]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443a.c
Flash green LED during sample transmission ("data samples" and "data hexsamples"...
[proxmark3-svn] / armsrc / iso14443a.c
1 //-----------------------------------------------------------------------------
2 // Gerhard de Koning Gans - May 2008
3 // Hagen Fritsch - June 2010
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // Routines to support ISO 14443 type A.
10 //-----------------------------------------------------------------------------
11
12 #include "proxmark3.h"
13 #include "apps.h"
14 #include "util.h"
15 #include "string.h"
16
17 #include "iso14443crc.h"
18 #include "iso14443a.h"
19
20 static uint8_t *trace = (uint8_t *) BigBuf;
21 static int traceLen = 0;
22 static int rsamples = 0;
23 static int tracing = TRUE;
24 static uint32_t iso14a_timeout;
25
26 // CARD TO READER
27 // Sequence D: 11110000 modulation with subcarrier during first half
28 // Sequence E: 00001111 modulation with subcarrier during second half
29 // Sequence F: 00000000 no modulation with subcarrier
30 // READER TO CARD
31 // Sequence X: 00001100 drop after half a period
32 // Sequence Y: 00000000 no drop
33 // Sequence Z: 11000000 drop at start
34 #define SEC_D 0xf0
35 #define SEC_E 0x0f
36 #define SEC_F 0x00
37 #define SEC_X 0x0c
38 #define SEC_Y 0x00
39 #define SEC_Z 0xc0
40
41 static const uint8_t OddByteParity[256] = {
42 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
43 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
44 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
45 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
46 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
47 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
48 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
49 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
50 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
51 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
52 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
55 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
56 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
57 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
58 };
59
60 // BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
61 #define RECV_CMD_OFFSET 3032
62 #define RECV_RES_OFFSET 3096
63 #define DMA_BUFFER_OFFSET 3160
64 #define DMA_BUFFER_SIZE 4096
65 #define TRACE_LENGTH 3000
66
67 uint8_t trigger = 0;
68 void iso14a_set_trigger(int enable) {
69 trigger = enable;
70 }
71
72 //-----------------------------------------------------------------------------
73 // Generate the parity value for a byte sequence
74 //
75 //-----------------------------------------------------------------------------
76 uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
77 {
78 int i;
79 uint32_t dwPar = 0;
80
81 // Generate the encrypted data
82 for (i = 0; i < iLen; i++) {
83 // Save the encrypted parity bit
84 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
85 }
86 return dwPar;
87 }
88
89 void AppendCrc14443a(uint8_t* data, int len)
90 {
91 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
92 }
93
94 int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
95 {
96 // Return when trace is full
97 if (traceLen >= TRACE_LENGTH) return FALSE;
98
99 // Trace the random, i'm curious
100 rsamples += iSamples;
101 trace[traceLen++] = ((rsamples >> 0) & 0xff);
102 trace[traceLen++] = ((rsamples >> 8) & 0xff);
103 trace[traceLen++] = ((rsamples >> 16) & 0xff);
104 trace[traceLen++] = ((rsamples >> 24) & 0xff);
105 if (!bReader) {
106 trace[traceLen - 1] |= 0x80;
107 }
108 trace[traceLen++] = ((dwParity >> 0) & 0xff);
109 trace[traceLen++] = ((dwParity >> 8) & 0xff);
110 trace[traceLen++] = ((dwParity >> 16) & 0xff);
111 trace[traceLen++] = ((dwParity >> 24) & 0xff);
112 trace[traceLen++] = iLen;
113 memcpy(trace + traceLen, btBytes, iLen);
114 traceLen += iLen;
115 return TRUE;
116 }
117
118 //-----------------------------------------------------------------------------
119 // The software UART that receives commands from the reader, and its state
120 // variables.
121 //-----------------------------------------------------------------------------
122 static struct {
123 enum {
124 STATE_UNSYNCD,
125 STATE_START_OF_COMMUNICATION,
126 STATE_MILLER_X,
127 STATE_MILLER_Y,
128 STATE_MILLER_Z,
129 STATE_ERROR_WAIT
130 } state;
131 uint16_t shiftReg;
132 int bitCnt;
133 int byteCnt;
134 int byteCntMax;
135 int posCnt;
136 int syncBit;
137 int parityBits;
138 int samples;
139 int highCnt;
140 int bitBuffer;
141 enum {
142 DROP_NONE,
143 DROP_FIRST_HALF,
144 DROP_SECOND_HALF
145 } drop;
146 uint8_t *output;
147 } Uart;
148
149 static int MillerDecoding(int bit)
150 {
151 int error = 0;
152 int bitright;
153
154 if(!Uart.bitBuffer) {
155 Uart.bitBuffer = bit ^ 0xFF0;
156 return FALSE;
157 }
158 else {
159 Uart.bitBuffer <<= 4;
160 Uart.bitBuffer ^= bit;
161 }
162
163 int EOC = FALSE;
164
165 if(Uart.state != STATE_UNSYNCD) {
166 Uart.posCnt++;
167
168 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
169 bit = 0x00;
170 }
171 else {
172 bit = 0x01;
173 }
174 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
175 bitright = 0x00;
176 }
177 else {
178 bitright = 0x01;
179 }
180 if(bit != bitright) { bit = bitright; }
181
182 if(Uart.posCnt == 1) {
183 // measurement first half bitperiod
184 if(!bit) {
185 Uart.drop = DROP_FIRST_HALF;
186 }
187 }
188 else {
189 // measurement second half bitperiod
190 if(!bit & (Uart.drop == DROP_NONE)) {
191 Uart.drop = DROP_SECOND_HALF;
192 }
193 else if(!bit) {
194 // measured a drop in first and second half
195 // which should not be possible
196 Uart.state = STATE_ERROR_WAIT;
197 error = 0x01;
198 }
199
200 Uart.posCnt = 0;
201
202 switch(Uart.state) {
203 case STATE_START_OF_COMMUNICATION:
204 Uart.shiftReg = 0;
205 if(Uart.drop == DROP_SECOND_HALF) {
206 // error, should not happen in SOC
207 Uart.state = STATE_ERROR_WAIT;
208 error = 0x02;
209 }
210 else {
211 // correct SOC
212 Uart.state = STATE_MILLER_Z;
213 }
214 break;
215
216 case STATE_MILLER_Z:
217 Uart.bitCnt++;
218 Uart.shiftReg >>= 1;
219 if(Uart.drop == DROP_NONE) {
220 // logic '0' followed by sequence Y
221 // end of communication
222 Uart.state = STATE_UNSYNCD;
223 EOC = TRUE;
224 }
225 // if(Uart.drop == DROP_FIRST_HALF) {
226 // Uart.state = STATE_MILLER_Z; stay the same
227 // we see a logic '0' }
228 if(Uart.drop == DROP_SECOND_HALF) {
229 // we see a logic '1'
230 Uart.shiftReg |= 0x100;
231 Uart.state = STATE_MILLER_X;
232 }
233 break;
234
235 case STATE_MILLER_X:
236 Uart.shiftReg >>= 1;
237 if(Uart.drop == DROP_NONE) {
238 // sequence Y, we see a '0'
239 Uart.state = STATE_MILLER_Y;
240 Uart.bitCnt++;
241 }
242 if(Uart.drop == DROP_FIRST_HALF) {
243 // Would be STATE_MILLER_Z
244 // but Z does not follow X, so error
245 Uart.state = STATE_ERROR_WAIT;
246 error = 0x03;
247 }
248 if(Uart.drop == DROP_SECOND_HALF) {
249 // We see a '1' and stay in state X
250 Uart.shiftReg |= 0x100;
251 Uart.bitCnt++;
252 }
253 break;
254
255 case STATE_MILLER_Y:
256 Uart.bitCnt++;
257 Uart.shiftReg >>= 1;
258 if(Uart.drop == DROP_NONE) {
259 // logic '0' followed by sequence Y
260 // end of communication
261 Uart.state = STATE_UNSYNCD;
262 EOC = TRUE;
263 }
264 if(Uart.drop == DROP_FIRST_HALF) {
265 // we see a '0'
266 Uart.state = STATE_MILLER_Z;
267 }
268 if(Uart.drop == DROP_SECOND_HALF) {
269 // We see a '1' and go to state X
270 Uart.shiftReg |= 0x100;
271 Uart.state = STATE_MILLER_X;
272 }
273 break;
274
275 case STATE_ERROR_WAIT:
276 // That went wrong. Now wait for at least two bit periods
277 // and try to sync again
278 if(Uart.drop == DROP_NONE) {
279 Uart.highCnt = 6;
280 Uart.state = STATE_UNSYNCD;
281 }
282 break;
283
284 default:
285 Uart.state = STATE_UNSYNCD;
286 Uart.highCnt = 0;
287 break;
288 }
289
290 Uart.drop = DROP_NONE;
291
292 // should have received at least one whole byte...
293 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
294 return TRUE;
295 }
296
297 if(Uart.bitCnt == 9) {
298 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
299 Uart.byteCnt++;
300
301 Uart.parityBits <<= 1;
302 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
303
304 if(EOC) {
305 // when End of Communication received and
306 // all data bits processed..
307 return TRUE;
308 }
309 Uart.bitCnt = 0;
310 }
311
312 /*if(error) {
313 Uart.output[Uart.byteCnt] = 0xAA;
314 Uart.byteCnt++;
315 Uart.output[Uart.byteCnt] = error & 0xFF;
316 Uart.byteCnt++;
317 Uart.output[Uart.byteCnt] = 0xAA;
318 Uart.byteCnt++;
319 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
320 Uart.byteCnt++;
321 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
322 Uart.byteCnt++;
323 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
324 Uart.byteCnt++;
325 Uart.output[Uart.byteCnt] = 0xAA;
326 Uart.byteCnt++;
327 return TRUE;
328 }*/
329 }
330
331 }
332 else {
333 bit = Uart.bitBuffer & 0xf0;
334 bit >>= 4;
335 bit ^= 0x0F;
336 if(bit) {
337 // should have been high or at least (4 * 128) / fc
338 // according to ISO this should be at least (9 * 128 + 20) / fc
339 if(Uart.highCnt == 8) {
340 // we went low, so this could be start of communication
341 // it turns out to be safer to choose a less significant
342 // syncbit... so we check whether the neighbour also represents the drop
343 Uart.posCnt = 1; // apparently we are busy with our first half bit period
344 Uart.syncBit = bit & 8;
345 Uart.samples = 3;
346 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
347 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
348 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
349 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
350 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
351 if(Uart.syncBit & (Uart.bitBuffer & 8)) {
352 Uart.syncBit = 8;
353
354 // the first half bit period is expected in next sample
355 Uart.posCnt = 0;
356 Uart.samples = 3;
357 }
358 }
359 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
360
361 Uart.syncBit <<= 4;
362 Uart.state = STATE_START_OF_COMMUNICATION;
363 Uart.drop = DROP_FIRST_HALF;
364 Uart.bitCnt = 0;
365 Uart.byteCnt = 0;
366 Uart.parityBits = 0;
367 error = 0;
368 }
369 else {
370 Uart.highCnt = 0;
371 }
372 }
373 else {
374 if(Uart.highCnt < 8) {
375 Uart.highCnt++;
376 }
377 }
378 }
379
380 return FALSE;
381 }
382
383 //=============================================================================
384 // ISO 14443 Type A - Manchester
385 //=============================================================================
386
387 static struct {
388 enum {
389 DEMOD_UNSYNCD,
390 DEMOD_START_OF_COMMUNICATION,
391 DEMOD_MANCHESTER_D,
392 DEMOD_MANCHESTER_E,
393 DEMOD_MANCHESTER_F,
394 DEMOD_ERROR_WAIT
395 } state;
396 int bitCount;
397 int posCount;
398 int syncBit;
399 int parityBits;
400 uint16_t shiftReg;
401 int buffer;
402 int buff;
403 int samples;
404 int len;
405 enum {
406 SUB_NONE,
407 SUB_FIRST_HALF,
408 SUB_SECOND_HALF
409 } sub;
410 uint8_t *output;
411 } Demod;
412
413 static int ManchesterDecoding(int v)
414 {
415 int bit;
416 int modulation;
417 int error = 0;
418
419 if(!Demod.buff) {
420 Demod.buff = 1;
421 Demod.buffer = v;
422 return FALSE;
423 }
424 else {
425 bit = Demod.buffer;
426 Demod.buffer = v;
427 }
428
429 if(Demod.state==DEMOD_UNSYNCD) {
430 Demod.output[Demod.len] = 0xfa;
431 Demod.syncBit = 0;
432 //Demod.samples = 0;
433 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
434 if(bit & 0x08) { Demod.syncBit = 0x08; }
435 if(!Demod.syncBit) {
436 if(bit & 0x04) { Demod.syncBit = 0x04; }
437 }
438 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
439 if(!Demod.syncBit) {
440 if(bit & 0x02) { Demod.syncBit = 0x02; }
441 }
442 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
443 if(!Demod.syncBit) {
444 if(bit & 0x01) { Demod.syncBit = 0x01; }
445
446 if(Demod.syncBit & (Demod.buffer & 0x08)) {
447 Demod.syncBit = 0x08;
448
449 // The first half bitperiod is expected in next sample
450 Demod.posCount = 0;
451 Demod.output[Demod.len] = 0xfb;
452 }
453 }
454 else if(bit & 0x01) { Demod.syncBit = 0x01; }
455
456 if(Demod.syncBit) {
457 Demod.len = 0;
458 Demod.state = DEMOD_START_OF_COMMUNICATION;
459 Demod.sub = SUB_FIRST_HALF;
460 Demod.bitCount = 0;
461 Demod.shiftReg = 0;
462 Demod.parityBits = 0;
463 Demod.samples = 0;
464 if(Demod.posCount) {
465 if(trigger) LED_A_OFF();
466 switch(Demod.syncBit) {
467 case 0x08: Demod.samples = 3; break;
468 case 0x04: Demod.samples = 2; break;
469 case 0x02: Demod.samples = 1; break;
470 case 0x01: Demod.samples = 0; break;
471 }
472 }
473 error = 0;
474 }
475 }
476 else {
477 //modulation = bit & Demod.syncBit;
478 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
479
480 Demod.samples += 4;
481
482 if(Demod.posCount==0) {
483 Demod.posCount = 1;
484 if(modulation) {
485 Demod.sub = SUB_FIRST_HALF;
486 }
487 else {
488 Demod.sub = SUB_NONE;
489 }
490 }
491 else {
492 Demod.posCount = 0;
493 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
494 if(Demod.state!=DEMOD_ERROR_WAIT) {
495 Demod.state = DEMOD_ERROR_WAIT;
496 Demod.output[Demod.len] = 0xaa;
497 error = 0x01;
498 }
499 }
500 else if(modulation) {
501 Demod.sub = SUB_SECOND_HALF;
502 }
503
504 switch(Demod.state) {
505 case DEMOD_START_OF_COMMUNICATION:
506 if(Demod.sub == SUB_FIRST_HALF) {
507 Demod.state = DEMOD_MANCHESTER_D;
508 }
509 else {
510 Demod.output[Demod.len] = 0xab;
511 Demod.state = DEMOD_ERROR_WAIT;
512 error = 0x02;
513 }
514 break;
515
516 case DEMOD_MANCHESTER_D:
517 case DEMOD_MANCHESTER_E:
518 if(Demod.sub == SUB_FIRST_HALF) {
519 Demod.bitCount++;
520 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
521 Demod.state = DEMOD_MANCHESTER_D;
522 }
523 else if(Demod.sub == SUB_SECOND_HALF) {
524 Demod.bitCount++;
525 Demod.shiftReg >>= 1;
526 Demod.state = DEMOD_MANCHESTER_E;
527 }
528 else {
529 Demod.state = DEMOD_MANCHESTER_F;
530 }
531 break;
532
533 case DEMOD_MANCHESTER_F:
534 // Tag response does not need to be a complete byte!
535 if(Demod.len > 0 || Demod.bitCount > 0) {
536 if(Demod.bitCount > 0) {
537 Demod.shiftReg >>= (9 - Demod.bitCount);
538 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
539 Demod.len++;
540 // No parity bit, so just shift a 0
541 Demod.parityBits <<= 1;
542 }
543
544 Demod.state = DEMOD_UNSYNCD;
545 return TRUE;
546 }
547 else {
548 Demod.output[Demod.len] = 0xad;
549 Demod.state = DEMOD_ERROR_WAIT;
550 error = 0x03;
551 }
552 break;
553
554 case DEMOD_ERROR_WAIT:
555 Demod.state = DEMOD_UNSYNCD;
556 break;
557
558 default:
559 Demod.output[Demod.len] = 0xdd;
560 Demod.state = DEMOD_UNSYNCD;
561 break;
562 }
563
564 if(Demod.bitCount>=9) {
565 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
566 Demod.len++;
567
568 Demod.parityBits <<= 1;
569 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
570
571 Demod.bitCount = 0;
572 Demod.shiftReg = 0;
573 }
574
575 /*if(error) {
576 Demod.output[Demod.len] = 0xBB;
577 Demod.len++;
578 Demod.output[Demod.len] = error & 0xFF;
579 Demod.len++;
580 Demod.output[Demod.len] = 0xBB;
581 Demod.len++;
582 Demod.output[Demod.len] = bit & 0xFF;
583 Demod.len++;
584 Demod.output[Demod.len] = Demod.buffer & 0xFF;
585 Demod.len++;
586 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
587 Demod.len++;
588 Demod.output[Demod.len] = 0xBB;
589 Demod.len++;
590 return TRUE;
591 }*/
592
593 }
594
595 } // end (state != UNSYNCED)
596
597 return FALSE;
598 }
599
600 //=============================================================================
601 // Finally, a `sniffer' for ISO 14443 Type A
602 // Both sides of communication!
603 //=============================================================================
604
605 //-----------------------------------------------------------------------------
606 // Record the sequence of commands sent by the reader to the tag, with
607 // triggering so that we start recording at the point that the tag is moved
608 // near the reader.
609 //-----------------------------------------------------------------------------
610 void SnoopIso14443a(void)
611 {
612 // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
613 // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
614 // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
615 // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
616 // #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
617
618 // We won't start recording the frames that we acquire until we trigger;
619 // a good trigger condition to get started is probably when we see a
620 // response from the tag.
621 int triggered = FALSE; // FALSE to wait first for card
622
623 // The command (reader -> tag) that we're receiving.
624 // The length of a received command will in most cases be no more than 18 bytes.
625 // So 32 should be enough!
626 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
627 // The response (tag -> reader) that we're receiving.
628 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
629
630 // As we receive stuff, we copy it from receivedCmd or receivedResponse
631 // into trace, along with its length and other annotations.
632 //uint8_t *trace = (uint8_t *)BigBuf;
633 //int traceLen = 0;
634
635 // The DMA buffer, used to stream samples from the FPGA
636 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
637 int lastRxCounter;
638 int8_t *upTo;
639 int smpl;
640 int maxBehindBy = 0;
641
642 // Count of samples received so far, so that we can include timing
643 // information in the trace buffer.
644 int samples = 0;
645 int rsamples = 0;
646
647 memset(trace, 0x44, RECV_CMD_OFFSET);
648
649 // Set up the demodulator for tag -> reader responses.
650 Demod.output = receivedResponse;
651 Demod.len = 0;
652 Demod.state = DEMOD_UNSYNCD;
653
654 // Setup for the DMA.
655 FpgaSetupSsc();
656 upTo = dmaBuf;
657 lastRxCounter = DMA_BUFFER_SIZE;
658 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
659
660 // And the reader -> tag commands
661 memset(&Uart, 0, sizeof(Uart));
662 Uart.output = receivedCmd;
663 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
664 Uart.state = STATE_UNSYNCD;
665
666 // And put the FPGA in the appropriate mode
667 // Signal field is off with the appropriate LED
668 LED_D_OFF();
669 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
670 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
671
672
673 // And now we loop, receiving samples.
674 for(;;) {
675 LED_A_ON();
676 WDT_HIT();
677 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
678 (DMA_BUFFER_SIZE-1);
679 if(behindBy > maxBehindBy) {
680 maxBehindBy = behindBy;
681 if(behindBy > 400) {
682 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
683 goto done;
684 }
685 }
686 if(behindBy < 1) continue;
687
688 LED_A_OFF();
689 smpl = upTo[0];
690 upTo++;
691 lastRxCounter -= 1;
692 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
693 upTo -= DMA_BUFFER_SIZE;
694 lastRxCounter += DMA_BUFFER_SIZE;
695 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
696 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
697 }
698
699 samples += 4;
700 if(MillerDecoding((smpl & 0xF0) >> 4)) {
701 rsamples = samples - Uart.samples;
702 LED_C_ON();
703 if(triggered) {
704 trace[traceLen++] = ((rsamples >> 0) & 0xff);
705 trace[traceLen++] = ((rsamples >> 8) & 0xff);
706 trace[traceLen++] = ((rsamples >> 16) & 0xff);
707 trace[traceLen++] = ((rsamples >> 24) & 0xff);
708 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
709 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
710 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
711 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
712 trace[traceLen++] = Uart.byteCnt;
713 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
714 traceLen += Uart.byteCnt;
715 if(traceLen > TRACE_LENGTH) break;
716 }
717 /* And ready to receive another command. */
718 Uart.state = STATE_UNSYNCD;
719 /* And also reset the demod code, which might have been */
720 /* false-triggered by the commands from the reader. */
721 Demod.state = DEMOD_UNSYNCD;
722 LED_B_OFF();
723 }
724
725 if(ManchesterDecoding(smpl & 0x0F)) {
726 rsamples = samples - Demod.samples;
727 LED_B_ON();
728
729 // timestamp, as a count of samples
730 trace[traceLen++] = ((rsamples >> 0) & 0xff);
731 trace[traceLen++] = ((rsamples >> 8) & 0xff);
732 trace[traceLen++] = ((rsamples >> 16) & 0xff);
733 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
734 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
735 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
736 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
737 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
738 // length
739 trace[traceLen++] = Demod.len;
740 memcpy(trace+traceLen, receivedResponse, Demod.len);
741 traceLen += Demod.len;
742 if(traceLen > TRACE_LENGTH) break;
743
744 triggered = TRUE;
745
746 // And ready to receive another response.
747 memset(&Demod, 0, sizeof(Demod));
748 Demod.output = receivedResponse;
749 Demod.state = DEMOD_UNSYNCD;
750 LED_C_OFF();
751 }
752
753 if(BUTTON_PRESS()) {
754 DbpString("cancelled_a");
755 goto done;
756 }
757 }
758
759 DbpString("COMMAND FINISHED");
760
761 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
762 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
763
764 done:
765 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
766 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
767 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
768 LED_A_OFF();
769 LED_B_OFF();
770 LED_C_OFF();
771 LED_D_OFF();
772 }
773
774 //-----------------------------------------------------------------------------
775 // Prepare tag messages
776 //-----------------------------------------------------------------------------
777 static void CodeIso14443aAsTag(const uint8_t *cmd, int len)
778 {
779 int i;
780 int oddparity;
781
782 ToSendReset();
783
784 // Correction bit, might be removed when not needed
785 ToSendStuffBit(0);
786 ToSendStuffBit(0);
787 ToSendStuffBit(0);
788 ToSendStuffBit(0);
789 ToSendStuffBit(1); // 1
790 ToSendStuffBit(0);
791 ToSendStuffBit(0);
792 ToSendStuffBit(0);
793
794 // Send startbit
795 ToSend[++ToSendMax] = SEC_D;
796
797 for(i = 0; i < len; i++) {
798 int j;
799 uint8_t b = cmd[i];
800
801 // Data bits
802 oddparity = 0x01;
803 for(j = 0; j < 8; j++) {
804 oddparity ^= (b & 1);
805 if(b & 1) {
806 ToSend[++ToSendMax] = SEC_D;
807 } else {
808 ToSend[++ToSendMax] = SEC_E;
809 }
810 b >>= 1;
811 }
812
813 // Parity bit
814 if(oddparity) {
815 ToSend[++ToSendMax] = SEC_D;
816 } else {
817 ToSend[++ToSendMax] = SEC_E;
818 }
819 }
820
821 // Send stopbit
822 ToSend[++ToSendMax] = SEC_F;
823
824 // Flush the buffer in FPGA!!
825 for(i = 0; i < 5; i++) {
826 ToSend[++ToSendMax] = SEC_F;
827 }
828
829 // Convert from last byte pos to length
830 ToSendMax++;
831
832 // Add a few more for slop
833 ToSend[ToSendMax++] = 0x00;
834 ToSend[ToSendMax++] = 0x00;
835 //ToSendMax += 2;
836 }
837
838 //-----------------------------------------------------------------------------
839 // This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
840 //-----------------------------------------------------------------------------
841 static void CodeStrangeAnswer()
842 {
843 int i;
844
845 ToSendReset();
846
847 // Correction bit, might be removed when not needed
848 ToSendStuffBit(0);
849 ToSendStuffBit(0);
850 ToSendStuffBit(0);
851 ToSendStuffBit(0);
852 ToSendStuffBit(1); // 1
853 ToSendStuffBit(0);
854 ToSendStuffBit(0);
855 ToSendStuffBit(0);
856
857 // Send startbit
858 ToSend[++ToSendMax] = SEC_D;
859
860 // 0
861 ToSend[++ToSendMax] = SEC_E;
862
863 // 0
864 ToSend[++ToSendMax] = SEC_E;
865
866 // 1
867 ToSend[++ToSendMax] = SEC_D;
868
869 // Send stopbit
870 ToSend[++ToSendMax] = SEC_F;
871
872 // Flush the buffer in FPGA!!
873 for(i = 0; i < 5; i++) {
874 ToSend[++ToSendMax] = SEC_F;
875 }
876
877 // Convert from last byte pos to length
878 ToSendMax++;
879
880 // Add a few more for slop
881 ToSend[ToSendMax++] = 0x00;
882 ToSend[ToSendMax++] = 0x00;
883 //ToSendMax += 2;
884 }
885
886 //-----------------------------------------------------------------------------
887 // Wait for commands from reader
888 // Stop when button is pressed
889 // Or return TRUE when command is captured
890 //-----------------------------------------------------------------------------
891 static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
892 {
893 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
894 // only, since we are receiving, not transmitting).
895 // Signal field is off with the appropriate LED
896 LED_D_OFF();
897 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
898
899 // Now run a `software UART' on the stream of incoming samples.
900 Uart.output = received;
901 Uart.byteCntMax = maxLen;
902 Uart.state = STATE_UNSYNCD;
903
904 for(;;) {
905 WDT_HIT();
906
907 if(BUTTON_PRESS()) return FALSE;
908
909 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
910 AT91C_BASE_SSC->SSC_THR = 0x00;
911 }
912 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
913 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
914 if(MillerDecoding((b & 0xf0) >> 4)) {
915 *len = Uart.byteCnt;
916 return TRUE;
917 }
918 if(MillerDecoding(b & 0x0f)) {
919 *len = Uart.byteCnt;
920 return TRUE;
921 }
922 }
923 }
924 }
925
926 //-----------------------------------------------------------------------------
927 // Main loop of simulated tag: receive commands from reader, decide what
928 // response to send, and send it.
929 //-----------------------------------------------------------------------------
930 void SimulateIso14443aTag(int tagType, int TagUid)
931 {
932 // This function contains the tag emulation
933
934 // Prepare protocol messages
935 // static const uint8_t cmd1[] = { 0x26 };
936 // static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
937 //
938 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
939 // static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
940
941 // UID response
942 // static const uint8_t cmd2[] = { 0x93, 0x20 };
943 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
944
945 // my desfire
946 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
947
948
949 // When reader selects us during cascade1 it will send cmd3
950 //uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
951 uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
952 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
953
954 // send cascade2 2nd half of UID
955 static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
956 // NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
957
958 // When reader selects us during cascade2 it will send cmd3a
959 //uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
960 uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
961 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
962
963 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
964
965 uint8_t *resp;
966 int respLen;
967
968 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
969 // This will need
970 // 144 data bits (18 * 8)
971 // 18 parity bits
972 // 2 Start and stop
973 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
974 // 1 just for the case
975 // ----------- +
976 // 166
977 //
978 // 166 bytes, since every bit that needs to be send costs us a byte
979 //
980
981 // Respond with card type
982 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
983 int resp1Len;
984
985 // Anticollision cascade1 - respond with uid
986 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
987 int resp2Len;
988
989 // Anticollision cascade2 - respond with 2nd half of uid if asked
990 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
991 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
992 int resp2aLen;
993
994 // Acknowledge select - cascade 1
995 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
996 int resp3Len;
997
998 // Acknowledge select - cascade 2
999 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
1000 int resp3aLen;
1001
1002 // Response to a read request - not implemented atm
1003 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
1004 int resp4Len;
1005
1006 // Authenticate response - nonce
1007 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
1008 int resp5Len;
1009
1010 uint8_t *receivedCmd = (uint8_t *)BigBuf;
1011 int len;
1012
1013 int i;
1014 int u;
1015 uint8_t b;
1016
1017 // To control where we are in the protocol
1018 int order = 0;
1019 int lastorder;
1020
1021 // Just to allow some checks
1022 int happened = 0;
1023 int happened2 = 0;
1024
1025 int cmdsRecvd = 0;
1026
1027 int fdt_indicator;
1028
1029 memset(receivedCmd, 0x44, 400);
1030
1031 // Prepare the responses of the anticollision phase
1032 // there will be not enough time to do this at the moment the reader sends it REQA
1033
1034 // Answer to request
1035 CodeIso14443aAsTag(response1, sizeof(response1));
1036 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1037
1038 // Send our UID (cascade 1)
1039 CodeIso14443aAsTag(response2, sizeof(response2));
1040 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1041
1042 // Answer to select (cascade1)
1043 CodeIso14443aAsTag(response3, sizeof(response3));
1044 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1045
1046 // Send the cascade 2 2nd part of the uid
1047 CodeIso14443aAsTag(response2a, sizeof(response2a));
1048 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1049
1050 // Answer to select (cascade 2)
1051 CodeIso14443aAsTag(response3a, sizeof(response3a));
1052 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1053
1054 // Strange answer is an example of rare message size (3 bits)
1055 CodeStrangeAnswer();
1056 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1057
1058 // Authentication answer (random nonce)
1059 CodeIso14443aAsTag(response5, sizeof(response5));
1060 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1061
1062 // We need to listen to the high-frequency, peak-detected path.
1063 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1064 FpgaSetupSsc();
1065
1066 cmdsRecvd = 0;
1067
1068 LED_A_ON();
1069 for(;;) {
1070
1071 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1072 DbpString("button press");
1073 break;
1074 }
1075 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1076 // Okay, look at the command now.
1077 lastorder = order;
1078 i = 1; // first byte transmitted
1079 if(receivedCmd[0] == 0x26) {
1080 // Received a REQUEST
1081 resp = resp1; respLen = resp1Len; order = 1;
1082 //DbpString("Hello request from reader:");
1083 } else if(receivedCmd[0] == 0x52) {
1084 // Received a WAKEUP
1085 resp = resp1; respLen = resp1Len; order = 6;
1086 // //DbpString("Wakeup request from reader:");
1087
1088 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1089 // Received request for UID (cascade 1)
1090 resp = resp2; respLen = resp2Len; order = 2;
1091 // DbpString("UID (cascade 1) request from reader:");
1092 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1093
1094
1095 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1096 // Received request for UID (cascade 2)
1097 resp = resp2a; respLen = resp2aLen; order = 20;
1098 // DbpString("UID (cascade 2) request from reader:");
1099 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1100
1101
1102 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1103 // Received a SELECT
1104 resp = resp3; respLen = resp3Len; order = 3;
1105 // DbpString("Select (cascade 1) request from reader:");
1106 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1107
1108
1109 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1110 // Received a SELECT
1111 resp = resp3a; respLen = resp3aLen; order = 30;
1112 // DbpString("Select (cascade 2) request from reader:");
1113 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1114
1115
1116 } else if(receivedCmd[0] == 0x30) {
1117 // Received a READ
1118 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1119 Dbprintf("Read request from reader: %x %x %x",
1120 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1121
1122
1123 } else if(receivedCmd[0] == 0x50) {
1124 // Received a HALT
1125 resp = resp1; respLen = 0; order = 5; // Do nothing
1126 DbpString("Reader requested we HALT!:");
1127
1128 } else if(receivedCmd[0] == 0x60) {
1129 // Received an authentication request
1130 resp = resp5; respLen = resp5Len; order = 7;
1131 Dbprintf("Authenticate request from reader: %x %x %x",
1132 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1133
1134 } else if(receivedCmd[0] == 0xE0) {
1135 // Received a RATS request
1136 resp = resp1; respLen = 0;order = 70;
1137 Dbprintf("RATS request from reader: %x %x %x",
1138 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1139 } else {
1140 // Never seen this command before
1141 Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
1142 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1143 receivedCmd[3], receivedCmd[3], receivedCmd[4],
1144 receivedCmd[5], receivedCmd[6], receivedCmd[7]);
1145 // Do not respond
1146 resp = resp1; respLen = 0; order = 0;
1147 }
1148
1149 // Count number of wakeups received after a halt
1150 if(order == 6 && lastorder == 5) { happened++; }
1151
1152 // Count number of other messages after a halt
1153 if(order != 6 && lastorder == 5) { happened2++; }
1154
1155 // Look at last parity bit to determine timing of answer
1156 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1157 // 1236, so correction bit needed
1158 i = 0;
1159 }
1160
1161 memset(receivedCmd, 0x44, 32);
1162
1163 if(cmdsRecvd > 999) {
1164 DbpString("1000 commands later...");
1165 break;
1166 }
1167 else {
1168 cmdsRecvd++;
1169 }
1170
1171 if(respLen <= 0) continue;
1172
1173 // Modulate Manchester
1174 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1175 AT91C_BASE_SSC->SSC_THR = 0x00;
1176 FpgaSetupSsc();
1177
1178 // ### Transmit the response ###
1179 u = 0;
1180 b = 0x00;
1181 fdt_indicator = FALSE;
1182 for(;;) {
1183 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1184 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1185 (void)b;
1186 }
1187 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1188 if(i > respLen) {
1189 b = 0x00;
1190 u++;
1191 } else {
1192 b = resp[i];
1193 i++;
1194 }
1195 AT91C_BASE_SSC->SSC_THR = b;
1196
1197 if(u > 4) {
1198 break;
1199 }
1200 }
1201 if(BUTTON_PRESS()) {
1202 break;
1203 }
1204 }
1205
1206 }
1207
1208 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1209 LED_A_OFF();
1210 }
1211
1212 //-----------------------------------------------------------------------------
1213 // Transmit the command (to the tag) that was placed in ToSend[].
1214 //-----------------------------------------------------------------------------
1215 static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
1216 {
1217 int c;
1218
1219 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1220
1221 if (wait)
1222 if(*wait < 10)
1223 *wait = 10;
1224
1225 for(c = 0; c < *wait;) {
1226 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1227 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1228 c++;
1229 }
1230 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1231 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1232 (void)r;
1233 }
1234 WDT_HIT();
1235 }
1236
1237 c = 0;
1238 for(;;) {
1239 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1240 AT91C_BASE_SSC->SSC_THR = cmd[c];
1241 c++;
1242 if(c >= len) {
1243 break;
1244 }
1245 }
1246 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1247 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1248 (void)r;
1249 }
1250 WDT_HIT();
1251 }
1252 if (samples) *samples = (c + *wait) << 3;
1253 }
1254
1255 //-----------------------------------------------------------------------------
1256 // Code a 7-bit command without parity bit
1257 // This is especially for 0x26 and 0x52 (REQA and WUPA)
1258 //-----------------------------------------------------------------------------
1259 void ShortFrameFromReader(const uint8_t bt)
1260 {
1261 int j;
1262 int last;
1263 uint8_t b;
1264
1265 ToSendReset();
1266
1267 // Start of Communication (Seq. Z)
1268 ToSend[++ToSendMax] = SEC_Z;
1269 last = 0;
1270
1271 b = bt;
1272 for(j = 0; j < 7; j++) {
1273 if(b & 1) {
1274 // Sequence X
1275 ToSend[++ToSendMax] = SEC_X;
1276 last = 1;
1277 } else {
1278 if(last == 0) {
1279 // Sequence Z
1280 ToSend[++ToSendMax] = SEC_Z;
1281 }
1282 else {
1283 // Sequence Y
1284 ToSend[++ToSendMax] = SEC_Y;
1285 last = 0;
1286 }
1287 }
1288 b >>= 1;
1289 }
1290
1291 // End of Communication
1292 if(last == 0) {
1293 // Sequence Z
1294 ToSend[++ToSendMax] = SEC_Z;
1295 }
1296 else {
1297 // Sequence Y
1298 ToSend[++ToSendMax] = SEC_Y;
1299 last = 0;
1300 }
1301 // Sequence Y
1302 ToSend[++ToSendMax] = SEC_Y;
1303
1304 // Just to be sure!
1305 ToSend[++ToSendMax] = SEC_Y;
1306 ToSend[++ToSendMax] = SEC_Y;
1307 ToSend[++ToSendMax] = SEC_Y;
1308
1309 // Convert from last character reference to length
1310 ToSendMax++;
1311 }
1312
1313 //-----------------------------------------------------------------------------
1314 // Prepare reader command to send to FPGA
1315 //
1316 //-----------------------------------------------------------------------------
1317 void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
1318 {
1319 int i, j;
1320 int last;
1321 uint8_t b;
1322
1323 ToSendReset();
1324
1325 // Start of Communication (Seq. Z)
1326 ToSend[++ToSendMax] = SEC_Z;
1327 last = 0;
1328
1329 // Generate send structure for the data bits
1330 for (i = 0; i < len; i++) {
1331 // Get the current byte to send
1332 b = cmd[i];
1333
1334 for (j = 0; j < 8; j++) {
1335 if (b & 1) {
1336 // Sequence X
1337 ToSend[++ToSendMax] = SEC_X;
1338 last = 1;
1339 } else {
1340 if (last == 0) {
1341 // Sequence Z
1342 ToSend[++ToSendMax] = SEC_Z;
1343 } else {
1344 // Sequence Y
1345 ToSend[++ToSendMax] = SEC_Y;
1346 last = 0;
1347 }
1348 }
1349 b >>= 1;
1350 }
1351
1352 // Get the parity bit
1353 if ((dwParity >> i) & 0x01) {
1354 // Sequence X
1355 ToSend[++ToSendMax] = SEC_X;
1356 last = 1;
1357 } else {
1358 if (last == 0) {
1359 // Sequence Z
1360 ToSend[++ToSendMax] = SEC_Z;
1361 } else {
1362 // Sequence Y
1363 ToSend[++ToSendMax] = SEC_Y;
1364 last = 0;
1365 }
1366 }
1367 }
1368
1369 // End of Communication
1370 if (last == 0) {
1371 // Sequence Z
1372 ToSend[++ToSendMax] = SEC_Z;
1373 } else {
1374 // Sequence Y
1375 ToSend[++ToSendMax] = SEC_Y;
1376 last = 0;
1377 }
1378 // Sequence Y
1379 ToSend[++ToSendMax] = SEC_Y;
1380
1381 // Just to be sure!
1382 ToSend[++ToSendMax] = SEC_Y;
1383 ToSend[++ToSendMax] = SEC_Y;
1384 ToSend[++ToSendMax] = SEC_Y;
1385
1386 // Convert from last character reference to length
1387 ToSendMax++;
1388 }
1389
1390 //-----------------------------------------------------------------------------
1391 // Wait a certain time for tag response
1392 // If a response is captured return TRUE
1393 // If it takes to long return FALSE
1394 //-----------------------------------------------------------------------------
1395 static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
1396 {
1397 // buffer needs to be 512 bytes
1398 int c;
1399
1400 // Set FPGA mode to "reader listen mode", no modulation (listen
1401 // only, since we are receiving, not transmitting).
1402 // Signal field is on with the appropriate LED
1403 LED_D_ON();
1404 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1405
1406 // Now get the answer from the card
1407 Demod.output = receivedResponse;
1408 Demod.len = 0;
1409 Demod.state = DEMOD_UNSYNCD;
1410
1411 uint8_t b;
1412 if (elapsed) *elapsed = 0;
1413
1414 c = 0;
1415 for(;;) {
1416 WDT_HIT();
1417
1418 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1419 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1420 if (elapsed) (*elapsed)++;
1421 }
1422 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1423 if(c < iso14a_timeout) { c++; } else { return FALSE; }
1424 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1425 if(ManchesterDecoding((b>>4) & 0xf)) {
1426 *samples = ((c - 1) << 3) + 4;
1427 return TRUE;
1428 }
1429 if(ManchesterDecoding(b & 0x0f)) {
1430 *samples = c << 3;
1431 return TRUE;
1432 }
1433 }
1434 }
1435 }
1436
1437 void ReaderTransmitShort(const uint8_t* bt)
1438 {
1439 int wait = 0;
1440 int samples = 0;
1441
1442 ShortFrameFromReader(*bt);
1443
1444 // Select the card
1445 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1446
1447 // Store reader command in buffer
1448 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1449 }
1450
1451 void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
1452 {
1453 int wait = 0;
1454 int samples = 0;
1455
1456 // This is tied to other size changes
1457 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
1458 CodeIso14443aAsReaderPar(frame,len,par);
1459
1460 // Select the card
1461 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1462 if(trigger)
1463 LED_A_ON();
1464
1465 // Store reader command in buffer
1466 if (tracing) LogTrace(frame,len,0,par,TRUE);
1467 }
1468
1469
1470 void ReaderTransmit(uint8_t* frame, int len)
1471 {
1472 // Generate parity and redirect
1473 ReaderTransmitPar(frame,len,GetParity(frame,len));
1474 }
1475
1476 int ReaderReceive(uint8_t* receivedAnswer)
1477 {
1478 int samples = 0;
1479 if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
1480 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1481 if(samples == 0) return FALSE;
1482 return Demod.len;
1483 }
1484
1485 /* performs iso14443a anticolision procedure
1486 * fills the uid pointer unless NULL
1487 * fills resp_data unless NULL */
1488 int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data) {
1489 uint8_t wupa[] = { 0x52 };
1490 uint8_t sel_all[] = { 0x93,0x20 };
1491 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1492 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
1493
1494 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1495 uint8_t* uid = resp + 7;
1496
1497 uint8_t sak = 0x04; // cascade uid
1498 int cascade_level = 0;
1499
1500 int len;
1501
1502 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1503 ReaderTransmitShort(wupa);
1504 // Receive the ATQA
1505 if(!ReaderReceive(resp)) return 0;
1506
1507 if(resp_data)
1508 memcpy(resp_data->atqa, resp, 2);
1509
1510 ReaderTransmit(sel_all,sizeof(sel_all));
1511 if(!ReaderReceive(uid)) return 0;
1512
1513 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
1514 // which case we need to make a cascade 2 request and select - this is a long UID
1515 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1516 for(; sak & 0x04; cascade_level++)
1517 {
1518 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1519 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1520
1521 // SELECT_ALL
1522 ReaderTransmit(sel_all,sizeof(sel_all));
1523 if (!ReaderReceive(resp)) return 0;
1524 if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4);
1525
1526 // Construct SELECT UID command
1527 memcpy(sel_uid+2,resp,5);
1528 AppendCrc14443a(sel_uid,7);
1529 ReaderTransmit(sel_uid,sizeof(sel_uid));
1530
1531 // Receive the SAK
1532 if (!ReaderReceive(resp)) return 0;
1533 sak = resp[0];
1534 }
1535 if(resp_data) {
1536 resp_data->sak = sak;
1537 resp_data->ats_len = 0;
1538 }
1539
1540 if( (sak & 0x20) == 0)
1541 return 2; // non iso14443a compliant tag
1542
1543 // Request for answer to select
1544 AppendCrc14443a(rats, 2);
1545 ReaderTransmit(rats, sizeof(rats));
1546 if (!(len = ReaderReceive(resp))) return 0;
1547 if(resp_data) {
1548 memcpy(resp_data->ats, resp, sizeof(resp_data->ats));
1549 resp_data->ats_len = len;
1550 }
1551
1552 return 1;
1553 }
1554
1555 void iso14443a_setup() {
1556 // Setup SSC
1557 FpgaSetupSsc();
1558 // Start from off (no field generated)
1559 // Signal field is off with the appropriate LED
1560 LED_D_OFF();
1561 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1562 SpinDelay(200);
1563
1564 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1565
1566 // Now give it time to spin up.
1567 // Signal field is on with the appropriate LED
1568 LED_D_ON();
1569 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1570 SpinDelay(200);
1571
1572 iso14a_timeout = 2048; //default
1573 }
1574
1575 int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
1576 uint8_t real_cmd[cmd_len+4];
1577 real_cmd[0] = 0x0a; //I-Block
1578 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1579 memcpy(real_cmd+2, cmd, cmd_len);
1580 AppendCrc14443a(real_cmd,cmd_len+2);
1581
1582 ReaderTransmit(real_cmd, cmd_len+4);
1583 size_t len = ReaderReceive(data);
1584 if(!len)
1585 return -1; //DATA LINK ERROR
1586
1587 return len;
1588 }
1589
1590
1591 //-----------------------------------------------------------------------------
1592 // Read an ISO 14443a tag. Send out commands and store answers.
1593 //
1594 //-----------------------------------------------------------------------------
1595 void ReaderIso14443a(UsbCommand * c, UsbCommand * ack)
1596 {
1597 iso14a_command_t param = c->arg[0];
1598 uint8_t * cmd = c->d.asBytes;
1599 size_t len = c->arg[1];
1600
1601 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(1);
1602
1603 if(param & ISO14A_CONNECT) {
1604 iso14443a_setup();
1605 ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12));
1606 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1607 }
1608
1609 if(param & ISO14A_SET_TIMEOUT) {
1610 iso14a_timeout = c->arg[2];
1611 }
1612
1613 if(param & ISO14A_SET_TIMEOUT) {
1614 iso14a_timeout = c->arg[2];
1615 }
1616
1617 if(param & ISO14A_APDU) {
1618 ack->arg[0] = iso14_apdu(cmd, len, ack->d.asBytes);
1619 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1620 }
1621
1622 if(param & ISO14A_RAW) {
1623 if(param & ISO14A_APPEND_CRC) {
1624 AppendCrc14443a(cmd,len);
1625 len += 2;
1626 }
1627 ReaderTransmit(cmd,len);
1628 ack->arg[0] = ReaderReceive(ack->d.asBytes);
1629 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1630 }
1631
1632 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(0);
1633
1634 if(param & ISO14A_NO_DISCONNECT)
1635 return;
1636
1637 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1638 LEDsoff();
1639 }
1640 //-----------------------------------------------------------------------------
1641 // Read an ISO 14443a tag. Send out commands and store answers.
1642 //
1643 //-----------------------------------------------------------------------------
1644 void ReaderMifare(uint32_t parameter)
1645 {
1646 // Mifare AUTH
1647 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1648 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1649
1650 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1651 traceLen = 0;
1652 tracing = false;
1653
1654 iso14443a_setup();
1655
1656 LED_A_ON();
1657 LED_B_OFF();
1658 LED_C_OFF();
1659
1660 byte_t nt_diff = 0;
1661 LED_A_OFF();
1662 byte_t par = 0;
1663 byte_t par_mask = 0xff;
1664 byte_t par_low = 0;
1665 int led_on = TRUE;
1666
1667 tracing = FALSE;
1668 byte_t nt[4];
1669 byte_t nt_attacked[4];
1670 byte_t par_list[8];
1671 byte_t ks_list[8];
1672 num_to_bytes(parameter,4,nt_attacked);
1673
1674 while(TRUE)
1675 {
1676 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1677 SpinDelay(200);
1678 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1679
1680 // Test if the action was cancelled
1681 if(BUTTON_PRESS()) {
1682 break;
1683 }
1684
1685 if(!iso14443a_select_card(NULL, NULL)) continue;
1686
1687 // Transmit MIFARE_CLASSIC_AUTH
1688 ReaderTransmit(mf_auth,sizeof(mf_auth));
1689
1690 // Receive the (16 bit) "random" nonce
1691 if (!ReaderReceive(receivedAnswer)) continue;
1692 memcpy(nt,receivedAnswer,4);
1693
1694 // Transmit reader nonce and reader answer
1695 ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par);
1696
1697 // Receive 4 bit answer
1698 if (ReaderReceive(receivedAnswer))
1699 {
1700 if (nt_diff == 0)
1701 {
1702 LED_A_ON();
1703 memcpy(nt_attacked,nt,4);
1704 par_mask = 0xf8;
1705 par_low = par & 0x07;
1706 }
1707
1708 if (memcmp(nt,nt_attacked,4) != 0) continue;
1709
1710 led_on = !led_on;
1711 if(led_on) LED_B_ON(); else LED_B_OFF();
1712 par_list[nt_diff] = par;
1713 ks_list[nt_diff] = receivedAnswer[0]^0x05;
1714
1715 // Test if the information is complete
1716 if (nt_diff == 0x07) break;
1717
1718 nt_diff = (nt_diff+1) & 0x07;
1719 mf_nr_ar[3] = nt_diff << 5;
1720 par = par_low;
1721 } else {
1722 if (nt_diff == 0)
1723 {
1724 par++;
1725 } else {
1726 par = (((par>>3)+1) << 3) | par_low;
1727 }
1728 }
1729 }
1730
1731 LogTrace(nt,4,0,GetParity(nt,4),TRUE);
1732 LogTrace(par_list,8,0,GetParity(par_list,8),TRUE);
1733 LogTrace(ks_list,8,0,GetParity(ks_list,8),TRUE);
1734
1735 // Thats it...
1736 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1737 LEDsoff();
1738 tracing = TRUE;
1739 }
Impressum, Datenschutz