// param:
// bit 0 - trigger from first card answer
// bit 1 - trigger from first reader 7-bit request
-
LEDsoff();
- // We won't start recording the frames that we acquire until we trigger;
- // a good trigger condition to get started is probably when we see a
- // response from the tag.
- // triggered == FALSE -- to wait first for card
- bool triggered = !(param & 0x03);
+ iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
// Allocate memory from BigBuf for some buffers
// free all previous allocations first
BigBuf_free();
-
+
+ // init trace buffer
+ clear_trace();
+ set_tracing(TRUE);
+
// The command (reader -> tag) that we're receiving.
uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
uint8_t *receivedCmdPar = BigBuf_malloc(MAX_PARITY_SIZE);
// The DMA buffer, used to stream samples from the FPGA
uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
- // init trace buffer
- clear_trace();
- set_tracing(TRUE);
-
uint8_t *data = dmaBuf;
uint8_t previous_data = 0;
int maxDataLen = 0;
bool TagIsActive = FALSE;
bool ReaderIsActive = FALSE;
- iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
-
// Set up the demodulator for tag -> reader responses.
DemodInit(receivedResponse, receivedResponsePar);
// Setup and start DMA.
FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
+ // We won't start recording the frames that we acquire until we trigger;
+ // a good trigger condition to get started is probably when we see a
+ // response from the tag.
+ // triggered == FALSE -- to wait first for card
+ bool triggered = !(param & 0x03);
+
// And now we loop, receiving samples.
for(uint32_t rsamples = 0; TRUE; ) {
}
/* And ready to receive another command. */
UartReset();
- //UartInit(receivedCmd, receivedCmdPar);
/* And also reset the demod code, which might have been */
/* false-triggered by the commands from the reader. */
DemodReset();
}
} // main cycle
- DbpString("COMMAND FINISHED");
-
FpgaDisableSscDma();
+ LEDsoff();
+
Dbprintf("maxDataLen=%d, Uart.state=%x, Uart.len=%d", maxDataLen, Uart.state, Uart.len);
Dbprintf("traceLen=%d, Uart.output[0]=%08x", BigBuf_get_traceLen(), (uint32_t)Uart.output[0]);
- LEDsoff();
}
//-----------------------------------------------------------------------------
// Main loop of simulated tag: receive commands from reader, decide what
// response to send, and send it.
//-----------------------------------------------------------------------------
-void SimulateIso14443aTag(int tagType, int flags, int uid_2nd, byte_t* data)
+void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
{
//Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2
.modulation_n = 0
};
+ // We need to listen to the high-frequency, peak-detected path.
+ iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
+
BigBuf_free_keep_EM();
// allocate buffers:
int happened2 = 0;
int cmdsRecvd = 0;
- // We need to listen to the high-frequency, peak-detected path.
- iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
-
cmdsRecvd = 0;
tag_response_info_t* p_response;
ar_nr_responses[8], // AR2
ar_nr_responses[9] // NR2
);
+ Dbprintf("../tools/mfkey/mfkey32v2 %06x%08x %08x %08x %08x %08x %08x %08x",
+ ar_nr_responses[0], // UID1
+ ar_nr_responses[1], // UID2
+ ar_nr_responses[2], // NT1
+ ar_nr_responses[3], // AR1
+ ar_nr_responses[4], // NR1
+ ar_nr_responses[7], // NT2
+ ar_nr_responses[8], // AR2
+ ar_nr_responses[9] // NR2
+ );
}
uint8_t len = ar_nr_collected*5*4;
cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,len,0,&ar_nr_responses,len);
else {
// Check for ISO 14443A-4 compliant commands, look at left nibble
switch (receivedCmd[0]) {
-
+ case 0x02:
+ case 0x03: { // IBlock (command no CID)
+ dynamic_response_info.response[0] = receivedCmd[0];
+ dynamic_response_info.response[1] = 0x90;
+ dynamic_response_info.response[2] = 0x00;
+ dynamic_response_info.response_n = 3;
+ } break;
case 0x0B:
- case 0x0A: { // IBlock (command)
+ case 0x0A: { // IBlock (command CID)
dynamic_response_info.response[0] = receivedCmd[0];
dynamic_response_info.response[1] = 0x00;
dynamic_response_info.response[2] = 0x90;
dynamic_response_info.response_n = 2;
} break;
- case 0xBA: { //
- memcpy(dynamic_response_info.response,"\xAB\x00",2);
- dynamic_response_info.response_n = 2;
+ case 0xBA: { // ping / pong
+ dynamic_response_info.response[0] = 0xAB;
+ dynamic_response_info.response[1] = 0x00;
+ dynamic_response_info.response_n = 2;
} break;
case 0xCA:
case 0xC2: { // Readers sends deselect command
- memcpy(dynamic_response_info.response,"\xCA\x00",2);
- dynamic_response_info.response_n = 2;
+ dynamic_response_info.response[0] = 0xCA;
+ dynamic_response_info.response[1] = 0x00;
+ dynamic_response_info.response_n = 2;
} break;
default: {
}
}
-
void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing)
{
CodeIso14443aBitsAsReaderPar(frame, bits, par);
}
}
-
void ReaderTransmitPar(uint8_t* frame, uint16_t len, uint8_t *par, uint32_t *timing)
{
ReaderTransmitBitsPar(frame, len*8, par, timing);
}
-
void ReaderTransmitBits(uint8_t* frame, uint16_t len, uint32_t *timing)
{
// Generate parity and redirect
ReaderTransmitBitsPar(frame, len, par, timing);
}
-
void ReaderTransmit(uint8_t* frame, uint16_t len, uint32_t *timing)
{
// Generate parity and redirect
uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
+ if (first_try) {
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
+ }
+
// free eventually allocated BigBuf memory. We want all for tracing.
BigBuf_free();
if (first_try) {
mf_nr_ar3 = 0;
- iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
sync_time = GetCountSspClk() & 0xfffffff8;
sync_cycles = 65536; // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).
nt_attacked = 0;
cmd_send(CMD_ACK,isOK,0,0,buf,28);
- set_tracing(FALSE);
+ // Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
+
+ set_tracing(FALSE);
}
uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0,0};
uint8_t ar_nr_collected = 0;
- // free eventually allocated BigBuf memory but keep Emulator Memory
- BigBuf_free_keep_EM();
-
- // clear trace
- clear_trace();
- set_tracing(TRUE);
-
// Authenticate response - nonce
uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
}
- // We need to listen to the high-frequency, peak-detected path.
- iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
-
-
if (MF_DBGLEVEL >= 1) {
if (!_7BUID) {
Dbprintf("4B UID: %02x%02x%02x%02x",
}
}
+ // We need to listen to the high-frequency, peak-detected path.
+ iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
+
+ // free eventually allocated BigBuf memory but keep Emulator Memory
+ BigBuf_free_keep_EM();
+
+ // clear trace
+ clear_trace();
+ set_tracing(TRUE);
+
+
bool finished = FALSE;
while (!BUTTON_PRESS() && !finished) {
WDT_HIT();
ar_nr_responses[8], // AR2
ar_nr_responses[9] // NR2
);
+ Dbprintf("../tools/mfkey/mfkey32v2 %06x%08x %08x %08x %08x %08x %08x %08x",
+ ar_nr_responses[0], // UID1
+ ar_nr_responses[1], // UID2
+ ar_nr_responses[2], // NT1
+ ar_nr_responses[3], // AR1
+ ar_nr_responses[4], // NR1
+ ar_nr_responses[7], // NT2
+ ar_nr_responses[8], // AR2
+ ar_nr_responses[9] // NR2
+ );
} else {
Dbprintf("Failed to obtain two AR/NR pairs!");
if(ar_nr_collected > 0 ) {
// bit 0 - trigger from first card answer
// bit 1 - trigger from first reader 7-bit request
- // free eventually allocated BigBuf memory
- BigBuf_free();
-
// C(red) A(yellow) B(green)
LEDsoff();
// init trace buffer
uint8_t receivedResponse[MAX_MIFARE_FRAME_SIZE];
uint8_t receivedResponsePar[MAX_MIFARE_PARITY_SIZE];
+ iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
+
+ // free eventually allocated BigBuf memory
+ BigBuf_free();
// allocate the DMA buffer, used to stream samples from the FPGA
uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
uint8_t *data = dmaBuf;
bool ReaderIsActive = FALSE;
bool TagIsActive = FALSE;
- iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
-
// Set up the demodulator for tag -> reader responses.
DemodInit(receivedResponse, receivedResponsePar);
if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, TRUE)) break;
/* And ready to receive another command. */
- //UartInit(receivedCmd, receivedCmdPar);
UartReset();
/* And also reset the demod code */
// And reset the Miller decoder including its (now outdated) input buffer
UartInit(receivedCmd, receivedCmdPar);
+ // why not UartReset?
}
TagIsActive = (Demod.state != DEMOD_UNSYNCD);
}
} // main cycle
- DbpString("COMMAND FINISHED");
-
FpgaDisableSscDma();
MfSniffEnd();
-
- Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.len=%x", maxDataLen, Uart.state, Uart.len);
LEDsoff();
+ Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.len=%x", maxDataLen, Uart.state, Uart.len);
}