]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/appmain.c
CHG: only need a byte in this loop
[proxmark3-svn] / armsrc / appmain.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, Mar 2006
3 // Edits by Gerhard de Koning Gans, Sep 2007 (##)
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // The main application code. This is the first thing called after start.c
10 // executes.
11 //-----------------------------------------------------------------------------
12 #include "usb_cdc.h"
13 #include "cmd.h"
14 #include "proxmark3.h"
15 #include "apps.h"
16 #include "util.h"
17 #include "printf.h"
18 #include "string.h"
19 #include <stdarg.h>
20 #include "legicrf.h"
21 #include "hitag2.h"
22 #include "hitagS.h"
23 #include "lfsampling.h"
24 #include "BigBuf.h"
25 #include "mifareutil.h"
26 #include "pcf7931.h"
27
28 #ifdef WITH_LCD
29 #include "LCD.h"
30 #endif
31
32 // Craig Young - 14a stand-alone code
33 #ifdef WITH_ISO14443a_StandAlone
34 #include "iso14443a.h"
35 #include "protocols.h"
36 #endif
37
38 //=============================================================================
39 // A buffer where we can queue things up to be sent through the FPGA, for
40 // any purpose (fake tag, as reader, whatever). We go MSB first, since that
41 // is the order in which they go out on the wire.
42 //=============================================================================
43
44 #define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
45 uint8_t ToSend[TOSEND_BUFFER_SIZE];
46 int ToSendMax = 0;
47 static int ToSendBit;
48 struct common_area common_area __attribute__((section(".commonarea")));
49
50 void ToSendReset(void)
51 {
52 ToSendMax = -1;
53 ToSendBit = 8;
54 }
55
56 void ToSendStuffBit(int b) {
57 if(ToSendBit >= 8) {
58 ++ToSendMax;
59 ToSend[ToSendMax] = 0;
60 ToSendBit = 0;
61 }
62
63 if(b)
64 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
65
66 ++ToSendBit;
67
68 if(ToSendMax >= sizeof(ToSend)) {
69 ToSendBit = 0;
70 DbpString("ToSendStuffBit overflowed!");
71 }
72 }
73
74 void PrintToSendBuffer(void){
75 DbpString("Printing ToSendBuffer:");
76 Dbhexdump(ToSendMax, ToSend, 0);
77 }
78
79 //=============================================================================
80 // Debug print functions, to go out over USB, to the usual PC-side client.
81 //=============================================================================
82
83 void DbpStringEx(char *str, uint32_t cmd){
84 byte_t len = strlen(str);
85 cmd_send(CMD_DEBUG_PRINT_STRING,len, cmd,0,(byte_t*)str,len);
86 }
87
88 void DbpString(char *str) {
89 DbpStringEx(str, 0);
90 }
91
92 #if 0
93 void DbpIntegers(int x1, int x2, int x3) {
94 cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
95 }
96 #endif
97 void DbprintfEx(uint32_t cmd, const char *fmt, ...) {
98 // should probably limit size here; oh well, let's just use a big buffer
99 char output_string[128] = {0x00};
100 va_list ap;
101
102 va_start(ap, fmt);
103 kvsprintf(fmt, output_string, 10, ap);
104 va_end(ap);
105
106 DbpStringEx(output_string, cmd);
107 }
108
109 void Dbprintf(const char *fmt, ...) {
110 // should probably limit size here; oh well, let's just use a big buffer
111 char output_string[128] = {0x00};
112 va_list ap;
113
114 va_start(ap, fmt);
115 kvsprintf(fmt, output_string, 10, ap);
116 va_end(ap);
117
118 DbpString(output_string);
119 }
120
121 // prints HEX & ASCII
122 void Dbhexdump(int len, uint8_t *d, bool bAsci) {
123 int l=0, i;
124 char ascii[9];
125
126 while (len>0) {
127
128 l = (len>8) ? 8 : len;
129
130 memcpy(ascii,d,l);
131 ascii[l]=0;
132
133 // filter safe ascii
134 for (i=0; i<l; ++i)
135 if (ascii[i]<32 || ascii[i]>126) ascii[i]='.';
136
137 if (bAsci)
138 Dbprintf("%-8s %*D",ascii,l,d," ");
139 else
140 Dbprintf("%*D",l,d," ");
141
142 len -= 8;
143 d += 8;
144 }
145 }
146
147 //-----------------------------------------------------------------------------
148 // Read an ADC channel and block till it completes, then return the result
149 // in ADC units (0 to 1023). Also a routine to average 32 samples and
150 // return that.
151 //-----------------------------------------------------------------------------
152 static int ReadAdc(int ch)
153 {
154 uint32_t d;
155
156 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
157 AT91C_BASE_ADC->ADC_MR =
158 ADC_MODE_PRESCALE(63 /* was 32 */) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
159 ADC_MODE_STARTUP_TIME(1 /* was 16 */) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
160 ADC_MODE_SAMPLE_HOLD_TIME(15 /* was 8 */); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
161
162 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
163 // Both AMPL_LO and AMPL_HI are very high impedance (10MOhm) outputs, the input capacitance of the ADC is 12pF (typical). This results in a time constant
164 // of RC = 10MOhm * 12pF = 120us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
165 //
166 // The maths are:
167 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
168 //
169 // v_cap = v_in * (1 - exp(-RC/SHTIM)) = v_in * (1 - exp(-3)) = v_in * 0,95 (i.e. an error of 5%)
170 //
171 // Note: with the "historic" values in the comments above, the error was 34% !!!
172
173 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
174
175 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
176
177 while (!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch))) ;
178
179 d = AT91C_BASE_ADC->ADC_CDR[ch];
180 return d;
181 }
182
183 int AvgAdc(int ch) // was static - merlok
184 {
185 int i;
186 int a = 0;
187
188 for(i = 0; i < 32; ++i)
189 a += ReadAdc(ch);
190
191 return (a + 15) >> 5;
192 }
193
194 void MeasureAntennaTuning(void) {
195 uint8_t LF_Results[256];
196 int i, adcval = 0, peak = 0, peakv = 0, peakf = 0; //ptr = 0
197 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
198
199 LED_B_ON();
200
201 /*
202 * Sweeps the useful LF range of the proxmark from
203 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
204 * read the voltage in the antenna, the result left
205 * in the buffer is a graph which should clearly show
206 * the resonating frequency of your LF antenna
207 * ( hopefully around 95 if it is tuned to 125kHz!)
208 */
209
210 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
211 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
212
213 for (i=255; i>=19; i--) {
214 WDT_HIT();
215 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
216 SpinDelay(20);
217 adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
218 if (i==95) vLf125 = adcval; // voltage at 125Khz
219 if (i==89) vLf134 = adcval; // voltage at 134Khz
220
221 LF_Results[i] = adcval>>8; // scale int to fit in byte for graphing purposes
222 if(LF_Results[i] > peak) {
223 peakv = adcval;
224 peak = LF_Results[i];
225 peakf = i;
226 //ptr = i;
227 }
228 }
229
230 for (i=18; i >= 0; i--) LF_Results[i] = 0;
231
232 LED_A_ON();
233 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
234 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
235 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
236 SpinDelay(20);
237 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
238
239 cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125 | (vLf134<<16), vHf, peakf | (peakv<<16), LF_Results, 256);
240 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
241
242 LEDsoff();
243 }
244
245 void MeasureAntennaTuningHf(void) {
246 int vHf = 0; // in mV
247 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
248 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
249 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
250
251 while ( !BUTTON_PRESS() ){
252 SpinDelay(20);
253 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
254 //Dbprintf("%d mV",vHf);
255 DbprintfEx(CMD_MEASURE_ANTENNA_TUNING_HF, "%d mV",vHf);
256 }
257 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
258 DbpString("cancelled");
259 }
260
261
262 void ReadMem(int addr) {
263 const uint8_t *data = ((uint8_t *)addr);
264
265 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
266 addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
267 }
268
269 /* osimage version information is linked in */
270 extern struct version_information version_information;
271 /* bootrom version information is pointed to from _bootphase1_version_pointer */
272 extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
273 void SendVersion(void)
274 {
275 char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
276 char VersionString[USB_CMD_DATA_SIZE] = { '\0' };
277
278 /* Try to find the bootrom version information. Expect to find a pointer at
279 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
280 * pointer, then use it.
281 */
282 char *bootrom_version = *(char**)&_bootphase1_version_pointer;
283
284 if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
285 strcat(VersionString, "bootrom version information appears invalid\n");
286 } else {
287 FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
288 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
289 }
290
291 FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
292 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
293
294 FpgaGatherVersion(FPGA_BITSTREAM_LF, temp, sizeof(temp));
295 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
296
297 FpgaGatherVersion(FPGA_BITSTREAM_HF, temp, sizeof(temp));
298 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
299
300 // Send Chip ID and used flash memory
301 uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
302 uint32_t compressed_data_section_size = common_area.arg1;
303 cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, 0, VersionString, strlen(VersionString));
304 }
305
306 // measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
307 // Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
308 void printUSBSpeed(void)
309 {
310 Dbprintf("USB Speed:");
311 Dbprintf(" Sending USB packets to client...");
312
313 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
314 uint8_t *test_data = BigBuf_get_addr();
315 uint32_t end_time;
316
317 uint32_t start_time = end_time = GetTickCount();
318 uint32_t bytes_transferred = 0;
319
320 LED_B_ON();
321 while(end_time < start_time + USB_SPEED_TEST_MIN_TIME) {
322 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE);
323 end_time = GetTickCount();
324 bytes_transferred += USB_CMD_DATA_SIZE;
325 }
326 LED_B_OFF();
327
328 Dbprintf(" Time elapsed: %dms", end_time - start_time);
329 Dbprintf(" Bytes transferred: %d", bytes_transferred);
330 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
331 1000 * bytes_transferred / (end_time - start_time));
332
333 }
334
335 /**
336 * Prints runtime information about the PM3.
337 **/
338 void SendStatus(void) {
339 BigBuf_print_status();
340 Fpga_print_status();
341 printConfig(); //LF Sampling config
342 printUSBSpeed();
343 Dbprintf("Various");
344 Dbprintf(" MF_DBGLEVEL........%d", MF_DBGLEVEL);
345 Dbprintf(" ToSendMax..........%d", ToSendMax);
346 Dbprintf(" ToSendBit..........%d", ToSendBit);
347 Dbprintf(" ToSend BUFFERSIZE..%d", TOSEND_BUFFER_SIZE);
348
349 cmd_send(CMD_ACK,1,0,0,0,0);
350 }
351
352 #if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF)
353
354 #define OPTS 2
355 void StandAloneMode()
356 {
357 DbpString("Stand-alone mode! No PC necessary.");
358 // Oooh pretty -- notify user we're in elite samy mode now
359 LED(LED_RED, 200);
360 LED(LED_ORANGE, 200);
361 LED(LED_GREEN, 200);
362 LED(LED_ORANGE, 200);
363 LED(LED_RED, 200);
364 LED(LED_ORANGE, 200);
365 LED(LED_GREEN, 200);
366 LED(LED_ORANGE, 200);
367 LED(LED_RED, 200);
368 }
369 #endif
370
371 #ifdef WITH_ISO14443a_StandAlone
372 void StandAloneMode14a()
373 {
374 StandAloneMode();
375 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
376
377 int selected = 0;
378 int playing = 0, iGotoRecord = 0, iGotoClone = 0;
379 int cardRead[OPTS] = {0};
380 uint8_t readUID[10] = {0};
381 uint32_t uid_1st[OPTS]={0};
382 uint32_t uid_2nd[OPTS]={0};
383 uint32_t uid_tmp1 = 0;
384 uint32_t uid_tmp2 = 0;
385 iso14a_card_select_t hi14a_card[OPTS];
386
387 uint8_t params = (MAGIC_SINGLE | MAGIC_DATAIN);
388
389 LED(selected + 1, 0);
390
391 for (;;)
392 {
393 usb_poll();
394 WDT_HIT();
395 SpinDelay(300);
396
397 if (iGotoRecord == 1 || cardRead[selected] == 0)
398 {
399 iGotoRecord = 0;
400 LEDsoff();
401 LED(selected + 1, 0);
402 LED(LED_RED2, 0);
403
404 // record
405 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected);
406 /* need this delay to prevent catching some weird data */
407 SpinDelay(500);
408 /* Code for reading from 14a tag */
409 uint8_t uid[10] = {0};
410 uint32_t cuid = 0;
411 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
412
413 for ( ; ; )
414 {
415 WDT_HIT();
416 if (BUTTON_PRESS()) {
417 if (cardRead[selected]) {
418 Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
419 break;
420 }
421 else if (cardRead[(selected+1)%OPTS]) {
422 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS);
423 selected = (selected+1)%OPTS;
424 break; // playing = 1;
425 }
426 else {
427 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
428 SpinDelay(300);
429 }
430 }
431 if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid, true, 0))
432 continue;
433 else
434 {
435 Dbprintf("Read UID:"); Dbhexdump(10,uid,0);
436 memcpy(readUID,uid,10*sizeof(uint8_t));
437 uint8_t *dst = (uint8_t *)&uid_tmp1;
438 // Set UID byte order
439 for (int i=0; i<4; i++)
440 dst[i] = uid[3-i];
441 dst = (uint8_t *)&uid_tmp2;
442 for (int i=0; i<4; i++)
443 dst[i] = uid[7-i];
444 if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) {
445 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
446 }
447 else {
448 if (uid_tmp2) {
449 Dbprintf("Bank[%d] received a 7-byte UID",selected);
450 uid_1st[selected] = (uid_tmp1)>>8;
451 uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8);
452 }
453 else {
454 Dbprintf("Bank[%d] received a 4-byte UID",selected);
455 uid_1st[selected] = uid_tmp1;
456 uid_2nd[selected] = uid_tmp2;
457 }
458 break;
459 }
460 }
461 }
462 Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]);
463 Dbprintf("SAK = %02X",hi14a_card[selected].sak);
464 LEDsoff();
465 LED(LED_GREEN, 200);
466 LED(LED_ORANGE, 200);
467 LED(LED_GREEN, 200);
468 LED(LED_ORANGE, 200);
469
470 LEDsoff();
471 LED(selected + 1, 0);
472
473 // Next state is replay:
474 playing = 1;
475
476 cardRead[selected] = 1;
477 }
478 /* MF Classic UID clone */
479 else if (iGotoClone==1)
480 {
481 iGotoClone=0;
482 LEDsoff();
483 LED(selected + 1, 0);
484 LED(LED_ORANGE, 250);
485
486 // record
487 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]);
488
489 // wait for button to be released
490 // Delay cloning until card is in place
491 while(BUTTON_PRESS())
492 WDT_HIT();
493
494 Dbprintf("Starting clone. [Bank: %u]", selected);
495 // need this delay to prevent catching some weird data
496 SpinDelay(500);
497 // Begin clone function here:
498 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
499 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {params & (0xFE | (uid == NULL ? 0:1)), blockNo, 0}};
500 memcpy(c.d.asBytes, data, 16);
501 SendCommand(&c);
502
503 Block read is similar:
504 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, blockNo, 0}};
505 We need to imitate that call with blockNo 0 to set a uid.
506
507 The get and set commands are handled in this file:
508 // Work with "magic Chinese" card
509 case CMD_MIFARE_CSETBLOCK:
510 MifareCSetBlock(c->arg[0], c->arg[1], c->d.asBytes);
511 break;
512 case CMD_MIFARE_CGETBLOCK:
513 MifareCGetBlock(c->arg[0], c->arg[1], c->d.asBytes);
514 break;
515
516 mfCSetUID provides example logic for UID set workflow:
517 -Read block0 from card in field with MifareCGetBlock()
518 -Configure new values without replacing reserved bytes
519 memcpy(block0, uid, 4); // Copy UID bytes from byte array
520 // Mifare UID BCC
521 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
522 Bytes 5-7 are reserved SAK and ATQA for mifare classic
523 -Use mfCSetBlock(0, block0, oldUID, wantWipe, MAGIC_SINGLE) to write it
524 */
525 uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0};
526 // arg0 = Flags, arg1=blockNo
527 MifareCGetBlock(params, 0, oldBlock0);
528 if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
529 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
530 playing = 1;
531 }
532 else {
533 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]);
534 memcpy(newBlock0,oldBlock0,16);
535 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
536
537 newBlock0[0] = uid_1st[selected]>>24;
538 newBlock0[1] = 0xFF & (uid_1st[selected]>>16);
539 newBlock0[2] = 0xFF & (uid_1st[selected]>>8);
540 newBlock0[3] = 0xFF & (uid_1st[selected]);
541 newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3];
542
543 // arg0 = workFlags, arg1 = blockNo, datain
544 MifareCSetBlock(params, 0, newBlock0);
545 MifareCGetBlock(params, 0, testBlock0);
546
547 if (memcmp(testBlock0, newBlock0, 16)==0) {
548 DbpString("Cloned successfull!");
549 cardRead[selected] = 0; // Only if the card was cloned successfully should we clear it
550 playing = 0;
551 iGotoRecord = 1;
552 selected = (selected + 1) % OPTS;
553 } else {
554 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
555 playing = 1;
556 }
557 }
558 LEDsoff();
559 LED(selected + 1, 0);
560 }
561 // Change where to record (or begin playing)
562 else if (playing==1) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
563 {
564 LEDsoff();
565 LED(selected + 1, 0);
566
567 // Begin transmitting
568 if (playing)
569 {
570 LED(LED_GREEN, 0);
571 DbpString("Playing");
572 for ( ; ; ) {
573 WDT_HIT();
574 int button_action = BUTTON_HELD(1000);
575 if (button_action == 0) { // No button action, proceed with sim
576 uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break
577 uint8_t flags = ( uid_2nd[selected] > 0x00 ) ? FLAG_7B_UID_IN_DATA : FLAG_4B_UID_IN_DATA;
578 num_to_bytes(uid_1st[selected], 3, data);
579 num_to_bytes(uid_2nd[selected], 4, data);
580
581 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected);
582 if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) {
583 DbpString("Mifare Classic");
584 SimulateIso14443aTag(1, flags, data); // Mifare Classic
585 }
586 else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) {
587 DbpString("Mifare Ultralight");
588 SimulateIso14443aTag(2, flags, data); // Mifare Ultralight
589 }
590 else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) {
591 DbpString("Mifare DESFire");
592 SimulateIso14443aTag(3, flags, data); // Mifare DESFire
593 }
594 else {
595 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
596 SimulateIso14443aTag(1, flags, data);
597 }
598 }
599 else if (button_action == BUTTON_SINGLE_CLICK) {
600 selected = (selected + 1) % OPTS;
601 Dbprintf("Done playing. Switching to record mode on bank %d",selected);
602 iGotoRecord = 1;
603 break;
604 }
605 else if (button_action == BUTTON_HOLD) {
606 Dbprintf("Playtime over. Begin cloning...");
607 iGotoClone = 1;
608 break;
609 }
610 WDT_HIT();
611 }
612
613 /* We pressed a button so ignore it here with a delay */
614 SpinDelay(300);
615 LEDsoff();
616 LED(selected + 1, 0);
617 }
618 else
619 while(BUTTON_PRESS())
620 WDT_HIT();
621 }
622 }
623 }
624 #elif WITH_LF
625 // samy's sniff and repeat routine
626 void SamyRun()
627 {
628 StandAloneMode();
629 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
630
631 int high[OPTS], low[OPTS];
632 int selected = 0;
633 int playing = 0;
634 int cardRead = 0;
635
636 // Turn on selected LED
637 LED(selected + 1, 0);
638
639 for (;;) {
640 usb_poll();
641 WDT_HIT();
642
643 // Was our button held down or pressed?
644 int button_pressed = BUTTON_HELD(1000);
645 SpinDelay(300);
646
647 // Button was held for a second, begin recording
648 if (button_pressed > 0 && cardRead == 0)
649 {
650 LEDsoff();
651 LED(selected + 1, 0);
652 LED(LED_RED2, 0);
653
654 // record
655 DbpString("Starting recording");
656
657 // wait for button to be released
658 while(BUTTON_PRESS())
659 WDT_HIT();
660
661 /* need this delay to prevent catching some weird data */
662 SpinDelay(500);
663
664 CmdHIDdemodFSK(1, &high[selected], &low[selected], 0);
665 Dbprintf("Recorded %x %x %08x", selected, high[selected], low[selected]);
666
667 LEDsoff();
668 LED(selected + 1, 0);
669 // Finished recording
670 // If we were previously playing, set playing off
671 // so next button push begins playing what we recorded
672 playing = 0;
673 cardRead = 1;
674 }
675 else if (button_pressed > 0 && cardRead == 1) {
676 LEDsoff();
677 LED(selected + 1, 0);
678 LED(LED_ORANGE, 0);
679
680 // record
681 Dbprintf("Cloning %x %x %08x", selected, high[selected], low[selected]);
682
683 // wait for button to be released
684 while(BUTTON_PRESS())
685 WDT_HIT();
686
687 /* need this delay to prevent catching some weird data */
688 SpinDelay(500);
689
690 CopyHIDtoT55x7(0, high[selected], low[selected], 0);
691 Dbprintf("Cloned %x %x %08x", selected, high[selected], low[selected]);
692
693 LEDsoff();
694 LED(selected + 1, 0);
695 // Finished recording
696
697 // If we were previously playing, set playing off
698 // so next button push begins playing what we recorded
699 playing = 0;
700 cardRead = 0;
701 }
702
703 // Change where to record (or begin playing)
704 else if (button_pressed) {
705 // Next option if we were previously playing
706 if (playing)
707 selected = (selected + 1) % OPTS;
708 playing = !playing;
709
710 LEDsoff();
711 LED(selected + 1, 0);
712
713 // Begin transmitting
714 if (playing)
715 {
716 LED(LED_GREEN, 0);
717 DbpString("Playing");
718 // wait for button to be released
719 while(BUTTON_PRESS())
720 WDT_HIT();
721
722 Dbprintf("%x %x %08x", selected, high[selected], low[selected]);
723 CmdHIDsimTAG(high[selected], low[selected], 0);
724 DbpString("Done playing");
725
726 if (BUTTON_HELD(1000) > 0) {
727 DbpString("Exiting");
728 LEDsoff();
729 return;
730 }
731
732 /* We pressed a button so ignore it here with a delay */
733 SpinDelay(300);
734
735 // when done, we're done playing, move to next option
736 selected = (selected + 1) % OPTS;
737 playing = !playing;
738 LEDsoff();
739 LED(selected + 1, 0);
740 }
741 else
742 while(BUTTON_PRESS())
743 WDT_HIT();
744 }
745 }
746 }
747
748 #endif
749 /*
750 OBJECTIVE
751 Listen and detect an external reader. Determine the best location
752 for the antenna.
753
754 INSTRUCTIONS:
755 Inside the ListenReaderField() function, there is two mode.
756 By default, when you call the function, you will enter mode 1.
757 If you press the PM3 button one time, you will enter mode 2.
758 If you press the PM3 button a second time, you will exit the function.
759
760 DESCRIPTION OF MODE 1:
761 This mode just listens for an external reader field and lights up green
762 for HF and/or red for LF. This is the original mode of the detectreader
763 function.
764
765 DESCRIPTION OF MODE 2:
766 This mode will visually represent, using the LEDs, the actual strength of the
767 current compared to the maximum current detected. Basically, once you know
768 what kind of external reader is present, it will help you spot the best location to place
769 your antenna. You will probably not get some good results if there is a LF and a HF reader
770 at the same place! :-)
771
772 LIGHT SCHEME USED:
773 */
774 static const char LIGHT_SCHEME[] = {
775 0x0, /* ---- | No field detected */
776 0x1, /* X--- | 14% of maximum current detected */
777 0x2, /* -X-- | 29% of maximum current detected */
778 0x4, /* --X- | 43% of maximum current detected */
779 0x8, /* ---X | 57% of maximum current detected */
780 0xC, /* --XX | 71% of maximum current detected */
781 0xE, /* -XXX | 86% of maximum current detected */
782 0xF, /* XXXX | 100% of maximum current detected */
783 };
784 static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
785
786 void ListenReaderField(int limit) {
787 #define LF_ONLY 1
788 #define HF_ONLY 2
789 #define REPORT_CHANGE 10 // report new values only if they have changed at least by REPORT_CHANGE
790
791 int lf_av, lf_av_new, lf_baseline= 0, lf_max;
792 int hf_av, hf_av_new, hf_baseline= 0, hf_max;
793 int mode=1, display_val, display_max, i;
794
795 // switch off FPGA - we don't want to measure our own signal
796 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
797 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
798
799 LEDsoff();
800
801 lf_av = lf_max = AvgAdc(ADC_CHAN_LF);
802
803 if(limit != HF_ONLY) {
804 Dbprintf("LF 125/134kHz Baseline: %dmV", (MAX_ADC_LF_VOLTAGE * lf_av) >> 10);
805 lf_baseline = lf_av;
806 }
807
808 hf_av = hf_max = AvgAdc(ADC_CHAN_HF);
809
810 if (limit != LF_ONLY) {
811 Dbprintf("HF 13.56MHz Baseline: %dmV", (MAX_ADC_HF_VOLTAGE * hf_av) >> 10);
812 hf_baseline = hf_av;
813 }
814
815 for(;;) {
816 if (BUTTON_PRESS()) {
817 SpinDelay(500);
818 switch (mode) {
819 case 1:
820 mode=2;
821 DbpString("Signal Strength Mode");
822 break;
823 case 2:
824 default:
825 DbpString("Stopped");
826 LEDsoff();
827 return;
828 break;
829 }
830 }
831 WDT_HIT();
832
833 if (limit != HF_ONLY) {
834 if(mode == 1) {
835 if (ABS(lf_av - lf_baseline) > REPORT_CHANGE)
836 LED_D_ON();
837 else
838 LED_D_OFF();
839 }
840
841 lf_av_new = AvgAdc(ADC_CHAN_LF);
842 // see if there's a significant change
843 if(ABS(lf_av - lf_av_new) > REPORT_CHANGE) {
844 Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE * lf_av_new) >> 10);
845 lf_av = lf_av_new;
846 if (lf_av > lf_max)
847 lf_max = lf_av;
848 }
849 }
850
851 if (limit != LF_ONLY) {
852 if (mode == 1){
853 if (ABS(hf_av - hf_baseline) > REPORT_CHANGE)
854 LED_B_ON();
855 else
856 LED_B_OFF();
857 }
858
859 hf_av_new = AvgAdc(ADC_CHAN_HF);
860 // see if there's a significant change
861 if(ABS(hf_av - hf_av_new) > REPORT_CHANGE) {
862 Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE * hf_av_new) >> 10);
863 hf_av = hf_av_new;
864 if (hf_av > hf_max)
865 hf_max = hf_av;
866 }
867 }
868
869 if(mode == 2) {
870 if (limit == LF_ONLY) {
871 display_val = lf_av;
872 display_max = lf_max;
873 } else if (limit == HF_ONLY) {
874 display_val = hf_av;
875 display_max = hf_max;
876 } else { /* Pick one at random */
877 if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
878 display_val = hf_av;
879 display_max = hf_max;
880 } else {
881 display_val = lf_av;
882 display_max = lf_max;
883 }
884 }
885 for (i=0; i<LIGHT_LEN; i++) {
886 if (display_val >= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) {
887 if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF();
888 if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF();
889 if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF();
890 if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF();
891 break;
892 }
893 }
894 }
895 }
896 }
897
898 void UsbPacketReceived(uint8_t *packet, int len)
899 {
900 UsbCommand *c = (UsbCommand *)packet;
901
902 //Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
903
904 switch(c->cmd) {
905 #ifdef WITH_LF
906 case CMD_SET_LF_SAMPLING_CONFIG:
907 setSamplingConfig((sample_config *) c->d.asBytes);
908 break;
909 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
910 cmd_send(CMD_ACK, SampleLF(c->arg[0]),0,0,0,0);
911 break;
912 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
913 ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
914 break;
915 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
916 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
917 break;
918 case CMD_HID_DEMOD_FSK:
919 CmdHIDdemodFSK(c->arg[0], 0, 0, 1);
920 break;
921 case CMD_HID_SIM_TAG:
922 CmdHIDsimTAG(c->arg[0], c->arg[1], 1);
923 break;
924 case CMD_FSK_SIM_TAG:
925 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
926 break;
927 case CMD_ASK_SIM_TAG:
928 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
929 break;
930 case CMD_PSK_SIM_TAG:
931 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
932 break;
933 case CMD_HID_CLONE_TAG:
934 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
935 break;
936 case CMD_IO_DEMOD_FSK:
937 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
938 break;
939 case CMD_IO_CLONE_TAG:
940 CopyIOtoT55x7(c->arg[0], c->arg[1]);
941 break;
942 case CMD_EM410X_DEMOD:
943 CmdEM410xdemod(c->arg[0], 0, 0, 1);
944 break;
945 case CMD_EM410X_WRITE_TAG:
946 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
947 break;
948 case CMD_READ_TI_TYPE:
949 ReadTItag();
950 break;
951 case CMD_WRITE_TI_TYPE:
952 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
953 break;
954 case CMD_SIMULATE_TAG_125K:
955 LED_A_ON();
956 SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
957 LED_A_OFF();
958 break;
959 case CMD_LF_SIMULATE_BIDIR:
960 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
961 break;
962 case CMD_INDALA_CLONE_TAG:
963 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
964 break;
965 case CMD_INDALA_CLONE_TAG_L:
966 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
967 break;
968 case CMD_T55XX_READ_BLOCK:
969 T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
970 break;
971 case CMD_T55XX_WRITE_BLOCK:
972 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
973 break;
974 case CMD_T55XX_WAKEUP:
975 T55xxWakeUp(c->arg[0]);
976 break;
977 case CMD_T55XX_RESET_READ:
978 T55xxResetRead();
979 break;
980 case CMD_PCF7931_READ:
981 ReadPCF7931();
982 break;
983 case CMD_PCF7931_WRITE:
984 WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
985 break;
986 case CMD_EM4X_READ_WORD:
987 EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]);
988 break;
989 case CMD_EM4X_WRITE_WORD:
990 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
991 break;
992 case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
993 CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
994 break;
995 case CMD_VIKING_CLONE_TAG:
996 CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
997 break;
998 #endif
999
1000 #ifdef WITH_HITAG
1001 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
1002 SnoopHitag(c->arg[0]);
1003 break;
1004 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
1005 SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1006 break;
1007 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
1008 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1009 break;
1010 case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content
1011 SimulateHitagSTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1012 break;
1013 case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file
1014 check_challenges((bool)c->arg[0],(byte_t*)c->d.asBytes);
1015 break;
1016 case CMD_READ_HITAG_S: //Reader for only Hitag S tags, args = key or challenge
1017 ReadHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1018 break;
1019 case CMD_WR_HITAG_S: //writer for Hitag tags args=data to write,page and key or challenge
1020 WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]);
1021 break;
1022 #endif
1023
1024 #ifdef WITH_ISO15693
1025 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
1026 AcquireRawAdcSamplesIso15693();
1027 break;
1028 case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693:
1029 RecordRawAdcSamplesIso15693();
1030 break;
1031
1032 case CMD_ISO_15693_COMMAND:
1033 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1034 break;
1035
1036 case CMD_ISO_15693_FIND_AFI:
1037 BruteforceIso15693Afi(c->arg[0]);
1038 break;
1039
1040 case CMD_ISO_15693_DEBUG:
1041 SetDebugIso15693(c->arg[0]);
1042 break;
1043
1044 case CMD_READER_ISO_15693:
1045 ReaderIso15693(c->arg[0]);
1046 break;
1047 case CMD_SIMTAG_ISO_15693:
1048 SimTagIso15693(c->arg[0], c->d.asBytes);
1049 break;
1050 #endif
1051
1052 #ifdef WITH_LEGICRF
1053 case CMD_SIMULATE_TAG_LEGIC_RF:
1054 LegicRfSimulate(c->arg[0], c->arg[1], c->arg[2]);
1055 break;
1056
1057 case CMD_WRITER_LEGIC_RF:
1058 LegicRfWriter(c->arg[1], c->arg[0]);
1059 break;
1060
1061 case CMD_READER_LEGIC_RF:
1062 LegicRfReader(c->arg[0], c->arg[1]);
1063 break;
1064 #endif
1065
1066 #ifdef WITH_ISO14443b
1067 case CMD_READ_SRI_TAG:
1068 ReadSTMemoryIso14443b(c->arg[0]);
1069 break;
1070 case CMD_SNOOP_ISO_14443B:
1071 SnoopIso14443b();
1072 break;
1073 case CMD_SIMULATE_TAG_ISO_14443B:
1074 SimulateIso14443bTag(c->arg[0]);
1075 break;
1076 case CMD_ISO_14443B_COMMAND:
1077 //SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1078 SendRawCommand14443B_Ex(c);
1079 break;
1080 #endif
1081
1082 #ifdef WITH_ISO14443a
1083 case CMD_SNOOP_ISO_14443a:
1084 SniffIso14443a(c->arg[0]);
1085 break;
1086 case CMD_READER_ISO_14443a:
1087 ReaderIso14443a(c);
1088 break;
1089 case CMD_SIMULATE_TAG_ISO_14443a:
1090 SimulateIso14443aTag(c->arg[0], c->arg[1], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
1091 break;
1092 case CMD_EPA_PACE_COLLECT_NONCE:
1093 EPA_PACE_Collect_Nonce(c);
1094 break;
1095 case CMD_EPA_PACE_REPLAY:
1096 EPA_PACE_Replay(c);
1097 break;
1098 case CMD_READER_MIFARE:
1099 ReaderMifare(c->arg[0], c->arg[1]);
1100 break;
1101 case CMD_MIFARE_READBL:
1102 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1103 break;
1104 case CMD_MIFAREU_READBL:
1105 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
1106 break;
1107 case CMD_MIFAREUC_AUTH:
1108 MifareUC_Auth(c->arg[0],c->d.asBytes);
1109 break;
1110 case CMD_MIFAREU_READCARD:
1111 MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1112 break;
1113 case CMD_MIFAREUC_SETPWD:
1114 MifareUSetPwd(c->arg[0], c->d.asBytes);
1115 break;
1116 case CMD_MIFARE_READSC:
1117 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1118 break;
1119 case CMD_MIFARE_WRITEBL:
1120 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1121 break;
1122 //case CMD_MIFAREU_WRITEBL_COMPAT:
1123 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1124 //break;
1125 case CMD_MIFAREU_WRITEBL:
1126 MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
1127 break;
1128 case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES:
1129 MifareAcquireEncryptedNonces(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1130 break;
1131 case CMD_MIFARE_NESTED:
1132 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1133 break;
1134 case CMD_MIFARE_CHKKEYS:
1135 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1136 break;
1137 case CMD_SIMULATE_MIFARE_CARD:
1138 Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1139 break;
1140
1141 // emulator
1142 case CMD_MIFARE_SET_DBGMODE:
1143 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1144 break;
1145 case CMD_MIFARE_EML_MEMCLR:
1146 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1147 break;
1148 case CMD_MIFARE_EML_MEMSET:
1149 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1150 break;
1151 case CMD_MIFARE_EML_MEMGET:
1152 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1153 break;
1154 case CMD_MIFARE_EML_CARDLOAD:
1155 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1156 break;
1157
1158 // Work with "magic Chinese" card
1159 case CMD_MIFARE_CSETBLOCK:
1160 MifareCSetBlock(c->arg[0], c->arg[1], c->d.asBytes);
1161 break;
1162 case CMD_MIFARE_CGETBLOCK:
1163 MifareCGetBlock(c->arg[0], c->arg[1], c->d.asBytes);
1164 break;
1165 case CMD_MIFARE_CIDENT:
1166 MifareCIdent();
1167 break;
1168
1169 // mifare sniffer
1170 case CMD_MIFARE_SNIFFER:
1171 SniffMifare(c->arg[0]);
1172 break;
1173
1174 //mifare desfire
1175 case CMD_MIFARE_DESFIRE_READBL: break;
1176 case CMD_MIFARE_DESFIRE_WRITEBL: break;
1177 case CMD_MIFARE_DESFIRE_AUTH1:
1178 MifareDES_Auth1(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1179 break;
1180 case CMD_MIFARE_DESFIRE_AUTH2:
1181 //MifareDES_Auth2(c->arg[0],c->d.asBytes);
1182 break;
1183 case CMD_MIFARE_DES_READER:
1184 //readermifaredes(c->arg[0], c->arg[1], c->d.asBytes);
1185 break;
1186 case CMD_MIFARE_DESFIRE_INFO:
1187 MifareDesfireGetInformation();
1188 break;
1189 case CMD_MIFARE_DESFIRE:
1190 MifareSendCommand(c->arg[0], c->arg[1], c->d.asBytes);
1191 break;
1192
1193 case CMD_MIFARE_COLLECT_NONCES:
1194 break;
1195 #endif
1196 #ifdef WITH_EMV
1197 case CMD_EMV_TRANSACTION:
1198 EMVTransaction();
1199 break;
1200 case CMD_EMV_GET_RANDOM_NUM:
1201 //EMVgetUDOL();
1202 break;
1203 case CMD_EMV_LOAD_VALUE:
1204 EMVloadvalue(c->arg[0], c->d.asBytes);
1205 break;
1206 case CMD_EMV_DUMP_CARD:
1207 EMVdumpcard();
1208 #endif
1209 #ifdef WITH_ICLASS
1210 // Makes use of ISO14443a FPGA Firmware
1211 case CMD_SNOOP_ICLASS:
1212 SnoopIClass();
1213 break;
1214 case CMD_SIMULATE_TAG_ICLASS:
1215 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1216 break;
1217 case CMD_READER_ICLASS:
1218 ReaderIClass(c->arg[0]);
1219 break;
1220 case CMD_READER_ICLASS_REPLAY:
1221 ReaderIClass_Replay(c->arg[0], c->d.asBytes);
1222 break;
1223 case CMD_ICLASS_EML_MEMSET:
1224 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
1225 break;
1226 case CMD_ICLASS_WRITEBLOCK:
1227 iClass_WriteBlock(c->arg[0], c->d.asBytes);
1228 break;
1229 case CMD_ICLASS_READCHECK: // auth step 1
1230 iClass_ReadCheck(c->arg[0], c->arg[1]);
1231 break;
1232 case CMD_ICLASS_READBLOCK:
1233 iClass_ReadBlk(c->arg[0]);
1234 break;
1235 case CMD_ICLASS_AUTHENTICATION: //check
1236 iClass_Authentication(c->d.asBytes);
1237 break;
1238 case CMD_ICLASS_DUMP:
1239 iClass_Dump(c->arg[0], c->arg[1]);
1240 break;
1241 case CMD_ICLASS_CLONE:
1242 iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
1243 break;
1244 #endif
1245 #ifdef WITH_HFSNOOP
1246 case CMD_HF_SNIFFER:
1247 HfSnoop(c->arg[0], c->arg[1]);
1248 break;
1249 #endif
1250
1251 case CMD_BUFF_CLEAR:
1252 BigBuf_Clear();
1253 break;
1254
1255 case CMD_MEASURE_ANTENNA_TUNING:
1256 MeasureAntennaTuning();
1257 break;
1258
1259 case CMD_MEASURE_ANTENNA_TUNING_HF:
1260 MeasureAntennaTuningHf();
1261 break;
1262
1263 case CMD_LISTEN_READER_FIELD:
1264 ListenReaderField(c->arg[0]);
1265 break;
1266
1267 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
1268 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1269 SpinDelay(200);
1270 LED_D_OFF(); // LED D indicates field ON or OFF
1271 break;
1272
1273 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K: {
1274 LED_B_ON();
1275 uint8_t *BigBuf = BigBuf_get_addr();
1276 size_t len = 0;
1277 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
1278 len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
1279 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
1280 }
1281 // Trigger a finish downloading signal with an ACK frame
1282 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
1283 LED_B_OFF();
1284 break;
1285 }
1286 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
1287 uint8_t *b = BigBuf_get_addr();
1288 memcpy( b + c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1289 cmd_send(CMD_ACK,0,0,0,0,0);
1290 break;
1291 }
1292 case CMD_DOWNLOAD_EML_BIGBUF: {
1293 LED_B_ON();
1294 uint8_t *cardmem = BigBuf_get_EM_addr();
1295 size_t len = 0;
1296 for(size_t i=0; i < c->arg[1]; i += USB_CMD_DATA_SIZE) {
1297 len = MIN((c->arg[1] - i), USB_CMD_DATA_SIZE);
1298 cmd_send(CMD_DOWNLOADED_EML_BIGBUF, i, len, CARD_MEMORY_SIZE, cardmem + c->arg[0] + i, len);
1299 }
1300 // Trigger a finish downloading signal with an ACK frame
1301 cmd_send(CMD_ACK, 1, 0, CARD_MEMORY_SIZE, 0, 0);
1302 LED_B_OFF();
1303 break;
1304 }
1305 case CMD_READ_MEM:
1306 ReadMem(c->arg[0]);
1307 break;
1308
1309 case CMD_SET_LF_DIVISOR:
1310 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1311 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
1312 break;
1313
1314 case CMD_SET_ADC_MUX:
1315 switch(c->arg[0]) {
1316 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1317 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1318 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1319 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1320 }
1321 break;
1322
1323 case CMD_VERSION:
1324 SendVersion();
1325 break;
1326 case CMD_STATUS:
1327 SendStatus();
1328 break;
1329 case CMD_PING:
1330 cmd_send(CMD_ACK,0,0,0,0,0);
1331 break;
1332 #ifdef WITH_LCD
1333 case CMD_LCD_RESET:
1334 LCDReset();
1335 break;
1336 case CMD_LCD:
1337 LCDSend(c->arg[0]);
1338 break;
1339 #endif
1340 case CMD_SETUP_WRITE:
1341 case CMD_FINISH_WRITE:
1342 case CMD_HARDWARE_RESET:
1343 usb_disable();
1344 SpinDelay(2000);
1345 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1346 for(;;) {
1347 // We're going to reset, and the bootrom will take control.
1348 }
1349 break;
1350
1351 case CMD_START_FLASH:
1352 if(common_area.flags.bootrom_present) {
1353 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1354 }
1355 usb_disable();
1356 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1357 for(;;);
1358 break;
1359
1360 case CMD_DEVICE_INFO: {
1361 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1362 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1363 cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1364 break;
1365 }
1366 default:
1367 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1368 break;
1369 }
1370 }
1371
1372 void __attribute__((noreturn)) AppMain(void)
1373 {
1374 SpinDelay(100);
1375 clear_trace();
1376 if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
1377 /* Initialize common area */
1378 memset(&common_area, 0, sizeof(common_area));
1379 common_area.magic = COMMON_AREA_MAGIC;
1380 common_area.version = 1;
1381 }
1382 common_area.flags.osimage_present = 1;
1383
1384 LED_D_OFF();
1385 LED_C_OFF();
1386 LED_B_OFF();
1387 LED_A_OFF();
1388
1389 // Init USB device
1390 usb_enable();
1391
1392 // The FPGA gets its clock from us from PCK0 output, so set that up.
1393 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
1394 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
1395 AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
1396 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1397 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
1398 AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
1399 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
1400
1401 // Reset SPI
1402 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
1403 // Reset SSC
1404 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
1405
1406 // Load the FPGA image, which we have stored in our flash.
1407 // (the HF version by default)
1408 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1409
1410 StartTickCount();
1411
1412 #ifdef WITH_LCD
1413 LCDInit();
1414 #endif
1415
1416 byte_t rx[sizeof(UsbCommand)];
1417 size_t rx_len;
1418
1419 for(;;) {
1420 if (usb_poll()) {
1421 rx_len = usb_read(rx,sizeof(UsbCommand));
1422 if (rx_len)
1423 UsbPacketReceived(rx,rx_len);
1424 }
1425 WDT_HIT();
1426
1427 #ifdef WITH_LF
1428 #ifndef WITH_ISO14443a_StandAlone
1429 if (BUTTON_HELD(1000) > 0)
1430 SamyRun();
1431 #endif
1432 #endif
1433 #ifdef WITH_ISO14443a
1434 #ifdef WITH_ISO14443a_StandAlone
1435 if (BUTTON_HELD(1000) > 0)
1436 StandAloneMode14a();
1437 #endif
1438 #endif
1439 }
1440 }
Impressum, Datenschutz