]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iclass.c
b14a0db5080738749f6d3145d2d8d80ded0977b6
[proxmark3-svn] / armsrc / iclass.c
1 //-----------------------------------------------------------------------------
2 // Gerhard de Koning Gans - May 2008
3 // Hagen Fritsch - June 2010
4 // Gerhard de Koning Gans - May 2011
5 // Gerhard de Koning Gans - June 2012 - Added iClass card and reader emulation
6 //
7 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
8 // at your option, any later version. See the LICENSE.txt file for the text of
9 // the license.
10 //-----------------------------------------------------------------------------
11 // Routines to support iClass.
12 //-----------------------------------------------------------------------------
13 // Based on ISO14443a implementation. Still in experimental phase.
14 // Contribution made during a security research at Radboud University Nijmegen
15 //
16 // Please feel free to contribute and extend iClass support!!
17 //-----------------------------------------------------------------------------
18 //
19 // FIX:
20 // ====
21 // We still have sometimes a demodulation error when snooping iClass communication.
22 // The resulting trace of a read-block-03 command may look something like this:
23 //
24 // + 22279: : 0c 03 e8 01
25 //
26 // ...with an incorrect answer...
27 //
28 // + 85: 0: TAG ff! ff! ff! ff! ff! ff! ff! ff! bb 33 bb 00 01! 0e! 04! bb !crc
29 //
30 // We still left the error signalling bytes in the traces like 0xbb
31 //
32 // A correct trace should look like this:
33 //
34 // + 21112: : 0c 03 e8 01
35 // + 85: 0: TAG ff ff ff ff ff ff ff ff ea f5
36 //
37 //-----------------------------------------------------------------------------
38
39 #include "proxmark3.h"
40 #include "apps.h"
41 #include "util.h"
42 #include "string.h"
43 #include "common.h"
44 #include "cmd.h"
45 // Needed for CRC in emulation mode;
46 // same construction as in ISO 14443;
47 // different initial value (CRC_ICLASS)
48 #include "iso14443crc.h"
49 #include "iso15693tools.h"
50
51 static int timeout = 4096;
52
53
54 static int SendIClassAnswer(uint8_t *resp, int respLen, int delay);
55
56 //-----------------------------------------------------------------------------
57 // The software UART that receives commands from the reader, and its state
58 // variables.
59 //-----------------------------------------------------------------------------
60 static struct {
61 enum {
62 STATE_UNSYNCD,
63 STATE_START_OF_COMMUNICATION,
64 STATE_RECEIVING
65 } state;
66 uint16_t shiftReg;
67 int bitCnt;
68 int byteCnt;
69 int byteCntMax;
70 int posCnt;
71 int nOutOfCnt;
72 int OutOfCnt;
73 int syncBit;
74 int parityBits;
75 int samples;
76 int highCnt;
77 int swapper;
78 int counter;
79 int bitBuffer;
80 int dropPosition;
81 uint8_t *output;
82 } Uart;
83
84 static RAMFUNC int OutOfNDecoding(int bit)
85 {
86 //int error = 0;
87 int bitright;
88
89 if(!Uart.bitBuffer) {
90 Uart.bitBuffer = bit ^ 0xFF0;
91 return FALSE;
92 }
93 else {
94 Uart.bitBuffer <<= 4;
95 Uart.bitBuffer ^= bit;
96 }
97
98 /*if(Uart.swapper) {
99 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
100 Uart.byteCnt++;
101 Uart.swapper = 0;
102 if(Uart.byteCnt > 15) { return TRUE; }
103 }
104 else {
105 Uart.swapper = 1;
106 }*/
107
108 if(Uart.state != STATE_UNSYNCD) {
109 Uart.posCnt++;
110
111 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
112 bit = 0x00;
113 }
114 else {
115 bit = 0x01;
116 }
117 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
118 bitright = 0x00;
119 }
120 else {
121 bitright = 0x01;
122 }
123 if(bit != bitright) { bit = bitright; }
124
125
126 // So, now we only have to deal with *bit*, lets see...
127 if(Uart.posCnt == 1) {
128 // measurement first half bitperiod
129 if(!bit) {
130 // Drop in first half means that we are either seeing
131 // an SOF or an EOF.
132
133 if(Uart.nOutOfCnt == 1) {
134 // End of Communication
135 Uart.state = STATE_UNSYNCD;
136 Uart.highCnt = 0;
137 if(Uart.byteCnt == 0) {
138 // Its not straightforward to show single EOFs
139 // So just leave it and do not return TRUE
140 Uart.output[Uart.byteCnt] = 0xf0;
141 Uart.byteCnt++;
142
143 // Calculate the parity bit for the client...
144 Uart.parityBits = 1;
145 }
146 else {
147 return TRUE;
148 }
149 }
150 else if(Uart.state != STATE_START_OF_COMMUNICATION) {
151 // When not part of SOF or EOF, it is an error
152 Uart.state = STATE_UNSYNCD;
153 Uart.highCnt = 0;
154 //error = 4;
155 }
156 }
157 }
158 else {
159 // measurement second half bitperiod
160 // Count the bitslot we are in... (ISO 15693)
161 Uart.nOutOfCnt++;
162
163 if(!bit) {
164 if(Uart.dropPosition) {
165 if(Uart.state == STATE_START_OF_COMMUNICATION) {
166 //error = 1;
167 }
168 else {
169 //error = 7;
170 }
171 // It is an error if we already have seen a drop in current frame
172 Uart.state = STATE_UNSYNCD;
173 Uart.highCnt = 0;
174 }
175 else {
176 Uart.dropPosition = Uart.nOutOfCnt;
177 }
178 }
179
180 Uart.posCnt = 0;
181
182
183 if(Uart.nOutOfCnt == Uart.OutOfCnt && Uart.OutOfCnt == 4) {
184 Uart.nOutOfCnt = 0;
185
186 if(Uart.state == STATE_START_OF_COMMUNICATION) {
187 if(Uart.dropPosition == 4) {
188 Uart.state = STATE_RECEIVING;
189 Uart.OutOfCnt = 256;
190 }
191 else if(Uart.dropPosition == 3) {
192 Uart.state = STATE_RECEIVING;
193 Uart.OutOfCnt = 4;
194 //Uart.output[Uart.byteCnt] = 0xdd;
195 //Uart.byteCnt++;
196 }
197 else {
198 Uart.state = STATE_UNSYNCD;
199 Uart.highCnt = 0;
200 }
201 Uart.dropPosition = 0;
202 }
203 else {
204 // RECEIVING DATA
205 // 1 out of 4
206 if(!Uart.dropPosition) {
207 Uart.state = STATE_UNSYNCD;
208 Uart.highCnt = 0;
209 //error = 9;
210 }
211 else {
212 Uart.shiftReg >>= 2;
213
214 // Swap bit order
215 Uart.dropPosition--;
216 //if(Uart.dropPosition == 1) { Uart.dropPosition = 2; }
217 //else if(Uart.dropPosition == 2) { Uart.dropPosition = 1; }
218
219 Uart.shiftReg ^= ((Uart.dropPosition & 0x03) << 6);
220 Uart.bitCnt += 2;
221 Uart.dropPosition = 0;
222
223 if(Uart.bitCnt == 8) {
224 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
225 Uart.byteCnt++;
226
227 // Calculate the parity bit for the client...
228 Uart.parityBits <<= 1;
229 Uart.parityBits ^= OddByteParity[(Uart.shiftReg & 0xff)];
230
231 Uart.bitCnt = 0;
232 Uart.shiftReg = 0;
233 }
234 }
235 }
236 }
237 else if(Uart.nOutOfCnt == Uart.OutOfCnt) {
238 // RECEIVING DATA
239 // 1 out of 256
240 if(!Uart.dropPosition) {
241 Uart.state = STATE_UNSYNCD;
242 Uart.highCnt = 0;
243 //error = 3;
244 }
245 else {
246 Uart.dropPosition--;
247 Uart.output[Uart.byteCnt] = (Uart.dropPosition & 0xff);
248 Uart.byteCnt++;
249
250 // Calculate the parity bit for the client...
251 Uart.parityBits <<= 1;
252 Uart.parityBits ^= OddByteParity[(Uart.dropPosition & 0xff)];
253
254 Uart.bitCnt = 0;
255 Uart.shiftReg = 0;
256 Uart.nOutOfCnt = 0;
257 Uart.dropPosition = 0;
258 }
259 }
260
261 /*if(error) {
262 Uart.output[Uart.byteCnt] = 0xAA;
263 Uart.byteCnt++;
264 Uart.output[Uart.byteCnt] = error & 0xFF;
265 Uart.byteCnt++;
266 Uart.output[Uart.byteCnt] = 0xAA;
267 Uart.byteCnt++;
268 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
269 Uart.byteCnt++;
270 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
271 Uart.byteCnt++;
272 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
273 Uart.byteCnt++;
274 Uart.output[Uart.byteCnt] = 0xAA;
275 Uart.byteCnt++;
276 return TRUE;
277 }*/
278 }
279
280 }
281 else {
282 bit = Uart.bitBuffer & 0xf0;
283 bit >>= 4;
284 bit ^= 0x0F; // drops become 1s ;-)
285 if(bit) {
286 // should have been high or at least (4 * 128) / fc
287 // according to ISO this should be at least (9 * 128 + 20) / fc
288 if(Uart.highCnt == 8) {
289 // we went low, so this could be start of communication
290 // it turns out to be safer to choose a less significant
291 // syncbit... so we check whether the neighbour also represents the drop
292 Uart.posCnt = 1; // apparently we are busy with our first half bit period
293 Uart.syncBit = bit & 8;
294 Uart.samples = 3;
295 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
296 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
297 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
298 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
299 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
300 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
301 Uart.syncBit = 8;
302
303 // the first half bit period is expected in next sample
304 Uart.posCnt = 0;
305 Uart.samples = 3;
306 }
307 }
308 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
309
310 Uart.syncBit <<= 4;
311 Uart.state = STATE_START_OF_COMMUNICATION;
312 Uart.bitCnt = 0;
313 Uart.byteCnt = 0;
314 Uart.parityBits = 0;
315 Uart.nOutOfCnt = 0;
316 Uart.OutOfCnt = 4; // Start at 1/4, could switch to 1/256
317 Uart.dropPosition = 0;
318 Uart.shiftReg = 0;
319 //error = 0;
320 }
321 else {
322 Uart.highCnt = 0;
323 }
324 }
325 else {
326 if(Uart.highCnt < 8) {
327 Uart.highCnt++;
328 }
329 }
330 }
331
332 return FALSE;
333 }
334
335 //=============================================================================
336 // Manchester
337 //=============================================================================
338
339 static struct {
340 enum {
341 DEMOD_UNSYNCD,
342 DEMOD_START_OF_COMMUNICATION,
343 DEMOD_START_OF_COMMUNICATION2,
344 DEMOD_START_OF_COMMUNICATION3,
345 DEMOD_SOF_COMPLETE,
346 DEMOD_MANCHESTER_D,
347 DEMOD_MANCHESTER_E,
348 DEMOD_END_OF_COMMUNICATION,
349 DEMOD_END_OF_COMMUNICATION2,
350 DEMOD_MANCHESTER_F,
351 DEMOD_ERROR_WAIT
352 } state;
353 int bitCount;
354 int posCount;
355 int syncBit;
356 int parityBits;
357 uint16_t shiftReg;
358 int buffer;
359 int buffer2;
360 int buffer3;
361 int buff;
362 int samples;
363 int len;
364 enum {
365 SUB_NONE,
366 SUB_FIRST_HALF,
367 SUB_SECOND_HALF,
368 SUB_BOTH
369 } sub;
370 uint8_t *output;
371 } Demod;
372
373 static RAMFUNC int ManchesterDecoding(int v)
374 {
375 int bit;
376 int modulation;
377 int error = 0;
378
379 bit = Demod.buffer;
380 Demod.buffer = Demod.buffer2;
381 Demod.buffer2 = Demod.buffer3;
382 Demod.buffer3 = v;
383
384 if(Demod.buff < 3) {
385 Demod.buff++;
386 return FALSE;
387 }
388
389 if(Demod.state==DEMOD_UNSYNCD) {
390 Demod.output[Demod.len] = 0xfa;
391 Demod.syncBit = 0;
392 //Demod.samples = 0;
393 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
394
395 if(bit & 0x08) {
396 Demod.syncBit = 0x08;
397 }
398
399 if(bit & 0x04) {
400 if(Demod.syncBit) {
401 bit <<= 4;
402 }
403 Demod.syncBit = 0x04;
404 }
405
406 if(bit & 0x02) {
407 if(Demod.syncBit) {
408 bit <<= 2;
409 }
410 Demod.syncBit = 0x02;
411 }
412
413 if(bit & 0x01 && Demod.syncBit) {
414 Demod.syncBit = 0x01;
415 }
416
417 if(Demod.syncBit) {
418 Demod.len = 0;
419 Demod.state = DEMOD_START_OF_COMMUNICATION;
420 Demod.sub = SUB_FIRST_HALF;
421 Demod.bitCount = 0;
422 Demod.shiftReg = 0;
423 Demod.parityBits = 0;
424 Demod.samples = 0;
425 if(Demod.posCount) {
426 //if(trigger) LED_A_OFF(); // Not useful in this case...
427 switch(Demod.syncBit) {
428 case 0x08: Demod.samples = 3; break;
429 case 0x04: Demod.samples = 2; break;
430 case 0x02: Demod.samples = 1; break;
431 case 0x01: Demod.samples = 0; break;
432 }
433 // SOF must be long burst... otherwise stay unsynced!!!
434 if(!(Demod.buffer & Demod.syncBit) || !(Demod.buffer2 & Demod.syncBit)) {
435 Demod.state = DEMOD_UNSYNCD;
436 }
437 }
438 else {
439 // SOF must be long burst... otherwise stay unsynced!!!
440 if(!(Demod.buffer2 & Demod.syncBit) || !(Demod.buffer3 & Demod.syncBit)) {
441 Demod.state = DEMOD_UNSYNCD;
442 error = 0x88;
443 }
444
445 }
446 error = 0;
447
448 }
449 }
450 else {
451 modulation = bit & Demod.syncBit;
452 modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
453 //modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
454
455 Demod.samples += 4;
456
457 if(Demod.posCount==0) {
458 Demod.posCount = 1;
459 if(modulation) {
460 Demod.sub = SUB_FIRST_HALF;
461 }
462 else {
463 Demod.sub = SUB_NONE;
464 }
465 }
466 else {
467 Demod.posCount = 0;
468 /*(modulation && (Demod.sub == SUB_FIRST_HALF)) {
469 if(Demod.state!=DEMOD_ERROR_WAIT) {
470 Demod.state = DEMOD_ERROR_WAIT;
471 Demod.output[Demod.len] = 0xaa;
472 error = 0x01;
473 }
474 }*/
475 //else if(modulation) {
476 if(modulation) {
477 if(Demod.sub == SUB_FIRST_HALF) {
478 Demod.sub = SUB_BOTH;
479 }
480 else {
481 Demod.sub = SUB_SECOND_HALF;
482 }
483 }
484 else if(Demod.sub == SUB_NONE) {
485 if(Demod.state == DEMOD_SOF_COMPLETE) {
486 Demod.output[Demod.len] = 0x0f;
487 Demod.len++;
488 Demod.parityBits <<= 1;
489 Demod.parityBits ^= OddByteParity[0x0f];
490 Demod.state = DEMOD_UNSYNCD;
491 // error = 0x0f;
492 return TRUE;
493 }
494 else {
495 Demod.state = DEMOD_ERROR_WAIT;
496 error = 0x33;
497 }
498 /*if(Demod.state!=DEMOD_ERROR_WAIT) {
499 Demod.state = DEMOD_ERROR_WAIT;
500 Demod.output[Demod.len] = 0xaa;
501 error = 0x01;
502 }*/
503 }
504
505 switch(Demod.state) {
506 case DEMOD_START_OF_COMMUNICATION:
507 if(Demod.sub == SUB_BOTH) {
508 //Demod.state = DEMOD_MANCHESTER_D;
509 Demod.state = DEMOD_START_OF_COMMUNICATION2;
510 Demod.posCount = 1;
511 Demod.sub = SUB_NONE;
512 }
513 else {
514 Demod.output[Demod.len] = 0xab;
515 Demod.state = DEMOD_ERROR_WAIT;
516 error = 0xd2;
517 }
518 break;
519 case DEMOD_START_OF_COMMUNICATION2:
520 if(Demod.sub == SUB_SECOND_HALF) {
521 Demod.state = DEMOD_START_OF_COMMUNICATION3;
522 }
523 else {
524 Demod.output[Demod.len] = 0xab;
525 Demod.state = DEMOD_ERROR_WAIT;
526 error = 0xd3;
527 }
528 break;
529 case DEMOD_START_OF_COMMUNICATION3:
530 if(Demod.sub == SUB_SECOND_HALF) {
531 // Demod.state = DEMOD_MANCHESTER_D;
532 Demod.state = DEMOD_SOF_COMPLETE;
533 //Demod.output[Demod.len] = Demod.syncBit & 0xFF;
534 //Demod.len++;
535 }
536 else {
537 Demod.output[Demod.len] = 0xab;
538 Demod.state = DEMOD_ERROR_WAIT;
539 error = 0xd4;
540 }
541 break;
542 case DEMOD_SOF_COMPLETE:
543 case DEMOD_MANCHESTER_D:
544 case DEMOD_MANCHESTER_E:
545 // OPPOSITE FROM ISO14443 - 11110000 = 0 (1 in 14443)
546 // 00001111 = 1 (0 in 14443)
547 if(Demod.sub == SUB_SECOND_HALF) { // SUB_FIRST_HALF
548 Demod.bitCount++;
549 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
550 Demod.state = DEMOD_MANCHESTER_D;
551 }
552 else if(Demod.sub == SUB_FIRST_HALF) { // SUB_SECOND_HALF
553 Demod.bitCount++;
554 Demod.shiftReg >>= 1;
555 Demod.state = DEMOD_MANCHESTER_E;
556 }
557 else if(Demod.sub == SUB_BOTH) {
558 Demod.state = DEMOD_MANCHESTER_F;
559 }
560 else {
561 Demod.state = DEMOD_ERROR_WAIT;
562 error = 0x55;
563 }
564 break;
565
566 case DEMOD_MANCHESTER_F:
567 // Tag response does not need to be a complete byte!
568 if(Demod.len > 0 || Demod.bitCount > 0) {
569 if(Demod.bitCount > 1) { // was > 0, do not interpret last closing bit, is part of EOF
570 Demod.shiftReg >>= (9 - Demod.bitCount);
571 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
572 Demod.len++;
573 // No parity bit, so just shift a 0
574 Demod.parityBits <<= 1;
575 }
576
577 Demod.state = DEMOD_UNSYNCD;
578 return TRUE;
579 }
580 else {
581 Demod.output[Demod.len] = 0xad;
582 Demod.state = DEMOD_ERROR_WAIT;
583 error = 0x03;
584 }
585 break;
586
587 case DEMOD_ERROR_WAIT:
588 Demod.state = DEMOD_UNSYNCD;
589 break;
590
591 default:
592 Demod.output[Demod.len] = 0xdd;
593 Demod.state = DEMOD_UNSYNCD;
594 break;
595 }
596
597 /*if(Demod.bitCount>=9) {
598 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
599 Demod.len++;
600
601 Demod.parityBits <<= 1;
602 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
603
604 Demod.bitCount = 0;
605 Demod.shiftReg = 0;
606 }*/
607 if(Demod.bitCount>=8) {
608 Demod.shiftReg >>= 1;
609 Demod.output[Demod.len] = (Demod.shiftReg & 0xff);
610 Demod.len++;
611
612 // FOR ISO15639 PARITY NOT SEND OTA, JUST CALCULATE IT FOR THE CLIENT
613 Demod.parityBits <<= 1;
614 Demod.parityBits ^= OddByteParity[(Demod.shiftReg & 0xff)];
615
616 Demod.bitCount = 0;
617 Demod.shiftReg = 0;
618 }
619
620 if(error) {
621 Demod.output[Demod.len] = 0xBB;
622 Demod.len++;
623 Demod.output[Demod.len] = error & 0xFF;
624 Demod.len++;
625 Demod.output[Demod.len] = 0xBB;
626 Demod.len++;
627 Demod.output[Demod.len] = bit & 0xFF;
628 Demod.len++;
629 Demod.output[Demod.len] = Demod.buffer & 0xFF;
630 Demod.len++;
631 // Look harder ;-)
632 Demod.output[Demod.len] = Demod.buffer2 & 0xFF;
633 Demod.len++;
634 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
635 Demod.len++;
636 Demod.output[Demod.len] = 0xBB;
637 Demod.len++;
638 return TRUE;
639 }
640
641 }
642
643 } // end (state != UNSYNCED)
644
645 return FALSE;
646 }
647
648 //=============================================================================
649 // Finally, a `sniffer' for iClass communication
650 // Both sides of communication!
651 //=============================================================================
652
653 //-----------------------------------------------------------------------------
654 // Record the sequence of commands sent by the reader to the tag, with
655 // triggering so that we start recording at the point that the tag is moved
656 // near the reader.
657 //-----------------------------------------------------------------------------
658 void RAMFUNC SnoopIClass(void)
659 {
660
661
662 // We won't start recording the frames that we acquire until we trigger;
663 // a good trigger condition to get started is probably when we see a
664 // response from the tag.
665 //int triggered = FALSE; // FALSE to wait first for card
666
667 // The command (reader -> tag) that we're receiving.
668 // The length of a received command will in most cases be no more than 18 bytes.
669 // So 32 should be enough!
670 uint8_t *readerToTagCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
671 // The response (tag -> reader) that we're receiving.
672 uint8_t *tagToReaderResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
673
674 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
675
676 // reset traceLen to 0
677 iso14a_set_tracing(TRUE);
678 iso14a_clear_trace();
679 iso14a_set_trigger(FALSE);
680
681 // The DMA buffer, used to stream samples from the FPGA
682 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
683 int lastRxCounter;
684 int8_t *upTo;
685 int smpl;
686 int maxBehindBy = 0;
687
688 // Count of samples received so far, so that we can include timing
689 // information in the trace buffer.
690 int samples = 0;
691 rsamples = 0;
692
693 // Set up the demodulator for tag -> reader responses.
694 Demod.output = tagToReaderResponse;
695 Demod.len = 0;
696 Demod.state = DEMOD_UNSYNCD;
697
698 // Setup for the DMA.
699 FpgaSetupSsc();
700 upTo = dmaBuf;
701 lastRxCounter = DMA_BUFFER_SIZE;
702 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
703
704 // And the reader -> tag commands
705 memset(&Uart, 0, sizeof(Uart));
706 Uart.output = readerToTagCmd;
707 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
708 Uart.state = STATE_UNSYNCD;
709
710 // And put the FPGA in the appropriate mode
711 // Signal field is off with the appropriate LED
712 LED_D_OFF();
713 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
714 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
715
716 uint32_t time_0 = GetCountSspClk();
717
718
719 int div = 0;
720 //int div2 = 0;
721 int decbyte = 0;
722 int decbyter = 0;
723
724 // And now we loop, receiving samples.
725 for(;;) {
726 LED_A_ON();
727 WDT_HIT();
728 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
729 (DMA_BUFFER_SIZE-1);
730 if(behindBy > maxBehindBy) {
731 maxBehindBy = behindBy;
732 if(behindBy > 400) {
733 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
734 goto done;
735 }
736 }
737 if(behindBy < 1) continue;
738
739 LED_A_OFF();
740 smpl = upTo[0];
741 upTo++;
742 lastRxCounter -= 1;
743 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
744 upTo -= DMA_BUFFER_SIZE;
745 lastRxCounter += DMA_BUFFER_SIZE;
746 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
747 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
748 }
749
750 //samples += 4;
751 samples += 1;
752
753 if(smpl & 0xF) {
754 decbyte ^= (1 << (3 - div));
755 }
756
757 // FOR READER SIDE COMMUMICATION...
758
759 decbyter <<= 2;
760 decbyter ^= (smpl & 0x30);
761
762 div++;
763
764 if((div + 1) % 2 == 0) {
765 smpl = decbyter;
766 if(OutOfNDecoding((smpl & 0xF0) >> 4)) {
767 rsamples = samples - Uart.samples;
768 LED_C_ON();
769
770 //if(!LogTrace(Uart.output,Uart.byteCnt, rsamples, Uart.parityBits,TRUE)) break;
771 //if(!LogTrace(NULL, 0, Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER, 0, TRUE)) break;
772 if(tracing)
773 {
774 LogTrace(Uart.output,Uart.byteCnt, (GetCountSspClk()-time_0) << 4, Uart.parityBits,TRUE);
775 LogTrace(NULL, 0, (GetCountSspClk()-time_0) << 4, 0, TRUE);
776 }
777
778
779 /* And ready to receive another command. */
780 Uart.state = STATE_UNSYNCD;
781 /* And also reset the demod code, which might have been */
782 /* false-triggered by the commands from the reader. */
783 Demod.state = DEMOD_UNSYNCD;
784 LED_B_OFF();
785 Uart.byteCnt = 0;
786 }
787 decbyter = 0;
788 }
789
790 if(div > 3) {
791 smpl = decbyte;
792 if(ManchesterDecoding(smpl & 0x0F)) {
793 rsamples = samples - Demod.samples;
794 LED_B_ON();
795
796 if(tracing)
797 {
798 LogTrace(Demod.output,Demod.len, (GetCountSspClk()-time_0) << 4 , Demod.parityBits,FALSE);
799 LogTrace(NULL, 0, (GetCountSspClk()-time_0) << 4, 0, FALSE);
800 }
801
802
803 // And ready to receive another response.
804 memset(&Demod, 0, sizeof(Demod));
805 Demod.output = tagToReaderResponse;
806 Demod.state = DEMOD_UNSYNCD;
807 LED_C_OFF();
808 }
809
810 div = 0;
811 decbyte = 0x00;
812 }
813 //}
814
815 if(BUTTON_PRESS()) {
816 DbpString("cancelled_a");
817 goto done;
818 }
819 }
820
821 DbpString("COMMAND FINISHED");
822
823 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
824 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
825
826 done:
827 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
828 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
829 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
830 LED_A_OFF();
831 LED_B_OFF();
832 LED_C_OFF();
833 LED_D_OFF();
834 }
835
836 void rotateCSN(uint8_t* originalCSN, uint8_t* rotatedCSN) {
837 int i;
838 for(i = 0; i < 8; i++) {
839 rotatedCSN[i] = (originalCSN[i] >> 3) | (originalCSN[(i+1)%8] << 5);
840 }
841 }
842
843 //-----------------------------------------------------------------------------
844 // Wait for commands from reader
845 // Stop when button is pressed
846 // Or return TRUE when command is captured
847 //-----------------------------------------------------------------------------
848 static int GetIClassCommandFromReader(uint8_t *received, int *len, int maxLen)
849 {
850 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
851 // only, since we are receiving, not transmitting).
852 // Signal field is off with the appropriate LED
853 LED_D_OFF();
854 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
855
856 // Now run a `software UART' on the stream of incoming samples.
857 Uart.output = received;
858 Uart.byteCntMax = maxLen;
859 Uart.state = STATE_UNSYNCD;
860
861 for(;;) {
862 WDT_HIT();
863
864 if(BUTTON_PRESS()) return FALSE;
865
866 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
867 AT91C_BASE_SSC->SSC_THR = 0x00;
868 }
869 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
870 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
871 /*if(OutOfNDecoding((b & 0xf0) >> 4)) {
872 *len = Uart.byteCnt;
873 return TRUE;
874 }*/
875 if(OutOfNDecoding(b & 0x0f)) {
876 *len = Uart.byteCnt;
877 return TRUE;
878 }
879 }
880 }
881 }
882
883
884 //-----------------------------------------------------------------------------
885 // Prepare tag messages
886 //-----------------------------------------------------------------------------
887 static void CodeIClassTagAnswer(const uint8_t *cmd, int len)
888 {
889 //So far a dummy implementation, not used
890 //int lastProxToAirDuration =0;
891 int i;
892
893 ToSendReset();
894
895 // Send SOF
896 ToSend[++ToSendMax] = 0x00;
897 ToSend[++ToSendMax] = 0x00;
898 ToSend[++ToSendMax] = 0x00;
899 ToSend[++ToSendMax] = 0xff;//Proxtoair duration starts here
900 ToSend[++ToSendMax] = 0xff;
901 ToSend[++ToSendMax] = 0xff;
902 ToSend[++ToSendMax] = 0x00;
903 ToSend[++ToSendMax] = 0xff;
904
905 for(i = 0; i < len; i++) {
906 int j;
907 uint8_t b = cmd[i];
908
909 // Data bits
910 for(j = 0; j < 8; j++) {
911 if(b & 1) {
912 ToSend[++ToSendMax] = 0x00;
913 ToSend[++ToSendMax] = 0xff;
914 } else {
915 ToSend[++ToSendMax] = 0xff;
916 ToSend[++ToSendMax] = 0x00;
917 }
918 b >>= 1;
919 }
920 }
921
922 // Send EOF
923 ToSend[++ToSendMax] = 0xff;
924 ToSend[++ToSendMax] = 0x00;
925 ToSend[++ToSendMax] = 0xff;
926 ToSend[++ToSendMax] = 0xff;
927 ToSend[++ToSendMax] = 0xff;
928 ToSend[++ToSendMax] = 0x00;
929 ToSend[++ToSendMax] = 0x00;
930 ToSend[++ToSendMax] = 0x00;
931
932 //lastProxToAirDuration = 8*ToSendMax - 3*8 - 3*8;//Not counting zeroes in the beginning or end
933
934 // Convert from last byte pos to length
935 ToSendMax++;
936 }
937
938 // Only SOF
939 static void CodeIClassTagSOF()
940 {
941 //So far a dummy implementation, not used
942 //int lastProxToAirDuration =0;
943
944 ToSendReset();
945 // Send SOF
946 ToSend[++ToSendMax] = 0x00;
947 ToSend[++ToSendMax] = 0x00;
948 ToSend[++ToSendMax] = 0x00;
949 ToSend[++ToSendMax] = 0xff;
950 ToSend[++ToSendMax] = 0xff;
951 ToSend[++ToSendMax] = 0xff;
952 ToSend[++ToSendMax] = 0x00;
953 ToSend[++ToSendMax] = 0xff;
954
955 // lastProxToAirDuration = 8*ToSendMax - 3*8;//Not counting zeroes in the beginning
956
957
958 // Convert from last byte pos to length
959 ToSendMax++;
960 }
961 int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf);
962 /**
963 * @brief SimulateIClass simulates an iClass card.
964 * @param arg0 type of simulation
965 * - 0 uses the first 8 bytes in usb data as CSN
966 * - 2 "dismantling iclass"-attack. This mode iterates through all CSN's specified
967 * in the usb data. This mode collects MAC from the reader, in order to do an offline
968 * attack on the keys. For more info, see "dismantling iclass" and proxclone.com.
969 * - Other : Uses the default CSN (031fec8af7ff12e0)
970 * @param arg1 - number of CSN's contained in datain (applicable for mode 2 only)
971 * @param arg2
972 * @param datain
973 */
974 void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
975 {
976 uint32_t simType = arg0;
977 uint32_t numberOfCSNS = arg1;
978 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
979
980 // Enable and clear the trace
981 iso14a_set_tracing(TRUE);
982 iso14a_clear_trace();
983
984 uint8_t csn_crc[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
985 if(simType == 0) {
986 // Use the CSN from commandline
987 memcpy(csn_crc, datain, 8);
988 doIClassSimulation(csn_crc,0,NULL);
989 }else if(simType == 1)
990 {
991 doIClassSimulation(csn_crc,0,NULL);
992 }
993 else if(simType == 2)
994 {
995
996 uint8_t mac_responses[64] = { 0 };
997 Dbprintf("Going into attack mode");
998 // In this mode, a number of csns are within datain. We'll simulate each one, one at a time
999 // in order to collect MAC's from the reader. This can later be used in an offlne-attack
1000 // in order to obtain the keys, as in the "dismantling iclass"-paper.
1001 int i = 0;
1002 for( ; i < numberOfCSNS && i*8+8 < USB_CMD_DATA_SIZE; i++)
1003 {
1004 // The usb data is 512 bytes, fitting 65 8-byte CSNs in there.
1005
1006 memcpy(csn_crc, datain+(i*8), 8);
1007 if(doIClassSimulation(csn_crc,1,mac_responses))
1008 {
1009 return; // Button pressed
1010 }
1011 }
1012 cmd_send(CMD_ACK,CMD_SIMULATE_TAG_ICLASS,i,0,mac_responses,i*8);
1013
1014 }
1015 else{
1016 // We may want a mode here where we hardcode the csns to use (from proxclone).
1017 // That will speed things up a little, but not required just yet.
1018 Dbprintf("The mode is not implemented, reserved for future use");
1019 }
1020 Dbprintf("Done...");
1021
1022 }
1023 /**
1024 * @brief Does the actual simulation
1025 * @param csn - csn to use
1026 * @param breakAfterMacReceived if true, returns after reader MAC has been received.
1027 */
1028 int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf)
1029 {
1030
1031
1032 // CSN followed by two CRC bytes
1033 uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1034 uint8_t response3[] = { 0,0,0,0,0,0,0,0,0,0};
1035 memcpy(response3,csn,sizeof(response3));
1036 Dbprintf("Simulating CSN %02x%02x%02x%02x%02x%02x%02x%02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
1037 // e-Purse
1038 uint8_t response4[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1039
1040 // Construct anticollision-CSN
1041 rotateCSN(response3,response2);
1042
1043 // Compute CRC on both CSNs
1044 ComputeCrc14443(CRC_ICLASS, response2, 8, &response2[8], &response2[9]);
1045 ComputeCrc14443(CRC_ICLASS, response3, 8, &response3[8], &response3[9]);
1046
1047 int exitLoop = 0;
1048 // Reader 0a
1049 // Tag 0f
1050 // Reader 0c
1051 // Tag anticoll. CSN
1052 // Reader 81 anticoll. CSN
1053 // Tag CSN
1054
1055 uint8_t *resp;
1056 int respLen;
1057 uint8_t* respdata = NULL;
1058 int respsize = 0;
1059 uint8_t sof = 0x0f;
1060
1061 // Respond SOF -- takes 8 bytes
1062 uint8_t *resp1 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
1063 int resp1Len;
1064
1065 // Anticollision CSN (rotated CSN)
1066 // 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit)
1067 uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 10);
1068 int resp2Len;
1069
1070 // CSN
1071 // 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit)
1072 uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 190);
1073 int resp3Len;
1074
1075 // e-Purse
1076 // 144: Takes 16 bytes for SOF/EOF and 8 * 16 = 128 bytes (2 bytes/bit)
1077 uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 370);
1078 int resp4Len;
1079
1080 // + 1720..
1081 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
1082 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
1083 int len;
1084
1085 // Prepare card messages
1086 ToSendMax = 0;
1087
1088 // First card answer: SOF
1089 CodeIClassTagSOF();
1090 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1091
1092 // Anticollision CSN
1093 CodeIClassTagAnswer(response2, sizeof(response2));
1094 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1095
1096 // CSN
1097 CodeIClassTagAnswer(response3, sizeof(response3));
1098 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1099
1100 // e-Purse
1101 CodeIClassTagAnswer(response4, sizeof(response4));
1102 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1103
1104
1105 // Start from off (no field generated)
1106 //FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1107 //SpinDelay(200);
1108 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1109 SpinDelay(100);
1110 StartCountSspClk();
1111 // We need to listen to the high-frequency, peak-detected path.
1112 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1113 FpgaSetupSsc();
1114
1115 // To control where we are in the protocol
1116 int cmdsRecvd = 0;
1117 uint32_t time_0 = GetCountSspClk();
1118 uint32_t t2r_time =0;
1119 uint32_t r2t_time =0;
1120
1121 LED_A_ON();
1122 bool buttonPressed = false;
1123
1124 /** Hack for testing
1125 memcpy(reader_mac_buf,csn,8);
1126 exitLoop = true;
1127 end hack **/
1128
1129 while(!exitLoop) {
1130
1131 LED_B_OFF();
1132 //Signal tracer
1133 // Can be used to get a trigger for an oscilloscope..
1134 LED_C_OFF();
1135
1136 if(!GetIClassCommandFromReader(receivedCmd, &len, 100)) {
1137 buttonPressed = true;
1138 break;
1139 }
1140 r2t_time = GetCountSspClk();
1141 //Signal tracer
1142 LED_C_ON();
1143
1144 // Okay, look at the command now.
1145 if(receivedCmd[0] == 0x0a ) {
1146 // Reader in anticollission phase
1147 resp = resp1; respLen = resp1Len; //order = 1;
1148 respdata = &sof;
1149 respsize = sizeof(sof);
1150 } else if(receivedCmd[0] == 0x0c) {
1151 // Reader asks for anticollission CSN
1152 resp = resp2; respLen = resp2Len; //order = 2;
1153 respdata = response2;
1154 respsize = sizeof(response2);
1155 //DbpString("Reader requests anticollission CSN:");
1156 } else if(receivedCmd[0] == 0x81) {
1157 // Reader selects anticollission CSN.
1158 // Tag sends the corresponding real CSN
1159 resp = resp3; respLen = resp3Len; //order = 3;
1160 respdata = response3;
1161 respsize = sizeof(response3);
1162 //DbpString("Reader selects anticollission CSN:");
1163 } else if(receivedCmd[0] == 0x88) {
1164 // Read e-purse (88 02)
1165 resp = resp4; respLen = resp4Len; //order = 4;
1166 respdata = response4;
1167 respsize = sizeof(response4);
1168 LED_B_ON();
1169 } else if(receivedCmd[0] == 0x05) {
1170 // Reader random and reader MAC!!!
1171 // Do not respond
1172 // We do not know what to answer, so lets keep quiet
1173 resp = resp1; respLen = 0; //order = 5;
1174 respdata = NULL;
1175 respsize = 0;
1176 if (breakAfterMacReceived){
1177 // dbprintf:ing ...
1178 Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x",csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
1179 Dbprintf("RDR: (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",len,
1180 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1181 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1182 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
1183 if (reader_mac_buf != NULL)
1184 {
1185 memcpy(reader_mac_buf,receivedCmd+1,8);
1186 }
1187 exitLoop = true;
1188 }
1189 } else if(receivedCmd[0] == 0x00 && len == 1) {
1190 // Reader ends the session
1191 resp = resp1; respLen = 0; //order = 0;
1192 respdata = NULL;
1193 respsize = 0;
1194 } else {
1195 //#db# Unknown command received from reader (len=5): 26 1 0 f6 a 44 44 44 44
1196 // Never seen this command before
1197 Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
1198 len,
1199 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1200 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1201 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
1202 // Do not respond
1203 resp = resp1; respLen = 0; //order = 0;
1204 respdata = NULL;
1205 respsize = 0;
1206 }
1207
1208 if(cmdsRecvd > 100) {
1209 //DbpString("100 commands later...");
1210 //break;
1211 }
1212 else {
1213 cmdsRecvd++;
1214 }
1215
1216 if(respLen > 0) {
1217 SendIClassAnswer(resp, respLen, 21);
1218 t2r_time = GetCountSspClk();
1219 }
1220
1221 if (tracing) {
1222 LogTrace(receivedCmd,len, (r2t_time-time_0)<< 4, Uart.parityBits,TRUE);
1223 LogTrace(NULL,0, (r2t_time-time_0) << 4, 0,TRUE);
1224
1225 if (respdata != NULL) {
1226 LogTrace(respdata,respsize, (t2r_time-time_0) << 4,SwapBits(GetParity(respdata,respsize),respsize),FALSE);
1227 LogTrace(NULL,0, (t2r_time-time_0) << 4,0,FALSE);
1228
1229
1230 }
1231 if(!tracing) {
1232 DbpString("Trace full");
1233 //break;
1234 }
1235
1236 }
1237 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
1238 }
1239
1240 //Dbprintf("%x", cmdsRecvd);
1241 LED_A_OFF();
1242 LED_B_OFF();
1243 if(buttonPressed)
1244 {
1245 DbpString("Button pressed");
1246 }
1247 return buttonPressed;
1248 }
1249
1250 static int SendIClassAnswer(uint8_t *resp, int respLen, int delay)
1251 {
1252 int i = 0, d=0;//, u = 0, d = 0;
1253 uint8_t b = 0;
1254
1255 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K);
1256
1257 AT91C_BASE_SSC->SSC_THR = 0x00;
1258 FpgaSetupSsc();
1259 while(!BUTTON_PRESS()) {
1260 if((AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)){
1261 b = AT91C_BASE_SSC->SSC_RHR; (void) b;
1262 }
1263 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)){
1264 b = 0x00;
1265 if(d < delay) {
1266 d++;
1267 }
1268 else {
1269 if( i < respLen){
1270 b = resp[i];
1271 //Hack
1272 //b = 0xAC;
1273 }
1274 i++;
1275 }
1276 AT91C_BASE_SSC->SSC_THR = b;
1277 }
1278
1279 if (i > respLen +4) break;
1280 }
1281
1282 return 0;
1283 }
1284
1285 /// THE READER CODE
1286
1287 //-----------------------------------------------------------------------------
1288 // Transmit the command (to the tag) that was placed in ToSend[].
1289 //-----------------------------------------------------------------------------
1290 static void TransmitIClassCommand(const uint8_t *cmd, int len, int *samples, int *wait)
1291 {
1292 int c;
1293 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1294 AT91C_BASE_SSC->SSC_THR = 0x00;
1295 FpgaSetupSsc();
1296
1297 if (wait)
1298 if(*wait < 10)
1299 *wait = 10;
1300
1301 for(c = 0; c < *wait;) {
1302 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1303 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1304 c++;
1305 }
1306 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1307 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1308 (void)r;
1309 }
1310 WDT_HIT();
1311 }
1312
1313 uint8_t sendbyte;
1314 bool firstpart = TRUE;
1315 c = 0;
1316 for(;;) {
1317 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1318
1319 // DOUBLE THE SAMPLES!
1320 if(firstpart) {
1321 sendbyte = (cmd[c] & 0xf0) | (cmd[c] >> 4);
1322 }
1323 else {
1324 sendbyte = (cmd[c] & 0x0f) | (cmd[c] << 4);
1325 c++;
1326 }
1327 if(sendbyte == 0xff) {
1328 sendbyte = 0xfe;
1329 }
1330 AT91C_BASE_SSC->SSC_THR = sendbyte;
1331 firstpart = !firstpart;
1332
1333 if(c >= len) {
1334 break;
1335 }
1336 }
1337 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1338 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1339 (void)r;
1340 }
1341 WDT_HIT();
1342 }
1343 if (samples) *samples = (c + *wait) << 3;
1344 }
1345
1346
1347 //-----------------------------------------------------------------------------
1348 // Prepare iClass reader command to send to FPGA
1349 //-----------------------------------------------------------------------------
1350 void CodeIClassCommand(const uint8_t * cmd, int len)
1351 {
1352 int i, j, k;
1353 uint8_t b;
1354
1355 ToSendReset();
1356
1357 // Start of Communication: 1 out of 4
1358 ToSend[++ToSendMax] = 0xf0;
1359 ToSend[++ToSendMax] = 0x00;
1360 ToSend[++ToSendMax] = 0x0f;
1361 ToSend[++ToSendMax] = 0x00;
1362
1363 // Modulate the bytes
1364 for (i = 0; i < len; i++) {
1365 b = cmd[i];
1366 for(j = 0; j < 4; j++) {
1367 for(k = 0; k < 4; k++) {
1368 if(k == (b & 3)) {
1369 ToSend[++ToSendMax] = 0x0f;
1370 }
1371 else {
1372 ToSend[++ToSendMax] = 0x00;
1373 }
1374 }
1375 b >>= 2;
1376 }
1377 }
1378
1379 // End of Communication
1380 ToSend[++ToSendMax] = 0x00;
1381 ToSend[++ToSendMax] = 0x00;
1382 ToSend[++ToSendMax] = 0xf0;
1383 ToSend[++ToSendMax] = 0x00;
1384
1385 // Convert from last character reference to length
1386 ToSendMax++;
1387 }
1388
1389 void ReaderTransmitIClass(uint8_t* frame, int len)
1390 {
1391 int wait = 0;
1392 int samples = 0;
1393 int par = 0;
1394
1395 // This is tied to other size changes
1396 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
1397 CodeIClassCommand(frame,len);
1398
1399 // Select the card
1400 TransmitIClassCommand(ToSend, ToSendMax, &samples, &wait);
1401 if(trigger)
1402 LED_A_ON();
1403
1404 // Store reader command in buffer
1405 if (tracing) LogTrace(frame,len,rsamples,par,TRUE);
1406 }
1407
1408 //-----------------------------------------------------------------------------
1409 // Wait a certain time for tag response
1410 // If a response is captured return TRUE
1411 // If it takes too long return FALSE
1412 //-----------------------------------------------------------------------------
1413 static int GetIClassAnswer(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
1414 {
1415 // buffer needs to be 512 bytes
1416 int c;
1417
1418 // Set FPGA mode to "reader listen mode", no modulation (listen
1419 // only, since we are receiving, not transmitting).
1420 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1421
1422 // Now get the answer from the card
1423 Demod.output = receivedResponse;
1424 Demod.len = 0;
1425 Demod.state = DEMOD_UNSYNCD;
1426
1427 uint8_t b;
1428 if (elapsed) *elapsed = 0;
1429
1430 bool skip = FALSE;
1431
1432 c = 0;
1433 for(;;) {
1434 WDT_HIT();
1435
1436 if(BUTTON_PRESS()) return FALSE;
1437
1438 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1439 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1440 if (elapsed) (*elapsed)++;
1441 }
1442 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1443 if(c < timeout) { c++; } else { return FALSE; }
1444 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1445 skip = !skip;
1446 if(skip) continue;
1447 /*if(ManchesterDecoding((b>>4) & 0xf)) {
1448 *samples = ((c - 1) << 3) + 4;
1449 return TRUE;
1450 }*/
1451 if(ManchesterDecoding(b & 0x0f)) {
1452 *samples = c << 3;
1453 return TRUE;
1454 }
1455 }
1456 }
1457 }
1458
1459 int ReaderReceiveIClass(uint8_t* receivedAnswer)
1460 {
1461 int samples = 0;
1462 if (!GetIClassAnswer(receivedAnswer,160,&samples,0)) return FALSE;
1463 rsamples += samples;
1464 if (tracing) LogTrace(receivedAnswer,Demod.len,rsamples,Demod.parityBits,FALSE);
1465 if(samples == 0) return FALSE;
1466 return Demod.len;
1467 }
1468
1469 // Reader iClass Anticollission
1470 void ReaderIClass(uint8_t arg0) {
1471 uint8_t act_all[] = { 0x0a };
1472 uint8_t identify[] = { 0x0c };
1473 uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1474
1475 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1476
1477 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1478
1479 // Reset trace buffer
1480 iso14a_set_tracing(TRUE);
1481 iso14a_clear_trace();
1482
1483 // Setup SSC
1484 FpgaSetupSsc();
1485 // Start from off (no field generated)
1486 // Signal field is off with the appropriate LED
1487 LED_D_OFF();
1488 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1489 SpinDelay(200);
1490
1491 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1492
1493 // Now give it time to spin up.
1494 // Signal field is on with the appropriate LED
1495 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1496 SpinDelay(200);
1497
1498 LED_A_ON();
1499
1500 for(;;) {
1501
1502 if(traceLen > TRACE_SIZE) {
1503 DbpString("Trace full");
1504 break;
1505 }
1506
1507 if (BUTTON_PRESS()) break;
1508
1509 // Send act_all
1510 ReaderTransmitIClass(act_all, 1);
1511 // Card present?
1512 if(ReaderReceiveIClass(resp)) {
1513 ReaderTransmitIClass(identify, 1);
1514 if(ReaderReceiveIClass(resp) == 10) {
1515 // Select card
1516 memcpy(&select[1],resp,8);
1517 ReaderTransmitIClass(select, sizeof(select));
1518
1519 if(ReaderReceiveIClass(resp) == 10) {
1520 Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1521 resp[0], resp[1], resp[2],
1522 resp[3], resp[4], resp[5],
1523 resp[6], resp[7]);
1524 }
1525 // Card selected, whats next... ;-)
1526 }
1527 }
1528 WDT_HIT();
1529 }
1530
1531 LED_A_OFF();
1532 }
1533
1534 void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
1535 uint8_t act_all[] = { 0x0a };
1536 uint8_t identify[] = { 0x0c };
1537 uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1538 uint8_t readcheck_cc[]= { 0x88, 0x02 };
1539 uint8_t check[] = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1540 uint8_t read[] = { 0x0c, 0x00, 0x00, 0x00 };
1541
1542 uint16_t crc = 0;
1543 uint8_t cardsize=0;
1544 bool read_success=false;
1545 uint8_t mem=0;
1546
1547 static struct memory_t{
1548 int k16;
1549 int book;
1550 int k2;
1551 int lockauth;
1552 int keyaccess;
1553 } memory;
1554
1555 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1556 // Enable and clear the trace
1557 iso14a_set_tracing(TRUE);
1558 iso14a_clear_trace();
1559
1560
1561
1562 // Setup SSC
1563 FpgaSetupSsc();
1564 // Start from off (no field generated)
1565 // Signal field is off with the appropriate LED
1566 LED_D_OFF();
1567 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1568 SpinDelay(200);
1569
1570 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1571
1572 // Now give it time to spin up.
1573 // Signal field is on with the appropriate LED
1574 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1575 SpinDelay(200);
1576
1577 LED_A_ON();
1578
1579 for(int i=0;i<1;i++) {
1580
1581 if(traceLen > TRACE_SIZE) {
1582 DbpString("Trace full");
1583 break;
1584 }
1585
1586 if (BUTTON_PRESS()) break;
1587
1588 // Send act_all
1589 ReaderTransmitIClass(act_all, 1);
1590 // Card present?
1591 if(ReaderReceiveIClass(resp)) {
1592 ReaderTransmitIClass(identify, 1);
1593 if(ReaderReceiveIClass(resp) == 10) {
1594 // Select card
1595 memcpy(&select[1],resp,8);
1596 ReaderTransmitIClass(select, sizeof(select));
1597
1598 if(ReaderReceiveIClass(resp) == 10) {
1599 Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1600 resp[0], resp[1], resp[2],
1601 resp[3], resp[4], resp[5],
1602 resp[6], resp[7]);
1603 }
1604 // Card selected
1605 Dbprintf("Readcheck on Sector 2");
1606 ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
1607 if(ReaderReceiveIClass(resp) == 8) {
1608 Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x",
1609 resp[0], resp[1], resp[2],
1610 resp[3], resp[4], resp[5],
1611 resp[6], resp[7]);
1612 }else return;
1613 Dbprintf("Authenticate");
1614 //for now replay captured auth (as cc not updated)
1615 memcpy(check+5,MAC,4);
1616 Dbprintf(" AA: %02x %02x %02x %02x",
1617 check[5], check[6], check[7],check[8]);
1618 ReaderTransmitIClass(check, sizeof(check));
1619 if(ReaderReceiveIClass(resp) == 4) {
1620 Dbprintf(" AR: %02x %02x %02x %02x",
1621 resp[0], resp[1], resp[2],resp[3]);
1622 }else {
1623 Dbprintf("Error: Authentication Fail!");
1624 return;
1625 }
1626 Dbprintf("Dump Contents");
1627 //first get configuration block
1628 read_success=false;
1629 read[1]=1;
1630 uint8_t *blockno=&read[1];
1631 crc = iclass_crc16((char *)blockno,1);
1632 read[2] = crc >> 8;
1633 read[3] = crc & 0xff;
1634 while(!read_success){
1635 ReaderTransmitIClass(read, sizeof(read));
1636 if(ReaderReceiveIClass(resp) == 10) {
1637 read_success=true;
1638 mem=resp[5];
1639 memory.k16= (mem & 0x80);
1640 memory.book= (mem & 0x20);
1641 memory.k2= (mem & 0x8);
1642 memory.lockauth= (mem & 0x2);
1643 memory.keyaccess= (mem & 0x1);
1644
1645 }
1646 }
1647 if (memory.k16){
1648 cardsize=255;
1649 }else cardsize=32;
1650 //then loop around remaining blocks
1651 for(uint8_t j=0; j<cardsize; j++){
1652 read_success=false;
1653 uint8_t *blockno=&j;
1654 //crc_data[0]=j;
1655 read[1]=j;
1656 crc = iclass_crc16((char *)blockno,1);
1657 read[2] = crc >> 8;
1658 read[3] = crc & 0xff;
1659 while(!read_success){
1660 ReaderTransmitIClass(read, sizeof(read));
1661 if(ReaderReceiveIClass(resp) == 10) {
1662 read_success=true;
1663 Dbprintf(" %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
1664 j, resp[0], resp[1], resp[2],
1665 resp[3], resp[4], resp[5],
1666 resp[6], resp[7]);
1667 }
1668 }
1669 }
1670 }
1671 }
1672 WDT_HIT();
1673 }
1674
1675 LED_A_OFF();
1676 }
1677
1678 //1. Create Method to Read sectors/blocks 0,1,2 and Send to client
1679 void IClass_iso14443A_GetPublic(uint8_t arg0) {
1680 uint8_t act_all[] = { 0x0a };
1681 uint8_t identify[] = { 0x0c };
1682 uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1683 uint8_t readcheck_cc[]= { 0x88, 0x02 };
1684
1685 uint8_t card_data[24]={0};
1686 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1687 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1688
1689 int read_success= 0;
1690
1691 // Enable and clear the trace
1692 iso14a_set_tracing(TRUE);
1693 iso14a_clear_trace();
1694
1695 // Setup SSC
1696 FpgaSetupSsc();
1697 // Start from off (no field generated)
1698 // Signal field is off with the appropriate LED
1699 LED_D_OFF();
1700 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1701 SpinDelay(200);
1702
1703 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1704
1705 // Now give it time to spin up.
1706 // Signal field is on with the appropriate LED
1707 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1708 SpinDelay(200);
1709
1710 LED_A_ON();
1711
1712 // Send act_all
1713 ReaderTransmitIClass(act_all, 1);
1714 // Card present?
1715 if(ReaderReceiveIClass(resp)) {
1716 ReaderTransmitIClass(identify, 1);
1717 if(ReaderReceiveIClass(resp) == 10) {
1718 //Copy the Anti-collision CSN to our select-packet
1719 memcpy(&select[1],resp,8);
1720 Dbprintf("Anti-collision CSN: %02x %02x %02x %02x %02x %02x %02x %02x",resp[0], resp[1], resp[2],
1721 resp[3], resp[4], resp[5],
1722 resp[6], resp[7]);
1723 //Select the card
1724 ReaderTransmitIClass(select, sizeof(select));
1725
1726 if(ReaderReceiveIClass(resp) == 10) {
1727 Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1728 resp[0], resp[1], resp[2],
1729 resp[3], resp[4], resp[5],
1730 resp[6], resp[7]);
1731 //Save CSN in response data
1732 memcpy(card_data,resp,8);
1733 //Flag that we got to at least stage 1, read CSN
1734 read_success = 1;
1735
1736 // Card selected
1737 Dbprintf("Readcheck on Sector 2");
1738 ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
1739 if(ReaderReceiveIClass(resp) == 8) {
1740 Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x",
1741 resp[0], resp[1], resp[2],
1742 resp[3], resp[4], resp[5],
1743 resp[6], resp[7]);
1744 //Save CC (e-purse) in response data
1745 memcpy(card_data+8,resp,8);
1746 //Got both
1747 read_success = 2;
1748 }
1749 }
1750 }
1751 }
1752 WDT_HIT();
1753
1754 LED_A_OFF();
1755 LED_B_ON();
1756 //Send back to client
1757 cmd_send(CMD_ACK,read_success,0,0,card_data,16);
1758 LED_B_OFF();
1759 }
1760
1761 //2. Create Read method (cut-down from above) based off responses from 1.
1762 // Since we have the MAC could continue to use replay function.
1763 //3. Create Write method
1764 /*
1765 void IClass_iso14443A_write(uint8_t arg0, uint8_t blockNo, uint8_t *data, uint8_t *MAC) {
1766 uint8_t act_all[] = { 0x0a };
1767 uint8_t identify[] = { 0x0c };
1768 uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1769 uint8_t readcheck_cc[]= { 0x88, 0x02 };
1770 uint8_t check[] = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1771 uint8_t read[] = { 0x0c, 0x00, 0x00, 0x00 };
1772 uint8_t write[] = { 0x87, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1773
1774 uint16_t crc = 0;
1775
1776 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1777
1778 // Reset trace buffer
1779 memset(trace, 0x44, RECV_CMD_OFFSET);
1780 traceLen = 0;
1781
1782 // Setup SSC
1783 FpgaSetupSsc();
1784 // Start from off (no field generated)
1785 // Signal field is off with the appropriate LED
1786 LED_D_OFF();
1787 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1788 SpinDelay(200);
1789
1790 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1791
1792 // Now give it time to spin up.
1793 // Signal field is on with the appropriate LED
1794 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1795 SpinDelay(200);
1796
1797 LED_A_ON();
1798
1799 for(int i=0;i<1;i++) {
1800
1801 if(traceLen > TRACE_SIZE) {
1802 DbpString("Trace full");
1803 break;
1804 }
1805
1806 if (BUTTON_PRESS()) break;
1807
1808 // Send act_all
1809 ReaderTransmitIClass(act_all, 1);
1810 // Card present?
1811 if(ReaderReceiveIClass(resp)) {
1812 ReaderTransmitIClass(identify, 1);
1813 if(ReaderReceiveIClass(resp) == 10) {
1814 // Select card
1815 memcpy(&select[1],resp,8);
1816 ReaderTransmitIClass(select, sizeof(select));
1817
1818 if(ReaderReceiveIClass(resp) == 10) {
1819 Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1820 resp[0], resp[1], resp[2],
1821 resp[3], resp[4], resp[5],
1822 resp[6], resp[7]);
1823 }
1824 // Card selected
1825 Dbprintf("Readcheck on Sector 2");
1826 ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
1827 if(ReaderReceiveIClass(resp) == 8) {
1828 Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x",
1829 resp[0], resp[1], resp[2],
1830 resp[3], resp[4], resp[5],
1831 resp[6], resp[7]);
1832 }else return;
1833 Dbprintf("Authenticate");
1834 //for now replay captured auth (as cc not updated)
1835 memcpy(check+5,MAC,4);
1836 Dbprintf(" AA: %02x %02x %02x %02x",
1837 check[5], check[6], check[7],check[8]);
1838 ReaderTransmitIClass(check, sizeof(check));
1839 if(ReaderReceiveIClass(resp) == 4) {
1840 Dbprintf(" AR: %02x %02x %02x %02x",
1841 resp[0], resp[1], resp[2],resp[3]);
1842 }else {
1843 Dbprintf("Error: Authentication Fail!");
1844 return;
1845 }
1846 Dbprintf("Write Block");
1847
1848 //read configuration for max block number
1849 read_success=false;
1850 read[1]=1;
1851 uint8_t *blockno=&read[1];
1852 crc = iclass_crc16((char *)blockno,1);
1853 read[2] = crc >> 8;
1854 read[3] = crc & 0xff;
1855 while(!read_success){
1856 ReaderTransmitIClass(read, sizeof(read));
1857 if(ReaderReceiveIClass(resp) == 10) {
1858 read_success=true;
1859 mem=resp[5];
1860 memory.k16= (mem & 0x80);
1861 memory.book= (mem & 0x20);
1862 memory.k2= (mem & 0x8);
1863 memory.lockauth= (mem & 0x2);
1864 memory.keyaccess= (mem & 0x1);
1865
1866 }
1867 }
1868 if (memory.k16){
1869 cardsize=255;
1870 }else cardsize=32;
1871 //check card_size
1872
1873 memcpy(write+1,blockNo,1);
1874 memcpy(write+2,data,8);
1875 memcpy(write+10,mac,4);
1876 while(!send_success){
1877 ReaderTransmitIClass(write, sizeof(write));
1878 if(ReaderReceiveIClass(resp) == 10) {
1879 write_success=true;
1880 }
1881 }//
1882 }
1883 WDT_HIT();
1884 }
1885
1886 LED_A_OFF();
1887 }*/
Impressum, Datenschutz