]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iclass.c
improved version of "hf 14a mifare" command
[proxmark3-svn] / armsrc / iclass.c
1 //-----------------------------------------------------------------------------
2 // Gerhard de Koning Gans - May 2008
3 // Hagen Fritsch - June 2010
4 // Gerhard de Koning Gans - May 2011
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // Routines to support iClass.
11 //-----------------------------------------------------------------------------
12 // Based on ISO14443a implementation. Still in experimental phase.
13 // Contribution made during a security research at Radboud University Nijmegen
14 //
15 // Please feel free to contribute and extend iClass support!!
16 //-----------------------------------------------------------------------------
17 //
18 // TODO:
19 // =====
20 // - iClass emulation
21 // - reader emulation
22 //
23 // FIX:
24 // ====
25 // We still have sometimes a demodulation error when snooping iClass communication.
26 // The resulting trace of a read-block-03 command may look something like this:
27 //
28 // + 22279: : 0c 03 e8 01
29 //
30 // ...with an incorrect answer...
31 //
32 // + 85: 0: TAG ff! ff! ff! ff! ff! ff! ff! ff! bb 33 bb 00 01! 0e! 04! bb !crc
33 //
34 // We still left the error signalling bytes in the traces like 0xbb
35 //
36 // A correct trace should look like this:
37 //
38 // + 21112: : 0c 03 e8 01
39 // + 85: 0: TAG ff ff ff ff ff ff ff ff ea f5
40 //
41 //-----------------------------------------------------------------------------
42
43 #include "proxmark3.h"
44 #include "apps.h"
45 #include "util.h"
46 #include "string.h"
47
48 #include "iclass.h"
49
50 static uint8_t *trace = (uint8_t *) BigBuf;
51 static int traceLen = 0;
52 static int rsamples = 0;
53
54 // CARD TO READER
55 // Sequence D: 11110000 modulation with subcarrier during first half
56 // Sequence E: 00001111 modulation with subcarrier during second half
57 // Sequence F: 00000000 no modulation with subcarrier
58 // READER TO CARD
59 // Sequence X: 00001100 drop after half a period
60 // Sequence Y: 00000000 no drop
61 // Sequence Z: 11000000 drop at start
62 #define SEC_D 0xf0
63 #define SEC_E 0x0f
64 #define SEC_F 0x00
65 #define SEC_X 0x0c
66 #define SEC_Y 0x00
67 #define SEC_Z 0xc0
68
69 static const uint8_t OddByteParity[256] = {
70 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
71 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
72 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
73 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
74 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
75 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
76 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
77 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
78 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
79 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
80 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
81 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
82 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
83 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
84 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
85 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
86 };
87
88 //static const uint8_t MajorityNibble[16] = { 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1 };
89 //static const uint8_t MajorityNibble[16] = { 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 };
90
91 // BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
92 #define RECV_CMD_OFFSET 3032
93 #define RECV_RES_OFFSET 3096
94 #define DMA_BUFFER_OFFSET 3160
95 #define DMA_BUFFER_SIZE 4096
96 #define TRACE_LENGTH 3000
97
98
99 //-----------------------------------------------------------------------------
100 // The software UART that receives commands from the reader, and its state
101 // variables.
102 //-----------------------------------------------------------------------------
103 static struct {
104 enum {
105 STATE_UNSYNCD,
106 STATE_START_OF_COMMUNICATION,
107 STATE_RECEIVING
108 } state;
109 uint16_t shiftReg;
110 int bitCnt;
111 int byteCnt;
112 int byteCntMax;
113 int posCnt;
114 int nOutOfCnt;
115 int OutOfCnt;
116 int syncBit;
117 int parityBits;
118 int samples;
119 int highCnt;
120 int swapper;
121 int counter;
122 int bitBuffer;
123 int dropPosition;
124 uint8_t *output;
125 } Uart;
126
127 static RAMFUNC int MillerDecoding(int bit)
128 {
129 int error = 0;
130 int bitright;
131
132 if(!Uart.bitBuffer) {
133 Uart.bitBuffer = bit ^ 0xFF0;
134 return FALSE;
135 }
136 else {
137 Uart.bitBuffer <<= 4;
138 Uart.bitBuffer ^= bit;
139 }
140
141 /*if(Uart.swapper) {
142 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
143 Uart.byteCnt++;
144 Uart.swapper = 0;
145 if(Uart.byteCnt > 15) { return TRUE; }
146 }
147 else {
148 Uart.swapper = 1;
149 }*/
150
151 if(Uart.state != STATE_UNSYNCD) {
152 Uart.posCnt++;
153
154 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
155 bit = 0x00;
156 }
157 else {
158 bit = 0x01;
159 }
160 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
161 bitright = 0x00;
162 }
163 else {
164 bitright = 0x01;
165 }
166 if(bit != bitright) { bit = bitright; }
167
168
169 // So, now we only have to deal with *bit*, lets see...
170 if(Uart.posCnt == 1) {
171 // measurement first half bitperiod
172 if(!bit) {
173 // Drop in first half means that we are either seeing
174 // an SOF or an EOF.
175
176 if(Uart.nOutOfCnt == 1) {
177 // End of Communication
178 Uart.state = STATE_UNSYNCD;
179 Uart.highCnt = 0;
180 if(Uart.byteCnt == 0) {
181 // Its not straightforward to show single EOFs
182 // So just leave it and do not return TRUE
183 Uart.output[Uart.byteCnt] = 0xf0;
184 Uart.byteCnt++;
185
186 // Calculate the parity bit for the client...
187 Uart.parityBits = 1;
188 }
189 else {
190 return TRUE;
191 }
192 }
193 else if(Uart.state != STATE_START_OF_COMMUNICATION) {
194 // When not part of SOF or EOF, it is an error
195 Uart.state = STATE_UNSYNCD;
196 Uart.highCnt = 0;
197 error = 4;
198 }
199 }
200 }
201 else {
202 // measurement second half bitperiod
203 // Count the bitslot we are in... (ISO 15693)
204 Uart.nOutOfCnt++;
205
206 if(!bit) {
207 if(Uart.dropPosition) {
208 if(Uart.state == STATE_START_OF_COMMUNICATION) {
209 error = 1;
210 }
211 else {
212 error = 7;
213 }
214 // It is an error if we already have seen a drop in current frame
215 Uart.state = STATE_UNSYNCD;
216 Uart.highCnt = 0;
217 }
218 else {
219 Uart.dropPosition = Uart.nOutOfCnt;
220 }
221 }
222
223 Uart.posCnt = 0;
224
225
226 if(Uart.nOutOfCnt == Uart.OutOfCnt && Uart.OutOfCnt == 4) {
227 Uart.nOutOfCnt = 0;
228
229 if(Uart.state == STATE_START_OF_COMMUNICATION) {
230 if(Uart.dropPosition == 4) {
231 Uart.state = STATE_RECEIVING;
232 Uart.OutOfCnt = 256;
233 }
234 else if(Uart.dropPosition == 3) {
235 Uart.state = STATE_RECEIVING;
236 Uart.OutOfCnt = 4;
237 //Uart.output[Uart.byteCnt] = 0xdd;
238 //Uart.byteCnt++;
239 }
240 else {
241 Uart.state = STATE_UNSYNCD;
242 Uart.highCnt = 0;
243 }
244 Uart.dropPosition = 0;
245 }
246 else {
247 // RECEIVING DATA
248 // 1 out of 4
249 if(!Uart.dropPosition) {
250 Uart.state = STATE_UNSYNCD;
251 Uart.highCnt = 0;
252 error = 9;
253 }
254 else {
255 Uart.shiftReg >>= 2;
256
257 // Swap bit order
258 Uart.dropPosition--;
259 //if(Uart.dropPosition == 1) { Uart.dropPosition = 2; }
260 //else if(Uart.dropPosition == 2) { Uart.dropPosition = 1; }
261
262 Uart.shiftReg ^= ((Uart.dropPosition & 0x03) << 6);
263 Uart.bitCnt += 2;
264 Uart.dropPosition = 0;
265
266 if(Uart.bitCnt == 8) {
267 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
268 Uart.byteCnt++;
269
270 // Calculate the parity bit for the client...
271 Uart.parityBits <<= 1;
272 Uart.parityBits ^= OddByteParity[(Uart.shiftReg & 0xff)];
273
274 Uart.bitCnt = 0;
275 Uart.shiftReg = 0;
276 }
277 }
278 }
279 }
280 else if(Uart.nOutOfCnt == Uart.OutOfCnt) {
281 // RECEIVING DATA
282 // 1 out of 256
283 if(!Uart.dropPosition) {
284 Uart.state = STATE_UNSYNCD;
285 Uart.highCnt = 0;
286 error = 3;
287 }
288 else {
289 Uart.dropPosition--;
290 Uart.output[Uart.byteCnt] = (Uart.dropPosition & 0xff);
291 Uart.byteCnt++;
292
293 // Calculate the parity bit for the client...
294 Uart.parityBits <<= 1;
295 Uart.parityBits ^= OddByteParity[(Uart.dropPosition & 0xff)];
296
297 Uart.bitCnt = 0;
298 Uart.shiftReg = 0;
299 Uart.nOutOfCnt = 0;
300 Uart.dropPosition = 0;
301 }
302 }
303
304 /*if(error) {
305 Uart.output[Uart.byteCnt] = 0xAA;
306 Uart.byteCnt++;
307 Uart.output[Uart.byteCnt] = error & 0xFF;
308 Uart.byteCnt++;
309 Uart.output[Uart.byteCnt] = 0xAA;
310 Uart.byteCnt++;
311 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
312 Uart.byteCnt++;
313 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
314 Uart.byteCnt++;
315 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
316 Uart.byteCnt++;
317 Uart.output[Uart.byteCnt] = 0xAA;
318 Uart.byteCnt++;
319 return TRUE;
320 }*/
321 }
322
323 }
324 else {
325 bit = Uart.bitBuffer & 0xf0;
326 bit >>= 4;
327 bit ^= 0x0F; // drops become 1s ;-)
328 if(bit) {
329 // should have been high or at least (4 * 128) / fc
330 // according to ISO this should be at least (9 * 128 + 20) / fc
331 if(Uart.highCnt == 8) {
332 // we went low, so this could be start of communication
333 // it turns out to be safer to choose a less significant
334 // syncbit... so we check whether the neighbour also represents the drop
335 Uart.posCnt = 1; // apparently we are busy with our first half bit period
336 Uart.syncBit = bit & 8;
337 Uart.samples = 3;
338 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
339 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
340 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
341 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
342 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
343 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
344 Uart.syncBit = 8;
345
346 // the first half bit period is expected in next sample
347 Uart.posCnt = 0;
348 Uart.samples = 3;
349 }
350 }
351 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
352
353 Uart.syncBit <<= 4;
354 Uart.state = STATE_START_OF_COMMUNICATION;
355 Uart.bitCnt = 0;
356 Uart.byteCnt = 0;
357 Uart.parityBits = 0;
358 Uart.nOutOfCnt = 0;
359 Uart.OutOfCnt = 4; // Start at 1/4, could switch to 1/256
360 Uart.dropPosition = 0;
361 Uart.shiftReg = 0;
362 error = 0;
363 }
364 else {
365 Uart.highCnt = 0;
366 }
367 }
368 else {
369 if(Uart.highCnt < 8) {
370 Uart.highCnt++;
371 }
372 }
373 }
374
375 return FALSE;
376 }
377
378 //=============================================================================
379 // ISO 14443 Type A - Manchester
380 //=============================================================================
381
382 static struct {
383 enum {
384 DEMOD_UNSYNCD,
385 DEMOD_START_OF_COMMUNICATION,
386 DEMOD_START_OF_COMMUNICATION2,
387 DEMOD_START_OF_COMMUNICATION3,
388 DEMOD_SOF_COMPLETE,
389 DEMOD_MANCHESTER_D,
390 DEMOD_MANCHESTER_E,
391 DEMOD_END_OF_COMMUNICATION,
392 DEMOD_END_OF_COMMUNICATION2,
393 DEMOD_MANCHESTER_F,
394 DEMOD_ERROR_WAIT
395 } state;
396 int bitCount;
397 int posCount;
398 int syncBit;
399 int parityBits;
400 uint16_t shiftReg;
401 int buffer;
402 int buffer2;
403 int buffer3;
404 int buff;
405 int samples;
406 int len;
407 enum {
408 SUB_NONE,
409 SUB_FIRST_HALF,
410 SUB_SECOND_HALF,
411 SUB_BOTH
412 } sub;
413 uint8_t *output;
414 } Demod;
415
416 static RAMFUNC int ManchesterDecoding(int v)
417 {
418 int bit;
419 int modulation;
420 int error = 0;
421
422 bit = Demod.buffer;
423 Demod.buffer = Demod.buffer2;
424 Demod.buffer2 = Demod.buffer3;
425 Demod.buffer3 = v;
426
427 if(Demod.buff < 3) {
428 Demod.buff++;
429 return FALSE;
430 }
431
432 if(Demod.state==DEMOD_UNSYNCD) {
433 Demod.output[Demod.len] = 0xfa;
434 Demod.syncBit = 0;
435 //Demod.samples = 0;
436 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
437 /* if(bit & 0x08) { Demod.syncBit = 0x08; }
438 if(!Demod.syncBit) {
439 if(bit & 0x04) { Demod.syncBit = 0x04; }
440 }
441 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
442 if(!Demod.syncBit) {
443 if(bit & 0x02) { Demod.syncBit = 0x02; }
444 }
445 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
446 if(!Demod.syncBit) {
447 if(bit & 0x01) { Demod.syncBit = 0x01; }
448
449 if(Demod.syncBit && (Demod.buffer & 0x08)) {
450 Demod.syncBit = 0x08;
451
452 // The first half bitperiod is expected in next sample
453 Demod.posCount = 0;
454 Demod.output[Demod.len] = 0xfb;
455 }
456 }
457 else if(bit & 0x01) { Demod.syncBit = 0x01; }
458 */
459
460 if(bit & 0x08) {
461 Demod.syncBit = 0x08;
462 }
463
464 if(bit & 0x04) {
465 if(Demod.syncBit) {
466 bit <<= 4;
467 }
468 Demod.syncBit = 0x04;
469 }
470
471 if(bit & 0x02) {
472 if(Demod.syncBit) {
473 bit <<= 2;
474 }
475 Demod.syncBit = 0x02;
476 }
477
478 if(bit & 0x01 && Demod.syncBit) {
479 Demod.syncBit = 0x01;
480 }
481
482 if(Demod.syncBit) {
483 Demod.len = 0;
484 Demod.state = DEMOD_START_OF_COMMUNICATION;
485 Demod.sub = SUB_FIRST_HALF;
486 Demod.bitCount = 0;
487 Demod.shiftReg = 0;
488 Demod.parityBits = 0;
489 Demod.samples = 0;
490 if(Demod.posCount) {
491 //if(trigger) LED_A_OFF(); // Not useful in this case...
492 switch(Demod.syncBit) {
493 case 0x08: Demod.samples = 3; break;
494 case 0x04: Demod.samples = 2; break;
495 case 0x02: Demod.samples = 1; break;
496 case 0x01: Demod.samples = 0; break;
497 }
498 // SOF must be long burst... otherwise stay unsynced!!!
499 if(!(Demod.buffer & Demod.syncBit) || !(Demod.buffer2 & Demod.syncBit)) {
500 Demod.state = DEMOD_UNSYNCD;
501 }
502 }
503 else {
504 // SOF must be long burst... otherwise stay unsynced!!!
505 if(!(Demod.buffer2 & Demod.syncBit) || !(Demod.buffer3 & Demod.syncBit)) {
506 Demod.state = DEMOD_UNSYNCD;
507 error = 0x88;
508 }
509
510 }
511 error = 0;
512
513 }
514 }
515 else {
516 modulation = bit & Demod.syncBit;
517 modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
518 //modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
519
520 Demod.samples += 4;
521
522 if(Demod.posCount==0) {
523 Demod.posCount = 1;
524 if(modulation) {
525 Demod.sub = SUB_FIRST_HALF;
526 }
527 else {
528 Demod.sub = SUB_NONE;
529 }
530 }
531 else {
532 Demod.posCount = 0;
533 /*(modulation && (Demod.sub == SUB_FIRST_HALF)) {
534 if(Demod.state!=DEMOD_ERROR_WAIT) {
535 Demod.state = DEMOD_ERROR_WAIT;
536 Demod.output[Demod.len] = 0xaa;
537 error = 0x01;
538 }
539 }*/
540 //else if(modulation) {
541 if(modulation) {
542 if(Demod.sub == SUB_FIRST_HALF) {
543 Demod.sub = SUB_BOTH;
544 }
545 else {
546 Demod.sub = SUB_SECOND_HALF;
547 }
548 }
549 else if(Demod.sub == SUB_NONE) {
550 if(Demod.state == DEMOD_SOF_COMPLETE) {
551 Demod.output[Demod.len] = 0x0f;
552 Demod.len++;
553 Demod.parityBits <<= 1;
554 Demod.parityBits ^= OddByteParity[0x0f];
555 Demod.state = DEMOD_UNSYNCD;
556 // error = 0x0f;
557 return TRUE;
558 }
559 else {
560 Demod.state = DEMOD_ERROR_WAIT;
561 error = 0x33;
562 }
563 /*if(Demod.state!=DEMOD_ERROR_WAIT) {
564 Demod.state = DEMOD_ERROR_WAIT;
565 Demod.output[Demod.len] = 0xaa;
566 error = 0x01;
567 }*/
568 }
569
570 switch(Demod.state) {
571 case DEMOD_START_OF_COMMUNICATION:
572 if(Demod.sub == SUB_BOTH) {
573 //Demod.state = DEMOD_MANCHESTER_D;
574 Demod.state = DEMOD_START_OF_COMMUNICATION2;
575 Demod.posCount = 1;
576 Demod.sub = SUB_NONE;
577 }
578 else {
579 Demod.output[Demod.len] = 0xab;
580 Demod.state = DEMOD_ERROR_WAIT;
581 error = 0xd2;
582 }
583 break;
584 case DEMOD_START_OF_COMMUNICATION2:
585 if(Demod.sub == SUB_SECOND_HALF) {
586 Demod.state = DEMOD_START_OF_COMMUNICATION3;
587 }
588 else {
589 Demod.output[Demod.len] = 0xab;
590 Demod.state = DEMOD_ERROR_WAIT;
591 error = 0xd3;
592 }
593 break;
594 case DEMOD_START_OF_COMMUNICATION3:
595 if(Demod.sub == SUB_SECOND_HALF) {
596 // Demod.state = DEMOD_MANCHESTER_D;
597 Demod.state = DEMOD_SOF_COMPLETE;
598 //Demod.output[Demod.len] = Demod.syncBit & 0xFF;
599 //Demod.len++;
600 }
601 else {
602 Demod.output[Demod.len] = 0xab;
603 Demod.state = DEMOD_ERROR_WAIT;
604 error = 0xd4;
605 }
606 break;
607 case DEMOD_SOF_COMPLETE:
608 case DEMOD_MANCHESTER_D:
609 case DEMOD_MANCHESTER_E:
610 // OPPOSITE FROM ISO14443 - 11110000 = 0 (1 in 14443)
611 // 00001111 = 1 (0 in 14443)
612 if(Demod.sub == SUB_SECOND_HALF) { // SUB_FIRST_HALF
613 Demod.bitCount++;
614 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
615 Demod.state = DEMOD_MANCHESTER_D;
616 }
617 else if(Demod.sub == SUB_FIRST_HALF) { // SUB_SECOND_HALF
618 Demod.bitCount++;
619 Demod.shiftReg >>= 1;
620 Demod.state = DEMOD_MANCHESTER_E;
621 }
622 else if(Demod.sub == SUB_BOTH) {
623 Demod.state = DEMOD_MANCHESTER_F;
624 }
625 else {
626 Demod.state = DEMOD_ERROR_WAIT;
627 error = 0x55;
628 }
629 break;
630
631 case DEMOD_MANCHESTER_F:
632 // Tag response does not need to be a complete byte!
633 if(Demod.len > 0 || Demod.bitCount > 0) {
634 if(Demod.bitCount > 1) { // was > 0, do not interpret last closing bit, is part of EOF
635 Demod.shiftReg >>= (9 - Demod.bitCount);
636 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
637 Demod.len++;
638 // No parity bit, so just shift a 0
639 Demod.parityBits <<= 1;
640 }
641
642 Demod.state = DEMOD_UNSYNCD;
643 return TRUE;
644 }
645 else {
646 Demod.output[Demod.len] = 0xad;
647 Demod.state = DEMOD_ERROR_WAIT;
648 error = 0x03;
649 }
650 break;
651
652 case DEMOD_ERROR_WAIT:
653 Demod.state = DEMOD_UNSYNCD;
654 break;
655
656 default:
657 Demod.output[Demod.len] = 0xdd;
658 Demod.state = DEMOD_UNSYNCD;
659 break;
660 }
661
662 /*if(Demod.bitCount>=9) {
663 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
664 Demod.len++;
665
666 Demod.parityBits <<= 1;
667 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
668
669 Demod.bitCount = 0;
670 Demod.shiftReg = 0;
671 }*/
672 if(Demod.bitCount>=8) {
673 Demod.shiftReg >>= 1;
674 Demod.output[Demod.len] = (Demod.shiftReg & 0xff);
675 Demod.len++;
676
677 // FOR ISO15639 PARITY NOT SEND OTA, JUST CALCULATE IT FOR THE CLIENT
678 Demod.parityBits <<= 1;
679 Demod.parityBits ^= OddByteParity[(Demod.shiftReg & 0xff)];
680
681 Demod.bitCount = 0;
682 Demod.shiftReg = 0;
683 }
684
685 if(error) {
686 Demod.output[Demod.len] = 0xBB;
687 Demod.len++;
688 Demod.output[Demod.len] = error & 0xFF;
689 Demod.len++;
690 Demod.output[Demod.len] = 0xBB;
691 Demod.len++;
692 Demod.output[Demod.len] = bit & 0xFF;
693 Demod.len++;
694 Demod.output[Demod.len] = Demod.buffer & 0xFF;
695 Demod.len++;
696 // Look harder ;-)
697 Demod.output[Demod.len] = Demod.buffer2 & 0xFF;
698 Demod.len++;
699 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
700 Demod.len++;
701 Demod.output[Demod.len] = 0xBB;
702 Demod.len++;
703 return TRUE;
704 }
705
706 }
707
708 } // end (state != UNSYNCED)
709
710 return FALSE;
711 }
712
713 //=============================================================================
714 // Finally, a `sniffer' for ISO 14443 Type A
715 // Both sides of communication!
716 //=============================================================================
717
718 //-----------------------------------------------------------------------------
719 // Record the sequence of commands sent by the reader to the tag, with
720 // triggering so that we start recording at the point that the tag is moved
721 // near the reader.
722 //-----------------------------------------------------------------------------
723 void RAMFUNC SnoopIClass(void)
724 {
725 // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
726 // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
727 // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
728 // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
729 // #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
730
731 // We won't start recording the frames that we acquire until we trigger;
732 // a good trigger condition to get started is probably when we see a
733 // response from the tag.
734 int triggered = FALSE; // FALSE to wait first for card
735
736 // The command (reader -> tag) that we're receiving.
737 // The length of a received command will in most cases be no more than 18 bytes.
738 // So 32 should be enough!
739 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
740 // The response (tag -> reader) that we're receiving.
741 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
742
743 // As we receive stuff, we copy it from receivedCmd or receivedResponse
744 // into trace, along with its length and other annotations.
745 //uint8_t *trace = (uint8_t *)BigBuf;
746
747 traceLen = 0; // uncommented to fix ISSUE 15 - gerhard - jan2011
748
749 // The DMA buffer, used to stream samples from the FPGA
750 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
751 int lastRxCounter;
752 int8_t *upTo;
753 int smpl;
754 int maxBehindBy = 0;
755
756 // Count of samples received so far, so that we can include timing
757 // information in the trace buffer.
758 int samples = 0;
759 rsamples = 0;
760
761 memset(trace, 0x44, RECV_CMD_OFFSET);
762
763 // Set up the demodulator for tag -> reader responses.
764 Demod.output = receivedResponse;
765 Demod.len = 0;
766 Demod.state = DEMOD_UNSYNCD;
767
768 // Setup for the DMA.
769 FpgaSetupSsc();
770 upTo = dmaBuf;
771 lastRxCounter = DMA_BUFFER_SIZE;
772 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
773
774 // And the reader -> tag commands
775 memset(&Uart, 0, sizeof(Uart));
776 Uart.output = receivedCmd;
777 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
778 Uart.state = STATE_UNSYNCD;
779
780 // And put the FPGA in the appropriate mode
781 // Signal field is off with the appropriate LED
782 LED_D_OFF();
783 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
784 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
785
786 int div = 0;
787 //int div2 = 0;
788 int decbyte = 0;
789 int decbyter = 0;
790
791 // And now we loop, receiving samples.
792 for(;;) {
793 LED_A_ON();
794 WDT_HIT();
795 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
796 (DMA_BUFFER_SIZE-1);
797 if(behindBy > maxBehindBy) {
798 maxBehindBy = behindBy;
799 if(behindBy > 400) {
800 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
801 goto done;
802 }
803 }
804 if(behindBy < 1) continue;
805
806 LED_A_OFF();
807 smpl = upTo[0];
808 upTo++;
809 lastRxCounter -= 1;
810 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
811 upTo -= DMA_BUFFER_SIZE;
812 lastRxCounter += DMA_BUFFER_SIZE;
813 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
814 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
815 }
816
817 //samples += 4;
818 samples += 1;
819 //div2++;
820
821 //if(div2 > 3) {
822 //div2 = 0;
823 //decbyte ^= ((smpl & 0x01) << (3 - div));
824 //decbyte ^= (((smpl & 0x01) | ((smpl & 0x02) >> 1)) << (3 - div)); // better already...
825 //decbyte ^= (((smpl & 0x01) | ((smpl & 0x02) >> 1) | ((smpl & 0x04) >> 2)) << (3 - div)); // even better...
826 if(smpl & 0xF) {
827 decbyte ^= (1 << (3 - div));
828 }
829 //decbyte ^= (MajorityNibble[(smpl & 0x0F)] << (3 - div));
830
831 // FOR READER SIDE COMMUMICATION...
832 //decbyte ^= ((smpl & 0x10) << (3 - div));
833 decbyter <<= 2;
834 decbyter ^= (smpl & 0x30);
835
836 div++;
837
838 if((div + 1) % 2 == 0) {
839 smpl = decbyter;
840 if(MillerDecoding((smpl & 0xF0) >> 4)) {
841 rsamples = samples - Uart.samples;
842 LED_C_ON();
843 //if(triggered) {
844 trace[traceLen++] = ((rsamples >> 0) & 0xff);
845 trace[traceLen++] = ((rsamples >> 8) & 0xff);
846 trace[traceLen++] = ((rsamples >> 16) & 0xff);
847 trace[traceLen++] = ((rsamples >> 24) & 0xff);
848 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
849 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
850 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
851 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
852 trace[traceLen++] = Uart.byteCnt;
853 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
854 traceLen += Uart.byteCnt;
855 if(traceLen > TRACE_LENGTH) break;
856 //}
857 /* And ready to receive another command. */
858 Uart.state = STATE_UNSYNCD;
859 /* And also reset the demod code, which might have been */
860 /* false-triggered by the commands from the reader. */
861 Demod.state = DEMOD_UNSYNCD;
862 LED_B_OFF();
863 Uart.byteCnt = 0;
864 }
865 decbyter = 0;
866 }
867
868 if(div > 3) {
869 smpl = decbyte;
870 if(ManchesterDecoding(smpl & 0x0F)) {
871 rsamples = samples - Demod.samples;
872 LED_B_ON();
873
874 // timestamp, as a count of samples
875 trace[traceLen++] = ((rsamples >> 0) & 0xff);
876 trace[traceLen++] = ((rsamples >> 8) & 0xff);
877 trace[traceLen++] = ((rsamples >> 16) & 0xff);
878 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
879 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
880 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
881 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
882 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
883 // length
884 trace[traceLen++] = Demod.len;
885 memcpy(trace+traceLen, receivedResponse, Demod.len);
886 traceLen += Demod.len;
887 if(traceLen > TRACE_LENGTH) break;
888
889 triggered = TRUE;
890
891 // And ready to receive another response.
892 memset(&Demod, 0, sizeof(Demod));
893 Demod.output = receivedResponse;
894 Demod.state = DEMOD_UNSYNCD;
895 LED_C_OFF();
896 }
897
898 div = 0;
899 decbyte = 0x00;
900 }
901 //}
902
903 if(BUTTON_PRESS()) {
904 DbpString("cancelled_a");
905 goto done;
906 }
907 }
908
909 DbpString("COMMAND FINISHED");
910
911 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
912 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
913
914 done:
915 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
916 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
917 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
918 LED_A_OFF();
919 LED_B_OFF();
920 LED_C_OFF();
921 LED_D_OFF();
922 }
923
Impressum, Datenschutz