]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443b.c
projects / proxmark3-svn / blob
? search:


e89c3becdd8a8777c91c1dce13dded2003e0775f
[proxmark3-svn] / armsrc / iso14443b.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, split Nov 2006
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Routines to support ISO 14443B. This includes both the reader software and
9 // the `fake tag' modes.
10 //-----------------------------------------------------------------------------
11 #include "iso14443b.h"
12
13 #define RECEIVE_SAMPLES_TIMEOUT 50000
14 #define ISO14443B_DMA_BUFFER_SIZE 256
15
16 // Guard Time (per 14443-2)
17 #define TR0 0
18 // Synchronization time (per 14443-2)
19 #define TR1 0
20 // Frame Delay Time PICC to PCD (per 14443-3 Amendment 1)
21 #define TR2 0
22
23 // 4sample
24 #define SEND4STUFFBIT(x) ToSendStuffBit(x);ToSendStuffBit(x);ToSendStuffBit(x);ToSendStuffBit(x);
25 //#define SEND4STUFFBIT(x) ToSendStuffBit(x);
26
27 static void switch_off(void);
28
29 // the block number for the ISO14443-4 PCB (used with APDUs)
30 static uint8_t pcb_blocknum = 0;
31
32 static uint32_t iso14b_timeout = RECEIVE_SAMPLES_TIMEOUT;
33 // param timeout is in ftw_
34 void iso14b_set_timeout(uint32_t timeout) {
35 // 9.4395us = 1etu.
36 // clock is about 1.5 us
37 iso14b_timeout = timeout;
38 if(MF_DBGLEVEL >= 2) Dbprintf("ISO14443B Timeout set to %ld fwt", iso14b_timeout);
39 }
40
41 static void switch_off(void){
42 if (MF_DBGLEVEL > 3) Dbprintf("switch_off");
43 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
44 SpinDelay(100);
45 FpgaDisableSscDma();
46 set_tracing(FALSE);
47 LEDsoff();
48 }
49
50 //=============================================================================
51 // An ISO 14443 Type B tag. We listen for commands from the reader, using
52 // a UART kind of thing that's implemented in software. When we get a
53 // frame (i.e., a group of bytes between SOF and EOF), we check the CRC.
54 // If it's good, then we can do something appropriate with it, and send
55 // a response.
56 //=============================================================================
57
58
59 //-----------------------------------------------------------------------------
60 // The software UART that receives commands from the reader, and its state variables.
61 //-----------------------------------------------------------------------------
62 static struct {
63 enum {
64 STATE_UNSYNCD,
65 STATE_GOT_FALLING_EDGE_OF_SOF,
66 STATE_AWAITING_START_BIT,
67 STATE_RECEIVING_DATA
68 } state;
69 uint16_t shiftReg;
70 int bitCnt;
71 int byteCnt;
72 int byteCntMax;
73 int posCnt;
74 uint8_t *output;
75 } Uart;
76
77 static void UartReset() {
78 Uart.state = STATE_UNSYNCD;
79 Uart.shiftReg = 0;
80 Uart.bitCnt = 0;
81 Uart.byteCnt = 0;
82 Uart.byteCntMax = MAX_FRAME_SIZE;
83 Uart.posCnt = 0;
84 }
85
86 static void UartInit(uint8_t *data) {
87 Uart.output = data;
88 UartReset();
89 // memset(Uart.output, 0x00, MAX_FRAME_SIZE);
90 }
91
92 //-----------------------------------------------------------------------------
93 // The software Demod that receives commands from the tag, and its state variables.
94 //-----------------------------------------------------------------------------
95 static struct {
96 enum {
97 DEMOD_UNSYNCD,
98 DEMOD_PHASE_REF_TRAINING,
99 DEMOD_AWAITING_FALLING_EDGE_OF_SOF,
100 DEMOD_GOT_FALLING_EDGE_OF_SOF,
101 DEMOD_AWAITING_START_BIT,
102 DEMOD_RECEIVING_DATA
103 } state;
104 uint16_t bitCount;
105 int posCount;
106 int thisBit;
107 /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
108 int metric;
109 int metricN;
110 */
111 uint16_t shiftReg;
112 uint8_t *output;
113 uint16_t len;
114 int sumI;
115 int sumQ;
116 uint32_t startTime, endTime;
117 } Demod;
118
119 // Clear out the state of the "UART" that receives from the tag.
120 static void DemodReset() {
121 Demod.state = DEMOD_UNSYNCD;
122 Demod.bitCount = 0;
123 Demod.posCount = 0;
124 Demod.thisBit = 0;
125 Demod.shiftReg = 0;
126 Demod.len = 0;
127 Demod.sumI = 0;
128 Demod.sumQ = 0;
129 Demod.startTime = 0;
130 Demod.endTime = 0;
131 }
132
133 static void DemodInit(uint8_t *data) {
134 Demod.output = data;
135 DemodReset();
136 // memset(Demod.output, 0x00, MAX_FRAME_SIZE);
137 }
138
139 void AppendCrc14443b(uint8_t* data, int len) {
140 ComputeCrc14443(CRC_14443_B, data, len, data+len, data+len+1);
141 }
142
143 //-----------------------------------------------------------------------------
144 // Code up a string of octets at layer 2 (including CRC, we don't generate
145 // that here) so that they can be transmitted to the reader. Doesn't transmit
146 // them yet, just leaves them ready to send in ToSend[].
147 //-----------------------------------------------------------------------------
148 static void CodeIso14443bAsTag(const uint8_t *cmd, int len) {
149 /* ISO 14443 B
150 *
151 * Reader to card | ASK - Amplitude Shift Keying Modulation (PCD to PICC for Type B) (NRZ-L encodig)
152 * Card to reader | BPSK - Binary Phase Shift Keying Modulation, (PICC to PCD for Type B)
153 *
154 * fc - carrier frequency 13.56mHz
155 * TR0 - Guard Time per 14443-2
156 * TR1 - Synchronization Time per 14443-2
157 * TR2 - PICC to PCD Frame Delay Time (per 14443-3 Amendment 1)
158 *
159 * Elementary Time Unit (ETU) is
160 * - 128 Carrier Cycles (9.4395 µS) = 8 Subcarrier Units
161 * - 1 ETU = 1 bit
162 * - 10 ETU = 1 startbit, 8 databits, 1 stopbit (10bits length)
163 * - startbit is a 0
164 * - stopbit is a 1
165 *
166 * Start of frame (SOF) is
167 * - [10-11] ETU of ZEROS, unmodulated time
168 * - [2-3] ETU of ONES,
169 *
170 * End of frame (EOF) is
171 * - [10-11] ETU of ZEROS, unmodulated time
172 *
173 * -TO VERIFY THIS BELOW-
174 * The mode FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK which we use to simulate tag
175 * works like this:
176 * - A 1-bit input to the FPGA becomes 8 pulses at 847.5kHz (9.44µS)
177 * - A 0-bit input to the FPGA becomes an unmodulated time of 9.44µS
178 *
179 *
180 *
181 * Card sends data ub 847.e kHz subcarrier
182 * 848k = 9.44µS = 128 fc
183 * 424k = 18.88µS = 256 fc
184 * 212k = 37.76µS = 512 fc
185 * 106k = 75.52µS = 1024 fc
186 *
187 * Reader data transmission:
188 * - no modulation ONES
189 * - SOF
190 * - Command, data and CRC_B
191 * - EOF
192 * - no modulation ONES
193 *
194 * Card data transmission
195 * - TR1
196 * - SOF
197 * - data (each bytes is: 1startbit,8bits, 1stopbit)
198 * - CRC_B
199 * - EOF
200 *
201 * FPGA implementation :
202 * At this point only Type A is implemented. This means that we are using a
203 * bit rate of 106 kbit/s, or fc/128. Oversample by 4, which ought to make
204 * things practical for the ARM (fc/32, 423.8 kbits/s, ~50 kbytes/s)
205 *
206 */
207
208 int i,j;
209 uint8_t b;
210
211 ToSendReset();
212
213 // Transmit a burst of ones, as the initial thing that lets the
214 // reader get phase sync.
215 // This loop is TR1, per specification
216 // TR1 minimum must be > 80/fs
217 // TR1 maximum 200/fs
218 // 80/fs < TR1 < 200/fs
219 // 10 ETU < TR1 < 24 ETU
220
221 // Send SOF.
222 // 10-11 ETU * 4times samples ZEROS
223 for(i = 0; i < 10; i++) { SEND4STUFFBIT(0); }
224 //for(i = 0; i < 10; i++) { ToSendStuffBit(0); }
225
226 // 2-3 ETU * 4times samples ONES
227 for(i = 0; i < 3; i++) { SEND4STUFFBIT(1); }
228 //for(i = 0; i < 3; i++) { ToSendStuffBit(1); }
229
230 // data
231 for(i = 0; i < len; ++i) {
232
233 // Start bit
234 SEND4STUFFBIT(0);
235 //ToSendStuffBit(0);
236
237 // Data bits
238 b = cmd[i];
239 for(j = 0; j < 8; ++j) {
240 if(b & 1) {
241 SEND4STUFFBIT(1);
242 //ToSendStuffBit(1);
243 } else {
244 SEND4STUFFBIT(0);
245 //ToSendStuffBit(0);
246 }
247 b >>= 1;
248 }
249
250 // Stop bit
251 SEND4STUFFBIT(1);
252 //ToSendStuffBit(1);
253
254 // Extra Guard bit
255 // For PICC it ranges 0-18us (1etu = 9us)
256 SEND4STUFFBIT(1);
257 //ToSendStuffBit(1);
258 }
259
260 // Send EOF.
261 // 10-11 ETU * 4 sample rate = ZEROS
262 for(i = 0; i < 10; i++) { SEND4STUFFBIT(0); }
263 //for(i = 0; i < 10; i++) { ToSendStuffBit(0); }
264
265 // why this?
266 for(i = 0; i < 40; i++) { SEND4STUFFBIT(1); }
267 //for(i = 0; i < 40; i++) { ToSendStuffBit(1); }
268
269 // Convert from last byte pos to length
270 ++ToSendMax;
271 }
272
273
274 /* Receive & handle a bit coming from the reader.
275 *
276 * This function is called 4 times per bit (every 2 subcarrier cycles).
277 * Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 2,36us
278 *
279 * LED handling:
280 * LED A -> ON once we have received the SOF and are expecting the rest.
281 * LED A -> OFF once we have received EOF or are in error state or unsynced
282 *
283 * Returns: true if we received a EOF
284 * false if we are still waiting for some more
285 */
286 static RAMFUNC int Handle14443bReaderUartBit(uint8_t bit) {
287 switch(Uart.state) {
288 case STATE_UNSYNCD:
289 if(!bit) {
290 // we went low, so this could be the beginning of an SOF
291 Uart.state = STATE_GOT_FALLING_EDGE_OF_SOF;
292 Uart.posCnt = 0;
293 Uart.bitCnt = 0;
294 }
295 break;
296
297 case STATE_GOT_FALLING_EDGE_OF_SOF:
298 Uart.posCnt++;
299 if(Uart.posCnt == 2) { // sample every 4 1/fs in the middle of a bit
300 if(bit) {
301 if(Uart.bitCnt > 9) {
302 // we've seen enough consecutive
303 // zeros that it's a valid SOF
304 Uart.posCnt = 0;
305 Uart.byteCnt = 0;
306 Uart.state = STATE_AWAITING_START_BIT;
307 LED_A_ON(); // Indicate we got a valid SOF
308 } else {
309 // didn't stay down long enough
310 // before going high, error
311 Uart.state = STATE_UNSYNCD;
312 }
313 } else {
314 // do nothing, keep waiting
315 }
316 Uart.bitCnt++;
317 }
318 if(Uart.posCnt >= 4) Uart.posCnt = 0;
319 if(Uart.bitCnt > 12) {
320 // Give up if we see too many zeros without
321 // a one, too.
322 LED_A_OFF();
323 Uart.state = STATE_UNSYNCD;
324 }
325 break;
326
327 case STATE_AWAITING_START_BIT:
328 Uart.posCnt++;
329 if(bit) {
330 if(Uart.posCnt > 50/2) { // max 57us between characters = 49 1/fs, max 3 etus after low phase of SOF = 24 1/fs
331 // stayed high for too long between
332 // characters, error
333 Uart.state = STATE_UNSYNCD;
334 }
335 } else {
336 // falling edge, this starts the data byte
337 Uart.posCnt = 0;
338 Uart.bitCnt = 0;
339 Uart.shiftReg = 0;
340 Uart.state = STATE_RECEIVING_DATA;
341 }
342 break;
343
344 case STATE_RECEIVING_DATA:
345 Uart.posCnt++;
346 if(Uart.posCnt == 2) {
347 // time to sample a bit
348 Uart.shiftReg >>= 1;
349 if(bit) {
350 Uart.shiftReg |= 0x200;
351 }
352 Uart.bitCnt++;
353 }
354 if(Uart.posCnt >= 4) {
355 Uart.posCnt = 0;
356 }
357 if(Uart.bitCnt == 10) {
358 if((Uart.shiftReg & 0x200) && !(Uart.shiftReg & 0x001))
359 {
360 // this is a data byte, with correct
361 // start and stop bits
362 Uart.output[Uart.byteCnt] = (Uart.shiftReg >> 1) & 0xff;
363 Uart.byteCnt++;
364
365 if(Uart.byteCnt >= Uart.byteCntMax) {
366 // Buffer overflowed, give up
367 LED_A_OFF();
368 Uart.state = STATE_UNSYNCD;
369 } else {
370 // so get the next byte now
371 Uart.posCnt = 0;
372 Uart.state = STATE_AWAITING_START_BIT;
373 }
374 } else if (Uart.shiftReg == 0x000) {
375 // this is an EOF byte
376 LED_A_OFF(); // Finished receiving
377 Uart.state = STATE_UNSYNCD;
378 if (Uart.byteCnt != 0) {
379 return TRUE;
380 }
381 } else {
382 // this is an error
383 LED_A_OFF();
384 Uart.state = STATE_UNSYNCD;
385 }
386 }
387 break;
388
389 default:
390 LED_A_OFF();
391 Uart.state = STATE_UNSYNCD;
392 break;
393 }
394
395 return FALSE;
396 }
397
398 //-----------------------------------------------------------------------------
399 // Receive a command (from the reader to us, where we are the simulated tag),
400 // and store it in the given buffer, up to the given maximum length. Keeps
401 // spinning, waiting for a well-framed command, until either we get one
402 // (returns TRUE) or someone presses the pushbutton on the board (FALSE).
403 //
404 // Assume that we're called with the SSC (to the FPGA) and ADC path set
405 // correctly.
406 //-----------------------------------------------------------------------------
407 static int GetIso14443bCommandFromReader(uint8_t *received, uint16_t *len) {
408 // Set FPGA mode to "simulated ISO 14443B tag", no modulation (listen
409 // only, since we are receiving, not transmitting).
410 // Signal field is off with the appropriate LED
411 LED_D_OFF();
412 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
413
414 StartCountSspClk();
415
416 volatile uint8_t b;
417
418 // clear receiving shift register and holding register
419 // What does this loop do? Is it TR1?
420 for(uint8_t c = 0; c < 10;) {
421 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
422 AT91C_BASE_SSC->SSC_THR = 0xFF;
423 ++c;
424 }
425 }
426
427 // Now run a `software UART' on the stream of incoming samples.
428 UartInit(received);
429
430 b = 0;
431 uint8_t mask;
432 while( !BUTTON_PRESS() ) {
433 WDT_HIT();
434
435 if ( AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY ) {
436 b = (uint8_t) AT91C_BASE_SSC->SSC_RHR;
437 for ( mask = 0x80; mask != 0; mask >>= 1) {
438 if ( Handle14443bReaderUartBit(b & mask)) {
439 *len = Uart.byteCnt;
440 return TRUE;
441 }
442 }
443 }
444 }
445 return FALSE;
446 }
447
448 void ClearFpgaShiftingRegisters(void){
449
450 volatile uint8_t b;
451
452 // clear receiving shift register and holding register
453 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
454
455 b = AT91C_BASE_SSC->SSC_RHR; (void) b;
456
457 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
458
459 b = AT91C_BASE_SSC->SSC_RHR; (void) b;
460
461
462 // wait for the FPGA to signal fdt_indicator == 1 (the FPGA is ready to queue new data in its delay line)
463 for (uint8_t j = 0; j < 5; j++) { // allow timeout - better late than never
464 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
465 if (AT91C_BASE_SSC->SSC_RHR) break;
466 }
467
468 // Clear TXRDY:
469 //AT91C_BASE_SSC->SSC_THR = 0xFF;
470 }
471
472 void WaitForFpgaDelayQueueIsEmpty( uint16_t delay ){
473 // Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN again:
474 uint8_t fpga_queued_bits = delay >> 3; // twich /8 ?? >>3,
475 for (uint8_t i = 0; i <= fpga_queued_bits/8 + 1; ) {
476 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
477 AT91C_BASE_SSC->SSC_THR = 0xFF;
478 i++;
479 }
480 }
481 }
482
483 static void TransmitFor14443b_AsTag( uint8_t *response, uint16_t len) {
484
485 // Signal field is off with the appropriate LED
486 LED_D_OFF();
487 //uint16_t fpgasendQueueDelay = 0;
488
489 // Modulate BPSK
490 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK);
491
492 ClearFpgaShiftingRegisters();
493
494 FpgaSetupSsc();
495 volatile uint32_t b;
496
497 // Transmit the response.
498 for(uint16_t i = 0; i < len;) {
499 if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
500 AT91C_BASE_SSC->SSC_THR = response[++i];
501 }
502 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
503 b = AT91C_BASE_SSC->SSC_RHR;
504 (void)b;
505 }
506 }
507
508 //WaitForFpgaDelayQueueIsEmpty(fpgasendQueueDelay);
509 AT91C_BASE_SSC->SSC_THR = 0xFF;
510 }
511 //-----------------------------------------------------------------------------
512 // Main loop of simulated tag: receive commands from reader, decide what
513 // response to send, and send it.
514 //-----------------------------------------------------------------------------
515 void SimulateIso14443bTag(uint32_t pupi) {
516
517 ///////////// setup device.
518 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
519
520 // allocate command receive buffer
521 BigBuf_free();
522 BigBuf_Clear_ext(false);
523 clear_trace(); //sim
524 set_tracing(TRUE);
525
526 // connect Demodulated Signal to ADC:
527 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
528
529 // Set up the synchronous serial port
530 FpgaSetupSsc();
531 /////////////
532
533 uint16_t len, cmdsReceived = 0;
534 int cardSTATE = SIM_NOFIELD;
535 int vHf = 0; // in mV
536 // uint32_t time_0 = 0;
537 // uint32_t t2r_time = 0;
538 // uint32_t r2t_time = 0;
539 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
540
541 // the only commands we understand is WUPB, AFI=0, Select All, N=1:
542 // static const uint8_t cmdWUPB[] = { ISO14443B_REQB, 0x00, 0x08, 0x39, 0x73 }; // WUPB
543 // ... and REQB, AFI=0, Normal Request, N=1:
544 // static const uint8_t cmdREQB[] = { ISO14443B_REQB, 0x00, 0x00, 0x71, 0xFF }; // REQB
545 // ... and ATTRIB
546 // static const uint8_t cmdATTRIB[] = { ISO14443B_ATTRIB, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; // ATTRIB
547
548 // ... if not PUPI/UID is supplied we always respond with ATQB, PUPI = 820de174, Application Data = 0x20381922,
549 // supports only 106kBit/s in both directions, max frame size = 32Bytes,
550 // supports ISO14443-4, FWI=8 (77ms), NAD supported, CID not supported:
551 uint8_t respATQB[] = { 0x50, 0x82, 0x0d, 0xe1, 0x74, 0x20, 0x38, 0x19,
552 0x22, 0x00, 0x21, 0x85, 0x5e, 0xd7 };
553
554 // response to HLTB and ATTRIB
555 static const uint8_t respOK[] = {0x00, 0x78, 0xF0};
556
557 // ...PUPI/UID supplied from user. Adjust ATQB response accordingly
558 if ( pupi > 0 ) {
559 uint8_t len = sizeof(respATQB);
560 num_to_bytes(pupi, 4, respATQB+1);
561 ComputeCrc14443(CRC_14443_B, respATQB, 12, &respATQB[len-2], &respATQB[len-1]);
562 }
563
564 // prepare "ATQB" tag answer (encoded):
565 CodeIso14443bAsTag(respATQB, sizeof(respATQB));
566 uint8_t *encodedATQB = BigBuf_malloc(ToSendMax);
567 uint16_t encodedATQBLen = ToSendMax;
568 memcpy(encodedATQB, ToSend, ToSendMax);
569
570
571 // prepare "OK" tag answer (encoded):
572 CodeIso14443bAsTag(respOK, sizeof(respOK));
573 uint8_t *encodedOK = BigBuf_malloc(ToSendMax);
574 uint16_t encodedOKLen = ToSendMax;
575 memcpy(encodedOK, ToSend, ToSendMax);
576
577 // Simulation loop
578 while (!BUTTON_PRESS() && !usb_poll_validate_length()) {
579 WDT_HIT();
580
581 // find reader field
582 if (cardSTATE == SIM_NOFIELD) {
583 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
584 if ( vHf > MF_MINFIELDV ) {
585 cardSTATE = SIM_IDLE;
586 LED_A_ON();
587 }
588 }
589 if (cardSTATE == SIM_NOFIELD) continue;
590
591 // Get reader command
592 if (!GetIso14443bCommandFromReader(receivedCmd, &len)) {
593 Dbprintf("button pressed, received %d commands", cmdsReceived);
594 break;
595 }
596
597 // ISO14443-B protocol states:
598 // REQ or WUP request in ANY state
599 // WUP in HALTED state
600 if (len == 5 ) {
601 if ( (receivedCmd[0] == ISO14443B_REQB && (receivedCmd[2] & 0x8)== 0x8 && cardSTATE == SIM_HALTED) ||
602 receivedCmd[0] == ISO14443B_REQB ){
603 LogTrace(receivedCmd, len, 0, 0, NULL, TRUE);
604 cardSTATE = SIM_SELECTING;
605 }
606 }
607
608 /*
609 * How should this flow go?
610 * REQB or WUPB
611 * send response ( waiting for Attrib)
612 * ATTRIB
613 * send response ( waiting for commands 7816)
614 * HALT
615 send halt response ( waiting for wupb )
616 */
617
618 switch(cardSTATE){
619 case SIM_NOFIELD:
620 case SIM_HALTED:
621 case SIM_IDLE:{
622 LogTrace(receivedCmd, len, 0, 0, NULL, TRUE);
623 break;
624 }
625 case SIM_SELECTING: {
626 TransmitFor14443b_AsTag( encodedATQB, encodedATQBLen );
627 LogTrace(respATQB, sizeof(respATQB), 0, 0, NULL, FALSE);
628 cardSTATE = SIM_WORK;
629 break;
630 }
631 case SIM_HALTING: {
632 TransmitFor14443b_AsTag( encodedOK, encodedOKLen );
633 LogTrace(respOK, sizeof(respOK), 0, 0, NULL, FALSE);
634 cardSTATE = SIM_HALTED;
635 break;
636 }
637 case SIM_ACKNOWLEDGE:{
638 TransmitFor14443b_AsTag( encodedOK, encodedOKLen );
639 LogTrace(respOK, sizeof(respOK), 0, 0, NULL, FALSE);
640 cardSTATE = SIM_IDLE;
641 break;
642 }
643 case SIM_WORK:{
644 if ( len == 7 && receivedCmd[0] == ISO14443B_HALT ) {
645 cardSTATE = SIM_HALTED;
646 } else if ( len == 11 && receivedCmd[0] == ISO14443B_ATTRIB ) {
647 cardSTATE = SIM_ACKNOWLEDGE;
648 } else {
649 // Todo:
650 // - SLOT MARKER
651 // - ISO7816
652 // - emulate with a memory dump
653 Dbprintf("new cmd from reader: len=%d, cmdsRecvd=%d", len, cmdsReceived);
654
655 // CRC Check
656 uint8_t b1, b2;
657 if (len >= 3){ // if crc exists
658 ComputeCrc14443(CRC_14443_B, receivedCmd, len-2, &b1, &b2);
659 if(b1 != receivedCmd[len-2] || b2 != receivedCmd[len-1])
660 DbpString("+++CRC fail");
661 else
662 DbpString("CRC passes");
663 }
664 cardSTATE = SIM_IDLE;
665 }
666 break;
667 }
668 default: break;
669 }
670
671 ++cmdsReceived;
672 if(cmdsReceived > 1000) {
673 DbpString("14B Simulate, 1000 commands later...");
674 break;
675 }
676 }
677 if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, BigBuf_get_traceLen());
678 switch_off(); //simulate
679 }
680
681 //=============================================================================
682 // An ISO 14443 Type B reader. We take layer two commands, code them
683 // appropriately, and then send them to the tag. We then listen for the
684 // tag's response, which we leave in the buffer to be demodulated on the
685 // PC side.
686 //=============================================================================
687
688 /*
689 * Handles reception of a bit from the tag
690 *
691 * This function is called 2 times per bit (every 4 subcarrier cycles).
692 * Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 4,72us
693 *
694 * LED handling:
695 * LED C -> ON once we have received the SOF and are expecting the rest.
696 * LED C -> OFF once we have received EOF or are unsynced
697 *
698 * Returns: true if we received a EOF
699 * false if we are still waiting for some more
700 *
701 */
702 #ifndef SUBCARRIER_DETECT_THRESHOLD
703 # define SUBCARRIER_DETECT_THRESHOLD 8
704 #endif
705
706 static RAMFUNC int Handle14443bTagSamplesDemod(int ci, int cq) {
707 int v=0;// , myI, myQ = 0;
708 // The soft decision on the bit uses an estimate of just the
709 // quadrant of the reference angle, not the exact angle.
710 #define MAKE_SOFT_DECISION() { \
711 if(Demod.sumI > 0) { \
712 v = ci; \
713 } else { \
714 v = -ci; \
715 } \
716 if(Demod.sumQ > 0) { \
717 v += cq; \
718 } else { \
719 v -= cq; \
720 } \
721 }
722
723 // Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by abs(ci) + abs(cq)
724 // Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by max(abs(ci),abs(cq)) + 1/2*min(abs(ci),abs(cq)))
725 #define CHECK_FOR_SUBCARRIER() { \
726 if(ci < 0) { \
727 if(cq < 0) { /* ci < 0, cq < 0 */ \
728 if (cq < ci) { \
729 v = -cq - (ci >> 1); \
730 } else { \
731 v = -ci - (cq >> 1); \
732 } \
733 } else { /* ci < 0, cq >= 0 */ \
734 if (cq < -ci) { \
735 v = -ci + (cq >> 1); \
736 } else { \
737 v = cq - (ci >> 1); \
738 } \
739 } \
740 } else { \
741 if(cq < 0) { /* ci >= 0, cq < 0 */ \
742 if (-cq < ci) { \
743 v = ci - (cq >> 1); \
744 } else { \
745 v = -cq + (ci >> 1); \
746 } \
747 } else { /* ci >= 0, cq >= 0 */ \
748 if (cq < ci) { \
749 v = ci + (cq >> 1); \
750 } else { \
751 v = cq + (ci >> 1); \
752 } \
753 } \
754 } \
755 }
756
757 //note: couldn't we just use MAX(ABS(ci),ABS(cq)) + (MIN(ABS(ci),ABS(cq))/2) from common.h - marshmellow
758 #define CHECK_FOR_SUBCARRIER_un() { \
759 myI = ABS(ci); \
760 myQ = ABS(cq); \
761 v = MAX(myI,myQ) + (MIN(myI,myQ) >> 1); \
762 }
763
764 switch(Demod.state) {
765 case DEMOD_UNSYNCD:
766
767 CHECK_FOR_SUBCARRIER();
768
769 // subcarrier detected
770 if(v > SUBCARRIER_DETECT_THRESHOLD) {
771 Demod.state = DEMOD_PHASE_REF_TRAINING;
772 Demod.sumI = ci;
773 Demod.sumQ = cq;
774 Demod.posCount = 1;
775 }
776 break;
777
778 case DEMOD_PHASE_REF_TRAINING:
779 if(Demod.posCount < 8) {
780
781 CHECK_FOR_SUBCARRIER();
782
783 if (v > SUBCARRIER_DETECT_THRESHOLD) {
784 // set the reference phase (will code a logic '1') by averaging over 32 1/fs.
785 // note: synchronization time > 80 1/fs
786 Demod.sumI += ci;
787 Demod.sumQ += cq;
788 ++Demod.posCount;
789 } else {
790 // subcarrier lost
791 Demod.state = DEMOD_UNSYNCD;
792 }
793 } else {
794 Demod.state = DEMOD_AWAITING_FALLING_EDGE_OF_SOF;
795 }
796 break;
797
798 case DEMOD_AWAITING_FALLING_EDGE_OF_SOF:
799
800 MAKE_SOFT_DECISION();
801
802 if(v < 0) { // logic '0' detected
803 Demod.state = DEMOD_GOT_FALLING_EDGE_OF_SOF;
804 Demod.posCount = 0; // start of SOF sequence
805 } else {
806 // maximum length of TR1 = 200 1/fs
807 if(Demod.posCount > 26*2) Demod.state = DEMOD_UNSYNCD;
808 }
809 ++Demod.posCount;
810 break;
811
812 case DEMOD_GOT_FALLING_EDGE_OF_SOF:
813 ++Demod.posCount;
814
815 MAKE_SOFT_DECISION();
816
817 if(v > 0) {
818 // low phase of SOF too short (< 9 etu). Note: spec is >= 10, but FPGA tends to "smear" edges
819 if(Demod.posCount < 8*2) {
820 Demod.state = DEMOD_UNSYNCD;
821 } else {
822 LED_C_ON(); // Got SOF
823 Demod.startTime = GetCountSspClk();
824 Demod.state = DEMOD_AWAITING_START_BIT;
825 Demod.posCount = 0;
826 Demod.len = 0;
827 }
828 } else {
829 // low phase of SOF too long (> 12 etu)
830 if (Demod.posCount > 14*2) {
831 Demod.state = DEMOD_UNSYNCD;
832 LED_C_OFF();
833 }
834 }
835 break;
836
837 case DEMOD_AWAITING_START_BIT:
838 ++Demod.posCount;
839
840 MAKE_SOFT_DECISION();
841
842 if (v > 0) {
843 if(Demod.posCount > 2*2) { // max 19us between characters = 16 1/fs, max 3 etu after low phase of SOF = 24 1/fs
844 Demod.state = DEMOD_UNSYNCD;
845 LED_C_OFF();
846 }
847 } else { // start bit detected
848 Demod.bitCount = 0;
849 Demod.posCount = 1; // this was the first half
850 Demod.thisBit = v;
851 Demod.shiftReg = 0;
852 Demod.state = DEMOD_RECEIVING_DATA;
853 }
854 break;
855
856 case DEMOD_RECEIVING_DATA:
857
858 MAKE_SOFT_DECISION();
859
860 if (Demod.posCount == 0) {
861 // first half of bit
862 Demod.thisBit = v;
863 Demod.posCount = 1;
864 } else {
865 // second half of bit
866 Demod.thisBit += v;
867 Demod.shiftReg >>= 1;
868
869 // logic '1'
870 if(Demod.thisBit > 0) Demod.shiftReg |= 0x200;
871
872 ++Demod.bitCount;
873
874 if(Demod.bitCount == 10) {
875
876 uint16_t s = Demod.shiftReg;
877
878 // stop bit == '1', start bit == '0'
879 if((s & 0x200) && !(s & 0x001)) {
880 uint8_t b = (s >> 1);
881 Demod.output[Demod.len] = b;
882 ++Demod.len;
883 Demod.state = DEMOD_AWAITING_START_BIT;
884 } else {
885 Demod.state = DEMOD_UNSYNCD;
886 Demod.endTime = GetCountSspClk();
887 LED_C_OFF();
888
889 // This is EOF (start, stop and all data bits == '0'
890 if(s == 0) return TRUE;
891 }
892 }
893 Demod.posCount = 0;
894 }
895 break;
896
897 default:
898 Demod.state = DEMOD_UNSYNCD;
899 LED_C_OFF();
900 break;
901 }
902 return FALSE;
903 }
904
905
906 /*
907 * Demodulate the samples we received from the tag, also log to tracebuffer
908 * quiet: set to 'TRUE' to disable debug output
909 */
910 static void GetTagSamplesFor14443bDemod() {
911 bool gotFrame = FALSE;
912 int lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
913 int max = 0, ci = 0, cq = 0, samples = 0;
914 uint32_t time_0 = 0, time_stop = 0;
915
916 BigBuf_free();
917
918 // Set up the demodulator for tag -> reader responses.
919 DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
920
921 // The DMA buffer, used to stream samples from the FPGA
922 int8_t *dmaBuf = (int8_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE);
923 int8_t *upTo = dmaBuf;
924
925 // Setup and start DMA.
926 if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE) ){
927 if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting");
928 return;
929 }
930
931 time_0 = GetCountSspClk();
932
933 // And put the FPGA in the appropriate mode
934 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
935
936 while( !BUTTON_PRESS() ) {
937 WDT_HIT();
938
939 int behindBy = lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR;
940 if(behindBy > max) max = behindBy;
941
942 // rx counter - dma counter? (how much?) & (mod) dma buff / 2. (since 2bytes at the time is read)
943 while(((lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) & (ISO14443B_DMA_BUFFER_SIZE-1)) > 2) {
944
945 ci = upTo[0];
946 cq = upTo[1];
947 upTo += 2;
948 samples += 2;
949
950 // restart DMA buffer to receive again.
951 if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) {
952 upTo = dmaBuf;
953 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
954 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE;
955 }
956
957 lastRxCounter -= 2;
958 if(lastRxCounter <= 0)
959 lastRxCounter += ISO14443B_DMA_BUFFER_SIZE;
960
961 // is this | 0x01 the error? & 0xfe in https://github.com/Proxmark/proxmark3/issues/103
962 //gotFrame = Handle14443bTagSamplesDemod(ci & 0xfe, cq & 0xfe);
963 gotFrame = Handle14443bTagSamplesDemod(ci, cq);
964 if ( gotFrame ) break;
965 LED_A_INV();
966 }
967
968 time_stop = GetCountSspClk() - time_0;
969
970 if(time_stop > iso14b_timeout || gotFrame) break;
971 }
972
973 FpgaDisableSscDma();
974
975 if (MF_DBGLEVEL >= 3) {
976 Dbprintf("max behindby = %d, samples = %d, gotFrame = %s, Demod.state = %d, Demod.len = %u",
977 max,
978 samples,
979 (gotFrame) ? "true" : "false",
980 Demod.state,
981 Demod.len
982 );
983 }
984 if ( Demod.len > 0 )
985 LogTrace(Demod.output, Demod.len, Demod.startTime, Demod.endTime, NULL, FALSE);
986 }
987
988
989 //-----------------------------------------------------------------------------
990 // Transmit the command (to the tag) that was placed in ToSend[].
991 //-----------------------------------------------------------------------------
992 static void TransmitFor14443b_AsReader(void) {
993
994 // we could been in following mode:
995 // FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ
996 // if its second call or more
997
998 // while(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
999 // AT91C_BASE_SSC->SSC_THR = 0XFF;
1000 // }
1001
1002 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
1003 SpinDelay(40);
1004
1005 int c;
1006 volatile uint32_t b;
1007
1008 // What does this loop do? Is it TR1?
1009 // 0xFF = 8 bits of 1. 1 bit == 1Etu,..
1010 // loop 10 * 8 = 80 ETU of delay, with a non modulated signal. why?
1011 // 80*9 = 720us.
1012 for(c = 0; c < 50;) {
1013 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1014 AT91C_BASE_SSC->SSC_THR = 0xFF;
1015 ++c;
1016 }
1017 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1018 b = AT91C_BASE_SSC->SSC_RHR;
1019 (void)b;
1020 }
1021 }
1022
1023 // Send frame loop
1024 for(c = 0; c < ToSendMax;) {
1025 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1026 AT91C_BASE_SSC->SSC_THR = ToSend[c++];
1027 }
1028 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1029 b = AT91C_BASE_SSC->SSC_RHR;
1030 (void)b;
1031 }
1032 }
1033 //WaitForFpgaDelayQueueIsEmpty(delay);
1034 // We should wait here for the FPGA to send all bits.
1035 WDT_HIT();
1036 }
1037
1038 //-----------------------------------------------------------------------------
1039 // Code a layer 2 command (string of octets, including CRC) into ToSend[],
1040 // so that it is ready to transmit to the tag using TransmitFor14443b().
1041 //-----------------------------------------------------------------------------
1042 static void CodeIso14443bAsReader(const uint8_t *cmd, int len)
1043 {
1044 /*
1045 * Reader data transmission:
1046 * - no modulation ONES
1047 * - SOF
1048 * - Command, data and CRC_B
1049 * - EOF
1050 * - no modulation ONES
1051 *
1052 * 1 ETU == 1 BIT!
1053 * TR0 - 8 ETUS minimum.
1054 *
1055 * QUESTION: how long is a 1 or 0 in pulses in the xcorr_848 mode?
1056 * 1 "stuffbit" = 1ETU (9us)
1057 */
1058 int i;
1059 uint8_t b;
1060
1061 ToSendReset();
1062
1063 // Send SOF
1064 // 10-11 ETUs of ZERO
1065 for(i = 0; i < 10; ++i) ToSendStuffBit(0);
1066
1067 // 2-3 ETUs of ONE
1068 ToSendStuffBit(1);
1069 ToSendStuffBit(1);
1070 ToSendStuffBit(1);
1071
1072 // Sending cmd, LSB
1073 // from here we add BITS
1074 for(i = 0; i < len; ++i) {
1075 // Start bit
1076 ToSendStuffBit(0);
1077 // Data bits
1078 b = cmd[i];
1079 if ( b & 1 ) ToSendStuffBit(1); else ToSendStuffBit(0);
1080 if ( (b>>1) & 1) ToSendStuffBit(1); else ToSendStuffBit(0);
1081 if ( (b>>2) & 1) ToSendStuffBit(1); else ToSendStuffBit(0);
1082 if ( (b>>3) & 1) ToSendStuffBit(1); else ToSendStuffBit(0);
1083 if ( (b>>4) & 1) ToSendStuffBit(1); else ToSendStuffBit(0);
1084 if ( (b>>5) & 1) ToSendStuffBit(1); else ToSendStuffBit(0);
1085 if ( (b>>6) & 1) ToSendStuffBit(1); else ToSendStuffBit(0);
1086 if ( (b>>7) & 1) ToSendStuffBit(1); else ToSendStuffBit(0);
1087 // Stop bit
1088 ToSendStuffBit(1);
1089 // EGT extra guard time
1090 // For PCD it ranges 0-57us (1etu = 9us)
1091 ToSendStuffBit(1);
1092 ToSendStuffBit(1);
1093 ToSendStuffBit(1);
1094 }
1095
1096 // Send EOF
1097 // 10-11 ETUs of ZERO
1098 for(i = 0; i < 10; ++i) ToSendStuffBit(0);
1099
1100 // Transition time. TR0 - guard time
1101 // 8ETUS minum?
1102 // Per specification, Subcarrier must be stopped no later than 2 ETUs after EOF.
1103 // I'm guessing this is for the FPGA to be able to send all bits before we switch to listening mode
1104 for(i = 0; i < 32 ; ++i) ToSendStuffBit(1);
1105
1106 // TR1 - Synchronization time
1107 // Convert from last character reference to length
1108 ++ToSendMax;
1109 }
1110
1111
1112 /**
1113 Convenience function to encode, transmit and trace iso 14443b comms
1114 **/
1115 static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len) {
1116
1117 CodeIso14443bAsReader(cmd, len);
1118
1119 uint32_t time_start = GetCountSspClk();
1120
1121 TransmitFor14443b_AsReader();
1122
1123 if(trigger) LED_A_ON();
1124
1125 LogTrace(cmd, len, time_start, GetCountSspClk()-time_start, NULL, TRUE);
1126 }
1127
1128 /* Sends an APDU to the tag
1129 * TODO: check CRC and preamble
1130 */
1131 uint8_t iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *response)
1132 {
1133 uint8_t crc[2] = {0x00, 0x00};
1134 uint8_t message_frame[message_length + 4];
1135 // PCB
1136 message_frame[0] = 0x0A | pcb_blocknum;
1137 pcb_blocknum ^= 1;
1138 // CID
1139 message_frame[1] = 0;
1140 // INF
1141 memcpy(message_frame + 2, message, message_length);
1142 // EDC (CRC)
1143 ComputeCrc14443(CRC_14443_B, message_frame, message_length + 2, &message_frame[message_length + 2], &message_frame[message_length + 3]);
1144 // send
1145 CodeAndTransmit14443bAsReader(message_frame, message_length + 4); //no
1146 // get response
1147 GetTagSamplesFor14443bDemod(); //no
1148 if(Demod.len < 3)
1149 return 0;
1150
1151 // VALIDATE CRC
1152 ComputeCrc14443(CRC_14443_B, Demod.output, Demod.len-2, &crc[0], &crc[1]);
1153 if ( crc[0] != Demod.output[Demod.len-2] || crc[1] != Demod.output[Demod.len-1] )
1154 return 0;
1155
1156 // copy response contents
1157 if(response != NULL)
1158 memcpy(response, Demod.output, Demod.len);
1159
1160 return Demod.len;
1161 }
1162
1163 /**
1164 * SRx Initialise.
1165 */
1166 uint8_t iso14443b_select_srx_card(iso14b_card_select_t *card )
1167 {
1168 // INITIATE command: wake up the tag using the INITIATE
1169 static const uint8_t init_srx[] = { ISO14443B_INITIATE, 0x00, 0x97, 0x5b };
1170 // SELECT command (with space for CRC)
1171 uint8_t select_srx[] = { ISO14443B_SELECT, 0x00, 0x00, 0x00};
1172 // temp to calc crc.
1173 uint8_t crc[2] = {0x00, 0x00};
1174
1175 CodeAndTransmit14443bAsReader(init_srx, sizeof(init_srx));
1176 GetTagSamplesFor14443bDemod(); //no
1177
1178 if (Demod.len == 0) return 2;
1179
1180 // Randomly generated Chip ID
1181 if (card) card->chipid = Demod.output[0];
1182
1183 select_srx[1] = Demod.output[0];
1184
1185 ComputeCrc14443(CRC_14443_B, select_srx, 2, &select_srx[2], &select_srx[3]);
1186 CodeAndTransmit14443bAsReader(select_srx, sizeof(select_srx));
1187 GetTagSamplesFor14443bDemod(); //no
1188
1189 if (Demod.len != 3) return 2;
1190
1191 // Check the CRC of the answer:
1192 ComputeCrc14443(CRC_14443_B, Demod.output, Demod.len-2 , &crc[0], &crc[1]);
1193 if(crc[0] != Demod.output[1] || crc[1] != Demod.output[2]) return 3;
1194
1195 // Check response from the tag: should be the same UID as the command we just sent:
1196 if (select_srx[1] != Demod.output[0]) return 1;
1197
1198 // First get the tag's UID:
1199 select_srx[0] = ISO14443B_GET_UID;
1200
1201 ComputeCrc14443(CRC_14443_B, select_srx, 1 , &select_srx[1], &select_srx[2]);
1202 CodeAndTransmit14443bAsReader(select_srx, 3); // Only first three bytes for this one
1203 GetTagSamplesFor14443bDemod(); //no
1204
1205 if (Demod.len != 10) return 2;
1206
1207 // The check the CRC of the answer
1208 ComputeCrc14443(CRC_14443_B, Demod.output, Demod.len-2, &crc[0], &crc[1]);
1209 if(crc[0] != Demod.output[8] || crc[1] != Demod.output[9]) return 3;
1210
1211 if (card) {
1212 card->uidlen = 8;
1213 memcpy(card->uid, Demod.output, 8);
1214 }
1215
1216 return 0;
1217 }
1218 /* Perform the ISO 14443 B Card Selection procedure
1219 * Currently does NOT do any collision handling.
1220 * It expects 0-1 cards in the device's range.
1221 * TODO: Support multiple cards (perform anticollision)
1222 * TODO: Verify CRC checksums
1223 */
1224 uint8_t iso14443b_select_card(iso14b_card_select_t *card )
1225 {
1226 // WUPB command (including CRC)
1227 // Note: WUPB wakes up all tags, REQB doesn't wake up tags in HALT state
1228 static const uint8_t wupb[] = { ISO14443B_REQB, 0x00, 0x08, 0x39, 0x73 };
1229 // ATTRIB command (with space for CRC)
1230 uint8_t attrib[] = { ISO14443B_ATTRIB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00};
1231
1232 // temp to calc crc.
1233 uint8_t crc[2] = {0x00, 0x00};
1234
1235 // first, wake up the tag
1236 CodeAndTransmit14443bAsReader(wupb, sizeof(wupb));
1237 GetTagSamplesFor14443bDemod(); //select_card
1238
1239 // ATQB too short?
1240 if (Demod.len < 14) return 2;
1241
1242 // VALIDATE CRC
1243 ComputeCrc14443(CRC_14443_B, Demod.output, Demod.len-2, &crc[0], &crc[1]);
1244 if ( crc[0] != Demod.output[12] || crc[1] != Demod.output[13] )
1245 return 3;
1246
1247 if (card) {
1248 card->uidlen = 4;
1249 memcpy(card->uid, Demod.output+1, 4);
1250 memcpy(card->atqb, Demod.output+5, 7);
1251 }
1252
1253 // copy the PUPI to ATTRIB ( PUPI == UID )
1254 memcpy(attrib + 1, Demod.output + 1, 4);
1255
1256 // copy the protocol info from ATQB (Protocol Info -> Protocol_Type) into ATTRIB (Param 3)
1257 attrib[7] = Demod.output[10] & 0x0F;
1258 ComputeCrc14443(CRC_14443_B, attrib, 9, attrib + 9, attrib + 10);
1259
1260 CodeAndTransmit14443bAsReader(attrib, sizeof(attrib));
1261 GetTagSamplesFor14443bDemod();//select_card
1262
1263 // Answer to ATTRIB too short?
1264 if(Demod.len < 3) return 2;
1265
1266 // VALIDATE CRC
1267 ComputeCrc14443(CRC_14443_B, Demod.output, Demod.len-2, &crc[0], &crc[1]);
1268 if ( crc[0] != Demod.output[1] || crc[1] != Demod.output[2] )
1269 return 3;
1270
1271 // CID
1272 if (card) {
1273 card->cid = Demod.output[0];
1274 uint8_t fwt = card->atqb[6] >> 4;
1275 if ( fwt < 16 ){
1276 uint32_t fwt_time = (302 << fwt);
1277 iso14b_set_timeout( fwt_time);
1278 }
1279 }
1280 // reset PCB block number
1281 pcb_blocknum = 0;
1282 return 0;
1283 }
1284
1285 // Set up ISO 14443 Type B communication (similar to iso14443a_setup)
1286 // field is setup for "Sending as Reader"
1287 void iso14443b_setup() {
1288 if (MF_DBGLEVEL > 3) Dbprintf("iso1443b_setup Enter");
1289 LEDsoff();
1290 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1291 //BigBuf_free();
1292 //BigBuf_Clear_ext(false);
1293
1294 // Initialize Demod and Uart structs
1295 DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
1296 UartInit(BigBuf_malloc(MAX_FRAME_SIZE));
1297
1298 // connect Demodulated Signal to ADC:
1299 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1300
1301 // Set up the synchronous serial port
1302 FpgaSetupSsc();
1303
1304 // Signal field is on with the appropriate LED
1305 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
1306 SpinDelay(100);
1307
1308 // Start the timer
1309 StartCountSspClk();
1310
1311 LED_D_ON();
1312 if (MF_DBGLEVEL > 3) Dbprintf("iso1443b_setup Exit");
1313 }
1314
1315 //-----------------------------------------------------------------------------
1316 // Read a SRI512 ISO 14443B tag.
1317 //
1318 // SRI512 tags are just simple memory tags, here we're looking at making a dump
1319 // of the contents of the memory. No anticollision algorithm is done, we assume
1320 // we have a single tag in the field.
1321 //
1322 // I tried to be systematic and check every answer of the tag, every CRC, etc...
1323 //-----------------------------------------------------------------------------
1324 void ReadSTMemoryIso14443b(uint8_t numofblocks)
1325 {
1326 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1327
1328 // Make sure that we start from off, since the tags are stateful;
1329 // confusing things will happen if we don't reset them between reads.
1330 switch_off(); // before ReadStMemory
1331
1332 set_tracing(TRUE);
1333
1334 uint8_t i = 0x00;
1335
1336 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1337 FpgaSetupSsc();
1338
1339 // Now give it time to spin up.
1340 // Signal field is on with the appropriate LED
1341 LED_D_ON();
1342 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
1343 SpinDelay(20);
1344
1345 // First command: wake up the tag using the INITIATE command
1346 uint8_t cmd1[] = {ISO14443B_INITIATE, 0x00, 0x97, 0x5b};
1347 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1)); //no
1348 GetTagSamplesFor14443bDemod(); // no
1349
1350 if (Demod.len == 0) {
1351 DbpString("No response from tag");
1352 set_tracing(FALSE);
1353 return;
1354 } else {
1355 Dbprintf("Randomly generated Chip ID (+ 2 byte CRC): %02x %02x %02x",
1356 Demod.output[0], Demod.output[1], Demod.output[2]);
1357 }
1358
1359 // There is a response, SELECT the uid
1360 DbpString("Now SELECT tag:");
1361 cmd1[0] = ISO14443B_SELECT; // 0x0E is SELECT
1362 cmd1[1] = Demod.output[0];
1363 ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
1364 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1)); //no
1365 GetTagSamplesFor14443bDemod(); //no
1366 if (Demod.len != 3) {
1367 Dbprintf("Expected 3 bytes from tag, got %d", Demod.len);
1368 set_tracing(FALSE);
1369 return;
1370 }
1371 // Check the CRC of the answer:
1372 ComputeCrc14443(CRC_14443_B, Demod.output, 1 , &cmd1[2], &cmd1[3]);
1373 if(cmd1[2] != Demod.output[1] || cmd1[3] != Demod.output[2]) {
1374 DbpString("CRC Error reading select response.");
1375 set_tracing(FALSE);
1376 return;
1377 }
1378 // Check response from the tag: should be the same UID as the command we just sent:
1379 if (cmd1[1] != Demod.output[0]) {
1380 Dbprintf("Bad response to SELECT from Tag, aborting: %02x %02x", cmd1[1], Demod.output[0]);
1381 set_tracing(FALSE);
1382 return;
1383 }
1384
1385 // Tag is now selected,
1386 // First get the tag's UID:
1387 cmd1[0] = ISO14443B_GET_UID;
1388 ComputeCrc14443(CRC_14443_B, cmd1, 1 , &cmd1[1], &cmd1[2]);
1389 CodeAndTransmit14443bAsReader(cmd1, 3); // no -- Only first three bytes for this one
1390 GetTagSamplesFor14443bDemod(); //no
1391 if (Demod.len != 10) {
1392 Dbprintf("Expected 10 bytes from tag, got %d", Demod.len);
1393 set_tracing(FALSE);
1394 return;
1395 }
1396 // The check the CRC of the answer (use cmd1 as temporary variable):
1397 ComputeCrc14443(CRC_14443_B, Demod.output, 8, &cmd1[2], &cmd1[3]);
1398 if(cmd1[2] != Demod.output[8] || cmd1[3] != Demod.output[9]) {
1399 Dbprintf("CRC Error reading block! Expected: %04x got: %04x",
1400 (cmd1[2]<<8)+cmd1[3], (Demod.output[8]<<8)+Demod.output[9]);
1401 // Do not return;, let's go on... (we should retry, maybe ?)
1402 }
1403 Dbprintf("Tag UID (64 bits): %08x %08x",
1404 (Demod.output[7]<<24) + (Demod.output[6]<<16) + (Demod.output[5]<<8) + Demod.output[4],
1405 (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0]);
1406
1407 // Now loop to read all 16 blocks, address from 0 to last block
1408 Dbprintf("Tag memory dump, block 0 to %d", numofblocks);
1409 cmd1[0] = 0x08;
1410 i = 0x00;
1411 ++numofblocks;
1412
1413 for (;;) {
1414 if (i == numofblocks) {
1415 DbpString("System area block (0xff):");
1416 i = 0xff;
1417 }
1418 cmd1[1] = i;
1419 ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
1420 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1)); //no
1421 GetTagSamplesFor14443bDemod(); //no
1422
1423 if (Demod.len != 6) { // Check if we got an answer from the tag
1424 DbpString("Expected 6 bytes from tag, got less...");
1425 return;
1426 }
1427 // The check the CRC of the answer (use cmd1 as temporary variable):
1428 ComputeCrc14443(CRC_14443_B, Demod.output, 4, &cmd1[2], &cmd1[3]);
1429 if(cmd1[2] != Demod.output[4] || cmd1[3] != Demod.output[5]) {
1430 Dbprintf("CRC Error reading block! Expected: %04x got: %04x",
1431 (cmd1[2]<<8)+cmd1[3], (Demod.output[4]<<8)+Demod.output[5]);
1432 // Do not return;, let's go on... (we should retry, maybe ?)
1433 }
1434 // Now print out the memory location:
1435 Dbprintf("Address=%02x, Contents=%08x, CRC=%04x", i,
1436 (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0],
1437 (Demod.output[4]<<8)+Demod.output[5]);
1438
1439 if (i == 0xff) break;
1440 ++i;
1441 }
1442
1443 set_tracing(FALSE);
1444 }
1445
1446
1447 static void iso1444b_setup_snoop(void){
1448 if (MF_DBGLEVEL > 3) Dbprintf("iso1443b_setup_snoop Enter");
1449 LEDsoff();
1450 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1451 BigBuf_free();
1452 BigBuf_Clear_ext(false);
1453 clear_trace();//setup snoop
1454 set_tracing(TRUE);
1455
1456 // Initialize Demod and Uart structs
1457 DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
1458 UartInit(BigBuf_malloc(MAX_FRAME_SIZE));
1459
1460 if (MF_DBGLEVEL > 1) {
1461 // Print debug information about the buffer sizes
1462 Dbprintf("Snooping buffers initialized:");
1463 Dbprintf(" Trace: %i bytes", BigBuf_max_traceLen());
1464 Dbprintf(" Reader -> tag: %i bytes", MAX_FRAME_SIZE);
1465 Dbprintf(" tag -> Reader: %i bytes", MAX_FRAME_SIZE);
1466 Dbprintf(" DMA: %i bytes", ISO14443B_DMA_BUFFER_SIZE);
1467 }
1468
1469 // connect Demodulated Signal to ADC:
1470 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1471
1472 // Setup for the DMA.
1473 FpgaSetupSsc();
1474
1475 // Set FPGA in the appropriate mode
1476 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ | FPGA_HF_READER_RX_XCORR_SNOOP);
1477 SpinDelay(20);
1478
1479 // Start the SSP timer
1480 StartCountSspClk();
1481 if (MF_DBGLEVEL > 3) Dbprintf("iso1443b_setup_snoop Exit");
1482 }
1483
1484 //=============================================================================
1485 // Finally, the `sniffer' combines elements from both the reader and
1486 // simulated tag, to show both sides of the conversation.
1487 //=============================================================================
1488
1489 //-----------------------------------------------------------------------------
1490 // Record the sequence of commands sent by the reader to the tag, with
1491 // triggering so that we start recording at the point that the tag is moved
1492 // near the reader.
1493 //-----------------------------------------------------------------------------
1494 /*
1495 * Memory usage for this function, (within BigBuf)
1496 * Last Received command (reader->tag) - MAX_FRAME_SIZE
1497 * Last Received command (tag->reader) - MAX_FRAME_SIZE
1498 * DMA Buffer - ISO14443B_DMA_BUFFER_SIZE
1499 * Demodulated samples received - all the rest
1500 */
1501 void RAMFUNC SnoopIso14443b(void) {
1502
1503 uint32_t time_0 = 0, time_start = 0, time_stop = 0;
1504
1505 // We won't start recording the frames that we acquire until we trigger;
1506 // a good trigger condition to get started is probably when we see a
1507 // response from the tag.
1508 int triggered = TRUE; // TODO: set and evaluate trigger condition
1509 int ci, cq;
1510 int maxBehindBy = 0;
1511 //int behindBy = 0;
1512 int lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
1513
1514 bool TagIsActive = FALSE;
1515 bool ReaderIsActive = FALSE;
1516
1517 iso1444b_setup_snoop();
1518
1519 // The DMA buffer, used to stream samples from the FPGA
1520 int8_t *dmaBuf = (int8_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE);
1521 int8_t *upTo = dmaBuf;
1522
1523 // Setup and start DMA.
1524 if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE) ){
1525 if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting");
1526 BigBuf_free();
1527 return;
1528 }
1529
1530 time_0 = GetCountSspClk();
1531
1532 // And now we loop, receiving samples.
1533 for(;;) {
1534
1535 WDT_HIT();
1536
1537 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) & (ISO14443B_DMA_BUFFER_SIZE-1);
1538
1539 if ( behindBy > maxBehindBy )
1540 maxBehindBy = behindBy;
1541
1542 if ( behindBy < 2 ) continue;
1543
1544 ci = upTo[0];
1545 cq = upTo[1];
1546 upTo += 2;
1547
1548 lastRxCounter -= 2;
1549
1550 if (upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) {
1551 upTo = dmaBuf;
1552 lastRxCounter += ISO14443B_DMA_BUFFER_SIZE;
1553 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
1554 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE;
1555 WDT_HIT();
1556
1557 // TODO: understand whether we can increase/decrease as we want or not?
1558 if ( behindBy > ( 9 * ISO14443B_DMA_BUFFER_SIZE/10) ) {
1559 Dbprintf("blew circular buffer! behindBy=%d", behindBy);
1560 break;
1561 }
1562
1563 if(!tracing) {
1564 DbpString("Trace full");
1565 break;
1566 }
1567
1568 if(BUTTON_PRESS()) {
1569 DbpString("cancelled");
1570 break;
1571 }
1572 }
1573
1574 if (!TagIsActive) {
1575
1576 LED_A_ON();
1577
1578 // no need to try decoding reader data if the tag is sending
1579 if (Handle14443bReaderUartBit(ci & 0x01)) {
1580
1581 time_stop = (GetCountSspClk()-time_0);
1582
1583 if (triggered)
1584 LogTrace(Uart.output, Uart.byteCnt, time_start, time_stop, NULL, TRUE);
1585
1586 /* And ready to receive another command. */
1587 UartReset();
1588 /* And also reset the demod code, which might have been */
1589 /* false-triggered by the commands from the reader. */
1590 DemodReset();
1591 } else {
1592 time_start = (GetCountSspClk()-time_0);
1593 }
1594
1595 if (Handle14443bReaderUartBit(cq & 0x01)) {
1596
1597 time_stop = (GetCountSspClk()-time_0);
1598
1599 if (triggered)
1600 LogTrace(Uart.output, Uart.byteCnt, time_start, time_stop, NULL, TRUE);
1601
1602 /* And ready to receive another command. */
1603 UartReset();
1604 /* And also reset the demod code, which might have been */
1605 /* false-triggered by the commands from the reader. */
1606 DemodReset();
1607 } else {
1608 time_start = (GetCountSspClk()-time_0);
1609 }
1610 ReaderIsActive = (Uart.state > STATE_GOT_FALLING_EDGE_OF_SOF);
1611 LED_A_OFF();
1612 }
1613
1614 if(!ReaderIsActive) {
1615 // no need to try decoding tag data if the reader is sending - and we cannot afford the time
1616 // is this | 0x01 the error? & 0xfe in https://github.com/Proxmark/proxmark3/issues/103
1617 if(Handle14443bTagSamplesDemod(ci & 0xFE, cq & 0xFE)) {
1618
1619 time_stop = (GetCountSspClk()-time_0);
1620
1621 LogTrace(Demod.output, Demod.len, time_start, time_stop, NULL, FALSE);
1622
1623 triggered = TRUE;
1624
1625 // And ready to receive another response.
1626 DemodReset();
1627 } else {
1628 time_start = (GetCountSspClk()-time_0);
1629 }
1630 TagIsActive = (Demod.state > DEMOD_GOT_FALLING_EDGE_OF_SOF);
1631 }
1632 }
1633
1634 switch_off(); // Snoop
1635
1636 DbpString("Snoop statistics:");
1637 Dbprintf(" Max behind by: %i", maxBehindBy);
1638 Dbprintf(" Uart State: %x ByteCount: %i ByteCountMax: %i", Uart.state, Uart.byteCnt, Uart.byteCntMax);
1639 Dbprintf(" Trace length: %i", BigBuf_get_traceLen());
1640
1641 // free mem refs.
1642 if ( upTo ) upTo = NULL;
1643
1644 // Uart.byteCntMax should be set with ATQB value..
1645 }
1646
1647 void iso14b_set_trigger(bool enable) {
1648 trigger = enable;
1649 }
1650
1651 /*
1652 * Send raw command to tag ISO14443B
1653 * @Input
1654 * param flags enum ISO14B_COMMAND. (mifare.h)
1655 * len len of buffer data
1656 * data buffer with bytes to send
1657 *
1658 * @Output
1659 * none
1660 *
1661 */
1662 void SendRawCommand14443B_Ex(UsbCommand *c)
1663 {
1664 iso14b_command_t param = c->arg[0];
1665 size_t len = c->arg[1] & 0xffff;
1666 uint8_t *cmd = c->d.asBytes;
1667 uint8_t status = 0;
1668 uint32_t sendlen = sizeof(iso14b_card_select_t);
1669 uint8_t buf[USB_CMD_DATA_SIZE] = {0x00};
1670
1671 if (MF_DBGLEVEL > 3) Dbprintf("14b raw: param, %04x", param );
1672
1673 // turn on trigger (LED_A)
1674 if ((param & ISO14B_REQUEST_TRIGGER) == ISO14B_REQUEST_TRIGGER)
1675 iso14b_set_trigger(TRUE);
1676
1677 if ((param & ISO14B_CONNECT) == ISO14B_CONNECT) {
1678 // Make sure that we start from off, since the tags are stateful;
1679 // confusing things will happen if we don't reset them between reads.
1680 //switch_off(); // before connect in raw
1681 iso14443b_setup();
1682 }
1683
1684 set_tracing(TRUE);
1685
1686 if ((param & ISO14B_SELECT_STD) == ISO14B_SELECT_STD) {
1687 iso14b_card_select_t *card = (iso14b_card_select_t*)buf;
1688 status = iso14443b_select_card(card);
1689 cmd_send(CMD_ACK, status, sendlen, 0, buf, sendlen);
1690 // 0: OK 2: attrib fail, 3:crc fail,
1691 if ( status > 0 ) return;
1692 }
1693
1694 if ((param & ISO14B_SELECT_SR) == ISO14B_SELECT_SR) {
1695 iso14b_card_select_t *card = (iso14b_card_select_t*)buf;
1696 status = iso14443b_select_srx_card(card);
1697 cmd_send(CMD_ACK, status, sendlen, 0, buf, sendlen);
1698 // 0: OK 2: attrib fail, 3:crc fail,
1699 if ( status > 0 ) return;
1700 }
1701
1702 if ((param & ISO14B_APDU) == ISO14B_APDU) {
1703 status = iso14443b_apdu(cmd, len, buf);
1704 cmd_send(CMD_ACK, status, status, 0, buf, status);
1705 }
1706
1707 if ((param & ISO14B_RAW) == ISO14B_RAW) {
1708 if((param & ISO14B_APPEND_CRC) == ISO14B_APPEND_CRC) {
1709 AppendCrc14443b(cmd, len);
1710 len += 2;
1711 }
1712
1713 CodeAndTransmit14443bAsReader(cmd, len); // raw
1714 GetTagSamplesFor14443bDemod(); // raw
1715
1716 sendlen = MIN(Demod.len, USB_CMD_DATA_SIZE);
1717 status = (Demod.len > 0) ? 0 : 1;
1718 cmd_send(CMD_ACK, status, sendlen, 0, Demod.output, sendlen);
1719 }
1720
1721 // turn off trigger (LED_A)
1722 if ((param & ISO14B_REQUEST_TRIGGER) == ISO14B_REQUEST_TRIGGER)
1723 iso14b_set_trigger(FALSE);
1724
1725 // turn off antenna et al
1726 // we don't send a HALT command.
1727 if ((param & ISO14B_DISCONNECT) == ISO14B_DISCONNECT) {
1728 if (MF_DBGLEVEL > 3) Dbprintf("disconnect");
1729 switch_off(); // disconnect raw
1730 } else {
1731 //FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
1732 }
1733
1734 }
Proxmark3 GIT tracking
Impressum, Datenschutz