//-----------------------------------------------------------------------------
void FpgaSetupSscDma(uint8_t *buf, int len)
{
+ AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
+
AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) buf;
AT91C_BASE_PDC_SSC->PDC_RCR = len;
AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) buf;
AT91C_BASE_PDC_SSC->PDC_RNCR = len;
- AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;
+
+ if (buf != NULL) {
+ AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;
+ }
}
static void DownloadFPGA_byte(unsigned char w)
if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
- Dbprintf("RxEmpty ERROR!!! %d", dataLen); // temporary
}
// secondary buffer sets as primary, secondary buffer was stopped
if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
// param:
// bit 0 - trigger from first card answer
// bit 1 - trigger from first reader 7-bit request
-
+
+ // C(red) A(yellow) B(green)
LEDsoff();
// init trace buffer
traceLen = 0;
int8_t *data = dmaBuf;
int maxDataLen = 0;
int dataLen = 0;
-// data = dmaBuf;
// Set up the demodulator for tag -> reader responses.
Demod.output = receivedResponse;
LED_D_OFF();
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+
+ // init sniffer
+ MfSniffInit();
+ int sniffCounter = 0;
- // Count of samples received so far, so that we can include timing
- // information in the trace buffer.
- rsamples = 0;
// And now we loop, receiving samples.
while(true) {
if(BUTTON_PRESS()) {
LED_A_ON();
WDT_HIT();
+
+ if (++sniffCounter > 65) {
+ if (MfSniffSend(2000)) {
+ AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;
+ }
+ sniffCounter = 0;
+ }
int register readBufDataP = data - dmaBuf;
int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
LED_A_OFF();
- rsamples += 4;
if(MillerDecoding((data[0] & 0xF0) >> 4)) {
- LED_C_ON();
+ LED_C_INV();
// check - if there is a short 7bit request from reader
- if ((Uart.byteCnt == 1) && (Uart.bitCnt = 9)) {
-
- }
- if (!LogTrace(receivedCmd, Uart.byteCnt, 0 - Uart.samples, Uart.parityBits, TRUE)) break;
+ if (MfSniffLogic(receivedCmd, Uart.byteCnt, Uart.bitCnt, TRUE)) break;
/* And ready to receive another command. */
Uart.state = STATE_UNSYNCD;
- /* And also reset the demod code, which might have been */
- /* false-triggered by the commands from the reader. */
+
+ /* And also reset the demod code */
Demod.state = DEMOD_UNSYNCD;
- LED_B_OFF();
}
if(ManchesterDecoding(data[0] & 0x0F)) {
- LED_B_ON();
+ LED_C_INV();
- if (!LogTrace(receivedResponse, Demod.len, 0 - Demod.samples, Demod.parityBits, FALSE)) break;
+ if (MfSniffLogic(receivedResponse, Demod.len, Uart.bitCnt, FALSE)) break;
// And ready to receive another response.
memset(&Demod, 0, sizeof(Demod));
Demod.output = receivedResponse;
Demod.state = DEMOD_UNSYNCD;
- LED_C_OFF();
+
+ /* And also reset the uart code */
+ Uart.state = STATE_UNSYNCD;
}
data++;
done:
AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
+ MfSniffEnd();
+
Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.byteCnt=%x", maxDataLen, Uart.state, Uart.byteCnt);
- Dbprintf("Uart.byteCntMax=%x, traceLen=%x, Uart.output[0]=%x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
+ Dbprintf("Uart.byteCntMax=%x, traceLen=%x", Uart.byteCntMax, traceLen);
LEDsoff();
}
\ No newline at end of file
#ifndef __ISO14443A_H
#define __ISO14443A_H
#include "common.h"
+#include "mifaresniff.h"
// mifare reader over DMA buffer (SnoopIso14443a())!!!
#define MIFARE_BUFF_OFFSET 3560 // \/ \/ \/
#include "mifaresniff.h"\r
#include "apps.h"\r
\r
+static int sniffState = SNF_INIT;\r
+static uint8_t sniffUIDType;\r
+static uint8_t sniffUID[8];\r
+static uint8_t sniffATQA[2];\r
+static uint8_t sniffSAK;\r
+static uint8_t sniffBuf[16];\r
+static int timerData = 0;\r
\r
\r
+int MfSniffInit(void){\r
+ rsamples = 0;\r
+ memset(sniffUID, 0x00, 8);\r
+ memset(sniffATQA, 0x00, 2);\r
+ sniffSAK = 0;\r
+ sniffUIDType = SNF_UID_4;\r
+\r
+ return 0;\r
+}\r
+\r
+int MfSniffEnd(void){\r
+ UsbCommand ack = {CMD_ACK, {0, 0, 0}};\r
+\r
+ LED_B_ON();\r
+ UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));\r
+ LED_B_OFF();\r
+\r
+ return 0;\r
+}\r
+\r
+int RAMFUNC MfSniffLogic(const uint8_t * data, int len, int bitCnt, int reader) {\r
+\r
+ if ((len == 1) && (bitCnt = 9)) { \r
+ sniffState = SNF_INIT;\r
+ }\r
+\r
+ switch (sniffState) {\r
+ case SNF_INIT:{\r
+ if ((reader) && (len == 1) && (bitCnt == 9) && ((data[0] == 0x26) || (data[0] == 0x52))) { \r
+ sniffUIDType = SNF_UID_4;\r
+ memset(sniffUID, 0x00, 8);\r
+ memset(sniffATQA, 0x00, 2);\r
+ sniffSAK = 0;\r
+\r
+ sniffState = SNF_WUPREQ;\r
+ }\r
+ break;\r
+ }\r
+ case SNF_WUPREQ:{\r
+ if ((!reader) && (len == 2)) { \r
+ memcpy(sniffATQA, data, 2);\r
+\r
+ sniffState = SNF_ATQA;\r
+ }\r
+ break;\r
+ }\r
+ case SNF_ATQA:{\r
+ if ((reader) && (len == 2) && (data[0] == 0x93) && (data[1] == 0x20)) { \r
+ sniffState = SNF_ANTICOL1;\r
+ }\r
+ break;\r
+ }\r
+ case SNF_ANTICOL1:{\r
+ if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { \r
+ memcpy(sniffUID + 3, data, 4);\r
+ \r
+ sniffState = SNF_UID1;\r
+ }\r
+ break;\r
+ }\r
+ case SNF_UID1:{\r
+ if ((reader) && (len == 9) && (data[0] == 0x93) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) { \r
+ sniffState = SNF_SAK;\r
+ }\r
+ break;\r
+ }\r
+ case SNF_SAK:{\r
+ if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) { \r
+ sniffSAK = data[0];\r
+ if (sniffUID[3] == 0x88) {\r
+ sniffState = SNF_ANTICOL2;\r
+ } else {\r
+ sniffState = SNF_CARD_IDLE;\r
+ }\r
+ }\r
+ break;\r
+ }\r
+ case SNF_ANTICOL2:{\r
+ if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { \r
+ memcpy(sniffUID, data, 4);\r
+ sniffUIDType = SNF_UID_7;\r
+ \r
+ sniffState = SNF_UID2;\r
+ }\r
+ break;\r
+ }\r
+ case SNF_UID2:{\r
+ if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) { \r
+ sniffState = SNF_SAK;\r
+ Dbprintf("SNF_SAK"); \r
+ }\r
+ break;\r
+ }\r
+ case SNF_CARD_IDLE:{\r
+ sniffBuf[0] = 0xFF;\r
+ sniffBuf[1] = 0xFF;\r
+ memcpy(sniffBuf + 2, sniffUID, 7);\r
+ memcpy(sniffBuf + 9, sniffATQA, 2);\r
+ sniffBuf[11] = sniffSAK;\r
+ sniffBuf[12] = 0xFF;\r
+ sniffBuf[13] = 0xFF;\r
+ LogTrace(sniffBuf, 14, 0, 0, true);\r
+ timerData = GetTickCount();\r
+ }\r
+ case SNF_CARD_CMD:{\r
+ LogTrace(data, len, 0, 0, true);\r
+\r
+ sniffState = SNF_CARD_RESP;\r
+ timerData = GetTickCount();\r
+ break;\r
+ }\r
+ case SNF_CARD_RESP:{\r
+ LogTrace(data, len, 0, 0, false);\r
+\r
+ sniffState = SNF_CARD_CMD;\r
+ timerData = GetTickCount();\r
+ break;\r
+ }\r
+ \r
+ default:\r
+ sniffState = SNF_INIT;\r
+ break;\r
+ }\r
+\r
+ return 0;\r
+}\r
+\r
+int RAMFUNC MfSniffSend(int maxTimeoutMs) {\r
+ if (traceLen && (timerData + maxTimeoutMs < GetTickCount())) {\r
+ return intMfSniffSend();\r
+ }\r
+ return 0;\r
+}\r
+\r
+// internal seding function. not a RAMFUNC.\r
+int intMfSniffSend() {\r
+ \r
+ int pckSize = 0;\r
+ int pckLen = traceLen;\r
+ int pckNum = 0;\r
+ \r
+ if (!traceLen) return 0;\r
+\r
+ AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;\r
+\r
+ while (pckLen > 0) {\r
+ pckSize = min(32, pckLen);\r
+ UsbCommand ack = {CMD_ACK, {1, pckSize, pckNum}};\r
+ memcpy(ack.d.asBytes, trace + traceLen - pckLen, pckSize);\r
+ \r
+ LED_B_ON();\r
+ UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));\r
+ SpinDelay(20);\r
+ LED_B_OFF();\r
+\r
+ pckLen -= pckSize;\r
+ pckNum++;\r
+ }\r
+\r
+ UsbCommand ack = {CMD_ACK, {2, 0, 0}};\r
+\r
+ LED_B_ON();\r
+ UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));\r
+ LED_B_OFF();\r
+\r
+ traceLen = 0;\r
+ memset(trace, 0x44, TRACE_SIZE);\r
+ \r
+ return 1;\r
+}\r
#include "mifareutil.h"\r
#include "common.h"\r
\r
+#define SNF_INIT 0\r
+#define SNF_NO_FIELD 1\r
+#define SNF_WUPREQ 2\r
+#define SNF_ATQA 3\r
+#define SNF_ANTICOL1 4\r
+#define SNF_UID1 5\r
+#define SNF_ANTICOL2 6\r
+#define SNF_UID2 7\r
+#define SNF_SAK 8\r
+#define SNF_CARD_IDLE 9\r
+#define SNF_CARD_CMD 10\r
+#define SNF_CARD_RESP 11\r
+\r
+#define SNF_UID_4 0\r
+#define SNF_UID_7 0\r
+\r
+int MfSniffInit(void);\r
+int RAMFUNC MfSniffLogic(const uint8_t * data, int len, int bitCnt, int reader);\r
+int RAMFUNC MfSniffSend(int maxTimeoutMs);\r
+int intMfSniffSend();\r
+int MfSniffEnd(void);\r
\r
#endif
\ No newline at end of file
#define RAMFUNC __attribute((long_call, section(".ramfunc")))
#define BYTEx(x, n) (((x) >> (n * 8)) & 0xff )
+#define min(a, b) (((a) > (b)) ? (b) : (a))
#define LED_RED 1
#define LED_ORANGE 2
// message\r
printf("-------------------------------------------------------------------------\n");\r
printf("Executing command. It may take up to 30 min.\n");\r
- printf("Press the key on proxmark3 device to abort proxmark3.\n");\r
printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");\r
printf("-------------------------------------------------------------------------\n");\r
\r
}\r
\r
int CmdHF14AMfSniff(const char *Cmd){\r
+ int res = 0;\r
+ int len = 0;\r
+ int blockLen = 0;\r
+ int num = 0;\r
+ int pckNum = 0;\r
+ uint8_t uid[8];\r
+ uint8_t atqa[2];\r
+ uint8_t sak;\r
+ bool isTag;\r
+ uint8_t buf[3000];\r
+ uint8_t * bufPtr = buf;\r
+ memset(buf, 0x00, 3000);\r
\r
if (param_getchar(Cmd, 0) == 'h') {\r
PrintAndLog("Usage: hf mf sniff ");\r
return 0;\r
} \r
\r
+ printf("-------------------------------------------------------------------------\n");\r
+ printf("Executing command. \n");\r
+ printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");\r
+ printf("Press the key on pc keyboard to abort the client.\n");\r
+ printf("-------------------------------------------------------------------------\n");\r
+\r
UsbCommand c = {CMD_MIFARE_SNIFFER, {0, 0, 0}};\r
SendCommand(&c);\r
\r
+ // wait cycle\r
+ while (true) {\r
+ printf(".");\r
+ fflush(stdout);\r
+ if (ukbhit()) {\r
+ getchar();\r
+ printf("\naborted via keyboard!\n");\r
+ break;\r
+ }\r
+ \r
+ UsbCommand * resp = WaitForResponseTimeout(CMD_ACK, 2000);\r
+ if (resp != NULL) {\r
+ res = resp->arg[0] & 0xff;\r
+ len = resp->arg[1];\r
+ num = resp->arg[2];\r
+ \r
+ if (res == 0) return 0;\r
+ if (res == 1) {\r
+ if (num ==0) {\r
+ bufPtr = buf;\r
+ memset(buf, 0x00, 3000);\r
+ }\r
+ memcpy(bufPtr, resp->d.asBytes, len);\r
+ bufPtr += len;\r
+ pckNum++;\r
+ }\r
+ if (res == 2) {\r
+ blockLen = bufPtr - buf;\r
+ bufPtr = buf;\r
+ printf(">\n");\r
+ PrintAndLog("received trace len: %d packages: %d", blockLen, pckNum);\r
+ num = 0;\r
+ while (bufPtr - buf + 9 < blockLen) {\r
+ isTag = bufPtr[3] & 0x80 ? true:false;\r
+ bufPtr += 8;\r
+ len = bufPtr[0];\r
+ bufPtr++;\r
+ if ((len == 14) && (bufPtr[0] = 0xff) && (bufPtr[1] = 0xff)) {\r
+ memcpy(uid, bufPtr + 2, 7);\r
+ memcpy(atqa, bufPtr + 2 + 7, 2);\r
+ sak = bufPtr[11];\r
+ PrintAndLog("tag select uid:%s atqa:%02x %02x sak:0x%02x", sprint_hex(uid, 7), atqa[0], atqa[1], sak);\r
+ } else {\r
+ PrintAndLog("%s(%d):%s", isTag ? "TAG":"RDR", num, sprint_hex(bufPtr, len));\r
+ }\r
+ bufPtr += len;\r
+ num++;\r
+ }\r
+ }\r
+ } // resp not NILL\r
+ } // while (true)\r
return 0;\r
}\r
\r
}
void ComputeCrc14443(int CrcType,
- unsigned char *Data, int Length,
+ const unsigned char *Data, int Length,
unsigned char *TransmitFirst,
unsigned char *TransmitSecond)
{
*TransmitSecond = (unsigned char) ((wCrc >> 8) & 0xFF);
return;
}
+
+int CheckCrc14443(int CrcType, const unsigned char *Data, int Length) {
+ unsigned char b1;
+ unsigned char b2;
+ if (Length < 3) return 0;
+ ComputeCrc14443(CrcType, Data, Length - 2, &b1, &b2);
+ if ((b1 == Data[Length - 2]) && (b2 == Data[Length - 1])) return 1;
+ return 0;
+}
#ifndef __ISO14443CRC_H
#define __ISO14443CRC_H
+#include "common.h"
//-----------------------------------------------------------------------------
// Routines to compute the CRCs (two different flavours, just for confusion)
#define CRC_ICLASS 0xE012 /* ICLASS PRERFIX */
void ComputeCrc14443(int CrcType,
- unsigned char *Data, int Length,
+ const unsigned char *Data, int Length,
unsigned char *TransmitFirst,
unsigned char *TransmitSecond);
+int CheckCrc14443(int CrcType, const unsigned char *Data, int Length);
#endif
#define UDP_CSR_BYTES_RECEIVED(x) (((x) >> 16) & 0x7ff)
//**************************************************************
-#define LOW(x) AT91C_BASE_PIOA->PIO_CODR = (x)
-#define HIGH(x) AT91C_BASE_PIOA->PIO_SODR = (x)
+#define LOW(x) AT91C_BASE_PIOA->PIO_CODR = (x)
+#define HIGH(x) AT91C_BASE_PIOA->PIO_SODR = (x)
+#define GETBIT(x) (AT91C_BASE_PIOA->PIO_ODSR & (x)) ? 1:0
+#define SETBIT(x, y) (y) ? (HIGH(x)):(LOW(x))
+#define INVBIT(x) SETBIT((x), !(GETBIT(x)))
#define SPI_FPGA_MODE 0
#define SPI_LCD_MODE 1
#define LED_A_ON() HIGH(GPIO_LED_A)
#define LED_A_OFF() LOW(GPIO_LED_A)
+#define LED_A_INV() INVBIT(GPIO_LED_A)
#define LED_B_ON() HIGH(GPIO_LED_B)
#define LED_B_OFF() LOW(GPIO_LED_B)
+#define LED_B_INV() INVBIT(GPIO_LED_B)
#define LED_C_ON() HIGH(GPIO_LED_C)
#define LED_C_OFF() LOW(GPIO_LED_C)
+#define LED_C_INV() INVBIT(GPIO_LED_C)
#define LED_D_ON() HIGH(GPIO_LED_D)
#define LED_D_OFF() LOW(GPIO_LED_D)
+#define LED_D_INV() INVBIT(GPIO_LED_D)
#define RELAY_ON() HIGH(GPIO_RELAY)
#define RELAY_OFF() LOW(GPIO_RELAY)
#define BUTTON_PRESS() !(AT91C_BASE_PIOA->PIO_PDSR & GPIO_BUTTON)