]> cvs.zerfleddert.de Git - proxmark3-svn/blobdiff - armsrc/iso14443a.c
Added mifare trailer block decoding for sector commands (#734)
[proxmark3-svn] / armsrc / iso14443a.c
index 89ef23d484bfb836b776422c773a2702e2c65c57..7bf8f5af7d110e4f440b933ebed4f5c1f8138052 100644 (file)
@@ -189,33 +189,16 @@ void iso14a_set_trigger(bool enable) {
 
 
 void iso14a_set_timeout(uint32_t timeout) {
-       iso14a_timeout = timeout;
-       if(MF_DBGLEVEL >= 3) Dbprintf("ISO14443A Timeout set to %ld (%dms)", iso14a_timeout, iso14a_timeout / 106);
+       // adjust timeout by FPGA delays and 2 additional ssp_frames to detect SOF
+       iso14a_timeout = timeout + (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/(16*8) + 2;
+       if(MF_DBGLEVEL >= 3) Dbprintf("ISO14443A Timeout set to %ld (%dms)", timeout, timeout / 106);
 }
 
 
-static void iso14a_set_ATS_timeout(uint8_t *ats) {
-
-       uint8_t tb1;
-       uint8_t fwi; 
-       uint32_t fwt;
-       
-       if (ats[0] > 1) {                                                       // there is a format byte T0
-               if ((ats[1] & 0x20) == 0x20) {                  // there is an interface byte TB(1)
-                       if ((ats[1] & 0x10) == 0x10) {          // there is an interface byte TA(1) preceding TB(1)
-                               tb1 = ats[3];
-                       } else {
-                               tb1 = ats[2];
-                       }
-                       fwi = (tb1 & 0xf0) >> 4;                        // frame waiting indicator (FWI)
-                       fwt = 256 * 16 * (1 << fwi);            // frame waiting time (FWT) in 1/fc
-                       
-                       iso14a_set_timeout(fwt/(8*16));
-               }
-       }
+uint32_t iso14a_get_timeout(void) {
+       return iso14a_timeout - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/(16*8) - 2;
 }
 
-
 //-----------------------------------------------------------------------------
 // Generate the parity value for a byte sequence
 //
@@ -1277,7 +1260,7 @@ static void PrepareDelayedTransfer(uint16_t delay)
 // Transmit the command (to the tag) that was placed in ToSend[].
 // Parameter timing:
 // if NULL: transfer at next possible time, taking into account
-//                     request guard time and frame delay time
+//                     request guard time, startup frame guard time and frame delay time
 // if == 0:    transfer immediately and return time of transfer
 // if != 0: delay transfer until time specified
 //-------------------------------------------------------------------------------------
@@ -1422,7 +1405,7 @@ int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity)
                                ADC_MODE_PRESCALE(63) |
                                ADC_MODE_STARTUP_TIME(1) |
                                ADC_MODE_SAMPLE_HOLD_TIME(15);
-       AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
+       AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF_LOW);
        // start ADC
        AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
        
@@ -1449,12 +1432,12 @@ int EmGetCmd(uint8_t *received, uint16_t *len, uint8_t *parity)
                if (BUTTON_PRESS()) return 1;
 
                // test if the field exists
-               if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
+               if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF_LOW)) {
                        analogCnt++;
-                       analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
+                       analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF_LOW];
                        AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
                        if (analogCnt >= 32) {
-                               if ((MAX_ADC_HF_VOLTAGE * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
+                               if ((MAX_ADC_HF_VOLTAGE_LOW * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
                                        vtime = GetTickCount();
                                        if (!timer) timer = vtime;
                                        // 50ms no field --> card to idle state
@@ -1685,6 +1668,59 @@ int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity)
        return Demod.len;
 }
 
+
+static void iso14a_set_ATS_times(uint8_t *ats) {
+
+       uint8_t tb1;
+       uint8_t fwi, sfgi; 
+       uint32_t fwt, sfgt;
+       
+       if (ats[0] > 1) {                                                       // there is a format byte T0
+               if ((ats[1] & 0x20) == 0x20) {                  // there is an interface byte TB(1)
+                       if ((ats[1] & 0x10) == 0x10) {          // there is an interface byte TA(1) preceding TB(1)
+                               tb1 = ats[3];
+                       } else {
+                               tb1 = ats[2];
+                       }
+                       fwi = (tb1 & 0xf0) >> 4;                        // frame waiting time integer (FWI)
+                       if (fwi != 15) {
+                               fwt = 256 * 16 * (1 << fwi);    // frame waiting time (FWT) in 1/fc
+                               iso14a_set_timeout(fwt/(8*16));
+                       }
+                       sfgi = tb1 & 0x0f;                                      // startup frame guard time integer (SFGI)
+                       if (sfgi != 0 && sfgi != 15) {
+                               sfgt = 256 * 16 * (1 << sfgi);  // startup frame guard time (SFGT) in 1/fc
+                               NextTransferTime = MAX(NextTransferTime, Demod.endTime + (sfgt - DELAY_AIR2ARM_AS_READER - DELAY_ARM2AIR_AS_READER)/16);
+                       }
+               }
+       }
+}
+
+
+static int GetATQA(uint8_t *resp, uint8_t *resp_par) {
+
+#define WUPA_RETRY_TIMEOUT     10      // 10ms
+       uint8_t wupa[]       = { 0x52 };  // 0x26 - REQA  0x52 - WAKE-UP
+
+       uint32_t save_iso14a_timeout = iso14a_get_timeout();
+       iso14a_set_timeout(1236/(16*8)+1);              // response to WUPA is expected at exactly 1236/fc. No need to wait longer.
+       
+       uint32_t start_time = GetTickCount();
+       int len;
+       
+       // we may need several tries if we did send an unknown command or a wrong authentication before...
+       do {
+               // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
+               ReaderTransmitBitsPar(wupa, 7, NULL, NULL);
+               // Receive the ATQA
+               len = ReaderReceive(resp, resp_par);
+       } while (len == 0 && GetTickCount() <= start_time + WUPA_RETRY_TIMEOUT);
+                       
+       iso14a_set_timeout(save_iso14a_timeout);
+       return len;
+}
+
+
 // performs iso14443a anticollision (optional) and card select procedure
 // fills the uid and cuid pointer unless NULL
 // fills the card info record unless NULL
@@ -1692,7 +1728,6 @@ int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity)
 // and num_cascades must be set (1: 4 Byte UID, 2: 7 Byte UID, 3: 10 Byte UID)
 // requests ATS unless no_rats is true
 int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades, bool no_rats) {
-       uint8_t wupa[]       = { 0x52 };  // 0x26 - REQA  0x52 - WAKE-UP
        uint8_t sel_all[]    = { 0x93,0x20 };
        uint8_t sel_uid[]    = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
        uint8_t rats[]       = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
@@ -1712,11 +1747,9 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
                p_hi14a_card->ats_len = 0;
        }
 
-       // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
-    ReaderTransmitBitsPar(wupa, 7, NULL, NULL);
-       
-       // Receive the ATQA
-       if(!ReaderReceive(resp, resp_par)) return 0;
+       if (!GetATQA(resp, resp_par)) {
+               return 0;
+       }
 
        if(p_hi14a_card) {
                memcpy(p_hi14a_card->atqa, resp, 2);
@@ -1845,8 +1878,9 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
                // reset the PCB block number
                iso14_pcb_blocknum = 0;
 
-               // set default timeout based on ATS
-               iso14a_set_ATS_timeout(resp);
+               // set default timeout and delay next transfer based on ATS
+               iso14a_set_ATS_times(resp);
+               
        }
        return 1;       
 }
@@ -1855,7 +1889,7 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
 void iso14443a_setup(uint8_t fpga_minor_mode) {
        FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
        // Set up the synchronous serial port
-       FpgaSetupSsc();
+       FpgaSetupSsc(FPGA_MAJOR_MODE_HF_ISO14443A);
        // connect Demodulated Signal to ADC:
        SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
 
@@ -1901,15 +1935,21 @@ b8 b7 b6 b5 b4 b3 b2 b1
 b5,b6 = 00 - DESELECT
         11 - WTX 
 */    
-int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
+int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data, uint8_t *res) {
        uint8_t parity[MAX_PARITY_SIZE];
        uint8_t real_cmd[cmd_len + 4];
        
-       // ISO 14443 APDU frame: PCB [CID] [NAD] APDU CRC PCB=0x02
-       real_cmd[0] = 0x02; // bnr,nad,cid,chn=0; i-block(0x00) 
-       // put block number into the PCB
-       real_cmd[0] |= iso14_pcb_blocknum;
-       memcpy(real_cmd + 1, cmd, cmd_len);
+       if (cmd_len) {
+               // ISO 14443 APDU frame: PCB [CID] [NAD] APDU CRC PCB=0x02
+               real_cmd[0] = 0x02; // bnr,nad,cid,chn=0; i-block(0x00) 
+               // put block number into the PCB
+               real_cmd[0] |= iso14_pcb_blocknum;
+               memcpy(real_cmd + 1, cmd, cmd_len);
+       } else {
+               // R-block. ACK
+               real_cmd[0] = 0xA2; // r-block + ACK    
+               real_cmd[0] |= iso14_pcb_blocknum;
+       }
        AppendCrc14443a(real_cmd, cmd_len + 1);
  
        ReaderTransmit(real_cmd, cmd_len + 3, NULL);
@@ -1922,9 +1962,9 @@ int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
        } else{
                // S-Block WTX 
                while((data_bytes[0] & 0xF2) == 0xF2) {
-                       uint32_t save_iso14a_timeout = iso14a_timeout;
+                       uint32_t save_iso14a_timeout = iso14a_get_timeout();
                        // temporarily increase timeout
-                       iso14a_timeout = MAX((data_bytes[1] & 0x3f) * iso14a_timeout, MAX_ISO14A_TIMEOUT);
+                       iso14a_set_timeout(MAX((data_bytes[1] & 0x3f) * save_iso14a_timeout, MAX_ISO14A_TIMEOUT));
                        // Transmit WTX back 
                        // byte1 - WTXM [1..59]. command FWT=FWT*WTXM
                        data_bytes[1] = data_bytes[1] & 0x3f; // 2 high bits mandatory set to 0b
@@ -1936,7 +1976,7 @@ int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
                        len = ReaderReceive(data, parity);
                        data_bytes = data;
                        // restore timeout
-                       iso14a_timeout = save_iso14a_timeout;
+                       iso14a_set_timeout(save_iso14a_timeout);
                }
 
                // if we received an I- or R(ACK)-Block with a block number equal to the
@@ -1948,9 +1988,13 @@ int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
                {
                        iso14_pcb_blocknum ^= 1;
                }
+               
+               // if we received I-block with chaining we need to send ACK and receive another block of data
+               if (res)
+                       *res = data_bytes[0];
 
                // crc check
-               if (len >=3 && !CheckCrc14443(CRC_14443_A, data_bytes, len)) {
+               if (len >= 3 && !CheckCrc14443(CRC_14443_A, data_bytes, len)) {
                        return -1;
                }
                
@@ -2016,9 +2060,10 @@ void ReaderIso14443a(UsbCommand *c)
        }
 
        if(param & ISO14A_APDU && !cantSELECT) {
-               arg0 = iso14_apdu(cmd, len, buf);
+               uint8_t res;
+               arg0 = iso14_apdu(cmd, len, buf, &res);
                LED_B_ON();
-               cmd_send(CMD_ACK, arg0, 0, 0, buf, sizeof(buf));
+               cmd_send(CMD_ACK, arg0, res, 0, buf, sizeof(buf));
                LED_B_OFF();
        }
 
@@ -2117,9 +2162,7 @@ void ReaderMifare(bool first_try)
        uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
        uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
 
-       if (first_try) { 
-               iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
-       }
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
        
        // free eventually allocated BigBuf memory. We want all for tracing.
        BigBuf_free();
@@ -2127,9 +2170,9 @@ void ReaderMifare(bool first_try)
        clear_trace();
        set_tracing(true);
 
-       byte_t nt_diff = 0;
+       uint8_t nt_diff = 0;
        uint8_t par[1] = {0};   // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
-       static byte_t par_low = 0;
+       static uint8_t par_low = 0;
        bool led_on = true;
        uint8_t uid[10]  ={0};
        uint32_t cuid;
@@ -2137,11 +2180,11 @@ void ReaderMifare(bool first_try)
        uint32_t nt = 0;
        uint32_t previous_nt = 0;
        static uint32_t nt_attacked = 0;
-       byte_t par_list[8] = {0x00};
-       byte_t ks_list[8] = {0x00};
+       uint8_t par_list[8] = {0x00};
+       uint8_t ks_list[8] = {0x00};
 
        #define PRNG_SEQUENCE_LENGTH  (1 << 16);
-       static uint32_t sync_time;
+       uint32_t sync_time = GetCountSspClk() & 0xfffffff8;
        static int32_t sync_cycles;
        int catch_up_cycles = 0;
        int last_catch_up = 0;
@@ -2151,10 +2194,9 @@ void ReaderMifare(bool first_try)
 
        if (first_try) { 
                mf_nr_ar3 = 0;
-               sync_time = GetCountSspClk() & 0xfffffff8;
+               par[0] = par_low = 0;
                sync_cycles = PRNG_SEQUENCE_LENGTH;                                                     // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the tag nonces).
                nt_attacked = 0;
-               par[0] = 0;
        }
        else {
                // we were unsuccessful on a previous call. Try another READER nonce (first 3 parity bits remain the same)
@@ -2170,6 +2212,7 @@ void ReaderMifare(bool first_try)
 
        #define MAX_UNEXPECTED_RANDOM   4               // maximum number of unexpected (i.e. real) random numbers when trying to sync. Then give up.
        #define MAX_SYNC_TRIES                  32
+       #define SYNC_TIME_BUFFER                16              // if there is only SYNC_TIME_BUFFER left before next planned sync, wait for next PRNG cycle
        #define NUM_DEBUG_INFOS                 8               // per strategy
        #define MAX_STRATEGY                    3
        uint16_t unexpected_random = 0;
@@ -2219,8 +2262,8 @@ void ReaderMifare(bool first_try)
                        sync_time = (sync_time & 0xfffffff8) + sync_cycles + catch_up_cycles;
                        catch_up_cycles = 0;
 
-                       // if we missed the sync time already, advance to the next nonce repeat
-                       while(GetCountSspClk() > sync_time) {
+                       // if we missed the sync time already or are about to miss it, advance to the next nonce repeat
+                       while(sync_time < GetCountSspClk() + SYNC_TIME_BUFFER) {
                                elapsed_prng_sequences++;
                                sync_time = (sync_time & 0xfffffff8) + sync_cycles;
                        }
@@ -2376,14 +2419,14 @@ void ReaderMifare(bool first_try)
                }
        }
        
-       byte_t buf[28];
+       uint8_t buf[32];
        memcpy(buf + 0,  uid, 4);
        num_to_bytes(nt, 4, buf + 4);
        memcpy(buf + 8,  par_list, 8);
        memcpy(buf + 16, ks_list, 8);
-       memcpy(buf + 24, mf_nr_ar, 4);
+       memcpy(buf + 24, mf_nr_ar, 8);
                
-       cmd_send(CMD_ACK, isOK, 0, 0, buf, 28);
+       cmd_send(CMD_ACK, isOK, 0, 0, buf, 32);
 
        // Thats it...
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
@@ -2448,7 +2491,7 @@ void RAMFUNC SniffMifare(uint8_t param) {
        for(uint32_t sniffCounter = 0; true; ) {
        
                if(BUTTON_PRESS()) {
-                       DbpString("cancelled by button");
+                       DbpString("Canceled by button.");
                        break;
                }
 
@@ -2505,7 +2548,9 @@ void RAMFUNC SniffMifare(uint8_t param) {
                        if(!TagIsActive) {              // no need to try decoding tag data if the reader is sending
                                uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
                                if(MillerDecoding(readerdata, (sniffCounter-1)*4)) {
-                                       LED_C_INV();
+                                       LED_B_ON();
+                                       LED_C_OFF();
+
                                        if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, true)) break;
 
                                        /* And ready to receive another command. */
@@ -2520,7 +2565,8 @@ void RAMFUNC SniffMifare(uint8_t param) {
                        if(!ReaderIsActive) {           // no need to try decoding tag data if the reader is sending
                                uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
                                if(ManchesterDecoding(tagdata, 0, (sniffCounter-1)*4)) {
-                                       LED_C_INV();
+                                       LED_B_OFF();
+                                       LED_C_ON();
 
                                        if (MfSniffLogic(receivedResponse, Demod.len, Demod.parity, Demod.bitCount, false)) break;
 
@@ -2542,7 +2588,7 @@ void RAMFUNC SniffMifare(uint8_t param) {
 
        } // main cycle
 
-       DbpString("COMMAND FINISHED");
+       DbpString("COMMAND FINISHED.");
 
        FpgaDisableSscDma();
        MfSniffEnd();
Impressum, Datenschutz