]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/appmain.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Adds `lf hid pack` and `lf hid unpack` offline commands. (#614)
[proxmark3-svn] / armsrc / appmain.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, Mar 2006
3 // Edits by Gerhard de Koning Gans, Sep 2007 (##)
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // The main application code. This is the first thing called after start.c
10 // executes.
11 //-----------------------------------------------------------------------------
12
13 #include <stdarg.h>
14
15 #include "usb_cdc.h"
16 #include "cmd.h"
17 #include "proxmark3.h"
18 #include "apps.h"
19 #include "util.h"
20 #include "printf.h"
21 #include "string.h"
22 #include "legicrf.h"
23 #include "hitag2.h"
24 #include "hitagS.h"
25 #include "lfsampling.h"
26 #include "BigBuf.h"
27 #include "mifareutil.h"
28 #include "pcf7931.h"
29 #ifdef WITH_LCD
30 #include "LCD.h"
31 #endif
32
33 // Craig Young - 14a stand-alone code
34 #ifdef WITH_ISO14443a
35 #include "iso14443a.h"
36 #endif
37
38 //=============================================================================
39 // A buffer where we can queue things up to be sent through the FPGA, for
40 // any purpose (fake tag, as reader, whatever). We go MSB first, since that
41 // is the order in which they go out on the wire.
42 //=============================================================================
43
44 #define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
45 uint8_t ToSend[TOSEND_BUFFER_SIZE];
46 int ToSendMax;
47 static int ToSendBit;
48 struct common_area common_area __attribute__((section(".commonarea")));
49
50 void ToSendReset(void)
51 {
52 ToSendMax = -1;
53 ToSendBit = 8;
54 }
55
56 void ToSendStuffBit(int b)
57 {
58 if(ToSendBit >= 8) {
59 ToSendMax++;
60 ToSend[ToSendMax] = 0;
61 ToSendBit = 0;
62 }
63
64 if(b) {
65 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
66 }
67
68 ToSendBit++;
69
70 if(ToSendMax >= sizeof(ToSend)) {
71 ToSendBit = 0;
72 DbpString("ToSendStuffBit overflowed!");
73 }
74 }
75
76 //=============================================================================
77 // Debug print functions, to go out over USB, to the usual PC-side client.
78 //=============================================================================
79
80 void DbpString(char *str)
81 {
82 byte_t len = strlen(str);
83 cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len);
84 }
85
86 #if 0
87 void DbpIntegers(int x1, int x2, int x3)
88 {
89 cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
90 }
91 #endif
92
93 void Dbprintf(const char *fmt, ...) {
94 // should probably limit size here; oh well, let's just use a big buffer
95 char output_string[128];
96 va_list ap;
97
98 va_start(ap, fmt);
99 kvsprintf(fmt, output_string, 10, ap);
100 va_end(ap);
101
102 DbpString(output_string);
103 }
104
105 // prints HEX & ASCII
106 void Dbhexdump(int len, uint8_t *d, bool bAsci) {
107 int l=0,i;
108 char ascii[9];
109
110 while (len>0) {
111 if (len>8) l=8;
112 else l=len;
113
114 memcpy(ascii,d,l);
115 ascii[l]=0;
116
117 // filter safe ascii
118 for (i=0;i<l;i++)
119 if (ascii[i]<32 || ascii[i]>126) ascii[i]='.';
120
121 if (bAsci) {
122 Dbprintf("%-8s %*D",ascii,l,d," ");
123 } else {
124 Dbprintf("%*D",l,d," ");
125 }
126
127 len-=8;
128 d+=8;
129 }
130 }
131
132 //-----------------------------------------------------------------------------
133 // Read an ADC channel and block till it completes, then return the result
134 // in ADC units (0 to 1023). Also a routine to average 32 samples and
135 // return that.
136 //-----------------------------------------------------------------------------
137 static int ReadAdc(int ch)
138 {
139 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
140 // AMPL_HI is are high impedance (10MOhm || 1MOhm) output, the input capacitance of the ADC is 12pF (typical). This results in a time constant
141 // of RC = (0.91MOhm) * 12pF = 10.9us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
142 //
143 // The maths are:
144 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
145 //
146 // v_cap = v_in * (1 - exp(-SHTIM/RC)) = v_in * (1 - exp(-40us/10.9us)) = v_in * 0,97 (i.e. an error of 3%)
147
148 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
149 AT91C_BASE_ADC->ADC_MR =
150 ADC_MODE_PRESCALE(63) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
151 ADC_MODE_STARTUP_TIME(1) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
152 ADC_MODE_SAMPLE_HOLD_TIME(15); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
153
154 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
155 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
156
157 while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch))) {};
158
159 return AT91C_BASE_ADC->ADC_CDR[ch];
160 }
161
162 int AvgAdc(int ch) // was static - merlok
163 {
164 int i;
165 int a = 0;
166
167 for(i = 0; i < 32; i++) {
168 a += ReadAdc(ch);
169 }
170
171 return (a + 15) >> 5;
172 }
173
174 void MeasureAntennaTuningLfOnly(int *vLf125, int *vLf134, int *peakf, int *peakv, uint8_t LF_Results[])
175 {
176 int i, adcval = 0, peak = 0;
177
178 /*
179 * Sweeps the useful LF range of the proxmark from
180 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
181 * read the voltage in the antenna, the result left
182 * in the buffer is a graph which should clearly show
183 * the resonating frequency of your LF antenna
184 * ( hopefully around 95 if it is tuned to 125kHz!)
185 */
186
187 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
188 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
189 SpinDelay(50);
190
191 for (i=255; i>=19; i--) {
192 WDT_HIT();
193 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
194 SpinDelay(20);
195 adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
196 if (i==95) *vLf125 = adcval; // voltage at 125Khz
197 if (i==89) *vLf134 = adcval; // voltage at 134Khz
198
199 LF_Results[i] = adcval >> 9; // scale int to fit in byte for graphing purposes
200 if(LF_Results[i] > peak) {
201 *peakv = adcval;
202 peak = LF_Results[i];
203 *peakf = i;
204 //ptr = i;
205 }
206 }
207
208 for (i=18; i >= 0; i--) LF_Results[i] = 0;
209
210 return;
211 }
212
213 void MeasureAntennaTuningHfOnly(int *vHf)
214 {
215 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
216 LED_A_ON();
217 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
218 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
219 SpinDelay(20);
220 *vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
221 LED_A_OFF();
222
223 return;
224 }
225
226 void MeasureAntennaTuning(int mode)
227 {
228 uint8_t LF_Results[256] = {0};
229 int peakv = 0, peakf = 0;
230 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
231
232 LED_B_ON();
233
234 if (((mode & FLAG_TUNE_ALL) == FLAG_TUNE_ALL) && (FpgaGetCurrent() == FPGA_BITSTREAM_HF)) {
235 // Reverse "standard" order if HF already loaded, to avoid unnecessary swap.
236 MeasureAntennaTuningHfOnly(&vHf);
237 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
238 } else {
239 if (mode & FLAG_TUNE_LF) {
240 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
241 }
242 if (mode & FLAG_TUNE_HF) {
243 MeasureAntennaTuningHfOnly(&vHf);
244 }
245 }
246
247 cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125>>1 | (vLf134>>1<<16), vHf, peakf | (peakv>>1<<16), LF_Results, 256);
248 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
249 LED_B_OFF();
250 return;
251 }
252
253 void MeasureAntennaTuningHf(void)
254 {
255 int vHf = 0; // in mV
256
257 DbpString("Measuring HF antenna, press button to exit");
258
259 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
260 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
261 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
262
263 for (;;) {
264 SpinDelay(20);
265 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
266
267 Dbprintf("%d mV",vHf);
268 if (BUTTON_PRESS()) break;
269 }
270 DbpString("cancelled");
271
272 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
273
274 }
275
276
277 void ReadMem(int addr)
278 {
279 const uint8_t *data = ((uint8_t *)addr);
280
281 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
282 addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
283 }
284
285 /* osimage version information is linked in */
286 extern struct version_information version_information;
287 /* bootrom version information is pointed to from _bootphase1_version_pointer */
288 extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
289 void SendVersion(void)
290 {
291 char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
292 char VersionString[USB_CMD_DATA_SIZE] = { '\0' };
293
294 /* Try to find the bootrom version information. Expect to find a pointer at
295 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
296 * pointer, then use it.
297 */
298 char *bootrom_version = *(char**)&_bootphase1_version_pointer;
299 if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
300 strcat(VersionString, "bootrom version information appears invalid\n");
301 } else {
302 FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
303 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
304 }
305
306 FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
307 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
308
309 FpgaGatherVersion(FPGA_BITSTREAM_LF, temp, sizeof(temp));
310 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
311 FpgaGatherVersion(FPGA_BITSTREAM_HF, temp, sizeof(temp));
312 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
313
314 // Send Chip ID and used flash memory
315 uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
316 uint32_t compressed_data_section_size = common_area.arg1;
317 cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, 0, VersionString, strlen(VersionString));
318 }
319
320 // measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
321 // Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
322 void printUSBSpeed(void)
323 {
324 Dbprintf("USB Speed:");
325 Dbprintf(" Sending USB packets to client...");
326
327 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
328 uint8_t *test_data = BigBuf_get_addr();
329 uint32_t end_time;
330
331 uint32_t start_time = end_time = GetTickCount();
332 uint32_t bytes_transferred = 0;
333
334 LED_B_ON();
335 while(end_time < start_time + USB_SPEED_TEST_MIN_TIME) {
336 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE);
337 end_time = GetTickCount();
338 bytes_transferred += USB_CMD_DATA_SIZE;
339 }
340 LED_B_OFF();
341
342 Dbprintf(" Time elapsed: %dms", end_time - start_time);
343 Dbprintf(" Bytes transferred: %d", bytes_transferred);
344 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
345 1000 * bytes_transferred / (end_time - start_time));
346
347 }
348
349 /**
350 * Prints runtime information about the PM3.
351 **/
352 void SendStatus(void)
353 {
354 BigBuf_print_status();
355 Fpga_print_status();
356 printConfig(); //LF Sampling config
357 printUSBSpeed();
358 Dbprintf("Various");
359 Dbprintf(" MF_DBGLEVEL......%d", MF_DBGLEVEL);
360 Dbprintf(" ToSendMax........%d",ToSendMax);
361 Dbprintf(" ToSendBit........%d",ToSendBit);
362
363 cmd_send(CMD_ACK,1,0,0,0,0);
364 }
365
366 #if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF)
367
368 #define OPTS 2
369
370 void StandAloneMode()
371 {
372 DbpString("Stand-alone mode! No PC necessary.");
373 // Oooh pretty -- notify user we're in elite samy mode now
374 LED(LED_RED, 200);
375 LED(LED_ORANGE, 200);
376 LED(LED_GREEN, 200);
377 LED(LED_ORANGE, 200);
378 LED(LED_RED, 200);
379 LED(LED_ORANGE, 200);
380 LED(LED_GREEN, 200);
381 LED(LED_ORANGE, 200);
382 LED(LED_RED, 200);
383
384 }
385
386 #endif
387
388
389
390 #ifdef WITH_ISO14443a_StandAlone
391 void StandAloneMode14a()
392 {
393 StandAloneMode();
394 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
395
396 int selected = 0;
397 bool playing = false, GotoRecord = false, GotoClone = false;
398 bool cardRead[OPTS] = {false};
399 uint8_t readUID[10] = {0};
400 uint32_t uid_1st[OPTS]={0};
401 uint32_t uid_2nd[OPTS]={0};
402 uint32_t uid_tmp1 = 0;
403 uint32_t uid_tmp2 = 0;
404 iso14a_card_select_t hi14a_card[OPTS];
405
406 LED(selected + 1, 0);
407
408 for (;;)
409 {
410 usb_poll();
411 WDT_HIT();
412 SpinDelay(300);
413
414 if (GotoRecord || !cardRead[selected])
415 {
416 GotoRecord = false;
417 LEDsoff();
418 LED(selected + 1, 0);
419 LED(LED_RED2, 0);
420
421 // record
422 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected);
423 /* need this delay to prevent catching some weird data */
424 SpinDelay(500);
425 /* Code for reading from 14a tag */
426 uint8_t uid[10] ={0};
427 uint32_t cuid;
428 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
429
430 for ( ; ; )
431 {
432 WDT_HIT();
433 if (BUTTON_PRESS()) {
434 if (cardRead[selected]) {
435 Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
436 break;
437 }
438 else if (cardRead[(selected+1)%OPTS]) {
439 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS);
440 selected = (selected+1)%OPTS;
441 break;
442 }
443 else {
444 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
445 SpinDelay(300);
446 }
447 }
448 if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid, true, 0, true))
449 continue;
450 else
451 {
452 Dbprintf("Read UID:"); Dbhexdump(10,uid,0);
453 memcpy(readUID,uid,10*sizeof(uint8_t));
454 uint8_t *dst = (uint8_t *)&uid_tmp1;
455 // Set UID byte order
456 for (int i=0; i<4; i++)
457 dst[i] = uid[3-i];
458 dst = (uint8_t *)&uid_tmp2;
459 for (int i=0; i<4; i++)
460 dst[i] = uid[7-i];
461 if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) {
462 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
463 }
464 else {
465 if (uid_tmp2) {
466 Dbprintf("Bank[%d] received a 7-byte UID",selected);
467 uid_1st[selected] = (uid_tmp1)>>8;
468 uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8);
469 }
470 else {
471 Dbprintf("Bank[%d] received a 4-byte UID",selected);
472 uid_1st[selected] = uid_tmp1;
473 uid_2nd[selected] = uid_tmp2;
474 }
475 break;
476 }
477 }
478 }
479 Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]);
480 Dbprintf("SAK = %02X",hi14a_card[selected].sak);
481 LEDsoff();
482 LED(LED_GREEN, 200);
483 LED(LED_ORANGE, 200);
484 LED(LED_GREEN, 200);
485 LED(LED_ORANGE, 200);
486
487 LEDsoff();
488 LED(selected + 1, 0);
489
490 // Next state is replay:
491 playing = true;
492
493 cardRead[selected] = true;
494 }
495 /* MF Classic UID clone */
496 else if (GotoClone)
497 {
498 GotoClone=false;
499 LEDsoff();
500 LED(selected + 1, 0);
501 LED(LED_ORANGE, 250);
502
503
504 // record
505 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]);
506
507 // wait for button to be released
508 while(BUTTON_PRESS())
509 {
510 // Delay cloning until card is in place
511 WDT_HIT();
512 }
513 Dbprintf("Starting clone. [Bank: %u]", selected);
514 // need this delay to prevent catching some weird data
515 SpinDelay(500);
516 // Begin clone function here:
517 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
518 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}};
519 memcpy(c.d.asBytes, data, 16);
520 SendCommand(&c);
521
522 Block read is similar:
523 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}};
524 We need to imitate that call with blockNo 0 to set a uid.
525
526 The get and set commands are handled in this file:
527 // Work with "magic Chinese" card
528 case CMD_MIFARE_CSETBLOCK:
529 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
530 break;
531 case CMD_MIFARE_CGETBLOCK:
532 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
533 break;
534
535 mfCSetUID provides example logic for UID set workflow:
536 -Read block0 from card in field with MifareCGetBlock()
537 -Configure new values without replacing reserved bytes
538 memcpy(block0, uid, 4); // Copy UID bytes from byte array
539 // Mifare UID BCC
540 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
541 Bytes 5-7 are reserved SAK and ATQA for mifare classic
542 -Use mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER) to write it
543 */
544 uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0};
545 // arg0 = Flags == CSETBLOCK_SINGLE_OPER=0x1F, arg1=returnSlot, arg2=blockNo
546 MifareCGetBlock(0x3F, 1, 0, oldBlock0);
547 if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
548 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
549 playing = true;
550 }
551 else {
552 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]);
553 memcpy(newBlock0,oldBlock0,16);
554 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
555
556 newBlock0[0] = uid_1st[selected]>>24;
557 newBlock0[1] = 0xFF & (uid_1st[selected]>>16);
558 newBlock0[2] = 0xFF & (uid_1st[selected]>>8);
559 newBlock0[3] = 0xFF & (uid_1st[selected]);
560 newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3];
561 // arg0 = needWipe, arg1 = workFlags, arg2 = blockNo, datain
562 MifareCSetBlock(0, 0xFF,0, newBlock0);
563 MifareCGetBlock(0x3F, 1, 0, testBlock0);
564 if (memcmp(testBlock0,newBlock0,16)==0)
565 {
566 DbpString("Cloned successfull!");
567 cardRead[selected] = false; // Only if the card was cloned successfully should we clear it
568 playing = false;
569 GotoRecord = true;
570 selected = (selected+1) % OPTS;
571 }
572 else {
573 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
574 playing = true;
575 }
576 }
577 LEDsoff();
578 LED(selected + 1, 0);
579
580 }
581 // Change where to record (or begin playing)
582 else if (playing) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
583 {
584 LEDsoff();
585 LED(selected + 1, 0);
586
587 // Begin transmitting
588 LED(LED_GREEN, 0);
589 DbpString("Playing");
590 for ( ; ; ) {
591 WDT_HIT();
592 int button_action = BUTTON_HELD(1000);
593 if (button_action == 0) { // No button action, proceed with sim
594 uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break
595 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected);
596 if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) {
597 DbpString("Mifare Classic");
598 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data); // Mifare Classic
599 }
600 else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) {
601 DbpString("Mifare Ultralight");
602 SimulateIso14443aTag(2,uid_1st[selected],uid_2nd[selected],data); // Mifare Ultralight
603 }
604 else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) {
605 DbpString("Mifare DESFire");
606 SimulateIso14443aTag(3,uid_1st[selected],uid_2nd[selected],data); // Mifare DESFire
607 }
608 else {
609 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
610 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data);
611 }
612 }
613 else if (button_action == BUTTON_SINGLE_CLICK) {
614 selected = (selected + 1) % OPTS;
615 Dbprintf("Done playing. Switching to record mode on bank %d",selected);
616 GotoRecord = true;
617 break;
618 }
619 else if (button_action == BUTTON_HOLD) {
620 Dbprintf("Playtime over. Begin cloning...");
621 GotoClone = true;
622 break;
623 }
624 WDT_HIT();
625 }
626
627 /* We pressed a button so ignore it here with a delay */
628 SpinDelay(300);
629 LEDsoff();
630 LED(selected + 1, 0);
631 }
632 }
633 }
634 #elif WITH_LF
635 // samy's sniff and repeat routine
636 void SamyRun()
637 {
638 StandAloneMode();
639 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
640
641 int high[OPTS], low[OPTS];
642 int selected = 0;
643 int playing = 0;
644 int cardRead = 0;
645
646 // Turn on selected LED
647 LED(selected + 1, 0);
648
649 for (;;)
650 {
651 usb_poll();
652 WDT_HIT();
653
654 // Was our button held down or pressed?
655 int button_pressed = BUTTON_HELD(1000);
656 SpinDelay(300);
657
658 // Button was held for a second, begin recording
659 if (button_pressed > 0 && cardRead == 0)
660 {
661 LEDsoff();
662 LED(selected + 1, 0);
663 LED(LED_RED2, 0);
664
665 // record
666 DbpString("Starting recording");
667
668 // wait for button to be released
669 while(BUTTON_PRESS())
670 WDT_HIT();
671
672 /* need this delay to prevent catching some weird data */
673 SpinDelay(500);
674
675 CmdHIDdemodFSK(1, &high[selected], &low[selected], 0);
676 Dbprintf("Recorded %x %x%08x", selected, high[selected], low[selected]);
677
678 LEDsoff();
679 LED(selected + 1, 0);
680 // Finished recording
681
682 // If we were previously playing, set playing off
683 // so next button push begins playing what we recorded
684 playing = 0;
685
686 cardRead = 1;
687
688 }
689
690 else if (button_pressed > 0 && cardRead == 1)
691 {
692 LEDsoff();
693 LED(selected + 1, 0);
694 LED(LED_ORANGE, 0);
695
696 // record
697 Dbprintf("Cloning %x %x%08x", selected, high[selected], low[selected]);
698
699 // wait for button to be released
700 while(BUTTON_PRESS())
701 WDT_HIT();
702
703 /* need this delay to prevent catching some weird data */
704 SpinDelay(500);
705
706 CopyHIDtoT55x7(0, high[selected], low[selected], 0);
707 Dbprintf("Cloned %x %x%08x", selected, high[selected], low[selected]);
708
709 LEDsoff();
710 LED(selected + 1, 0);
711 // Finished recording
712
713 // If we were previously playing, set playing off
714 // so next button push begins playing what we recorded
715 playing = 0;
716
717 cardRead = 0;
718
719 }
720
721 // Change where to record (or begin playing)
722 else if (button_pressed)
723 {
724 // Next option if we were previously playing
725 if (playing)
726 selected = (selected + 1) % OPTS;
727 playing = !playing;
728
729 LEDsoff();
730 LED(selected + 1, 0);
731
732 // Begin transmitting
733 if (playing)
734 {
735 LED(LED_GREEN, 0);
736 DbpString("Playing");
737 // wait for button to be released
738 while(BUTTON_PRESS())
739 WDT_HIT();
740 Dbprintf("%x %x%08x", selected, high[selected], low[selected]);
741 CmdHIDsimTAG(high[selected], low[selected], 0);
742 DbpString("Done playing");
743 if (BUTTON_HELD(1000) > 0)
744 {
745 DbpString("Exiting");
746 LEDsoff();
747 return;
748 }
749
750 /* We pressed a button so ignore it here with a delay */
751 SpinDelay(300);
752
753 // when done, we're done playing, move to next option
754 selected = (selected + 1) % OPTS;
755 playing = !playing;
756 LEDsoff();
757 LED(selected + 1, 0);
758 }
759 else
760 while(BUTTON_PRESS())
761 WDT_HIT();
762 }
763 }
764 }
765
766 #endif
767 /*
768 OBJECTIVE
769 Listen and detect an external reader. Determine the best location
770 for the antenna.
771
772 INSTRUCTIONS:
773 Inside the ListenReaderField() function, there is two mode.
774 By default, when you call the function, you will enter mode 1.
775 If you press the PM3 button one time, you will enter mode 2.
776 If you press the PM3 button a second time, you will exit the function.
777
778 DESCRIPTION OF MODE 1:
779 This mode just listens for an external reader field and lights up green
780 for HF and/or red for LF. This is the original mode of the detectreader
781 function.
782
783 DESCRIPTION OF MODE 2:
784 This mode will visually represent, using the LEDs, the actual strength of the
785 current compared to the maximum current detected. Basically, once you know
786 what kind of external reader is present, it will help you spot the best location to place
787 your antenna. You will probably not get some good results if there is a LF and a HF reader
788 at the same place! :-)
789
790 LIGHT SCHEME USED:
791 */
792 static const char LIGHT_SCHEME[] = {
793 0x0, /* ---- | No field detected */
794 0x1, /* X--- | 14% of maximum current detected */
795 0x2, /* -X-- | 29% of maximum current detected */
796 0x4, /* --X- | 43% of maximum current detected */
797 0x8, /* ---X | 57% of maximum current detected */
798 0xC, /* --XX | 71% of maximum current detected */
799 0xE, /* -XXX | 86% of maximum current detected */
800 0xF, /* XXXX | 100% of maximum current detected */
801 };
802 static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
803
804 void ListenReaderField(int limit)
805 {
806 int lf_av, lf_av_new, lf_baseline= 0, lf_max;
807 int hf_av, hf_av_new, hf_baseline= 0, hf_max;
808 int mode=1, display_val, display_max, i;
809
810 #define LF_ONLY 1
811 #define HF_ONLY 2
812 #define REPORT_CHANGE 10 // report new values only if they have changed at least by REPORT_CHANGE
813
814
815 // switch off FPGA - we don't want to measure our own signal
816 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
817 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
818
819 LEDsoff();
820
821 lf_av = lf_max = AvgAdc(ADC_CHAN_LF);
822
823 if(limit != HF_ONLY) {
824 Dbprintf("LF 125/134kHz Baseline: %dmV", (MAX_ADC_LF_VOLTAGE * lf_av) >> 10);
825 lf_baseline = lf_av;
826 }
827
828 hf_av = hf_max = AvgAdc(ADC_CHAN_HF);
829
830 if (limit != LF_ONLY) {
831 Dbprintf("HF 13.56MHz Baseline: %dmV", (MAX_ADC_HF_VOLTAGE * hf_av) >> 10);
832 hf_baseline = hf_av;
833 }
834
835 for(;;) {
836 if (BUTTON_PRESS()) {
837 SpinDelay(500);
838 switch (mode) {
839 case 1:
840 mode=2;
841 DbpString("Signal Strength Mode");
842 break;
843 case 2:
844 default:
845 DbpString("Stopped");
846 LEDsoff();
847 return;
848 break;
849 }
850 }
851 WDT_HIT();
852
853 if (limit != HF_ONLY) {
854 if(mode == 1) {
855 if (ABS(lf_av - lf_baseline) > REPORT_CHANGE)
856 LED_D_ON();
857 else
858 LED_D_OFF();
859 }
860
861 lf_av_new = AvgAdc(ADC_CHAN_LF);
862 // see if there's a significant change
863 if(ABS(lf_av - lf_av_new) > REPORT_CHANGE) {
864 Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE * lf_av_new) >> 10);
865 lf_av = lf_av_new;
866 if (lf_av > lf_max)
867 lf_max = lf_av;
868 }
869 }
870
871 if (limit != LF_ONLY) {
872 if (mode == 1){
873 if (ABS(hf_av - hf_baseline) > REPORT_CHANGE)
874 LED_B_ON();
875 else
876 LED_B_OFF();
877 }
878
879 hf_av_new = AvgAdc(ADC_CHAN_HF);
880 // see if there's a significant change
881 if(ABS(hf_av - hf_av_new) > REPORT_CHANGE) {
882 Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE * hf_av_new) >> 10);
883 hf_av = hf_av_new;
884 if (hf_av > hf_max)
885 hf_max = hf_av;
886 }
887 }
888
889 if(mode == 2) {
890 if (limit == LF_ONLY) {
891 display_val = lf_av;
892 display_max = lf_max;
893 } else if (limit == HF_ONLY) {
894 display_val = hf_av;
895 display_max = hf_max;
896 } else { /* Pick one at random */
897 if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
898 display_val = hf_av;
899 display_max = hf_max;
900 } else {
901 display_val = lf_av;
902 display_max = lf_max;
903 }
904 }
905 for (i=0; i<LIGHT_LEN; i++) {
906 if (display_val >= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) {
907 if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF();
908 if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF();
909 if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF();
910 if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF();
911 break;
912 }
913 }
914 }
915 }
916 }
917
918 void UsbPacketReceived(uint8_t *packet, int len)
919 {
920 UsbCommand *c = (UsbCommand *)packet;
921
922 // Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
923
924 switch(c->cmd) {
925 #ifdef WITH_LF
926 case CMD_SET_LF_SAMPLING_CONFIG:
927 setSamplingConfig((sample_config *) c->d.asBytes);
928 break;
929 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
930 cmd_send(CMD_ACK,SampleLF(c->arg[0], c->arg[1]),0,0,0,0);
931 break;
932 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
933 ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
934 break;
935 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
936 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
937 break;
938 case CMD_HID_DEMOD_FSK:
939 CmdHIDdemodFSK(c->arg[0], 0, 0, 1);
940 break;
941 case CMD_HID_SIM_TAG:
942 CmdHIDsimTAG(c->arg[0], c->arg[1], 1);
943 break;
944 case CMD_FSK_SIM_TAG:
945 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
946 break;
947 case CMD_ASK_SIM_TAG:
948 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
949 break;
950 case CMD_PSK_SIM_TAG:
951 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
952 break;
953 case CMD_HID_CLONE_TAG:
954 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
955 break;
956 case CMD_IO_DEMOD_FSK:
957 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
958 break;
959 case CMD_IO_CLONE_TAG:
960 CopyIOtoT55x7(c->arg[0], c->arg[1]);
961 break;
962 case CMD_EM410X_DEMOD:
963 CmdEM410xdemod(c->arg[0], 0, 0, 1);
964 break;
965 case CMD_EM410X_WRITE_TAG:
966 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
967 break;
968 case CMD_READ_TI_TYPE:
969 ReadTItag();
970 break;
971 case CMD_WRITE_TI_TYPE:
972 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
973 break;
974 case CMD_SIMULATE_TAG_125K:
975 LED_A_ON();
976 SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
977 LED_A_OFF();
978 break;
979 case CMD_LF_SIMULATE_BIDIR:
980 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
981 break;
982 case CMD_INDALA_CLONE_TAG:
983 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
984 break;
985 case CMD_INDALA_CLONE_TAG_L:
986 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
987 break;
988 case CMD_T55XX_READ_BLOCK:
989 T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
990 break;
991 case CMD_T55XX_WRITE_BLOCK:
992 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
993 break;
994 case CMD_T55XX_WAKEUP:
995 T55xxWakeUp(c->arg[0]);
996 break;
997 case CMD_T55XX_RESET_READ:
998 T55xxResetRead();
999 break;
1000 case CMD_PCF7931_READ:
1001 ReadPCF7931();
1002 break;
1003 case CMD_PCF7931_WRITE:
1004 WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
1005 break;
1006 case CMD_EM4X_READ_WORD:
1007 EM4xReadWord(c->arg[0], c->arg[1],c->arg[2]);
1008 break;
1009 case CMD_EM4X_WRITE_WORD:
1010 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]);
1011 break;
1012 case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
1013 CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
1014 break;
1015 case CMD_VIKING_CLONE_TAG:
1016 CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
1017 break;
1018 case CMD_COTAG:
1019 Cotag(c->arg[0]);
1020 break;
1021 #endif
1022
1023 #ifdef WITH_HITAG
1024 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
1025 SnoopHitag(c->arg[0]);
1026 break;
1027 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
1028 SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1029 break;
1030 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
1031 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1032 break;
1033 case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content
1034 SimulateHitagSTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1035 break;
1036 case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file
1037 check_challenges((bool)c->arg[0],(byte_t*)c->d.asBytes);
1038 break;
1039 case CMD_READ_HITAG_S://Reader for only Hitag S tags, args = key or challenge
1040 ReadHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1041 break;
1042 case CMD_WR_HITAG_S://writer for Hitag tags args=data to write,page and key or challenge
1043 if ((hitag_function)c->arg[0] < 10) {
1044 WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]);
1045 }
1046 else if ((hitag_function)c->arg[0] >= 10) {
1047 WriterHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes, c->arg[2]);
1048 }
1049 break;
1050 #endif
1051
1052 #ifdef WITH_ISO15693
1053 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
1054 AcquireRawAdcSamplesIso15693();
1055 break;
1056 case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693:
1057 RecordRawAdcSamplesIso15693();
1058 break;
1059
1060 case CMD_ISO_15693_COMMAND:
1061 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1062 break;
1063
1064 case CMD_ISO_15693_FIND_AFI:
1065 BruteforceIso15693Afi(c->arg[0]);
1066 break;
1067
1068 case CMD_ISO_15693_DEBUG:
1069 SetDebugIso15693(c->arg[0]);
1070 break;
1071
1072 case CMD_READER_ISO_15693:
1073 ReaderIso15693(c->arg[0]);
1074 break;
1075 case CMD_SIMTAG_ISO_15693:
1076 SimTagIso15693(c->arg[0], c->d.asBytes);
1077 break;
1078 #endif
1079
1080 #ifdef WITH_LEGICRF
1081 case CMD_SIMULATE_TAG_LEGIC_RF:
1082 LegicRfSimulate(c->arg[0], c->arg[1], c->arg[2]);
1083 break;
1084
1085 case CMD_WRITER_LEGIC_RF:
1086 LegicRfWriter(c->arg[1], c->arg[0]);
1087 break;
1088
1089 case CMD_READER_LEGIC_RF:
1090 LegicRfReader(c->arg[0], c->arg[1]);
1091 break;
1092 #endif
1093
1094 #ifdef WITH_ISO14443b
1095 case CMD_READ_SRI512_TAG:
1096 ReadSTMemoryIso14443b(0x0F);
1097 break;
1098 case CMD_READ_SRIX4K_TAG:
1099 ReadSTMemoryIso14443b(0x7F);
1100 break;
1101 case CMD_SNOOP_ISO_14443B:
1102 SnoopIso14443b();
1103 break;
1104 case CMD_SIMULATE_TAG_ISO_14443B:
1105 SimulateIso14443bTag();
1106 break;
1107 case CMD_ISO_14443B_COMMAND:
1108 SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1109 break;
1110 #endif
1111
1112 #ifdef WITH_ISO14443a
1113 case CMD_SNOOP_ISO_14443a:
1114 SnoopIso14443a(c->arg[0]);
1115 break;
1116 case CMD_READER_ISO_14443a:
1117 ReaderIso14443a(c);
1118 break;
1119 case CMD_SIMULATE_TAG_ISO_14443a:
1120 SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
1121 break;
1122
1123 case CMD_EPA_PACE_COLLECT_NONCE:
1124 EPA_PACE_Collect_Nonce(c);
1125 break;
1126 case CMD_EPA_PACE_REPLAY:
1127 EPA_PACE_Replay(c);
1128 break;
1129
1130 case CMD_READER_MIFARE:
1131 ReaderMifare(c->arg[0]);
1132 break;
1133 case CMD_MIFARE_READBL:
1134 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1135 break;
1136 case CMD_MIFAREU_READBL:
1137 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
1138 break;
1139 case CMD_MIFAREUC_AUTH:
1140 MifareUC_Auth(c->arg[0],c->d.asBytes);
1141 break;
1142 case CMD_MIFAREU_READCARD:
1143 MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1144 break;
1145 case CMD_MIFAREUC_SETPWD:
1146 MifareUSetPwd(c->arg[0], c->d.asBytes);
1147 break;
1148 case CMD_MIFARE_READSC:
1149 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1150 break;
1151 case CMD_MIFARE_WRITEBL:
1152 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1153 break;
1154 //case CMD_MIFAREU_WRITEBL_COMPAT:
1155 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1156 //break;
1157 case CMD_MIFAREU_WRITEBL:
1158 MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
1159 break;
1160 case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES:
1161 MifareAcquireEncryptedNonces(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1162 break;
1163 case CMD_MIFARE_NESTED:
1164 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1165 break;
1166 case CMD_MIFARE_CHKKEYS:
1167 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1168 break;
1169 case CMD_SIMULATE_MIFARE_CARD:
1170 Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1171 break;
1172
1173 // emulator
1174 case CMD_MIFARE_SET_DBGMODE:
1175 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1176 break;
1177 case CMD_MIFARE_EML_MEMCLR:
1178 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1179 break;
1180 case CMD_MIFARE_EML_MEMSET:
1181 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1182 break;
1183 case CMD_MIFARE_EML_MEMGET:
1184 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1185 break;
1186 case CMD_MIFARE_EML_CARDLOAD:
1187 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1188 break;
1189
1190 // Work with "magic Chinese" card
1191 case CMD_MIFARE_CWIPE:
1192 MifareCWipe(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1193 break;
1194 case CMD_MIFARE_CSETBLOCK:
1195 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1196 break;
1197 case CMD_MIFARE_CGETBLOCK:
1198 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1199 break;
1200 case CMD_MIFARE_CIDENT:
1201 MifareCIdent();
1202 break;
1203
1204 // mifare sniffer
1205 case CMD_MIFARE_SNIFFER:
1206 SniffMifare(c->arg[0]);
1207 break;
1208
1209 #endif
1210
1211 #ifdef WITH_ICLASS
1212 // Makes use of ISO14443a FPGA Firmware
1213 case CMD_SNOOP_ICLASS:
1214 SnoopIClass();
1215 break;
1216 case CMD_SIMULATE_TAG_ICLASS:
1217 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1218 break;
1219 case CMD_READER_ICLASS:
1220 ReaderIClass(c->arg[0]);
1221 break;
1222 case CMD_READER_ICLASS_REPLAY:
1223 ReaderIClass_Replay(c->arg[0], c->d.asBytes);
1224 break;
1225 case CMD_ICLASS_EML_MEMSET:
1226 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
1227 break;
1228 case CMD_ICLASS_WRITEBLOCK:
1229 iClass_WriteBlock(c->arg[0], c->d.asBytes);
1230 break;
1231 case CMD_ICLASS_READCHECK: // auth step 1
1232 iClass_ReadCheck(c->arg[0], c->arg[1]);
1233 break;
1234 case CMD_ICLASS_READBLOCK:
1235 iClass_ReadBlk(c->arg[0]);
1236 break;
1237 case CMD_ICLASS_AUTHENTICATION: //check
1238 iClass_Authentication(c->d.asBytes);
1239 break;
1240 case CMD_ICLASS_DUMP:
1241 iClass_Dump(c->arg[0], c->arg[1]);
1242 break;
1243 case CMD_ICLASS_CLONE:
1244 iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
1245 break;
1246 #endif
1247 #ifdef WITH_HFSNOOP
1248 case CMD_HF_SNIFFER:
1249 HfSnoop(c->arg[0], c->arg[1]);
1250 break;
1251 #endif
1252
1253 case CMD_BUFF_CLEAR:
1254 BigBuf_Clear();
1255 break;
1256
1257 case CMD_MEASURE_ANTENNA_TUNING:
1258 MeasureAntennaTuning(c->arg[0]);
1259 break;
1260
1261 case CMD_MEASURE_ANTENNA_TUNING_HF:
1262 MeasureAntennaTuningHf();
1263 break;
1264
1265 case CMD_LISTEN_READER_FIELD:
1266 ListenReaderField(c->arg[0]);
1267 break;
1268
1269 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
1270 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1271 SpinDelay(200);
1272 LED_D_OFF(); // LED D indicates field ON or OFF
1273 break;
1274
1275 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K:
1276
1277 LED_B_ON();
1278 uint8_t *BigBuf = BigBuf_get_addr();
1279 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
1280 size_t len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
1281 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
1282 }
1283 // Trigger a finish downloading signal with an ACK frame
1284 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
1285 LED_B_OFF();
1286 break;
1287
1288 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
1289 // iceman; since changing fpga_bitstreams clears bigbuff, Its better to call it before.
1290 // to be able to use this one for uploading data to device
1291 // arg1 = 0 upload for LF usage
1292 // 1 upload for HF usage
1293 if (c->arg[1] == 0)
1294 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1295 else
1296 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1297
1298 uint8_t *b = BigBuf_get_addr();
1299 memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1300 cmd_send(CMD_ACK,0,0,0,0,0);
1301 break;
1302 }
1303 case CMD_READ_MEM:
1304 ReadMem(c->arg[0]);
1305 break;
1306
1307 case CMD_SET_LF_DIVISOR:
1308 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1309 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
1310 break;
1311
1312 case CMD_SET_ADC_MUX:
1313 switch(c->arg[0]) {
1314 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1315 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1316 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1317 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1318 }
1319 break;
1320
1321 case CMD_VERSION:
1322 SendVersion();
1323 break;
1324 case CMD_STATUS:
1325 SendStatus();
1326 break;
1327 case CMD_PING:
1328 cmd_send(CMD_ACK,0,0,0,0,0);
1329 break;
1330 #ifdef WITH_LCD
1331 case CMD_LCD_RESET:
1332 LCDReset();
1333 break;
1334 case CMD_LCD:
1335 LCDSend(c->arg[0]);
1336 break;
1337 #endif
1338 case CMD_SETUP_WRITE:
1339 case CMD_FINISH_WRITE:
1340 case CMD_HARDWARE_RESET:
1341 usb_disable();
1342 SpinDelay(1000);
1343 SpinDelay(1000);
1344 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1345 for(;;) {
1346 // We're going to reset, and the bootrom will take control.
1347 }
1348 break;
1349
1350 case CMD_START_FLASH:
1351 if(common_area.flags.bootrom_present) {
1352 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1353 }
1354 usb_disable();
1355 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1356 for(;;);
1357 break;
1358
1359 case CMD_DEVICE_INFO: {
1360 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1361 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1362 cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1363 break;
1364 }
1365 default:
1366 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1367 break;
1368 }
1369 }
1370
1371 void __attribute__((noreturn)) AppMain(void)
1372 {
1373 SpinDelay(100);
1374 clear_trace();
1375 if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
1376 /* Initialize common area */
1377 memset(&common_area, 0, sizeof(common_area));
1378 common_area.magic = COMMON_AREA_MAGIC;
1379 common_area.version = 1;
1380 }
1381 common_area.flags.osimage_present = 1;
1382
1383 LED_D_OFF();
1384 LED_C_OFF();
1385 LED_B_OFF();
1386 LED_A_OFF();
1387
1388 // Init USB device
1389 usb_enable();
1390
1391 // The FPGA gets its clock from us from PCK0 output, so set that up.
1392 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
1393 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
1394 AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
1395 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1396 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
1397 AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
1398 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
1399
1400 // Reset SPI
1401 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
1402 // Reset SSC
1403 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
1404
1405 // Load the FPGA image, which we have stored in our flash.
1406 // (the HF version by default)
1407 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1408
1409 StartTickCount();
1410
1411 #ifdef WITH_LCD
1412 LCDInit();
1413 #endif
1414
1415 byte_t rx[sizeof(UsbCommand)];
1416 size_t rx_len;
1417
1418 for(;;) {
1419 if (usb_poll()) {
1420 rx_len = usb_read(rx,sizeof(UsbCommand));
1421 if (rx_len) {
1422 UsbPacketReceived(rx,rx_len);
1423 }
1424 }
1425 WDT_HIT();
1426
1427 #ifdef WITH_LF
1428 #ifndef WITH_ISO14443a_StandAlone
1429 if (BUTTON_HELD(1000) > 0)
1430 SamyRun();
1431 #endif
1432 #endif
1433 #ifdef WITH_ISO14443a
1434 #ifdef WITH_ISO14443a_StandAlone
1435 if (BUTTON_HELD(1000) > 0)
1436 StandAloneMode14a();
1437 #endif
1438 #endif
1439 }
1440 }
Proxmark3 GIT tracking
Impressum, Datenschutz