]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443a.c
e228b7fd8246a73c6b1054a38d3de8343ea1a8b0
[proxmark3-svn] / armsrc / iso14443a.c
1 //-----------------------------------------------------------------------------
2 // Gerhard de Koning Gans - May 2008
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Routines to support ISO 14443 type A.
9 //-----------------------------------------------------------------------------
10
11 #include "proxmark3.h"
12 #include "apps.h"
13 #include "util.h"
14 #include "string.h"
15
16 #include "iso14443crc.h"
17
18 static uint8_t *trace = (uint8_t *) BigBuf;
19 static int traceLen = 0;
20 static int rsamples = 0;
21 static int tracing = TRUE;
22
23 // CARD TO READER
24 // Sequence D: 11110000 modulation with subcarrier during first half
25 // Sequence E: 00001111 modulation with subcarrier during second half
26 // Sequence F: 00000000 no modulation with subcarrier
27 // READER TO CARD
28 // Sequence X: 00001100 drop after half a period
29 // Sequence Y: 00000000 no drop
30 // Sequence Z: 11000000 drop at start
31 #define SEC_D 0xf0
32 #define SEC_E 0x0f
33 #define SEC_F 0x00
34 #define SEC_X 0x0c
35 #define SEC_Y 0x00
36 #define SEC_Z 0xc0
37
38 static const uint8_t OddByteParity[256] = {
39 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
40 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
41 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
42 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
43 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
44 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
45 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
46 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
47 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
48 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
49 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
50 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
51 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
52 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
55 };
56
57 // BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
58 #define RECV_CMD_OFFSET 3032
59 #define RECV_RES_OFFSET 3096
60 #define DMA_BUFFER_OFFSET 3160
61 #define DMA_BUFFER_SIZE 4096
62 #define TRACE_LENGTH 3000
63
64 //-----------------------------------------------------------------------------
65 // Generate the parity value for a byte sequence
66 //
67 //-----------------------------------------------------------------------------
68 uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
69 {
70 int i;
71 uint32_t dwPar = 0;
72
73 // Generate the encrypted data
74 for (i = 0; i < iLen; i++) {
75 // Save the encrypted parity bit
76 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
77 }
78 return dwPar;
79 }
80
81 static void AppendCrc14443a(uint8_t* data, int len)
82 {
83 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
84 }
85
86 int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
87 {
88 // Return when trace is full
89 if (traceLen >= TRACE_LENGTH) return FALSE;
90
91 // Trace the random, i'm curious
92 rsamples += iSamples;
93 trace[traceLen++] = ((rsamples >> 0) & 0xff);
94 trace[traceLen++] = ((rsamples >> 8) & 0xff);
95 trace[traceLen++] = ((rsamples >> 16) & 0xff);
96 trace[traceLen++] = ((rsamples >> 24) & 0xff);
97 if (!bReader) {
98 trace[traceLen - 1] |= 0x80;
99 }
100 trace[traceLen++] = ((dwParity >> 0) & 0xff);
101 trace[traceLen++] = ((dwParity >> 8) & 0xff);
102 trace[traceLen++] = ((dwParity >> 16) & 0xff);
103 trace[traceLen++] = ((dwParity >> 24) & 0xff);
104 trace[traceLen++] = iLen;
105 memcpy(trace + traceLen, btBytes, iLen);
106 traceLen += iLen;
107 return TRUE;
108 }
109
110 //-----------------------------------------------------------------------------
111 // The software UART that receives commands from the reader, and its state
112 // variables.
113 //-----------------------------------------------------------------------------
114 static struct {
115 enum {
116 STATE_UNSYNCD,
117 STATE_START_OF_COMMUNICATION,
118 STATE_MILLER_X,
119 STATE_MILLER_Y,
120 STATE_MILLER_Z,
121 STATE_ERROR_WAIT
122 } state;
123 uint16_t shiftReg;
124 int bitCnt;
125 int byteCnt;
126 int byteCntMax;
127 int posCnt;
128 int syncBit;
129 int parityBits;
130 int samples;
131 int highCnt;
132 int bitBuffer;
133 enum {
134 DROP_NONE,
135 DROP_FIRST_HALF,
136 DROP_SECOND_HALF
137 } drop;
138 uint8_t *output;
139 } Uart;
140
141 static int MillerDecoding(int bit)
142 {
143 int error = 0;
144 int bitright;
145
146 if(!Uart.bitBuffer) {
147 Uart.bitBuffer = bit ^ 0xFF0;
148 return FALSE;
149 }
150 else {
151 Uart.bitBuffer <<= 4;
152 Uart.bitBuffer ^= bit;
153 }
154
155 int EOC = FALSE;
156
157 if(Uart.state != STATE_UNSYNCD) {
158 Uart.posCnt++;
159
160 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
161 bit = 0x00;
162 }
163 else {
164 bit = 0x01;
165 }
166 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
167 bitright = 0x00;
168 }
169 else {
170 bitright = 0x01;
171 }
172 if(bit != bitright) { bit = bitright; }
173
174 if(Uart.posCnt == 1) {
175 // measurement first half bitperiod
176 if(!bit) {
177 Uart.drop = DROP_FIRST_HALF;
178 }
179 }
180 else {
181 // measurement second half bitperiod
182 if(!bit & (Uart.drop == DROP_NONE)) {
183 Uart.drop = DROP_SECOND_HALF;
184 }
185 else if(!bit) {
186 // measured a drop in first and second half
187 // which should not be possible
188 Uart.state = STATE_ERROR_WAIT;
189 error = 0x01;
190 }
191
192 Uart.posCnt = 0;
193
194 switch(Uart.state) {
195 case STATE_START_OF_COMMUNICATION:
196 Uart.shiftReg = 0;
197 if(Uart.drop == DROP_SECOND_HALF) {
198 // error, should not happen in SOC
199 Uart.state = STATE_ERROR_WAIT;
200 error = 0x02;
201 }
202 else {
203 // correct SOC
204 Uart.state = STATE_MILLER_Z;
205 }
206 break;
207
208 case STATE_MILLER_Z:
209 Uart.bitCnt++;
210 Uart.shiftReg >>= 1;
211 if(Uart.drop == DROP_NONE) {
212 // logic '0' followed by sequence Y
213 // end of communication
214 Uart.state = STATE_UNSYNCD;
215 EOC = TRUE;
216 }
217 // if(Uart.drop == DROP_FIRST_HALF) {
218 // Uart.state = STATE_MILLER_Z; stay the same
219 // we see a logic '0' }
220 if(Uart.drop == DROP_SECOND_HALF) {
221 // we see a logic '1'
222 Uart.shiftReg |= 0x100;
223 Uart.state = STATE_MILLER_X;
224 }
225 break;
226
227 case STATE_MILLER_X:
228 Uart.shiftReg >>= 1;
229 if(Uart.drop == DROP_NONE) {
230 // sequence Y, we see a '0'
231 Uart.state = STATE_MILLER_Y;
232 Uart.bitCnt++;
233 }
234 if(Uart.drop == DROP_FIRST_HALF) {
235 // Would be STATE_MILLER_Z
236 // but Z does not follow X, so error
237 Uart.state = STATE_ERROR_WAIT;
238 error = 0x03;
239 }
240 if(Uart.drop == DROP_SECOND_HALF) {
241 // We see a '1' and stay in state X
242 Uart.shiftReg |= 0x100;
243 Uart.bitCnt++;
244 }
245 break;
246
247 case STATE_MILLER_Y:
248 Uart.bitCnt++;
249 Uart.shiftReg >>= 1;
250 if(Uart.drop == DROP_NONE) {
251 // logic '0' followed by sequence Y
252 // end of communication
253 Uart.state = STATE_UNSYNCD;
254 EOC = TRUE;
255 }
256 if(Uart.drop == DROP_FIRST_HALF) {
257 // we see a '0'
258 Uart.state = STATE_MILLER_Z;
259 }
260 if(Uart.drop == DROP_SECOND_HALF) {
261 // We see a '1' and go to state X
262 Uart.shiftReg |= 0x100;
263 Uart.state = STATE_MILLER_X;
264 }
265 break;
266
267 case STATE_ERROR_WAIT:
268 // That went wrong. Now wait for at least two bit periods
269 // and try to sync again
270 if(Uart.drop == DROP_NONE) {
271 Uart.highCnt = 6;
272 Uart.state = STATE_UNSYNCD;
273 }
274 break;
275
276 default:
277 Uart.state = STATE_UNSYNCD;
278 Uart.highCnt = 0;
279 break;
280 }
281
282 Uart.drop = DROP_NONE;
283
284 // should have received at least one whole byte...
285 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
286 return TRUE;
287 }
288
289 if(Uart.bitCnt == 9) {
290 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
291 Uart.byteCnt++;
292
293 Uart.parityBits <<= 1;
294 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
295
296 if(EOC) {
297 // when End of Communication received and
298 // all data bits processed..
299 return TRUE;
300 }
301 Uart.bitCnt = 0;
302 }
303
304 /*if(error) {
305 Uart.output[Uart.byteCnt] = 0xAA;
306 Uart.byteCnt++;
307 Uart.output[Uart.byteCnt] = error & 0xFF;
308 Uart.byteCnt++;
309 Uart.output[Uart.byteCnt] = 0xAA;
310 Uart.byteCnt++;
311 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
312 Uart.byteCnt++;
313 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
314 Uart.byteCnt++;
315 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
316 Uart.byteCnt++;
317 Uart.output[Uart.byteCnt] = 0xAA;
318 Uart.byteCnt++;
319 return TRUE;
320 }*/
321 }
322
323 }
324 else {
325 bit = Uart.bitBuffer & 0xf0;
326 bit >>= 4;
327 bit ^= 0x0F;
328 if(bit) {
329 // should have been high or at least (4 * 128) / fc
330 // according to ISO this should be at least (9 * 128 + 20) / fc
331 if(Uart.highCnt == 8) {
332 // we went low, so this could be start of communication
333 // it turns out to be safer to choose a less significant
334 // syncbit... so we check whether the neighbour also represents the drop
335 Uart.posCnt = 1; // apparently we are busy with our first half bit period
336 Uart.syncBit = bit & 8;
337 Uart.samples = 3;
338 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
339 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
340 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
341 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
342 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
343 if(Uart.syncBit & (Uart.bitBuffer & 8)) {
344 Uart.syncBit = 8;
345
346 // the first half bit period is expected in next sample
347 Uart.posCnt = 0;
348 Uart.samples = 3;
349 }
350 }
351 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
352
353 Uart.syncBit <<= 4;
354 Uart.state = STATE_START_OF_COMMUNICATION;
355 Uart.drop = DROP_FIRST_HALF;
356 Uart.bitCnt = 0;
357 Uart.byteCnt = 0;
358 Uart.parityBits = 0;
359 error = 0;
360 }
361 else {
362 Uart.highCnt = 0;
363 }
364 }
365 else {
366 if(Uart.highCnt < 8) {
367 Uart.highCnt++;
368 }
369 }
370 }
371
372 return FALSE;
373 }
374
375 //=============================================================================
376 // ISO 14443 Type A - Manchester
377 //=============================================================================
378
379 static struct {
380 enum {
381 DEMOD_UNSYNCD,
382 DEMOD_START_OF_COMMUNICATION,
383 DEMOD_MANCHESTER_D,
384 DEMOD_MANCHESTER_E,
385 DEMOD_MANCHESTER_F,
386 DEMOD_ERROR_WAIT
387 } state;
388 int bitCount;
389 int posCount;
390 int syncBit;
391 int parityBits;
392 uint16_t shiftReg;
393 int buffer;
394 int buff;
395 int samples;
396 int len;
397 enum {
398 SUB_NONE,
399 SUB_FIRST_HALF,
400 SUB_SECOND_HALF
401 } sub;
402 uint8_t *output;
403 } Demod;
404
405 static int ManchesterDecoding(int v)
406 {
407 int bit;
408 int modulation;
409 int error = 0;
410
411 if(!Demod.buff) {
412 Demod.buff = 1;
413 Demod.buffer = v;
414 return FALSE;
415 }
416 else {
417 bit = Demod.buffer;
418 Demod.buffer = v;
419 }
420
421 if(Demod.state==DEMOD_UNSYNCD) {
422 Demod.output[Demod.len] = 0xfa;
423 Demod.syncBit = 0;
424 //Demod.samples = 0;
425 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
426 if(bit & 0x08) { Demod.syncBit = 0x08; }
427 if(!Demod.syncBit) {
428 if(bit & 0x04) { Demod.syncBit = 0x04; }
429 }
430 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
431 if(!Demod.syncBit) {
432 if(bit & 0x02) { Demod.syncBit = 0x02; }
433 }
434 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
435 if(!Demod.syncBit) {
436 if(bit & 0x01) { Demod.syncBit = 0x01; }
437
438 if(Demod.syncBit & (Demod.buffer & 0x08)) {
439 Demod.syncBit = 0x08;
440
441 // The first half bitperiod is expected in next sample
442 Demod.posCount = 0;
443 Demod.output[Demod.len] = 0xfb;
444 }
445 }
446 else if(bit & 0x01) { Demod.syncBit = 0x01; }
447
448 if(Demod.syncBit) {
449 Demod.len = 0;
450 Demod.state = DEMOD_START_OF_COMMUNICATION;
451 Demod.sub = SUB_FIRST_HALF;
452 Demod.bitCount = 0;
453 Demod.shiftReg = 0;
454 Demod.parityBits = 0;
455 Demod.samples = 0;
456 if(Demod.posCount) {
457 switch(Demod.syncBit) {
458 case 0x08: Demod.samples = 3; break;
459 case 0x04: Demod.samples = 2; break;
460 case 0x02: Demod.samples = 1; break;
461 case 0x01: Demod.samples = 0; break;
462 }
463 }
464 error = 0;
465 }
466 }
467 else {
468 //modulation = bit & Demod.syncBit;
469 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
470
471 Demod.samples += 4;
472
473 if(Demod.posCount==0) {
474 Demod.posCount = 1;
475 if(modulation) {
476 Demod.sub = SUB_FIRST_HALF;
477 }
478 else {
479 Demod.sub = SUB_NONE;
480 }
481 }
482 else {
483 Demod.posCount = 0;
484 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
485 if(Demod.state!=DEMOD_ERROR_WAIT) {
486 Demod.state = DEMOD_ERROR_WAIT;
487 Demod.output[Demod.len] = 0xaa;
488 error = 0x01;
489 }
490 }
491 else if(modulation) {
492 Demod.sub = SUB_SECOND_HALF;
493 }
494
495 switch(Demod.state) {
496 case DEMOD_START_OF_COMMUNICATION:
497 if(Demod.sub == SUB_FIRST_HALF) {
498 Demod.state = DEMOD_MANCHESTER_D;
499 }
500 else {
501 Demod.output[Demod.len] = 0xab;
502 Demod.state = DEMOD_ERROR_WAIT;
503 error = 0x02;
504 }
505 break;
506
507 case DEMOD_MANCHESTER_D:
508 case DEMOD_MANCHESTER_E:
509 if(Demod.sub == SUB_FIRST_HALF) {
510 Demod.bitCount++;
511 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
512 Demod.state = DEMOD_MANCHESTER_D;
513 }
514 else if(Demod.sub == SUB_SECOND_HALF) {
515 Demod.bitCount++;
516 Demod.shiftReg >>= 1;
517 Demod.state = DEMOD_MANCHESTER_E;
518 }
519 else {
520 Demod.state = DEMOD_MANCHESTER_F;
521 }
522 break;
523
524 case DEMOD_MANCHESTER_F:
525 // Tag response does not need to be a complete byte!
526 if(Demod.len > 0 || Demod.bitCount > 0) {
527 if(Demod.bitCount > 0) {
528 Demod.shiftReg >>= (9 - Demod.bitCount);
529 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
530 Demod.len++;
531 // No parity bit, so just shift a 0
532 Demod.parityBits <<= 1;
533 }
534
535 Demod.state = DEMOD_UNSYNCD;
536 return TRUE;
537 }
538 else {
539 Demod.output[Demod.len] = 0xad;
540 Demod.state = DEMOD_ERROR_WAIT;
541 error = 0x03;
542 }
543 break;
544
545 case DEMOD_ERROR_WAIT:
546 Demod.state = DEMOD_UNSYNCD;
547 break;
548
549 default:
550 Demod.output[Demod.len] = 0xdd;
551 Demod.state = DEMOD_UNSYNCD;
552 break;
553 }
554
555 if(Demod.bitCount>=9) {
556 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
557 Demod.len++;
558
559 Demod.parityBits <<= 1;
560 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
561
562 Demod.bitCount = 0;
563 Demod.shiftReg = 0;
564 }
565
566 /*if(error) {
567 Demod.output[Demod.len] = 0xBB;
568 Demod.len++;
569 Demod.output[Demod.len] = error & 0xFF;
570 Demod.len++;
571 Demod.output[Demod.len] = 0xBB;
572 Demod.len++;
573 Demod.output[Demod.len] = bit & 0xFF;
574 Demod.len++;
575 Demod.output[Demod.len] = Demod.buffer & 0xFF;
576 Demod.len++;
577 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
578 Demod.len++;
579 Demod.output[Demod.len] = 0xBB;
580 Demod.len++;
581 return TRUE;
582 }*/
583
584 }
585
586 } // end (state != UNSYNCED)
587
588 return FALSE;
589 }
590
591 //=============================================================================
592 // Finally, a `sniffer' for ISO 14443 Type A
593 // Both sides of communication!
594 //=============================================================================
595
596 //-----------------------------------------------------------------------------
597 // Record the sequence of commands sent by the reader to the tag, with
598 // triggering so that we start recording at the point that the tag is moved
599 // near the reader.
600 //-----------------------------------------------------------------------------
601 void SnoopIso14443a(void)
602 {
603 // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
604 // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
605 // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
606 // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
607 // #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
608
609 // We won't start recording the frames that we acquire until we trigger;
610 // a good trigger condition to get started is probably when we see a
611 // response from the tag.
612 int triggered = FALSE; // FALSE to wait first for card
613
614 // The command (reader -> tag) that we're receiving.
615 // The length of a received command will in most cases be no more than 18 bytes.
616 // So 32 should be enough!
617 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
618 // The response (tag -> reader) that we're receiving.
619 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
620
621 // As we receive stuff, we copy it from receivedCmd or receivedResponse
622 // into trace, along with its length and other annotations.
623 //uint8_t *trace = (uint8_t *)BigBuf;
624 //int traceLen = 0;
625
626 // The DMA buffer, used to stream samples from the FPGA
627 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
628 int lastRxCounter;
629 int8_t *upTo;
630 int smpl;
631 int maxBehindBy = 0;
632
633 // Count of samples received so far, so that we can include timing
634 // information in the trace buffer.
635 int samples = 0;
636 int rsamples = 0;
637
638 memset(trace, 0x44, RECV_CMD_OFFSET);
639
640 // Set up the demodulator for tag -> reader responses.
641 Demod.output = receivedResponse;
642 Demod.len = 0;
643 Demod.state = DEMOD_UNSYNCD;
644
645 // Setup for the DMA.
646 FpgaSetupSsc();
647 upTo = dmaBuf;
648 lastRxCounter = DMA_BUFFER_SIZE;
649 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
650
651 // And the reader -> tag commands
652 memset(&Uart, 0, sizeof(Uart));
653 Uart.output = receivedCmd;
654 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
655 Uart.state = STATE_UNSYNCD;
656
657 // And put the FPGA in the appropriate mode
658 // Signal field is off with the appropriate LED
659 LED_D_OFF();
660 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
661 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
662
663
664 // And now we loop, receiving samples.
665 for(;;) {
666 LED_A_ON();
667 WDT_HIT();
668 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
669 (DMA_BUFFER_SIZE-1);
670 if(behindBy > maxBehindBy) {
671 maxBehindBy = behindBy;
672 if(behindBy > 400) {
673 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
674 goto done;
675 }
676 }
677 if(behindBy < 1) continue;
678
679 LED_A_OFF();
680 smpl = upTo[0];
681 upTo++;
682 lastRxCounter -= 1;
683 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
684 upTo -= DMA_BUFFER_SIZE;
685 lastRxCounter += DMA_BUFFER_SIZE;
686 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
687 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
688 }
689
690 samples += 4;
691 if(MillerDecoding((smpl & 0xF0) >> 4)) {
692 rsamples = samples - Uart.samples;
693 LED_C_ON();
694 if(triggered) {
695 trace[traceLen++] = ((rsamples >> 0) & 0xff);
696 trace[traceLen++] = ((rsamples >> 8) & 0xff);
697 trace[traceLen++] = ((rsamples >> 16) & 0xff);
698 trace[traceLen++] = ((rsamples >> 24) & 0xff);
699 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
700 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
701 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
702 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
703 trace[traceLen++] = Uart.byteCnt;
704 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
705 traceLen += Uart.byteCnt;
706 if(traceLen > TRACE_LENGTH) break;
707 }
708 /* And ready to receive another command. */
709 Uart.state = STATE_UNSYNCD;
710 /* And also reset the demod code, which might have been */
711 /* false-triggered by the commands from the reader. */
712 Demod.state = DEMOD_UNSYNCD;
713 LED_B_OFF();
714 }
715
716 if(ManchesterDecoding(smpl & 0x0F)) {
717 rsamples = samples - Demod.samples;
718 LED_B_ON();
719
720 // timestamp, as a count of samples
721 trace[traceLen++] = ((rsamples >> 0) & 0xff);
722 trace[traceLen++] = ((rsamples >> 8) & 0xff);
723 trace[traceLen++] = ((rsamples >> 16) & 0xff);
724 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
725 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
726 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
727 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
728 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
729 // length
730 trace[traceLen++] = Demod.len;
731 memcpy(trace+traceLen, receivedResponse, Demod.len);
732 traceLen += Demod.len;
733 if(traceLen > TRACE_LENGTH) break;
734
735 triggered = TRUE;
736
737 // And ready to receive another response.
738 memset(&Demod, 0, sizeof(Demod));
739 Demod.output = receivedResponse;
740 Demod.state = DEMOD_UNSYNCD;
741 LED_C_OFF();
742 }
743
744 if(BUTTON_PRESS()) {
745 DbpString("cancelled_a");
746 goto done;
747 }
748 }
749
750 DbpString("COMMAND FINISHED");
751
752 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
753 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
754
755 done:
756 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
757 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
758 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
759 LED_A_OFF();
760 LED_B_OFF();
761 LED_C_OFF();
762 LED_D_OFF();
763 }
764
765 //-----------------------------------------------------------------------------
766 // Prepare tag messages
767 //-----------------------------------------------------------------------------
768 static void CodeIso14443aAsTag(const uint8_t *cmd, int len)
769 {
770 int i;
771 int oddparity;
772
773 ToSendReset();
774
775 // Correction bit, might be removed when not needed
776 ToSendStuffBit(0);
777 ToSendStuffBit(0);
778 ToSendStuffBit(0);
779 ToSendStuffBit(0);
780 ToSendStuffBit(1); // 1
781 ToSendStuffBit(0);
782 ToSendStuffBit(0);
783 ToSendStuffBit(0);
784
785 // Send startbit
786 ToSend[++ToSendMax] = SEC_D;
787
788 for(i = 0; i < len; i++) {
789 int j;
790 uint8_t b = cmd[i];
791
792 // Data bits
793 oddparity = 0x01;
794 for(j = 0; j < 8; j++) {
795 oddparity ^= (b & 1);
796 if(b & 1) {
797 ToSend[++ToSendMax] = SEC_D;
798 } else {
799 ToSend[++ToSendMax] = SEC_E;
800 }
801 b >>= 1;
802 }
803
804 // Parity bit
805 if(oddparity) {
806 ToSend[++ToSendMax] = SEC_D;
807 } else {
808 ToSend[++ToSendMax] = SEC_E;
809 }
810 }
811
812 // Send stopbit
813 ToSend[++ToSendMax] = SEC_F;
814
815 // Flush the buffer in FPGA!!
816 for(i = 0; i < 5; i++) {
817 ToSend[++ToSendMax] = SEC_F;
818 }
819
820 // Convert from last byte pos to length
821 ToSendMax++;
822
823 // Add a few more for slop
824 ToSend[ToSendMax++] = 0x00;
825 ToSend[ToSendMax++] = 0x00;
826 //ToSendMax += 2;
827 }
828
829 //-----------------------------------------------------------------------------
830 // This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
831 //-----------------------------------------------------------------------------
832 static void CodeStrangeAnswer()
833 {
834 int i;
835
836 ToSendReset();
837
838 // Correction bit, might be removed when not needed
839 ToSendStuffBit(0);
840 ToSendStuffBit(0);
841 ToSendStuffBit(0);
842 ToSendStuffBit(0);
843 ToSendStuffBit(1); // 1
844 ToSendStuffBit(0);
845 ToSendStuffBit(0);
846 ToSendStuffBit(0);
847
848 // Send startbit
849 ToSend[++ToSendMax] = SEC_D;
850
851 // 0
852 ToSend[++ToSendMax] = SEC_E;
853
854 // 0
855 ToSend[++ToSendMax] = SEC_E;
856
857 // 1
858 ToSend[++ToSendMax] = SEC_D;
859
860 // Send stopbit
861 ToSend[++ToSendMax] = SEC_F;
862
863 // Flush the buffer in FPGA!!
864 for(i = 0; i < 5; i++) {
865 ToSend[++ToSendMax] = SEC_F;
866 }
867
868 // Convert from last byte pos to length
869 ToSendMax++;
870
871 // Add a few more for slop
872 ToSend[ToSendMax++] = 0x00;
873 ToSend[ToSendMax++] = 0x00;
874 //ToSendMax += 2;
875 }
876
877 //-----------------------------------------------------------------------------
878 // Wait for commands from reader
879 // Stop when button is pressed
880 // Or return TRUE when command is captured
881 //-----------------------------------------------------------------------------
882 static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
883 {
884 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
885 // only, since we are receiving, not transmitting).
886 // Signal field is off with the appropriate LED
887 LED_D_OFF();
888 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
889
890 // Now run a `software UART' on the stream of incoming samples.
891 Uart.output = received;
892 Uart.byteCntMax = maxLen;
893 Uart.state = STATE_UNSYNCD;
894
895 for(;;) {
896 WDT_HIT();
897
898 if(BUTTON_PRESS()) return FALSE;
899
900 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
901 AT91C_BASE_SSC->SSC_THR = 0x00;
902 }
903 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
904 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
905 if(MillerDecoding((b & 0xf0) >> 4)) {
906 *len = Uart.byteCnt;
907 return TRUE;
908 }
909 if(MillerDecoding(b & 0x0f)) {
910 *len = Uart.byteCnt;
911 return TRUE;
912 }
913 }
914 }
915 }
916
917 //-----------------------------------------------------------------------------
918 // Main loop of simulated tag: receive commands from reader, decide what
919 // response to send, and send it.
920 //-----------------------------------------------------------------------------
921 void SimulateIso14443aTag(int tagType, int TagUid)
922 {
923 // This function contains the tag emulation
924
925 // Prepare protocol messages
926 // static const uint8_t cmd1[] = { 0x26 };
927 // static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
928 //
929 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
930 // static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
931
932 // UID response
933 // static const uint8_t cmd2[] = { 0x93, 0x20 };
934 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
935
936 // my desfire
937 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
938
939
940 // When reader selects us during cascade1 it will send cmd3
941 //uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
942 uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
943 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
944
945 // send cascade2 2nd half of UID
946 static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
947 // NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
948
949 // When reader selects us during cascade2 it will send cmd3a
950 //uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
951 uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
952 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
953
954 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
955
956 uint8_t *resp;
957 int respLen;
958
959 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
960 // This will need
961 // 144 data bits (18 * 8)
962 // 18 parity bits
963 // 2 Start and stop
964 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
965 // 1 just for the case
966 // ----------- +
967 // 166
968 //
969 // 166 bytes, since every bit that needs to be send costs us a byte
970 //
971
972 // Respond with card type
973 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
974 int resp1Len;
975
976 // Anticollision cascade1 - respond with uid
977 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
978 int resp2Len;
979
980 // Anticollision cascade2 - respond with 2nd half of uid if asked
981 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
982 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
983 int resp2aLen;
984
985 // Acknowledge select - cascade 1
986 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
987 int resp3Len;
988
989 // Acknowledge select - cascade 2
990 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
991 int resp3aLen;
992
993 // Response to a read request - not implemented atm
994 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
995 int resp4Len;
996
997 // Authenticate response - nonce
998 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
999 int resp5Len;
1000
1001 uint8_t *receivedCmd = (uint8_t *)BigBuf;
1002 int len;
1003
1004 int i;
1005 int u;
1006 uint8_t b;
1007
1008 // To control where we are in the protocol
1009 int order = 0;
1010 int lastorder;
1011
1012 // Just to allow some checks
1013 int happened = 0;
1014 int happened2 = 0;
1015
1016 int cmdsRecvd = 0;
1017
1018 int fdt_indicator;
1019
1020 memset(receivedCmd, 0x44, 400);
1021
1022 // Prepare the responses of the anticollision phase
1023 // there will be not enough time to do this at the moment the reader sends it REQA
1024
1025 // Answer to request
1026 CodeIso14443aAsTag(response1, sizeof(response1));
1027 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1028
1029 // Send our UID (cascade 1)
1030 CodeIso14443aAsTag(response2, sizeof(response2));
1031 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1032
1033 // Answer to select (cascade1)
1034 CodeIso14443aAsTag(response3, sizeof(response3));
1035 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1036
1037 // Send the cascade 2 2nd part of the uid
1038 CodeIso14443aAsTag(response2a, sizeof(response2a));
1039 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1040
1041 // Answer to select (cascade 2)
1042 CodeIso14443aAsTag(response3a, sizeof(response3a));
1043 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1044
1045 // Strange answer is an example of rare message size (3 bits)
1046 CodeStrangeAnswer();
1047 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1048
1049 // Authentication answer (random nonce)
1050 CodeIso14443aAsTag(response5, sizeof(response5));
1051 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1052
1053 // We need to listen to the high-frequency, peak-detected path.
1054 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1055 FpgaSetupSsc();
1056
1057 cmdsRecvd = 0;
1058
1059 LED_A_ON();
1060 for(;;) {
1061
1062 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1063 DbpString("button press");
1064 break;
1065 }
1066 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1067 // Okay, look at the command now.
1068 lastorder = order;
1069 i = 1; // first byte transmitted
1070 if(receivedCmd[0] == 0x26) {
1071 // Received a REQUEST
1072 resp = resp1; respLen = resp1Len; order = 1;
1073 //DbpString("Hello request from reader:");
1074 } else if(receivedCmd[0] == 0x52) {
1075 // Received a WAKEUP
1076 resp = resp1; respLen = resp1Len; order = 6;
1077 // //DbpString("Wakeup request from reader:");
1078
1079 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1080 // Received request for UID (cascade 1)
1081 resp = resp2; respLen = resp2Len; order = 2;
1082 // DbpString("UID (cascade 1) request from reader:");
1083 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1084
1085
1086 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1087 // Received request for UID (cascade 2)
1088 resp = resp2a; respLen = resp2aLen; order = 20;
1089 // DbpString("UID (cascade 2) request from reader:");
1090 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1091
1092
1093 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1094 // Received a SELECT
1095 resp = resp3; respLen = resp3Len; order = 3;
1096 // DbpString("Select (cascade 1) request from reader:");
1097 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1098
1099
1100 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1101 // Received a SELECT
1102 resp = resp3a; respLen = resp3aLen; order = 30;
1103 // DbpString("Select (cascade 2) request from reader:");
1104 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1105
1106
1107 } else if(receivedCmd[0] == 0x30) {
1108 // Received a READ
1109 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1110 Dbprintf("Read request from reader: %x %x %x",
1111 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1112
1113
1114 } else if(receivedCmd[0] == 0x50) {
1115 // Received a HALT
1116 resp = resp1; respLen = 0; order = 5; // Do nothing
1117 DbpString("Reader requested we HALT!:");
1118
1119 } else if(receivedCmd[0] == 0x60) {
1120 // Received an authentication request
1121 resp = resp5; respLen = resp5Len; order = 7;
1122 Dbprintf("Authenticate request from reader: %x %x %x",
1123 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1124
1125 } else if(receivedCmd[0] == 0xE0) {
1126 // Received a RATS request
1127 resp = resp1; respLen = 0;order = 70;
1128 Dbprintf("RATS request from reader: %x %x %x",
1129 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1130 } else {
1131 // Never seen this command before
1132 Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
1133 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1134 receivedCmd[3], receivedCmd[3], receivedCmd[4],
1135 receivedCmd[5], receivedCmd[6], receivedCmd[7]);
1136 // Do not respond
1137 resp = resp1; respLen = 0; order = 0;
1138 }
1139
1140 // Count number of wakeups received after a halt
1141 if(order == 6 && lastorder == 5) { happened++; }
1142
1143 // Count number of other messages after a halt
1144 if(order != 6 && lastorder == 5) { happened2++; }
1145
1146 // Look at last parity bit to determine timing of answer
1147 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1148 // 1236, so correction bit needed
1149 i = 0;
1150 }
1151
1152 memset(receivedCmd, 0x44, 32);
1153
1154 if(cmdsRecvd > 999) {
1155 DbpString("1000 commands later...");
1156 break;
1157 }
1158 else {
1159 cmdsRecvd++;
1160 }
1161
1162 if(respLen <= 0) continue;
1163
1164 // Modulate Manchester
1165 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1166 AT91C_BASE_SSC->SSC_THR = 0x00;
1167 FpgaSetupSsc();
1168
1169 // ### Transmit the response ###
1170 u = 0;
1171 b = 0x00;
1172 fdt_indicator = FALSE;
1173 for(;;) {
1174 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1175 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1176 (void)b;
1177 }
1178 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1179 if(i > respLen) {
1180 b = 0x00;
1181 u++;
1182 } else {
1183 b = resp[i];
1184 i++;
1185 }
1186 AT91C_BASE_SSC->SSC_THR = b;
1187
1188 if(u > 4) {
1189 break;
1190 }
1191 }
1192 if(BUTTON_PRESS()) {
1193 break;
1194 }
1195 }
1196
1197 }
1198
1199 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1200 LED_A_OFF();
1201 }
1202
1203 //-----------------------------------------------------------------------------
1204 // Transmit the command (to the tag) that was placed in ToSend[].
1205 //-----------------------------------------------------------------------------
1206 static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
1207 {
1208 int c;
1209
1210 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1211
1212 if (wait)
1213 if(*wait < 10)
1214 *wait = 10;
1215
1216 for(c = 0; c < *wait;) {
1217 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1218 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1219 c++;
1220 }
1221 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1222 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1223 (void)r;
1224 }
1225 WDT_HIT();
1226 }
1227
1228 c = 0;
1229 for(;;) {
1230 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1231 AT91C_BASE_SSC->SSC_THR = cmd[c];
1232 c++;
1233 if(c >= len) {
1234 break;
1235 }
1236 }
1237 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1238 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1239 (void)r;
1240 }
1241 WDT_HIT();
1242 }
1243 if (samples) *samples = (c + *wait) << 3;
1244 }
1245
1246 //-----------------------------------------------------------------------------
1247 // Code a 7-bit command without parity bit
1248 // This is especially for 0x26 and 0x52 (REQA and WUPA)
1249 //-----------------------------------------------------------------------------
1250 void ShortFrameFromReader(const uint8_t bt)
1251 {
1252 int j;
1253 int last;
1254 uint8_t b;
1255
1256 ToSendReset();
1257
1258 // Start of Communication (Seq. Z)
1259 ToSend[++ToSendMax] = SEC_Z;
1260 last = 0;
1261
1262 b = bt;
1263 for(j = 0; j < 7; j++) {
1264 if(b & 1) {
1265 // Sequence X
1266 ToSend[++ToSendMax] = SEC_X;
1267 last = 1;
1268 } else {
1269 if(last == 0) {
1270 // Sequence Z
1271 ToSend[++ToSendMax] = SEC_Z;
1272 }
1273 else {
1274 // Sequence Y
1275 ToSend[++ToSendMax] = SEC_Y;
1276 last = 0;
1277 }
1278 }
1279 b >>= 1;
1280 }
1281
1282 // End of Communication
1283 if(last == 0) {
1284 // Sequence Z
1285 ToSend[++ToSendMax] = SEC_Z;
1286 }
1287 else {
1288 // Sequence Y
1289 ToSend[++ToSendMax] = SEC_Y;
1290 last = 0;
1291 }
1292 // Sequence Y
1293 ToSend[++ToSendMax] = SEC_Y;
1294
1295 // Just to be sure!
1296 ToSend[++ToSendMax] = SEC_Y;
1297 ToSend[++ToSendMax] = SEC_Y;
1298 ToSend[++ToSendMax] = SEC_Y;
1299
1300 // Convert from last character reference to length
1301 ToSendMax++;
1302 }
1303
1304 //-----------------------------------------------------------------------------
1305 // Prepare reader command to send to FPGA
1306 //
1307 //-----------------------------------------------------------------------------
1308 void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
1309 {
1310 int i, j;
1311 int last;
1312 uint8_t b;
1313
1314 ToSendReset();
1315
1316 // Start of Communication (Seq. Z)
1317 ToSend[++ToSendMax] = SEC_Z;
1318 last = 0;
1319
1320 // Generate send structure for the data bits
1321 for (i = 0; i < len; i++) {
1322 // Get the current byte to send
1323 b = cmd[i];
1324
1325 for (j = 0; j < 8; j++) {
1326 if (b & 1) {
1327 // Sequence X
1328 ToSend[++ToSendMax] = SEC_X;
1329 last = 1;
1330 } else {
1331 if (last == 0) {
1332 // Sequence Z
1333 ToSend[++ToSendMax] = SEC_Z;
1334 } else {
1335 // Sequence Y
1336 ToSend[++ToSendMax] = SEC_Y;
1337 last = 0;
1338 }
1339 }
1340 b >>= 1;
1341 }
1342
1343 // Get the parity bit
1344 if ((dwParity >> i) & 0x01) {
1345 // Sequence X
1346 ToSend[++ToSendMax] = SEC_X;
1347 last = 1;
1348 } else {
1349 if (last == 0) {
1350 // Sequence Z
1351 ToSend[++ToSendMax] = SEC_Z;
1352 } else {
1353 // Sequence Y
1354 ToSend[++ToSendMax] = SEC_Y;
1355 last = 0;
1356 }
1357 }
1358 }
1359
1360 // End of Communication
1361 if (last == 0) {
1362 // Sequence Z
1363 ToSend[++ToSendMax] = SEC_Z;
1364 } else {
1365 // Sequence Y
1366 ToSend[++ToSendMax] = SEC_Y;
1367 last = 0;
1368 }
1369 // Sequence Y
1370 ToSend[++ToSendMax] = SEC_Y;
1371
1372 // Just to be sure!
1373 ToSend[++ToSendMax] = SEC_Y;
1374 ToSend[++ToSendMax] = SEC_Y;
1375 ToSend[++ToSendMax] = SEC_Y;
1376
1377 // Convert from last character reference to length
1378 ToSendMax++;
1379 }
1380
1381 //-----------------------------------------------------------------------------
1382 // Wait a certain time for tag response
1383 // If a response is captured return TRUE
1384 // If it takes to long return FALSE
1385 //-----------------------------------------------------------------------------
1386 static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
1387 {
1388 // buffer needs to be 512 bytes
1389 int c;
1390
1391 // Set FPGA mode to "reader listen mode", no modulation (listen
1392 // only, since we are receiving, not transmitting).
1393 // Signal field is on with the appropriate LED
1394 LED_D_ON();
1395 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1396
1397 // Now get the answer from the card
1398 Demod.output = receivedResponse;
1399 Demod.len = 0;
1400 Demod.state = DEMOD_UNSYNCD;
1401
1402 uint8_t b;
1403 if (elapsed) *elapsed = 0;
1404
1405 c = 0;
1406 for(;;) {
1407 WDT_HIT();
1408
1409 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1410 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1411 if (elapsed) (*elapsed)++;
1412 }
1413 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1414 if(c < 2048) { c++; } else { return FALSE; }
1415 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1416 if(ManchesterDecoding((b>>4) & 0xf)) {
1417 *samples = ((c - 1) << 3) + 4;
1418 return TRUE;
1419 }
1420 if(ManchesterDecoding(b & 0x0f)) {
1421 *samples = c << 3;
1422 return TRUE;
1423 }
1424 }
1425 }
1426 }
1427
1428 void ReaderTransmitShort(const uint8_t* bt)
1429 {
1430 int wait = 0;
1431 int samples = 0;
1432
1433 ShortFrameFromReader(*bt);
1434
1435 // Select the card
1436 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1437
1438 // Store reader command in buffer
1439 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1440 }
1441
1442 void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
1443 {
1444 int wait = 0;
1445 int samples = 0;
1446
1447 // This is tied to other size changes
1448 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
1449 CodeIso14443aAsReaderPar(frame,len,par);
1450
1451 // Select the card
1452 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1453
1454 // Store reader command in buffer
1455 if (tracing) LogTrace(frame,len,0,par,TRUE);
1456 }
1457
1458
1459 void ReaderTransmit(uint8_t* frame, int len)
1460 {
1461 // Generate parity and redirect
1462 ReaderTransmitPar(frame,len,GetParity(frame,len));
1463 }
1464
1465 int ReaderReceive(uint8_t* receivedAnswer)
1466 {
1467 int samples = 0;
1468 if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
1469 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1470 if(samples == 0) return FALSE;
1471 return Demod.len;
1472 }
1473
1474 /* performs iso14443a anticolision procedure
1475 * fills the uid pointer */
1476 int iso14443a_select_card(uint8_t * uid_ptr) {
1477 uint8_t wupa[] = { 0x52 };
1478 uint8_t sel_all[] = { 0x93,0x20 };
1479 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1480 uint8_t sel_all_c2[] = { 0x95,0x20 };
1481 uint8_t sel_uid_c2[] = { 0x95,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1482 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
1483
1484 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1485 uint8_t* uid = resp + 7;
1486
1487 int len;
1488
1489 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1490 ReaderTransmitShort(wupa);
1491 // Receive the ATQA
1492 if(!ReaderReceive(resp)) return 0;
1493 // if(*(uint16_t *) resp == 0x4403) MIFARE_CLASSIC
1494 // if(*(uint16_t *) resp == 0x0400) MIFARE_DESFIRE
1495
1496 ReaderTransmit(sel_all,sizeof(sel_all)); // SELECT_ALL
1497 if(!ReaderReceive(uid)) return 0;
1498
1499 // Construct SELECT UID command
1500 // First copy the 5 bytes (Mifare Classic) after the 93 70
1501 memcpy(sel_uid+2,uid,5);
1502 // Secondly compute the two CRC bytes at the end
1503 AppendCrc14443a(sel_uid,7);
1504
1505 ReaderTransmit(sel_uid,sizeof(sel_uid));
1506 // Receive the SAK
1507 if (!ReaderReceive(resp)) return 0;
1508
1509 // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in
1510 // which case we need to make a cascade 2 request and select - this is a long UID
1511 // When the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1512 if (resp[0] &= 0x04)
1513 {
1514 ReaderTransmit(sel_all_c2,sizeof(sel_all_c2));
1515 if (!ReaderReceive(uid+5)) return 0;
1516
1517 // Construct SELECT UID command
1518 memcpy(sel_uid_c2+2,uid+5,5);
1519 AppendCrc14443a(sel_uid_c2,7);
1520 ReaderTransmit(sel_uid_c2,sizeof(sel_uid_c2));
1521 // Receive the SAK
1522 if (!ReaderReceive(resp)) return 0;
1523 }
1524 if(uid_ptr) memcpy(uid_ptr, uid, 10);
1525 if( (resp[0] & 0x20) == 0)
1526 return 2; // non iso14443a compliant tag
1527 // Request for answer to select
1528 AppendCrc14443a(rats, 2);
1529 ReaderTransmit(rats, sizeof(rats));
1530 if (!(len = ReaderReceive(resp))) return 0;
1531 return 1;
1532 }
1533
1534 void iso14443a_setup() {
1535 // Setup SSC
1536 FpgaSetupSsc();
1537 // Start from off (no field generated)
1538 // Signal field is off with the appropriate LED
1539 LED_D_OFF();
1540 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1541 SpinDelay(200);
1542
1543 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1544
1545 // Now give it time to spin up.
1546 // Signal field is on with the appropriate LED
1547 LED_D_ON();
1548 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1549 SpinDelay(200);
1550 }
1551
1552 //-----------------------------------------------------------------------------
1553 // Read an ISO 14443a tag. Send out commands and store answers.
1554 //
1555 //-----------------------------------------------------------------------------
1556 void ReaderIso14443a(uint32_t parameter)
1557 {
1558
1559 // Mifare AUTH
1560 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1561 // uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00 };
1562
1563 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1564 traceLen = 0;
1565
1566 iso14443a_setup();
1567
1568 LED_A_ON();
1569 LED_B_OFF();
1570 LED_C_OFF();
1571
1572 while(traceLen < TRACE_LENGTH)
1573 {
1574 // Test if the action was cancelled
1575 if(BUTTON_PRESS()) break;
1576
1577 if(!iso14443a_select_card(NULL)) {
1578 DbpString("iso14443a setup failed");
1579 break;
1580 }
1581
1582 // Transmit MIFARE_CLASSIC_AUTH
1583 ReaderTransmit(mf_auth,sizeof(mf_auth));
1584
1585 // Receive the (16 bit) "random" nonce
1586 if (!ReaderReceive(receivedAnswer)) continue;
1587 }
1588
1589 // Thats it...
1590 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1591 LEDsoff();
1592 Dbprintf("%x %x %x", rsamples, 0xCC, 0xCC);
1593 DbpString("ready..");
1594 }
1595
1596 //-----------------------------------------------------------------------------
1597 // Read an ISO 14443a tag. Send out commands and store answers.
1598 //
1599 //-----------------------------------------------------------------------------
1600 void ReaderMifare(uint32_t parameter)
1601 {
1602 // Mifare AUTH
1603 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1604 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1605
1606 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1607 traceLen = 0;
1608 tracing = false;
1609
1610 iso14443a_setup();
1611
1612 LED_A_ON();
1613 LED_B_OFF();
1614 LED_C_OFF();
1615
1616 byte_t nt_diff = 0;
1617 LED_A_OFF();
1618 byte_t par = 0;
1619 byte_t par_mask = 0xff;
1620 byte_t par_low = 0;
1621 int led_on = TRUE;
1622
1623 tracing = FALSE;
1624 byte_t nt[4];
1625 byte_t nt_attacked[4];
1626 byte_t par_list[8];
1627 byte_t ks_list[8];
1628 num_to_bytes(parameter,4,nt_attacked);
1629
1630 while(TRUE)
1631 {
1632 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1633 SpinDelay(200);
1634 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1635
1636 // Test if the action was cancelled
1637 if(BUTTON_PRESS()) {
1638 break;
1639 }
1640
1641 if(!iso14443a_select_card(NULL)) continue;
1642
1643 // Transmit MIFARE_CLASSIC_AUTH
1644 ReaderTransmit(mf_auth,sizeof(mf_auth));
1645
1646 // Receive the (16 bit) "random" nonce
1647 if (!ReaderReceive(receivedAnswer)) continue;
1648 memcpy(nt,receivedAnswer,4);
1649
1650 // Transmit reader nonce and reader answer
1651 ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par);
1652
1653 // Receive 4 bit answer
1654 if (ReaderReceive(receivedAnswer))
1655 {
1656 if (nt_diff == 0)
1657 {
1658 LED_A_ON();
1659 memcpy(nt_attacked,nt,4);
1660 par_mask = 0xf8;
1661 par_low = par & 0x07;
1662 }
1663
1664 if (memcmp(nt,nt_attacked,4) != 0) continue;
1665
1666 led_on = !led_on;
1667 if(led_on) LED_B_ON(); else LED_B_OFF();
1668 par_list[nt_diff] = par;
1669 ks_list[nt_diff] = receivedAnswer[0]^0x05;
1670
1671 // Test if the information is complete
1672 if (nt_diff == 0x07) break;
1673
1674 nt_diff = (nt_diff+1) & 0x07;
1675 mf_nr_ar[3] = nt_diff << 5;
1676 par = par_low;
1677 } else {
1678 if (nt_diff == 0)
1679 {
1680 par++;
1681 } else {
1682 par = (((par>>3)+1) << 3) | par_low;
1683 }
1684 }
1685 }
1686
1687 LogTrace(nt,4,0,GetParity(nt,4),TRUE);
1688 LogTrace(par_list,8,0,GetParity(par_list,8),TRUE);
1689 LogTrace(ks_list,8,0,GetParity(ks_list,8),TRUE);
1690
1691 // Thats it...
1692 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1693 LEDsoff();
1694 tracing = TRUE;
1695 }
Impressum, Datenschutz