]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443b.c
projects / proxmark3-svn / blob
? search:


989b477ca6b03788a5f916baeaceee97f08cf9bf
[proxmark3-svn] / armsrc / iso14443b.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, split Nov 2006
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Routines to support ISO 14443B. This includes both the reader software and
9 // the `fake tag' modes.
10 //-----------------------------------------------------------------------------
11
12 #include "proxmark3.h"
13 #include "apps.h"
14 #include "util.h"
15 #include "string.h"
16
17 #include "iso14443crc.h"
18
19 #define RECEIVE_SAMPLES_TIMEOUT 2000
20
21 //=============================================================================
22 // An ISO 14443 Type B tag. We listen for commands from the reader, using
23 // a UART kind of thing that's implemented in software. When we get a
24 // frame (i.e., a group of bytes between SOF and EOF), we check the CRC.
25 // If it's good, then we can do something appropriate with it, and send
26 // a response.
27 //=============================================================================
28
29 //-----------------------------------------------------------------------------
30 // Code up a string of octets at layer 2 (including CRC, we don't generate
31 // that here) so that they can be transmitted to the reader. Doesn't transmit
32 // them yet, just leaves them ready to send in ToSend[].
33 //-----------------------------------------------------------------------------
34 static void CodeIso14443bAsTag(const uint8_t *cmd, int len)
35 {
36 int i;
37
38 ToSendReset();
39
40 // Transmit a burst of ones, as the initial thing that lets the
41 // reader get phase sync. This (TR1) must be > 80/fs, per spec,
42 // but tag that I've tried (a Paypass) exceeds that by a fair bit,
43 // so I will too.
44 for(i = 0; i < 20; i++) {
45 ToSendStuffBit(1);
46 ToSendStuffBit(1);
47 ToSendStuffBit(1);
48 ToSendStuffBit(1);
49 }
50
51 // Send SOF.
52 for(i = 0; i < 10; i++) {
53 ToSendStuffBit(0);
54 ToSendStuffBit(0);
55 ToSendStuffBit(0);
56 ToSendStuffBit(0);
57 }
58 for(i = 0; i < 2; i++) {
59 ToSendStuffBit(1);
60 ToSendStuffBit(1);
61 ToSendStuffBit(1);
62 ToSendStuffBit(1);
63 }
64
65 for(i = 0; i < len; i++) {
66 int j;
67 uint8_t b = cmd[i];
68
69 // Start bit
70 ToSendStuffBit(0);
71 ToSendStuffBit(0);
72 ToSendStuffBit(0);
73 ToSendStuffBit(0);
74
75 // Data bits
76 for(j = 0; j < 8; j++) {
77 if(b & 1) {
78 ToSendStuffBit(1);
79 ToSendStuffBit(1);
80 ToSendStuffBit(1);
81 ToSendStuffBit(1);
82 } else {
83 ToSendStuffBit(0);
84 ToSendStuffBit(0);
85 ToSendStuffBit(0);
86 ToSendStuffBit(0);
87 }
88 b >>= 1;
89 }
90
91 // Stop bit
92 ToSendStuffBit(1);
93 ToSendStuffBit(1);
94 ToSendStuffBit(1);
95 ToSendStuffBit(1);
96 }
97
98 // Send EOF.
99 for(i = 0; i < 10; i++) {
100 ToSendStuffBit(0);
101 ToSendStuffBit(0);
102 ToSendStuffBit(0);
103 ToSendStuffBit(0);
104 }
105 for(i = 0; i < 2; i++) {
106 ToSendStuffBit(1);
107 ToSendStuffBit(1);
108 ToSendStuffBit(1);
109 ToSendStuffBit(1);
110 }
111
112 // Convert from last byte pos to length
113 ToSendMax++;
114 }
115
116 //-----------------------------------------------------------------------------
117 // The software UART that receives commands from the reader, and its state
118 // variables.
119 //-----------------------------------------------------------------------------
120 static struct {
121 enum {
122 STATE_UNSYNCD,
123 STATE_GOT_FALLING_EDGE_OF_SOF,
124 STATE_AWAITING_START_BIT,
125 STATE_RECEIVING_DATA,
126 STATE_ERROR_WAIT
127 } state;
128 uint16_t shiftReg;
129 int bitCnt;
130 int byteCnt;
131 int byteCntMax;
132 int posCnt;
133 uint8_t *output;
134 } Uart;
135
136 /* Receive & handle a bit coming from the reader.
137 *
138 * This function is called 4 times per bit (every 2 subcarrier cycles).
139 * Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 2,36us
140 *
141 * LED handling:
142 * LED A -> ON once we have received the SOF and are expecting the rest.
143 * LED A -> OFF once we have received EOF or are in error state or unsynced
144 *
145 * Returns: true if we received a EOF
146 * false if we are still waiting for some more
147 */
148 static int Handle14443bUartBit(int bit)
149 {
150 switch(Uart.state) {
151 case STATE_UNSYNCD:
152 if(!bit) {
153 // we went low, so this could be the beginning
154 // of an SOF
155 Uart.state = STATE_GOT_FALLING_EDGE_OF_SOF;
156 Uart.posCnt = 0;
157 Uart.bitCnt = 0;
158 }
159 break;
160
161 case STATE_GOT_FALLING_EDGE_OF_SOF:
162 Uart.posCnt++;
163 if(Uart.posCnt == 2) { // sample every 4 1/fs in the middle of a bit
164 if(bit) {
165 if(Uart.bitCnt > 9) {
166 // we've seen enough consecutive
167 // zeros that it's a valid SOF
168 Uart.posCnt = 0;
169 Uart.byteCnt = 0;
170 Uart.state = STATE_AWAITING_START_BIT;
171 LED_A_ON(); // Indicate we got a valid SOF
172 } else {
173 // didn't stay down long enough
174 // before going high, error
175 Uart.state = STATE_ERROR_WAIT;
176 }
177 } else {
178 // do nothing, keep waiting
179 }
180 Uart.bitCnt++;
181 }
182 if(Uart.posCnt >= 4) Uart.posCnt = 0;
183 if(Uart.bitCnt > 12) {
184 // Give up if we see too many zeros without
185 // a one, too.
186 Uart.state = STATE_ERROR_WAIT;
187 }
188 break;
189
190 case STATE_AWAITING_START_BIT:
191 Uart.posCnt++;
192 if(bit) {
193 if(Uart.posCnt > 50/2) { // max 57us between characters = 49 1/fs, max 3 etus after low phase of SOF = 24 1/fs
194 // stayed high for too long between
195 // characters, error
196 Uart.state = STATE_ERROR_WAIT;
197 }
198 } else {
199 // falling edge, this starts the data byte
200 Uart.posCnt = 0;
201 Uart.bitCnt = 0;
202 Uart.shiftReg = 0;
203 Uart.state = STATE_RECEIVING_DATA;
204 }
205 break;
206
207 case STATE_RECEIVING_DATA:
208 Uart.posCnt++;
209 if(Uart.posCnt == 2) {
210 // time to sample a bit
211 Uart.shiftReg >>= 1;
212 if(bit) {
213 Uart.shiftReg |= 0x200;
214 }
215 Uart.bitCnt++;
216 }
217 if(Uart.posCnt >= 4) {
218 Uart.posCnt = 0;
219 }
220 if(Uart.bitCnt == 10) {
221 if((Uart.shiftReg & 0x200) && !(Uart.shiftReg & 0x001))
222 {
223 // this is a data byte, with correct
224 // start and stop bits
225 Uart.output[Uart.byteCnt] = (Uart.shiftReg >> 1) & 0xff;
226 Uart.byteCnt++;
227
228 if(Uart.byteCnt >= Uart.byteCntMax) {
229 // Buffer overflowed, give up
230 Uart.posCnt = 0;
231 Uart.state = STATE_ERROR_WAIT;
232 } else {
233 // so get the next byte now
234 Uart.posCnt = 0;
235 Uart.state = STATE_AWAITING_START_BIT;
236 }
237 } else if(Uart.shiftReg == 0x000) {
238 // this is an EOF byte
239 LED_A_OFF(); // Finished receiving
240 return TRUE;
241 } else {
242 // this is an error
243 Uart.posCnt = 0;
244 Uart.state = STATE_ERROR_WAIT;
245 }
246 }
247 break;
248
249 case STATE_ERROR_WAIT:
250 // We're all screwed up, so wait a little while
251 // for whatever went wrong to finish, and then
252 // start over.
253 Uart.posCnt++;
254 if(Uart.posCnt > 10) {
255 Uart.state = STATE_UNSYNCD;
256 LED_A_OFF();
257 }
258 break;
259
260 default:
261 Uart.state = STATE_UNSYNCD;
262 break;
263 }
264
265 return FALSE;
266 }
267
268 //-----------------------------------------------------------------------------
269 // Receive a command (from the reader to us, where we are the simulated tag),
270 // and store it in the given buffer, up to the given maximum length. Keeps
271 // spinning, waiting for a well-framed command, until either we get one
272 // (returns TRUE) or someone presses the pushbutton on the board (FALSE).
273 //
274 // Assume that we're called with the SSC (to the FPGA) and ADC path set
275 // correctly.
276 //-----------------------------------------------------------------------------
277 static int GetIso14443bCommandFromReader(uint8_t *received, int *len, int maxLen)
278 {
279 uint8_t mask;
280 int i, bit;
281
282 // Set FPGA mode to "simulated ISO 14443B tag", no modulation (listen
283 // only, since we are receiving, not transmitting).
284 // Signal field is off with the appropriate LED
285 LED_D_OFF();
286 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
287
288
289 // Now run a `software UART' on the stream of incoming samples.
290 Uart.output = received;
291 Uart.byteCntMax = maxLen;
292 Uart.state = STATE_UNSYNCD;
293
294 for(;;) {
295 WDT_HIT();
296
297 if(BUTTON_PRESS()) return FALSE;
298
299 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
300 AT91C_BASE_SSC->SSC_THR = 0x00;
301 }
302 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
303 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
304
305 mask = 0x80;
306 for(i = 0; i < 8; i++, mask >>= 1) {
307 bit = (b & mask);
308 if(Handle14443bUartBit(bit)) {
309 *len = Uart.byteCnt;
310 return TRUE;
311 }
312 }
313 }
314 }
315 }
316
317 //-----------------------------------------------------------------------------
318 // Main loop of simulated tag: receive commands from reader, decide what
319 // response to send, and send it.
320 //-----------------------------------------------------------------------------
321 void SimulateIso14443bTag(void)
322 {
323 // the only command we understand is REQB, AFI=0, Select All, N=0:
324 static const uint8_t cmd1[] = { 0x05, 0x00, 0x08, 0x39, 0x73 };
325 // ... and we respond with ATQB, PUPI = 820de174, Application Data = 0x20381922,
326 // supports only 106kBit/s in both directions, max frame size = 32Bytes,
327 // supports ISO14443-4, FWI=8 (77ms), NAD supported, CID not supported:
328 static const uint8_t response1[] = {
329 0x50, 0x82, 0x0d, 0xe1, 0x74, 0x20, 0x38, 0x19, 0x22,
330 0x00, 0x21, 0x85, 0x5e, 0xd7
331 };
332
333 uint8_t *resp;
334 int respLen;
335
336 // allocate command receive buffer
337 BigBuf_free();
338 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
339 int len;
340
341 int i;
342
343 int cmdsRecvd = 0;
344
345 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
346
347 // prepare the (only one) tag answer:
348 CodeIso14443bAsTag(response1, sizeof(response1));
349 uint8_t *resp1 = BigBuf_malloc(ToSendMax);
350 memcpy(resp1, ToSend, ToSendMax);
351 uint16_t resp1Len = ToSendMax;
352
353 // We need to listen to the high-frequency, peak-detected path.
354 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
355 FpgaSetupSsc();
356
357 cmdsRecvd = 0;
358
359 for(;;) {
360 uint8_t b1, b2;
361
362 if(!GetIso14443bCommandFromReader(receivedCmd, &len, 100)) {
363 Dbprintf("button pressed, received %d commands", cmdsRecvd);
364 break;
365 }
366
367 // Good, look at the command now.
368
369 if(len == sizeof(cmd1) && memcmp(receivedCmd, cmd1, len) == 0) {
370 resp = resp1; respLen = resp1Len;
371 } else {
372 Dbprintf("new cmd from reader: len=%d, cmdsRecvd=%d", len, cmdsRecvd);
373 // And print whether the CRC fails, just for good measure
374 ComputeCrc14443(CRC_14443_B, receivedCmd, len-2, &b1, &b2);
375 if(b1 != receivedCmd[len-2] || b2 != receivedCmd[len-1]) {
376 // Not so good, try again.
377 DbpString("+++CRC fail");
378 } else {
379 DbpString("CRC passes");
380 }
381 break;
382 }
383
384 cmdsRecvd++;
385
386 if(cmdsRecvd > 0x30) {
387 DbpString("many commands later...");
388 break;
389 }
390
391 if(respLen <= 0) continue;
392
393 // Modulate BPSK
394 // Signal field is off with the appropriate LED
395 LED_D_OFF();
396 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK);
397 AT91C_BASE_SSC->SSC_THR = 0xff;
398 FpgaSetupSsc();
399
400 // Transmit the response.
401 i = 0;
402 for(;;) {
403 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
404 uint8_t b = resp[i];
405
406 AT91C_BASE_SSC->SSC_THR = b;
407
408 i++;
409 if(i > respLen) {
410 break;
411 }
412 }
413 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
414 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
415 (void)b;
416 }
417 }
418 }
419 }
420
421 //=============================================================================
422 // An ISO 14443 Type B reader. We take layer two commands, code them
423 // appropriately, and then send them to the tag. We then listen for the
424 // tag's response, which we leave in the buffer to be demodulated on the
425 // PC side.
426 //=============================================================================
427
428 static struct {
429 enum {
430 DEMOD_UNSYNCD,
431 DEMOD_PHASE_REF_TRAINING,
432 DEMOD_AWAITING_FALLING_EDGE_OF_SOF,
433 DEMOD_GOT_FALLING_EDGE_OF_SOF,
434 DEMOD_AWAITING_START_BIT,
435 DEMOD_RECEIVING_DATA,
436 DEMOD_ERROR_WAIT
437 } state;
438 int bitCount;
439 int posCount;
440 int thisBit;
441 /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
442 int metric;
443 int metricN;
444 */
445 uint16_t shiftReg;
446 uint8_t *output;
447 int len;
448 int sumI;
449 int sumQ;
450 } Demod;
451
452 /*
453 * Handles reception of a bit from the tag
454 *
455 * This function is called 2 times per bit (every 4 subcarrier cycles).
456 * Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 4,72us
457 *
458 * LED handling:
459 * LED C -> ON once we have received the SOF and are expecting the rest.
460 * LED C -> OFF once we have received EOF or are unsynced
461 *
462 * Returns: true if we received a EOF
463 * false if we are still waiting for some more
464 *
465 */
466 static RAMFUNC int Handle14443bSamplesDemod(int ci, int cq)
467 {
468 int v;
469
470 // The soft decision on the bit uses an estimate of just the
471 // quadrant of the reference angle, not the exact angle.
472 #define MAKE_SOFT_DECISION() { \
473 if(Demod.sumI > 0) { \
474 v = ci; \
475 } else { \
476 v = -ci; \
477 } \
478 if(Demod.sumQ > 0) { \
479 v += cq; \
480 } else { \
481 v -= cq; \
482 } \
483 }
484
485 #define SUBCARRIER_DETECT_THRESHOLD 8
486
487 // Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by abs(ci) + abs(cq)
488 /* #define CHECK_FOR_SUBCARRIER() { \
489 v = ci; \
490 if(v < 0) v = -v; \
491 if(cq > 0) { \
492 v += cq; \
493 } else { \
494 v -= cq; \
495 } \
496 }
497 */
498 // Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by max(abs(ci),abs(cq)) + 1/2*min(abs(ci),abs(cq)))
499 #define CHECK_FOR_SUBCARRIER() { \
500 if(ci < 0) { \
501 if(cq < 0) { /* ci < 0, cq < 0 */ \
502 if (cq < ci) { \
503 v = -cq - (ci >> 1); \
504 } else { \
505 v = -ci - (cq >> 1); \
506 } \
507 } else { /* ci < 0, cq >= 0 */ \
508 if (cq < -ci) { \
509 v = -ci + (cq >> 1); \
510 } else { \
511 v = cq - (ci >> 1); \
512 } \
513 } \
514 } else { \
515 if(cq < 0) { /* ci >= 0, cq < 0 */ \
516 if (-cq < ci) { \
517 v = ci - (cq >> 1); \
518 } else { \
519 v = -cq + (ci >> 1); \
520 } \
521 } else { /* ci >= 0, cq >= 0 */ \
522 if (cq < ci) { \
523 v = ci + (cq >> 1); \
524 } else { \
525 v = cq + (ci >> 1); \
526 } \
527 } \
528 } \
529 }
530
531 switch(Demod.state) {
532 case DEMOD_UNSYNCD:
533 CHECK_FOR_SUBCARRIER();
534 if(v > SUBCARRIER_DETECT_THRESHOLD) { // subcarrier detected
535 Demod.state = DEMOD_PHASE_REF_TRAINING;
536 Demod.sumI = ci;
537 Demod.sumQ = cq;
538 Demod.posCount = 1;
539 }
540 break;
541
542 case DEMOD_PHASE_REF_TRAINING:
543 if(Demod.posCount < 8) {
544 CHECK_FOR_SUBCARRIER();
545 if (v > SUBCARRIER_DETECT_THRESHOLD) {
546 // set the reference phase (will code a logic '1') by averaging over 32 1/fs.
547 // note: synchronization time > 80 1/fs
548 Demod.sumI += ci;
549 Demod.sumQ += cq;
550 Demod.posCount++;
551 } else { // subcarrier lost
552 Demod.state = DEMOD_UNSYNCD;
553 }
554 } else {
555 Demod.state = DEMOD_AWAITING_FALLING_EDGE_OF_SOF;
556 }
557 break;
558
559 case DEMOD_AWAITING_FALLING_EDGE_OF_SOF:
560 MAKE_SOFT_DECISION();
561 if(v < 0) { // logic '0' detected
562 Demod.state = DEMOD_GOT_FALLING_EDGE_OF_SOF;
563 Demod.posCount = 0; // start of SOF sequence
564 } else {
565 if(Demod.posCount > 200/4) { // maximum length of TR1 = 200 1/fs
566 Demod.state = DEMOD_UNSYNCD;
567 }
568 }
569 Demod.posCount++;
570 break;
571
572 case DEMOD_GOT_FALLING_EDGE_OF_SOF:
573 Demod.posCount++;
574 MAKE_SOFT_DECISION();
575 if(v > 0) {
576 if(Demod.posCount < 9*2) { // low phase of SOF too short (< 9 etu). Note: spec is >= 10, but FPGA tends to "smear" edges
577 Demod.state = DEMOD_UNSYNCD;
578 } else {
579 LED_C_ON(); // Got SOF
580 Demod.state = DEMOD_AWAITING_START_BIT;
581 Demod.posCount = 0;
582 Demod.len = 0;
583 /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
584 Demod.metricN = 0;
585 Demod.metric = 0;
586 */
587 }
588 } else {
589 if(Demod.posCount > 12*2) { // low phase of SOF too long (> 12 etu)
590 Demod.state = DEMOD_UNSYNCD;
591 LED_C_OFF();
592 }
593 }
594 break;
595
596 case DEMOD_AWAITING_START_BIT:
597 Demod.posCount++;
598 MAKE_SOFT_DECISION();
599 if(v > 0) {
600 if(Demod.posCount > 3*2) { // max 19us between characters = 16 1/fs, max 3 etu after low phase of SOF = 24 1/fs
601 Demod.state = DEMOD_UNSYNCD;
602 LED_C_OFF();
603 }
604 } else { // start bit detected
605 Demod.bitCount = 0;
606 Demod.posCount = 1; // this was the first half
607 Demod.thisBit = v;
608 Demod.shiftReg = 0;
609 Demod.state = DEMOD_RECEIVING_DATA;
610 }
611 break;
612
613 case DEMOD_RECEIVING_DATA:
614 MAKE_SOFT_DECISION();
615 if(Demod.posCount == 0) { // first half of bit
616 Demod.thisBit = v;
617 Demod.posCount = 1;
618 } else { // second half of bit
619 Demod.thisBit += v;
620
621 /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
622 if(Demod.thisBit > 0) {
623 Demod.metric += Demod.thisBit;
624 } else {
625 Demod.metric -= Demod.thisBit;
626 }
627 (Demod.metricN)++;
628 */
629
630 Demod.shiftReg >>= 1;
631 if(Demod.thisBit > 0) { // logic '1'
632 Demod.shiftReg |= 0x200;
633 }
634
635 Demod.bitCount++;
636 if(Demod.bitCount == 10) {
637 uint16_t s = Demod.shiftReg;
638 if((s & 0x200) && !(s & 0x001)) { // stop bit == '1', start bit == '0'
639 uint8_t b = (s >> 1);
640 Demod.output[Demod.len] = b;
641 Demod.len++;
642 Demod.state = DEMOD_AWAITING_START_BIT;
643 } else {
644 Demod.state = DEMOD_UNSYNCD;
645 LED_C_OFF();
646 if(s == 0x000) {
647 // This is EOF (start, stop and all data bits == '0'
648 return TRUE;
649 }
650 }
651 }
652 Demod.posCount = 0;
653 }
654 break;
655
656 default:
657 Demod.state = DEMOD_UNSYNCD;
658 LED_C_OFF();
659 break;
660 }
661
662 return FALSE;
663 }
664
665
666 static void DemodReset()
667 {
668 // Clear out the state of the "UART" that receives from the tag.
669 Demod.len = 0;
670 Demod.state = DEMOD_UNSYNCD;
671 Demod.posCount = 0;
672 memset(Demod.output, 0x00, MAX_FRAME_SIZE);
673 }
674
675
676 static void DemodInit(uint8_t *data)
677 {
678 Demod.output = data;
679 DemodReset();
680 }
681
682
683 static void UartReset()
684 {
685 Uart.byteCntMax = MAX_FRAME_SIZE;
686 Uart.state = STATE_UNSYNCD;
687 Uart.byteCnt = 0;
688 Uart.bitCnt = 0;
689 }
690
691
692 static void UartInit(uint8_t *data)
693 {
694 Uart.output = data;
695 UartReset();
696 }
697
698
699 /*
700 * Demodulate the samples we received from the tag, also log to tracebuffer
701 * quiet: set to 'TRUE' to disable debug output
702 */
703 static void GetSamplesFor14443bDemod(int n, bool quiet)
704 {
705 int max = 0;
706 bool gotFrame = FALSE;
707 int lastRxCounter, ci, cq, samples = 0;
708
709 // Allocate memory from BigBuf for some buffers
710 // free all previous allocations first
711 BigBuf_free();
712
713 // The response (tag -> reader) that we're receiving.
714 uint8_t *receivedResponse = BigBuf_malloc(MAX_FRAME_SIZE);
715
716 // The DMA buffer, used to stream samples from the FPGA
717 int8_t *dmaBuf = (int8_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE);
718
719 // Set up the demodulator for tag -> reader responses.
720 DemodInit(receivedResponse);
721
722 // Setup and start DMA.
723 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE);
724
725 int8_t *upTo = dmaBuf;
726 lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
727
728 // Signal field is ON with the appropriate LED:
729 LED_D_ON();
730 // And put the FPGA in the appropriate mode
731 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
732
733 for(;;) {
734 int behindBy = lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR;
735 if(behindBy > max) max = behindBy;
736
737 while(((lastRxCounter-AT91C_BASE_PDC_SSC->PDC_RCR) & (ISO14443B_DMA_BUFFER_SIZE-1)) > 2) {
738 ci = upTo[0];
739 cq = upTo[1];
740 upTo += 2;
741 if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) {
742 upTo = dmaBuf;
743 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
744 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE;
745 }
746 lastRxCounter -= 2;
747 if(lastRxCounter <= 0) {
748 lastRxCounter += ISO14443B_DMA_BUFFER_SIZE;
749 }
750
751 samples += 2;
752
753 if(Handle14443bSamplesDemod(ci, cq)) {
754 gotFrame = TRUE;
755 break;
756 }
757 }
758
759 if(samples > n || gotFrame) {
760 break;
761 }
762 }
763
764 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
765
766 if (!quiet) Dbprintf("max behindby = %d, samples = %d, gotFrame = %d, Demod.len = %d, Demod.sumI = %d, Demod.sumQ = %d", max, samples, gotFrame, Demod.len, Demod.sumI, Demod.sumQ);
767 //Tracing
768 if (tracing && Demod.len > 0) {
769 uint8_t parity[MAX_PARITY_SIZE];
770 //GetParity(Demod.output, Demod.len, parity);
771 LogTrace(Demod.output, Demod.len, 0, 0, parity, FALSE);
772 }
773 }
774
775
776 //-----------------------------------------------------------------------------
777 // Transmit the command (to the tag) that was placed in ToSend[].
778 //-----------------------------------------------------------------------------
779 static void TransmitFor14443b(void)
780 {
781 int c;
782
783 FpgaSetupSsc();
784
785 while(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
786 AT91C_BASE_SSC->SSC_THR = 0xff;
787 }
788
789 // Signal field is ON with the appropriate Red LED
790 LED_D_ON();
791 // Signal we are transmitting with the Green LED
792 LED_B_ON();
793 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
794
795 for(c = 0; c < 10;) {
796 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
797 AT91C_BASE_SSC->SSC_THR = 0xff;
798 c++;
799 }
800 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
801 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
802 (void)r;
803 }
804 WDT_HIT();
805 }
806
807 c = 0;
808 for(;;) {
809 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
810 AT91C_BASE_SSC->SSC_THR = ToSend[c];
811 c++;
812 if(c >= ToSendMax) {
813 break;
814 }
815 }
816 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
817 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
818 (void)r;
819 }
820 WDT_HIT();
821 }
822 LED_B_OFF(); // Finished sending
823 }
824
825
826 //-----------------------------------------------------------------------------
827 // Code a layer 2 command (string of octets, including CRC) into ToSend[],
828 // so that it is ready to transmit to the tag using TransmitFor14443b().
829 //-----------------------------------------------------------------------------
830 static void CodeIso14443bAsReader(const uint8_t *cmd, int len)
831 {
832 int i, j;
833 uint8_t b;
834
835 ToSendReset();
836
837 // Establish initial reference level
838 for(i = 0; i < 40; i++) {
839 ToSendStuffBit(1);
840 }
841 // Send SOF
842 for(i = 0; i < 10; i++) {
843 ToSendStuffBit(0);
844 }
845
846 for(i = 0; i < len; i++) {
847 // Stop bits/EGT
848 ToSendStuffBit(1);
849 ToSendStuffBit(1);
850 // Start bit
851 ToSendStuffBit(0);
852 // Data bits
853 b = cmd[i];
854 for(j = 0; j < 8; j++) {
855 if(b & 1) {
856 ToSendStuffBit(1);
857 } else {
858 ToSendStuffBit(0);
859 }
860 b >>= 1;
861 }
862 }
863 // Send EOF
864 ToSendStuffBit(1);
865 for(i = 0; i < 10; i++) {
866 ToSendStuffBit(0);
867 }
868 for(i = 0; i < 8; i++) {
869 ToSendStuffBit(1);
870 }
871
872 // And then a little more, to make sure that the last character makes
873 // it out before we switch to rx mode.
874 for(i = 0; i < 24; i++) {
875 ToSendStuffBit(1);
876 }
877
878 // Convert from last character reference to length
879 ToSendMax++;
880 }
881
882
883 //-----------------------------------------------------------------------------
884 // Read an ISO 14443B tag. We send it some set of commands, and record the
885 // responses.
886 // The command name is misleading, it actually decodes the reponse in HEX
887 // into the output buffer (read the result using hexsamples, not hisamples)
888 //
889 // obsolete function only for test
890 //-----------------------------------------------------------------------------
891 void AcquireRawAdcSamplesIso14443b(uint32_t parameter)
892 {
893 uint8_t cmd1[] = { 0x05, 0x00, 0x08, 0x39, 0x73 }; // REQB with AFI=0, Request All, N=0
894
895 SendRawCommand14443B(sizeof(cmd1),1,1,cmd1);
896 }
897
898
899 /**
900 Convenience function to encode, transmit and trace iso 14443b comms
901 **/
902 static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len)
903 {
904 CodeIso14443bAsReader(cmd, len);
905 TransmitFor14443b();
906 if (tracing) {
907 uint8_t parity[MAX_PARITY_SIZE];
908 GetParity(cmd, len, parity);
909 LogTrace(cmd,len, 0, 0, parity, TRUE);
910 }
911 }
912
913
914 //-----------------------------------------------------------------------------
915 // Read a SRI512 ISO 14443B tag.
916 //
917 // SRI512 tags are just simple memory tags, here we're looking at making a dump
918 // of the contents of the memory. No anticollision algorithm is done, we assume
919 // we have a single tag in the field.
920 //
921 // I tried to be systematic and check every answer of the tag, every CRC, etc...
922 //-----------------------------------------------------------------------------
923 void ReadSTMemoryIso14443b(uint32_t dwLast)
924 {
925 clear_trace();
926 set_tracing(TRUE);
927
928 uint8_t i = 0x00;
929
930 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
931 // Make sure that we start from off, since the tags are stateful;
932 // confusing things will happen if we don't reset them between reads.
933 LED_D_OFF();
934 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
935 SpinDelay(200);
936
937 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
938 FpgaSetupSsc();
939
940 // Now give it time to spin up.
941 // Signal field is on with the appropriate LED
942 LED_D_ON();
943 FpgaWriteConfWord(
944 FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
945 SpinDelay(200);
946
947 // First command: wake up the tag using the INITIATE command
948 uint8_t cmd1[] = {0x06, 0x00, 0x97, 0x5b};
949
950 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
951 // LED_A_ON();
952 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
953 // LED_A_OFF();
954
955 if (Demod.len == 0) {
956 DbpString("No response from tag");
957 return;
958 } else {
959 Dbprintf("Randomly generated UID from tag (+ 2 byte CRC): %x %x %x",
960 Demod.output[0], Demod.output[1], Demod.output[2]);
961 }
962 // There is a response, SELECT the uid
963 DbpString("Now SELECT tag:");
964 cmd1[0] = 0x0E; // 0x0E is SELECT
965 cmd1[1] = Demod.output[0];
966 ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
967 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
968
969 // LED_A_ON();
970 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
971 // LED_A_OFF();
972 if (Demod.len != 3) {
973 Dbprintf("Expected 3 bytes from tag, got %d", Demod.len);
974 return;
975 }
976 // Check the CRC of the answer:
977 ComputeCrc14443(CRC_14443_B, Demod.output, 1 , &cmd1[2], &cmd1[3]);
978 if(cmd1[2] != Demod.output[1] || cmd1[3] != Demod.output[2]) {
979 DbpString("CRC Error reading select response.");
980 return;
981 }
982 // Check response from the tag: should be the same UID as the command we just sent:
983 if (cmd1[1] != Demod.output[0]) {
984 Dbprintf("Bad response to SELECT from Tag, aborting: %x %x", cmd1[1], Demod.output[0]);
985 return;
986 }
987 // Tag is now selected,
988 // First get the tag's UID:
989 cmd1[0] = 0x0B;
990 ComputeCrc14443(CRC_14443_B, cmd1, 1 , &cmd1[1], &cmd1[2]);
991 CodeAndTransmit14443bAsReader(cmd1, 3); // Only first three bytes for this one
992
993 // LED_A_ON();
994 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
995 // LED_A_OFF();
996 if (Demod.len != 10) {
997 Dbprintf("Expected 10 bytes from tag, got %d", Demod.len);
998 return;
999 }
1000 // The check the CRC of the answer (use cmd1 as temporary variable):
1001 ComputeCrc14443(CRC_14443_B, Demod.output, 8, &cmd1[2], &cmd1[3]);
1002 if(cmd1[2] != Demod.output[8] || cmd1[3] != Demod.output[9]) {
1003 Dbprintf("CRC Error reading block! - Below: expected, got %x %x",
1004 (cmd1[2]<<8)+cmd1[3], (Demod.output[8]<<8)+Demod.output[9]);
1005 // Do not return;, let's go on... (we should retry, maybe ?)
1006 }
1007 Dbprintf("Tag UID (64 bits): %08x %08x",
1008 (Demod.output[7]<<24) + (Demod.output[6]<<16) + (Demod.output[5]<<8) + Demod.output[4],
1009 (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0]);
1010
1011 // Now loop to read all 16 blocks, address from 0 to last block
1012 Dbprintf("Tag memory dump, block 0 to %d",dwLast);
1013 cmd1[0] = 0x08;
1014 i = 0x00;
1015 dwLast++;
1016 for (;;) {
1017 if (i == dwLast) {
1018 DbpString("System area block (0xff):");
1019 i = 0xff;
1020 }
1021 cmd1[1] = i;
1022 ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
1023 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
1024
1025 // LED_A_ON();
1026 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
1027 // LED_A_OFF();
1028 if (Demod.len != 6) { // Check if we got an answer from the tag
1029 DbpString("Expected 6 bytes from tag, got less...");
1030 return;
1031 }
1032 // The check the CRC of the answer (use cmd1 as temporary variable):
1033 ComputeCrc14443(CRC_14443_B, Demod.output, 4, &cmd1[2], &cmd1[3]);
1034 if(cmd1[2] != Demod.output[4] || cmd1[3] != Demod.output[5]) {
1035 Dbprintf("CRC Error reading block! - Below: expected, got %x %x",
1036 (cmd1[2]<<8)+cmd1[3], (Demod.output[4]<<8)+Demod.output[5]);
1037 // Do not return;, let's go on... (we should retry, maybe ?)
1038 }
1039 // Now print out the memory location:
1040 Dbprintf("Address=%x, Contents=%x, CRC=%x", i,
1041 (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0],
1042 (Demod.output[4]<<8)+Demod.output[5]);
1043 if (i == 0xff) {
1044 break;
1045 }
1046 i++;
1047 }
1048 }
1049
1050
1051 //=============================================================================
1052 // Finally, the `sniffer' combines elements from both the reader and
1053 // simulated tag, to show both sides of the conversation.
1054 //=============================================================================
1055
1056 //-----------------------------------------------------------------------------
1057 // Record the sequence of commands sent by the reader to the tag, with
1058 // triggering so that we start recording at the point that the tag is moved
1059 // near the reader.
1060 //-----------------------------------------------------------------------------
1061 /*
1062 * Memory usage for this function, (within BigBuf)
1063 * Last Received command (reader->tag) - MAX_FRAME_SIZE
1064 * Last Received command (tag->reader) - MAX_FRAME_SIZE
1065 * DMA Buffer - ISO14443B_DMA_BUFFER_SIZE
1066 * Demodulated samples received - all the rest
1067 */
1068 void RAMFUNC SnoopIso14443b(void)
1069 {
1070 // We won't start recording the frames that we acquire until we trigger;
1071 // a good trigger condition to get started is probably when we see a
1072 // response from the tag.
1073 int triggered = TRUE; // TODO: set and evaluate trigger condition
1074
1075 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1076 BigBuf_free();
1077
1078 clear_trace();
1079 set_tracing(TRUE);
1080
1081 // The DMA buffer, used to stream samples from the FPGA
1082 int8_t *dmaBuf = (int8_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE);
1083 int lastRxCounter;
1084 int8_t *upTo;
1085 int ci, cq;
1086 int maxBehindBy = 0;
1087
1088 // Count of samples received so far, so that we can include timing
1089 // information in the trace buffer.
1090 int samples = 0;
1091
1092 DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
1093 UartInit(BigBuf_malloc(MAX_FRAME_SIZE));
1094
1095 // Print some debug information about the buffer sizes
1096 Dbprintf("Snooping buffers initialized:");
1097 Dbprintf(" Trace: %i bytes", BigBuf_max_traceLen());
1098 Dbprintf(" Reader -> tag: %i bytes", MAX_FRAME_SIZE);
1099 Dbprintf(" tag -> Reader: %i bytes", MAX_FRAME_SIZE);
1100 Dbprintf(" DMA: %i bytes", ISO14443B_DMA_BUFFER_SIZE);
1101
1102 // Signal field is off, no reader signal, no tag signal
1103 LEDsoff();
1104
1105 // And put the FPGA in the appropriate mode
1106 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_SNOOP);
1107 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1108
1109 // Setup for the DMA.
1110 FpgaSetupSsc();
1111 upTo = dmaBuf;
1112 lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
1113 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE);
1114 uint8_t parity[MAX_PARITY_SIZE];
1115
1116 bool TagIsActive = FALSE;
1117 bool ReaderIsActive = FALSE;
1118
1119 // And now we loop, receiving samples.
1120 for(;;) {
1121 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
1122 (ISO14443B_DMA_BUFFER_SIZE-1);
1123 if(behindBy > maxBehindBy) {
1124 maxBehindBy = behindBy;
1125 }
1126
1127 if(behindBy < 2) continue;
1128
1129 ci = upTo[0];
1130 cq = upTo[1];
1131 upTo += 2;
1132 lastRxCounter -= 2;
1133 if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) {
1134 upTo = dmaBuf;
1135 lastRxCounter += ISO14443B_DMA_BUFFER_SIZE;
1136 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
1137 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE;
1138 WDT_HIT();
1139 if(behindBy > (9*ISO14443B_DMA_BUFFER_SIZE/10)) { // TODO: understand whether we can increase/decrease as we want or not?
1140 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
1141 break;
1142 }
1143 if(!tracing) {
1144 DbpString("Reached trace limit");
1145 break;
1146 }
1147 if(BUTTON_PRESS()) {
1148 DbpString("cancelled");
1149 break;
1150 }
1151 }
1152
1153 samples += 2;
1154
1155 if (!TagIsActive) { // no need to try decoding reader data if the tag is sending
1156 if(Handle14443bUartBit(ci & 0x01)) {
1157 if(triggered && tracing) {
1158 //GetParity(Uart.output, Uart.byteCnt, parity);
1159 LogTrace(Uart.output, Uart.byteCnt, samples, samples, parity, TRUE);
1160 }
1161 /* And ready to receive another command. */
1162 UartReset();
1163 /* And also reset the demod code, which might have been */
1164 /* false-triggered by the commands from the reader. */
1165 DemodReset();
1166 }
1167 if(Handle14443bUartBit(cq & 0x01)) {
1168 if(triggered && tracing) {
1169 //GetParity(Uart.output, Uart.byteCnt, parity);
1170 LogTrace(Uart.output, Uart.byteCnt, samples, samples, parity, TRUE);
1171 }
1172 /* And ready to receive another command. */
1173 UartReset();
1174 /* And also reset the demod code, which might have been */
1175 /* false-triggered by the commands from the reader. */
1176 DemodReset();
1177 }
1178 ReaderIsActive = (Uart.state != STATE_UNSYNCD);
1179 }
1180
1181 if(!ReaderIsActive) { // no need to try decoding tag data if the reader is sending - and we cannot afford the time
1182 if(Handle14443bSamplesDemod(ci & 0xFE, cq & 0xFE)) {
1183
1184 //Use samples as a time measurement
1185 if(tracing)
1186 {
1187 uint8_t parity[MAX_PARITY_SIZE];
1188 //GetParity(Demod.output, Demod.len, parity);
1189 LogTrace(Demod.output, Demod.len, samples, samples, parity, FALSE);
1190 }
1191 triggered = TRUE;
1192
1193 // And ready to receive another response.
1194 DemodReset();
1195 }
1196 TagIsActive = (Demod.state > DEMOD_GOT_FALLING_EDGE_OF_SOF);
1197 }
1198
1199 }
1200
1201 FpgaDisableSscDma();
1202 LEDsoff();
1203 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
1204 DbpString("Snoop statistics:");
1205 Dbprintf(" Max behind by: %i", maxBehindBy);
1206 Dbprintf(" Uart State: %x", Uart.state);
1207 Dbprintf(" Uart ByteCnt: %i", Uart.byteCnt);
1208 Dbprintf(" Uart ByteCntMax: %i", Uart.byteCntMax);
1209 Dbprintf(" Trace length: %i", BigBuf_get_traceLen());
1210 }
1211
1212
1213 /*
1214 * Send raw command to tag ISO14443B
1215 * @Input
1216 * datalen len of buffer data
1217 * recv bool when true wait for data from tag and send to client
1218 * powerfield bool leave the field on when true
1219 * data buffer with byte to send
1220 *
1221 * @Output
1222 * none
1223 *
1224 */
1225 void SendRawCommand14443B(uint32_t datalen, uint32_t recv, uint8_t powerfield, uint8_t data[])
1226 {
1227 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1228 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1229 FpgaSetupSsc();
1230
1231 set_tracing(TRUE);
1232
1233 /* if(!powerfield) {
1234 // Make sure that we start from off, since the tags are stateful;
1235 // confusing things will happen if we don't reset them between reads.
1236 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1237 LED_D_OFF();
1238 SpinDelay(200);
1239 }
1240 */
1241
1242 // if(!GETBIT(GPIO_LED_D)) { // if field is off
1243 // FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
1244 // // Signal field is on with the appropriate LED
1245 // LED_D_ON();
1246 // SpinDelay(200);
1247 // }
1248
1249 CodeAndTransmit14443bAsReader(data, datalen);
1250
1251 if(recv) {
1252 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
1253 uint16_t iLen = MIN(Demod.len, USB_CMD_DATA_SIZE);
1254 cmd_send(CMD_ACK, iLen, 0, 0, Demod.output, iLen);
1255 }
1256
1257 if(!powerfield) {
1258 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1259 LED_D_OFF();
1260 }
1261 }
1262
Proxmark3 GIT tracking
Impressum, Datenschutz