]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/appmain.c
add l/h option to hw tune and optimize order of tuning
[proxmark3-svn] / armsrc / appmain.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, Mar 2006
3 // Edits by Gerhard de Koning Gans, Sep 2007 (##)
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // The main application code. This is the first thing called after start.c
10 // executes.
11 //-----------------------------------------------------------------------------
12
13 #include "usb_cdc.h"
14 #include "cmd.h"
15
16 #include "proxmark3.h"
17 #include "apps.h"
18 #include "util.h"
19 #include "printf.h"
20 #include "string.h"
21
22 #include <stdarg.h>
23
24 #include "legicrf.h"
25 #include <hitag2.h>
26 #include <hitagS.h>
27 #include "lfsampling.h"
28 #include "BigBuf.h"
29 #include "mifareutil.h"
30 #include "pcf7931.h"
31 #ifdef WITH_LCD
32 #include "LCD.h"
33 #endif
34
35 // Craig Young - 14a stand-alone code
36 #ifdef WITH_ISO14443a_StandAlone
37 #include "iso14443a.h"
38 #endif
39
40 #define abs(x) ( ((x)<0) ? -(x) : (x) )
41
42 //=============================================================================
43 // A buffer where we can queue things up to be sent through the FPGA, for
44 // any purpose (fake tag, as reader, whatever). We go MSB first, since that
45 // is the order in which they go out on the wire.
46 //=============================================================================
47
48 #define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
49 uint8_t ToSend[TOSEND_BUFFER_SIZE];
50 int ToSendMax;
51 static int ToSendBit;
52 struct common_area common_area __attribute__((section(".commonarea")));
53
54 void ToSendReset(void)
55 {
56 ToSendMax = -1;
57 ToSendBit = 8;
58 }
59
60 void ToSendStuffBit(int b)
61 {
62 if(ToSendBit >= 8) {
63 ToSendMax++;
64 ToSend[ToSendMax] = 0;
65 ToSendBit = 0;
66 }
67
68 if(b) {
69 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
70 }
71
72 ToSendBit++;
73
74 if(ToSendMax >= sizeof(ToSend)) {
75 ToSendBit = 0;
76 DbpString("ToSendStuffBit overflowed!");
77 }
78 }
79
80 //=============================================================================
81 // Debug print functions, to go out over USB, to the usual PC-side client.
82 //=============================================================================
83
84 void DbpString(char *str)
85 {
86 byte_t len = strlen(str);
87 cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len);
88 }
89
90 #if 0
91 void DbpIntegers(int x1, int x2, int x3)
92 {
93 cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
94 }
95 #endif
96
97 void Dbprintf(const char *fmt, ...) {
98 // should probably limit size here; oh well, let's just use a big buffer
99 char output_string[128];
100 va_list ap;
101
102 va_start(ap, fmt);
103 kvsprintf(fmt, output_string, 10, ap);
104 va_end(ap);
105
106 DbpString(output_string);
107 }
108
109 // prints HEX & ASCII
110 void Dbhexdump(int len, uint8_t *d, bool bAsci) {
111 int l=0,i;
112 char ascii[9];
113
114 while (len>0) {
115 if (len>8) l=8;
116 else l=len;
117
118 memcpy(ascii,d,l);
119 ascii[l]=0;
120
121 // filter safe ascii
122 for (i=0;i<l;i++)
123 if (ascii[i]<32 || ascii[i]>126) ascii[i]='.';
124
125 if (bAsci) {
126 Dbprintf("%-8s %*D",ascii,l,d," ");
127 } else {
128 Dbprintf("%*D",l,d," ");
129 }
130
131 len-=8;
132 d+=8;
133 }
134 }
135
136 //-----------------------------------------------------------------------------
137 // Read an ADC channel and block till it completes, then return the result
138 // in ADC units (0 to 1023). Also a routine to average 32 samples and
139 // return that.
140 //-----------------------------------------------------------------------------
141 static int ReadAdc(int ch)
142 {
143 uint32_t d;
144
145 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
146 AT91C_BASE_ADC->ADC_MR =
147 ADC_MODE_PRESCALE(63 /* was 32 */) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
148 ADC_MODE_STARTUP_TIME(1 /* was 16 */) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
149 ADC_MODE_SAMPLE_HOLD_TIME(15 /* was 8 */); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
150
151 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
152 // Both AMPL_LO and AMPL_HI are very high impedance (10MOhm) outputs, the input capacitance of the ADC is 12pF (typical). This results in a time constant
153 // of RC = 10MOhm * 12pF = 120us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
154 //
155 // The maths are:
156 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
157 //
158 // v_cap = v_in * (1 - exp(-RC/SHTIM)) = v_in * (1 - exp(-3)) = v_in * 0,95 (i.e. an error of 5%)
159 //
160 // Note: with the "historic" values in the comments above, the error was 34% !!!
161
162 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
163
164 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
165
166 while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch)))
167 ;
168 d = AT91C_BASE_ADC->ADC_CDR[ch];
169
170 return d;
171 }
172
173 int AvgAdc(int ch) // was static - merlok
174 {
175 int i;
176 int a = 0;
177
178 for(i = 0; i < 32; i++) {
179 a += ReadAdc(ch);
180 }
181
182 return (a + 15) >> 5;
183 }
184
185 void MeasureAntennaTuningLfOnly(int *vLf125, int *vLf134, int *peakf, int *peakv, uint8_t LF_Results[])
186 {
187 int i, adcval = 0, peak = 0;
188
189 /*
190 * Sweeps the useful LF range of the proxmark from
191 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
192 * read the voltage in the antenna, the result left
193 * in the buffer is a graph which should clearly show
194 * the resonating frequency of your LF antenna
195 * ( hopefully around 95 if it is tuned to 125kHz!)
196 */
197
198 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
199 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
200 for (i=255; i>=19; i--) {
201 WDT_HIT();
202 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
203 SpinDelay(20);
204 adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
205 if (i==95) *vLf125 = adcval; // voltage at 125Khz
206 if (i==89) *vLf134 = adcval; // voltage at 134Khz
207
208 LF_Results[i] = adcval>>8; // scale int to fit in byte for graphing purposes
209 if(LF_Results[i] > peak) {
210 *peakv = adcval;
211 peak = LF_Results[i];
212 *peakf = i;
213 //ptr = i;
214 }
215 }
216
217 for (i=18; i >= 0; i--) LF_Results[i] = 0;
218
219 return;
220 }
221
222 void MeasureAntennaTuningHfOnly(int *vHf)
223 {
224 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
225 LED_A_ON();
226 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
227 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
228 SpinDelay(20);
229 *vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
230 LED_A_OFF();
231
232 return;
233 }
234
235 void MeasureAntennaTuning(int mode)
236 {
237 uint8_t LF_Results[256] = {0};
238 int peakv = 0, peakf = 0;
239 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
240
241 LED_B_ON();
242
243 if (((mode & FLAG_TUNE_ALL) == FLAG_TUNE_ALL) && (FpgaGetCurrent() == FPGA_BITSTREAM_HF)) {
244 // Reverse "standard" order if HF already loaded, to avoid unnecessary swap.
245 MeasureAntennaTuningHfOnly(&vHf);
246 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
247 } else {
248 if (mode & FLAG_TUNE_LF) {
249 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
250 }
251 if (mode & FLAG_TUNE_HF) {
252 MeasureAntennaTuningHfOnly(&vHf);
253 }
254 }
255
256 cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125 | (vLf134<<16), vHf, peakf | (peakv<<16), LF_Results, 256);
257 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
258 LED_B_OFF();
259 return;
260 }
261
262 void MeasureAntennaTuningHf(void)
263 {
264 int vHf = 0; // in mV
265
266 DbpString("Measuring HF antenna, press button to exit");
267
268 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
269 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
270 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
271
272 for (;;) {
273 SpinDelay(20);
274 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
275
276 Dbprintf("%d mV",vHf);
277 if (BUTTON_PRESS()) break;
278 }
279 DbpString("cancelled");
280
281 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
282
283 }
284
285
286 void ReadMem(int addr)
287 {
288 const uint8_t *data = ((uint8_t *)addr);
289
290 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
291 addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
292 }
293
294 /* osimage version information is linked in */
295 extern struct version_information version_information;
296 /* bootrom version information is pointed to from _bootphase1_version_pointer */
297 extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
298 void SendVersion(void)
299 {
300 char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
301 char VersionString[USB_CMD_DATA_SIZE] = { '\0' };
302
303 /* Try to find the bootrom version information. Expect to find a pointer at
304 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
305 * pointer, then use it.
306 */
307 char *bootrom_version = *(char**)&_bootphase1_version_pointer;
308 if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
309 strcat(VersionString, "bootrom version information appears invalid\n");
310 } else {
311 FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
312 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
313 }
314
315 FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
316 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
317
318 FpgaGatherVersion(FPGA_BITSTREAM_LF, temp, sizeof(temp));
319 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
320 FpgaGatherVersion(FPGA_BITSTREAM_HF, temp, sizeof(temp));
321 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
322
323 // Send Chip ID and used flash memory
324 uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
325 uint32_t compressed_data_section_size = common_area.arg1;
326 cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, 0, VersionString, strlen(VersionString));
327 }
328
329 // measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
330 // Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
331 void printUSBSpeed(void)
332 {
333 Dbprintf("USB Speed:");
334 Dbprintf(" Sending USB packets to client...");
335
336 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
337 uint8_t *test_data = BigBuf_get_addr();
338 uint32_t end_time;
339
340 uint32_t start_time = end_time = GetTickCount();
341 uint32_t bytes_transferred = 0;
342
343 LED_B_ON();
344 while(end_time < start_time + USB_SPEED_TEST_MIN_TIME) {
345 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE);
346 end_time = GetTickCount();
347 bytes_transferred += USB_CMD_DATA_SIZE;
348 }
349 LED_B_OFF();
350
351 Dbprintf(" Time elapsed: %dms", end_time - start_time);
352 Dbprintf(" Bytes transferred: %d", bytes_transferred);
353 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
354 1000 * bytes_transferred / (end_time - start_time));
355
356 }
357
358 /**
359 * Prints runtime information about the PM3.
360 **/
361 void SendStatus(void)
362 {
363 BigBuf_print_status();
364 Fpga_print_status();
365 printConfig(); //LF Sampling config
366 printUSBSpeed();
367 Dbprintf("Various");
368 Dbprintf(" MF_DBGLEVEL......%d", MF_DBGLEVEL);
369 Dbprintf(" ToSendMax........%d",ToSendMax);
370 Dbprintf(" ToSendBit........%d",ToSendBit);
371
372 cmd_send(CMD_ACK,1,0,0,0,0);
373 }
374
375 #if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF)
376
377 #define OPTS 2
378
379 void StandAloneMode()
380 {
381 DbpString("Stand-alone mode! No PC necessary.");
382 // Oooh pretty -- notify user we're in elite samy mode now
383 LED(LED_RED, 200);
384 LED(LED_ORANGE, 200);
385 LED(LED_GREEN, 200);
386 LED(LED_ORANGE, 200);
387 LED(LED_RED, 200);
388 LED(LED_ORANGE, 200);
389 LED(LED_GREEN, 200);
390 LED(LED_ORANGE, 200);
391 LED(LED_RED, 200);
392
393 }
394
395 #endif
396
397
398
399 #ifdef WITH_ISO14443a_StandAlone
400 void StandAloneMode14a()
401 {
402 StandAloneMode();
403 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
404
405 int selected = 0;
406 int playing = 0, iGotoRecord = 0, iGotoClone = 0;
407 int cardRead[OPTS] = {0};
408 uint8_t readUID[10] = {0};
409 uint32_t uid_1st[OPTS]={0};
410 uint32_t uid_2nd[OPTS]={0};
411 uint32_t uid_tmp1 = 0;
412 uint32_t uid_tmp2 = 0;
413 iso14a_card_select_t hi14a_card[OPTS];
414
415 LED(selected + 1, 0);
416
417 for (;;)
418 {
419 usb_poll();
420 WDT_HIT();
421 SpinDelay(300);
422
423 if (iGotoRecord == 1 || cardRead[selected] == 0)
424 {
425 iGotoRecord = 0;
426 LEDsoff();
427 LED(selected + 1, 0);
428 LED(LED_RED2, 0);
429
430 // record
431 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected);
432 /* need this delay to prevent catching some weird data */
433 SpinDelay(500);
434 /* Code for reading from 14a tag */
435 uint8_t uid[10] ={0};
436 uint32_t cuid;
437 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
438
439 for ( ; ; )
440 {
441 WDT_HIT();
442 if (BUTTON_PRESS()) {
443 if (cardRead[selected]) {
444 Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
445 break;
446 }
447 else if (cardRead[(selected+1)%OPTS]) {
448 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS);
449 selected = (selected+1)%OPTS;
450 break; // playing = 1;
451 }
452 else {
453 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
454 SpinDelay(300);
455 }
456 }
457 if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid))
458 continue;
459 else
460 {
461 Dbprintf("Read UID:"); Dbhexdump(10,uid,0);
462 memcpy(readUID,uid,10*sizeof(uint8_t));
463 uint8_t *dst = (uint8_t *)&uid_tmp1;
464 // Set UID byte order
465 for (int i=0; i<4; i++)
466 dst[i] = uid[3-i];
467 dst = (uint8_t *)&uid_tmp2;
468 for (int i=0; i<4; i++)
469 dst[i] = uid[7-i];
470 if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) {
471 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
472 }
473 else {
474 if (uid_tmp2) {
475 Dbprintf("Bank[%d] received a 7-byte UID",selected);
476 uid_1st[selected] = (uid_tmp1)>>8;
477 uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8);
478 }
479 else {
480 Dbprintf("Bank[%d] received a 4-byte UID",selected);
481 uid_1st[selected] = uid_tmp1;
482 uid_2nd[selected] = uid_tmp2;
483 }
484 break;
485 }
486 }
487 }
488 Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]);
489 Dbprintf("SAK = %02X",hi14a_card[selected].sak);
490 LEDsoff();
491 LED(LED_GREEN, 200);
492 LED(LED_ORANGE, 200);
493 LED(LED_GREEN, 200);
494 LED(LED_ORANGE, 200);
495
496 LEDsoff();
497 LED(selected + 1, 0);
498
499 // Next state is replay:
500 playing = 1;
501
502 cardRead[selected] = 1;
503 }
504 /* MF Classic UID clone */
505 else if (iGotoClone==1)
506 {
507 iGotoClone=0;
508 LEDsoff();
509 LED(selected + 1, 0);
510 LED(LED_ORANGE, 250);
511
512
513 // record
514 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]);
515
516 // wait for button to be released
517 while(BUTTON_PRESS())
518 {
519 // Delay cloning until card is in place
520 WDT_HIT();
521 }
522 Dbprintf("Starting clone. [Bank: %u]", selected);
523 // need this delay to prevent catching some weird data
524 SpinDelay(500);
525 // Begin clone function here:
526 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
527 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}};
528 memcpy(c.d.asBytes, data, 16);
529 SendCommand(&c);
530
531 Block read is similar:
532 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}};
533 We need to imitate that call with blockNo 0 to set a uid.
534
535 The get and set commands are handled in this file:
536 // Work with "magic Chinese" card
537 case CMD_MIFARE_CSETBLOCK:
538 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
539 break;
540 case CMD_MIFARE_CGETBLOCK:
541 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
542 break;
543
544 mfCSetUID provides example logic for UID set workflow:
545 -Read block0 from card in field with MifareCGetBlock()
546 -Configure new values without replacing reserved bytes
547 memcpy(block0, uid, 4); // Copy UID bytes from byte array
548 // Mifare UID BCC
549 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
550 Bytes 5-7 are reserved SAK and ATQA for mifare classic
551 -Use mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER) to write it
552 */
553 uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0};
554 // arg0 = Flags == CSETBLOCK_SINGLE_OPER=0x1F, arg1=returnSlot, arg2=blockNo
555 MifareCGetBlock(0x3F, 1, 0, oldBlock0);
556 if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
557 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
558 playing = 1;
559 }
560 else {
561 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]);
562 memcpy(newBlock0,oldBlock0,16);
563 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
564
565 newBlock0[0] = uid_1st[selected]>>24;
566 newBlock0[1] = 0xFF & (uid_1st[selected]>>16);
567 newBlock0[2] = 0xFF & (uid_1st[selected]>>8);
568 newBlock0[3] = 0xFF & (uid_1st[selected]);
569 newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3];
570 // arg0 = needWipe, arg1 = workFlags, arg2 = blockNo, datain
571 MifareCSetBlock(0, 0xFF,0, newBlock0);
572 MifareCGetBlock(0x3F, 1, 0, testBlock0);
573 if (memcmp(testBlock0,newBlock0,16)==0)
574 {
575 DbpString("Cloned successfull!");
576 cardRead[selected] = 0; // Only if the card was cloned successfully should we clear it
577 playing = 0;
578 iGotoRecord = 1;
579 selected = (selected+1) % OPTS;
580 }
581 else {
582 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
583 playing = 1;
584 }
585 }
586 LEDsoff();
587 LED(selected + 1, 0);
588
589 }
590 // Change where to record (or begin playing)
591 else if (playing==1) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
592 {
593 LEDsoff();
594 LED(selected + 1, 0);
595
596 // Begin transmitting
597 if (playing)
598 {
599 LED(LED_GREEN, 0);
600 DbpString("Playing");
601 for ( ; ; ) {
602 WDT_HIT();
603 int button_action = BUTTON_HELD(1000);
604 if (button_action == 0) { // No button action, proceed with sim
605 uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break
606 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected);
607 if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) {
608 DbpString("Mifare Classic");
609 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data); // Mifare Classic
610 }
611 else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) {
612 DbpString("Mifare Ultralight");
613 SimulateIso14443aTag(2,uid_1st[selected],uid_2nd[selected],data); // Mifare Ultralight
614 }
615 else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) {
616 DbpString("Mifare DESFire");
617 SimulateIso14443aTag(3,uid_1st[selected],uid_2nd[selected],data); // Mifare DESFire
618 }
619 else {
620 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
621 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data);
622 }
623 }
624 else if (button_action == BUTTON_SINGLE_CLICK) {
625 selected = (selected + 1) % OPTS;
626 Dbprintf("Done playing. Switching to record mode on bank %d",selected);
627 iGotoRecord = 1;
628 break;
629 }
630 else if (button_action == BUTTON_HOLD) {
631 Dbprintf("Playtime over. Begin cloning...");
632 iGotoClone = 1;
633 break;
634 }
635 WDT_HIT();
636 }
637
638 /* We pressed a button so ignore it here with a delay */
639 SpinDelay(300);
640 LEDsoff();
641 LED(selected + 1, 0);
642 }
643 else
644 while(BUTTON_PRESS())
645 WDT_HIT();
646 }
647 }
648 }
649 #elif WITH_LF
650 // samy's sniff and repeat routine
651 void SamyRun()
652 {
653 StandAloneMode();
654 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
655
656 int high[OPTS], low[OPTS];
657 int selected = 0;
658 int playing = 0;
659 int cardRead = 0;
660
661 // Turn on selected LED
662 LED(selected + 1, 0);
663
664 for (;;)
665 {
666 usb_poll();
667 WDT_HIT();
668
669 // Was our button held down or pressed?
670 int button_pressed = BUTTON_HELD(1000);
671 SpinDelay(300);
672
673 // Button was held for a second, begin recording
674 if (button_pressed > 0 && cardRead == 0)
675 {
676 LEDsoff();
677 LED(selected + 1, 0);
678 LED(LED_RED2, 0);
679
680 // record
681 DbpString("Starting recording");
682
683 // wait for button to be released
684 while(BUTTON_PRESS())
685 WDT_HIT();
686
687 /* need this delay to prevent catching some weird data */
688 SpinDelay(500);
689
690 CmdHIDdemodFSK(1, &high[selected], &low[selected], 0);
691 Dbprintf("Recorded %x %x%08x", selected, high[selected], low[selected]);
692
693 LEDsoff();
694 LED(selected + 1, 0);
695 // Finished recording
696
697 // If we were previously playing, set playing off
698 // so next button push begins playing what we recorded
699 playing = 0;
700
701 cardRead = 1;
702
703 }
704
705 else if (button_pressed > 0 && cardRead == 1)
706 {
707 LEDsoff();
708 LED(selected + 1, 0);
709 LED(LED_ORANGE, 0);
710
711 // record
712 Dbprintf("Cloning %x %x%08x", selected, high[selected], low[selected]);
713
714 // wait for button to be released
715 while(BUTTON_PRESS())
716 WDT_HIT();
717
718 /* need this delay to prevent catching some weird data */
719 SpinDelay(500);
720
721 CopyHIDtoT55x7(0, high[selected], low[selected], 0);
722 Dbprintf("Cloned %x %x%08x", selected, high[selected], low[selected]);
723
724 LEDsoff();
725 LED(selected + 1, 0);
726 // Finished recording
727
728 // If we were previously playing, set playing off
729 // so next button push begins playing what we recorded
730 playing = 0;
731
732 cardRead = 0;
733
734 }
735
736 // Change where to record (or begin playing)
737 else if (button_pressed)
738 {
739 // Next option if we were previously playing
740 if (playing)
741 selected = (selected + 1) % OPTS;
742 playing = !playing;
743
744 LEDsoff();
745 LED(selected + 1, 0);
746
747 // Begin transmitting
748 if (playing)
749 {
750 LED(LED_GREEN, 0);
751 DbpString("Playing");
752 // wait for button to be released
753 while(BUTTON_PRESS())
754 WDT_HIT();
755 Dbprintf("%x %x%08x", selected, high[selected], low[selected]);
756 CmdHIDsimTAG(high[selected], low[selected], 0);
757 DbpString("Done playing");
758 if (BUTTON_HELD(1000) > 0)
759 {
760 DbpString("Exiting");
761 LEDsoff();
762 return;
763 }
764
765 /* We pressed a button so ignore it here with a delay */
766 SpinDelay(300);
767
768 // when done, we're done playing, move to next option
769 selected = (selected + 1) % OPTS;
770 playing = !playing;
771 LEDsoff();
772 LED(selected + 1, 0);
773 }
774 else
775 while(BUTTON_PRESS())
776 WDT_HIT();
777 }
778 }
779 }
780
781 #endif
782 /*
783 OBJECTIVE
784 Listen and detect an external reader. Determine the best location
785 for the antenna.
786
787 INSTRUCTIONS:
788 Inside the ListenReaderField() function, there is two mode.
789 By default, when you call the function, you will enter mode 1.
790 If you press the PM3 button one time, you will enter mode 2.
791 If you press the PM3 button a second time, you will exit the function.
792
793 DESCRIPTION OF MODE 1:
794 This mode just listens for an external reader field and lights up green
795 for HF and/or red for LF. This is the original mode of the detectreader
796 function.
797
798 DESCRIPTION OF MODE 2:
799 This mode will visually represent, using the LEDs, the actual strength of the
800 current compared to the maximum current detected. Basically, once you know
801 what kind of external reader is present, it will help you spot the best location to place
802 your antenna. You will probably not get some good results if there is a LF and a HF reader
803 at the same place! :-)
804
805 LIGHT SCHEME USED:
806 */
807 static const char LIGHT_SCHEME[] = {
808 0x0, /* ---- | No field detected */
809 0x1, /* X--- | 14% of maximum current detected */
810 0x2, /* -X-- | 29% of maximum current detected */
811 0x4, /* --X- | 43% of maximum current detected */
812 0x8, /* ---X | 57% of maximum current detected */
813 0xC, /* --XX | 71% of maximum current detected */
814 0xE, /* -XXX | 86% of maximum current detected */
815 0xF, /* XXXX | 100% of maximum current detected */
816 };
817 static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
818
819 void ListenReaderField(int limit)
820 {
821 int lf_av, lf_av_new, lf_baseline= 0, lf_max;
822 int hf_av, hf_av_new, hf_baseline= 0, hf_max;
823 int mode=1, display_val, display_max, i;
824
825 #define LF_ONLY 1
826 #define HF_ONLY 2
827 #define REPORT_CHANGE 10 // report new values only if they have changed at least by REPORT_CHANGE
828
829
830 // switch off FPGA - we don't want to measure our own signal
831 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
832 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
833
834 LEDsoff();
835
836 lf_av = lf_max = AvgAdc(ADC_CHAN_LF);
837
838 if(limit != HF_ONLY) {
839 Dbprintf("LF 125/134kHz Baseline: %dmV", (MAX_ADC_LF_VOLTAGE * lf_av) >> 10);
840 lf_baseline = lf_av;
841 }
842
843 hf_av = hf_max = AvgAdc(ADC_CHAN_HF);
844
845 if (limit != LF_ONLY) {
846 Dbprintf("HF 13.56MHz Baseline: %dmV", (MAX_ADC_HF_VOLTAGE * hf_av) >> 10);
847 hf_baseline = hf_av;
848 }
849
850 for(;;) {
851 if (BUTTON_PRESS()) {
852 SpinDelay(500);
853 switch (mode) {
854 case 1:
855 mode=2;
856 DbpString("Signal Strength Mode");
857 break;
858 case 2:
859 default:
860 DbpString("Stopped");
861 LEDsoff();
862 return;
863 break;
864 }
865 }
866 WDT_HIT();
867
868 if (limit != HF_ONLY) {
869 if(mode == 1) {
870 if (abs(lf_av - lf_baseline) > REPORT_CHANGE)
871 LED_D_ON();
872 else
873 LED_D_OFF();
874 }
875
876 lf_av_new = AvgAdc(ADC_CHAN_LF);
877 // see if there's a significant change
878 if(abs(lf_av - lf_av_new) > REPORT_CHANGE) {
879 Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE * lf_av_new) >> 10);
880 lf_av = lf_av_new;
881 if (lf_av > lf_max)
882 lf_max = lf_av;
883 }
884 }
885
886 if (limit != LF_ONLY) {
887 if (mode == 1){
888 if (abs(hf_av - hf_baseline) > REPORT_CHANGE)
889 LED_B_ON();
890 else
891 LED_B_OFF();
892 }
893
894 hf_av_new = AvgAdc(ADC_CHAN_HF);
895 // see if there's a significant change
896 if(abs(hf_av - hf_av_new) > REPORT_CHANGE) {
897 Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE * hf_av_new) >> 10);
898 hf_av = hf_av_new;
899 if (hf_av > hf_max)
900 hf_max = hf_av;
901 }
902 }
903
904 if(mode == 2) {
905 if (limit == LF_ONLY) {
906 display_val = lf_av;
907 display_max = lf_max;
908 } else if (limit == HF_ONLY) {
909 display_val = hf_av;
910 display_max = hf_max;
911 } else { /* Pick one at random */
912 if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
913 display_val = hf_av;
914 display_max = hf_max;
915 } else {
916 display_val = lf_av;
917 display_max = lf_max;
918 }
919 }
920 for (i=0; i<LIGHT_LEN; i++) {
921 if (display_val >= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) {
922 if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF();
923 if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF();
924 if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF();
925 if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF();
926 break;
927 }
928 }
929 }
930 }
931 }
932
933 void UsbPacketReceived(uint8_t *packet, int len)
934 {
935 UsbCommand *c = (UsbCommand *)packet;
936
937 // Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
938
939 switch(c->cmd) {
940 #ifdef WITH_LF
941 case CMD_SET_LF_SAMPLING_CONFIG:
942 setSamplingConfig((sample_config *) c->d.asBytes);
943 break;
944 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
945 cmd_send(CMD_ACK,SampleLF(c->arg[0]),0,0,0,0);
946 break;
947 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
948 ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
949 break;
950 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
951 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
952 break;
953 case CMD_HID_DEMOD_FSK:
954 CmdHIDdemodFSK(c->arg[0], 0, 0, 1);
955 break;
956 case CMD_HID_SIM_TAG:
957 CmdHIDsimTAG(c->arg[0], c->arg[1], 1);
958 break;
959 case CMD_FSK_SIM_TAG:
960 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
961 break;
962 case CMD_ASK_SIM_TAG:
963 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
964 break;
965 case CMD_PSK_SIM_TAG:
966 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
967 break;
968 case CMD_HID_CLONE_TAG:
969 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
970 break;
971 case CMD_IO_DEMOD_FSK:
972 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
973 break;
974 case CMD_IO_CLONE_TAG:
975 CopyIOtoT55x7(c->arg[0], c->arg[1]);
976 break;
977 case CMD_EM410X_DEMOD:
978 CmdEM410xdemod(c->arg[0], 0, 0, 1);
979 break;
980 case CMD_EM410X_WRITE_TAG:
981 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
982 break;
983 case CMD_READ_TI_TYPE:
984 ReadTItag();
985 break;
986 case CMD_WRITE_TI_TYPE:
987 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
988 break;
989 case CMD_SIMULATE_TAG_125K:
990 LED_A_ON();
991 SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
992 LED_A_OFF();
993 break;
994 case CMD_LF_SIMULATE_BIDIR:
995 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
996 break;
997 case CMD_INDALA_CLONE_TAG:
998 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
999 break;
1000 case CMD_INDALA_CLONE_TAG_L:
1001 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
1002 break;
1003 case CMD_T55XX_READ_BLOCK:
1004 T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
1005 break;
1006 case CMD_T55XX_WRITE_BLOCK:
1007 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
1008 break;
1009 case CMD_T55XX_WAKEUP:
1010 T55xxWakeUp(c->arg[0]);
1011 break;
1012 case CMD_T55XX_RESET_READ:
1013 T55xxResetRead();
1014 break;
1015 case CMD_PCF7931_READ:
1016 ReadPCF7931();
1017 break;
1018 case CMD_PCF7931_WRITE:
1019 WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
1020 break;
1021 case CMD_EM4X_READ_WORD:
1022 EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]);
1023 break;
1024 case CMD_EM4X_WRITE_WORD:
1025 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
1026 break;
1027 case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
1028 CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
1029 break;
1030 case CMD_VIKING_CLONE_TAG:
1031 CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
1032 break;
1033 #endif
1034
1035 #ifdef WITH_HITAG
1036 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
1037 SnoopHitag(c->arg[0]);
1038 break;
1039 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
1040 SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1041 break;
1042 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
1043 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1044 break;
1045 case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content
1046 SimulateHitagSTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1047 break;
1048 case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file
1049 check_challenges((bool)c->arg[0],(byte_t*)c->d.asBytes);
1050 break;
1051 case CMD_READ_HITAG_S://Reader for only Hitag S tags, args = key or challenge
1052 ReadHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1053 break;
1054 case CMD_WR_HITAG_S://writer for Hitag tags args=data to write,page and key or challenge
1055 WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]);
1056 break;
1057 #endif
1058
1059 #ifdef WITH_ISO15693
1060 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
1061 AcquireRawAdcSamplesIso15693();
1062 break;
1063 case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693:
1064 RecordRawAdcSamplesIso15693();
1065 break;
1066
1067 case CMD_ISO_15693_COMMAND:
1068 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1069 break;
1070
1071 case CMD_ISO_15693_FIND_AFI:
1072 BruteforceIso15693Afi(c->arg[0]);
1073 break;
1074
1075 case CMD_ISO_15693_DEBUG:
1076 SetDebugIso15693(c->arg[0]);
1077 break;
1078
1079 case CMD_READER_ISO_15693:
1080 ReaderIso15693(c->arg[0]);
1081 break;
1082 case CMD_SIMTAG_ISO_15693:
1083 SimTagIso15693(c->arg[0], c->d.asBytes);
1084 break;
1085 #endif
1086
1087 #ifdef WITH_LEGICRF
1088 case CMD_SIMULATE_TAG_LEGIC_RF:
1089 LegicRfSimulate(c->arg[0], c->arg[1], c->arg[2]);
1090 break;
1091
1092 case CMD_WRITER_LEGIC_RF:
1093 LegicRfWriter(c->arg[1], c->arg[0]);
1094 break;
1095
1096 case CMD_READER_LEGIC_RF:
1097 LegicRfReader(c->arg[0], c->arg[1]);
1098 break;
1099 #endif
1100
1101 #ifdef WITH_ISO14443b
1102 case CMD_READ_SRI512_TAG:
1103 ReadSTMemoryIso14443b(0x0F);
1104 break;
1105 case CMD_READ_SRIX4K_TAG:
1106 ReadSTMemoryIso14443b(0x7F);
1107 break;
1108 case CMD_SNOOP_ISO_14443B:
1109 SnoopIso14443b();
1110 break;
1111 case CMD_SIMULATE_TAG_ISO_14443B:
1112 SimulateIso14443bTag();
1113 break;
1114 case CMD_ISO_14443B_COMMAND:
1115 SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1116 break;
1117 #endif
1118
1119 #ifdef WITH_ISO14443a
1120 case CMD_SNOOP_ISO_14443a:
1121 SnoopIso14443a(c->arg[0]);
1122 break;
1123 case CMD_READER_ISO_14443a:
1124 ReaderIso14443a(c);
1125 break;
1126 case CMD_SIMULATE_TAG_ISO_14443a:
1127 SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
1128 break;
1129
1130 case CMD_EPA_PACE_COLLECT_NONCE:
1131 EPA_PACE_Collect_Nonce(c);
1132 break;
1133 case CMD_EPA_PACE_REPLAY:
1134 EPA_PACE_Replay(c);
1135 break;
1136
1137 case CMD_READER_MIFARE:
1138 ReaderMifare(c->arg[0]);
1139 break;
1140 case CMD_MIFARE_READBL:
1141 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1142 break;
1143 case CMD_MIFAREU_READBL:
1144 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
1145 break;
1146 case CMD_MIFAREUC_AUTH:
1147 MifareUC_Auth(c->arg[0],c->d.asBytes);
1148 break;
1149 case CMD_MIFAREU_READCARD:
1150 MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1151 break;
1152 case CMD_MIFAREUC_SETPWD:
1153 MifareUSetPwd(c->arg[0], c->d.asBytes);
1154 break;
1155 case CMD_MIFARE_READSC:
1156 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1157 break;
1158 case CMD_MIFARE_WRITEBL:
1159 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1160 break;
1161 //case CMD_MIFAREU_WRITEBL_COMPAT:
1162 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1163 //break;
1164 case CMD_MIFAREU_WRITEBL:
1165 MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
1166 break;
1167 case CMD_MIFARE_NESTED:
1168 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1169 break;
1170 case CMD_MIFARE_CHKKEYS:
1171 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1172 break;
1173 case CMD_SIMULATE_MIFARE_CARD:
1174 Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1175 break;
1176
1177 // emulator
1178 case CMD_MIFARE_SET_DBGMODE:
1179 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1180 break;
1181 case CMD_MIFARE_EML_MEMCLR:
1182 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1183 break;
1184 case CMD_MIFARE_EML_MEMSET:
1185 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1186 break;
1187 case CMD_MIFARE_EML_MEMGET:
1188 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1189 break;
1190 case CMD_MIFARE_EML_CARDLOAD:
1191 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1192 break;
1193
1194 // Work with "magic Chinese" card
1195 case CMD_MIFARE_CSETBLOCK:
1196 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1197 break;
1198 case CMD_MIFARE_CGETBLOCK:
1199 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1200 break;
1201 case CMD_MIFARE_CIDENT:
1202 MifareCIdent();
1203 break;
1204
1205 // mifare sniffer
1206 case CMD_MIFARE_SNIFFER:
1207 SniffMifare(c->arg[0]);
1208 break;
1209
1210 #endif
1211
1212 #ifdef WITH_ICLASS
1213 // Makes use of ISO14443a FPGA Firmware
1214 case CMD_SNOOP_ICLASS:
1215 SnoopIClass();
1216 break;
1217 case CMD_SIMULATE_TAG_ICLASS:
1218 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1219 break;
1220 case CMD_READER_ICLASS:
1221 ReaderIClass(c->arg[0]);
1222 break;
1223 case CMD_READER_ICLASS_REPLAY:
1224 ReaderIClass_Replay(c->arg[0], c->d.asBytes);
1225 break;
1226 case CMD_ICLASS_EML_MEMSET:
1227 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
1228 break;
1229 case CMD_ICLASS_WRITEBLOCK:
1230 iClass_WriteBlock(c->arg[0], c->d.asBytes);
1231 break;
1232 case CMD_ICLASS_READCHECK: // auth step 1
1233 iClass_ReadCheck(c->arg[0], c->arg[1]);
1234 break;
1235 case CMD_ICLASS_READBLOCK:
1236 iClass_ReadBlk(c->arg[0]);
1237 break;
1238 case CMD_ICLASS_AUTHENTICATION: //check
1239 iClass_Authentication(c->d.asBytes);
1240 break;
1241 case CMD_ICLASS_DUMP:
1242 iClass_Dump(c->arg[0], c->arg[1]);
1243 break;
1244 case CMD_ICLASS_CLONE:
1245 iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
1246 break;
1247 #endif
1248 #ifdef WITH_HFSNOOP
1249 case CMD_HF_SNIFFER:
1250 HfSnoop(c->arg[0], c->arg[1]);
1251 break;
1252 #endif
1253
1254 case CMD_BUFF_CLEAR:
1255 BigBuf_Clear();
1256 break;
1257
1258 case CMD_MEASURE_ANTENNA_TUNING:
1259 MeasureAntennaTuning(c->arg[0]);
1260 break;
1261
1262 case CMD_MEASURE_ANTENNA_TUNING_HF:
1263 MeasureAntennaTuningHf();
1264 break;
1265
1266 case CMD_LISTEN_READER_FIELD:
1267 ListenReaderField(c->arg[0]);
1268 break;
1269
1270 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
1271 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1272 SpinDelay(200);
1273 LED_D_OFF(); // LED D indicates field ON or OFF
1274 break;
1275
1276 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K:
1277
1278 LED_B_ON();
1279 uint8_t *BigBuf = BigBuf_get_addr();
1280 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
1281 size_t len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
1282 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
1283 }
1284 // Trigger a finish downloading signal with an ACK frame
1285 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
1286 LED_B_OFF();
1287 break;
1288
1289 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
1290 uint8_t *b = BigBuf_get_addr();
1291 memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1292 cmd_send(CMD_ACK,0,0,0,0,0);
1293 break;
1294 }
1295 case CMD_READ_MEM:
1296 ReadMem(c->arg[0]);
1297 break;
1298
1299 case CMD_SET_LF_DIVISOR:
1300 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1301 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
1302 break;
1303
1304 case CMD_SET_ADC_MUX:
1305 switch(c->arg[0]) {
1306 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1307 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1308 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1309 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1310 }
1311 break;
1312
1313 case CMD_VERSION:
1314 SendVersion();
1315 break;
1316 case CMD_STATUS:
1317 SendStatus();
1318 break;
1319 case CMD_PING:
1320 cmd_send(CMD_ACK,0,0,0,0,0);
1321 break;
1322 #ifdef WITH_LCD
1323 case CMD_LCD_RESET:
1324 LCDReset();
1325 break;
1326 case CMD_LCD:
1327 LCDSend(c->arg[0]);
1328 break;
1329 #endif
1330 case CMD_SETUP_WRITE:
1331 case CMD_FINISH_WRITE:
1332 case CMD_HARDWARE_RESET:
1333 usb_disable();
1334 SpinDelay(1000);
1335 SpinDelay(1000);
1336 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1337 for(;;) {
1338 // We're going to reset, and the bootrom will take control.
1339 }
1340 break;
1341
1342 case CMD_START_FLASH:
1343 if(common_area.flags.bootrom_present) {
1344 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1345 }
1346 usb_disable();
1347 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1348 for(;;);
1349 break;
1350
1351 case CMD_DEVICE_INFO: {
1352 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1353 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1354 cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1355 break;
1356 }
1357 default:
1358 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1359 break;
1360 }
1361 }
1362
1363 void __attribute__((noreturn)) AppMain(void)
1364 {
1365 SpinDelay(100);
1366 clear_trace();
1367 if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
1368 /* Initialize common area */
1369 memset(&common_area, 0, sizeof(common_area));
1370 common_area.magic = COMMON_AREA_MAGIC;
1371 common_area.version = 1;
1372 }
1373 common_area.flags.osimage_present = 1;
1374
1375 LED_D_OFF();
1376 LED_C_OFF();
1377 LED_B_OFF();
1378 LED_A_OFF();
1379
1380 // Init USB device
1381 usb_enable();
1382
1383 // The FPGA gets its clock from us from PCK0 output, so set that up.
1384 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
1385 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
1386 AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
1387 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1388 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
1389 AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
1390 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
1391
1392 // Reset SPI
1393 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
1394 // Reset SSC
1395 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
1396
1397 // Load the FPGA image, which we have stored in our flash.
1398 // (the HF version by default)
1399 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1400
1401 StartTickCount();
1402
1403 #ifdef WITH_LCD
1404 LCDInit();
1405 #endif
1406
1407 byte_t rx[sizeof(UsbCommand)];
1408 size_t rx_len;
1409
1410 for(;;) {
1411 if (usb_poll()) {
1412 rx_len = usb_read(rx,sizeof(UsbCommand));
1413 if (rx_len) {
1414 UsbPacketReceived(rx,rx_len);
1415 }
1416 }
1417 WDT_HIT();
1418
1419 #ifdef WITH_LF
1420 #ifndef WITH_ISO14443a_StandAlone
1421 if (BUTTON_HELD(1000) > 0)
1422 SamyRun();
1423 #endif
1424 #endif
1425 #ifdef WITH_ISO14443a
1426 #ifdef WITH_ISO14443a_StandAlone
1427 if (BUTTON_HELD(1000) > 0)
1428 StandAloneMode14a();
1429 #endif
1430 #endif
1431 }
1432 }
Impressum, Datenschutz