]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443b.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
fixing iso14443b (issue #103):
[proxmark3-svn] / armsrc / iso14443b.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, split Nov 2006
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Routines to support ISO 14443B. This includes both the reader software and
9 // the `fake tag' modes.
10 //-----------------------------------------------------------------------------
11
12 #include "proxmark3.h"
13 #include "apps.h"
14 #include "util.h"
15 #include "string.h"
16
17 #include "iso14443crc.h"
18
19 #define RECEIVE_SAMPLES_TIMEOUT 2000
20 #define ISO14443B_DMA_BUFFER_SIZE 256
21
22 //=============================================================================
23 // An ISO 14443 Type B tag. We listen for commands from the reader, using
24 // a UART kind of thing that's implemented in software. When we get a
25 // frame (i.e., a group of bytes between SOF and EOF), we check the CRC.
26 // If it's good, then we can do something appropriate with it, and send
27 // a response.
28 //=============================================================================
29
30 //-----------------------------------------------------------------------------
31 // Code up a string of octets at layer 2 (including CRC, we don't generate
32 // that here) so that they can be transmitted to the reader. Doesn't transmit
33 // them yet, just leaves them ready to send in ToSend[].
34 //-----------------------------------------------------------------------------
35 static void CodeIso14443bAsTag(const uint8_t *cmd, int len)
36 {
37 int i;
38
39 ToSendReset();
40
41 // Transmit a burst of ones, as the initial thing that lets the
42 // reader get phase sync. This (TR1) must be > 80/fs, per spec,
43 // but tag that I've tried (a Paypass) exceeds that by a fair bit,
44 // so I will too.
45 for(i = 0; i < 20; i++) {
46 ToSendStuffBit(1);
47 ToSendStuffBit(1);
48 ToSendStuffBit(1);
49 ToSendStuffBit(1);
50 }
51
52 // Send SOF.
53 for(i = 0; i < 10; i++) {
54 ToSendStuffBit(0);
55 ToSendStuffBit(0);
56 ToSendStuffBit(0);
57 ToSendStuffBit(0);
58 }
59 for(i = 0; i < 2; i++) {
60 ToSendStuffBit(1);
61 ToSendStuffBit(1);
62 ToSendStuffBit(1);
63 ToSendStuffBit(1);
64 }
65
66 for(i = 0; i < len; i++) {
67 int j;
68 uint8_t b = cmd[i];
69
70 // Start bit
71 ToSendStuffBit(0);
72 ToSendStuffBit(0);
73 ToSendStuffBit(0);
74 ToSendStuffBit(0);
75
76 // Data bits
77 for(j = 0; j < 8; j++) {
78 if(b & 1) {
79 ToSendStuffBit(1);
80 ToSendStuffBit(1);
81 ToSendStuffBit(1);
82 ToSendStuffBit(1);
83 } else {
84 ToSendStuffBit(0);
85 ToSendStuffBit(0);
86 ToSendStuffBit(0);
87 ToSendStuffBit(0);
88 }
89 b >>= 1;
90 }
91
92 // Stop bit
93 ToSendStuffBit(1);
94 ToSendStuffBit(1);
95 ToSendStuffBit(1);
96 ToSendStuffBit(1);
97 }
98
99 // Send EOF.
100 for(i = 0; i < 10; i++) {
101 ToSendStuffBit(0);
102 ToSendStuffBit(0);
103 ToSendStuffBit(0);
104 ToSendStuffBit(0);
105 }
106 for(i = 0; i < 2; i++) {
107 ToSendStuffBit(1);
108 ToSendStuffBit(1);
109 ToSendStuffBit(1);
110 ToSendStuffBit(1);
111 }
112
113 // Convert from last byte pos to length
114 ToSendMax++;
115 }
116
117 //-----------------------------------------------------------------------------
118 // The software UART that receives commands from the reader, and its state
119 // variables.
120 //-----------------------------------------------------------------------------
121 static struct {
122 enum {
123 STATE_UNSYNCD,
124 STATE_GOT_FALLING_EDGE_OF_SOF,
125 STATE_AWAITING_START_BIT,
126 STATE_RECEIVING_DATA
127 } state;
128 uint16_t shiftReg;
129 int bitCnt;
130 int byteCnt;
131 int byteCntMax;
132 int posCnt;
133 uint8_t *output;
134 } Uart;
135
136 /* Receive & handle a bit coming from the reader.
137 *
138 * This function is called 4 times per bit (every 2 subcarrier cycles).
139 * Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 2,36us
140 *
141 * LED handling:
142 * LED A -> ON once we have received the SOF and are expecting the rest.
143 * LED A -> OFF once we have received EOF or are in error state or unsynced
144 *
145 * Returns: true if we received a EOF
146 * false if we are still waiting for some more
147 */
148 static RAMFUNC int Handle14443bUartBit(uint8_t bit)
149 {
150 switch(Uart.state) {
151 case STATE_UNSYNCD:
152 if(!bit) {
153 // we went low, so this could be the beginning
154 // of an SOF
155 Uart.state = STATE_GOT_FALLING_EDGE_OF_SOF;
156 Uart.posCnt = 0;
157 Uart.bitCnt = 0;
158 }
159 break;
160
161 case STATE_GOT_FALLING_EDGE_OF_SOF:
162 Uart.posCnt++;
163 if(Uart.posCnt == 2) { // sample every 4 1/fs in the middle of a bit
164 if(bit) {
165 if(Uart.bitCnt > 9) {
166 // we've seen enough consecutive
167 // zeros that it's a valid SOF
168 Uart.posCnt = 0;
169 Uart.byteCnt = 0;
170 Uart.state = STATE_AWAITING_START_BIT;
171 LED_A_ON(); // Indicate we got a valid SOF
172 } else {
173 // didn't stay down long enough
174 // before going high, error
175 Uart.state = STATE_UNSYNCD;
176 }
177 } else {
178 // do nothing, keep waiting
179 }
180 Uart.bitCnt++;
181 }
182 if(Uart.posCnt >= 4) Uart.posCnt = 0;
183 if(Uart.bitCnt > 12) {
184 // Give up if we see too many zeros without
185 // a one, too.
186 LED_A_OFF();
187 Uart.state = STATE_UNSYNCD;
188 }
189 break;
190
191 case STATE_AWAITING_START_BIT:
192 Uart.posCnt++;
193 if(bit) {
194 if(Uart.posCnt > 50/2) { // max 57us between characters = 49 1/fs, max 3 etus after low phase of SOF = 24 1/fs
195 // stayed high for too long between
196 // characters, error
197 Uart.state = STATE_UNSYNCD;
198 }
199 } else {
200 // falling edge, this starts the data byte
201 Uart.posCnt = 0;
202 Uart.bitCnt = 0;
203 Uart.shiftReg = 0;
204 Uart.state = STATE_RECEIVING_DATA;
205 }
206 break;
207
208 case STATE_RECEIVING_DATA:
209 Uart.posCnt++;
210 if(Uart.posCnt == 2) {
211 // time to sample a bit
212 Uart.shiftReg >>= 1;
213 if(bit) {
214 Uart.shiftReg |= 0x200;
215 }
216 Uart.bitCnt++;
217 }
218 if(Uart.posCnt >= 4) {
219 Uart.posCnt = 0;
220 }
221 if(Uart.bitCnt == 10) {
222 if((Uart.shiftReg & 0x200) && !(Uart.shiftReg & 0x001))
223 {
224 // this is a data byte, with correct
225 // start and stop bits
226 Uart.output[Uart.byteCnt] = (Uart.shiftReg >> 1) & 0xff;
227 Uart.byteCnt++;
228
229 if(Uart.byteCnt >= Uart.byteCntMax) {
230 // Buffer overflowed, give up
231 LED_A_OFF();
232 Uart.state = STATE_UNSYNCD;
233 } else {
234 // so get the next byte now
235 Uart.posCnt = 0;
236 Uart.state = STATE_AWAITING_START_BIT;
237 }
238 } else if (Uart.shiftReg == 0x000) {
239 // this is an EOF byte
240 LED_A_OFF(); // Finished receiving
241 Uart.state = STATE_UNSYNCD;
242 if (Uart.byteCnt != 0) {
243 return TRUE;
244 }
245 } else {
246 // this is an error
247 LED_A_OFF();
248 Uart.state = STATE_UNSYNCD;
249 }
250 }
251 break;
252
253 default:
254 LED_A_OFF();
255 Uart.state = STATE_UNSYNCD;
256 break;
257 }
258
259 return FALSE;
260 }
261
262
263 static void UartReset()
264 {
265 Uart.byteCntMax = MAX_FRAME_SIZE;
266 Uart.state = STATE_UNSYNCD;
267 Uart.byteCnt = 0;
268 Uart.bitCnt = 0;
269 }
270
271
272 static void UartInit(uint8_t *data)
273 {
274 Uart.output = data;
275 UartReset();
276 }
277
278
279 //-----------------------------------------------------------------------------
280 // Receive a command (from the reader to us, where we are the simulated tag),
281 // and store it in the given buffer, up to the given maximum length. Keeps
282 // spinning, waiting for a well-framed command, until either we get one
283 // (returns TRUE) or someone presses the pushbutton on the board (FALSE).
284 //
285 // Assume that we're called with the SSC (to the FPGA) and ADC path set
286 // correctly.
287 //-----------------------------------------------------------------------------
288 static int GetIso14443bCommandFromReader(uint8_t *received, uint16_t *len)
289 {
290 // Set FPGA mode to "simulated ISO 14443B tag", no modulation (listen
291 // only, since we are receiving, not transmitting).
292 // Signal field is off with the appropriate LED
293 LED_D_OFF();
294 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
295
296 // Now run a `software UART' on the stream of incoming samples.
297 UartInit(received);
298
299 for(;;) {
300 WDT_HIT();
301
302 if(BUTTON_PRESS()) return FALSE;
303
304 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
305 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
306 for(uint8_t mask = 0x80; mask != 0x00; mask >>= 1) {
307 if(Handle14443bUartBit(b & mask)) {
308 *len = Uart.byteCnt;
309 return TRUE;
310 }
311 }
312 }
313 }
314
315 return FALSE;
316 }
317
318 //-----------------------------------------------------------------------------
319 // Main loop of simulated tag: receive commands from reader, decide what
320 // response to send, and send it.
321 //-----------------------------------------------------------------------------
322 void SimulateIso14443bTag(void)
323 {
324 // the only commands we understand is REQB, AFI=0, Select All, N=0:
325 static const uint8_t cmd1[] = { 0x05, 0x00, 0x08, 0x39, 0x73 };
326 // ... and REQB, AFI=0, Normal Request, N=0:
327 static const uint8_t cmd2[] = { 0x05, 0x00, 0x00, 0x71, 0xFF };
328
329 // ... and we always respond with ATQB, PUPI = 820de174, Application Data = 0x20381922,
330 // supports only 106kBit/s in both directions, max frame size = 32Bytes,
331 // supports ISO14443-4, FWI=8 (77ms), NAD supported, CID not supported:
332 static const uint8_t response1[] = {
333 0x50, 0x82, 0x0d, 0xe1, 0x74, 0x20, 0x38, 0x19, 0x22,
334 0x00, 0x21, 0x85, 0x5e, 0xd7
335 };
336
337 clear_trace();
338 set_tracing(TRUE);
339
340 const uint8_t *resp;
341 uint8_t *respCode;
342 uint16_t respLen, respCodeLen;
343
344 // allocate command receive buffer
345 BigBuf_free();
346 uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
347
348 uint16_t len;
349 uint16_t cmdsRecvd = 0;
350
351 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
352
353 // prepare the (only one) tag answer:
354 CodeIso14443bAsTag(response1, sizeof(response1));
355 uint8_t *resp1Code = BigBuf_malloc(ToSendMax);
356 memcpy(resp1Code, ToSend, ToSendMax);
357 uint16_t resp1CodeLen = ToSendMax;
358
359 // We need to listen to the high-frequency, peak-detected path.
360 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
361 FpgaSetupSsc();
362
363 cmdsRecvd = 0;
364
365 for(;;) {
366
367 if(!GetIso14443bCommandFromReader(receivedCmd, &len)) {
368 Dbprintf("button pressed, received %d commands", cmdsRecvd);
369 break;
370 }
371
372 if (tracing) {
373 uint8_t parity[MAX_PARITY_SIZE];
374 LogTrace(receivedCmd, len, 0, 0, parity, TRUE);
375 }
376
377 // Good, look at the command now.
378 if ( (len == sizeof(cmd1) && memcmp(receivedCmd, cmd1, len) == 0)
379 || (len == sizeof(cmd2) && memcmp(receivedCmd, cmd2, len) == 0) ) {
380 resp = response1;
381 respLen = sizeof(response1);
382 respCode = resp1Code;
383 respCodeLen = resp1CodeLen;
384 } else {
385 Dbprintf("new cmd from reader: len=%d, cmdsRecvd=%d", len, cmdsRecvd);
386 // And print whether the CRC fails, just for good measure
387 uint8_t b1, b2;
388 ComputeCrc14443(CRC_14443_B, receivedCmd, len-2, &b1, &b2);
389 if(b1 != receivedCmd[len-2] || b2 != receivedCmd[len-1]) {
390 // Not so good, try again.
391 DbpString("+++CRC fail");
392 } else {
393 DbpString("CRC passes");
394 }
395 break;
396 }
397
398 cmdsRecvd++;
399
400 if(cmdsRecvd > 0x30) {
401 DbpString("many commands later...");
402 break;
403 }
404
405 if(respCodeLen <= 0) continue;
406
407 // Modulate BPSK
408 // Signal field is off with the appropriate LED
409 LED_D_OFF();
410 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK);
411 AT91C_BASE_SSC->SSC_THR = 0xff;
412 FpgaSetupSsc();
413
414 // Transmit the response.
415 uint16_t i = 0;
416 for(;;) {
417 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
418 uint8_t b = respCode[i];
419
420 AT91C_BASE_SSC->SSC_THR = b;
421
422 i++;
423 if(i > respCodeLen) {
424 break;
425 }
426 }
427 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
428 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
429 (void)b;
430 }
431 }
432
433 // trace the response:
434 if (tracing) {
435 uint8_t parity[MAX_PARITY_SIZE];
436 LogTrace(resp, respLen, 0, 0, parity, FALSE);
437 }
438
439 }
440 }
441
442 //=============================================================================
443 // An ISO 14443 Type B reader. We take layer two commands, code them
444 // appropriately, and then send them to the tag. We then listen for the
445 // tag's response, which we leave in the buffer to be demodulated on the
446 // PC side.
447 //=============================================================================
448
449 static struct {
450 enum {
451 DEMOD_UNSYNCD,
452 DEMOD_PHASE_REF_TRAINING,
453 DEMOD_AWAITING_FALLING_EDGE_OF_SOF,
454 DEMOD_GOT_FALLING_EDGE_OF_SOF,
455 DEMOD_AWAITING_START_BIT,
456 DEMOD_RECEIVING_DATA
457 } state;
458 int bitCount;
459 int posCount;
460 int thisBit;
461 /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
462 int metric;
463 int metricN;
464 */
465 uint16_t shiftReg;
466 uint8_t *output;
467 int len;
468 int sumI;
469 int sumQ;
470 } Demod;
471
472 /*
473 * Handles reception of a bit from the tag
474 *
475 * This function is called 2 times per bit (every 4 subcarrier cycles).
476 * Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 4,72us
477 *
478 * LED handling:
479 * LED C -> ON once we have received the SOF and are expecting the rest.
480 * LED C -> OFF once we have received EOF or are unsynced
481 *
482 * Returns: true if we received a EOF
483 * false if we are still waiting for some more
484 *
485 */
486 static RAMFUNC int Handle14443bSamplesDemod(int ci, int cq)
487 {
488 int v;
489
490 // The soft decision on the bit uses an estimate of just the
491 // quadrant of the reference angle, not the exact angle.
492 #define MAKE_SOFT_DECISION() { \
493 if(Demod.sumI > 0) { \
494 v = ci; \
495 } else { \
496 v = -ci; \
497 } \
498 if(Demod.sumQ > 0) { \
499 v += cq; \
500 } else { \
501 v -= cq; \
502 } \
503 }
504
505 #define SUBCARRIER_DETECT_THRESHOLD 8
506
507 // Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by abs(ci) + abs(cq)
508 /* #define CHECK_FOR_SUBCARRIER() { \
509 v = ci; \
510 if(v < 0) v = -v; \
511 if(cq > 0) { \
512 v += cq; \
513 } else { \
514 v -= cq; \
515 } \
516 }
517 */
518 // Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by max(abs(ci),abs(cq)) + 1/2*min(abs(ci),abs(cq)))
519 #define CHECK_FOR_SUBCARRIER() { \
520 if(ci < 0) { \
521 if(cq < 0) { /* ci < 0, cq < 0 */ \
522 if (cq < ci) { \
523 v = -cq - (ci >> 1); \
524 } else { \
525 v = -ci - (cq >> 1); \
526 } \
527 } else { /* ci < 0, cq >= 0 */ \
528 if (cq < -ci) { \
529 v = -ci + (cq >> 1); \
530 } else { \
531 v = cq - (ci >> 1); \
532 } \
533 } \
534 } else { \
535 if(cq < 0) { /* ci >= 0, cq < 0 */ \
536 if (-cq < ci) { \
537 v = ci - (cq >> 1); \
538 } else { \
539 v = -cq + (ci >> 1); \
540 } \
541 } else { /* ci >= 0, cq >= 0 */ \
542 if (cq < ci) { \
543 v = ci + (cq >> 1); \
544 } else { \
545 v = cq + (ci >> 1); \
546 } \
547 } \
548 } \
549 }
550
551 switch(Demod.state) {
552 case DEMOD_UNSYNCD:
553 CHECK_FOR_SUBCARRIER();
554 if(v > SUBCARRIER_DETECT_THRESHOLD) { // subcarrier detected
555 Demod.state = DEMOD_PHASE_REF_TRAINING;
556 Demod.sumI = ci;
557 Demod.sumQ = cq;
558 Demod.posCount = 1;
559 }
560 break;
561
562 case DEMOD_PHASE_REF_TRAINING:
563 if(Demod.posCount < 8) {
564 CHECK_FOR_SUBCARRIER();
565 if (v > SUBCARRIER_DETECT_THRESHOLD) {
566 // set the reference phase (will code a logic '1') by averaging over 32 1/fs.
567 // note: synchronization time > 80 1/fs
568 Demod.sumI += ci;
569 Demod.sumQ += cq;
570 Demod.posCount++;
571 } else { // subcarrier lost
572 Demod.state = DEMOD_UNSYNCD;
573 }
574 } else {
575 Demod.state = DEMOD_AWAITING_FALLING_EDGE_OF_SOF;
576 }
577 break;
578
579 case DEMOD_AWAITING_FALLING_EDGE_OF_SOF:
580 MAKE_SOFT_DECISION();
581 if(v < 0) { // logic '0' detected
582 Demod.state = DEMOD_GOT_FALLING_EDGE_OF_SOF;
583 Demod.posCount = 0; // start of SOF sequence
584 } else {
585 if(Demod.posCount > 200/4) { // maximum length of TR1 = 200 1/fs
586 Demod.state = DEMOD_UNSYNCD;
587 }
588 }
589 Demod.posCount++;
590 break;
591
592 case DEMOD_GOT_FALLING_EDGE_OF_SOF:
593 Demod.posCount++;
594 MAKE_SOFT_DECISION();
595 if(v > 0) {
596 if(Demod.posCount < 9*2) { // low phase of SOF too short (< 9 etu). Note: spec is >= 10, but FPGA tends to "smear" edges
597 Demod.state = DEMOD_UNSYNCD;
598 } else {
599 LED_C_ON(); // Got SOF
600 Demod.state = DEMOD_AWAITING_START_BIT;
601 Demod.posCount = 0;
602 Demod.len = 0;
603 /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
604 Demod.metricN = 0;
605 Demod.metric = 0;
606 */
607 }
608 } else {
609 if(Demod.posCount > 12*2) { // low phase of SOF too long (> 12 etu)
610 Demod.state = DEMOD_UNSYNCD;
611 LED_C_OFF();
612 }
613 }
614 break;
615
616 case DEMOD_AWAITING_START_BIT:
617 Demod.posCount++;
618 MAKE_SOFT_DECISION();
619 if(v > 0) {
620 if(Demod.posCount > 3*2) { // max 19us between characters = 16 1/fs, max 3 etu after low phase of SOF = 24 1/fs
621 Demod.state = DEMOD_UNSYNCD;
622 LED_C_OFF();
623 }
624 } else { // start bit detected
625 Demod.bitCount = 0;
626 Demod.posCount = 1; // this was the first half
627 Demod.thisBit = v;
628 Demod.shiftReg = 0;
629 Demod.state = DEMOD_RECEIVING_DATA;
630 }
631 break;
632
633 case DEMOD_RECEIVING_DATA:
634 MAKE_SOFT_DECISION();
635 if(Demod.posCount == 0) { // first half of bit
636 Demod.thisBit = v;
637 Demod.posCount = 1;
638 } else { // second half of bit
639 Demod.thisBit += v;
640
641 /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
642 if(Demod.thisBit > 0) {
643 Demod.metric += Demod.thisBit;
644 } else {
645 Demod.metric -= Demod.thisBit;
646 }
647 (Demod.metricN)++;
648 */
649
650 Demod.shiftReg >>= 1;
651 if(Demod.thisBit > 0) { // logic '1'
652 Demod.shiftReg |= 0x200;
653 }
654
655 Demod.bitCount++;
656 if(Demod.bitCount == 10) {
657 uint16_t s = Demod.shiftReg;
658 if((s & 0x200) && !(s & 0x001)) { // stop bit == '1', start bit == '0'
659 uint8_t b = (s >> 1);
660 Demod.output[Demod.len] = b;
661 Demod.len++;
662 Demod.state = DEMOD_AWAITING_START_BIT;
663 } else {
664 Demod.state = DEMOD_UNSYNCD;
665 LED_C_OFF();
666 if(s == 0x000) {
667 // This is EOF (start, stop and all data bits == '0'
668 return TRUE;
669 }
670 }
671 }
672 Demod.posCount = 0;
673 }
674 break;
675
676 default:
677 Demod.state = DEMOD_UNSYNCD;
678 LED_C_OFF();
679 break;
680 }
681
682 return FALSE;
683 }
684
685
686 static void DemodReset()
687 {
688 // Clear out the state of the "UART" that receives from the tag.
689 Demod.len = 0;
690 Demod.state = DEMOD_UNSYNCD;
691 Demod.posCount = 0;
692 memset(Demod.output, 0x00, MAX_FRAME_SIZE);
693 }
694
695
696 static void DemodInit(uint8_t *data)
697 {
698 Demod.output = data;
699 DemodReset();
700 }
701
702
703 /*
704 * Demodulate the samples we received from the tag, also log to tracebuffer
705 * quiet: set to 'TRUE' to disable debug output
706 */
707 static void GetSamplesFor14443bDemod(int n, bool quiet)
708 {
709 int max = 0;
710 bool gotFrame = FALSE;
711 int lastRxCounter, ci, cq, samples = 0;
712
713 // Allocate memory from BigBuf for some buffers
714 // free all previous allocations first
715 BigBuf_free();
716
717 // The response (tag -> reader) that we're receiving.
718 uint8_t *receivedResponse = BigBuf_malloc(MAX_FRAME_SIZE);
719
720 // The DMA buffer, used to stream samples from the FPGA
721 int8_t *dmaBuf = (int8_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE);
722
723 // Set up the demodulator for tag -> reader responses.
724 DemodInit(receivedResponse);
725
726 // Setup and start DMA.
727 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE);
728
729 int8_t *upTo = dmaBuf;
730 lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
731
732 // Signal field is ON with the appropriate LED:
733 LED_D_ON();
734 // And put the FPGA in the appropriate mode
735 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
736
737 for(;;) {
738 int behindBy = lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR;
739 if(behindBy > max) max = behindBy;
740
741 while(((lastRxCounter-AT91C_BASE_PDC_SSC->PDC_RCR) & (ISO14443B_DMA_BUFFER_SIZE-1)) > 2) {
742 ci = upTo[0];
743 cq = upTo[1];
744 upTo += 2;
745 if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) {
746 upTo = dmaBuf;
747 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
748 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE;
749 }
750 lastRxCounter -= 2;
751 if(lastRxCounter <= 0) {
752 lastRxCounter += ISO14443B_DMA_BUFFER_SIZE;
753 }
754
755 samples += 2;
756
757 if(Handle14443bSamplesDemod(ci, cq)) {
758 gotFrame = TRUE;
759 break;
760 }
761 }
762
763 if(samples > n || gotFrame) {
764 break;
765 }
766 }
767
768 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
769
770 if (!quiet) Dbprintf("max behindby = %d, samples = %d, gotFrame = %d, Demod.len = %d, Demod.sumI = %d, Demod.sumQ = %d", max, samples, gotFrame, Demod.len, Demod.sumI, Demod.sumQ);
771 //Tracing
772 if (tracing && Demod.len > 0) {
773 uint8_t parity[MAX_PARITY_SIZE];
774 LogTrace(Demod.output, Demod.len, 0, 0, parity, FALSE);
775 }
776 }
777
778
779 //-----------------------------------------------------------------------------
780 // Transmit the command (to the tag) that was placed in ToSend[].
781 //-----------------------------------------------------------------------------
782 static void TransmitFor14443b(void)
783 {
784 int c;
785
786 FpgaSetupSsc();
787
788 while(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
789 AT91C_BASE_SSC->SSC_THR = 0xff;
790 }
791
792 // Signal field is ON with the appropriate Red LED
793 LED_D_ON();
794 // Signal we are transmitting with the Green LED
795 LED_B_ON();
796 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
797
798 for(c = 0; c < 10;) {
799 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
800 AT91C_BASE_SSC->SSC_THR = 0xff;
801 c++;
802 }
803 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
804 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
805 (void)r;
806 }
807 WDT_HIT();
808 }
809
810 c = 0;
811 for(;;) {
812 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
813 AT91C_BASE_SSC->SSC_THR = ToSend[c];
814 c++;
815 if(c >= ToSendMax) {
816 break;
817 }
818 }
819 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
820 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
821 (void)r;
822 }
823 WDT_HIT();
824 }
825 LED_B_OFF(); // Finished sending
826 }
827
828
829 //-----------------------------------------------------------------------------
830 // Code a layer 2 command (string of octets, including CRC) into ToSend[],
831 // so that it is ready to transmit to the tag using TransmitFor14443b().
832 //-----------------------------------------------------------------------------
833 static void CodeIso14443bAsReader(const uint8_t *cmd, int len)
834 {
835 int i, j;
836 uint8_t b;
837
838 ToSendReset();
839
840 // Establish initial reference level
841 for(i = 0; i < 40; i++) {
842 ToSendStuffBit(1);
843 }
844 // Send SOF
845 for(i = 0; i < 10; i++) {
846 ToSendStuffBit(0);
847 }
848
849 for(i = 0; i < len; i++) {
850 // Stop bits/EGT
851 ToSendStuffBit(1);
852 ToSendStuffBit(1);
853 // Start bit
854 ToSendStuffBit(0);
855 // Data bits
856 b = cmd[i];
857 for(j = 0; j < 8; j++) {
858 if(b & 1) {
859 ToSendStuffBit(1);
860 } else {
861 ToSendStuffBit(0);
862 }
863 b >>= 1;
864 }
865 }
866 // Send EOF
867 ToSendStuffBit(1);
868 for(i = 0; i < 10; i++) {
869 ToSendStuffBit(0);
870 }
871 for(i = 0; i < 8; i++) {
872 ToSendStuffBit(1);
873 }
874
875 // And then a little more, to make sure that the last character makes
876 // it out before we switch to rx mode.
877 for(i = 0; i < 24; i++) {
878 ToSendStuffBit(1);
879 }
880
881 // Convert from last character reference to length
882 ToSendMax++;
883 }
884
885
886 /**
887 Convenience function to encode, transmit and trace iso 14443b comms
888 **/
889 static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len)
890 {
891 CodeIso14443bAsReader(cmd, len);
892 TransmitFor14443b();
893 if (tracing) {
894 uint8_t parity[MAX_PARITY_SIZE];
895 LogTrace(cmd,len, 0, 0, parity, TRUE);
896 }
897 }
898
899
900 //-----------------------------------------------------------------------------
901 // Read a SRI512 ISO 14443B tag.
902 //
903 // SRI512 tags are just simple memory tags, here we're looking at making a dump
904 // of the contents of the memory. No anticollision algorithm is done, we assume
905 // we have a single tag in the field.
906 //
907 // I tried to be systematic and check every answer of the tag, every CRC, etc...
908 //-----------------------------------------------------------------------------
909 void ReadSTMemoryIso14443b(uint32_t dwLast)
910 {
911 clear_trace();
912 set_tracing(TRUE);
913
914 uint8_t i = 0x00;
915
916 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
917 // Make sure that we start from off, since the tags are stateful;
918 // confusing things will happen if we don't reset them between reads.
919 LED_D_OFF();
920 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
921 SpinDelay(200);
922
923 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
924 FpgaSetupSsc();
925
926 // Now give it time to spin up.
927 // Signal field is on with the appropriate LED
928 LED_D_ON();
929 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
930 SpinDelay(200);
931
932 // First command: wake up the tag using the INITIATE command
933 uint8_t cmd1[] = {0x06, 0x00, 0x97, 0x5b};
934 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
935 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
936
937 if (Demod.len == 0) {
938 DbpString("No response from tag");
939 return;
940 } else {
941 Dbprintf("Randomly generated Chip ID (+ 2 byte CRC): %02x %02x %02x",
942 Demod.output[0], Demod.output[1], Demod.output[2]);
943 }
944
945 // There is a response, SELECT the uid
946 DbpString("Now SELECT tag:");
947 cmd1[0] = 0x0E; // 0x0E is SELECT
948 cmd1[1] = Demod.output[0];
949 ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
950 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
951 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
952 if (Demod.len != 3) {
953 Dbprintf("Expected 3 bytes from tag, got %d", Demod.len);
954 return;
955 }
956 // Check the CRC of the answer:
957 ComputeCrc14443(CRC_14443_B, Demod.output, 1 , &cmd1[2], &cmd1[3]);
958 if(cmd1[2] != Demod.output[1] || cmd1[3] != Demod.output[2]) {
959 DbpString("CRC Error reading select response.");
960 return;
961 }
962 // Check response from the tag: should be the same UID as the command we just sent:
963 if (cmd1[1] != Demod.output[0]) {
964 Dbprintf("Bad response to SELECT from Tag, aborting: %02x %02x", cmd1[1], Demod.output[0]);
965 return;
966 }
967
968 // Tag is now selected,
969 // First get the tag's UID:
970 cmd1[0] = 0x0B;
971 ComputeCrc14443(CRC_14443_B, cmd1, 1 , &cmd1[1], &cmd1[2]);
972 CodeAndTransmit14443bAsReader(cmd1, 3); // Only first three bytes for this one
973 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
974 if (Demod.len != 10) {
975 Dbprintf("Expected 10 bytes from tag, got %d", Demod.len);
976 return;
977 }
978 // The check the CRC of the answer (use cmd1 as temporary variable):
979 ComputeCrc14443(CRC_14443_B, Demod.output, 8, &cmd1[2], &cmd1[3]);
980 if(cmd1[2] != Demod.output[8] || cmd1[3] != Demod.output[9]) {
981 Dbprintf("CRC Error reading block! Expected: %04x got: %04x",
982 (cmd1[2]<<8)+cmd1[3], (Demod.output[8]<<8)+Demod.output[9]);
983 // Do not return;, let's go on... (we should retry, maybe ?)
984 }
985 Dbprintf("Tag UID (64 bits): %08x %08x",
986 (Demod.output[7]<<24) + (Demod.output[6]<<16) + (Demod.output[5]<<8) + Demod.output[4],
987 (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0]);
988
989 // Now loop to read all 16 blocks, address from 0 to last block
990 Dbprintf("Tag memory dump, block 0 to %d", dwLast);
991 cmd1[0] = 0x08;
992 i = 0x00;
993 dwLast++;
994 for (;;) {
995 if (i == dwLast) {
996 DbpString("System area block (0xff):");
997 i = 0xff;
998 }
999 cmd1[1] = i;
1000 ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
1001 CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
1002 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
1003 if (Demod.len != 6) { // Check if we got an answer from the tag
1004 DbpString("Expected 6 bytes from tag, got less...");
1005 return;
1006 }
1007 // The check the CRC of the answer (use cmd1 as temporary variable):
1008 ComputeCrc14443(CRC_14443_B, Demod.output, 4, &cmd1[2], &cmd1[3]);
1009 if(cmd1[2] != Demod.output[4] || cmd1[3] != Demod.output[5]) {
1010 Dbprintf("CRC Error reading block! Expected: %04x got: %04x",
1011 (cmd1[2]<<8)+cmd1[3], (Demod.output[4]<<8)+Demod.output[5]);
1012 // Do not return;, let's go on... (we should retry, maybe ?)
1013 }
1014 // Now print out the memory location:
1015 Dbprintf("Address=%02x, Contents=%08x, CRC=%04x", i,
1016 (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0],
1017 (Demod.output[4]<<8)+Demod.output[5]);
1018 if (i == 0xff) {
1019 break;
1020 }
1021 i++;
1022 }
1023 }
1024
1025
1026 //=============================================================================
1027 // Finally, the `sniffer' combines elements from both the reader and
1028 // simulated tag, to show both sides of the conversation.
1029 //=============================================================================
1030
1031 //-----------------------------------------------------------------------------
1032 // Record the sequence of commands sent by the reader to the tag, with
1033 // triggering so that we start recording at the point that the tag is moved
1034 // near the reader.
1035 //-----------------------------------------------------------------------------
1036 /*
1037 * Memory usage for this function, (within BigBuf)
1038 * Last Received command (reader->tag) - MAX_FRAME_SIZE
1039 * Last Received command (tag->reader) - MAX_FRAME_SIZE
1040 * DMA Buffer - ISO14443B_DMA_BUFFER_SIZE
1041 * Demodulated samples received - all the rest
1042 */
1043 void RAMFUNC SnoopIso14443b(void)
1044 {
1045 // We won't start recording the frames that we acquire until we trigger;
1046 // a good trigger condition to get started is probably when we see a
1047 // response from the tag.
1048 int triggered = TRUE; // TODO: set and evaluate trigger condition
1049
1050 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1051 BigBuf_free();
1052
1053 clear_trace();
1054 set_tracing(TRUE);
1055
1056 // The DMA buffer, used to stream samples from the FPGA
1057 int8_t *dmaBuf = (int8_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE);
1058 int lastRxCounter;
1059 int8_t *upTo;
1060 int ci, cq;
1061 int maxBehindBy = 0;
1062
1063 // Count of samples received so far, so that we can include timing
1064 // information in the trace buffer.
1065 int samples = 0;
1066
1067 DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
1068 UartInit(BigBuf_malloc(MAX_FRAME_SIZE));
1069
1070 // Print some debug information about the buffer sizes
1071 Dbprintf("Snooping buffers initialized:");
1072 Dbprintf(" Trace: %i bytes", BigBuf_max_traceLen());
1073 Dbprintf(" Reader -> tag: %i bytes", MAX_FRAME_SIZE);
1074 Dbprintf(" tag -> Reader: %i bytes", MAX_FRAME_SIZE);
1075 Dbprintf(" DMA: %i bytes", ISO14443B_DMA_BUFFER_SIZE);
1076
1077 // Signal field is off, no reader signal, no tag signal
1078 LEDsoff();
1079
1080 // And put the FPGA in the appropriate mode
1081 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ | FPGA_HF_READER_RX_XCORR_SNOOP);
1082 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1083
1084 // Setup for the DMA.
1085 FpgaSetupSsc();
1086 upTo = dmaBuf;
1087 lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
1088 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE);
1089 uint8_t parity[MAX_PARITY_SIZE];
1090
1091 bool TagIsActive = FALSE;
1092 bool ReaderIsActive = FALSE;
1093
1094 // And now we loop, receiving samples.
1095 for(;;) {
1096 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
1097 (ISO14443B_DMA_BUFFER_SIZE-1);
1098 if(behindBy > maxBehindBy) {
1099 maxBehindBy = behindBy;
1100 }
1101
1102 if(behindBy < 2) continue;
1103
1104 ci = upTo[0];
1105 cq = upTo[1];
1106 upTo += 2;
1107 lastRxCounter -= 2;
1108 if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) {
1109 upTo = dmaBuf;
1110 lastRxCounter += ISO14443B_DMA_BUFFER_SIZE;
1111 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
1112 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE;
1113 WDT_HIT();
1114 if(behindBy > (9*ISO14443B_DMA_BUFFER_SIZE/10)) { // TODO: understand whether we can increase/decrease as we want or not?
1115 Dbprintf("blew circular buffer! behindBy=%d", behindBy);
1116 break;
1117 }
1118 if(!tracing) {
1119 DbpString("Reached trace limit");
1120 break;
1121 }
1122 if(BUTTON_PRESS()) {
1123 DbpString("cancelled");
1124 break;
1125 }
1126 }
1127
1128 samples += 2;
1129
1130 if (!TagIsActive) { // no need to try decoding reader data if the tag is sending
1131 if(Handle14443bUartBit(ci & 0x01)) {
1132 if(triggered && tracing) {
1133 LogTrace(Uart.output, Uart.byteCnt, samples, samples, parity, TRUE);
1134 }
1135 /* And ready to receive another command. */
1136 UartReset();
1137 /* And also reset the demod code, which might have been */
1138 /* false-triggered by the commands from the reader. */
1139 DemodReset();
1140 }
1141 if(Handle14443bUartBit(cq & 0x01)) {
1142 if(triggered && tracing) {
1143 LogTrace(Uart.output, Uart.byteCnt, samples, samples, parity, TRUE);
1144 }
1145 /* And ready to receive another command. */
1146 UartReset();
1147 /* And also reset the demod code, which might have been */
1148 /* false-triggered by the commands from the reader. */
1149 DemodReset();
1150 }
1151 ReaderIsActive = (Uart.state > STATE_GOT_FALLING_EDGE_OF_SOF);
1152 }
1153
1154 if(!ReaderIsActive) { // no need to try decoding tag data if the reader is sending - and we cannot afford the time
1155 if(Handle14443bSamplesDemod(ci | 0x01, cq | 0x01)) {
1156
1157 //Use samples as a time measurement
1158 if(tracing)
1159 {
1160 uint8_t parity[MAX_PARITY_SIZE];
1161 LogTrace(Demod.output, Demod.len, samples, samples, parity, FALSE);
1162 }
1163 triggered = TRUE;
1164
1165 // And ready to receive another response.
1166 DemodReset();
1167 }
1168 TagIsActive = (Demod.state > DEMOD_GOT_FALLING_EDGE_OF_SOF);
1169 }
1170
1171 }
1172
1173 FpgaDisableSscDma();
1174 LEDsoff();
1175 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
1176 DbpString("Snoop statistics:");
1177 Dbprintf(" Max behind by: %i", maxBehindBy);
1178 Dbprintf(" Uart State: %x", Uart.state);
1179 Dbprintf(" Uart ByteCnt: %i", Uart.byteCnt);
1180 Dbprintf(" Uart ByteCntMax: %i", Uart.byteCntMax);
1181 Dbprintf(" Trace length: %i", BigBuf_get_traceLen());
1182 }
1183
1184
1185 /*
1186 * Send raw command to tag ISO14443B
1187 * @Input
1188 * datalen len of buffer data
1189 * recv bool when true wait for data from tag and send to client
1190 * powerfield bool leave the field on when true
1191 * data buffer with byte to send
1192 *
1193 * @Output
1194 * none
1195 *
1196 */
1197 void SendRawCommand14443B(uint32_t datalen, uint32_t recv, uint8_t powerfield, uint8_t data[])
1198 {
1199 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1200 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1201 FpgaSetupSsc();
1202
1203 set_tracing(TRUE);
1204
1205 CodeAndTransmit14443bAsReader(data, datalen);
1206
1207 if(recv) {
1208 GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
1209 uint16_t iLen = MIN(Demod.len, USB_CMD_DATA_SIZE);
1210 cmd_send(CMD_ACK, iLen, 0, 0, Demod.output, iLen);
1211 }
1212
1213 if(!powerfield) {
1214 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1215 LED_D_OFF();
1216 }
1217 }
1218
Proxmark3 GIT tracking
Impressum, Datenschutz