1 //-----------------------------------------------------------------------------
2 // Gerhard de Koning Gans - May 2008
3 // Hagen Fritsch - June 2010
4 // Gerhard de Koning Gans - May 2011
5 // Gerhard de Koning Gans - June 2012 - Added iClass card and reader emulation
7 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
8 // at your option, any later version. See the LICENSE.txt file for the text of
10 //-----------------------------------------------------------------------------
11 // Routines to support iClass.
12 //-----------------------------------------------------------------------------
13 // Based on ISO14443a implementation. Still in experimental phase.
14 // Contribution made during a security research at Radboud University Nijmegen
16 // Please feel free to contribute and extend iClass support!!
17 //-----------------------------------------------------------------------------
21 // We still have sometimes a demodulation error when snooping iClass communication.
22 // The resulting trace of a read-block-03 command may look something like this:
24 // + 22279: : 0c 03 e8 01
26 // ...with an incorrect answer...
28 // + 85: 0: TAG ff! ff! ff! ff! ff! ff! ff! ff! bb 33 bb 00 01! 0e! 04! bb !crc
30 // We still left the error signalling bytes in the traces like 0xbb
32 // A correct trace should look like this:
34 // + 21112: : 0c 03 e8 01
35 // + 85: 0: TAG ff ff ff ff ff ff ff ff ea f5
37 //-----------------------------------------------------------------------------
39 #include "proxmark3.h"
45 // Needed for CRC in emulation mode;
46 // same construction as in ISO 14443;
47 // different initial value (CRC_ICLASS)
48 #include "iso14443crc.h"
49 #include "iso15693tools.h"
51 static int timeout
= 4096;
54 static int SendIClassAnswer(uint8_t *resp
, int respLen
, int delay
);
56 //-----------------------------------------------------------------------------
57 // The software UART that receives commands from the reader, and its state
59 //-----------------------------------------------------------------------------
63 STATE_START_OF_COMMUNICATION
,
84 static RAMFUNC
int OutOfNDecoding(int bit
)
90 Uart
.bitBuffer
= bit
^ 0xFF0;
95 Uart
.bitBuffer
^= bit
;
99 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
102 if(Uart.byteCnt > 15) { return TRUE; }
108 if(Uart
.state
!= STATE_UNSYNCD
) {
111 if((Uart
.bitBuffer
& Uart
.syncBit
) ^ Uart
.syncBit
) {
117 if(((Uart
.bitBuffer
<< 1) & Uart
.syncBit
) ^ Uart
.syncBit
) {
123 if(bit
!= bitright
) { bit
= bitright
; }
126 // So, now we only have to deal with *bit*, lets see...
127 if(Uart
.posCnt
== 1) {
128 // measurement first half bitperiod
130 // Drop in first half means that we are either seeing
133 if(Uart
.nOutOfCnt
== 1) {
134 // End of Communication
135 Uart
.state
= STATE_UNSYNCD
;
137 if(Uart
.byteCnt
== 0) {
138 // Its not straightforward to show single EOFs
139 // So just leave it and do not return TRUE
140 Uart
.output
[Uart
.byteCnt
] = 0xf0;
143 // Calculate the parity bit for the client...
150 else if(Uart
.state
!= STATE_START_OF_COMMUNICATION
) {
151 // When not part of SOF or EOF, it is an error
152 Uart
.state
= STATE_UNSYNCD
;
159 // measurement second half bitperiod
160 // Count the bitslot we are in... (ISO 15693)
164 if(Uart
.dropPosition
) {
165 if(Uart
.state
== STATE_START_OF_COMMUNICATION
) {
171 // It is an error if we already have seen a drop in current frame
172 Uart
.state
= STATE_UNSYNCD
;
176 Uart
.dropPosition
= Uart
.nOutOfCnt
;
183 if(Uart
.nOutOfCnt
== Uart
.OutOfCnt
&& Uart
.OutOfCnt
== 4) {
186 if(Uart
.state
== STATE_START_OF_COMMUNICATION
) {
187 if(Uart
.dropPosition
== 4) {
188 Uart
.state
= STATE_RECEIVING
;
191 else if(Uart
.dropPosition
== 3) {
192 Uart
.state
= STATE_RECEIVING
;
194 //Uart.output[Uart.byteCnt] = 0xdd;
198 Uart
.state
= STATE_UNSYNCD
;
201 Uart
.dropPosition
= 0;
206 if(!Uart
.dropPosition
) {
207 Uart
.state
= STATE_UNSYNCD
;
216 //if(Uart.dropPosition == 1) { Uart.dropPosition = 2; }
217 //else if(Uart.dropPosition == 2) { Uart.dropPosition = 1; }
219 Uart
.shiftReg
^= ((Uart
.dropPosition
& 0x03) << 6);
221 Uart
.dropPosition
= 0;
223 if(Uart
.bitCnt
== 8) {
224 Uart
.output
[Uart
.byteCnt
] = (Uart
.shiftReg
& 0xff);
227 // Calculate the parity bit for the client...
228 Uart
.parityBits
<<= 1;
229 Uart
.parityBits
^= OddByteParity
[(Uart
.shiftReg
& 0xff)];
237 else if(Uart
.nOutOfCnt
== Uart
.OutOfCnt
) {
240 if(!Uart
.dropPosition
) {
241 Uart
.state
= STATE_UNSYNCD
;
247 Uart
.output
[Uart
.byteCnt
] = (Uart
.dropPosition
& 0xff);
250 // Calculate the parity bit for the client...
251 Uart
.parityBits
<<= 1;
252 Uart
.parityBits
^= OddByteParity
[(Uart
.dropPosition
& 0xff)];
257 Uart
.dropPosition
= 0;
262 Uart.output[Uart.byteCnt] = 0xAA;
264 Uart.output[Uart.byteCnt] = error & 0xFF;
266 Uart.output[Uart.byteCnt] = 0xAA;
268 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
270 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
272 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
274 Uart.output[Uart.byteCnt] = 0xAA;
282 bit
= Uart
.bitBuffer
& 0xf0;
284 bit
^= 0x0F; // drops become 1s ;-)
286 // should have been high or at least (4 * 128) / fc
287 // according to ISO this should be at least (9 * 128 + 20) / fc
288 if(Uart
.highCnt
== 8) {
289 // we went low, so this could be start of communication
290 // it turns out to be safer to choose a less significant
291 // syncbit... so we check whether the neighbour also represents the drop
292 Uart
.posCnt
= 1; // apparently we are busy with our first half bit period
293 Uart
.syncBit
= bit
& 8;
295 if(!Uart
.syncBit
) { Uart
.syncBit
= bit
& 4; Uart
.samples
= 2; }
296 else if(bit
& 4) { Uart
.syncBit
= bit
& 4; Uart
.samples
= 2; bit
<<= 2; }
297 if(!Uart
.syncBit
) { Uart
.syncBit
= bit
& 2; Uart
.samples
= 1; }
298 else if(bit
& 2) { Uart
.syncBit
= bit
& 2; Uart
.samples
= 1; bit
<<= 1; }
299 if(!Uart
.syncBit
) { Uart
.syncBit
= bit
& 1; Uart
.samples
= 0;
300 if(Uart
.syncBit
&& (Uart
.bitBuffer
& 8)) {
303 // the first half bit period is expected in next sample
308 else if(bit
& 1) { Uart
.syncBit
= bit
& 1; Uart
.samples
= 0; }
311 Uart
.state
= STATE_START_OF_COMMUNICATION
;
316 Uart
.OutOfCnt
= 4; // Start at 1/4, could switch to 1/256
317 Uart
.dropPosition
= 0;
326 if(Uart
.highCnt
< 8) {
335 //=============================================================================
337 //=============================================================================
342 DEMOD_START_OF_COMMUNICATION
,
343 DEMOD_START_OF_COMMUNICATION2
,
344 DEMOD_START_OF_COMMUNICATION3
,
348 DEMOD_END_OF_COMMUNICATION
,
349 DEMOD_END_OF_COMMUNICATION2
,
373 static RAMFUNC
int ManchesterDecoding(int v
)
380 Demod
.buffer
= Demod
.buffer2
;
381 Demod
.buffer2
= Demod
.buffer3
;
389 if(Demod
.state
==DEMOD_UNSYNCD
) {
390 Demod
.output
[Demod
.len
] = 0xfa;
393 Demod
.posCount
= 1; // This is the first half bit period, so after syncing handle the second part
396 Demod
.syncBit
= 0x08;
403 Demod
.syncBit
= 0x04;
410 Demod
.syncBit
= 0x02;
413 if(bit
& 0x01 && Demod
.syncBit
) {
414 Demod
.syncBit
= 0x01;
419 Demod
.state
= DEMOD_START_OF_COMMUNICATION
;
420 Demod
.sub
= SUB_FIRST_HALF
;
423 Demod
.parityBits
= 0;
426 //if(trigger) LED_A_OFF(); // Not useful in this case...
427 switch(Demod
.syncBit
) {
428 case 0x08: Demod
.samples
= 3; break;
429 case 0x04: Demod
.samples
= 2; break;
430 case 0x02: Demod
.samples
= 1; break;
431 case 0x01: Demod
.samples
= 0; break;
433 // SOF must be long burst... otherwise stay unsynced!!!
434 if(!(Demod
.buffer
& Demod
.syncBit
) || !(Demod
.buffer2
& Demod
.syncBit
)) {
435 Demod
.state
= DEMOD_UNSYNCD
;
439 // SOF must be long burst... otherwise stay unsynced!!!
440 if(!(Demod
.buffer2
& Demod
.syncBit
) || !(Demod
.buffer3
& Demod
.syncBit
)) {
441 Demod
.state
= DEMOD_UNSYNCD
;
451 modulation
= bit
& Demod
.syncBit
;
452 modulation
|= ((bit
<< 1) ^ ((Demod
.buffer
& 0x08) >> 3)) & Demod
.syncBit
;
453 //modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
457 if(Demod
.posCount
==0) {
460 Demod
.sub
= SUB_FIRST_HALF
;
463 Demod
.sub
= SUB_NONE
;
468 /*(modulation && (Demod.sub == SUB_FIRST_HALF)) {
469 if(Demod.state!=DEMOD_ERROR_WAIT) {
470 Demod.state = DEMOD_ERROR_WAIT;
471 Demod.output[Demod.len] = 0xaa;
475 //else if(modulation) {
477 if(Demod
.sub
== SUB_FIRST_HALF
) {
478 Demod
.sub
= SUB_BOTH
;
481 Demod
.sub
= SUB_SECOND_HALF
;
484 else if(Demod
.sub
== SUB_NONE
) {
485 if(Demod
.state
== DEMOD_SOF_COMPLETE
) {
486 Demod
.output
[Demod
.len
] = 0x0f;
488 Demod
.parityBits
<<= 1;
489 Demod
.parityBits
^= OddByteParity
[0x0f];
490 Demod
.state
= DEMOD_UNSYNCD
;
495 Demod
.state
= DEMOD_ERROR_WAIT
;
498 /*if(Demod.state!=DEMOD_ERROR_WAIT) {
499 Demod.state = DEMOD_ERROR_WAIT;
500 Demod.output[Demod.len] = 0xaa;
505 switch(Demod
.state
) {
506 case DEMOD_START_OF_COMMUNICATION
:
507 if(Demod
.sub
== SUB_BOTH
) {
508 //Demod.state = DEMOD_MANCHESTER_D;
509 Demod
.state
= DEMOD_START_OF_COMMUNICATION2
;
511 Demod
.sub
= SUB_NONE
;
514 Demod
.output
[Demod
.len
] = 0xab;
515 Demod
.state
= DEMOD_ERROR_WAIT
;
519 case DEMOD_START_OF_COMMUNICATION2
:
520 if(Demod
.sub
== SUB_SECOND_HALF
) {
521 Demod
.state
= DEMOD_START_OF_COMMUNICATION3
;
524 Demod
.output
[Demod
.len
] = 0xab;
525 Demod
.state
= DEMOD_ERROR_WAIT
;
529 case DEMOD_START_OF_COMMUNICATION3
:
530 if(Demod
.sub
== SUB_SECOND_HALF
) {
531 // Demod.state = DEMOD_MANCHESTER_D;
532 Demod
.state
= DEMOD_SOF_COMPLETE
;
533 //Demod.output[Demod.len] = Demod.syncBit & 0xFF;
537 Demod
.output
[Demod
.len
] = 0xab;
538 Demod
.state
= DEMOD_ERROR_WAIT
;
542 case DEMOD_SOF_COMPLETE
:
543 case DEMOD_MANCHESTER_D
:
544 case DEMOD_MANCHESTER_E
:
545 // OPPOSITE FROM ISO14443 - 11110000 = 0 (1 in 14443)
546 // 00001111 = 1 (0 in 14443)
547 if(Demod
.sub
== SUB_SECOND_HALF
) { // SUB_FIRST_HALF
549 Demod
.shiftReg
= (Demod
.shiftReg
>> 1) ^ 0x100;
550 Demod
.state
= DEMOD_MANCHESTER_D
;
552 else if(Demod
.sub
== SUB_FIRST_HALF
) { // SUB_SECOND_HALF
554 Demod
.shiftReg
>>= 1;
555 Demod
.state
= DEMOD_MANCHESTER_E
;
557 else if(Demod
.sub
== SUB_BOTH
) {
558 Demod
.state
= DEMOD_MANCHESTER_F
;
561 Demod
.state
= DEMOD_ERROR_WAIT
;
566 case DEMOD_MANCHESTER_F
:
567 // Tag response does not need to be a complete byte!
568 if(Demod
.len
> 0 || Demod
.bitCount
> 0) {
569 if(Demod
.bitCount
> 1) { // was > 0, do not interpret last closing bit, is part of EOF
570 Demod
.shiftReg
>>= (9 - Demod
.bitCount
);
571 Demod
.output
[Demod
.len
] = Demod
.shiftReg
& 0xff;
573 // No parity bit, so just shift a 0
574 Demod
.parityBits
<<= 1;
577 Demod
.state
= DEMOD_UNSYNCD
;
581 Demod
.output
[Demod
.len
] = 0xad;
582 Demod
.state
= DEMOD_ERROR_WAIT
;
587 case DEMOD_ERROR_WAIT
:
588 Demod
.state
= DEMOD_UNSYNCD
;
592 Demod
.output
[Demod
.len
] = 0xdd;
593 Demod
.state
= DEMOD_UNSYNCD
;
597 /*if(Demod.bitCount>=9) {
598 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
601 Demod.parityBits <<= 1;
602 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
607 if(Demod
.bitCount
>=8) {
608 Demod
.shiftReg
>>= 1;
609 Demod
.output
[Demod
.len
] = (Demod
.shiftReg
& 0xff);
612 // FOR ISO15639 PARITY NOT SEND OTA, JUST CALCULATE IT FOR THE CLIENT
613 Demod
.parityBits
<<= 1;
614 Demod
.parityBits
^= OddByteParity
[(Demod
.shiftReg
& 0xff)];
621 Demod
.output
[Demod
.len
] = 0xBB;
623 Demod
.output
[Demod
.len
] = error
& 0xFF;
625 Demod
.output
[Demod
.len
] = 0xBB;
627 Demod
.output
[Demod
.len
] = bit
& 0xFF;
629 Demod
.output
[Demod
.len
] = Demod
.buffer
& 0xFF;
632 Demod
.output
[Demod
.len
] = Demod
.buffer2
& 0xFF;
634 Demod
.output
[Demod
.len
] = Demod
.syncBit
& 0xFF;
636 Demod
.output
[Demod
.len
] = 0xBB;
643 } // end (state != UNSYNCED)
648 //=============================================================================
649 // Finally, a `sniffer' for iClass communication
650 // Both sides of communication!
651 //=============================================================================
653 //-----------------------------------------------------------------------------
654 // Record the sequence of commands sent by the reader to the tag, with
655 // triggering so that we start recording at the point that the tag is moved
657 //-----------------------------------------------------------------------------
658 void RAMFUNC
SnoopIClass(void)
662 // We won't start recording the frames that we acquire until we trigger;
663 // a good trigger condition to get started is probably when we see a
664 // response from the tag.
665 //int triggered = FALSE; // FALSE to wait first for card
667 // The command (reader -> tag) that we're receiving.
668 // The length of a received command will in most cases be no more than 18 bytes.
669 // So 32 should be enough!
670 uint8_t *readerToTagCmd
= (((uint8_t *)BigBuf
) + RECV_CMD_OFFSET
);
671 // The response (tag -> reader) that we're receiving.
672 uint8_t *tagToReaderResponse
= (((uint8_t *)BigBuf
) + RECV_RES_OFFSET
);
674 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
676 // reset traceLen to 0
677 iso14a_set_tracing(TRUE
);
678 iso14a_clear_trace();
679 iso14a_set_trigger(FALSE
);
681 // The DMA buffer, used to stream samples from the FPGA
682 int8_t *dmaBuf
= ((int8_t *)BigBuf
) + DMA_BUFFER_OFFSET
;
688 // Count of samples received so far, so that we can include timing
689 // information in the trace buffer.
693 // Set up the demodulator for tag -> reader responses.
694 Demod
.output
= tagToReaderResponse
;
696 Demod
.state
= DEMOD_UNSYNCD
;
698 // Setup for the DMA.
701 lastRxCounter
= DMA_BUFFER_SIZE
;
702 FpgaSetupSscDma((uint8_t *)dmaBuf
, DMA_BUFFER_SIZE
);
704 // And the reader -> tag commands
705 memset(&Uart
, 0, sizeof(Uart
));
706 Uart
.output
= readerToTagCmd
;
707 Uart
.byteCntMax
= 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
708 Uart
.state
= STATE_UNSYNCD
;
710 // And put the FPGA in the appropriate mode
711 // Signal field is off with the appropriate LED
713 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_SNIFFER
);
714 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
716 uint32_t time_0
= GetCountSspClk();
724 // And now we loop, receiving samples.
728 int behindBy
= (lastRxCounter
- AT91C_BASE_PDC_SSC
->PDC_RCR
) &
730 if(behindBy
> maxBehindBy
) {
731 maxBehindBy
= behindBy
;
733 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy
);
737 if(behindBy
< 1) continue;
743 if(upTo
- dmaBuf
> DMA_BUFFER_SIZE
) {
744 upTo
-= DMA_BUFFER_SIZE
;
745 lastRxCounter
+= DMA_BUFFER_SIZE
;
746 AT91C_BASE_PDC_SSC
->PDC_RNPR
= (uint32_t) upTo
;
747 AT91C_BASE_PDC_SSC
->PDC_RNCR
= DMA_BUFFER_SIZE
;
754 decbyte
^= (1 << (3 - div
));
757 // FOR READER SIDE COMMUMICATION...
760 decbyter
^= (smpl
& 0x30);
764 if((div
+ 1) % 2 == 0) {
766 if(OutOfNDecoding((smpl
& 0xF0) >> 4)) {
767 rsamples
= samples
- Uart
.samples
;
770 //if(!LogTrace(Uart.output,Uart.byteCnt, rsamples, Uart.parityBits,TRUE)) break;
771 //if(!LogTrace(NULL, 0, Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER, 0, TRUE)) break;
774 LogTrace(Uart
.output
,Uart
.byteCnt
, (GetCountSspClk()-time_0
) << 4, Uart
.parityBits
,TRUE
);
775 LogTrace(NULL
, 0, (GetCountSspClk()-time_0
) << 4, 0, TRUE
);
779 /* And ready to receive another command. */
780 Uart
.state
= STATE_UNSYNCD
;
781 /* And also reset the demod code, which might have been */
782 /* false-triggered by the commands from the reader. */
783 Demod
.state
= DEMOD_UNSYNCD
;
792 if(ManchesterDecoding(smpl
& 0x0F)) {
793 rsamples
= samples
- Demod
.samples
;
798 LogTrace(Demod
.output
,Demod
.len
, (GetCountSspClk()-time_0
) << 4 , Demod
.parityBits
,FALSE
);
799 LogTrace(NULL
, 0, (GetCountSspClk()-time_0
) << 4, 0, FALSE
);
803 // And ready to receive another response.
804 memset(&Demod
, 0, sizeof(Demod
));
805 Demod
.output
= tagToReaderResponse
;
806 Demod
.state
= DEMOD_UNSYNCD
;
816 DbpString("cancelled_a");
821 DbpString("COMMAND FINISHED");
823 Dbprintf("%x %x %x", maxBehindBy
, Uart
.state
, Uart
.byteCnt
);
824 Dbprintf("%x %x %x", Uart
.byteCntMax
, traceLen
, (int)Uart
.output
[0]);
827 AT91C_BASE_PDC_SSC
->PDC_PTCR
= AT91C_PDC_RXTDIS
;
828 Dbprintf("%x %x %x", maxBehindBy
, Uart
.state
, Uart
.byteCnt
);
829 Dbprintf("%x %x %x", Uart
.byteCntMax
, traceLen
, (int)Uart
.output
[0]);
836 void rotateCSN(uint8_t* originalCSN
, uint8_t* rotatedCSN
) {
838 for(i
= 0; i
< 8; i
++) {
839 rotatedCSN
[i
] = (originalCSN
[i
] >> 3) | (originalCSN
[(i
+1)%8] << 5);
843 //-----------------------------------------------------------------------------
844 // Wait for commands from reader
845 // Stop when button is pressed
846 // Or return TRUE when command is captured
847 //-----------------------------------------------------------------------------
848 static int GetIClassCommandFromReader(uint8_t *received
, int *len
, int maxLen
)
850 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
851 // only, since we are receiving, not transmitting).
852 // Signal field is off with the appropriate LED
854 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_TAGSIM_LISTEN
);
856 // Now run a `software UART' on the stream of incoming samples.
857 Uart
.output
= received
;
858 Uart
.byteCntMax
= maxLen
;
859 Uart
.state
= STATE_UNSYNCD
;
864 if(BUTTON_PRESS()) return FALSE
;
866 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
867 AT91C_BASE_SSC
->SSC_THR
= 0x00;
869 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
870 uint8_t b
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
;
871 /*if(OutOfNDecoding((b & 0xf0) >> 4)) {
875 if(OutOfNDecoding(b
& 0x0f)) {
884 //-----------------------------------------------------------------------------
885 // Prepare tag messages
886 //-----------------------------------------------------------------------------
887 static void CodeIClassTagAnswer(const uint8_t *cmd
, int len
)
889 //So far a dummy implementation, not used
890 //int lastProxToAirDuration =0;
896 ToSend
[++ToSendMax
] = 0x00;
897 ToSend
[++ToSendMax
] = 0x00;
898 ToSend
[++ToSendMax
] = 0x00;
899 ToSend
[++ToSendMax
] = 0xff;//Proxtoair duration starts here
900 ToSend
[++ToSendMax
] = 0xff;
901 ToSend
[++ToSendMax
] = 0xff;
902 ToSend
[++ToSendMax
] = 0x00;
903 ToSend
[++ToSendMax
] = 0xff;
905 for(i
= 0; i
< len
; i
++) {
910 for(j
= 0; j
< 8; j
++) {
912 ToSend
[++ToSendMax
] = 0x00;
913 ToSend
[++ToSendMax
] = 0xff;
915 ToSend
[++ToSendMax
] = 0xff;
916 ToSend
[++ToSendMax
] = 0x00;
923 ToSend
[++ToSendMax
] = 0xff;
924 ToSend
[++ToSendMax
] = 0x00;
925 ToSend
[++ToSendMax
] = 0xff;
926 ToSend
[++ToSendMax
] = 0xff;
927 ToSend
[++ToSendMax
] = 0xff;
928 ToSend
[++ToSendMax
] = 0x00;
929 ToSend
[++ToSendMax
] = 0x00;
930 ToSend
[++ToSendMax
] = 0x00;
932 //lastProxToAirDuration = 8*ToSendMax - 3*8 - 3*8;//Not counting zeroes in the beginning or end
934 // Convert from last byte pos to length
939 static void CodeIClassTagSOF()
941 //So far a dummy implementation, not used
942 //int lastProxToAirDuration =0;
946 ToSend
[++ToSendMax
] = 0x00;
947 ToSend
[++ToSendMax
] = 0x00;
948 ToSend
[++ToSendMax
] = 0x00;
949 ToSend
[++ToSendMax
] = 0xff;
950 ToSend
[++ToSendMax
] = 0xff;
951 ToSend
[++ToSendMax
] = 0xff;
952 ToSend
[++ToSendMax
] = 0x00;
953 ToSend
[++ToSendMax
] = 0xff;
955 // lastProxToAirDuration = 8*ToSendMax - 3*8;//Not counting zeroes in the beginning
958 // Convert from last byte pos to length
961 int doIClassSimulation(uint8_t csn
[], int breakAfterMacReceived
, uint8_t *reader_mac_buf
);
963 * @brief SimulateIClass simulates an iClass card.
964 * @param arg0 type of simulation
965 * - 0 uses the first 8 bytes in usb data as CSN
966 * - 2 "dismantling iclass"-attack. This mode iterates through all CSN's specified
967 * in the usb data. This mode collects MAC from the reader, in order to do an offline
968 * attack on the keys. For more info, see "dismantling iclass" and proxclone.com.
969 * - Other : Uses the default CSN (031fec8af7ff12e0)
970 * @param arg1 - number of CSN's contained in datain (applicable for mode 2 only)
974 void SimulateIClass(uint32_t arg0
, uint32_t arg1
, uint32_t arg2
, uint8_t *datain
)
976 uint32_t simType
= arg0
;
977 uint32_t numberOfCSNS
= arg1
;
978 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
980 // Enable and clear the trace
981 iso14a_set_tracing(TRUE
);
982 iso14a_clear_trace();
984 uint8_t csn_crc
[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
986 // Use the CSN from commandline
987 memcpy(csn_crc
, datain
, 8);
988 doIClassSimulation(csn_crc
,0,NULL
);
989 }else if(simType
== 1)
991 doIClassSimulation(csn_crc
,0,NULL
);
993 else if(simType
== 2)
996 uint8_t mac_responses
[64] = { 0 };
997 Dbprintf("Going into attack mode");
998 // In this mode, a number of csns are within datain. We'll simulate each one, one at a time
999 // in order to collect MAC's from the reader. This can later be used in an offlne-attack
1000 // in order to obtain the keys, as in the "dismantling iclass"-paper.
1002 for( ; i
< numberOfCSNS
&& i
*8+8 < USB_CMD_DATA_SIZE
; i
++)
1004 // The usb data is 512 bytes, fitting 65 8-byte CSNs in there.
1006 memcpy(csn_crc
, datain
+(i
*8), 8);
1007 if(doIClassSimulation(csn_crc
,1,mac_responses
))
1009 return; // Button pressed
1012 cmd_send(CMD_ACK
,CMD_SIMULATE_TAG_ICLASS
,i
,0,mac_responses
,i
*8);
1016 // We may want a mode here where we hardcode the csns to use (from proxclone).
1017 // That will speed things up a little, but not required just yet.
1018 Dbprintf("The mode is not implemented, reserved for future use");
1020 Dbprintf("Done...");
1024 * @brief Does the actual simulation
1025 * @param csn - csn to use
1026 * @param breakAfterMacReceived if true, returns after reader MAC has been received.
1028 int doIClassSimulation(uint8_t csn
[], int breakAfterMacReceived
, uint8_t *reader_mac_buf
)
1032 // CSN followed by two CRC bytes
1033 uint8_t response2
[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1034 uint8_t response3
[] = { 0,0,0,0,0,0,0,0,0,0};
1035 memcpy(response3
,csn
,sizeof(response3
));
1036 Dbprintf("Simulating CSN %02x%02x%02x%02x%02x%02x%02x%02x",csn
[0],csn
[1],csn
[2],csn
[3],csn
[4],csn
[5],csn
[6],csn
[7]);
1038 uint8_t response4
[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1040 // Construct anticollision-CSN
1041 rotateCSN(response3
,response2
);
1043 // Compute CRC on both CSNs
1044 ComputeCrc14443(CRC_ICLASS
, response2
, 8, &response2
[8], &response2
[9]);
1045 ComputeCrc14443(CRC_ICLASS
, response3
, 8, &response3
[8], &response3
[9]);
1051 // Tag anticoll. CSN
1052 // Reader 81 anticoll. CSN
1057 uint8_t* respdata
= NULL
;
1061 // Respond SOF -- takes 8 bytes
1062 uint8_t *resp1
= (((uint8_t *)BigBuf
) + FREE_BUFFER_OFFSET
);
1065 // Anticollision CSN (rotated CSN)
1066 // 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit)
1067 uint8_t *resp2
= (((uint8_t *)BigBuf
) + FREE_BUFFER_OFFSET
+ 10);
1071 // 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit)
1072 uint8_t *resp3
= (((uint8_t *)BigBuf
) + FREE_BUFFER_OFFSET
+ 190);
1076 // 144: Takes 16 bytes for SOF/EOF and 8 * 16 = 128 bytes (2 bytes/bit)
1077 uint8_t *resp4
= (((uint8_t *)BigBuf
) + FREE_BUFFER_OFFSET
+ 370);
1081 uint8_t *receivedCmd
= (((uint8_t *)BigBuf
) + RECV_CMD_OFFSET
);
1082 memset(receivedCmd
, 0x44, RECV_CMD_SIZE
);
1085 // Prepare card messages
1088 // First card answer: SOF
1090 memcpy(resp1
, ToSend
, ToSendMax
); resp1Len
= ToSendMax
;
1092 // Anticollision CSN
1093 CodeIClassTagAnswer(response2
, sizeof(response2
));
1094 memcpy(resp2
, ToSend
, ToSendMax
); resp2Len
= ToSendMax
;
1097 CodeIClassTagAnswer(response3
, sizeof(response3
));
1098 memcpy(resp3
, ToSend
, ToSendMax
); resp3Len
= ToSendMax
;
1101 CodeIClassTagAnswer(response4
, sizeof(response4
));
1102 memcpy(resp4
, ToSend
, ToSendMax
); resp4Len
= ToSendMax
;
1105 // Start from off (no field generated)
1106 //FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1108 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_TAGSIM_LISTEN
);
1111 // We need to listen to the high-frequency, peak-detected path.
1112 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
1115 // To control where we are in the protocol
1117 uint32_t time_0
= GetCountSspClk();
1118 uint32_t t2r_time
=0;
1119 uint32_t r2t_time
=0;
1122 bool buttonPressed
= false;
1124 /** Hack for testing
1125 memcpy(reader_mac_buf,csn,8);
1133 // Can be used to get a trigger for an oscilloscope..
1136 if(!GetIClassCommandFromReader(receivedCmd
, &len
, 100)) {
1137 buttonPressed
= true;
1140 r2t_time
= GetCountSspClk();
1144 // Okay, look at the command now.
1145 if(receivedCmd
[0] == 0x0a ) {
1146 // Reader in anticollission phase
1147 resp
= resp1
; respLen
= resp1Len
; //order = 1;
1149 respsize
= sizeof(sof
);
1150 } else if(receivedCmd
[0] == 0x0c) {
1151 // Reader asks for anticollission CSN
1152 resp
= resp2
; respLen
= resp2Len
; //order = 2;
1153 respdata
= response2
;
1154 respsize
= sizeof(response2
);
1155 //DbpString("Reader requests anticollission CSN:");
1156 } else if(receivedCmd
[0] == 0x81) {
1157 // Reader selects anticollission CSN.
1158 // Tag sends the corresponding real CSN
1159 resp
= resp3
; respLen
= resp3Len
; //order = 3;
1160 respdata
= response3
;
1161 respsize
= sizeof(response3
);
1162 //DbpString("Reader selects anticollission CSN:");
1163 } else if(receivedCmd
[0] == 0x88) {
1164 // Read e-purse (88 02)
1165 resp
= resp4
; respLen
= resp4Len
; //order = 4;
1166 respdata
= response4
;
1167 respsize
= sizeof(response4
);
1169 } else if(receivedCmd
[0] == 0x05) {
1170 // Reader random and reader MAC!!!
1172 // We do not know what to answer, so lets keep quiet
1173 resp
= resp1
; respLen
= 0; //order = 5;
1176 if (breakAfterMacReceived
){
1178 Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x",csn
[0],csn
[1],csn
[2],csn
[3],csn
[4],csn
[5],csn
[6],csn
[7]);
1179 Dbprintf("RDR: (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",len
,
1180 receivedCmd
[0], receivedCmd
[1], receivedCmd
[2],
1181 receivedCmd
[3], receivedCmd
[4], receivedCmd
[5],
1182 receivedCmd
[6], receivedCmd
[7], receivedCmd
[8]);
1183 if (reader_mac_buf
!= NULL
)
1185 memcpy(reader_mac_buf
,receivedCmd
+1,8);
1189 } else if(receivedCmd
[0] == 0x00 && len
== 1) {
1190 // Reader ends the session
1191 resp
= resp1
; respLen
= 0; //order = 0;
1195 //#db# Unknown command received from reader (len=5): 26 1 0 f6 a 44 44 44 44
1196 // Never seen this command before
1197 Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
1199 receivedCmd
[0], receivedCmd
[1], receivedCmd
[2],
1200 receivedCmd
[3], receivedCmd
[4], receivedCmd
[5],
1201 receivedCmd
[6], receivedCmd
[7], receivedCmd
[8]);
1203 resp
= resp1
; respLen
= 0; //order = 0;
1208 if(cmdsRecvd
> 100) {
1209 //DbpString("100 commands later...");
1217 SendIClassAnswer(resp
, respLen
, 21);
1218 t2r_time
= GetCountSspClk();
1222 LogTrace(receivedCmd
,len
, (r2t_time
-time_0
)<< 4, Uart
.parityBits
,TRUE
);
1223 LogTrace(NULL
,0, (r2t_time
-time_0
) << 4, 0,TRUE
);
1225 if (respdata
!= NULL
) {
1226 LogTrace(respdata
,respsize
, (t2r_time
-time_0
) << 4,SwapBits(GetParity(respdata
,respsize
),respsize
),FALSE
);
1227 LogTrace(NULL
,0, (t2r_time
-time_0
) << 4,0,FALSE
);
1232 DbpString("Trace full");
1237 memset(receivedCmd
, 0x44, RECV_CMD_SIZE
);
1240 //Dbprintf("%x", cmdsRecvd);
1245 DbpString("Button pressed");
1247 return buttonPressed
;
1250 static int SendIClassAnswer(uint8_t *resp
, int respLen
, int delay
)
1252 int i
= 0, d
=0;//, u = 0, d = 0;
1255 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR
|FPGA_HF_SIMULATOR_MODULATE_424K
);
1257 AT91C_BASE_SSC
->SSC_THR
= 0x00;
1259 while(!BUTTON_PRESS()) {
1260 if((AT91C_BASE_SSC
->SSC_SR
& AT91C_SSC_RXRDY
)){
1261 b
= AT91C_BASE_SSC
->SSC_RHR
; (void) b
;
1263 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)){
1276 AT91C_BASE_SSC
->SSC_THR
= b
;
1279 if (i
> respLen
+4) break;
1287 //-----------------------------------------------------------------------------
1288 // Transmit the command (to the tag) that was placed in ToSend[].
1289 //-----------------------------------------------------------------------------
1290 static void TransmitIClassCommand(const uint8_t *cmd
, int len
, int *samples
, int *wait
)
1293 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_READER_MOD
);
1294 AT91C_BASE_SSC
->SSC_THR
= 0x00;
1301 for(c
= 0; c
< *wait
;) {
1302 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
1303 AT91C_BASE_SSC
->SSC_THR
= 0x00; // For exact timing!
1306 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
1307 volatile uint32_t r
= AT91C_BASE_SSC
->SSC_RHR
;
1314 bool firstpart
= TRUE
;
1317 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
1319 // DOUBLE THE SAMPLES!
1321 sendbyte
= (cmd
[c
] & 0xf0) | (cmd
[c
] >> 4);
1324 sendbyte
= (cmd
[c
] & 0x0f) | (cmd
[c
] << 4);
1327 if(sendbyte
== 0xff) {
1330 AT91C_BASE_SSC
->SSC_THR
= sendbyte
;
1331 firstpart
= !firstpart
;
1337 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
1338 volatile uint32_t r
= AT91C_BASE_SSC
->SSC_RHR
;
1343 if (samples
) *samples
= (c
+ *wait
) << 3;
1347 //-----------------------------------------------------------------------------
1348 // Prepare iClass reader command to send to FPGA
1349 //-----------------------------------------------------------------------------
1350 void CodeIClassCommand(const uint8_t * cmd
, int len
)
1357 // Start of Communication: 1 out of 4
1358 ToSend
[++ToSendMax
] = 0xf0;
1359 ToSend
[++ToSendMax
] = 0x00;
1360 ToSend
[++ToSendMax
] = 0x0f;
1361 ToSend
[++ToSendMax
] = 0x00;
1363 // Modulate the bytes
1364 for (i
= 0; i
< len
; i
++) {
1366 for(j
= 0; j
< 4; j
++) {
1367 for(k
= 0; k
< 4; k
++) {
1369 ToSend
[++ToSendMax
] = 0x0f;
1372 ToSend
[++ToSendMax
] = 0x00;
1379 // End of Communication
1380 ToSend
[++ToSendMax
] = 0x00;
1381 ToSend
[++ToSendMax
] = 0x00;
1382 ToSend
[++ToSendMax
] = 0xf0;
1383 ToSend
[++ToSendMax
] = 0x00;
1385 // Convert from last character reference to length
1389 void ReaderTransmitIClass(uint8_t* frame
, int len
)
1395 // This is tied to other size changes
1396 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
1397 CodeIClassCommand(frame
,len
);
1400 TransmitIClassCommand(ToSend
, ToSendMax
, &samples
, &wait
);
1404 // Store reader command in buffer
1405 if (tracing
) LogTrace(frame
,len
,rsamples
,par
,TRUE
);
1408 //-----------------------------------------------------------------------------
1409 // Wait a certain time for tag response
1410 // If a response is captured return TRUE
1411 // If it takes too long return FALSE
1412 //-----------------------------------------------------------------------------
1413 static int GetIClassAnswer(uint8_t *receivedResponse
, int maxLen
, int *samples
, int *elapsed
) //uint8_t *buffer
1415 // buffer needs to be 512 bytes
1418 // Set FPGA mode to "reader listen mode", no modulation (listen
1419 // only, since we are receiving, not transmitting).
1420 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_READER_LISTEN
);
1422 // Now get the answer from the card
1423 Demod
.output
= receivedResponse
;
1425 Demod
.state
= DEMOD_UNSYNCD
;
1428 if (elapsed
) *elapsed
= 0;
1436 if(BUTTON_PRESS()) return FALSE
;
1438 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
1439 AT91C_BASE_SSC
->SSC_THR
= 0x00; // To make use of exact timing of next command from reader!!
1440 if (elapsed
) (*elapsed
)++;
1442 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
1443 if(c
< timeout
) { c
++; } else { return FALSE
; }
1444 b
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
;
1447 /*if(ManchesterDecoding((b>>4) & 0xf)) {
1448 *samples = ((c - 1) << 3) + 4;
1451 if(ManchesterDecoding(b
& 0x0f)) {
1459 int ReaderReceiveIClass(uint8_t* receivedAnswer
)
1462 if (!GetIClassAnswer(receivedAnswer
,160,&samples
,0)) return FALSE
;
1463 rsamples
+= samples
;
1464 if (tracing
) LogTrace(receivedAnswer
,Demod
.len
,rsamples
,Demod
.parityBits
,FALSE
);
1465 if(samples
== 0) return FALSE
;
1469 // Reader iClass Anticollission
1470 void ReaderIClass(uint8_t arg0
) {
1471 uint8_t act_all
[] = { 0x0a };
1472 uint8_t identify
[] = { 0x0c };
1473 uint8_t select
[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1475 uint8_t* resp
= (((uint8_t *)BigBuf
) + 3560); // was 3560 - tied to other size changes
1477 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
1479 // Reset trace buffer
1480 iso14a_set_tracing(TRUE
);
1481 iso14a_clear_trace();
1485 // Start from off (no field generated)
1486 // Signal field is off with the appropriate LED
1488 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1491 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
1493 // Now give it time to spin up.
1494 // Signal field is on with the appropriate LED
1495 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_READER_MOD
);
1502 if(traceLen
> TRACE_SIZE
) {
1503 DbpString("Trace full");
1507 if (BUTTON_PRESS()) break;
1510 ReaderTransmitIClass(act_all
, 1);
1512 if(ReaderReceiveIClass(resp
)) {
1513 ReaderTransmitIClass(identify
, 1);
1514 if(ReaderReceiveIClass(resp
) == 10) {
1516 memcpy(&select
[1],resp
,8);
1517 ReaderTransmitIClass(select
, sizeof(select
));
1519 if(ReaderReceiveIClass(resp
) == 10) {
1520 Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1521 resp
[0], resp
[1], resp
[2],
1522 resp
[3], resp
[4], resp
[5],
1525 // Card selected, whats next... ;-)
1534 void ReaderIClass_Replay(uint8_t arg0
, uint8_t *MAC
) {
1535 uint8_t act_all
[] = { 0x0a };
1536 uint8_t identify
[] = { 0x0c };
1537 uint8_t select
[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1538 uint8_t readcheck_cc
[]= { 0x88, 0x02 };
1539 uint8_t check
[] = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1540 uint8_t read
[] = { 0x0c, 0x00, 0x00, 0x00 };
1544 bool read_success
=false;
1547 static struct memory_t
{
1555 uint8_t* resp
= (((uint8_t *)BigBuf
) + 3560); // was 3560 - tied to other size changes
1556 // Enable and clear the trace
1557 iso14a_set_tracing(TRUE
);
1558 iso14a_clear_trace();
1564 // Start from off (no field generated)
1565 // Signal field is off with the appropriate LED
1567 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1570 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
1572 // Now give it time to spin up.
1573 // Signal field is on with the appropriate LED
1574 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_READER_MOD
);
1579 for(int i
=0;i
<1;i
++) {
1581 if(traceLen
> TRACE_SIZE
) {
1582 DbpString("Trace full");
1586 if (BUTTON_PRESS()) break;
1589 ReaderTransmitIClass(act_all
, 1);
1591 if(ReaderReceiveIClass(resp
)) {
1592 ReaderTransmitIClass(identify
, 1);
1593 if(ReaderReceiveIClass(resp
) == 10) {
1595 memcpy(&select
[1],resp
,8);
1596 ReaderTransmitIClass(select
, sizeof(select
));
1598 if(ReaderReceiveIClass(resp
) == 10) {
1599 Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1600 resp
[0], resp
[1], resp
[2],
1601 resp
[3], resp
[4], resp
[5],
1605 Dbprintf("Readcheck on Sector 2");
1606 ReaderTransmitIClass(readcheck_cc
, sizeof(readcheck_cc
));
1607 if(ReaderReceiveIClass(resp
) == 8) {
1608 Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x",
1609 resp
[0], resp
[1], resp
[2],
1610 resp
[3], resp
[4], resp
[5],
1613 Dbprintf("Authenticate");
1614 //for now replay captured auth (as cc not updated)
1615 memcpy(check
+5,MAC
,4);
1616 Dbprintf(" AA: %02x %02x %02x %02x",
1617 check
[5], check
[6], check
[7],check
[8]);
1618 ReaderTransmitIClass(check
, sizeof(check
));
1619 if(ReaderReceiveIClass(resp
) == 4) {
1620 Dbprintf(" AR: %02x %02x %02x %02x",
1621 resp
[0], resp
[1], resp
[2],resp
[3]);
1623 Dbprintf("Error: Authentication Fail!");
1626 Dbprintf("Dump Contents");
1627 //first get configuration block
1630 uint8_t *blockno
=&read
[1];
1631 crc
= iclass_crc16((char *)blockno
,1);
1633 read
[3] = crc
& 0xff;
1634 while(!read_success
){
1635 ReaderTransmitIClass(read
, sizeof(read
));
1636 if(ReaderReceiveIClass(resp
) == 10) {
1639 memory
.k16
= (mem
& 0x80);
1640 memory
.book
= (mem
& 0x20);
1641 memory
.k2
= (mem
& 0x8);
1642 memory
.lockauth
= (mem
& 0x2);
1643 memory
.keyaccess
= (mem
& 0x1);
1650 //then loop around remaining blocks
1651 for(uint8_t j
=0; j
<cardsize
; j
++){
1653 uint8_t *blockno
=&j
;
1656 crc
= iclass_crc16((char *)blockno
,1);
1658 read
[3] = crc
& 0xff;
1659 while(!read_success
){
1660 ReaderTransmitIClass(read
, sizeof(read
));
1661 if(ReaderReceiveIClass(resp
) == 10) {
1663 Dbprintf(" %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
1664 j
, resp
[0], resp
[1], resp
[2],
1665 resp
[3], resp
[4], resp
[5],
1678 //1. Create Method to Read sectors/blocks 0,1,2 and Send to client
1679 void IClass_iso14443A_GetPublic(uint8_t arg0
) {
1680 uint8_t act_all
[] = { 0x0a };
1681 uint8_t identify
[] = { 0x0c };
1682 uint8_t select
[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1683 uint8_t readcheck_cc
[]= { 0x88, 0x02 };
1685 uint8_t card_data
[24]={0};
1686 uint8_t* resp
= (((uint8_t *)BigBuf
) + 3560); // was 3560 - tied to other size changes
1687 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
1689 int read_success
= 0;
1691 // Enable and clear the trace
1692 iso14a_set_tracing(TRUE
);
1693 iso14a_clear_trace();
1697 // Start from off (no field generated)
1698 // Signal field is off with the appropriate LED
1700 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1703 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
1705 // Now give it time to spin up.
1706 // Signal field is on with the appropriate LED
1707 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_READER_MOD
);
1713 ReaderTransmitIClass(act_all
, 1);
1715 if(ReaderReceiveIClass(resp
)) {
1716 ReaderTransmitIClass(identify
, 1);
1717 if(ReaderReceiveIClass(resp
) == 10) {
1718 //Copy the Anti-collision CSN to our select-packet
1719 memcpy(&select
[1],resp
,8);
1720 Dbprintf("Anti-collision CSN: %02x %02x %02x %02x %02x %02x %02x %02x",resp
[0], resp
[1], resp
[2],
1721 resp
[3], resp
[4], resp
[5],
1724 ReaderTransmitIClass(select
, sizeof(select
));
1726 if(ReaderReceiveIClass(resp
) == 10) {
1727 Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1728 resp
[0], resp
[1], resp
[2],
1729 resp
[3], resp
[4], resp
[5],
1731 //Save CSN in response data
1732 memcpy(card_data
,resp
,8);
1733 //Flag that we got to at least stage 1, read CSN
1737 Dbprintf("Readcheck on Sector 2");
1738 ReaderTransmitIClass(readcheck_cc
, sizeof(readcheck_cc
));
1739 if(ReaderReceiveIClass(resp
) == 8) {
1740 Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x",
1741 resp
[0], resp
[1], resp
[2],
1742 resp
[3], resp
[4], resp
[5],
1744 //Save CC (e-purse) in response data
1745 memcpy(card_data
+8,resp
,8);
1756 //Send back to client
1757 cmd_send(CMD_ACK
,read_success
,0,0,card_data
,16);
1761 //2. Create Read method (cut-down from above) based off responses from 1.
1762 // Since we have the MAC could continue to use replay function.
1763 //3. Create Write method
1765 void IClass_iso14443A_write(uint8_t arg0, uint8_t blockNo, uint8_t *data, uint8_t *MAC) {
1766 uint8_t act_all[] = { 0x0a };
1767 uint8_t identify[] = { 0x0c };
1768 uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1769 uint8_t readcheck_cc[]= { 0x88, 0x02 };
1770 uint8_t check[] = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1771 uint8_t read[] = { 0x0c, 0x00, 0x00, 0x00 };
1772 uint8_t write[] = { 0x87, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1776 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1778 // Reset trace buffer
1779 memset(trace, 0x44, RECV_CMD_OFFSET);
1784 // Start from off (no field generated)
1785 // Signal field is off with the appropriate LED
1787 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1790 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1792 // Now give it time to spin up.
1793 // Signal field is on with the appropriate LED
1794 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1799 for(int i=0;i<1;i++) {
1801 if(traceLen > TRACE_SIZE) {
1802 DbpString("Trace full");
1806 if (BUTTON_PRESS()) break;
1809 ReaderTransmitIClass(act_all, 1);
1811 if(ReaderReceiveIClass(resp)) {
1812 ReaderTransmitIClass(identify, 1);
1813 if(ReaderReceiveIClass(resp) == 10) {
1815 memcpy(&select[1],resp,8);
1816 ReaderTransmitIClass(select, sizeof(select));
1818 if(ReaderReceiveIClass(resp) == 10) {
1819 Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1820 resp[0], resp[1], resp[2],
1821 resp[3], resp[4], resp[5],
1825 Dbprintf("Readcheck on Sector 2");
1826 ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
1827 if(ReaderReceiveIClass(resp) == 8) {
1828 Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x",
1829 resp[0], resp[1], resp[2],
1830 resp[3], resp[4], resp[5],
1833 Dbprintf("Authenticate");
1834 //for now replay captured auth (as cc not updated)
1835 memcpy(check+5,MAC,4);
1836 Dbprintf(" AA: %02x %02x %02x %02x",
1837 check[5], check[6], check[7],check[8]);
1838 ReaderTransmitIClass(check, sizeof(check));
1839 if(ReaderReceiveIClass(resp) == 4) {
1840 Dbprintf(" AR: %02x %02x %02x %02x",
1841 resp[0], resp[1], resp[2],resp[3]);
1843 Dbprintf("Error: Authentication Fail!");
1846 Dbprintf("Write Block");
1848 //read configuration for max block number
1851 uint8_t *blockno=&read[1];
1852 crc = iclass_crc16((char *)blockno,1);
1854 read[3] = crc & 0xff;
1855 while(!read_success){
1856 ReaderTransmitIClass(read, sizeof(read));
1857 if(ReaderReceiveIClass(resp) == 10) {
1860 memory.k16= (mem & 0x80);
1861 memory.book= (mem & 0x20);
1862 memory.k2= (mem & 0x8);
1863 memory.lockauth= (mem & 0x2);
1864 memory.keyaccess= (mem & 0x1);
1873 memcpy(write+1,blockNo,1);
1874 memcpy(write+2,data,8);
1875 memcpy(write+10,mac,4);
1876 while(!send_success){
1877 ReaderTransmitIClass(write, sizeof(write));
1878 if(ReaderReceiveIClass(resp) == 10) {