]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443a.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
I just merged @marshmellow's branch "iclass" and that was a lot of new functionality...
[proxmark3-svn] / armsrc / iso14443a.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // Routines to support ISO 14443 type A.
11 //-----------------------------------------------------------------------------
12
13 #include "proxmark3.h"
14 #include "apps.h"
15 #include "util.h"
16 #include "string.h"
17 #include "cmd.h"
18 #include "iso14443crc.h"
19 #include "iso14443a.h"
20 #include "crapto1.h"
21 #include "mifareutil.h"
22 #include "BigBuf.h"
23 static uint32_t iso14a_timeout;
24 int rsamples = 0;
25 uint8_t trigger = 0;
26 // the block number for the ISO14443-4 PCB
27 static uint8_t iso14_pcb_blocknum = 0;
28
29 //
30 // ISO14443 timing:
31 //
32 // minimum time between the start bits of consecutive transfers from reader to tag: 7000 carrier (13.56Mhz) cycles
33 #define REQUEST_GUARD_TIME (7000/16 + 1)
34 // minimum time between last modulation of tag and next start bit from reader to tag: 1172 carrier cycles
35 #define FRAME_DELAY_TIME_PICC_TO_PCD (1172/16 + 1)
36 // bool LastCommandWasRequest = FALSE;
37
38 //
39 // Total delays including SSC-Transfers between ARM and FPGA. These are in carrier clock cycles (1/13,56MHz)
40 //
41 // When the PM acts as reader and is receiving tag data, it takes
42 // 3 ticks delay in the AD converter
43 // 16 ticks until the modulation detector completes and sets curbit
44 // 8 ticks until bit_to_arm is assigned from curbit
45 // 8*16 ticks for the transfer from FPGA to ARM
46 // 4*16 ticks until we measure the time
47 // - 8*16 ticks because we measure the time of the previous transfer
48 #define DELAY_AIR2ARM_AS_READER (3 + 16 + 8 + 8*16 + 4*16 - 8*16)
49
50 // When the PM acts as a reader and is sending, it takes
51 // 4*16 ticks until we can write data to the sending hold register
52 // 8*16 ticks until the SHR is transferred to the Sending Shift Register
53 // 8 ticks until the first transfer starts
54 // 8 ticks later the FPGA samples the data
55 // 1 tick to assign mod_sig_coil
56 #define DELAY_ARM2AIR_AS_READER (4*16 + 8*16 + 8 + 8 + 1)
57
58 // When the PM acts as tag and is receiving it takes
59 // 2 ticks delay in the RF part (for the first falling edge),
60 // 3 ticks for the A/D conversion,
61 // 8 ticks on average until the start of the SSC transfer,
62 // 8 ticks until the SSC samples the first data
63 // 7*16 ticks to complete the transfer from FPGA to ARM
64 // 8 ticks until the next ssp_clk rising edge
65 // 4*16 ticks until we measure the time
66 // - 8*16 ticks because we measure the time of the previous transfer
67 #define DELAY_AIR2ARM_AS_TAG (2 + 3 + 8 + 8 + 7*16 + 8 + 4*16 - 8*16)
68
69 // The FPGA will report its internal sending delay in
70 uint16_t FpgaSendQueueDelay;
71 // the 5 first bits are the number of bits buffered in mod_sig_buf
72 // the last three bits are the remaining ticks/2 after the mod_sig_buf shift
73 #define DELAY_FPGA_QUEUE (FpgaSendQueueDelay<<1)
74
75 // When the PM acts as tag and is sending, it takes
76 // 4*16 ticks until we can write data to the sending hold register
77 // 8*16 ticks until the SHR is transferred to the Sending Shift Register
78 // 8 ticks until the first transfer starts
79 // 8 ticks later the FPGA samples the data
80 // + a varying number of ticks in the FPGA Delay Queue (mod_sig_buf)
81 // + 1 tick to assign mod_sig_coil
82 #define DELAY_ARM2AIR_AS_TAG (4*16 + 8*16 + 8 + 8 + DELAY_FPGA_QUEUE + 1)
83
84 // When the PM acts as sniffer and is receiving tag data, it takes
85 // 3 ticks A/D conversion
86 // 14 ticks to complete the modulation detection
87 // 8 ticks (on average) until the result is stored in to_arm
88 // + the delays in transferring data - which is the same for
89 // sniffing reader and tag data and therefore not relevant
90 #define DELAY_TAG_AIR2ARM_AS_SNIFFER (3 + 14 + 8)
91
92 // When the PM acts as sniffer and is receiving reader data, it takes
93 // 2 ticks delay in analogue RF receiver (for the falling edge of the
94 // start bit, which marks the start of the communication)
95 // 3 ticks A/D conversion
96 // 8 ticks on average until the data is stored in to_arm.
97 // + the delays in transferring data - which is the same for
98 // sniffing reader and tag data and therefore not relevant
99 #define DELAY_READER_AIR2ARM_AS_SNIFFER (2 + 3 + 8)
100
101 //variables used for timing purposes:
102 //these are in ssp_clk cycles:
103 static uint32_t NextTransferTime;
104 static uint32_t LastTimeProxToAirStart;
105 static uint32_t LastProxToAirDuration;
106
107
108
109 // CARD TO READER - manchester
110 // Sequence D: 11110000 modulation with subcarrier during first half
111 // Sequence E: 00001111 modulation with subcarrier during second half
112 // Sequence F: 00000000 no modulation with subcarrier
113 // READER TO CARD - miller
114 // Sequence X: 00001100 drop after half a period
115 // Sequence Y: 00000000 no drop
116 // Sequence Z: 11000000 drop at start
117 #define SEC_D 0xf0
118 #define SEC_E 0x0f
119 #define SEC_F 0x00
120 #define SEC_X 0x0c
121 #define SEC_Y 0x00
122 #define SEC_Z 0xc0
123
124 const uint8_t OddByteParity[256] = {
125 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
126 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
127 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
128 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
129 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
130 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
131 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
132 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
133 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
134 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
135 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
136 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
137 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
138 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
139 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
140 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
141 };
142
143
144 void iso14a_set_trigger(bool enable) {
145 trigger = enable;
146 }
147
148
149 void iso14a_set_timeout(uint32_t timeout) {
150 iso14a_timeout = timeout;
151 if(MF_DBGLEVEL >= 3) Dbprintf("ISO14443A Timeout set to %ld (%dms)", iso14a_timeout, iso14a_timeout / 106);
152 }
153
154
155 void iso14a_set_ATS_timeout(uint8_t *ats) {
156
157 uint8_t tb1;
158 uint8_t fwi;
159 uint32_t fwt;
160
161 if (ats[0] > 1) { // there is a format byte T0
162 if ((ats[1] & 0x20) == 0x20) { // there is an interface byte TB(1)
163 if ((ats[1] & 0x10) == 0x10) { // there is an interface byte TA(1) preceding TB(1)
164 tb1 = ats[3];
165 } else {
166 tb1 = ats[2];
167 }
168 fwi = (tb1 & 0xf0) >> 4; // frame waiting indicator (FWI)
169 fwt = 256 * 16 * (1 << fwi); // frame waiting time (FWT) in 1/fc
170
171 iso14a_set_timeout(fwt/(8*16));
172 }
173 }
174 }
175
176
177 //-----------------------------------------------------------------------------
178 // Generate the parity value for a byte sequence
179 //
180 //-----------------------------------------------------------------------------
181 byte_t oddparity (const byte_t bt)
182 {
183 return OddByteParity[bt];
184 }
185
186 void GetParity(const uint8_t *pbtCmd, uint16_t iLen, uint8_t *par)
187 {
188 uint16_t paritybit_cnt = 0;
189 uint16_t paritybyte_cnt = 0;
190 uint8_t parityBits = 0;
191
192 for (uint16_t i = 0; i < iLen; i++) {
193 // Generate the parity bits
194 parityBits |= ((OddByteParity[pbtCmd[i]]) << (7-paritybit_cnt));
195 if (paritybit_cnt == 7) {
196 par[paritybyte_cnt] = parityBits; // save 8 Bits parity
197 parityBits = 0; // and advance to next Parity Byte
198 paritybyte_cnt++;
199 paritybit_cnt = 0;
200 } else {
201 paritybit_cnt++;
202 }
203 }
204
205 // save remaining parity bits
206 par[paritybyte_cnt] = parityBits;
207
208 }
209
210 void AppendCrc14443a(uint8_t* data, int len)
211 {
212 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
213 }
214
215 void AppendCrc14443b(uint8_t* data, int len)
216 {
217 ComputeCrc14443(CRC_14443_B,data,len,data+len,data+len+1);
218 }
219
220
221 //=============================================================================
222 // ISO 14443 Type A - Miller decoder
223 //=============================================================================
224 // Basics:
225 // This decoder is used when the PM3 acts as a tag.
226 // The reader will generate "pauses" by temporarily switching of the field.
227 // At the PM3 antenna we will therefore measure a modulated antenna voltage.
228 // The FPGA does a comparison with a threshold and would deliver e.g.:
229 // ........ 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1 .......
230 // The Miller decoder needs to identify the following sequences:
231 // 2 (or 3) ticks pause followed by 6 (or 5) ticks unmodulated: pause at beginning - Sequence Z ("start of communication" or a "0")
232 // 8 ticks without a modulation: no pause - Sequence Y (a "0" or "end of communication" or "no information")
233 // 4 ticks unmodulated followed by 2 (or 3) ticks pause: pause in second half - Sequence X (a "1")
234 // Note 1: the bitstream may start at any time. We therefore need to sync.
235 // Note 2: the interpretation of Sequence Y and Z depends on the preceding sequence.
236 //-----------------------------------------------------------------------------
237 static tUart Uart;
238
239 // Lookup-Table to decide if 4 raw bits are a modulation.
240 // We accept the following:
241 // 0001 - a 3 tick wide pause
242 // 0011 - a 2 tick wide pause, or a three tick wide pause shifted left
243 // 0111 - a 2 tick wide pause shifted left
244 // 1001 - a 2 tick wide pause shifted right
245 const bool Mod_Miller_LUT[] = {
246 FALSE, TRUE, FALSE, TRUE, FALSE, FALSE, FALSE, TRUE,
247 FALSE, TRUE, FALSE, FALSE, FALSE, FALSE, FALSE, FALSE
248 };
249 #define IsMillerModulationNibble1(b) (Mod_Miller_LUT[(b & 0x000000F0) >> 4])
250 #define IsMillerModulationNibble2(b) (Mod_Miller_LUT[(b & 0x0000000F)])
251
252 void UartReset()
253 {
254 Uart.state = STATE_UNSYNCD;
255 Uart.bitCount = 0;
256 Uart.len = 0; // number of decoded data bytes
257 Uart.parityLen = 0; // number of decoded parity bytes
258 Uart.shiftReg = 0; // shiftreg to hold decoded data bits
259 Uart.parityBits = 0; // holds 8 parity bits
260 Uart.startTime = 0;
261 Uart.endTime = 0;
262
263 Uart.byteCntMax = 0;
264 Uart.posCnt = 0;
265 Uart.syncBit = 9999;
266 }
267
268 void UartInit(uint8_t *data, uint8_t *parity)
269 {
270 Uart.output = data;
271 Uart.parity = parity;
272 Uart.fourBits = 0x00000000; // clear the buffer for 4 Bits
273 UartReset();
274 }
275
276 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
277 static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
278 {
279
280 Uart.fourBits = (Uart.fourBits << 8) | bit;
281
282 if (Uart.state == STATE_UNSYNCD) { // not yet synced
283
284 Uart.syncBit = 9999; // not set
285
286 // 00x11111 2|3 ticks pause followed by 6|5 ticks unmodulated Sequence Z (a "0" or "start of communication")
287 // 11111111 8 ticks unmodulation Sequence Y (a "0" or "end of communication" or "no information")
288 // 111100x1 4 ticks unmodulated followed by 2|3 ticks pause Sequence X (a "1")
289
290 // The start bit is one ore more Sequence Y followed by a Sequence Z (... 11111111 00x11111). We need to distinguish from
291 // Sequence X followed by Sequence Y followed by Sequence Z (111100x1 11111111 00x11111)
292 // we therefore look for a ...xx1111 11111111 00x11111xxxxxx... pattern
293 // (12 '1's followed by 2 '0's, eventually followed by another '0', followed by 5 '1's)
294 //
295 #define ISO14443A_STARTBIT_MASK 0x07FFEF80 // mask is 00001111 11111111 1110 1111 10000000
296 #define ISO14443A_STARTBIT_PATTERN 0x07FF8F80 // pattern is 00001111 11111111 1000 1111 10000000
297
298 if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 0)) == ISO14443A_STARTBIT_PATTERN >> 0) Uart.syncBit = 7;
299 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 1)) == ISO14443A_STARTBIT_PATTERN >> 1) Uart.syncBit = 6;
300 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 2)) == ISO14443A_STARTBIT_PATTERN >> 2) Uart.syncBit = 5;
301 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 3)) == ISO14443A_STARTBIT_PATTERN >> 3) Uart.syncBit = 4;
302 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 4)) == ISO14443A_STARTBIT_PATTERN >> 4) Uart.syncBit = 3;
303 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 5)) == ISO14443A_STARTBIT_PATTERN >> 5) Uart.syncBit = 2;
304 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 6)) == ISO14443A_STARTBIT_PATTERN >> 6) Uart.syncBit = 1;
305 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 7)) == ISO14443A_STARTBIT_PATTERN >> 7) Uart.syncBit = 0;
306
307 if (Uart.syncBit != 9999) { // found a sync bit
308 Uart.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
309 Uart.startTime -= Uart.syncBit;
310 Uart.endTime = Uart.startTime;
311 Uart.state = STATE_START_OF_COMMUNICATION;
312 }
313
314 } else {
315
316 if (IsMillerModulationNibble1(Uart.fourBits >> Uart.syncBit)) {
317 if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) { // Modulation in both halves - error
318 UartReset();
319 } else { // Modulation in first half = Sequence Z = logic "0"
320 if (Uart.state == STATE_MILLER_X) { // error - must not follow after X
321 UartReset();
322 } else {
323 Uart.bitCount++;
324 Uart.shiftReg = (Uart.shiftReg >> 1); // add a 0 to the shiftreg
325 Uart.state = STATE_MILLER_Z;
326 Uart.endTime = Uart.startTime + 8*(9*Uart.len + Uart.bitCount + 1) - 6;
327 if(Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
328 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
329 Uart.parityBits <<= 1; // make room for the parity bit
330 Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
331 Uart.bitCount = 0;
332 Uart.shiftReg = 0;
333 if((Uart.len&0x0007) == 0) { // every 8 data bytes
334 Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
335 Uart.parityBits = 0;
336 }
337 }
338 }
339 }
340 } else {
341 if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) { // Modulation second half = Sequence X = logic "1"
342 Uart.bitCount++;
343 Uart.shiftReg = (Uart.shiftReg >> 1) | 0x100; // add a 1 to the shiftreg
344 Uart.state = STATE_MILLER_X;
345 Uart.endTime = Uart.startTime + 8*(9*Uart.len + Uart.bitCount + 1) - 2;
346 if(Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
347 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
348 Uart.parityBits <<= 1; // make room for the new parity bit
349 Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
350 Uart.bitCount = 0;
351 Uart.shiftReg = 0;
352 if ((Uart.len&0x0007) == 0) { // every 8 data bytes
353 Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
354 Uart.parityBits = 0;
355 }
356 }
357 } else { // no modulation in both halves - Sequence Y
358 if (Uart.state == STATE_MILLER_Z || Uart.state == STATE_MILLER_Y) { // Y after logic "0" - End of Communication
359 Uart.state = STATE_UNSYNCD;
360 Uart.bitCount--; // last "0" was part of EOC sequence
361 Uart.shiftReg <<= 1; // drop it
362 if(Uart.bitCount > 0) { // if we decoded some bits
363 Uart.shiftReg >>= (9 - Uart.bitCount); // right align them
364 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff); // add last byte to the output
365 Uart.parityBits <<= 1; // add a (void) parity bit
366 Uart.parityBits <<= (8 - (Uart.len&0x0007)); // left align parity bits
367 Uart.parity[Uart.parityLen++] = Uart.parityBits; // and store it
368 return TRUE;
369 } else if (Uart.len & 0x0007) { // there are some parity bits to store
370 Uart.parityBits <<= (8 - (Uart.len&0x0007)); // left align remaining parity bits
371 Uart.parity[Uart.parityLen++] = Uart.parityBits; // and store them
372 }
373 if (Uart.len) {
374 return TRUE; // we are finished with decoding the raw data sequence
375 } else {
376 UartReset(); // Nothing received - start over
377 }
378 }
379 if (Uart.state == STATE_START_OF_COMMUNICATION) { // error - must not follow directly after SOC
380 UartReset();
381 } else { // a logic "0"
382 Uart.bitCount++;
383 Uart.shiftReg = (Uart.shiftReg >> 1); // add a 0 to the shiftreg
384 Uart.state = STATE_MILLER_Y;
385 if(Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
386 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
387 Uart.parityBits <<= 1; // make room for the parity bit
388 Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
389 Uart.bitCount = 0;
390 Uart.shiftReg = 0;
391 if ((Uart.len&0x0007) == 0) { // every 8 data bytes
392 Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
393 Uart.parityBits = 0;
394 }
395 }
396 }
397 }
398 }
399
400 }
401
402 return FALSE; // not finished yet, need more data
403 }
404
405
406
407 //=============================================================================
408 // ISO 14443 Type A - Manchester decoder
409 //=============================================================================
410 // Basics:
411 // This decoder is used when the PM3 acts as a reader.
412 // The tag will modulate the reader field by asserting different loads to it. As a consequence, the voltage
413 // at the reader antenna will be modulated as well. The FPGA detects the modulation for us and would deliver e.g. the following:
414 // ........ 0 0 1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 .......
415 // The Manchester decoder needs to identify the following sequences:
416 // 4 ticks modulated followed by 4 ticks unmodulated: Sequence D = 1 (also used as "start of communication")
417 // 4 ticks unmodulated followed by 4 ticks modulated: Sequence E = 0
418 // 8 ticks unmodulated: Sequence F = end of communication
419 // 8 ticks modulated: A collision. Save the collision position and treat as Sequence D
420 // Note 1: the bitstream may start at any time. We therefore need to sync.
421 // Note 2: parameter offset is used to determine the position of the parity bits (required for the anticollision command only)
422 static tDemod Demod;
423
424 // Lookup-Table to decide if 4 raw bits are a modulation.
425 // We accept three or four "1" in any position
426 const bool Mod_Manchester_LUT[] = {
427 FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, TRUE,
428 FALSE, FALSE, FALSE, TRUE, FALSE, TRUE, TRUE, TRUE
429 };
430
431 #define IsManchesterModulationNibble1(b) (Mod_Manchester_LUT[(b & 0x00F0) >> 4])
432 #define IsManchesterModulationNibble2(b) (Mod_Manchester_LUT[(b & 0x000F)])
433
434
435 void DemodReset()
436 {
437 Demod.state = DEMOD_UNSYNCD;
438 Demod.len = 0; // number of decoded data bytes
439 Demod.parityLen = 0;
440 Demod.shiftReg = 0; // shiftreg to hold decoded data bits
441 Demod.parityBits = 0; //
442 Demod.collisionPos = 0; // Position of collision bit
443 Demod.twoBits = 0xffff; // buffer for 2 Bits
444 Demod.highCnt = 0;
445 Demod.startTime = 0;
446 Demod.endTime = 0;
447
448 //
449 Demod.bitCount = 0;
450 Demod.syncBit = 0xFFFF;
451 Demod.samples = 0;
452 }
453
454 void DemodInit(uint8_t *data, uint8_t *parity)
455 {
456 Demod.output = data;
457 Demod.parity = parity;
458 DemodReset();
459 }
460
461 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
462 static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time)
463 {
464
465 Demod.twoBits = (Demod.twoBits << 8) | bit;
466
467 if (Demod.state == DEMOD_UNSYNCD) {
468
469 if (Demod.highCnt < 2) { // wait for a stable unmodulated signal
470 if (Demod.twoBits == 0x0000) {
471 Demod.highCnt++;
472 } else {
473 Demod.highCnt = 0;
474 }
475 } else {
476 Demod.syncBit = 0xFFFF; // not set
477 if ((Demod.twoBits & 0x7700) == 0x7000) Demod.syncBit = 7;
478 else if ((Demod.twoBits & 0x3B80) == 0x3800) Demod.syncBit = 6;
479 else if ((Demod.twoBits & 0x1DC0) == 0x1C00) Demod.syncBit = 5;
480 else if ((Demod.twoBits & 0x0EE0) == 0x0E00) Demod.syncBit = 4;
481 else if ((Demod.twoBits & 0x0770) == 0x0700) Demod.syncBit = 3;
482 else if ((Demod.twoBits & 0x03B8) == 0x0380) Demod.syncBit = 2;
483 else if ((Demod.twoBits & 0x01DC) == 0x01C0) Demod.syncBit = 1;
484 else if ((Demod.twoBits & 0x00EE) == 0x00E0) Demod.syncBit = 0;
485 if (Demod.syncBit != 0xFFFF) {
486 Demod.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
487 Demod.startTime -= Demod.syncBit;
488 Demod.bitCount = offset; // number of decoded data bits
489 Demod.state = DEMOD_MANCHESTER_DATA;
490 }
491 }
492
493 } else {
494
495 if (IsManchesterModulationNibble1(Demod.twoBits >> Demod.syncBit)) { // modulation in first half
496 if (IsManchesterModulationNibble2(Demod.twoBits >> Demod.syncBit)) { // ... and in second half = collision
497 if (!Demod.collisionPos) {
498 Demod.collisionPos = (Demod.len << 3) + Demod.bitCount;
499 }
500 } // modulation in first half only - Sequence D = 1
501 Demod.bitCount++;
502 Demod.shiftReg = (Demod.shiftReg >> 1) | 0x100; // in both cases, add a 1 to the shiftreg
503 if(Demod.bitCount == 9) { // if we decoded a full byte (including parity)
504 Demod.output[Demod.len++] = (Demod.shiftReg & 0xff);
505 Demod.parityBits <<= 1; // make room for the parity bit
506 Demod.parityBits |= ((Demod.shiftReg >> 8) & 0x01); // store parity bit
507 Demod.bitCount = 0;
508 Demod.shiftReg = 0;
509 if((Demod.len&0x0007) == 0) { // every 8 data bytes
510 Demod.parity[Demod.parityLen++] = Demod.parityBits; // store 8 parity bits
511 Demod.parityBits = 0;
512 }
513 }
514 Demod.endTime = Demod.startTime + 8*(9*Demod.len + Demod.bitCount + 1) - 4;
515 } else { // no modulation in first half
516 if (IsManchesterModulationNibble2(Demod.twoBits >> Demod.syncBit)) { // and modulation in second half = Sequence E = 0
517 Demod.bitCount++;
518 Demod.shiftReg = (Demod.shiftReg >> 1); // add a 0 to the shiftreg
519 if(Demod.bitCount >= 9) { // if we decoded a full byte (including parity)
520 Demod.output[Demod.len++] = (Demod.shiftReg & 0xff);
521 Demod.parityBits <<= 1; // make room for the new parity bit
522 Demod.parityBits |= ((Demod.shiftReg >> 8) & 0x01); // store parity bit
523 Demod.bitCount = 0;
524 Demod.shiftReg = 0;
525 if ((Demod.len&0x0007) == 0) { // every 8 data bytes
526 Demod.parity[Demod.parityLen++] = Demod.parityBits; // store 8 parity bits1
527 Demod.parityBits = 0;
528 }
529 }
530 Demod.endTime = Demod.startTime + 8*(9*Demod.len + Demod.bitCount + 1);
531 } else { // no modulation in both halves - End of communication
532 if(Demod.bitCount > 0) { // there are some remaining data bits
533 Demod.shiftReg >>= (9 - Demod.bitCount); // right align the decoded bits
534 Demod.output[Demod.len++] = Demod.shiftReg & 0xff; // and add them to the output
535 Demod.parityBits <<= 1; // add a (void) parity bit
536 Demod.parityBits <<= (8 - (Demod.len&0x0007)); // left align remaining parity bits
537 Demod.parity[Demod.parityLen++] = Demod.parityBits; // and store them
538 return TRUE;
539 } else if (Demod.len & 0x0007) { // there are some parity bits to store
540 Demod.parityBits <<= (8 - (Demod.len&0x0007)); // left align remaining parity bits
541 Demod.parity[Demod.parityLen++] = Demod.parityBits; // and store them
542 }
543 if (Demod.len) {
544 return TRUE; // we are finished with decoding the raw data sequence
545 } else { // nothing received. Start over
546 DemodReset();
547 }
548 }
549 }
550 }
551 return FALSE; // not finished yet, need more data
552 }
553
554 //=============================================================================
555 // Finally, a `sniffer' for ISO 14443 Type A
556 // Both sides of communication!
557 //=============================================================================
558
559 //-----------------------------------------------------------------------------
560 // Record the sequence of commands sent by the reader to the tag, with
561 // triggering so that we start recording at the point that the tag is moved
562 // near the reader.
563 //-----------------------------------------------------------------------------
564 void RAMFUNC SniffIso14443a(uint8_t param) {
565 // param:
566 // bit 0 - trigger from first card answer
567 // bit 1 - trigger from first reader 7-bit request
568 LEDsoff();
569
570 iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
571
572 // Allocate memory from BigBuf for some buffers
573 // free all previous allocations first
574 BigBuf_free();
575
576 // init trace buffer
577 clear_trace();
578 set_tracing(TRUE);
579
580 // The command (reader -> tag) that we're receiving.
581 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
582 uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
583
584 // The response (tag -> reader) that we're receiving.
585 uint8_t *receivedResponse = BigBuf_malloc(MAX_FRAME_SIZE);
586 uint8_t *receivedResponsePar = BigBuf_malloc(MAX_PARITY_SIZE);
587
588 // The DMA buffer, used to stream samples from the FPGA
589 uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
590
591 uint8_t *data = dmaBuf;
592 uint8_t previous_data = 0;
593 int maxDataLen = 0;
594 int dataLen = 0;
595 bool TagIsActive = FALSE;
596 bool ReaderIsActive = FALSE;
597
598 // Set up the demodulator for tag -> reader responses.
599 DemodInit(receivedResponse, receivedResponsePar);
600
601 // Set up the demodulator for the reader -> tag commands
602 UartInit(receivedCmd, receivedCmdPar);
603
604 // Setup and start DMA.
605 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
606
607 // We won't start recording the frames that we acquire until we trigger;
608 // a good trigger condition to get started is probably when we see a
609 // response from the tag.
610 // triggered == FALSE -- to wait first for card
611 bool triggered = !(param & 0x03);
612
613 // And now we loop, receiving samples.
614 for(uint32_t rsamples = 0; TRUE; ) {
615
616 if(BUTTON_PRESS()) {
617 DbpString("cancelled by button");
618 break;
619 }
620
621 LED_A_ON();
622 WDT_HIT();
623
624 int register readBufDataP = data - dmaBuf;
625 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
626 if (readBufDataP <= dmaBufDataP){
627 dataLen = dmaBufDataP - readBufDataP;
628 } else {
629 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP;
630 }
631 // test for length of buffer
632 if(dataLen > maxDataLen) {
633 maxDataLen = dataLen;
634 if(dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
635 Dbprintf("blew circular buffer! dataLen=%d", dataLen);
636 break;
637 }
638 }
639 if(dataLen < 1) continue;
640
641 // primary buffer was stopped( <-- we lost data!
642 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
643 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
644 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
645 Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
646 }
647 // secondary buffer sets as primary, secondary buffer was stopped
648 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
649 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
650 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
651 }
652
653 LED_A_OFF();
654
655 if (rsamples & 0x01) { // Need two samples to feed Miller and Manchester-Decoder
656
657 if(!TagIsActive) { // no need to try decoding reader data if the tag is sending
658 uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
659 if (MillerDecoding(readerdata, (rsamples-1)*4)) {
660 LED_C_ON();
661
662 // check - if there is a short 7bit request from reader
663 if ((!triggered) && (param & 0x02) && (Uart.len == 1) && (Uart.bitCount == 7)) triggered = TRUE;
664
665 if(triggered) {
666 if (!LogTrace(receivedCmd,
667 Uart.len,
668 Uart.startTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER,
669 Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER,
670 Uart.parity,
671 TRUE)) break;
672 }
673 /* And ready to receive another command. */
674 UartReset();
675 /* And also reset the demod code, which might have been */
676 /* false-triggered by the commands from the reader. */
677 DemodReset();
678 LED_B_OFF();
679 }
680 ReaderIsActive = (Uart.state != STATE_UNSYNCD);
681 }
682
683 if(!ReaderIsActive) { // no need to try decoding tag data if the reader is sending - and we cannot afford the time
684 uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
685 if(ManchesterDecoding(tagdata, 0, (rsamples-1)*4)) {
686 LED_B_ON();
687
688 if (!LogTrace(receivedResponse,
689 Demod.len,
690 Demod.startTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER,
691 Demod.endTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER,
692 Demod.parity,
693 FALSE)) break;
694
695 if ((!triggered) && (param & 0x01)) triggered = TRUE;
696
697 // And ready to receive another response.
698 DemodReset();
699 // And reset the Miller decoder including itS (now outdated) input buffer
700 UartInit(receivedCmd, receivedCmdPar);
701
702 LED_C_OFF();
703 }
704 TagIsActive = (Demod.state != DEMOD_UNSYNCD);
705 }
706 }
707
708 previous_data = *data;
709 rsamples++;
710 data++;
711 if(data == dmaBuf + DMA_BUFFER_SIZE) {
712 data = dmaBuf;
713 }
714 } // main cycle
715
716 FpgaDisableSscDma();
717 LEDsoff();
718
719 Dbprintf("maxDataLen=%d, Uart.state=%x, Uart.len=%d", maxDataLen, Uart.state, Uart.len);
720 Dbprintf("traceLen=%d, Uart.output[0]=%08x", BigBuf_get_traceLen(), (uint32_t)Uart.output[0]);
721 }
722
723 //-----------------------------------------------------------------------------
724 // Prepare tag messages
725 //-----------------------------------------------------------------------------
726 static void CodeIso14443aAsTagPar(const uint8_t *cmd, uint16_t len, uint8_t *parity)
727 {
728 ToSendReset();
729
730 // Correction bit, might be removed when not needed
731 ToSendStuffBit(0);
732 ToSendStuffBit(0);
733 ToSendStuffBit(0);
734 ToSendStuffBit(0);
735 ToSendStuffBit(1); // 1
736 ToSendStuffBit(0);
737 ToSendStuffBit(0);
738 ToSendStuffBit(0);
739
740 // Send startbit
741 ToSend[++ToSendMax] = SEC_D;
742 LastProxToAirDuration = 8 * ToSendMax - 4;
743
744 for(uint16_t i = 0; i < len; i++) {
745 uint8_t b = cmd[i];
746
747 // Data bits
748 for(uint16_t j = 0; j < 8; j++) {
749 if(b & 1) {
750 ToSend[++ToSendMax] = SEC_D;
751 } else {
752 ToSend[++ToSendMax] = SEC_E;
753 }
754 b >>= 1;
755 }
756
757 // Get the parity bit
758 if (parity[i>>3] & (0x80>>(i&0x0007))) {
759 ToSend[++ToSendMax] = SEC_D;
760 LastProxToAirDuration = 8 * ToSendMax - 4;
761 } else {
762 ToSend[++ToSendMax] = SEC_E;
763 LastProxToAirDuration = 8 * ToSendMax;
764 }
765 }
766
767 // Send stopbit
768 ToSend[++ToSendMax] = SEC_F;
769
770 // Convert from last byte pos to length
771 ToSendMax++;
772 }
773
774 static void CodeIso14443aAsTag(const uint8_t *cmd, uint16_t len)
775 {
776 uint8_t par[MAX_PARITY_SIZE];
777
778 GetParity(cmd, len, par);
779 CodeIso14443aAsTagPar(cmd, len, par);
780 }
781
782
783 static void Code4bitAnswerAsTag(uint8_t cmd)
784 {
785 int i;
786
787 ToSendReset();
788
789 // Correction bit, might be removed when not needed
790 ToSendStuffBit(0);
791 ToSendStuffBit(0);
792 ToSendStuffBit(0);
793 ToSendStuffBit(0);
794 ToSendStuffBit(1); // 1
795 ToSendStuffBit(0);
796 ToSendStuffBit(0);
797 ToSendStuffBit(0);
798
799 // Send startbit
800 ToSend[++ToSendMax] = SEC_D;
801
802 uint8_t b = cmd;
803 for(i = 0; i < 4; i++) {
804 if(b & 1) {
805 ToSend[++ToSendMax] = SEC_D;
806 LastProxToAirDuration = 8 * ToSendMax - 4;
807 } else {
808 ToSend[++ToSendMax] = SEC_E;
809 LastProxToAirDuration = 8 * ToSendMax;
810 }
811 b >>= 1;
812 }
813
814 // Send stopbit
815 ToSend[++ToSendMax] = SEC_F;
816
817 // Convert from last byte pos to length
818 ToSendMax++;
819 }
820
821 //-----------------------------------------------------------------------------
822 // Wait for commands from reader
823 // Stop when button is pressed
824 // Or return TRUE when command is captured
825 //-----------------------------------------------------------------------------
826 static int GetIso14443aCommandFromReader(uint8_t *received, uint8_t *parity, int *len)
827 {
828 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
829 // only, since we are receiving, not transmitting).
830 // Signal field is off with the appropriate LED
831 LED_D_OFF();
832 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
833
834 // Now run a `software UART' on the stream of incoming samples.
835 UartInit(received, parity);
836
837 // clear RXRDY:
838 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
839
840 for(;;) {
841 WDT_HIT();
842
843 if(BUTTON_PRESS()) return FALSE;
844
845 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
846 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
847 if(MillerDecoding(b, 0)) {
848 *len = Uart.len;
849 return TRUE;
850 }
851 }
852 }
853 }
854
855 static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNeeded);
856 int EmSend4bitEx(uint8_t resp, bool correctionNeeded);
857 int EmSend4bit(uint8_t resp);
858 int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, bool correctionNeeded, uint8_t *par);
859 int EmSendCmdEx(uint8_t *resp, uint16_t respLen, bool correctionNeeded);
860 int EmSendCmd(uint8_t *resp, uint16_t respLen);
861 int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par);
862 bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity,
863 uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint8_t *tag_Parity);
864
865 static uint8_t* free_buffer_pointer;
866
867 typedef struct {
868 uint8_t* response;
869 size_t response_n;
870 uint8_t* modulation;
871 size_t modulation_n;
872 uint32_t ProxToAirDuration;
873 } tag_response_info_t;
874
875 bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffer_size) {
876 // Example response, answer to MIFARE Classic read block will be 16 bytes + 2 CRC = 18 bytes
877 // This will need the following byte array for a modulation sequence
878 // 144 data bits (18 * 8)
879 // 18 parity bits
880 // 2 Start and stop
881 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
882 // 1 just for the case
883 // ----------- +
884 // 166 bytes, since every bit that needs to be send costs us a byte
885 //
886
887
888 // Prepare the tag modulation bits from the message
889 CodeIso14443aAsTag(response_info->response,response_info->response_n);
890
891 // Make sure we do not exceed the free buffer space
892 if (ToSendMax > max_buffer_size) {
893 Dbprintf("Out of memory, when modulating bits for tag answer:");
894 Dbhexdump(response_info->response_n,response_info->response,false);
895 return false;
896 }
897
898 // Copy the byte array, used for this modulation to the buffer position
899 memcpy(response_info->modulation,ToSend,ToSendMax);
900
901 // Store the number of bytes that were used for encoding/modulation and the time needed to transfer them
902 response_info->modulation_n = ToSendMax;
903 response_info->ProxToAirDuration = LastProxToAirDuration;
904
905 return true;
906 }
907
908
909 // "precompile" responses. There are 7 predefined responses with a total of 28 bytes data to transmit.
910 // Coded responses need one byte per bit to transfer (data, parity, start, stop, correction)
911 // 28 * 8 data bits, 28 * 1 parity bits, 7 start bits, 7 stop bits, 7 correction bits
912 // -> need 273 bytes buffer
913 // 44 * 8 data bits, 44 * 1 parity bits, 9 start bits, 9 stop bits, 9 correction bits --370
914 // 47 * 8 data bits, 47 * 1 parity bits, 10 start bits, 10 stop bits, 10 correction bits
915 #define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 453
916
917 bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) {
918 // Retrieve and store the current buffer index
919 response_info->modulation = free_buffer_pointer;
920
921 // Determine the maximum size we can use from our buffer
922 size_t max_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE;
923
924 // Forward the prepare tag modulation function to the inner function
925 if (prepare_tag_modulation(response_info, max_buffer_size)) {
926 // Update the free buffer offset
927 free_buffer_pointer += ToSendMax;
928 return true;
929 } else {
930 return false;
931 }
932 }
933
934 //-----------------------------------------------------------------------------
935 // Main loop of simulated tag: receive commands from reader, decide what
936 // response to send, and send it.
937 //-----------------------------------------------------------------------------
938 void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
939 {
940
941 //Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2
942 // This can be used in a reader-only attack.
943 // (it can also be retrieved via 'hf 14a list', but hey...
944 uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0,0};
945 uint8_t ar_nr_collected = 0;
946
947 uint8_t sak;
948
949 // PACK response to PWD AUTH for EV1/NTAG
950 uint8_t response8[4] = {0,0,0,0};
951
952 // The first response contains the ATQA (note: bytes are transmitted in reverse order).
953 uint8_t response1[2] = {0,0};
954
955 switch (tagType) {
956 case 1: { // MIFARE Classic
957 // Says: I am Mifare 1k - original line
958 response1[0] = 0x04;
959 response1[1] = 0x00;
960 sak = 0x08;
961 } break;
962 case 2: { // MIFARE Ultralight
963 // Says: I am a stupid memory tag, no crypto
964 response1[0] = 0x44;
965 response1[1] = 0x00;
966 sak = 0x00;
967 } break;
968 case 3: { // MIFARE DESFire
969 // Says: I am a DESFire tag, ph33r me
970 response1[0] = 0x04;
971 response1[1] = 0x03;
972 sak = 0x20;
973 } break;
974 case 4: { // ISO/IEC 14443-4
975 // Says: I am a javacard (JCOP)
976 response1[0] = 0x04;
977 response1[1] = 0x00;
978 sak = 0x28;
979 } break;
980 case 5: { // MIFARE TNP3XXX
981 // Says: I am a toy
982 response1[0] = 0x01;
983 response1[1] = 0x0f;
984 sak = 0x01;
985 } break;
986 case 6: { // MIFARE Mini
987 // Says: I am a Mifare Mini, 320b
988 response1[0] = 0x44;
989 response1[1] = 0x00;
990 sak = 0x09;
991 } break;
992 case 7: { // NTAG?
993 // Says: I am a NTAG,
994 response1[0] = 0x44;
995 response1[1] = 0x00;
996 sak = 0x00;
997 // PACK
998 response8[0] = 0x80;
999 response8[1] = 0x80;
1000 ComputeCrc14443(CRC_14443_A, response8, 2, &response8[2], &response8[3]);
1001 } break;
1002 default: {
1003 Dbprintf("Error: unkown tagtype (%d)",tagType);
1004 return;
1005 } break;
1006 }
1007
1008 // The second response contains the (mandatory) first 24 bits of the UID
1009 uint8_t response2[5] = {0x00};
1010
1011 // Check if the uid uses the (optional) part
1012 uint8_t response2a[5] = {0x00};
1013
1014 if (flags & FLAG_7B_UID_IN_DATA) {
1015 response2[0] = 0x88;
1016 response2[1] = data[0];
1017 response2[2] = data[1];
1018 response2[3] = data[2];
1019
1020 response2a[0] = data[3];
1021 response2a[1] = data[4];
1022 response2a[2] = data[5];
1023 response2a[3] = data[6]; //??
1024 response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3];
1025
1026 // Configure the ATQA and SAK accordingly
1027 response1[0] |= 0x40;
1028 sak |= 0x04;
1029 } else {
1030 memcpy(response2, data, 4);
1031 //num_to_bytes(uid_1st,4,response2);
1032 // Configure the ATQA and SAK accordingly
1033 response1[0] &= 0xBF;
1034 sak &= 0xFB;
1035 }
1036
1037 // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
1038 response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
1039
1040 // Prepare the mandatory SAK (for 4 and 7 byte UID)
1041 uint8_t response3[3] = {0x00};
1042 response3[0] = sak;
1043 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
1044
1045 // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
1046 uint8_t response3a[3] = {0x00};
1047 response3a[0] = sak & 0xFB;
1048 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
1049
1050 uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
1051 uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS:
1052 // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present,
1053 // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
1054 // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
1055 // TC(1) = 0x02: CID supported, NAD not supported
1056 ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]);
1057
1058 // Prepare GET_VERSION (different for EV-1 / NTAG)
1059 //uint8_t response7_EV1[] = {0x00, 0x04, 0x03, 0x01, 0x01, 0x00, 0x0b, 0x03, 0xfd, 0xf7}; //EV1 48bytes VERSION.
1060 uint8_t response7_NTAG[] = {0x00, 0x04, 0x04, 0x02, 0x01, 0x00, 0x11, 0x03, 0x01, 0x9e}; //NTAG 215
1061
1062 // Prepare CHK_TEARING
1063 uint8_t response9[] = {0xBD,0x90,0x3f};
1064
1065 #define TAG_RESPONSE_COUNT 10
1066 tag_response_info_t responses[TAG_RESPONSE_COUNT] = {
1067 { .response = response1, .response_n = sizeof(response1) }, // Answer to request - respond with card type
1068 { .response = response2, .response_n = sizeof(response2) }, // Anticollision cascade1 - respond with uid
1069 { .response = response2a, .response_n = sizeof(response2a) }, // Anticollision cascade2 - respond with 2nd half of uid if asked
1070 { .response = response3, .response_n = sizeof(response3) }, // Acknowledge select - cascade 1
1071 { .response = response3a, .response_n = sizeof(response3a) }, // Acknowledge select - cascade 2
1072 { .response = response5, .response_n = sizeof(response5) }, // Authentication answer (random nonce)
1073 { .response = response6, .response_n = sizeof(response6) }, // dummy ATS (pseudo-ATR), answer to RATS
1074 { .response = response7_NTAG, .response_n = sizeof(response7_NTAG) }, // EV1/NTAG GET_VERSION response
1075 { .response = response8, .response_n = sizeof(response8) }, // EV1/NTAG PACK response
1076 { .response = response9, .response_n = sizeof(response9) } // EV1/NTAG CHK_TEAR response
1077 };
1078
1079 // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it
1080 // Such a response is less time critical, so we can prepare them on the fly
1081 #define DYNAMIC_RESPONSE_BUFFER_SIZE 64
1082 #define DYNAMIC_MODULATION_BUFFER_SIZE 512
1083 uint8_t dynamic_response_buffer[DYNAMIC_RESPONSE_BUFFER_SIZE];
1084 uint8_t dynamic_modulation_buffer[DYNAMIC_MODULATION_BUFFER_SIZE];
1085 tag_response_info_t dynamic_response_info = {
1086 .response = dynamic_response_buffer,
1087 .response_n = 0,
1088 .modulation = dynamic_modulation_buffer,
1089 .modulation_n = 0
1090 };
1091
1092 // We need to listen to the high-frequency, peak-detected path.
1093 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1094
1095 BigBuf_free_keep_EM();
1096
1097 // allocate buffers:
1098 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
1099 uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
1100 free_buffer_pointer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
1101
1102 // clear trace
1103 clear_trace();
1104 set_tracing(TRUE);
1105
1106 // Prepare the responses of the anticollision phase
1107 // there will be not enough time to do this at the moment the reader sends it REQA
1108 for (size_t i=0; i<TAG_RESPONSE_COUNT; i++) {
1109 prepare_allocated_tag_modulation(&responses[i]);
1110 }
1111
1112 int len = 0;
1113
1114 // To control where we are in the protocol
1115 int order = 0;
1116 int lastorder;
1117
1118 // Just to allow some checks
1119 int happened = 0;
1120 int happened2 = 0;
1121 int cmdsRecvd = 0;
1122
1123 cmdsRecvd = 0;
1124 tag_response_info_t* p_response;
1125
1126 LED_A_ON();
1127 for(;;) {
1128 // Clean receive command buffer
1129
1130 if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
1131 DbpString("Button press");
1132 break;
1133 }
1134
1135 p_response = NULL;
1136
1137 // Okay, look at the command now.
1138 lastorder = order;
1139 if(receivedCmd[0] == 0x26) { // Received a REQUEST
1140 p_response = &responses[0]; order = 1;
1141 } else if(receivedCmd[0] == 0x52) { // Received a WAKEUP
1142 p_response = &responses[0]; order = 6;
1143 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // Received request for UID (cascade 1)
1144 p_response = &responses[1]; order = 2;
1145 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x95) { // Received request for UID (cascade 2)
1146 p_response = &responses[2]; order = 20;
1147 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x93) { // Received a SELECT (cascade 1)
1148 p_response = &responses[3]; order = 3;
1149 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) { // Received a SELECT (cascade 2)
1150 p_response = &responses[4]; order = 30;
1151 } else if(receivedCmd[0] == 0x30) { // Received a (plain) READ
1152 uint8_t block = receivedCmd[1];
1153 if ( tagType == 7 ) {
1154 uint16_t start = 4 * block;
1155
1156 /*if ( block < 4 ) {
1157 //NTAG 215
1158 uint8_t blockdata[50] = {
1159 data[0],data[1],data[2], 0x88 ^ data[0] ^ data[1] ^ data[2],
1160 data[3],data[4],data[5],data[6],
1161 data[3] ^ data[4] ^ data[5] ^ data[6],0x48,0x0f,0xe0,
1162 0xe1,0x10,0x12,0x00,
1163 0x03,0x00,0xfe,0x00,
1164 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
1165 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
1166 0x00,0x00,0x00,0x00,
1167 0x00,0x00};
1168 AppendCrc14443a(blockdata+start, 16);
1169 EmSendCmdEx( blockdata+start, MAX_MIFARE_FRAME_SIZE, false);
1170 } else {*/
1171 uint8_t emdata[MAX_MIFARE_FRAME_SIZE];
1172 emlGetMemBt( emdata, start, 16);
1173 AppendCrc14443a(emdata, 16);
1174 EmSendCmdEx(emdata, sizeof(emdata), false);
1175 //}
1176 p_response = NULL;
1177
1178 } else {
1179 EmSendCmdEx(data+(4*block),16,false);
1180 // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
1181 // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
1182 p_response = NULL;
1183 }
1184 } else if(receivedCmd[0] == 0x3A) { // Received a FAST READ (ranged read) -- just returns all zeros.
1185
1186 uint8_t emdata[MAX_FRAME_SIZE];
1187 int start = receivedCmd[1] * 4;
1188 int len = (receivedCmd[2] - receivedCmd[1] + 1) * 4;
1189 emlGetMemBt( emdata, start, len);
1190 AppendCrc14443a(emdata, len);
1191 EmSendCmdEx(emdata, len+2, false);
1192 p_response = NULL;
1193
1194 } else if(receivedCmd[0] == 0x3C && tagType == 7) { // Received a READ SIGNATURE --
1195 // ECC data, taken from a NTAG215 amiibo token. might work. LEN: 32, + 2 crc
1196 uint8_t data[] = {0x56,0x06,0xa6,0x4f,0x43,0x32,0x53,0x6f,
1197 0x43,0xda,0x45,0xd6,0x61,0x38,0xaa,0x1e,
1198 0xcf,0xd3,0x61,0x36,0xca,0x5f,0xbb,0x05,
1199 0xce,0x21,0x24,0x5b,0xa6,0x7a,0x79,0x07,
1200 0x00,0x00};
1201 AppendCrc14443a(data, sizeof(data)-2);
1202 EmSendCmdEx(data,sizeof(data),false);
1203 p_response = NULL;
1204 } else if(receivedCmd[0] == 0x39 && tagType == 7) { // Received a READ COUNTER --
1205 uint8_t data[] = {0x00,0x00,0x00,0x14,0xa5};
1206 EmSendCmdEx(data,sizeof(data),false);
1207 p_response = NULL;
1208 } else if(receivedCmd[0] == 0xA5 && tagType == 7) { // Received a INC COUNTER --
1209 // number of counter
1210 //uint8_t counter = receivedCmd[1];
1211 //uint32_t val = bytes_to_num(receivedCmd+2,4);
1212
1213 // send ACK
1214 uint8_t ack[] = {0x0a};
1215 EmSendCmdEx(ack,sizeof(ack),false);
1216 p_response = NULL;
1217
1218 } else if(receivedCmd[0] == 0x3E && tagType == 7) { // Received a CHECK_TEARING_EVENT --
1219 p_response = &responses[9];
1220 } else if(receivedCmd[0] == 0x50) { // Received a HALT
1221
1222 if (tracing) {
1223 LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
1224 }
1225 p_response = NULL;
1226 } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) { // Received an authentication request
1227
1228 if ( tagType == 7 ) { // IF NTAG /EV1 0x60 == GET_VERSION, not a authentication request.
1229 p_response = &responses[7];
1230 } else {
1231 p_response = &responses[5]; order = 7;
1232 }
1233 } else if(receivedCmd[0] == 0xE0) { // Received a RATS request
1234 if (tagType == 1 || tagType == 2) { // RATS not supported
1235 EmSend4bit(CARD_NACK_NA);
1236 p_response = NULL;
1237 } else {
1238 p_response = &responses[6]; order = 70;
1239 }
1240 } else if (order == 7 && len == 8) { // Received {nr] and {ar} (part of authentication)
1241 if (tracing) {
1242 LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
1243 }
1244 uint32_t nonce = bytes_to_num(response5,4);
1245 uint32_t nr = bytes_to_num(receivedCmd,4);
1246 uint32_t ar = bytes_to_num(receivedCmd+4,4);
1247 //Dbprintf("Auth attempt {nonce}{nr}{ar}: %08x %08x %08x", nonce, nr, ar);
1248
1249 if(flags & FLAG_NR_AR_ATTACK )
1250 {
1251 if(ar_nr_collected < 2){
1252 // Avoid duplicates... probably not necessary, nr should vary.
1253 //if(ar_nr_responses[3] != nr){
1254 ar_nr_responses[ar_nr_collected*5] = 0;
1255 ar_nr_responses[ar_nr_collected*5+1] = 0;
1256 ar_nr_responses[ar_nr_collected*5+2] = nonce;
1257 ar_nr_responses[ar_nr_collected*5+3] = nr;
1258 ar_nr_responses[ar_nr_collected*5+4] = ar;
1259 ar_nr_collected++;
1260 //}
1261 }
1262
1263 if(ar_nr_collected > 1 ) {
1264
1265 if (MF_DBGLEVEL >= 2) {
1266 Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
1267 Dbprintf("../tools/mfkey/mfkey32 %07x%08x %08x %08x %08x %08x %08x",
1268 ar_nr_responses[0], // UID1
1269 ar_nr_responses[1], // UID2
1270 ar_nr_responses[2], // NT
1271 ar_nr_responses[3], // AR1
1272 ar_nr_responses[4], // NR1
1273 ar_nr_responses[8], // AR2
1274 ar_nr_responses[9] // NR2
1275 );
1276 Dbprintf("../tools/mfkey/mfkey32v2 %06x%08x %08x %08x %08x %08x %08x %08x",
1277 ar_nr_responses[0], // UID1
1278 ar_nr_responses[1], // UID2
1279 ar_nr_responses[2], // NT1
1280 ar_nr_responses[3], // AR1
1281 ar_nr_responses[4], // NR1
1282 ar_nr_responses[7], // NT2
1283 ar_nr_responses[8], // AR2
1284 ar_nr_responses[9] // NR2
1285 );
1286 }
1287 uint8_t len = ar_nr_collected*5*4;
1288 cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,len,0,&ar_nr_responses,len);
1289 ar_nr_collected = 0;
1290 memset(ar_nr_responses, 0x00, len);
1291 }
1292 }
1293 } else if (receivedCmd[0] == 0x1a ) // ULC authentication
1294 {
1295
1296 }
1297 else if (receivedCmd[0] == 0x1b) // NTAG / EV-1 authentication
1298 {
1299 if ( tagType == 7 ) {
1300 p_response = &responses[8]; // PACK response
1301 uint32_t pwd = bytes_to_num(receivedCmd+1,4);
1302
1303 if ( MF_DBGLEVEL >= 3) Dbprintf("Auth attempt: %08x", pwd);
1304 }
1305 }
1306 else {
1307 // Check for ISO 14443A-4 compliant commands, look at left nibble
1308 switch (receivedCmd[0]) {
1309 case 0x02:
1310 case 0x03: { // IBlock (command no CID)
1311 dynamic_response_info.response[0] = receivedCmd[0];
1312 dynamic_response_info.response[1] = 0x90;
1313 dynamic_response_info.response[2] = 0x00;
1314 dynamic_response_info.response_n = 3;
1315 } break;
1316 case 0x0B:
1317 case 0x0A: { // IBlock (command CID)
1318 dynamic_response_info.response[0] = receivedCmd[0];
1319 dynamic_response_info.response[1] = 0x00;
1320 dynamic_response_info.response[2] = 0x90;
1321 dynamic_response_info.response[3] = 0x00;
1322 dynamic_response_info.response_n = 4;
1323 } break;
1324
1325 case 0x1A:
1326 case 0x1B: { // Chaining command
1327 dynamic_response_info.response[0] = 0xaa | ((receivedCmd[0]) & 1);
1328 dynamic_response_info.response_n = 2;
1329 } break;
1330
1331 case 0xaa:
1332 case 0xbb: {
1333 dynamic_response_info.response[0] = receivedCmd[0] ^ 0x11;
1334 dynamic_response_info.response_n = 2;
1335 } break;
1336
1337 case 0xBA: { // ping / pong
1338 dynamic_response_info.response[0] = 0xAB;
1339 dynamic_response_info.response[1] = 0x00;
1340 dynamic_response_info.response_n = 2;
1341 } break;
1342
1343 case 0xCA:
1344 case 0xC2: { // Readers sends deselect command
1345 dynamic_response_info.response[0] = 0xCA;
1346 dynamic_response_info.response[1] = 0x00;
1347 dynamic_response_info.response_n = 2;
1348 } break;
1349
1350 default: {
1351 // Never seen this command before
1352 if (tracing) {
1353 LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
1354 }
1355 Dbprintf("Received unknown command (len=%d):",len);
1356 Dbhexdump(len,receivedCmd,false);
1357 // Do not respond
1358 dynamic_response_info.response_n = 0;
1359 } break;
1360 }
1361
1362 if (dynamic_response_info.response_n > 0) {
1363 // Copy the CID from the reader query
1364 dynamic_response_info.response[1] = receivedCmd[1];
1365
1366 // Add CRC bytes, always used in ISO 14443A-4 compliant cards
1367 AppendCrc14443a(dynamic_response_info.response,dynamic_response_info.response_n);
1368 dynamic_response_info.response_n += 2;
1369
1370 if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
1371 Dbprintf("Error preparing tag response");
1372 if (tracing) {
1373 LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
1374 }
1375 break;
1376 }
1377 p_response = &dynamic_response_info;
1378 }
1379 }
1380
1381 // Count number of wakeups received after a halt
1382 if(order == 6 && lastorder == 5) { happened++; }
1383
1384 // Count number of other messages after a halt
1385 if(order != 6 && lastorder == 5) { happened2++; }
1386
1387 if(cmdsRecvd > 999) {
1388 DbpString("1000 commands later...");
1389 break;
1390 }
1391 cmdsRecvd++;
1392
1393 if (p_response != NULL) {
1394 EmSendCmd14443aRaw(p_response->modulation, p_response->modulation_n, receivedCmd[0] == 0x52);
1395 // do the tracing for the previous reader request and this tag answer:
1396 uint8_t par[MAX_PARITY_SIZE];
1397 GetParity(p_response->response, p_response->response_n, par);
1398
1399 EmLogTrace(Uart.output,
1400 Uart.len,
1401 Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG,
1402 Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG,
1403 Uart.parity,
1404 p_response->response,
1405 p_response->response_n,
1406 LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG,
1407 (LastTimeProxToAirStart + p_response->ProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG,
1408 par);
1409 }
1410
1411 if (!tracing) {
1412 Dbprintf("Trace Full. Simulation stopped.");
1413 break;
1414 }
1415 }
1416
1417 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1418 BigBuf_free_keep_EM();
1419 LED_A_OFF();
1420
1421 if (MF_DBGLEVEL >= 4){
1422 Dbprintf("-[ Wake ups after halt [%d]", happened);
1423 Dbprintf("-[ Messages after halt [%d]", happened2);
1424 Dbprintf("-[ Num of received cmd [%d]", cmdsRecvd);
1425 }
1426 }
1427
1428
1429 // prepare a delayed transfer. This simply shifts ToSend[] by a number
1430 // of bits specified in the delay parameter.
1431 void PrepareDelayedTransfer(uint16_t delay)
1432 {
1433 uint8_t bitmask = 0;
1434 uint8_t bits_to_shift = 0;
1435 uint8_t bits_shifted = 0;
1436
1437 delay &= 0x07;
1438 if (delay) {
1439 for (uint16_t i = 0; i < delay; i++) {
1440 bitmask |= (0x01 << i);
1441 }
1442 ToSend[ToSendMax++] = 0x00;
1443 for (uint16_t i = 0; i < ToSendMax; i++) {
1444 bits_to_shift = ToSend[i] & bitmask;
1445 ToSend[i] = ToSend[i] >> delay;
1446 ToSend[i] = ToSend[i] | (bits_shifted << (8 - delay));
1447 bits_shifted = bits_to_shift;
1448 }
1449 }
1450 }
1451
1452
1453 //-------------------------------------------------------------------------------------
1454 // Transmit the command (to the tag) that was placed in ToSend[].
1455 // Parameter timing:
1456 // if NULL: transfer at next possible time, taking into account
1457 // request guard time and frame delay time
1458 // if == 0: transfer immediately and return time of transfer
1459 // if != 0: delay transfer until time specified
1460 //-------------------------------------------------------------------------------------
1461 static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing)
1462 {
1463
1464 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1465
1466 uint32_t ThisTransferTime = 0;
1467
1468 if (timing) {
1469 if(*timing == 0) { // Measure time
1470 *timing = (GetCountSspClk() + 8) & 0xfffffff8;
1471 } else {
1472 PrepareDelayedTransfer(*timing & 0x00000007); // Delay transfer (fine tuning - up to 7 MF clock ticks)
1473 }
1474 if(MF_DBGLEVEL >= 4 && GetCountSspClk() >= (*timing & 0xfffffff8)) Dbprintf("TransmitFor14443a: Missed timing");
1475 while(GetCountSspClk() < (*timing & 0xfffffff8)); // Delay transfer (multiple of 8 MF clock ticks)
1476 LastTimeProxToAirStart = *timing;
1477 } else {
1478 ThisTransferTime = ((MAX(NextTransferTime, GetCountSspClk()) & 0xfffffff8) + 8);
1479 while(GetCountSspClk() < ThisTransferTime);
1480 LastTimeProxToAirStart = ThisTransferTime;
1481 }
1482
1483 // clear TXRDY
1484 AT91C_BASE_SSC->SSC_THR = SEC_Y;
1485
1486 uint16_t c = 0;
1487 for(;;) {
1488 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1489 AT91C_BASE_SSC->SSC_THR = cmd[c];
1490 c++;
1491 if(c >= len) {
1492 break;
1493 }
1494 }
1495 }
1496
1497 NextTransferTime = MAX(NextTransferTime, LastTimeProxToAirStart + REQUEST_GUARD_TIME);
1498 }
1499
1500
1501 //-----------------------------------------------------------------------------
1502 // Prepare reader command (in bits, support short frames) to send to FPGA
1503 //-----------------------------------------------------------------------------
1504 void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, const uint8_t *parity)
1505 {
1506 int i, j;
1507 int last;
1508 uint8_t b;
1509
1510 ToSendReset();
1511
1512 // Start of Communication (Seq. Z)
1513 ToSend[++ToSendMax] = SEC_Z;
1514 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1515 last = 0;
1516
1517 size_t bytecount = nbytes(bits);
1518 // Generate send structure for the data bits
1519 for (i = 0; i < bytecount; i++) {
1520 // Get the current byte to send
1521 b = cmd[i];
1522 size_t bitsleft = MIN((bits-(i*8)),8);
1523
1524 for (j = 0; j < bitsleft; j++) {
1525 if (b & 1) {
1526 // Sequence X
1527 ToSend[++ToSendMax] = SEC_X;
1528 LastProxToAirDuration = 8 * (ToSendMax+1) - 2;
1529 last = 1;
1530 } else {
1531 if (last == 0) {
1532 // Sequence Z
1533 ToSend[++ToSendMax] = SEC_Z;
1534 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1535 } else {
1536 // Sequence Y
1537 ToSend[++ToSendMax] = SEC_Y;
1538 last = 0;
1539 }
1540 }
1541 b >>= 1;
1542 }
1543
1544 // Only transmit parity bit if we transmitted a complete byte
1545 if (j == 8 && parity != NULL) {
1546 // Get the parity bit
1547 if (parity[i>>3] & (0x80 >> (i&0x0007))) {
1548 // Sequence X
1549 ToSend[++ToSendMax] = SEC_X;
1550 LastProxToAirDuration = 8 * (ToSendMax+1) - 2;
1551 last = 1;
1552 } else {
1553 if (last == 0) {
1554 // Sequence Z
1555 ToSend[++ToSendMax] = SEC_Z;
1556 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1557 } else {
1558 // Sequence Y
1559 ToSend[++ToSendMax] = SEC_Y;
1560 last = 0;
1561 }
1562 }
1563 }
1564 }
1565
1566 // End of Communication: Logic 0 followed by Sequence Y
1567 if (last == 0) {
1568 // Sequence Z
1569 ToSend[++ToSendMax] = SEC_Z;
1570 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1571 } else {
1572 // Sequence Y
1573 ToSend[++ToSendMax] = SEC_Y;
1574 last = 0;
1575 }
1576 ToSend[++ToSendMax] = SEC_Y;
1577
1578 // Convert to length of command:
1579 ToSendMax++;
1580 }
1581
1582 //-----------------------------------------------------------------------------
1583 // Prepare reader command to send to FPGA
1584 //-----------------------------------------------------------------------------
1585 void CodeIso14443aAsReaderPar(const uint8_t *cmd, uint16_t len, const uint8_t *parity)
1586 {
1587 CodeIso14443aBitsAsReaderPar(cmd, len*8, parity);
1588 }
1589
1590
1591 //-----------------------------------------------------------------------------
1592 // Wait for commands from reader
1593 // Stop when button is pressed (return 1) or field was gone (return 2)
1594 // Or return 0 when command is captured
1595 //-----------------------------------------------------------------------------
1596 static int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity)
1597 {
1598 *len = 0;
1599
1600 uint32_t timer = 0, vtime = 0;
1601 int analogCnt = 0;
1602 int analogAVG = 0;
1603
1604 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1605 // only, since we are receiving, not transmitting).
1606 // Signal field is off with the appropriate LED
1607 LED_D_OFF();
1608 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1609
1610 // Set ADC to read field strength
1611 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
1612 AT91C_BASE_ADC->ADC_MR =
1613 ADC_MODE_PRESCALE(63) |
1614 ADC_MODE_STARTUP_TIME(1) |
1615 ADC_MODE_SAMPLE_HOLD_TIME(15);
1616 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
1617 // start ADC
1618 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1619
1620 // Now run a 'software UART' on the stream of incoming samples.
1621 UartInit(received, parity);
1622
1623 // Clear RXRDY:
1624 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1625
1626 for(;;) {
1627 WDT_HIT();
1628
1629 if (BUTTON_PRESS()) return 1;
1630
1631 // test if the field exists
1632 if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
1633 analogCnt++;
1634 analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
1635 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1636 if (analogCnt >= 32) {
1637 if ((MAX_ADC_HF_VOLTAGE * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
1638 vtime = GetTickCount();
1639 if (!timer) timer = vtime;
1640 // 50ms no field --> card to idle state
1641 if (vtime - timer > 50) return 2;
1642 } else
1643 if (timer) timer = 0;
1644 analogCnt = 0;
1645 analogAVG = 0;
1646 }
1647 }
1648
1649 // receive and test the miller decoding
1650 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1651 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1652 if(MillerDecoding(b, 0)) {
1653 *len = Uart.len;
1654 return 0;
1655 }
1656 }
1657
1658 }
1659 }
1660
1661
1662 static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNeeded)
1663 {
1664 uint8_t b;
1665 uint16_t i = 0;
1666 uint32_t ThisTransferTime;
1667
1668 // Modulate Manchester
1669 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1670
1671 // include correction bit if necessary
1672 if (Uart.parityBits & 0x01) {
1673 correctionNeeded = TRUE;
1674 }
1675 if(correctionNeeded) {
1676 // 1236, so correction bit needed
1677 i = 0;
1678 } else {
1679 i = 1;
1680 }
1681
1682 // clear receiving shift register and holding register
1683 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
1684 b = AT91C_BASE_SSC->SSC_RHR; (void) b;
1685 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
1686 b = AT91C_BASE_SSC->SSC_RHR; (void) b;
1687
1688 // wait for the FPGA to signal fdt_indicator == 1 (the FPGA is ready to queue new data in its delay line)
1689 for (uint16_t j = 0; j < 5; j++) { // allow timeout - better late than never
1690 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
1691 if (AT91C_BASE_SSC->SSC_RHR) break;
1692 }
1693
1694 while ((ThisTransferTime = GetCountSspClk()) & 0x00000007);
1695
1696 // Clear TXRDY:
1697 AT91C_BASE_SSC->SSC_THR = SEC_F;
1698
1699 // send cycle
1700 for(; i < respLen; ) {
1701 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1702 AT91C_BASE_SSC->SSC_THR = resp[i++];
1703 FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1704 }
1705
1706 if(BUTTON_PRESS()) break;
1707 }
1708
1709 // Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN again:
1710 uint8_t fpga_queued_bits = FpgaSendQueueDelay >> 3;
1711 for (i = 0; i <= fpga_queued_bits/8 + 1; ) {
1712 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1713 AT91C_BASE_SSC->SSC_THR = SEC_F;
1714 FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1715 i++;
1716 }
1717 }
1718
1719 LastTimeProxToAirStart = ThisTransferTime + (correctionNeeded?8:0);
1720
1721 return 0;
1722 }
1723
1724 int EmSend4bitEx(uint8_t resp, bool correctionNeeded){
1725 Code4bitAnswerAsTag(resp);
1726 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
1727 // do the tracing for the previous reader request and this tag answer:
1728 uint8_t par[1];
1729 GetParity(&resp, 1, par);
1730 EmLogTrace(Uart.output,
1731 Uart.len,
1732 Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG,
1733 Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG,
1734 Uart.parity,
1735 &resp,
1736 1,
1737 LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG,
1738 (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG,
1739 par);
1740 return res;
1741 }
1742
1743 int EmSend4bit(uint8_t resp){
1744 return EmSend4bitEx(resp, false);
1745 }
1746
1747 int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, bool correctionNeeded, uint8_t *par){
1748 CodeIso14443aAsTagPar(resp, respLen, par);
1749 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
1750 // do the tracing for the previous reader request and this tag answer:
1751 EmLogTrace(Uart.output,
1752 Uart.len,
1753 Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG,
1754 Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG,
1755 Uart.parity,
1756 resp,
1757 respLen,
1758 LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG,
1759 (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG,
1760 par);
1761 return res;
1762 }
1763
1764 int EmSendCmdEx(uint8_t *resp, uint16_t respLen, bool correctionNeeded){
1765 uint8_t par[MAX_PARITY_SIZE];
1766 GetParity(resp, respLen, par);
1767 return EmSendCmdExPar(resp, respLen, correctionNeeded, par);
1768 }
1769
1770 int EmSendCmd(uint8_t *resp, uint16_t respLen){
1771 uint8_t par[MAX_PARITY_SIZE];
1772 GetParity(resp, respLen, par);
1773 return EmSendCmdExPar(resp, respLen, false, par);
1774 }
1775
1776 int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par){
1777 return EmSendCmdExPar(resp, respLen, false, par);
1778 }
1779
1780 bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity,
1781 uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint8_t *tag_Parity)
1782 {
1783 if (tracing) {
1784 // we cannot exactly measure the end and start of a received command from reader. However we know that the delay from
1785 // end of the received command to start of the tag's (simulated by us) answer is n*128+20 or n*128+84 resp.
1786 // with n >= 9. The start of the tags answer can be measured and therefore the end of the received command be calculated:
1787 uint16_t reader_modlen = reader_EndTime - reader_StartTime;
1788 uint16_t approx_fdt = tag_StartTime - reader_EndTime;
1789 uint16_t exact_fdt = (approx_fdt - 20 + 32)/64 * 64 + 20;
1790 reader_EndTime = tag_StartTime - exact_fdt;
1791 reader_StartTime = reader_EndTime - reader_modlen;
1792 if (!LogTrace(reader_data, reader_len, reader_StartTime, reader_EndTime, reader_Parity, TRUE)) {
1793 return FALSE;
1794 } else return(!LogTrace(tag_data, tag_len, tag_StartTime, tag_EndTime, tag_Parity, FALSE));
1795 } else {
1796 return TRUE;
1797 }
1798 }
1799
1800 //-----------------------------------------------------------------------------
1801 // Wait a certain time for tag response
1802 // If a response is captured return TRUE
1803 // If it takes too long return FALSE
1804 //-----------------------------------------------------------------------------
1805 static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receivedResponsePar, uint16_t offset)
1806 {
1807 uint32_t c = 0x00;
1808
1809 // Set FPGA mode to "reader listen mode", no modulation (listen
1810 // only, since we are receiving, not transmitting).
1811 // Signal field is on with the appropriate LED
1812 LED_D_ON();
1813 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1814
1815 // Now get the answer from the card
1816 DemodInit(receivedResponse, receivedResponsePar);
1817
1818 // clear RXRDY:
1819 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1820
1821 for(;;) {
1822 WDT_HIT();
1823
1824 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1825 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1826 if(ManchesterDecoding(b, offset, 0)) {
1827 NextTransferTime = MAX(NextTransferTime, Demod.endTime - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/16 + FRAME_DELAY_TIME_PICC_TO_PCD);
1828 return TRUE;
1829 } else if (c++ > iso14a_timeout && Demod.state == DEMOD_UNSYNCD) {
1830 return FALSE;
1831 }
1832 }
1833 }
1834 }
1835
1836 void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing)
1837 {
1838 CodeIso14443aBitsAsReaderPar(frame, bits, par);
1839
1840 // Send command to tag
1841 TransmitFor14443a(ToSend, ToSendMax, timing);
1842 if(trigger)
1843 LED_A_ON();
1844
1845 // Log reader command in trace buffer
1846 if (tracing) {
1847 LogTrace(frame, nbytes(bits), LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_READER, (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_READER, par, TRUE);
1848 }
1849 }
1850
1851 void ReaderTransmitPar(uint8_t* frame, uint16_t len, uint8_t *par, uint32_t *timing)
1852 {
1853 ReaderTransmitBitsPar(frame, len*8, par, timing);
1854 }
1855
1856 void ReaderTransmitBits(uint8_t* frame, uint16_t len, uint32_t *timing)
1857 {
1858 // Generate parity and redirect
1859 uint8_t par[MAX_PARITY_SIZE];
1860 GetParity(frame, len/8, par);
1861 ReaderTransmitBitsPar(frame, len, par, timing);
1862 }
1863
1864 void ReaderTransmit(uint8_t* frame, uint16_t len, uint32_t *timing)
1865 {
1866 // Generate parity and redirect
1867 uint8_t par[MAX_PARITY_SIZE];
1868 GetParity(frame, len, par);
1869 ReaderTransmitBitsPar(frame, len*8, par, timing);
1870 }
1871
1872 int ReaderReceiveOffset(uint8_t* receivedAnswer, uint16_t offset, uint8_t *parity)
1873 {
1874 if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, offset)) return FALSE;
1875 if (tracing) {
1876 LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE);
1877 }
1878 return Demod.len;
1879 }
1880
1881 int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity)
1882 {
1883 if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, 0)) return FALSE;
1884 if (tracing) {
1885 LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE);
1886 }
1887 return Demod.len;
1888 }
1889
1890 /* performs iso14443a anticollision procedure
1891 * fills the uid pointer unless NULL
1892 * fills resp_data unless NULL */
1893 int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr) {
1894 uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
1895 uint8_t sel_all[] = { 0x93,0x20 };
1896 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
1897 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
1898 uint8_t resp[MAX_FRAME_SIZE]; // theoretically. A usual RATS will be much smaller
1899 uint8_t resp_par[MAX_PARITY_SIZE];
1900 byte_t uid_resp[4];
1901 size_t uid_resp_len;
1902
1903 uint8_t sak = 0x04; // cascade uid
1904 int cascade_level = 0;
1905 int len;
1906
1907 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1908 ReaderTransmitBitsPar(wupa,7,0, NULL);
1909
1910 // Receive the ATQA
1911 if(!ReaderReceive(resp, resp_par)) return 0;
1912
1913 if(p_hi14a_card) {
1914 memcpy(p_hi14a_card->atqa, resp, 2);
1915 p_hi14a_card->uidlen = 0;
1916 memset(p_hi14a_card->uid,0,10);
1917 }
1918
1919 // clear uid
1920 if (uid_ptr) {
1921 memset(uid_ptr,0,10);
1922 }
1923
1924 // check for proprietary anticollision:
1925 if ((resp[0] & 0x1F) == 0) {
1926 return 3;
1927 }
1928
1929 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
1930 // which case we need to make a cascade 2 request and select - this is a long UID
1931 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1932 for(; sak & 0x04; cascade_level++) {
1933 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1934 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1935
1936 // SELECT_ALL
1937 ReaderTransmit(sel_all, sizeof(sel_all), NULL);
1938 if (!ReaderReceive(resp, resp_par)) return 0;
1939
1940 if (Demod.collisionPos) { // we had a collision and need to construct the UID bit by bit
1941 memset(uid_resp, 0, 4);
1942 uint16_t uid_resp_bits = 0;
1943 uint16_t collision_answer_offset = 0;
1944 // anti-collision-loop:
1945 while (Demod.collisionPos) {
1946 Dbprintf("Multiple tags detected. Collision after Bit %d", Demod.collisionPos);
1947 for (uint16_t i = collision_answer_offset; i < Demod.collisionPos; i++, uid_resp_bits++) { // add valid UID bits before collision point
1948 uint16_t UIDbit = (resp[i/8] >> (i % 8)) & 0x01;
1949 uid_resp[uid_resp_bits / 8] |= UIDbit << (uid_resp_bits % 8);
1950 }
1951 uid_resp[uid_resp_bits/8] |= 1 << (uid_resp_bits % 8); // next time select the card(s) with a 1 in the collision position
1952 uid_resp_bits++;
1953 // construct anticollosion command:
1954 sel_uid[1] = ((2 + uid_resp_bits/8) << 4) | (uid_resp_bits & 0x07); // length of data in bytes and bits
1955 for (uint16_t i = 0; i <= uid_resp_bits/8; i++) {
1956 sel_uid[2+i] = uid_resp[i];
1957 }
1958 collision_answer_offset = uid_resp_bits%8;
1959 ReaderTransmitBits(sel_uid, 16 + uid_resp_bits, NULL);
1960 if (!ReaderReceiveOffset(resp, collision_answer_offset, resp_par)) return 0;
1961 }
1962 // finally, add the last bits and BCC of the UID
1963 for (uint16_t i = collision_answer_offset; i < (Demod.len-1)*8; i++, uid_resp_bits++) {
1964 uint16_t UIDbit = (resp[i/8] >> (i%8)) & 0x01;
1965 uid_resp[uid_resp_bits/8] |= UIDbit << (uid_resp_bits % 8);
1966 }
1967
1968 } else { // no collision, use the response to SELECT_ALL as current uid
1969 memcpy(uid_resp, resp, 4);
1970 }
1971 uid_resp_len = 4;
1972
1973 // calculate crypto UID. Always use last 4 Bytes.
1974 if(cuid_ptr) {
1975 *cuid_ptr = bytes_to_num(uid_resp, 4);
1976 }
1977
1978 // Construct SELECT UID command
1979 sel_uid[1] = 0x70; // transmitting a full UID (1 Byte cmd, 1 Byte NVB, 4 Byte UID, 1 Byte BCC, 2 Bytes CRC)
1980 memcpy(sel_uid+2, uid_resp, 4); // the UID
1981 sel_uid[6] = sel_uid[2] ^ sel_uid[3] ^ sel_uid[4] ^ sel_uid[5]; // calculate and add BCC
1982 AppendCrc14443a(sel_uid, 7); // calculate and add CRC
1983 ReaderTransmit(sel_uid, sizeof(sel_uid), NULL);
1984
1985 // Receive the SAK
1986 if (!ReaderReceive(resp, resp_par)) return 0;
1987 sak = resp[0];
1988
1989 // Test if more parts of the uid are coming
1990 if ((sak & 0x04) /* && uid_resp[0] == 0x88 */) {
1991 // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
1992 // http://www.nxp.com/documents/application_note/AN10927.pdf
1993 uid_resp[0] = uid_resp[1];
1994 uid_resp[1] = uid_resp[2];
1995 uid_resp[2] = uid_resp[3];
1996
1997 uid_resp_len = 3;
1998 }
1999
2000 if(uid_ptr) {
2001 memcpy(uid_ptr + (cascade_level*3), uid_resp, uid_resp_len);
2002 }
2003
2004 if(p_hi14a_card) {
2005 memcpy(p_hi14a_card->uid + (cascade_level*3), uid_resp, uid_resp_len);
2006 p_hi14a_card->uidlen += uid_resp_len;
2007 }
2008 }
2009
2010 if(p_hi14a_card) {
2011 p_hi14a_card->sak = sak;
2012 p_hi14a_card->ats_len = 0;
2013 }
2014
2015 // non iso14443a compliant tag
2016 if( (sak & 0x20) == 0) return 2;
2017
2018 // Request for answer to select
2019 AppendCrc14443a(rats, 2);
2020 ReaderTransmit(rats, sizeof(rats), NULL);
2021
2022 if (!(len = ReaderReceive(resp, resp_par))) return 0;
2023
2024
2025 if(p_hi14a_card) {
2026 memcpy(p_hi14a_card->ats, resp, sizeof(p_hi14a_card->ats));
2027 p_hi14a_card->ats_len = len;
2028 }
2029
2030 // reset the PCB block number
2031 iso14_pcb_blocknum = 0;
2032
2033 // set default timeout based on ATS
2034 iso14a_set_ATS_timeout(resp);
2035
2036 return 1;
2037 }
2038
2039 void iso14443a_setup(uint8_t fpga_minor_mode) {
2040 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
2041 // Set up the synchronous serial port
2042 FpgaSetupSsc();
2043 // connect Demodulated Signal to ADC:
2044 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
2045
2046 // Signal field is on with the appropriate LED
2047 if (fpga_minor_mode == FPGA_HF_ISO14443A_READER_MOD
2048 || fpga_minor_mode == FPGA_HF_ISO14443A_READER_LISTEN) {
2049 LED_D_ON();
2050 } else {
2051 LED_D_OFF();
2052 }
2053 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | fpga_minor_mode);
2054
2055 // Start the timer
2056 StartCountSspClk();
2057
2058 DemodReset();
2059 UartReset();
2060 NextTransferTime = 2*DELAY_ARM2AIR_AS_READER;
2061 iso14a_set_timeout(10*106); // 10ms default
2062 }
2063
2064 int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
2065 uint8_t parity[MAX_PARITY_SIZE];
2066 uint8_t real_cmd[cmd_len+4];
2067 real_cmd[0] = 0x0a; //I-Block
2068 // put block number into the PCB
2069 real_cmd[0] |= iso14_pcb_blocknum;
2070 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
2071 memcpy(real_cmd+2, cmd, cmd_len);
2072 AppendCrc14443a(real_cmd,cmd_len+2);
2073
2074 ReaderTransmit(real_cmd, cmd_len+4, NULL);
2075 size_t len = ReaderReceive(data, parity);
2076 uint8_t *data_bytes = (uint8_t *) data;
2077 if (!len)
2078 return 0; //DATA LINK ERROR
2079 // if we received an I- or R(ACK)-Block with a block number equal to the
2080 // current block number, toggle the current block number
2081 else if (len >= 4 // PCB+CID+CRC = 4 bytes
2082 && ((data_bytes[0] & 0xC0) == 0 // I-Block
2083 || (data_bytes[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
2084 && (data_bytes[0] & 0x01) == iso14_pcb_blocknum) // equal block numbers
2085 {
2086 iso14_pcb_blocknum ^= 1;
2087 }
2088
2089 return len;
2090 }
2091
2092 //-----------------------------------------------------------------------------
2093 // Read an ISO 14443a tag. Send out commands and store answers.
2094 //
2095 //-----------------------------------------------------------------------------
2096 void ReaderIso14443a(UsbCommand *c)
2097 {
2098 iso14a_command_t param = c->arg[0];
2099 uint8_t *cmd = c->d.asBytes;
2100 size_t len = c->arg[1] & 0xffff;
2101 size_t lenbits = c->arg[1] >> 16;
2102 uint32_t timeout = c->arg[2];
2103 uint32_t arg0 = 0;
2104 byte_t buf[USB_CMD_DATA_SIZE];
2105 uint8_t par[MAX_PARITY_SIZE];
2106
2107 if(param & ISO14A_CONNECT) {
2108 clear_trace();
2109 }
2110
2111 set_tracing(TRUE);
2112
2113 if(param & ISO14A_REQUEST_TRIGGER) {
2114 iso14a_set_trigger(TRUE);
2115 }
2116
2117 if(param & ISO14A_CONNECT) {
2118 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
2119 if(!(param & ISO14A_NO_SELECT)) {
2120 iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
2121 arg0 = iso14443a_select_card(NULL,card,NULL);
2122 cmd_send(CMD_ACK,arg0,card->uidlen,0,buf,sizeof(iso14a_card_select_t));
2123 }
2124 }
2125
2126 if(param & ISO14A_SET_TIMEOUT) {
2127 iso14a_set_timeout(timeout);
2128 }
2129
2130 if(param & ISO14A_APDU) {
2131 arg0 = iso14_apdu(cmd, len, buf);
2132 cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
2133 }
2134
2135 if(param & ISO14A_RAW) {
2136 if(param & ISO14A_APPEND_CRC) {
2137 if(param & ISO14A_TOPAZMODE) {
2138 AppendCrc14443b(cmd,len);
2139 } else {
2140 AppendCrc14443a(cmd,len);
2141 }
2142 len += 2;
2143 if (lenbits) lenbits += 16;
2144 }
2145 if(lenbits>0) { // want to send a specific number of bits (e.g. short commands)
2146 if(param & ISO14A_TOPAZMODE) {
2147 int bits_to_send = lenbits;
2148 uint16_t i = 0;
2149 ReaderTransmitBitsPar(&cmd[i++], MIN(bits_to_send, 7), NULL, NULL); // first byte is always short (7bits) and no parity
2150 bits_to_send -= 7;
2151 while (bits_to_send > 0) {
2152 ReaderTransmitBitsPar(&cmd[i++], MIN(bits_to_send, 8), NULL, NULL); // following bytes are 8 bit and no parity
2153 bits_to_send -= 8;
2154 }
2155 } else {
2156 GetParity(cmd, lenbits/8, par);
2157 ReaderTransmitBitsPar(cmd, lenbits, par, NULL); // bytes are 8 bit with odd parity
2158 }
2159 } else { // want to send complete bytes only
2160 if(param & ISO14A_TOPAZMODE) {
2161 uint16_t i = 0;
2162 ReaderTransmitBitsPar(&cmd[i++], 7, NULL, NULL); // first byte: 7 bits, no paritiy
2163 while (i < len) {
2164 ReaderTransmitBitsPar(&cmd[i++], 8, NULL, NULL); // following bytes: 8 bits, no paritiy
2165 }
2166 } else {
2167 ReaderTransmit(cmd,len, NULL); // 8 bits, odd parity
2168 }
2169 }
2170 arg0 = ReaderReceive(buf, par);
2171 cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
2172 }
2173
2174 if(param & ISO14A_REQUEST_TRIGGER) {
2175 iso14a_set_trigger(FALSE);
2176 }
2177
2178 if(param & ISO14A_NO_DISCONNECT) {
2179 return;
2180 }
2181
2182 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2183 LEDsoff();
2184 }
2185
2186
2187 // Determine the distance between two nonces.
2188 // Assume that the difference is small, but we don't know which is first.
2189 // Therefore try in alternating directions.
2190 int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
2191
2192 uint16_t i;
2193 uint32_t nttmp1, nttmp2;
2194
2195 if (nt1 == nt2) return 0;
2196
2197 nttmp1 = nt1;
2198 nttmp2 = nt2;
2199
2200 for (i = 1; i < 0xFFFF; i++) {
2201 nttmp1 = prng_successor(nttmp1, 1);
2202 if (nttmp1 == nt2) return i;
2203 nttmp2 = prng_successor(nttmp2, 1);
2204 if (nttmp2 == nt1) return -i;
2205 }
2206
2207 return(-99999); // either nt1 or nt2 are invalid nonces
2208 }
2209
2210
2211 //-----------------------------------------------------------------------------
2212 // Recover several bits of the cypher stream. This implements (first stages of)
2213 // the algorithm described in "The Dark Side of Security by Obscurity and
2214 // Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
2215 // (article by Nicolas T. Courtois, 2009)
2216 //-----------------------------------------------------------------------------
2217 void ReaderMifare(bool first_try)
2218 {
2219 // Mifare AUTH
2220 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
2221 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
2222 static uint8_t mf_nr_ar3;
2223
2224 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
2225 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
2226
2227 if (first_try) {
2228 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
2229 }
2230
2231 // free eventually allocated BigBuf memory. We want all for tracing.
2232 BigBuf_free();
2233
2234 clear_trace();
2235 set_tracing(TRUE);
2236
2237 byte_t nt_diff = 0;
2238 uint8_t par[1] = {0}; // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
2239 static byte_t par_low = 0;
2240 bool led_on = TRUE;
2241 uint8_t uid[10] ={0};
2242 uint32_t cuid;
2243
2244 uint32_t nt = 0;
2245 uint32_t previous_nt = 0;
2246 static uint32_t nt_attacked = 0;
2247 byte_t par_list[8] = {0x00};
2248 byte_t ks_list[8] = {0x00};
2249
2250 #define PRNG_SEQUENCE_LENGTH (1 << 16);
2251 static uint32_t sync_time = 0;
2252 static uint32_t sync_cycles = 0;
2253 int catch_up_cycles = 0;
2254 int last_catch_up = 0;
2255 uint16_t consecutive_resyncs = 0;
2256 int isOK = 0;
2257
2258 if (first_try) {
2259 mf_nr_ar3 = 0;
2260 sync_time = GetCountSspClk() & 0xfffffff8;
2261 sync_cycles = PRNG_SEQUENCE_LENGTH; //65536; //0x10000 // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).
2262 nt_attacked = 0;
2263 nt = 0;
2264 par[0] = 0;
2265 }
2266 else {
2267 // we were unsuccessful on a previous call. Try another READER nonce (first 3 parity bits remain the same)
2268 mf_nr_ar3++;
2269 mf_nr_ar[3] = mf_nr_ar3;
2270 par[0] = par_low;
2271 }
2272
2273 LED_A_ON();
2274 LED_B_OFF();
2275 LED_C_OFF();
2276
2277
2278 #define MAX_UNEXPECTED_RANDOM 5 // maximum number of unexpected (i.e. real) random numbers when trying to sync. Then give up.
2279 #define MAX_SYNC_TRIES 16
2280 uint16_t unexpected_random = 0;
2281 uint16_t sync_tries = 0;
2282 int16_t debug_info_nr = -1;
2283 uint32_t debug_info[MAX_SYNC_TRIES];
2284
2285 for(uint16_t i = 0; TRUE; i++) {
2286
2287 LED_C_ON();
2288 WDT_HIT();
2289
2290 // Test if the action was cancelled
2291 if(BUTTON_PRESS()) {
2292 isOK = -1;
2293 break;
2294 }
2295
2296 if(!iso14443a_select_card(uid, NULL, &cuid)) {
2297 if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Can't select card");
2298 continue;
2299 }
2300
2301 if (debug_info_nr == -1) {
2302 sync_time = (sync_time & 0xfffffff8) + sync_cycles + catch_up_cycles;
2303 catch_up_cycles = 0;
2304
2305 // if we missed the sync time already, advance to the next nonce repeat
2306 while(GetCountSspClk() > sync_time) {
2307 sync_time = (sync_time & 0xfffffff8) + sync_cycles;
2308 }
2309
2310 // Transmit MIFARE_CLASSIC_AUTH at synctime. Should result in returning the same tag nonce (== nt_attacked)
2311 ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);
2312 } else {
2313 ReaderTransmit(mf_auth, sizeof(mf_auth), NULL);
2314 }
2315
2316 // Receive the (4 Byte) "random" nonce
2317 if (!ReaderReceive(receivedAnswer, receivedAnswerPar)) {
2318 if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Couldn't receive tag nonce");
2319 continue;
2320 }
2321
2322 previous_nt = nt;
2323 nt = bytes_to_num(receivedAnswer, 4);
2324
2325 // Transmit reader nonce with fake par
2326 ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par, NULL);
2327
2328 if (first_try && previous_nt && !nt_attacked) { // we didn't calibrate our clock yet
2329 int nt_distance = dist_nt(previous_nt, nt);
2330 if (nt_distance == 0) {
2331 nt_attacked = nt;
2332 } else {
2333 if (nt_distance == -99999) { // invalid nonce received
2334 unexpected_random++;
2335 if (!nt_attacked && unexpected_random > MAX_UNEXPECTED_RANDOM) {
2336 isOK = -3; // Card has an unpredictable PRNG. Give up
2337 break;
2338 } else {
2339 continue; // continue trying...
2340 }
2341 }
2342 if (++sync_tries > MAX_SYNC_TRIES) {
2343 if (sync_tries > 2 * MAX_SYNC_TRIES) {
2344 isOK = -4; // Card's PRNG runs at an unexpected frequency or resets unexpectedly
2345 break;
2346 } else { // continue for a while, just to collect some debug info
2347 debug_info[++debug_info_nr] = nt_distance;
2348 continue;
2349 }
2350 }
2351 sync_cycles = (sync_cycles - nt_distance);
2352 if (sync_cycles <= 0) {
2353 sync_cycles += PRNG_SEQUENCE_LENGTH;
2354 }
2355 if (MF_DBGLEVEL >= 3) {
2356 Dbprintf("calibrating in cycle %d. nt_distance=%d, Sync_cycles: %d\n", i, nt_distance, sync_cycles);
2357 }
2358 continue;
2359 }
2360 }
2361
2362 if ((nt != nt_attacked) && nt_attacked) { // we somehow lost sync. Try to catch up again...
2363 catch_up_cycles = -dist_nt(nt_attacked, nt);
2364 if (catch_up_cycles == 99999) { // invalid nonce received. Don't resync on that one.
2365 catch_up_cycles = 0;
2366 continue;
2367 }
2368 if (catch_up_cycles == last_catch_up) {
2369 consecutive_resyncs++;
2370 }
2371 else {
2372 last_catch_up = catch_up_cycles;
2373 consecutive_resyncs = 0;
2374 }
2375 if (consecutive_resyncs < 3) {
2376 if (MF_DBGLEVEL >= 3) Dbprintf("Lost sync in cycle %d. nt_distance=%d. Consecutive Resyncs = %d. Trying one time catch up...\n", i, -catch_up_cycles, consecutive_resyncs);
2377 }
2378 else {
2379 sync_cycles = sync_cycles + catch_up_cycles;
2380 if (MF_DBGLEVEL >= 3) Dbprintf("Lost sync in cycle %d for the fourth time consecutively (nt_distance = %d). Adjusting sync_cycles to %d.\n", i, -catch_up_cycles, sync_cycles);
2381 }
2382 continue;
2383 }
2384
2385 consecutive_resyncs = 0;
2386
2387 // Receive answer. This will be a 4 Bit NACK when the 8 parity bits are OK after decoding
2388 if (ReaderReceive(receivedAnswer, receivedAnswerPar))
2389 {
2390 catch_up_cycles = 8; // the PRNG is delayed by 8 cycles due to the NAC (4Bits = 0x05 encrypted) transfer
2391
2392 if (nt_diff == 0)
2393 {
2394 par_low = par[0] & 0xE0; // there is no need to check all parities for other nt_diff. Parity Bits for mf_nr_ar[0..2] won't change
2395 }
2396
2397 led_on = !led_on;
2398 if(led_on) LED_B_ON(); else LED_B_OFF();
2399
2400 par_list[nt_diff] = SwapBits(par[0], 8);
2401 ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
2402
2403 // Test if the information is complete
2404 if (nt_diff == 0x07) {
2405 isOK = 1;
2406 break;
2407 }
2408
2409 nt_diff = (nt_diff + 1) & 0x07;
2410 mf_nr_ar[3] = (mf_nr_ar[3] & 0x1F) | (nt_diff << 5);
2411 par[0] = par_low;
2412 } else {
2413 if (nt_diff == 0 && first_try)
2414 {
2415 par[0]++;
2416 if (par[0] == 0x00) { // tried all 256 possible parities without success. Card doesn't send NACK.
2417 isOK = -2;
2418 break;
2419 }
2420 } else {
2421 par[0] = ((par[0] & 0x1F) + 1) | par_low;
2422 }
2423 }
2424 }
2425
2426
2427 mf_nr_ar[3] &= 0x1F;
2428
2429 if (isOK == -4) {
2430 if (MF_DBGLEVEL >= 3) {
2431 for(uint16_t i = 0; i < MAX_SYNC_TRIES; i++) {
2432 Dbprintf("collected debug info[%d] = %d\n", i, debug_info[i]);
2433 }
2434 }
2435 }
2436
2437 byte_t buf[28];
2438 memcpy(buf + 0, uid, 4);
2439 num_to_bytes(nt, 4, buf + 4);
2440 memcpy(buf + 8, par_list, 8);
2441 memcpy(buf + 16, ks_list, 8);
2442 memcpy(buf + 24, mf_nr_ar, 4);
2443
2444 cmd_send(CMD_ACK,isOK,0,0,buf,28);
2445
2446 // Thats it...
2447 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2448 LEDsoff();
2449
2450 set_tracing(FALSE);
2451 }
2452
2453 /**
2454 *MIFARE 1K simulate.
2455 *
2456 *@param flags :
2457 * FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
2458 * 4B_FLAG_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that
2459 * 7B_FLAG_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
2460 * FLAG_NR_AR_ATTACK - means we should collect NR_AR responses for bruteforcing later
2461 *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is inifite
2462 */
2463 void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain)
2464 {
2465 int cardSTATE = MFEMUL_NOFIELD;
2466 int _7BUID = 0;
2467 int vHf = 0; // in mV
2468 int res;
2469 uint32_t selTimer = 0;
2470 uint32_t authTimer = 0;
2471 uint16_t len = 0;
2472 uint8_t cardWRBL = 0;
2473 uint8_t cardAUTHSC = 0;
2474 uint8_t cardAUTHKEY = 0xff; // no authentication
2475 // uint32_t cardRr = 0;
2476 uint32_t cuid = 0;
2477 //uint32_t rn_enc = 0;
2478 uint32_t ans = 0;
2479 uint32_t cardINTREG = 0;
2480 uint8_t cardINTBLOCK = 0;
2481 struct Crypto1State mpcs = {0, 0};
2482 struct Crypto1State *pcs;
2483 pcs = &mpcs;
2484 uint32_t numReads = 0;//Counts numer of times reader read a block
2485 uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE];
2486 uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE];
2487 uint8_t response[MAX_MIFARE_FRAME_SIZE];
2488 uint8_t response_par[MAX_MIFARE_PARITY_SIZE];
2489
2490 uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
2491 uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
2492 uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
2493 //uint8_t rSAK[] = {0x08, 0xb6, 0xdd}; // Mifare Classic
2494 uint8_t rSAK[] = {0x09, 0x3f, 0xcc }; // Mifare Mini
2495 uint8_t rSAK1[] = {0x04, 0xda, 0x17};
2496
2497 uint8_t rAUTH_NT[] = {0x01, 0x01, 0x01, 0x01};
2498 uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
2499
2500 //Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2
2501 // This can be used in a reader-only attack.
2502 // (it can also be retrieved via 'hf 14a list', but hey...
2503 uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0,0};
2504 uint8_t ar_nr_collected = 0;
2505
2506 // Authenticate response - nonce
2507 uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
2508
2509 //-- Determine the UID
2510 // Can be set from emulator memory, incoming data
2511 // and can be 7 or 4 bytes long
2512 if (flags & FLAG_4B_UID_IN_DATA)
2513 {
2514 // 4B uid comes from data-portion of packet
2515 memcpy(rUIDBCC1,datain,4);
2516 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2517
2518 } else if (flags & FLAG_7B_UID_IN_DATA) {
2519 // 7B uid comes from data-portion of packet
2520 memcpy(&rUIDBCC1[1],datain,3);
2521 memcpy(rUIDBCC2, datain+3, 4);
2522 _7BUID = true;
2523 } else {
2524 // get UID from emul memory
2525 emlGetMemBt(receivedCmd, 7, 1);
2526 _7BUID = !(receivedCmd[0] == 0x00);
2527 if (!_7BUID) { // ---------- 4BUID
2528 emlGetMemBt(rUIDBCC1, 0, 4);
2529 } else { // ---------- 7BUID
2530 emlGetMemBt(&rUIDBCC1[1], 0, 3);
2531 emlGetMemBt(rUIDBCC2, 3, 4);
2532 }
2533 }
2534
2535 // save uid.
2536 ar_nr_responses[0*5] = bytes_to_num(rUIDBCC1+1, 3);
2537 if ( _7BUID )
2538 ar_nr_responses[0*5+1] = bytes_to_num(rUIDBCC2, 4);
2539
2540 /*
2541 * Regardless of what method was used to set the UID, set fifth byte and modify
2542 * the ATQA for 4 or 7-byte UID
2543 */
2544 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2545 if (_7BUID) {
2546 rATQA[0] = 0x44;
2547 rUIDBCC1[0] = 0x88;
2548 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2549 rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
2550 }
2551
2552 if (MF_DBGLEVEL >= 1) {
2553 if (!_7BUID) {
2554 Dbprintf("4B UID: %02x%02x%02x%02x",
2555 rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3]);
2556 } else {
2557 Dbprintf("7B UID: (%02x)%02x%02x%02x%02x%02x%02x%02x",
2558 rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3],
2559 rUIDBCC2[0], rUIDBCC2[1] ,rUIDBCC2[2], rUIDBCC2[3]);
2560 }
2561 }
2562
2563 // We need to listen to the high-frequency, peak-detected path.
2564 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
2565
2566 // free eventually allocated BigBuf memory but keep Emulator Memory
2567 BigBuf_free_keep_EM();
2568
2569 // clear trace
2570 clear_trace();
2571 set_tracing(TRUE);
2572
2573
2574 bool finished = FALSE;
2575 while (!BUTTON_PRESS() && !finished) {
2576 WDT_HIT();
2577
2578 // find reader field
2579 if (cardSTATE == MFEMUL_NOFIELD) {
2580 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
2581 if (vHf > MF_MINFIELDV) {
2582 cardSTATE_TO_IDLE();
2583 LED_A_ON();
2584 }
2585 }
2586 if(cardSTATE == MFEMUL_NOFIELD) continue;
2587
2588 //Now, get data
2589 res = EmGetCmd(receivedCmd, &len, receivedCmd_par);
2590 if (res == 2) { //Field is off!
2591 cardSTATE = MFEMUL_NOFIELD;
2592 LEDsoff();
2593 continue;
2594 } else if (res == 1) {
2595 break; //return value 1 means button press
2596 }
2597
2598 // REQ or WUP request in ANY state and WUP in HALTED state
2599 if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
2600 selTimer = GetTickCount();
2601 EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
2602 cardSTATE = MFEMUL_SELECT1;
2603
2604 // init crypto block
2605 LED_B_OFF();
2606 LED_C_OFF();
2607 crypto1_destroy(pcs);
2608 cardAUTHKEY = 0xff;
2609 continue;
2610 }
2611
2612 switch (cardSTATE) {
2613 case MFEMUL_NOFIELD:
2614 case MFEMUL_HALTED:
2615 case MFEMUL_IDLE:{
2616 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2617 break;
2618 }
2619 case MFEMUL_SELECT1:{
2620 // select all
2621 if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
2622 if (MF_DBGLEVEL >= 4) Dbprintf("SELECT ALL received");
2623 EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
2624 break;
2625 }
2626
2627 if (MF_DBGLEVEL >= 4 && len == 9 && receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 )
2628 {
2629 Dbprintf("SELECT %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
2630 }
2631 // select card
2632 if (len == 9 &&
2633 (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
2634 EmSendCmd(_7BUID?rSAK1:rSAK, _7BUID?sizeof(rSAK1):sizeof(rSAK));
2635 cuid = bytes_to_num(rUIDBCC1, 4);
2636 if (!_7BUID) {
2637 cardSTATE = MFEMUL_WORK;
2638 LED_B_ON();
2639 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
2640 break;
2641 } else {
2642 cardSTATE = MFEMUL_SELECT2;
2643 }
2644 }
2645 break;
2646 }
2647 case MFEMUL_AUTH1:{
2648 if( len != 8)
2649 {
2650 cardSTATE_TO_IDLE();
2651 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2652 break;
2653 }
2654
2655 uint32_t ar = bytes_to_num(receivedCmd, 4);
2656 uint32_t nr = bytes_to_num(&receivedCmd[4], 4);
2657
2658 //Collect AR/NR
2659 //if(ar_nr_collected < 2 && cardAUTHSC == 2){
2660 if(ar_nr_collected < 2){
2661 if(ar_nr_responses[2] != ar)
2662 {// Avoid duplicates... probably not necessary, ar should vary.
2663 //ar_nr_responses[ar_nr_collected*5] = 0;
2664 //ar_nr_responses[ar_nr_collected*5+1] = 0;
2665 ar_nr_responses[ar_nr_collected*5+2] = nonce;
2666 ar_nr_responses[ar_nr_collected*5+3] = nr;
2667 ar_nr_responses[ar_nr_collected*5+4] = ar;
2668 ar_nr_collected++;
2669 }
2670 // Interactive mode flag, means we need to send ACK
2671 if(flags & FLAG_INTERACTIVE && ar_nr_collected == 2)
2672 {
2673 finished = true;
2674 }
2675 }
2676
2677 // --- crypto
2678 //crypto1_word(pcs, ar , 1);
2679 //cardRr = nr ^ crypto1_word(pcs, 0, 0);
2680
2681 //test if auth OK
2682 //if (cardRr != prng_successor(nonce, 64)){
2683
2684 //if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
2685 // cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
2686 // cardRr, prng_successor(nonce, 64));
2687 // Shouldn't we respond anything here?
2688 // Right now, we don't nack or anything, which causes the
2689 // reader to do a WUPA after a while. /Martin
2690 // -- which is the correct response. /piwi
2691 //cardSTATE_TO_IDLE();
2692 //LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2693 //break;
2694 //}
2695
2696 ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
2697
2698 num_to_bytes(ans, 4, rAUTH_AT);
2699 // --- crypto
2700 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2701 LED_C_ON();
2702 cardSTATE = MFEMUL_WORK;
2703 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED for sector %d with key %c. time=%d",
2704 cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
2705 GetTickCount() - authTimer);
2706 break;
2707 }
2708 case MFEMUL_SELECT2:{
2709 if (!len) {
2710 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2711 break;
2712 }
2713 if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
2714 EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
2715 break;
2716 }
2717
2718 // select 2 card
2719 if (len == 9 &&
2720 (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) {
2721 EmSendCmd(rSAK, sizeof(rSAK));
2722 cuid = bytes_to_num(rUIDBCC2, 4);
2723 cardSTATE = MFEMUL_WORK;
2724 LED_B_ON();
2725 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
2726 break;
2727 }
2728
2729 // i guess there is a command). go into the work state.
2730 if (len != 4) {
2731 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2732 break;
2733 }
2734 cardSTATE = MFEMUL_WORK;
2735 //goto lbWORK;
2736 //intentional fall-through to the next case-stmt
2737 }
2738
2739 case MFEMUL_WORK:{
2740 if (len == 0) {
2741 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2742 break;
2743 }
2744
2745 bool encrypted_data = (cardAUTHKEY != 0xFF) ;
2746
2747 if(encrypted_data) {
2748 // decrypt seqence
2749 mf_crypto1_decrypt(pcs, receivedCmd, len);
2750 }
2751
2752 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2753 authTimer = GetTickCount();
2754 cardAUTHSC = receivedCmd[1] / 4; // received block num
2755 cardAUTHKEY = receivedCmd[0] - 0x60;
2756 crypto1_destroy(pcs);//Added by martin
2757 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
2758
2759 if (!encrypted_data) { // first authentication
2760 if (MF_DBGLEVEL >= 4) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY );
2761
2762 crypto1_word(pcs, cuid ^ nonce, 0);//Update crypto state
2763 num_to_bytes(nonce, 4, rAUTH_AT); // Send nonce
2764 } else { // nested authentication
2765 if (MF_DBGLEVEL >= 4) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY );
2766 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
2767 num_to_bytes(ans, 4, rAUTH_AT);
2768 }
2769
2770 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2771 //Dbprintf("Sending rAUTH %02x%02x%02x%02x", rAUTH_AT[0],rAUTH_AT[1],rAUTH_AT[2],rAUTH_AT[3]);
2772 cardSTATE = MFEMUL_AUTH1;
2773 break;
2774 }
2775
2776 // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued
2777 // BUT... ACK --> NACK
2778 if (len == 1 && receivedCmd[0] == CARD_ACK) {
2779 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2780 break;
2781 }
2782
2783 // rule 12 of 7.5.3. in ISO 14443-4. R(NAK) --> R(ACK)
2784 if (len == 1 && receivedCmd[0] == CARD_NACK_NA) {
2785 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2786 break;
2787 }
2788
2789 if(len != 4) {
2790 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2791 break;
2792 }
2793
2794 if(receivedCmd[0] == 0x30 // read block
2795 || receivedCmd[0] == 0xA0 // write block
2796 || receivedCmd[0] == 0xC0 // inc
2797 || receivedCmd[0] == 0xC1 // dec
2798 || receivedCmd[0] == 0xC2 // restore
2799 || receivedCmd[0] == 0xB0) { // transfer
2800 if (receivedCmd[1] >= 16 * 4) {
2801 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2802 if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate (0x%02) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
2803 break;
2804 }
2805
2806 if (receivedCmd[1] / 4 != cardAUTHSC) {
2807 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2808 if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate (0x%02) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd[0],receivedCmd[1],cardAUTHSC);
2809 break;
2810 }
2811 }
2812 // read block
2813 if (receivedCmd[0] == 0x30) {
2814 if (MF_DBGLEVEL >= 4) {
2815 Dbprintf("Reader reading block %d (0x%02x)",receivedCmd[1],receivedCmd[1]);
2816 }
2817 emlGetMem(response, receivedCmd[1], 1);
2818 AppendCrc14443a(response, 16);
2819 mf_crypto1_encrypt(pcs, response, 18, response_par);
2820 EmSendCmdPar(response, 18, response_par);
2821 numReads++;
2822 if(exitAfterNReads > 0 && numReads >= exitAfterNReads) {
2823 Dbprintf("%d reads done, exiting", numReads);
2824 finished = true;
2825 }
2826 break;
2827 }
2828 // write block
2829 if (receivedCmd[0] == 0xA0) {
2830 if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0xA0 write block %d (%02x)",receivedCmd[1],receivedCmd[1]);
2831 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2832 cardSTATE = MFEMUL_WRITEBL2;
2833 cardWRBL = receivedCmd[1];
2834 break;
2835 }
2836 // increment, decrement, restore
2837 if (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2) {
2838 if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
2839 if (emlCheckValBl(receivedCmd[1])) {
2840 if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
2841 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2842 break;
2843 }
2844 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2845 if (receivedCmd[0] == 0xC1)
2846 cardSTATE = MFEMUL_INTREG_INC;
2847 if (receivedCmd[0] == 0xC0)
2848 cardSTATE = MFEMUL_INTREG_DEC;
2849 if (receivedCmd[0] == 0xC2)
2850 cardSTATE = MFEMUL_INTREG_REST;
2851 cardWRBL = receivedCmd[1];
2852 break;
2853 }
2854 // transfer
2855 if (receivedCmd[0] == 0xB0) {
2856 if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x transfer block %d (%02x)",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
2857 if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1]))
2858 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2859 else
2860 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2861 break;
2862 }
2863 // halt
2864 if (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00) {
2865 LED_B_OFF();
2866 LED_C_OFF();
2867 cardSTATE = MFEMUL_HALTED;
2868 if (MF_DBGLEVEL >= 4) Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer);
2869 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2870 break;
2871 }
2872 // RATS
2873 if (receivedCmd[0] == 0xe0) {//RATS
2874 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2875 break;
2876 }
2877 // command not allowed
2878 if (MF_DBGLEVEL >= 4) Dbprintf("Received command not allowed, nacking");
2879 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2880 break;
2881 }
2882 case MFEMUL_WRITEBL2:{
2883 if (len == 18){
2884 mf_crypto1_decrypt(pcs, receivedCmd, len);
2885 emlSetMem(receivedCmd, cardWRBL, 1);
2886 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2887 cardSTATE = MFEMUL_WORK;
2888 } else {
2889 cardSTATE_TO_IDLE();
2890 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2891 }
2892 break;
2893 }
2894
2895 case MFEMUL_INTREG_INC:{
2896 mf_crypto1_decrypt(pcs, receivedCmd, len);
2897 memcpy(&ans, receivedCmd, 4);
2898 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2899 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2900 cardSTATE_TO_IDLE();
2901 break;
2902 }
2903 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2904 cardINTREG = cardINTREG + ans;
2905 cardSTATE = MFEMUL_WORK;
2906 break;
2907 }
2908 case MFEMUL_INTREG_DEC:{
2909 mf_crypto1_decrypt(pcs, receivedCmd, len);
2910 memcpy(&ans, receivedCmd, 4);
2911 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2912 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2913 cardSTATE_TO_IDLE();
2914 break;
2915 }
2916 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2917 cardINTREG = cardINTREG - ans;
2918 cardSTATE = MFEMUL_WORK;
2919 break;
2920 }
2921 case MFEMUL_INTREG_REST:{
2922 mf_crypto1_decrypt(pcs, receivedCmd, len);
2923 memcpy(&ans, receivedCmd, 4);
2924 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2925 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2926 cardSTATE_TO_IDLE();
2927 break;
2928 }
2929 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2930 cardSTATE = MFEMUL_WORK;
2931 break;
2932 }
2933 }
2934 }
2935
2936 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2937 LEDsoff();
2938
2939 if(flags & FLAG_INTERACTIVE)// Interactive mode flag, means we need to send ACK
2940 {
2941 //May just aswell send the collected ar_nr in the response aswell
2942 uint8_t len = ar_nr_collected*5*4;
2943 cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, len, 0, &ar_nr_responses, len);
2944 }
2945
2946 if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1 )
2947 {
2948 if(ar_nr_collected > 1 ) {
2949 Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
2950 Dbprintf("../tools/mfkey/mfkey32 %06x%08x %08x %08x %08x %08x %08x",
2951 ar_nr_responses[0], // UID1
2952 ar_nr_responses[1], // UID2
2953 ar_nr_responses[2], // NT
2954 ar_nr_responses[3], // AR1
2955 ar_nr_responses[4], // NR1
2956 ar_nr_responses[8], // AR2
2957 ar_nr_responses[9] // NR2
2958 );
2959 Dbprintf("../tools/mfkey/mfkey32v2 %06x%08x %08x %08x %08x %08x %08x %08x",
2960 ar_nr_responses[0], // UID1
2961 ar_nr_responses[1], // UID2
2962 ar_nr_responses[2], // NT1
2963 ar_nr_responses[3], // AR1
2964 ar_nr_responses[4], // NR1
2965 ar_nr_responses[7], // NT2
2966 ar_nr_responses[8], // AR2
2967 ar_nr_responses[9] // NR2
2968 );
2969 } else {
2970 Dbprintf("Failed to obtain two AR/NR pairs!");
2971 if(ar_nr_collected > 0 ) {
2972 Dbprintf("Only got these: UID=%07x%08x, nonce=%08x, AR1=%08x, NR1=%08x",
2973 ar_nr_responses[0], // UID1
2974 ar_nr_responses[1], // UID2
2975 ar_nr_responses[2], // NT
2976 ar_nr_responses[3], // AR1
2977 ar_nr_responses[4] // NR1
2978 );
2979 }
2980 }
2981 }
2982 if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, BigBuf_get_traceLen());
2983 }
2984
2985
2986 //-----------------------------------------------------------------------------
2987 // MIFARE sniffer.
2988 //
2989 //-----------------------------------------------------------------------------
2990 void RAMFUNC SniffMifare(uint8_t param) {
2991 // param:
2992 // bit 0 - trigger from first card answer
2993 // bit 1 - trigger from first reader 7-bit request
2994
2995 // C(red) A(yellow) B(green)
2996 LEDsoff();
2997 // init trace buffer
2998 clear_trace();
2999 set_tracing(TRUE);
3000
3001 // The command (reader -> tag) that we're receiving.
3002 // The length of a received command will in most cases be no more than 18 bytes.
3003 // So 32 should be enough!
3004 uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE];
3005 uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE];
3006 // The response (tag -> reader) that we're receiving.
3007 uint8_t receivedResponse[MAX_MIFARE_FRAME_SIZE];
3008 uint8_t receivedResponsePar[MAX_MIFARE_PARITY_SIZE];
3009
3010 iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
3011
3012 // free eventually allocated BigBuf memory
3013 BigBuf_free();
3014 // allocate the DMA buffer, used to stream samples from the FPGA
3015 uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
3016 uint8_t *data = dmaBuf;
3017 uint8_t previous_data = 0;
3018 int maxDataLen = 0;
3019 int dataLen = 0;
3020 bool ReaderIsActive = FALSE;
3021 bool TagIsActive = FALSE;
3022
3023 // Set up the demodulator for tag -> reader responses.
3024 DemodInit(receivedResponse, receivedResponsePar);
3025
3026 // Set up the demodulator for the reader -> tag commands
3027 UartInit(receivedCmd, receivedCmdPar);
3028
3029 // Setup for the DMA.
3030 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
3031
3032 LED_D_OFF();
3033
3034 // init sniffer
3035 MfSniffInit();
3036
3037 // And now we loop, receiving samples.
3038 for(uint32_t sniffCounter = 0; TRUE; ) {
3039
3040 if(BUTTON_PRESS()) {
3041 DbpString("cancelled by button");
3042 break;
3043 }
3044
3045 LED_A_ON();
3046 WDT_HIT();
3047
3048 if ((sniffCounter & 0x0000FFFF) == 0) { // from time to time
3049 // check if a transaction is completed (timeout after 2000ms).
3050 // if yes, stop the DMA transfer and send what we have so far to the client
3051 if (MfSniffSend(2000)) {
3052 // Reset everything - we missed some sniffed data anyway while the DMA was stopped
3053 sniffCounter = 0;
3054 data = dmaBuf;
3055 maxDataLen = 0;
3056 ReaderIsActive = FALSE;
3057 TagIsActive = FALSE;
3058 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
3059 }
3060 }
3061
3062 int register readBufDataP = data - dmaBuf; // number of bytes we have processed so far
3063 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR; // number of bytes already transferred
3064 if (readBufDataP <= dmaBufDataP){ // we are processing the same block of data which is currently being transferred
3065 dataLen = dmaBufDataP - readBufDataP; // number of bytes still to be processed
3066 } else {
3067 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP; // number of bytes still to be processed
3068 }
3069 // test for length of buffer
3070 if(dataLen > maxDataLen) { // we are more behind than ever...
3071 maxDataLen = dataLen;
3072 if(dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
3073 Dbprintf("blew circular buffer! dataLen=0x%x", dataLen);
3074 break;
3075 }
3076 }
3077 if(dataLen < 1) continue;
3078
3079 // primary buffer was stopped ( <-- we lost data!
3080 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
3081 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
3082 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
3083 Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
3084 }
3085 // secondary buffer sets as primary, secondary buffer was stopped
3086 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
3087 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
3088 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
3089 }
3090
3091 LED_A_OFF();
3092
3093 if (sniffCounter & 0x01) {
3094
3095 if(!TagIsActive) { // no need to try decoding tag data if the reader is sending
3096 uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
3097 if(MillerDecoding(readerdata, (sniffCounter-1)*4)) {
3098 LED_C_INV();
3099 if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, TRUE)) break;
3100
3101 /* And ready to receive another command. */
3102 UartReset();
3103
3104 /* And also reset the demod code */
3105 DemodReset();
3106 }
3107 ReaderIsActive = (Uart.state != STATE_UNSYNCD);
3108 }
3109
3110 if(!ReaderIsActive) { // no need to try decoding tag data if the reader is sending
3111 uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
3112 if(ManchesterDecoding(tagdata, 0, (sniffCounter-1)*4)) {
3113 LED_C_INV();
3114
3115 if (MfSniffLogic(receivedResponse, Demod.len, Demod.parity, Demod.bitCount, FALSE)) break;
3116
3117 // And ready to receive another response.
3118 DemodReset();
3119
3120 // And reset the Miller decoder including its (now outdated) input buffer
3121 UartInit(receivedCmd, receivedCmdPar);
3122 // why not UartReset?
3123 }
3124 TagIsActive = (Demod.state != DEMOD_UNSYNCD);
3125 }
3126 }
3127
3128 previous_data = *data;
3129 sniffCounter++;
3130 data++;
3131 if(data == dmaBuf + DMA_BUFFER_SIZE) {
3132 data = dmaBuf;
3133 }
3134
3135 } // main cycle
3136
3137 FpgaDisableSscDma();
3138 MfSniffEnd();
3139 LEDsoff();
3140 Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.len=%x", maxDataLen, Uart.state, Uart.len);
3141 }
Proxmark3 GIT tracking
Impressum, Datenschutz