X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/111c6934d4e5c58883d08210399afe8eaeccc5c3..24c49d36ba3ea8acb9be21bdbb51503969a5a113:/armsrc/legicrf.c diff --git a/armsrc/legicrf.c b/armsrc/legicrf.c index 572a870e..e8a2e1aa 100644 --- a/armsrc/legicrf.c +++ b/armsrc/legicrf.c @@ -7,7 +7,6 @@ //----------------------------------------------------------------------------- // LEGIC RF simulation code //----------------------------------------------------------------------------- - #include "legicrf.h" static struct legic_frame { @@ -73,7 +72,7 @@ static void setup_timer(void) { //#define RWD_TIME_0 90 /* RWD_TIME_PAUSE off, 40us on = 60us */ //#define RWD_TIME_PAUSE 30 /* 20us */ -// testing calculating in ticks instead of (us) microseconds. +// testing calculating in (us) microseconds. #define RWD_TIME_1 120 // READER_TIME_PAUSE 20us off, 80us on = 100us 80 * 1.5 == 120ticks #define RWD_TIME_0 60 // READER_TIME_PAUSE 20us off, 40us on = 60us 40 * 1.5 == 60ticks #define RWD_TIME_PAUSE 30 // 20us == 20 * 1.5 == 30ticks */ @@ -98,7 +97,7 @@ static void setup_timer(void) { # define OPEN_COIL HIGH(GPIO_SSC_DOUT); #endif -uint32_t stop_send_frame_us = 0; +uint32_t sendFrameStop = 0; // Pause pulse, off in 20us / 30ticks, // ONE / ZERO bit pulse, @@ -107,36 +106,17 @@ uint32_t stop_send_frame_us = 0; #ifndef COIL_PULSE # define COIL_PULSE(x) { \ SHORT_COIL; \ - Wait(RWD_TIME_PAUSE); \ + WaitTicks(RWD_TIME_PAUSE); \ OPEN_COIL; \ - Wait((x)); \ + WaitTicks((x)); \ } #endif -#ifndef GET_TICKS -# define GET_TICKS AT91C_BASE_TC0->TC_CV -#endif // ToDo: define a meaningful maximum size for auth_table. The bigger this is, the lower will be the available memory for traces. // Historically it used to be FREE_BUFFER_SIZE, which was 2744. #define LEGIC_CARD_MEMSIZE 1024 static uint8_t* cardmem; -static void Wait(uint32_t time){ - if ( time == 0 ) return; - time += GET_TICKS; - while (GET_TICKS < time); -} -// Starts Clock and waits until its reset -static void Reset(AT91PS_TC clock){ - clock->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG; - while(clock->TC_CV > 1) ; -} - -// Starts Clock and waits until its reset -static void ResetClock(void){ - Reset(timer); -} - static void frame_append_bit(struct legic_frame * const f, int bit) { // Overflow, won't happen if (f->bits >= 31) return; @@ -154,7 +134,7 @@ static void frame_clean(struct legic_frame * const f) { // and while sending/receiving in bit frames (100, 60) /*static void CalibratePrng( uint32_t time){ // Calculate Cycles based on timer 100us - uint32_t i = (time - stop_send_frame_us) / 100 ; + uint32_t i = (time - sendFrameStop) / 100 ; // substract cycles of finished frames int k = i - legic_prng_count()+1; @@ -166,8 +146,7 @@ static void frame_clean(struct legic_frame * const f) { */ /* Generate Keystream */ -static uint32_t get_key_stream(int skip, int count) -{ +uint32_t get_key_stream(int skip, int count) { uint32_t key = 0; int i; @@ -175,7 +154,7 @@ static uint32_t get_key_stream(int skip, int count) legic_prng_bc += prng_timer->TC_CV; // reset the prng timer. - Reset(prng_timer); + ResetTimer(prng_timer); /* If skip == -1, forward prng time based */ if(skip == -1) { @@ -209,7 +188,7 @@ static uint32_t get_key_stream(int skip, int count) /* Send a frame in tag mode, the FPGA must have been set up by * LegicRfSimulate */ -static void frame_send_tag(uint16_t response, uint8_t bits, uint8_t crypt) { +void frame_send_tag(uint16_t response, uint8_t bits, uint8_t crypt) { /* Bitbang the response */ LOW(GPIO_SSC_DOUT); AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT; @@ -222,7 +201,7 @@ static void frame_send_tag(uint16_t response, uint8_t bits, uint8_t crypt) { } /* Wait for the frame start */ - Wait( TAG_FRAME_WAIT ); + WaitUS( TAG_FRAME_WAIT ); uint8_t bit = 0; for(int i = 0; i < bits; i++) { @@ -235,7 +214,7 @@ static void frame_send_tag(uint16_t response, uint8_t bits, uint8_t crypt) { else LOW(GPIO_SSC_DOUT); - Wait(100); + WaitUS(100); } LOW(GPIO_SSC_DOUT); } @@ -243,7 +222,7 @@ static void frame_send_tag(uint16_t response, uint8_t bits, uint8_t crypt) { /* Send a frame in reader mode, the FPGA must have been set up by * LegicRfReader */ -static void frame_sendAsReader(uint32_t data, uint8_t bits){ +void frame_sendAsReader(uint32_t data, uint8_t bits){ uint32_t starttime = GET_TICKS, send = 0; uint16_t mask = 1; @@ -263,7 +242,7 @@ static void frame_sendAsReader(uint32_t data, uint8_t bits){ // Final pause to mark the end of the frame COIL_PULSE(0); - stop_send_frame_us = GET_TICKS; + sendFrameStop = GET_TICKS; uint8_t cmdbytes[] = { BYTEx(data, 0), BYTEx(data, 1), @@ -271,7 +250,7 @@ static void frame_sendAsReader(uint32_t data, uint8_t bits){ prng1, legic_prng_count() }; - LogTrace(cmdbytes, sizeof(cmdbytes), starttime, stop_send_frame_us, NULL, TRUE); + LogTrace(cmdbytes, sizeof(cmdbytes), starttime, sendFrameStop, NULL, TRUE); } /* Receive a frame from the card in reader emulation mode, the FPGA and @@ -298,14 +277,13 @@ static void frame_sendAsReader(uint32_t data, uint8_t bits){ static void frame_receiveAsReader(struct legic_frame * const f, uint8_t bits) { frame_clean(f); + if ( bits > 32 ) return; - uint8_t i = 0, edges = 0; + uint8_t i = bits, edges = 0; uint16_t lsfr = 0; uint32_t the_bit = 1, next_bit_at = 0, data; int old_level = 0, level = 0; - if(bits > 32) bits = 32; - AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_DIN; AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DIN; @@ -320,13 +298,14 @@ static void frame_receiveAsReader(struct legic_frame * const f, uint8_t bits) { data = lsfr; //FIXED time between sending frame and now listening frame. 330us - Wait( TAG_FRAME_WAIT ); + //WaitTicks( GET_TICKS - sendFrameStop - TAG_FRAME_WAIT); + WaitTicks( 490 ); uint32_t starttime = GET_TICKS; next_bit_at = GET_TICKS + TAG_BIT_PERIOD; - for( i = 0; i < bits; i++) { + while ( i-- ){ edges = 0; while ( GET_TICKS < next_bit_at) { @@ -340,10 +319,10 @@ static void frame_receiveAsReader(struct legic_frame * const f, uint8_t bits) { next_bit_at += TAG_BIT_PERIOD; // We expect 42 edges == ONE - if(edges > 20 && edges < 60) { + if(edges > 30 && edges < 64) data ^= the_bit; - } - the_bit <<= 1; + + the_bit <<= 1; } // output @@ -351,7 +330,7 @@ static void frame_receiveAsReader(struct legic_frame * const f, uint8_t bits) { f->bits = bits; // log - stop_send_frame_us = GET_TICKS; + sendFrameStop = GET_TICKS; uint8_t cmdbytes[] = { BYTEx(data,0), @@ -359,20 +338,22 @@ static void frame_receiveAsReader(struct legic_frame * const f, uint8_t bits) { bits, BYTEx(lsfr,0), BYTEx(lsfr,1), + BYTEx(data, 0) ^ BYTEx(lsfr,0), + BYTEx(data, 1) ^ BYTEx(lsfr,1), prng_before, legic_prng_count() }; - LogTrace(cmdbytes, sizeof(cmdbytes), starttime, stop_send_frame_us, NULL, FALSE); + LogTrace(cmdbytes, sizeof(cmdbytes), starttime, sendFrameStop, NULL, FALSE); } // Setup pm3 as a Legic Reader -static uint32_t perform_setup_phase_rwd(uint8_t iv) { - +static uint32_t setup_phase_reader(uint8_t iv) { + // Switch on carrier and let the tag charge for 1ms HIGH(GPIO_SSC_DOUT); - SpinDelay(40); + WaitUS(300); - ResetUSClock(); + ResetTicks(); // no keystream yet legic_prng_init(0); @@ -386,31 +367,26 @@ static uint32_t perform_setup_phase_rwd(uint8_t iv) { frame_receiveAsReader(¤t_frame, 6); // fixed delay before sending ack. - Wait(TAG_FRAME_WAIT); - legic_prng_forward(4); + WaitTicks(387); // 244us + legic_prng_forward(3); //240us / 100 == 2.4 iterations // Send obsfuscated acknowledgment frame. // 0x19 = 0x18 MIM22, 0x01 LSB READCMD // 0x39 = 0x38 MIM256, MIM1024 0x01 LSB READCMD switch ( current_frame.data ) { - case 0x0D: - frame_sendAsReader(0x19, 6); - break; - case 0x1D: - case 0x3D: - frame_sendAsReader(0x39, 6); - break; - default: - break; + case 0x0D: frame_sendAsReader(0x19, 6); break; + case 0x1D: + case 0x3D: frame_sendAsReader(0x39, 6); break; + default: break; } return current_frame.data; } -static void LegicCommonInit(void) { +static void LegicCommonInit(void) { + FpgaDownloadAndGo(FPGA_BITSTREAM_HF); FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX); SetAdcMuxFor(GPIO_MUXSEL_HIPKD); - FpgaSetupSsc(); /* Bitbang the transmitter */ LOW(GPIO_SSC_DOUT); @@ -425,33 +401,43 @@ static void LegicCommonInit(void) { set_tracing(TRUE); crc_init(&legic_crc, 4, 0x19 >> 1, 0x5, 0); - StartCountUS(); + StartTicks(); } // Switch off carrier, make sure tag is reset static void switch_off_tag_rwd(void) { LOW(GPIO_SSC_DOUT); - SpinDelay(10); + WaitUS(200); WDT_HIT(); + Dbprintf("Exit Switch_off_tag_rwd"); } // calculate crc4 for a legic READ command // 5,8,10 address size. static uint32_t legic4Crc(uint8_t legicCmd, uint16_t byte_index, uint8_t value, uint8_t cmd_sz) { crc_clear(&legic_crc); - uint32_t temp = (value << cmd_sz) | (byte_index << 1) | legicCmd; - crc_update(&legic_crc, temp, cmd_sz + 8 ); + //uint32_t temp = (value << cmd_sz) | (byte_index << 1) | legicCmd; + //crc_update(&legic_crc, temp, cmd_sz + 8 ); + crc_update(&legic_crc, 1, 1); /* CMD_READ */ + crc_update(&legic_crc, byte_index, cmd_sz-1); + crc_update(&legic_crc, value, 8); return crc_finish(&legic_crc); } int legic_read_byte(int byte_index, int cmd_sz) { - uint8_t byte = 0, crc = 0; - uint32_t calcCrc = 0; + // (us)| ticks + // ------------- + // 330 | 495 + // 460 | 690 + // 258 | 387 + // 244 | 366 + WaitTicks(332); + legic_prng_forward(2); // 460 / 100 = 4.6 iterations + + uint8_t byte = 0, crc = 0, calcCrc = 0; uint32_t cmd = (byte_index << 1) | LEGIC_READ; - Wait(TAG_FRAME_WAIT); - frame_sendAsReader(cmd, cmd_sz); frame_receiveAsReader(¤t_frame, 12); @@ -463,7 +449,9 @@ int legic_read_byte(int byte_index, int cmd_sz) { Dbprintf("!!! crc mismatch: expected %x but got %x !!!", calcCrc, crc); return -1; } - legic_prng_forward(4); + + +// legic_prng_forward(2); // 460 / 100 = 4.6 iterations return byte; } @@ -499,7 +487,7 @@ int legic_write_byte(uint8_t byte, uint16_t addr, uint8_t addr_sz) { legic_prng_forward(2); /* we wait anyways */ - Wait(TAG_FRAME_WAIT); + WaitUS(TAG_FRAME_WAIT); frame_sendAsReader(cmd, cmd_sz); @@ -511,7 +499,7 @@ int legic_write_byte(uint8_t byte, uint16_t addr, uint8_t addr_sz) { int t, old_level = 0, edges = 0; int next_bit_at = 0; - Wait(TAG_FRAME_WAIT); + WaitUS(TAG_FRAME_WAIT); for( t = 0; t < 80; ++t) { edges = 0; @@ -527,13 +515,13 @@ int legic_write_byte(uint8_t byte, uint16_t addr, uint8_t addr_sz) { int t = timer->TC_CV; int c = t / TAG_BIT_PERIOD; - ResetClock(); + ResetTimer(timer); legic_prng_forward(c); return 0; } } - ResetClock(); + ResetTimer(timer); return -1; } @@ -542,13 +530,14 @@ int LegicRfReader(int offset, int bytes, int iv) { uint16_t byte_index = 0; uint8_t cmd_sz = 0; int card_sz = 0; - + uint8_t isOK = 1; + if ( MF_DBGLEVEL >= 2) - Dbprintf("setting up legic card, IV = 0x%03.3x", iv); + Dbprintf("setting up legic card, IV = 0x%02x", iv); LegicCommonInit(); - uint32_t tag_type = perform_setup_phase_rwd(iv); + uint32_t tag_type = setup_phase_reader(iv); //we lose to mutch time with dprintf switch_off_tag_rwd(); @@ -571,7 +560,9 @@ int LegicRfReader(int offset, int bytes, int iv) { break; default: if ( MF_DBGLEVEL >= 1) Dbprintf("Unknown card format: %x", tag_type); - return 1; + isOK = 0; + goto OUT; + break; } if (bytes == -1) bytes = card_sz; @@ -580,28 +571,27 @@ int LegicRfReader(int offset, int bytes, int iv) { bytes = card_sz - offset; // Start setup and read bytes. - perform_setup_phase_rwd(iv); - + setup_phase_reader(iv); + LED_B_ON(); while (byte_index < bytes) { int r = legic_read_byte(byte_index + offset, cmd_sz); if (r == -1 || BUTTON_PRESS()) { - switch_off_tag_rwd(); - LEDsoff(); if ( MF_DBGLEVEL >= 2) DbpString("operation aborted"); - cmd_send(CMD_ACK,0,0,0,0,0); - return 1; + isOK = 0; + goto OUT; } cardmem[++byte_index] = r; - //byte_index++; + //byte_index++; WDT_HIT(); } +OUT: switch_off_tag_rwd(); LEDsoff(); uint8_t len = (bytes & 0x3FF); - cmd_send(CMD_ACK,1,len,0,0,0); + cmd_send(CMD_ACK,isOK,len,0,cardmem,len); return 0; } @@ -609,7 +599,7 @@ int LegicRfReader(int offset, int bytes, int iv) { int byte_index=0; LED_B_ON(); - perform_setup_phase_rwd(iv); + setup_phase_reader(iv); //legic_prng_forward(2); while(byte_index < bytes) { int r; @@ -654,7 +644,7 @@ void LegicRfWriter(int offset, int bytes, int iv) { if ( MF_DBGLEVEL >= 2) DbpString("setting up legic card"); - uint32_t tag_type = perform_setup_phase_rwd(iv); + uint32_t tag_type = setup_phase_reader(iv); switch_off_tag_rwd(); @@ -689,7 +679,7 @@ void LegicRfWriter(int offset, int bytes, int iv) { } LED_B_ON(); - perform_setup_phase_rwd(iv); + setup_phase_reader(iv); int r = 0; while(byte_index < bytes) { @@ -730,7 +720,7 @@ void LegicRfRawWriter(int address, int byte, int iv) { if ( MF_DBGLEVEL >= 2) DbpString("setting up legic card"); - uint32_t tag_type = perform_setup_phase_rwd(iv); + uint32_t tag_type = setup_phase_reader(iv); switch_off_tag_rwd(); @@ -767,7 +757,7 @@ void LegicRfRawWriter(int address, int byte, int iv) { Dbprintf("integer value: %d address: %d addr_sz: %d", byte, address, addr_sz); LED_B_ON(); - perform_setup_phase_rwd(iv); + setup_phase_reader(iv); int r = legic_write_byte(byte, address, addr_sz); @@ -795,7 +785,7 @@ static void frame_handle_tag(struct legic_frame const * const f) LED_C_ON(); // Reset prng timer - Reset(prng_timer); + ResetTimer(prng_timer); legic_prng_init(f->data); frame_send_tag(0x3d, 6, 1); /* 0x3d^0x26 = 0x1B */ @@ -805,8 +795,8 @@ static void frame_handle_tag(struct legic_frame const * const f) legic_prng_iv = f->data; - ResetClock(); - Wait(280); + ResetTimer(timer); + WaitUS(280); return; } @@ -817,8 +807,8 @@ static void frame_handle_tag(struct legic_frame const * const f) if((f->bits == 6) && (f->data == xored)) { legic_state = STATE_CON; - ResetClock(); - Wait(200); + ResetTimer(timer); + WaitUS(200); return; } else { @@ -844,9 +834,9 @@ static void frame_handle_tag(struct legic_frame const * const f) frame_send_tag(hash | data, 12, 1); - ResetClock(); + ResetTimer(timer); legic_prng_forward(2); - Wait(180); + WaitUS(180); return; } } @@ -997,10 +987,6 @@ void LegicRfSimulate(int phase, int frame, int reqresp) LEDsoff(); } -//----------------------------------------------------------------------------- -//----------------------------------------------------------------------------- - - //----------------------------------------------------------------------------- // Code up a string of octets at layer 2 (including CRC, we don't generate // that here) so that they can be transmitted to the reader. Doesn't transmit