]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443a.c
projects / proxmark3-svn / blob
? search:


ef10b033e5f171286bd7663fa47dd7ec2e0cf606
[proxmark3-svn] / armsrc / iso14443a.c
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // Routines to support ISO 14443 type A.
11 //-----------------------------------------------------------------------------
12
13 #include "proxmark3.h"
14 #include "apps.h"
15 #include "util.h"
16 #include "string.h"
17 #include "cmd.h"
18 #include "iso14443crc.h"
19 #include "iso14443a.h"
20 #include "iso14443b.h"
21 #include "crapto1.h"
22 #include "mifareutil.h"
23 #include "BigBuf.h"
24 #include "parity.h"
25
26 static uint32_t iso14a_timeout;
27 int rsamples = 0;
28 uint8_t trigger = 0;
29 // the block number for the ISO14443-4 PCB
30 static uint8_t iso14_pcb_blocknum = 0;
31
32 //
33 // ISO14443 timing:
34 //
35 // minimum time between the start bits of consecutive transfers from reader to tag: 7000 carrier (13.56Mhz) cycles
36 #define REQUEST_GUARD_TIME (7000/16 + 1)
37 // minimum time between last modulation of tag and next start bit from reader to tag: 1172 carrier cycles
38 #define FRAME_DELAY_TIME_PICC_TO_PCD (1172/16 + 1)
39 // bool LastCommandWasRequest = FALSE;
40
41 //
42 // Total delays including SSC-Transfers between ARM and FPGA. These are in carrier clock cycles (1/13,56MHz)
43 //
44 // When the PM acts as reader and is receiving tag data, it takes
45 // 3 ticks delay in the AD converter
46 // 16 ticks until the modulation detector completes and sets curbit
47 // 8 ticks until bit_to_arm is assigned from curbit
48 // 8*16 ticks for the transfer from FPGA to ARM
49 // 4*16 ticks until we measure the time
50 // - 8*16 ticks because we measure the time of the previous transfer
51 #define DELAY_AIR2ARM_AS_READER (3 + 16 + 8 + 8*16 + 4*16 - 8*16)
52
53 // When the PM acts as a reader and is sending, it takes
54 // 4*16 ticks until we can write data to the sending hold register
55 // 8*16 ticks until the SHR is transferred to the Sending Shift Register
56 // 8 ticks until the first transfer starts
57 // 8 ticks later the FPGA samples the data
58 // 1 tick to assign mod_sig_coil
59 #define DELAY_ARM2AIR_AS_READER (4*16 + 8*16 + 8 + 8 + 1)
60
61 // When the PM acts as tag and is receiving it takes
62 // 2 ticks delay in the RF part (for the first falling edge),
63 // 3 ticks for the A/D conversion,
64 // 8 ticks on average until the start of the SSC transfer,
65 // 8 ticks until the SSC samples the first data
66 // 7*16 ticks to complete the transfer from FPGA to ARM
67 // 8 ticks until the next ssp_clk rising edge
68 // 4*16 ticks until we measure the time
69 // - 8*16 ticks because we measure the time of the previous transfer
70 #define DELAY_AIR2ARM_AS_TAG (2 + 3 + 8 + 8 + 7*16 + 8 + 4*16 - 8*16)
71
72 // The FPGA will report its internal sending delay in
73 uint16_t FpgaSendQueueDelay;
74 // the 5 first bits are the number of bits buffered in mod_sig_buf
75 // the last three bits are the remaining ticks/2 after the mod_sig_buf shift
76 #define DELAY_FPGA_QUEUE (FpgaSendQueueDelay<<1)
77
78 // When the PM acts as tag and is sending, it takes
79 // 4*16 ticks until we can write data to the sending hold register
80 // 8*16 ticks until the SHR is transferred to the Sending Shift Register
81 // 8 ticks until the first transfer starts
82 // 8 ticks later the FPGA samples the data
83 // + a varying number of ticks in the FPGA Delay Queue (mod_sig_buf)
84 // + 1 tick to assign mod_sig_coil
85 #define DELAY_ARM2AIR_AS_TAG (4*16 + 8*16 + 8 + 8 + DELAY_FPGA_QUEUE + 1)
86
87 // When the PM acts as sniffer and is receiving tag data, it takes
88 // 3 ticks A/D conversion
89 // 14 ticks to complete the modulation detection
90 // 8 ticks (on average) until the result is stored in to_arm
91 // + the delays in transferring data - which is the same for
92 // sniffing reader and tag data and therefore not relevant
93 #define DELAY_TAG_AIR2ARM_AS_SNIFFER (3 + 14 + 8)
94
95 // When the PM acts as sniffer and is receiving reader data, it takes
96 // 2 ticks delay in analogue RF receiver (for the falling edge of the
97 // start bit, which marks the start of the communication)
98 // 3 ticks A/D conversion
99 // 8 ticks on average until the data is stored in to_arm.
100 // + the delays in transferring data - which is the same for
101 // sniffing reader and tag data and therefore not relevant
102 #define DELAY_READER_AIR2ARM_AS_SNIFFER (2 + 3 + 8)
103
104 //variables used for timing purposes:
105 //these are in ssp_clk cycles:
106 static uint32_t NextTransferTime;
107 static uint32_t LastTimeProxToAirStart;
108 static uint32_t LastProxToAirDuration;
109
110 // CARD TO READER - manchester
111 // Sequence D: 11110000 modulation with subcarrier during first half
112 // Sequence E: 00001111 modulation with subcarrier during second half
113 // Sequence F: 00000000 no modulation with subcarrier
114 // READER TO CARD - miller
115 // Sequence X: 00001100 drop after half a period
116 // Sequence Y: 00000000 no drop
117 // Sequence Z: 11000000 drop at start
118 #define SEC_D 0xf0
119 #define SEC_E 0x0f
120 #define SEC_F 0x00
121 #define SEC_X 0x0c
122 #define SEC_Y 0x00
123 #define SEC_Z 0xc0
124
125 void iso14a_set_trigger(bool enable) {
126 trigger = enable;
127 }
128
129 void iso14a_set_timeout(uint32_t timeout) {
130 iso14a_timeout = timeout;
131 if(MF_DBGLEVEL >= 3) Dbprintf("ISO14443A Timeout set to %ld (%dms)", iso14a_timeout, iso14a_timeout / 106);
132 }
133
134 void iso14a_set_ATS_timeout(uint8_t *ats) {
135
136 uint8_t tb1;
137 uint8_t fwi;
138 uint32_t fwt;
139
140 if (ats[0] > 1) { // there is a format byte T0
141 if ((ats[1] & 0x20) == 0x20) { // there is an interface byte TB(1)
142
143 if ((ats[1] & 0x10) == 0x10) // there is an interface byte TA(1) preceding TB(1)
144 tb1 = ats[3];
145 else
146 tb1 = ats[2];
147
148 fwi = (tb1 & 0xf0) >> 4; // frame waiting indicator (FWI)
149 fwt = 256 * 16 * (1 << fwi); // frame waiting time (FWT) in 1/fc
150 //fwt = 4096 * (1 << fwi);
151
152 iso14a_set_timeout(fwt/(8*16));
153 //iso14a_set_timeout(fwt/128);
154 }
155 }
156 }
157
158 //-----------------------------------------------------------------------------
159 // Generate the parity value for a byte sequence
160 //
161 //-----------------------------------------------------------------------------
162 void GetParity(const uint8_t *pbtCmd, uint16_t iLen, uint8_t *par)
163 {
164 uint16_t paritybit_cnt = 0;
165 uint16_t paritybyte_cnt = 0;
166 uint8_t parityBits = 0;
167
168 for (uint16_t i = 0; i < iLen; i++) {
169 // Generate the parity bits
170 parityBits |= ((oddparity8(pbtCmd[i])) << (7-paritybit_cnt));
171 if (paritybit_cnt == 7) {
172 par[paritybyte_cnt] = parityBits; // save 8 Bits parity
173 parityBits = 0; // and advance to next Parity Byte
174 paritybyte_cnt++;
175 paritybit_cnt = 0;
176 } else {
177 paritybit_cnt++;
178 }
179 }
180
181 // save remaining parity bits
182 par[paritybyte_cnt] = parityBits;
183
184 }
185
186 void AppendCrc14443a(uint8_t* data, int len)
187 {
188 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
189 }
190
191 //=============================================================================
192 // ISO 14443 Type A - Miller decoder
193 //=============================================================================
194 // Basics:
195 // This decoder is used when the PM3 acts as a tag.
196 // The reader will generate "pauses" by temporarily switching of the field.
197 // At the PM3 antenna we will therefore measure a modulated antenna voltage.
198 // The FPGA does a comparison with a threshold and would deliver e.g.:
199 // ........ 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1 .......
200 // The Miller decoder needs to identify the following sequences:
201 // 2 (or 3) ticks pause followed by 6 (or 5) ticks unmodulated: pause at beginning - Sequence Z ("start of communication" or a "0")
202 // 8 ticks without a modulation: no pause - Sequence Y (a "0" or "end of communication" or "no information")
203 // 4 ticks unmodulated followed by 2 (or 3) ticks pause: pause in second half - Sequence X (a "1")
204 // Note 1: the bitstream may start at any time. We therefore need to sync.
205 // Note 2: the interpretation of Sequence Y and Z depends on the preceding sequence.
206 //-----------------------------------------------------------------------------
207 static tUart Uart;
208
209 // Lookup-Table to decide if 4 raw bits are a modulation.
210 // We accept the following:
211 // 0001 - a 3 tick wide pause
212 // 0011 - a 2 tick wide pause, or a three tick wide pause shifted left
213 // 0111 - a 2 tick wide pause shifted left
214 // 1001 - a 2 tick wide pause shifted right
215 const bool Mod_Miller_LUT[] = {
216 FALSE, TRUE, FALSE, TRUE, FALSE, FALSE, FALSE, TRUE,
217 FALSE, TRUE, FALSE, FALSE, FALSE, FALSE, FALSE, FALSE
218 };
219 #define IsMillerModulationNibble1(b) (Mod_Miller_LUT[(b & 0x000000F0) >> 4])
220 #define IsMillerModulationNibble2(b) (Mod_Miller_LUT[(b & 0x0000000F)])
221
222 void UartReset()
223 {
224 Uart.state = STATE_UNSYNCD;
225 Uart.bitCount = 0;
226 Uart.len = 0; // number of decoded data bytes
227 Uart.parityLen = 0; // number of decoded parity bytes
228 Uart.shiftReg = 0; // shiftreg to hold decoded data bits
229 Uart.parityBits = 0; // holds 8 parity bits
230 Uart.startTime = 0;
231 Uart.endTime = 0;
232
233 Uart.byteCntMax = 0;
234 Uart.posCnt = 0;
235 Uart.syncBit = 9999;
236 }
237
238 void UartInit(uint8_t *data, uint8_t *parity)
239 {
240 Uart.output = data;
241 Uart.parity = parity;
242 Uart.fourBits = 0x00000000; // clear the buffer for 4 Bits
243 UartReset();
244 }
245
246 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
247 static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
248 {
249
250 Uart.fourBits = (Uart.fourBits << 8) | bit;
251
252 if (Uart.state == STATE_UNSYNCD) { // not yet synced
253
254 Uart.syncBit = 9999; // not set
255
256 // 00x11111 2|3 ticks pause followed by 6|5 ticks unmodulated Sequence Z (a "0" or "start of communication")
257 // 11111111 8 ticks unmodulation Sequence Y (a "0" or "end of communication" or "no information")
258 // 111100x1 4 ticks unmodulated followed by 2|3 ticks pause Sequence X (a "1")
259
260 // The start bit is one ore more Sequence Y followed by a Sequence Z (... 11111111 00x11111). We need to distinguish from
261 // Sequence X followed by Sequence Y followed by Sequence Z (111100x1 11111111 00x11111)
262 // we therefore look for a ...xx1111 11111111 00x11111xxxxxx... pattern
263 // (12 '1's followed by 2 '0's, eventually followed by another '0', followed by 5 '1's)
264 //
265 #define ISO14443A_STARTBIT_MASK 0x07FFEF80 // mask is 00001111 11111111 1110 1111 10000000
266 #define ISO14443A_STARTBIT_PATTERN 0x07FF8F80 // pattern is 00001111 11111111 1000 1111 10000000
267
268 if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 0)) == ISO14443A_STARTBIT_PATTERN >> 0) Uart.syncBit = 7;
269 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 1)) == ISO14443A_STARTBIT_PATTERN >> 1) Uart.syncBit = 6;
270 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 2)) == ISO14443A_STARTBIT_PATTERN >> 2) Uart.syncBit = 5;
271 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 3)) == ISO14443A_STARTBIT_PATTERN >> 3) Uart.syncBit = 4;
272 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 4)) == ISO14443A_STARTBIT_PATTERN >> 4) Uart.syncBit = 3;
273 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 5)) == ISO14443A_STARTBIT_PATTERN >> 5) Uart.syncBit = 2;
274 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 6)) == ISO14443A_STARTBIT_PATTERN >> 6) Uart.syncBit = 1;
275 else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 7)) == ISO14443A_STARTBIT_PATTERN >> 7) Uart.syncBit = 0;
276
277 if (Uart.syncBit != 9999) { // found a sync bit
278 Uart.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
279 Uart.startTime -= Uart.syncBit;
280 Uart.endTime = Uart.startTime;
281 Uart.state = STATE_START_OF_COMMUNICATION;
282 }
283
284 } else {
285
286 if (IsMillerModulationNibble1(Uart.fourBits >> Uart.syncBit)) {
287 if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) { // Modulation in both halves - error
288 UartReset();
289 } else { // Modulation in first half = Sequence Z = logic "0"
290 if (Uart.state == STATE_MILLER_X) { // error - must not follow after X
291 UartReset();
292 } else {
293 Uart.bitCount++;
294 Uart.shiftReg = (Uart.shiftReg >> 1); // add a 0 to the shiftreg
295 Uart.state = STATE_MILLER_Z;
296 Uart.endTime = Uart.startTime + 8*(9*Uart.len + Uart.bitCount + 1) - 6;
297 if(Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
298 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
299 Uart.parityBits <<= 1; // make room for the parity bit
300 Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
301 Uart.bitCount = 0;
302 Uart.shiftReg = 0;
303 if((Uart.len&0x0007) == 0) { // every 8 data bytes
304 Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
305 Uart.parityBits = 0;
306 }
307 }
308 }
309 }
310 } else {
311 if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) { // Modulation second half = Sequence X = logic "1"
312 Uart.bitCount++;
313 Uart.shiftReg = (Uart.shiftReg >> 1) | 0x100; // add a 1 to the shiftreg
314 Uart.state = STATE_MILLER_X;
315 Uart.endTime = Uart.startTime + 8*(9*Uart.len + Uart.bitCount + 1) - 2;
316 if(Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
317 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
318 Uart.parityBits <<= 1; // make room for the new parity bit
319 Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
320 Uart.bitCount = 0;
321 Uart.shiftReg = 0;
322 if ((Uart.len&0x0007) == 0) { // every 8 data bytes
323 Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
324 Uart.parityBits = 0;
325 }
326 }
327 } else { // no modulation in both halves - Sequence Y
328 if (Uart.state == STATE_MILLER_Z || Uart.state == STATE_MILLER_Y) { // Y after logic "0" - End of Communication
329 Uart.state = STATE_UNSYNCD;
330 Uart.bitCount--; // last "0" was part of EOC sequence
331 Uart.shiftReg <<= 1; // drop it
332 if(Uart.bitCount > 0) { // if we decoded some bits
333 Uart.shiftReg >>= (9 - Uart.bitCount); // right align them
334 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff); // add last byte to the output
335 Uart.parityBits <<= 1; // add a (void) parity bit
336 Uart.parityBits <<= (8 - (Uart.len&0x0007)); // left align parity bits
337 Uart.parity[Uart.parityLen++] = Uart.parityBits; // and store it
338 return TRUE;
339 } else if (Uart.len & 0x0007) { // there are some parity bits to store
340 Uart.parityBits <<= (8 - (Uart.len&0x0007)); // left align remaining parity bits
341 Uart.parity[Uart.parityLen++] = Uart.parityBits; // and store them
342 }
343 if (Uart.len) {
344 return TRUE; // we are finished with decoding the raw data sequence
345 } else {
346 UartReset(); // Nothing received - start over
347 }
348 }
349 if (Uart.state == STATE_START_OF_COMMUNICATION) { // error - must not follow directly after SOC
350 UartReset();
351 } else { // a logic "0"
352 Uart.bitCount++;
353 Uart.shiftReg = (Uart.shiftReg >> 1); // add a 0 to the shiftreg
354 Uart.state = STATE_MILLER_Y;
355 if(Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
356 Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
357 Uart.parityBits <<= 1; // make room for the parity bit
358 Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
359 Uart.bitCount = 0;
360 Uart.shiftReg = 0;
361 if ((Uart.len&0x0007) == 0) { // every 8 data bytes
362 Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
363 Uart.parityBits = 0;
364 }
365 }
366 }
367 }
368 }
369
370 }
371
372 return FALSE; // not finished yet, need more data
373 }
374
375
376
377 //=============================================================================
378 // ISO 14443 Type A - Manchester decoder
379 //=============================================================================
380 // Basics:
381 // This decoder is used when the PM3 acts as a reader.
382 // The tag will modulate the reader field by asserting different loads to it. As a consequence, the voltage
383 // at the reader antenna will be modulated as well. The FPGA detects the modulation for us and would deliver e.g. the following:
384 // ........ 0 0 1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 .......
385 // The Manchester decoder needs to identify the following sequences:
386 // 4 ticks modulated followed by 4 ticks unmodulated: Sequence D = 1 (also used as "start of communication")
387 // 4 ticks unmodulated followed by 4 ticks modulated: Sequence E = 0
388 // 8 ticks unmodulated: Sequence F = end of communication
389 // 8 ticks modulated: A collision. Save the collision position and treat as Sequence D
390 // Note 1: the bitstream may start at any time. We therefore need to sync.
391 // Note 2: parameter offset is used to determine the position of the parity bits (required for the anticollision command only)
392 static tDemod Demod;
393
394 // Lookup-Table to decide if 4 raw bits are a modulation.
395 // We accept three or four "1" in any position
396 const bool Mod_Manchester_LUT[] = {
397 FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, TRUE,
398 FALSE, FALSE, FALSE, TRUE, FALSE, TRUE, TRUE, TRUE
399 };
400
401 #define IsManchesterModulationNibble1(b) (Mod_Manchester_LUT[(b & 0x00F0) >> 4])
402 #define IsManchesterModulationNibble2(b) (Mod_Manchester_LUT[(b & 0x000F)])
403
404
405 void DemodReset()
406 {
407 Demod.state = DEMOD_UNSYNCD;
408 Demod.len = 0; // number of decoded data bytes
409 Demod.parityLen = 0;
410 Demod.shiftReg = 0; // shiftreg to hold decoded data bits
411 Demod.parityBits = 0; //
412 Demod.collisionPos = 0; // Position of collision bit
413 Demod.twoBits = 0xffff; // buffer for 2 Bits
414 Demod.highCnt = 0;
415 Demod.startTime = 0;
416 Demod.endTime = 0;
417
418 //
419 Demod.bitCount = 0;
420 Demod.syncBit = 0xFFFF;
421 Demod.samples = 0;
422 }
423
424 void DemodInit(uint8_t *data, uint8_t *parity)
425 {
426 Demod.output = data;
427 Demod.parity = parity;
428 DemodReset();
429 }
430
431 // use parameter non_real_time to provide a timestamp. Set to 0 if the decoder should measure real time
432 static RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time)
433 {
434 Demod.twoBits = (Demod.twoBits << 8) | bit;
435
436 if (Demod.state == DEMOD_UNSYNCD) {
437
438 if (Demod.highCnt < 2) { // wait for a stable unmodulated signal
439 if (Demod.twoBits == 0x0000) {
440 Demod.highCnt++;
441 } else {
442 Demod.highCnt = 0;
443 }
444 } else {
445 Demod.syncBit = 0xFFFF; // not set
446 if ((Demod.twoBits & 0x7700) == 0x7000) Demod.syncBit = 7;
447 else if ((Demod.twoBits & 0x3B80) == 0x3800) Demod.syncBit = 6;
448 else if ((Demod.twoBits & 0x1DC0) == 0x1C00) Demod.syncBit = 5;
449 else if ((Demod.twoBits & 0x0EE0) == 0x0E00) Demod.syncBit = 4;
450 else if ((Demod.twoBits & 0x0770) == 0x0700) Demod.syncBit = 3;
451 else if ((Demod.twoBits & 0x03B8) == 0x0380) Demod.syncBit = 2;
452 else if ((Demod.twoBits & 0x01DC) == 0x01C0) Demod.syncBit = 1;
453 else if ((Demod.twoBits & 0x00EE) == 0x00E0) Demod.syncBit = 0;
454 if (Demod.syncBit != 0xFFFF) {
455 Demod.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
456 Demod.startTime -= Demod.syncBit;
457 Demod.bitCount = offset; // number of decoded data bits
458 Demod.state = DEMOD_MANCHESTER_DATA;
459 }
460 }
461
462 } else {
463
464 if (IsManchesterModulationNibble1(Demod.twoBits >> Demod.syncBit)) { // modulation in first half
465 if (IsManchesterModulationNibble2(Demod.twoBits >> Demod.syncBit)) { // ... and in second half = collision
466 if (!Demod.collisionPos) {
467 Demod.collisionPos = (Demod.len << 3) + Demod.bitCount;
468 }
469 } // modulation in first half only - Sequence D = 1
470 Demod.bitCount++;
471 Demod.shiftReg = (Demod.shiftReg >> 1) | 0x100; // in both cases, add a 1 to the shiftreg
472 if(Demod.bitCount == 9) { // if we decoded a full byte (including parity)
473 Demod.output[Demod.len++] = (Demod.shiftReg & 0xff);
474 Demod.parityBits <<= 1; // make room for the parity bit
475 Demod.parityBits |= ((Demod.shiftReg >> 8) & 0x01); // store parity bit
476 Demod.bitCount = 0;
477 Demod.shiftReg = 0;
478 if((Demod.len&0x0007) == 0) { // every 8 data bytes
479 Demod.parity[Demod.parityLen++] = Demod.parityBits; // store 8 parity bits
480 Demod.parityBits = 0;
481 }
482 }
483 Demod.endTime = Demod.startTime + 8*(9*Demod.len + Demod.bitCount + 1) - 4;
484 } else { // no modulation in first half
485 if (IsManchesterModulationNibble2(Demod.twoBits >> Demod.syncBit)) { // and modulation in second half = Sequence E = 0
486 Demod.bitCount++;
487 Demod.shiftReg = (Demod.shiftReg >> 1); // add a 0 to the shiftreg
488 if(Demod.bitCount >= 9) { // if we decoded a full byte (including parity)
489 Demod.output[Demod.len++] = (Demod.shiftReg & 0xff);
490 Demod.parityBits <<= 1; // make room for the new parity bit
491 Demod.parityBits |= ((Demod.shiftReg >> 8) & 0x01); // store parity bit
492 Demod.bitCount = 0;
493 Demod.shiftReg = 0;
494 if ((Demod.len&0x0007) == 0) { // every 8 data bytes
495 Demod.parity[Demod.parityLen++] = Demod.parityBits; // store 8 parity bits1
496 Demod.parityBits = 0;
497 }
498 }
499 Demod.endTime = Demod.startTime + 8*(9*Demod.len + Demod.bitCount + 1);
500 } else { // no modulation in both halves - End of communication
501 if(Demod.bitCount > 0) { // there are some remaining data bits
502 Demod.shiftReg >>= (9 - Demod.bitCount); // right align the decoded bits
503 Demod.output[Demod.len++] = Demod.shiftReg & 0xff; // and add them to the output
504 Demod.parityBits <<= 1; // add a (void) parity bit
505 Demod.parityBits <<= (8 - (Demod.len&0x0007)); // left align remaining parity bits
506 Demod.parity[Demod.parityLen++] = Demod.parityBits; // and store them
507 return TRUE;
508 } else if (Demod.len & 0x0007) { // there are some parity bits to store
509 Demod.parityBits <<= (8 - (Demod.len&0x0007)); // left align remaining parity bits
510 Demod.parity[Demod.parityLen++] = Demod.parityBits; // and store them
511 }
512 if (Demod.len) {
513 return TRUE; // we are finished with decoding the raw data sequence
514 } else { // nothing received. Start over
515 DemodReset();
516 }
517 }
518 }
519 }
520 return FALSE; // not finished yet, need more data
521 }
522
523 //=============================================================================
524 // Finally, a `sniffer' for ISO 14443 Type A
525 // Both sides of communication!
526 //=============================================================================
527
528 //-----------------------------------------------------------------------------
529 // Record the sequence of commands sent by the reader to the tag, with
530 // triggering so that we start recording at the point that the tag is moved
531 // near the reader.
532 //-----------------------------------------------------------------------------
533 void RAMFUNC SniffIso14443a(uint8_t param) {
534 // param:
535 // bit 0 - trigger from first card answer
536 // bit 1 - trigger from first reader 7-bit request
537 LEDsoff();
538
539 iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
540
541 // Allocate memory from BigBuf for some buffers
542 // free all previous allocations first
543 BigBuf_free(); BigBuf_Clear_ext(false);
544
545 // init trace buffer
546 clear_trace();
547 set_tracing(TRUE);
548
549 // The command (reader -> tag) that we're receiving.
550 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
551 uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
552
553 // The response (tag -> reader) that we're receiving.
554 uint8_t *receivedResponse = BigBuf_malloc(MAX_FRAME_SIZE);
555 uint8_t *receivedResponsePar = BigBuf_malloc(MAX_PARITY_SIZE);
556
557 // The DMA buffer, used to stream samples from the FPGA
558 uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
559
560 uint8_t *data = dmaBuf;
561 uint8_t previous_data = 0;
562 int maxDataLen = 0;
563 int dataLen = 0;
564 bool TagIsActive = FALSE;
565 bool ReaderIsActive = FALSE;
566
567 // Set up the demodulator for tag -> reader responses.
568 DemodInit(receivedResponse, receivedResponsePar);
569
570 // Set up the demodulator for the reader -> tag commands
571 UartInit(receivedCmd, receivedCmdPar);
572
573 // Setup and start DMA.
574 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
575
576 // We won't start recording the frames that we acquire until we trigger;
577 // a good trigger condition to get started is probably when we see a
578 // response from the tag.
579 // triggered == FALSE -- to wait first for card
580 bool triggered = !(param & 0x03);
581
582 // And now we loop, receiving samples.
583 for(uint32_t rsamples = 0; TRUE; ) {
584
585 if(BUTTON_PRESS()) {
586 DbpString("cancelled by button");
587 break;
588 }
589
590 LED_A_ON();
591 WDT_HIT();
592
593 int register readBufDataP = data - dmaBuf;
594 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
595 if (readBufDataP <= dmaBufDataP){
596 dataLen = dmaBufDataP - readBufDataP;
597 } else {
598 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP;
599 }
600 // test for length of buffer
601 if(dataLen > maxDataLen) {
602 maxDataLen = dataLen;
603 if(dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
604 Dbprintf("blew circular buffer! dataLen=%d", dataLen);
605 break;
606 }
607 }
608 if(dataLen < 1) continue;
609
610 // primary buffer was stopped( <-- we lost data!
611 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
612 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
613 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
614 Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
615 }
616 // secondary buffer sets as primary, secondary buffer was stopped
617 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
618 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
619 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
620 }
621
622 LED_A_OFF();
623
624 if (rsamples & 0x01) { // Need two samples to feed Miller and Manchester-Decoder
625
626 if(!TagIsActive) { // no need to try decoding reader data if the tag is sending
627 uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
628 if (MillerDecoding(readerdata, (rsamples-1)*4)) {
629 LED_C_ON();
630
631 // check - if there is a short 7bit request from reader
632 if ((!triggered) && (param & 0x02) && (Uart.len == 1) && (Uart.bitCount == 7)) triggered = TRUE;
633
634 if(triggered) {
635 if (!LogTrace(receivedCmd,
636 Uart.len,
637 Uart.startTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER,
638 Uart.endTime*16 - DELAY_READER_AIR2ARM_AS_SNIFFER,
639 Uart.parity,
640 TRUE)) break;
641 }
642 /* And ready to receive another command. */
643 UartReset();
644 /* And also reset the demod code, which might have been */
645 /* false-triggered by the commands from the reader. */
646 DemodReset();
647 LED_B_OFF();
648 }
649 ReaderIsActive = (Uart.state != STATE_UNSYNCD);
650 }
651
652 if(!ReaderIsActive) { // no need to try decoding tag data if the reader is sending - and we cannot afford the time
653 uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
654 if(ManchesterDecoding(tagdata, 0, (rsamples-1)*4)) {
655 LED_B_ON();
656
657 if (!LogTrace(receivedResponse,
658 Demod.len,
659 Demod.startTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER,
660 Demod.endTime*16 - DELAY_TAG_AIR2ARM_AS_SNIFFER,
661 Demod.parity,
662 FALSE)) break;
663
664 if ((!triggered) && (param & 0x01)) triggered = TRUE;
665
666 // And ready to receive another response.
667 DemodReset();
668 // And reset the Miller decoder including itS (now outdated) input buffer
669 UartInit(receivedCmd, receivedCmdPar);
670
671 LED_C_OFF();
672 }
673 TagIsActive = (Demod.state != DEMOD_UNSYNCD);
674 }
675 }
676
677 previous_data = *data;
678 rsamples++;
679 data++;
680 if(data == dmaBuf + DMA_BUFFER_SIZE) {
681 data = dmaBuf;
682 }
683 } // main cycle
684
685 FpgaDisableSscDma();
686 LEDsoff();
687
688 Dbprintf("maxDataLen=%d, Uart.state=%x, Uart.len=%d", maxDataLen, Uart.state, Uart.len);
689 Dbprintf("traceLen=%d, Uart.output[0]=%08x", BigBuf_get_traceLen(), (uint32_t)Uart.output[0]);
690
691 set_tracing(FALSE);
692 }
693
694 //-----------------------------------------------------------------------------
695 // Prepare tag messages
696 //-----------------------------------------------------------------------------
697 static void CodeIso14443aAsTagPar(const uint8_t *cmd, uint16_t len, uint8_t *parity)
698 {
699 ToSendReset();
700
701 // Correction bit, might be removed when not needed
702 ToSendStuffBit(0);
703 ToSendStuffBit(0);
704 ToSendStuffBit(0);
705 ToSendStuffBit(0);
706 ToSendStuffBit(1); // 1
707 ToSendStuffBit(0);
708 ToSendStuffBit(0);
709 ToSendStuffBit(0);
710
711 // Send startbit
712 ToSend[++ToSendMax] = SEC_D;
713 LastProxToAirDuration = 8 * ToSendMax - 4;
714
715 for(uint16_t i = 0; i < len; i++) {
716 uint8_t b = cmd[i];
717
718 // Data bits
719 for(uint16_t j = 0; j < 8; j++) {
720 if(b & 1) {
721 ToSend[++ToSendMax] = SEC_D;
722 } else {
723 ToSend[++ToSendMax] = SEC_E;
724 }
725 b >>= 1;
726 }
727
728 // Get the parity bit
729 if (parity[i>>3] & (0x80>>(i&0x0007))) {
730 ToSend[++ToSendMax] = SEC_D;
731 LastProxToAirDuration = 8 * ToSendMax - 4;
732 } else {
733 ToSend[++ToSendMax] = SEC_E;
734 LastProxToAirDuration = 8 * ToSendMax;
735 }
736 }
737
738 // Send stopbit
739 ToSend[++ToSendMax] = SEC_F;
740
741 // Convert from last byte pos to length
742 ++ToSendMax;
743 }
744
745 static void CodeIso14443aAsTag(const uint8_t *cmd, uint16_t len)
746 {
747 uint8_t par[MAX_PARITY_SIZE] = {0};
748 GetParity(cmd, len, par);
749 CodeIso14443aAsTagPar(cmd, len, par);
750 }
751
752
753 static void Code4bitAnswerAsTag(uint8_t cmd)
754 {
755 int i;
756
757 ToSendReset();
758
759 // Correction bit, might be removed when not needed
760 ToSendStuffBit(0);
761 ToSendStuffBit(0);
762 ToSendStuffBit(0);
763 ToSendStuffBit(0);
764 ToSendStuffBit(1); // 1
765 ToSendStuffBit(0);
766 ToSendStuffBit(0);
767 ToSendStuffBit(0);
768
769 // Send startbit
770 ToSend[++ToSendMax] = SEC_D;
771
772 uint8_t b = cmd;
773 for(i = 0; i < 4; i++) {
774 if(b & 1) {
775 ToSend[++ToSendMax] = SEC_D;
776 LastProxToAirDuration = 8 * ToSendMax - 4;
777 } else {
778 ToSend[++ToSendMax] = SEC_E;
779 LastProxToAirDuration = 8 * ToSendMax;
780 }
781 b >>= 1;
782 }
783
784 // Send stopbit
785 ToSend[++ToSendMax] = SEC_F;
786
787 // Convert from last byte pos to length
788 ToSendMax++;
789 }
790
791 //-----------------------------------------------------------------------------
792 // Wait for commands from reader
793 // Stop when button is pressed
794 // Or return TRUE when command is captured
795 //-----------------------------------------------------------------------------
796 static int GetIso14443aCommandFromReader(uint8_t *received, uint8_t *parity, int *len)
797 {
798 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
799 // only, since we are receiving, not transmitting).
800 // Signal field is off with the appropriate LED
801 LED_D_OFF();
802 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
803
804 // Now run a `software UART` on the stream of incoming samples.
805 UartInit(received, parity);
806
807 // clear RXRDY:
808 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
809
810 for(;;) {
811 WDT_HIT();
812
813 if(BUTTON_PRESS()) return FALSE;
814
815 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
816 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
817 if(MillerDecoding(b, 0)) {
818 *len = Uart.len;
819 return TRUE;
820 }
821 }
822 }
823 }
824
825 static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNeeded);
826 int EmSend4bitEx(uint8_t resp, bool correctionNeeded);
827 int EmSend4bit(uint8_t resp);
828 int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, bool correctionNeeded, uint8_t *par);
829 int EmSendCmdEx(uint8_t *resp, uint16_t respLen, bool correctionNeeded);
830 int EmSendCmd(uint8_t *resp, uint16_t respLen);
831 int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par);
832 bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity,
833 uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint8_t *tag_Parity);
834
835 static uint8_t* free_buffer_pointer;
836
837 typedef struct {
838 uint8_t* response;
839 size_t response_n;
840 uint8_t* modulation;
841 size_t modulation_n;
842 uint32_t ProxToAirDuration;
843 } tag_response_info_t;
844
845 bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffer_size) {
846 // Example response, answer to MIFARE Classic read block will be 16 bytes + 2 CRC = 18 bytes
847 // This will need the following byte array for a modulation sequence
848 // 144 data bits (18 * 8)
849 // 18 parity bits
850 // 2 Start and stop
851 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
852 // 1 just for the case
853 // ----------- +
854 // 166 bytes, since every bit that needs to be send costs us a byte
855 //
856
857
858 // Prepare the tag modulation bits from the message
859 CodeIso14443aAsTag(response_info->response,response_info->response_n);
860
861 // Make sure we do not exceed the free buffer space
862 if (ToSendMax > max_buffer_size) {
863 Dbprintf("Out of memory, when modulating bits for tag answer:");
864 Dbhexdump(response_info->response_n,response_info->response,false);
865 return false;
866 }
867
868 // Copy the byte array, used for this modulation to the buffer position
869 memcpy(response_info->modulation,ToSend,ToSendMax);
870
871 // Store the number of bytes that were used for encoding/modulation and the time needed to transfer them
872 response_info->modulation_n = ToSendMax;
873 response_info->ProxToAirDuration = LastProxToAirDuration;
874
875 return true;
876 }
877
878
879 // "precompile" responses. There are 7 predefined responses with a total of 28 bytes data to transmit.
880 // Coded responses need one byte per bit to transfer (data, parity, start, stop, correction)
881 // 28 * 8 data bits, 28 * 1 parity bits, 7 start bits, 7 stop bits, 7 correction bits
882 // -> need 273 bytes buffer
883 // 44 * 8 data bits, 44 * 1 parity bits, 9 start bits, 9 stop bits, 9 correction bits --370
884 // 47 * 8 data bits, 47 * 1 parity bits, 10 start bits, 10 stop bits, 10 correction bits
885 #define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 453
886
887 bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) {
888 // Retrieve and store the current buffer index
889 response_info->modulation = free_buffer_pointer;
890
891 // Determine the maximum size we can use from our buffer
892 size_t max_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE;
893
894 // Forward the prepare tag modulation function to the inner function
895 if (prepare_tag_modulation(response_info, max_buffer_size)) {
896 // Update the free buffer offset
897 free_buffer_pointer += ToSendMax;
898 return true;
899 } else {
900 return false;
901 }
902 }
903
904 //-----------------------------------------------------------------------------
905 // Main loop of simulated tag: receive commands from reader, decide what
906 // response to send, and send it.
907 //-----------------------------------------------------------------------------
908 void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
909 {
910 uint32_t counters[] = {0,0,0};
911 //Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2
912 // This can be used in a reader-only attack.
913 // (it can also be retrieved via 'hf 14a list', but hey...
914 uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0,0};
915 uint8_t ar_nr_collected = 0;
916
917 uint8_t sak;
918
919 // PACK response to PWD AUTH for EV1/NTAG
920 uint8_t response8[4] = {0,0,0,0};
921
922 // The first response contains the ATQA (note: bytes are transmitted in reverse order).
923 uint8_t response1[2] = {0,0};
924
925 switch (tagType) {
926 case 1: { // MIFARE Classic
927 // Says: I am Mifare 1k - original line
928 response1[0] = 0x04;
929 response1[1] = 0x00;
930 sak = 0x08;
931 } break;
932 case 2: { // MIFARE Ultralight
933 // Says: I am a stupid memory tag, no crypto
934 response1[0] = 0x44;
935 response1[1] = 0x00;
936 sak = 0x00;
937 } break;
938 case 3: { // MIFARE DESFire
939 // Says: I am a DESFire tag, ph33r me
940 response1[0] = 0x04;
941 response1[1] = 0x03;
942 sak = 0x20;
943 } break;
944 case 4: { // ISO/IEC 14443-4
945 // Says: I am a javacard (JCOP)
946 response1[0] = 0x04;
947 response1[1] = 0x00;
948 sak = 0x28;
949 } break;
950 case 5: { // MIFARE TNP3XXX
951 // Says: I am a toy
952 response1[0] = 0x01;
953 response1[1] = 0x0f;
954 sak = 0x01;
955 } break;
956 case 6: { // MIFARE Mini
957 // Says: I am a Mifare Mini, 320b
958 response1[0] = 0x44;
959 response1[1] = 0x00;
960 sak = 0x09;
961 } break;
962 case 7: { // NTAG?
963 // Says: I am a NTAG,
964 response1[0] = 0x44;
965 response1[1] = 0x00;
966 sak = 0x00;
967 // PACK
968 response8[0] = 0x80;
969 response8[1] = 0x80;
970 ComputeCrc14443(CRC_14443_A, response8, 2, &response8[2], &response8[3]);
971 // uid not supplied then get from emulator memory
972 if (data[0]==0) {
973 uint16_t start = 4 * (0+12);
974 uint8_t emdata[8];
975 emlGetMemBt( emdata, start, sizeof(emdata));
976 memcpy(data, emdata, 3); //uid bytes 0-2
977 memcpy(data+3, emdata+4, 4); //uid bytes 3-7
978 flags |= FLAG_7B_UID_IN_DATA;
979 }
980 } break;
981 default: {
982 Dbprintf("Error: unkown tagtype (%d)",tagType);
983 return;
984 } break;
985 }
986
987 // The second response contains the (mandatory) first 24 bits of the UID
988 uint8_t response2[5] = {0x00};
989
990 // Check if the uid uses the (optional) part
991 uint8_t response2a[5] = {0x00};
992
993 if (flags & FLAG_7B_UID_IN_DATA) {
994 response2[0] = 0x88;
995 response2[1] = data[0];
996 response2[2] = data[1];
997 response2[3] = data[2];
998
999 response2a[0] = data[3];
1000 response2a[1] = data[4];
1001 response2a[2] = data[5];
1002 response2a[3] = data[6]; //??
1003 response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3];
1004
1005 // Configure the ATQA and SAK accordingly
1006 response1[0] |= 0x40;
1007 sak |= 0x04;
1008 } else {
1009 memcpy(response2, data, 4);
1010 //num_to_bytes(uid_1st,4,response2);
1011 // Configure the ATQA and SAK accordingly
1012 response1[0] &= 0xBF;
1013 sak &= 0xFB;
1014 }
1015
1016 // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
1017 response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
1018
1019 // Prepare the mandatory SAK (for 4 and 7 byte UID)
1020 uint8_t response3[3] = {0x00};
1021 response3[0] = sak;
1022 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
1023
1024 // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
1025 uint8_t response3a[3] = {0x00};
1026 response3a[0] = sak & 0xFB;
1027 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
1028
1029 uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
1030 uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS:
1031 // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present,
1032 // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
1033 // TB(1) = not present. Defaults: FWI = 4 (FWT = 256 * 16 * 2^4 * 1/fc = 4833us), SFGI = 0 (SFG = 256 * 16 * 2^0 * 1/fc = 302us)
1034 // TC(1) = 0x02: CID supported, NAD not supported
1035 ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]);
1036
1037 // Prepare GET_VERSION (different for UL EV-1 / NTAG)
1038 //uint8_t response7_EV1[] = {0x00, 0x04, 0x03, 0x01, 0x01, 0x00, 0x0b, 0x03, 0xfd, 0xf7}; //EV1 48bytes VERSION.
1039 //uint8_t response7_NTAG[] = {0x00, 0x04, 0x04, 0x02, 0x01, 0x00, 0x11, 0x03, 0x01, 0x9e}; //NTAG 215
1040
1041 // Prepare CHK_TEARING
1042 //uint8_t response9[] = {0xBD,0x90,0x3f};
1043
1044 #define TAG_RESPONSE_COUNT 10
1045 tag_response_info_t responses[TAG_RESPONSE_COUNT] = {
1046 { .response = response1, .response_n = sizeof(response1) }, // Answer to request - respond with card type
1047 { .response = response2, .response_n = sizeof(response2) }, // Anticollision cascade1 - respond with uid
1048 { .response = response2a, .response_n = sizeof(response2a) }, // Anticollision cascade2 - respond with 2nd half of uid if asked
1049 { .response = response3, .response_n = sizeof(response3) }, // Acknowledge select - cascade 1
1050 { .response = response3a, .response_n = sizeof(response3a) }, // Acknowledge select - cascade 2
1051 { .response = response5, .response_n = sizeof(response5) }, // Authentication answer (random nonce)
1052 { .response = response6, .response_n = sizeof(response6) }, // dummy ATS (pseudo-ATR), answer to RATS
1053
1054 { .response = response8, .response_n = sizeof(response8) } // EV1/NTAG PACK response
1055 };
1056 //{ .response = response7_NTAG, .response_n = sizeof(response7_NTAG)}, // EV1/NTAG GET_VERSION response
1057 //{ .response = response9, .response_n = sizeof(response9) } // EV1/NTAG CHK_TEAR response
1058
1059
1060 // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it
1061 // Such a response is less time critical, so we can prepare them on the fly
1062 #define DYNAMIC_RESPONSE_BUFFER_SIZE 64
1063 #define DYNAMIC_MODULATION_BUFFER_SIZE 512
1064 uint8_t dynamic_response_buffer[DYNAMIC_RESPONSE_BUFFER_SIZE];
1065 uint8_t dynamic_modulation_buffer[DYNAMIC_MODULATION_BUFFER_SIZE];
1066 tag_response_info_t dynamic_response_info = {
1067 .response = dynamic_response_buffer,
1068 .response_n = 0,
1069 .modulation = dynamic_modulation_buffer,
1070 .modulation_n = 0
1071 };
1072
1073 // We need to listen to the high-frequency, peak-detected path.
1074 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1075
1076 BigBuf_free_keep_EM();
1077
1078 // allocate buffers:
1079 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
1080 uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
1081 free_buffer_pointer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
1082
1083 // clear trace
1084 clear_trace();
1085 set_tracing(TRUE);
1086
1087 // Prepare the responses of the anticollision phase
1088 // there will be not enough time to do this at the moment the reader sends it REQA
1089 for (size_t i=0; i<TAG_RESPONSE_COUNT; i++)
1090 prepare_allocated_tag_modulation(&responses[i]);
1091
1092 int len = 0;
1093
1094 // To control where we are in the protocol
1095 int order = 0;
1096 int lastorder;
1097
1098 // Just to allow some checks
1099 int happened = 0;
1100 int happened2 = 0;
1101 int cmdsRecvd = 0;
1102
1103 cmdsRecvd = 0;
1104 tag_response_info_t* p_response;
1105
1106 LED_A_ON();
1107 for(;;) {
1108
1109 WDT_HIT();
1110
1111 // Clean receive command buffer
1112 if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
1113 DbpString("Button press");
1114 break;
1115 }
1116
1117 p_response = NULL;
1118
1119 // Okay, look at the command now.
1120 lastorder = order;
1121 if(receivedCmd[0] == 0x26) { // Received a REQUEST
1122 p_response = &responses[0]; order = 1;
1123 } else if(receivedCmd[0] == 0x52) { // Received a WAKEUP
1124 p_response = &responses[0]; order = 6;
1125 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // Received request for UID (cascade 1)
1126 p_response = &responses[1]; order = 2;
1127 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x95) { // Received request for UID (cascade 2)
1128 p_response = &responses[2]; order = 20;
1129 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x93) { // Received a SELECT (cascade 1)
1130 p_response = &responses[3]; order = 3;
1131 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) { // Received a SELECT (cascade 2)
1132 p_response = &responses[4]; order = 30;
1133 } else if(receivedCmd[0] == 0x30) { // Received a (plain) READ
1134 uint8_t block = receivedCmd[1];
1135 // if Ultralight or NTAG (4 byte blocks)
1136 if ( tagType == 7 || tagType == 2 ) {
1137 //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
1138 uint16_t start = 4 * (block+12);
1139 uint8_t emdata[MAX_MIFARE_FRAME_SIZE];
1140 emlGetMemBt( emdata, start, 16);
1141 AppendCrc14443a(emdata, 16);
1142 EmSendCmdEx(emdata, sizeof(emdata), false);
1143 // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
1144 p_response = NULL;
1145 } else { // all other tags (16 byte block tags)
1146 EmSendCmdEx(data+(4*receivedCmd[1]),16,false);
1147 // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
1148 // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
1149 p_response = NULL;
1150 }
1151 } else if(receivedCmd[0] == 0x3A) { // Received a FAST READ (ranged read)
1152
1153 uint8_t emdata[MAX_FRAME_SIZE];
1154 //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
1155 int start = (receivedCmd[1]+12) * 4;
1156 int len = (receivedCmd[2] - receivedCmd[1] + 1) * 4;
1157 emlGetMemBt( emdata, start, len);
1158 AppendCrc14443a(emdata, len);
1159 EmSendCmdEx(emdata, len+2, false);
1160 p_response = NULL;
1161
1162 } else if(receivedCmd[0] == 0x3C && tagType == 7) { // Received a READ SIGNATURE --
1163 //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
1164 uint16_t start = 4 * 4;
1165 uint8_t emdata[34];
1166 emlGetMemBt( emdata, start, 32);
1167 AppendCrc14443a(emdata, 32);
1168 EmSendCmdEx(emdata, sizeof(emdata), false);
1169 p_response = NULL;
1170 } else if (receivedCmd[0] == 0x39 && tagType == 7) { // Received a READ COUNTER --
1171 uint8_t index = receivedCmd[1];
1172 uint8_t data[] = {0x00,0x00,0x00,0x14,0xa5};
1173 if ( counters[index] > 0) {
1174 num_to_bytes(counters[index], 3, data);
1175 AppendCrc14443a(data, sizeof(data)-2);
1176 }
1177 EmSendCmdEx(data,sizeof(data),false);
1178 p_response = NULL;
1179 } else if (receivedCmd[0] == 0xA5 && tagType == 7) { // Received a INC COUNTER --
1180 // number of counter
1181 uint8_t counter = receivedCmd[1];
1182 uint32_t val = bytes_to_num(receivedCmd+2,4);
1183 counters[counter] = val;
1184
1185 // send ACK
1186 uint8_t ack[] = {0x0a};
1187 EmSendCmdEx(ack,sizeof(ack),false);
1188 p_response = NULL;
1189
1190 } else if(receivedCmd[0] == 0x3E && tagType == 7) { // Received a CHECK_TEARING_EVENT --
1191 //first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
1192 uint8_t emdata[3];
1193 uint8_t counter=0;
1194 if (receivedCmd[1]<3) counter = receivedCmd[1];
1195 emlGetMemBt( emdata, 10+counter, 1);
1196 AppendCrc14443a(emdata, sizeof(emdata)-2);
1197 EmSendCmdEx(emdata, sizeof(emdata), false);
1198 p_response = NULL;
1199 } else if(receivedCmd[0] == 0x50) { // Received a HALT
1200 LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
1201 p_response = NULL;
1202 } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) { // Received an authentication request
1203
1204 if ( tagType == 7 ) { // IF NTAG /EV1 0x60 == GET_VERSION, not a authentication request.
1205 uint8_t emdata[10];
1206 emlGetMemBt( emdata, 0, 8 );
1207 AppendCrc14443a(emdata, sizeof(emdata)-2);
1208 EmSendCmdEx(emdata, sizeof(emdata), false);
1209 p_response = NULL;
1210 } else {
1211 p_response = &responses[5]; order = 7;
1212 }
1213 } else if(receivedCmd[0] == 0xE0) { // Received a RATS request
1214 if (tagType == 1 || tagType == 2) { // RATS not supported
1215 EmSend4bit(CARD_NACK_NA);
1216 p_response = NULL;
1217 } else {
1218 p_response = &responses[6]; order = 70;
1219 }
1220 } else if (order == 7 && len == 8) { // Received {nr] and {ar} (part of authentication)
1221 LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
1222 uint32_t nonce = bytes_to_num(response5,4);
1223 uint32_t nr = bytes_to_num(receivedCmd,4);
1224 uint32_t ar = bytes_to_num(receivedCmd+4,4);
1225 //Dbprintf("Auth attempt {nonce}{nr}{ar}: %08x %08x %08x", nonce, nr, ar);
1226
1227 if(flags & FLAG_NR_AR_ATTACK )
1228 {
1229 if(ar_nr_collected < 2){
1230 // Avoid duplicates... probably not necessary, nr should vary.
1231 //if(ar_nr_responses[3] != nr){
1232 ar_nr_responses[ar_nr_collected*5] = 0;
1233 ar_nr_responses[ar_nr_collected*5+1] = 0;
1234 ar_nr_responses[ar_nr_collected*5+2] = nonce;
1235 ar_nr_responses[ar_nr_collected*5+3] = nr;
1236 ar_nr_responses[ar_nr_collected*5+4] = ar;
1237 ar_nr_collected++;
1238 //}
1239 }
1240
1241 if(ar_nr_collected > 1 ) {
1242
1243 if (MF_DBGLEVEL >= 2) {
1244 Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
1245 Dbprintf("../tools/mfkey/mfkey32 %07x%08x %08x %08x %08x %08x %08x",
1246 ar_nr_responses[0], // UID1
1247 ar_nr_responses[1], // UID2
1248 ar_nr_responses[2], // NT
1249 ar_nr_responses[3], // AR1
1250 ar_nr_responses[4], // NR1
1251 ar_nr_responses[8], // AR2
1252 ar_nr_responses[9] // NR2
1253 );
1254 Dbprintf("../tools/mfkey/mfkey32v2 %06x%08x %08x %08x %08x %08x %08x %08x",
1255 ar_nr_responses[0], // UID1
1256 ar_nr_responses[1], // UID2
1257 ar_nr_responses[2], // NT1
1258 ar_nr_responses[3], // AR1
1259 ar_nr_responses[4], // NR1
1260 ar_nr_responses[7], // NT2
1261 ar_nr_responses[8], // AR2
1262 ar_nr_responses[9] // NR2
1263 );
1264 }
1265 uint8_t len = ar_nr_collected*5*4;
1266 cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,len,0,&ar_nr_responses,len);
1267 ar_nr_collected = 0;
1268 memset(ar_nr_responses, 0x00, len);
1269 }
1270 }
1271 } else if (receivedCmd[0] == 0x1a ) // ULC authentication
1272 {
1273
1274 }
1275 else if (receivedCmd[0] == 0x1b) // NTAG / EV-1 authentication
1276 {
1277 if ( tagType == 7 ) {
1278 uint16_t start = 13; //first 4 blocks of emu are [getversion answer - check tearing - pack - 0x00]
1279 uint8_t emdata[4];
1280 emlGetMemBt( emdata, start, 2);
1281 AppendCrc14443a(emdata, 2);
1282 EmSendCmdEx(emdata, sizeof(emdata), false);
1283 p_response = NULL;
1284 uint32_t pwd = bytes_to_num(receivedCmd+1,4);
1285
1286 if ( MF_DBGLEVEL >= 3) Dbprintf("Auth attempt: %08x", pwd);
1287 }
1288 } else {
1289 // Check for ISO 14443A-4 compliant commands, look at left nibble
1290 switch (receivedCmd[0]) {
1291 case 0x02:
1292 case 0x03: { // IBlock (command no CID)
1293 dynamic_response_info.response[0] = receivedCmd[0];
1294 dynamic_response_info.response[1] = 0x90;
1295 dynamic_response_info.response[2] = 0x00;
1296 dynamic_response_info.response_n = 3;
1297 } break;
1298 case 0x0B:
1299 case 0x0A: { // IBlock (command CID)
1300 dynamic_response_info.response[0] = receivedCmd[0];
1301 dynamic_response_info.response[1] = 0x00;
1302 dynamic_response_info.response[2] = 0x90;
1303 dynamic_response_info.response[3] = 0x00;
1304 dynamic_response_info.response_n = 4;
1305 } break;
1306
1307 case 0x1A:
1308 case 0x1B: { // Chaining command
1309 dynamic_response_info.response[0] = 0xaa | ((receivedCmd[0]) & 1);
1310 dynamic_response_info.response_n = 2;
1311 } break;
1312
1313 case 0xaa:
1314 case 0xbb: {
1315 dynamic_response_info.response[0] = receivedCmd[0] ^ 0x11;
1316 dynamic_response_info.response_n = 2;
1317 } break;
1318
1319 case 0xBA: { // ping / pong
1320 dynamic_response_info.response[0] = 0xAB;
1321 dynamic_response_info.response[1] = 0x00;
1322 dynamic_response_info.response_n = 2;
1323 } break;
1324
1325 case 0xCA:
1326 case 0xC2: { // Readers sends deselect command
1327 dynamic_response_info.response[0] = 0xCA;
1328 dynamic_response_info.response[1] = 0x00;
1329 dynamic_response_info.response_n = 2;
1330 } break;
1331
1332 default: {
1333 // Never seen this command before
1334 LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
1335 Dbprintf("Received unknown command (len=%d):",len);
1336 Dbhexdump(len,receivedCmd,false);
1337 // Do not respond
1338 dynamic_response_info.response_n = 0;
1339 } break;
1340 }
1341
1342 if (dynamic_response_info.response_n > 0) {
1343 // Copy the CID from the reader query
1344 dynamic_response_info.response[1] = receivedCmd[1];
1345
1346 // Add CRC bytes, always used in ISO 14443A-4 compliant cards
1347 AppendCrc14443a(dynamic_response_info.response,dynamic_response_info.response_n);
1348 dynamic_response_info.response_n += 2;
1349
1350 if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
1351 Dbprintf("Error preparing tag response");
1352 LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
1353 break;
1354 }
1355 p_response = &dynamic_response_info;
1356 }
1357 }
1358
1359 // Count number of wakeups received after a halt
1360 if(order == 6 && lastorder == 5) { happened++; }
1361
1362 // Count number of other messages after a halt
1363 if(order != 6 && lastorder == 5) { happened2++; }
1364
1365 if(cmdsRecvd > 999) {
1366 DbpString("1000 commands later...");
1367 break;
1368 }
1369 cmdsRecvd++;
1370
1371 if (p_response != NULL) {
1372 EmSendCmd14443aRaw(p_response->modulation, p_response->modulation_n, receivedCmd[0] == 0x52);
1373 // do the tracing for the previous reader request and this tag answer:
1374 uint8_t par[MAX_PARITY_SIZE] = {0x00};
1375 GetParity(p_response->response, p_response->response_n, par);
1376
1377 EmLogTrace(Uart.output,
1378 Uart.len,
1379 Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG,
1380 Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG,
1381 Uart.parity,
1382 p_response->response,
1383 p_response->response_n,
1384 LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG,
1385 (LastTimeProxToAirStart + p_response->ProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG,
1386 par);
1387 }
1388
1389 if (!tracing) {
1390 Dbprintf("Trace Full. Simulation stopped.");
1391 break;
1392 }
1393 }
1394
1395 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1396 set_tracing(FALSE);
1397 BigBuf_free_keep_EM();
1398 LED_A_OFF();
1399
1400 if (MF_DBGLEVEL >= 4){
1401 Dbprintf("-[ Wake ups after halt [%d]", happened);
1402 Dbprintf("-[ Messages after halt [%d]", happened2);
1403 Dbprintf("-[ Num of received cmd [%d]", cmdsRecvd);
1404 }
1405 }
1406
1407
1408 // prepare a delayed transfer. This simply shifts ToSend[] by a number
1409 // of bits specified in the delay parameter.
1410 void PrepareDelayedTransfer(uint16_t delay)
1411 {
1412 delay &= 0x07;
1413 if (!delay) return;
1414
1415 uint8_t bitmask = 0;
1416 uint8_t bits_to_shift = 0;
1417 uint8_t bits_shifted = 0;
1418 uint16_t i = 0;
1419
1420 for (i = 0; i < delay; ++i)
1421 bitmask |= (0x01 << i);
1422
1423 ToSend[++ToSendMax] = 0x00;
1424
1425 for (i = 0; i < ToSendMax; ++i) {
1426 bits_to_shift = ToSend[i] & bitmask;
1427 ToSend[i] = ToSend[i] >> delay;
1428 ToSend[i] = ToSend[i] | (bits_shifted << (8 - delay));
1429 bits_shifted = bits_to_shift;
1430 }
1431 }
1432
1433
1434 //-------------------------------------------------------------------------------------
1435 // Transmit the command (to the tag) that was placed in ToSend[].
1436 // Parameter timing:
1437 // if NULL: transfer at next possible time, taking into account
1438 // request guard time and frame delay time
1439 // if == 0: transfer immediately and return time of transfer
1440 // if != 0: delay transfer until time specified
1441 //-------------------------------------------------------------------------------------
1442 static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing)
1443 {
1444 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1445
1446 uint32_t ThisTransferTime = 0;
1447
1448 if (timing) {
1449 if(*timing == 0) { // Measure time
1450 *timing = (GetCountSspClk() + 8) & 0xfffffff8;
1451 } else {
1452 PrepareDelayedTransfer(*timing & 0x00000007); // Delay transfer (fine tuning - up to 7 MF clock ticks)
1453 }
1454 if(MF_DBGLEVEL >= 4 && GetCountSspClk() >= (*timing & 0xfffffff8)) Dbprintf("TransmitFor14443a: Missed timing");
1455 while(GetCountSspClk() < (*timing & 0xfffffff8)); // Delay transfer (multiple of 8 MF clock ticks)
1456 LastTimeProxToAirStart = *timing;
1457 } else {
1458 ThisTransferTime = ((MAX(NextTransferTime, GetCountSspClk()) & 0xfffffff8) + 8);
1459
1460 while(GetCountSspClk() < ThisTransferTime);
1461
1462 LastTimeProxToAirStart = ThisTransferTime;
1463 }
1464
1465 // clear TXRDY
1466 AT91C_BASE_SSC->SSC_THR = SEC_Y;
1467
1468 uint16_t c = 0;
1469 for(;;) {
1470 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1471 AT91C_BASE_SSC->SSC_THR = cmd[c];
1472 ++c;
1473 if(c >= len)
1474 break;
1475 }
1476 }
1477
1478 NextTransferTime = MAX(NextTransferTime, LastTimeProxToAirStart + REQUEST_GUARD_TIME);
1479 }
1480
1481
1482 //-----------------------------------------------------------------------------
1483 // Prepare reader command (in bits, support short frames) to send to FPGA
1484 //-----------------------------------------------------------------------------
1485 void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, const uint8_t *parity)
1486 {
1487 int i, j;
1488 int last = 0;
1489 uint8_t b;
1490
1491 ToSendReset();
1492
1493 // Start of Communication (Seq. Z)
1494 ToSend[++ToSendMax] = SEC_Z;
1495 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1496
1497 size_t bytecount = nbytes(bits);
1498 // Generate send structure for the data bits
1499 for (i = 0; i < bytecount; i++) {
1500 // Get the current byte to send
1501 b = cmd[i];
1502 size_t bitsleft = MIN((bits-(i*8)),8);
1503
1504 for (j = 0; j < bitsleft; j++) {
1505 if (b & 1) {
1506 // Sequence X
1507 ToSend[++ToSendMax] = SEC_X;
1508 LastProxToAirDuration = 8 * (ToSendMax+1) - 2;
1509 last = 1;
1510 } else {
1511 if (last == 0) {
1512 // Sequence Z
1513 ToSend[++ToSendMax] = SEC_Z;
1514 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1515 } else {
1516 // Sequence Y
1517 ToSend[++ToSendMax] = SEC_Y;
1518 last = 0;
1519 }
1520 }
1521 b >>= 1;
1522 }
1523
1524 // Only transmit parity bit if we transmitted a complete byte
1525 if (j == 8 && parity != NULL) {
1526 // Get the parity bit
1527 if (parity[i>>3] & (0x80 >> (i&0x0007))) {
1528 // Sequence X
1529 ToSend[++ToSendMax] = SEC_X;
1530 LastProxToAirDuration = 8 * (ToSendMax+1) - 2;
1531 last = 1;
1532 } else {
1533 if (last == 0) {
1534 // Sequence Z
1535 ToSend[++ToSendMax] = SEC_Z;
1536 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1537 } else {
1538 // Sequence Y
1539 ToSend[++ToSendMax] = SEC_Y;
1540 last = 0;
1541 }
1542 }
1543 }
1544 }
1545
1546 // End of Communication: Logic 0 followed by Sequence Y
1547 if (last == 0) {
1548 // Sequence Z
1549 ToSend[++ToSendMax] = SEC_Z;
1550 LastProxToAirDuration = 8 * (ToSendMax+1) - 6;
1551 } else {
1552 // Sequence Y
1553 ToSend[++ToSendMax] = SEC_Y;
1554 last = 0;
1555 }
1556 ToSend[++ToSendMax] = SEC_Y;
1557
1558 // Convert to length of command:
1559 ++ToSendMax;
1560 }
1561
1562 //-----------------------------------------------------------------------------
1563 // Prepare reader command to send to FPGA
1564 //-----------------------------------------------------------------------------
1565 void CodeIso14443aAsReaderPar(const uint8_t *cmd, uint16_t len, const uint8_t *parity)
1566 {
1567 CodeIso14443aBitsAsReaderPar(cmd, len*8, parity);
1568 }
1569
1570
1571 //-----------------------------------------------------------------------------
1572 // Wait for commands from reader
1573 // Stop when button is pressed (return 1) or field was gone (return 2)
1574 // Or return 0 when command is captured
1575 //-----------------------------------------------------------------------------
1576 static int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity)
1577 {
1578 *len = 0;
1579
1580 uint32_t timer = 0, vtime = 0;
1581 int analogCnt = 0;
1582 int analogAVG = 0;
1583
1584 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1585 // only, since we are receiving, not transmitting).
1586 // Signal field is off with the appropriate LED
1587 LED_D_OFF();
1588 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1589
1590 // Set ADC to read field strength
1591 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
1592 AT91C_BASE_ADC->ADC_MR =
1593 ADC_MODE_PRESCALE(63) |
1594 ADC_MODE_STARTUP_TIME(1) |
1595 ADC_MODE_SAMPLE_HOLD_TIME(15);
1596 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
1597 // start ADC
1598 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1599
1600 // Now run a 'software UART' on the stream of incoming samples.
1601 UartInit(received, parity);
1602
1603 // Clear RXRDY:
1604 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1605
1606 for(;;) {
1607 WDT_HIT();
1608
1609 if (BUTTON_PRESS()) return 1;
1610
1611 // test if the field exists
1612 if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
1613 analogCnt++;
1614 analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
1615 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1616 if (analogCnt >= 32) {
1617 if ((MAX_ADC_HF_VOLTAGE * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
1618 vtime = GetTickCount();
1619 if (!timer) timer = vtime;
1620 // 50ms no field --> card to idle state
1621 if (vtime - timer > 50) return 2;
1622 } else
1623 if (timer) timer = 0;
1624 analogCnt = 0;
1625 analogAVG = 0;
1626 }
1627 }
1628
1629 // receive and test the miller decoding
1630 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1631 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1632 if(MillerDecoding(b, 0)) {
1633 *len = Uart.len;
1634 return 0;
1635 }
1636 }
1637
1638 }
1639 }
1640
1641
1642 static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNeeded)
1643 {
1644 uint8_t b;
1645 uint16_t i = 0;
1646 uint32_t ThisTransferTime;
1647
1648 // Modulate Manchester
1649 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1650
1651 // include correction bit if necessary
1652 if (Uart.parityBits & 0x01) {
1653 correctionNeeded = TRUE;
1654 }
1655 if(correctionNeeded) {
1656 // 1236, so correction bit needed
1657 i = 0;
1658 } else {
1659 i = 1;
1660 }
1661
1662 // clear receiving shift register and holding register
1663 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
1664 b = AT91C_BASE_SSC->SSC_RHR; (void) b;
1665 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
1666 b = AT91C_BASE_SSC->SSC_RHR; (void) b;
1667
1668 // wait for the FPGA to signal fdt_indicator == 1 (the FPGA is ready to queue new data in its delay line)
1669 for (uint16_t j = 0; j < 5; j++) { // allow timeout - better late than never
1670 while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
1671 if (AT91C_BASE_SSC->SSC_RHR) break;
1672 }
1673
1674 while ((ThisTransferTime = GetCountSspClk()) & 0x00000007);
1675
1676 // Clear TXRDY:
1677 AT91C_BASE_SSC->SSC_THR = SEC_F;
1678
1679 // send cycle
1680 for(; i < respLen; ) {
1681 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1682 AT91C_BASE_SSC->SSC_THR = resp[i++];
1683 FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1684 }
1685
1686 if(BUTTON_PRESS()) break;
1687 }
1688
1689 // Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN again:
1690 uint8_t fpga_queued_bits = FpgaSendQueueDelay >> 3; // twich /8 ?? >>3,
1691 for (i = 0; i <= fpga_queued_bits/8 + 1; ) {
1692 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1693 AT91C_BASE_SSC->SSC_THR = SEC_F;
1694 FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1695 i++;
1696 }
1697 }
1698
1699 LastTimeProxToAirStart = ThisTransferTime + (correctionNeeded?8:0);
1700
1701 return 0;
1702 }
1703
1704 int EmSend4bitEx(uint8_t resp, bool correctionNeeded){
1705 Code4bitAnswerAsTag(resp);
1706 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
1707 // do the tracing for the previous reader request and this tag answer:
1708 uint8_t par[1] = {0x00};
1709 GetParity(&resp, 1, par);
1710 EmLogTrace(Uart.output,
1711 Uart.len,
1712 Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG,
1713 Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG,
1714 Uart.parity,
1715 &resp,
1716 1,
1717 LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG,
1718 (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG,
1719 par);
1720 return res;
1721 }
1722
1723 int EmSend4bit(uint8_t resp){
1724 return EmSend4bitEx(resp, false);
1725 }
1726
1727 int EmSendCmdExPar(uint8_t *resp, uint16_t respLen, bool correctionNeeded, uint8_t *par){
1728 CodeIso14443aAsTagPar(resp, respLen, par);
1729 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
1730 // do the tracing for the previous reader request and this tag answer:
1731 EmLogTrace(Uart.output,
1732 Uart.len,
1733 Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG,
1734 Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG,
1735 Uart.parity,
1736 resp,
1737 respLen,
1738 LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_TAG,
1739 (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_TAG,
1740 par);
1741 return res;
1742 }
1743
1744 int EmSendCmdEx(uint8_t *resp, uint16_t respLen, bool correctionNeeded){
1745 uint8_t par[MAX_PARITY_SIZE] = {0x00};
1746 GetParity(resp, respLen, par);
1747 return EmSendCmdExPar(resp, respLen, correctionNeeded, par);
1748 }
1749
1750 int EmSendCmd(uint8_t *resp, uint16_t respLen){
1751 uint8_t par[MAX_PARITY_SIZE] = {0x00};
1752 GetParity(resp, respLen, par);
1753 return EmSendCmdExPar(resp, respLen, false, par);
1754 }
1755
1756 int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par){
1757 return EmSendCmdExPar(resp, respLen, false, par);
1758 }
1759
1760 bool EmLogTrace(uint8_t *reader_data, uint16_t reader_len, uint32_t reader_StartTime, uint32_t reader_EndTime, uint8_t *reader_Parity,
1761 uint8_t *tag_data, uint16_t tag_len, uint32_t tag_StartTime, uint32_t tag_EndTime, uint8_t *tag_Parity)
1762 {
1763 // we cannot exactly measure the end and start of a received command from reader. However we know that the delay from
1764 // end of the received command to start of the tag's (simulated by us) answer is n*128+20 or n*128+84 resp.
1765 // with n >= 9. The start of the tags answer can be measured and therefore the end of the received command be calculated:
1766 uint16_t reader_modlen = reader_EndTime - reader_StartTime;
1767 uint16_t approx_fdt = tag_StartTime - reader_EndTime;
1768 uint16_t exact_fdt = (approx_fdt - 20 + 32)/64 * 64 + 20;
1769 reader_EndTime = tag_StartTime - exact_fdt;
1770 reader_StartTime = reader_EndTime - reader_modlen;
1771
1772 if (!LogTrace(reader_data, reader_len, reader_StartTime, reader_EndTime, reader_Parity, TRUE))
1773 return FALSE;
1774 else
1775 return(!LogTrace(tag_data, tag_len, tag_StartTime, tag_EndTime, tag_Parity, FALSE));
1776
1777 }
1778
1779 //-----------------------------------------------------------------------------
1780 // Wait a certain time for tag response
1781 // If a response is captured return TRUE
1782 // If it takes too long return FALSE
1783 //-----------------------------------------------------------------------------
1784 static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receivedResponsePar, uint16_t offset)
1785 {
1786 uint32_t c = 0x00;
1787
1788 // Set FPGA mode to "reader listen mode", no modulation (listen
1789 // only, since we are receiving, not transmitting).
1790 // Signal field is on with the appropriate LED
1791 LED_D_ON();
1792 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1793
1794 // Now get the answer from the card
1795 DemodInit(receivedResponse, receivedResponsePar);
1796
1797 // clear RXRDY:
1798 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1799
1800 for(;;) {
1801 WDT_HIT();
1802
1803 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1804 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1805 if(ManchesterDecoding(b, offset, 0)) {
1806 NextTransferTime = MAX(NextTransferTime, Demod.endTime - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/16 + FRAME_DELAY_TIME_PICC_TO_PCD);
1807 return TRUE;
1808 } else if (c++ > iso14a_timeout && Demod.state == DEMOD_UNSYNCD) {
1809 return FALSE;
1810 }
1811 }
1812 }
1813 }
1814
1815 void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing)
1816 {
1817 CodeIso14443aBitsAsReaderPar(frame, bits, par);
1818
1819 // Send command to tag
1820 TransmitFor14443a(ToSend, ToSendMax, timing);
1821 if(trigger)
1822 LED_A_ON();
1823
1824 // Log reader command in trace buffer
1825 //LogTrace(frame, nbytes(bits), LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_READER, (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_READER, par, TRUE);
1826 LogTrace(frame, nbytes(bits), (LastTimeProxToAirStart<<4) + DELAY_ARM2AIR_AS_READER, ((LastTimeProxToAirStart + LastProxToAirDuration)<<4) + DELAY_ARM2AIR_AS_READER, par, TRUE);
1827 }
1828
1829 void ReaderTransmitPar(uint8_t* frame, uint16_t len, uint8_t *par, uint32_t *timing)
1830 {
1831 ReaderTransmitBitsPar(frame, len*8, par, timing);
1832 }
1833
1834 void ReaderTransmitBits(uint8_t* frame, uint16_t len, uint32_t *timing)
1835 {
1836 // Generate parity and redirect
1837 uint8_t par[MAX_PARITY_SIZE] = {0x00};
1838 GetParity(frame, len/8, par);
1839 ReaderTransmitBitsPar(frame, len, par, timing);
1840 }
1841
1842 void ReaderTransmit(uint8_t* frame, uint16_t len, uint32_t *timing)
1843 {
1844 // Generate parity and redirect
1845 uint8_t par[MAX_PARITY_SIZE] = {0x00};
1846 GetParity(frame, len, par);
1847 ReaderTransmitBitsPar(frame, len*8, par, timing);
1848 }
1849
1850 int ReaderReceiveOffset(uint8_t* receivedAnswer, uint16_t offset, uint8_t *parity)
1851 {
1852 if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, offset)) return FALSE;
1853 //if (tracing) {
1854 LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE);
1855 //}
1856 return Demod.len;
1857 }
1858
1859 int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity)
1860 {
1861 if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, 0)) return FALSE;
1862 //if (tracing) {
1863 LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, FALSE);
1864 //}
1865 return Demod.len;
1866 }
1867
1868 // performs iso14443a anticollision (optional) and card select procedure
1869 // fills the uid and cuid pointer unless NULL
1870 // fills the card info record unless NULL
1871 // if anticollision is false, then the UID must be provided in uid_ptr[]
1872 // and num_cascades must be set (1: 4 Byte UID, 2: 7 Byte UID, 3: 10 Byte UID)
1873 int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades) {
1874 uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
1875 uint8_t sel_all[] = { 0x93,0x20 };
1876 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
1877 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
1878 uint8_t resp[MAX_FRAME_SIZE] = {0}; // theoretically. A usual RATS will be much smaller
1879 uint8_t resp_par[MAX_PARITY_SIZE] = {0};
1880 byte_t uid_resp[4] = {0};
1881 size_t uid_resp_len = 0;
1882
1883 uint8_t sak = 0x04; // cascade uid
1884 int cascade_level = 0;
1885 int len;
1886
1887 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1888 ReaderTransmitBitsPar(wupa, 7, NULL, NULL);
1889
1890 // Receive the ATQA
1891 if(!ReaderReceive(resp, resp_par)) return 0;
1892
1893 if(p_hi14a_card) {
1894 memcpy(p_hi14a_card->atqa, resp, 2);
1895 p_hi14a_card->uidlen = 0;
1896 memset(p_hi14a_card->uid,0,10);
1897 }
1898
1899 if (anticollision) {
1900 // clear uid
1901 if (uid_ptr)
1902 memset(uid_ptr,0,10);
1903 }
1904
1905 // check for proprietary anticollision:
1906 if ((resp[0] & 0x1F) == 0) return 3;
1907
1908 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
1909 // which case we need to make a cascade 2 request and select - this is a long UID
1910 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1911 for(; sak & 0x04; cascade_level++) {
1912 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1913 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1914
1915 if (anticollision) {
1916 // SELECT_ALL
1917 ReaderTransmit(sel_all, sizeof(sel_all), NULL);
1918 if (!ReaderReceive(resp, resp_par)) return 0;
1919
1920 if (Demod.collisionPos) { // we had a collision and need to construct the UID bit by bit
1921 memset(uid_resp, 0, 4);
1922 uint16_t uid_resp_bits = 0;
1923 uint16_t collision_answer_offset = 0;
1924 // anti-collision-loop:
1925 while (Demod.collisionPos) {
1926 Dbprintf("Multiple tags detected. Collision after Bit %d", Demod.collisionPos);
1927 for (uint16_t i = collision_answer_offset; i < Demod.collisionPos; i++, uid_resp_bits++) { // add valid UID bits before collision point
1928 uint16_t UIDbit = (resp[i/8] >> (i % 8)) & 0x01;
1929 uid_resp[uid_resp_bits / 8] |= UIDbit << (uid_resp_bits % 8);
1930 }
1931 uid_resp[uid_resp_bits/8] |= 1 << (uid_resp_bits % 8); // next time select the card(s) with a 1 in the collision position
1932 uid_resp_bits++;
1933 // construct anticollosion command:
1934 sel_uid[1] = ((2 + uid_resp_bits/8) << 4) | (uid_resp_bits & 0x07); // length of data in bytes and bits
1935 for (uint16_t i = 0; i <= uid_resp_bits/8; i++) {
1936 sel_uid[2+i] = uid_resp[i];
1937 }
1938 collision_answer_offset = uid_resp_bits%8;
1939 ReaderTransmitBits(sel_uid, 16 + uid_resp_bits, NULL);
1940 if (!ReaderReceiveOffset(resp, collision_answer_offset, resp_par)) return 0;
1941 }
1942 // finally, add the last bits and BCC of the UID
1943 for (uint16_t i = collision_answer_offset; i < (Demod.len-1)*8; i++, uid_resp_bits++) {
1944 uint16_t UIDbit = (resp[i/8] >> (i%8)) & 0x01;
1945 uid_resp[uid_resp_bits/8] |= UIDbit << (uid_resp_bits % 8);
1946 }
1947
1948 } else { // no collision, use the response to SELECT_ALL as current uid
1949 memcpy(uid_resp, resp, 4);
1950 }
1951
1952 } else {
1953 if (cascade_level < num_cascades - 1) {
1954 uid_resp[0] = 0x88;
1955 memcpy(uid_resp+1, uid_ptr+cascade_level*3, 3);
1956 } else {
1957 memcpy(uid_resp, uid_ptr+cascade_level*3, 4);
1958 }
1959 }
1960 uid_resp_len = 4;
1961
1962 // calculate crypto UID. Always use last 4 Bytes.
1963 if(cuid_ptr)
1964 *cuid_ptr = bytes_to_num(uid_resp, 4);
1965
1966 // Construct SELECT UID command
1967 sel_uid[1] = 0x70; // transmitting a full UID (1 Byte cmd, 1 Byte NVB, 4 Byte UID, 1 Byte BCC, 2 Bytes CRC)
1968 memcpy(sel_uid+2, uid_resp, 4); // the UID received during anticollision, or the provided UID
1969 sel_uid[6] = sel_uid[2] ^ sel_uid[3] ^ sel_uid[4] ^ sel_uid[5]; // calculate and add BCC
1970 AppendCrc14443a(sel_uid, 7); // calculate and add CRC
1971 ReaderTransmit(sel_uid, sizeof(sel_uid), NULL);
1972
1973 // Receive the SAK
1974 if (!ReaderReceive(resp, resp_par)) return 0;
1975
1976 sak = resp[0];
1977
1978 // Test if more parts of the uid are coming
1979 if ((sak & 0x04) /* && uid_resp[0] == 0x88 */) {
1980 // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
1981 // http://www.nxp.com/documents/application_note/AN10927.pdf
1982 uid_resp[0] = uid_resp[1];
1983 uid_resp[1] = uid_resp[2];
1984 uid_resp[2] = uid_resp[3];
1985 uid_resp_len = 3;
1986 }
1987
1988 if(uid_ptr && anticollision)
1989 memcpy(uid_ptr + (cascade_level*3), uid_resp, uid_resp_len);
1990
1991 if(p_hi14a_card) {
1992 memcpy(p_hi14a_card->uid + (cascade_level*3), uid_resp, uid_resp_len);
1993 p_hi14a_card->uidlen += uid_resp_len;
1994 }
1995 }
1996
1997 if(p_hi14a_card) {
1998 p_hi14a_card->sak = sak;
1999 p_hi14a_card->ats_len = 0;
2000 }
2001
2002 // non iso14443a compliant tag
2003 if( (sak & 0x20) == 0) return 2;
2004
2005 // Request for answer to select
2006 AppendCrc14443a(rats, 2);
2007 ReaderTransmit(rats, sizeof(rats), NULL);
2008
2009 if (!(len = ReaderReceive(resp, resp_par))) return 0;
2010
2011 if(p_hi14a_card) {
2012 memcpy(p_hi14a_card->ats, resp, sizeof(p_hi14a_card->ats));
2013 p_hi14a_card->ats_len = len;
2014 }
2015
2016 // reset the PCB block number
2017 iso14_pcb_blocknum = 0;
2018
2019 // set default timeout based on ATS
2020 iso14a_set_ATS_timeout(resp);
2021
2022 return 1;
2023 }
2024
2025 void iso14443a_setup(uint8_t fpga_minor_mode) {
2026 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
2027 // Set up the synchronous serial port
2028 FpgaSetupSsc();
2029 // connect Demodulated Signal to ADC:
2030 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
2031
2032 LED_D_OFF();
2033 // Signal field is on with the appropriate LED
2034 if (fpga_minor_mode == FPGA_HF_ISO14443A_READER_MOD ||
2035 fpga_minor_mode == FPGA_HF_ISO14443A_READER_LISTEN)
2036 LED_D_ON();
2037
2038 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | fpga_minor_mode);
2039
2040 DemodReset();
2041 UartReset();
2042
2043 iso14a_set_timeout(10*106); // 10ms default
2044
2045 // Start the timer
2046 StartCountSspClk();
2047
2048 NextTransferTime = 2*DELAY_ARM2AIR_AS_READER;
2049 }
2050
2051 int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
2052 uint8_t parity[MAX_PARITY_SIZE] = {0x00};
2053 uint8_t real_cmd[cmd_len+4];
2054 real_cmd[0] = 0x0a; //I-Block
2055 // put block number into the PCB
2056 real_cmd[0] |= iso14_pcb_blocknum;
2057 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
2058 memcpy(real_cmd+2, cmd, cmd_len);
2059 AppendCrc14443a(real_cmd,cmd_len+2);
2060
2061 ReaderTransmit(real_cmd, cmd_len+4, NULL);
2062 size_t len = ReaderReceive(data, parity);
2063 //DATA LINK ERROR
2064 if (!len) return 0;
2065
2066 uint8_t *data_bytes = (uint8_t *) data;
2067
2068 // if we received an I- or R(ACK)-Block with a block number equal to the
2069 // current block number, toggle the current block number
2070 if (len >= 4 // PCB+CID+CRC = 4 bytes
2071 && ((data_bytes[0] & 0xC0) == 0 // I-Block
2072 || (data_bytes[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
2073 && (data_bytes[0] & 0x01) == iso14_pcb_blocknum) // equal block numbers
2074 {
2075 iso14_pcb_blocknum ^= 1;
2076 }
2077
2078 return len;
2079 }
2080
2081 //-----------------------------------------------------------------------------
2082 // Read an ISO 14443a tag. Send out commands and store answers.
2083 //
2084 //-----------------------------------------------------------------------------
2085 void ReaderIso14443a(UsbCommand *c)
2086 {
2087 iso14a_command_t param = c->arg[0];
2088 uint8_t *cmd = c->d.asBytes;
2089 size_t len = c->arg[1] & 0xffff;
2090 size_t lenbits = c->arg[1] >> 16;
2091 uint32_t timeout = c->arg[2];
2092 uint32_t arg0 = 0;
2093 byte_t buf[USB_CMD_DATA_SIZE] = {0x00};
2094 uint8_t par[MAX_PARITY_SIZE] = {0x00};
2095
2096 if (param & ISO14A_CONNECT)
2097 clear_trace();
2098
2099 set_tracing(TRUE);
2100
2101 if (param & ISO14A_REQUEST_TRIGGER)
2102 iso14a_set_trigger(TRUE);
2103
2104 if (param & ISO14A_CONNECT) {
2105 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
2106 if(!(param & ISO14A_NO_SELECT)) {
2107 iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
2108 arg0 = iso14443a_select_card(NULL,card,NULL, true, 0);
2109 cmd_send(CMD_ACK,arg0,card->uidlen,0,buf,sizeof(iso14a_card_select_t));
2110 // if it fails, the cmdhf14a.c client quites.. however this one still executes.
2111 if ( arg0 == 0 ) return;
2112 }
2113 }
2114
2115 if (param & ISO14A_SET_TIMEOUT)
2116 iso14a_set_timeout(timeout);
2117
2118 if (param & ISO14A_APDU) {
2119 arg0 = iso14_apdu(cmd, len, buf);
2120 cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
2121 }
2122
2123 if (param & ISO14A_RAW) {
2124 if(param & ISO14A_APPEND_CRC) {
2125 if(param & ISO14A_TOPAZMODE) {
2126 AppendCrc14443b(cmd,len);
2127 } else {
2128 AppendCrc14443a(cmd,len);
2129 }
2130 len += 2;
2131 if (lenbits) lenbits += 16;
2132 }
2133 if(lenbits>0) { // want to send a specific number of bits (e.g. short commands)
2134 if(param & ISO14A_TOPAZMODE) {
2135 int bits_to_send = lenbits;
2136 uint16_t i = 0;
2137 ReaderTransmitBitsPar(&cmd[i++], MIN(bits_to_send, 7), NULL, NULL); // first byte is always short (7bits) and no parity
2138 bits_to_send -= 7;
2139 while (bits_to_send > 0) {
2140 ReaderTransmitBitsPar(&cmd[i++], MIN(bits_to_send, 8), NULL, NULL); // following bytes are 8 bit and no parity
2141 bits_to_send -= 8;
2142 }
2143 } else {
2144 GetParity(cmd, lenbits/8, par);
2145 ReaderTransmitBitsPar(cmd, lenbits, par, NULL); // bytes are 8 bit with odd parity
2146 }
2147 } else { // want to send complete bytes only
2148 if(param & ISO14A_TOPAZMODE) {
2149 uint16_t i = 0;
2150 ReaderTransmitBitsPar(&cmd[i++], 7, NULL, NULL); // first byte: 7 bits, no paritiy
2151 while (i < len) {
2152 ReaderTransmitBitsPar(&cmd[i++], 8, NULL, NULL); // following bytes: 8 bits, no paritiy
2153 }
2154 } else {
2155 ReaderTransmit(cmd,len, NULL); // 8 bits, odd parity
2156 }
2157 }
2158 arg0 = ReaderReceive(buf, par);
2159 cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
2160 }
2161
2162 if (param & ISO14A_REQUEST_TRIGGER)
2163 iso14a_set_trigger(FALSE);
2164
2165
2166 if (param & ISO14A_NO_DISCONNECT)
2167 return;
2168
2169 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2170 set_tracing(FALSE);
2171 LEDsoff();
2172 }
2173
2174
2175 // Determine the distance between two nonces.
2176 // Assume that the difference is small, but we don't know which is first.
2177 // Therefore try in alternating directions.
2178 int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
2179
2180 uint16_t i;
2181 uint32_t nttmp1, nttmp2;
2182
2183 if (nt1 == nt2) return 0;
2184
2185 nttmp1 = nt1;
2186 nttmp2 = nt2;
2187
2188 for (i = 1; i < 32768; i++) {
2189 nttmp1 = prng_successor(nttmp1, 1);
2190 if (nttmp1 == nt2) return i;
2191 nttmp2 = prng_successor(nttmp2, 1);
2192 if (nttmp2 == nt1) return -i;
2193 }
2194
2195 return(-99999); // either nt1 or nt2 are invalid nonces
2196 }
2197
2198
2199 //-----------------------------------------------------------------------------
2200 // Recover several bits of the cypher stream. This implements (first stages of)
2201 // the algorithm described in "The Dark Side of Security by Obscurity and
2202 // Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
2203 // (article by Nicolas T. Courtois, 2009)
2204 //-----------------------------------------------------------------------------
2205 void ReaderMifare(bool first_try, uint8_t block )
2206 {
2207 // Mifare AUTH
2208 //uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
2209 //uint8_t mf_auth[] = { 0x60,0x05, 0x58, 0x2c };
2210 uint8_t mf_auth[] = { 0x60,0x00, 0x00, 0x00 };
2211 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
2212 uint8_t uid[10] = {0,0,0,0,0,0,0,0,0,0};
2213 uint8_t par_list[8] = {0,0,0,0,0,0,0,0};
2214 uint8_t ks_list[8] = {0,0,0,0,0,0,0,0};
2215 uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE] = {0x00};
2216 uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
2217 uint8_t par[1] = {0}; // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
2218
2219 mf_auth[1] = block;
2220 AppendCrc14443a(mf_auth, 2);
2221
2222 byte_t nt_diff = 0;
2223
2224 uint32_t nt = 0;
2225 uint32_t previous_nt = 0;
2226 uint32_t halt_time = 0;
2227 uint32_t cuid = 0;
2228
2229 int catch_up_cycles = 0;
2230 int last_catch_up = 0;
2231 int isOK = 0;
2232
2233 uint16_t elapsed_prng_sequences = 1;
2234 uint16_t consecutive_resyncs = 0;
2235 uint16_t unexpected_random = 0;
2236 uint16_t sync_tries = 0;
2237 uint16_t strategy = 0;
2238
2239 static uint32_t nt_attacked = 0;
2240 static uint32_t sync_time = 0;
2241 static int32_t sync_cycles = 0;
2242 static uint8_t par_low = 0;
2243 static uint8_t mf_nr_ar3 = 0;
2244
2245 #define PRNG_SEQUENCE_LENGTH (1 << 16)
2246 #define MAX_UNEXPECTED_RANDOM 4 // maximum number of unexpected (i.e. real) random numbers when trying to sync. Then give up.
2247 #define MAX_SYNC_TRIES 32
2248 #define MAX_STRATEGY 3
2249
2250 // free eventually allocated BigBuf memory
2251 BigBuf_free(); BigBuf_Clear_ext(false);
2252
2253 clear_trace();
2254 set_tracing(TRUE);
2255
2256 LED_A_ON();
2257
2258 if (first_try)
2259 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
2260
2261 if (first_try) {
2262 sync_time = GetCountSspClk() & 0xfffffff8;
2263 sync_cycles = PRNG_SEQUENCE_LENGTH + 1100; //65536; //0x10000 // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).
2264 mf_nr_ar3 = 0;
2265 nt_attacked = 0;
2266
2267 } else {
2268 // we were unsuccessful on a previous call.
2269 // Try another READER nonce (first 3 parity bits remain the same)
2270 ++mf_nr_ar3;
2271 mf_nr_ar[3] = mf_nr_ar3;
2272 par[0] = par_low;
2273 }
2274
2275 LED_A_ON();
2276 LED_C_ON();
2277 for(uint16_t i = 0; TRUE; ++i) {
2278
2279 WDT_HIT();
2280
2281 // Test if the action was cancelled
2282 if(BUTTON_PRESS()) {
2283 isOK = -1;
2284 break;
2285 }
2286
2287 if (strategy == 2) {
2288 // test with additional halt command
2289 halt_time = 0;
2290 int len = mifare_sendcmd_short(NULL, false, 0x50, 0x00, receivedAnswer, receivedAnswerPar, &halt_time);
2291
2292 if (len && MF_DBGLEVEL >= 3)
2293 Dbprintf("Unexpected response of %d bytes to halt command.", len);
2294 }
2295
2296 if (strategy == 3) {
2297 // test with FPGA power off/on
2298 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2299 SpinDelay(200);
2300 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
2301 SpinDelay(100);
2302 sync_time = GetCountSspClk() & 0xfffffff8;
2303 WDT_HIT();
2304 }
2305
2306 if (!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
2307 if (MF_DBGLEVEL >= 2) Dbprintf("Mifare: Can't select card\n");
2308 continue;
2309 }
2310
2311 // Sending timeslot of ISO14443a frame
2312
2313 sync_time = (sync_time & 0xfffffff8) + sync_cycles + catch_up_cycles;
2314 catch_up_cycles = 0;
2315
2316 //catch_up_cycles = 0;
2317
2318 // if we missed the sync time already, advance to the next nonce repeat
2319 while(GetCountSspClk() > sync_time) {
2320 ++elapsed_prng_sequences;
2321 sync_time = (sync_time & 0xfffffff8) + sync_cycles;
2322 }
2323 // Transmit MIFARE_CLASSIC_AUTH at synctime. Should result in returning the same tag nonce (== nt_attacked)
2324 ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);
2325
2326 // Receive the (4 Byte) "random" nonce
2327 if (!ReaderReceive(receivedAnswer, receivedAnswerPar))
2328 continue;
2329
2330 // Transmit reader nonce with fake par
2331 ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par, NULL);
2332
2333 previous_nt = nt;
2334 nt = bytes_to_num(receivedAnswer, 4);
2335
2336 if (first_try && previous_nt && !nt_attacked) { // we didn't calibrate our clock yet
2337 int nt_distance = dist_nt(previous_nt, nt);
2338 if (nt_distance == 0) {
2339 nt_attacked = nt;
2340 } else {
2341 if (nt_distance == -99999) { // invalid nonce received
2342 unexpected_random++;
2343 if (unexpected_random > MAX_UNEXPECTED_RANDOM) {
2344 isOK = -3; // Card has an unpredictable PRNG. Give up
2345 break;
2346 } else {
2347 continue; // continue trying...
2348 }
2349 }
2350
2351 if (++sync_tries > MAX_SYNC_TRIES) {
2352 if (strategy > MAX_STRATEGY || MF_DBGLEVEL < 3) {
2353 isOK = -4; // Card's PRNG runs at an unexpected frequency or resets unexpectedly
2354 break;
2355 } else {
2356 continue;
2357 }
2358 }
2359
2360 sync_cycles = (sync_cycles - nt_distance)/elapsed_prng_sequences;
2361 if (sync_cycles <= 0)
2362 sync_cycles += PRNG_SEQUENCE_LENGTH;
2363
2364 if (MF_DBGLEVEL >= 3)
2365 Dbprintf("calibrating in cycle %d. nt_distance=%d, elapsed_prng_sequences=%d, new sync_cycles: %d\n", i, nt_distance, elapsed_prng_sequences, sync_cycles);
2366
2367 continue;
2368 }
2369 }
2370
2371 if ((nt != nt_attacked) && nt_attacked) { // we somehow lost sync. Try to catch up again...
2372
2373 catch_up_cycles = -dist_nt(nt_attacked, nt);
2374 if (catch_up_cycles == 99999) { // invalid nonce received. Don't resync on that one.
2375 catch_up_cycles = 0;
2376 continue;
2377 }
2378
2379 // average?
2380 catch_up_cycles /= elapsed_prng_sequences;
2381
2382 if (catch_up_cycles == last_catch_up) {
2383 ++consecutive_resyncs;
2384 } else {
2385 last_catch_up = catch_up_cycles;
2386 consecutive_resyncs = 0;
2387 }
2388
2389 if (consecutive_resyncs < 3) {
2390 if (MF_DBGLEVEL >= 3)
2391 Dbprintf("Lost sync in cycle %d. nt_distance=%d. Consecutive Resyncs = %d. Trying one time catch up...\n", i, -catch_up_cycles, consecutive_resyncs);
2392 } else {
2393 sync_cycles += catch_up_cycles;
2394
2395 if (MF_DBGLEVEL >= 3)
2396 Dbprintf("Lost sync in cycle %d for the fourth time consecutively (nt_distance = %d). Adjusting sync_cycles to %d.\n", i, -catch_up_cycles, sync_cycles);
2397
2398 last_catch_up = 0;
2399 catch_up_cycles = 0;
2400 consecutive_resyncs = 0;
2401 }
2402 continue;
2403 }
2404
2405 // Receive answer. This will be a 4 Bit NACK when the 8 parity bits are OK after decoding
2406 if (!ReaderReceive(receivedAnswer, receivedAnswerPar)) {
2407 catch_up_cycles = 8; // the PRNG is delayed by 8 cycles due to the NAC (4Bits = 0x05 encrypted) transfer
2408
2409 if (nt_diff == 0)
2410 par_low = par[0] & 0xE0; // there is no need to check all parities for other nt_diff. Parity Bits for mf_nr_ar[0..2] won't change
2411
2412 par_list[nt_diff] = SwapBits(par[0], 8);
2413 ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
2414
2415 // Test if the information is complete
2416 if (nt_diff == 0x07) {
2417 isOK = 1;
2418 break;
2419 }
2420
2421 nt_diff = (nt_diff + 1) & 0x07;
2422 mf_nr_ar[3] = (mf_nr_ar[3] & 0x1F) | (nt_diff << 5);
2423 par[0] = par_low;
2424
2425 } else {
2426 // No NACK.
2427 if (nt_diff == 0 && first_try) {
2428 par[0]++;
2429 if (par[0] == 0x00) { // tried all 256 possible parities without success. Card doesn't send NACK.
2430 isOK = -2;
2431 break;
2432 }
2433 } else {
2434 // Why this?
2435 par[0] = ((par[0] & 0x1F) + 1) | par_low;
2436 }
2437 }
2438
2439 consecutive_resyncs = 0;
2440 }
2441
2442 mf_nr_ar[3] &= 0x1F;
2443
2444 WDT_HIT();
2445
2446 // reset sync_time.
2447 if ( isOK == 1) {
2448 sync_time = 0;
2449 sync_cycles = 0;
2450 mf_nr_ar3 = 0;
2451 nt_attacked = 0;
2452 par[0] = 0;
2453 }
2454
2455 uint8_t buf[28] = {0x00};
2456 num_to_bytes(cuid, 4, buf);
2457 num_to_bytes(nt, 4, buf + 4);
2458 memcpy(buf + 8, par_list, 8);
2459 memcpy(buf + 16, ks_list, 8);
2460 memcpy(buf + 24, mf_nr_ar, 4);
2461
2462 cmd_send(CMD_ACK,isOK,0,0,buf,28);
2463
2464 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2465 LEDsoff();
2466 set_tracing(FALSE);
2467 }
2468
2469 /**
2470 *MIFARE 1K simulate.
2471 *
2472 *@param flags :
2473 * FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
2474 * 4B_FLAG_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that
2475 * 7B_FLAG_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
2476 * FLAG_NR_AR_ATTACK - means we should collect NR_AR responses for bruteforcing later
2477 *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is inifite
2478 */
2479 void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain)
2480 {
2481 int cardSTATE = MFEMUL_NOFIELD;
2482 int _7BUID = 0;
2483 int vHf = 0; // in mV
2484 int res;
2485 uint32_t selTimer = 0;
2486 uint32_t authTimer = 0;
2487 uint16_t len = 0;
2488 uint8_t cardWRBL = 0;
2489 uint8_t cardAUTHSC = 0;
2490 uint8_t cardAUTHKEY = 0xff; // no authentication
2491 // uint32_t cardRr = 0;
2492 uint32_t cuid = 0;
2493 //uint32_t rn_enc = 0;
2494 uint32_t ans = 0;
2495 uint32_t cardINTREG = 0;
2496 uint8_t cardINTBLOCK = 0;
2497 struct Crypto1State mpcs = {0, 0};
2498 struct Crypto1State *pcs;
2499 pcs = &mpcs;
2500 uint32_t numReads = 0;//Counts numer of times reader read a block
2501 uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00};
2502 uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE] = {0x00};
2503 uint8_t response[MAX_MIFARE_FRAME_SIZE] = {0x00};
2504 uint8_t response_par[MAX_MIFARE_PARITY_SIZE] = {0x00};
2505
2506 uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
2507 uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
2508 uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
2509 uint8_t rSAK[] = {0x08, 0xb6, 0xdd}; // Mifare Classic
2510 //uint8_t rSAK[] = {0x09, 0x3f, 0xcc }; // Mifare Mini
2511 uint8_t rSAK1[] = {0x04, 0xda, 0x17};
2512
2513 //uint8_t rAUTH_NT[] = {0x01, 0x01, 0x01, 0x01};
2514 uint8_t rAUTH_NT[] = {0x55, 0x41, 0x49, 0x92};
2515 uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
2516
2517 //Here, we collect UID1,UID2,NT,AR,NR,0,0,NT2,AR2,NR2
2518 // This can be used in a reader-only attack.
2519 // (it can also be retrieved via 'hf 14a list', but hey...
2520 uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0,0};
2521 uint8_t ar_nr_collected = 0;
2522
2523 // Authenticate response - nonce
2524 uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
2525
2526 //-- Determine the UID
2527 // Can be set from emulator memory, incoming data
2528 // and can be 7 or 4 bytes long
2529 if (flags & FLAG_4B_UID_IN_DATA)
2530 {
2531 // 4B uid comes from data-portion of packet
2532 memcpy(rUIDBCC1,datain,4);
2533 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2534
2535 } else if (flags & FLAG_7B_UID_IN_DATA) {
2536 // 7B uid comes from data-portion of packet
2537 memcpy(&rUIDBCC1[1],datain,3);
2538 memcpy(rUIDBCC2, datain+3, 4);
2539 _7BUID = true;
2540 } else {
2541 // get UID from emul memory
2542 emlGetMemBt(receivedCmd, 7, 1);
2543 _7BUID = !(receivedCmd[0] == 0x00);
2544 if (!_7BUID) { // ---------- 4BUID
2545 emlGetMemBt(rUIDBCC1, 0, 4);
2546 } else { // ---------- 7BUID
2547 emlGetMemBt(&rUIDBCC1[1], 0, 3);
2548 emlGetMemBt(rUIDBCC2, 3, 4);
2549 }
2550 }
2551
2552 // save uid.
2553 ar_nr_responses[0*5] = bytes_to_num(rUIDBCC1+1, 3);
2554 if ( _7BUID )
2555 ar_nr_responses[0*5+1] = bytes_to_num(rUIDBCC2, 4);
2556
2557 /*
2558 * Regardless of what method was used to set the UID, set fifth byte and modify
2559 * the ATQA for 4 or 7-byte UID
2560 */
2561 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2562 if (_7BUID) {
2563 rATQA[0] = 0x44;
2564 rUIDBCC1[0] = 0x88;
2565 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2566 rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
2567 }
2568
2569 if (MF_DBGLEVEL >= 1) {
2570 if (!_7BUID) {
2571 Dbprintf("4B UID: %02x%02x%02x%02x",
2572 rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3]);
2573 } else {
2574 Dbprintf("7B UID: (%02x)%02x%02x%02x%02x%02x%02x%02x",
2575 rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3],
2576 rUIDBCC2[0], rUIDBCC2[1] ,rUIDBCC2[2], rUIDBCC2[3]);
2577 }
2578 }
2579
2580 // We need to listen to the high-frequency, peak-detected path.
2581 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
2582
2583 // free eventually allocated BigBuf memory but keep Emulator Memory
2584 BigBuf_free_keep_EM();
2585
2586 // clear trace
2587 clear_trace();
2588 set_tracing(TRUE);
2589
2590
2591 bool finished = FALSE;
2592 while (!BUTTON_PRESS() && !finished && !usb_poll_validate_length()) {
2593 WDT_HIT();
2594
2595 // find reader field
2596 if (cardSTATE == MFEMUL_NOFIELD) {
2597 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
2598 if (vHf > MF_MINFIELDV) {
2599 cardSTATE_TO_IDLE();
2600 LED_A_ON();
2601 }
2602 }
2603 if(cardSTATE == MFEMUL_NOFIELD) continue;
2604
2605 //Now, get data
2606 res = EmGetCmd(receivedCmd, &len, receivedCmd_par);
2607 if (res == 2) { //Field is off!
2608 cardSTATE = MFEMUL_NOFIELD;
2609 LEDsoff();
2610 continue;
2611 } else if (res == 1) {
2612 break; //return value 1 means button press
2613 }
2614
2615 // REQ or WUP request in ANY state and WUP in HALTED state
2616 if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
2617 selTimer = GetTickCount();
2618 EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
2619 cardSTATE = MFEMUL_SELECT1;
2620
2621 // init crypto block
2622 LED_B_OFF();
2623 LED_C_OFF();
2624 crypto1_destroy(pcs);
2625 cardAUTHKEY = 0xff;
2626 continue;
2627 }
2628
2629 switch (cardSTATE) {
2630 case MFEMUL_NOFIELD:
2631 case MFEMUL_HALTED:
2632 case MFEMUL_IDLE:{
2633 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2634 break;
2635 }
2636 case MFEMUL_SELECT1:{
2637 // select all
2638 if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
2639 if (MF_DBGLEVEL >= 4) Dbprintf("SELECT ALL received");
2640 EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
2641 break;
2642 }
2643
2644 if (MF_DBGLEVEL >= 4 && len == 9 && receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 )
2645 {
2646 Dbprintf("SELECT %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
2647 }
2648 // select card
2649 if (len == 9 &&
2650 (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
2651 EmSendCmd(_7BUID?rSAK1:rSAK, _7BUID?sizeof(rSAK1):sizeof(rSAK));
2652 cuid = bytes_to_num(rUIDBCC1, 4);
2653 if (!_7BUID) {
2654 cardSTATE = MFEMUL_WORK;
2655 LED_B_ON();
2656 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
2657 break;
2658 } else {
2659 cardSTATE = MFEMUL_SELECT2;
2660 }
2661 }
2662 break;
2663 }
2664 case MFEMUL_AUTH1:{
2665 if( len != 8) {
2666 cardSTATE_TO_IDLE();
2667 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2668 break;
2669 }
2670
2671 uint32_t ar = bytes_to_num(receivedCmd, 4);
2672 uint32_t nr = bytes_to_num(&receivedCmd[4], 4);
2673
2674 //Collect AR/NR
2675 //if(ar_nr_collected < 2 && cardAUTHSC == 2){
2676 if(ar_nr_collected < 2) {
2677 if(ar_nr_responses[2] != ar) {
2678 // Avoid duplicates... probably not necessary, ar should vary.
2679 //ar_nr_responses[ar_nr_collected*5] = 0;
2680 //ar_nr_responses[ar_nr_collected*5+1] = 0;
2681 ar_nr_responses[ar_nr_collected*5+2] = nonce;
2682 ar_nr_responses[ar_nr_collected*5+3] = nr;
2683 ar_nr_responses[ar_nr_collected*5+4] = ar;
2684 ar_nr_collected++;
2685 }
2686 // Interactive mode flag, means we need to send ACK
2687 if(flags & FLAG_INTERACTIVE && ar_nr_collected == 2)
2688 finished = true;
2689 }
2690
2691 // --- crypto
2692 //crypto1_word(pcs, ar , 1);
2693 //cardRr = nr ^ crypto1_word(pcs, 0, 0);
2694
2695 //test if auth OK
2696 //if (cardRr != prng_successor(nonce, 64)){
2697
2698 //if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
2699 // cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
2700 // cardRr, prng_successor(nonce, 64));
2701 // Shouldn't we respond anything here?
2702 // Right now, we don't nack or anything, which causes the
2703 // reader to do a WUPA after a while. /Martin
2704 // -- which is the correct response. /piwi
2705 //cardSTATE_TO_IDLE();
2706 //LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2707 //break;
2708 //}
2709
2710 ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
2711
2712 num_to_bytes(ans, 4, rAUTH_AT);
2713 // --- crypto
2714 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2715 LED_C_ON();
2716 cardSTATE = MFEMUL_WORK;
2717 if (MF_DBGLEVEL >= 4) {
2718 Dbprintf("AUTH COMPLETED for sector %d with key %c. time=%d",
2719 cardAUTHSC,
2720 cardAUTHKEY == 0 ? 'A' : 'B',
2721 GetTickCount() - authTimer
2722 );
2723 }
2724 break;
2725 }
2726 case MFEMUL_SELECT2:{
2727 if (!len) {
2728 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2729 break;
2730 }
2731 if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
2732 EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
2733 break;
2734 }
2735
2736 // select 2 card
2737 if (len == 9 &&
2738 (receivedCmd[0] == 0x95 &&
2739 receivedCmd[1] == 0x70 &&
2740 memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0) ) {
2741 EmSendCmd(rSAK, sizeof(rSAK));
2742 cuid = bytes_to_num(rUIDBCC2, 4);
2743 cardSTATE = MFEMUL_WORK;
2744 LED_B_ON();
2745 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
2746 break;
2747 }
2748
2749 // i guess there is a command). go into the work state.
2750 if (len != 4) {
2751 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2752 break;
2753 }
2754 cardSTATE = MFEMUL_WORK;
2755 //goto lbWORK;
2756 //intentional fall-through to the next case-stmt
2757 }
2758
2759 case MFEMUL_WORK:{
2760 if (len == 0) {
2761 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2762 break;
2763 }
2764
2765 bool encrypted_data = (cardAUTHKEY != 0xFF) ;
2766
2767 // decrypt seqence
2768 if(encrypted_data)
2769 mf_crypto1_decrypt(pcs, receivedCmd, len);
2770
2771 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2772 authTimer = GetTickCount();
2773 cardAUTHSC = receivedCmd[1] / 4; // received block num
2774 cardAUTHKEY = receivedCmd[0] - 0x60;
2775 crypto1_destroy(pcs);//Added by martin
2776 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
2777
2778 if (!encrypted_data) { // first authentication
2779 if (MF_DBGLEVEL >= 4) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY );
2780
2781 crypto1_word(pcs, cuid ^ nonce, 0);//Update crypto state
2782 num_to_bytes(nonce, 4, rAUTH_AT); // Send nonce
2783 } else { // nested authentication
2784 if (MF_DBGLEVEL >= 4) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY );
2785 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
2786 num_to_bytes(ans, 4, rAUTH_AT);
2787 }
2788
2789 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2790 //Dbprintf("Sending rAUTH %02x%02x%02x%02x", rAUTH_AT[0],rAUTH_AT[1],rAUTH_AT[2],rAUTH_AT[3]);
2791 cardSTATE = MFEMUL_AUTH1;
2792 break;
2793 }
2794
2795 // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued
2796 // BUT... ACK --> NACK
2797 if (len == 1 && receivedCmd[0] == CARD_ACK) {
2798 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2799 break;
2800 }
2801
2802 // rule 12 of 7.5.3. in ISO 14443-4. R(NAK) --> R(ACK)
2803 if (len == 1 && receivedCmd[0] == CARD_NACK_NA) {
2804 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2805 break;
2806 }
2807
2808 if(len != 4) {
2809 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2810 break;
2811 }
2812
2813 if(receivedCmd[0] == 0x30 // read block
2814 || receivedCmd[0] == 0xA0 // write block
2815 || receivedCmd[0] == 0xC0 // inc
2816 || receivedCmd[0] == 0xC1 // dec
2817 || receivedCmd[0] == 0xC2 // restore
2818 || receivedCmd[0] == 0xB0) { // transfer
2819 if (receivedCmd[1] >= 16 * 4) {
2820 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2821 if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate (0x%02) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
2822 break;
2823 }
2824
2825 if (receivedCmd[1] / 4 != cardAUTHSC) {
2826 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2827 if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate (0x%02) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd[0],receivedCmd[1],cardAUTHSC);
2828 break;
2829 }
2830 }
2831 // read block
2832 if (receivedCmd[0] == 0x30) {
2833 if (MF_DBGLEVEL >= 4) Dbprintf("Reader reading block %d (0x%02x)",receivedCmd[1],receivedCmd[1]);
2834
2835 emlGetMem(response, receivedCmd[1], 1);
2836 AppendCrc14443a(response, 16);
2837 mf_crypto1_encrypt(pcs, response, 18, response_par);
2838 EmSendCmdPar(response, 18, response_par);
2839 numReads++;
2840 if(exitAfterNReads > 0 && numReads >= exitAfterNReads) {
2841 Dbprintf("%d reads done, exiting", numReads);
2842 finished = true;
2843 }
2844 break;
2845 }
2846 // write block
2847 if (receivedCmd[0] == 0xA0) {
2848 if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0xA0 write block %d (%02x)",receivedCmd[1],receivedCmd[1]);
2849 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2850 cardSTATE = MFEMUL_WRITEBL2;
2851 cardWRBL = receivedCmd[1];
2852 break;
2853 }
2854 // increment, decrement, restore
2855 if (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2) {
2856 if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
2857 if (emlCheckValBl(receivedCmd[1])) {
2858 if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
2859 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2860 break;
2861 }
2862 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2863 if (receivedCmd[0] == 0xC1)
2864 cardSTATE = MFEMUL_INTREG_INC;
2865 if (receivedCmd[0] == 0xC0)
2866 cardSTATE = MFEMUL_INTREG_DEC;
2867 if (receivedCmd[0] == 0xC2)
2868 cardSTATE = MFEMUL_INTREG_REST;
2869 cardWRBL = receivedCmd[1];
2870 break;
2871 }
2872 // transfer
2873 if (receivedCmd[0] == 0xB0) {
2874 if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x transfer block %d (%02x)",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
2875 if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1]))
2876 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2877 else
2878 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2879 break;
2880 }
2881 // halt
2882 if (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00) {
2883 LED_B_OFF();
2884 LED_C_OFF();
2885 cardSTATE = MFEMUL_HALTED;
2886 if (MF_DBGLEVEL >= 4) Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer);
2887 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2888 break;
2889 }
2890 // RATS
2891 if (receivedCmd[0] == 0xe0) {//RATS
2892 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2893 break;
2894 }
2895 // command not allowed
2896 if (MF_DBGLEVEL >= 4) Dbprintf("Received command not allowed, nacking");
2897 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2898 break;
2899 }
2900 case MFEMUL_WRITEBL2:{
2901 if (len == 18) {
2902 mf_crypto1_decrypt(pcs, receivedCmd, len);
2903 emlSetMem(receivedCmd, cardWRBL, 1);
2904 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2905 cardSTATE = MFEMUL_WORK;
2906 } else {
2907 cardSTATE_TO_IDLE();
2908 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2909 }
2910 break;
2911 }
2912
2913 case MFEMUL_INTREG_INC:{
2914 mf_crypto1_decrypt(pcs, receivedCmd, len);
2915 memcpy(&ans, receivedCmd, 4);
2916 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2917 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2918 cardSTATE_TO_IDLE();
2919 break;
2920 }
2921 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2922 cardINTREG = cardINTREG + ans;
2923 cardSTATE = MFEMUL_WORK;
2924 break;
2925 }
2926 case MFEMUL_INTREG_DEC:{
2927 mf_crypto1_decrypt(pcs, receivedCmd, len);
2928 memcpy(&ans, receivedCmd, 4);
2929 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2930 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2931 cardSTATE_TO_IDLE();
2932 break;
2933 }
2934 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2935 cardINTREG = cardINTREG - ans;
2936 cardSTATE = MFEMUL_WORK;
2937 break;
2938 }
2939 case MFEMUL_INTREG_REST:{
2940 mf_crypto1_decrypt(pcs, receivedCmd, len);
2941 memcpy(&ans, receivedCmd, 4);
2942 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2943 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2944 cardSTATE_TO_IDLE();
2945 break;
2946 }
2947 LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
2948 cardSTATE = MFEMUL_WORK;
2949 break;
2950 }
2951 }
2952 }
2953
2954 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2955 LEDsoff();
2956
2957 // Interactive mode flag, means we need to send ACK
2958 if(flags & FLAG_INTERACTIVE) {
2959 //May just aswell send the collected ar_nr in the response aswell
2960 uint8_t len = ar_nr_collected*5*4;
2961 cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, len, 0, &ar_nr_responses, len);
2962 }
2963
2964 if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1 ) {
2965 if(ar_nr_collected > 1 ) {
2966 Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
2967 Dbprintf("../tools/mfkey/mfkey32 %06x%08x %08x %08x %08x %08x %08x",
2968 ar_nr_responses[0], // UID1
2969 ar_nr_responses[1], // UID2
2970 ar_nr_responses[2], // NT
2971 ar_nr_responses[3], // AR1
2972 ar_nr_responses[4], // NR1
2973 ar_nr_responses[8], // AR2
2974 ar_nr_responses[9] // NR2
2975 );
2976 Dbprintf("../tools/mfkey/mfkey32v2 %06x%08x %08x %08x %08x %08x %08x %08x",
2977 ar_nr_responses[0], // UID1
2978 ar_nr_responses[1], // UID2
2979 ar_nr_responses[2], // NT1
2980 ar_nr_responses[3], // AR1
2981 ar_nr_responses[4], // NR1
2982 ar_nr_responses[7], // NT2
2983 ar_nr_responses[8], // AR2
2984 ar_nr_responses[9] // NR2
2985 );
2986 } else {
2987 Dbprintf("Failed to obtain two AR/NR pairs!");
2988 if(ar_nr_collected > 0 ) {
2989 Dbprintf("Only got these: UID=%06x%08x, nonce=%08x, AR1=%08x, NR1=%08x",
2990 ar_nr_responses[0], // UID1
2991 ar_nr_responses[1], // UID2
2992 ar_nr_responses[2], // NT
2993 ar_nr_responses[3], // AR1
2994 ar_nr_responses[4] // NR1
2995 );
2996 }
2997 }
2998 }
2999 if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, BigBuf_get_traceLen());
3000
3001 set_tracing(FALSE);
3002 }
3003
3004
3005 //-----------------------------------------------------------------------------
3006 // MIFARE sniffer.
3007 //
3008 //-----------------------------------------------------------------------------
3009 void RAMFUNC SniffMifare(uint8_t param) {
3010 // param:
3011 // bit 0 - trigger from first card answer
3012 // bit 1 - trigger from first reader 7-bit request
3013 LEDsoff();
3014
3015 // free eventually allocated BigBuf memory
3016 BigBuf_free(); BigBuf_Clear_ext(false);
3017
3018 // init trace buffer
3019 clear_trace();
3020 set_tracing(TRUE);
3021
3022 // The command (reader -> tag) that we're receiving.
3023 // The length of a received command will in most cases be no more than 18 bytes.
3024 // So 32 should be enough!
3025 uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00};
3026 uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
3027
3028 // The response (tag -> reader) that we're receiving.
3029 uint8_t receivedResponse[MAX_MIFARE_FRAME_SIZE] = {0x00};
3030 uint8_t receivedResponsePar[MAX_MIFARE_PARITY_SIZE] = {0x00};
3031
3032 iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
3033
3034 // allocate the DMA buffer, used to stream samples from the FPGA
3035 uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
3036 uint8_t *data = dmaBuf;
3037 uint8_t previous_data = 0;
3038 int maxDataLen = 0;
3039 int dataLen = 0;
3040 bool ReaderIsActive = FALSE;
3041 bool TagIsActive = FALSE;
3042
3043 // Set up the demodulator for tag -> reader responses.
3044 DemodInit(receivedResponse, receivedResponsePar);
3045
3046 // Set up the demodulator for the reader -> tag commands
3047 UartInit(receivedCmd, receivedCmdPar);
3048
3049 // Setup for the DMA.
3050 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
3051
3052 LED_D_OFF();
3053
3054 // init sniffer
3055 MfSniffInit();
3056
3057 // And now we loop, receiving samples.
3058 for(uint32_t sniffCounter = 0; TRUE; ) {
3059
3060 if(BUTTON_PRESS()) {
3061 DbpString("cancelled by button");
3062 break;
3063 }
3064
3065 LED_A_ON();
3066 WDT_HIT();
3067
3068 if ((sniffCounter & 0x0000FFFF) == 0) { // from time to time
3069 // check if a transaction is completed (timeout after 2000ms).
3070 // if yes, stop the DMA transfer and send what we have so far to the client
3071 if (MfSniffSend(2000)) {
3072 // Reset everything - we missed some sniffed data anyway while the DMA was stopped
3073 sniffCounter = 0;
3074 data = dmaBuf;
3075 maxDataLen = 0;
3076 ReaderIsActive = FALSE;
3077 TagIsActive = FALSE;
3078 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
3079 }
3080 }
3081
3082 int register readBufDataP = data - dmaBuf; // number of bytes we have processed so far
3083 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR; // number of bytes already transferred
3084
3085 if (readBufDataP <= dmaBufDataP) // we are processing the same block of data which is currently being transferred
3086 dataLen = dmaBufDataP - readBufDataP; // number of bytes still to be processed
3087 else
3088 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP; // number of bytes still to be processed
3089
3090 // test for length of buffer
3091 if(dataLen > maxDataLen) { // we are more behind than ever...
3092 maxDataLen = dataLen;
3093 if(dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
3094 Dbprintf("blew circular buffer! dataLen=0x%x", dataLen);
3095 break;
3096 }
3097 }
3098 if(dataLen < 1) continue;
3099
3100 // primary buffer was stopped ( <-- we lost data!
3101 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
3102 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
3103 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
3104 Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
3105 }
3106 // secondary buffer sets as primary, secondary buffer was stopped
3107 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
3108 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
3109 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
3110 }
3111
3112 LED_A_OFF();
3113
3114 if (sniffCounter & 0x01) {
3115
3116 // no need to try decoding tag data if the reader is sending
3117 if(!TagIsActive) {
3118 uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
3119 if(MillerDecoding(readerdata, (sniffCounter-1)*4)) {
3120 LED_C_INV();
3121
3122 if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, TRUE)) break;
3123
3124 /* And ready to receive another command. */
3125 UartInit(receivedCmd, receivedCmdPar);
3126
3127 /* And also reset the demod code */
3128 DemodReset();
3129 }
3130 ReaderIsActive = (Uart.state != STATE_UNSYNCD);
3131 }
3132
3133 // no need to try decoding tag data if the reader is sending
3134 if(!ReaderIsActive) {
3135 uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
3136 if(ManchesterDecoding(tagdata, 0, (sniffCounter-1)*4)) {
3137 LED_C_INV();
3138
3139 if (MfSniffLogic(receivedResponse, Demod.len, Demod.parity, Demod.bitCount, FALSE)) break;
3140
3141 // And ready to receive another response.
3142 DemodReset();
3143
3144 // And reset the Miller decoder including its (now outdated) input buffer
3145 UartInit(receivedCmd, receivedCmdPar);
3146 }
3147 TagIsActive = (Demod.state != DEMOD_UNSYNCD);
3148 }
3149 }
3150
3151 previous_data = *data;
3152 sniffCounter++;
3153 data++;
3154
3155 if(data == dmaBuf + DMA_BUFFER_SIZE)
3156 data = dmaBuf;
3157
3158 } // main cycle
3159
3160 FpgaDisableSscDma();
3161 MfSniffEnd();
3162 LEDsoff();
3163 Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.len=%x", maxDataLen, Uart.state, Uart.len);
3164 set_tracing(FALSE);
3165 }
Proxmark3 GIT tracking
Impressum, Datenschutz