1 //-----------------------------------------------------------------------------
2 // Gerhard de Koning Gans - May 2008
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
7 //-----------------------------------------------------------------------------
8 // Routines to support ISO 14443 type A.
9 //-----------------------------------------------------------------------------
11 #include "proxmark3.h"
16 #include "iso14443crc.h"
18 static uint8_t *trace
= (uint8_t *) BigBuf
;
19 static int traceLen
= 0;
20 static int rsamples
= 0;
21 static int tracing
= TRUE
;
24 // Sequence D: 11110000 modulation with subcarrier during first half
25 // Sequence E: 00001111 modulation with subcarrier during second half
26 // Sequence F: 00000000 no modulation with subcarrier
28 // Sequence X: 00001100 drop after half a period
29 // Sequence Y: 00000000 no drop
30 // Sequence Z: 11000000 drop at start
38 static const uint8_t OddByteParity
[256] = {
39 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
40 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
41 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
42 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
43 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
44 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
45 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
46 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
47 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
48 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
49 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
50 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
51 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
52 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
57 // BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
58 #define RECV_CMD_OFFSET 3032
59 #define RECV_RES_OFFSET 3096
60 #define DMA_BUFFER_OFFSET 3160
61 #define DMA_BUFFER_SIZE 4096
62 #define TRACE_LENGTH 3000
64 //-----------------------------------------------------------------------------
65 // Generate the parity value for a byte sequence
67 //-----------------------------------------------------------------------------
68 uint32_t GetParity(const uint8_t * pbtCmd
, int iLen
)
73 // Generate the encrypted data
74 for (i
= 0; i
< iLen
; i
++) {
75 // Save the encrypted parity bit
76 dwPar
|= ((OddByteParity
[pbtCmd
[i
]]) << i
);
81 static void AppendCrc14443a(uint8_t* data
, int len
)
83 ComputeCrc14443(CRC_14443_A
,data
,len
,data
+len
,data
+len
+1);
86 int LogTrace(const uint8_t * btBytes
, int iLen
, int iSamples
, uint32_t dwParity
, int bReader
)
88 // Return when trace is full
89 if (traceLen
>= TRACE_LENGTH
) return FALSE
;
91 // Trace the random, i'm curious
93 trace
[traceLen
++] = ((rsamples
>> 0) & 0xff);
94 trace
[traceLen
++] = ((rsamples
>> 8) & 0xff);
95 trace
[traceLen
++] = ((rsamples
>> 16) & 0xff);
96 trace
[traceLen
++] = ((rsamples
>> 24) & 0xff);
98 trace
[traceLen
- 1] |= 0x80;
100 trace
[traceLen
++] = ((dwParity
>> 0) & 0xff);
101 trace
[traceLen
++] = ((dwParity
>> 8) & 0xff);
102 trace
[traceLen
++] = ((dwParity
>> 16) & 0xff);
103 trace
[traceLen
++] = ((dwParity
>> 24) & 0xff);
104 trace
[traceLen
++] = iLen
;
105 memcpy(trace
+ traceLen
, btBytes
, iLen
);
110 //-----------------------------------------------------------------------------
111 // The software UART that receives commands from the reader, and its state
113 //-----------------------------------------------------------------------------
117 STATE_START_OF_COMMUNICATION
,
141 static int MillerDecoding(int bit
)
146 if(!Uart
.bitBuffer
) {
147 Uart
.bitBuffer
= bit
^ 0xFF0;
151 Uart
.bitBuffer
<<= 4;
152 Uart
.bitBuffer
^= bit
;
157 if(Uart
.state
!= STATE_UNSYNCD
) {
160 if((Uart
.bitBuffer
& Uart
.syncBit
) ^ Uart
.syncBit
) {
166 if(((Uart
.bitBuffer
<< 1) & Uart
.syncBit
) ^ Uart
.syncBit
) {
172 if(bit
!= bitright
) { bit
= bitright
; }
174 if(Uart
.posCnt
== 1) {
175 // measurement first half bitperiod
177 Uart
.drop
= DROP_FIRST_HALF
;
181 // measurement second half bitperiod
182 if(!bit
& (Uart
.drop
== DROP_NONE
)) {
183 Uart
.drop
= DROP_SECOND_HALF
;
186 // measured a drop in first and second half
187 // which should not be possible
188 Uart
.state
= STATE_ERROR_WAIT
;
195 case STATE_START_OF_COMMUNICATION
:
197 if(Uart
.drop
== DROP_SECOND_HALF
) {
198 // error, should not happen in SOC
199 Uart
.state
= STATE_ERROR_WAIT
;
204 Uart
.state
= STATE_MILLER_Z
;
211 if(Uart
.drop
== DROP_NONE
) {
212 // logic '0' followed by sequence Y
213 // end of communication
214 Uart
.state
= STATE_UNSYNCD
;
217 // if(Uart.drop == DROP_FIRST_HALF) {
218 // Uart.state = STATE_MILLER_Z; stay the same
219 // we see a logic '0' }
220 if(Uart
.drop
== DROP_SECOND_HALF
) {
221 // we see a logic '1'
222 Uart
.shiftReg
|= 0x100;
223 Uart
.state
= STATE_MILLER_X
;
229 if(Uart
.drop
== DROP_NONE
) {
230 // sequence Y, we see a '0'
231 Uart
.state
= STATE_MILLER_Y
;
234 if(Uart
.drop
== DROP_FIRST_HALF
) {
235 // Would be STATE_MILLER_Z
236 // but Z does not follow X, so error
237 Uart
.state
= STATE_ERROR_WAIT
;
240 if(Uart
.drop
== DROP_SECOND_HALF
) {
241 // We see a '1' and stay in state X
242 Uart
.shiftReg
|= 0x100;
250 if(Uart
.drop
== DROP_NONE
) {
251 // logic '0' followed by sequence Y
252 // end of communication
253 Uart
.state
= STATE_UNSYNCD
;
256 if(Uart
.drop
== DROP_FIRST_HALF
) {
258 Uart
.state
= STATE_MILLER_Z
;
260 if(Uart
.drop
== DROP_SECOND_HALF
) {
261 // We see a '1' and go to state X
262 Uart
.shiftReg
|= 0x100;
263 Uart
.state
= STATE_MILLER_X
;
267 case STATE_ERROR_WAIT
:
268 // That went wrong. Now wait for at least two bit periods
269 // and try to sync again
270 if(Uart
.drop
== DROP_NONE
) {
272 Uart
.state
= STATE_UNSYNCD
;
277 Uart
.state
= STATE_UNSYNCD
;
282 Uart
.drop
= DROP_NONE
;
284 // should have received at least one whole byte...
285 if((Uart
.bitCnt
== 2) && EOC
&& (Uart
.byteCnt
> 0)) {
289 if(Uart
.bitCnt
== 9) {
290 Uart
.output
[Uart
.byteCnt
] = (Uart
.shiftReg
& 0xff);
293 Uart
.parityBits
<<= 1;
294 Uart
.parityBits
^= ((Uart
.shiftReg
>> 8) & 0x01);
297 // when End of Communication received and
298 // all data bits processed..
305 Uart.output[Uart.byteCnt] = 0xAA;
307 Uart.output[Uart.byteCnt] = error & 0xFF;
309 Uart.output[Uart.byteCnt] = 0xAA;
311 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
313 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
315 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
317 Uart.output[Uart.byteCnt] = 0xAA;
325 bit
= Uart
.bitBuffer
& 0xf0;
329 // should have been high or at least (4 * 128) / fc
330 // according to ISO this should be at least (9 * 128 + 20) / fc
331 if(Uart
.highCnt
== 8) {
332 // we went low, so this could be start of communication
333 // it turns out to be safer to choose a less significant
334 // syncbit... so we check whether the neighbour also represents the drop
335 Uart
.posCnt
= 1; // apparently we are busy with our first half bit period
336 Uart
.syncBit
= bit
& 8;
338 if(!Uart
.syncBit
) { Uart
.syncBit
= bit
& 4; Uart
.samples
= 2; }
339 else if(bit
& 4) { Uart
.syncBit
= bit
& 4; Uart
.samples
= 2; bit
<<= 2; }
340 if(!Uart
.syncBit
) { Uart
.syncBit
= bit
& 2; Uart
.samples
= 1; }
341 else if(bit
& 2) { Uart
.syncBit
= bit
& 2; Uart
.samples
= 1; bit
<<= 1; }
342 if(!Uart
.syncBit
) { Uart
.syncBit
= bit
& 1; Uart
.samples
= 0;
343 if(Uart
.syncBit
& (Uart
.bitBuffer
& 8)) {
346 // the first half bit period is expected in next sample
351 else if(bit
& 1) { Uart
.syncBit
= bit
& 1; Uart
.samples
= 0; }
354 Uart
.state
= STATE_START_OF_COMMUNICATION
;
355 Uart
.drop
= DROP_FIRST_HALF
;
366 if(Uart
.highCnt
< 8) {
375 //=============================================================================
376 // ISO 14443 Type A - Manchester
377 //=============================================================================
382 DEMOD_START_OF_COMMUNICATION
,
405 static int ManchesterDecoding(int v
)
421 if(Demod
.state
==DEMOD_UNSYNCD
) {
422 Demod
.output
[Demod
.len
] = 0xfa;
425 Demod
.posCount
= 1; // This is the first half bit period, so after syncing handle the second part
426 if(bit
& 0x08) { Demod
.syncBit
= 0x08; }
428 if(bit
& 0x04) { Demod
.syncBit
= 0x04; }
430 else if(bit
& 0x04) { Demod
.syncBit
= 0x04; bit
<<= 4; }
432 if(bit
& 0x02) { Demod
.syncBit
= 0x02; }
434 else if(bit
& 0x02) { Demod
.syncBit
= 0x02; bit
<<= 4; }
436 if(bit
& 0x01) { Demod
.syncBit
= 0x01; }
438 if(Demod
.syncBit
& (Demod
.buffer
& 0x08)) {
439 Demod
.syncBit
= 0x08;
441 // The first half bitperiod is expected in next sample
443 Demod
.output
[Demod
.len
] = 0xfb;
446 else if(bit
& 0x01) { Demod
.syncBit
= 0x01; }
450 Demod
.state
= DEMOD_START_OF_COMMUNICATION
;
451 Demod
.sub
= SUB_FIRST_HALF
;
454 Demod
.parityBits
= 0;
457 switch(Demod
.syncBit
) {
458 case 0x08: Demod
.samples
= 3; break;
459 case 0x04: Demod
.samples
= 2; break;
460 case 0x02: Demod
.samples
= 1; break;
461 case 0x01: Demod
.samples
= 0; break;
468 //modulation = bit & Demod.syncBit;
469 modulation
= ((bit
<< 1) ^ ((Demod
.buffer
& 0x08) >> 3)) & Demod
.syncBit
;
473 if(Demod
.posCount
==0) {
476 Demod
.sub
= SUB_FIRST_HALF
;
479 Demod
.sub
= SUB_NONE
;
484 if(modulation
&& (Demod
.sub
== SUB_FIRST_HALF
)) {
485 if(Demod
.state
!=DEMOD_ERROR_WAIT
) {
486 Demod
.state
= DEMOD_ERROR_WAIT
;
487 Demod
.output
[Demod
.len
] = 0xaa;
491 else if(modulation
) {
492 Demod
.sub
= SUB_SECOND_HALF
;
495 switch(Demod
.state
) {
496 case DEMOD_START_OF_COMMUNICATION
:
497 if(Demod
.sub
== SUB_FIRST_HALF
) {
498 Demod
.state
= DEMOD_MANCHESTER_D
;
501 Demod
.output
[Demod
.len
] = 0xab;
502 Demod
.state
= DEMOD_ERROR_WAIT
;
507 case DEMOD_MANCHESTER_D
:
508 case DEMOD_MANCHESTER_E
:
509 if(Demod
.sub
== SUB_FIRST_HALF
) {
511 Demod
.shiftReg
= (Demod
.shiftReg
>> 1) ^ 0x100;
512 Demod
.state
= DEMOD_MANCHESTER_D
;
514 else if(Demod
.sub
== SUB_SECOND_HALF
) {
516 Demod
.shiftReg
>>= 1;
517 Demod
.state
= DEMOD_MANCHESTER_E
;
520 Demod
.state
= DEMOD_MANCHESTER_F
;
524 case DEMOD_MANCHESTER_F
:
525 // Tag response does not need to be a complete byte!
526 if(Demod
.len
> 0 || Demod
.bitCount
> 0) {
527 if(Demod
.bitCount
> 0) {
528 Demod
.shiftReg
>>= (9 - Demod
.bitCount
);
529 Demod
.output
[Demod
.len
] = Demod
.shiftReg
& 0xff;
531 // No parity bit, so just shift a 0
532 Demod
.parityBits
<<= 1;
535 Demod
.state
= DEMOD_UNSYNCD
;
539 Demod
.output
[Demod
.len
] = 0xad;
540 Demod
.state
= DEMOD_ERROR_WAIT
;
545 case DEMOD_ERROR_WAIT
:
546 Demod
.state
= DEMOD_UNSYNCD
;
550 Demod
.output
[Demod
.len
] = 0xdd;
551 Demod
.state
= DEMOD_UNSYNCD
;
555 if(Demod
.bitCount
>=9) {
556 Demod
.output
[Demod
.len
] = Demod
.shiftReg
& 0xff;
559 Demod
.parityBits
<<= 1;
560 Demod
.parityBits
^= ((Demod
.shiftReg
>> 8) & 0x01);
567 Demod.output[Demod.len] = 0xBB;
569 Demod.output[Demod.len] = error & 0xFF;
571 Demod.output[Demod.len] = 0xBB;
573 Demod.output[Demod.len] = bit & 0xFF;
575 Demod.output[Demod.len] = Demod.buffer & 0xFF;
577 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
579 Demod.output[Demod.len] = 0xBB;
586 } // end (state != UNSYNCED)
591 //=============================================================================
592 // Finally, a `sniffer' for ISO 14443 Type A
593 // Both sides of communication!
594 //=============================================================================
596 //-----------------------------------------------------------------------------
597 // Record the sequence of commands sent by the reader to the tag, with
598 // triggering so that we start recording at the point that the tag is moved
600 //-----------------------------------------------------------------------------
601 void SnoopIso14443a(void)
603 // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
604 // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
605 // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
606 // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
607 // #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
609 // We won't start recording the frames that we acquire until we trigger;
610 // a good trigger condition to get started is probably when we see a
611 // response from the tag.
612 int triggered
= FALSE
; // FALSE to wait first for card
614 // The command (reader -> tag) that we're receiving.
615 // The length of a received command will in most cases be no more than 18 bytes.
616 // So 32 should be enough!
617 uint8_t *receivedCmd
= (((uint8_t *)BigBuf
) + RECV_CMD_OFFSET
);
618 // The response (tag -> reader) that we're receiving.
619 uint8_t *receivedResponse
= (((uint8_t *)BigBuf
) + RECV_RES_OFFSET
);
621 // As we receive stuff, we copy it from receivedCmd or receivedResponse
622 // into trace, along with its length and other annotations.
623 //uint8_t *trace = (uint8_t *)BigBuf;
626 // The DMA buffer, used to stream samples from the FPGA
627 int8_t *dmaBuf
= ((int8_t *)BigBuf
) + DMA_BUFFER_OFFSET
;
633 // Count of samples received so far, so that we can include timing
634 // information in the trace buffer.
638 memset(trace
, 0x44, RECV_CMD_OFFSET
);
640 // Set up the demodulator for tag -> reader responses.
641 Demod
.output
= receivedResponse
;
643 Demod
.state
= DEMOD_UNSYNCD
;
645 // Setup for the DMA.
648 lastRxCounter
= DMA_BUFFER_SIZE
;
649 FpgaSetupSscDma((uint8_t *)dmaBuf
, DMA_BUFFER_SIZE
);
651 // And the reader -> tag commands
652 memset(&Uart
, 0, sizeof(Uart
));
653 Uart
.output
= receivedCmd
;
654 Uart
.byteCntMax
= 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
655 Uart
.state
= STATE_UNSYNCD
;
657 // And put the FPGA in the appropriate mode
658 // Signal field is off with the appropriate LED
660 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_SNIFFER
);
661 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
664 // And now we loop, receiving samples.
668 int behindBy
= (lastRxCounter
- AT91C_BASE_PDC_SSC
->PDC_RCR
) &
670 if(behindBy
> maxBehindBy
) {
671 maxBehindBy
= behindBy
;
673 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy
);
677 if(behindBy
< 1) continue;
683 if(upTo
- dmaBuf
> DMA_BUFFER_SIZE
) {
684 upTo
-= DMA_BUFFER_SIZE
;
685 lastRxCounter
+= DMA_BUFFER_SIZE
;
686 AT91C_BASE_PDC_SSC
->PDC_RNPR
= (uint32_t) upTo
;
687 AT91C_BASE_PDC_SSC
->PDC_RNCR
= DMA_BUFFER_SIZE
;
691 if(MillerDecoding((smpl
& 0xF0) >> 4)) {
692 rsamples
= samples
- Uart
.samples
;
695 trace
[traceLen
++] = ((rsamples
>> 0) & 0xff);
696 trace
[traceLen
++] = ((rsamples
>> 8) & 0xff);
697 trace
[traceLen
++] = ((rsamples
>> 16) & 0xff);
698 trace
[traceLen
++] = ((rsamples
>> 24) & 0xff);
699 trace
[traceLen
++] = ((Uart
.parityBits
>> 0) & 0xff);
700 trace
[traceLen
++] = ((Uart
.parityBits
>> 8) & 0xff);
701 trace
[traceLen
++] = ((Uart
.parityBits
>> 16) & 0xff);
702 trace
[traceLen
++] = ((Uart
.parityBits
>> 24) & 0xff);
703 trace
[traceLen
++] = Uart
.byteCnt
;
704 memcpy(trace
+traceLen
, receivedCmd
, Uart
.byteCnt
);
705 traceLen
+= Uart
.byteCnt
;
706 if(traceLen
> TRACE_LENGTH
) break;
708 /* And ready to receive another command. */
709 Uart
.state
= STATE_UNSYNCD
;
710 /* And also reset the demod code, which might have been */
711 /* false-triggered by the commands from the reader. */
712 Demod
.state
= DEMOD_UNSYNCD
;
716 if(ManchesterDecoding(smpl
& 0x0F)) {
717 rsamples
= samples
- Demod
.samples
;
720 // timestamp, as a count of samples
721 trace
[traceLen
++] = ((rsamples
>> 0) & 0xff);
722 trace
[traceLen
++] = ((rsamples
>> 8) & 0xff);
723 trace
[traceLen
++] = ((rsamples
>> 16) & 0xff);
724 trace
[traceLen
++] = 0x80 | ((rsamples
>> 24) & 0xff);
725 trace
[traceLen
++] = ((Demod
.parityBits
>> 0) & 0xff);
726 trace
[traceLen
++] = ((Demod
.parityBits
>> 8) & 0xff);
727 trace
[traceLen
++] = ((Demod
.parityBits
>> 16) & 0xff);
728 trace
[traceLen
++] = ((Demod
.parityBits
>> 24) & 0xff);
730 trace
[traceLen
++] = Demod
.len
;
731 memcpy(trace
+traceLen
, receivedResponse
, Demod
.len
);
732 traceLen
+= Demod
.len
;
733 if(traceLen
> TRACE_LENGTH
) break;
737 // And ready to receive another response.
738 memset(&Demod
, 0, sizeof(Demod
));
739 Demod
.output
= receivedResponse
;
740 Demod
.state
= DEMOD_UNSYNCD
;
745 DbpString("cancelled_a");
750 DbpString("COMMAND FINISHED");
752 Dbprintf("%x %x %x", maxBehindBy
, Uart
.state
, Uart
.byteCnt
);
753 Dbprintf("%x %x %x", Uart
.byteCntMax
, traceLen
, (int)Uart
.output
[0]);
756 AT91C_BASE_PDC_SSC
->PDC_PTCR
= AT91C_PDC_RXTDIS
;
757 Dbprintf("%x %x %x", maxBehindBy
, Uart
.state
, Uart
.byteCnt
);
758 Dbprintf("%x %x %x", Uart
.byteCntMax
, traceLen
, (int)Uart
.output
[0]);
765 //-----------------------------------------------------------------------------
766 // Prepare tag messages
767 //-----------------------------------------------------------------------------
768 static void CodeIso14443aAsTag(const uint8_t *cmd
, int len
)
775 // Correction bit, might be removed when not needed
780 ToSendStuffBit(1); // 1
786 ToSend
[++ToSendMax
] = SEC_D
;
788 for(i
= 0; i
< len
; i
++) {
794 for(j
= 0; j
< 8; j
++) {
795 oddparity
^= (b
& 1);
797 ToSend
[++ToSendMax
] = SEC_D
;
799 ToSend
[++ToSendMax
] = SEC_E
;
806 ToSend
[++ToSendMax
] = SEC_D
;
808 ToSend
[++ToSendMax
] = SEC_E
;
813 ToSend
[++ToSendMax
] = SEC_F
;
815 // Flush the buffer in FPGA!!
816 for(i
= 0; i
< 5; i
++) {
817 ToSend
[++ToSendMax
] = SEC_F
;
820 // Convert from last byte pos to length
823 // Add a few more for slop
824 ToSend
[ToSendMax
++] = 0x00;
825 ToSend
[ToSendMax
++] = 0x00;
829 //-----------------------------------------------------------------------------
830 // This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
831 //-----------------------------------------------------------------------------
832 static void CodeStrangeAnswer()
838 // Correction bit, might be removed when not needed
843 ToSendStuffBit(1); // 1
849 ToSend
[++ToSendMax
] = SEC_D
;
852 ToSend
[++ToSendMax
] = SEC_E
;
855 ToSend
[++ToSendMax
] = SEC_E
;
858 ToSend
[++ToSendMax
] = SEC_D
;
861 ToSend
[++ToSendMax
] = SEC_F
;
863 // Flush the buffer in FPGA!!
864 for(i
= 0; i
< 5; i
++) {
865 ToSend
[++ToSendMax
] = SEC_F
;
868 // Convert from last byte pos to length
871 // Add a few more for slop
872 ToSend
[ToSendMax
++] = 0x00;
873 ToSend
[ToSendMax
++] = 0x00;
877 //-----------------------------------------------------------------------------
878 // Wait for commands from reader
879 // Stop when button is pressed
880 // Or return TRUE when command is captured
881 //-----------------------------------------------------------------------------
882 static int GetIso14443aCommandFromReader(uint8_t *received
, int *len
, int maxLen
)
884 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
885 // only, since we are receiving, not transmitting).
886 // Signal field is off with the appropriate LED
888 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_TAGSIM_LISTEN
);
890 // Now run a `software UART' on the stream of incoming samples.
891 Uart
.output
= received
;
892 Uart
.byteCntMax
= maxLen
;
893 Uart
.state
= STATE_UNSYNCD
;
898 if(BUTTON_PRESS()) return FALSE
;
900 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
901 AT91C_BASE_SSC
->SSC_THR
= 0x00;
903 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
904 uint8_t b
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
;
905 if(MillerDecoding((b
& 0xf0) >> 4)) {
909 if(MillerDecoding(b
& 0x0f)) {
917 //-----------------------------------------------------------------------------
918 // Main loop of simulated tag: receive commands from reader, decide what
919 // response to send, and send it.
920 //-----------------------------------------------------------------------------
921 void SimulateIso14443aTag(int tagType
, int TagUid
)
923 // This function contains the tag emulation
925 // Prepare protocol messages
926 // static const uint8_t cmd1[] = { 0x26 };
927 // static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
929 static const uint8_t response1
[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
930 // static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
933 // static const uint8_t cmd2[] = { 0x93, 0x20 };
934 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
937 static const uint8_t response2
[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
940 // When reader selects us during cascade1 it will send cmd3
941 //uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
942 uint8_t response3
[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
943 ComputeCrc14443(CRC_14443_A
, response3
, 1, &response3
[1], &response3
[2]);
945 // send cascade2 2nd half of UID
946 static const uint8_t response2a
[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
947 // NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
949 // When reader selects us during cascade2 it will send cmd3a
950 //uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
951 uint8_t response3a
[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
952 ComputeCrc14443(CRC_14443_A
, response3a
, 1, &response3a
[1], &response3a
[2]);
954 static const uint8_t response5
[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
959 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
961 // 144 data bits (18 * 8)
964 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
965 // 1 just for the case
969 // 166 bytes, since every bit that needs to be send costs us a byte
972 // Respond with card type
973 uint8_t *resp1
= (((uint8_t *)BigBuf
) + 800);
976 // Anticollision cascade1 - respond with uid
977 uint8_t *resp2
= (((uint8_t *)BigBuf
) + 970);
980 // Anticollision cascade2 - respond with 2nd half of uid if asked
981 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
982 uint8_t *resp2a
= (((uint8_t *)BigBuf
) + 1140);
985 // Acknowledge select - cascade 1
986 uint8_t *resp3
= (((uint8_t *)BigBuf
) + 1310);
989 // Acknowledge select - cascade 2
990 uint8_t *resp3a
= (((uint8_t *)BigBuf
) + 1480);
993 // Response to a read request - not implemented atm
994 uint8_t *resp4
= (((uint8_t *)BigBuf
) + 1550);
997 // Authenticate response - nonce
998 uint8_t *resp5
= (((uint8_t *)BigBuf
) + 1720);
1001 uint8_t *receivedCmd
= (uint8_t *)BigBuf
;
1008 // To control where we are in the protocol
1012 // Just to allow some checks
1020 memset(receivedCmd
, 0x44, 400);
1022 // Prepare the responses of the anticollision phase
1023 // there will be not enough time to do this at the moment the reader sends it REQA
1025 // Answer to request
1026 CodeIso14443aAsTag(response1
, sizeof(response1
));
1027 memcpy(resp1
, ToSend
, ToSendMax
); resp1Len
= ToSendMax
;
1029 // Send our UID (cascade 1)
1030 CodeIso14443aAsTag(response2
, sizeof(response2
));
1031 memcpy(resp2
, ToSend
, ToSendMax
); resp2Len
= ToSendMax
;
1033 // Answer to select (cascade1)
1034 CodeIso14443aAsTag(response3
, sizeof(response3
));
1035 memcpy(resp3
, ToSend
, ToSendMax
); resp3Len
= ToSendMax
;
1037 // Send the cascade 2 2nd part of the uid
1038 CodeIso14443aAsTag(response2a
, sizeof(response2a
));
1039 memcpy(resp2a
, ToSend
, ToSendMax
); resp2aLen
= ToSendMax
;
1041 // Answer to select (cascade 2)
1042 CodeIso14443aAsTag(response3a
, sizeof(response3a
));
1043 memcpy(resp3a
, ToSend
, ToSendMax
); resp3aLen
= ToSendMax
;
1045 // Strange answer is an example of rare message size (3 bits)
1046 CodeStrangeAnswer();
1047 memcpy(resp4
, ToSend
, ToSendMax
); resp4Len
= ToSendMax
;
1049 // Authentication answer (random nonce)
1050 CodeIso14443aAsTag(response5
, sizeof(response5
));
1051 memcpy(resp5
, ToSend
, ToSendMax
); resp5Len
= ToSendMax
;
1053 // We need to listen to the high-frequency, peak-detected path.
1054 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
1062 if(!GetIso14443aCommandFromReader(receivedCmd
, &len
, 100)) {
1063 DbpString("button press");
1066 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1067 // Okay, look at the command now.
1069 i
= 1; // first byte transmitted
1070 if(receivedCmd
[0] == 0x26) {
1071 // Received a REQUEST
1072 resp
= resp1
; respLen
= resp1Len
; order
= 1;
1073 //DbpString("Hello request from reader:");
1074 } else if(receivedCmd
[0] == 0x52) {
1075 // Received a WAKEUP
1076 resp
= resp1
; respLen
= resp1Len
; order
= 6;
1077 // //DbpString("Wakeup request from reader:");
1079 } else if(receivedCmd
[1] == 0x20 && receivedCmd
[0] == 0x93) { // greg - cascade 1 anti-collision
1080 // Received request for UID (cascade 1)
1081 resp
= resp2
; respLen
= resp2Len
; order
= 2;
1082 // DbpString("UID (cascade 1) request from reader:");
1083 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1086 } else if(receivedCmd
[1] == 0x20 && receivedCmd
[0] ==0x95) { // greg - cascade 2 anti-collision
1087 // Received request for UID (cascade 2)
1088 resp
= resp2a
; respLen
= resp2aLen
; order
= 20;
1089 // DbpString("UID (cascade 2) request from reader:");
1090 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1093 } else if(receivedCmd
[1] == 0x70 && receivedCmd
[0] ==0x93) { // greg - cascade 1 select
1094 // Received a SELECT
1095 resp
= resp3
; respLen
= resp3Len
; order
= 3;
1096 // DbpString("Select (cascade 1) request from reader:");
1097 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1100 } else if(receivedCmd
[1] == 0x70 && receivedCmd
[0] ==0x95) { // greg - cascade 2 select
1101 // Received a SELECT
1102 resp
= resp3a
; respLen
= resp3aLen
; order
= 30;
1103 // DbpString("Select (cascade 2) request from reader:");
1104 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1107 } else if(receivedCmd
[0] == 0x30) {
1109 resp
= resp4
; respLen
= resp4Len
; order
= 4; // Do nothing
1110 Dbprintf("Read request from reader: %x %x %x",
1111 receivedCmd
[0], receivedCmd
[1], receivedCmd
[2]);
1114 } else if(receivedCmd
[0] == 0x50) {
1116 resp
= resp1
; respLen
= 0; order
= 5; // Do nothing
1117 DbpString("Reader requested we HALT!:");
1119 } else if(receivedCmd
[0] == 0x60) {
1120 // Received an authentication request
1121 resp
= resp5
; respLen
= resp5Len
; order
= 7;
1122 Dbprintf("Authenticate request from reader: %x %x %x",
1123 receivedCmd
[0], receivedCmd
[1], receivedCmd
[2]);
1125 } else if(receivedCmd
[0] == 0xE0) {
1126 // Received a RATS request
1127 resp
= resp1
; respLen
= 0;order
= 70;
1128 Dbprintf("RATS request from reader: %x %x %x",
1129 receivedCmd
[0], receivedCmd
[1], receivedCmd
[2]);
1131 // Never seen this command before
1132 Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
1133 receivedCmd
[0], receivedCmd
[1], receivedCmd
[2],
1134 receivedCmd
[3], receivedCmd
[3], receivedCmd
[4],
1135 receivedCmd
[5], receivedCmd
[6], receivedCmd
[7]);
1137 resp
= resp1
; respLen
= 0; order
= 0;
1140 // Count number of wakeups received after a halt
1141 if(order
== 6 && lastorder
== 5) { happened
++; }
1143 // Count number of other messages after a halt
1144 if(order
!= 6 && lastorder
== 5) { happened2
++; }
1146 // Look at last parity bit to determine timing of answer
1147 if((Uart
.parityBits
& 0x01) || receivedCmd
[0] == 0x52) {
1148 // 1236, so correction bit needed
1152 memset(receivedCmd
, 0x44, 32);
1154 if(cmdsRecvd
> 999) {
1155 DbpString("1000 commands later...");
1162 if(respLen
<= 0) continue;
1164 // Modulate Manchester
1165 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_TAGSIM_MOD
);
1166 AT91C_BASE_SSC
->SSC_THR
= 0x00;
1169 // ### Transmit the response ###
1172 fdt_indicator
= FALSE
;
1174 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
1175 volatile uint8_t b
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
;
1178 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
1186 AT91C_BASE_SSC
->SSC_THR
= b
;
1192 if(BUTTON_PRESS()) {
1199 Dbprintf("%x %x %x", happened
, happened2
, cmdsRecvd
);
1203 //-----------------------------------------------------------------------------
1204 // Transmit the command (to the tag) that was placed in ToSend[].
1205 //-----------------------------------------------------------------------------
1206 static void TransmitFor14443a(const uint8_t *cmd
, int len
, int *samples
, int *wait
)
1210 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_READER_MOD
);
1216 for(c
= 0; c
< *wait
;) {
1217 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
1218 AT91C_BASE_SSC
->SSC_THR
= 0x00; // For exact timing!
1221 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
1222 volatile uint32_t r
= AT91C_BASE_SSC
->SSC_RHR
;
1230 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
1231 AT91C_BASE_SSC
->SSC_THR
= cmd
[c
];
1237 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
1238 volatile uint32_t r
= AT91C_BASE_SSC
->SSC_RHR
;
1243 if (samples
) *samples
= (c
+ *wait
) << 3;
1246 //-----------------------------------------------------------------------------
1247 // Code a 7-bit command without parity bit
1248 // This is especially for 0x26 and 0x52 (REQA and WUPA)
1249 //-----------------------------------------------------------------------------
1250 void ShortFrameFromReader(const uint8_t bt
)
1258 // Start of Communication (Seq. Z)
1259 ToSend
[++ToSendMax
] = SEC_Z
;
1263 for(j
= 0; j
< 7; j
++) {
1266 ToSend
[++ToSendMax
] = SEC_X
;
1271 ToSend
[++ToSendMax
] = SEC_Z
;
1275 ToSend
[++ToSendMax
] = SEC_Y
;
1282 // End of Communication
1285 ToSend
[++ToSendMax
] = SEC_Z
;
1289 ToSend
[++ToSendMax
] = SEC_Y
;
1293 ToSend
[++ToSendMax
] = SEC_Y
;
1296 ToSend
[++ToSendMax
] = SEC_Y
;
1297 ToSend
[++ToSendMax
] = SEC_Y
;
1298 ToSend
[++ToSendMax
] = SEC_Y
;
1300 // Convert from last character reference to length
1304 //-----------------------------------------------------------------------------
1305 // Prepare reader command to send to FPGA
1307 //-----------------------------------------------------------------------------
1308 void CodeIso14443aAsReaderPar(const uint8_t * cmd
, int len
, uint32_t dwParity
)
1316 // Start of Communication (Seq. Z)
1317 ToSend
[++ToSendMax
] = SEC_Z
;
1320 // Generate send structure for the data bits
1321 for (i
= 0; i
< len
; i
++) {
1322 // Get the current byte to send
1325 for (j
= 0; j
< 8; j
++) {
1328 ToSend
[++ToSendMax
] = SEC_X
;
1333 ToSend
[++ToSendMax
] = SEC_Z
;
1336 ToSend
[++ToSendMax
] = SEC_Y
;
1343 // Get the parity bit
1344 if ((dwParity
>> i
) & 0x01) {
1346 ToSend
[++ToSendMax
] = SEC_X
;
1351 ToSend
[++ToSendMax
] = SEC_Z
;
1354 ToSend
[++ToSendMax
] = SEC_Y
;
1360 // End of Communication
1363 ToSend
[++ToSendMax
] = SEC_Z
;
1366 ToSend
[++ToSendMax
] = SEC_Y
;
1370 ToSend
[++ToSendMax
] = SEC_Y
;
1373 ToSend
[++ToSendMax
] = SEC_Y
;
1374 ToSend
[++ToSendMax
] = SEC_Y
;
1375 ToSend
[++ToSendMax
] = SEC_Y
;
1377 // Convert from last character reference to length
1381 //-----------------------------------------------------------------------------
1382 // Wait a certain time for tag response
1383 // If a response is captured return TRUE
1384 // If it takes to long return FALSE
1385 //-----------------------------------------------------------------------------
1386 static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse
, int maxLen
, int *samples
, int *elapsed
) //uint8_t *buffer
1388 // buffer needs to be 512 bytes
1391 // Set FPGA mode to "reader listen mode", no modulation (listen
1392 // only, since we are receiving, not transmitting).
1393 // Signal field is on with the appropriate LED
1395 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_READER_LISTEN
);
1397 // Now get the answer from the card
1398 Demod
.output
= receivedResponse
;
1400 Demod
.state
= DEMOD_UNSYNCD
;
1403 if (elapsed
) *elapsed
= 0;
1409 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
1410 AT91C_BASE_SSC
->SSC_THR
= 0x00; // To make use of exact timing of next command from reader!!
1411 if (elapsed
) (*elapsed
)++;
1413 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
1414 if(c
< 2048) { c
++; } else { return FALSE
; }
1415 b
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
;
1416 if(ManchesterDecoding((b
>>4) & 0xf)) {
1417 *samples
= ((c
- 1) << 3) + 4;
1420 if(ManchesterDecoding(b
& 0x0f)) {
1428 void ReaderTransmitShort(const uint8_t* bt
)
1433 ShortFrameFromReader(*bt
);
1436 TransmitFor14443a(ToSend
, ToSendMax
, &samples
, &wait
);
1438 // Store reader command in buffer
1439 if (tracing
) LogTrace(bt
,1,0,GetParity(bt
,1),TRUE
);
1442 void ReaderTransmitPar(uint8_t* frame
, int len
, uint32_t par
)
1447 // This is tied to other size changes
1448 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
1449 CodeIso14443aAsReaderPar(frame
,len
,par
);
1452 TransmitFor14443a(ToSend
, ToSendMax
, &samples
, &wait
);
1454 // Store reader command in buffer
1455 if (tracing
) LogTrace(frame
,len
,0,par
,TRUE
);
1459 void ReaderTransmit(uint8_t* frame
, int len
)
1461 // Generate parity and redirect
1462 ReaderTransmitPar(frame
,len
,GetParity(frame
,len
));
1465 int ReaderReceive(uint8_t* receivedAnswer
)
1468 if (!GetIso14443aAnswerFromTag(receivedAnswer
,100,&samples
,0)) return FALSE
;
1469 if (tracing
) LogTrace(receivedAnswer
,Demod
.len
,samples
,Demod
.parityBits
,FALSE
);
1470 if(samples
== 0) return FALSE
;
1474 /* performs iso14443a anticolision procedure
1475 * fills the uid pointer */
1476 int iso14443a_select_card(uint8_t * uid_ptr
) {
1477 uint8_t wupa
[] = { 0x52 };
1478 uint8_t sel_all
[] = { 0x93,0x20 };
1479 uint8_t sel_uid
[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1480 uint8_t sel_all_c2
[] = { 0x95,0x20 };
1481 uint8_t sel_uid_c2
[] = { 0x95,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1482 uint8_t rats
[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
1484 uint8_t* resp
= (((uint8_t *)BigBuf
) + 3560); // was 3560 - tied to other size changes
1485 uint8_t* uid
= resp
+ 7;
1489 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1490 ReaderTransmitShort(wupa
);
1492 if(!ReaderReceive(resp
)) return 0;
1493 // if(*(uint16_t *) resp == 0x4403) MIFARE_CLASSIC
1494 // if(*(uint16_t *) resp == 0x0400) MIFARE_DESFIRE
1496 ReaderTransmit(sel_all
,sizeof(sel_all
)); // SELECT_ALL
1497 if(!ReaderReceive(uid
)) return 0;
1499 // Construct SELECT UID command
1500 // First copy the 5 bytes (Mifare Classic) after the 93 70
1501 memcpy(sel_uid
+2,uid
,5);
1502 // Secondly compute the two CRC bytes at the end
1503 AppendCrc14443a(sel_uid
,7);
1505 ReaderTransmit(sel_uid
,sizeof(sel_uid
));
1507 if (!ReaderReceive(resp
)) return 0;
1509 // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in
1510 // which case we need to make a cascade 2 request and select - this is a long UID
1511 // When the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1512 if (resp
[0] &= 0x04)
1514 ReaderTransmit(sel_all_c2
,sizeof(sel_all_c2
));
1515 if (!ReaderReceive(uid
+5)) return 0;
1517 // Construct SELECT UID command
1518 memcpy(sel_uid_c2
+2,uid
+5,5);
1519 AppendCrc14443a(sel_uid_c2
,7);
1520 ReaderTransmit(sel_uid_c2
,sizeof(sel_uid_c2
));
1522 if (!ReaderReceive(resp
)) return 0;
1524 if(uid_ptr
) memcpy(uid_ptr
, uid
, 10);
1525 if( (resp
[0] & 0x20) == 0)
1526 return 2; // non iso14443a compliant tag
1527 // Request for answer to select
1528 AppendCrc14443a(rats
, 2);
1529 ReaderTransmit(rats
, sizeof(rats
));
1530 if (!(len
= ReaderReceive(resp
))) return 0;
1534 void iso14443a_setup() {
1537 // Start from off (no field generated)
1538 // Signal field is off with the appropriate LED
1540 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1543 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
1545 // Now give it time to spin up.
1546 // Signal field is on with the appropriate LED
1548 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_READER_MOD
);
1552 //-----------------------------------------------------------------------------
1553 // Read an ISO 14443a tag. Send out commands and store answers.
1555 //-----------------------------------------------------------------------------
1556 void ReaderIso14443a(uint32_t parameter
)
1560 uint8_t mf_auth
[] = { 0x60,0x00,0xf5,0x7b };
1561 // uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00 };
1563 uint8_t* receivedAnswer
= (((uint8_t *)BigBuf
) + 3560); // was 3560 - tied to other size changes
1572 while(traceLen
< TRACE_LENGTH
)
1574 // Test if the action was cancelled
1575 if(BUTTON_PRESS()) break;
1577 if(!iso14443a_select_card(NULL
)) {
1578 DbpString("iso14443a setup failed");
1582 // Transmit MIFARE_CLASSIC_AUTH
1583 ReaderTransmit(mf_auth
,sizeof(mf_auth
));
1585 // Receive the (16 bit) "random" nonce
1586 if (!ReaderReceive(receivedAnswer
)) continue;
1590 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1592 Dbprintf("%x %x %x", rsamples
, 0xCC, 0xCC);
1593 DbpString("ready..");
1596 //-----------------------------------------------------------------------------
1597 // Read an ISO 14443a tag. Send out commands and store answers.
1599 //-----------------------------------------------------------------------------
1600 void ReaderMifare(uint32_t parameter
)
1603 uint8_t mf_auth
[] = { 0x60,0x00,0xf5,0x7b };
1604 uint8_t mf_nr_ar
[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1606 uint8_t* receivedAnswer
= (((uint8_t *)BigBuf
) + 3560); // was 3560 - tied to other size changes
1619 byte_t par_mask
= 0xff;
1625 byte_t nt_attacked
[4];
1628 num_to_bytes(parameter
,4,nt_attacked
);
1632 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1634 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_READER_MOD
);
1636 // Test if the action was cancelled
1637 if(BUTTON_PRESS()) {
1641 if(!iso14443a_select_card(NULL
)) continue;
1643 // Transmit MIFARE_CLASSIC_AUTH
1644 ReaderTransmit(mf_auth
,sizeof(mf_auth
));
1646 // Receive the (16 bit) "random" nonce
1647 if (!ReaderReceive(receivedAnswer
)) continue;
1648 memcpy(nt
,receivedAnswer
,4);
1650 // Transmit reader nonce and reader answer
1651 ReaderTransmitPar(mf_nr_ar
,sizeof(mf_nr_ar
),par
);
1653 // Receive 4 bit answer
1654 if (ReaderReceive(receivedAnswer
))
1659 memcpy(nt_attacked
,nt
,4);
1661 par_low
= par
& 0x07;
1664 if (memcmp(nt
,nt_attacked
,4) != 0) continue;
1667 if(led_on
) LED_B_ON(); else LED_B_OFF();
1668 par_list
[nt_diff
] = par
;
1669 ks_list
[nt_diff
] = receivedAnswer
[0]^0x05;
1671 // Test if the information is complete
1672 if (nt_diff
== 0x07) break;
1674 nt_diff
= (nt_diff
+1) & 0x07;
1675 mf_nr_ar
[3] = nt_diff
<< 5;
1682 par
= (((par
>>3)+1) << 3) | par_low
;
1687 LogTrace(nt
,4,0,GetParity(nt
,4),TRUE
);
1688 LogTrace(par_list
,8,0,GetParity(par_list
,8),TRUE
);
1689 LogTrace(ks_list
,8,0,GetParity(ks_list
,8),TRUE
);
1692 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);