1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
};
+
void iso14a_set_trigger(bool enable) {
trigger = enable;
}
-
void iso14a_set_timeout(uint32_t timeout) {
iso14a_timeout = timeout;
+ if(MF_DBGLEVEL >= 3) Dbprintf("ISO14443A Timeout set to %ld (%dms)", iso14a_timeout, iso14a_timeout / 106);
+}
+
+
+void iso14a_set_ATS_timeout(uint8_t *ats) {
+
+ uint8_t tb1;
+ uint8_t fwi;
+ uint32_t fwt;
+
+ if (ats[0] > 1) { // there is a format byte T0
+ if ((ats[1] & 0x20) == 0x20) { // there is an interface byte TB(1)
+ if ((ats[1] & 0x10) == 0x10) { // there is an interface byte TA(1) preceding TB(1)
+ tb1 = ats[3];
+ } else {
+ tb1 = ats[2];
+ }
+ fwi = (tb1 & 0xf0) >> 4; // frame waiting indicator (FWI)
+ fwt = 256 * 16 * (1 << fwi); // frame waiting time (FWT) in 1/fc
+
+ iso14a_set_timeout(fwt/(8*16));
+ }
+ }
}
+
//-----------------------------------------------------------------------------
// Generate the parity value for a byte sequence
//
Uart.parityLen = 0; // number of decoded parity bytes
Uart.shiftReg = 0; // shiftreg to hold decoded data bits
Uart.parityBits = 0; // holds 8 parity bits
- Uart.twoBits = 0x0000; // buffer for 2 Bits
- Uart.highCnt = 0;
+ Uart.fourBits = 0x00000000; // buffer for 4 Bits
Uart.startTime = 0;
Uart.endTime = 0;
}
static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
{
- Uart.twoBits = (Uart.twoBits << 8) | bit;
+ Uart.fourBits = (Uart.fourBits << 8) | bit;
- if (Uart.state == STATE_UNSYNCD) { // not yet synced
+ if (Uart.state == STATE_UNSYNCD) { // not yet synced
- if (Uart.highCnt < 7) { // wait for a stable unmodulated signal
- if (Uart.twoBits == 0xffff) {
- Uart.highCnt++;
- } else {
- Uart.highCnt = 0;
- }
- } else {
- Uart.syncBit = 0xFFFF; // not set
- // look for 00xx1111 (the start bit)
- if ((Uart.twoBits & 0x6780) == 0x0780) Uart.syncBit = 7;
- else if ((Uart.twoBits & 0x33C0) == 0x03C0) Uart.syncBit = 6;
- else if ((Uart.twoBits & 0x19E0) == 0x01E0) Uart.syncBit = 5;
- else if ((Uart.twoBits & 0x0CF0) == 0x00F0) Uart.syncBit = 4;
- else if ((Uart.twoBits & 0x0678) == 0x0078) Uart.syncBit = 3;
- else if ((Uart.twoBits & 0x033C) == 0x003C) Uart.syncBit = 2;
- else if ((Uart.twoBits & 0x019E) == 0x001E) Uart.syncBit = 1;
- else if ((Uart.twoBits & 0x00CF) == 0x000F) Uart.syncBit = 0;
- if (Uart.syncBit != 0xFFFF) {
- Uart.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
- Uart.startTime -= Uart.syncBit;
- Uart.endTime = Uart.startTime;
- Uart.state = STATE_START_OF_COMMUNICATION;
- }
+ Uart.syncBit = 9999; // not set
+ // we look for a ...xxxx1111111100x11111xxxxxx pattern
+ // (unmodulated, followed by the start bit = 8 '1's followed by 2 '0's, eventually followed by another '0', followed by 5 '1's)
+#define ISO14443A_STARTBIT_MASK 0x007FEF80 // mask is 00000000 01111111 11101111 10000000
+#define ISO14443A_STARTBIT_PATTERN 0x007F8F80 // pattern is 00000000 01111111 10001111 10000000
+ if ((Uart.fourBits & ISO14443A_STARTBIT_MASK) >> 0 == ISO14443A_STARTBIT_PATTERN >> 0) Uart.syncBit = 7;
+ else if ((Uart.fourBits & ISO14443A_STARTBIT_MASK) >> 1 == ISO14443A_STARTBIT_PATTERN >> 1) Uart.syncBit = 6;
+ else if ((Uart.fourBits & ISO14443A_STARTBIT_MASK) >> 2 == ISO14443A_STARTBIT_PATTERN >> 2) Uart.syncBit = 5;
+ else if ((Uart.fourBits & ISO14443A_STARTBIT_MASK) >> 3 == ISO14443A_STARTBIT_PATTERN >> 3) Uart.syncBit = 4;
+ else if ((Uart.fourBits & ISO14443A_STARTBIT_MASK) >> 4 == ISO14443A_STARTBIT_PATTERN >> 4) Uart.syncBit = 3;
+ else if ((Uart.fourBits & ISO14443A_STARTBIT_MASK) >> 5 == ISO14443A_STARTBIT_PATTERN >> 5) Uart.syncBit = 2;
+ else if ((Uart.fourBits & ISO14443A_STARTBIT_MASK) >> 6 == ISO14443A_STARTBIT_PATTERN >> 6) Uart.syncBit = 1;
+ else if ((Uart.fourBits & ISO14443A_STARTBIT_MASK) >> 7 == ISO14443A_STARTBIT_PATTERN >> 7) Uart.syncBit = 0;
+ if (Uart.syncBit != 9999) { // found a sync bit
+ Uart.startTime = non_real_time?non_real_time:(GetCountSspClk() & 0xfffffff8);
+ Uart.startTime -= Uart.syncBit;
+ Uart.endTime = Uart.startTime;
+ Uart.state = STATE_START_OF_COMMUNICATION;
}
} else {
- if (IsMillerModulationNibble1(Uart.twoBits >> Uart.syncBit)) {
- if (IsMillerModulationNibble2(Uart.twoBits >> Uart.syncBit)) { // Modulation in both halves - error
+ if (IsMillerModulationNibble1(Uart.fourBits >> Uart.syncBit)) {
+ if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) { // Modulation in both halves - error
UartReset();
- Uart.highCnt = 6;
} else { // Modulation in first half = Sequence Z = logic "0"
if (Uart.state == STATE_MILLER_X) { // error - must not follow after X
UartReset();
- Uart.highCnt = 6;
} else {
Uart.bitCount++;
Uart.shiftReg = (Uart.shiftReg >> 1); // add a 0 to the shiftreg
}
}
} else {
- if (IsMillerModulationNibble2(Uart.twoBits >> Uart.syncBit)) { // Modulation second half = Sequence X = logic "1"
+ if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) { // Modulation second half = Sequence X = logic "1"
Uart.bitCount++;
Uart.shiftReg = (Uart.shiftReg >> 1) | 0x100; // add a 1 to the shiftreg
Uart.state = STATE_MILLER_X;
if (Uart.len) {
return TRUE; // we are finished with decoding the raw data sequence
} else {
- UartReset(); // Nothing receiver - start over
+ UartReset(); // Nothing received - start over
}
}
if (Uart.state == STATE_START_OF_COMMUNICATION) { // error - must not follow directly after SOC
UartReset();
- Uart.highCnt = 6;
} else { // a logic "0"
Uart.bitCount++;
Uart.shiftReg = (Uart.shiftReg >> 1); // add a 0 to the shiftreg
CodeIso14443aBitsAsReaderPar(cmd, len*8, parity);
}
+
//-----------------------------------------------------------------------------
// Wait for commands from reader
// Stop when button is pressed (return 1) or field was gone (return 2)
// Set ADC to read field strength
AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
AT91C_BASE_ADC->ADC_MR =
- ADC_MODE_PRESCALE(32) |
- ADC_MODE_STARTUP_TIME(16) |
- ADC_MODE_SAMPLE_HOLD_TIME(8);
+ ADC_MODE_PRESCALE(63) |
+ ADC_MODE_STARTUP_TIME(1) |
+ ADC_MODE_SAMPLE_HOLD_TIME(15);
AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
// start ADC
AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
// Clear RXRDY:
uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-
+
for(;;) {
WDT_HIT();
analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
if (analogCnt >= 32) {
- if ((33000 * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
+ if ((MAX_ADC_HF_VOLTAGE * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
vtime = GetTickCount();
if (!timer) timer = vtime;
// 50ms no field --> card to idle state
}
// Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN again:
- for (i = 0; i < 2 ; ) {
+ uint8_t fpga_queued_bits = FpgaSendQueueDelay >> 3;
+ for (i = 0; i <= fpga_queued_bits/8 + 1; ) {
if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
AT91C_BASE_SSC->SSC_THR = SEC_F;
FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
i++;
}
}
-
+
LastTimeProxToAirStart = ThisTransferTime + (correctionNeeded?8:0);
return 0;
// clear RXRDY:
uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-
+
c = 0;
for(;;) {
WDT_HIT();
if(ManchesterDecoding(b, offset, 0)) {
NextTransferTime = MAX(NextTransferTime, Demod.endTime - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/16 + FRAME_DELAY_TIME_PICC_TO_PCD);
return TRUE;
- } else if (c++ > iso14a_timeout) {
+ } else if (c++ > iso14a_timeout && Demod.state == DEMOD_UNSYNCD) {
return FALSE;
}
}
memset(uid_ptr,0,10);
}
+ // check for proprietary anticollision:
+ if ((resp[0] & 0x1F) == 0) {
+ return 3;
+ }
+
// OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
// which case we need to make a cascade 2 request and select - this is a long UID
// While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
// reset the PCB block number
iso14_pcb_blocknum = 0;
+
+ // set default timeout based on ATS
+ iso14a_set_ATS_timeout(resp);
+
return 1;
}
{
iso14a_command_t param = c->arg[0];
uint8_t *cmd = c->d.asBytes;
- size_t len = c->arg[1];
- size_t lenbits = c->arg[2];
+ size_t len = c->arg[1] & 0xffff;
+ size_t lenbits = c->arg[1] >> 16;
+ uint32_t timeout = c->arg[2];
uint32_t arg0 = 0;
byte_t buf[USB_CMD_DATA_SIZE];
uint8_t par[MAX_PARITY_SIZE];
}
if(param & ISO14A_SET_TIMEOUT) {
- iso14a_set_timeout(c->arg[2]);
+ iso14a_set_timeout(timeout);
}
if(param & ISO14A_APDU) {
// free eventually allocated BigBuf memory but keep Emulator Memory
BigBuf_free_keep_EM();
+
// clear trace
clear_trace();
set_tracing(TRUE);
WDT_HIT();
// find reader field
- // Vref = 3300mV, and an 10:1 voltage divider on the input
- // can measure voltages up to 33000 mV
if (cardSTATE == MFEMUL_NOFIELD) {
- vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
+ vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
if (vHf > MF_MINFIELDV) {
cardSTATE_TO_IDLE();
LED_A_ON();
LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
break;
}
+
uint32_t ar = bytes_to_num(receivedCmd, 4);
uint32_t nr = bytes_to_num(&receivedCmd[4], 4);
ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
num_to_bytes(ans, 4, rAUTH_AT);
}
+
EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
//Dbprintf("Sending rAUTH %02x%02x%02x%02x", rAUTH_AT[0],rAUTH_AT[1],rAUTH_AT[2],rAUTH_AT[3]);
cardSTATE = MFEMUL_AUTH1;
if(ar_nr_collected > 1) {
Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
- ar_nr_responses[0], // UID
+ ar_nr_responses[0], // UID
ar_nr_responses[1], //NT
ar_nr_responses[2], //AR1
ar_nr_responses[3], //NR1
}
}
if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, BigBuf_get_traceLen());
+
}
projects / proxmark3-svn / blobdiff