]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/pcf7931.c
'lf hitag writer': add Hitag2 password auth
[proxmark3-svn] / armsrc / pcf7931.c
1 #include "proxmark3.h"
2 #include "apps.h"
3 #include "lfsampling.h"
4 #include "pcf7931.h"
5 #include "util.h"
6 #include "string.h"
7 #include "fpgaloader.h"
8
9 #define T0_PCF 8 //period for the pcf7931 in us
10 #define ALLOC 16
11
12 size_t DemodPCF7931(uint8_t **outBlocks) {
13 uint8_t bits[256] = {0x00};
14 uint8_t blocks[8][16];
15 uint8_t *dest = BigBuf_get_addr();
16
17 int GraphTraceLen = BigBuf_max_traceLen();
18 if (GraphTraceLen > 18000)
19 GraphTraceLen = 18000;
20
21 int i, j, lastval, bitidx, half_switch;
22 int clock = 64;
23 int tolerance = clock / 8;
24 int pmc, block_done;
25 int lc, warnings = 0;
26 size_t num_blocks = 0;
27 int lmin=128, lmax=128;
28 uint8_t dir;
29 //clear read buffer
30 BigBuf_Clear_keep_EM();
31
32 LFSetupFPGAForADC(95, true);
33 DoAcquisition_default(0, true);
34
35 lmin = 64;
36 lmax = 192;
37
38 i = 2;
39
40 /* Find first local max/min */
41 if(dest[1] > dest[0]) {
42 while(i < GraphTraceLen) {
43 if( !(dest[i] > dest[i-1]) && dest[i] > lmax)
44 break;
45 i++;
46 }
47 dir = 0;
48 } else {
49 while(i < GraphTraceLen) {
50 if( !(dest[i] < dest[i-1]) && dest[i] < lmin)
51 break;
52 i++;
53 }
54 dir = 1;
55 }
56
57 lastval = i++;
58 half_switch = 0;
59 pmc = 0;
60 block_done = 0;
61
62 for (bitidx = 0; i < GraphTraceLen; i++) {
63 if ((dest[i-1] > dest[i] && dir == 1 && dest[i] > lmax) || (dest[i-1] < dest[i] && dir == 0 && dest[i] < lmin)) {
64 lc = i - lastval;
65 lastval = i;
66
67 // Switch depending on lc length:
68 // Tolerance is 1/8 of clock rate (arbitrary)
69 if (ABS(lc-clock/4) < tolerance) {
70 // 16T0
71 if((i - pmc) == lc) { /* 16T0 was previous one */
72 /* It's a PMC ! */
73 i += (128+127+16+32+33+16)-1;
74 lastval = i;
75 pmc = 0;
76 block_done = 1;
77 } else {
78 pmc = i;
79 }
80 } else if (ABS(lc-clock/2) < tolerance) {
81 // 32TO
82 if((i - pmc) == lc) { /* 16T0 was previous one */
83 /* It's a PMC ! */
84 i += (128+127+16+32+33)-1;
85 lastval = i;
86 pmc = 0;
87 block_done = 1;
88 } else if(half_switch == 1) {
89 bits[bitidx++] = 0;
90 half_switch = 0;
91 }
92 else
93 half_switch++;
94 } else if (ABS(lc-clock) < tolerance) {
95 // 64TO
96 bits[bitidx++] = 1;
97 } else {
98 // Error
99 if (++warnings > 10) {
100 Dbprintf("Error: too many detection errors, aborting.");
101 return 0;
102 }
103 }
104
105 if(block_done == 1) {
106 if(bitidx == 128) {
107 for(j = 0; j < 16; ++j) {
108 blocks[num_blocks][j] =
109 128 * bits[j*8 + 7]+
110 64 * bits[j*8 + 6] +
111 32 * bits[j*8 + 5] +
112 16 * bits[j*8 + 4] +
113 8 * bits[j*8 + 3] +
114 4 * bits[j*8 + 2] +
115 2 * bits[j*8 + 1] +
116 bits[j*8]
117 ;
118 }
119 num_blocks++;
120 }
121 bitidx = 0;
122 block_done = 0;
123 half_switch = 0;
124 }
125 if(i < GraphTraceLen)
126 dir = (dest[i-1] > dest[i]) ? 0 : 1;
127 }
128 if(bitidx==255)
129 bitidx=0;
130 warnings = 0;
131 if(num_blocks == 4) break;
132 }
133 memcpy(outBlocks, blocks, 16 * num_blocks);
134 return num_blocks;
135 }
136
137 bool IsBlock0PCF7931(uint8_t *block) {
138 // assuming all RFU bits are set to 0
139 // if PAC is enabled password is set to 0
140 if (block[7] == 0x01)
141 {
142 if (!memcmp(block, "\x00\x00\x00\x00\x00\x00\x00", 7) && !memcmp(block+9, "\x00\x00\x00\x00\x00\x00\x00", 7))
143 return true;
144 }
145 else if (block[7] == 0x00)
146 {
147 if (!memcmp(block+9, "\x00\x00\x00\x00\x00\x00\x00", 7))
148 return true;
149 }
150 return false;
151 }
152
153 bool IsBlock1PCF7931(uint8_t *block) {
154 // assuming all RFU bits are set to 0
155
156 uint8_t rb1 = block[14] & 0x80;
157 uint8_t rfb = block[14] & 0x7f;
158 uint8_t rlb = block[15];
159
160 if (block[10] == 0 && block[11] == 0 && block[12] == 0 && block[13] == 0)
161 // block 1 is sent only if (RLB >= 1 && RFB <= 1) or RB1 enabled
162 if(rfb <= rlb && rfb <= 9 && rlb <= 9 && ((rfb <= 1 && rlb >= 1) || rb1))
163 return true;
164
165 return false;
166 }
167
168 void ReadPCF7931() {
169 int found_blocks = 0; // successfully read blocks
170 int max_blocks = 8; // readable blocks
171 uint8_t memory_blocks[8][17]; // PCF content
172
173 uint8_t single_blocks[8][17]; // PFC blocks with unknown position
174 int single_blocks_cnt = 0;
175
176 size_t n = 0; // transmitted blocks
177 uint8_t tmp_blocks[4][16]; // temporary read buffer
178
179 uint8_t found_0_1 = 0; // flag: blocks 0 and 1 were found
180 int errors = 0; // error counter
181 int tries = 0; // tries counter
182
183 memset(memory_blocks, 0, 8*17*sizeof(uint8_t));
184 memset(single_blocks, 0, 8*17*sizeof(uint8_t));
185
186 int i = 0, j = 0;
187
188 do {
189 i = 0;
190
191 memset(tmp_blocks, 0, 4*16*sizeof(uint8_t));
192 n = DemodPCF7931((uint8_t**)tmp_blocks);
193 if(!n)
194 ++errors;
195
196 // exit if no block is received
197 if (errors >= 10 && found_blocks == 0 && single_blocks_cnt == 0) {
198 Dbprintf("Error, no tag or bad tag");
199 return;
200 }
201
202 // exit if too many errors during reading
203 if (tries > 50 && (2*errors > tries)) {
204 Dbprintf("Error reading the tag");
205 Dbprintf("Here is the partial content");
206 goto end;
207 }
208
209 // our logic breaks if we don't get at least two blocks
210 if (n < 2) {
211 // skip if all 0s block or no blocks
212 if (n == 0 || !memcmp(tmp_blocks[0], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16))
213 continue;
214
215 // add block to single blocks list
216 if (single_blocks_cnt < max_blocks) {
217 for (i = 0; i < single_blocks_cnt; ++i) {
218 if (!memcmp(single_blocks[i], tmp_blocks[0], 16)) {
219 j = 1;
220 break;
221 }
222 }
223 if (j != 1) {
224 memcpy(single_blocks[single_blocks_cnt], tmp_blocks[0], 16);
225 print_result("got single block", single_blocks[single_blocks_cnt], 16);
226 single_blocks_cnt++;
227 }
228 j = 0;
229 }
230 ++tries;
231 continue;
232 }
233
234 Dbprintf("(dbg) got %d blocks (%d/%d found) (%d tries, %d errors)", n, found_blocks, (max_blocks == 0 ? found_blocks : max_blocks), tries, errors);
235 for (i = 0; i < n; ++i)
236 {
237 print_result("got consecutive blocks", tmp_blocks[i], 16);
238 }
239
240 i = 0;
241 if(!found_0_1) {
242 while (i < n - 1) {
243 if (IsBlock0PCF7931(tmp_blocks[i]) && IsBlock1PCF7931(tmp_blocks[i+1])) {
244 found_0_1 = 1;
245 memcpy(memory_blocks[0], tmp_blocks[i], 16);
246 memcpy(memory_blocks[1], tmp_blocks[i+1], 16);
247 memory_blocks[0][ALLOC] = memory_blocks[1][ALLOC] = 1;
248 // block 1 tells how many blocks are going to be sent
249 max_blocks = MAX((memory_blocks[1][14] & 0x7f), memory_blocks[1][15]) + 1;
250 found_blocks = 2;
251
252 Dbprintf("Found blocks 0 and 1. PCF is transmitting %d blocks.", max_blocks);
253
254 // handle the following blocks
255 for (j = i + 2; j < n; ++j) {
256 memcpy(memory_blocks[found_blocks], tmp_blocks[j], 16);
257 memory_blocks[found_blocks][ALLOC] = 1;
258 ++found_blocks;
259 }
260 break;
261 }
262 ++i;
263 }
264 } else {
265 // Trying to re-order blocks
266 // Look for identical block in memory blocks
267 while (i < n-1) {
268 // skip all zeroes blocks
269 if (memcmp(tmp_blocks[i], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16)) {
270 for (j = 1; j < max_blocks - 1; ++j) {
271 if (!memcmp(tmp_blocks[i], memory_blocks[j], 16) && !memory_blocks[j+1][ALLOC]) {
272 memcpy(memory_blocks[j+1], tmp_blocks[i+1], 16);
273 memory_blocks[j+1][ALLOC] = 1;
274 if (++found_blocks >= max_blocks) goto end;
275 }
276 }
277 }
278 if (memcmp(tmp_blocks[i+1], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16)) {
279 for (j = 0; j < max_blocks; ++j) {
280 if (!memcmp(tmp_blocks[i+1], memory_blocks[j], 16) && !memory_blocks[(j == 0 ? max_blocks : j) -1][ALLOC]) {
281 if (j == 0) {
282 memcpy(memory_blocks[max_blocks - 1], tmp_blocks[i], 16);
283 memory_blocks[max_blocks - 1][ALLOC] = 1;
284 } else {
285 memcpy(memory_blocks[j-1], tmp_blocks[i], 16);
286 memory_blocks[j-1][ALLOC] = 1;
287 }
288 if (++found_blocks >= max_blocks) goto end;
289 }
290 }
291 }
292 ++i;
293 }
294 }
295 ++tries;
296 if (BUTTON_PRESS()) {
297 Dbprintf("Button pressed, stopping.");
298 goto end;
299 }
300 }
301 while (found_blocks < max_blocks);
302
303 end:
304 Dbprintf("-----------------------------------------");
305 Dbprintf("Memory content:");
306 Dbprintf("-----------------------------------------");
307 for (i = 0; i < max_blocks; ++i) {
308 if (memory_blocks[i][ALLOC])
309 print_result("Block", memory_blocks[i], 16);
310 else
311 Dbprintf("<missing block %d>", i);
312 }
313 Dbprintf("-----------------------------------------");
314
315 if (found_blocks < max_blocks) {
316 Dbprintf("-----------------------------------------");
317 Dbprintf("Blocks with unknown position:");
318 Dbprintf("-----------------------------------------");
319 for (i = 0; i < single_blocks_cnt; ++i)
320 print_result("Block", single_blocks[i], 16);
321
322 Dbprintf("-----------------------------------------");
323 }
324 cmd_send(CMD_ACK,0,0,0,0,0);
325 }
326
327 static void RealWritePCF7931(uint8_t *pass, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data) {
328 uint32_t tab[1024]={0}; // data times frame
329 uint32_t u = 0;
330 uint8_t parity = 0;
331 bool comp = 0;
332
333 //BUILD OF THE DATA FRAME
334 //alimentation of the tag (time for initializing)
335 AddPatternPCF7931(init_delay, 0, 8192/2*T0_PCF, tab);
336 AddPatternPCF7931(8192/2*T0_PCF + 319*T0_PCF+70, 3*T0_PCF, 29*T0_PCF, tab);
337 //password indication bit
338 AddBitPCF7931(1, tab, l, p);
339 // password (on 56 bits)
340 AddBytePCF7931(pass[0], tab, l, p);
341 AddBytePCF7931(pass[1], tab, l, p);
342 AddBytePCF7931(pass[2], tab, l, p);
343 AddBytePCF7931(pass[3], tab, l, p);
344 AddBytePCF7931(pass[4], tab, l, p);
345 AddBytePCF7931(pass[5], tab, l, p);
346 AddBytePCF7931(pass[6], tab, l, p);
347 //programming mode (0 or 1)
348 AddBitPCF7931(0, tab, l, p);
349
350 //block adress on 6 bits
351 for (u = 0; u < 6; ++u) {
352 if (address & (1 << u)) { // bit 1
353 ++parity;
354 AddBitPCF7931(1, tab, l, p);
355 } else { // bit 0
356 AddBitPCF7931(0, tab, l, p);
357 }
358 }
359
360 //byte address on 4 bits
361 for (u = 0; u < 4; ++u)
362 {
363 if (byte & (1 << u)) { // bit 1
364 parity++;
365 AddBitPCF7931(1, tab, l, p);
366 }
367 else // bit 0
368 AddBitPCF7931(0, tab, l, p);
369 }
370
371 //data on 8 bits
372 for (u=0; u<8; u++)
373 {
374 if (data&(1<<u)) { // bit 1
375 parity++;
376 AddBitPCF7931(1, tab, l, p);
377 }
378 else //bit 0
379 AddBitPCF7931(0, tab, l, p);
380 }
381
382 //parity bit
383 if ((parity % 2) == 0)
384 AddBitPCF7931(0, tab, l, p); //even parity
385 else
386 AddBitPCF7931(1, tab, l, p);//odd parity
387
388 //time access memory
389 AddPatternPCF7931(5120+2680, 0, 0, tab);
390
391 //conversion of the scale time
392 for (u = 0; u < 500; ++u)
393 tab[u] = (tab[u] * 3) / 2;
394
395 //compennsation of the counter reload
396 while (!comp) {
397 comp = 1;
398 for (u = 0; tab[u] != 0; ++u)
399 if(tab[u] > 0xFFFF) {
400 tab[u] -= 0xFFFF;
401 comp = 0;
402 }
403 }
404
405 SendCmdPCF7931(tab);
406 }
407
408 void BruteForcePCF7931(uint64_t password, uint8_t tries, uint16_t init_delay, int32_t l, int32_t p) {
409 uint8_t i = 0;
410 uint8_t pass_array[7];
411
412 while (password < 0x00FFFFFFFFFFFFFF) {
413 if (BUTTON_PRESS()) {
414 Dbprintf("Button pressed, stopping bruteforce ...");
415 return;
416 }
417
418 num_to_bytes(password, 7, pass_array);
419
420 Dbprintf("Trying: %02x %02x %02x %02x %02x %02x %02x ...",
421 pass_array[0],
422 pass_array[1],
423 pass_array[2],
424 pass_array[3],
425 pass_array[4],
426 pass_array[5],
427 pass_array[6]);
428
429 for (i = 0; i < tries; ++i)
430 RealWritePCF7931
431 (
432 pass_array,
433 init_delay,
434 l,
435 p,
436 0,
437 7,
438 0x01
439 );
440
441 ++password;
442 }
443 }
444
445 /* Write on a byte of a PCF7931 tag
446 * @param address : address of the block to write
447 @param byte : address of the byte to write
448 @param data : data to write
449 */
450 void WritePCF7931(uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, uint8_t pass5, uint8_t pass6, uint8_t pass7, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data) {
451 Dbprintf("Initialization delay : %d us", init_delay);
452 Dbprintf("Offsets : %d us on the low pulses width, %d us on the low pulses positions", l, p);
453 Dbprintf("Password (LSB first on each byte): %02x %02x %02x %02x %02x %02x %02x", pass1, pass2, pass3, pass4, pass5, pass6, pass7);
454 Dbprintf("Block address : %02x", address);
455 Dbprintf("Byte address : %02x", byte);
456 Dbprintf("Data : %02x", data);
457
458 uint8_t password[7] = {pass1, pass2, pass3, pass4, pass5, pass6, pass7};
459
460 RealWritePCF7931 (password, init_delay, l, p, address, byte, data);
461 }
462
463
464
465 /* Send a trame to a PCF7931 tags
466 * @param tab : array of the data frame
467 */
468
469 void SendCmdPCF7931(uint32_t * tab) {
470 uint16_t u=0;
471 uint16_t tempo=0;
472
473 Dbprintf("Sending data frame ...");
474
475 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
476 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
477 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU );
478
479 LED_A_ON();
480
481 // steal this pin from the SSP and use it to control the modulation
482 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
483 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
484
485 //initialization of the timer
486 AT91C_BASE_PMC->PMC_PCER |= (0x1 << 12) | (0x1 << 13) | (0x1 << 14);
487 AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC0XC0S_NONE | AT91C_TCB_TC1XC1S_TIOA0 | AT91C_TCB_TC2XC2S_NONE;
488 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS; // timer disable
489 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV3_CLOCK; //clock at 48/32 MHz
490 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN;
491 AT91C_BASE_TCB->TCB_BCR = 1;
492
493 tempo = AT91C_BASE_TC0->TC_CV;
494 for (u = 0; tab[u] != 0; u += 3) {
495 // modulate antenna
496 HIGH(GPIO_SSC_DOUT);
497 while(tempo != tab[u])
498 tempo = AT91C_BASE_TC0->TC_CV;
499
500 // stop modulating antenna
501 LOW(GPIO_SSC_DOUT);
502 while(tempo != tab[u+1])
503 tempo = AT91C_BASE_TC0->TC_CV;
504
505 // modulate antenna
506 HIGH(GPIO_SSC_DOUT);
507 while(tempo != tab[u+2])
508 tempo = AT91C_BASE_TC0->TC_CV;
509 }
510
511 LED_A_OFF();
512 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
513 SpinDelay(200);
514
515 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS; // timer disable
516 DbpString("Data frame sent (multiple sends may be needed)");
517 LED(0xFFFF, 1000);
518 }
519
520
521 /* Add a byte for building the data frame of PCF7931 tags
522 * @param b : byte to add
523 * @param tab : array of the data frame
524 * @param l : offset on low pulse width
525 * @param p : offset on low pulse positioning
526 */
527 bool AddBytePCF7931(uint8_t byte, uint32_t * tab, int32_t l, int32_t p) {
528 uint32_t u;
529 for (u = 0; u < 8; ++u) {
530 if (byte & (1 << u)) { //bit is 1
531 if(AddBitPCF7931(1, tab, l, p)==1)return 1;
532 } else { //bit is 0
533 if(AddBitPCF7931(0, tab, l, p)==1)return 1;
534 }
535 }
536
537 return 0;
538 }
539
540 /* Add a bits for building the data frame of PCF7931 tags
541 * @param b : bit to add
542 * @param tab : array of the data frame
543 * @param l : offset on low pulse width
544 * @param p : offset on low pulse positioning
545 */
546 bool AddBitPCF7931(bool b, uint32_t * tab, int32_t l, int32_t p) {
547 uint8_t u = 0;
548
549 for (u = 0; tab[u] != 0; u += 3){} //we put the cursor at the last value of the array
550
551 if (b == 1) { //add a bit 1
552 if (u == 0) tab[u] = 34 * T0_PCF + p;
553 else tab[u] = 34 * T0_PCF + tab[u-1] + p;
554
555 tab[u+1] = 6 * T0_PCF+tab[u] + l;
556 tab[u+2] = 88 * T0_PCF+tab[u + 1] - l - p;
557 return 0;
558 } else { //add a bit 0
559
560 if (u == 0) tab[u] = 98 * T0_PCF + p;
561 else tab[u] = 98 * T0_PCF + tab[u-1] + p;
562
563 tab[u + 1] = 6 * T0_PCF + tab[u] + l;
564 tab[u + 2] = 24 * T0_PCF + tab[u + 1] - l - p;
565 return 0;
566 }
567
568 return 1;
569 }
570
571 /* Add a custom pattern in the data frame
572 * @param a : delay of the first high pulse
573 * @param b : delay of the low pulse
574 * @param c : delay of the last high pulse
575 * @param tab : array of the data frame
576 */
577 bool AddPatternPCF7931(uint32_t a, uint32_t b, uint32_t c, uint32_t * tab) {
578 uint32_t u = 0;
579 for(u = 0; tab[u] != 0; u += 3){} //we put the cursor at the last value of the array
580
581 if (u == 0) tab[u] = a;
582 else tab[u] = a + tab[u - 1];
583
584 tab[u + 1] = b + tab[u];
585 tab[u + 2] = c + tab[u + 1];
586
587 return 0;
588 }
Impressum, Datenschutz