1 //----------------------------------------------------------------------------- 
   2 // Routines to support ISO 14443 type A. 
   4 // Gerhard de Koning Gans - May 2008 
   5 //----------------------------------------------------------------------------- 
   8 #include "../common/iso14443_crc.c" 
  19 //----------------------------------------------------------------------------- 
  20 // The software UART that receives commands from the reader, and its state 
  22 //----------------------------------------------------------------------------- 
  26         STATE_START_OF_COMMUNICATION
, 
  50 static BOOL 
MillerDecoding(int bit
) 
  56                 Uart
.bitBuffer 
= bit 
^ 0xFF0; 
  61                 Uart
.bitBuffer 
^= bit
; 
  66         if(Uart
.state 
!= STATE_UNSYNCD
) { 
  69                 if((Uart
.bitBuffer 
& Uart
.syncBit
) ^ Uart
.syncBit
) { 
  75                 if(((Uart
.bitBuffer 
<< 1) & Uart
.syncBit
) ^ Uart
.syncBit
) { 
  81                 if(bit 
!= bitright
) { bit 
= bitright
; } 
  83                 if(Uart
.posCnt 
== 1) { 
  84                         // measurement first half bitperiod 
  86                                 Uart
.drop 
= DROP_FIRST_HALF
; 
  90                         // measurement second half bitperiod 
  91                         if(!bit 
& (Uart
.drop 
== DROP_NONE
)) { 
  92                                 Uart
.drop 
= DROP_SECOND_HALF
; 
  95                                 // measured a drop in first and second half 
  96                                 // which should not be possible 
  97                                 Uart
.state 
= STATE_ERROR_WAIT
; 
 104                                 case STATE_START_OF_COMMUNICATION
: 
 106                                         if(Uart
.drop 
== DROP_SECOND_HALF
) { 
 107                                                 // error, should not happen in SOC 
 108                                                 Uart
.state 
= STATE_ERROR_WAIT
; 
 113                                                 Uart
.state 
= STATE_MILLER_Z
; 
 120                                         if(Uart
.drop 
== DROP_NONE
) { 
 121                                                 // logic '0' followed by sequence Y 
 122                                                 // end of communication 
 123                                                 Uart
.state 
= STATE_UNSYNCD
; 
 126                                         // if(Uart.drop == DROP_FIRST_HALF) { 
 127                                         //      Uart.state = STATE_MILLER_Z; stay the same 
 128                                         //      we see a logic '0' } 
 129                                         if(Uart
.drop 
== DROP_SECOND_HALF
) { 
 130                                                 // we see a logic '1' 
 131                                                 Uart
.shiftReg 
|= 0x100; 
 132                                                 Uart
.state 
= STATE_MILLER_X
; 
 138                                         if(Uart
.drop 
== DROP_NONE
) { 
 139                                                 // sequence Y, we see a '0' 
 140                                                 Uart
.state 
= STATE_MILLER_Y
; 
 143                                         if(Uart
.drop 
== DROP_FIRST_HALF
) { 
 144                                                 // Would be STATE_MILLER_Z 
 145                                                 // but Z does not follow X, so error 
 146                                                 Uart
.state 
= STATE_ERROR_WAIT
; 
 149                                         if(Uart
.drop 
== DROP_SECOND_HALF
) { 
 150                                                 // We see a '1' and stay in state X 
 151                                                 Uart
.shiftReg 
|= 0x100; 
 159                                         if(Uart
.drop 
== DROP_NONE
) { 
 160                                                 // logic '0' followed by sequence Y 
 161                                                 // end of communication 
 162                                                 Uart
.state 
= STATE_UNSYNCD
; 
 165                                         if(Uart
.drop 
== DROP_FIRST_HALF
) { 
 167                                                 Uart
.state 
= STATE_MILLER_Z
; 
 169                                         if(Uart
.drop 
== DROP_SECOND_HALF
) { 
 170                                                 // We see a '1' and go to state X 
 171                                                 Uart
.shiftReg 
|= 0x100; 
 172                                                 Uart
.state 
= STATE_MILLER_X
; 
 176                                 case STATE_ERROR_WAIT
: 
 177                                         // That went wrong. Now wait for at least two bit periods 
 178                                         // and try to sync again 
 179                                         if(Uart
.drop 
== DROP_NONE
) { 
 181                                                 Uart
.state 
= STATE_UNSYNCD
; 
 186                                         Uart
.state 
= STATE_UNSYNCD
; 
 191                         Uart
.drop 
= DROP_NONE
; 
 193                         // should have received at least one whole byte... 
 194                         if((Uart
.bitCnt 
== 2) && EOC 
&& (Uart
.byteCnt 
> 0)) { 
 198                         if(Uart
.bitCnt 
== 9) { 
 199                                 Uart
.output
[Uart
.byteCnt
] = (Uart
.shiftReg 
& 0xff); 
 202                                 Uart
.parityBits 
<<= 1; 
 203                                 Uart
.parityBits 
^= ((Uart
.shiftReg 
>> 8) & 0x01); 
 206                                         // when End of Communication received and 
 207                                         // all data bits processed.. 
 214                                 Uart.output[Uart.byteCnt] = 0xAA; 
 216                                 Uart.output[Uart.byteCnt] = error & 0xFF; 
 218                                 Uart.output[Uart.byteCnt] = 0xAA; 
 220                                 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF; 
 222                                 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF; 
 224                                 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF; 
 226                                 Uart.output[Uart.byteCnt] = 0xAA; 
 234                 bit 
= Uart
.bitBuffer 
& 0xf0; 
 238                         // should have been high or at least (4 * 128) / fc 
 239                         // according to ISO this should be at least (9 * 128 + 20) / fc 
 240                         if(Uart
.highCnt 
== 8) { 
 241                                 // we went low, so this could be start of communication 
 242                                 // it turns out to be safer to choose a less significant 
 243                                 // syncbit... so we check whether the neighbour also represents the drop 
 244                                 Uart
.posCnt 
= 1;   // apparently we are busy with our first half bit period 
 245                                 Uart
.syncBit 
= bit 
& 8; 
 247                                 if(!Uart
.syncBit
)       { Uart
.syncBit 
= bit 
& 4; Uart
.samples 
= 2; } 
 248                                 else if(bit 
& 4)        { Uart
.syncBit 
= bit 
& 4; Uart
.samples 
= 2; bit 
<<= 2; } 
 249                                 if(!Uart
.syncBit
)       { Uart
.syncBit 
= bit 
& 2; Uart
.samples 
= 1; } 
 250                                 else if(bit 
& 2)        { Uart
.syncBit 
= bit 
& 2; Uart
.samples 
= 1; bit 
<<= 1; } 
 251                                 if(!Uart
.syncBit
)       { Uart
.syncBit 
= bit 
& 1; Uart
.samples 
= 0; 
 252                                         if(Uart
.syncBit 
& (Uart
.bitBuffer 
& 8)) { 
 255                                                 // the first half bit period is expected in next sample 
 260                                 else if(bit 
& 1)        { Uart
.syncBit 
= bit 
& 1; Uart
.samples 
= 0; } 
 263                                 Uart
.state 
= STATE_START_OF_COMMUNICATION
; 
 264                                 Uart
.drop 
= DROP_FIRST_HALF
; 
 275                         if(Uart
.highCnt 
< 8) { 
 284 //============================================================================= 
 285 // ISO 14443 Type A - Manchester 
 286 //============================================================================= 
 291                 DEMOD_START_OF_COMMUNICATION
, 
 314 static BOOL 
ManchesterDecoding(int v
) 
 330         if(Demod
.state
==DEMOD_UNSYNCD
) { 
 331                 Demod
.output
[Demod
.len
] = 0xfa; 
 334                 Demod
.posCount 
= 1;             // This is the first half bit period, so after syncing handle the second part 
 335                 if(bit 
& 0x08) { Demod
.syncBit 
= 0x08; } 
 337                         if(bit 
& 0x04) { Demod
.syncBit 
= 0x04; } 
 339                 else if(bit 
& 0x04) { Demod
.syncBit 
= 0x04; bit 
<<= 4; } 
 341                         if(bit 
& 0x02) { Demod
.syncBit 
= 0x02; } 
 343                 else if(bit 
& 0x02) { Demod
.syncBit 
= 0x02; bit 
<<= 4; } 
 345                         if(bit 
& 0x01) { Demod
.syncBit 
= 0x01; } 
 347                         if(Demod
.syncBit 
& (Demod
.buffer 
& 0x08)) { 
 348                                 Demod
.syncBit 
= 0x08; 
 350                                 // The first half bitperiod is expected in next sample 
 352                                 Demod
.output
[Demod
.len
] = 0xfb; 
 355                 else if(bit 
& 0x01) { Demod
.syncBit 
= 0x01; } 
 359                         Demod
.state 
= DEMOD_START_OF_COMMUNICATION
; 
 360                         Demod
.sub 
= SUB_FIRST_HALF
; 
 363                         Demod
.parityBits 
= 0; 
 366                                 switch(Demod
.syncBit
) { 
 367                                         case 0x08: Demod
.samples 
= 3; break; 
 368                                         case 0x04: Demod
.samples 
= 2; break; 
 369                                         case 0x02: Demod
.samples 
= 1; break; 
 370                                         case 0x01: Demod
.samples 
= 0; break; 
 377                 //modulation = bit & Demod.syncBit; 
 378                 modulation 
= ((bit 
<< 1) ^ ((Demod
.buffer 
& 0x08) >> 3)) & Demod
.syncBit
; 
 382                 if(Demod
.posCount
==0) { 
 385                                 Demod
.sub 
= SUB_FIRST_HALF
; 
 388                                 Demod
.sub 
= SUB_NONE
; 
 393                         if(modulation 
&& (Demod
.sub 
== SUB_FIRST_HALF
)) { 
 394                                 if(Demod
.state
!=DEMOD_ERROR_WAIT
) { 
 395                                         Demod
.state 
= DEMOD_ERROR_WAIT
; 
 396                                         Demod
.output
[Demod
.len
] = 0xaa; 
 400                         else if(modulation
) { 
 401                                 Demod
.sub 
= SUB_SECOND_HALF
; 
 404                         switch(Demod
.state
) { 
 405                                 case DEMOD_START_OF_COMMUNICATION
: 
 406                                         if(Demod
.sub 
== SUB_FIRST_HALF
) { 
 407                                                 Demod
.state 
= DEMOD_MANCHESTER_D
; 
 410                                                 Demod
.output
[Demod
.len
] = 0xab; 
 411                                                 Demod
.state 
= DEMOD_ERROR_WAIT
; 
 416                                 case DEMOD_MANCHESTER_D
: 
 417                                 case DEMOD_MANCHESTER_E
: 
 418                                         if(Demod
.sub 
== SUB_FIRST_HALF
) { 
 420                                                 Demod
.shiftReg 
= (Demod
.shiftReg 
>> 1) ^ 0x100; 
 421                                                 Demod
.state 
= DEMOD_MANCHESTER_D
; 
 423                                         else if(Demod
.sub 
== SUB_SECOND_HALF
) { 
 425                                                 Demod
.shiftReg 
>>= 1; 
 426                                                 Demod
.state 
= DEMOD_MANCHESTER_E
; 
 429                                                 Demod
.state 
= DEMOD_MANCHESTER_F
; 
 433                                 case DEMOD_MANCHESTER_F
: 
 434                                         // Tag response does not need to be a complete byte! 
 435                                         if(Demod
.len 
> 0 || Demod
.bitCount 
> 0) { 
 436                                                 if(Demod
.bitCount 
> 0) { 
 437                                                         Demod
.shiftReg 
>>= (9 - Demod
.bitCount
); 
 438                                                         Demod
.output
[Demod
.len
] = Demod
.shiftReg 
& 0xff; 
 440                                                         // No parity bit, so just shift a 0 
 441                                                         Demod
.parityBits 
<<= 1; 
 444                                                 Demod
.state 
= DEMOD_UNSYNCD
; 
 448                                                 Demod
.output
[Demod
.len
] = 0xad; 
 449                                                 Demod
.state 
= DEMOD_ERROR_WAIT
; 
 454                                 case DEMOD_ERROR_WAIT
: 
 455                                         Demod
.state 
= DEMOD_UNSYNCD
; 
 459                                         Demod
.output
[Demod
.len
] = 0xdd; 
 460                                         Demod
.state 
= DEMOD_UNSYNCD
; 
 464                         if(Demod
.bitCount
>=9) { 
 465                                 Demod
.output
[Demod
.len
] = Demod
.shiftReg 
& 0xff; 
 468                                 Demod
.parityBits 
<<= 1; 
 469                                 Demod
.parityBits 
^= ((Demod
.shiftReg 
>> 8) & 0x01); 
 476                                 Demod.output[Demod.len] = 0xBB; 
 478                                 Demod.output[Demod.len] = error & 0xFF; 
 480                                 Demod.output[Demod.len] = 0xBB; 
 482                                 Demod.output[Demod.len] = bit & 0xFF; 
 484                                 Demod.output[Demod.len] = Demod.buffer & 0xFF; 
 486                                 Demod.output[Demod.len] = Demod.syncBit & 0xFF; 
 488                                 Demod.output[Demod.len] = 0xBB; 
 495         } // end (state != UNSYNCED) 
 500 //============================================================================= 
 501 // Finally, a `sniffer' for ISO 14443 Type A 
 502 // Both sides of communication! 
 503 //============================================================================= 
 505 //----------------------------------------------------------------------------- 
 506 // Record the sequence of commands sent by the reader to the tag, with 
 507 // triggering so that we start recording at the point that the tag is moved 
 509 //----------------------------------------------------------------------------- 
 510 void SnoopIso14443a(void) 
 513         // BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT.
             // BigBuf layout used by the sniffer (byte offsets): trace occupies
             // [0, TRACE_LENGTH) with only RECV_CMD_OFFSET - TRACE_LENGTH = 32 bytes of
             // slack before receivedCmd [RECV_CMD_OFFSET, RECV_RES_OFFSET), then
             // receivedResponse [RECV_RES_OFFSET, DMA_BUFFER_OFFSET), then the DMA ring of
             // DMA_BUFFER_SIZE bytes. BigBuf must therefore hold at least
             // DMA_BUFFER_OFFSET + DMA_BUFFER_SIZE (7256) bytes; its size is not visible
             // in this file - confirm before changing any of these offsets.
 515         #define RECV_CMD_OFFSET         3032 
 516         #define RECV_RES_OFFSET         3096 
 517         #define DMA_BUFFER_OFFSET       3160 
 518         #define DMA_BUFFER_SIZE         4096 
 519         #define TRACE_LENGTH            3000 
 521 //      #define RECV_CMD_OFFSET         2032    // original (working as of 21/2/09) values 
 522 //      #define RECV_RES_OFFSET         2096    // original (working as of 21/2/09) values 
 523 //      #define DMA_BUFFER_OFFSET       2160    // original (working as of 21/2/09) values 
 524 //      #define DMA_BUFFER_SIZE         4096    // original (working as of 21/2/09) values 
 525 //      #define TRACE_LENGTH            2000    // original (working as of 21/2/09) values 
 527     // We won't start recording the frames that we acquire until we trigger; 
 528     // a good trigger condition to get started is probably when we see a 
 529     // response from the tag. NOTE: `triggered` is initialised to TRUE below, 
         // so as written no trigger is awaited and recording starts immediately. 
 530     BOOL triggered 
= TRUE
; // FALSE to wait first for card 
 532     // The command (reader -> tag) that we're receiving. 
 533         // The length of a received command will in most cases be no more than 18 bytes, 
 534         // so Uart.byteCntMax = 32 (set below) should be enough. Reader frames are 
             // untrusted input: byteCntMax is what the Miller decoder is expected to enforce 
             // on writes into receivedCmd (the check itself is outside this excerpt - confirm). 
             // receivedCmd has only RECV_RES_OFFSET - RECV_CMD_OFFSET = 64 bytes before 
             // receivedResponse starts, so byteCntMax must never exceed 64 (the earlier 
             // value of 100 noted below would have overrun into the response buffer). 
 535     BYTE 
*receivedCmd 
= (((BYTE 
*)BigBuf
) + RECV_CMD_OFFSET
); 
 536     // The response (tag -> reader) that we're receiving. 
 537     BYTE 
*receivedResponse 
= (((BYTE 
*)BigBuf
) + RECV_RES_OFFSET
); 
 539     // As we receive stuff, we copy it from receivedCmd or receivedResponse 
 540     // into trace, along with its length and other annotations. 
 541     BYTE 
*trace 
= (BYTE 
*)BigBuf
; 
 544     // The DMA buffer, used to stream samples from the FPGA 
 545     SBYTE 
*dmaBuf 
= ((SBYTE 
*)BigBuf
) + DMA_BUFFER_OFFSET
; 
 551     // Count of samples received so far, so that we can include timing 
 552     // information in the trace buffer. 
 556     memset(trace
, 0x44, RECV_CMD_OFFSET
); 
 558     // Set up the demodulator for tag -> reader responses. 
 559     Demod
.output 
= receivedResponse
; 
 561     Demod
.state 
= DEMOD_UNSYNCD
; 
 563     // And the reader -> tag commands 
 564     memset(&Uart
, 0, sizeof(Uart
)); 
 565     Uart
.output 
= receivedCmd
; 
 566     Uart
.byteCntMax 
= 32; // was 100 (greg)//////////////////////////////////////////////////////////////////////// 
 567     Uart
.state 
= STATE_UNSYNCD
; 
 569     // And put the FPGA in the appropriate mode 
 570     // Signal field is off with the appropriate LED 
 572     FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A 
| FPGA_HF_ISO14443A_SNIFFER
); 
 573     SetAdcMuxFor(GPIO_MUXSEL_HIPKD
); 
 575         // Setup for the DMA. 
 578     lastRxCounter 
= DMA_BUFFER_SIZE
; 
 579     FpgaSetupSscDma((BYTE 
*)dmaBuf
, DMA_BUFFER_SIZE
); 
 583     // And now we loop, receiving samples. 
 586         int behindBy 
= (lastRxCounter 
- AT91C_BASE_PDC_SSC
->PDC_RCR
) & 
 588         if(behindBy 
> maxBehindBy
) { 
 589             maxBehindBy 
= behindBy
; 
 591                 DbpString("blew circular buffer!"); 
 595         if(behindBy 
< 1) continue; 
 600         if(upTo 
- dmaBuf 
> DMA_BUFFER_SIZE
) { 
 601             upTo 
-= DMA_BUFFER_SIZE
; 
 602             lastRxCounter 
+= DMA_BUFFER_SIZE
; 
 603             AT91C_BASE_PDC_SSC
->PDC_RNPR 
= (DWORD
)upTo
; 
 604             AT91C_BASE_PDC_SSC
->PDC_RNCR 
= DMA_BUFFER_SIZE
; 
 608 #define HANDLE_BIT_IF_BODY \ 
 611                                 trace[traceLen++] = ((rsamples >>  0) & 0xff); \ 
 612                 trace[traceLen++] = ((rsamples >>  8) & 0xff); \ 
 613                 trace[traceLen++] = ((rsamples >> 16) & 0xff); \ 
 614                 trace[traceLen++] = ((rsamples >> 24) & 0xff); \ 
 615                                 trace[traceLen++] = ((Uart.parityBits >>  0) & 0xff); \ 
 616                                 trace[traceLen++] = ((Uart.parityBits >>  8) & 0xff); \ 
 617                                 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff); \ 
 618                                 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff); \ 
 619                 trace[traceLen++] = Uart.byteCnt; \ 
 620                 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); \ 
 621                 traceLen += Uart.byteCnt; \ 
 622                 if(traceLen > TRACE_LENGTH) break; \ 
 624             /* NOTE(review): the TRACE_LENGTH check above runs only after the 9 header */ \
                 /* bytes and the Uart.byteCnt payload bytes have already been written, so a */ \
                 /* single record can run up to 9 + Uart.byteCnt bytes past TRACE_LENGTH. */ \
                 /* With only 32 bytes of slack before RECV_CMD_OFFSET that can reach into */ \
                 /* receivedCmd (and then the memcpy source and destination overlap). */ \
                 /* Test traceLen + 9 + Uart.byteCnt > TRACE_LENGTH before the first write. */ \
                 /* And ready to receive another command. */ \
 625             Uart.state = STATE_UNSYNCD; \ 
 626             /* And also reset the demod code, which might have been */ \ 
 627             /* false-triggered by the commands from the reader. */ \ 
 628             Demod.state = DEMOD_UNSYNCD; \ 
 631                 if(MillerDecoding((smpl & 0xF0) >> 4)) { 
 632             rsamples 
= samples 
- Uart
.samples
; 
 635                 if(ManchesterDecoding(smpl 
& 0x0F)) { 
 636                         rsamples 
= samples 
- Demod
.samples
; 
 639                         // timestamp, as a count of samples 
 640                         trace
[traceLen
++] = ((rsamples 
>>  0) & 0xff); 
 641                         trace
[traceLen
++] = ((rsamples 
>>  8) & 0xff); 
 642                         trace
[traceLen
++] = ((rsamples 
>> 16) & 0xff); 
 643                         trace
[traceLen
++] = 0x80 | ((rsamples 
>> 24) & 0xff); 
 644                         trace
[traceLen
++] = ((Demod
.parityBits 
>>  0) & 0xff); 
 645                         trace
[traceLen
++] = ((Demod
.parityBits 
>>  8) & 0xff); 
 646                         trace
[traceLen
++] = ((Demod
.parityBits 
>> 16) & 0xff); 
 647                         trace
[traceLen
++] = ((Demod
.parityBits 
>> 24) & 0xff); 
 649                         trace
[traceLen
++] = Demod
.len
; 
 650                         memcpy(trace
+traceLen
, receivedResponse
, Demod
.len
); 
 651                         traceLen 
+= Demod
.len
; 
 652                         if(traceLen 
> TRACE_LENGTH
) break; 
 656             // And ready to receive another response. 
                 // NOTE(review): as on the command path, the TRACE_LENGTH check above fires 
                 // only after the 9-byte header and Demod.len payload bytes have been written, 
                 // and no cap on Demod.len is visible in this excerpt, so a long tag response 
                 // can run past the 32 bytes of slack before RECV_CMD_OFFSET. Bound the 
                 // record (traceLen + 9 + Demod.len > TRACE_LENGTH) before writing it. 
 657             memset(&Demod
, 0, sizeof(Demod
)); 
 658             Demod
.output 
= receivedResponse
; 
 659             Demod
.state 
= DEMOD_UNSYNCD
; 
 664             DbpString("cancelled_a"); 
 669     DbpString("COMMAND FINISHED"); 
 671     DbpIntegers(maxBehindBy
, Uart
.state
, Uart
.byteCnt
); 
 672     DbpIntegers(Uart
.byteCntMax
, traceLen
, (int)Uart
.output
[0]); 
 675     AT91C_BASE_PDC_SSC
->PDC_PTCR 
= AT91C_PDC_RXTDIS
; 
 676     DbpIntegers(maxBehindBy
, Uart
.state
, Uart
.byteCnt
); 
 677     DbpIntegers(Uart
.byteCntMax
, traceLen
, (int)Uart
.output
[0]); 
 684 // Prepare communication bits to send to FPGA 
 685 void Sequence(SecType seq
) 
 691                 // Sequence D: 11110000 
 692                 // modulation with subcarrier during first half 
 693         ToSend
[ToSendMax
] = 0xf0; 
 696                 // Sequence E: 00001111 
 697                 // modulation with subcarrier during second half 
 698         ToSend
[ToSendMax
] = 0x0f; 
 701                 // Sequence F: 00000000 
 702                 // no modulation with subcarrier 
 703         ToSend
[ToSendMax
] = 0x00; 
 707                 // Sequence X: 00001100 
 708                 // drop after half a period 
 709         ToSend
[ToSendMax
] = 0x0c; 
 713                 // Sequence Y: 00000000 
 715         ToSend
[ToSendMax
] = 0x00; 
 718                 // Sequence Z: 11000000 
 720         ToSend
[ToSendMax
] = 0xc0; 
 725 //----------------------------------------------------------------------------- 
 726 // Prepare tag messages 
 727 //----------------------------------------------------------------------------- 
 728 static void CodeIso14443aAsTag(const BYTE 
*cmd
, int len
) 
 735         // Correction bit, might be removed when not needed 
 740         ToSendStuffBit(1);  // 1 
 748     for(i 
= 0; i 
< len
; i
++) { 
 754                 for(j 
= 0; j 
< 8; j
++) { 
 755             oddparity 
^= (b 
& 1); 
 775         // Flush the buffer in FPGA!! 
 776         for(i 
= 0; i 
< 5; i
++) { 
 780     // Convert from last byte pos to length 
 783     // Add a few more for slop 
 784     ToSend
[ToSendMax
++] = 0x00; 
 785         ToSend
[ToSendMax
++] = 0x00; 
 789 //----------------------------------------------------------------------------- 
 790 // This is to send a NACK kind of answer; it's only 3 bits, I know it should be 4 
 791 //----------------------------------------------------------------------------- 
 792 static void CodeStrangeAnswer() 
 798         // Correction bit, might be removed when not needed 
 803         ToSendStuffBit(1);  // 1 
 823         // Flush the buffer in FPGA!! 
 824         for(i 
= 0; i 
< 5; i
++) { 
 828     // Convert from last byte pos to length 
 831     // Add a few more for slop 
 832     ToSend
[ToSendMax
++] = 0x00; 
 833         ToSend
[ToSendMax
++] = 0x00; 
 837 //----------------------------------------------------------------------------- 
 838 // Wait for commands from reader 
 839 // Stop when button is pressed 
 840 // Or return TRUE when command is captured 
 841 //----------------------------------------------------------------------------- 
 842 static BOOL 
GetIso14443aCommandFromReader(BYTE 
*received
, int *len
, int maxLen
) 
 844     // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen 
 845     // only, since we are receiving, not transmitting). 
 846     // Signal field is off with the appropriate LED 
 848     FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A 
| FPGA_HF_ISO14443A_TAGSIM_LISTEN
); 
 850     // Now run a `software UART' on the stream of incoming samples. 
 851     Uart
.output 
= received
; 
 852     Uart
.byteCntMax 
= maxLen
; 
 853     Uart
.state 
= STATE_UNSYNCD
; 
 858         if(BUTTON_PRESS()) return FALSE
; 
 860         if(AT91C_BASE_SSC
->SSC_SR 
& (AT91C_SSC_TXRDY
)) { 
 861             AT91C_BASE_SSC
->SSC_THR 
= 0x00; 
 863         if(AT91C_BASE_SSC
->SSC_SR 
& (AT91C_SSC_RXRDY
)) { 
 864             BYTE b 
= (BYTE
)AT91C_BASE_SSC
->SSC_RHR
; 
 865                         if(MillerDecoding((b 
& 0xf0) >> 4)) { 
 869                         if(MillerDecoding(b 
& 0x0f)) { 
 877 //----------------------------------------------------------------------------- 
 878 // Main loop of simulated tag: receive commands from reader, decide what 
 879 // response to send, and send it. 
 880 //----------------------------------------------------------------------------- 
 881 void SimulateIso14443aTag(int tagType
, int TagUid
) 
 883         // This function contains the tag emulation 
 885         // Prepare protocol messages 
 886     // static const BYTE cmd1[] = { 0x26 }; 
 887 //     static const BYTE response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg 
 889         static const BYTE response1
[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me 
 890 //      static const BYTE response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me 
 893     // static const BYTE cmd2[] = { 0x93, 0x20 }; 
 894     //static const BYTE response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg 
 899     static const BYTE response2
[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips 
 902 // When reader selects us during cascade1 it will send cmd3 
 903 //BYTE response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE) 
 904 BYTE response3
[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire) 
 905 ComputeCrc14443(CRC_14443_A
, response3
, 1, &response3
[1], &response3
[2]); 
 907 // send cascade2 2nd half of UID 
 908 static const BYTE response2a
[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; //  uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck 
 909 // NOTE: the trailing check byte of response2a is the BCC (see the comment above), 
     // which is computed over the four UID bytes, not a CRC. Because the UID was 
     // obfuscated, that byte is probably wrong and a real reader would reject the 
     // frame - recompute the BCC from whatever UID bytes are actually used. 
 912 // When reader selects us during cascade2 it will send cmd3a 
 913 //BYTE response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE) 
 914 BYTE response3a
[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire) 
 915 ComputeCrc14443(CRC_14443_A
, response3a
, 1, &response3a
[1], &response3a
[2]); 
 917     static const BYTE response5
[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce 
 922     // Longest possible response will be 16 bytes + 2 CRC = 18 bytes 
 924         //    144        data bits (18 * 8) 
 927         //      1        Correction bit (Answer in 1172 or 1236 periods, see FPGA) 
 928         //      1        just for the case 
 932         // 166 bytes, since every bit that needs to be sent costs us a byte. 
             // NOTE(review): the response slots below are 170 bytes apart except 
             // resp3a (1480) -> resp4 (1550), which leaves only 70 bytes. That only 
             // works because response3a is 3 bytes and the "strange answer" is a few 
             // bits; a full 18-byte response in resp3a would overrun into resp4, and the 
             // memcpy(respN, ToSend, ToSendMax) calls do not check the slot size. 
 936     // Respond with card type 
 937     BYTE 
*resp1 
= (((BYTE 
*)BigBuf
) + 800); 
 940     // Anticollision cascade1 - respond with uid 
 941     BYTE 
*resp2 
= (((BYTE 
*)BigBuf
) + 970); 
 944     // Anticollision cascade2 - respond with 2nd half of uid if asked 
 945     // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88, 
         // the ISO 14443-3 cascade tag that tells the reader a second cascade level follows 
 946     BYTE 
*resp2a 
= (((BYTE 
*)BigBuf
) + 1140); 
 949     // Acknowledge select - cascade 1 
 950     BYTE 
*resp3 
= (((BYTE 
*)BigBuf
) + 1310); 
 953     // Acknowledge select - cascade 2 
 954     BYTE 
*resp3a 
= (((BYTE 
*)BigBuf
) + 1480); 
 957     // Response to a read request - not implemented atm 
 958     BYTE 
*resp4 
= (((BYTE 
*)BigBuf
) + 1550); 
 961     // Authenticate response - nonce 
 962     BYTE 
*resp5 
= (((BYTE 
*)BigBuf
) + 1720); 
 965     BYTE 
*receivedCmd 
= (BYTE 
*)BigBuf
; 
 972         // To control where we are in the protocol 
 976         // Just to allow some checks 
 984     memset(receivedCmd
, 0x44, 400); 
 986         // Prepare the responses of the anticollision phase 
 987         // there will not be enough time to do this at the moment the reader sends its REQA 
 990         CodeIso14443aAsTag(response1
, sizeof(response1
)); 
 991     memcpy(resp1
, ToSend
, ToSendMax
); resp1Len 
= ToSendMax
; 
 993         // Send our UID (cascade 1) 
 994         CodeIso14443aAsTag(response2
, sizeof(response2
)); 
 995     memcpy(resp2
, ToSend
, ToSendMax
); resp2Len 
= ToSendMax
; 
 997         // Answer to select (cascade1) 
 998         CodeIso14443aAsTag(response3
, sizeof(response3
)); 
 999     memcpy(resp3
, ToSend
, ToSendMax
); resp3Len 
= ToSendMax
; 
1001         // Send the cascade 2 2nd part of the uid 
1002         CodeIso14443aAsTag(response2a
, sizeof(response2a
)); 
1003     memcpy(resp2a
, ToSend
, ToSendMax
); resp2aLen 
= ToSendMax
; 
1005         // Answer to select (cascade 2) 
1006         CodeIso14443aAsTag(response3a
, sizeof(response3a
)); 
1007     memcpy(resp3a
, ToSend
, ToSendMax
); resp3aLen 
= ToSendMax
; 
1009         // Strange answer is an example of rare message size (3 bits) 
1010         CodeStrangeAnswer(); 
1011         memcpy(resp4
, ToSend
, ToSendMax
); resp4Len 
= ToSendMax
; 
1013         // Authentication answer. response5 is a fixed all-zero "nonce", not a random 
             // one, so a simulated authentication is fully replayable - acceptable for a 
             // test emulator only; do not reuse this as a real tag nonce source. 
1014         CodeIso14443aAsTag(response5
, sizeof(response5
)); 
1015     memcpy(resp5
, ToSend
, ToSendMax
); resp5Len 
= ToSendMax
; 
1017     // We need to listen to the high-frequency, peak-detected path. 
1018     SetAdcMuxFor(GPIO_MUXSEL_HIPKD
); 
1026                 if(!GetIso14443aCommandFromReader(receivedCmd
, &len
, 100)) { 
1027             DbpString("button press"); 
1030         // doob - added lots of debug strings so we can see what the reader is saying to us during the sim, since hi14alist is not populated 
1031         // Okay, look at the command now. 
             // NOTE(review): the branches below compare receivedCmd[1] without consulting len, 
             // so for a one-byte frame the second byte is whatever the previous command (or 
             // the initial 0x44 memset) left there. Check len before reading past byte 0. 
1033                 i 
= 1; // first byte transmitted 
1034         if(receivedCmd
[0] == 0x26) { 
1035                         // Received a REQUEST 
1036                         resp 
= resp1
; respLen 
= resp1Len
; order 
= 1; 
1037                         //DbpString("Hello request from reader:"); 
1038                 } else if(receivedCmd
[0] == 0x52) { 
1039                         // Received a WAKEUP 
1040                         resp 
= resp1
; respLen 
= resp1Len
; order 
= 6; 
1041 //                      //DbpString("Wakeup request from reader:"); 
1043                 } else if(receivedCmd
[1] == 0x20 && receivedCmd
[0] == 0x93) {   // greg - cascade 1 anti-collision 
1044                         // Received request for UID (cascade 1) 
1045                         resp 
= resp2
; respLen 
= resp2Len
; order 
= 2; 
1046 //                      DbpString("UID (cascade 1) request from reader:"); 
1047 //                      DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]); 
1050                 } else if(receivedCmd
[1] == 0x20 && receivedCmd
[0] ==0x95) {    // greg - cascade 2 anti-collision 
1051                         // Received request for UID (cascade 2) 
1052                         resp 
= resp2a
; respLen 
= resp2aLen
; order 
= 20; 
1053 //                      DbpString("UID (cascade 2) request from reader:"); 
1054 //                      DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]); 
1057                 } else if(receivedCmd
[1] == 0x70 && receivedCmd
[0] ==0x93) {    // greg - cascade 1 select 
1058                         // Received a SELECT 
1059                         resp 
= resp3
; respLen 
= resp3Len
; order 
= 3; 
1060 //                      DbpString("Select (cascade 1) request from reader:"); 
1061 //                      DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]); 
1064                 } else if(receivedCmd
[1] == 0x70 && receivedCmd
[0] ==0x95) {    // greg - cascade 2 select 
1065                         // Received a SELECT 
1066                         resp 
= resp3a
; respLen 
= resp3aLen
; order 
= 30; 
1067 //                      DbpString("Select (cascade 2) request from reader:"); 
1068 //                      DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]); 
1071                 } else if(receivedCmd
[0] == 0x30) { 
1073                         resp 
= resp4
; respLen 
= resp4Len
; order 
= 4; // Do nothing 
1074                         DbpString("Read request from reader:"); 
1075                         DbpIntegers(receivedCmd
[0], receivedCmd
[1], receivedCmd
[2]); 
1078                 } else if(receivedCmd
[0] == 0x50) { 
1080                         resp 
= resp1
; respLen 
= 0; order 
= 5; // Do nothing 
1081                         DbpString("Reader requested we HALT!:"); 
1083                 } else if(receivedCmd
[0] == 0x60) { 
1084                         // Received an authentication request 
1085                         resp 
= resp5
; respLen 
= resp5Len
; order 
= 7; 
1086                         DbpString("Authenticate request from reader:"); 
1087                         DbpIntegers(receivedCmd
[0], receivedCmd
[1], receivedCmd
[2]); 
1089                 } else if(receivedCmd
[0] == 0xE0) { 
1090                         // Received a RATS request 
1091                         resp 
= resp1
; respLen 
= 0;order 
= 70; 
1092                         DbpString("RATS request from reader:"); 
1093                         DbpIntegers(receivedCmd
[0], receivedCmd
[1], receivedCmd
[2]); 
1095             // Never seen this command before 
1096                         DbpString("Unknown command received from reader:"); 
1097                         DbpIntegers(receivedCmd
[0], receivedCmd
[1], receivedCmd
[2]); 
1098                         DbpIntegers(receivedCmd
[3], receivedCmd
[4], receivedCmd
[5]); 
1099                         DbpIntegers(receivedCmd
[6], receivedCmd
[7], receivedCmd
[8]); 
1102                         resp 
= resp1
; respLen 
= 0; order 
= 0; 
1105                 // Count number of wakeups received after a halt 
1106                 if(order 
== 6 && lastorder 
== 5) { happened
++; } 
1108                 // Count number of other messages after a halt 
1109                 if(order 
!= 6 && lastorder 
== 5) { happened2
++; } 
1111                 // Look at last parity bit to determine timing of answer 
1112                 if((Uart
.parityBits 
& 0x01) || receivedCmd
[0] == 0x52) { 
1113                         // 1236, so correction bit needed 
1117         memset(receivedCmd
, 0x44, 32); 
1119                 if(cmdsRecvd 
> 999) { 
1120                         DbpString("1000 commands later..."); 
1127         if(respLen 
<= 0) continue; 
1129         // Modulate Manchester 
1130                 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A 
| FPGA_HF_ISO14443A_TAGSIM_MOD
); 
1131         AT91C_BASE_SSC
->SSC_THR 
= 0x00; 
1134                 // ### Transmit the response ### 
1137                 fdt_indicator 
= FALSE
; 
1139             if(AT91C_BASE_SSC
->SSC_SR 
& (AT91C_SSC_RXRDY
)) { 
1140                                 volatile BYTE b 
= (BYTE
)AT91C_BASE_SSC
->SSC_RHR
; 
1143             if(AT91C_BASE_SSC
->SSC_SR 
& (AT91C_SSC_TXRDY
)) { 
1151                                 AT91C_BASE_SSC
->SSC_THR 
= b
; 
1157                         if(BUTTON_PRESS()) { 
1164         DbpIntegers(happened
, happened2
, cmdsRecvd
); 
1168 //----------------------------------------------------------------------------- 
1169 // Transmit the command (to the tag) that was placed in ToSend[]. 
1170 //----------------------------------------------------------------------------- 
1171 static void TransmitFor14443a(const BYTE 
*cmd
, int len
, int *samples
, int *wait
) 
1175     FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A 
| FPGA_HF_ISO14443A_READER_MOD
); 
1177         if(*wait 
< 10) { *wait 
= 10; } 
1179     for(c 
= 0; c 
< *wait
;) { 
1180         if(AT91C_BASE_SSC
->SSC_SR 
& (AT91C_SSC_TXRDY
)) { 
1181             AT91C_BASE_SSC
->SSC_THR 
= 0x00;             // For exact timing! 
1184         if(AT91C_BASE_SSC
->SSC_SR 
& (AT91C_SSC_RXRDY
)) { 
1185             volatile DWORD r 
= AT91C_BASE_SSC
->SSC_RHR
; 
1193         if(AT91C_BASE_SSC
->SSC_SR 
& (AT91C_SSC_TXRDY
)) { 
1194             AT91C_BASE_SSC
->SSC_THR 
= cmd
[c
]; 
1200         if(AT91C_BASE_SSC
->SSC_SR 
& (AT91C_SSC_RXRDY
)) { 
1201             volatile DWORD r 
= AT91C_BASE_SSC
->SSC_RHR
; 
1206         *samples 
= (c 
+ *wait
) << 3; 
1209 //----------------------------------------------------------------------------- 
1210 // To generate an arbitrary stream from reader 
1212 //----------------------------------------------------------------------------- 
1213 void ArbitraryFromReader(const BYTE 
*cmd
, int parity
, int len
) 
1222         // Start of Communication (Seq. Z) 
1226         for(i 
= 0; i 
< len
; i
++) { 
1229                 for(j 
= 0; j 
< 8; j
++) { 
1249                 // Predefined parity bit, the flipper flips when needed, because of flips in byte sent 
1250                 if(((parity 
>> (len 
- i 
- 1)) & 1)) { 
1267         // End of Communication 
1285     // Convert from last character reference to length 
1289 //----------------------------------------------------------------------------- 
1290 // Code a 7-bit command without parity bit 
1291 // This is especially for 0x26 and 0x52 (REQA and WUPA) 
1292 //----------------------------------------------------------------------------- 
1293 void ShortFrameFromReader(const BYTE 
*cmd
) 
1301         // Start of Communication (Seq. Z) 
1306         for(j 
= 0; j 
< 7; j
++) { 
1325         // End of Communication 
1343     // Convert from last character reference to length 
1347 //----------------------------------------------------------------------------- 
1348 // Prepare reader command to send to FPGA 
1350 //----------------------------------------------------------------------------- 
1351 void CodeIso14443aAsReader(const BYTE 
*cmd
, int len
) 
1360         // Start of Communication (Seq. Z) 
1364         for(i 
= 0; i 
< len
; i
++) { 
1368         for(j 
= 0; j 
< 8; j
++) { 
1369             oddparity 
^= (b 
& 1); 
1406         // End of Communication 
1424     // Convert from last character reference to length 
1429 //----------------------------------------------------------------------------- 
1430 // Wait a certain time for tag response 
1431 //  If a response is captured return TRUE 
1432 //  If it takes too long, return FALSE
1433 //----------------------------------------------------------------------------- 
1434 static BOOL 
GetIso14443aAnswerFromTag(BYTE 
*receivedResponse
, int maxLen
, int *samples
, int *elapsed
) //BYTE *buffer 
1436         // buffer needs to be 512 bytes 
1439         // Set FPGA mode to "reader listen mode", no modulation (listen 
1440     // only, since we are receiving, not transmitting). 
1441     // Signal field is on with the appropriate LED 
1443     FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A 
| FPGA_HF_ISO14443A_READER_LISTEN
); 
1445     // Now get the answer from the card 
1446     Demod
.output 
= receivedResponse
; 
1448     Demod
.state 
= DEMOD_UNSYNCD
; 
1457         if(AT91C_BASE_SSC
->SSC_SR 
& (AT91C_SSC_TXRDY
)) { 
1458             AT91C_BASE_SSC
->SSC_THR 
= 0x00;  // To make use of exact timing of next command from reader!! 
1461         if(AT91C_BASE_SSC
->SSC_SR 
& (AT91C_SSC_RXRDY
)) { 
1462                         if(c 
< 512) { c
++; } else { return FALSE
; } 
1463             b 
= (BYTE
)AT91C_BASE_SSC
->SSC_RHR
; 
1464                         if(ManchesterDecoding((b 
& 0xf0) >> 4)) { 
1465                                 *samples 
= ((c 
- 1) << 3) + 4; 
1468                         if(ManchesterDecoding(b 
& 0x0f)) { 
1476 //----------------------------------------------------------------------------- 
1477 // Read an ISO 14443a tag. Send out commands and store answers. 
1479 //----------------------------------------------------------------------------- 
1480 void ReaderIso14443a(DWORD parameter
) 
1483         static const BYTE cmd1
[]       = { 0x52 }; // or 0x26 
1484         static const BYTE cmd2
[]       = { 0x93,0x20 }; 
1485         // UID = 0x2a,0x69,0x8d,0x43,0x8d, last two bytes are CRC bytes 
1486         BYTE cmd3
[] = { 0x93,0x70,0x2a,0x69,0x8d,0x43,0x8d,0x52,0x55 }; 
1488         // For Ultralight add an extra anticollission layer -> 95 20 and then 95 70 
1490         // greg - here we will add our cascade level 2 anticolission and select functions to deal with ultralight               // and 7-byte UIDs in generall... 
1491         BYTE cmd4
[] = {0x95,0x20};      // ask for cascade 2 select 
1493         //BYTE cmd3a[] = { 0x95,0x70,0x2a,0x69,0x8d,0x43,0x8d,0x52,0x55 }; 
1497         BYTE cmd5
[] = { 0x95,0x70,0x2a,0x69,0x8d,0x43,0x8d,0x52,0x55 }; 
1500         // RATS (request for answer to select) 
1501         //BYTE cmd6[] = { 0xe0,0x50,0xbc,0xa5 };  // original RATS 
1502         BYTE cmd6
[] = { 0xe0,0x21,0xb2,0xc7 };  // Desfire RATS 
1505         BYTE cmd7
[] = { 0x60, 0x00, 0x00, 0x00 }; 
1507         int reqaddr 
= 2024;                                     // was 2024 - tied to other size changes 
1510         BYTE 
*req1 
= (((BYTE 
*)BigBuf
) + reqaddr
); 
1513     BYTE 
*req2 
= (((BYTE 
*)BigBuf
) + reqaddr 
+ reqsize
); 
1516     BYTE 
*req3 
= (((BYTE 
*)BigBuf
) + reqaddr 
+ (reqsize 
* 2)); 
1519 // greg added req 4 & 5 to deal with cascade 2 section 
1520     BYTE 
*req4 
= (((BYTE 
*)BigBuf
) + reqaddr 
+ (reqsize 
* 3)); 
1523     BYTE 
*req5 
= (((BYTE 
*)BigBuf
) + reqaddr 
+ (reqsize 
* 4)); 
1526     BYTE 
*req6 
= (((BYTE 
*)BigBuf
) + reqaddr 
+ (reqsize 
* 5)); 
1529     BYTE 
*req7 
= (((BYTE 
*)BigBuf
) + reqaddr 
+ (reqsize 
* 6)); 
1532         BYTE 
*receivedAnswer 
= (((BYTE 
*)BigBuf
) + 3560);       // was 3560 - tied to other size changes 
1534         BYTE 
*trace 
= (BYTE 
*)BigBuf
; 
1538         memset(trace
, 0x44, 2000);                              // was 2000 - tied to oter size chnages 
1539         // setting it to 3000 causes no tag responses to be detected (2900 is ok) 
1540         // setting it to 1000 causes no tag responses to be detected 
1542         // Prepare some commands! 
1543     ShortFrameFromReader(cmd1
); 
1544     memcpy(req1
, ToSend
, ToSendMax
); req1Len 
= ToSendMax
; 
1546         CodeIso14443aAsReader(cmd2
, sizeof(cmd2
)); 
1547     memcpy(req2
, ToSend
, ToSendMax
); req2Len 
= ToSendMax
; 
1549         CodeIso14443aAsReader(cmd3
, sizeof(cmd3
)); 
1550     memcpy(req3
, ToSend
, ToSendMax
); req3Len 
= ToSendMax
; 
1553         CodeIso14443aAsReader(cmd4
, sizeof(cmd4
));              // 4 is cascade 2 request 
1554     memcpy(req4
, ToSend
, ToSendMax
); req4Len 
= ToSendMax
; 
1557         CodeIso14443aAsReader(cmd5
, sizeof(cmd5
));      // 5 is cascade 2 select 
1558     memcpy(req5
, ToSend
, ToSendMax
); req5Len 
= ToSendMax
; 
1561         CodeIso14443aAsReader(cmd6
, sizeof(cmd6
)); 
1562     memcpy(req6
, ToSend
, ToSendMax
); req6Len 
= ToSendMax
; 
1567         // Start from off (no field generated) 
1568     // Signal field is off with the appropriate LED 
1570     FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
); 
1573     SetAdcMuxFor(GPIO_MUXSEL_HIPKD
); 
1576         // Now give it time to spin up. 
1577     // Signal field is on with the appropriate LED 
1579     FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A 
| FPGA_HF_ISO14443A_READER_MOD
); 
1592                 // Send WUPA (or REQA) 
1593                 TransmitFor14443a(req1
, req1Len
, &tsamples
, &wait
); 
1594                 // Store answer in buffer 
1595                 trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; 
1596                 trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; 
1597                 trace
[traceLen
++] = 1; 
1598                 memcpy(trace
+traceLen
, cmd1
, 1); 
1600                 if(traceLen 
> TRACE_LENGTH
) goto done
; 
1602                 while(!GetIso14443aAnswerFromTag(receivedAnswer
, 100, &samples
, &elapsed
)) { 
1603                         if(BUTTON_PRESS()) goto done
; 
1605                         // No answer, just continue polling 
1606                         TransmitFor14443a(req1
, req1Len
, &tsamples
, &wait
); 
1607                         // Store answer in buffer 
1608                         trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; 
1609                         trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; 
1610                         trace
[traceLen
++] = 1; 
1611                         memcpy(trace
+traceLen
, cmd1
, 1); 
1613                         if(traceLen 
> TRACE_LENGTH
) goto done
; 
1616                 // Store answer in buffer 
1617                 rsamples 
= rsamples 
+ (samples 
- Demod
.samples
); 
1618                 trace
[traceLen
++] = ((rsamples 
>>  0) & 0xff); 
1619                 trace
[traceLen
++] = ((rsamples 
>>  8) & 0xff); 
1620                 trace
[traceLen
++] = ((rsamples 
>> 16) & 0xff); 
1621                 trace
[traceLen
++] = 0x80 | ((rsamples 
>> 24) & 0xff); 
1622                 trace
[traceLen
++] = ((Demod
.parityBits 
>>  0) & 0xff); 
1623                 trace
[traceLen
++] = ((Demod
.parityBits 
>>  8) & 0xff); 
1624                 trace
[traceLen
++] = ((Demod
.parityBits 
>> 16) & 0xff); 
1625                 trace
[traceLen
++] = ((Demod
.parityBits 
>> 24) & 0xff); 
1626                 trace
[traceLen
++] = Demod
.len
; 
1627                 memcpy(trace
+traceLen
, receivedAnswer
, Demod
.len
); 
1628                 traceLen 
+= Demod
.len
; 
1629                 if(traceLen 
> TRACE_LENGTH
) goto done
; 
1632                 TransmitFor14443a(req2
, req2Len
, &tsamples
, &wait
); 
1633                 // Store answer in buffer 
1634                 trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; 
1635                 trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; 
1636                 trace
[traceLen
++] = 2; 
1637                 memcpy(trace
+traceLen
, cmd2
, 2); 
1639                 if(traceLen 
> TRACE_LENGTH
) goto done
; 
1641                 if(!GetIso14443aAnswerFromTag(receivedAnswer
, 100, &samples
, &elapsed
)) { 
1645                 // Store answer in buffer 
1646                 rsamples 
= rsamples 
+ (samples 
- Demod
.samples
); 
1647                 trace
[traceLen
++] = ((rsamples 
>>  0) & 0xff); 
1648                 trace
[traceLen
++] = ((rsamples 
>>  8) & 0xff); 
1649                 trace
[traceLen
++] = ((rsamples 
>> 16) & 0xff); 
1650                 trace
[traceLen
++] = 0x80 | ((rsamples 
>> 24) & 0xff); 
1651                 trace
[traceLen
++] = ((Demod
.parityBits 
>>  0) & 0xff); 
1652                 trace
[traceLen
++] = ((Demod
.parityBits 
>>  8) & 0xff); 
1653                 trace
[traceLen
++] = ((Demod
.parityBits 
>> 16) & 0xff); 
1654                 trace
[traceLen
++] = ((Demod
.parityBits 
>> 24) & 0xff); 
1655                 trace
[traceLen
++] = Demod
.len
; 
1656                 memcpy(trace
+traceLen
, receivedAnswer
, Demod
.len
); 
1657                 traceLen 
+= Demod
.len
; 
1658                 if(traceLen 
> TRACE_LENGTH
) goto done
; 
1660                 // Construct SELECT UID command 
1661                 // First copy the 5 bytes (Mifare Classic) after the 93 70 
1662                 memcpy(cmd3
+2,receivedAnswer
,5); 
1663                 // Secondly compute the two CRC bytes at the end 
1664                 ComputeCrc14443(CRC_14443_A
, cmd3
, 7, &cmd3
[7], &cmd3
[8]); 
1665                 // Prepare the bit sequence to modulate the subcarrier 
1666                 // Store answer in buffer 
1667                 trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; 
1668                 trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; 
1669                 trace
[traceLen
++] = 9; 
1670                 memcpy(trace
+traceLen
, cmd3
, 9); 
1672                 if(traceLen 
> TRACE_LENGTH
) goto done
; 
1673                 CodeIso14443aAsReader(cmd3
, sizeof(cmd3
)); 
1674                 memcpy(req3
, ToSend
, ToSendMax
); req3Len 
= ToSendMax
; 
1677                 TransmitFor14443a(req3
, req3Len
, &samples
, &wait
); 
1678                 if(!GetIso14443aAnswerFromTag(receivedAnswer
, 100, &samples
, &elapsed
)) { 
1682                 // Store answer in buffer 
1683                 rsamples 
= rsamples 
+ (samples 
- Demod
.samples
); 
1684                 trace
[traceLen
++] = ((rsamples 
>>  0) & 0xff); 
1685                 trace
[traceLen
++] = ((rsamples 
>>  8) & 0xff); 
1686                 trace
[traceLen
++] = ((rsamples 
>> 16) & 0xff); 
1687                 trace
[traceLen
++] = 0x80 | ((rsamples 
>> 24) & 0xff); 
1688                 trace
[traceLen
++] = ((Demod
.parityBits 
>>  0) & 0xff); 
1689                 trace
[traceLen
++] = ((Demod
.parityBits 
>>  8) & 0xff); 
1690                 trace
[traceLen
++] = ((Demod
.parityBits 
>> 16) & 0xff); 
1691                 trace
[traceLen
++] = ((Demod
.parityBits 
>> 24) & 0xff); 
1692                 trace
[traceLen
++] = Demod
.len
; 
1693                 memcpy(trace
+traceLen
, receivedAnswer
, Demod
.len
); 
1694                 traceLen 
+= Demod
.len
; 
1695                 if(traceLen 
> TRACE_LENGTH
) goto done
; 
1697 // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in 
1698 // which case we need to make a cascade 2 request and select - this is a long UID 
1699                 if (receivedAnswer
[0] == 0x88) 
1701                 // Do cascade level 2 stuff 
1702                 /////////////////////////////////////////////////////////////////// 
1703                 // First issue a '95 20' identify request 
1704                 // Ask for card UID (part 2) 
1705                 TransmitFor14443a(req4
, req4Len
, &tsamples
, &wait
); 
1706                 // Store answer in buffer 
1707                 trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; 
1708                 trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; 
1709                 trace
[traceLen
++] = 2; 
1710                 memcpy(trace
+traceLen
, cmd4
, 2); 
1712                 if(traceLen 
> TRACE_LENGTH
) { 
1713                 DbpString("Bugging out, just popped tracelength"); 
1716                 if(!GetIso14443aAnswerFromTag(receivedAnswer
, 100, &samples
, &elapsed
)) { 
1719                 // Store answer in buffer 
1720                 rsamples 
= rsamples 
+ (samples 
- Demod
.samples
); 
1721                 trace
[traceLen
++] = ((rsamples 
>>  0) & 0xff); 
1722                 trace
[traceLen
++] = ((rsamples 
>>  8) & 0xff); 
1723                 trace
[traceLen
++] = ((rsamples 
>> 16) & 0xff); 
1724                 trace
[traceLen
++] = 0x80 | ((rsamples 
>> 24) & 0xff); 
1725                 trace
[traceLen
++] = ((Demod
.parityBits 
>>  0) & 0xff); 
1726                 trace
[traceLen
++] = ((Demod
.parityBits 
>>  8) & 0xff); 
1727                 trace
[traceLen
++] = ((Demod
.parityBits 
>> 16) & 0xff); 
1728                 trace
[traceLen
++] = ((Demod
.parityBits 
>> 24) & 0xff); 
1729                 trace
[traceLen
++] = Demod
.len
; 
1730                 memcpy(trace
+traceLen
, receivedAnswer
, Demod
.len
); 
1731                 traceLen 
+= Demod
.len
; 
1732                 if(traceLen 
> TRACE_LENGTH
) goto done
; 
1733                 ////////////////////////////////////////////////////////////////// 
1734                 // Then Construct SELECT UID (cascasde 2) command 
1735                 DbpString("Just about to copy the UID out of the cascade 2 id req"); 
1736                 // First copy the 5 bytes (Mifare Classic) after the 95 70 
1737                 memcpy(cmd5
+2,receivedAnswer
,5); 
1738                 // Secondly compute the two CRC bytes at the end 
1739                 ComputeCrc14443(CRC_14443_A
, cmd4
, 7, &cmd5
[7], &cmd5
[8]); 
1740                 // Prepare the bit sequence to modulate the subcarrier 
1741                 // Store answer in buffer 
1742                 trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; 
1743                 trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; 
1744                 trace
[traceLen
++] = 9; 
1745                 memcpy(trace
+traceLen
, cmd5
, 9); 
1747                 if(traceLen 
> TRACE_LENGTH
) goto done
; 
1748                 CodeIso14443aAsReader(cmd5
, sizeof(cmd5
)); 
1749                 memcpy(req5
, ToSend
, ToSendMax
); req5Len 
= ToSendMax
; 
1752                 TransmitFor14443a(req4
, req4Len
, &samples
, &wait
); 
1753                 if(!GetIso14443aAnswerFromTag(receivedAnswer
, 100, &samples
, &elapsed
)) { 
1757                 // Store answer in buffer 
1758                 rsamples 
= rsamples 
+ (samples 
- Demod
.samples
); 
1759                 trace
[traceLen
++] = ((rsamples 
>>  0) & 0xff); 
1760                 trace
[traceLen
++] = ((rsamples 
>>  8) & 0xff); 
1761                 trace
[traceLen
++] = ((rsamples 
>> 16) & 0xff); 
1762                 trace
[traceLen
++] = 0x80 | ((rsamples 
>> 24) & 0xff); 
1763                 trace
[traceLen
++] = ((Demod
.parityBits 
>>  0) & 0xff); 
1764                 trace
[traceLen
++] = ((Demod
.parityBits 
>>  8) & 0xff); 
1765                 trace
[traceLen
++] = ((Demod
.parityBits 
>> 16) & 0xff); 
1766                 trace
[traceLen
++] = ((Demod
.parityBits 
>> 24) & 0xff); 
1767                 trace
[traceLen
++] = Demod
.len
; 
1768                 memcpy(trace
+traceLen
, receivedAnswer
, Demod
.len
); 
1769                 traceLen 
+= Demod
.len
; 
1770                 if(traceLen 
> TRACE_LENGTH
) goto done
; 
1774                 // Secondly compute the two CRC bytes at the end 
1775                 ComputeCrc14443(CRC_14443_A
, cmd7
, 2, &cmd7
[2], &cmd7
[3]); 
1776                 CodeIso14443aAsReader(cmd7
, sizeof(cmd7
)); 
1777                 memcpy(req7
, ToSend
, ToSendMax
); req7Len 
= ToSendMax
; 
1778                 // Send authentication request (Mifare Classic) 
1779                 TransmitFor14443a(req7
, req7Len
, &samples
, &wait
); 
1780                 trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; 
1781                 trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; trace
[traceLen
++] = 0; 
1782                 trace
[traceLen
++] = 4; 
1783                 memcpy(trace
+traceLen
, cmd7
, 4); 
1785                 if(traceLen 
> TRACE_LENGTH
) goto done
; 
1786                 if(GetIso14443aAnswerFromTag(receivedAnswer
, 100, &samples
, &elapsed
)) { 
1788                         // We received probably a random, continue and trace! 
1795                 // Trace the random, i'm curious 
1796                 rsamples 
= rsamples 
+ (samples 
- Demod
.samples
); 
1797                 trace
[traceLen
++] = ((rsamples 
>>  0) & 0xff); 
1798                 trace
[traceLen
++] = ((rsamples 
>>  8) & 0xff); 
1799                 trace
[traceLen
++] = ((rsamples 
>> 16) & 0xff); 
1800                 trace
[traceLen
++] = 0x80 | ((rsamples 
>> 24) & 0xff); 
1801                 trace
[traceLen
++] = ((Demod
.parityBits 
>>  0) & 0xff); 
1802                 trace
[traceLen
++] = ((Demod
.parityBits 
>>  8) & 0xff); 
1803                 trace
[traceLen
++] = ((Demod
.parityBits 
>> 16) & 0xff); 
1804                 trace
[traceLen
++] = ((Demod
.parityBits 
>> 24) & 0xff); 
1805                 trace
[traceLen
++] = Demod
.len
; 
1806                 memcpy(trace
+traceLen
, receivedAnswer
, Demod
.len
); 
1807                 traceLen 
+= Demod
.len
; 
1808                 if(traceLen 
> TRACE_LENGTH
) goto done
; 
1814         FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
); 
1816         DbpIntegers(rsamples
, 0xCC, 0xCC); 
1817         DbpString("ready..");