]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443a.c
setting svn:eol-style=native on files, part 3
[proxmark3-svn] / armsrc / iso14443a.c
1 //-----------------------------------------------------------------------------
2 // Gerhard de Koning Gans - May 2008
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Routines to support ISO 14443 type A.
9 //-----------------------------------------------------------------------------
10
11 #include "proxmark3.h"
12 #include "apps.h"
13 #include "util.h"
14 #include "string.h"
15
16 #include "iso14443crc.h"
17
18 static uint8_t *trace = (uint8_t *) BigBuf;
19 static int traceLen = 0;
20 static int rsamples = 0;
21 static int tracing = TRUE;
22
23 typedef enum {
24 SEC_D = 1,
25 SEC_E = 2,
26 SEC_F = 3,
27 SEC_X = 4,
28 SEC_Y = 5,
29 SEC_Z = 6
30 } SecType;
31
32 static const uint8_t OddByteParity[256] = {
33 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
34 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
35 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
36 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
37 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
38 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
39 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
40 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
41 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
42 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
43 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
44 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
45 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
46 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
47 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
48 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
49 };
50
51 // BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
52 #define RECV_CMD_OFFSET 3032
53 #define RECV_RES_OFFSET 3096
54 #define DMA_BUFFER_OFFSET 3160
55 #define DMA_BUFFER_SIZE 4096
56 #define TRACE_LENGTH 3000
57
58 //-----------------------------------------------------------------------------
59 // Generate the parity value for a byte sequence
60 //
61 //-----------------------------------------------------------------------------
62 uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
63 {
64 int i;
65 uint32_t dwPar = 0;
66
67 // Generate the encrypted data
68 for (i = 0; i < iLen; i++) {
69 // Save the encrypted parity bit
70 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
71 }
72 return dwPar;
73 }
74
75 static void AppendCrc14443a(uint8_t* data, int len)
76 {
77 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
78 }
79
80 int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
81 {
82 // Return when trace is full
83 if (traceLen >= TRACE_LENGTH) return FALSE;
84
85 // Trace the random, i'm curious
86 rsamples += iSamples;
87 trace[traceLen++] = ((rsamples >> 0) & 0xff);
88 trace[traceLen++] = ((rsamples >> 8) & 0xff);
89 trace[traceLen++] = ((rsamples >> 16) & 0xff);
90 trace[traceLen++] = ((rsamples >> 24) & 0xff);
91 if (!bReader) {
92 trace[traceLen - 1] |= 0x80;
93 }
94 trace[traceLen++] = ((dwParity >> 0) & 0xff);
95 trace[traceLen++] = ((dwParity >> 8) & 0xff);
96 trace[traceLen++] = ((dwParity >> 16) & 0xff);
97 trace[traceLen++] = ((dwParity >> 24) & 0xff);
98 trace[traceLen++] = iLen;
99 memcpy(trace + traceLen, btBytes, iLen);
100 traceLen += iLen;
101 return TRUE;
102 }
103
104 int LogTraceInfo(byte_t* data, size_t len)
105 {
106 return LogTrace(data,len,0,GetParity(data,len),TRUE);
107 }
108
109 //-----------------------------------------------------------------------------
110 // The software UART that receives commands from the reader, and its state
111 // variables.
112 //-----------------------------------------------------------------------------
113 static struct {
114 enum {
115 STATE_UNSYNCD,
116 STATE_START_OF_COMMUNICATION,
117 STATE_MILLER_X,
118 STATE_MILLER_Y,
119 STATE_MILLER_Z,
120 STATE_ERROR_WAIT
121 } state;
122 uint16_t shiftReg;
123 int bitCnt;
124 int byteCnt;
125 int byteCntMax;
126 int posCnt;
127 int syncBit;
128 int parityBits;
129 int samples;
130 int highCnt;
131 int bitBuffer;
132 enum {
133 DROP_NONE,
134 DROP_FIRST_HALF,
135 DROP_SECOND_HALF
136 } drop;
137 uint8_t *output;
138 } Uart;
139
140 static int MillerDecoding(int bit)
141 {
142 int error = 0;
143 int bitright;
144
145 if(!Uart.bitBuffer) {
146 Uart.bitBuffer = bit ^ 0xFF0;
147 return FALSE;
148 }
149 else {
150 Uart.bitBuffer <<= 4;
151 Uart.bitBuffer ^= bit;
152 }
153
154 int EOC = FALSE;
155
156 if(Uart.state != STATE_UNSYNCD) {
157 Uart.posCnt++;
158
159 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
160 bit = 0x00;
161 }
162 else {
163 bit = 0x01;
164 }
165 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
166 bitright = 0x00;
167 }
168 else {
169 bitright = 0x01;
170 }
171 if(bit != bitright) { bit = bitright; }
172
173 if(Uart.posCnt == 1) {
174 // measurement first half bitperiod
175 if(!bit) {
176 Uart.drop = DROP_FIRST_HALF;
177 }
178 }
179 else {
180 // measurement second half bitperiod
181 if(!bit & (Uart.drop == DROP_NONE)) {
182 Uart.drop = DROP_SECOND_HALF;
183 }
184 else if(!bit) {
185 // measured a drop in first and second half
186 // which should not be possible
187 Uart.state = STATE_ERROR_WAIT;
188 error = 0x01;
189 }
190
191 Uart.posCnt = 0;
192
193 switch(Uart.state) {
194 case STATE_START_OF_COMMUNICATION:
195 Uart.shiftReg = 0;
196 if(Uart.drop == DROP_SECOND_HALF) {
197 // error, should not happen in SOC
198 Uart.state = STATE_ERROR_WAIT;
199 error = 0x02;
200 }
201 else {
202 // correct SOC
203 Uart.state = STATE_MILLER_Z;
204 }
205 break;
206
207 case STATE_MILLER_Z:
208 Uart.bitCnt++;
209 Uart.shiftReg >>= 1;
210 if(Uart.drop == DROP_NONE) {
211 // logic '0' followed by sequence Y
212 // end of communication
213 Uart.state = STATE_UNSYNCD;
214 EOC = TRUE;
215 }
216 // if(Uart.drop == DROP_FIRST_HALF) {
217 // Uart.state = STATE_MILLER_Z; stay the same
218 // we see a logic '0' }
219 if(Uart.drop == DROP_SECOND_HALF) {
220 // we see a logic '1'
221 Uart.shiftReg |= 0x100;
222 Uart.state = STATE_MILLER_X;
223 }
224 break;
225
226 case STATE_MILLER_X:
227 Uart.shiftReg >>= 1;
228 if(Uart.drop == DROP_NONE) {
229 // sequence Y, we see a '0'
230 Uart.state = STATE_MILLER_Y;
231 Uart.bitCnt++;
232 }
233 if(Uart.drop == DROP_FIRST_HALF) {
234 // Would be STATE_MILLER_Z
235 // but Z does not follow X, so error
236 Uart.state = STATE_ERROR_WAIT;
237 error = 0x03;
238 }
239 if(Uart.drop == DROP_SECOND_HALF) {
240 // We see a '1' and stay in state X
241 Uart.shiftReg |= 0x100;
242 Uart.bitCnt++;
243 }
244 break;
245
246 case STATE_MILLER_Y:
247 Uart.bitCnt++;
248 Uart.shiftReg >>= 1;
249 if(Uart.drop == DROP_NONE) {
250 // logic '0' followed by sequence Y
251 // end of communication
252 Uart.state = STATE_UNSYNCD;
253 EOC = TRUE;
254 }
255 if(Uart.drop == DROP_FIRST_HALF) {
256 // we see a '0'
257 Uart.state = STATE_MILLER_Z;
258 }
259 if(Uart.drop == DROP_SECOND_HALF) {
260 // We see a '1' and go to state X
261 Uart.shiftReg |= 0x100;
262 Uart.state = STATE_MILLER_X;
263 }
264 break;
265
266 case STATE_ERROR_WAIT:
267 // That went wrong. Now wait for at least two bit periods
268 // and try to sync again
269 if(Uart.drop == DROP_NONE) {
270 Uart.highCnt = 6;
271 Uart.state = STATE_UNSYNCD;
272 }
273 break;
274
275 default:
276 Uart.state = STATE_UNSYNCD;
277 Uart.highCnt = 0;
278 break;
279 }
280
281 Uart.drop = DROP_NONE;
282
283 // should have received at least one whole byte...
284 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
285 return TRUE;
286 }
287
288 if(Uart.bitCnt == 9) {
289 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
290 Uart.byteCnt++;
291
292 Uart.parityBits <<= 1;
293 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
294
295 if(EOC) {
296 // when End of Communication received and
297 // all data bits processed..
298 return TRUE;
299 }
300 Uart.bitCnt = 0;
301 }
302
303 /*if(error) {
304 Uart.output[Uart.byteCnt] = 0xAA;
305 Uart.byteCnt++;
306 Uart.output[Uart.byteCnt] = error & 0xFF;
307 Uart.byteCnt++;
308 Uart.output[Uart.byteCnt] = 0xAA;
309 Uart.byteCnt++;
310 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
311 Uart.byteCnt++;
312 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
313 Uart.byteCnt++;
314 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
315 Uart.byteCnt++;
316 Uart.output[Uart.byteCnt] = 0xAA;
317 Uart.byteCnt++;
318 return TRUE;
319 }*/
320 }
321
322 }
323 else {
324 bit = Uart.bitBuffer & 0xf0;
325 bit >>= 4;
326 bit ^= 0x0F;
327 if(bit) {
328 // should have been high or at least (4 * 128) / fc
329 // according to ISO this should be at least (9 * 128 + 20) / fc
330 if(Uart.highCnt == 8) {
331 // we went low, so this could be start of communication
332 // it turns out to be safer to choose a less significant
333 // syncbit... so we check whether the neighbour also represents the drop
334 Uart.posCnt = 1; // apparently we are busy with our first half bit period
335 Uart.syncBit = bit & 8;
336 Uart.samples = 3;
337 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
338 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
339 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
340 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
341 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
342 if(Uart.syncBit & (Uart.bitBuffer & 8)) {
343 Uart.syncBit = 8;
344
345 // the first half bit period is expected in next sample
346 Uart.posCnt = 0;
347 Uart.samples = 3;
348 }
349 }
350 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
351
352 Uart.syncBit <<= 4;
353 Uart.state = STATE_START_OF_COMMUNICATION;
354 Uart.drop = DROP_FIRST_HALF;
355 Uart.bitCnt = 0;
356 Uart.byteCnt = 0;
357 Uart.parityBits = 0;
358 error = 0;
359 }
360 else {
361 Uart.highCnt = 0;
362 }
363 }
364 else {
365 if(Uart.highCnt < 8) {
366 Uart.highCnt++;
367 }
368 }
369 }
370
371 return FALSE;
372 }
373
374 //=============================================================================
375 // ISO 14443 Type A - Manchester
376 //=============================================================================
377
378 static struct {
379 enum {
380 DEMOD_UNSYNCD,
381 DEMOD_START_OF_COMMUNICATION,
382 DEMOD_MANCHESTER_D,
383 DEMOD_MANCHESTER_E,
384 DEMOD_MANCHESTER_F,
385 DEMOD_ERROR_WAIT
386 } state;
387 int bitCount;
388 int posCount;
389 int syncBit;
390 int parityBits;
391 uint16_t shiftReg;
392 int buffer;
393 int buff;
394 int samples;
395 int len;
396 enum {
397 SUB_NONE,
398 SUB_FIRST_HALF,
399 SUB_SECOND_HALF
400 } sub;
401 uint8_t *output;
402 } Demod;
403
404 static int ManchesterDecoding(int v)
405 {
406 int bit;
407 int modulation;
408 int error = 0;
409
410 if(!Demod.buff) {
411 Demod.buff = 1;
412 Demod.buffer = v;
413 return FALSE;
414 }
415 else {
416 bit = Demod.buffer;
417 Demod.buffer = v;
418 }
419
420 if(Demod.state==DEMOD_UNSYNCD) {
421 Demod.output[Demod.len] = 0xfa;
422 Demod.syncBit = 0;
423 //Demod.samples = 0;
424 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
425 if(bit & 0x08) { Demod.syncBit = 0x08; }
426 if(!Demod.syncBit) {
427 if(bit & 0x04) { Demod.syncBit = 0x04; }
428 }
429 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
430 if(!Demod.syncBit) {
431 if(bit & 0x02) { Demod.syncBit = 0x02; }
432 }
433 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
434 if(!Demod.syncBit) {
435 if(bit & 0x01) { Demod.syncBit = 0x01; }
436
437 if(Demod.syncBit & (Demod.buffer & 0x08)) {
438 Demod.syncBit = 0x08;
439
440 // The first half bitperiod is expected in next sample
441 Demod.posCount = 0;
442 Demod.output[Demod.len] = 0xfb;
443 }
444 }
445 else if(bit & 0x01) { Demod.syncBit = 0x01; }
446
447 if(Demod.syncBit) {
448 Demod.len = 0;
449 Demod.state = DEMOD_START_OF_COMMUNICATION;
450 Demod.sub = SUB_FIRST_HALF;
451 Demod.bitCount = 0;
452 Demod.shiftReg = 0;
453 Demod.parityBits = 0;
454 Demod.samples = 0;
455 if(Demod.posCount) {
456 switch(Demod.syncBit) {
457 case 0x08: Demod.samples = 3; break;
458 case 0x04: Demod.samples = 2; break;
459 case 0x02: Demod.samples = 1; break;
460 case 0x01: Demod.samples = 0; break;
461 }
462 }
463 error = 0;
464 }
465 }
466 else {
467 //modulation = bit & Demod.syncBit;
468 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
469
470 Demod.samples += 4;
471
472 if(Demod.posCount==0) {
473 Demod.posCount = 1;
474 if(modulation) {
475 Demod.sub = SUB_FIRST_HALF;
476 }
477 else {
478 Demod.sub = SUB_NONE;
479 }
480 }
481 else {
482 Demod.posCount = 0;
483 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
484 if(Demod.state!=DEMOD_ERROR_WAIT) {
485 Demod.state = DEMOD_ERROR_WAIT;
486 Demod.output[Demod.len] = 0xaa;
487 error = 0x01;
488 }
489 }
490 else if(modulation) {
491 Demod.sub = SUB_SECOND_HALF;
492 }
493
494 switch(Demod.state) {
495 case DEMOD_START_OF_COMMUNICATION:
496 if(Demod.sub == SUB_FIRST_HALF) {
497 Demod.state = DEMOD_MANCHESTER_D;
498 }
499 else {
500 Demod.output[Demod.len] = 0xab;
501 Demod.state = DEMOD_ERROR_WAIT;
502 error = 0x02;
503 }
504 break;
505
506 case DEMOD_MANCHESTER_D:
507 case DEMOD_MANCHESTER_E:
508 if(Demod.sub == SUB_FIRST_HALF) {
509 Demod.bitCount++;
510 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
511 Demod.state = DEMOD_MANCHESTER_D;
512 }
513 else if(Demod.sub == SUB_SECOND_HALF) {
514 Demod.bitCount++;
515 Demod.shiftReg >>= 1;
516 Demod.state = DEMOD_MANCHESTER_E;
517 }
518 else {
519 Demod.state = DEMOD_MANCHESTER_F;
520 }
521 break;
522
523 case DEMOD_MANCHESTER_F:
524 // Tag response does not need to be a complete byte!
525 if(Demod.len > 0 || Demod.bitCount > 0) {
526 if(Demod.bitCount > 0) {
527 Demod.shiftReg >>= (9 - Demod.bitCount);
528 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
529 Demod.len++;
530 // No parity bit, so just shift a 0
531 Demod.parityBits <<= 1;
532 }
533
534 Demod.state = DEMOD_UNSYNCD;
535 return TRUE;
536 }
537 else {
538 Demod.output[Demod.len] = 0xad;
539 Demod.state = DEMOD_ERROR_WAIT;
540 error = 0x03;
541 }
542 break;
543
544 case DEMOD_ERROR_WAIT:
545 Demod.state = DEMOD_UNSYNCD;
546 break;
547
548 default:
549 Demod.output[Demod.len] = 0xdd;
550 Demod.state = DEMOD_UNSYNCD;
551 break;
552 }
553
554 if(Demod.bitCount>=9) {
555 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
556 Demod.len++;
557
558 Demod.parityBits <<= 1;
559 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
560
561 Demod.bitCount = 0;
562 Demod.shiftReg = 0;
563 }
564
565 /*if(error) {
566 Demod.output[Demod.len] = 0xBB;
567 Demod.len++;
568 Demod.output[Demod.len] = error & 0xFF;
569 Demod.len++;
570 Demod.output[Demod.len] = 0xBB;
571 Demod.len++;
572 Demod.output[Demod.len] = bit & 0xFF;
573 Demod.len++;
574 Demod.output[Demod.len] = Demod.buffer & 0xFF;
575 Demod.len++;
576 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
577 Demod.len++;
578 Demod.output[Demod.len] = 0xBB;
579 Demod.len++;
580 return TRUE;
581 }*/
582
583 }
584
585 } // end (state != UNSYNCED)
586
587 return FALSE;
588 }
589
590 //=============================================================================
591 // Finally, a `sniffer' for ISO 14443 Type A
592 // Both sides of communication!
593 //=============================================================================
594
595 //-----------------------------------------------------------------------------
596 // Record the sequence of commands sent by the reader to the tag, with
597 // triggering so that we start recording at the point that the tag is moved
598 // near the reader.
599 //-----------------------------------------------------------------------------
600 void SnoopIso14443a(void)
601 {
602 // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
603 // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
604 // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
605 // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
606 // #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
607
608 // We won't start recording the frames that we acquire until we trigger;
609 // a good trigger condition to get started is probably when we see a
610 // response from the tag.
611 int triggered = TRUE; // FALSE to wait first for card
612
613 // The command (reader -> tag) that we're receiving.
614 // The length of a received command will in most cases be no more than 18 bytes.
615 // So 32 should be enough!
616 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
617 // The response (tag -> reader) that we're receiving.
618 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
619
620 // As we receive stuff, we copy it from receivedCmd or receivedResponse
621 // into trace, along with its length and other annotations.
622 //uint8_t *trace = (uint8_t *)BigBuf;
623 //int traceLen = 0;
624
625 // The DMA buffer, used to stream samples from the FPGA
626 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
627 int lastRxCounter;
628 int8_t *upTo;
629 int smpl;
630 int maxBehindBy = 0;
631
632 // Count of samples received so far, so that we can include timing
633 // information in the trace buffer.
634 int samples = 0;
635 int rsamples = 0;
636
637 memset(trace, 0x44, RECV_CMD_OFFSET);
638
639 // Set up the demodulator for tag -> reader responses.
640 Demod.output = receivedResponse;
641 Demod.len = 0;
642 Demod.state = DEMOD_UNSYNCD;
643
644 // And the reader -> tag commands
645 memset(&Uart, 0, sizeof(Uart));
646 Uart.output = receivedCmd;
647 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
648 Uart.state = STATE_UNSYNCD;
649
650 // And put the FPGA in the appropriate mode
651 // Signal field is off with the appropriate LED
652 LED_D_OFF();
653 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
654 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
655
656 // Setup for the DMA.
657 FpgaSetupSsc();
658 upTo = dmaBuf;
659 lastRxCounter = DMA_BUFFER_SIZE;
660 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
661
662 LED_A_ON();
663
664 // And now we loop, receiving samples.
665 for(;;) {
666 WDT_HIT();
667 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
668 (DMA_BUFFER_SIZE-1);
669 if(behindBy > maxBehindBy) {
670 maxBehindBy = behindBy;
671 if(behindBy > 400) {
672 DbpString("blew circular buffer!");
673 goto done;
674 }
675 }
676 if(behindBy < 1) continue;
677
678 smpl = upTo[0];
679 upTo++;
680 lastRxCounter -= 1;
681 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
682 upTo -= DMA_BUFFER_SIZE;
683 lastRxCounter += DMA_BUFFER_SIZE;
684 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
685 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
686 }
687
688 samples += 4;
689 #define HANDLE_BIT_IF_BODY \
690 LED_C_ON(); \
691 if(triggered) { \
692 trace[traceLen++] = ((rsamples >> 0) & 0xff); \
693 trace[traceLen++] = ((rsamples >> 8) & 0xff); \
694 trace[traceLen++] = ((rsamples >> 16) & 0xff); \
695 trace[traceLen++] = ((rsamples >> 24) & 0xff); \
696 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff); \
697 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff); \
698 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff); \
699 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff); \
700 trace[traceLen++] = Uart.byteCnt; \
701 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); \
702 traceLen += Uart.byteCnt; \
703 if(traceLen > TRACE_LENGTH) break; \
704 } \
705 /* And ready to receive another command. */ \
706 Uart.state = STATE_UNSYNCD; \
707 /* And also reset the demod code, which might have been */ \
708 /* false-triggered by the commands from the reader. */ \
709 Demod.state = DEMOD_UNSYNCD; \
710 LED_B_OFF(); \
711
712 if(MillerDecoding((smpl & 0xF0) >> 4)) {
713 rsamples = samples - Uart.samples;
714 HANDLE_BIT_IF_BODY
715 }
716 if(ManchesterDecoding(smpl & 0x0F)) {
717 rsamples = samples - Demod.samples;
718 LED_B_ON();
719
720 // timestamp, as a count of samples
721 trace[traceLen++] = ((rsamples >> 0) & 0xff);
722 trace[traceLen++] = ((rsamples >> 8) & 0xff);
723 trace[traceLen++] = ((rsamples >> 16) & 0xff);
724 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
725 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
726 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
727 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
728 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
729 // length
730 trace[traceLen++] = Demod.len;
731 memcpy(trace+traceLen, receivedResponse, Demod.len);
732 traceLen += Demod.len;
733 if(traceLen > TRACE_LENGTH) break;
734
735 triggered = TRUE;
736
737 // And ready to receive another response.
738 memset(&Demod, 0, sizeof(Demod));
739 Demod.output = receivedResponse;
740 Demod.state = DEMOD_UNSYNCD;
741 LED_C_OFF();
742 }
743
744 if(BUTTON_PRESS()) {
745 DbpString("cancelled_a");
746 goto done;
747 }
748 }
749
750 DbpString("COMMAND FINISHED");
751
752 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
753 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
754
755 done:
756 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
757 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
758 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
759 LED_A_OFF();
760 LED_B_OFF();
761 LED_C_OFF();
762 LED_D_OFF();
763 }
764
765 // Prepare communication bits to send to FPGA
766 void Sequence(SecType seq)
767 {
768 ToSendMax++;
769 switch(seq) {
770 // CARD TO READER
771 case SEC_D:
772 // Sequence D: 11110000
773 // modulation with subcarrier during first half
774 ToSend[ToSendMax] = 0xf0;
775 break;
776 case SEC_E:
777 // Sequence E: 00001111
778 // modulation with subcarrier during second half
779 ToSend[ToSendMax] = 0x0f;
780 break;
781 case SEC_F:
782 // Sequence F: 00000000
783 // no modulation with subcarrier
784 ToSend[ToSendMax] = 0x00;
785 break;
786 // READER TO CARD
787 case SEC_X:
788 // Sequence X: 00001100
789 // drop after half a period
790 ToSend[ToSendMax] = 0x0c;
791 break;
792 case SEC_Y:
793 default:
794 // Sequence Y: 00000000
795 // no drop
796 ToSend[ToSendMax] = 0x00;
797 break;
798 case SEC_Z:
799 // Sequence Z: 11000000
800 // drop at start
801 ToSend[ToSendMax] = 0xc0;
802 break;
803 }
804 }
805
806 //-----------------------------------------------------------------------------
807 // Prepare tag messages
808 //-----------------------------------------------------------------------------
809 static void CodeIso14443aAsTag(const uint8_t *cmd, int len)
810 {
811 int i;
812 int oddparity;
813
814 ToSendReset();
815
816 // Correction bit, might be removed when not needed
817 ToSendStuffBit(0);
818 ToSendStuffBit(0);
819 ToSendStuffBit(0);
820 ToSendStuffBit(0);
821 ToSendStuffBit(1); // 1
822 ToSendStuffBit(0);
823 ToSendStuffBit(0);
824 ToSendStuffBit(0);
825
826 // Send startbit
827 Sequence(SEC_D);
828
829 for(i = 0; i < len; i++) {
830 int j;
831 uint8_t b = cmd[i];
832
833 // Data bits
834 oddparity = 0x01;
835 for(j = 0; j < 8; j++) {
836 oddparity ^= (b & 1);
837 if(b & 1) {
838 Sequence(SEC_D);
839 } else {
840 Sequence(SEC_E);
841 }
842 b >>= 1;
843 }
844
845 // Parity bit
846 if(oddparity) {
847 Sequence(SEC_D);
848 } else {
849 Sequence(SEC_E);
850 }
851 }
852
853 // Send stopbit
854 Sequence(SEC_F);
855
856 // Flush the buffer in FPGA!!
857 for(i = 0; i < 5; i++) {
858 Sequence(SEC_F);
859 }
860
861 // Convert from last byte pos to length
862 ToSendMax++;
863
864 // Add a few more for slop
865 ToSend[ToSendMax++] = 0x00;
866 ToSend[ToSendMax++] = 0x00;
867 //ToSendMax += 2;
868 }
869
870 //-----------------------------------------------------------------------------
871 // This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
872 //-----------------------------------------------------------------------------
873 static void CodeStrangeAnswer()
874 {
875 int i;
876
877 ToSendReset();
878
879 // Correction bit, might be removed when not needed
880 ToSendStuffBit(0);
881 ToSendStuffBit(0);
882 ToSendStuffBit(0);
883 ToSendStuffBit(0);
884 ToSendStuffBit(1); // 1
885 ToSendStuffBit(0);
886 ToSendStuffBit(0);
887 ToSendStuffBit(0);
888
889 // Send startbit
890 Sequence(SEC_D);
891
892 // 0
893 Sequence(SEC_E);
894
895 // 0
896 Sequence(SEC_E);
897
898 // 1
899 Sequence(SEC_D);
900
901 // Send stopbit
902 Sequence(SEC_F);
903
904 // Flush the buffer in FPGA!!
905 for(i = 0; i < 5; i++) {
906 Sequence(SEC_F);
907 }
908
909 // Convert from last byte pos to length
910 ToSendMax++;
911
912 // Add a few more for slop
913 ToSend[ToSendMax++] = 0x00;
914 ToSend[ToSendMax++] = 0x00;
915 //ToSendMax += 2;
916 }
917
918 //-----------------------------------------------------------------------------
919 // Wait for commands from reader
920 // Stop when button is pressed
921 // Or return TRUE when command is captured
922 //-----------------------------------------------------------------------------
923 static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
924 {
925 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
926 // only, since we are receiving, not transmitting).
927 // Signal field is off with the appropriate LED
928 LED_D_OFF();
929 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
930
931 // Now run a `software UART' on the stream of incoming samples.
932 Uart.output = received;
933 Uart.byteCntMax = maxLen;
934 Uart.state = STATE_UNSYNCD;
935
936 for(;;) {
937 WDT_HIT();
938
939 if(BUTTON_PRESS()) return FALSE;
940
941 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
942 AT91C_BASE_SSC->SSC_THR = 0x00;
943 }
944 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
945 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
946 if(MillerDecoding((b & 0xf0) >> 4)) {
947 *len = Uart.byteCnt;
948 return TRUE;
949 }
950 if(MillerDecoding(b & 0x0f)) {
951 *len = Uart.byteCnt;
952 return TRUE;
953 }
954 }
955 }
956 }
957
958 //-----------------------------------------------------------------------------
959 // Main loop of simulated tag: receive commands from reader, decide what
960 // response to send, and send it.
961 //-----------------------------------------------------------------------------
962 void SimulateIso14443aTag(int tagType, int TagUid)
963 {
964 // This function contains the tag emulation
965
966 // Prepare protocol messages
967 // static const uint8_t cmd1[] = { 0x26 };
968 // static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
969 //
970 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
971 // static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
972
973 // UID response
974 // static const uint8_t cmd2[] = { 0x93, 0x20 };
975 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
976
977
978
979 // my desfire
980 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
981
982
983 // When reader selects us during cascade1 it will send cmd3
984 //uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
985 uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
986 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
987
988 // send cascade2 2nd half of UID
989 static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
990 // NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
991
992
993 // When reader selects us during cascade2 it will send cmd3a
994 //uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
995 uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
996 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
997
998 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
999
1000 uint8_t *resp;
1001 int respLen;
1002
1003 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
1004 // This will need
1005 // 144 data bits (18 * 8)
1006 // 18 parity bits
1007 // 2 Start and stop
1008 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
1009 // 1 just for the case
1010 // ----------- +
1011 // 166
1012 //
1013 // 166 bytes, since every bit that needs to be send costs us a byte
1014 //
1015
1016
1017 // Respond with card type
1018 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
1019 int resp1Len;
1020
1021 // Anticollision cascade1 - respond with uid
1022 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
1023 int resp2Len;
1024
1025 // Anticollision cascade2 - respond with 2nd half of uid if asked
1026 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
1027 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
1028 int resp2aLen;
1029
1030 // Acknowledge select - cascade 1
1031 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
1032 int resp3Len;
1033
1034 // Acknowledge select - cascade 2
1035 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
1036 int resp3aLen;
1037
1038 // Response to a read request - not implemented atm
1039 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
1040 int resp4Len;
1041
1042 // Authenticate response - nonce
1043 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
1044 int resp5Len;
1045
1046 uint8_t *receivedCmd = (uint8_t *)BigBuf;
1047 int len;
1048
1049 int i;
1050 int u;
1051 uint8_t b;
1052
1053 // To control where we are in the protocol
1054 int order = 0;
1055 int lastorder;
1056
1057 // Just to allow some checks
1058 int happened = 0;
1059 int happened2 = 0;
1060
1061 int cmdsRecvd = 0;
1062
1063 int fdt_indicator;
1064
1065 memset(receivedCmd, 0x44, 400);
1066
1067 // Prepare the responses of the anticollision phase
1068 // there will be not enough time to do this at the moment the reader sends it REQA
1069
1070 // Answer to request
1071 CodeIso14443aAsTag(response1, sizeof(response1));
1072 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1073
1074 // Send our UID (cascade 1)
1075 CodeIso14443aAsTag(response2, sizeof(response2));
1076 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1077
1078 // Answer to select (cascade1)
1079 CodeIso14443aAsTag(response3, sizeof(response3));
1080 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1081
1082 // Send the cascade 2 2nd part of the uid
1083 CodeIso14443aAsTag(response2a, sizeof(response2a));
1084 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1085
1086 // Answer to select (cascade 2)
1087 CodeIso14443aAsTag(response3a, sizeof(response3a));
1088 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1089
1090 // Strange answer is an example of rare message size (3 bits)
1091 CodeStrangeAnswer();
1092 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1093
1094 // Authentication answer (random nonce)
1095 CodeIso14443aAsTag(response5, sizeof(response5));
1096 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1097
1098 // We need to listen to the high-frequency, peak-detected path.
1099 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1100 FpgaSetupSsc();
1101
1102 cmdsRecvd = 0;
1103
1104 LED_A_ON();
1105 for(;;) {
1106
1107 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1108 DbpString("button press");
1109 break;
1110 }
1111 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1112 // Okay, look at the command now.
1113 lastorder = order;
1114 i = 1; // first byte transmitted
1115 if(receivedCmd[0] == 0x26) {
1116 // Received a REQUEST
1117 resp = resp1; respLen = resp1Len; order = 1;
1118 //DbpString("Hello request from reader:");
1119 } else if(receivedCmd[0] == 0x52) {
1120 // Received a WAKEUP
1121 resp = resp1; respLen = resp1Len; order = 6;
1122 // //DbpString("Wakeup request from reader:");
1123
1124 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1125 // Received request for UID (cascade 1)
1126 resp = resp2; respLen = resp2Len; order = 2;
1127 // DbpString("UID (cascade 1) request from reader:");
1128 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1129
1130
1131 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1132 // Received request for UID (cascade 2)
1133 resp = resp2a; respLen = resp2aLen; order = 20;
1134 // DbpString("UID (cascade 2) request from reader:");
1135 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1136
1137
1138 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1139 // Received a SELECT
1140 resp = resp3; respLen = resp3Len; order = 3;
1141 // DbpString("Select (cascade 1) request from reader:");
1142 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1143
1144
1145 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1146 // Received a SELECT
1147 resp = resp3a; respLen = resp3aLen; order = 30;
1148 // DbpString("Select (cascade 2) request from reader:");
1149 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1150
1151
1152 } else if(receivedCmd[0] == 0x30) {
1153 // Received a READ
1154 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1155 Dbprintf("Read request from reader: %x %x %x",
1156 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1157
1158
1159 } else if(receivedCmd[0] == 0x50) {
1160 // Received a HALT
1161 resp = resp1; respLen = 0; order = 5; // Do nothing
1162 DbpString("Reader requested we HALT!:");
1163
1164 } else if(receivedCmd[0] == 0x60) {
1165 // Received an authentication request
1166 resp = resp5; respLen = resp5Len; order = 7;
1167 Dbprintf("Authenticate request from reader: %x %x %x",
1168 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1169
1170 } else if(receivedCmd[0] == 0xE0) {
1171 // Received a RATS request
1172 resp = resp1; respLen = 0;order = 70;
1173 Dbprintf("RATS request from reader: %x %x %x",
1174 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1175 } else {
1176 // Never seen this command before
1177 Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
1178 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1179 receivedCmd[3], receivedCmd[3], receivedCmd[4],
1180 receivedCmd[5], receivedCmd[6], receivedCmd[7]);
1181 // Do not respond
1182 resp = resp1; respLen = 0; order = 0;
1183 }
1184
1185 // Count number of wakeups received after a halt
1186 if(order == 6 && lastorder == 5) { happened++; }
1187
1188 // Count number of other messages after a halt
1189 if(order != 6 && lastorder == 5) { happened2++; }
1190
1191 // Look at last parity bit to determine timing of answer
1192 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1193 // 1236, so correction bit needed
1194 i = 0;
1195 }
1196
1197 memset(receivedCmd, 0x44, 32);
1198
1199 if(cmdsRecvd > 999) {
1200 DbpString("1000 commands later...");
1201 break;
1202 }
1203 else {
1204 cmdsRecvd++;
1205 }
1206
1207 if(respLen <= 0) continue;
1208
1209 // Modulate Manchester
1210 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1211 AT91C_BASE_SSC->SSC_THR = 0x00;
1212 FpgaSetupSsc();
1213
1214 // ### Transmit the response ###
1215 u = 0;
1216 b = 0x00;
1217 fdt_indicator = FALSE;
1218 for(;;) {
1219 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1220 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1221 (void)b;
1222 }
1223 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1224 if(i > respLen) {
1225 b = 0x00;
1226 u++;
1227 } else {
1228 b = resp[i];
1229 i++;
1230 }
1231 AT91C_BASE_SSC->SSC_THR = b;
1232
1233 if(u > 4) {
1234 break;
1235 }
1236 }
1237 if(BUTTON_PRESS()) {
1238 break;
1239 }
1240 }
1241
1242 }
1243
1244 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1245 LED_A_OFF();
1246 }
1247
1248 //-----------------------------------------------------------------------------
1249 // Transmit the command (to the tag) that was placed in ToSend[].
1250 //-----------------------------------------------------------------------------
1251 static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
1252 {
1253 int c;
1254
1255 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1256
1257 if (wait)
1258 if(*wait < 10)
1259 *wait = 10;
1260
1261 for(c = 0; c < *wait;) {
1262 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1263 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1264 c++;
1265 }
1266 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1267 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1268 (void)r;
1269 }
1270 WDT_HIT();
1271 }
1272
1273 c = 0;
1274 for(;;) {
1275 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1276 AT91C_BASE_SSC->SSC_THR = cmd[c];
1277 c++;
1278 if(c >= len) {
1279 break;
1280 }
1281 }
1282 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1283 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1284 (void)r;
1285 }
1286 WDT_HIT();
1287 }
1288 if (samples) *samples = (c + *wait) << 3;
1289 }
1290
1291 //-----------------------------------------------------------------------------
1292 // To generate an arbitrary stream from reader
1293 //
1294 //-----------------------------------------------------------------------------
1295 void ArbitraryFromReader(const uint8_t *cmd, int parity, int len)
1296 {
1297 int i;
1298 int j;
1299 int last;
1300 uint8_t b;
1301
1302 ToSendReset();
1303
1304 // Start of Communication (Seq. Z)
1305 Sequence(SEC_Z);
1306 last = 0;
1307
1308 for(i = 0; i < len; i++) {
1309 // Data bits
1310 b = cmd[i];
1311 for(j = 0; j < 8; j++) {
1312 if(b & 1) {
1313 // Sequence X
1314 Sequence(SEC_X);
1315 last = 1;
1316 } else {
1317 if(last == 0) {
1318 // Sequence Z
1319 Sequence(SEC_Z);
1320 }
1321 else {
1322 // Sequence Y
1323 Sequence(SEC_Y);
1324 last = 0;
1325 }
1326 }
1327 b >>= 1;
1328
1329 }
1330
1331 // Predefined parity bit, the flipper flips when needed, because of flips in byte sent
1332 if(((parity >> (len - i - 1)) & 1)) {
1333 // Sequence X
1334 Sequence(SEC_X);
1335 last = 1;
1336 } else {
1337 if(last == 0) {
1338 // Sequence Z
1339 Sequence(SEC_Z);
1340 }
1341 else {
1342 // Sequence Y
1343 Sequence(SEC_Y);
1344 last = 0;
1345 }
1346 }
1347 }
1348
1349 // End of Communication
1350 if(last == 0) {
1351 // Sequence Z
1352 Sequence(SEC_Z);
1353 }
1354 else {
1355 // Sequence Y
1356 Sequence(SEC_Y);
1357 last = 0;
1358 }
1359 // Sequence Y
1360 Sequence(SEC_Y);
1361
1362 // Just to be sure!
1363 Sequence(SEC_Y);
1364 Sequence(SEC_Y);
1365 Sequence(SEC_Y);
1366
1367 // Convert from last character reference to length
1368 ToSendMax++;
1369 }
1370
1371 //-----------------------------------------------------------------------------
1372 // Code a 7-bit command without parity bit
1373 // This is especially for 0x26 and 0x52 (REQA and WUPA)
1374 //-----------------------------------------------------------------------------
1375 void ShortFrameFromReader(const uint8_t bt)
1376 {
1377 int j;
1378 int last;
1379 uint8_t b;
1380
1381 ToSendReset();
1382
1383 // Start of Communication (Seq. Z)
1384 Sequence(SEC_Z);
1385 last = 0;
1386
1387 b = bt;
1388 for(j = 0; j < 7; j++) {
1389 if(b & 1) {
1390 // Sequence X
1391 Sequence(SEC_X);
1392 last = 1;
1393 } else {
1394 if(last == 0) {
1395 // Sequence Z
1396 Sequence(SEC_Z);
1397 }
1398 else {
1399 // Sequence Y
1400 Sequence(SEC_Y);
1401 last = 0;
1402 }
1403 }
1404 b >>= 1;
1405 }
1406
1407 // End of Communication
1408 if(last == 0) {
1409 // Sequence Z
1410 Sequence(SEC_Z);
1411 }
1412 else {
1413 // Sequence Y
1414 Sequence(SEC_Y);
1415 last = 0;
1416 }
1417 // Sequence Y
1418 Sequence(SEC_Y);
1419
1420 // Just to be sure!
1421 Sequence(SEC_Y);
1422 Sequence(SEC_Y);
1423 Sequence(SEC_Y);
1424
1425 // Convert from last character reference to length
1426 ToSendMax++;
1427 }
1428
1429 //-----------------------------------------------------------------------------
1430 // Prepare reader command to send to FPGA
1431 //
1432 //-----------------------------------------------------------------------------
1433 void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
1434 {
1435 int i, j;
1436 int last;
1437 uint8_t b;
1438
1439 ToSendReset();
1440
1441 // Start of Communication (Seq. Z)
1442 Sequence(SEC_Z);
1443 last = 0;
1444
1445 // Generate send structure for the data bits
1446 for (i = 0; i < len; i++) {
1447 // Get the current byte to send
1448 b = cmd[i];
1449
1450 for (j = 0; j < 8; j++) {
1451 if (b & 1) {
1452 // Sequence X
1453 Sequence(SEC_X);
1454 last = 1;
1455 } else {
1456 if (last == 0) {
1457 // Sequence Z
1458 Sequence(SEC_Z);
1459 } else {
1460 // Sequence Y
1461 Sequence(SEC_Y);
1462 last = 0;
1463 }
1464 }
1465 b >>= 1;
1466 }
1467
1468 // Get the parity bit
1469 if ((dwParity >> i) & 0x01) {
1470 // Sequence X
1471 Sequence(SEC_X);
1472 last = 1;
1473 } else {
1474 if (last == 0) {
1475 // Sequence Z
1476 Sequence(SEC_Z);
1477 } else {
1478 // Sequence Y
1479 Sequence(SEC_Y);
1480 last = 0;
1481 }
1482 }
1483 }
1484
1485 // End of Communication
1486 if (last == 0) {
1487 // Sequence Z
1488 Sequence(SEC_Z);
1489 } else {
1490 // Sequence Y
1491 Sequence(SEC_Y);
1492 last = 0;
1493 }
1494 // Sequence Y
1495 Sequence(SEC_Y);
1496
1497 // Just to be sure!
1498 Sequence(SEC_Y);
1499 Sequence(SEC_Y);
1500 Sequence(SEC_Y);
1501
1502 // Convert from last character reference to length
1503 ToSendMax++;
1504 }
1505
1506 //-----------------------------------------------------------------------------
1507 // Wait a certain time for tag response
1508 // If a response is captured return TRUE
1509 // If it takes to long return FALSE
1510 //-----------------------------------------------------------------------------
1511 static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
1512 {
1513 // buffer needs to be 512 bytes
1514 int c;
1515
1516 // Set FPGA mode to "reader listen mode", no modulation (listen
1517 // only, since we are receiving, not transmitting).
1518 // Signal field is on with the appropriate LED
1519 LED_D_ON();
1520 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1521
1522 // Now get the answer from the card
1523 Demod.output = receivedResponse;
1524 Demod.len = 0;
1525 Demod.state = DEMOD_UNSYNCD;
1526
1527 uint8_t b;
1528 if (elapsed) *elapsed = 0;
1529
1530 c = 0;
1531 for(;;) {
1532 WDT_HIT();
1533
1534 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1535 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1536 if (elapsed) (*elapsed)++;
1537 }
1538 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1539 if(c < 512) { c++; } else { return FALSE; }
1540 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1541 if(ManchesterDecoding((b & 0xf0) >> 4)) {
1542 *samples = ((c - 1) << 3) + 4;
1543 return TRUE;
1544 }
1545 if(ManchesterDecoding(b & 0x0f)) {
1546 *samples = c << 3;
1547 return TRUE;
1548 }
1549 }
1550 }
1551 }
1552
1553 void ReaderTransmitShort(const uint8_t* bt)
1554 {
1555 int wait = 0;
1556 int samples = 0;
1557
1558 ShortFrameFromReader(*bt);
1559
1560 // Select the card
1561 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1562
1563 // Store reader command in buffer
1564 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1565 }
1566
1567 void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
1568 {
1569 int wait = 0;
1570 int samples = 0;
1571
1572 // This is tied to other size changes
1573 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
1574 CodeIso14443aAsReaderPar(frame,len,par);
1575
1576 // Select the card
1577 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1578
1579 // Store reader command in buffer
1580 if (tracing) LogTrace(frame,len,0,par,TRUE);
1581 }
1582
1583
1584 void ReaderTransmit(uint8_t* frame, int len)
1585 {
1586 // Generate parity and redirect
1587 ReaderTransmitPar(frame,len,GetParity(frame,len));
1588 }
1589
1590 int ReaderReceive(uint8_t* receivedAnswer)
1591 {
1592 int samples = 0;
1593 if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
1594 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1595 return TRUE;
1596 }
1597
1598 //-----------------------------------------------------------------------------
1599 // Read an ISO 14443a tag. Send out commands and store answers.
1600 //
1601 //-----------------------------------------------------------------------------
1602 void ReaderIso14443a(uint32_t parameter)
1603 {
1604 // Anticollision
1605 uint8_t wupa[] = { 0x52 };
1606 uint8_t sel_all[] = { 0x93,0x20 };
1607 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1608 uint8_t sel_all_c2[] = { 0x95,0x20 };
1609 uint8_t sel_uid_c2[] = { 0x95,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1610
1611 // Mifare AUTH
1612 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1613 // uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00 };
1614
1615 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1616 traceLen = 0;
1617
1618 // Setup SSC
1619 FpgaSetupSsc();
1620
1621 // Start from off (no field generated)
1622 // Signal field is off with the appropriate LED
1623 LED_D_OFF();
1624 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1625 SpinDelay(200);
1626
1627 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1628 FpgaSetupSsc();
1629
1630 // Now give it time to spin up.
1631 // Signal field is on with the appropriate LED
1632 LED_D_ON();
1633 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1634 SpinDelay(200);
1635
1636 LED_A_ON();
1637 LED_B_OFF();
1638 LED_C_OFF();
1639
1640 while(traceLen < TRACE_LENGTH)
1641 {
1642 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1643 ReaderTransmitShort(wupa);
1644
1645 // Test if the action was cancelled
1646 if(BUTTON_PRESS()) {
1647 break;
1648 }
1649
1650 // Receive the ATQA
1651 if (!ReaderReceive(receivedAnswer)) continue;
1652
1653 // Transmit SELECT_ALL
1654 ReaderTransmit(sel_all,sizeof(sel_all));
1655
1656 // Receive the UID
1657 if (!ReaderReceive(receivedAnswer)) continue;
1658
1659 // Construct SELECT UID command
1660 // First copy the 5 bytes (Mifare Classic) after the 93 70
1661 memcpy(sel_uid+2,receivedAnswer,5);
1662 // Secondly compute the two CRC bytes at the end
1663 AppendCrc14443a(sel_uid,7);
1664
1665 // Transmit SELECT_UID
1666 ReaderTransmit(sel_uid,sizeof(sel_uid));
1667
1668 // Receive the SAK
1669 if (!ReaderReceive(receivedAnswer)) continue;
1670
1671 // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in
1672 // which case we need to make a cascade 2 request and select - this is a long UID
1673 // When the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1674 if (receivedAnswer[0] &= 0x04)
1675 {
1676 // Transmit SELECT_ALL
1677 ReaderTransmit(sel_all_c2,sizeof(sel_all_c2));
1678
1679 // Receive the UID
1680 if (!ReaderReceive(receivedAnswer)) continue;
1681
1682 // Construct SELECT UID command
1683 memcpy(sel_uid_c2+2,receivedAnswer,5);
1684 // Secondly compute the two CRC bytes at the end
1685 AppendCrc14443a(sel_uid_c2,7);
1686
1687 // Transmit SELECT_UID
1688 ReaderTransmit(sel_uid_c2,sizeof(sel_uid_c2));
1689
1690 // Receive the SAK
1691 if (!ReaderReceive(receivedAnswer)) continue;
1692 }
1693
1694 // Transmit MIFARE_CLASSIC_AUTH
1695 ReaderTransmit(mf_auth,sizeof(mf_auth));
1696
1697 // Receive the (16 bit) "random" nonce
1698 if (!ReaderReceive(receivedAnswer)) continue;
1699 }
1700
1701 // Thats it...
1702 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1703 LEDsoff();
1704 Dbprintf("%x %x %x", rsamples, 0xCC, 0xCC);
1705 DbpString("ready..");
1706 }
1707
1708 //-----------------------------------------------------------------------------
1709 // Read an ISO 14443a tag. Send out commands and store answers.
1710 //
1711 //-----------------------------------------------------------------------------
1712 void ReaderMifare(uint32_t parameter)
1713 {
1714
1715 // Anticollision
1716 uint8_t wupa[] = { 0x52 };
1717 uint8_t sel_all[] = { 0x93,0x20 };
1718 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1719
1720 // Mifare AUTH
1721 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1722 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1723
1724 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1725 traceLen = 0;
1726 tracing = false;
1727
1728 // Setup SSC
1729 FpgaSetupSsc();
1730
1731 // Start from off (no field generated)
1732 // Signal field is off with the appropriate LED
1733 LED_D_OFF();
1734 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1735 SpinDelay(200);
1736
1737 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1738 FpgaSetupSsc();
1739
1740 // Now give it time to spin up.
1741 // Signal field is on with the appropriate LED
1742 LED_D_ON();
1743 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1744 SpinDelay(200);
1745
1746 LED_A_ON();
1747 LED_B_OFF();
1748 LED_C_OFF();
1749
1750 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1751 ReaderTransmitShort(wupa);
1752 // Receive the ATQA
1753 ReaderReceive(receivedAnswer);
1754 // Transmit SELECT_ALL
1755 ReaderTransmit(sel_all,sizeof(sel_all));
1756 // Receive the UID
1757 ReaderReceive(receivedAnswer);
1758 // Construct SELECT UID command
1759 // First copy the 5 bytes (Mifare Classic) after the 93 70
1760 memcpy(sel_uid+2,receivedAnswer,5);
1761 // Secondly compute the two CRC bytes at the end
1762 AppendCrc14443a(sel_uid,7);
1763
1764 byte_t nt_diff = 0;
1765 LED_A_OFF();
1766 byte_t par = 0;
1767 byte_t par_mask = 0xff;
1768 byte_t par_low = 0;
1769 int led_on = TRUE;
1770
1771 tracing = FALSE;
1772 byte_t nt[4];
1773 byte_t nt_attacked[4];
1774 byte_t par_list[8];
1775 byte_t ks_list[8];
1776 num_to_bytes(parameter,4,nt_attacked);
1777
1778 while(TRUE)
1779 {
1780 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1781 SpinDelay(200);
1782 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1783
1784 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1785 ReaderTransmitShort(wupa);
1786
1787 // Test if the action was cancelled
1788 if(BUTTON_PRESS()) {
1789 break;
1790 }
1791
1792 // Receive the ATQA
1793 if (!ReaderReceive(receivedAnswer)) continue;
1794
1795 // Transmit SELECT_ALL
1796 ReaderTransmit(sel_all,sizeof(sel_all));
1797
1798 // Receive the UID
1799 if (!ReaderReceive(receivedAnswer)) continue;
1800
1801 // Transmit SELECT_UID
1802 ReaderTransmit(sel_uid,sizeof(sel_uid));
1803
1804 // Receive the SAK
1805 if (!ReaderReceive(receivedAnswer)) continue;
1806
1807 // Transmit MIFARE_CLASSIC_AUTH
1808 ReaderTransmit(mf_auth,sizeof(mf_auth));
1809
1810 // Receive the (16 bit) "random" nonce
1811 if (!ReaderReceive(receivedAnswer)) continue;
1812 memcpy(nt,receivedAnswer,4);
1813
1814 // Transmit reader nonce and reader answer
1815 ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par);
1816
1817 // Receive 4 bit answer
1818 if (ReaderReceive(receivedAnswer))
1819 {
1820 if (nt_diff == 0)
1821 {
1822 LED_A_ON();
1823 memcpy(nt_attacked,nt,4);
1824 par_mask = 0xf8;
1825 par_low = par & 0x07;
1826 }
1827
1828 if (memcmp(nt,nt_attacked,4) != 0) continue;
1829
1830 led_on = !led_on;
1831 if(led_on) LED_B_ON(); else LED_B_OFF();
1832 par_list[nt_diff] = par;
1833 ks_list[nt_diff] = receivedAnswer[0]^0x05;
1834
1835 // Test if the information is complete
1836 if (nt_diff == 0x07) break;
1837
1838 nt_diff = (nt_diff+1) & 0x07;
1839 mf_nr_ar[3] = nt_diff << 5;
1840 par = par_low;
1841 } else {
1842 if (nt_diff == 0)
1843 {
1844 par++;
1845 } else {
1846 par = (((par>>3)+1) << 3) | par_low;
1847 }
1848 }
1849 }
1850
1851 LogTraceInfo(sel_uid+2,4);
1852 LogTraceInfo(nt,4);
1853 LogTraceInfo(par_list,8);
1854 LogTraceInfo(ks_list,8);
1855
1856 // Thats it...
1857 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1858 LEDsoff();
1859 tracing = TRUE;
1860 }
Impressum, Datenschutz