]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443a.c
projects / proxmark3-svn / blob
? search:


e60f3198cb18172747ff5e716a52c53b54cc51ac
[proxmark3-svn] / armsrc / iso14443a.c
1 //-----------------------------------------------------------------------------
2 // Routines to support ISO 14443 type A.
3 //
4 // Gerhard de Koning Gans - May 2008
5 //-----------------------------------------------------------------------------
6 #include "proxmark3.h"
7 #include "apps.h"
8 #include "util.h"
9 #include "string.h"
10
11 #include "iso14443crc.h"
12
13 static uint8_t *trace = (uint8_t *) BigBuf;
14 static int traceLen = 0;
15 static int rsamples = 0;
16 static int tracing = TRUE;
17
18 typedef enum {
19 SEC_D = 1,
20 SEC_E = 2,
21 SEC_F = 3,
22 SEC_X = 4,
23 SEC_Y = 5,
24 SEC_Z = 6
25 } SecType;
26
27 static const uint8_t OddByteParity[256] = {
28 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
29 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
30 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
31 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
32 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
33 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
34 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
35 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
36 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
37 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
38 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
39 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
40 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
41 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
42 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
43 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
44 };
45
46 // BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
47 #define RECV_CMD_OFFSET 3032
48 #define RECV_RES_OFFSET 3096
49 #define DMA_BUFFER_OFFSET 3160
50 #define DMA_BUFFER_SIZE 4096
51 #define TRACE_LENGTH 3000
52
53 //-----------------------------------------------------------------------------
54 // Generate the parity value for a byte sequence
55 //
56 //-----------------------------------------------------------------------------
57 uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
58 {
59 int i;
60 uint32_t dwPar = 0;
61
62 // Generate the encrypted data
63 for (i = 0; i < iLen; i++) {
64 // Save the encrypted parity bit
65 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
66 }
67 return dwPar;
68 }
69
70 static void AppendCrc14443a(uint8_t* data, int len)
71 {
72 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
73 }
74
75 int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
76 {
77 // Return when trace is full
78 if (traceLen >= TRACE_LENGTH) return FALSE;
79
80 // Trace the random, i'm curious
81 rsamples += iSamples;
82 trace[traceLen++] = ((rsamples >> 0) & 0xff);
83 trace[traceLen++] = ((rsamples >> 8) & 0xff);
84 trace[traceLen++] = ((rsamples >> 16) & 0xff);
85 trace[traceLen++] = ((rsamples >> 24) & 0xff);
86 if (!bReader) {
87 trace[traceLen - 1] |= 0x80;
88 }
89 trace[traceLen++] = ((dwParity >> 0) & 0xff);
90 trace[traceLen++] = ((dwParity >> 8) & 0xff);
91 trace[traceLen++] = ((dwParity >> 16) & 0xff);
92 trace[traceLen++] = ((dwParity >> 24) & 0xff);
93 trace[traceLen++] = iLen;
94 memcpy(trace + traceLen, btBytes, iLen);
95 traceLen += iLen;
96 return TRUE;
97 }
98
99 int LogTraceInfo(byte_t* data, size_t len)
100 {
101 return LogTrace(data,len,0,GetParity(data,len),TRUE);
102 }
103
104 //-----------------------------------------------------------------------------
105 // The software UART that receives commands from the reader, and its state
106 // variables.
107 //-----------------------------------------------------------------------------
108 static struct {
109 enum {
110 STATE_UNSYNCD,
111 STATE_START_OF_COMMUNICATION,
112 STATE_MILLER_X,
113 STATE_MILLER_Y,
114 STATE_MILLER_Z,
115 STATE_ERROR_WAIT
116 } state;
117 uint16_t shiftReg;
118 int bitCnt;
119 int byteCnt;
120 int byteCntMax;
121 int posCnt;
122 int syncBit;
123 int parityBits;
124 int samples;
125 int highCnt;
126 int bitBuffer;
127 enum {
128 DROP_NONE,
129 DROP_FIRST_HALF,
130 DROP_SECOND_HALF
131 } drop;
132 uint8_t *output;
133 } Uart;
134
135 static int MillerDecoding(int bit)
136 {
137 int error = 0;
138 int bitright;
139
140 if(!Uart.bitBuffer) {
141 Uart.bitBuffer = bit ^ 0xFF0;
142 return FALSE;
143 }
144 else {
145 Uart.bitBuffer <<= 4;
146 Uart.bitBuffer ^= bit;
147 }
148
149 int EOC = FALSE;
150
151 if(Uart.state != STATE_UNSYNCD) {
152 Uart.posCnt++;
153
154 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
155 bit = 0x00;
156 }
157 else {
158 bit = 0x01;
159 }
160 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
161 bitright = 0x00;
162 }
163 else {
164 bitright = 0x01;
165 }
166 if(bit != bitright) { bit = bitright; }
167
168 if(Uart.posCnt == 1) {
169 // measurement first half bitperiod
170 if(!bit) {
171 Uart.drop = DROP_FIRST_HALF;
172 }
173 }
174 else {
175 // measurement second half bitperiod
176 if(!bit & (Uart.drop == DROP_NONE)) {
177 Uart.drop = DROP_SECOND_HALF;
178 }
179 else if(!bit) {
180 // measured a drop in first and second half
181 // which should not be possible
182 Uart.state = STATE_ERROR_WAIT;
183 error = 0x01;
184 }
185
186 Uart.posCnt = 0;
187
188 switch(Uart.state) {
189 case STATE_START_OF_COMMUNICATION:
190 Uart.shiftReg = 0;
191 if(Uart.drop == DROP_SECOND_HALF) {
192 // error, should not happen in SOC
193 Uart.state = STATE_ERROR_WAIT;
194 error = 0x02;
195 }
196 else {
197 // correct SOC
198 Uart.state = STATE_MILLER_Z;
199 }
200 break;
201
202 case STATE_MILLER_Z:
203 Uart.bitCnt++;
204 Uart.shiftReg >>= 1;
205 if(Uart.drop == DROP_NONE) {
206 // logic '0' followed by sequence Y
207 // end of communication
208 Uart.state = STATE_UNSYNCD;
209 EOC = TRUE;
210 }
211 // if(Uart.drop == DROP_FIRST_HALF) {
212 // Uart.state = STATE_MILLER_Z; stay the same
213 // we see a logic '0' }
214 if(Uart.drop == DROP_SECOND_HALF) {
215 // we see a logic '1'
216 Uart.shiftReg |= 0x100;
217 Uart.state = STATE_MILLER_X;
218 }
219 break;
220
221 case STATE_MILLER_X:
222 Uart.shiftReg >>= 1;
223 if(Uart.drop == DROP_NONE) {
224 // sequence Y, we see a '0'
225 Uart.state = STATE_MILLER_Y;
226 Uart.bitCnt++;
227 }
228 if(Uart.drop == DROP_FIRST_HALF) {
229 // Would be STATE_MILLER_Z
230 // but Z does not follow X, so error
231 Uart.state = STATE_ERROR_WAIT;
232 error = 0x03;
233 }
234 if(Uart.drop == DROP_SECOND_HALF) {
235 // We see a '1' and stay in state X
236 Uart.shiftReg |= 0x100;
237 Uart.bitCnt++;
238 }
239 break;
240
241 case STATE_MILLER_Y:
242 Uart.bitCnt++;
243 Uart.shiftReg >>= 1;
244 if(Uart.drop == DROP_NONE) {
245 // logic '0' followed by sequence Y
246 // end of communication
247 Uart.state = STATE_UNSYNCD;
248 EOC = TRUE;
249 }
250 if(Uart.drop == DROP_FIRST_HALF) {
251 // we see a '0'
252 Uart.state = STATE_MILLER_Z;
253 }
254 if(Uart.drop == DROP_SECOND_HALF) {
255 // We see a '1' and go to state X
256 Uart.shiftReg |= 0x100;
257 Uart.state = STATE_MILLER_X;
258 }
259 break;
260
261 case STATE_ERROR_WAIT:
262 // That went wrong. Now wait for at least two bit periods
263 // and try to sync again
264 if(Uart.drop == DROP_NONE) {
265 Uart.highCnt = 6;
266 Uart.state = STATE_UNSYNCD;
267 }
268 break;
269
270 default:
271 Uart.state = STATE_UNSYNCD;
272 Uart.highCnt = 0;
273 break;
274 }
275
276 Uart.drop = DROP_NONE;
277
278 // should have received at least one whole byte...
279 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
280 return TRUE;
281 }
282
283 if(Uart.bitCnt == 9) {
284 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
285 Uart.byteCnt++;
286
287 Uart.parityBits <<= 1;
288 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
289
290 if(EOC) {
291 // when End of Communication received and
292 // all data bits processed..
293 return TRUE;
294 }
295 Uart.bitCnt = 0;
296 }
297
298 /*if(error) {
299 Uart.output[Uart.byteCnt] = 0xAA;
300 Uart.byteCnt++;
301 Uart.output[Uart.byteCnt] = error & 0xFF;
302 Uart.byteCnt++;
303 Uart.output[Uart.byteCnt] = 0xAA;
304 Uart.byteCnt++;
305 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
306 Uart.byteCnt++;
307 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
308 Uart.byteCnt++;
309 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
310 Uart.byteCnt++;
311 Uart.output[Uart.byteCnt] = 0xAA;
312 Uart.byteCnt++;
313 return TRUE;
314 }*/
315 }
316
317 }
318 else {
319 bit = Uart.bitBuffer & 0xf0;
320 bit >>= 4;
321 bit ^= 0x0F;
322 if(bit) {
323 // should have been high or at least (4 * 128) / fc
324 // according to ISO this should be at least (9 * 128 + 20) / fc
325 if(Uart.highCnt == 8) {
326 // we went low, so this could be start of communication
327 // it turns out to be safer to choose a less significant
328 // syncbit... so we check whether the neighbour also represents the drop
329 Uart.posCnt = 1; // apparently we are busy with our first half bit period
330 Uart.syncBit = bit & 8;
331 Uart.samples = 3;
332 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
333 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
334 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
335 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
336 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
337 if(Uart.syncBit & (Uart.bitBuffer & 8)) {
338 Uart.syncBit = 8;
339
340 // the first half bit period is expected in next sample
341 Uart.posCnt = 0;
342 Uart.samples = 3;
343 }
344 }
345 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
346
347 Uart.syncBit <<= 4;
348 Uart.state = STATE_START_OF_COMMUNICATION;
349 Uart.drop = DROP_FIRST_HALF;
350 Uart.bitCnt = 0;
351 Uart.byteCnt = 0;
352 Uart.parityBits = 0;
353 error = 0;
354 }
355 else {
356 Uart.highCnt = 0;
357 }
358 }
359 else {
360 if(Uart.highCnt < 8) {
361 Uart.highCnt++;
362 }
363 }
364 }
365
366 return FALSE;
367 }
368
369 //=============================================================================
370 // ISO 14443 Type A - Manchester
371 //=============================================================================
372
373 static struct {
374 enum {
375 DEMOD_UNSYNCD,
376 DEMOD_START_OF_COMMUNICATION,
377 DEMOD_MANCHESTER_D,
378 DEMOD_MANCHESTER_E,
379 DEMOD_MANCHESTER_F,
380 DEMOD_ERROR_WAIT
381 } state;
382 int bitCount;
383 int posCount;
384 int syncBit;
385 int parityBits;
386 uint16_t shiftReg;
387 int buffer;
388 int buff;
389 int samples;
390 int len;
391 enum {
392 SUB_NONE,
393 SUB_FIRST_HALF,
394 SUB_SECOND_HALF
395 } sub;
396 uint8_t *output;
397 } Demod;
398
399 static int ManchesterDecoding(int v)
400 {
401 int bit;
402 int modulation;
403 int error = 0;
404
405 if(!Demod.buff) {
406 Demod.buff = 1;
407 Demod.buffer = v;
408 return FALSE;
409 }
410 else {
411 bit = Demod.buffer;
412 Demod.buffer = v;
413 }
414
415 if(Demod.state==DEMOD_UNSYNCD) {
416 Demod.output[Demod.len] = 0xfa;
417 Demod.syncBit = 0;
418 //Demod.samples = 0;
419 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
420 if(bit & 0x08) { Demod.syncBit = 0x08; }
421 if(!Demod.syncBit) {
422 if(bit & 0x04) { Demod.syncBit = 0x04; }
423 }
424 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
425 if(!Demod.syncBit) {
426 if(bit & 0x02) { Demod.syncBit = 0x02; }
427 }
428 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
429 if(!Demod.syncBit) {
430 if(bit & 0x01) { Demod.syncBit = 0x01; }
431
432 if(Demod.syncBit & (Demod.buffer & 0x08)) {
433 Demod.syncBit = 0x08;
434
435 // The first half bitperiod is expected in next sample
436 Demod.posCount = 0;
437 Demod.output[Demod.len] = 0xfb;
438 }
439 }
440 else if(bit & 0x01) { Demod.syncBit = 0x01; }
441
442 if(Demod.syncBit) {
443 Demod.len = 0;
444 Demod.state = DEMOD_START_OF_COMMUNICATION;
445 Demod.sub = SUB_FIRST_HALF;
446 Demod.bitCount = 0;
447 Demod.shiftReg = 0;
448 Demod.parityBits = 0;
449 Demod.samples = 0;
450 if(Demod.posCount) {
451 switch(Demod.syncBit) {
452 case 0x08: Demod.samples = 3; break;
453 case 0x04: Demod.samples = 2; break;
454 case 0x02: Demod.samples = 1; break;
455 case 0x01: Demod.samples = 0; break;
456 }
457 }
458 error = 0;
459 }
460 }
461 else {
462 //modulation = bit & Demod.syncBit;
463 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
464
465 Demod.samples += 4;
466
467 if(Demod.posCount==0) {
468 Demod.posCount = 1;
469 if(modulation) {
470 Demod.sub = SUB_FIRST_HALF;
471 }
472 else {
473 Demod.sub = SUB_NONE;
474 }
475 }
476 else {
477 Demod.posCount = 0;
478 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
479 if(Demod.state!=DEMOD_ERROR_WAIT) {
480 Demod.state = DEMOD_ERROR_WAIT;
481 Demod.output[Demod.len] = 0xaa;
482 error = 0x01;
483 }
484 }
485 else if(modulation) {
486 Demod.sub = SUB_SECOND_HALF;
487 }
488
489 switch(Demod.state) {
490 case DEMOD_START_OF_COMMUNICATION:
491 if(Demod.sub == SUB_FIRST_HALF) {
492 Demod.state = DEMOD_MANCHESTER_D;
493 }
494 else {
495 Demod.output[Demod.len] = 0xab;
496 Demod.state = DEMOD_ERROR_WAIT;
497 error = 0x02;
498 }
499 break;
500
501 case DEMOD_MANCHESTER_D:
502 case DEMOD_MANCHESTER_E:
503 if(Demod.sub == SUB_FIRST_HALF) {
504 Demod.bitCount++;
505 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
506 Demod.state = DEMOD_MANCHESTER_D;
507 }
508 else if(Demod.sub == SUB_SECOND_HALF) {
509 Demod.bitCount++;
510 Demod.shiftReg >>= 1;
511 Demod.state = DEMOD_MANCHESTER_E;
512 }
513 else {
514 Demod.state = DEMOD_MANCHESTER_F;
515 }
516 break;
517
518 case DEMOD_MANCHESTER_F:
519 // Tag response does not need to be a complete byte!
520 if(Demod.len > 0 || Demod.bitCount > 0) {
521 if(Demod.bitCount > 0) {
522 Demod.shiftReg >>= (9 - Demod.bitCount);
523 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
524 Demod.len++;
525 // No parity bit, so just shift a 0
526 Demod.parityBits <<= 1;
527 }
528
529 Demod.state = DEMOD_UNSYNCD;
530 return TRUE;
531 }
532 else {
533 Demod.output[Demod.len] = 0xad;
534 Demod.state = DEMOD_ERROR_WAIT;
535 error = 0x03;
536 }
537 break;
538
539 case DEMOD_ERROR_WAIT:
540 Demod.state = DEMOD_UNSYNCD;
541 break;
542
543 default:
544 Demod.output[Demod.len] = 0xdd;
545 Demod.state = DEMOD_UNSYNCD;
546 break;
547 }
548
549 if(Demod.bitCount>=9) {
550 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
551 Demod.len++;
552
553 Demod.parityBits <<= 1;
554 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
555
556 Demod.bitCount = 0;
557 Demod.shiftReg = 0;
558 }
559
560 /*if(error) {
561 Demod.output[Demod.len] = 0xBB;
562 Demod.len++;
563 Demod.output[Demod.len] = error & 0xFF;
564 Demod.len++;
565 Demod.output[Demod.len] = 0xBB;
566 Demod.len++;
567 Demod.output[Demod.len] = bit & 0xFF;
568 Demod.len++;
569 Demod.output[Demod.len] = Demod.buffer & 0xFF;
570 Demod.len++;
571 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
572 Demod.len++;
573 Demod.output[Demod.len] = 0xBB;
574 Demod.len++;
575 return TRUE;
576 }*/
577
578 }
579
580 } // end (state != UNSYNCED)
581
582 return FALSE;
583 }
584
585 //=============================================================================
586 // Finally, a `sniffer' for ISO 14443 Type A
587 // Both sides of communication!
588 //=============================================================================
589
590 //-----------------------------------------------------------------------------
591 // Record the sequence of commands sent by the reader to the tag, with
592 // triggering so that we start recording at the point that the tag is moved
593 // near the reader.
594 //-----------------------------------------------------------------------------
595 void SnoopIso14443a(void)
596 {
597 // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
598 // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
599 // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
600 // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
601 // #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
602
603 // We won't start recording the frames that we acquire until we trigger;
604 // a good trigger condition to get started is probably when we see a
605 // response from the tag.
606 int triggered = TRUE; // FALSE to wait first for card
607
608 // The command (reader -> tag) that we're receiving.
609 // The length of a received command will in most cases be no more than 18 bytes.
610 // So 32 should be enough!
611 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
612 // The response (tag -> reader) that we're receiving.
613 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
614
615 // As we receive stuff, we copy it from receivedCmd or receivedResponse
616 // into trace, along with its length and other annotations.
617 //uint8_t *trace = (uint8_t *)BigBuf;
618 //int traceLen = 0;
619
620 // The DMA buffer, used to stream samples from the FPGA
621 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
622 int lastRxCounter;
623 int8_t *upTo;
624 int smpl;
625 int maxBehindBy = 0;
626
627 // Count of samples received so far, so that we can include timing
628 // information in the trace buffer.
629 int samples = 0;
630 int rsamples = 0;
631
632 memset(trace, 0x44, RECV_CMD_OFFSET);
633
634 // Set up the demodulator for tag -> reader responses.
635 Demod.output = receivedResponse;
636 Demod.len = 0;
637 Demod.state = DEMOD_UNSYNCD;
638
639 // And the reader -> tag commands
640 memset(&Uart, 0, sizeof(Uart));
641 Uart.output = receivedCmd;
642 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
643 Uart.state = STATE_UNSYNCD;
644
645 // And put the FPGA in the appropriate mode
646 // Signal field is off with the appropriate LED
647 LED_D_OFF();
648 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
649 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
650
651 // Setup for the DMA.
652 FpgaSetupSsc();
653 upTo = dmaBuf;
654 lastRxCounter = DMA_BUFFER_SIZE;
655 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
656
657 LED_A_ON();
658
659 // And now we loop, receiving samples.
660 for(;;) {
661 WDT_HIT();
662 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
663 (DMA_BUFFER_SIZE-1);
664 if(behindBy > maxBehindBy) {
665 maxBehindBy = behindBy;
666 if(behindBy > 400) {
667 DbpString("blew circular buffer!");
668 goto done;
669 }
670 }
671 if(behindBy < 1) continue;
672
673 smpl = upTo[0];
674 upTo++;
675 lastRxCounter -= 1;
676 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
677 upTo -= DMA_BUFFER_SIZE;
678 lastRxCounter += DMA_BUFFER_SIZE;
679 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
680 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
681 }
682
683 samples += 4;
684 #define HANDLE_BIT_IF_BODY \
685 LED_C_ON(); \
686 if(triggered) { \
687 trace[traceLen++] = ((rsamples >> 0) & 0xff); \
688 trace[traceLen++] = ((rsamples >> 8) & 0xff); \
689 trace[traceLen++] = ((rsamples >> 16) & 0xff); \
690 trace[traceLen++] = ((rsamples >> 24) & 0xff); \
691 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff); \
692 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff); \
693 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff); \
694 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff); \
695 trace[traceLen++] = Uart.byteCnt; \
696 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); \
697 traceLen += Uart.byteCnt; \
698 if(traceLen > TRACE_LENGTH) break; \
699 } \
700 /* And ready to receive another command. */ \
701 Uart.state = STATE_UNSYNCD; \
702 /* And also reset the demod code, which might have been */ \
703 /* false-triggered by the commands from the reader. */ \
704 Demod.state = DEMOD_UNSYNCD; \
705 LED_B_OFF(); \
706
707 if(MillerDecoding((smpl & 0xF0) >> 4)) {
708 rsamples = samples - Uart.samples;
709 HANDLE_BIT_IF_BODY
710 }
711 if(ManchesterDecoding(smpl & 0x0F)) {
712 rsamples = samples - Demod.samples;
713 LED_B_ON();
714
715 // timestamp, as a count of samples
716 trace[traceLen++] = ((rsamples >> 0) & 0xff);
717 trace[traceLen++] = ((rsamples >> 8) & 0xff);
718 trace[traceLen++] = ((rsamples >> 16) & 0xff);
719 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
720 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
721 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
722 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
723 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
724 // length
725 trace[traceLen++] = Demod.len;
726 memcpy(trace+traceLen, receivedResponse, Demod.len);
727 traceLen += Demod.len;
728 if(traceLen > TRACE_LENGTH) break;
729
730 triggered = TRUE;
731
732 // And ready to receive another response.
733 memset(&Demod, 0, sizeof(Demod));
734 Demod.output = receivedResponse;
735 Demod.state = DEMOD_UNSYNCD;
736 LED_C_OFF();
737 }
738
739 if(BUTTON_PRESS()) {
740 DbpString("cancelled_a");
741 goto done;
742 }
743 }
744
745 DbpString("COMMAND FINISHED");
746
747 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
748 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
749
750 done:
751 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
752 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
753 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
754 LED_A_OFF();
755 LED_B_OFF();
756 LED_C_OFF();
757 LED_D_OFF();
758 }
759
760 // Prepare communication bits to send to FPGA
761 void Sequence(SecType seq)
762 {
763 ToSendMax++;
764 switch(seq) {
765 // CARD TO READER
766 case SEC_D:
767 // Sequence D: 11110000
768 // modulation with subcarrier during first half
769 ToSend[ToSendMax] = 0xf0;
770 break;
771 case SEC_E:
772 // Sequence E: 00001111
773 // modulation with subcarrier during second half
774 ToSend[ToSendMax] = 0x0f;
775 break;
776 case SEC_F:
777 // Sequence F: 00000000
778 // no modulation with subcarrier
779 ToSend[ToSendMax] = 0x00;
780 break;
781 // READER TO CARD
782 case SEC_X:
783 // Sequence X: 00001100
784 // drop after half a period
785 ToSend[ToSendMax] = 0x0c;
786 break;
787 case SEC_Y:
788 default:
789 // Sequence Y: 00000000
790 // no drop
791 ToSend[ToSendMax] = 0x00;
792 break;
793 case SEC_Z:
794 // Sequence Z: 11000000
795 // drop at start
796 ToSend[ToSendMax] = 0xc0;
797 break;
798 }
799 }
800
801 //-----------------------------------------------------------------------------
802 // Prepare tag messages
803 //-----------------------------------------------------------------------------
804 static void CodeIso14443aAsTag(const uint8_t *cmd, int len)
805 {
806 int i;
807 int oddparity;
808
809 ToSendReset();
810
811 // Correction bit, might be removed when not needed
812 ToSendStuffBit(0);
813 ToSendStuffBit(0);
814 ToSendStuffBit(0);
815 ToSendStuffBit(0);
816 ToSendStuffBit(1); // 1
817 ToSendStuffBit(0);
818 ToSendStuffBit(0);
819 ToSendStuffBit(0);
820
821 // Send startbit
822 Sequence(SEC_D);
823
824 for(i = 0; i < len; i++) {
825 int j;
826 uint8_t b = cmd[i];
827
828 // Data bits
829 oddparity = 0x01;
830 for(j = 0; j < 8; j++) {
831 oddparity ^= (b & 1);
832 if(b & 1) {
833 Sequence(SEC_D);
834 } else {
835 Sequence(SEC_E);
836 }
837 b >>= 1;
838 }
839
840 // Parity bit
841 if(oddparity) {
842 Sequence(SEC_D);
843 } else {
844 Sequence(SEC_E);
845 }
846 }
847
848 // Send stopbit
849 Sequence(SEC_F);
850
851 // Flush the buffer in FPGA!!
852 for(i = 0; i < 5; i++) {
853 Sequence(SEC_F);
854 }
855
856 // Convert from last byte pos to length
857 ToSendMax++;
858
859 // Add a few more for slop
860 ToSend[ToSendMax++] = 0x00;
861 ToSend[ToSendMax++] = 0x00;
862 //ToSendMax += 2;
863 }
864
865 //-----------------------------------------------------------------------------
866 // This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
867 //-----------------------------------------------------------------------------
868 static void CodeStrangeAnswer()
869 {
870 int i;
871
872 ToSendReset();
873
874 // Correction bit, might be removed when not needed
875 ToSendStuffBit(0);
876 ToSendStuffBit(0);
877 ToSendStuffBit(0);
878 ToSendStuffBit(0);
879 ToSendStuffBit(1); // 1
880 ToSendStuffBit(0);
881 ToSendStuffBit(0);
882 ToSendStuffBit(0);
883
884 // Send startbit
885 Sequence(SEC_D);
886
887 // 0
888 Sequence(SEC_E);
889
890 // 0
891 Sequence(SEC_E);
892
893 // 1
894 Sequence(SEC_D);
895
896 // Send stopbit
897 Sequence(SEC_F);
898
899 // Flush the buffer in FPGA!!
900 for(i = 0; i < 5; i++) {
901 Sequence(SEC_F);
902 }
903
904 // Convert from last byte pos to length
905 ToSendMax++;
906
907 // Add a few more for slop
908 ToSend[ToSendMax++] = 0x00;
909 ToSend[ToSendMax++] = 0x00;
910 //ToSendMax += 2;
911 }
912
913 //-----------------------------------------------------------------------------
914 // Wait for commands from reader
915 // Stop when button is pressed
916 // Or return TRUE when command is captured
917 //-----------------------------------------------------------------------------
918 static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
919 {
920 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
921 // only, since we are receiving, not transmitting).
922 // Signal field is off with the appropriate LED
923 LED_D_OFF();
924 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
925
926 // Now run a `software UART' on the stream of incoming samples.
927 Uart.output = received;
928 Uart.byteCntMax = maxLen;
929 Uart.state = STATE_UNSYNCD;
930
931 for(;;) {
932 WDT_HIT();
933
934 if(BUTTON_PRESS()) return FALSE;
935
936 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
937 AT91C_BASE_SSC->SSC_THR = 0x00;
938 }
939 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
940 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
941 if(MillerDecoding((b & 0xf0) >> 4)) {
942 *len = Uart.byteCnt;
943 return TRUE;
944 }
945 if(MillerDecoding(b & 0x0f)) {
946 *len = Uart.byteCnt;
947 return TRUE;
948 }
949 }
950 }
951 }
952
953 //-----------------------------------------------------------------------------
954 // Main loop of simulated tag: receive commands from reader, decide what
955 // response to send, and send it.
956 //-----------------------------------------------------------------------------
957 void SimulateIso14443aTag(int tagType, int TagUid)
958 {
959 // This function contains the tag emulation
960
961 // Prepare protocol messages
962 // static const uint8_t cmd1[] = { 0x26 };
963 // static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
964 //
965 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
966 // static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
967
968 // UID response
969 // static const uint8_t cmd2[] = { 0x93, 0x20 };
970 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
971
972
973
974 // my desfire
975 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
976
977
978 // When reader selects us during cascade1 it will send cmd3
979 //uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
980 uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
981 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
982
983 // send cascade2 2nd half of UID
984 static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
985 // NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
986
987
988 // When reader selects us during cascade2 it will send cmd3a
989 //uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
990 uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
991 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
992
993 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
994
995 uint8_t *resp;
996 int respLen;
997
998 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
999 // This will need
1000 // 144 data bits (18 * 8)
1001 // 18 parity bits
1002 // 2 Start and stop
1003 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
1004 // 1 just for the case
1005 // ----------- +
1006 // 166
1007 //
1008 // 166 bytes, since every bit that needs to be send costs us a byte
1009 //
1010
1011
1012 // Respond with card type
1013 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
1014 int resp1Len;
1015
1016 // Anticollision cascade1 - respond with uid
1017 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
1018 int resp2Len;
1019
1020 // Anticollision cascade2 - respond with 2nd half of uid if asked
1021 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
1022 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
1023 int resp2aLen;
1024
1025 // Acknowledge select - cascade 1
1026 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
1027 int resp3Len;
1028
1029 // Acknowledge select - cascade 2
1030 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
1031 int resp3aLen;
1032
1033 // Response to a read request - not implemented atm
1034 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
1035 int resp4Len;
1036
1037 // Authenticate response - nonce
1038 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
1039 int resp5Len;
1040
1041 uint8_t *receivedCmd = (uint8_t *)BigBuf;
1042 int len;
1043
1044 int i;
1045 int u;
1046 uint8_t b;
1047
1048 // To control where we are in the protocol
1049 int order = 0;
1050 int lastorder;
1051
1052 // Just to allow some checks
1053 int happened = 0;
1054 int happened2 = 0;
1055
1056 int cmdsRecvd = 0;
1057
1058 int fdt_indicator;
1059
1060 memset(receivedCmd, 0x44, 400);
1061
1062 // Prepare the responses of the anticollision phase
1063 // there will be not enough time to do this at the moment the reader sends it REQA
1064
1065 // Answer to request
1066 CodeIso14443aAsTag(response1, sizeof(response1));
1067 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1068
1069 // Send our UID (cascade 1)
1070 CodeIso14443aAsTag(response2, sizeof(response2));
1071 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1072
1073 // Answer to select (cascade1)
1074 CodeIso14443aAsTag(response3, sizeof(response3));
1075 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1076
1077 // Send the cascade 2 2nd part of the uid
1078 CodeIso14443aAsTag(response2a, sizeof(response2a));
1079 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1080
1081 // Answer to select (cascade 2)
1082 CodeIso14443aAsTag(response3a, sizeof(response3a));
1083 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1084
1085 // Strange answer is an example of rare message size (3 bits)
1086 CodeStrangeAnswer();
1087 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1088
1089 // Authentication answer (random nonce)
1090 CodeIso14443aAsTag(response5, sizeof(response5));
1091 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1092
1093 // We need to listen to the high-frequency, peak-detected path.
1094 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1095 FpgaSetupSsc();
1096
1097 cmdsRecvd = 0;
1098
1099 LED_A_ON();
1100 for(;;) {
1101
1102 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1103 DbpString("button press");
1104 break;
1105 }
1106 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1107 // Okay, look at the command now.
1108 lastorder = order;
1109 i = 1; // first byte transmitted
1110 if(receivedCmd[0] == 0x26) {
1111 // Received a REQUEST
1112 resp = resp1; respLen = resp1Len; order = 1;
1113 //DbpString("Hello request from reader:");
1114 } else if(receivedCmd[0] == 0x52) {
1115 // Received a WAKEUP
1116 resp = resp1; respLen = resp1Len; order = 6;
1117 // //DbpString("Wakeup request from reader:");
1118
1119 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1120 // Received request for UID (cascade 1)
1121 resp = resp2; respLen = resp2Len; order = 2;
1122 // DbpString("UID (cascade 1) request from reader:");
1123 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1124
1125
1126 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1127 // Received request for UID (cascade 2)
1128 resp = resp2a; respLen = resp2aLen; order = 20;
1129 // DbpString("UID (cascade 2) request from reader:");
1130 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1131
1132
1133 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1134 // Received a SELECT
1135 resp = resp3; respLen = resp3Len; order = 3;
1136 // DbpString("Select (cascade 1) request from reader:");
1137 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1138
1139
1140 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1141 // Received a SELECT
1142 resp = resp3a; respLen = resp3aLen; order = 30;
1143 // DbpString("Select (cascade 2) request from reader:");
1144 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1145
1146
1147 } else if(receivedCmd[0] == 0x30) {
1148 // Received a READ
1149 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1150 Dbprintf("Read request from reader: %x %x %x",
1151 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1152
1153
1154 } else if(receivedCmd[0] == 0x50) {
1155 // Received a HALT
1156 resp = resp1; respLen = 0; order = 5; // Do nothing
1157 DbpString("Reader requested we HALT!:");
1158
1159 } else if(receivedCmd[0] == 0x60) {
1160 // Received an authentication request
1161 resp = resp5; respLen = resp5Len; order = 7;
1162 Dbprintf("Authenticate request from reader: %x %x %x",
1163 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1164
1165 } else if(receivedCmd[0] == 0xE0) {
1166 // Received a RATS request
1167 resp = resp1; respLen = 0;order = 70;
1168 Dbprintf("RATS request from reader: %x %x %x",
1169 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1170 } else {
1171 // Never seen this command before
1172 Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
1173 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1174 receivedCmd[3], receivedCmd[3], receivedCmd[4],
1175 receivedCmd[5], receivedCmd[6], receivedCmd[7]);
1176 // Do not respond
1177 resp = resp1; respLen = 0; order = 0;
1178 }
1179
1180 // Count number of wakeups received after a halt
1181 if(order == 6 && lastorder == 5) { happened++; }
1182
1183 // Count number of other messages after a halt
1184 if(order != 6 && lastorder == 5) { happened2++; }
1185
1186 // Look at last parity bit to determine timing of answer
1187 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1188 // 1236, so correction bit needed
1189 i = 0;
1190 }
1191
1192 memset(receivedCmd, 0x44, 32);
1193
1194 if(cmdsRecvd > 999) {
1195 DbpString("1000 commands later...");
1196 break;
1197 }
1198 else {
1199 cmdsRecvd++;
1200 }
1201
1202 if(respLen <= 0) continue;
1203
1204 // Modulate Manchester
1205 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1206 AT91C_BASE_SSC->SSC_THR = 0x00;
1207 FpgaSetupSsc();
1208
1209 // ### Transmit the response ###
1210 u = 0;
1211 b = 0x00;
1212 fdt_indicator = FALSE;
1213 for(;;) {
1214 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1215 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1216 (void)b;
1217 }
1218 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1219 if(i > respLen) {
1220 b = 0x00;
1221 u++;
1222 } else {
1223 b = resp[i];
1224 i++;
1225 }
1226 AT91C_BASE_SSC->SSC_THR = b;
1227
1228 if(u > 4) {
1229 break;
1230 }
1231 }
1232 if(BUTTON_PRESS()) {
1233 break;
1234 }
1235 }
1236
1237 }
1238
1239 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1240 LED_A_OFF();
1241 }
1242
1243 //-----------------------------------------------------------------------------
1244 // Transmit the command (to the tag) that was placed in ToSend[].
1245 //-----------------------------------------------------------------------------
1246 static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
1247 {
1248 int c;
1249
1250 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1251
1252 if (wait)
1253 if(*wait < 10)
1254 *wait = 10;
1255
1256 for(c = 0; c < *wait;) {
1257 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1258 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1259 c++;
1260 }
1261 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1262 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1263 (void)r;
1264 }
1265 WDT_HIT();
1266 }
1267
1268 c = 0;
1269 for(;;) {
1270 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1271 AT91C_BASE_SSC->SSC_THR = cmd[c];
1272 c++;
1273 if(c >= len) {
1274 break;
1275 }
1276 }
1277 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1278 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1279 (void)r;
1280 }
1281 WDT_HIT();
1282 }
1283 if (samples) *samples = (c + *wait) << 3;
1284 }
1285
1286 //-----------------------------------------------------------------------------
1287 // To generate an arbitrary stream from reader
1288 //
1289 //-----------------------------------------------------------------------------
1290 void ArbitraryFromReader(const uint8_t *cmd, int parity, int len)
1291 {
1292 int i;
1293 int j;
1294 int last;
1295 uint8_t b;
1296
1297 ToSendReset();
1298
1299 // Start of Communication (Seq. Z)
1300 Sequence(SEC_Z);
1301 last = 0;
1302
1303 for(i = 0; i < len; i++) {
1304 // Data bits
1305 b = cmd[i];
1306 for(j = 0; j < 8; j++) {
1307 if(b & 1) {
1308 // Sequence X
1309 Sequence(SEC_X);
1310 last = 1;
1311 } else {
1312 if(last == 0) {
1313 // Sequence Z
1314 Sequence(SEC_Z);
1315 }
1316 else {
1317 // Sequence Y
1318 Sequence(SEC_Y);
1319 last = 0;
1320 }
1321 }
1322 b >>= 1;
1323
1324 }
1325
1326 // Predefined parity bit, the flipper flips when needed, because of flips in byte sent
1327 if(((parity >> (len - i - 1)) & 1)) {
1328 // Sequence X
1329 Sequence(SEC_X);
1330 last = 1;
1331 } else {
1332 if(last == 0) {
1333 // Sequence Z
1334 Sequence(SEC_Z);
1335 }
1336 else {
1337 // Sequence Y
1338 Sequence(SEC_Y);
1339 last = 0;
1340 }
1341 }
1342 }
1343
1344 // End of Communication
1345 if(last == 0) {
1346 // Sequence Z
1347 Sequence(SEC_Z);
1348 }
1349 else {
1350 // Sequence Y
1351 Sequence(SEC_Y);
1352 last = 0;
1353 }
1354 // Sequence Y
1355 Sequence(SEC_Y);
1356
1357 // Just to be sure!
1358 Sequence(SEC_Y);
1359 Sequence(SEC_Y);
1360 Sequence(SEC_Y);
1361
1362 // Convert from last character reference to length
1363 ToSendMax++;
1364 }
1365
1366 //-----------------------------------------------------------------------------
1367 // Code a 7-bit command without parity bit
1368 // This is especially for 0x26 and 0x52 (REQA and WUPA)
1369 //-----------------------------------------------------------------------------
1370 void ShortFrameFromReader(const uint8_t bt)
1371 {
1372 int j;
1373 int last;
1374 uint8_t b;
1375
1376 ToSendReset();
1377
1378 // Start of Communication (Seq. Z)
1379 Sequence(SEC_Z);
1380 last = 0;
1381
1382 b = bt;
1383 for(j = 0; j < 7; j++) {
1384 if(b & 1) {
1385 // Sequence X
1386 Sequence(SEC_X);
1387 last = 1;
1388 } else {
1389 if(last == 0) {
1390 // Sequence Z
1391 Sequence(SEC_Z);
1392 }
1393 else {
1394 // Sequence Y
1395 Sequence(SEC_Y);
1396 last = 0;
1397 }
1398 }
1399 b >>= 1;
1400 }
1401
1402 // End of Communication
1403 if(last == 0) {
1404 // Sequence Z
1405 Sequence(SEC_Z);
1406 }
1407 else {
1408 // Sequence Y
1409 Sequence(SEC_Y);
1410 last = 0;
1411 }
1412 // Sequence Y
1413 Sequence(SEC_Y);
1414
1415 // Just to be sure!
1416 Sequence(SEC_Y);
1417 Sequence(SEC_Y);
1418 Sequence(SEC_Y);
1419
1420 // Convert from last character reference to length
1421 ToSendMax++;
1422 }
1423
1424 //-----------------------------------------------------------------------------
1425 // Prepare reader command to send to FPGA
1426 //
1427 //-----------------------------------------------------------------------------
1428 void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
1429 {
1430 int i, j;
1431 int last;
1432 uint8_t b;
1433
1434 ToSendReset();
1435
1436 // Start of Communication (Seq. Z)
1437 Sequence(SEC_Z);
1438 last = 0;
1439
1440 // Generate send structure for the data bits
1441 for (i = 0; i < len; i++) {
1442 // Get the current byte to send
1443 b = cmd[i];
1444
1445 for (j = 0; j < 8; j++) {
1446 if (b & 1) {
1447 // Sequence X
1448 Sequence(SEC_X);
1449 last = 1;
1450 } else {
1451 if (last == 0) {
1452 // Sequence Z
1453 Sequence(SEC_Z);
1454 } else {
1455 // Sequence Y
1456 Sequence(SEC_Y);
1457 last = 0;
1458 }
1459 }
1460 b >>= 1;
1461 }
1462
1463 // Get the parity bit
1464 if ((dwParity >> i) & 0x01) {
1465 // Sequence X
1466 Sequence(SEC_X);
1467 last = 1;
1468 } else {
1469 if (last == 0) {
1470 // Sequence Z
1471 Sequence(SEC_Z);
1472 } else {
1473 // Sequence Y
1474 Sequence(SEC_Y);
1475 last = 0;
1476 }
1477 }
1478 }
1479
1480 // End of Communication
1481 if (last == 0) {
1482 // Sequence Z
1483 Sequence(SEC_Z);
1484 } else {
1485 // Sequence Y
1486 Sequence(SEC_Y);
1487 last = 0;
1488 }
1489 // Sequence Y
1490 Sequence(SEC_Y);
1491
1492 // Just to be sure!
1493 Sequence(SEC_Y);
1494 Sequence(SEC_Y);
1495 Sequence(SEC_Y);
1496
1497 // Convert from last character reference to length
1498 ToSendMax++;
1499 }
1500
1501 //-----------------------------------------------------------------------------
1502 // Wait a certain time for tag response
1503 // If a response is captured return TRUE
1504 // If it takes to long return FALSE
1505 //-----------------------------------------------------------------------------
1506 static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
1507 {
1508 // buffer needs to be 512 bytes
1509 int c;
1510
1511 // Set FPGA mode to "reader listen mode", no modulation (listen
1512 // only, since we are receiving, not transmitting).
1513 // Signal field is on with the appropriate LED
1514 LED_D_ON();
1515 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1516
1517 // Now get the answer from the card
1518 Demod.output = receivedResponse;
1519 Demod.len = 0;
1520 Demod.state = DEMOD_UNSYNCD;
1521
1522 uint8_t b;
1523 if (elapsed) *elapsed = 0;
1524
1525 c = 0;
1526 for(;;) {
1527 WDT_HIT();
1528
1529 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1530 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1531 if (elapsed) (*elapsed)++;
1532 }
1533 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1534 if(c < 512) { c++; } else { return FALSE; }
1535 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1536 if(ManchesterDecoding((b & 0xf0) >> 4)) {
1537 *samples = ((c - 1) << 3) + 4;
1538 return TRUE;
1539 }
1540 if(ManchesterDecoding(b & 0x0f)) {
1541 *samples = c << 3;
1542 return TRUE;
1543 }
1544 }
1545 }
1546 }
1547
1548 void ReaderTransmitShort(const uint8_t* bt)
1549 {
1550 int wait = 0;
1551 int samples = 0;
1552
1553 ShortFrameFromReader(*bt);
1554
1555 // Select the card
1556 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1557
1558 // Store reader command in buffer
1559 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1560 }
1561
1562 void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
1563 {
1564 int wait = 0;
1565 int samples = 0;
1566
1567 // This is tied to other size changes
1568 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
1569 CodeIso14443aAsReaderPar(frame,len,par);
1570
1571 // Select the card
1572 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1573
1574 // Store reader command in buffer
1575 if (tracing) LogTrace(frame,len,0,par,TRUE);
1576 }
1577
1578
1579 void ReaderTransmit(uint8_t* frame, int len)
1580 {
1581 // Generate parity and redirect
1582 ReaderTransmitPar(frame,len,GetParity(frame,len));
1583 }
1584
1585 int ReaderReceive(uint8_t* receivedAnswer)
1586 {
1587 int samples = 0;
1588 if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
1589 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1590 return TRUE;
1591 }
1592
1593 //-----------------------------------------------------------------------------
1594 // Read an ISO 14443a tag. Send out commands and store answers.
1595 //
1596 //-----------------------------------------------------------------------------
1597 void ReaderIso14443a(uint32_t parameter)
1598 {
1599 // Anticollision
1600 uint8_t wupa[] = { 0x52 };
1601 uint8_t sel_all[] = { 0x93,0x20 };
1602 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1603 uint8_t sel_all_c2[] = { 0x95,0x20 };
1604 uint8_t sel_uid_c2[] = { 0x95,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1605
1606 // Mifare AUTH
1607 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1608 // uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00 };
1609
1610 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1611 traceLen = 0;
1612
1613 // Setup SSC
1614 FpgaSetupSsc();
1615
1616 // Start from off (no field generated)
1617 // Signal field is off with the appropriate LED
1618 LED_D_OFF();
1619 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1620 SpinDelay(200);
1621
1622 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1623 FpgaSetupSsc();
1624
1625 // Now give it time to spin up.
1626 // Signal field is on with the appropriate LED
1627 LED_D_ON();
1628 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1629 SpinDelay(200);
1630
1631 LED_A_ON();
1632 LED_B_OFF();
1633 LED_C_OFF();
1634
1635 while(traceLen < TRACE_LENGTH)
1636 {
1637 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1638 ReaderTransmitShort(wupa);
1639
1640 // Test if the action was cancelled
1641 if(BUTTON_PRESS()) {
1642 break;
1643 }
1644
1645 // Receive the ATQA
1646 if (!ReaderReceive(receivedAnswer)) continue;
1647
1648 // Transmit SELECT_ALL
1649 ReaderTransmit(sel_all,sizeof(sel_all));
1650
1651 // Receive the UID
1652 if (!ReaderReceive(receivedAnswer)) continue;
1653
1654 // Construct SELECT UID command
1655 // First copy the 5 bytes (Mifare Classic) after the 93 70
1656 memcpy(sel_uid+2,receivedAnswer,5);
1657 // Secondly compute the two CRC bytes at the end
1658 AppendCrc14443a(sel_uid,7);
1659
1660 // Transmit SELECT_UID
1661 ReaderTransmit(sel_uid,sizeof(sel_uid));
1662
1663 // Receive the SAK
1664 if (!ReaderReceive(receivedAnswer)) continue;
1665
1666 // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in
1667 // which case we need to make a cascade 2 request and select - this is a long UID
1668 // When the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1669 if (receivedAnswer[0] &= 0x04)
1670 {
1671 // Transmit SELECT_ALL
1672 ReaderTransmit(sel_all_c2,sizeof(sel_all_c2));
1673
1674 // Receive the UID
1675 if (!ReaderReceive(receivedAnswer)) continue;
1676
1677 // Construct SELECT UID command
1678 memcpy(sel_uid_c2+2,receivedAnswer,5);
1679 // Secondly compute the two CRC bytes at the end
1680 AppendCrc14443a(sel_uid_c2,7);
1681
1682 // Transmit SELECT_UID
1683 ReaderTransmit(sel_uid_c2,sizeof(sel_uid_c2));
1684
1685 // Receive the SAK
1686 if (!ReaderReceive(receivedAnswer)) continue;
1687 }
1688
1689 // Transmit MIFARE_CLASSIC_AUTH
1690 ReaderTransmit(mf_auth,sizeof(mf_auth));
1691
1692 // Receive the (16 bit) "random" nonce
1693 if (!ReaderReceive(receivedAnswer)) continue;
1694 }
1695
1696 // Thats it...
1697 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1698 LEDsoff();
1699 Dbprintf("%x %x %x", rsamples, 0xCC, 0xCC);
1700 DbpString("ready..");
1701 }
1702
1703 //-----------------------------------------------------------------------------
1704 // Read an ISO 14443a tag. Send out commands and store answers.
1705 //
1706 //-----------------------------------------------------------------------------
1707 void ReaderMifare(uint32_t parameter)
1708 {
1709
1710 // Anticollision
1711 uint8_t wupa[] = { 0x52 };
1712 uint8_t sel_all[] = { 0x93,0x20 };
1713 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1714
1715 // Mifare AUTH
1716 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1717 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1718
1719 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1720 traceLen = 0;
1721 tracing = false;
1722
1723 // Setup SSC
1724 FpgaSetupSsc();
1725
1726 // Start from off (no field generated)
1727 // Signal field is off with the appropriate LED
1728 LED_D_OFF();
1729 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1730 SpinDelay(200);
1731
1732 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1733 FpgaSetupSsc();
1734
1735 // Now give it time to spin up.
1736 // Signal field is on with the appropriate LED
1737 LED_D_ON();
1738 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1739 SpinDelay(200);
1740
1741 LED_A_ON();
1742 LED_B_OFF();
1743 LED_C_OFF();
1744
1745 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1746 ReaderTransmitShort(wupa);
1747 // Receive the ATQA
1748 ReaderReceive(receivedAnswer);
1749 // Transmit SELECT_ALL
1750 ReaderTransmit(sel_all,sizeof(sel_all));
1751 // Receive the UID
1752 ReaderReceive(receivedAnswer);
1753 // Construct SELECT UID command
1754 // First copy the 5 bytes (Mifare Classic) after the 93 70
1755 memcpy(sel_uid+2,receivedAnswer,5);
1756 // Secondly compute the two CRC bytes at the end
1757 AppendCrc14443a(sel_uid,7);
1758
1759 byte_t nt_diff = 0;
1760 LED_A_OFF();
1761 byte_t par = 0;
1762 byte_t par_mask = 0xff;
1763 byte_t par_low = 0;
1764 int led_on = TRUE;
1765
1766 tracing = FALSE;
1767 byte_t nt[4];
1768 byte_t nt_attacked[4];
1769 byte_t par_list[8];
1770 byte_t ks_list[8];
1771 num_to_bytes(parameter,4,nt_attacked);
1772
1773 while(TRUE)
1774 {
1775 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1776 SpinDelay(200);
1777 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1778
1779 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1780 ReaderTransmitShort(wupa);
1781
1782 // Test if the action was cancelled
1783 if(BUTTON_PRESS()) {
1784 break;
1785 }
1786
1787 // Receive the ATQA
1788 if (!ReaderReceive(receivedAnswer)) continue;
1789
1790 // Transmit SELECT_ALL
1791 ReaderTransmit(sel_all,sizeof(sel_all));
1792
1793 // Receive the UID
1794 if (!ReaderReceive(receivedAnswer)) continue;
1795
1796 // Transmit SELECT_UID
1797 ReaderTransmit(sel_uid,sizeof(sel_uid));
1798
1799 // Receive the SAK
1800 if (!ReaderReceive(receivedAnswer)) continue;
1801
1802 // Transmit MIFARE_CLASSIC_AUTH
1803 ReaderTransmit(mf_auth,sizeof(mf_auth));
1804
1805 // Receive the (16 bit) "random" nonce
1806 if (!ReaderReceive(receivedAnswer)) continue;
1807 memcpy(nt,receivedAnswer,4);
1808
1809 // Transmit reader nonce and reader answer
1810 ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par);
1811
1812 // Receive 4 bit answer
1813 if (ReaderReceive(receivedAnswer))
1814 {
1815 if (nt_diff == 0)
1816 {
1817 LED_A_ON();
1818 memcpy(nt_attacked,nt,4);
1819 par_mask = 0xf8;
1820 par_low = par & 0x07;
1821 }
1822
1823 if (memcmp(nt,nt_attacked,4) != 0) continue;
1824
1825 led_on = !led_on;
1826 if(led_on) LED_B_ON(); else LED_B_OFF();
1827 par_list[nt_diff] = par;
1828 ks_list[nt_diff] = receivedAnswer[0]^0x05;
1829
1830 // Test if the information is complete
1831 if (nt_diff == 0x07) break;
1832
1833 nt_diff = (nt_diff+1) & 0x07;
1834 mf_nr_ar[3] = nt_diff << 5;
1835 par = par_low;
1836 } else {
1837 if (nt_diff == 0)
1838 {
1839 par++;
1840 } else {
1841 par = (((par>>3)+1) << 3) | par_low;
1842 }
1843 }
1844 }
1845
1846 LogTraceInfo(sel_uid+2,4);
1847 LogTraceInfo(nt,4);
1848 LogTraceInfo(par_list,8);
1849 LogTraceInfo(ks_list,8);
1850
1851 // Thats it...
1852 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1853 LEDsoff();
1854 tracing = TRUE;
1855 }
Proxmark3 GIT tracking
Impressum, Datenschutz