blocknum ^= 1;
960 // CID
961 message_frame[1] = 0;
962 // INF
963 memcpy(message_frame + 2, message, message_length);
964 // EDC (CRC)
965 ComputeCrc14443(CRC_14443_B, message_frame, message_length + 2, &message_frame[message_length + 2], &message_frame[message_length + 3]);
966 // send
967 CodeAndTransmit14443bAsReader(message_frame, message_length + 4);
968 // get response
969 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
970 if(Demod.len < 3)
971 return 0;
972
973 // VALIDATE CRC
974 ComputeCrc14443(CRC_14443_B, Demod.output, Demod.len-2, &crc[0], &crc[1]);
975 if ( crc[0] != Demod.output[Demod.len-2] || crc[1] != Demod.output[Demod.len-1] )
976 return 0;
977
978 // copy response contents
979 if(response != NULL)
980 memcpy(response, Demod.output, Demod.len);
981
982 return Demod.len;
983 }
984
985 /**
986 * SRx Initialise.
987 */
988 uint8_t iso14443b_select_srx_card(iso14b_card_select_t *card )
989 {
990 // INITIATE command: wake up the tag using the INITIATE
991 static const uint8_t init_srx[] = { ISO14443B_INITIATE, 0x00, 0x97, 0x5b };
992 // SELECT command (with space for CRC)
993 uint8_t select_srx[] = { ISO14443B_SELECT, 0x00, 0x00, 0x00};
994 // temp to calc crc.
995 uint8_t crc[2] = {0x00, 0x00};
996
997 CodeAndTransmit14443bAsReader(init_srx, sizeof(init_srx));
998 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
999
1000 if (Demod.len == 0) return 2;
1001
1002 // Randomly generated Chip ID
1003 if (card) card->chipid = Demod.output[0];
1004
1005 select_srx[1] = Demod.output[0];
1006
1007 ComputeCrc14443(CRC_14443_B, select_srx, 2, &select_srx[2], &select_srx[3]);
1008 CodeAndTransmit14443bAsReader(select_srx, sizeof(select_srx));
1009 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
1010
1011 if (Demod.len != 3) return 2;
1012
1013 // Check the CRC of the answer:
1014 ComputeCrc14443(CRC_14443_B, Demod.output, Demod.len-2 , &crc[0], &crc[1]);
1015 if(crc[0] != Demod.output[1] || crc[1] != Demod.output[2]) return 3;
1016
1017 // Check response from the tag: should be the same UID as the command we just sent:
1018 if (select_srx[1] != Demod.output[0]) return 1;
1019
1020 // First get the tag's UID:
1021 select_srx[0] = ISO14443B_GET_UID;
1022
1023 ComputeCrc14443(CRC_14443_B, select_srx, 1 , &select_srx[1], &select_srx[2]);
1024 CodeAndTransmit14443bAsReader(select_srx, 3); // Only first three bytes for this one
1025 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
1026
1027 if (Demod.len != 10) return 2;
1028
1029 // The check the CRC of the answer
1030 ComputeCrc14443(CRC_14443_B, Demod.output, Demod.len-2, &crc[0], &crc[1]);
1031 if(crc[0] != Demod.output[8] || crc[1] != Demod.output[9]) return 3;
1032
1033 if (card) {
1034 card->uidlen = 8;
1035 memcpy(card->uid, Demod.output, 8);
1036 }
1037
1038 return 0;
1039 }
1040 /* Perform the ISO 14443 B Card Selection procedure
1041 * Currently does NOT do any collision handling.
1042 * It expects 0-1 cards in the device's range.
1043 * TODO: Support multiple cards (perform anticollision)
1044 * TODO: Verify CRC checksums
1045 */
1046 uint8_t iso14443b_select_card(iso14b_card_select_t *card )
1047 {
1048 // WUPB command (including CRC)
1049 // Note: WUPB wakes up all tags, REQB doesn't wake up tags in HALT state
1050 static const uint8_t wupb[] = { ISO14443B_REQB, 0x00, 0x08, 0x39, 0x73 };
1051 // ATTRIB command (with space for CRC)
1052 uint8_t attrib[] = { ISO14443B_ATTRIB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00};
1053
1054 // temp to calc crc.
1055 uint8_t crc[2] = {0x00, 0x00};
1056
1057 // first, wake up the tag
1058 CodeAndTransmit14443bAsReader(wupb, sizeof(wupb));
1059 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
1060
1061 // ATQB too short?
1062 if (Demod.len < 14) return 2;
1063
1064 // VALIDATE CRC
1065 ComputeCrc14443(CRC_14443_B, Demod.output, Demod.len-2, &crc[0], &crc[1]);
1066 if ( crc[0] != Demod.output[12] || crc[1] != Demod.output[13] )
1067 return 3;
1068
1069 if (card) {
1070 card->uidlen = 4;
1071 memcpy(card->uid, Demod.output+1, 4);
1072 memcpy(card->atqb, Demod.output+5, 7);
1073 }
1074
1075 // copy the PUPI to ATTRIB
1076 memcpy(attrib + 1, Demod.output + 1, 4);
1077
1078 // copy the protocol info from ATQB (Protocol Info -> Protocol_Type) into ATTRIB (Param 3)
1079 attrib[7] = Demod.output[10] & 0x0F;
1080 ComputeCrc14443(CRC_14443_B, attrib, 9, attrib + 9, attrib + 10);
1081
1082 CodeAndTransmit14443bAsReader(attrib, sizeof(attrib));
1083 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
1084
1085 // Answer to ATTRIB too short?
1086 if(Demod.len < 3) return 2;
1087
1088 // VALIDATE CRC
1089 ComputeCrc14443(CRC_14443_B, Demod.output, Demod.len-2, &crc[0], &crc[1]);
1090 if ( crc[0] != Demod.output[1] || crc[1] != Demod.output[2] )
1091 return 3;
1092
1093 // CID
1094 if (card) card->cid = Demod.output[0];
1095
1096 // reset PCB block number
1097 pcb_blocknum = 0;
1098 return 0;
1099 }
1100
1101 // Set up ISO 14443 Type B communication (similar to iso14443a_setup)
1102 void iso14443b_setup() {
1103
1104 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1105
1106 BigBuf_free(); BigBuf_Clear_ext(false);
1107 DemodReset();
1108 UartReset();
1109
1110 // Set up the synchronous serial port
1111 FpgaSetupSsc();
1112
1113 // connect Demodulated Signal to ADC:
1114 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1115
1116 // Signal field is on with the appropriate LED
1117 LED_D_ON();
1118 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
1119 SpinDelay(400);
1120
1121 // Start the timer
1122 StartCountSspClk();
1123 }
1124
1125 //-----------------------------------------------------------------------------
1126 // Read a SRI512 ISO 14443B tag.
1127 //
1128 // SRI512 tags are just simple memory tags, here we're looking at making a dump
1129 // of the contents of the memory. No anticollision algorithm is done, we assume
1130 // we have a single tag in the field.
1131 //
1132 // I tried to be systematic and check every answer of the tag, every CRC, etc...
1133 //-----------------------------------------------------------------------------
1134 void ReadSTMemoryIso14443b(uint8_t numofblocks)
1135 {
1136 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1137 clear_trace();
1138 set_tracing(TRUE);
1139
1140 uint8_t i = 0x00;
1141
1142 // Make sure that we start from off, since the tags are stateful;
1143 // confusing things will happen if we don't reset them between reads.
1144 LED_D_OFF();
1145 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1146 SpinDelay(200);
1147
1148 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1149 FpgaSetupSsc();
1150
1151 // Now give it time to spin up.
1152 // Signal field is on with the appropriate LED
1153 LED_D_ON();
1154 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
1155 SpinDelay(300);
1156
1157 // First command: wake up the tag using the INITIATE command
1158 uint8_t cmd1[] = {ISO14443B_INITIATE, 0x00, 0x97, 0x5b};
1159 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
1160 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
1161
1162 if (Demod.len == 0) {
1163 DbpString("No response from tag");
1164 set_tracing(FALSE);
1165 return;
1166 } else {
1167 Dbprintf("Randomly generated Chip ID (+ 2 byte CRC): %02x %02x %02x",
1168 Demod.output[0], Demod.output[1], Demod.output[2]);
1169 }
1170
1171 // There is a response, SELECT the uid
1172 DbpString("Now SELECT tag:");
1173 cmd1[0] = ISO14443B_SELECT; // 0x0E is SELECT
1174 cmd1[1] = Demod.output[0];
1175 ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
1176 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
1177 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
1178 if (Demod.len != 3) {
1179 Dbprintf("Expected 3 bytes from tag, got %d", Demod.len);
1180 set_tracing(FALSE);
1181 return;
1182 }
1183 // Check the CRC of the answer:
1184 ComputeCrc14443(CRC_14443_B, Demod.output, 1 , &cmd1[2], &cmd1[3]);
1185 if(cmd1[2] != Demod.output[1] || cmd1[3] != Demod.output[2]) {
1186 DbpString("CRC Error reading select response.");
1187 set_tracing(FALSE);
1188 return;
1189 }
1190 // Check response from the tag: should be the same UID as the command we just sent:
1191 if (cmd1[1] != Demod.output[0]) {
1192 Dbprintf("Bad response to SELECT from Tag, aborting: %02x %02x", cmd1[1], Demod.output[0]);
1193 set_tracing(FALSE);
1194 return;
1195 }
1196
1197 // Tag is now selected,
1198 // First get the tag's UID:
1199 cmd1[0] = ISO14443B_GET_UID;
1200 ComputeCrc14443(CRC_14443_B, cmd1, 1 , &cmd1[1], &cmd1[2]);
1201 CodeAndTransmit14443bAsReader(cmd1, 3); // Only first three bytes for this one
1202 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
1203 if (Demod.len != 10) {
1204 Dbprintf("Expected 10 bytes from tag, got %d", Demod.len);
1205 set_tracing(FALSE);
1206 return;
1207 }
1208 // The check the CRC of the answer (use cmd1 as temporary variable):
1209 ComputeCrc14443(CRC_14443_B, Demod.output, 8, &cmd1[2], &cmd1[3]);
1210 if(cmd1[2] != Demod.output[8] || cmd1[3] != Demod.output[9]) {
1211 Dbprintf("CRC Error reading block! Expected: %04x got: %04x",
1212 (cmd1[2]<<8)+cmd1[3], (Demod.output[8]<<8)+Demod.output[9]);
1213 // Do not return;, let's go on... (we should retry, maybe ?)
1214 }
1215 Dbprintf("Tag UID (64 bits): %08x %08x",
1216 (Demod.output[7]<<24) + (Demod.output[6]<<16) + (Demod.output[5]<<8) + Demod.output[4],
1217 (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0]);
1218
1219 // Now loop to read all 16 blocks, address from 0 to last block
1220 Dbprintf("Tag memory dump, block 0 to %d", numofblocks);
1221 cmd1[0] = 0x08;
1222 i = 0x00;
1223 ++numofblocks;
1224
1225 for (;;) {
1226 if (i == numofblocks) {
1227 DbpString("System area block (0xff):");
1228 i = 0xff;
1229 }
1230 cmd1[1] = i;
1231 ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
1232 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
1233 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
1234
1235 if (Demod.len != 6) { // Check if we got an answer from the tag
1236 DbpString("Expected 6 bytes from tag, got less...");
1237 return;
1238 }
1239 // The check the CRC of the answer (use cmd1 as temporary variable):
1240 ComputeCrc14443(CRC_14443_B, Demod.output, 4, &cmd1[2], &cmd1[3]);
1241 if(cmd1[2] != Demod.output[4] || cmd1[3] != Demod.output[5]) {
1242 Dbprintf("CRC Error reading block! Expected: %04x got: %04x",
1243 (cmd1[2]<<8)+cmd1[3], (Demod.output[4]<<8)+Demod.output[5]);
1244 // Do not return;, let's go on... (we should retry, maybe ?)
1245 }
1246 // Now print out the memory location:
1247 Dbprintf("Address=%02x, Contents=%08x, CRC=%04x", i,
1248 (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0],
1249 (Demod.output[4]<<8)+Demod.output[5]);
1250
1251 if (i == 0xff) break;
1252 ++i;
1253 }
1254
1255 set_tracing(FALSE);
1256 }
1257
1258 //=============================================================================
1259 // Finally, the `sniffer' combines elements from both the reader and
1260 // simulated tag, to show both sides of the conversation.
1261 //=============================================================================
1262
1263 //-----------------------------------------------------------------------------
1264 // Record the sequence of commands sent by the reader to the tag, with
1265 // triggering so that we start recording at the point that the tag is moved
1266 // near the reader.
1267 //-----------------------------------------------------------------------------
1268 /*
1269 * Memory usage for this function, (within BigBuf)
1270 * Last Received command (reader->tag) - MAX_FRAME_SIZE
1271 * Last Received command (tag->reader) - MAX_FRAME_SIZE
1272 * DMA Buffer - ISO14443B_DMA_BUFFER_SIZE
1273 * Demodulated samples received - all the rest
1274 */
1275 void RAMFUNC SnoopIso14443b(void)
1276 {
1277 // We won't start recording the frames that we acquire until we trigger;
1278 // a good trigger condition to get started is probably when we see a
1279 // response from the tag.
1280 int triggered = TRUE; // TODO: set and evaluate trigger condition
1281
1282 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1283 BigBuf_free(); BigBuf_Clear_ext(false);
1284
1285 clear_trace();
1286 set_tracing(TRUE);
1287
1288 // The DMA buffer, used to stream samples from the FPGA
1289 int8_t *dmaBuf = (int8_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE);
1290 int lastRxCounter;
1291 int8_t *upTo;
1292 int ci, cq;
1293 int maxBehindBy = 0;
1294
1295 // Count of samples received so far, so that we can include timing
1296 // information in the trace buffer.
1297 int samples = 0;
1298
1299 DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
1300 UartInit(BigBuf_malloc(MAX_FRAME_SIZE));
1301
1302 // Print some debug information about the buffer sizes
1303 Dbprintf("Snooping buffers initialized:");
1304 Dbprintf(" Trace: %i bytes", BigBuf_max_traceLen());
1305 Dbprintf(" Reader -> tag: %i bytes", MAX_FRAME_SIZE);
1306 Dbprintf(" tag -> Reader: %i bytes", MAX_FRAME_SIZE);
1307 Dbprintf(" DMA: %i bytes", ISO14443B_DMA_BUFFER_SIZE);
1308
1309 // Signal field is off, no reader signal, no tag signal
1310 LEDsoff();
1311
1312 // And put the FPGA in the appropriate mode
1313 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ | FPGA_HF_READER_RX_XCORR_SNOOP);
1314 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1315
1316 // Setup for the DMA.
1317 FpgaSetupSsc();
1318 upTo = dmaBuf;
1319 lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
1320 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE);
1321
1322 bool TagIsActive = FALSE;
1323 bool ReaderIsActive = FALSE;
1324
1325 // And now we loop, receiving samples.
1326 for(;;) {
1327 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
1328 (ISO14443B_DMA_BUFFER_SIZE-1);
1329
1330 if(behindBy > maxBehindBy) maxBehindBy = behindBy;
1331 if(behindBy < 2) continue;
1332
1333 ci = upTo[0];
1334 cq = upTo[1];
1335 upTo += 2;
1336 lastRxCounter -= 2;
1337 if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) {
1338 upTo = dmaBuf;
1339 lastRxCounter += ISO14443B_DMA_BUFFER_SIZE;
1340 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
1341 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE;
1342 WDT_HIT();
1343 if(behindBy > (9*ISO14443B_DMA_BUFFER_SIZE/10)) { // TODO: understand whether we can increase/decrease as we want or not?
1344 Dbprintf("blew circular buffer! behindBy=%d", behindBy);
1345 break;
1346 }
1347
1348 if(!tracing) {
1349 DbpString("Trace full");
1350 break;
1351 }
1352
1353 if(BUTTON_PRESS()) {
1354 DbpString("cancelled");
1355 break;
1356 }
1357 }
1358
1359 samples += 2;
1360
1361 if (!TagIsActive) { // no need to try decoding reader data if the tag is sending
1362 if (Handle14443bUartBit(ci & 0x01)) {
1363
1364 if(triggered && tracing)
1365 LogTrace(Uart.output, Uart.byteCnt, samples, samples, NULL, TRUE);
1366
1367 /* And ready to receive another command. */
1368 UartReset();
1369 /* And also reset the demod code, which might have been */
1370 /* false-triggered by the commands from the reader. */
1371 DemodReset();
1372 }
1373
1374 if (Handle14443bUartBit(cq & 0x01)) {
1375 if(triggered && tracing)
1376 LogTrace(Uart.output, Uart.byteCnt, samples, samples, NULL, TRUE);
1377
1378 /* And ready to receive another command. */
1379 UartReset();
1380 /* And also reset the demod code, which might have been */
1381 /* false-triggered by the commands from the reader. */
1382 DemodReset();
1383 }
1384 ReaderIsActive = (Uart.state > STATE_GOT_FALLING_EDGE_OF_SOF);
1385 }
1386
1387 if(!ReaderIsActive) { // no need to try decoding tag data if the reader is sending - and we cannot afford the time
1388 // is this | 0x01 the error? & 0xfe in https://github.com/Proxmark/proxmark3/issues/103
1389 if(Handle14443bSamplesDemod(ci | 0x01, cq | 0x01)) {
1390
1391 //Use samples as a time measurement
1392 if(tracing)
1393 LogTrace(Demod.output, Demod.len, samples, samples, NULL, FALSE);
1394
1395 triggered = TRUE;
1396
1397 // And ready to receive another response.
1398 DemodReset();
1399 }
1400 TagIsActive = (Demod.state > DEMOD_GOT_FALLING_EDGE_OF_SOF);
1401 }
1402 }
1403
1404 FpgaDisableSscDma();
1405 LEDsoff();
1406
1407 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
1408 DbpString("Snoop statistics:");
1409 Dbprintf(" Max behind by: %i", maxBehindBy);
1410 Dbprintf(" Uart State: %x", Uart.state);
1411 Dbprintf(" Uart ByteCnt: %i", Uart.byteCnt);
1412 Dbprintf(" Uart ByteCntMax: %i", Uart.byteCntMax);
1413 Dbprintf(" Trace length: %i", BigBuf_get_traceLen());
1414 set_tracing(FALSE);
1415 }
1416
1417 void iso14b_set_trigger(bool enable) {
1418 trigger = enable;
1419 }
1420
1421 /*
1422 * Send raw command to tag ISO14443B
1423 * @Input
1424 * param flags enum ISO14B_COMMAND. (mifare.h)
1425 * len len of buffer data
1426 * data buffer with bytes to send
1427 *
1428 * @Output
1429 * none
1430 *
1431 */
1432 void SendRawCommand14443B_Ex(UsbCommand *c)
1433 {
1434 iso14b_command_t param = c->arg[0];
1435 size_t len = c->arg[1] & 0xffff;
1436 uint8_t *cmd = c->d.asBytes;
1437 uint8_t status = 0;
1438 uint32_t sendlen = sizeof(iso14b_card_select_t);
1439 uint8_t buf[USB_CMD_DATA_SIZE] = {0x00};
1440
1441 if (MF_DBGLEVEL > 3) Dbprintf("param, %04x", param );
1442
1443 // turn on trigger (LED_A)
1444 if (param & ISO14B_REQUEST_TRIGGER)
1445 iso14b_set_trigger(TRUE);
1446
1447 if (param & ISO14B_CONNECT) {
1448 // Make sure that we start from off, since the tags are stateful;
1449 // confusing things will happen if we don't reset them between reads.
1450 LED_D_OFF();
1451 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1452 SpinDelay(200);
1453 clear_trace();
1454 iso14443b_setup();
1455 }
1456
1457 set_tracing(TRUE);
1458
1459 if ( param & ISO14B_SELECT_STD) {
1460 iso14b_card_select_t *card = (iso14b_card_select_t*)buf;
1461 status = iso14443b_select_card(card);
1462 cmd_send(CMD_ACK, status, sendlen, 0, buf, sendlen);
1463 // 0: OK 2: attrib fail, 3:crc fail,
1464 if ( status > 0 ) return;
1465 }
1466
1467 if ( param & ISO14B_SELECT_SR) {
1468 iso14b_card_select_t *card = (iso14b_card_select_t*)buf;
1469 status = iso14443b_select_srx_card(card);
1470 cmd_send(CMD_ACK, status, sendlen, 0, buf, sendlen);
1471 // 0: OK 2: attrib fail, 3:crc fail,
1472 if ( status > 0 ) return;
1473 }
1474
1475 if (param & ISO14B_APDU) {
1476 status = iso14443b_apdu(cmd, len, buf);
1477 cmd_send(CMD_ACK, status, status, 0, buf, status);
1478 }
1479
1480 if (param & ISO14B_RAW) {
1481 if(param & ISO14B_APPEND_CRC) {
1482 AppendCrc14443b(cmd, len);
1483 len += 2;
1484 }
1485
1486 CodeAndTransmit14443bAsReader(cmd, len);
1487 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
1488
1489 sendlen = MIN(Demod.len, USB_CMD_DATA_SIZE);
1490 status = (Demod.len > 0) ? 0 : 1;
1491 cmd_send(CMD_ACK, status, sendlen, 0, Demod.output, sendlen);
1492 }
1493
1494 // turn off trigger (LED_A)
1495 if (param & ISO14B_REQUEST_TRIGGER)
1496 iso14a_set_trigger(FALSE);
1497
1498 // turn off antenna et al
1499 // we don't send a HALT command.
1500 if ( param & ISO14B_DISCONNECT) {
1501 if (MF_DBGLEVEL > 3) Dbprintf("disconnect");
1502 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1503 FpgaDisableSscDma();
1504 set_tracing(FALSE);
1505 LEDsoff();
1506 }
1507 }
Proxmark3 GIT tracking
Impressum, Datenschutz