-void LegicRfSimulate(void)
-{
- /* ADC path high-frequency peak detector, FPGA in high-frequency simulator mode,
- * modulation mode set to 212kHz subcarrier. We are getting the incoming raw
- * envelope waveform on DIN and should send our response on DOUT.
- *
- * The LEGIC RF protocol is pulse-pause-encoding from reader to card, so we'll
- * measure the time between two rising edges on DIN, and no encoding on the
- * subcarrier from card to reader, so we'll just shift out our verbatim data
- * on DOUT, 1 bit is 100us. The time from reader to card frame is still unclear,
- * seems to be 300us-ish.
- */
- SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
- FpgaSetupSsc();
- FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_212K);
-
- /* Bitbang the receiver */
- AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_DIN;
- AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DIN;
-
- /* Set up Timer 1 to use for measuring time between pulses. Since we're bit-banging
- * this it won't be terribly accurate but should be good enough.
- */
- AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
- AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
- AT91C_BASE_TC1->TC_CMR = TC_CMR_TCCLKS_TIMER_CLOCK3;
- AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
- int old_level = 0;
-
-/* At TIMER_CLOCK3 (MCK/32) */
-#define BIT_TIME_1 150
-#define BIT_TIME_0 90
-#define BIT_TIME_FUZZ 20
-
- int active = 0;
- while(!BUTTON_PRESS()) {
- int level = !!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_DIN);
- int time = AT91C_BASE_TC1->TC_CV;
-
- if(level != old_level) {
- if(level == 1) {
- AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
- if(time > (BIT_TIME_1-BIT_TIME_FUZZ) && time < (BIT_TIME_1+BIT_TIME_FUZZ)) {
- /* 1 bit */
- emit(1);
- active = 1;
- LED_B_ON();
- } else if(time > (BIT_TIME_0-BIT_TIME_FUZZ) && time < (BIT_TIME_0+BIT_TIME_FUZZ)) {
- /* 0 bit */
- emit(0);
- active = 1;
- LED_B_ON();
- } else if(active) {
- /* invalid */
- emit(-1);
- active = 0;
- LED_B_OFF();
- }
- }
- }
-
- if(time >= (BIT_TIME_1+BIT_TIME_FUZZ) && active) {
- /* Frame end */
- emit(-1);
- active = 0;
- LED_B_OFF();
- }
-
- if(time >= (20*BIT_TIME_1) && (AT91C_BASE_TC1->TC_SR & AT91C_TC_CLKSTA)) {
- AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
- }
-
-
- old_level = level;
- WDT_HIT();
- }
+static void init_reader(bool clear_mem) {
+ // configure FPGA
+ FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR
+ | FPGA_HF_READER_RX_XCORR_848_KHZ
+ | FPGA_HF_READER_RX_XCORR_QUARTER_FREQ);
+ SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+ LED_D_ON();
+
+ // configure SSC with defaults
+ FpgaSetupSsc();
+
+ // re-claim GPIO_SSC_DOUT as GPIO and enable output
+ AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
+ AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
+ HIGH(GPIO_SSC_DOUT);
+
+ // init crc calculator
+ crc_init(&legic_crc, 4, 0x19 >> 1, 0x05, 0);
+
+ // start us timer
+ StartTicks();
+}
+
+// Setup reader to card connection
+//
+// The setup consists of a three way handshake:
+// - Transmit initialisation vector 7 bits
+// - Receive card type 6 bits
+// - Transmit Acknowledge 6 bits
+static uint32_t setup_phase(uint8_t iv) {
+ // init coordination timestamp
+ last_frame_end = GET_TICKS;
+
+ // Switch on carrier and let the card charge for 5ms.
+ last_frame_end += 7500;
+ while(GET_TICKS < last_frame_end) { };
+
+ legic_prng_init(0);
+ tx_frame(iv, 7);
+
+ // configure prng
+ legic_prng_init(iv);
+ legic_prng_forward(2);
+
+ // receive card type
+ int32_t card_type = rx_frame(6);
+ legic_prng_forward(3);
+
+ // send obsfuscated acknowledgment frame
+ switch (card_type) {
+ case 0x0D:
+ tx_frame(0x19, 6); // MIM22 | READCMD = 0x18 | 0x01
+ break;
+ case 0x1D:
+ case 0x3D:
+ tx_frame(0x39, 6); // MIM256 | READCMD = 0x38 | 0x01
+ break;
+ }
+
+ return card_type;
+}
+
+static uint8_t calc_crc4(uint16_t cmd, uint8_t cmd_sz, uint8_t value) {
+ crc_clear(&legic_crc);
+ crc_update(&legic_crc, (value << cmd_sz) | cmd, 8 + cmd_sz);
+ return crc_finish(&legic_crc);
+}
+
+static int16_t read_byte(uint16_t index, uint8_t cmd_sz) {
+ uint16_t cmd = (index << 1) | LEGIC_READ;
+
+ // read one byte
+ LED_B_ON();
+ legic_prng_forward(2);
+ tx_frame(cmd, cmd_sz);
+ legic_prng_forward(2);
+ uint32_t frame = rx_frame(12);
+ LED_B_OFF();
+
+ // split frame into data and crc
+ uint8_t byte = BYTEx(frame, 0);
+ uint8_t crc = BYTEx(frame, 1);
+
+ // check received against calculated crc
+ uint8_t calc_crc = calc_crc4(cmd, cmd_sz, byte);
+ if(calc_crc != crc) {
+ Dbprintf("!!! crc mismatch: %x != %x !!!", calc_crc, crc);
+ return -1;
+ }
+
+ legic_prng_forward(1);
+
+ return byte;
+}
+
+// Transmit write command, wait until (3.6ms) the tag sends back an unencrypted
+// ACK ('1' bit) and forward the prng time based.
+bool write_byte(uint16_t index, uint8_t byte, uint8_t addr_sz) {
+ uint32_t cmd = index << 1 | LEGIC_WRITE; // prepare command
+ uint8_t crc = calc_crc4(cmd, addr_sz + 1, byte); // calculate crc
+ cmd |= byte << (addr_sz + 1); // append value
+ cmd |= (crc & 0xF) << (addr_sz + 1 + 8); // and crc
+
+ // send write command
+ LED_C_ON();
+ legic_prng_forward(2);
+ tx_frame(cmd, addr_sz + 1 + 8 + 4); // sz = addr_sz + cmd + data + crc
+ legic_prng_forward(3);
+ LED_C_OFF();
+
+ // wait for ack
+ return rx_ack();
+}
+
+//-----------------------------------------------------------------------------
+// Command Line Interface
+//
+// Only this functions are public / called from appmain.c
+//-----------------------------------------------------------------------------
+void LegicRfReader(int offset, int bytes) {
+ uint8_t *BigBuf = BigBuf_get_addr();
+ memset(BigBuf, 0, 1024);
+
+ // configure ARM and FPGA
+ init_reader(false);
+
+ // establish shared secret and detect card type
+ DbpString("Reading card ...");
+ uint8_t card_type = setup_phase(SESSION_IV);
+ if(init_card(card_type, &card) != 0) {
+ Dbprintf("No or unknown card found, aborting");
+ goto OUT;
+ }
+
+ // if no argument is specified create full dump
+ if(bytes == -1) {
+ bytes = card.cardsize;
+ }
+
+ // do not read beyond card memory
+ if(bytes + offset > card.cardsize) {
+ bytes = card.cardsize - offset;
+ }
+
+ for(uint16_t i = 0; i < bytes; ++i) {
+ int16_t byte = read_byte(offset + i, card.cmdsize);
+ if(byte == -1) {
+ Dbprintf("operation failed @ 0x%03.3x", bytes);
+ goto OUT;
+ }
+ BigBuf[i] = byte;
+ }
+
+ // OK
+ Dbprintf("Card (MIM %i) read, use 'hf legic decode' or", card.cardsize);
+ Dbprintf("'data hexsamples %d' to view results", (bytes+7) & ~7);
+
+OUT:
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ LED_B_OFF();
+ LED_C_OFF();
+ LED_D_OFF();
+ StopTicks();
+}
+
+void LegicRfWriter(int bytes, int offset) {
+ uint8_t *BigBuf = BigBuf_get_addr();
+
+ // configure ARM and FPGA
+ init_reader(false);
+
+ // uid is not writeable
+ if(offset <= WRITE_LOWERLIMIT) {
+ goto OUT;
+ }
+
+ // establish shared secret and detect card type
+ Dbprintf("Writing 0x%02.2x - 0x%02.2x ...", offset, offset+bytes);
+ uint8_t card_type = setup_phase(SESSION_IV);
+ if(init_card(card_type, &card) != 0) {
+ Dbprintf("No or unknown card found, aborting");
+ goto OUT;
+ }
+
+ // do not write beyond card memory
+ if(bytes + offset > card.cardsize) {
+ bytes = card.cardsize - offset;
+ }
+
+ // write in reverse order, only then is DCF (decremental field) writable
+ while(bytes-- > 0 && !BUTTON_PRESS()) {
+ if(!write_byte(bytes + offset, BigBuf[bytes + offset], card.addrsize)) {
+ Dbprintf("operation failed @ 0x%03.3x", bytes);
+ goto OUT;
+ }
+ }
+
+ // OK
+ DbpString("Write successful");
+
+OUT:
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ LED_B_OFF();
+ LED_C_OFF();
+ LED_D_OFF();
+ StopTicks();
projects / proxmark3-svn / blobdiff