diff --git a/armsrc/BigBuf.c b/armsrc/BigBuf.c index f41801a26..5737319d0 100644 --- a/armsrc/BigBuf.c +++ b/armsrc/BigBuf.c @@ -22,29 +22,56 @@ extern uint8_t _stack_start, __bss_end__; static uint8_t *BigBuf = &__bss_end__; /* BigBuf memory layout: -Pointer to highest available memory: BigBuf_hi - high BigBuf_size - reserved = BigBuf_malloc() subtracts amount from BigBuf_hi, +Pointer to highest available memory: s_bigbuf_hi + high s_bigbuf_size + reserved = BigBuf_malloc() subtracts amount from s_bigbuf_hi, low 0x00 */ -static uint32_t BigBuf_size = 0; +static uint32_t s_bigbuf_size = 0; // High memory mark -static uint32_t BigBuf_hi = 0; +static uint32_t s_bigbuf_hi = 0; // pointer to the emulator memory. static uint8_t *emulator_memory = NULL; +//============================================================================= +// The ToSend buffer. +// A buffer where we can queue things up to be sent through the FPGA, for +// any purpose (fake tag, as reader, whatever). We go MSB first, since that +// is the order in which they go out on the wire. +//============================================================================= +static tosend_t toSend = { + .max = -1, + .bit = 8, + .buf = NULL +}; +//============================================================================= +// The dmaBuf 16bit buffer. +// A buffer where we recive IQ samples sent from the FPGA, for demodulating +//============================================================================= +static dmabuf16_t dma_16 = { + .size = DMA_BUFFER_SIZE, + .buf = NULL +}; +// dmaBuf 8bit buffer +static dmabuf8_t dma_8 = { + .size = DMA_BUFFER_SIZE, + .buf = NULL +}; + + + // trace related variables -static uint32_t traceLen = 0; +static uint32_t trace_len = 0; static bool tracing = true; // compute the available size for BigBuf void BigBuf_initialize(void) { - BigBuf_size = (uint32_t)&_stack_start - (uint32_t)&__bss_end__; - BigBuf_hi = BigBuf_size; - traceLen = 0; + s_bigbuf_size = (uint32_t)&_stack_start - (uint32_t)&__bss_end__; + s_bigbuf_hi = s_bigbuf_size; + trace_len = 0; } // get the address of BigBuf @@ -53,7 +80,7 @@ uint8_t *BigBuf_get_addr(void) { } uint32_t BigBuf_get_size(void) { - return BigBuf_size; + return s_bigbuf_size; } // get the address of the emulator memory. Allocate part of Bigbuf for it, if not yet done @@ -64,6 +91,11 @@ uint8_t *BigBuf_get_EM_addr(void) { return emulator_memory; } +/* +uint32_t BigBuf_get_EM_size(void) { + return CARD_MEMORY_SIZE; +} +*/ // clear ALL of BigBuf void BigBuf_Clear(void) { @@ -72,9 +104,9 @@ void BigBuf_Clear(void) { // clear ALL of BigBuf void BigBuf_Clear_ext(bool verbose) { - memset(BigBuf, 0, BigBuf_size); + memset(BigBuf, 0, s_bigbuf_size); if (verbose) - Dbprintf("Buffer cleared (%i bytes)", BigBuf_size); + Dbprintf("Buffer cleared (%i bytes)", s_bigbuf_size); } void BigBuf_Clear_EM(void) { @@ -82,57 +114,66 @@ void BigBuf_Clear_EM(void) { } void BigBuf_Clear_keep_EM(void) { - memset(BigBuf, 0, BigBuf_hi); + memset(BigBuf, 0, s_bigbuf_hi); } // allocate a chunk of memory from BigBuf. We allocate high memory first. The unallocated memory // at the beginning of BigBuf is always for traces/samples uint8_t *BigBuf_malloc(uint16_t chunksize) { - if (BigBuf_hi < chunksize) + if (s_bigbuf_hi < chunksize) return NULL; // no memory left chunksize = (chunksize + 3) & 0xfffc; // round to next multiple of 4 - BigBuf_hi -= chunksize; // aligned to 4 Byte boundary - return (uint8_t *)BigBuf + BigBuf_hi; + s_bigbuf_hi -= chunksize; // aligned to 4 Byte boundary + return (uint8_t *)BigBuf + s_bigbuf_hi; } // free ALL allocated chunks. The whole BigBuf is available for traces or samples again. void BigBuf_free(void) { - BigBuf_hi = BigBuf_size; + s_bigbuf_hi = s_bigbuf_size; emulator_memory = NULL; // shouldn't this empty BigBuf also? + toSend.buf = NULL; + dma_16.buf = NULL; + dma_8.buf = NULL; } // free allocated chunks EXCEPT the emulator memory void BigBuf_free_keep_EM(void) { if (emulator_memory != NULL) - BigBuf_hi = emulator_memory - (uint8_t *)BigBuf; + s_bigbuf_hi = emulator_memory - (uint8_t *)BigBuf; else - BigBuf_hi = BigBuf_size; + s_bigbuf_hi = s_bigbuf_size; - // shouldn't this empty BigBuf also? + toSend.buf = NULL; + dma_16.buf = NULL; + dma_8.buf = NULL; } void BigBuf_print_status(void) { DbpString(_CYAN_("Memory")); - Dbprintf(" BigBuf_size.............%d", BigBuf_size); - Dbprintf(" Available memory........%d", BigBuf_hi); + Dbprintf(" BigBuf_size.............%d", s_bigbuf_size); + Dbprintf(" Available memory........%d", s_bigbuf_hi); DbpString(_CYAN_("Tracing")); Dbprintf(" tracing ................%d", tracing); - Dbprintf(" traceLen ...............%d", traceLen); + Dbprintf(" traceLen ...............%d", trace_len); + + Dbprintf(" dma8 memory.............%d", dma_8.buf - BigBuf_get_addr()); + Dbprintf(" dma16 memory............%d", (uint8_t*)dma_16.buf - BigBuf_get_addr()); + Dbprintf(" toSend memory...........%d", toSend.buf - BigBuf_get_addr() ); } // return the maximum trace length (i.e. the unallocated size of BigBuf) uint16_t BigBuf_max_traceLen(void) { - return BigBuf_hi; + return s_bigbuf_hi; } void clear_trace(void) { - traceLen = 0; + trace_len = 0; } void set_tracelen(uint32_t value) { - traceLen = value; + trace_len = value; } void set_tracing(bool enable) { @@ -148,7 +189,7 @@ bool get_tracing(void) { * @return */ uint32_t BigBuf_get_traceLen(void) { - return traceLen; + return trace_len; } /** @@ -158,16 +199,18 @@ uint32_t BigBuf_get_traceLen(void) { annotation of commands/responses. **/ bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag) { - if (!tracing) return false; + if (tracing == false) { + return false; + } uint8_t *trace = BigBuf_get_addr(); - tracelog_hdr_t *hdr = (tracelog_hdr_t *)(trace + traceLen); + tracelog_hdr_t *hdr = (tracelog_hdr_t *)(trace + trace_len); uint32_t num_paritybytes = (iLen - 1) / 8 + 1; // number of valid paritybytes in *parity // Return when trace is full - if (TRACELOG_HDR_LEN + iLen + num_paritybytes >= BigBuf_max_traceLen() - traceLen) { - tracing = false; // don't trace any more + if (TRACELOG_HDR_LEN + iLen + num_paritybytes >= BigBuf_max_traceLen() - trace_len) { + tracing = false; return false; } @@ -178,39 +221,48 @@ bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_ duration = (UINT32_MAX - timestamp_start) + timestamp_end; } - if (duration > 0x7FFF) { + if (duration > 0xFFFF) { + /* if (DBGLEVEL >= DBG_DEBUG) { - Dbprintf("Error in LogTrace: duration too long for 15 bits encoding: 0x%08x start:0x%08x end:0x%08x", duration, timestamp_start, timestamp_end); - Dbprintf("Forcing duration = 0"); + Dbprintf("Error in LogTrace: duration too long for 16 bits encoding: 0x%08x start: 0x%08x end: 0x%08x", duration, timestamp_start, timestamp_end); } + */ duration = 0; } - + hdr->timestamp = timestamp_start; - hdr->duration = duration; + hdr->duration = duration & 0xFFFF; hdr->data_len = iLen; hdr->isResponse = !readerToTag; - traceLen += TRACELOG_HDR_LEN; + trace_len += TRACELOG_HDR_LEN; // data bytes if (btBytes != NULL && iLen != 0) { - memcpy(trace + traceLen, btBytes, iLen); + memcpy(hdr->frame, btBytes, iLen); + trace_len += iLen; } - traceLen += iLen; // parity bytes if (num_paritybytes != 0) { if (parity != NULL) { - memcpy(trace + traceLen, parity, num_paritybytes); + memcpy(trace + trace_len, parity, num_paritybytes); } else { - memset(trace + traceLen, 0x00, num_paritybytes); + memset(trace + trace_len, 0x00, num_paritybytes); } + trace_len += num_paritybytes; } - traceLen += num_paritybytes; - return true; } +// specific LogTrace function for ISO15693: the duration needs to be scaled because otherwise it won't fit into a uint16_t +bool LogTrace_ISO15693(const uint8_t *bytes, uint16_t len, uint32_t ts_start, uint32_t ts_end, uint8_t *parity, bool reader2tag) { + uint32_t duration = ts_end - ts_start; + duration /= 32; + ts_end = ts_start + duration; + return LogTrace(bytes, len, ts_start, ts_end, parity, reader2tag); +} + + // Emulator memory uint8_t emlSet(uint8_t *data, uint32_t offset, uint32_t length) { uint8_t *mem = BigBuf_get_EM_addr(); @@ -221,3 +273,51 @@ uint8_t emlSet(uint8_t *data, uint32_t offset, uint32_t length) { Dbprintf("Error, trying to set memory outside of bounds! %d > %d", (offset + length), CARD_MEMORY_SIZE); return 1; } + + + +// get the address of the ToSend buffer. Allocate part of Bigbuf for it, if not yet done +tosend_t *get_tosend(void) { + + if (toSend.buf == NULL) + toSend.buf = BigBuf_malloc(TOSEND_BUFFER_SIZE); + + return &toSend; +} + +void tosend_reset(void) { + toSend.max = -1; + toSend.bit = 8; +} + +void tosend_stuffbit(int b) { + if (toSend.bit >= 8) { + toSend.max++; + toSend.buf[toSend.max] = 0; + toSend.bit = 0; + } + + if (b) + toSend.buf[ toSend.max] |= (1 << (7 - toSend.bit)); + + toSend.bit++; + + if (toSend.max >= TOSEND_BUFFER_SIZE) { + toSend.bit = 0; + } +} + +dmabuf16_t *get_dma16(void) { + if (dma_16.buf == NULL) + dma_16.buf = (uint16_t*)BigBuf_malloc(DMA_BUFFER_SIZE * sizeof(uint16_t)); + + return &dma_16; +} + +dmabuf8_t *get_dma8(void) { + if (dma_8.buf == NULL) + dma_8.buf = BigBuf_malloc(DMA_BUFFER_SIZE); + + return &dma_8; +} + diff --git a/armsrc/BigBuf.h b/armsrc/BigBuf.h index 60857e82a..8b570cb8c 100644 --- a/armsrc/BigBuf.h +++ b/armsrc/BigBuf.h @@ -19,7 +19,10 @@ #define MAX_MIFARE_FRAME_SIZE 18 // biggest Mifare frame is answer to a read (one block = 16 Bytes) + 2 Bytes CRC #define MAX_MIFARE_PARITY_SIZE 3 // need 18 parity bits for the 18 Byte above. 3 Bytes are enough to store these #define CARD_MEMORY_SIZE 4096 -#define DMA_BUFFER_SIZE 256 //128 (how big is the dma?!? +#define DMA_BUFFER_SIZE 256 + +// 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits +#define TOSEND_BUFFER_SIZE (9 * MAX_FRAME_SIZE + 1 + 1 + 2) uint8_t *BigBuf_get_addr(void); uint32_t BigBuf_get_size(void); @@ -39,7 +42,34 @@ void clear_trace(void); void set_tracing(bool enable); void set_tracelen(uint32_t value); bool get_tracing(void); + bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag); +bool LogTrace_ISO15693(const uint8_t *bytes, uint16_t len, uint32_t ts_start, uint32_t ts_end, uint8_t *parity, bool reader2tag); + + uint8_t emlSet(uint8_t *data, uint32_t offset, uint32_t length); + +typedef struct { + int max; + int bit; + uint8_t *buf; +} tosend_t; + +tosend_t *get_tosend(void); +void tosend_reset(void); +void tosend_stuffbit(int b); + +typedef struct { + uint16_t size; + uint8_t *buf; +} dmabuf8_t; + +typedef struct { + uint16_t size; + uint16_t *buf; +} dmabuf16_t; + +dmabuf8_t *get_dma8(void); +dmabuf16_t *get_dma16(void); #endif /* __BIGBUF_H */ diff --git a/armsrc/Makefile b/armsrc/Makefile index 1bbbf2ba7..2768ab3a4 100644 --- a/armsrc/Makefile +++ b/armsrc/Makefile @@ -30,7 +30,7 @@ SRC_ISO14443b = iso14443b.c SRC_FELICA = felica.c SRC_CRAPTO1 = crypto1.c des.c desfire_crypto.c mifaredesfire.c aes.c platform_util.c SRC_CRC = crc.c crc16.c crc32.c -SRC_ICLASS = iclass.c optimized_cipher.c +SRC_ICLASS = iclass.c optimized_cipherutils.c optimized_ikeys.c optimized_elite.c optimized_cipher.c SRC_LEGIC = legicrf.c legicrfsim.c legic_prng.c SRC_NFCBARCODE = thinfilm.c @@ -79,7 +79,7 @@ endif include Standalone/Makefile.inc #the FPGA bitstream files. Note: order matters! -FPGA_BITSTREAMS = fpga_lf.bit fpga_hf.bit +FPGA_BITSTREAMS = fpga_lf.bit fpga_hf.bit fpga_felica.bit #the lz4 source files required for decompressing the fpga config at run time SRC_LZ4 = lz4.c diff --git a/armsrc/Standalone/Makefile.hal b/armsrc/Standalone/Makefile.hal index c6dc9952e..bd66d538c 100644 --- a/armsrc/Standalone/Makefile.hal +++ b/armsrc/Standalone/Makefile.hal @@ -44,6 +44,9 @@ define KNOWN_STANDALONE_DEFINITIONS | HF_COLIN | Mifare ultra fast sniff/sim/clone | | (RDV4 only) | - Colin Brigato | +----------------------------------------------------------+ +| HF_ICECLASS | Simulate HID iCLASS legacy ags | +| (RDV4 only) | storing in flashmem | ++----------------------------------------------------------+ | HF_LEGIC | Read/simulate Legic Prime tags | | | storing in flashmem | +----------------------------------------------------------+ @@ -59,9 +62,9 @@ define KNOWN_STANDALONE_DEFINITIONS endef STANDALONE_MODES := LF_SKELETON LF_EM4100EMUL LF_EM4100RSWB LF_EM4100RWC LF_HIDBRUTE LF_ICEHID LF_PROXBRUTE LF_SAMYRUN -STANDALONE_MODES += HF_14ASNIFF HF_BOG HF_COLIN HF_LEGIC HF_MATTYRUN HF_MSDSAL HF_YOUNG +STANDALONE_MODES += HF_14ASNIFF HF_BOG HF_COLIN HF_ICECLASS HF_LEGIC HF_MATTYRUN HF_MSDSAL HF_YOUNG STANDALONE_MODES_REQ_SMARTCARD := -STANDALONE_MODES_REQ_FLASH := LF_ICEHID HF_14ASNIFF HF_BOG HF_COLIN +STANDALONE_MODES_REQ_FLASH := LF_ICEHID HF_14ASNIFF HF_BOG HF_COLIN HF_ICECLASS ifneq ($(filter $(STANDALONE),$(STANDALONE_MODES)),) STANDALONE_PLATFORM_DEFS += -DWITH_STANDALONE_$(STANDALONE) ifneq ($(filter $(STANDALONE),$(STANDALONE_MODES_REQ_SMARTCARD)),) diff --git a/armsrc/Standalone/Makefile.inc b/armsrc/Standalone/Makefile.inc index a06cfe75e..131e26e79 100644 --- a/armsrc/Standalone/Makefile.inc +++ b/armsrc/Standalone/Makefile.inc @@ -57,7 +57,11 @@ endif ifneq (,$(findstring WITH_STANDALONE_HF_LEGIC,$(APP_CFLAGS))) SRC_STANDALONE = hf_legic.c endif -# WITH_STANDALONE_LF_MSDSAL +# WITH_STANDALONE_HF_MSDSAL ifneq (,$(findstring WITH_STANDALONE_HF_MSDSAL,$(APP_CFLAGS))) SRC_STANDALONE = hf_msdsal.c endif +# WITH_STANDALONE_HF_ICECLASS +ifneq (,$(findstring WITH_STANDALONE_HF_ICECLASS,$(APP_CFLAGS))) + SRC_STANDALONE = hf_iceclass.c +endif diff --git a/armsrc/Standalone/hf_iceclass.c b/armsrc/Standalone/hf_iceclass.c new file mode 100644 index 000000000..008401ab0 --- /dev/null +++ b/armsrc/Standalone/hf_iceclass.c @@ -0,0 +1,512 @@ +//----------------------------------------------------------------------------- +// Christian Herrmann, 2020 +// +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +//----------------------------------------------------------------------------- +// main code for hf_iceclass by Iceman +//----------------------------------------------------------------------------- +#include "standalone.h" // standalone definitions +#include "proxmark3_arm.h" +#include "appmain.h" +#include "BigBuf.h" +#include "fpgaloader.h" +#include "util.h" +#include "ticks.h" +#include "dbprint.h" +#include "spiffs.h" +#include "iclass.h" +#include "iso15693.h" +#include "optimized_cipher.h" +#include "pm3_cmd.h" +#include "protocols.h" + + +#define ICE_STATE_NONE 0 +#define ICE_STATE_FULLSIM 1 +#define ICE_STATE_ATTACK 2 +#define ICE_STATE_READER 3 +#define ICE_STATE_CONFIGCARD 4 + +// ==================================================== +// Select which standalone function to be active. +// 4 possiblities. Uncomment the one you wanna use. + +#define ICE_USE ICE_STATE_FULLSIM +//#define ICE_USE ICE_STATE_ATTACK +//#define ICE_USE ICE_STATE_READER +//#define ICE_USE ICE_STATE_CONFIGCARD + +// ==================================================== + + +#define NUM_CSNS 9 +#define MAC_RESPONSES_SIZE (16 * NUM_CSNS) +#define HF_ICLASS_FULLSIM_ORIG_BIN "iceclass-orig.bin" +#define HF_ICLASS_FULLSIM_MOD "iceclass-modified" +#define HF_ICLASS_FULLSIM_MOD_BIN HF_ICLASS_FULLSIM_MOD".bin" +#define HF_ICLASS_FULLSIM_MOD_EML HF_ICLASS_FULLSIM_MOD".eml" +#define HF_ICLASS_ATTACK_BIN "iclass_mac_attack" + +#define HF_ICLASS_CC_A "iceclass_cc_a.bin" +#define HF_ICLASS_CC_B "iceclass_cc_b.bin" +char* cc_files[] = { HF_ICLASS_CC_A, HF_ICLASS_CC_B }; + + + +// times in ssp_clk_cycles @ 3,3625MHz when acting as reader +#ifndef DELAY_ICLASS_VICC_TO_VCD_READER +#define DELAY_ICLASS_VICC_TO_VCD_READER DELAY_ISO15693_VICC_TO_VCD_READER +#endif + +#ifndef ICLASS_16KS_SIZE +#define ICLASS_16KS_SIZE 0x100 * 8 +#endif + +// iclass card descriptors +char * card_types[] = { + "PicoPass 16K / 16", // 000 + "PicoPass 32K with current book 16K / 16", // 001 + "Unknown Card Type!", // 010 + "Unknown Card Type!", // 011 + "PicoPass 2K", // 100 + "Unknown Card Type!", // 101 + "PicoPass 16K / 2", // 110 + "PicoPass 32K with current book 16K / 2", // 111 +}; + +uint8_t card_app2_limit[] = { + 0xff, + 0xff, + 0xff, + 0xff, + 0x1f, + 0xff, + 0xff, + 0xff, +}; + +static uint8_t aa2_key[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; +static uint8_t legacy_aa1_key[] = {0xAE, 0xA6, 0x84, 0xA6, 0xDA, 0xB2, 0x32, 0x78}; + +static bool have_aa2(void) { + return memcmp(aa2_key, "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8); +} + +static uint8_t get_pagemap(const picopass_hdr *hdr) { + return (hdr->conf.fuses & (FUSE_CRYPT0 | FUSE_CRYPT1)) >> 3; +} + +static uint8_t csns[8 * NUM_CSNS] = { + 0x01, 0x0A, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0, + 0x0C, 0x06, 0x0C, 0xFE, 0xF7, 0xFF, 0x12, 0xE0, + 0x10, 0x97, 0x83, 0x7B, 0xF7, 0xFF, 0x12, 0xE0, + 0x13, 0x97, 0x82, 0x7A, 0xF7, 0xFF, 0x12, 0xE0, + 0x07, 0x0E, 0x0D, 0xF9, 0xF7, 0xFF, 0x12, 0xE0, + 0x14, 0x96, 0x84, 0x76, 0xF7, 0xFF, 0x12, 0xE0, + 0x17, 0x96, 0x85, 0x71, 0xF7, 0xFF, 0x12, 0xE0, + 0xCE, 0xC5, 0x0F, 0x77, 0xF7, 0xFF, 0x12, 0xE0, + 0xD2, 0x5A, 0x82, 0xF8, 0xF7, 0xFF, 0x12, 0xE0 +}; + +static void download_instructions(uint8_t t) { + DbpString(""); + switch (t) { + case ICE_STATE_FULLSIM: { + DbpString("The emulator memory was saved to SPIFFS"); + DbpString("1. " _YELLOW_("mem spiffs dump o " HF_ICLASS_FULLSIM_MOD_BIN " f " HF_ICLASS_FULLSIM_MOD" e")); + DbpString("2. " _YELLOW_("hf iclass view f " HF_ICLASS_FULLSIM_MOD_BIN)); + break; + } + case ICE_STATE_ATTACK: { + DbpString("The collected data was saved to SPIFFS. The file names below may differ"); + DbpString("1. " _YELLOW_("mem spiffs tree")); + DbpString("2. " _YELLOW_("mem spiffs dump o " HF_ICLASS_ATTACK_BIN " f " HF_ICLASS_ATTACK_BIN)); + DbpString("3. " _YELLOW_("hf iclass loclass f " HF_ICLASS_ATTACK_BIN)); + break; + } + case ICE_STATE_READER: { + DbpString("The found tags was saved to SPIFFS"); + DbpString("1. " _YELLOW_("mem spiffs tree")); + DbpString("2. " _YELLOW_("mem spiffs dump h")); + break; + } + } +} + +// Save to flash if file doesn't exist. +// Write over file if size of flash file is less than new datalen +static void save_to_flash(uint8_t *data, uint16_t datalen) { + + rdv40_spiffs_lazy_mount(); + + char fn[SPIFFS_OBJ_NAME_LEN]; + sprintf(fn, "iclass-%02X%02X%02X%02X%02X%02X%02X%02X.bin", + data[0], data[1], data[2], data[3], + data[4], data[5], data[6], data[7] + ); + + int res; + if (exists_in_spiffs(fn) == false) { + res = rdv40_spiffs_write(fn, data, datalen, RDV40_SPIFFS_SAFETY_SAFE); + if (res == SPIFFS_OK) { + Dbprintf("saved to " _GREEN_("%s"), fn); + } + } else { + + // if already exist, see if saved file is smaller.. + uint32_t fsize = 0; + res = rdv40_spiffs_stat(fn, &fsize, RDV40_SPIFFS_SAFETY_SAFE); + if (res == SPIFFS_OK) { + + if (fsize < datalen) { + res = rdv40_spiffs_write(fn, data, datalen, RDV40_SPIFFS_SAFETY_SAFE); + if (res == SPIFFS_OK) { + Dbprintf("wrote over " _GREEN_("%s"), fn); + } + } + } + } + + rdv40_spiffs_lazy_unmount(); +} + +static int fullsim_mode(void) { + + rdv40_spiffs_lazy_mount(); + + SpinOff(0); + uint8_t *emul = BigBuf_get_EM_addr(); + uint32_t fsize = size_in_spiffs(HF_ICLASS_FULLSIM_ORIG_BIN); + int res = rdv40_spiffs_read_as_filetype(HF_ICLASS_FULLSIM_ORIG_BIN, emul, fsize, RDV40_SPIFFS_SAFETY_SAFE); + rdv40_spiffs_lazy_unmount(); + if (res == SPIFFS_OK) { + Dbprintf("loaded " _GREEN_(HF_ICLASS_FULLSIM_ORIG_BIN) " (%u bytes)", fsize); + } + + iclass_simulate(ICLASS_SIM_MODE_FULL, 0 , false, NULL, NULL, NULL); + + LED_B_ON(); + rdv40_spiffs_lazy_mount(); + res = rdv40_spiffs_write(HF_ICLASS_FULLSIM_MOD_BIN, emul, fsize, RDV40_SPIFFS_SAFETY_SAFE); + rdv40_spiffs_lazy_unmount(); + LED_B_OFF(); + if (res == SPIFFS_OK) { + Dbprintf("wrote emulator memory to " _GREEN_(HF_ICLASS_FULLSIM_MOD_BIN)); + } else { + Dbprintf(_RED_("error") " writing "HF_ICLASS_FULLSIM_MOD_BIN" to flash ( %d )", res); + } + + DbpString("-=[ exiting " _CYAN_("`full simulation`") " mode ]=-"); + return PM3_SUCCESS; +} + +static int reader_attack_mode(void) { + + BigBuf_free(); + uint16_t mac_response_len = 0; + uint8_t *mac_responses = BigBuf_malloc(MAC_RESPONSES_SIZE); + + iclass_simulate(ICLASS_SIM_MODE_READER_ATTACK, NUM_CSNS, false, csns, mac_responses, &mac_response_len); + + if (mac_response_len > 0) { + + bool success = (mac_response_len == MAC_RESPONSES_SIZE); + uint8_t num_mac = (mac_response_len >> 4); + Dbprintf("%u out of %d MAC obtained [%s]", num_mac, NUM_CSNS, (success) ? _GREEN_("ok") : _RED_("fail")); + + size_t dumplen = NUM_CSNS * 24; + + uint8_t *dump = BigBuf_malloc(dumplen); + if (dump == false) { + Dbprintf("failed to allocate memory"); + return PM3_EMALLOC; + } + + // need zeroes for the EPURSE + memset(dump, 0, dumplen); + + for (uint8_t i = 0 ; i < NUM_CSNS ; i++) { + //copy CSN + memcpy(dump + (i * 24), csns + (i * 8), 8); + //copy epurse + memcpy(dump + (i * 24) + 8, mac_responses + (i * 16), 8); + // NR_MAC (eight bytes from the response) ( 8b csn + 8b epurse == 16) + memcpy(dump + (i * 24) + 16, mac_responses + (i * 16) + 8, 8); + } + + LED_B_ON(); + rdv40_spiffs_lazy_mount(); + + char fn[32]; + uint16_t p_namelen = strlen(HF_ICLASS_ATTACK_BIN); + uint16_t num = 1; + sprintf(fn, "%.*s%s", p_namelen, HF_ICLASS_ATTACK_BIN, ".bin"); + + while (exists_in_spiffs(fn)) { + sprintf(fn, "%.*s-%u%s", p_namelen, HF_ICLASS_ATTACK_BIN, num, ".bin"); + num++; + } + int res = rdv40_spiffs_write(fn, dump, dumplen, RDV40_SPIFFS_SAFETY_SAFE); + rdv40_spiffs_lazy_unmount(); + LED_B_OFF(); + if (res == SPIFFS_OK) { + Dbprintf("saved to " _GREEN_("%s"), fn); + } else { + Dbprintf(_RED_("error") " writing %s to flash ( %d )", fn, res); + } + } + BigBuf_free(); + DbpString("-=[ exiting " _CYAN_("`reader attack`") " mode ]=-"); + return PM3_SUCCESS; +} + +static int reader_dump_mode(void) { + + DbpString("this mode has no tracelog"); + if (have_aa2()) + DbpString("dumping of " _YELLOW_("AA2 enabled")); + + for (;;) { + + BigBuf_free(); + + uint8_t *card_data = BigBuf_malloc(ICLASS_16KS_SIZE); + memset(card_data, 0xFF, ICLASS_16KS_SIZE); + + if (BUTTON_PRESS()) { + DbpString("button pressed"); + break; + } + + // setup authenticate AA1 + iclass_auth_req_t auth = { + .use_raw = false, + .use_elite = false, + .use_credit_key = false, + .do_auth = true, + .send_reply = false, + }; + memcpy(auth.key, legacy_aa1_key, sizeof(auth.key)); + + Iso15693InitReader(); + set_tracing(false); + + // select tag. + uint32_t eof_time = 0; + bool res = select_iclass_tag(card_data, auth.use_credit_key, &eof_time); + if (res == false) { + switch_off(); + continue; + } + + picopass_hdr *hdr = (picopass_hdr *)card_data; + // sanity check of CSN. + if (hdr->csn[7] != 0xE0 && hdr->csn[6] != 0x12) { + switch_off(); + continue; + } + + uint32_t start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + + // get 3 config bits + uint8_t type = (hdr->conf.chip_config & 0x10) >> 2; + type |= (hdr->conf.mem_config & 0x80) >> 6; + type |= (hdr->conf.mem_config & 0x20) >> 5; + + Dbprintf(_GREEN_("%s") ", dumping...", card_types[type]); + + uint8_t pagemap = get_pagemap(hdr); + uint8_t app1_limit, app2_limit, start_block; + + // tags configured for NON SECURE PAGE, acts different + if (pagemap == PICOPASS_NON_SECURE_PAGEMODE) { + app1_limit = card_app2_limit[type]; + app2_limit = 0; + start_block = 3; + } else { + + app1_limit = hdr->conf.app_limit; + app2_limit = card_app2_limit[type]; + start_block = 5; + + res = authenticate_iclass_tag(&auth, hdr, &start_time, &eof_time, NULL); + if (res == false) { + switch_off(); + Dbprintf( _RED_("failed AA1 auth") ", skipping "); + continue; + } + + start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + } + + uint16_t dumped = 0; + + // main read loop + for (uint16_t i = start_block; i <= app1_limit; i++) { + if (iclass_read_block(i, card_data + (8 * i), &start_time, &eof_time)) { + dumped++; + } + } + + if (pagemap != PICOPASS_NON_SECURE_PAGEMODE && have_aa2()) { + + // authenticate AA2 + auth.use_raw = false; + auth.use_credit_key = true; + memcpy(auth.key, aa2_key, sizeof(auth.key)); + + res = select_iclass_tag(card_data, auth.use_credit_key, &eof_time); + if (res) { + + // sanity check of CSN. + if (hdr->csn[7] != 0xE0 && hdr->csn[6] != 0x12) { + switch_off(); + continue; + } + + res = authenticate_iclass_tag(&auth, hdr, &start_time, &eof_time, NULL); + if (res) { + start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + + for (uint16_t i = app1_limit + 1; i <= app2_limit; i++) { + if (iclass_read_block(i, card_data + (8 * i), &start_time, &eof_time)) { + dumped++; + } + } + } else { + DbpString(_RED_("failed AA2 auth")); + } + } else { + DbpString(_RED_("failed selecting AA2")); + + // sanity check of CSN. + if (hdr->csn[7] != 0xE0 && hdr->csn[6] != 0x12) { + switch_off(); + continue; + } + } + } + switch_off(); + save_to_flash(card_data, (start_block + dumped) * 8 ); + Dbprintf("%u bytes saved", (start_block + dumped) * 8); + } + DbpString("-=[ exiting " _CYAN_("`read & dump`") " mode ]=-"); + return PM3_SUCCESS; +} + +static int config_sim_mode(void) { + + uint8_t *emul = BigBuf_get_EM_addr(); + + for (uint8_t i = 0; i < 2; i++) { + SpinOff(0); + rdv40_spiffs_lazy_mount(); + uint32_t fsize = size_in_spiffs(cc_files[i]); + int res = rdv40_spiffs_read_as_filetype(cc_files[i], emul, fsize, RDV40_SPIFFS_SAFETY_SAFE); + rdv40_spiffs_lazy_unmount(); + + if (res == SPIFFS_OK) { + Dbprintf("loaded " _GREEN_("%s") " (%u bytes) to emulator memory", cc_files[i], fsize); + iclass_simulate(ICLASS_SIM_MODE_FULL, 0 , false, NULL, NULL, NULL); + } + } + + DbpString("-=[ exiting " _CYAN_("`glitch & config`") " mode ]=-"); + return PM3_SUCCESS; +} + +void ModInfo(void) { + DbpString(" HF iCLASS mode - aka iceCLASS (iceman)"); +} + +void RunMod(void) { + + uint8_t mode = ICE_USE; + uint8_t *bb = BigBuf_get_EM_addr(); + if (bb[0] > 0 && bb[0] < 5) { + mode = bb[0]; + } + + FpgaDownloadAndGo(FPGA_BITSTREAM_HF); + BigBuf_Clear_ext(false); + + StandAloneMode(); + Dbprintf(_YELLOW_("HF iCLASS mode a.k.a iceCLASS started")); + + + for (;;) { + + WDT_HIT(); + + if (mode == ICE_STATE_NONE) break; + if (data_available()) break; + + int res; + switch (mode) { + + case ICE_STATE_FULLSIM: { + DbpString("-=[ enter " _CYAN_("`full simulation`") " mode ]=-"); + + // Look for iCLASS dump file + rdv40_spiffs_lazy_mount(); + if (exists_in_spiffs(HF_ICLASS_FULLSIM_ORIG_BIN) == false) { + Dbprintf(_RED_("error") " " _YELLOW_(HF_ICLASS_FULLSIM_ORIG_BIN) " file missing"); + mode = ICE_STATE_NONE; + } + rdv40_spiffs_lazy_unmount(); + + if (mode == ICE_STATE_FULLSIM) { + res = fullsim_mode(); + if (res == PM3_SUCCESS) { + download_instructions(mode); + } + } + // the button press to exit sim, is captured in main loop here + mode = ICE_STATE_NONE; + break; + } + case ICE_STATE_ATTACK: { + DbpString("-=[ enter " _CYAN_("`reader attack`") " mode ]=-"); + res = reader_attack_mode(); + if (res == PM3_SUCCESS) + download_instructions(mode); + + mode = ICE_STATE_NONE; + break; + } + case ICE_STATE_READER: { + DbpString("-=[ enter " _CYAN_("`read & dump`") " mode, continuous scanning ]=-"); + res = reader_dump_mode(); + if (res == PM3_SUCCESS) + download_instructions(mode); + + mode = ICE_STATE_NONE; + break; + } + case ICE_STATE_CONFIGCARD: { + DbpString("-=[ enter " _CYAN_("`glitch & config`") " mode ]=-"); + + // Look for config cards + rdv40_spiffs_lazy_mount(); + for (uint8_t i =0; i < 2; i++) { + if (exists_in_spiffs(cc_files[i]) == false) { + Dbprintf(_RED_("error") ", " _YELLOW_("%s") " file missing", cc_files[i]); + mode = ICE_STATE_NONE; + } + } + rdv40_spiffs_lazy_unmount(); + + if (mode == ICE_STATE_CONFIGCARD) + config_sim_mode(); + + mode = ICE_STATE_NONE; + break; + } + } + } + + switch_off(); + Dbprintf("-=[ exit ]=-"); +} diff --git a/armsrc/Standalone/lf_em4100rwc.c b/armsrc/Standalone/lf_em4100rwc.c index c54e54fa2..7b269e89b 100644 --- a/armsrc/Standalone/lf_em4100rwc.c +++ b/armsrc/Standalone/lf_em4100rwc.c @@ -34,7 +34,7 @@ #endif #define MAX_IND 16 // 4 LEDs - 2^4 combinations -#define CLOCK 64 //for 125kHz +#define LF_CLOCK 64 // for 125kHz // low & high - array for storage IDs. Its length must be equal. // Predefined IDs must be stored in low[]. @@ -57,34 +57,35 @@ static uint64_t rev_quads(uint64_t bits) { } static void fillbuff(uint8_t bit) { - memset(bba + buflen, bit, CLOCK / 2); - buflen += (CLOCK / 2); - memset(bba + buflen, bit ^ 1, CLOCK / 2); - buflen += (CLOCK / 2); + memset(bba + buflen, bit, LF_CLOCK / 2); + buflen += (LF_CLOCK / 2); + memset(bba + buflen, bit ^ 1, LF_CLOCK / 2); + buflen += (LF_CLOCK / 2); } static void construct_EM410x_emul(uint64_t id) { - + + int i, j; int binary[4] = {0}; int parity[4] = {0}; buflen = 0; - for (uint8_t i = 0; i < 9; i++) + for (i = 0; i < 9; i++) fillbuff(1); - for (uint8_t i = 0; i < 10; i++) { - for (uint8_t j = 3; j > 0; j--, id /= 2) + for (i = 0; i < 10; i++) { + for (j = 3; j >= 0; j--, id /= 2) binary[j] = id % 2; - for (uint8_t j = 0; j < 4; j++) + for (j = 0; j < 4; j++) fillbuff(binary[j]); fillbuff(binary[0] ^ binary[1] ^ binary[2] ^ binary[3]); - for (uint8_t j = 0; j < 4; j++) + for (j = 0; j < 4; j++) parity[j] ^= binary[j]; } - for (uint8_t j = 0; j < 4; j++) + for (j = 0; j < 4; j++) fillbuff(parity[j]); fillbuff(0); @@ -207,7 +208,7 @@ void RunMod(void) { state = 0; } else if (button_pressed == BUTTON_SINGLE_CLICK) { // Click - write ID to tag - copy_em410x_to_t55xx(0, CLOCK, (uint32_t)(low[selected] >> 32), (uint32_t)(low[selected] & 0xffffffff)); + copy_em410x_to_t55xx(0, LF_CLOCK, (uint32_t)(low[selected] >> 32), (uint32_t)(low[selected] & 0xffffffff)); led_slot(selected); state = 0; // Switch to select mode } diff --git a/armsrc/appmain.c b/armsrc/appmain.c index cc1d299f3..04027bef0 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -20,6 +20,7 @@ #include "fpga.h" #include "fpgaloader.h" #include "string.h" +#include "printf.h" #include "legicrf.h" #include "BigBuf.h" #include "iso14443a.h" @@ -62,20 +63,7 @@ #include "spiffs.h" #endif -//============================================================================= -// A buffer where we can queue things up to be sent through the FPGA, for -// any purpose (fake tag, as reader, whatever). We go MSB first, since that -// is the order in which they go out on the wire. -//============================================================================= - -#define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits -uint8_t ToSend[TOSEND_BUFFER_SIZE]; -int ToSendMax = -1; - extern uint32_t _stack_start, _stack_end; - - -static int ToSendBit; struct common_area common_area __attribute__((section(".commonarea"))); static int button_status = BUTTON_NO_CLICK; static bool allow_send_wtx = false; @@ -86,29 +74,6 @@ inline void send_wtx(uint16_t wtx) { } } -void ToSendReset(void) { - ToSendMax = -1; - ToSendBit = 8; -} - -void ToSendStuffBit(int b) { - if (ToSendBit >= 8) { - ToSendMax++; - ToSend[ToSendMax] = 0; - ToSendBit = 0; - } - - if (b) - ToSend[ToSendMax] |= (1 << (7 - ToSendBit)); - - ToSendBit++; - - if (ToSendMax >= sizeof(ToSend)) { - ToSendBit = 0; - DbpString("ToSendStuffBit overflowed!"); - } -} - //----------------------------------------------------------------------------- // Read an ADC channel and block till it completes, then return the result // in ADC units (0 to 1023). Also a routine to sum up a number of samples and @@ -213,7 +178,7 @@ static void MeasureAntennaTuning(void) { LED_A_ON(); // Let the FPGA drive the high-frequency antenna around 13.56 MHz. FpgaDownloadAndGo(FPGA_BITSTREAM_HF); - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER); SpinDelay(50); #if defined RDV4 @@ -328,6 +293,28 @@ static void TimingIntervalAcquisition(void) { StartTickCount(); } +static void print_debug_level(void) { + char dbglvlstr[20] = {0}; + switch(DBGLEVEL) { + case DBG_NONE: + sprintf(dbglvlstr, "NONE"); + break; + case DBG_ERROR: + sprintf(dbglvlstr, "ERROR"); + break; + case DBG_INFO: + sprintf(dbglvlstr, "INFO"); + break; + case DBG_DEBUG: + sprintf(dbglvlstr, "DEBUG"); + break; + case DBG_EXTENDED: + sprintf(dbglvlstr, "EXTENDED"); + break; + } + Dbprintf(" DBGLEVEL................%d ( " _YELLOW_("%s")" )", DBGLEVEL, dbglvlstr); +} + // measure the Connection Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time. // Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the PacketCommandNG structure included. static void printConnSpeed(void) { @@ -374,10 +361,10 @@ static void SendStatus(void) { DbpString(_CYAN_("Various")); print_stack_usage(); - - Dbprintf(" DBGLEVEL................%d", DBGLEVEL); - Dbprintf(" ToSendMax...............%d", ToSendMax); - Dbprintf(" ToSendBit...............%d", ToSendBit); + print_debug_level(); + + tosend_t *ts = get_tosend(); + Dbprintf(" ToSendMax...............%d", ts->max ); Dbprintf(" ToSend BUFFERSIZE.......%d", TOSEND_BUFFER_SIZE); while ((AT91C_BASE_PMC->PMC_MCFR & AT91C_CKGR_MAINRDY) == 0); // Wait for MAINF value to become available... uint16_t mainf = AT91C_BASE_PMC->PMC_MCFR & AT91C_CKGR_MAINF; // Get # main clocks within 16 slow clocks @@ -515,6 +502,7 @@ static void SendCapabilities(void) { // Show some leds in a pattern to identify StandAlone mod is running void StandAloneMode(void) { + DbpString(""); DbpString("Stand-alone mode, no computer necessary"); SpinDown(50); SpinDelay(50); @@ -735,7 +723,7 @@ static void PacketReceived(PacketCommandNG *packet) { // emulator case CMD_SET_DBGMODE: { DBGLEVEL = packet->data.asBytes[0]; - Dbprintf("Debug level: %d", DBGLEVEL); + print_debug_level(); reply_ng(CMD_SET_DBGMODE, PM3_SUCCESS, NULL, 0); break; } @@ -793,7 +781,7 @@ static void PacketReceived(PacketCommandNG *packet) { case CMD_LF_HID_WATCH: { uint32_t high, low; int res = lf_hid_watch(0, &high, &low); - reply_ng(CMD_LF_HID_WATCH, res, NULL, 0); + reply_ng(CMD_LF_HID_WATCH, res, NULL, 0); break; } case CMD_LF_HID_SIMULATE: { @@ -974,6 +962,7 @@ static void PacketReceived(PacketCommandNG *packet) { case CMD_LF_HITAG_SNIFF: { // Eavesdrop Hitag tag, args = type SniffHitag2(); // SniffHitag2(packet->oldarg[0]); + reply_ng(CMD_LF_HITAG_SNIFF, PM3_SUCCESS, NULL, 0); break; } case CMD_LF_HITAG_SIMULATE: { // Simulate Hitag tag, args = memory content @@ -1034,8 +1023,18 @@ static void PacketReceived(PacketCommandNG *packet) { AcquireRawAdcSamplesIso15693(); break; } - case CMD_HF_ISO15693_RAWADC: { - RecordRawAdcSamplesIso15693(); + case CMD_HF_ISO15693_SNIFF: { + /* + struct p { + uint8_t jam_search_len; + uint8_t jam_search_string[]; + } PACKED; + struct p *payload = (struct p *) packet->data.asBytes; + + SniffIso15693(payload->jam_search_len, payload->jam_search_string); + */ + SniffIso15693(0, NULL); + reply_ng(CMD_HF_ISO15693_SNIFF, PM3_SUCCESS, NULL, 0); break; } case CMD_HF_ISO15693_COMMAND: { @@ -1051,7 +1050,11 @@ static void PacketReceived(PacketCommandNG *packet) { break; } case CMD_HF_ISO15693_SIMULATE: { - SimTagIso15693(packet->oldarg[0], packet->data.asBytes); + struct p { + uint8_t uid[10]; + } PACKED; + struct p *payload = (struct p *) packet->data.asBytes; + SimTagIso15693(payload->uid); break; } #endif @@ -1094,6 +1097,7 @@ static void PacketReceived(PacketCommandNG *packet) { } case CMD_HF_ISO14443B_SNIFF: { SniffIso14443b(); + reply_ng(CMD_HF_ISO14443B_SNIFF, PM3_SUCCESS, NULL, 0); break; } case CMD_HF_ISO14443B_SIMULATE: { @@ -1118,6 +1122,7 @@ static void PacketReceived(PacketCommandNG *packet) { } case CMD_HF_FELICA_SNIFF: { felica_sniff(packet->oldarg[0], packet->oldarg[1]); + reply_ng(CMD_HF_FELICA_SNIFF, PM3_SUCCESS, NULL, 0); break; } case CMD_HF_FELICALITE_DUMP: { @@ -1129,6 +1134,7 @@ static void PacketReceived(PacketCommandNG *packet) { #ifdef WITH_ISO14443a case CMD_HF_ISO14443A_SNIFF: { SniffIso14443a(packet->data.asBytes[0]); + reply_ng(CMD_HF_ISO14443A_SNIFF, PM3_SUCCESS, NULL, 0); break; } case CMD_HF_ISO14443A_READER: { @@ -1379,7 +1385,13 @@ static void PacketReceived(PacketCommandNG *packet) { #ifdef WITH_ICLASS // Makes use of ISO14443a FPGA Firmware case CMD_HF_ICLASS_SNIFF: { - SniffIClass(); + struct p { + uint8_t jam_search_len; + uint8_t jam_search_string[]; + } PACKED; + struct p *payload = (struct p *) packet->data.asBytes; + SniffIClass(payload->jam_search_len, payload->jam_search_string); + reply_ng(CMD_HF_ICLASS_SNIFF, PM3_SUCCESS, NULL, 0); break; } case CMD_HF_ICLASS_SIMULATE: { @@ -1391,7 +1403,12 @@ static void PacketReceived(PacketCommandNG *packet) { break; } case CMD_HF_ICLASS_REPLAY: { - ReaderIClass_Replay(packet->oldarg[0], packet->data.asBytes); + struct p { + uint8_t reader[4]; + uint8_t mac[4]; + } PACKED; + struct p *payload = (struct p *) packet->data.asBytes; + ReaderIClass_Replay(payload->reader, payload->mac); break; } case CMD_HF_ICLASS_EML_MEMSET: { @@ -1401,36 +1418,14 @@ static void PacketReceived(PacketCommandNG *packet) { break; } case CMD_HF_ICLASS_WRITEBL: { - struct p { - uint8_t blockno; - uint8_t data[12]; - } PACKED; - struct p *payload = (struct p *)packet->data.asBytes; - iClass_WriteBlock(payload->blockno, payload->data); - break; - } - // iceman2019, unused? - case CMD_HF_ICLASS_READCHECK: { // auth step 1 - iClass_ReadCheck(packet->oldarg[0], packet->oldarg[1]); + iClass_WriteBlock(packet->data.asBytes); break; } case CMD_HF_ICLASS_READBL: { - /* - struct p { - uint8_t blockno; - } PACKED; - struct p *payload = (struct p *)packet->data.asBytes; - */ - iClass_ReadBlk(packet->data.asBytes[0]); + iClass_ReadBlock(packet->data.asBytes); break; } case CMD_HF_ICLASS_AUTH: { //check - /* - struct p { - uint8_t mac[4]; - } PACKED; - struct p *payload = (struct p *)packet->data.asBytes; - */ iClass_Authentication(packet->data.asBytes); break; } @@ -1439,7 +1434,7 @@ static void PacketReceived(PacketCommandNG *packet) { break; } case CMD_HF_ICLASS_DUMP: { - iClass_Dump(packet->oldarg[0], packet->oldarg[1]); + iClass_Dump(packet->data.asBytes); break; } case CMD_HF_ICLASS_CLONE: { @@ -1452,6 +1447,10 @@ static void PacketReceived(PacketCommandNG *packet) { iClass_Clone(payload->startblock, payload->endblock, payload->data); break; } + case CMD_HF_ICLASS_RESTORE: { + iClass_Restore(packet->data.asBytes); + break; + } #endif #ifdef WITH_HFSNIFF @@ -1619,7 +1618,7 @@ static void PacketReceived(PacketCommandNG *packet) { case 1: // MEASURE_ANTENNA_TUNING_HF_START // Let the FPGA drive the high-frequency antenna around 13.56 MHz. FpgaDownloadAndGo(FPGA_BITSTREAM_HF); - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER); reply_ng(CMD_MEASURE_ANTENNA_TUNING_HF, PM3_SUCCESS, NULL, 0); break; case 2: @@ -1906,6 +1905,13 @@ static void PacketReceived(PacketCommandNG *packet) { LED_B_OFF(); break; } + case CMD_SPIFFS_WIPE: { + LED_B_ON(); + rdv40_spiffs_safe_wipe(); + reply_ng(CMD_SPIFFS_WIPE, PM3_SUCCESS, NULL, 0); + LED_B_OFF(); + break; + } case CMD_FLASHMEM_SET_SPIBAUDRATE: { if (packet->length != sizeof(uint32_t)) break; @@ -2063,6 +2069,8 @@ static void PacketReceived(PacketCommandNG *packet) { break; } case CMD_STANDALONE: { + uint8_t *bb = BigBuf_get_EM_addr(); + bb[0] = packet->data.asBytes[0]; RunMod(); break; } diff --git a/armsrc/em4x50.c b/armsrc/em4x50.c index 8344f7542..2b9ede4bf 100644 --- a/armsrc/em4x50.c +++ b/armsrc/em4x50.c @@ -100,7 +100,6 @@ int gLow = 0; static void init_tag(void) { // initialize global tag structure - for (int i = 0; i < 34; i++) for (int j = 0; j < 7; j++) tag.sectors[i][j] = 0x00; @@ -109,9 +108,7 @@ static void init_tag(void) { static uint8_t bits2byte(uint8_t *bits, int length) { // converts separate bits into a single "byte" - uint8_t byte = 0; - for (int i = 0; i < length; i++) { byte |= bits[i]; @@ -124,11 +121,10 @@ static uint8_t bits2byte(uint8_t *bits, int length) { } static void msb2lsb_word(uint8_t *word) { - + // reorders given according to EM4x50 datasheet (msb -> lsb) - + uint8_t buff[4]; - buff[0] = reflect8(word[3]); buff[1] = reflect8(word[2]); buff[2] = reflect8(word[1]); @@ -141,13 +137,12 @@ static void msb2lsb_word(uint8_t *word) { } static void save_word(int pos, uint8_t bits[EM4X50_TAG_WORD]) { - + // split "raw" word into data, row and column parity bits and stop bit and // save them in global tag structure - uint8_t row_parity[4]; uint8_t col_parity[8]; - + // data and row parities for (int i = 0; i < 4; i++) { tag.sectors[pos][i] = bits2byte(&bits[9*i],8); @@ -161,7 +156,7 @@ static void save_word(int pos, uint8_t bits[EM4X50_TAG_WORD]) { col_parity[i] = bits[36+i]; tag.sectors[pos][5] = bits2byte(col_parity,8); - + // stop bit tag.sectors[pos][6] = bits[44]; } @@ -169,7 +164,7 @@ static void save_word(int pos, uint8_t bits[EM4X50_TAG_WORD]) { static void wait_timer(int timer, uint32_t period) { // do nothing for using timer - + if (timer == FPGA_TIMER_0) { AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG; @@ -184,23 +179,22 @@ static void wait_timer(int timer, uint32_t period) { } static void em4x50_setup_read(void) { - + FpgaDownloadAndGo(FPGA_BITSTREAM_LF); - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); // 50ms for the resonant antenna to settle. SpinDelay(50); // Now set up the SSC to get the ADC samples that are now streaming at us. - FpgaSetupSsc(); + FpgaSetupSsc(FPGA_MAJOR_MODE_LF_READER); // start a 1.5ticks is 1us StartTicks(); - + FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_125); // Connect the A/D to the peak-detected low-frequency path. SetAdcMuxFor(GPIO_MUXSEL_LOPKD); - + // Steal this pin from the SSP (SPI communication channel with fpga) and // use it to control the modulation AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT; @@ -208,7 +202,7 @@ static void em4x50_setup_read(void) { // Disable modulation at default, which means enable the field LOW(GPIO_SSC_DOUT); - + // Enable Peripheral Clock for // TIMER_CLOCK0, used to measure exact timing before answering // TIMER_CLOCK1, used to capture edges of the tag frames @@ -221,17 +215,17 @@ static void em4x50_setup_read(void) { // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK; - + // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK; - + // Enable and reset counters AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG; AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG; - + // synchronized startup procedure while (AT91C_BASE_TC0->TC_CV > 0) {}; // wait until TC1 returned to zero - + // Watchdog hit WDT_HIT(); } @@ -239,21 +233,21 @@ static void em4x50_setup_read(void) { // functions for "reader" use case static bool get_signalproperties(void) { - + // calculate signal properties (mean amplitudes) from measured data: // 32 amplitudes (maximum values) -> mean amplitude value -> gHigh -> gLow - + bool signal_found = false; int no_periods = 32, pct = 75, noise = 140; - uint8_t sample = 0, sample_ref = 127; + uint8_t sample_ref = 127; uint8_t sample_max_mean = 0; uint8_t sample_max[no_periods]; uint32_t sample_max_sum = 0; + memcpy(sample_max, 0x00, sizeof(sample_max)); - // wait until signal/noise > 1 (max. 32 periods) for (int i = 0; i < T0 * no_periods; i++) { - + // about 2 samples per bit period wait_timer(0, T0 * EM4X50_T_TAG_HALF_PERIOD); @@ -261,9 +255,9 @@ static bool get_signalproperties(void) { signal_found = true; break; } - + } - + if (!signal_found) return false; @@ -273,39 +267,36 @@ static bool get_signalproperties(void) { AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG; while (AT91C_BASE_TC0->TC_CV < T0 * 3 * EM4X50_T_TAG_FULL_PERIOD) { - - sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - + + volatile uint8_t sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; + if (sample > sample_max[i]) sample_max[i] = sample; - + } - + sample_max_sum += sample_max[i]; } - + sample_max_mean = sample_max_sum / no_periods; - + // set global envelope variables gHigh = sample_ref + pct * (sample_max_mean - sample_ref) / 100; gLow = sample_ref - pct * (sample_max_mean - sample_ref) / 100; - return true; } static int get_next_bit(void) { - + // returns bit value (or EM4X50_BIT_OTHER -> no bit pattern) by evaluating // a single sample within a bit period (given there is no LIW, ACK or NAK) // This function is not used for decoding, it is only used for identifying // a listen window (return value = EM4X50_BIT_OTHER) in functions // "find_double_listen_window" and "check_ack" - - uint8_t sample; // get sample at 3/4 of bit period wait_timer(0, T0 * EM4X50_T_TAG_THREE_QUARTER_PERIOD); - sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; + uint8_t sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; // wait until end of bit period wait_timer(0, T0 * EM4X50_T_TAG_QUARTER_PERIOD); @@ -315,7 +306,7 @@ static int get_next_bit(void) { return EM4X50_BIT_0; else if (sample < gLow) return EM4X50_BIT_1; - + return EM4X50_BIT_OTHER; } diff --git a/armsrc/felica.c b/armsrc/felica.c index f8375f0cc..53f78d17b 100644 --- a/armsrc/felica.c +++ b/armsrc/felica.c @@ -336,7 +336,7 @@ static void BuildFliteRdblk(uint8_t *idm, int blocknum, uint16_t *blocks) { } static void TransmitFor18092_AsReader(uint8_t *frame, int len, uint32_t *timing, uint8_t power, uint8_t highspeed) { - uint8_t flags = FPGA_MAJOR_MODE_HF_ISO18092; + uint16_t flags = FPGA_MAJOR_MODE_HF_ISO18092; if (power) flags |= FPGA_HF_ISO18092_FLAG_READER; if (highspeed) @@ -445,7 +445,7 @@ static void iso18092_setup(uint8_t fpga_minor_mode) { if (DBGLEVEL >= DBG_DEBUG) Dbprintf("Start iso18092_setup"); LEDsoff(); - FpgaDownloadAndGo(FPGA_BITSTREAM_HF); + FpgaDownloadAndGo(FPGA_BITSTREAM_HF_FELICA); // allocate command receive buffer BigBuf_free(); @@ -464,7 +464,7 @@ static void iso18092_setup(uint8_t fpga_minor_mode) { SetAdcMuxFor(GPIO_MUXSEL_HIPKD); // Set up the synchronous serial port - FpgaSetupSsc(); + FpgaSetupSsc(FPGA_MAJOR_MODE_HF_ISO18092); // LSB transfer. Remember to set it back to MSB with AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0); diff --git a/armsrc/fpgaloader.c b/armsrc/fpgaloader.c index f1f157eec..f76d1a189 100644 --- a/armsrc/fpgaloader.c +++ b/armsrc/fpgaloader.c @@ -134,7 +134,7 @@ void SetupSpi(int mode) { // Set up the synchronous serial port with the set of options that fits // the FPGA mode. Both RX and TX are always enabled. //----------------------------------------------------------------------------- -void FpgaSetupSsc(void) { +void FpgaSetupSsc(uint16_t fpga_mode) { // First configure the GPIOs, and get ourselves a clock. AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_FRAME | @@ -152,12 +152,16 @@ void FpgaSetupSsc(void) { // data and frame signal is sampled on falling edge of RK AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(1) | SSC_CLOCK_MODE_START(1); - // 8 bits per transfer, no loopback, MSB first, 1 transfer per sync + // 8, 16 or 32 bits per transfer, no loopback, MSB first, 1 transfer per sync // pulse, no output sync - AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0); + if ((fpga_mode & FPGA_MAJOR_MODE_MASK) == FPGA_MAJOR_MODE_HF_READER && FpgaGetCurrent() == FPGA_BITSTREAM_HF) { + AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0); + } else { + AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0); + } - // TX clock comes from TK pin, no clock output, outputs change on falling - // edge of TK, frame sync is sampled on rising edge of TK, start TX on rising edge of TF + // TX clock comes from TK pin, no clock output, outputs change on rising edge of TK, + // TF (frame sync) is sampled on falling edge of TK, start TX on rising edge of TF AT91C_BASE_SSC->SSC_TCMR = SSC_CLOCK_MODE_SELECT(2) | SSC_CLOCK_MODE_START(5); // tx framing is the same as the rx framing @@ -171,7 +175,7 @@ void FpgaSetupSsc(void) { // a single buffer as a circular buffer (so that we just chain back to // ourselves, not to another buffer). //----------------------------------------------------------------------------- -bool FpgaSetupSscDma(uint8_t *buf, int len) { +bool FpgaSetupSscDma(uint8_t *buf, uint16_t len) { if (buf == NULL) return false; FpgaDisableSscDma(); @@ -347,8 +351,10 @@ static void DownloadFPGA(int bitstream_version, int FpgaImageLen, lz4_streamp co * length. */ static int bitparse_find_section(int bitstream_version, char section_name, uint32_t *section_length, lz4_streamp compressed_fpga_stream, uint8_t *output_buffer) { - int result = 0; + #define MAX_FPGA_BIT_STREAM_HEADER_SEARCH 100 // maximum number of bytes to search for the requested section + + int result = 0; uint16_t numbytes = 0; while (numbytes < MAX_FPGA_BIT_STREAM_HEADER_SEARCH) { char current_name = get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer); @@ -439,7 +445,7 @@ void FpgaDownloadAndGo(int bitstream_version) { // The bit format is: C3 C2 C1 C0 D11 D10 D9 D8 D7 D6 D5 D4 D3 D2 D1 D0 // where C is the 4 bit command and D is the 12 bit data // -// @params cmd and v gets or over eachother. Take careful note of overlapping bits. +// @params cmd and v gets OR:ED over each other. Take careful note of overlapping bits. //----------------------------------------------------------------------------- void FpgaSendCommand(uint16_t cmd, uint16_t v) { SetupSpi(SPI_FPGA_MODE); diff --git a/armsrc/fpgaloader.h b/armsrc/fpgaloader.h index 636c5b7b7..530dc21b4 100644 --- a/armsrc/fpgaloader.h +++ b/armsrc/fpgaloader.h @@ -20,6 +20,7 @@ // definitions for multiple FPGA config files support #define FPGA_BITSTREAM_LF 1 #define FPGA_BITSTREAM_HF 2 +#define FPGA_BITSTREAM_HF_FELICA 3 /* Communication between ARM / FPGA is done inside armsrc/fpgaloader.c (function FpgaSendCommand) @@ -52,23 +53,26 @@ thres| x x x x x x x x #define FPGA_CMD_TRACE_ENABLE (2<<12) // C // Definitions for the FPGA configuration word. +#define FPGA_MAJOR_MODE_MASK 0x01C0 +#define FPGA_MINOR_MODE_MASK 0x003F + // LF -#define FPGA_MAJOR_MODE_LF_READER (0<<5) -#define FPGA_MAJOR_MODE_LF_EDGE_DETECT (1<<5) -#define FPGA_MAJOR_MODE_LF_PASSTHRU (2<<5) -#define FPGA_MAJOR_MODE_LF_ADC (3<<5) +#define FPGA_MAJOR_MODE_LF_READER (0<<6) +#define FPGA_MAJOR_MODE_LF_EDGE_DETECT (1<<6) +#define FPGA_MAJOR_MODE_LF_PASSTHRU (2<<6) +#define FPGA_MAJOR_MODE_LF_ADC (3<<6) // HF -#define FPGA_MAJOR_MODE_HF_READER_TX (0<<5) // D -#define FPGA_MAJOR_MODE_HF_READER_RX_XCORR (1<<5) // D -#define FPGA_MAJOR_MODE_HF_SIMULATOR (2<<5) // D -#define FPGA_MAJOR_MODE_HF_ISO14443A (3<<5) // D -#define FPGA_MAJOR_MODE_HF_SNOOP (4<<5) // D -#define FPGA_MAJOR_MODE_HF_ISO18092 (5<<5) // D -#define FPGA_MAJOR_MODE_HF_GET_TRACE (6<<5) // D +#define FPGA_MAJOR_MODE_HF_READER (0<<6) // D +#define FPGA_MAJOR_MODE_HF_SIMULATOR (1<<6) // D +#define FPGA_MAJOR_MODE_HF_ISO14443A (2<<6) // D +#define FPGA_MAJOR_MODE_HF_SNIFF (3<<6) // D +#define FPGA_MAJOR_MODE_HF_ISO18092 (4<<6) // D +#define FPGA_MAJOR_MODE_HF_GET_TRACE (5<<6) // D // BOTH HF / LF -#define FPGA_MAJOR_MODE_OFF (7<<5) // D +#define FPGA_MAJOR_MODE_OFF (7<<6) // D + // Options for LF_READER #define FPGA_LF_ADC_READER_FIELD 0x1 @@ -78,13 +82,20 @@ thres| x x x x x x x x #define FPGA_LF_EDGE_DETECT_READER_FIELD 0x1 #define FPGA_LF_EDGE_DETECT_TOGGLE_MODE 0x2 -// Options for the HF reader, tx to tag -#define FPGA_HF_READER_TX_SHALLOW_MOD 0x1 +// Options for the HF reader +#define FPGA_HF_READER_MODE_RECEIVE_IQ (0<<0) +#define FPGA_HF_READER_MODE_RECEIVE_AMPLITUDE (1<<0) +#define FPGA_HF_READER_MODE_RECEIVE_PHASE (2<<0) +#define FPGA_HF_READER_MODE_SEND_FULL_MOD (3<<0) +#define FPGA_HF_READER_MODE_SEND_SHALLOW_MOD (4<<0) +#define FPGA_HF_READER_MODE_SNIFF_IQ (5<<0) +#define FPGA_HF_READER_MODE_SNIFF_AMPLITUDE (6<<0) +#define FPGA_HF_READER_MODE_SNIFF_PHASE (7<<0) +#define FPGA_HF_READER_MODE_SEND_JAM (8<<0) -// Options for the HF reader, correlating against rx from tag -#define FPGA_HF_READER_RX_XCORR_848_KHZ 0x1 -#define FPGA_HF_READER_RX_XCORR_SNOOP 0x2 -#define FPGA_HF_READER_RX_XCORR_QUARTER 0x4 +#define FPGA_HF_READER_SUBCARRIER_848_KHZ (0<<4) +#define FPGA_HF_READER_SUBCARRIER_424_KHZ (1<<4) +#define FPGA_HF_READER_SUBCARRIER_212_KHZ (2<<4) // Options for the HF simulated tag, how to modulate #define FPGA_HF_SIMULATOR_NO_MODULATION 0x0 // 0000 @@ -112,9 +123,9 @@ void FpgaEnableTracing(void); void FpgaDisableTracing(void); void FpgaDownloadAndGo(int bitstream_version); // void FpgaGatherVersion(int bitstream_version, char *dst, int len); -void FpgaSetupSsc(void); +void FpgaSetupSsc(uint16_t fpga_mode); void SetupSpi(int mode); -bool FpgaSetupSscDma(uint8_t *buf, int len); +bool FpgaSetupSscDma(uint8_t *buf, uint16_t len); void Fpga_print_status(void); int FpgaGetCurrent(void); void SetAdcMuxFor(uint32_t whichGpio); diff --git a/armsrc/hfsnoop.c b/armsrc/hfsnoop.c index 177a1f99e..ab2517187 100644 --- a/armsrc/hfsnoop.c +++ b/armsrc/hfsnoop.c @@ -41,12 +41,12 @@ int HfSniff(uint32_t samplesToSkip, uint32_t triggersToSkip, uint16_t *len) { SetAdcMuxFor(GPIO_MUXSEL_HIPKD); // Set up the synchronous serial port - FpgaSetupSsc(); + FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SNIFF); // Setting Frame Mode For better performance on high speed data transfer. AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16); - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SNOOP); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SNIFF); SpinDelay(100); *len = (BigBuf_max_traceLen() & 0xFFFE); @@ -114,17 +114,18 @@ int HfSniff(uint32_t samplesToSkip, uint32_t triggersToSkip, uint16_t *len) { } void HfPlotDownload(void) { - uint8_t *buf = ToSend; - uint8_t *this_buf = buf; + + tosend_t *ts = get_tosend(); + uint8_t *this_buf = ts->buf; FpgaDownloadAndGo(FPGA_BITSTREAM_HF); - FpgaSetupSsc(); + FpgaSetupSsc(FPGA_MAJOR_MODE_HF_GET_TRACE); AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS; // Disable DMA Transfer AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) this_buf; // start transfer to this memory address AT91C_BASE_PDC_SSC->PDC_RCR = PM3_CMD_DATA_SIZE; // transfer this many samples - buf[0] = (uint8_t)AT91C_BASE_SSC->SSC_RHR; // clear receive register + ts->buf[0] = (uint8_t)AT91C_BASE_SSC->SSC_RHR; // clear receive register AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN; // Start DMA transfer FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_GET_TRACE); // let FPGA transfer its internal Block-RAM @@ -132,7 +133,7 @@ void HfPlotDownload(void) { LED_B_ON(); for (size_t i = 0; i < FPGA_TRACE_SIZE; i += PM3_CMD_DATA_SIZE) { // prepare next DMA transfer: - uint8_t *next_buf = buf + ((i + PM3_CMD_DATA_SIZE) % (2 * PM3_CMD_DATA_SIZE)); + uint8_t *next_buf = ts->buf + ((i + PM3_CMD_DATA_SIZE) % (2 * PM3_CMD_DATA_SIZE)); AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t)next_buf; AT91C_BASE_PDC_SSC->PDC_RNCR = PM3_CMD_DATA_SIZE; diff --git a/armsrc/i2c.c b/armsrc/i2c.c index 23ae07f10..27af218f0 100644 --- a/armsrc/i2c.c +++ b/armsrc/i2c.c @@ -225,7 +225,7 @@ static bool I2C_WaitForSim(void) { // 8051 speaks with smart card. // 1000*50*3.07 = 153.5ms // 1byte transfer == 1ms with max frame being 256bytes - if (!WaitSCL_H_delay(20 * 1000 * 50)) + if (!WaitSCL_H_delay(30 * 1000 * 50)) return false; return true; @@ -631,7 +631,7 @@ int I2C_get_version(uint8_t *maj, uint8_t *min) { } // Will read response from smart card module, retries 3 times to get the data. -static bool sc_rx_bytes(uint8_t *dest, uint8_t *destlen) { +bool sc_rx_bytes(uint8_t *dest, uint8_t *destlen) { uint8_t i = 3; int16_t len = 0; @@ -658,7 +658,7 @@ static bool sc_rx_bytes(uint8_t *dest, uint8_t *destlen) { return true; } -bool GetATR(smart_card_atr_t *card_ptr) { +bool GetATR(smart_card_atr_t *card_ptr, bool verbose) { if (!card_ptr) return false; @@ -666,19 +666,18 @@ bool GetATR(smart_card_atr_t *card_ptr) { card_ptr->atr_len = 0; memset(card_ptr->atr, 0, sizeof(card_ptr->atr)); - // Send ATR // start [C0 01] stop start C1 len aa bb cc stop] I2C_WriteCmd(I2C_DEVICE_CMD_GENERATE_ATR, I2C_DEVICE_ADDRESS_MAIN); //wait for sim card to answer. - // 1byte = 1ms , max frame 256bytes. SHould wait 256ms atleast just in case. - if (!I2C_WaitForSim()) + // 1byte = 1ms , max frame 256bytes. Should wait 256ms atleast just in case. + if (I2C_WaitForSim() == false) return false; // read bytes from module uint8_t len = sizeof(card_ptr->atr); - if (!sc_rx_bytes(card_ptr->atr, &len)) + if (sc_rx_bytes(card_ptr->atr, &len) == false) return false; uint8_t pos_td = 1; @@ -706,17 +705,19 @@ bool GetATR(smart_card_atr_t *card_ptr) { } card_ptr->atr_len = len; - LogTrace(card_ptr->atr, card_ptr->atr_len, 0, 0, NULL, false); + if (verbose) { + LogTrace(card_ptr->atr, card_ptr->atr_len, 0, 0, NULL, false); + } + return true; } void SmartCardAtr(void) { smart_card_atr_t card; LED_D_ON(); - clear_trace(); set_tracing(true); I2C_Reset_EnterMainProgram(); - bool isOK = GetATR(&card); + bool isOK = GetATR(&card, true); reply_mix(CMD_ACK, isOK, sizeof(smart_card_atr_t), 0, &card, sizeof(smart_card_atr_t)); set_tracing(false); LEDsoff(); @@ -730,10 +731,13 @@ void SmartCardRaw(uint64_t arg0, uint64_t arg1, uint8_t *data) { uint8_t *resp = BigBuf_malloc(ISO7618_MAX_FRAME); smartcard_command_t flags = arg0; - if ((flags & SC_CONNECT)) + if ((flags & SC_CLEARLOG) == SC_CLEARLOG) clear_trace(); - set_tracing(true); + if ((flags & SC_LOG) == SC_LOG) + set_tracing(true); + else + set_tracing(false); if ((flags & SC_CONNECT)) { @@ -741,7 +745,7 @@ void SmartCardRaw(uint64_t arg0, uint64_t arg1, uint8_t *data) { if ((flags & SC_SELECT)) { smart_card_atr_t card; - bool gotATR = GetATR(&card); + bool gotATR = GetATR(&card, true); //reply_old(CMD_ACK, gotATR, sizeof(smart_card_atr_t), 0, &card, sizeof(smart_card_atr_t)); if (!gotATR) goto OUT; diff --git a/armsrc/i2c.h b/armsrc/i2c.h index 7b1707502..5f0f6dd18 100644 --- a/armsrc/i2c.h +++ b/armsrc/i2c.h @@ -33,8 +33,9 @@ int16_t I2C_BufferRead(uint8_t *data, uint8_t len, uint8_t device_cmd, uint8_t d int16_t I2C_ReadFW(uint8_t *data, uint8_t len, uint8_t msb, uint8_t lsb, uint8_t device_address); bool I2C_WriteFW(uint8_t *data, uint8_t len, uint8_t msb, uint8_t lsb, uint8_t device_address); +bool sc_rx_bytes(uint8_t *dest, uint8_t *destlen); // -bool GetATR(smart_card_atr_t *card_ptr); +bool GetATR(smart_card_atr_t *card_ptr, bool verbose); // generice functions void SmartCardAtr(void); diff --git a/armsrc/iclass.c b/armsrc/iclass.c index 1e9bb671f..9721a5ec2 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -3,6 +3,7 @@ // Hagen Fritsch - June 2010 // Gerhard de Koning Gans - May 2011 // Gerhard de Koning Gans - June 2012 - Added iClass card and reader emulation +// piwi - 2019 // // This code is licensed to you under the terms of the GNU GPL, version 2 or, // at your option, any later version. See the LICENSE.txt file for the text of @@ -10,32 +11,10 @@ //----------------------------------------------------------------------------- // Routines to support iClass. //----------------------------------------------------------------------------- -// Based on ISO14443a implementation. Still in experimental phase. // Contribution made during a security research at Radboud University Nijmegen // // Please feel free to contribute and extend iClass support!! //----------------------------------------------------------------------------- -// -// FIX: -// ==== -// We still have sometimes a demodulation error when sniffing iClass communication. -// The resulting trace of a read-block-03 command may look something like this: -// -// + 22279: : 0c 03 e8 01 -// -// ...with an incorrect answer... -// -// + 85: 0: TAG ff! ff! ff! ff! ff! ff! ff! ff! bb 33 bb 00 01! 0e! 04! bb !crc -// -// We still left the error signalling bytes in the traces like 0xbb -// -// A correct trace should look like this: -// -// + 21112: : 0c 03 e8 01 -// + 85: 0: TAG ff ff ff ff ff ff ff ff ea f5 -// -//----------------------------------------------------------------------------- - #include "iclass.h" #include "proxmark3_arm.h" @@ -54,531 +33,38 @@ #include "dbprint.h" #include "protocols.h" #include "ticks.h" +#include "iso15693.h" -static int g_wait = 290; -static int timeout = 5000; -static uint32_t time_rdr = 0; -static uint32_t time_response = 0; - -static int SendIClassAnswer(uint8_t *resp, int respLen, uint16_t delay); -int doIClassSimulation(int simulationMode, uint8_t *reader_mac_buf); - -#define MODE_SIM_CSN 0 -#define MODE_EXIT_AFTER_MAC 1 -#define MODE_FULLSIM 2 - -#ifndef ICLASS_DMA_BUFFER_SIZE -# define ICLASS_DMA_BUFFER_SIZE 256 -#endif +static uint8_t get_pagemap(const picopass_hdr *hdr) { + return (hdr->conf.fuses & (FUSE_CRYPT0 | FUSE_CRYPT1)) >> 3; +} // The length of a received command will in most cases be no more than 18 bytes. -// 32 should be enough! +// we expect max 34 (32+2) bytes as tag answer (response to READ4) #ifndef ICLASS_BUFFER_SIZE -#define ICLASS_BUFFER_SIZE 32 +#define ICLASS_BUFFER_SIZE 34 + 2 #endif +#ifndef ICLASS_16KS_SIZE +#define ICLASS_16KS_SIZE 0x100 * 8 +#endif + +// iCLASS has a slightly different timing compared to ISO15693. According to the picopass data sheet the tag response is expected 330us after +// the reader command. This is measured from end of reader EOF to first modulation of the tag's SOF which starts with a 56,64us unmodulated period. +// 330us = 140 ssp_clk cycles @ 423,75kHz when simulating. +// 56,64us = 24 ssp_clk_cycles +#define DELAY_ICLASS_VCD_TO_VICC_SIM (140 - 26) // (140 - 24) + +// times in ssp_clk_cycles @ 3,3625MHz when acting as reader +#define DELAY_ICLASS_VICC_TO_VCD_READER DELAY_ISO15693_VICC_TO_VCD_READER + +// times in samples @ 212kHz when acting as reader +#define ICLASS_READER_TIMEOUT_ACTALL 330 // 1558us, nominal 330us + 7slots*160us = 1450us +#define ICLASS_READER_TIMEOUT_UPDATE 3390 // 16000us, nominal 4-15ms +#define ICLASS_READER_TIMEOUT_OTHERS 80 // 380us, nominal 330us + #define AddCrc(data, len) compute_crc(CRC_ICLASS, (data), (len), (data)+(len), (data)+(len)+1) -//----------------------------------------------------------------------------- -// The software UART that receives commands from the reader, and its state -// variables. -//----------------------------------------------------------------------------- -/* -typedef struct { - enum { - STATE_UNSYNCD, - STATE_START_OF_COMMUNICATION, - STATE_RECEIVING - } state; - uint16_t shiftReg; - int bitCnt; - int byteCnt; -// int byteCntMax; - int posCnt; - int nOutOfCnt; - int OutOfCnt; - int syncBit; - int samples; - int highCnt; - int swapper; - int counter; - int bitBuffer; - int dropPosition; - uint8_t *output; -} tUartIc; -*/ -typedef struct { - enum { - DEMOD_IC_UNSYNCD, - DEMOD_IC_START_OF_COMMUNICATION, - DEMOD_IC_START_OF_COMMUNICATION2, - DEMOD_IC_START_OF_COMMUNICATION3, - DEMOD_IC_SOF_COMPLETE, - DEMOD_IC_MANCHESTER_D, - DEMOD_IC_MANCHESTER_E, - DEMOD_IC_END_OF_COMMUNICATION, - DEMOD_IC_END_OF_COMMUNICATION2, - DEMOD_IC_MANCHESTER_F, - DEMOD_IC_ERROR_WAIT - } state; - int bitCount; - int posCount; - int syncBit; - uint16_t shiftReg; - uint32_t buffer; - uint32_t buffer2; - uint32_t buffer3; - int buff; - int samples; - int len; - enum { - SUB_NONE, - SUB_FIRST_HALF, - SUB_SECOND_HALF, - SUB_BOTH - } sub; - uint8_t *output; -} tDemodIc; - -/* -* Abrasive's uart implementation -* https://github.com/abrasive/proxmark3/commit/2b8bff7daea8ae1193bf7ee29b1fa46e95218902 -*/ -// Static vars for UART -typedef struct { - bool synced; - bool frame; - bool frame_done; - uint8_t *buf; - int len; -} tUartIc; -static tUartIc Uart; - -static void OnError(uint8_t reason) { - reply_mix(CMD_ACK, 0, reason, 0, 0, 0); - switch_off(); -} - -static void uart_reset(void) { - Uart.frame_done = false; - Uart.synced = false; - Uart.frame = false; -} - -static void uart_init(uint8_t *data) { - Uart.buf = data; - uart_reset(); -} - -static void uart_bit(uint8_t bit) { - static uint8_t buf = 0xff; - static uint8_t n_buf; - static int nmsg_byte; - buf <<= 1; - buf |= bit ? 1 : 0; - - if (!Uart.frame) { - if (buf == 0x7b) { // 0b0111 1011 - Uart.frame = true; - n_buf = 0; - Uart.len = 0; - nmsg_byte = 0; - } - } else { - static uint8_t msg_byte; - n_buf++; - if (n_buf == 8) { - msg_byte >>= 2; - switch (buf) { - case 0xbf: // 0 - 1011 1111 - break; - case 0xef: // 1 - 1110 1111 - msg_byte |= (1 << 6); - break; - case 0xfb: // 2 - 1111 1011 - msg_byte |= (2 << 6); - break; - case 0xfe: // 3 - 1111 1110 - msg_byte |= (3 << 6); - break; - case 0xdf: // eof - 1101 1111 - Uart.frame = false; - Uart.synced = false; - Uart.frame_done = true; - break; - default: - Uart.frame = false; - Uart.synced = false; - Dbprintf("[-] bad %02X at %d:%d", buf, Uart.len, nmsg_byte); - } - - if (Uart.frame) { // data bits - nmsg_byte += 2; - if (nmsg_byte >= 8) { - Uart.buf[Uart.len++] = msg_byte; - nmsg_byte = 0; - } - } - n_buf = 0; - buf = 0xff; - } - } -} - -static void uart_samples(uint8_t byte) { - static uint32_t buf; - static int window; - static int drop_next = 0; - - uint32_t falling; - int lz; - - if (!Uart.synced) { - if (byte == 0xFF) - return; - buf = 0xFFFFFFFF; - window = 0; - drop_next = 0; - Uart.synced = true; - } - - buf <<= 8; - buf |= byte; - - if (drop_next) { - drop_next = 0; - return; - } - -again: - falling = ~buf & ((buf >> 1) ^ buf) & (0xFF << window); - - uart_bit(!falling); - - if (!falling) - return; - - lz = __builtin_clz(falling) - 24 + window; - - // aim to get falling edge on fourth-leftmost bit of window - window += 3 - lz; - - if (window < 0) { - window += 8; - drop_next = 1; - } else if (window >= 8) { - window -= 8; - goto again; - } -} - - -/* -static void UartReset(){ - Uart.state = STATE_UNSYNCD; - Uart.shiftReg = 0; - Uart.bitCnt = 0; - Uart.byteCnt = 0; - Uart.posCnt = 0; - Uart.nOutOfCnt = 0; - Uart.OutOfCnt = 0; - Uart.syncBit = 0; - Uart.samples = 0; - Uart.highCnt = 0; - Uart.swapper = 0; - Uart.counter = 0; - Uart.bitBuffer = 0; - Uart.dropPosition = 0; -} -*/ - -/* -* READER TO CARD -* 1 out of 4 Decoding -* 1 out of 256 Decoding -*/ -/* -static RAMFUNC int OutOfNDecoding(int bit) { - //int error = 0; - int bitright; - - if (!Uart.bitBuffer) { - Uart.bitBuffer = bit ^ 0xFF0; - return false; - } else { - Uart.bitBuffer <<= 4; - Uart.bitBuffer ^= bit; - } - - // if (Uart.swapper) { - // Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF; - // Uart.byteCnt++; - // Uart.swapper = 0; - // if (Uart.byteCnt > 15) return true; - // } - // else { - // Uart.swapper = 1; - // } - - if (Uart.state != STATE_UNSYNCD) { - Uart.posCnt++; - - if ((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) - bit = 0; - else - bit = 1; - - if (((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) - bitright = 0; - else - bitright = 1; - - if(bit != bitright) - bit = bitright; - - - // So, now we only have to deal with *bit*, lets see... - if (Uart.posCnt == 1) { - // measurement first half bitperiod - if (!bit) { - // Drop in first half means that we are either seeing - // an SOF or an EOF. - - if (Uart.nOutOfCnt == 1) { - // End of Communication - Uart.state = STATE_UNSYNCD; - Uart.highCnt = 0; - if (Uart.byteCnt == 0) { - // Its not straightforward to show single EOFs - // So just leave it and do not return TRUE - Uart.output[0] = 0xf0; - Uart.byteCnt++; - } else { - return true; - } - } else if (Uart.state != STATE_START_OF_COMMUNICATION) { - // When not part of SOF or EOF, it is an error - Uart.state = STATE_UNSYNCD; - Uart.highCnt = 0; - //error = 4; - } - } - } else { - // measurement second half bitperiod - // Count the bitslot we are in... (ISO 15693) - Uart.nOutOfCnt++; - - if (!bit) { - if (Uart.dropPosition) { - if (Uart.state == STATE_START_OF_COMMUNICATION) { - //error = 1; - } else { - //error = 7; - } - // It is an error if we already have seen a drop in current frame - Uart.state = STATE_UNSYNCD; - Uart.highCnt = 0; - } else { - Uart.dropPosition = Uart.nOutOfCnt; - } - } - Uart.posCnt = 0; - - if (Uart.nOutOfCnt == Uart.OutOfCnt && Uart.OutOfCnt == 4) { - Uart.nOutOfCnt = 0; - - if (Uart.state == STATE_START_OF_COMMUNICATION) { - if (Uart.dropPosition == 4) { - Uart.state = STATE_RECEIVING; - Uart.OutOfCnt = 256; - } else if (Uart.dropPosition == 3) { - Uart.state = STATE_RECEIVING; - Uart.OutOfCnt = 4; - //Uart.output[Uart.byteCnt] = 0xdd; - //Uart.byteCnt++; - } else { - Uart.state = STATE_UNSYNCD; - Uart.highCnt = 0; - } - Uart.dropPosition = 0; - } else { - // RECEIVING DATA - // 1 out of 4 - if (!Uart.dropPosition) { - Uart.state = STATE_UNSYNCD; - Uart.highCnt = 0; - //error = 9; - } else { - Uart.shiftReg >>= 2; - - // Swap bit order - Uart.dropPosition--; - //if(Uart.dropPosition == 1) { Uart.dropPosition = 2; } - //else if(Uart.dropPosition == 2) { Uart.dropPosition = 1; } - - Uart.shiftReg ^= ((Uart.dropPosition & 0x03) << 6); - Uart.bitCnt += 2; - Uart.dropPosition = 0; - - if (Uart.bitCnt == 8) { - Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff); - Uart.byteCnt++; - Uart.bitCnt = 0; - Uart.shiftReg = 0; - } - } - } - } else if (Uart.nOutOfCnt == Uart.OutOfCnt) { - // RECEIVING DATA - // 1 out of 256 - if (!Uart.dropPosition) { - Uart.state = STATE_UNSYNCD; - Uart.highCnt = 0; - //error = 3; - } else { - Uart.dropPosition--; - Uart.output[Uart.byteCnt] = (Uart.dropPosition & 0xff); - Uart.byteCnt++; - Uart.bitCnt = 0; - Uart.shiftReg = 0; - Uart.nOutOfCnt = 0; - Uart.dropPosition = 0; - } - } -*/ -/*if (error) { - Uart.output[Uart.byteCnt] = 0xAA; - Uart.byteCnt++; - Uart.output[Uart.byteCnt] = error & 0xFF; - Uart.byteCnt++; - Uart.output[Uart.byteCnt] = 0xAA; - Uart.byteCnt++; - Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF; - Uart.byteCnt++; - Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF; - Uart.byteCnt++; - Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF; - Uart.byteCnt++; - Uart.output[Uart.byteCnt] = 0xAA; - Uart.byteCnt++; - return true; -}*/ -/* - } - } else { - bit = Uart.bitBuffer & 0xf0; - bit >>= 4; - bit ^= 0x0F; // drops become 1s ;-) - if (bit) { - // should have been high or at least (4 * 128) / fc - // according to ISO this should be at least (9 * 128 + 20) / fc - if (Uart.highCnt == 8) { - // we went low, so this could be start of communication - // it turns out to be safer to choose a less significant - // syncbit... so we check whether the neighbour also represents the drop - Uart.posCnt = 1; // apparently we are busy with our first half bit period - Uart.syncBit = bit & 8; - Uart.samples = 3; - - if (!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; } - else if (bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; } - - if (!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; } - else if (bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; } - - if (!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0; - if (Uart.syncBit && (Uart.bitBuffer & 8)) { - Uart.syncBit = 8; - - // the first half bit period is expected in next sample - Uart.posCnt = 0; - Uart.samples = 3; - } - } else if (bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; } - - Uart.syncBit <<= 4; - Uart.state = STATE_START_OF_COMMUNICATION; - Uart.bitCnt = 0; - Uart.byteCnt = 0; - Uart.nOutOfCnt = 0; - Uart.OutOfCnt = 4; // Start at 1/4, could switch to 1/256 - Uart.dropPosition = 0; - Uart.shiftReg = 0; - //error = 0; - } else { - Uart.highCnt = 0; - } - } else { - if (Uart.highCnt < 8) - Uart.highCnt++; - } - } - return false; -} -*/ -//============================================================================= -// Manchester -//============================================================================= -static tDemodIc Demod; -static void DemodIcReset(void) { - Demod.bitCount = 0; - Demod.posCount = 0; - Demod.syncBit = 0; - Demod.shiftReg = 0; - Demod.buffer = 0; - Demod.buffer2 = 0; - Demod.buffer3 = 0; - Demod.buff = 0; - Demod.samples = 0; - Demod.len = 0; - Demod.sub = SUB_NONE; - Demod.state = DEMOD_IC_UNSYNCD; -} -static void DemodIcInit(uint8_t *data) { - Demod.output = data; - DemodIcReset(); -} - -// UART debug -// it adds the debug values which will be put in the tracelog, -// visible on client when running 'hf list iclass' -/* -pm3 --> hf li iclass -Recorded Activity (TraceLen = 162 bytes) - Start | End | Src | Data (! denotes parity error) | CRC | Annotation | -------------|------------|-----|-----------------------------------------------------------------|-----|--------------------| - 0 | 0 | Rdr |0a | | ACTALL - 1280 | 1280 | Tag |bb! 33! bb! 01 02 04 08 bb! | ok | - 1280 | 1280 | Rdr |0c | | IDENTIFY - 1616 | 1616 | Tag |bb! 33! bb! 00! 02 00! 02 bb! | ok | - 1616 | 1616 | Rdr |0a | | ACTALL - 2336 | 2336 | Tag |bb! d4! bb! 02 08 00! 08 bb! | ok | - 2336 | 2336 | Rdr |0c | | IDENTIFY - 2448 | 2448 | Tag |bb! 33! bb! 00! 00! 00! 02 bb! | ok | - 2448 | 2448 | Rdr |0a | | ACTALL - 2720 | 2720 | Tag |bb! d4! bb! 08 0b 01 04 bb! | ok | - 2720 | 2720 | Rdr |0c | | IDENTIFY - 3232 | 3232 | Tag |bb! d4! bb! 02 02 08 04 bb! | ok | -*/ -static void uart_debug(int error, int bit) { - Demod.output[Demod.len] = 0xBB; - Demod.len++; - Demod.output[Demod.len] = error & 0xFF; - Demod.len++; - Demod.output[Demod.len] = 0xBB; - Demod.len++; - Demod.output[Demod.len] = bit & 0xFF; - Demod.len++; - Demod.output[Demod.len] = Demod.buffer & 0xFF; - Demod.len++; - // Look harder ;-) - Demod.output[Demod.len] = Demod.buffer2 & 0xFF; - Demod.len++; - Demod.output[Demod.len] = Demod.syncBit & 0xFF; - Demod.len++; - Demod.output[Demod.len] = 0xBB; - Demod.len++; -} /* * CARD TO READER @@ -596,568 +82,63 @@ static void uart_debug(int error, int bit) { * * So for current implementation in ISO15693, its 330 µs from end of reader, to start of card. */ -static RAMFUNC int ManchesterDecoding_iclass(uint32_t v) { - int bit; - int modulation; - int error = 0; - - bit = Demod.buffer; - Demod.buffer = Demod.buffer2; - Demod.buffer2 = Demod.buffer3; - Demod.buffer3 = v; - - // too few bits? - if (Demod.buff < 3) { - Demod.buff++; - return false; - } - - if (Demod.state == DEMOD_IC_UNSYNCD) { - Demod.output[Demod.len] = 0xfa; - Demod.syncBit = 0; - //Demod.samples = 0; - Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part - - if (bit & 0x08) - Demod.syncBit = 0x08; - - if (bit & 0x04) { - if (Demod.syncBit) - bit <<= 4; - - Demod.syncBit = 0x04; - } - - if (bit & 0x02) { - if (Demod.syncBit) - bit <<= 2; - - Demod.syncBit = 0x02; - } - - if (bit & 0x01 && Demod.syncBit) - Demod.syncBit = 0x01; - - if (Demod.syncBit) { - Demod.len = 0; - Demod.state = DEMOD_IC_START_OF_COMMUNICATION; - Demod.sub = SUB_FIRST_HALF; - Demod.bitCount = 0; - Demod.shiftReg = 0; - Demod.samples = 0; - - if (Demod.posCount) { - - switch (Demod.syncBit) { - case 0x08: - Demod.samples = 3; - break; - case 0x04: - Demod.samples = 2; - break; - case 0x02: - Demod.samples = 1; - break; - case 0x01: - Demod.samples = 0; - break; - } - // SOF must be long burst... otherwise stay unsynced!!! - if (!(Demod.buffer & Demod.syncBit) || !(Demod.buffer2 & Demod.syncBit)) - Demod.state = DEMOD_IC_UNSYNCD; - - } else { - // SOF must be long burst... otherwise stay unsynced!!! - if (!(Demod.buffer2 & Demod.syncBit) || !(Demod.buffer3 & Demod.syncBit)) { - Demod.state = DEMOD_IC_UNSYNCD; - error = 0x88; - uart_debug(error, bit); - return false; - } - } - } - return false; - } - - // state is DEMOD is in SYNC from here on. - - modulation = bit & Demod.syncBit; - modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit; - Demod.samples += 4; - - if (Demod.posCount == 0) { - Demod.posCount = 1; - Demod.sub = (modulation) ? SUB_FIRST_HALF : SUB_NONE; - return false; - } - - Demod.posCount = 0; - - if (modulation) { - - if (Demod.sub == SUB_FIRST_HALF) - Demod.sub = SUB_BOTH; - else - Demod.sub = SUB_SECOND_HALF; - } - - if (Demod.sub == SUB_NONE) { - if (Demod.state == DEMOD_IC_SOF_COMPLETE) { - Demod.output[Demod.len] = 0x0f; - Demod.len++; - Demod.state = DEMOD_IC_UNSYNCD; - return true; - } else { - Demod.state = DEMOD_IC_ERROR_WAIT; - error = 0x33; - } - } - - switch (Demod.state) { - - case DEMOD_IC_START_OF_COMMUNICATION: - if (Demod.sub == SUB_BOTH) { - - Demod.state = DEMOD_IC_START_OF_COMMUNICATION2; - Demod.posCount = 1; - Demod.sub = SUB_NONE; - } else { - Demod.output[Demod.len] = 0xab; - Demod.state = DEMOD_IC_ERROR_WAIT; - error = 0xd2; - } - break; - - case DEMOD_IC_START_OF_COMMUNICATION2: - if (Demod.sub == SUB_SECOND_HALF) { - Demod.state = DEMOD_IC_START_OF_COMMUNICATION3; - } else { - Demod.output[Demod.len] = 0xab; - Demod.state = DEMOD_IC_ERROR_WAIT; - error = 0xd3; - } - break; - - case DEMOD_IC_START_OF_COMMUNICATION3: - if (Demod.sub == SUB_SECOND_HALF) { - Demod.state = DEMOD_IC_SOF_COMPLETE; - } else { - Demod.output[Demod.len] = 0xab; - Demod.state = DEMOD_IC_ERROR_WAIT; - error = 0xd4; - } - break; - - case DEMOD_IC_SOF_COMPLETE: - case DEMOD_IC_MANCHESTER_D: - case DEMOD_IC_MANCHESTER_E: - // OPPOSITE FROM ISO14443 - 11110000 = 0 (1 in 14443) - // 00001111 = 1 (0 in 14443) - if (Demod.sub == SUB_SECOND_HALF) { // SUB_FIRST_HALF - Demod.bitCount++; - Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100; - Demod.state = DEMOD_IC_MANCHESTER_D; - } else if (Demod.sub == SUB_FIRST_HALF) { // SUB_SECOND_HALF - Demod.bitCount++; - Demod.shiftReg >>= 1; - Demod.state = DEMOD_IC_MANCHESTER_E; - } else if (Demod.sub == SUB_BOTH) { - Demod.state = DEMOD_IC_MANCHESTER_F; - } else { - Demod.state = DEMOD_IC_ERROR_WAIT; - error = 0x55; - } - break; - - case DEMOD_IC_MANCHESTER_F: - // Tag response does not need to be a complete byte! - if (Demod.len > 0 || Demod.bitCount > 0) { - if (Demod.bitCount > 1) { // was > 0, do not interpret last closing bit, is part of EOF - Demod.shiftReg >>= (9 - Demod.bitCount); // right align data - Demod.output[Demod.len] = Demod.shiftReg & 0xff; - Demod.len++; - } - - Demod.state = DEMOD_IC_UNSYNCD; - return true; - } else { - Demod.output[Demod.len] = 0xad; - Demod.state = DEMOD_IC_ERROR_WAIT; - error = 0x03; - } - break; - - case DEMOD_IC_ERROR_WAIT: - Demod.state = DEMOD_IC_UNSYNCD; - break; - - default: - Demod.output[Demod.len] = 0xdd; - Demod.state = DEMOD_IC_UNSYNCD; - break; - } - - if (Demod.bitCount >= 8) { - Demod.shiftReg >>= 1; - Demod.output[Demod.len] = (Demod.shiftReg & 0xff); - Demod.len++; - Demod.bitCount = 0; - Demod.shiftReg = 0; - } - - if (error) { - uart_debug(error, bit); - return true; - } - - return false; -} //============================================================================= -// Finally, a `sniffer' for iClass communication +// a `sniffer' for iClass communication // Both sides of communication! //============================================================================= -static void iclass_setup_sniff(void) { - if (DBGLEVEL > 3) Dbprintf("iclass_setup_sniff Enter"); - - LEDsoff(); - - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - - FpgaDownloadAndGo(FPGA_BITSTREAM_HF); - - // connect Demodulated Signal to ADC: - SetAdcMuxFor(GPIO_MUXSEL_HIPKD); - - // Set up the synchronous serial port - FpgaSetupSsc(); - - BigBuf_free(); - BigBuf_Clear_ext(false); - clear_trace(); - set_tracing(true); - - // Initialize Demod and Uart structs - DemodIcInit(BigBuf_malloc(ICLASS_BUFFER_SIZE)); - - uart_init(BigBuf_malloc(ICLASS_BUFFER_SIZE)); - //UartIcInit(BigBuf_malloc(ICLASS_BUFFER_SIZE)); - - if (DBGLEVEL > 1) { - // Print debug information about the buffer sizes - Dbprintf("[+] Sniffing buffers initialized:"); - Dbprintf(" Trace: %i bytes", BigBuf_max_traceLen()); - Dbprintf(" Reader -> tag: %i bytes", ICLASS_BUFFER_SIZE); - Dbprintf(" tag -> Reader: %i bytes", ICLASS_BUFFER_SIZE); - Dbprintf(" DMA: %i bytes", ICLASS_DMA_BUFFER_SIZE); - } - - // Set FPGA in the appropriate mode - // put the FPGA in the appropriate mode - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER); - SpinDelay(200); - - // Start the SSP timer - StartCountSspClk(); - - LED_A_ON(); - if (DBGLEVEL > 3) Dbprintf("[+] iclass_setup_sniff Exit"); +void SniffIClass(uint8_t jam_search_len, uint8_t *jam_search_string) { + SniffIso15693(jam_search_len, jam_search_string); } -//----------------------------------------------------------------------------- -// Record the sequence of commands sent by the reader to the tag, with -// triggering so that we start recording at the point that the tag is moved -// near the reader. -//----------------------------------------------------------------------------- -// turn off afterwards -void RAMFUNC SniffIClass(void) { - - //int datalen = 0; - uint32_t previous_data = 0; - uint32_t time_0 = 0, time_start = 0, time_stop; - uint32_t sniffCounter = 0; - bool TagIsActive = false; - bool ReaderIsActive = false; - - iclass_setup_sniff(); - - // The DMA buffer, used to stream samples from the FPGA - // *dmaBuf is the start reference. - uint8_t *dmaBuf = BigBuf_malloc(ICLASS_DMA_BUFFER_SIZE); - // pointer to samples from fpga - uint8_t *data = dmaBuf; - - // Setup and start DMA. - if (!FpgaSetupSscDma(dmaBuf, ICLASS_DMA_BUFFER_SIZE)) { - if (DBGLEVEL > 1) DbpString("[-] FpgaSetupSscDma failed. Exiting"); - return; +static void rotateCSN(uint8_t *original_csn, uint8_t *rotated_csn) { + for (uint8_t i = 0; i < 8; i++) { + rotated_csn[i] = (original_csn[i] >> 3) | (original_csn[(i + 1) % 8] << 5); } - - // time ZERO, the point from which it all is calculated. - time_0 = GetCountSspClk(); - - // loop and listen - // every sample (1byte in data), - // contains HIGH nibble = reader data - // contains LOW nibble = tag data - // so two bytes are needed in order to get 1byte of either reader or tag data. (ie 2 sample bytes) - // since reader data is manchester encoded, we need 2bytes of data in order to get one demoded byte. (ie: 4 sample bytes) - uint16_t checked = 0; - for (;;) { - WDT_HIT(); - - if (checked == 1000) { - if (BUTTON_PRESS() || data_available()) break; - checked = 0; - } - ++checked; - - previous_data <<= 8; - previous_data |= *data; - - sniffCounter++; - data++; - - if (data == dmaBuf + ICLASS_DMA_BUFFER_SIZE) { - data = dmaBuf; - AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; - AT91C_BASE_PDC_SSC->PDC_RNCR = ICLASS_DMA_BUFFER_SIZE; - } - - // every odd sample - if (sniffCounter & 0x01) { - // no need to try decoding reader data if the tag is sending - // READER TO CARD - if (!TagIsActive) { - LED_C_INV(); - // HIGH nibble is always reader data. - uint8_t reader_byte = (previous_data & 0xF0) | (*data >> 4); - uart_samples(reader_byte); - if (Uart.frame_done) { - time_stop = GetCountSspClk() - time_0; - LogTrace(Uart.buf, Uart.len, time_start, time_stop, NULL, true); - DemodIcReset(); - uart_reset(); - } else { - time_start = GetCountSspClk() - time_0; - } - ReaderIsActive = Uart.frame_done; - } - } - // every four sample - if ((sniffCounter % 4) == 0) { - // need two samples to feed Manchester - // no need to try decoding tag data if the reader is sending - and we cannot afford the time - // CARD TO READER - if (!ReaderIsActive) { - LED_C_INV(); - // LOW nibble is always tag data. - /* - uint32_t tag_byte = - ((previous_data & 0x0F000000) >> 8 ) | - ((previous_data & 0x000F0000) >> 4 ) | - ((previous_data & 0x00000F00) ) | - ((previous_data & 0x0000000F) << 4 ) | - (*data & 0xF); - */ - - - uint8_t tag_byte = ((previous_data & 0xF) << 4) | (*data & 0xF); - if (ManchesterDecoding_iclass(tag_byte)) { - time_stop = GetCountSspClk() - time_0; - LogTrace(Demod.output, Demod.len, time_start, time_stop, NULL, false); - DemodIcReset(); - uart_reset(); - } else { - time_start = GetCountSspClk() - time_0; - } - TagIsActive = (Demod.state != DEMOD_IC_UNSYNCD); - } - } - } // end main loop - - /* - if (DBGLEVEL >= 1) { - DbpString("[+] Sniff statistics:"); - Dbhexdump(ICLASS_DMA_BUFFER_SIZE, data, false); - } - */ - switch_off(); } -static void rotateCSN(uint8_t *originalCSN, uint8_t *rotatedCSN) { - int i; - for (i = 0; i < 8; i++) - rotatedCSN[i] = (originalCSN[i] >> 3) | (originalCSN[(i + 1) % 8] << 5); -} - -//----------------------------------------------------------------------------- -// SIMULATION -// Wait for commands from reader -// Stop when button is pressed -// Or return TRUE when command is captured -//----------------------------------------------------------------------------- -static bool GetIClassCommandFromReader(uint8_t *received, int *len, int maxLen) { - // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen - // only, since we are receiving, not transmitting). - // Signal field is off with the appropriate LED - LED_D_OFF(); - uart_init(received); - - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN); - // clear RXRDY: - uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - (void)b; - - uint16_t checked = 0; - for (;;) { - - WDT_HIT(); - - if (checked == 1000) { - if (BUTTON_PRESS() || data_available()) return false; - checked = 0; - } - ++checked; - - // keep tx buffer in a defined state anyway. - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) - AT91C_BASE_SSC->SSC_THR = 0x00; - - // wait for byte to become available in rx holding register - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { - b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - - uart_samples(b); - if (Uart.frame_done) { - *len = Uart.len; - return true; - } - } - } - return false; +// Encode SOF only +static void CodeIClassTagSOF(void) { + tosend_reset(); + tosend_t *ts = get_tosend(); + ts->buf[++ts->max] = 0x1D; + ts->max++; } /* -static uint8_t encode4Bits(const uint8_t b) { - // OTA, the least significant bits first - // Manchester encoding added - // The columns are - // 1 - Bit value to send - // 2 - Reversed (big-endian) - // 3 - Machester Encoded - // 4 - Hex values - - uint8_t c = b & 0xF; - switch (c) { - // 1 2 3 4 - case 15: - return 0x55; // 1111 -> 1111 -> 01010101 -> 0x55 - case 14: - return 0x95; // 1110 -> 0111 -> 10010101 -> 0x95 - case 13: - return 0x65; // 1101 -> 1011 -> 01100101 -> 0x65 - case 12: - return 0xa5; // 1100 -> 0011 -> 10100101 -> 0xa5 - case 11: - return 0x59; // 1011 -> 1101 -> 01011001 -> 0x59 - case 10: - return 0x99; // 1010 -> 0101 -> 10011001 -> 0x99 - case 9: - return 0x69; // 1001 -> 1001 -> 01101001 -> 0x69 - case 8: - return 0xa9; // 1000 -> 0001 -> 10101001 -> 0xa9 - case 7: - return 0x56; // 0111 -> 1110 -> 01010110 -> 0x56 - case 6: - return 0x96; // 0110 -> 0110 -> 10010110 -> 0x96 - case 5: - return 0x66; // 0101 -> 1010 -> 01100110 -> 0x66 - case 4: - return 0xa6; // 0100 -> 0010 -> 10100110 -> 0xa6 - case 3: - return 0x5a; // 0011 -> 1100 -> 01011010 -> 0x5a - case 2: - return 0x9a; // 0010 -> 0100 -> 10011010 -> 0x9a - case 1: - return 0x6a; // 0001 -> 1000 -> 01101010 -> 0x6a - default: - return 0xaa; // 0000 -> 0000 -> 10101010 -> 0xaa - } -} -*/ - -static uint8_t lut_enc[] = { 0xAA, 0x6A, 0x9A, 0x5A, 0xA6, 0x66, 0x96, 0x56, 0xA9, 0x69, 0x99, 0x59, 0xA5, 0x65, 0x95, 0x55 }; - -//----------------------------------------------------------------------------- -// Prepare tag messages -//----------------------------------------------------------------------------- -static void CodeIClassTagAnswer(const uint8_t *cmd, int len) { - /* - * SOF comprises 3 parts; - * * An unmodulated time of 56.64 us - * * 24 pulses of 423.75 kHz (fc/32) - * * A logic 1, which starts with an unmodulated time of 18.88us - * followed by 8 pulses of 423.75kHz (fc/32) - * - * - * EOF comprises 3 parts: - * - A logic 0 (which starts with 8 pulses of fc/32 followed by an unmodulated - * time of 18.88us. - * - 24 pulses of fc/32 - * - An unmodulated time of 56.64 us - * - * - * A logic 0 starts with 8 pulses of fc/32 - * followed by an unmodulated time of 256/fc (~18,88us). - * - * A logic 0 starts with unmodulated time of 256/fc (~18,88us) followed by - * 8 pulses of fc/32 (also 18.88us) - * - * The mode FPGA_HF_SIMULATOR_MODULATE_424K_8BIT which we use to simulate tag, - * works like this. - * - A 1-bit input to the FPGA becomes 8 pulses on 423.5kHz (fc/32) (18.88us). - * - A 0-bit input to the FPGA becomes an unmodulated time of 18.88us - * - * In this mode - * SOF can be written as 00011101 = 0x1D - * EOF can be written as 10111000 = 0xb8 - * logic 1 be written as 01 = 0x1 - * logic 0 be written as 10 = 0x2 - * - * */ - ToSendReset(); - - // Send SOF - ToSend[++ToSendMax] = 0x1D; - - int i; - for (i = 0; i < len; i++) { - uint8_t b = cmd[i]; - ToSend[++ToSendMax] = lut_enc[b & 0xF]; // least significant half - ToSend[++ToSendMax] = lut_enc[(b >> 4) & 0xF]; // most significant half - } - - // Send EOF - ToSend[++ToSendMax] = 0xB8; - //lastProxToAirDuration = 8*ToSendMax - 3*8 - 3*8;//Not counting zeroes in the beginning or end - // Convert from last byte pos to length - ToSendMax++; -} - -// Only SOF -static void CodeIClassTagSOF(void) { - //So far a dummy implementation, not used - //int lastProxToAirDuration =0; - - ToSendReset(); - // Send SOF - ToSend[++ToSendMax] = 0x1D; - // lastProxToAirDuration = 8*ToSendMax - 3*8;//Not counting zeroes in the beginning - - // Convert from last byte pos to length - ToSendMax++; -} + * SOF comprises 3 parts; + * * An unmodulated time of 56.64 us + * * 24 pulses of 423.75 kHz (fc/32) + * * A logic 1, which starts with an unmodulated time of 18.88us + * followed by 8 pulses of 423.75kHz (fc/32) + * + * + * EOF comprises 3 parts: + * - A logic 0 (which starts with 8 pulses of fc/32 followed by an unmodulated + * time of 18.88us. + * - 24 pulses of fc/32 + * - An unmodulated time of 56.64 us + * + * + * A logic 0 starts with 8 pulses of fc/32 + * followed by an unmodulated time of 256/fc (~18,88us). + * + * A logic 0 starts with unmodulated time of 256/fc (~18,88us) followed by + * 8 pulses of fc/32 (also 18.88us) + * + * The mode FPGA_HF_SIMULATOR_MODULATE_424K_8BIT which we use to simulate tag, + * works like this. + * - A 1-bit input to the FPGA becomes 8 pulses on 423.5kHz (fc/32) (18.88us). + * - A 0-bit input to the FPGA becomes an unmodulated time of 18.88us + * + * In this mode + * SOF can be written as 00011101 = 0x1D + * EOF can be written as 10111000 = 0xb8 + * logic 1 be written as 01 = 0x1 + * logic 0 be written as 10 = 0x2 + * + * + */ /** * @brief SimulateIClass simulates an iClass card. @@ -1173,70 +154,90 @@ static void CodeIClassTagSOF(void) { */ // turn off afterwards void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain) { + iclass_simulate(arg0, arg1, arg2, datain, NULL, NULL); +} - if (DBGLEVEL > 3) Dbprintf("[+] iClass_simulate Enter"); +void iclass_simulate(uint8_t sim_type, uint8_t num_csns, bool send_reply, uint8_t *datain, uint8_t *dataout, uint16_t *dataoutlen) { LEDsoff(); - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - // this will clear out bigbuf memory, the eload command must select this before! - FpgaDownloadAndGo(FPGA_BITSTREAM_HF); - FpgaSetupSsc(); - SetAdcMuxFor(GPIO_MUXSEL_HIPKD); - - // Enable and clear the trace + Iso15693InitTag(); + clear_trace(); - set_tracing(true); - - uint32_t simType = arg0; - uint32_t numberOfCSNS = arg1; + + // only logg if we are called from the client. + set_tracing(send_reply); //Use the emulator memory for SIM uint8_t *emulator = BigBuf_get_EM_addr(); uint8_t mac_responses[PM3_CMD_DATA_SIZE] = { 0 }; - if (simType == 0) { + if (sim_type == ICLASS_SIM_MODE_CSN) { // Use the CSN from commandline memcpy(emulator, datain, 8); - doIClassSimulation(MODE_SIM_CSN, NULL); - } else if (simType == 1) { - //Default CSN - uint8_t csn_crc[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 }; - // Use the CSN from commandline - memcpy(emulator, csn_crc, 8); - doIClassSimulation(MODE_SIM_CSN, NULL); - } else if (simType == 2) { + do_iclass_simulation(ICLASS_SIM_MODE_CSN, NULL); - Dbprintf("[+] going into attack mode, %d CSNS sent", numberOfCSNS); + } else if (sim_type == ICLASS_SIM_MODE_CSN_DEFAULT) { + //Default CSN + uint8_t csn[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0 }; + // Use the CSN from commandline + memcpy(emulator, csn, 8); + do_iclass_simulation(ICLASS_SIM_MODE_CSN, NULL); + + } else if (sim_type == ICLASS_SIM_MODE_READER_ATTACK) { + + Dbprintf("going into attack mode, %d CSNS sent", num_csns); // In this mode, a number of csns are within datain. We'll simulate each one, one at a time // in order to collect MAC's from the reader. This can later be used in an offlne-attack // in order to obtain the keys, as in the "dismantling iclass"-paper. -#define EPURSE_MAC_SIZE 16 + #define EPURSE_MAC_SIZE 16 int i = 0; - for (; i < numberOfCSNS && i * EPURSE_MAC_SIZE + 8 < PM3_CMD_DATA_SIZE; i++) { - // The usb data is 512 bytes, fitting 65 8-byte CSNs in there. + for (; i < num_csns && i * EPURSE_MAC_SIZE + 8 < PM3_CMD_DATA_SIZE; i++) { memcpy(emulator, datain + (i * 8), 8); - if (doIClassSimulation(MODE_EXIT_AFTER_MAC, mac_responses + i * EPURSE_MAC_SIZE)) { + if (do_iclass_simulation(ICLASS_SIM_MODE_EXIT_AFTER_MAC, mac_responses + i * EPURSE_MAC_SIZE)) { + + if (dataoutlen) + *dataoutlen = i * EPURSE_MAC_SIZE; + // Button pressed - reply_old(CMD_ACK, CMD_HF_ICLASS_SIMULATE, i, 0, mac_responses, i * EPURSE_MAC_SIZE); + if (send_reply) + reply_old(CMD_ACK, CMD_HF_ICLASS_SIMULATE, i, 0, mac_responses, i * EPURSE_MAC_SIZE); goto out; } } - reply_old(CMD_ACK, CMD_HF_ICLASS_SIMULATE, i, 0, mac_responses, i * EPURSE_MAC_SIZE); + if (dataoutlen) + *dataoutlen = i * EPURSE_MAC_SIZE; + + if (send_reply) + reply_old(CMD_ACK, CMD_HF_ICLASS_SIMULATE, i, 0, mac_responses, i * EPURSE_MAC_SIZE); + + } else if (sim_type == ICLASS_SIM_MODE_FULL) { - } else if (simType == 3) { //This is 'full sim' mode, where we use the emulator storage for data. //ie: BigBuf_get_EM_addr should be previously filled with data from the "eload" command - doIClassSimulation(MODE_FULLSIM, NULL); - } else if (simType == 4) { + picopass_hdr *hdr = (picopass_hdr *)BigBuf_get_EM_addr(); + uint8_t pagemap = get_pagemap(hdr); + if (pagemap == PICOPASS_NON_SECURE_PAGEMODE) { + do_iclass_simulation_nonsec(); + } else { + do_iclass_simulation(ICLASS_SIM_MODE_FULL, NULL); + } + + } else if (sim_type == ICLASS_SIM_MODE_CONFIG_CARD) { + + // config card + do_iclass_simulation(ICLASS_SIM_MODE_FULL, NULL); + // swap bin + + } else if (sim_type == ICLASS_SIM_MODE_READER_ATTACK_KEYROLL) { // This is the KEYROLL version of sim 2. // the collected data (mac_response) is doubled out since we are trying to collect both keys in the keyroll process. // Keyroll iceman 9 csns * 8 * 2 = 144 // keyroll CARL55 15csns * 8 * 2 = 15 * 8 * 2 = 240 - Dbprintf("[+] going into attack keyroll mode, %d CSNS sent", numberOfCSNS); + Dbprintf("going into attack keyroll mode, %d CSNS sent", num_csns); // In this mode, a number of csns are within datain. We'll simulate each one, one at a time // in order to collect MAC's from the reader. This can later be used in an offlne-attack // in order to obtain the keys, as in the "dismantling iclass"-paper. @@ -1245,53 +246,81 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain // attack below is same as SIM 2, but we run the CSN twice to collected the mac for both keys. int i = 0; // The usb data is 512 bytes, fitting 65 8-byte CSNs in there. iceman fork uses 9 CSNS - for (; i < numberOfCSNS && i * EPURSE_MAC_SIZE + 8 < PM3_CMD_DATA_SIZE; i++) { + for (; i < num_csns && i * EPURSE_MAC_SIZE + 8 < PM3_CMD_DATA_SIZE; i++) { memcpy(emulator, datain + (i * 8), 8); // keyroll 1 - if (doIClassSimulation(MODE_EXIT_AFTER_MAC, mac_responses + i * EPURSE_MAC_SIZE)) { - reply_old(CMD_ACK, CMD_HF_ICLASS_SIMULATE, i * 2, 0, mac_responses, i * EPURSE_MAC_SIZE * 2); + if (do_iclass_simulation(ICLASS_SIM_MODE_EXIT_AFTER_MAC, mac_responses + i * EPURSE_MAC_SIZE)) { + + if (dataoutlen) + *dataoutlen = i * EPURSE_MAC_SIZE * 2; + + if (send_reply) + reply_old(CMD_ACK, CMD_HF_ICLASS_SIMULATE, i * 2, 0, mac_responses, i * EPURSE_MAC_SIZE * 2); + // Button pressed goto out; } // keyroll 2 - if (doIClassSimulation(MODE_EXIT_AFTER_MAC, mac_responses + (i + numberOfCSNS) * EPURSE_MAC_SIZE)) { - reply_old(CMD_ACK, CMD_HF_ICLASS_SIMULATE, i * 2, 0, mac_responses, i * EPURSE_MAC_SIZE * 2); + if (do_iclass_simulation(ICLASS_SIM_MODE_EXIT_AFTER_MAC, mac_responses + (i + num_csns) * EPURSE_MAC_SIZE)) { + + if (dataoutlen) + *dataoutlen = i * EPURSE_MAC_SIZE * 2; + + if (send_reply) + reply_old(CMD_ACK, CMD_HF_ICLASS_SIMULATE, i * 2, 0, mac_responses, i * EPURSE_MAC_SIZE * 2); + // Button pressed goto out; } } - // double the amount of collected data. - reply_old(CMD_ACK, CMD_HF_ICLASS_SIMULATE, i * 2, 0, mac_responses, i * EPURSE_MAC_SIZE * 2); + if (dataoutlen) + *dataoutlen = i * EPURSE_MAC_SIZE * 2; + + // double the amount of collected data. + if (send_reply) + reply_old(CMD_ACK, CMD_HF_ICLASS_SIMULATE, i * 2, 0, mac_responses, i * EPURSE_MAC_SIZE * 2); + } else { // We may want a mode here where we hardcode the csns to use (from proxclone). // That will speed things up a little, but not required just yet. - DbpString("[-] the mode is not implemented, reserved for future use"); + DbpString("the mode is not implemented, reserved for future use"); } out: + if (dataout && dataoutlen) + memcpy(dataout, mac_responses, *dataoutlen); + switch_off(); BigBuf_free_keep_EM(); } /** + * Simulation assumes a SECURE PAGE simulation with authentication and application areas. + * + * * @brief Does the actual simulation * @param csn - csn to use * @param breakAfterMacReceived if true, returns after reader MAC has been received. */ -int doIClassSimulation(int simulationMode, uint8_t *reader_mac_buf) { +int do_iclass_simulation(int simulationMode, uint8_t *reader_mac_buf) { // free eventually allocated BigBuf memory BigBuf_free_keep_EM(); - State cipher_state; + uint16_t page_size = 32 * 8; + uint8_t current_page = 0; - uint8_t *csn = BigBuf_get_EM_addr(); - uint8_t *emulator = csn; - uint8_t sof_data[] = { 0x0F} ; + // maintain cipher states for both credit and debit key for each page + State cipher_state_KD[8]; + State cipher_state_KC[8]; + State *cipher_state = &cipher_state_KD[0]; + + uint8_t *emulator = BigBuf_get_EM_addr(); + uint8_t *csn = emulator; // CSN followed by two CRC bytes uint8_t anticoll_data[10] = { 0 }; @@ -1305,28 +334,614 @@ int doIClassSimulation(int simulationMode, uint8_t *reader_mac_buf) { AddCrc(anticoll_data, 8); AddCrc(csn_data, 8); - uint8_t diversified_key[8] = { 0 }; + uint8_t diversified_kd[8] = { 0 }; + uint8_t diversified_kc[8] = { 0 }; + uint8_t *diversified_key = diversified_kd; + + // configuration block + uint8_t conf_block[10] = {0x12, 0xFF, 0xFF, 0xFF, 0x7F, 0x1F, 0xFF, 0x3C, 0x00, 0x00}; // e-Purse uint8_t card_challenge_data[8] = { 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; - //uint8_t card_challenge_data[8] = { 0 }; - if (simulationMode == MODE_FULLSIM) { - //The diversified key should be stored on block 3 - //Get the diversified key from emulator memory - memcpy(diversified_key, emulator + (8 * 3), 8); - //Card challenge, a.k.a e-purse is on block 2 - memcpy(card_challenge_data, emulator + (8 * 2), 8); + // AIA + uint8_t aia_data[10] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00}; + + if (simulationMode == ICLASS_SIM_MODE_FULL) { - //Precalculate the cipher state, feeding it the CC - cipher_state = opt_doTagMAC_1(card_challenge_data, diversified_key); + memcpy(conf_block, emulator + (8 * 1), 8); // blk 1 + memcpy(card_challenge_data, emulator + (8 * 2), 8); // e-purse, blk 2 + memcpy(diversified_kd, emulator + (8 * 3), 8); // Kd, blk 3 + memcpy(diversified_kc, emulator + (8 * 4), 8); // Kc, blk 4 + + // (iceman) this only works for 2KS / 16KS tags. + // Use application data from block 5 + memcpy(aia_data, emulator + (8 * 5), 8); } + + AddCrc(conf_block, 8); + AddCrc(aia_data, 8); + // set epurse of sim2,4 attack if (reader_mac_buf != NULL) { memcpy(reader_mac_buf, card_challenge_data, 8); } - int exitLoop = 0; + if ((conf_block[5] & 0x80) == 0x80) { + page_size = 256 * 8; + } + + // From PicoPass DS: + // When the page is in personalization mode this bit is equal to 1. + // Once the application issuer has personalized and coded its dedicated areas, this bit must be set to 0: + // the page is then "in application mode". + bool personalization_mode = conf_block[7] & 0x80; + + uint8_t block_wr_lock = conf_block[3]; + + // chip memory may be divided in 8 pages + uint8_t max_page = ((conf_block[4] & 0x10) == 0x10) ? 0 : 7; + + // pre-calculate the cipher states, feeding it the CC + cipher_state_KD[0] = opt_doTagMAC_1(card_challenge_data, diversified_kd); + cipher_state_KC[0] = opt_doTagMAC_1(card_challenge_data, diversified_kc); + + if (simulationMode == ICLASS_SIM_MODE_FULL) { + + for (int i = 1; i < max_page; i++) { + + uint8_t *epurse = emulator + (i * page_size) + (8 * 2); + uint8_t *kd = emulator + (i * page_size) + (8 * 3); + uint8_t *kc = emulator + (i * page_size) + (8 * 4); + + cipher_state_KD[i] = opt_doTagMAC_1(epurse, kd); + cipher_state_KC[i] = opt_doTagMAC_1(epurse, kc); + } + } + + // Anti-collision process: + // Reader 0a + // Tag 0f + // Reader 0c + // Tag anticoll. CSN + // Reader 81 anticoll. CSN + // Tag CSN + + uint8_t *modulated_response = NULL; + int modulated_response_size = 0; + uint8_t *trace_data = NULL; + int trace_data_size = 0; + + // Respond SOF -- takes 1 bytes + uint8_t *resp_sof = BigBuf_malloc(1); + int resp_sof_len; + + // Anticollision CSN (rotated CSN) + // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte) + uint8_t *resp_anticoll = BigBuf_malloc(22); + int resp_anticoll_len; + + // CSN (block 0) + // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte) + uint8_t *resp_csn = BigBuf_malloc(22); + int resp_csn_len; + + // configuration (blk 1) PICOPASS 2ks + uint8_t *resp_conf = BigBuf_malloc(22); + int resp_conf_len; + + // e-Purse (blk 2) + // 18: Takes 2 bytes for SOF/EOF and 8 * 2 = 16 bytes (2 bytes/bit) + uint8_t *resp_cc = BigBuf_malloc(18); + int resp_cc_len; + + // Kd, Kc (blocks 3 and 4). Cannot be read. Always respond with 0xff bytes only + uint8_t *resp_ff = BigBuf_malloc(22); + int resp_ff_len; + uint8_t ff_data[10] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00}; + AddCrc(ff_data, 8); + + // Application Issuer Area (blk 5) + uint8_t *resp_aia = BigBuf_malloc(22); + int resp_aia_len; + + // receive command + uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE); + + // Prepare card messages + tosend_t *ts = get_tosend(); + + // First card answer: SOF + CodeIClassTagSOF(); + memcpy(resp_sof, ts->buf, ts->max); + resp_sof_len = ts->max; + + // Anticollision CSN + CodeIso15693AsTag(anticoll_data, sizeof(anticoll_data)); + memcpy(resp_anticoll, ts->buf, ts->max); + resp_anticoll_len = ts->max; + + // CSN (block 0) + CodeIso15693AsTag(csn_data, sizeof(csn_data)); + memcpy(resp_csn, ts->buf, ts->max); + resp_csn_len = ts->max; + + // Configuration (block 1) + CodeIso15693AsTag(conf_block, sizeof(conf_block)); + memcpy(resp_conf, ts->buf, ts->max); + resp_conf_len = ts->max; + + // e-Purse (block 2) + CodeIso15693AsTag(card_challenge_data, sizeof(card_challenge_data)); + memcpy(resp_cc, ts->buf, ts->max); + resp_cc_len = ts->max; + + // Kd, Kc (blocks 3 and 4) + CodeIso15693AsTag(ff_data, sizeof(ff_data)); + memcpy(resp_ff, ts->buf, ts->max); + resp_ff_len = ts->max; + + // Application Issuer Area (block 5) + CodeIso15693AsTag(aia_data, sizeof(aia_data)); + memcpy(resp_aia, ts->buf, ts->max); + resp_aia_len = ts->max; + + //This is used for responding to READ-block commands or other data which is dynamically generated + //First the 'trace'-data, not encoded for FPGA + uint8_t *data_generic_trace = BigBuf_malloc(34); // 32 bytes data + 2byte CRC is max tag answer + + //Then storage for the modulated data + //Each bit is doubled when modulated for FPGA, and we also have SOF and EOF (2 bytes) + uint8_t *data_response = BigBuf_malloc((34 * 2) + 3); + + enum { IDLE, ACTIVATED, SELECTED, HALTED } chip_state = IDLE; + + bool button_pressed = false; + uint8_t cmd, options, block; + int len = 0; + bool exit_loop = false; + bool using_kc = false; + int kc_attempt = 0; + + while (exit_loop == false) { + WDT_HIT(); + + // Now look at the reader command and provide appropriate responses + // default is no response: + modulated_response = NULL; + modulated_response_size = 0; + trace_data = NULL; + trace_data_size = 0; + + uint32_t reader_eof_time = 0; + len = GetIso15693CommandFromReader(receivedCmd, MAX_FRAME_SIZE, &reader_eof_time); + if (len < 0) { + button_pressed = true; + exit_loop = true; + continue; + } + + // extra response data + cmd = receivedCmd[0] & 0xF; + options = (receivedCmd[0] >> 4) & 0xFF; + block = receivedCmd[1]; + + if (cmd == ICLASS_CMD_ACTALL && len == 1) { // 0x0A + // Reader in anti collision phase + modulated_response = resp_sof; + modulated_response_size = resp_sof_len; + chip_state = ACTIVATED; + goto send; + + } else if (cmd == ICLASS_CMD_READ_OR_IDENTIFY && len == 1) { // 0x0C + // Reader asks for anti collision CSN + if (chip_state == SELECTED || chip_state == ACTIVATED) { + modulated_response = resp_anticoll; + modulated_response_size = resp_anticoll_len; + trace_data = anticoll_data; + trace_data_size = sizeof(anticoll_data); + } + goto send; + + } else if (cmd == ICLASS_CMD_SELECT && len == 9) { + // Reader selects anticollision CSN. + // Tag sends the corresponding real CSN + if (chip_state == ACTIVATED || chip_state == SELECTED) { + if (!memcmp(receivedCmd + 1, anticoll_data, 8)) { + modulated_response = resp_csn; + modulated_response_size = resp_csn_len; + trace_data = csn_data; + trace_data_size = sizeof(csn_data); + chip_state = SELECTED; + } else { + chip_state = IDLE; + } + } else if (chip_state == HALTED || chip_state == IDLE) { + // RESELECT with CSN + if (!memcmp(receivedCmd + 1, csn_data, 8)) { + modulated_response = resp_csn; + modulated_response_size = resp_csn_len; + trace_data = csn_data; + trace_data_size = sizeof(csn_data); + chip_state = SELECTED; + } + } + goto send; + + + } else if (cmd == ICLASS_CMD_READ_OR_IDENTIFY && len == 4) { // 0x0C + + if (chip_state != SELECTED) { + goto send; + } + if (simulationMode == ICLASS_SIM_MODE_EXIT_AFTER_MAC) { + // provide defaults for blocks 0 ... 5 + + // block0,1,2,5 is always readable. + switch (block) { + case 0: { // csn (0c 00) + modulated_response = resp_csn; + modulated_response_size = resp_csn_len; + trace_data = csn_data; + trace_data_size = sizeof(csn_data); + goto send; + } + case 1: { // configuration (0c 01) + modulated_response = resp_conf; + modulated_response_size = resp_conf_len; + trace_data = conf_block; + trace_data_size = sizeof(conf_block); + goto send; + } + case 2: {// e-purse (0c 02) + modulated_response = resp_cc; + modulated_response_size = resp_cc_len; + trace_data = card_challenge_data; + trace_data_size = sizeof(card_challenge_data); + // set epurse of sim2,4 attack + if (reader_mac_buf != NULL) { + memcpy(reader_mac_buf, card_challenge_data, 8); + } + goto send; + } + case 3: + case 4: { // Kd, Kc, always respond with 0xff bytes + modulated_response = resp_ff; + modulated_response_size = resp_ff_len; + trace_data = ff_data; + trace_data_size = sizeof(ff_data); + goto send; + } + case 5: { // Application Issuer Area (0c 05) + modulated_response = resp_aia; + modulated_response_size = resp_aia_len; + trace_data = aia_data; + trace_data_size = sizeof(aia_data); + goto send; + } + } // switch + } else if (simulationMode == ICLASS_SIM_MODE_FULL) { + if (block == 3 || block == 4) { // Kd, Kc, always respond with 0xff bytes + modulated_response = resp_ff; + modulated_response_size = resp_ff_len; + trace_data = ff_data; + trace_data_size = sizeof(ff_data); + } else { // use data from emulator memory + memcpy(data_generic_trace, emulator + (current_page * page_size) + (block * 8), 8); + AddCrc(data_generic_trace, 8); + trace_data = data_generic_trace; + trace_data_size = 10; + CodeIso15693AsTag(trace_data, trace_data_size); + memcpy(data_response, ts->buf, ts->max); + modulated_response = data_response; + modulated_response_size = ts->max; + } + goto send; + } + + } else if (cmd == ICLASS_CMD_READCHECK && block == 0x02 && len == 2) { // 0x88 + // Read e-purse KD (88 02) KC (18 02) + if (chip_state != SELECTED) { + goto send; + } + + // debit key + if (receivedCmd[0] == 0x88 ){ + cipher_state = &cipher_state_KD[current_page]; + diversified_key = diversified_kd; + using_kc = false; + } else { + cipher_state = &cipher_state_KC[current_page]; + diversified_key = diversified_kc; + using_kc = true; + } + + modulated_response = resp_cc; + modulated_response_size = resp_cc_len; + trace_data = card_challenge_data; + trace_data_size = sizeof(card_challenge_data); + goto send; + + } else if (cmd == ICLASS_CMD_CHECK && len == 9) { // 0x05 + + // Reader random and reader MAC!!! + if (chip_state != SELECTED) { + goto send; + } + + if (simulationMode == ICLASS_SIM_MODE_FULL) { + // NR, from reader, is in receivedCmd +1 + opt_doTagMAC_2(*cipher_state, receivedCmd + 1, data_generic_trace, diversified_key); + + uint8_t _mac[4] = {0}; + opt_doReaderMAC_2(*cipher_state, receivedCmd + 1, _mac, diversified_key); + + if (_mac[0] != receivedCmd[5] || _mac[1] != receivedCmd[6] || _mac[2] != receivedCmd[7] || _mac[3] != receivedCmd[8]) { + Dbprintf("reader auth " _RED_("failed")); + Dbprintf("hf iclass lookup u %02x%02x%02x%02x%02x%02x%02x%02x p %02x%02x%02x%02x%02x%02x%02x%02x m %02x%02x%02x%02x%02x%02x%02x%02x f iclass_default_keys.dic", + csn_data[0],csn_data[1],csn_data[2],csn_data[3],csn_data[4],csn_data[5],csn_data[6],csn_data[7], + card_challenge_data[0],card_challenge_data[1],card_challenge_data[2],card_challenge_data[3], + card_challenge_data[4],card_challenge_data[5],card_challenge_data[6],card_challenge_data[7], + receivedCmd[1],receivedCmd[2],receivedCmd[3],receivedCmd[4], + receivedCmd[5],receivedCmd[6],receivedCmd[7],receivedCmd[8] + ); + + goto send; + } + + trace_data = data_generic_trace; + trace_data_size = 4; + CodeIso15693AsTag(trace_data, trace_data_size); + memcpy(data_response, ts->buf, ts->max); + modulated_response = data_response; + modulated_response_size = ts->max; + + if (using_kc) + kc_attempt++; + + } else { + // Not fullsim, we don't respond + chip_state = HALTED; + + if (simulationMode == ICLASS_SIM_MODE_EXIT_AFTER_MAC) { + + if (DBGLEVEL == DBG_EXTENDED) { + Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x", csn[0], csn[1], csn[2], csn[3], csn[4], csn[5], csn[6], csn[7]); + Dbprintf("RDR: (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x", len, + receivedCmd[0], receivedCmd[1], receivedCmd[2], + receivedCmd[3], receivedCmd[4], receivedCmd[5], + receivedCmd[6], receivedCmd[7], receivedCmd[8]); + } else { + Dbprintf("CSN: %02x .... %02x OK", csn[0], csn[7]); + } + if (reader_mac_buf != NULL) { + // save NR and MAC for sim 2,4 + memcpy(reader_mac_buf + 8, receivedCmd + 1, 8); + } + exit_loop = true; + } + } + goto send; + + } else if (cmd == ICLASS_CMD_HALT && options == 0 && len == 1) { + + if (chip_state != SELECTED) { + goto send; + } + // Reader ends the session + modulated_response = resp_sof; + modulated_response_size = resp_sof_len; + chip_state = HALTED; + goto send; + + } else if (simulationMode == ICLASS_SIM_MODE_FULL && cmd == ICLASS_CMD_READ4 && len == 4) { // 0x06 + + if (chip_state != SELECTED) { + goto send; + } + //Read block + memcpy(data_generic_trace, emulator + (current_page * page_size) + (block * 8), 32); + AddCrc(data_generic_trace, 32); + trace_data = data_generic_trace; + trace_data_size = 34; + CodeIso15693AsTag(trace_data, trace_data_size); + memcpy(data_response, ts->buf, ts->max); + modulated_response = data_response; + modulated_response_size = ts->max; + goto send; + + } else if (cmd == ICLASS_CMD_UPDATE && (len == 12 || len == 14)) { + + // We're expected to respond with the data+crc, exactly what's already in the receivedCmd + // receivedCmd is now UPDATE 1b | ADDRESS 1b | DATA 8b | Signature 4b or CRC 2b + if (chip_state != SELECTED) { + goto send; + } + // is chip in ReadOnly (RO) + if ((block_wr_lock & 0x80) == 0) goto send; + + if ( block == 12 && (block_wr_lock & 0x40) == 0) goto send; + if ( block == 11 && (block_wr_lock & 0x20) == 0) goto send; + if ( block == 10 && (block_wr_lock & 0x10) == 0) goto send; + if ( block == 9 && (block_wr_lock & 0x08) == 0) goto send; + if ( block == 8 && (block_wr_lock & 0x04) == 0) goto send; + if ( block == 7 && (block_wr_lock & 0x02) == 0) goto send; + if ( block == 6 && (block_wr_lock & 0x01) == 0) goto send; + + if (block == 2) { // update e-purse + memcpy(card_challenge_data, receivedCmd + 2, 8); + CodeIso15693AsTag(card_challenge_data, sizeof(card_challenge_data)); + memcpy(resp_cc, ts->buf, ts->max); + resp_cc_len = ts->max; + cipher_state_KD[current_page] = opt_doTagMAC_1(card_challenge_data, diversified_kd); + cipher_state_KC[current_page] = opt_doTagMAC_1(card_challenge_data, diversified_kc); + if (simulationMode == ICLASS_SIM_MODE_FULL) { + memcpy(emulator + (current_page * page_size) + (8 * 2), card_challenge_data, 8); + } + } else if (block == 3) { // update Kd + for (int i = 0; i < 8; i++) { + if (personalization_mode) { + diversified_kd[i] = receivedCmd[2 + i]; + } else { + diversified_kd[i] ^= receivedCmd[2 + i]; + } + } + cipher_state_KD[current_page] = opt_doTagMAC_1(card_challenge_data, diversified_kd); + if (simulationMode == ICLASS_SIM_MODE_FULL) { + memcpy(emulator + (current_page * page_size) + (8 * 3), diversified_kd, 8); + } + } else if (block == 4) { // update Kc + for (int i = 0; i < 8; i++) { + if (personalization_mode) { + diversified_kc[i] = receivedCmd[2 + i]; + } else { + diversified_kc[i] ^= receivedCmd[2 + i]; + } + } + cipher_state_KC[current_page] = opt_doTagMAC_1(card_challenge_data, diversified_kc); + if (simulationMode == ICLASS_SIM_MODE_FULL) { + memcpy(emulator + (current_page * page_size) + (8 * 4), diversified_kc, 8); + } + } else if (simulationMode == ICLASS_SIM_MODE_FULL) { + // update emulator memory + memcpy(emulator + (current_page * page_size) + (8 * block), receivedCmd + 2, 8); + } + + memcpy(data_generic_trace, receivedCmd + 2, 8); + AddCrc(data_generic_trace, 8); + trace_data = data_generic_trace; + trace_data_size = 10; + CodeIso15693AsTag(trace_data, trace_data_size); + memcpy(data_response, ts->buf, ts->max); + modulated_response = data_response; + modulated_response_size = ts->max; + goto send; + + } else if (cmd == ICLASS_CMD_PAGESEL && len == 4) { // 0x84 + // Pagesel, + // - enables to select a page in the selected chip memory and return its configuration block + // Chips with a single page will not answer to this command + // Otherwise, we should answer 8bytes (conf block 1) + 2bytes CRC + if (chip_state != SELECTED) { + goto send; + } + + if (simulationMode == ICLASS_SIM_MODE_FULL && max_page > 0) { + + // if on 2k, always ignore 3msb, & 0x1F) + uint8_t page = receivedCmd[1] & 0x1F; + if ( page > max_page) { + goto send; + } + + current_page = page; + + memcpy(data_generic_trace, emulator + (current_page * page_size) + (8 * 1), 8); + memcpy(diversified_kd, emulator + (current_page * page_size) + (8 * 3), 8); + memcpy(diversified_kc, emulator + (current_page * page_size) + (8 * 4), 8); + + cipher_state = &cipher_state_KD[current_page]; + + personalization_mode = data_generic_trace[7] & 0x80; + block_wr_lock = data_generic_trace[3]; + + AddCrc(data_generic_trace, 8); + + trace_data = data_generic_trace; + trace_data_size = 10; + + CodeIso15693AsTag(trace_data, trace_data_size); + memcpy(data_response, ts->buf, ts->max); + modulated_response = data_response; + modulated_response_size = ts->max; + } + goto send; + + } else if(cmd == ICLASS_CMD_DETECT) { // 0x0F + // not supported yet, ignore + } else if (cmd == 0x26 && len == 5) { + // standard ISO15693 INVENTORY command. Ignore. + } else { + // Never seen this command before + if (DBGLEVEL >= DBG_EXTENDED) + print_result("Unhandled command received ", receivedCmd, len); + } + +send: + /** + A legit tag has about 330us delay between reader EOT and tag SOF. + **/ + if (modulated_response_size > 0) { + uint32_t response_time = reader_eof_time + DELAY_ICLASS_VCD_TO_VICC_SIM; + TransmitTo15693Reader(modulated_response, modulated_response_size, &response_time, 0, false); + LogTrace_ISO15693(trace_data, trace_data_size, response_time * 32, (response_time * 32) + (modulated_response_size * 32 * 64), NULL, false); + } + + if (chip_state == HALTED) { + uint32_t wait_time = GetCountSspClk() + ICLASS_READER_TIMEOUT_ACTALL; + while (GetCountSspClk() < wait_time) {}; + } + + // CC attack + // wait to trigger the reader bug, then wait 1000ms + if (kc_attempt > 3) { + uint32_t wait_time = GetCountSspClk() + (16000 * 100); + while (GetCountSspClk() < wait_time) {}; + kc_attempt = 0; + exit_loop = true; + } + } + + LEDsoff(); + + if (button_pressed) + DbpString("button pressed"); + + return button_pressed; +} + +int do_iclass_simulation_nonsec(void) { + // free eventually allocated BigBuf memory + BigBuf_free_keep_EM(); + + uint16_t page_size = 32 * 8; + uint8_t current_page = 0; + + uint8_t *emulator = BigBuf_get_EM_addr(); + uint8_t *csn = emulator; + + // CSN followed by two CRC bytes + uint8_t anticoll_data[10] = { 0 }; + uint8_t csn_data[10] = { 0 }; + memcpy(csn_data, csn, sizeof(csn_data)); + + // Construct anticollision-CSN + rotateCSN(csn_data, anticoll_data); + + // Compute CRC on both CSNs + AddCrc(anticoll_data, 8); + AddCrc(csn_data, 8); + + // configuration block + uint8_t conf_block[10] = {0x12, 0xFF, 0xFF, 0xFF, 0x7F, 0x1F, 0xFF, 0x3C, 0x00, 0x00}; + + // AIA + uint8_t aia_data[10] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00}; + + memcpy(conf_block, emulator + (8 * 1), 8); + memcpy(aia_data, emulator + (8 * 2), 8); + + AddCrc(conf_block, 8); + AddCrc(aia_data, 8); + + if ((conf_block[5] & 0x80) == 0x80) { + page_size = 256 * 8; + } + + // chip memory may be divided in 8 pages + uint8_t max_page = ((conf_block[4] & 0x10) == 0x10) ? 0 : 7; + + // Anti-collision process: // Reader 0a // Tag 0f // Reader 0c @@ -1341,7 +956,7 @@ int doIClassSimulation(int simulationMode, uint8_t *reader_mac_buf) { // Respond SOF -- takes 1 bytes uint8_t *resp_sof = BigBuf_malloc(2); - int resp_sof_Len; + int resp_sof_len; // Anticollision CSN (rotated CSN) // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte) @@ -1353,286 +968,256 @@ int doIClassSimulation(int simulationMode, uint8_t *reader_mac_buf) { uint8_t *resp_csn = BigBuf_malloc(28); int resp_csn_len; - // configuration Picopass 2ks + // configuration (blk 1) PICOPASS 2ks uint8_t *resp_conf = BigBuf_malloc(28); int resp_conf_len; - uint8_t conf_data[10] = {0x12, 0xFF, 0xFF, 0xFF, 0x7F, 0x1F, 0xFF, 0x3C, 0x00, 0x00}; - AddCrc(conf_data, 8); - // e-Purse - // 18: Takes 2 bytes for SOF/EOF and 8 * 2 = 16 bytes (2 bytes/bit) - uint8_t *resp_cc = BigBuf_malloc(28); - int resp_cc_len; - - // Application Issuer Area + // Application Issuer Area (blk 5) uint8_t *resp_aia = BigBuf_malloc(28); int resp_aia_len; - uint8_t aia_data[10] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00}; - if (simulationMode == MODE_FULLSIM) { - - // (iceman) this only works for 2KS / 16KS tags. - // Use application data from block 5 - memcpy(aia_data, emulator + (8 * 5), 8); - - // older 2K / 16K tags has its application issuer data on block 2 - } - AddCrc(aia_data, 8); // receive command uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE); - int len = 0; // Prepare card messages - ToSendMax = 0; + tosend_t *ts = get_tosend(); + ts->max = 0; // First card answer: SOF CodeIClassTagSOF(); - memcpy(resp_sof, ToSend, ToSendMax); - resp_sof_Len = ToSendMax; + memcpy(resp_sof, ts->buf, ts->max); + resp_sof_len = ts->max; // Anticollision CSN - CodeIClassTagAnswer(anticoll_data, sizeof(anticoll_data)); - memcpy(resp_anticoll, ToSend, ToSendMax); - resp_anticoll_len = ToSendMax; + CodeIso15693AsTag(anticoll_data, sizeof(anticoll_data)); + memcpy(resp_anticoll, ts->buf, ts->max); + resp_anticoll_len = ts->max; - // CSN - CodeIClassTagAnswer(csn_data, sizeof(csn_data)); - memcpy(resp_csn, ToSend, ToSendMax); - resp_csn_len = ToSendMax; + // CSN (block 0) + CodeIso15693AsTag(csn_data, sizeof(csn_data)); + memcpy(resp_csn, ts->buf, ts->max); + resp_csn_len = ts->max; - // Configuration - CodeIClassTagAnswer(conf_data, sizeof(conf_data)); - memcpy(resp_conf, ToSend, ToSendMax); - resp_conf_len = ToSendMax; + // Configuration (block 1) + CodeIso15693AsTag(conf_block, sizeof(conf_block)); + memcpy(resp_conf, ts->buf, ts->max); + resp_conf_len = ts->max; - // e-Purse - CodeIClassTagAnswer(card_challenge_data, sizeof(card_challenge_data)); - memcpy(resp_cc, ToSend, ToSendMax); - resp_cc_len = ToSendMax; - - // Application Issuer Area - CodeIClassTagAnswer(aia_data, sizeof(aia_data)); - memcpy(resp_aia, ToSend, ToSendMax); - resp_aia_len = ToSendMax; + // Application Issuer Area (block 2) + CodeIso15693AsTag(aia_data, sizeof(aia_data)); + memcpy(resp_aia, ts->buf, ts->max); + resp_aia_len = ts->max; //This is used for responding to READ-block commands or other data which is dynamically generated //First the 'trace'-data, not encoded for FPGA - uint8_t *data_generic_trace = BigBuf_malloc((8 * 4) + 2);//8 bytes data + 2byte CRC is max tag answer + uint8_t *data_generic_trace = BigBuf_malloc(32 + 2); // 32 bytes data + 2byte CRC is max tag answer //Then storage for the modulated data //Each bit is doubled when modulated for FPGA, and we also have SOF and EOF (2 bytes) - uint8_t *data_response = BigBuf_malloc(((8 * 4) + 2) * 2 + 2); + uint8_t *data_response = BigBuf_malloc((32 + 2) * 2 + 2); - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN); - SpinDelay(100); - StartCountSspClk(); + enum { IDLE, ACTIVATED, SELECTED, HALTED } chip_state = IDLE; - // To control where we are in the protocol - uint32_t time_0 = GetCountSspClk(); - uint32_t t2r_stime = 0, t2r_etime = 0; - uint32_t r2t_stime, r2t_etime = 0; - LED_A_ON(); - bool buttonPressed = false; + bool button_pressed = false; uint8_t cmd, options, block; + int len = 0; - while (!exitLoop) { + bool exit_loop = false; + while (exit_loop == false) { WDT_HIT(); - - //Signal tracer, can be used to get a trigger for an oscilloscope.. - LED_B_OFF(); - LED_C_OFF(); - - r2t_stime = (GetCountSspClk() - time_0) << 4; - if (!GetIClassCommandFromReader(receivedCmd, &len, 0)) { - buttonPressed = true; - exitLoop = true; + + uint32_t reader_eof_time = 0; + len = GetIso15693CommandFromReader(receivedCmd, MAX_FRAME_SIZE, &reader_eof_time); + if (len < 0) { + button_pressed = true; + exit_loop = true; continue; } - r2t_etime = ((GetCountSspClk() - time_0) << 4) - r2t_stime; - // 330us normal wait, adjusted for our execution - - LED_C_ON(); //Signal tracer + // Now look at the reader command and provide appropriate responses + // default is no response: + modulated_response = NULL; + modulated_response_size = 0; + trace_data = NULL; + trace_data_size = 0; + // extra response data cmd = receivedCmd[0] & 0xF; options = (receivedCmd[0] >> 4) & 0xFF; block = receivedCmd[1]; - if (cmd == ICLASS_CMD_ACTALL) { // 0x0A - // Reader in anticollission phase - modulated_response = resp_sof; - modulated_response_size = resp_sof_Len; //order = 1; - trace_data = sof_data; - trace_data_size = sizeof(sof_data); - // adjusted for 330 + (160*num of slot) + if (cmd == ICLASS_CMD_ACTALL && len == 1) { // 0x0A + // Reader in anti collision phase + if (chip_state != HALTED) { + modulated_response = resp_sof; + modulated_response_size = resp_sof_len; + chip_state = ACTIVATED; + } goto send; - } else if (cmd == ICLASS_CMD_READ_OR_IDENTIFY) { // 0x0C - if (len == 1) { - // Reader asks for anticollission CSN + + } else if (cmd == ICLASS_CMD_READ_OR_IDENTIFY && len == 1) { // 0x0C + // Reader asks for anti collision CSN + if (chip_state == SELECTED || chip_state == ACTIVATED) { modulated_response = resp_anticoll; - modulated_response_size = resp_anticoll_len; //order = 2; + modulated_response_size = resp_anticoll_len; trace_data = anticoll_data; trace_data_size = sizeof(anticoll_data); - goto send; } + goto send; - if (len == 4) { - // block0,1,2,5 is always readable. - switch (block) { - case 0: // csn (0c 00) - modulated_response = resp_csn; - modulated_response_size = resp_csn_len; - trace_data = csn_data; - trace_data_size = sizeof(csn_data); - goto send; - case 1: // configuration (0c 01) - modulated_response = resp_conf; - modulated_response_size = resp_conf_len; - trace_data = conf_data; - trace_data_size = sizeof(conf_data); - goto send; - case 2: // e-purse (0c 02) - modulated_response = resp_cc; - modulated_response_size = resp_cc_len; - trace_data = card_challenge_data; - trace_data_size = sizeof(card_challenge_data); - // set epurse of sim2,4 attack - if (reader_mac_buf != NULL) { - memcpy(reader_mac_buf, card_challenge_data, 8); - } - goto send; - case 5:// Application Issuer Area (0c 05) - modulated_response = resp_aia; - modulated_response_size = resp_aia_len; - trace_data = aia_data; - trace_data_size = sizeof(aia_data); - goto send; - default : { - if (simulationMode == MODE_FULLSIM) { // 0x0C - //Read block - //Take the data... - memcpy(data_generic_trace, emulator + (block << 3), 8); - AddCrc(data_generic_trace, 8); - trace_data = data_generic_trace; - trace_data_size = 10; - CodeIClassTagAnswer(trace_data, trace_data_size); - memcpy(modulated_response, ToSend, ToSendMax); - modulated_response_size = ToSendMax; - goto send; - } - break; - } - }//swith - }// if 4 - } else if (cmd == ICLASS_CMD_SELECT) { // 0x81 - // Reader selects anticollission CSN. + } else if (cmd == ICLASS_CMD_SELECT && len == 9) { + // Reader selects anticollision CSN. // Tag sends the corresponding real CSN - modulated_response = resp_csn; - modulated_response_size = resp_csn_len; //order = 3; - trace_data = csn_data; - trace_data_size = sizeof(csn_data); - goto send; - } else if (cmd == ICLASS_CMD_READCHECK) { // 0x88 - // Read e-purse KD (88 02) KC (18 02) - modulated_response = resp_cc; - modulated_response_size = resp_cc_len; //order = 4; - trace_data = card_challenge_data; - trace_data_size = sizeof(card_challenge_data); - LED_B_ON(); - goto send; - } else if (cmd == ICLASS_CMD_CHECK) { // 0x05 - // Reader random and reader MAC!!! - if (simulationMode == MODE_FULLSIM) { - // NR, from reader, is in receivedCmd +1 - opt_doTagMAC_2(cipher_state, receivedCmd + 1, data_generic_trace, diversified_key); - - trace_data = data_generic_trace; - trace_data_size = 4; - CodeIClassTagAnswer(trace_data, trace_data_size); - memcpy(data_response, ToSend, ToSendMax); - modulated_response = data_response; - modulated_response_size = ToSendMax; - } else { - // Not fullsim, we don't respond - // We do not know what to answer, so lets keep quiet - modulated_response = resp_sof; - modulated_response_size = 0; - trace_data = NULL; - trace_data_size = 0; - - if (simulationMode == MODE_EXIT_AFTER_MAC) { - - if (DBGLEVEL == DBG_EXTENDED) { - Dbprintf("[+] CSN: %02x %02x %02x %02x %02x %02x %02x %02x", csn[0], csn[1], csn[2], csn[3], csn[4], csn[5], csn[6], csn[7]); - Dbprintf("[+] RDR: (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x", len, - receivedCmd[0], receivedCmd[1], receivedCmd[2], - receivedCmd[3], receivedCmd[4], receivedCmd[5], - receivedCmd[6], receivedCmd[7], receivedCmd[8]); - } else { - Dbprintf("[+] CSN: %02x .... %02x OK", csn[0], csn[7]); - } - if (reader_mac_buf != NULL) { - memcpy(reader_mac_buf + 8, receivedCmd + 1, 8); - } - exitLoop = true; + if (chip_state == ACTIVATED || chip_state == SELECTED) { + if (!memcmp(receivedCmd + 1, anticoll_data, 8)) { + modulated_response = resp_csn; + modulated_response_size = resp_csn_len; + trace_data = csn_data; + trace_data_size = sizeof(csn_data); + chip_state = SELECTED; + } else { + chip_state = IDLE; + } + } else if (chip_state == HALTED) { + // RESELECT with CSN + if (!memcmp(receivedCmd + 1, csn_data, 8)) { + modulated_response = resp_csn; + modulated_response_size = resp_csn_len; + trace_data = csn_data; + trace_data_size = sizeof(csn_data); + chip_state = SELECTED; } } goto send; + + + } else if (cmd == ICLASS_CMD_READ_OR_IDENTIFY && len == 4) { // 0x0C + + if (chip_state != SELECTED) { + goto send; + } + + switch (block) { + case 0: { // csn (0c 00) + modulated_response = resp_csn; + modulated_response_size = resp_csn_len; + trace_data = csn_data; + trace_data_size = sizeof(csn_data); + goto send; + } + case 1: { // configuration (0c 01) + modulated_response = resp_conf; + modulated_response_size = resp_conf_len; + trace_data = conf_block; + trace_data_size = sizeof(conf_block); + goto send; + } + case 2: { // Application Issuer Area (0c 02) + modulated_response = resp_aia; + modulated_response_size = resp_aia_len; + trace_data = aia_data; + trace_data_size = sizeof(aia_data); + goto send; + } + default : { + memcpy(data_generic_trace, emulator + (block << 3), 8); + AddCrc(data_generic_trace, 8); + trace_data = data_generic_trace; + trace_data_size = 10; + CodeIso15693AsTag(trace_data, trace_data_size); + memcpy(data_response, ts->buf, ts->max); + modulated_response = data_response; + modulated_response_size = ts->max; + goto send; + } + } // swith + + } else if (cmd == ICLASS_CMD_READCHECK) { // 0x88 + goto send; + + } else if (cmd == ICLASS_CMD_CHECK && len == 9) { // 0x05 + goto send; + } else if (cmd == ICLASS_CMD_HALT && options == 0 && len == 1) { + + if (chip_state != SELECTED) { + goto send; + } // Reader ends the session modulated_response = resp_sof; - modulated_response_size = 0; //order = 0; - trace_data = NULL; - trace_data_size = 0; + modulated_response_size = resp_sof_len; + chip_state = HALTED; goto send; - } else if (simulationMode == MODE_FULLSIM && cmd == ICLASS_CMD_READ4 && len == 4) { // 0x06 + + } else if (cmd == ICLASS_CMD_READ4 && len == 4) { // 0x06 + + if (chip_state != SELECTED) { + goto send; + } //Read block - //Take the data... - memcpy(data_generic_trace, emulator + (block << 3), 8 * 4); + memcpy(data_generic_trace, emulator + (current_page * page_size) + (block * 8), 8 * 4); AddCrc(data_generic_trace, 8 * 4); trace_data = data_generic_trace; trace_data_size = 34; - CodeIClassTagAnswer(trace_data, trace_data_size); - memcpy(modulated_response, ToSend, ToSendMax); - modulated_response_size = ToSendMax; + CodeIso15693AsTag(trace_data, trace_data_size); + memcpy(data_response, ts->buf, ts->max); + modulated_response = data_response; + modulated_response_size = ts->max; goto send; - } else if (simulationMode == MODE_FULLSIM && cmd == ICLASS_CMD_UPDATE) { - //Probably the reader wants to update the nonce. Let's just ignore that for now. - // OBS! If this is implemented, don't forget to regenerate the cipher_state - //We're expected to respond with the data+crc, exactly what's already in the receivedcmd - //receivedcmd is now UPDATE 1b | ADDRESS 1b| DATA 8b| Signature 4b or CRC 2b| + } else if (cmd == ICLASS_CMD_UPDATE && (len == 12 || len == 14)) { + + // We're expected to respond with the data+crc, exactly what's already in the receivedCmd + // receivedCmd is now UPDATE 1b | ADDRESS 1b | DATA 8b | Signature 4b or CRC 2b + if (chip_state != SELECTED) { + goto send; + } + + // update emulator memory + memcpy(emulator + (current_page * page_size) + (8 * block), receivedCmd + 2, 8); - //Take the data... memcpy(data_generic_trace, receivedCmd + 2, 8); AddCrc(data_generic_trace, 8); trace_data = data_generic_trace; trace_data_size = 10; - CodeIClassTagAnswer(trace_data, trace_data_size); - - memcpy(data_response, ToSend, ToSendMax); + CodeIso15693AsTag(trace_data, trace_data_size); + memcpy(data_response, ts->buf, ts->max); modulated_response = data_response; - modulated_response_size = ToSendMax; -// response_delay = 4600 * 1.5; // tPROG 4-15ms + modulated_response_size = ts->max; goto send; -// } else if(receivedCmd[0] == ICLASS_CMD_PAGESEL) { // 0x84 - //Pagesel - //Pagesel enables to select a page in the selected chip memory and return its configuration block - //Chips with a single page will not answer to this command - // It appears we're fine ignoring this. - //Otherwise, we should answer 8bytes (block) + 2bytes CRC -// } else if(receivedCmd[0] == ICLASS_CMD_DETECT) { // 0x0F - } else { - //#db# Unknown command received from reader (len=5): 26 1 0 f6 a 44 44 44 44 - // Never seen this command before - if (DBGLEVEL == DBG_EXTENDED) - print_result("[-] Unhandled command received ", receivedCmd, len); - // Do not respond - modulated_response = resp_sof; - modulated_response_size = 0; //order = 0; - trace_data = NULL; - trace_data_size = 0; + } else if (cmd == ICLASS_CMD_PAGESEL && len == 4) { // 0x84 + // Pagesel, + // - enables to select a page in the selected chip memory and return its configuration block + // Chips with a single page will not answer to this command + // Otherwise, we should answer 8bytes (conf block 1) + 2bytes CRC + if (chip_state != SELECTED) { + goto send; + } + + if (max_page > 0) { + + current_page = receivedCmd[1]; + + memcpy(data_generic_trace, emulator + (current_page * page_size) + (8 * 1), 8); + AddCrc(data_generic_trace, 8); + trace_data = data_generic_trace; + trace_data_size = 10; + + CodeIso15693AsTag(trace_data, trace_data_size); + memcpy(data_response, ts->buf, ts->max); + modulated_response = data_response; + modulated_response_size = ts->max; + } + goto send; + +// } else if(cmd == ICLASS_CMD_DETECT) { // 0x0F + } else if (cmd == 0x26 && len == 5) { + // standard ISO15693 INVENTORY command. Ignore. + } else { + // Never seen this command before + if (DBGLEVEL >= DBG_EXTENDED) + print_result("Unhandled command received ", receivedCmd, len); } send: @@ -1640,524 +1225,295 @@ send: A legit tag has about 330us delay between reader EOT and tag SOF. **/ if (modulated_response_size > 0) { - t2r_stime = GetCountSspClkDelta(time_0) << 4; - SendIClassAnswer(modulated_response, modulated_response_size, 0); - t2r_etime = ((GetCountSspClk() - time_0) << 4) - t2r_stime; + uint32_t response_time = reader_eof_time + DELAY_ICLASS_VCD_TO_VICC_SIM; + TransmitTo15693Reader(modulated_response, modulated_response_size, &response_time, 0, false); + LogTrace_ISO15693(trace_data, trace_data_size, response_time * 32, (response_time * 32) + (modulated_response_size * 32 * 64), NULL, false); } - - LogTrace(receivedCmd, len, r2t_stime, r2t_etime, NULL, true); - - if (trace_data != NULL) - LogTrace(trace_data, trace_data_size, t2r_stime, t2r_etime, NULL, false); } LEDsoff(); - if (buttonPressed) - DbpString("[+] button pressed"); + if (button_pressed) + DbpString("button pressed"); + + return button_pressed; - return buttonPressed; } -/** - * @brief sends our simulated tag answer - * @param resp - * @param respLen - * @param delay - */ -static int SendIClassAnswer(uint8_t *resp, int respLen, uint16_t delay) { - int i = 0; - volatile uint8_t b; +// THE READER CODE +static void iclass_send_as_reader(uint8_t *frame, int len, uint32_t *start_time, uint32_t *end_time) { + CodeIso15693AsReader(frame, len); + tosend_t *ts = get_tosend(); + TransmitTo15693Tag(ts->buf, ts->max, start_time); + *end_time = *start_time + (32 * ((8 * ts->max) - 4)); // substract the 4 padding bits after EOF + LogTrace_ISO15693(frame, len, (*start_time * 4), (*end_time * 4), NULL, true); +} - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_424K_8BIT); +static bool iclass_send_cmd_with_retries(uint8_t* cmd, size_t cmdsize, uint8_t* resp, size_t max_resp_size, + uint8_t expected_size, uint8_t tries, uint32_t *start_time, + uint16_t timeout, uint32_t *eof_time) { + while (tries-- > 0) { - AT91C_BASE_SSC->SSC_THR = 0x00; - - uint16_t checked = 0; - for (;;) { - - if (checked == 1000) { - if (BUTTON_PRESS() || data_available()) return 0; - checked = 0; - } - ++checked; - - // Prevent rx holding register from overflowing - if ((AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)) { - b = AT91C_BASE_SSC->SSC_RHR; - (void) b; + iclass_send_as_reader(cmd, cmdsize, start_time, eof_time); + + if (resp == NULL) { + return true; } - // Put byte into tx holding register as soon as it is ready - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - b = 0x00; - if (i < respLen) { - b = resp[i]; - //Hack - //b = 0xAC; - } - i++; - AT91C_BASE_SSC->SSC_THR = b; - } -// if (i > respLen + 4) break; - if (i > respLen + 1) break; - } - return 0; -} - -/// THE READER CODE - -//----------------------------------------------------------------------------- -// Transmit the command (to the tag) that was placed in ToSend[]. -//----------------------------------------------------------------------------- -static void TransmitIClassCommand(const uint8_t *cmd, int len, int *wait) { - - int c = 0; - bool firstpart = true; - uint8_t sendbyte; - - time_rdr = 0; - - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); - - AT91C_BASE_SSC->SSC_THR = 0x00; - - // make sure we timeout previous comms. - if (*wait) - SpinDelayUs(*wait); - - for (;;) { - - WDT_HIT(); - - // Put byte into tx holding register as soon as it is ready - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - - // DOUBLE THE SAMPLES! - if (firstpart) { - sendbyte = (cmd[c] & 0xf0) | (cmd[c] >> 4); - } else { - sendbyte = (cmd[c] & 0x0f) | (cmd[c] << 4); - c++; - } - - if (sendbyte == 0xff) - sendbyte = 0xfe; - - AT91C_BASE_SSC->SSC_THR = sendbyte; - firstpart = !firstpart; - - if (c >= len) break; - } - } - - time_rdr = GetCountSspClk(); -} - -//----------------------------------------------------------------------------- -// Prepare iClass reader command to send to FPGA -//----------------------------------------------------------------------------- -static void CodeIClassCommand(const uint8_t *cmd, int len) { - int i, j, k; - - ToSendReset(); - - // (SOC) Start of Communication: 1 out of 4 - ToSend[++ToSendMax] = 0xf0; - ToSend[++ToSendMax] = 0x00; - ToSend[++ToSendMax] = 0x0f; - ToSend[++ToSendMax] = 0x00; - - // Modulate the bytes - for (i = 0; i < len; i++) { - uint8_t b = cmd[i]; - for (j = 0; j < 4; j++) { - for (k = 0; k < 4; k++) { - - if (k == (b & 3)) - ToSend[++ToSendMax] = 0x0f; - else - ToSend[++ToSendMax] = 0x00; - } - b >>= 2; - } - } - - // (EOC) End of Communication - ToSend[++ToSendMax] = 0x00; - ToSend[++ToSendMax] = 0x00; - ToSend[++ToSendMax] = 0xf0; - ToSend[++ToSendMax] = 0x00; - - // Convert from last character reference to length - ToSendMax++; -} - -static void ReaderTransmitIClass_ext(uint8_t *frame, int len, int wait) { - - // This is tied to other size changes - CodeIClassCommand(frame, len); - - // Select the card - TransmitIClassCommand(ToSend, ToSendMax, &wait); - LED_A_ON(); - - LogTrace(frame, len, g_rsamples, g_rsamples, NULL, true); -} -static void ReaderTransmitIClass(uint8_t *frame, int len) { - ReaderTransmitIClass_ext(frame, len, 330); -} - -//----------------------------------------------------------------------------- -// Wait a certain time for tag response -// If a response is captured return TRUE -// If it takes too long return FALSE -//----------------------------------------------------------------------------- -static int GetIClassAnswer(uint8_t *receivedResponse, int maxLen, int *wait) { - // buffer needs to be 512 bytes - // maxLen is not used... - bool skip = false; - - LED_D_ON(); - // Set FPGA mode to "reader listen mode", no modulation (listen - // only, since we are receiving, not transmitting). - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN); - - // Setup UART/DEMOD to receive - DemodIcInit(receivedResponse); - - SpinDelayUs(g_wait); //310 Tout= 330us (iso15603-2) (330/21.3) take consideration for clock increments. - - // clear RXRDY: - uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - (void)b; - - uint16_t checked = 0; - - uint32_t card_start = GetCountSspClk(); - for (;;) { - WDT_HIT(); - - if (checked == 1000) { - if (BUTTON_PRESS() || data_available()) return false; - checked = 0; - } - ++checked; - - // Wait for byte be become available in rx holding register - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { - - b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - skip = !skip; - if (skip) continue; - - if (ManchesterDecoding_iclass(b & 0x0f)) { - time_response = GetCountSspClk() - card_start; - return true; - } else if (GetCountSspClkDelta(card_start) > timeout && Demod.state == DEMOD_IC_UNSYNCD) { - return false; - } - } - } - return false; -} - -static int ReaderReceiveIClass(uint8_t *receivedAnswer) { - - if (GetIClassAnswer(receivedAnswer, 0, NULL) == false) - return 0; - - LogTrace(receivedAnswer, Demod.len, g_rsamples, g_rsamples, NULL, false); - return Demod.len; -} - -static void setupIclassReader(void) { - - LEDsoff(); - - // Start from off (no field generated) - // Signal field is off with the appropriate LED - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - - FpgaDownloadAndGo(FPGA_BITSTREAM_HF); - - FpgaSetupSsc(); - - SetAdcMuxFor(GPIO_MUXSEL_HIPKD); - - clear_trace(); - set_tracing(true); - - // Now give it time to spin up. - // Signal field is on with the appropriate LED - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); - SpinDelay(500); - - StartCountSspClk(); - - LED_A_ON(); -} - -static bool sendCmdGetResponseWithRetries(uint8_t *command, size_t cmdsize, uint8_t *resp, uint8_t expected_size, int8_t retries) { - while (retries-- > 0) { - - ReaderTransmitIClass(command, cmdsize); - - //iceman - if received size is bigger than expected, we smash the stack here - // since its called with fixed sized arrays - - // update/write command takes 4ms to 15ms before responding - int old_wait = g_wait; - if ((command[0] & 0xF) == ICLASS_CMD_UPDATE) - g_wait = 3900; - - uint8_t got_n = ReaderReceiveIClass(resp); - - g_wait = old_wait; - - // 0xBB is the internal debug separator byte.. - if (expected_size != got_n || (resp[0] == 0xBB || resp[7] == 0xBB || resp[2] == 0xBB)) { - //try again -// SpinDelayUs(360); - continue; - } - - if (got_n == expected_size) + if (expected_size == GetIso15693AnswerFromTag(resp, max_resp_size, timeout, eof_time)) { return true; + } } return false; } /** * @brief Talks to an iclass tag, sends the commands to get CSN and CC. - * @param card_data where the CSN and CC are stored for return - * @return 0 = fail - * 1 = Got CSN - * 2 = Got CSN and CC + * @param card_data where the CSN, CONFIG, CC are stored for return + * 8 bytes csn + 8 bytes config + 8 bytes CC + * @return false = fail + * true = Got all. */ -static uint8_t handshakeIclassTag_ext(uint8_t *card_data, bool use_credit_key) { - - // act_all... - static uint8_t act_all[] = { ICLASS_CMD_ACTALL }; - static uint8_t identify[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x00, 0x73, 0x33 }; - static uint8_t select[] = { 0x80 | ICLASS_CMD_SELECT, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - uint8_t readcheck_cc[] = { 0x80 | ICLASS_CMD_READCHECK, 0x02 }; - - // Bit 4: K.If this bit equals to one, the READCHECK will use the Credit Key (Kc); if equals to zero, Debit Key (Kd) willbe used - // bit 7: parity. - - if (use_credit_key) - readcheck_cc[0] = 0x10 | ICLASS_CMD_READCHECK; +static bool select_iclass_tag_ex(uint8_t *card_data, bool use_credit_key, uint32_t *eof_time, uint8_t *status) { + static uint8_t act_all[] = { ICLASS_CMD_ACTALL }; + static uint8_t identify[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x00, 0x73, 0x33 }; + static uint8_t read_conf[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x01, 0xfa, 0x22 }; + uint8_t select[] = { 0x80 | ICLASS_CMD_SELECT, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; + uint8_t read_aia[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x05, 0xde, 0x64}; + uint8_t read_check_cc[] = { 0x80 | ICLASS_CMD_READCHECK, 0x02 }; uint8_t resp[ICLASS_BUFFER_SIZE] = {0}; - // Send act_all ( 330 timeout + 160 timeslot); - ReaderTransmitIClass_ext(act_all, 1, 330 + 180); + picopass_hdr *hdr = (picopass_hdr *)card_data; + + // Bit 4: K.If this bit equals to one, the READCHECK will use the Credit Key (Kc); if equals to zero, Debit Key (Kd) will be used + // bit 7: parity. + if (use_credit_key) + read_check_cc[0] = 0x10 | ICLASS_CMD_READCHECK; - // Card present? - if (ReaderReceiveIClass(resp) == 0) - return 0; + // wakeup + uint32_t start_time = GetCountSspClk(); + iclass_send_as_reader(act_all, 1, &start_time, eof_time); + int len = GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_ACTALL, eof_time); + if (len < 0) + return false; + + // send Identify + start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + iclass_send_as_reader(identify, 1, &start_time, eof_time); - //Send Identify - ReaderTransmitIClass(identify, 1); + // expect a 10-byte response here, 8 byte anticollision-CSN and 2 byte CRC + len = GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_OTHERS, eof_time); + if (len != 10) + return false; - //We expect a 10-byte response here, 8 byte anticollision-CSN and 2 byte CRC - if (ReaderReceiveIClass(resp) != 10) - return 0; - - //Copy the Anti-collision CSN to our select-packet + // copy the Anti-collision CSN to our select-packet memcpy(&select[1], resp, 8); - //Select the card - ReaderTransmitIClass(select, sizeof(select)); + // select the card + start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + iclass_send_as_reader(select, sizeof(select), &start_time, eof_time); - //We expect a 10-byte response here, 8 byte CSN and 2 byte CRC - if (ReaderReceiveIClass(resp) != 10) - return 0; + // expect a 10-byte response here, 8 byte CSN and 2 byte CRC + len = GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_OTHERS, eof_time); + if (len != 10) + return false; - // Card selected, now read e-purse (cc) (block2) (only 8 bytes no CRC) - // ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc)); - // if (ReaderReceiveIClass(resp) == 8) { - // //Save CC (e-purse) in response data - // memcpy(card_data+8, resp, 8); - // read_status++; - // } + // save CSN + memcpy(hdr->csn, resp, sizeof(hdr->csn)); - //Success - level 1, we got CSN - //Save CSN in response data - memcpy(card_data, resp, 8); + // card selected, now read config (block1) (only 8 bytes no CRC) + start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + iclass_send_as_reader(read_conf, sizeof(read_conf), &start_time, eof_time); + + // expect a 8-byte response here + len = GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_OTHERS, eof_time); + if (len != 10) + return false; - bool isBlk_2 = sendCmdGetResponseWithRetries(readcheck_cc, sizeof(readcheck_cc), resp, 8, 3); + // save CONF + memcpy( (uint8_t*)&hdr->conf, resp, sizeof(hdr->conf)); + + if (status) + *status |= (FLAG_ICLASS_CSN | FLAG_ICLASS_CONF); - //Flag that we got to at least stage 1, read CSN - if (isBlk_2 == false) { - return 1; - } + uint8_t pagemap = get_pagemap(hdr); + if (pagemap != PICOPASS_NON_SECURE_PAGEMODE) { - //Save CC (e-purse) in response data - memcpy(card_data + 8, resp, 8); + // read App Issuer Area block 5 + start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + iclass_send_as_reader(read_aia, sizeof(read_aia), &start_time, eof_time); + + // expect a 10-byte response here + len = GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_OTHERS, eof_time); + if (len != 10) + return false; + + if (status) { + *status |= FLAG_ICLASS_AIA; + memcpy(hdr->app_issuer_area, resp, sizeof(hdr->app_issuer_area)); + } - // we got all data; - return 2; + // card selected, now read e-purse (cc) (block2) (only 8 bytes no CRC) + start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + iclass_send_as_reader(read_check_cc, sizeof(read_check_cc), &start_time, eof_time); + + // expect a 8-byte response here + len = GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_OTHERS, eof_time); + if (len != 8) + return false; + + memcpy(hdr->epurse, resp, sizeof(hdr->epurse)); + *status |= FLAG_ICLASS_CC; + + } else { + + // read App Issuer Area block 2 + read_aia[1] = 0x02; + read_aia[2] = 0x61; + read_aia[3] = 0x10; + + start_time = *eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + iclass_send_as_reader(read_aia, sizeof(read_aia), &start_time, eof_time); + + // expect a 10-byte response here + len = GetIso15693AnswerFromTag(resp, sizeof(resp), ICLASS_READER_TIMEOUT_OTHERS, eof_time); + if (len != 10) + return false; + + if (status) { + *status |= FLAG_ICLASS_AIA; + memcpy(card_data + (8 * 2), resp, 8); + } + } + + return true; } -static uint8_t handshakeIclassTag(uint8_t *card_data) { - return handshakeIclassTag_ext(card_data, false); + +bool select_iclass_tag(uint8_t *card_data, bool use_credit_key, uint32_t *eof_time) { + uint8_t result = 0; + return select_iclass_tag_ex(card_data, use_credit_key, eof_time, &result); } // Reader iClass Anticollission // turn off afterwards -void ReaderIClass(uint8_t arg0) { +void ReaderIClass(uint8_t flags) { - uint8_t card_data[6 * 8] = {0}; - uint8_t last_csn[8] = {0, 0, 0, 0, 0, 0, 0, 0}; - uint8_t resp[ICLASS_BUFFER_SIZE]; - - memset(card_data, 0xFF, sizeof(card_data)); + uint8_t card_data[6 * 8] = {0xFF}; +// uint8_t last_csn[8] = {0, 0, 0, 0, 0, 0, 0, 0}; + uint8_t resp[ICLASS_BUFFER_SIZE] = {0}; memset(resp, 0xFF, sizeof(resp)); - //Read conf block CRC(0x01) => 0xfa 0x22 - uint8_t readConf[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x01, 0xfa, 0x22}; +// bool flag_readonce = flags & FLAG_ICLASS_READER_ONLY_ONCE; // flag to read until one tag is found successfully + bool use_credit_key = flags & FLAG_ICLASS_READER_CREDITKEY; // flag to use credit key - //Read App Issuer Area block CRC(0x05) => 0xde 0x64 - uint8_t readAA[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x05, 0xde, 0x64}; - - uint16_t tryCnt = 0; - - bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE; // flag to read until one tag is found successfully - bool try_once = arg0 & FLAG_ICLASS_READER_ONE_TRY; // flag to not to loop continuously, looking for tag - bool use_credit_key = arg0 & FLAG_ICLASS_READER_CEDITKEY; // flag to use credit key - bool flagReadConfig = arg0 & FLAG_ICLASS_READER_CONF; // flag to read block1, configuration - bool flagReadCC = arg0 & FLAG_ICLASS_READER_CC; // flag to read block2, e-purse - bool flagReadAIA = arg0 & FLAG_ICLASS_READER_AIA; // flag to read block5, application issuer area - - setupIclassReader(); - - uint16_t checked = 0; - bool userCancelled = BUTTON_PRESS() || data_available(); - while (!userCancelled) { - - WDT_HIT(); - - // if only looking for one card try 2 times if we missed it the first time - if (try_once && tryCnt > 10) { - if (DBGLEVEL > 1) DbpString("Failed to find a tag"); - break; - } - - tryCnt++; - uint8_t result_status = 0; - - int read_status = handshakeIclassTag_ext(card_data, use_credit_key); - - if (read_status == 0) continue; - if (read_status == 1) result_status = FLAG_ICLASS_READER_CSN; - if (read_status == 2) result_status = FLAG_ICLASS_READER_CSN | FLAG_ICLASS_READER_CC; - - // handshakeIclass returns CSN|CC, but the actual block - // layout is CSN|CONFIG|CC, so here we reorder the data, - // moving CC forward 8 bytes - memcpy(card_data + 16, card_data + 8, 8); - - //Read block 1, config - if (flagReadConfig) { - if (sendCmdGetResponseWithRetries(readConf, sizeof(readConf), resp, 10, 5)) { - result_status |= FLAG_ICLASS_READER_CONF; - memcpy(card_data + 8, resp, 8); - } else { - if (DBGLEVEL > 1) DbpString("Failed to dump config block"); - } - } - - //Read block 5, AIA - if (flagReadAIA) { - if (sendCmdGetResponseWithRetries(readAA, sizeof(readAA), resp, 10, 5)) { - result_status |= FLAG_ICLASS_READER_AIA; - memcpy(card_data + (8 * 5), resp, 8); - } else { - if (DBGLEVEL > 1) DbpString("Failed to dump AA block"); - } - } - - // 0 : CSN - // 1 : Configuration - // 2 : e-purse - // 3 : kd / debit / aa2 (write-only) - // 4 : kc / credit / aa1 (write-only) - // 5 : AIA, Application issuer area - // - //Then we can 'ship' back the 6 * 8 bytes of data, - // with 0xFF:s in block 3 and 4. - - LED_B_ON(); - //Send back to client, but don't bother if we already sent this - - // only useful if looping in arm (not try_once && not abort_after_read) - if (memcmp(last_csn, card_data, 8) != 0) { - // If caller requires that we get Conf, CC, AA, continue until we got it - if (DBGLEVEL >= DBG_EXTENDED) { - Dbprintf("STATUS %02X | CSN %c | CONF %c | CC %c | AIA %c | ONCE %c | 1TRY %c", - result_status, - (result_status & FLAG_ICLASS_READER_CSN) ? 'Y' : 'N', - (result_status & FLAG_ICLASS_READER_CONF) ? 'Y' : 'N', - (result_status & FLAG_ICLASS_READER_CC) ? 'Y' : 'N', - (result_status & FLAG_ICLASS_READER_AIA) ? 'Y' : 'N' - ); - Dbprintf(" aar %c | to %c, | uc %c | frc %c | fra %c | cc %c", - abort_after_read ? 'Y' : 'N', - try_once ? 'Y' : 'N', - use_credit_key ? 'Y' : 'N', - flagReadConfig ? 'Y' : 'N', - flagReadAIA ? 'Y' : 'N', - flagReadCC ? 'Y' : 'N' - ); - } - - bool send = (result_status & FLAG_ICLASS_READER_CSN); - if (flagReadCC) - send |= (result_status & FLAG_ICLASS_READER_CC); - if (flagReadAIA) - send |= (result_status & FLAG_ICLASS_READER_AIA); - if (flagReadConfig) - send |= (result_status & FLAG_ICLASS_READER_CONF); - - if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("SEND %c", send ? 'y' : 'n'); - - if (send) { - reply_mix(CMD_ACK, result_status, 0, 0, card_data, sizeof(card_data)); - if (abort_after_read) { - LED_B_OFF(); - return; - } - //Save that we already sent this.... - memcpy(last_csn, card_data, 8); - } - } - LED_B_OFF(); - - if (checked == 1000) { - userCancelled = BUTTON_PRESS() || data_available(); - checked = 0; - } - ++checked; + if ((flags & FLAG_ICLASS_READER_INIT) == FLAG_ICLASS_READER_INIT) { + Iso15693InitReader(); } - if (userCancelled) { + if ((flags & FLAG_ICLASS_READER_CLEARTRACE) == FLAG_ICLASS_READER_CLEARTRACE) { + clear_trace(); + } + + uint8_t result_status = 0; + uint32_t eof_time = 0; + bool status = select_iclass_tag_ex(card_data, use_credit_key, &eof_time, &result_status); + if (status == false) { reply_mix(CMD_ACK, 0xFF, 0, 0, card_data, 0); switch_off(); - } else { - reply_mix(CMD_ACK, 0, 0, 0, card_data, 0); + return; } + + + // Page mapping for secure mode + // 0 : CSN + // 1 : Configuration + // 2 : e-purse + // 3 : kd / debit / aa2 (write-only) + // 4 : kc / credit / aa1 (write-only) + // 5 : AIA, Application issuer area + // + // Page mapping for non secure mode + // 0 : CSN + // 1 : Configuration + // 2 : AIA, Application issuer area + + // Return to client, e 6 * 8 bytes of data. + // with 0xFF:s in block 3 and 4. + + LED_B_ON(); + reply_mix(CMD_ACK, result_status, 0, 0, card_data, sizeof(card_data)); + + //Send back to client, but don't bother if we already sent this - + // only useful if looping in arm (not try_once && not abort_after_read) + /* + if (memcmp(last_csn, card_data, 8) != 0) { + + reply_mix(CMD_ACK, result_status, 0, 0, card_data, sizeof(card_data)); + if (flag_readonce) { + LED_B_OFF(); + return; + } + LED_B_OFF(); + } + */ + +// if (userCancelled) { +// reply_mix(CMD_ACK, 0xFF, 0, 0, card_data, 0); +// switch_off(); +// } else { +// reply_mix(CMD_ACK, result_status, 0, 0, card_data, 0); +// } + + switch_off(); } // turn off afterwards -void ReaderIClass_Replay(uint8_t arg0, uint8_t *mac) { +void ReaderIClass_Replay(uint8_t *rnr, uint8_t *mac) { + + BigBuf_free(); - uint8_t cardsize = 0; - uint8_t mem = 0; - uint8_t check[] = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - uint8_t read[] = { 0x0c, 0x00, 0x00, 0x00 }; - uint8_t card_data[PM3_CMD_DATA_SIZE] = {0}; - uint8_t resp[ICLASS_BUFFER_SIZE] = {0}; + uint8_t check[] = { ICLASS_CMD_CHECK, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; + memcpy(check + 1, rnr, 4); + memcpy(check + 5, mac, 4); + + uint8_t *card_data = BigBuf_malloc(ICLASS_16KS_SIZE); + if (card_data == NULL) { + DbpString("fail to allocate memory"); + reply_ng(CMD_HF_ICLASS_REPLAY, PM3_EMALLOC, NULL, 0); + return; + } + memset(card_data, 0xFF, ICLASS_16KS_SIZE); + + uint32_t start_time = 0; + uint32_t eof_time = 0; + + Iso15693InitReader(); + + picopass_hdr hdr = {0}; + bool res = select_iclass_tag( (uint8_t *)&hdr, false, &eof_time); + if (res == false) { + reply_ng(CMD_HF_ICLASS_REPLAY, PM3_ETIMEOUT, NULL, 0); + switch_off(); + return; + } + + uint8_t resp[10] = {0}; + + //for now replay captured auth (as cc not updated) + start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + res = iclass_send_cmd_with_retries(check, sizeof(check), resp, sizeof(resp), 4, 3, &start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time); + if (res == false) { + reply_ng(CMD_HF_ICLASS_REPLAY, PM3_ETIMEOUT, NULL, 0); + switch_off(); + return; + } + + uint8_t mem = hdr.conf.mem_config; + uint8_t cardsize = ((mem & 0x80) == 0x80) ? 255 : 32; + +/* static struct memory_t { int k16; int book; @@ -2166,134 +1522,86 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *mac) { int keyaccess; } memory; - setupIclassReader(); +// memory.k16 = ((mem & 0x80) == 0x80); +// memory.book = ((mem & 0x20) == 0x20); +// memory.k2 = ((mem & 0x08) == 0x08); +// memory.lockauth = ((mem & 0x02) == 0x02); +// memory.keyaccess = ((mem & 0x01) == 0x01); +// uint8_t cardsize = memory.k16 ? 255 : 32; +*/ - while (!BUTTON_PRESS()) { + bool dumpsuccess = true; - WDT_HIT(); + // main read loop + uint16_t i; + for (i = 0; i <= cardsize; i++) { - uint8_t read_status = handshakeIclassTag(card_data); - if (read_status < 2) continue; + uint8_t c[] = {ICLASS_CMD_READ_OR_IDENTIFY, i, 0x00, 0x00}; + AddCrc(c + 1, 1); - //for now replay captured auth (as cc not updated) - memcpy(check + 5, mac, 4); - - if (!sendCmdGetResponseWithRetries(check, sizeof(check), resp, 4, 5)) { - DbpString("Error: Authentication Fail!"); - continue; + res = iclass_send_cmd_with_retries(c, sizeof(c), resp, sizeof(resp), 10, 3, &start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time); + if (res) { + memcpy(card_data + (8 * i), resp, 8); + } else { + Dbprintf("failed to read block %u ( 0x%02x)", i, i); + dumpsuccess = false; } - - //first get configuration block (block 1) - read[1] = 1; - AddCrc(read + 1, 1); - - if (!sendCmdGetResponseWithRetries(read, sizeof(read), resp, 10, 5)) { - DbpString("Dump config (block 1) failed"); - continue; - } - - mem = resp[5]; - memory.k16 = (mem & 0x80); - memory.book = (mem & 0x20); - memory.k2 = (mem & 0x8); - memory.lockauth = (mem & 0x2); - memory.keyaccess = (mem & 0x1); - - cardsize = memory.k16 ? 255 : 32; - - WDT_HIT(); - //Set card_data to all zeroes, we'll fill it with data - memset(card_data, 0x0, PM3_CMD_DATA_SIZE); - uint8_t failedRead = 0; - uint32_t stored_data_length = 0; - - //then loop around remaining blocks - for (uint16_t block = 0; block < cardsize; block++) { - - read[1] = block; - AddCrc(read + 1, 1); - - if (sendCmdGetResponseWithRetries(read, sizeof(read), resp, 10, 5)) { - Dbprintf(" %02x: %02x %02x %02x %02x %02x %02x %02x %02x", - block, resp[0], resp[1], resp[2], - resp[3], resp[4], resp[5], - resp[6], resp[7] - ); - - //Fill up the buffer - memcpy(card_data + stored_data_length, resp, 8); - stored_data_length += 8; - if (stored_data_length + 8 > PM3_CMD_DATA_SIZE) { - //Time to send this off and start afresh - reply_old(CMD_ACK, - stored_data_length,//data length - failedRead,//Failed blocks? - 0,//Not used ATM - card_data, - stored_data_length - ); - //reset - stored_data_length = 0; - failedRead = 0; - } - } else { - failedRead = 1; - stored_data_length += 8;//Otherwise, data becomes misaligned - Dbprintf("Failed to dump block %d", block); - } - } - - //Send off any remaining data - if (stored_data_length > 0) { - reply_old(CMD_ACK, - stored_data_length,//data length - failedRead,//Failed blocks? - 0,//Not used ATM - card_data, - stored_data_length - ); - } - //If we got here, let's break - break; } - //Signal end of transmission - reply_old(CMD_ACK, - 0,//data length - 0,//Failed blocks? - 0,//Not used ATM - card_data, - 0 - ); - switch_off(); -} -// not used. ?!? ( CMD_HF_ICLASS_READCHECK) -// turn off afterwards -void iClass_ReadCheck(uint8_t blockno, uint8_t keytype) { - uint8_t readcheck[] = { keytype, blockno }; - uint8_t resp[] = {0, 0, 0, 0, 0, 0, 0, 0}; - size_t isOK = 0; - isOK = sendCmdGetResponseWithRetries(readcheck, sizeof(readcheck), resp, sizeof(resp), 6); - reply_mix(CMD_ACK, isOK, 0, 0, 0, 0); + struct p { + bool isOK; + uint16_t block_cnt; + uint32_t bb_offset; + } PACKED response; + + response.isOK = dumpsuccess; + response.block_cnt = i; + response.bb_offset = card_data - BigBuf_get_addr(); + reply_ng(CMD_HF_ICLASS_REPLAY, PM3_SUCCESS, (uint8_t *)&response, sizeof(response)); + + BigBuf_free(); switch_off(); } // used with function select_and_auth (cmdhficlass.c) // which needs to authenticate before doing more things like read/write -void iClass_Authentication(uint8_t *mac) { - uint8_t check[] = { ICLASS_CMD_CHECK, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - uint8_t resp[ICLASS_BUFFER_SIZE]; +// selects and authenticate to a card, sends back div_key and mac to client. +void iClass_Authentication(uint8_t *msg) { +} + +bool authenticate_iclass_tag(iclass_auth_req_t *payload, picopass_hdr *hdr, uint32_t *start_time, uint32_t *eof_time, uint8_t *mac_out) { + + uint8_t cmd_check[9] = { ICLASS_CMD_CHECK }; + uint8_t div_key[8] = {0}; + uint8_t mac[4] = {0}; + uint8_t resp_auth[4] = {0}; + uint8_t ccnr[12] = {0}; + + uint8_t *pmac = mac; + if (mac_out) + pmac = mac_out; + + memcpy(ccnr, hdr->epurse, sizeof(hdr->epurse)); + + if (payload->use_raw) + memcpy(div_key, payload->key, 8); + else + iclass_calc_div_key(hdr->csn, payload->key, div_key, payload->use_elite); + + if (payload->use_credit_key) + memcpy(hdr->key_c, div_key, sizeof(hdr->key_c)); + else + memcpy(hdr->key_d, div_key, sizeof(hdr->key_d)); + + opt_doReaderMAC(ccnr, div_key, pmac); // copy MAC to check command (readersignature) - check[5] = mac[0]; - check[6] = mac[1]; - check[7] = mac[2]; - check[8] = mac[3]; - //memcpy(check+5, mac, 4); + cmd_check[5] = pmac[0]; + cmd_check[6] = pmac[1]; + cmd_check[7] = pmac[2]; + cmd_check[8] = pmac[3]; - // 6 retries - uint8_t isOK = sendCmdGetResponseWithRetries(check, sizeof(check), resp, 4, 6); - reply_ng(CMD_HF_ICLASS_AUTH, PM3_SUCCESS, (uint8_t *)&isOK, sizeof(uint8_t)); + return iclass_send_cmd_with_retries(cmd_check, sizeof(cmd_check), resp_auth, sizeof(resp_auth), 4, 2, start_time, ICLASS_READER_TIMEOUT_OTHERS, eof_time); } typedef struct iclass_premac { @@ -2308,12 +1616,14 @@ typedef struct iclass_premac { * to cover debit and credit key. (AA1/AA2) */ void iClass_Authentication_fast(uint64_t arg0, uint64_t arg1, uint8_t *datain) { + uint8_t i = 0, isOK = 0; - uint8_t lastChunk = ((arg0 >> 8) & 0xFF); +// uint8_t lastChunk = ((arg0 >> 8) & 0xFF); bool use_credit_key = ((arg0 >> 16) & 0xFF); uint8_t keyCount = arg1 & 0xFF; - uint8_t check[] = { ICLASS_CMD_CHECK, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - uint8_t resp[ICLASS_BUFFER_SIZE]; + + uint8_t check[9] = { ICLASS_CMD_CHECK }; + uint8_t resp[ICLASS_BUFFER_SIZE] = {0}; uint8_t readcheck_cc[] = { 0x80 | ICLASS_CMD_READCHECK, 0x02 }; if (use_credit_key) @@ -2326,39 +1636,28 @@ void iClass_Authentication_fast(uint64_t arg0, uint64_t arg1, uint8_t *datain) { LED_A_ON(); + // fresh start switch_off(); SpinDelay(20); + + Iso15693InitReader(); - setupIclassReader(); + uint32_t start_time = 0, eof_time = 0; + if (select_iclass_tag(card_data, use_credit_key, &eof_time) == false) + goto out; + + start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + + // since select_iclass_tag call sends s readcheck, we start with sending first response. uint16_t checked = 0; - int read_status = 0; - uint8_t startup_limit = 10; - while (read_status != 2) { - - if (checked == 1000) { - if (BUTTON_PRESS() || !data_available()) goto out; - checked = 0; - } - ++checked; - - read_status = handshakeIclassTag_ext(card_data, use_credit_key); - if (startup_limit-- == 0) { - Dbprintf("[-] Handshake status | %d (fail 10)", read_status); - isOK = 99; - goto out; - } - }; - // since handshakeIclassTag_ext call sends s readcheck, we start with sending first response. - - checked = 0; // Keychunk loop for (i = 0; i < keyCount; i++) { // Allow button press / usb cmd to interrupt device if (checked == 1000) { - if (BUTTON_PRESS() || !data_available()) goto out; + if (BUTTON_PRESS() || data_available()) goto out; checked = 0; } ++checked; @@ -2373,125 +1672,338 @@ void iClass_Authentication_fast(uint64_t arg0, uint64_t arg1, uint8_t *datain) { check[8] = keys[i].mac[3]; // expect 4bytes, 3 retries times.. - isOK = sendCmdGetResponseWithRetries(check, sizeof(check), resp, 4, 3); + isOK = iclass_send_cmd_with_retries(check, sizeof(check), resp, sizeof(resp), 4, 2, &start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time); if (isOK) goto out; + start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; // Auth Sequence MUST begin with reading e-purse. (block2) // Card selected, now read e-purse (cc) (block2) (only 8 bytes no CRC) - ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc)); + iclass_send_as_reader(readcheck_cc, sizeof(readcheck_cc), &start_time, &eof_time); LED_B_OFF(); } out: // send keyindex. - reply_mix(CMD_ACK, isOK, i, 0, 0, 0); - - if (isOK >= 1 || lastChunk) { - switch_off(); - LED_A_OFF(); - } - - LED_B_OFF(); - LED_C_OFF(); + reply_mix(CMD_HF_ICLASS_CHKKEYS, isOK, i, 0, 0, 0); + switch_off(); } // Tries to read block. -// retries 10times. -bool iClass_ReadBlock(uint8_t blockno, uint8_t *data, uint8_t len) { +// retries 3times. +// reply 8 bytes block +bool iclass_read_block(uint16_t blockno, uint8_t *data, uint32_t *start_time, uint32_t *eof_time) { uint8_t resp[10]; - uint8_t cmd[] = {ICLASS_CMD_READ_OR_IDENTIFY, blockno, 0x00, 0x00}; - AddCrc(cmd + 1, 1); - // expect size 10, retry 5times - bool isOK = sendCmdGetResponseWithRetries(cmd, sizeof(cmd), resp, 10, 5); - memcpy(data, resp, len); + uint8_t c[] = {ICLASS_CMD_READ_OR_IDENTIFY, blockno, 0x00, 0x00}; + AddCrc(c + 1, 1); + bool isOK = iclass_send_cmd_with_retries(c, sizeof(c), resp, sizeof(resp), 10, 2, start_time, ICLASS_READER_TIMEOUT_OTHERS, eof_time); + if (isOK) + memcpy(data, resp, 8); return isOK; } // turn off afterwards -// readblock 8 + 2. only want 8. -void iClass_ReadBlk(uint8_t blockno) { - struct p { - bool isOK; - uint8_t blockdata[8]; - } PACKED result; +// send in authentication needed data, if to use auth. +// reply 8 bytes block if send_reply (for client) +void iClass_ReadBlock(uint8_t *msg) { - result.isOK = iClass_ReadBlock(blockno, result.blockdata, sizeof(result.blockdata)); - switch_off(); - reply_ng(CMD_HF_ICLASS_READBL, PM3_SUCCESS, (uint8_t *)&result, sizeof(result)); + iclass_auth_req_t *payload = (iclass_auth_req_t *)msg; + + iclass_readblock_resp_t response = { .isOK = true }; + memset(response.data, 0, sizeof(response.data)); + + uint8_t cmd_read[] = {ICLASS_CMD_READ_OR_IDENTIFY, payload->blockno, 0x00, 0x00}; + AddCrc(cmd_read + 1, 1); + + Iso15693InitReader(); + + // select tag. + uint32_t eof_time = 0; + picopass_hdr hdr = {0}; + bool res = select_iclass_tag( (uint8_t *)&hdr, payload->use_credit_key, &eof_time); + if (res == false) { + if (payload->send_reply) { + response.isOK = res; + reply_ng(CMD_HF_ICLASS_READBL, PM3_ETIMEOUT, (uint8_t *)&response, sizeof(response)); + } + goto out; + } + + uint32_t start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + + // authenticate + if (payload->do_auth) { + + res = authenticate_iclass_tag(payload, &hdr, &start_time, &eof_time, NULL); + if (res == false) { + if (payload->send_reply) { + response.isOK = res; + reply_ng(CMD_HF_ICLASS_READBL, PM3_ETIMEOUT, (uint8_t *)&response, sizeof(response)); + } + goto out; + } + } + + start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + + // read data + uint8_t resp[10]; + res = iclass_send_cmd_with_retries(cmd_read, sizeof(cmd_read), resp, sizeof(resp), 10, 3, &start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time); + if (res) { + memcpy(response.data, resp, sizeof(response.data)); + if (payload->send_reply) { + reply_ng(CMD_HF_ICLASS_READBL, PM3_SUCCESS, (uint8_t *)&response, sizeof(response)); + } + } else { + if (payload->send_reply) { + response.isOK = res; + reply_ng(CMD_HF_ICLASS_READBL, PM3_ETIMEOUT, (uint8_t *)&response, sizeof(response)); + } + } + +out: + switch_off(); } - -// turn off afterwards -void iClass_Dump(uint8_t blockno, uint8_t numblks) { - uint8_t blockdata[] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; - bool isOK = false; - uint8_t blkCnt = 0; - + +// Dump command seems to dump a block related portion of card memory. +// I suppose it will need to do an authentatication to AA1, read its blocks by calling this. +// then authenticate AA2, and read those blocks by calling this. +// By the looks at it only 2K cards is supported, or first page dumps on larger cards. +// turn off afterwards +void iClass_Dump(uint8_t *msg) { + BigBuf_free(); - uint8_t *dataout = BigBuf_malloc(255 * 8); + + iclass_dump_req_t *cmd = (iclass_dump_req_t *)msg; + iclass_auth_req_t *req = &cmd->req; + + uint8_t *dataout = BigBuf_malloc(ICLASS_16KS_SIZE); if (dataout == NULL) { - DbpString("[!] fail to allocate memory"); - OnError(1); + DbpString("fail to allocate memory"); + if (req->send_reply) { + reply_ng(CMD_HF_ICLASS_DUMP, PM3_EMALLOC, NULL, 0); + } + switch_off(); return; } - // fill mem with 0xFF - memset(dataout, 0xFF, 255 * 8); + memset(dataout, 0xFF, ICLASS_16KS_SIZE); - for (; blkCnt < numblks; blkCnt++) { - isOK = iClass_ReadBlock(blockno + blkCnt, blockdata, sizeof(blockdata)); - - // 0xBB is the internal debug separator byte.. - if (!isOK || (blockdata[0] == 0xBB || blockdata[7] == 0xBB || blockdata[2] == 0xBB)) { //try again - isOK = iClass_ReadBlock(blockno + blkCnt, blockdata, sizeof(blockdata)); - if (!isOK) { - Dbprintf("[!] block %02X failed to read", blkCnt + blockno); - break; - } + Iso15693InitReader(); + + // select tag. + uint32_t eof_time = 0; + picopass_hdr hdr = {0}; + bool res = select_iclass_tag( (uint8_t *)&hdr, req->use_credit_key, &eof_time); + if (res == false) { + if (req->send_reply) { + reply_ng(CMD_HF_ICLASS_DUMP, PM3_ETIMEOUT, NULL, 0); + } + switch_off(); + return; + } + + uint32_t start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + + // authenticate + if (req->do_auth) { + res = authenticate_iclass_tag(req, &hdr, &start_time, &eof_time, NULL); + if (res == false) { + if (req->send_reply) { + reply_ng(CMD_HF_ICLASS_DUMP, PM3_ETIMEOUT, NULL, 0); + } + switch_off(); + return; } - memcpy(dataout + (blkCnt * 8), blockdata, 8); } - switch_off(); - //return pointer to dump memory in arg3 - reply_mix(CMD_ACK, isOK, blkCnt, BigBuf_max_traceLen(), 0, 0); + start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + + bool dumpsuccess = true; + + // main read loop + uint16_t i; + for (i = cmd->start_block; i <= cmd->end_block; i++) { + + uint8_t resp[10]; + uint8_t c[] = {ICLASS_CMD_READ_OR_IDENTIFY, i, 0x00, 0x00}; + AddCrc(c + 1, 1); + + res = iclass_send_cmd_with_retries(c, sizeof(c), resp, sizeof(resp), 10, 3, &start_time, ICLASS_READER_TIMEOUT_OTHERS, &eof_time); + if (res) { + memcpy(dataout + (8 * i), resp, 8); + } else { + Dbprintf("failed to read block %u ( 0x%02x)", i, i); + dumpsuccess = false; + } + } + + switch_off(); + + // copy diversified key back. + if (req->do_auth) { + if (req->use_credit_key) + memcpy(dataout + (8 * 4), hdr.key_c, 8); + else + memcpy(dataout + (8 * 3), hdr.key_d, 8); + } + + if (req->send_reply) { + struct p { + bool isOK; + uint16_t block_cnt; + uint32_t bb_offset; + } PACKED response; + + response.isOK = dumpsuccess; + response.block_cnt = i; + response.bb_offset = dataout - BigBuf_get_addr(); + reply_ng(CMD_HF_ICLASS_DUMP, PM3_SUCCESS, (uint8_t *)&response, sizeof(response)); + } + BigBuf_free(); } -static bool iClass_WriteBlock_ext(uint8_t blockno, uint8_t *data) { - uint8_t resp[] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; - uint8_t write[] = { 0x80 | ICLASS_CMD_UPDATE, blockno, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; +static bool iclass_writeblock_ext(uint8_t blockno, uint8_t *data) { + + uint8_t write[16] = { 0x80 | ICLASS_CMD_UPDATE, blockno }; memcpy(write + 2, data, 12); // data + mac AddCrc(write + 1, 13); - return sendCmdGetResponseWithRetries(write, sizeof(write), resp, sizeof(resp), 5); + + uint8_t resp[10] = {0}; + uint32_t eof_time = 0, start_time = 0; + bool isOK = iclass_send_cmd_with_retries(write, sizeof(write), resp, sizeof(resp), 10, 3, &start_time, ICLASS_READER_TIMEOUT_UPDATE, &eof_time); + if (isOK == false) { + return false; + } + + uint8_t all_ff[8] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; + if (blockno == 2) { + // check response. e-purse update swaps first and second half + if (memcmp(data + 4, resp, 4) || memcmp(data, resp + 4, 4)) { + return false; + } + } else if (blockno == 3 || blockno == 4) { + // check response. Key updates always return 0xffffffffffffffff + if (memcmp(all_ff, resp, 8)) { + return false; + } + } else { + // check response. All other updates return unchanged data + if (memcmp(data, resp, 8)) { + return false; + } + } + + return true; } // turn off afterwards -void iClass_WriteBlock(uint8_t blockno, uint8_t *data) { - uint8_t isOK = iClass_WriteBlock_ext(blockno, data); +void iClass_WriteBlock(uint8_t *msg) { + + LED_A_ON(); + + iclass_writeblock_req_t *payload = (iclass_writeblock_req_t *)msg; + + uint8_t write[16] = { 0x80 | ICLASS_CMD_UPDATE, payload->req.blockno }; + + Iso15693InitReader(); + + // select tag. + uint32_t eof_time = 0; + picopass_hdr hdr = {0}; + bool res = select_iclass_tag( (uint8_t *)&hdr, payload->req.use_credit_key, &eof_time); + if (res == false) { + goto out; + } + + uint32_t start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + + uint8_t mac[4] = {0}; + + // authenticate + if (payload->req.do_auth) { + + res = authenticate_iclass_tag(&payload->req, &hdr, &start_time, &eof_time, mac); + if (res == false) { + goto out; + } + } + + // calc new mac for write + uint8_t wb[9]; + wb[0] = payload->req.blockno; + memcpy(wb + 1, payload->data, 8); + + if (payload->req.use_credit_key) + doMAC_N(wb, sizeof(wb), hdr.key_c, mac); + else + doMAC_N(wb, sizeof(wb), hdr.key_d, mac); + + memcpy(write + 2, payload->data, 8); // data + memcpy(write + 10, mac, sizeof(mac)); // mac + AddCrc(write + 1, 13); + + start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER; + + uint8_t resp[10] = {0}; + res = iclass_send_cmd_with_retries(write, sizeof(write), resp, sizeof(resp), 10, 3, &start_time, ICLASS_READER_TIMEOUT_UPDATE, &eof_time); + if (res == false) { + goto out; + } + + // verify write + uint8_t all_ff[8] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; + if (payload->req.blockno == 2) { + // check response. e-purse update swaps first and second half + if (memcmp(payload->data + 4, resp, 4) || memcmp(payload->data, resp + 4, 4)) { + res = false; + goto out; + } + } else if (payload->req.blockno == 3 || payload->req.blockno == 4) { + // check response. Key updates always return 0xffffffffffffffff + if (memcmp(all_ff, resp, 8)) { + res = false; + goto out; + } + } else { + // check response. All other updates return unchanged data + if (memcmp(payload->data, resp, 8)) { + res = false; + goto out; + } + } + +out: switch_off(); - reply_ng(CMD_HF_ICLASS_WRITEBL, PM3_SUCCESS, (uint8_t *)&isOK, sizeof(uint8_t)); + + if (payload->req.send_reply) + reply_ng(CMD_HF_ICLASS_WRITEBL, PM3_SUCCESS, (uint8_t *)&res, sizeof(uint8_t)); } // turn off afterwards void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data) { - int i, written = 0; - int total_block = (endblock - startblock) + 1; - for (i = 0; i < total_block; i++) { - // block number - if (iClass_WriteBlock_ext(startblock + i, data + (i * 12))) { - Dbprintf("Write block [%02x] successful", startblock + i); +} + +void iClass_Restore(uint8_t *msg) { + + iclass_restore_req_t *cmd = (iclass_restore_req_t *)msg; +// iclass_auth_req_t *req = &cmd->req; + + LED_A_ON(); + uint16_t written = 0; + uint16_t total_blocks = (cmd->end_block - cmd->start_block) + 1; + for (uint8_t b = cmd->start_block; b < total_blocks; b++) { + + if (iclass_writeblock_ext(b, cmd->data + ((b - cmd->start_block) * 12))) { + Dbprintf("Write block [%02x] successful", b); written++; } else { - Dbprintf("Write block [%02x] failed", startblock + i); + Dbprintf("Write block [%02x] failed", b); } } switch_off(); - - uint8_t isOK = 0; - if (written == total_block) - isOK = 1; - + uint8_t isOK = (written == total_blocks) ? 1 : 0; reply_ng(CMD_HF_ICLASS_CLONE, PM3_SUCCESS, (uint8_t *)&isOK, sizeof(uint8_t)); } diff --git a/armsrc/iclass.h b/armsrc/iclass.h index a9edbdfed..3776aa385 100644 --- a/armsrc/iclass.h +++ b/armsrc/iclass.h @@ -1,6 +1,7 @@ //----------------------------------------------------------------------------- // Jonathan Westhues, Aug 2005 // Gerhard de Koning Gans, April 2008, May 2011 +// Iceman, August 2020 // // This code is licensed to you under the terms of the GNU GPL, version 2 or, // at your option, any later version. See the LICENSE.txt file for the text of @@ -12,18 +13,30 @@ #define __ICLASS_H #include "common.h" +#include "pm3_cmd.h" -void RAMFUNC SniffIClass(void); -void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); +void SniffIClass(uint8_t jam_search_len, uint8_t *jam_search_string); void ReaderIClass(uint8_t arg0); -void ReaderIClass_Replay(uint8_t arg0, uint8_t *mac); -void iClass_Authentication(uint8_t *mac); -void iClass_Authentication_fast(uint64_t arg0, uint64_t arg1, uint8_t *datain); -void iClass_WriteBlock(uint8_t blockno, uint8_t *data); -void iClass_ReadBlk(uint8_t blockno); -bool iClass_ReadBlock(uint8_t blockno, uint8_t *data, uint8_t len); -void iClass_Dump(uint8_t blockno, uint8_t numblks); -void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data); -void iClass_ReadCheck(uint8_t blockno, uint8_t keytype); +void ReaderIClass_Replay(uint8_t *rnr, uint8_t *mac); +void iClass_WriteBlock(uint8_t *msg); +void iClass_Dump(uint8_t *msg); + +void iClass_Restore(uint8_t *msg); +void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data); + +int do_iclass_simulation_nonsec(void); +int do_iclass_simulation(int simulationMode, uint8_t *reader_mac_buf); +void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); +void iclass_simulate(uint8_t sim_type, uint8_t num_csns, bool send_reply, uint8_t *datain, uint8_t *dataout, uint16_t *dataoutlen); + +void iClass_Authentication_fast(uint64_t arg0, uint64_t arg1, uint8_t *datain); +void iClass_Authentication(uint8_t *bytes); +bool iclass_auth(iclass_auth_req_t *payload, uint8_t *out); + +void iClass_ReadBlock(uint8_t *msg); +bool iclass_read_block(uint16_t blockno, uint8_t *data, uint32_t *start_time, uint32_t *eof_time); + +bool select_iclass_tag(uint8_t *card_data, bool use_credit_key, uint32_t *eof_time); +bool authenticate_iclass_tag(iclass_auth_req_t *payload, picopass_hdr *hdr, uint32_t *start_time, uint32_t *eof_time, uint8_t *mac_out); #endif diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index 3b7b096a4..ce5d1bd0c 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c @@ -585,10 +585,6 @@ void RAMFUNC SniffIso14443a(uint8_t param) { uint8_t *receivedResp = BigBuf_malloc(MAX_FRAME_SIZE); uint8_t *receivedRespPar = BigBuf_malloc(MAX_PARITY_SIZE); - // The DMA buffer, used to stream samples from the FPGA - uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE); - uint8_t *data = dmaBuf; - uint8_t previous_data = 0; int maxDataLen = 0, dataLen; bool TagIsActive = false; @@ -600,10 +596,14 @@ void RAMFUNC SniffIso14443a(uint8_t param) { // Set up the demodulator for the reader -> tag commands Uart14aInit(receivedCmd, receivedCmdPar); - DbpString("Starting to sniff"); + Dbprintf("Starting to sniff. Press PM3 Button to stop."); + + // The DMA buffer, used to stream samples from the FPGA + dmabuf8_t *dma = get_dma8(); + uint8_t *data = dma->buf; // Setup and start DMA. - if (!FpgaSetupSscDma((uint8_t *) dmaBuf, DMA_BUFFER_SIZE)) { + if (!FpgaSetupSscDma((uint8_t *) dma->buf, DMA_BUFFER_SIZE)) { if (DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting"); return; } @@ -621,7 +621,7 @@ void RAMFUNC SniffIso14443a(uint8_t param) { WDT_HIT(); LED_A_ON(); - int register readBufDataP = data - dmaBuf; + int register readBufDataP = data - dma->buf; int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR; if (readBufDataP <= dmaBufDataP) dataLen = dmaBufDataP - readBufDataP; @@ -640,13 +640,13 @@ void RAMFUNC SniffIso14443a(uint8_t param) { // primary buffer was stopped( <-- we lost data! if (!AT91C_BASE_PDC_SSC->PDC_RCR) { - AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf; + AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dma->buf; AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE; Dbprintf("[-] RxEmpty ERROR | data length %d", dataLen); // temporary } // secondary buffer sets as primary, secondary buffer was stopped if (!AT91C_BASE_PDC_SSC->PDC_RNCR) { - AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; + AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dma->buf; AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE; } @@ -710,16 +710,15 @@ void RAMFUNC SniffIso14443a(uint8_t param) { previous_data = *data; rx_samples++; data++; - if (data == dmaBuf + DMA_BUFFER_SIZE) { - data = dmaBuf; + if (data == dma->buf + DMA_BUFFER_SIZE) { + data = dma->buf; } } // end main loop FpgaDisableTracing(); if (DBGLEVEL >= DBG_ERROR) { - Dbprintf("maxDataLen=%d, Uart.state=%x, Uart.len=%d", maxDataLen, Uart.state, Uart.len); - Dbprintf("traceLen=" _YELLOW_("%d")", Uart.output[0]="_YELLOW_("%08x"), BigBuf_get_traceLen(), (uint32_t)Uart.output[0]); + Dbprintf("trace len = " _YELLOW_("%d"), BigBuf_get_traceLen()); } switch_off(); } @@ -729,62 +728,61 @@ void RAMFUNC SniffIso14443a(uint8_t param) { //----------------------------------------------------------------------------- static void CodeIso14443aAsTagPar(const uint8_t *cmd, uint16_t len, uint8_t *par, bool collision) { - //uint8_t localCol = 0; - ToSendReset(); + tosend_reset(); + + tosend_t *ts = get_tosend(); // Correction bit, might be removed when not needed - ToSendStuffBit(0); - ToSendStuffBit(0); - ToSendStuffBit(0); - ToSendStuffBit(0); - ToSendStuffBit(1); // <----- - ToSendStuffBit(0); - ToSendStuffBit(0); - ToSendStuffBit(0); + tosend_stuffbit(0); + tosend_stuffbit(0); + tosend_stuffbit(0); + tosend_stuffbit(0); + tosend_stuffbit(1); // <----- + tosend_stuffbit(0); + tosend_stuffbit(0); + tosend_stuffbit(0); // Send startbit - ToSend[++ToSendMax] = SEC_D; - LastProxToAirDuration = 8 * ToSendMax - 4; + ts->buf[++ts->max] = SEC_D; + LastProxToAirDuration = 8 * ts->max - 4; for (uint16_t i = 0; i < len; i++) { uint8_t b = cmd[i]; // Data bits for (uint16_t j = 0; j < 8; j++) { - //if (collision && (localCol >= colpos)){ if (collision) { - ToSend[++ToSendMax] = SEC_COLL; - //localCol++; + ts->buf[++ts->max] = SEC_COLL; } else { if (b & 1) { - ToSend[++ToSendMax] = SEC_D; + ts->buf[++ts->max] = SEC_D; } else { - ToSend[++ToSendMax] = SEC_E; + ts->buf[++ts->max] = SEC_E; } b >>= 1; } } if (collision) { - ToSend[++ToSendMax] = SEC_COLL; - LastProxToAirDuration = 8 * ToSendMax; + ts->buf[++ts->max] = SEC_COLL; + LastProxToAirDuration = 8 * ts->max; } else { // Get the parity bit if (par[i >> 3] & (0x80 >> (i & 0x0007))) { - ToSend[++ToSendMax] = SEC_D; - LastProxToAirDuration = 8 * ToSendMax - 4; + ts->buf[++ts->max] = SEC_D; + LastProxToAirDuration = 8 * ts->max - 4; } else { - ToSend[++ToSendMax] = SEC_E; - LastProxToAirDuration = 8 * ToSendMax; + ts->buf[++ts->max] = SEC_E; + LastProxToAirDuration = 8 * ts->max; } } } // Send stopbit - ToSend[++ToSendMax] = SEC_F; + ts->buf[++ts->max] = SEC_F; // Convert from last byte pos to length - ToSendMax++; + ts->max++; } static void CodeIso14443aAsTagEx(const uint8_t *cmd, uint16_t len, bool collision) { @@ -799,37 +797,39 @@ static void CodeIso14443aAsTag(const uint8_t *cmd, uint16_t len) { static void Code4bitAnswerAsTag(uint8_t cmd) { uint8_t b = cmd; - ToSendReset(); + tosend_reset(); + + tosend_t *ts = get_tosend(); // Correction bit, might be removed when not needed - ToSendStuffBit(0); - ToSendStuffBit(0); - ToSendStuffBit(0); - ToSendStuffBit(0); - ToSendStuffBit(1); // 1 - ToSendStuffBit(0); - ToSendStuffBit(0); - ToSendStuffBit(0); + tosend_stuffbit(0); + tosend_stuffbit(0); + tosend_stuffbit(0); + tosend_stuffbit(0); + tosend_stuffbit(1); // 1 + tosend_stuffbit(0); + tosend_stuffbit(0); + tosend_stuffbit(0); // Send startbit - ToSend[++ToSendMax] = SEC_D; + ts->buf[++ts->max] = SEC_D; for (uint8_t i = 0; i < 4; i++) { if (b & 1) { - ToSend[++ToSendMax] = SEC_D; - LastProxToAirDuration = 8 * ToSendMax - 4; + ts->buf[++ts->max] = SEC_D; + LastProxToAirDuration = 8 * ts->max - 4; } else { - ToSend[++ToSendMax] = SEC_E; - LastProxToAirDuration = 8 * ToSendMax; + ts->buf[++ts->max] = SEC_E; + LastProxToAirDuration = 8 * ts->max; } b >>= 1; } // Send stopbit - ToSend[++ToSendMax] = SEC_F; + ts->buf[++ts->max] = SEC_F; // Convert from last byte pos to length - ToSendMax++; + ts->max++; } //----------------------------------------------------------------------------- @@ -887,32 +887,36 @@ bool prepare_tag_modulation(tag_response_info_t *response_info, size_t max_buffe // Prepare the tag modulation bits from the message CodeIso14443aAsTag(response_info->response, response_info->response_n); + tosend_t *ts = get_tosend(); + // Make sure we do not exceed the free buffer space - if (ToSendMax > max_buffer_size) { + if (ts->max > max_buffer_size) { Dbprintf("ToSend buffer, Out-of-bound, when modulating bits for tag answer:"); Dbhexdump(response_info->response_n, response_info->response, false); return false; } // Copy the byte array, used for this modulation to the buffer position - memcpy(response_info->modulation, ToSend, ToSendMax); + memcpy(response_info->modulation, ts->buf, ts->max); // Store the number of bytes that were used for encoding/modulation and the time needed to transfer them - response_info->modulation_n = ToSendMax; + response_info->modulation_n = ts->max; response_info->ProxToAirDuration = LastProxToAirDuration; return true; } bool prepare_allocated_tag_modulation(tag_response_info_t *response_info, uint8_t **buffer, size_t *max_buffer_size) { + tosend_t *ts = get_tosend(); + // Retrieve and store the current buffer index response_info->modulation = *buffer; // Forward the prepare tag modulation function to the inner function if (prepare_tag_modulation(response_info, *max_buffer_size)) { // Update the free buffer offset and the remaining buffer size - *buffer += ToSendMax; - *max_buffer_size -= ToSendMax; + *buffer += ts->max; + *max_buffer_size -= ts->max; return true; } else { return false; @@ -1499,10 +1503,13 @@ void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data) { uint8_t pwd[4]; emlGetMemBt(pwd, (pages - 1) * 4 + MFU_DUMP_PREFIX_LENGTH, sizeof(pwd)); if (memcmp(receivedCmd + 1, pwd, 4) == 0) { - uint8_t cmd[4]; - emlGetMemBt(cmd, pages * 4 + MFU_DUMP_PREFIX_LENGTH, 2); - AddCrc14A(cmd, sizeof(cmd) - 2); - EmSendCmd(cmd, sizeof(cmd)); + uint8_t pack[4]; + emlGetMemBt(pack, pages * 4 + MFU_DUMP_PREFIX_LENGTH, 2); + if (memcmp(pack, "\x00\x00\x00\x00", 4) == 0) { + memcpy(pack, "\x80\x80\x00\x00", 4); + } + AddCrc14A(pack, sizeof(pack) - 2); + EmSendCmd(pack, sizeof(pack)); } else { EmSend4bit(CARD_NACK_NA); if (DBGLEVEL >= DBG_DEBUG) Dbprintf("Auth attempt: %08x", bytes_to_num(receivedCmd + 1, 4)); @@ -1635,12 +1642,14 @@ static void PrepareDelayedTransfer(uint16_t delay) { for (uint16_t i = 0; i < delay; i++) bitmask |= (0x01 << i); - ToSend[ToSendMax++] = 0x00; + tosend_t *ts = get_tosend(); - for (uint16_t i = 0; i < ToSendMax; i++) { - uint8_t bits_to_shift = ToSend[i] & bitmask; - ToSend[i] = ToSend[i] >> delay; - ToSend[i] = ToSend[i] | (bits_shifted << (8 - delay)); + ts->buf[ts->max++] = 0x00; + + for (uint16_t i = 0; i < ts->max; i++) { + uint8_t bits_to_shift = ts->buf[i] & bitmask; + ts->buf[i] = ts->buf[i] >> delay; + ts->buf[i] = ts->buf[i] | (bits_shifted << (8 - delay)); bits_shifted = bits_to_shift; } } @@ -1698,11 +1707,12 @@ static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing static void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, const uint8_t *par) { int last = 0; - ToSendReset(); + tosend_reset(); + tosend_t *ts = get_tosend(); // Start of Communication (Seq. Z) - ToSend[++ToSendMax] = SEC_Z; - LastProxToAirDuration = 8 * (ToSendMax + 1) - 6; + ts->buf[++ts->max] = SEC_Z; + LastProxToAirDuration = 8 * (ts->max + 1) - 6; size_t bytecount = nbytes(bits); // Generate send structure for the data bits @@ -1714,17 +1724,17 @@ static void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, cons for (j = 0; j < bitsleft; j++) { if (b & 1) { // Sequence X - ToSend[++ToSendMax] = SEC_X; - LastProxToAirDuration = 8 * (ToSendMax + 1) - 2; + ts->buf[++ts->max] = SEC_X; + LastProxToAirDuration = 8 * (ts->max + 1) - 2; last = 1; } else { if (last == 0) { // Sequence Z - ToSend[++ToSendMax] = SEC_Z; - LastProxToAirDuration = 8 * (ToSendMax + 1) - 6; + ts->buf[++ts->max] = SEC_Z; + LastProxToAirDuration = 8 * (ts->max + 1) - 6; } else { // Sequence Y - ToSend[++ToSendMax] = SEC_Y; + ts->buf[++ts->max] = SEC_Y; last = 0; } } @@ -1736,17 +1746,17 @@ static void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, cons // Get the parity bit if (par[i >> 3] & (0x80 >> (i & 0x0007))) { // Sequence X - ToSend[++ToSendMax] = SEC_X; - LastProxToAirDuration = 8 * (ToSendMax + 1) - 2; + ts->buf[++ts->max] = SEC_X; + LastProxToAirDuration = 8 * (ts->max + 1) - 2; last = 1; } else { if (last == 0) { // Sequence Z - ToSend[++ToSendMax] = SEC_Z; - LastProxToAirDuration = 8 * (ToSendMax + 1) - 6; + ts->buf[++ts->max] = SEC_Z; + LastProxToAirDuration = 8 * (ts->max + 1) - 6; } else { // Sequence Y - ToSend[++ToSendMax] = SEC_Y; + ts->buf[++ts->max] = SEC_Y; last = 0; } } @@ -1756,16 +1766,16 @@ static void CodeIso14443aBitsAsReaderPar(const uint8_t *cmd, uint16_t bits, cons // End of Communication: Logic 0 followed by Sequence Y if (last == 0) { // Sequence Z - ToSend[++ToSendMax] = SEC_Z; - LastProxToAirDuration = 8 * (ToSendMax + 1) - 6; + ts->buf[++ts->max] = SEC_Z; + LastProxToAirDuration = 8 * (ts->max + 1) - 6; } else { // Sequence Y - ToSend[++ToSendMax] = SEC_Y; + ts->buf[++ts->max] = SEC_Y; } - ToSend[++ToSendMax] = SEC_Y; + ts->buf[++ts->max] = SEC_Y; // Convert to length of command: - ToSendMax++; + ts->max++; } //----------------------------------------------------------------------------- @@ -1967,7 +1977,8 @@ int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen) { int EmSend4bit(uint8_t resp) { Code4bitAnswerAsTag(resp); - int res = EmSendCmd14443aRaw(ToSend, ToSendMax); + tosend_t *ts = get_tosend(); + int res = EmSendCmd14443aRaw(ts->buf, ts->max); // do the tracing for the previous reader request and this tag answer: uint8_t par[1] = {0x00}; GetParity(&resp, 1, par); @@ -1988,7 +1999,9 @@ int EmSendCmdPar(uint8_t *resp, uint16_t respLen, uint8_t *par) { } int EmSendCmdParEx(uint8_t *resp, uint16_t respLen, uint8_t *par, bool collision) { CodeIso14443aAsTagPar(resp, respLen, par, collision); - int res = EmSendCmd14443aRaw(ToSend, ToSendMax); + tosend_t *ts = get_tosend(); + int res = EmSendCmd14443aRaw(ts->buf, ts->max); + // do the tracing for the previous reader request and this tag answer: EmLogTrace(Uart.output, Uart.len, @@ -2149,7 +2162,8 @@ void ReaderTransmitBitsPar(uint8_t *frame, uint16_t bits, uint8_t *par, uint32_t CodeIso14443aBitsAsReaderPar(frame, bits, par); // Send command to tag - TransmitFor14443a(ToSend, ToSendMax, timing); + tosend_t *ts = get_tosend(); + TransmitFor14443a(ts->buf, ts->max, timing); if (g_trigger) LED_A_ON(); LogTrace(frame, nbytes(bits), (LastTimeProxToAirStart << 4) + DELAY_ARM2AIR_AS_READER, ((LastTimeProxToAirStart + LastProxToAirDuration) << 4) + DELAY_ARM2AIR_AS_READER, par, true); @@ -2527,7 +2541,7 @@ void iso14443a_setup(uint8_t fpga_minor_mode) { FpgaDownloadAndGo(FPGA_BITSTREAM_HF); // Set up the synchronous serial port - FpgaSetupSsc(); + FpgaSetupSsc(FPGA_MAJOR_MODE_HF_ISO14443A); // connect Demodulated Signal to ADC: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); @@ -2551,7 +2565,6 @@ void iso14443a_setup(uint8_t fpga_minor_mode) { hf_field_active = true; } - void hf_field_off(void) { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); diff --git a/armsrc/iso14443b.c b/armsrc/iso14443b.c index 4999c4d85..e26ebb017 100644 --- a/armsrc/iso14443b.c +++ b/armsrc/iso14443b.c @@ -1,5 +1,6 @@ //----------------------------------------------------------------------------- // Jonathan Westhues, split Nov 2006 +// piwi 2018 // // This code is licensed to you under the terms of the GNU GPL, version 2 or, // at your option, any later version. See the LICENSE.txt file for the text of @@ -24,20 +25,16 @@ #include "dbprint.h" #include "ticks.h" -#ifndef FWT_TIMEOUT_14B -// defaults to 2000ms -# define FWT_TIMEOUT_14B 35312 -#endif -#ifndef ISO14443B_DMA_BUFFER_SIZE -# define ISO14443B_DMA_BUFFER_SIZE 512 //changed this from 256 -#endif + #ifndef RECEIVE_MASK -# define RECEIVE_MASK (ISO14443B_DMA_BUFFER_SIZE-1) +# define RECEIVE_MASK (DMA_BUFFER_SIZE - 1) #endif +#define RECEIVE_SAMPLES_TIMEOUT 64 + // Guard Time (per 14443-2) #ifndef TR0 -# define TR0 32 //this value equals 8 ETU = 32 ssp clk (w/ 424 khz) +# define TR0 64 // TR0 max is 256/fs = 256/(848kHz) = 302us or 64 samples from FPGA #endif // Synchronization time (per 14443-2) @@ -50,31 +47,163 @@ #endif // 4sample -#define SEND4STUFFBIT(x) ToSendStuffBit(x);ToSendStuffBit(x);ToSendStuffBit(x);ToSendStuffBit(x); -//#define SEND4STUFFBIT(x) ToSendStuffBit(x); -// iceman, this threshold value, what makes 8 a good amplitude for this IQ values? -#ifndef SUBCARRIER_DETECT_THRESHOLD -# define SUBCARRIER_DETECT_THRESHOLD 8 -#endif +#define SEND4STUFFBIT(x) tosend_stuffbit(x);tosend_stuffbit(x);tosend_stuffbit(x);tosend_stuffbit(x); static void iso14b_set_timeout(uint32_t timeout); static void iso14b_set_maxframesize(uint16_t size); // the block number for the ISO14443-4 PCB (used with APDUs) static uint8_t pcb_blocknum = 0; -static uint32_t iso14b_timeout = FWT_TIMEOUT_14B; +static uint32_t iso14b_timeout = TR0; + + +/* ISO 14443 B +* +* Reader to card | ASK - Amplitude Shift Keying Modulation (PCD to PICC for Type B) (NRZ-L encodig) +* Card to reader | BPSK - Binary Phase Shift Keying Modulation, (PICC to PCD for Type B) +* +* fc - carrier frequency 13.56 MHz +* TR0 - Guard Time per 14443-2 +* TR1 - Synchronization Time per 14443-2 +* TR2 - PICC to PCD Frame Delay Time (per 14443-3 Amendment 1) +* +* Elementary Time Unit (ETU) is +* - 128 Carrier Cycles (9.4395 µS) = 8 Subcarrier Units +* - 1 ETU = 1 bit +* - 10 ETU = 1 startbit, 8 databits, 1 stopbit (10bits length) +* - startbit is a 0 +* - stopbit is a 1 +* +* Start of frame (SOF) is +* - [10-11] ETU of ZEROS, unmodulated time +* - [2-3] ETU of ONES, +* +* End of frame (EOF) is +* - [10-11] ETU of ZEROS, unmodulated time +* +* -TO VERIFY THIS BELOW- +* The mode FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK which we use to simulate tag +* works like this: +* - A 1-bit input to the FPGA becomes 8 pulses at 847.5kHz (1.18µS / pulse) == 9.44us +* - A 0-bit input to the FPGA becomes an unmodulated time of 1.18µS or does it become 8 nonpulses for 9.44us +* +* FPGA doesn't seem to work with ETU. It seems to work with pulse / duration instead. +* +* Card sends data ub 847.e kHz subcarrier +* subcar |duration| FC division +* -------+--------+------------ +* 106kHz | 9.44µS | FC/128 +* 212kHz | 4.72µS | FC/64 +* 424kHz | 2.36µS | FC/32 +* 848kHz | 1.18µS | FC/16 +* -------+--------+------------ +* +* Reader data transmission: +* - no modulation ONES +* - SOF +* - Command, data and CRC_B +* - EOF +* - no modulation ONES +* +* Card data transmission +* - TR1 +* - SOF +* - data (each bytes is: 1startbit, 8bits, 1stopbit) +* - CRC_B +* - EOF +* +* FPGA implementation : +* At this point only Type A is implemented. This means that we are using a +* bit rate of 106 kbit/s, or fc/128. Oversample by 4, which ought to make +* things practical for the ARM (fc/32, 423.8 kbits/s, ~50 kbytes/s) +* +*/ + + //============================================================================= // An ISO 14443 Type B tag. We listen for commands from the reader, using -// a kind of thing that's implemented in software. When we get a +// a UART kind of thing that's implemented in software. When we get a // frame (i.e., a group of bytes between SOF and EOF), we check the CRC. // If it's good, then we can do something appropriate with it, and send // a response. //============================================================================= +//----------------------------------------------------------------------------- +// Code up a string of octets at layer 2 (including CRC, we don't generate +// that here) so that they can be transmitted to the reader. Doesn't transmit +// them yet, just leaves them ready to send in ToSend[]. +//----------------------------------------------------------------------------- +static void CodeIso14443bAsTag(const uint8_t *cmd, int len) { + int i; + + tosend_reset(); + + // Transmit a burst of ones, as the initial thing that lets the + // reader get phase sync. + // This loop is TR1, per specification + // TR1 minimum must be > 80/fs + // TR1 maximum 200/fs + // 80/fs < TR1 < 200/fs + // 10 ETU < TR1 < 24 ETU + + // Send TR1. + // 10-11 ETU * 4times samples ONES + for (i = 0; i < 20; i++) { + SEND4STUFFBIT(1); + } + + // Send SOF. + // 10-11 ETU * 4times samples ZEROS + for (i = 0; i < 10; i++) { + SEND4STUFFBIT(0); + } + + // 2-3 ETU * 4times samples ONES + for (i = 0; i < 2; i++) { + SEND4STUFFBIT(1); + } + + // data + for (i = 0; i < len; i++) { + + // Start bit + SEND4STUFFBIT(0); + + // Data bits + uint8_t b = cmd[i]; + for (int j = 0; j < 8; j++) { + SEND4STUFFBIT(b & 1); + b >>= 1; + } + + // Stop bit + SEND4STUFFBIT(1); + + // Extra Guard bit + // For PICC it ranges 0-18us (1etu = 9us) + //SEND4STUFFBIT(1); + } + + // Send EOF. + // 10-11 ETU * 4 sample rate = ZEROS + for(i = 0; i < 10; i++) { + SEND4STUFFBIT(0); + } + + // why this? + for(i = 0; i < 2; i++) { + SEND4STUFFBIT(1); + } + + tosend_t *ts = get_tosend(); + // Convert from last byte pos to length + ts->max++; +} //----------------------------------------------------------------------------- -// The software that receives commands from the reader, and its state variables. +// The software UART that receives commands from the reader, and its state +// variables. //----------------------------------------------------------------------------- static struct { enum { @@ -103,7 +232,6 @@ static void Uart14bReset(void) { static void Uart14bInit(uint8_t *data) { Uart.output = data; Uart14bReset(); -// memset(Uart.output, 0x00, MAX_FRAME_SIZE); } //----------------------------------------------------------------------------- @@ -121,10 +249,6 @@ static struct { uint16_t bitCount; int posCount; int thisBit; - /* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented. - int metric; - int metricN; - */ uint16_t shiftReg; uint8_t *output; uint16_t len; @@ -150,7 +274,6 @@ static void Demod14bReset(void) { static void Demod14bInit(uint8_t *data) { Demod.output = data; Demod14bReset(); - // memset(Demod.output, 0x00, MAX_FRAME_SIZE); } @@ -175,6 +298,7 @@ static void iso14b_set_timeout(uint32_t timeout) { iso14b_timeout = timeout; if (DBGLEVEL >= 3) Dbprintf("ISO14443B Timeout set to %ld fwt", iso14b_timeout); } + static void iso14b_set_maxframesize(uint16_t size) { if (size > 256) size = MAX_FRAME_SIZE; @@ -183,142 +307,6 @@ static void iso14b_set_maxframesize(uint16_t size) { if (DBGLEVEL >= 3) Dbprintf("ISO14443B Max frame size set to %d bytes", Uart.byteCntMax); } -//----------------------------------------------------------------------------- -// Code up a string of octets at layer 2 (including CRC, we don't generate -// that here) so that they can be transmitted to the reader. Doesn't transmit -// them yet, just leaves them ready to send in ToSend[]. -//----------------------------------------------------------------------------- -static void CodeIso14443bAsTag(const uint8_t *cmd, int len) { - /* ISO 14443 B - * - * Reader to card | ASK - Amplitude Shift Keying Modulation (PCD to PICC for Type B) (NRZ-L encodig) - * Card to reader | BPSK - Binary Phase Shift Keying Modulation, (PICC to PCD for Type B) - * - * fc - carrier frequency 13.56 MHz - * TR0 - Guard Time per 14443-2 - * TR1 - Synchronization Time per 14443-2 - * TR2 - PICC to PCD Frame Delay Time (per 14443-3 Amendment 1) - * - * Elementary Time Unit (ETU) is - * - 128 Carrier Cycles (9.4395 µS) = 8 Subcarrier Units - * - 1 ETU = 1 bit - * - 10 ETU = 1 startbit, 8 databits, 1 stopbit (10bits length) - * - startbit is a 0 - * - stopbit is a 1 - * - * Start of frame (SOF) is - * - [10-11] ETU of ZEROS, unmodulated time - * - [2-3] ETU of ONES, - * - * End of frame (EOF) is - * - [10-11] ETU of ZEROS, unmodulated time - * - * -TO VERIFY THIS BELOW- - * The mode FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK which we use to simulate tag - * works like this: - * - A 1-bit input to the FPGA becomes 8 pulses at 847.5kHz (1.18µS / pulse) == 9.44us - * - A 0-bit input to the FPGA becomes an unmodulated time of 1.18µS or does it become 8 nonpulses for 9.44us - * - * FPGA doesn't seem to work with ETU. It seems to work with pulse / duration instead. - * - * Card sends data ub 847.e kHz subcarrier - * subcar |duration| FC division - * -------+--------+------------ - * 106kHz | 9.44µS | FC/128 - * 212kHz | 4.72µS | FC/64 - * 424kHz | 2.36µS | FC/32 - * 848kHz | 1.18µS | FC/16 - * -------+--------+------------ - * - * Reader data transmission: - * - no modulation ONES - * - SOF - * - Command, data and CRC_B - * - EOF - * - no modulation ONES - * - * Card data transmission - * - TR1 - * - SOF - * - data (each bytes is: 1startbit, 8bits, 1stopbit) - * - CRC_B - * - EOF - * - * FPGA implementation : - * At this point only Type A is implemented. This means that we are using a - * bit rate of 106 kbit/s, or fc/128. Oversample by 4, which ought to make - * things practical for the ARM (fc/32, 423.8 kbits/s, ~50 kbytes/s) - * - */ - - ToSendReset(); - - // Transmit a burst of ones, as the initial thing that lets the - // reader get phase sync. - // This loop is TR1, per specification - // TR1 minimum must be > 80/fs - // TR1 maximum 200/fs - // 80/fs < TR1 < 200/fs - // 10 ETU < TR1 < 24 ETU - - // Send TR1. - // 10-11 ETU * 4times samples ONES - for (int i = 0; i < 10; i++) { SEND4STUFFBIT(1); } - - // Send SOF. - // 10-11 ETU * 4times samples ZEROS - for (int i = 0; i < 10; i++) { SEND4STUFFBIT(0); } - //for(i = 0; i < 10; i++) { ToSendStuffBit(0); } - - // 2-3 ETU * 4times samples ONES - for (int i = 0; i < 3; i++) { SEND4STUFFBIT(1); } - //for(i = 0; i < 3; i++) { ToSendStuffBit(1); } - - // data - for (int i = 0; i < len; ++i) { - - // Start bit - SEND4STUFFBIT(0); - //ToSendStuffBit(0); - - // Data bits - uint8_t b = cmd[i]; - for (int j = 0; j < 8; ++j) { - // if(b & 1) { - // SEND4STUFFBIT(1); - // //ToSendStuffBit(1); - // } else { - // SEND4STUFFBIT(0); - // //ToSendStuffBit(0); - // } - SEND4STUFFBIT(b & 1); - b >>= 1; - } - - // Stop bit - SEND4STUFFBIT(1); - //ToSendStuffBit(1); - - // Extra Guard bit - // For PICC it ranges 0-18us (1etu = 9us) - SEND4STUFFBIT(1); - //ToSendStuffBit(1); - } - - // Send EOF. - // 10-11 ETU * 4 sample rate = ZEROS - for (int i = 0; i < 10; i++) { SEND4STUFFBIT(0); } - //for(i = 0; i < 10; i++) { ToSendStuffBit(0); } - - // why this? - for (int i = 0; i < 2; i++) { SEND4STUFFBIT(1); } - //for(i = 0; i < 40; i++) { ToSendStuffBit(1); } - - // Convert from last byte pos to length - ++ToSendMax; -} - - /* Receive & handle a bit coming from the reader. * * This function is called 4 times per bit (every 2 subcarrier cycles). @@ -454,41 +442,15 @@ static int GetIso14443bCommandFromReader(uint8_t *received, uint16_t *len) { LED_D_OFF(); FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION); - StartCountSspClk(); - - volatile uint8_t b; - - // clear receiving shift register and holding register - // What does this loop do? Is it TR1? - // loop is a wait/delay ? - /* - for(uint8_t c = 0; c < 10;) { - - // keep tx buffer in a defined state anyway. - if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - AT91C_BASE_SSC->SSC_THR = 0xFF; - ++c; - } - } - */ // Now run a `software UART' on the stream of incoming samples. Uart14bInit(received); - uint8_t mask; - while (!BUTTON_PRESS()) { + while (BUTTON_PRESS() == false) { WDT_HIT(); - // keep tx buffer in a defined state anyway. - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - AT91C_BASE_SSC->SSC_THR = 0x00; - } - - // Wait for byte be become available in rx holding register - if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) { - - b = (uint8_t) AT91C_BASE_SSC->SSC_RHR; - - for (mask = 0x80; mask != 0; mask >>= 1) { + if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { + uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; + for (uint8_t mask = 0x80; mask != 0x00; mask >>= 1) { if (Handle14443bReaderUartBit(b & mask)) { *len = Uart.byteCnt; return true; @@ -499,75 +461,25 @@ static int GetIso14443bCommandFromReader(uint8_t *received, uint16_t *len) { return false; } -void ClearFpgaShiftingRegisters(void) { - - volatile uint8_t b; - - // clear receiving shift register and holding register - while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)) {}; - - b = AT91C_BASE_SSC->SSC_RHR; - (void) b; - - while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)) {}; - - b = AT91C_BASE_SSC->SSC_RHR; - (void) b; - - // wait for the FPGA to signal fdt_indicator == 1 (the FPGA is ready to queue new data in its delay line) - for (uint8_t j = 0; j < 5; j++) { // allow timeout - better late than never - while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)) {}; - if (AT91C_BASE_SSC->SSC_RHR) break; - } - - // Clear TXRDY: - //AT91C_BASE_SSC->SSC_THR = 0xFF; -} - -void WaitForFpgaDelayQueueIsEmpty(uint16_t delay) { - // Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN again: - uint8_t fpga_queued_bits = delay >> 3; // twich /8 ?? >>3, - for (uint8_t i = 0; i <= fpga_queued_bits / 8 + 1;) { - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - AT91C_BASE_SSC->SSC_THR = 0xFF; - i++; - } - } -} static void TransmitFor14443b_AsTag(uint8_t *response, uint16_t len) { - volatile uint32_t b; - // Signal field is off with the appropriate LED LED_D_OFF(); - //uint16_t fpgasendQueueDelay = 0; // Modulate BPSK FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK); - SpinDelay(40); - - ClearFpgaShiftingRegisters(); - - FpgaSetupSsc(); + AT91C_BASE_SSC->SSC_THR = 0xFF; + FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR); // Transmit the response. for (uint16_t i = 0; i < len;) { // Put byte into tx holding register as soon as it is ready if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) { - AT91C_BASE_SSC->SSC_THR = response[++i]; - } - - // Prevent rx holding register from overflowing - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { - b = AT91C_BASE_SSC->SSC_RHR; - (void)b; + AT91C_BASE_SSC->SSC_THR = response[i++]; } } - - //WaitForFpgaDelayQueueIsEmpty(fpgasendQueueDelay); - AT91C_BASE_SSC->SSC_THR = 0xFF; } //----------------------------------------------------------------------------- // Main loop of simulated tag: receive commands from reader, decide what @@ -575,41 +487,26 @@ static void TransmitFor14443b_AsTag(uint8_t *response, uint16_t len) { //----------------------------------------------------------------------------- void SimulateIso14443bTag(uint32_t pupi) { - // setup device. - FpgaDownloadAndGo(FPGA_BITSTREAM_HF); - // connect Demodulated Signal to ADC: - SetAdcMuxFor(GPIO_MUXSEL_HIPKD); - // Set up the synchronous serial port - FpgaSetupSsc(); - - // allocate command receive buffer - BigBuf_free(); - BigBuf_Clear_ext(false); - - clear_trace(); //sim - set_tracing(true); - - uint16_t len, cmdsReceived = 0; - int cardSTATE = SIM_NOFIELD; - int vHf = 0; // in mV - // uint32_t time_0 = 0; - // uint32_t t2r_time = 0; - // uint32_t r2t_time = 0; - uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE); - + LED_A_ON(); // the only commands we understand is WUPB, AFI=0, Select All, N=1: -// static const uint8_t cmdWUPB[] = { ISO14443B_REQB, 0x00, 0x08, 0x39, 0x73 }; // WUPB +// static const uint8_t cmdWUPB[] = { ISO14443B_REQB, 0x00, 0x08, 0x39, 0x73 }; // WUPB // ... and REQB, AFI=0, Normal Request, N=1: -// static const uint8_t cmdREQB[] = { ISO14443B_REQB, 0x00, 0x00, 0x71, 0xFF }; // REQB +// static const uint8_t cmdREQB[] = { ISO14443B_REQB, 0x00, 0x00, 0x71, 0xFF }; // REQB + // ... and HLTB +// static const uint8_t cmdHLTB[] = { 0x50, 0xff, 0xff, 0xff, 0xff }; // HLTB // ... and ATTRIB -// static const uint8_t cmdATTRIB[] = { ISO14443B_ATTRIB, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; // ATTRIB +// static const uint8_t cmdATTRIB[] = { ISO14443B_ATTRIB, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; // ATTRIB // ... if not PUPI/UID is supplied we always respond with ATQB, PUPI = 820de174, Application Data = 0x20381922, // supports only 106kBit/s in both directions, max frame size = 32Bytes, // supports ISO14443-4, FWI=8 (77ms), NAD supported, CID not supported: - uint8_t respATQB[] = { 0x50, 0x82, 0x0d, 0xe1, 0x74, 0x20, 0x38, 0x19, - 0x22, 0x00, 0x21, 0x85, 0x5e, 0xd7 - }; + uint8_t respATQB[] = { + 0x50, + 0x82, 0x0d, 0xe1, 0x74, + 0x20, 0x38, 0x19, + 0x22, 0x00, 0x21, 0x85, + 0x5e, 0xd7 + }; // response to HLTB and ATTRIB static const uint8_t respOK[] = {0x00, 0x78, 0xF0}; @@ -619,23 +516,51 @@ void SimulateIso14443bTag(uint32_t pupi) { num_to_bytes(pupi, 4, respATQB + 1); AddCrc14B(respATQB, 12); } + + // setup device. + FpgaDownloadAndGo(FPGA_BITSTREAM_HF); + + // connect Demodulated Signal to ADC: + SetAdcMuxFor(GPIO_MUXSEL_HIPKD); + + // Set up the synchronous serial port + FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR); + + // allocate command receive buffer + BigBuf_free(); + BigBuf_Clear_ext(false); + clear_trace(); + set_tracing(true); + + uint16_t len, cmdsReceived = 0; + int cardSTATE = SIM_NOFIELD; + int vHf = 0; // in mV + + tosend_t *ts = get_tosend(); + + uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE); // prepare "ATQB" tag answer (encoded): CodeIso14443bAsTag(respATQB, sizeof(respATQB)); - uint8_t *encodedATQB = BigBuf_malloc(ToSendMax); - uint16_t encodedATQBLen = ToSendMax; - memcpy(encodedATQB, ToSend, ToSendMax); + uint8_t *encodedATQB = BigBuf_malloc(ts->max); + uint16_t encodedATQBLen = ts->max; + memcpy(encodedATQB, ts->buf, ts->max); // prepare "OK" tag answer (encoded): CodeIso14443bAsTag(respOK, sizeof(respOK)); - uint8_t *encodedOK = BigBuf_malloc(ToSendMax); - uint16_t encodedOKLen = ToSendMax; - memcpy(encodedOK, ToSend, ToSendMax); + uint8_t *encodedOK = BigBuf_malloc(ts->max); + uint16_t encodedOKLen = ts->max; + memcpy(encodedOK, ts->buf, ts->max); // Simulation loop - while (!BUTTON_PRESS() && !data_available()) { + while (BUTTON_PRESS() == false) { WDT_HIT(); + + //iceman: limit with 2000 times.. + if (data_available()) { + break; + } // find reader field if (cardSTATE == SIM_NOFIELD) { @@ -663,7 +588,7 @@ void SimulateIso14443bTag(uint32_t pupi) { // WUP in HALTED state if (len == 5) { if ((receivedCmd[0] == ISO14443B_REQB && (receivedCmd[2] & 0x8) == 0x8 && cardSTATE == SIM_HALTED) || - receivedCmd[0] == ISO14443B_REQB) { + receivedCmd[0] == ISO14443B_REQB) { LogTrace(receivedCmd, len, 0, 0, NULL, true); cardSTATE = SIM_SELECTING; } @@ -714,15 +639,21 @@ void SimulateIso14443bTag(uint32_t pupi) { // - SLOT MARKER // - ISO7816 // - emulate with a memory dump - Dbprintf("new cmd from reader: len=%d, cmdsRecvd=%d", len, cmdsReceived); + if (DBGLEVEL >= DBG_DEBUG) + Dbprintf("new cmd from reader: len=%d, cmdsRecvd=%d", len, cmdsReceived); // CRC Check if (len >= 3) { // if crc exists - if (!check_crc(CRC_14443_B, receivedCmd, len)) - DbpString("+++CRC fail"); - else - DbpString("CRC passes"); + if (!check_crc(CRC_14443_B, receivedCmd, len)) { + if (DBGLEVEL >= DBG_DEBUG) { + DbpString("CRC fail"); + } + } + } else { + if (DBGLEVEL >= DBG_DEBUG) { + DbpString("CRC passed"); + } } cardSTATE = SIM_IDLE; } @@ -734,8 +665,10 @@ void SimulateIso14443bTag(uint32_t pupi) { ++cmdsReceived; } - if (DBGLEVEL >= 2) + + if (DBGLEVEL >= DBG_DEBUG) Dbprintf("Emulator stopped. Trace length: %d ", BigBuf_get_traceLen()); + switch_off(); //simulate } @@ -760,72 +693,17 @@ void SimulateIso14443bTag(uint32_t pupi) { * false if we are still waiting for some more * */ -static RAMFUNC int Handle14443bTagSamplesDemod(int ci, int cq) { - int v = 0, myI = ABS(ci), myQ = ABS(cq); +static RAMFUNC int Handle14443bTagSamplesDemod(uint16_t amplitude) { -// The soft decision on the bit uses an estimate of just the -// quadrant of the reference angle, not the exact angle. -#define MAKE_SOFT_DECISION(void) { \ - if (Demod.sumI > 0) { \ - v = ci; \ - } else { \ - v = -ci; \ - } \ - if (Demod.sumQ > 0) { \ - v += cq; \ - } else { \ - v -= cq; \ - } \ - } - -// Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by abs(ci) + abs(cq) -// Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by max(abs(ci),abs(cq)) + 1/2*min(abs(ci),abs(cq))) -#define CHECK_FOR_SUBCARRIER_old(void) { \ - if (ci < 0) { \ - if (cq < 0) { /* ci < 0, cq < 0 */ \ - if (cq < ci) { \ - v = -cq - (ci >> 1); \ - } else { \ - v = -ci - (cq >> 1); \ - } \ - } else { /* ci < 0, cq >= 0 */ \ - if (cq < -ci) { \ - v = -ci + (cq >> 1); \ - } else { \ - v = cq - (ci >> 1); \ - } \ - } \ - } else { \ - if (cq < 0) { /* ci >= 0, cq < 0 */ \ - if (-cq < ci) { \ - v = ci - (cq >> 1); \ - } else { \ - v = -cq + (ci >> 1); \ - } \ - } else { /* ci >= 0, cq >= 0 */ \ - if (cq < ci) { \ - v = ci + (cq >> 1); \ - } else { \ - v = cq + (ci >> 1); \ - } \ - } \ - } \ - } - -//note: couldn't we just use MAX(ABS(ci),ABS(cq)) + (MIN(ABS(ci),ABS(cq))/2) from common.h - marshmellow -#define CHECK_FOR_SUBCARRIER(void) { v = MAX(myI, myQ) + (MIN(myI, myQ) >> 1); } +#define SUBCARRIER_DETECT_THRESHOLD 8 switch (Demod.state) { case DEMOD_UNSYNCD: - CHECK_FOR_SUBCARRIER(); - - // subcarrier detected - - if (v > SUBCARRIER_DETECT_THRESHOLD) { + if (amplitude > SUBCARRIER_DETECT_THRESHOLD) { Demod.state = DEMOD_PHASE_REF_TRAINING; - Demod.sumI = ci; - Demod.sumQ = cq; + Demod.sumI = amplitude; + Demod.sumQ = amplitude; Demod.posCount = 1; } break; @@ -833,13 +711,11 @@ static RAMFUNC int Handle14443bTagSamplesDemod(int ci, int cq) { case DEMOD_PHASE_REF_TRAINING: if (Demod.posCount < 8) { - CHECK_FOR_SUBCARRIER(); - - if (v > SUBCARRIER_DETECT_THRESHOLD) { + if (amplitude > SUBCARRIER_DETECT_THRESHOLD) { // set the reference phase (will code a logic '1') by averaging over 32 1/fs. // note: synchronization time > 80 1/fs - Demod.sumI += ci; - Demod.sumQ += cq; + Demod.sumI += amplitude; + Demod.sumQ += amplitude; Demod.posCount++; } else { // subcarrier lost @@ -852,14 +728,14 @@ static RAMFUNC int Handle14443bTagSamplesDemod(int ci, int cq) { case DEMOD_AWAITING_FALLING_EDGE_OF_SOF: - MAKE_SOFT_DECISION(); - - if (v < 0) { // logic '0' detected + if (amplitude == 0) { // logic '0' detected Demod.state = DEMOD_GOT_FALLING_EDGE_OF_SOF; Demod.posCount = 0; // start of SOF sequence } else { // maximum length of TR1 = 200 1/fs - if (Demod.posCount > 200 / 4) Demod.state = DEMOD_UNSYNCD; + if (Demod.posCount > 200 / 4){ + Demod.state = DEMOD_UNSYNCD; + } } Demod.posCount++; break; @@ -867,9 +743,7 @@ static RAMFUNC int Handle14443bTagSamplesDemod(int ci, int cq) { case DEMOD_GOT_FALLING_EDGE_OF_SOF: Demod.posCount++; - MAKE_SOFT_DECISION(); - - if (v > 0) { + if (amplitude > 0) { // low phase of SOF too short (< 9 etu). Note: spec is >= 10, but FPGA tends to "smear" edges if (Demod.posCount < 9 * 2) { Demod.state = DEMOD_UNSYNCD; @@ -877,6 +751,7 @@ static RAMFUNC int Handle14443bTagSamplesDemod(int ci, int cq) { LED_C_ON(); // Got SOF Demod.state = DEMOD_AWAITING_START_BIT; Demod.posCount = 0; + Demod.bitCount = 0; Demod.len = 0; } } else { @@ -891,17 +766,19 @@ static RAMFUNC int Handle14443bTagSamplesDemod(int ci, int cq) { case DEMOD_AWAITING_START_BIT: Demod.posCount++; - MAKE_SOFT_DECISION(); - - if (v > 0) { + if (amplitude > 0) { if (Demod.posCount > 6 * 2) { // max 19us between characters = 16 1/fs, max 3 etu after low phase of SOF = 24 1/fs - Demod.state = DEMOD_UNSYNCD; LED_C_OFF(); + if (Demod.bitCount == 0 && Demod.len == 0) { // received SOF only, this is valid for iClass/Picopass + return true; + } else { + Demod.state = DEMOD_UNSYNCD; + } } } else { // start bit detected Demod.bitCount = 0; Demod.posCount = 1; // this was the first half - Demod.thisBit = v; + Demod.thisBit = amplitude; Demod.shiftReg = 0; Demod.state = DEMOD_RECEIVING_DATA; } @@ -909,15 +786,13 @@ static RAMFUNC int Handle14443bTagSamplesDemod(int ci, int cq) { case DEMOD_RECEIVING_DATA: - MAKE_SOFT_DECISION(); - if (Demod.posCount == 0) { // first half of bit - Demod.thisBit = v; + Demod.thisBit = amplitude; Demod.posCount = 1; } else { // second half of bit - Demod.thisBit += v; + Demod.thisBit += amplitude; Demod.shiftReg >>= 1; // OR in a logic '1' @@ -932,11 +807,12 @@ static RAMFUNC int Handle14443bTagSamplesDemod(int ci, int cq) { uint16_t s = Demod.shiftReg; // stop bit == '1', start bit == '0' - if ((s & 0x200) && (s & 0x001) == 0) { + if ((s & 0x200) && ((s & 0x001) == 0)) { // left shift to drop the startbit uint8_t b = (s >> 1); Demod.output[Demod.len] = b; - ++Demod.len; + Demod.len++; + Demod.bitCount = 0; Demod.state = DEMOD_AWAITING_START_BIT; } else { // this one is a bit hard, either its a correc byte or its unsynced. @@ -962,101 +838,120 @@ static RAMFUNC int Handle14443bTagSamplesDemod(int ci, int cq) { /* * Demodulate the samples we received from the tag, also log to tracebuffer - * quiet: set to 'TRUE' to disable debug output */ -static void GetTagSamplesFor14443bDemod(void) { - bool finished = false; -// int lastRxCounter = ISO14443B_DMA_BUFFER_SIZE; - uint32_t time_0 = 0, time_stop = 0; +static int GetTagSamplesFor14443bDemod(int timeout) { + + int samples = 0, ret = 0; BigBuf_free(); // Set up the demodulator for tag -> reader responses. Demod14bInit(BigBuf_malloc(MAX_FRAME_SIZE)); - // The DMA buffer, used to stream samples from the FPGA - int8_t *dmaBuf = (int8_t *) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE); - int8_t *upTo = dmaBuf; + // wait for last transfer to complete + while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY)) // Setup and start DMA. - if (!FpgaSetupSscDma((uint8_t *) dmaBuf, ISO14443B_DMA_BUFFER_SIZE)) { + FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER); + + // The DMA buffer, used to stream samples from the FPGA + dmabuf16_t *dma = get_dma16(); + if (FpgaSetupSscDma((uint8_t *) dma->buf, DMA_BUFFER_SIZE) == false) { if (DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting"); - return; + return -1; } + // Signal field is ON with the appropriate LED: + LED_D_ON(); + // And put the FPGA in the appropriate mode - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_848_KHZ | FPGA_HF_READER_MODE_RECEIVE_IQ); - // get current clock - time_0 = GetCountSspClk(); +// uint32_t dma_start_time; + uint16_t *upTo = dma->buf; - // rx counter - dma counter? (how much?) & (mod) mask > 2. (since 2bytes at the time is read) - while (!finished) { + for(;;) { + uint16_t behindBy = ((uint16_t*)AT91C_BASE_PDC_SSC->PDC_RPR - upTo) & (DMA_BUFFER_SIZE - 1); - LED_A_INV(); - WDT_HIT(); + if (behindBy == 0) continue; - // LSB is a fpga signal bit. - int ci = upTo[0]; - int cq = upTo[1]; - upTo += 2; -// lastRxCounter -= 2; + samples++; + /* + if (samples == 1) { + // DMA has transferred the very first data + dma_start_time = GetCountSspClk() & 0xfffffff0; + } + */ - // restart DMA buffer to receive again. - if (upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) { - upTo = dmaBuf; -// lastRxCounter = ISO14443B_DMA_BUFFER_SIZE; - AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo; - AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE; + volatile uint16_t tagdata = *upTo++; + + if (upTo >= dma->buf + DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content. + upTo = dma->buf; // start reading the circular buffer from the beginning + if (behindBy > (9 * DMA_BUFFER_SIZE / 10)) { + Dbprintf("About to blow circular buffer - aborted! behindBy=%d", behindBy); + ret = -1; + break; + } + } + + if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { // DMA Counter Register had reached 0, already rotated. + AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dma->buf; // refresh the DMA Next Buffer and + AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE; // DMA Next Counter registers } - // https://github.com/Proxmark/proxmark3/issues/103 - bool gotFrame = Handle14443bTagSamplesDemod(ci, cq); - time_stop = GetCountSspClk() - time_0; + if (Handle14443bTagSamplesDemod(tagdata)) { + ret = Demod.len; + break; + } - finished = (time_stop > iso14b_timeout || gotFrame); + if(samples > timeout && Demod.state < DEMOD_PHASE_REF_TRAINING) { + ret = -1; + LED_C_OFF(); + break; + } } FpgaDisableSscDma(); - if (upTo) - upTo = NULL; + if (ret < 0) { + return ret; + } - if (Demod.len > 0) - LogTrace(Demod.output, Demod.len, time_0, time_stop, NULL, false); + if (Demod.len > 0) { + LogTrace(Demod.output, Demod.len, 0, 0, NULL, false); + } + + return ret; } //----------------------------------------------------------------------------- // Transmit the command (to the tag) that was placed in ToSend[]. //----------------------------------------------------------------------------- static void TransmitFor14443b_AsReader(void) { - int c; - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD); - SpinDelay(60); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_SHALLOW_MOD); - // What does this loop do? Is it TR1? - // 0xFF = 8 bits of 1. 1 bit == 1Etu,.. - // loop 10 * 8 = 80 ETU of delay, with a non modulated signal. why? - // 80*9 = 720us. + LED_B_ON(); + tosend_t *ts = get_tosend(); + + for (int c = 0; c < ts->max; c++) { + uint8_t data = ts->buf[c]; - for (c = 0; c < 50;) { + for (int i = 0; i < 8; i++) { + uint16_t send_word = (data & 0x80) ? 0x0000 : 0xffff; + + while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) ; + + AT91C_BASE_SSC->SSC_THR = send_word; - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - AT91C_BASE_SSC->SSC_THR = 0xFF; - c++; + while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) ; + AT91C_BASE_SSC->SSC_THR = send_word; + + data <<= 1; } + WDT_HIT(); } - - // Send frame loop - for (c = 0; c < ToSendMax;) { - - // Put byte into tx holding register as soon as it is ready - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - AT91C_BASE_SSC->SSC_THR = ToSend[c++]; - } - } - WDT_HIT(); + LED_B_OFF(); } //----------------------------------------------------------------------------- @@ -1079,64 +974,62 @@ static void CodeIso14443bAsReader(const uint8_t *cmd, int len) { * 1 "stuffbit" = 1ETU (9us) */ - ToSendReset(); + tosend_reset(); // Send SOF // 10-11 ETUs of ZERO - for (int i = 0; i < 10; ++i) ToSendStuffBit(0); + for (int i = 0; i < 10; i++) + tosend_stuffbit(0); + // 2-3 ETUs of ONE - ToSendStuffBit(1); - ToSendStuffBit(1); -// ToSendStuffBit(1); + tosend_stuffbit(1); + tosend_stuffbit(1); // Sending cmd, LSB // from here we add BITS - for (int i = 0; i < len; ++i) { + for (int i = 0; i < len; i++) { // Start bit - ToSendStuffBit(0); + tosend_stuffbit(0); // Data bits uint8_t b = cmd[i]; - // if ( b & 1 ) ToSendStuffBit(1); else ToSendStuffBit(0); - // if ( (b>>1) & 1) ToSendStuffBit(1); else ToSendStuffBit(0); - // if ( (b>>2) & 1) ToSendStuffBit(1); else ToSendStuffBit(0); - // if ( (b>>3) & 1) ToSendStuffBit(1); else ToSendStuffBit(0); - // if ( (b>>4) & 1) ToSendStuffBit(1); else ToSendStuffBit(0); - // if ( (b>>5) & 1) ToSendStuffBit(1); else ToSendStuffBit(0); - // if ( (b>>6) & 1) ToSendStuffBit(1); else ToSendStuffBit(0); - // if ( (b>>7) & 1) ToSendStuffBit(1); else ToSendStuffBit(0); - ToSendStuffBit(b & 1); - ToSendStuffBit((b >> 1) & 1); - ToSendStuffBit((b >> 2) & 1); - ToSendStuffBit((b >> 3) & 1); - ToSendStuffBit((b >> 4) & 1); - ToSendStuffBit((b >> 5) & 1); - ToSendStuffBit((b >> 6) & 1); - ToSendStuffBit((b >> 7) & 1); + tosend_stuffbit(b & 1); + tosend_stuffbit((b >> 1) & 1); + tosend_stuffbit((b >> 2) & 1); + tosend_stuffbit((b >> 3) & 1); + tosend_stuffbit((b >> 4) & 1); + tosend_stuffbit((b >> 5) & 1); + tosend_stuffbit((b >> 6) & 1); + tosend_stuffbit((b >> 7) & 1); // Stop bit - ToSendStuffBit(1); + tosend_stuffbit(1); // EGT extra guard time // For PCD it ranges 0-57us (1etu = 9us) - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); +// tosend_stuffbit(1); +// tosend_stuffbit(1); +// tosend_stuffbit(1); } // Send EOF // 10-11 ETUs of ZERO - for (int i = 0; i < 10; ++i) ToSendStuffBit(0); + for (int i = 0; i < 10; i++) + tosend_stuffbit(0); // Transition time. TR0 - guard time // 8ETUS minum? // Per specification, Subcarrier must be stopped no later than 2 ETUs after EOF. // I'm guessing this is for the FPGA to be able to send all bits before we switch to listening mode - for (int i = 0; i < 24 ; ++i) ToSendStuffBit(1); + + // ensure that last byte is filled up + for (int i = 0; i < 8 ; ++i) + tosend_stuffbit(1); // TR1 - Synchronization time // Convert from last character reference to length - ToSendMax++; + tosend_t *ts = get_tosend(); + ts->max++; } /* @@ -1147,11 +1040,7 @@ static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len) { uint32_t time_start = GetCountSspClk(); CodeIso14443bAsReader(cmd, len); - TransmitFor14443b_AsReader(); - - if (g_trigger) LED_A_ON(); - LogTrace(cmd, len, time_start, GetCountSspClk(), NULL, true); } @@ -1159,7 +1048,7 @@ static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len) { * TODO: check CRC and preamble */ uint8_t iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *response) { - + LED_A_ON(); uint8_t message_frame[message_length + 4]; // PCB message_frame[0] = 0x0A | pcb_blocknum; @@ -1171,18 +1060,20 @@ uint8_t iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *r // EDC (CRC) AddCrc14B(message_frame, message_length + 2); // send - CodeAndTransmit14443bAsReader(message_frame, message_length + 4); //no + CodeAndTransmit14443bAsReader(message_frame, message_length + 4); // get response - GetTagSamplesFor14443bDemod(); //no + int ret = GetTagSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT); FpgaDisableTracing(); - if (Demod.len < 3) - return 0; + if (ret < 3) { + LED_A_OFF(); + return 0; + } // VALIDATE CRC if (!check_crc(CRC_14443_B, Demod.output, Demod.len)) { - if (DBGLEVEL > 3) Dbprintf("crc fail ICE"); + if (DBGLEVEL > 3) DbpString("CRC fail"); return 0; } // copy response contents @@ -1190,6 +1081,7 @@ uint8_t iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *r memcpy(response, Demod.output, Demod.len); return Demod.len; + LED_A_OFF(); } /** @@ -1202,12 +1094,14 @@ static uint8_t iso14443b_select_srx_card(iso14b_card_select_t *card) { uint8_t select_srx[] = { ISO14443B_SELECT, 0x00, 0x00, 0x00}; CodeAndTransmit14443bAsReader(init_srx, sizeof(init_srx)); - GetTagSamplesFor14443bDemod(); //no + int ret = GetTagSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT); FpgaDisableTracing(); - if (Demod.len == 0) + if (Demod.len == 0 || ret < 0) return 2; + Dbprintf("Randomly generated Chip ID (+ 2 byte CRC): %02x [%02x %02x]", Demod.output[0], Demod.output[1], Demod.output[2]); + // Randomly generated Chip ID if (card) card->chipid = Demod.output[0]; @@ -1216,10 +1110,10 @@ static uint8_t iso14443b_select_srx_card(iso14b_card_select_t *card) { AddCrc14B(select_srx, 2); CodeAndTransmit14443bAsReader(select_srx, sizeof(select_srx)); - GetTagSamplesFor14443bDemod(); //no + ret = GetTagSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT); FpgaDisableTracing(); - if (Demod.len != 3) + if (Demod.len != 3 || ret < 0) return 2; // Check the CRC of the answer: @@ -1235,10 +1129,10 @@ static uint8_t iso14443b_select_srx_card(iso14b_card_select_t *card) { AddCrc14B(select_srx, 1); CodeAndTransmit14443bAsReader(select_srx, 3); // Only first three bytes for this one - GetTagSamplesFor14443bDemod(); //no + ret = GetTagSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT); FpgaDisableTracing(); - if (Demod.len != 10) + if (Demod.len != 10 || ret < 0) return 2; // The check the CRC of the answer @@ -1258,7 +1152,7 @@ static uint8_t iso14443b_select_srx_card(iso14b_card_select_t *card) { * TODO: Support multiple cards (perform anticollision) * TODO: Verify CRC checksums */ -uint8_t iso14443b_select_card(iso14b_card_select_t *card) { +int iso14443b_select_card(iso14b_card_select_t *card) { // WUPB command (including CRC) // Note: WUPB wakes up all tags, REQB doesn't wake up tags in HALT state static const uint8_t wupb[] = { ISO14443B_REQB, 0x00, 0x08, 0x39, 0x73 }; @@ -1267,16 +1161,16 @@ uint8_t iso14443b_select_card(iso14b_card_select_t *card) { // first, wake up the tag CodeAndTransmit14443bAsReader(wupb, sizeof(wupb)); - GetTagSamplesFor14443bDemod(); //select_card + int ret = GetTagSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT); FpgaDisableTracing(); // ATQB too short? - if (Demod.len < 14) - return 2; + if (ret < 14) + return -1; // VALIDATE CRC if (!check_crc(CRC_14443_B, Demod.output, Demod.len)) - return 3; + return -2; if (card) { card->uidlen = 4; @@ -1292,16 +1186,16 @@ uint8_t iso14443b_select_card(iso14b_card_select_t *card) { AddCrc14B(attrib, 9); CodeAndTransmit14443bAsReader(attrib, sizeof(attrib)); - GetTagSamplesFor14443bDemod();//select_card + ret = GetTagSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT); FpgaDisableTracing(); // Answer to ATTRIB too short? - if (Demod.len < 3) - return 2; + if (ret < 3) + return -1; // VALIDATE CRC if (!check_crc(CRC_14443_B, Demod.output, Demod.len)) - return 3; + return -2; if (card) { @@ -1344,10 +1238,10 @@ void iso14443b_setup(void) { SetAdcMuxFor(GPIO_MUXSEL_HIPKD); // Set up the synchronous serial port - FpgaSetupSsc(); + FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER); // Signal field is on with the appropriate LED - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_SHALLOW_MOD); SpinDelay(100); // Start the timer @@ -1369,21 +1263,22 @@ static bool ReadSTBlock(uint8_t block) { uint8_t cmd[] = {ISO14443B_READ_BLK, block, 0x00, 0x00}; AddCrc14B(cmd, 2); CodeAndTransmit14443bAsReader(cmd, sizeof(cmd)); - GetTagSamplesFor14443bDemod(); + int res = GetTagSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT); FpgaDisableTracing(); // Check if we got an answer from the tag - if (Demod.len != 6) { + if (Demod.len != 6 || res < 0) { DbpString("[!] expected 6 bytes from tag, got less..."); return false; } // The check the CRC of the answer if (!check_crc(CRC_14443_B, Demod.output, Demod.len)) { - DbpString("[!] CRC Error block!"); + DbpString("CRC fail"); return false; } return true; } + void ReadSTMemoryIso14443b(uint8_t numofblocks) { // Make sure that we start from off, since the tags are stateful; // confusing things will happen if we don't reset them between reads. @@ -1427,6 +1322,9 @@ void ReadSTMemoryIso14443b(uint8_t numofblocks) { if (i == 0xff) break; ++i; } + + // Todo: iceman: send back read data to client. + // reply_ng(..., ); out: switch_off(); // disconnect raw @@ -1452,17 +1350,17 @@ static void iso1444b_setup_sniff(void) { Dbprintf("[+] trace: %i bytes", BigBuf_max_traceLen()); Dbprintf("[+] reader -> tag: %i bytes", MAX_FRAME_SIZE); Dbprintf("[+] tag -> reader: %i bytes", MAX_FRAME_SIZE); - Dbprintf("[+] DMA: %i bytes", ISO14443B_DMA_BUFFER_SIZE); + Dbprintf("[+] DMA: %i bytes", DMA_BUFFER_SIZE); } // connect Demodulated Signal to ADC: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); // Setup for the DMA. - FpgaSetupSsc(); + FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER); // Set FPGA in the appropriate mode - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ | FPGA_HF_READER_RX_XCORR_SNOOP); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_848_KHZ | FPGA_HF_READER_MODE_SNIFF_IQ); SpinDelay(20); // Start the SSP timer @@ -1496,14 +1394,22 @@ void RAMFUNC SniffIso14443b(void) { bool TagIsActive = false; bool ReaderIsActive = false; + int lastRxCounter = DMA_BUFFER_SIZE; + int8_t ci, cq; + int maxBehindBy = 0; + + // Count of samples received so far, so that we can include timing + // information in the trace buffer. + int samples = 0; + iso1444b_setup_sniff(); // The DMA buffer, used to stream samples from the FPGA - int8_t *dmaBuf = (int8_t *) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE); - int8_t *data = dmaBuf; + dmabuf16_t *dma = get_dma16(); + uint16_t *upTo = dma->buf; // Setup and start DMA. - if (!FpgaSetupSscDma((uint8_t *) dmaBuf, ISO14443B_DMA_BUFFER_SIZE)) { + if (!FpgaSetupSscDma((uint8_t *) dma->buf, DMA_BUFFER_SIZE)) { if (DBGLEVEL > 1) Dbprintf("[!] FpgaSetupSscDma failed. Exiting"); BigBuf_free(); return; @@ -1513,25 +1419,50 @@ void RAMFUNC SniffIso14443b(void) { time_0 = GetCountSspClk(); // loop and listen - while (!BUTTON_PRESS()) { - WDT_HIT(); + for(;;) { - int ci = data[0]; - int cq = data[1]; - data += 2; - - if (data >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) { - data = dmaBuf; - AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; - AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE; + int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) & (DMA_BUFFER_SIZE - 1); + if (behindBy > maxBehindBy) { + maxBehindBy = behindBy; } + if (behindBy == 0) continue; + + ci = *upTo >> 8; + cq = *upTo; + uint16_t tagdata = *upTo; + + upTo++; + lastRxCounter--; + if (upTo >= dma->buf + DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content. + upTo = dma->buf; // start reading the circular buffer from the beginning again + lastRxCounter += DMA_BUFFER_SIZE; + if (behindBy > (9 * DMA_BUFFER_SIZE / 10)) { + Dbprintf("About to blow circular buffer - aborted! behindBy=%d", behindBy); + break; + } + } + + if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { // DMA Counter Register had reached 0, already rotated. + AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dma->buf; // refresh the DMA Next Buffer and + AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE; // DMA Next Counter registers + + WDT_HIT(); + if (BUTTON_PRESS()) { + DbpString("Button pressed, cancelled"); + break; + } + } + + samples++; + // no need to try decoding reader data if the tag is sending - if (!TagIsActive) { + if (TagIsActive == false) { LED_A_INV(); if (Handle14443bReaderUartBit(ci & 0x01)) { + time_stop = GetCountSspClk() - time_0; LogTrace(Uart.output, Uart.byteCnt, time_start, time_stop, NULL, true); Uart14bReset(); @@ -1556,7 +1487,7 @@ void RAMFUNC SniffIso14443b(void) { // is this | 0x01 the error? & 0xfe in https://github.com/Proxmark/proxmark3/issues/103 // LSB is a fpga signal bit. - if (Handle14443bTagSamplesDemod(ci, cq)) { + if (Handle14443bTagSamplesDemod(tagdata) >= 0) { time_stop = GetCountSspClk() - time_0; LogTrace(Demod.output, Demod.len, time_start, time_stop, NULL, false); Uart14bReset(); @@ -1568,6 +1499,7 @@ void RAMFUNC SniffIso14443b(void) { } } + FpgaDisableSscDma(); if (DBGLEVEL >= 2) { DbpString("[+] Sniff statistics:"); Dbprintf("[+] uart State: %x ByteCount: %i ByteCountMax: %i", Uart.state, Uart.byteCnt, Uart.byteCntMax); @@ -1593,12 +1525,14 @@ static void iso14b_set_trigger(bool enable) { * */ void SendRawCommand14443B_Ex(PacketCommandNG *c) { + iso14b_command_t param = c->oldarg[0]; size_t len = c->oldarg[1] & 0xffff; uint32_t timeout = c->oldarg[2]; uint8_t *cmd = c->data.asBytes; - uint8_t status; + int status; uint32_t sendlen = sizeof(iso14b_card_select_t); + uint8_t buf[PM3_CMD_DATA_SIZE] = {0x00}; if (DBGLEVEL > 3) Dbprintf("14b raw: param, %04x", param); @@ -1620,22 +1554,22 @@ void SendRawCommand14443B_Ex(PacketCommandNG *c) { if ((param & ISO14B_SELECT_STD) == ISO14B_SELECT_STD) { iso14b_card_select_t *card = (iso14b_card_select_t *)buf; status = iso14443b_select_card(card); - reply_mix(CMD_ACK, status, sendlen, 0, buf, sendlen); - // 0: OK 2: attrib fail, 3:crc fail, - if (status > 0) goto out; + reply_mix(CMD_HF_ISO14443B_COMMAND, status, sendlen, 0, buf, sendlen); + // 0: OK -1: attrib fail, -2:crc fail, + if (status != 0) goto out; } if ((param & ISO14B_SELECT_SR) == ISO14B_SELECT_SR) { iso14b_card_select_t *card = (iso14b_card_select_t *)buf; status = iso14443b_select_srx_card(card); - reply_mix(CMD_ACK, status, sendlen, 0, buf, sendlen); + reply_mix(CMD_HF_ISO14443B_COMMAND, status, sendlen, 0, buf, sendlen); // 0: OK 2: demod fail, 3:crc fail, if (status > 0) goto out; } if ((param & ISO14B_APDU) == ISO14B_APDU) { status = iso14443b_apdu(cmd, len, buf); - reply_mix(CMD_ACK, status, status, 0, buf, status); + reply_mix(CMD_HF_ISO14443B_COMMAND, status, status, 0, buf, status); } if ((param & ISO14B_RAW) == ISO14B_RAW) { @@ -1645,12 +1579,11 @@ void SendRawCommand14443B_Ex(PacketCommandNG *c) { } CodeAndTransmit14443bAsReader(cmd, len); // raw - GetTagSamplesFor14443bDemod(); // raw + status = GetTagSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT); // raw FpgaDisableTracing(); sendlen = MIN(Demod.len, PM3_CMD_DATA_SIZE); - status = (Demod.len > 0) ? 0 : 1; - reply_old(CMD_ACK, status, sendlen, 0, Demod.output, sendlen); + reply_old(CMD_HF_ISO14443B_COMMAND, status, sendlen, 0, Demod.output, sendlen); } out: diff --git a/armsrc/iso14443b.h b/armsrc/iso14443b.h index 62dbd6590..0013ad313 100644 --- a/armsrc/iso14443b.h +++ b/armsrc/iso14443b.h @@ -28,7 +28,7 @@ void iso14443b_setup(void); uint8_t iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *response); -uint8_t iso14443b_select_card(iso14b_card_select_t *card); +int iso14443b_select_card(iso14b_card_select_t *card); uint8_t iso14443b_select_card_srx(iso14b_card_select_t *card); void SimulateIso14443bTag(uint32_t pupi); diff --git a/armsrc/iso15693.c b/armsrc/iso15693.c index d88bae1f0..a2f74f4b5 100644 --- a/armsrc/iso15693.c +++ b/armsrc/iso15693.c @@ -3,24 +3,22 @@ // Modified by Greg Jones, Jan 2009 // Modified by Adrian Dabrowski "atrox", Mar-Sept 2010,Oct 2011 // Modified by Christian Herrmann "iceman", 2017 +// Modified by piwi, Oct 2018 // // This code is licensed to you under the terms of the GNU GPL, version 2 or, // at your option, any later version. See the LICENSE.txt file for the text of // the license. //----------------------------------------------------------------------------- // Routines to support ISO 15693. This includes both the reader software and -// the `fake tag' modes, but at the moment I've implemented only the reader -// stuff, and that barely. -// Modified to perform modulation onboard in arm rather than on PC -// Also added additional reader commands (SELECT, READ etc.) +// the `fake tag' modes. //----------------------------------------------------------------------------- -// The ISO 15693 describes two transmission modes from reader to tag, and 4 -// transmission modes from tag to reader. As of Mar 2010 this code only -// supports one of each: "1of4" mode from reader to tag, and the highspeed -// variant with one subcarrier from card to reader. -// As long, as the card fully support ISO 15693 this is no problem, since the -// reader chooses both data rates, but some non-standard tags do not. Further for -// the simulation to work, we will need to support all data rates. + +// The ISO 15693 describes two transmission modes from reader to tag, and four +// transmission modes from tag to reader. As of Oct 2018 this code supports +// both reader modes and the high speed variant with one subcarrier from card to reader. +// As long as the card fully support ISO 15693 this is no problem, since the +// reader chooses both data rates, but some non-standard tags do not. +// For card simulation, the code supports both high and low speed modes with one subcarrier. // // VCD (reader) -> VICC (tag) // 1 out of 256: @@ -47,15 +45,11 @@ // *) UID is always used "transmission order" (LSB), which is reverse to display order // TODO / BUGS / ISSUES: -// *) writing to tags takes longer: we miss the answer from the tag in most cases -// -> tweak the read-timeout times -// *) signal decoding from the card is still a bit shaky. -// *) signal decoding is unable to detect collissions. -// *) add anti-collission support for inventory-commands +// *) signal decoding is unable to detect collisions. +// *) add anti-collision support for inventory-commands // *) read security status of a block -// *) sniffing and simulation do only support one transmission mode. need to support -// all 8 transmission combinations -// *) remove or refactor code under "depricated" +// *) sniffing and simulation do not support two subcarrier modes. +// *) remove or refactor code under "deprecated" // *) document all the functions #include "iso15693.h" @@ -72,418 +66,1097 @@ #include "ticks.h" #include "BigBuf.h" #include "crc16.h" + +// Delays in SSP_CLK ticks. +// SSP_CLK runs at 13,56MHz / 32 = 423.75kHz when simulating a tag +#define DELAY_READER_TO_ARM 8 +#define DELAY_ARM_TO_READER 0 + +//SSP_CLK runs at 13.56MHz / 4 = 3,39MHz when acting as reader. All values should be multiples of 16 +#define DELAY_ARM_TO_TAG 16 +#define DELAY_TAG_TO_ARM 32 + +//SSP_CLK runs at 13.56MHz / 4 = 3,39MHz when sniffing. All values should be multiples of 16 +#define DELAY_TAG_TO_ARM_SNIFF 32 +#define DELAY_READER_TO_ARM_SNIFF 32 + +// times in samples @ 212kHz when acting as reader +#define ISO15693_READER_TIMEOUT 330 // 330/212kHz = 1558us, should be even enough for iClass tags responding to ACTALL +#define ISO15693_READER_TIMEOUT_WRITE 4700 // 4700/212kHz = 22ms, nominal 20ms + /////////////////////////////////////////////////////////////////////// // ISO 15693 Part 2 - Air Interface -// This section basicly contains transmission and receiving of bits +// This section basically contains transmission and receiving of bits /////////////////////////////////////////////////////////////////////// +// buffers +#define ISO15693_MAX_RESPONSE_LENGTH 36 // allows read single block with the maximum block size of 256bits. Read multiple blocks not supported yet +#define ISO15693_MAX_COMMAND_LENGTH 45 // allows write single block with the maximum block size of 256bits. Write multiple blocks not supported yet + // 32 + 2 crc + 1 #define ISO15_MAX_FRAME 35 #define CMD_ID_RESP 5 #define CMD_READ_RESP 13 #define CMD_INV_RESP 12 -#define FrameSOF Iso15693FrameSOF -#define Logic0 Iso15693Logic0 -#define Logic1 Iso15693Logic1 -#define FrameEOF Iso15693FrameEOF - //#define Crc(data, len) Crc(CRC_15693, (data), (len)) #define CheckCrc15(data, len) check_crc(CRC_15693, (data), (len)) #define AddCrc15(data, len) compute_crc(CRC_15693, (data), (len), (data)+(len), (data)+(len)+1) -static void BuildIdentifyRequest(uint8_t *cmdout); -//static void BuildReadBlockRequest(uint8_t *cmdout, uint8_t *uid, uint8_t blockNumber ); -static void BuildInventoryResponse(uint8_t *cmdout, uint8_t *uid); +static void BuildIdentifyRequest(uint8_t *cmd); + +// --------------------------- -// --------------------------- // Signal Processing // --------------------------- // prepare data using "1 out of 4" code for later transmission -// resulting data rate is 26,48 kbit/s (fc/512) +// resulting data rate is 26.48 kbit/s (fc/512) // cmd ... data -// n ... length of data -static void CodeIso15693AsReader(uint8_t *cmd, int n) { - int i, j; +// n ... length of data +static uint8_t encode15_lut[] = { + 0x40, // 01000000 + 0x10, // 00010000 + 0x04, // 00000100 + 0x01 // 00000001 +}; - ToSendReset(); +void CodeIso15693AsReader(uint8_t *cmd, int n) { - // Give it a bit of slack at the beginning - for (i = 0; i < 24; i++) - ToSendStuffBit(1); + tosend_reset(); + tosend_t *ts = get_tosend(); // SOF for 1of4 - ToSendStuffBit(0); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(0); - ToSendStuffBit(1); - ToSendStuffBit(1); - for (i = 0; i < n; i++) { - for (j = 0; j < 8; j += 2) { - int these = (cmd[i] >> j) & 3; - switch (these) { - case 0: - ToSendStuffBit(1); - ToSendStuffBit(0); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - break; - case 1: - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(0); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - break; - case 2: - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(0); - ToSendStuffBit(1); - ToSendStuffBit(1); - break; - case 3: - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(0); - break; - } - } - } - // EOF - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(0); - ToSendStuffBit(1); + ts->buf[++ts->max] = 0x84; //10000100 - // And slack at the end, too. - for (i = 0; i < 24; i++) - ToSendStuffBit(1); + // data + for (int i = 0; i < n; i++) { + + volatile uint8_t b = (cmd[i] >> 0) & 0x03; + ts->buf[++ts->max] = encode15_lut[b]; + + b = (cmd[i] >> 2) & 0x03; + ts->buf[++ts->max] = encode15_lut[b]; + + b = (cmd[i] >> 4) & 0x03; + ts->buf[++ts->max] = encode15_lut[b]; + + b = (cmd[i] >> 6) & 0x03; + ts->buf[++ts->max] = encode15_lut[b]; + } + + // EOF + ts->buf[++ts->max] = 0x20; //0010 + 0000 padding + ts->max++; } -// encode data using "1 out of 256" sheme +// Encode EOF only +static void CodeIso15693AsReaderEOF(void) { + tosend_reset(); + tosend_t *ts = get_tosend(); + ts->buf[++ts->max] = 0x20; + ts->max++; +} + + +// encode data using "1 out of 256" scheme // data rate is 1,66 kbit/s (fc/8192) // is designed for more robust communication over longer distances static void CodeIso15693AsReader256(uint8_t *cmd, int n) { - int i, j; - - ToSendReset(); - - // Give it a bit of slack at the beginning - for (i = 0; i < 24; i++) - ToSendStuffBit(1); + tosend_reset(); + tosend_t *ts = get_tosend(); + // SOF for 1of256 - ToSendStuffBit(0); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(0); + ts->buf[++ts->max] = 0x81; //10000001 - for (i = 0; i < n; i++) { - for (j = 0; j <= 255; j++) { + // data + for(int i = 0; i < n; i++) { + for (int j = 0; j <= 255; j++) { if (cmd[i] == j) { - ToSendStuffBit(1); - ToSendStuffBit(0); + tosend_stuffbit(0); + tosend_stuffbit(1); } else { - ToSendStuffBit(1); - ToSendStuffBit(1); + tosend_stuffbit(0); + tosend_stuffbit(0); } } } - // EOF - ToSendStuffBit(1); - ToSendStuffBit(1); - ToSendStuffBit(0); - ToSendStuffBit(1); - // And slack at the end, too. - for (i = 0; i < 24; i++) - ToSendStuffBit(1); + // EOF + ts->buf[++ts->max] = 0x20; //0010 + 0000 padding + ts->max++; } -// Transmit the command (to the tag) that was placed in ToSend[]. -static void TransmitTo15693Tag(const uint8_t *cmd, int len, int *samples, int *wait) { +static const uint8_t encode_4bits[16] = { +// 0 1 2 3 + 0xaa, 0x6a, 0x9a, 0x5a, +// 4 5 6 7 + 0xa6, 0x66, 0x96, 0x56, +// 8 9 A B + 0xa9, 0x69, 0x99, 0x59, +// C D E F + 0xa5, 0x65, 0x95, 0x55 +}; - int c; - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX); +void CodeIso15693AsTag(uint8_t *cmd, size_t len) { + /* + * SOF comprises 3 parts; + * * An unmodulated time of 56.64 us + * * 24 pulses of 423.75 kHz (fc/32) + * * A logic 1, which starts with an unmodulated time of 18.88us + * followed by 8 pulses of 423.75kHz (fc/32) + * + * EOF comprises 3 parts: + * - A logic 0 (which starts with 8 pulses of fc/32 followed by an unmodulated + * time of 18.88us. + * - 24 pulses of fc/32 + * - An unmodulated time of 56.64 us + * + * A logic 0 starts with 8 pulses of fc/32 + * followed by an unmodulated time of 256/fc (~18,88us). + * + * A logic 0 starts with unmodulated time of 256/fc (~18,88us) followed by + * 8 pulses of fc/32 (also 18.88us) + * + * A bit here becomes 8 pulses of fc/32. Therefore: + * The SOF can be written as 00011101 = 0x1D + * The EOF can be written as 10111000 = 0xb8 + * A logic 1 is 01 + * A logic 0 is 10 + * + * */ + tosend_reset(); + tosend_t *ts = get_tosend(); - if (wait) { - for (c = 0; c < *wait;) { - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing! - ++c; - } - WDT_HIT(); - } + // SOF + ts->buf[++ts->max] = 0x1D; // 00011101 + + // data + for (int i = 0; i < len; i += 2) { + ts->buf[++ts->max] = encode_4bits[cmd[i] & 0xF]; + ts->buf[++ts->max] = encode_4bits[cmd[i] >> 4]; + ts->buf[++ts->max] = encode_4bits[cmd[i + 1] & 0xF]; + ts->buf[++ts->max] = encode_4bits[cmd[i + 1] >> 4]; } - c = 0; - for (;;) { - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - AT91C_BASE_SSC->SSC_THR = cmd[c]; - if (++c >= len) break; + // EOF + ts->buf[++ts->max] = 0xB8; // 10111000 + ts->max++; +} + +// Transmit the command (to the tag) that was placed in cmd[]. +void TransmitTo15693Tag(const uint8_t *cmd, int len, uint32_t *start_time) { + + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_FULL_MOD); + + if (*start_time < DELAY_ARM_TO_TAG) { + *start_time = DELAY_ARM_TO_TAG; + } + + *start_time = (*start_time - DELAY_ARM_TO_TAG) & 0xfffffff0; + + if (GetCountSspClk() > *start_time) { // we may miss the intended time + *start_time = (GetCountSspClk() + 16) & 0xfffffff0; // next possible time + } + + // wait + while (GetCountSspClk() < *start_time) ; + + LED_B_ON(); + for (int c = 0; c < len; c++) { + volatile uint8_t data = cmd[c]; + + for (uint8_t i = 0; i < 8; i++) { + uint16_t send_word = (data & 0x80) ? 0xffff : 0x0000; + while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) ; + AT91C_BASE_SSC->SSC_THR = send_word; + while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) ; + AT91C_BASE_SSC->SSC_THR = send_word; + data <<= 1; } WDT_HIT(); } + LED_B_OFF(); - if (samples) { - if (wait) - *samples = (c + *wait) << 3; - else - *samples = c << 3; - } + *start_time = *start_time + DELAY_ARM_TO_TAG; } //----------------------------------------------------------------------------- -// Transmit the command (to the reader) that was placed in ToSend[]. +// Transmit the tag response (to the reader) that was placed in cmd[]. //----------------------------------------------------------------------------- -static void TransmitTo15693Reader(const uint8_t *cmd, int len, int *samples, int *wait) { - int c = 0; +void TransmitTo15693Reader(const uint8_t *cmd, size_t len, uint32_t *start_time, uint32_t slot_time, bool slow) { + + // don't use the FPGA_HF_SIMULATOR_MODULATE_424K_8BIT minor mode. It would spoil GetCountSspClk() FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_424K); - if (wait) { - for (c = 0; c < *wait;) { - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing! - ++c; - } - WDT_HIT(); + uint32_t modulation_start_time = *start_time - DELAY_ARM_TO_READER + 3 * 8; // no need to transfer the unmodulated start of SOF + + while (GetCountSspClk() > (modulation_start_time & 0xfffffff8) + 3) { // we will miss the intended time + if (slot_time) { + modulation_start_time += slot_time; // use next available slot + } else { + modulation_start_time = (modulation_start_time & 0xfffffff8) + 8; // next possible time } } - c = 0; - for (;;) { - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - AT91C_BASE_SSC->SSC_THR = cmd[c]; - if (++c >= len) break; + // wait + while (GetCountSspClk() < (modulation_start_time & 0xfffffff8)) ; + + uint8_t shift_delay = modulation_start_time & 0x00000007; + + *start_time = modulation_start_time + DELAY_ARM_TO_READER - 3 * 8; + + LED_C_ON(); + uint8_t bits_to_shift = 0x00; + uint8_t bits_to_send = 0x00; + + for (size_t c = 0; c < len; c++) { + for (int i = (c == 0 ? 4 : 7); i >= 0; i--) { + + uint8_t cmd_bits = ((cmd[c] >> i) & 0x01) ? 0xff : 0x00; + + for (int j = 0; j < (slow ? 4 : 1); ) { + if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) { + bits_to_send = bits_to_shift << (8 - shift_delay) | cmd_bits >> shift_delay; + AT91C_BASE_SSC->SSC_THR = bits_to_send; + bits_to_shift = cmd_bits; + j++; + } + } } WDT_HIT(); } - if (samples) { - if (wait) - *samples = (c + *wait) << 3; - else - *samples = c << 3; + + // send the remaining bits, padded with 0: + bits_to_send = bits_to_shift << (8 - shift_delay); + if (bits_to_send) { + for ( ; ; ) { + if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) { + AT91C_BASE_SSC->SSC_THR = bits_to_send; + break; + } + } } + LED_C_OFF(); } +//============================================================================= +// An ISO 15693 decoder for tag responses (one subcarrier only). +// Uses cross correlation to identify each bit and EOF. +// This function is called 8 times per bit (every 2 subcarrier cycles). +// Subcarrier frequency fs is 424kHz, 1/fs = 2,36us, +// i.e. function is called every 4,72us +// LED handling: +// LED C -> ON once we have received the SOF and are expecting the rest. +// LED C -> OFF once we have received EOF or are unsynced +// +// Returns: true if we received a EOF +// false if we are still waiting for some more +//============================================================================= + +#define NOISE_THRESHOLD 80 // don't try to correlate noise +#define MAX_PREVIOUS_AMPLITUDE (-1 - NOISE_THRESHOLD) + +typedef struct { + enum { + STATE_TAG_SOF_LOW, + STATE_TAG_SOF_RISING_EDGE, + STATE_TAG_SOF_HIGH, + STATE_TAG_SOF_HIGH_END, + STATE_TAG_RECEIVING_DATA, + STATE_TAG_EOF, + STATE_TAG_EOF_TAIL + } state; + int bitCount; + int posCount; + enum { + LOGIC0, + LOGIC1, + SOF_PART1, + SOF_PART2 + } lastBit; + uint16_t shiftReg; + uint16_t max_len; + uint8_t *output; + int len; + int sum1; + int sum2; + int threshold_sof; + int threshold_half; + uint16_t previous_amplitude; +} DecodeTag_t; + //----------------------------------------------------------------------------- // DEMODULATE tag answer //----------------------------------------------------------------------------- -static int DemodAnswer(uint8_t *received, uint8_t *dest, uint16_t samplecount) { +static RAMFUNC int Handle15693SamplesFromTag(uint16_t amplitude, DecodeTag_t *tag) { - int i, j; - int max = 0, maxPos = 0, skip = 4; - int k = 0; // this will be our return value + switch (tag->state) { - // First, correlate for SOF - for (i = 0; i < samplecount; i++) { - int corr = 0; - for (j = 0; j < ARRAYLEN(FrameSOF); j += skip) { - corr += FrameSOF[j] * dest[i + (j / skip)]; - } - if (corr > max) { - max = corr; - maxPos = i; - } - } - // DbpString("SOF at %d, correlation %d", maxPos,max/(ARRAYLEN(FrameSOF)/skip)); - - // greg - If correlation is less than 1 then there's little point in continuing - if ((max / (ARRAYLEN(FrameSOF) / skip)) < 1) - return k; - - i = maxPos + ARRAYLEN(FrameSOF) / skip; - - uint8_t outBuf[ISO15_MAX_FRAME]; - memset(outBuf, 0, sizeof(outBuf)); - uint8_t mask = 0x01; - for (;;) { - int corr0 = 0, corr1 = 0, corrEOF = 0; - for (j = 0; j < ARRAYLEN(Logic0); j += skip) { - corr0 += Logic0[j] * dest[i + (j / skip)]; - } - for (j = 0; j < ARRAYLEN(Logic1); j += skip) { - corr1 += Logic1[j] * dest[i + (j / skip)]; - } - for (j = 0; j < ARRAYLEN(FrameEOF); j += skip) { - corrEOF += FrameEOF[j] * dest[i + (j / skip)]; - } - // Even things out by the length of the target waveform. - corr0 *= 4; - corr1 *= 4; - // if (DBGLEVEL >= DBG_EXTENDED) - // Dbprintf("Corr1 %d, Corr0 %d, CorrEOF %d", corr1, corr0, corrEOF); - - if (corrEOF > corr1 && corrEOF > corr0) + case STATE_TAG_SOF_LOW: { + // waiting for a rising edge + if (amplitude > NOISE_THRESHOLD + tag->previous_amplitude) { + if (tag->posCount > 10) { + tag->threshold_sof = amplitude - tag->previous_amplitude; // to be divided by 2 + tag->threshold_half = 0; + tag->state = STATE_TAG_SOF_RISING_EDGE; + } else { + tag->posCount = 0; + } + } else { + tag->posCount++; + tag->previous_amplitude = amplitude; + } break; - - if (corr1 > corr0) { - i += ARRAYLEN(Logic1) / skip; - outBuf[k] |= mask; - } else { - i += ARRAYLEN(Logic0) / skip; } - mask <<= 1; - - if (mask == 0) { - k++; - mask = 0x01; + case STATE_TAG_SOF_RISING_EDGE: { + if (amplitude > tag->threshold_sof + tag->previous_amplitude) { // edge still rising + if (amplitude > tag->threshold_sof + tag->threshold_sof) { // steeper edge, take this as time reference + tag->posCount = 1; + } else { + tag->posCount = 2; + } + tag->threshold_sof = (amplitude - tag->previous_amplitude) / 2; + } else { + tag->posCount = 2; + tag->threshold_sof = tag->threshold_sof / 2; + } + tag->state = STATE_TAG_SOF_HIGH; + break; } - if ((i + (int)ARRAYLEN(FrameEOF)) >= samplecount - 1) { - //Dbprintf("[!] ran off end! %d | %d",( i + (int)ARRAYLEN(FrameEOF)), samplecount-1); + case STATE_TAG_SOF_HIGH: { + // waiting for 10 times high. Take average over the last 8 + if (amplitude > tag->threshold_sof) { + tag->posCount++; + if (tag->posCount > 2) { + tag->threshold_half += amplitude; // keep track of average high value + } + if (tag->posCount == 10) { + tag->threshold_half >>= 2; // (4 times 1/2 average) + tag->state = STATE_TAG_SOF_HIGH_END; + } + } else { // high phase was too short + tag->posCount = 1; + tag->previous_amplitude = amplitude; + tag->state = STATE_TAG_SOF_LOW; + } + break; + } + + case STATE_TAG_SOF_HIGH_END: { + // check for falling edge + if (tag->posCount == 13 && amplitude < tag->threshold_sof) { + tag->lastBit = SOF_PART1; // detected 1st part of SOF (12 samples low and 12 samples high) + tag->shiftReg = 0; + tag->bitCount = 0; + tag->len = 0; + tag->sum1 = amplitude; + tag->sum2 = 0; + tag->posCount = 2; + tag->state = STATE_TAG_RECEIVING_DATA; + LED_C_ON(); + } else { + tag->posCount++; + if (tag->posCount > 13) { // high phase too long + tag->posCount = 0; + tag->previous_amplitude = amplitude; + tag->state = STATE_TAG_SOF_LOW; + LED_C_OFF(); + } + } + break; + } + + case STATE_TAG_RECEIVING_DATA: { + if (tag->posCount == 1) { + tag->sum1 = 0; + tag->sum2 = 0; + } + + if (tag->posCount <= 4) { + tag->sum1 += amplitude; + } else { + tag->sum2 += amplitude; + } + + if (tag->posCount == 8) { + if (tag->sum1 > tag->threshold_half && tag->sum2 > tag->threshold_half) { // modulation in both halves + if (tag->lastBit == LOGIC0) { // this was already part of EOF + tag->state = STATE_TAG_EOF; + } else { + tag->posCount = 0; + tag->previous_amplitude = amplitude; + tag->state = STATE_TAG_SOF_LOW; + LED_C_OFF(); + } + } else if (tag->sum1 < tag->threshold_half && tag->sum2 > tag->threshold_half) { // modulation in second half + // logic 1 + if (tag->lastBit == SOF_PART1) { // still part of SOF + tag->lastBit = SOF_PART2; // SOF completed + } else { + tag->lastBit = LOGIC1; + tag->shiftReg >>= 1; + tag->shiftReg |= 0x80; + tag->bitCount++; + if (tag->bitCount == 8) { + tag->output[tag->len] = tag->shiftReg; + tag->len++; + + if (tag->len > tag->max_len) { + // buffer overflow, give up + LED_C_OFF(); + return true; + } + tag->bitCount = 0; + tag->shiftReg = 0; + } + } + } else if (tag->sum1 > tag->threshold_half && tag->sum2 < tag->threshold_half) { // modulation in first half + // logic 0 + if (tag->lastBit == SOF_PART1) { // incomplete SOF + tag->posCount = 0; + tag->previous_amplitude = amplitude; + tag->state = STATE_TAG_SOF_LOW; + LED_C_OFF(); + } else { + tag->lastBit = LOGIC0; + tag->shiftReg >>= 1; + tag->bitCount++; + + if (tag->bitCount == 8) { + tag->output[tag->len] = tag->shiftReg; + tag->len++; + + if (tag->len > tag->max_len) { + // buffer overflow, give up + tag->posCount = 0; + tag->previous_amplitude = amplitude; + tag->state = STATE_TAG_SOF_LOW; + LED_C_OFF(); + } + tag->bitCount = 0; + tag->shiftReg = 0; + } + } + } else { // no modulation + if (tag->lastBit == SOF_PART2) { // only SOF (this is OK for iClass) + LED_C_OFF(); + return true; + } else { + tag->posCount = 0; + tag->state = STATE_TAG_SOF_LOW; + LED_C_OFF(); + } + } + tag->posCount = 0; + } + tag->posCount++; + break; + } + + case STATE_TAG_EOF: { + if (tag->posCount == 1) { + tag->sum1 = 0; + tag->sum2 = 0; + } + + if (tag->posCount <= 4) { + tag->sum1 += amplitude; + } else { + tag->sum2 += amplitude; + } + + if (tag->posCount == 8) { + if (tag->sum1 > tag->threshold_half && tag->sum2 < tag->threshold_half) { // modulation in first half + tag->posCount = 0; + tag->state = STATE_TAG_EOF_TAIL; + } else { + tag->posCount = 0; + tag->previous_amplitude = amplitude; + tag->state = STATE_TAG_SOF_LOW; + LED_C_OFF(); + } + } + tag->posCount++; + break; + } + + case STATE_TAG_EOF_TAIL: { + if (tag->posCount == 1) { + tag->sum1 = 0; + tag->sum2 = 0; + } + + if (tag->posCount <= 4) { + tag->sum1 += amplitude; + } else { + tag->sum2 += amplitude; + } + + if (tag->posCount == 8) { + if (tag->sum1 < tag->threshold_half && tag->sum2 < tag->threshold_half) { // no modulation in both halves + LED_C_OFF(); + return true; + } else { + tag->posCount = 0; + tag->previous_amplitude = amplitude; + tag->state = STATE_TAG_SOF_LOW; + LED_C_OFF(); + } + } + tag->posCount++; break; } } - if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("ice: demod bytes %u", k); - - if (mask != 0x01) { // this happens, when we miss the EOF - - // TODO: for some reason this happens quite often - if (DBGLEVEL >= DBG_ERROR && k != 0) Dbprintf("[!] error, uneven octet! (extra bits!) mask %02x", mask); - //if (mask < 0x08) k--; // discard the last uneven octet; - // 0x08 is an assumption - but works quite often - } - - for (i = 0; i < k; i++) - received[i] = outBuf[i]; - - // return the number of bytes demodulated - return k; + return false; } -// Read from Tag -// Parameters: -// received -// samples -// elapsed -// returns: -// number of decoded bytes -// logging enabled -#define SIGNAL_BUFF_SIZE 20000 +static void DecodeTagReset(DecodeTag_t *tag) { + tag->posCount = 0; + tag->state = STATE_TAG_SOF_LOW; + tag->previous_amplitude = MAX_PREVIOUS_AMPLITUDE; +} -static int GetIso15693AnswerFromTag(uint8_t *received, int *elapsed) { +static void DecodeTagInit(DecodeTag_t *tag, uint8_t *data, uint16_t max_len) { + tag->output = data; + tag->max_len = max_len; + DecodeTagReset(tag); +} - // get current clock - uint32_t time_0 = GetCountSspClk(); - uint32_t time_stop = 0; - bool getNext = false; - int counter = 0, ci, cq = 0; - uint8_t *buf = BigBuf_malloc(SIGNAL_BUFF_SIZE); +/* + * Receive and decode the tag response, also log to tracebuffer + */ +int GetIso15693AnswerFromTag(uint8_t* response, uint16_t max_len, uint16_t timeout, uint32_t *eof_time) { - if (elapsed) *elapsed = 0; + int samples = 0, ret = 0; - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR); + // the Decoder data structure + DecodeTag_t dtm = { 0 }; + DecodeTag_t *dt = &dtm; + DecodeTagInit(dt, response, max_len); - for (;;) { - WDT_HIT(); + // wait for last transfer to complete + while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY)); - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - AT91C_BASE_SSC->SSC_THR = 0x00; //0x43; - // To make use of exact timing of next command from reader!! - if (elapsed)(*elapsed)++; - } - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { + // And put the FPGA in the appropriate mode + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_424_KHZ | FPGA_HF_READER_MODE_RECEIVE_AMPLITUDE); - ci = (int8_t)AT91C_BASE_SSC->SSC_RHR; - ci = ABS(ci); + // Setup and start DMA. + FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER); - // The samples are correlations against I and Q versions of the - // tone that the tag AM-modulates, so every other sample is I, - // every other is Q. We just want power, so abs(I) + abs(Q) is - // close to what we want. - // iceman 2016, amplitude sqrt(abs(i) + abs(q)) - if (getNext) { + // The DMA buffer, used to stream samples from the FPGA + dmabuf16_t *dma = get_dma16(); - buf[counter++] = (uint8_t)(MAX(ci, cq) + (MIN(ci, cq) >> 1)); - - if (counter >= SIGNAL_BUFF_SIZE) - break; - } else { - cq = ci; - } - getNext = !getNext; - } + // Setup and start DMA. + if (FpgaSetupSscDma((uint8_t *) dma->buf, DMA_BUFFER_SIZE) == false) { + if (DBGLEVEL > DBG_ERROR) Dbprintf("FpgaSetupSscDma failed. Exiting"); + return -4; } - time_stop = GetCountSspClk(); - int len = DemodAnswer(received, buf, counter); - LogTrace(received, len, time_0 << 4, time_stop << 4, NULL, false); - BigBuf_free(); - return len; + + uint32_t dma_start_time = 0; + uint16_t *upTo = dma->buf; + + for(;;) { + + volatile uint16_t behindBy = ((uint16_t*)AT91C_BASE_PDC_SSC->PDC_RPR - upTo) & (DMA_BUFFER_SIZE - 1); + if (behindBy == 0) + continue; + + samples++; + if (samples == 1) { + // DMA has transferred the very first data + dma_start_time = GetCountSspClk() & 0xfffffff0; + } + + volatile uint16_t tagdata = *upTo++; + + if (upTo >= dma->buf + DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content. + upTo = dma->buf; // start reading the circular buffer from the beginning + if (behindBy > (9 * DMA_BUFFER_SIZE / 10)) { + Dbprintf("About to blow circular buffer - aborted! behindBy=%d", behindBy); + ret = -1; + break; + } + } + if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { // DMA Counter Register had reached 0, already rotated. + AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dma->buf; // refresh the DMA Next Buffer and + AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE; // DMA Next Counter registers + } + + if (Handle15693SamplesFromTag(tagdata, dt)) { + *eof_time = dma_start_time + (samples * 16) - DELAY_TAG_TO_ARM; // end of EOF + if (dt->lastBit == SOF_PART2) { + *eof_time -= (8 * 16); // needed 8 additional samples to confirm single SOF (iCLASS) + } + if (dt->len > dt->max_len) { + ret = -2; // buffer overflow + } + break; + } + + if (samples > timeout && dt->state < STATE_TAG_RECEIVING_DATA) { + ret = -3; // timeout + break; + } + + } + + FpgaDisableSscDma(); + + uint32_t sof_time = *eof_time + - (dt->len * 8 * 8 * 16) // time for byte transfers + - (32 * 16) // time for SOF transfer + - (dt->lastBit != SOF_PART2 ? (32 * 16) : 0); // time for EOF transfer + + if (DBGLEVEL >= DBG_EXTENDED) { + Dbprintf("samples = %d, ret = %d, Decoder: state = %d, lastBit = %d, len = %d, bitCount = %d, posCount = %d, maxlen = %u", + samples, + ret, + dt->state, + dt->lastBit, + dt->len, + dt->bitCount, + dt->posCount, + dt->max_len + ); + Dbprintf("timing: sof_time = %d, eof_time = %d", (sof_time * 4), (*eof_time * 4)); + } + + if (ret < 0) { + return ret; + } + + LogTrace_ISO15693(dt->output, dt->len, (sof_time * 4), (*eof_time * 4), NULL, false); + return dt->len; } -// Now the GetISO15693 message from sniffing command -// logging enable, -static int GetIso15693AnswerFromSniff(uint8_t *received, int *samples, int *elapsed) { +//============================================================================= +// An ISO15693 decoder for reader commands. +// +// This function is called 4 times per bit (every 2 subcarrier cycles). +// Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 2,36us +// LED handling: +// LED B -> ON once we have received the SOF and are expecting the rest. +// LED B -> OFF once we have received EOF or are in error state or unsynced +// +// Returns: true if we received a EOF +// false if we are still waiting for some more +//============================================================================= - bool getNext = false; - int counter = 0, ci, cq = 0; - uint32_t time_0 = 0, time_stop = 0; - uint8_t *buf = BigBuf_malloc(SIGNAL_BUFF_SIZE); +typedef struct { + enum { + STATE_READER_UNSYNCD, + STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF, + STATE_READER_AWAIT_1ST_RISING_EDGE_OF_SOF, + STATE_READER_AWAIT_2ND_FALLING_EDGE_OF_SOF, + STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF, + STATE_READER_AWAIT_END_OF_SOF_1_OUT_OF_4, + STATE_READER_RECEIVE_DATA_1_OUT_OF_4, + STATE_READER_RECEIVE_DATA_1_OUT_OF_256, + STATE_READER_RECEIVE_JAMMING + } state; + enum { + CODING_1_OUT_OF_4, + CODING_1_OUT_OF_256 + } Coding; + uint8_t shiftReg; + uint8_t bitCount; + int byteCount; + int byteCountMax; + int posCount; + int sum1, sum2; + uint8_t *output; + uint8_t jam_search_len; + uint8_t *jam_search_string; +} DecodeReader_t; - // get current clock - time_0 = GetCountSspClk(); +static void DecodeReaderInit(DecodeReader_t* reader, uint8_t *data, uint16_t max_len, uint8_t jam_search_len, uint8_t *jam_search_string) { + reader->output = data; + reader->byteCountMax = max_len; + reader->state = STATE_READER_UNSYNCD; + reader->byteCount = 0; + reader->bitCount = 0; + reader->posCount = 1; + reader->shiftReg = 0; + reader->jam_search_len = jam_search_len; + reader->jam_search_string = jam_search_string; +} - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR); +static void DecodeReaderReset(DecodeReader_t* reader) { + reader->state = STATE_READER_UNSYNCD; +} - for (;;) { - WDT_HIT(); - - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { - - ci = (int8_t)AT91C_BASE_SSC->SSC_RHR; - ci = ABS(ci); - - // The samples are correlations against I and Q versions of the - // tone that the tag AM-modulates, so every other sample is I, - // every other is Q. We just want power, so abs(I) + abs(Q) is - // close to what we want. - if (getNext) { - - buf[counter++] = (uint8_t)(MAX(ci, cq) + (MIN(ci, cq) >> 1)); - - if (counter >= 20000) - break; - } else { - cq = ci; +//static inline __attribute__((always_inline)) + static int RAMFUNC Handle15693SampleFromReader(bool bit, DecodeReader_t *reader) { + switch (reader->state) { + case STATE_READER_UNSYNCD: + // wait for unmodulated carrier + if (bit) { + reader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF; } - getNext = !getNext; - } + break; + + case STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF: + if (!bit) { + // we went low, so this could be the beginning of a SOF + reader->posCount = 1; + reader->state = STATE_READER_AWAIT_1ST_RISING_EDGE_OF_SOF; + } + break; + + case STATE_READER_AWAIT_1ST_RISING_EDGE_OF_SOF: + reader->posCount++; + if (bit) { // detected rising edge + if (reader->posCount < 4) { // rising edge too early (nominally expected at 5) + reader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF; + } else { // SOF + reader->state = STATE_READER_AWAIT_2ND_FALLING_EDGE_OF_SOF; + } + } else { + if (reader->posCount > 5) { // stayed low for too long + DecodeReaderReset(reader); + } else { + // do nothing, keep waiting + } + } + break; + + case STATE_READER_AWAIT_2ND_FALLING_EDGE_OF_SOF: + + reader->posCount++; + + if (bit == false) { // detected a falling edge + + if (reader->posCount < 20) { // falling edge too early (nominally expected at 21 earliest) + DecodeReaderReset(reader); + } else if (reader->posCount < 23) { // SOF for 1 out of 4 coding + reader->Coding = CODING_1_OUT_OF_4; + reader->state = STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF; + } else if (reader->posCount < 28) { // falling edge too early (nominally expected at 29 latest) + DecodeReaderReset(reader); + } else { // SOF for 1 out of 256 coding + reader->Coding = CODING_1_OUT_OF_256; + reader->state = STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF; + } + + } else { + if (reader->posCount > 29) { // stayed high for too long + reader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF; + } else { + // do nothing, keep waiting + } + } + break; + + case STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF: + + reader->posCount++; + + if (bit) { // detected rising edge + if (reader->Coding == CODING_1_OUT_OF_256) { + if (reader->posCount < 32) { // rising edge too early (nominally expected at 33) + reader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF; + } else { + reader->posCount = 1; + reader->bitCount = 0; + reader->byteCount = 0; + reader->sum1 = 1; + reader->state = STATE_READER_RECEIVE_DATA_1_OUT_OF_256; + LED_B_ON(); + } + } else { // CODING_1_OUT_OF_4 + if (reader->posCount < 24) { // rising edge too early (nominally expected at 25) + reader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF; + } else { + reader->posCount = 1; + reader->state = STATE_READER_AWAIT_END_OF_SOF_1_OUT_OF_4; + } + } + } else { + if (reader->Coding == CODING_1_OUT_OF_256) { + if (reader->posCount > 34) { // signal stayed low for too long + DecodeReaderReset(reader); + } else { + // do nothing, keep waiting + } + } else { // CODING_1_OUT_OF_4 + if (reader->posCount > 26) { // signal stayed low for too long + DecodeReaderReset(reader); + } else { + // do nothing, keep waiting + } + } + } + break; + + case STATE_READER_AWAIT_END_OF_SOF_1_OUT_OF_4: + + reader->posCount++; + + if (bit) { + if (reader->posCount == 9) { + reader->posCount = 1; + reader->bitCount = 0; + reader->byteCount = 0; + reader->sum1 = 1; + reader->state = STATE_READER_RECEIVE_DATA_1_OUT_OF_4; + LED_B_ON(); + } else { + // do nothing, keep waiting + } + } else { // unexpected falling edge + DecodeReaderReset(reader); + } + break; + + case STATE_READER_RECEIVE_DATA_1_OUT_OF_4: + + reader->posCount++; + + if (reader->posCount == 1) { + + reader->sum1 = bit ? 1 : 0; + + } else if (reader->posCount <= 4) { + + if (bit) + reader->sum1++; + + } else if (reader->posCount == 5) { + + reader->sum2 = bit ? 1 : 0; + + } else { + if (bit) + reader->sum2++; + } + + if (reader->posCount == 8) { + reader->posCount = 0; + if (reader->sum1 <= 1 && reader->sum2 >= 3) { // EOF + LED_B_OFF(); // Finished receiving + DecodeReaderReset(reader); + if (reader->byteCount != 0) { + return true; + } + + } else if (reader->sum1 >= 3 && reader->sum2 <= 1) { // detected a 2bit position + reader->shiftReg >>= 2; + reader->shiftReg |= (reader->bitCount << 6); + } + + if (reader->bitCount == 15) { // we have a full byte + + reader->output[reader->byteCount++] = reader->shiftReg; + if (reader->byteCount > reader->byteCountMax) { + // buffer overflow, give up + LED_B_OFF(); + DecodeReaderReset(reader); + } + + reader->bitCount = 0; + reader->shiftReg = 0; + if (reader->byteCount == reader->jam_search_len) { + if (!memcmp(reader->output, reader->jam_search_string, reader->jam_search_len)) { + LED_D_ON(); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_JAM); + reader->state = STATE_READER_RECEIVE_JAMMING; + } + } + + } else { + reader->bitCount++; + } + } + break; + + case STATE_READER_RECEIVE_DATA_1_OUT_OF_256: + + reader->posCount++; + + if (reader->posCount == 1) { + reader->sum1 = bit ? 1 : 0; + } else if (reader->posCount <= 4) { + if (bit) reader->sum1++; + } else if (reader->posCount == 5) { + reader->sum2 = bit ? 1 : 0; + } else if (bit) { + reader->sum2++; + } + + if (reader->posCount == 8) { + reader->posCount = 0; + if (reader->sum1 <= 1 && reader->sum2 >= 3) { // EOF + LED_B_OFF(); // Finished receiving + DecodeReaderReset(reader); + if (reader->byteCount != 0) { + return true; + } + + } else if (reader->sum1 >= 3 && reader->sum2 <= 1) { // detected the bit position + reader->shiftReg = reader->bitCount; + } + + if (reader->bitCount == 255) { // we have a full byte + reader->output[reader->byteCount++] = reader->shiftReg; + if (reader->byteCount > reader->byteCountMax) { + // buffer overflow, give up + LED_B_OFF(); + DecodeReaderReset(reader); + } + + if (reader->byteCount == reader->jam_search_len) { + if (!memcmp(reader->output, reader->jam_search_string, reader->jam_search_len)) { + LED_D_ON(); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_JAM); + reader->state = STATE_READER_RECEIVE_JAMMING; + } + } + } + reader->bitCount++; + } + break; + + case STATE_READER_RECEIVE_JAMMING: + + reader->posCount++; + + if (reader->Coding == CODING_1_OUT_OF_4) { + if (reader->posCount == 7 * 16) { // 7 bits jammed + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SNIFF_AMPLITUDE); // stop jamming + // FpgaDisableTracing(); + LED_D_OFF(); + } else if (reader->posCount == 8 * 16) { + reader->posCount = 0; + reader->output[reader->byteCount++] = 0x00; + reader->state = STATE_READER_RECEIVE_DATA_1_OUT_OF_4; + } + } else { + if (reader->posCount == 7 * 256) { // 7 bits jammend + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SNIFF_AMPLITUDE); // stop jamming + LED_D_OFF(); + } else if (reader->posCount == 8 * 256) { + reader->posCount = 0; + reader->output[reader->byteCount++] = 0x00; + reader->state = STATE_READER_RECEIVE_DATA_1_OUT_OF_256; + } + } + break; + + default: + LED_B_OFF(); + DecodeReaderReset(reader); + break; } - time_stop = GetCountSspClk(); - int k = DemodAnswer(received, buf, counter); - LogTrace(received, k, time_0 << 4, time_stop << 4, NULL, false); - BigBuf_free(); - return k; + return false; +} + +//----------------------------------------------------------------------------- +// Receive a command (from the reader to us, where we are the simulated tag), +// and store it in the given buffer, up to the given maximum length. Keeps +// spinning, waiting for a well-framed command, until either we get one +// (returns len) or someone presses the pushbutton on the board (returns -1). +// +// Assume that we're called with the SSC (to the FPGA) and ADC path set +// correctly. +//----------------------------------------------------------------------------- + +int GetIso15693CommandFromReader(uint8_t *received, size_t max_len, uint32_t *eof_time) { + int samples = 0; + bool gotFrame = false; + + // the decoder data structure + DecodeReader_t *dr = (DecodeReader_t *)BigBuf_malloc(sizeof(DecodeReader_t)); + DecodeReaderInit(dr, received, max_len, 0, NULL); + + // wait for last transfer to complete + while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY)); + + LED_D_OFF(); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION); + + // clear receive register and wait for next transfer + uint32_t temp = AT91C_BASE_SSC->SSC_RHR; + (void) temp; + while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)) ; + + // Setup and start DMA. + dmabuf8_t *dma = get_dma8(); + if (FpgaSetupSscDma(dma->buf, DMA_BUFFER_SIZE) == false) { + if (DBGLEVEL > DBG_ERROR) Dbprintf("FpgaSetupSscDma failed. Exiting"); + return -4; + } + uint8_t *upTo = dma->buf; + + uint32_t dma_start_time = GetCountSspClk() & 0xfffffff8; + + for (;;) { + volatile uint16_t behindBy = ((uint8_t*)AT91C_BASE_PDC_SSC->PDC_RPR - upTo) & (DMA_BUFFER_SIZE - 1); + if (behindBy == 0) continue; + + if (samples == 0) { + // DMA has transferred the very first data + dma_start_time = GetCountSspClk() & 0xfffffff0; + } + + volatile uint8_t b = *upTo++; + if (upTo >= dma->buf + DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content. + upTo = dma->buf; // start reading the circular buffer from the beginning + if (behindBy > (9 * DMA_BUFFER_SIZE / 10)) { + Dbprintf("About to blow circular buffer - aborted! behindBy %d", behindBy); + break; + } + } + if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { // DMA Counter Register had reached 0, already rotated. + AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dma->buf; // refresh the DMA Next Buffer and + AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE; // DMA Next Counter registers + } + + for (int i = 7; i >= 0; i--) { + if (Handle15693SampleFromReader((b >> i) & 0x01, dr)) { + *eof_time = dma_start_time + samples - DELAY_READER_TO_ARM; // end of EOF + gotFrame = true; + break; + } + samples++; + } + + if (gotFrame) { + break; + } + + if (BUTTON_PRESS()) { + dr->byteCount = -1; + break; + } + + WDT_HIT(); + } + + FpgaDisableSscDma(); + + if (DBGLEVEL >= DBG_EXTENDED) { + Dbprintf("samples = %d, gotFrame = %d, Decoder: state = %d, len = %d, bitCount = %d, posCount = %d", + samples, gotFrame, dr->state, dr->byteCount, + dr->bitCount, dr->posCount); + } + + if (dr->byteCount >= 0) { + uint32_t sof_time = *eof_time + - dr->byteCount * (dr->Coding == CODING_1_OUT_OF_4 ? 128 : 2048) // time for byte transfers + - 32 // time for SOF transfer + - 16; // time for EOF transfer + LogTrace_ISO15693(dr->output, dr->byteCount, (sof_time * 32), (*eof_time * 32), NULL, true); + } + + return dr->byteCount; } //----------------------------------------------------------------------------- @@ -492,133 +1165,239 @@ static int GetIso15693AnswerFromSniff(uint8_t *received, int *samples, int *elap // so that it can be downloaded to a PC and processed there. //----------------------------------------------------------------------------- void AcquireRawAdcSamplesIso15693(void) { - int c = 0, getNext = false; - int ci, cq = 0; + LED_A_ON(); + uint8_t *dest = BigBuf_malloc(4000); FpgaDownloadAndGo(FPGA_BITSTREAM_HF); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER); + LED_D_ON(); + FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER); SetAdcMuxFor(GPIO_MUXSEL_HIPKD); - FpgaSetupSsc(); + + uint8_t cmd[5]; + BuildIdentifyRequest(cmd); + CodeIso15693AsReader(cmd, sizeof(cmd)); + + // Give the tags time to energize + SpinDelay(100); // Now send the command - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX); - SpinDelay(200); + tosend_t *ts = get_tosend(); - uint8_t *buf = BigBuf_get_addr(); + uint32_t start_time = 0; + TransmitTo15693Tag(ts->buf, ts->max, &start_time); - uint32_t time_start = GetCountSspClk(); - uint8_t cmd[CMD_ID_RESP] = {0}; - BuildIdentifyRequest(cmd); + // wait for last transfer to complete + while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY)) ; - // sending command - c = 0; - for (;;) { - WDT_HIT(); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_424_KHZ | FPGA_HF_READER_MODE_RECEIVE_AMPLITUDE); - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - AT91C_BASE_SSC->SSC_THR = ToSend[c]; - c++; - if (c == ToSendMax + 3) { - break; - } + for(int c = 0; c < 4000; ) { + if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { + uint16_t r = AT91C_BASE_SSC->SSC_RHR; + dest[c++] = r >> 5; } } - LogTrace(cmd, CMD_ID_RESP, time_start << 4, GetCountSspClk() << 4, NULL, true); - - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR); - - c = 0; - for (;;) { - WDT_HIT(); - - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { - - ci = (int8_t)AT91C_BASE_SSC->SSC_RHR; - ci = ABS(ci); - - // The samples are correlations against I and Q versions of the - // tone that the tag AM-modulates, so every other sample is I, - // every other is Q. We just want power, so abs(I) + abs(Q) is - // close to what we want. - // iceman 2016, amplitude sqrt(abs(i) + abs(q)) - if (getNext) { - - buf[c++] = (uint8_t)(MAX(ci, cq) + (MIN(ci, cq) >> 1)); - - if (c >= 7000) break; - - } else { - cq = ci; - } - getNext = !getNext; - } - } -} - -// switch_off, initreader, no logging -void RecordRawAdcSamplesIso15693(void) { - - int c = 0, getNext = false; - int ci, cq = 0; - - Iso15693InitReader(); - - uint8_t *buf = BigBuf_get_addr(); - - for (;;) { - WDT_HIT(); - - if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { - - ci = (int8_t)AT91C_BASE_SSC->SSC_RHR; - ci = ABS(ci); - // The samples are correlations against I and Q versions of the - // tone that the tag AM-modulates, so every other sample is I, - // every other is Q. We just want power, so abs(I) + abs(Q) is - // close to what we want. - if (getNext) { - - buf[c++] = (uint8_t)(MAX(ci, cq) + (MIN(ci, cq) >> 1)); - - if (c >= 7000) - break; - } else { - cq = ci; - } - - getNext = !getNext; - } - } - - Dbprintf("done"); - switch_off(); -} - -// Initialize the proxmark as iso15k reader -// (this might produces glitches that confuse some tags -void Iso15693InitReader(void) { + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); +} + +void SniffIso15693(uint8_t jam_search_len, uint8_t *jam_search_string) { + + LED_A_ON(); + + FpgaDownloadAndGo(FPGA_BITSTREAM_HF); + + BigBuf_free(); clear_trace(); set_tracing(true); + + DecodeTag_t dtag = {0}; + uint8_t response[ISO15693_MAX_RESPONSE_LENGTH] = {0}; + DecodeTagInit(&dtag, response, sizeof(response)); + DecodeReader_t dreader = {0}; + uint8_t cmd[ISO15693_MAX_COMMAND_LENGTH] = {0}; + DecodeReaderInit(&dreader, cmd, sizeof(cmd), jam_search_len, jam_search_string); + + // The DMA buffer, used to stream samples from the FPGA + dmabuf16_t *dma = get_dma16(); + + Dbprintf("Starting to sniff. Press PM3 Button to stop."); + + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SNIFF_AMPLITUDE); + LED_D_OFF(); + + SetAdcMuxFor(GPIO_MUXSEL_HIPKD); + FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER); + StartCountSspClk(); + + // Setup and start DMA. + if (FpgaSetupSscDma((uint8_t *) dma->buf, DMA_BUFFER_SIZE) == false) { + if (DBGLEVEL > DBG_ERROR) Dbprintf("FpgaSetupSscDma failed. Exiting"); + switch_off(); + return; + } + + bool tag_is_active = false; + bool reader_is_active = false; + bool expect_tag_answer = false; + int dma_start_time = 0; + + // Count of samples received so far, so that we can include timing + int samples = 0; + + uint16_t *upTo = dma->buf; + + for (;;) { + + volatile int behind_by = ((uint16_t*)AT91C_BASE_PDC_SSC->PDC_RPR - upTo) & (DMA_BUFFER_SIZE - 1); + if (behind_by < 1) continue; + + samples++; + if (samples == 1) { + // DMA has transferred the very first data + dma_start_time = GetCountSspClk() & 0xfffffff0; + } + + volatile uint16_t sniffdata = *upTo++; + + // we have read all of the DMA buffer content + if (upTo >= dma->buf + DMA_BUFFER_SIZE) { + + // start reading the circular buffer from the beginning + upTo = dma->buf; + + // DMA Counter Register had reached 0, already rotated. + if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { + + // primary buffer was stopped + if (AT91C_BASE_PDC_SSC->PDC_RCR == false) { + AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dma->buf; + AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE; + } + // secondary buffer sets as primary, secondary buffer was stopped + if (AT91C_BASE_PDC_SSC->PDC_RNCR == false) { + AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dma->buf; + AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE; + } + + WDT_HIT(); + if (BUTTON_PRESS()) { + DbpString("Sniff stopped"); + break; + } + } + } + + // no need to try decoding reader data if the tag is sending + if (tag_is_active == false) { + + if (Handle15693SampleFromReader((sniffdata & 0x02) >> 1, &dreader)) { + + uint32_t eof_time = dma_start_time + (samples * 16) + 8 - DELAY_READER_TO_ARM_SNIFF; // end of EOF + if (dreader.byteCount > 0) { + uint32_t sof_time = eof_time + - dreader.byteCount * (dreader.Coding == CODING_1_OUT_OF_4 ? 128 * 16 : 2048 * 16) // time for byte transfers + - 32 * 16 // time for SOF transfer + - 16 * 16; // time for EOF transfer + LogTrace_ISO15693(dreader.output, dreader.byteCount, (sof_time * 4), (eof_time * 4), NULL, true); + } + // And ready to receive another command. + DecodeReaderReset(&dreader); + DecodeTagReset(&dtag); + reader_is_active = false; + expect_tag_answer = true; + + } else if (Handle15693SampleFromReader(sniffdata & 0x01, &dreader)) { + + uint32_t eof_time = dma_start_time + (samples * 16) + 16 - DELAY_READER_TO_ARM_SNIFF; // end of EOF + if (dreader.byteCount > 0) { + uint32_t sof_time = eof_time + - dreader.byteCount * (dreader.Coding == CODING_1_OUT_OF_4 ? 128 * 16 : 2048 * 16) // time for byte transfers + - 32 * 16 // time for SOF transfer + - 16 * 16; // time for EOF transfer + LogTrace_ISO15693(dreader.output, dreader.byteCount, (sof_time * 4), (eof_time * 4), NULL, true); + } + // And ready to receive another command + DecodeReaderReset(&dreader); + DecodeTagReset(&dtag); + reader_is_active = false; + expect_tag_answer = true; + + } else { + reader_is_active = (dreader.state >= STATE_READER_RECEIVE_DATA_1_OUT_OF_4); + } + } + + if (reader_is_active == false && expect_tag_answer) { // no need to try decoding tag data if the reader is currently sending or no answer expected yet + + if (Handle15693SamplesFromTag(sniffdata >> 2, &dtag)) { + + uint32_t eof_time = dma_start_time + (samples * 16) - DELAY_TAG_TO_ARM_SNIFF; // end of EOF + if (dtag.lastBit == SOF_PART2) { + eof_time -= (8 * 16); // needed 8 additional samples to confirm single SOF (iCLASS) + } + uint32_t sof_time = eof_time + - dtag.len * 8 * 8 * 16 // time for byte transfers + - (32 * 16) // time for SOF transfer + - (dtag.lastBit != SOF_PART2 ? (32 * 16) : 0); // time for EOF transfer + + LogTrace_ISO15693(dtag.output, dtag.len, (sof_time * 4), (eof_time * 4), NULL, false); + // And ready to receive another response. + DecodeTagReset(&dtag); + DecodeReaderReset(&dreader); + expect_tag_answer = false; + tag_is_active = false; + } else { + tag_is_active = (dtag.state >= STATE_TAG_RECEIVING_DATA); + } + } + + } + + FpgaDisableTracing(); + switch_off(); + + DbpString(""); + DbpString(_CYAN_("Sniff statistics")); + DbpString("================================="); + Dbprintf(" DecodeTag State........%d", dtag.state); + Dbprintf(" DecodeTag byteCnt......%d", dtag.len); + Dbprintf(" DecodeTag posCount.....%d", dtag.posCount); + Dbprintf(" DecodeReader State.....%d", dreader.state); + Dbprintf(" DecodeReader byteCnt...%d", dreader.byteCount); + Dbprintf(" DecodeReader posCount..%d", dreader.posCount); + Dbprintf(" Trace length..........." _YELLOW_("%d"), BigBuf_get_traceLen()); + DbpString(""); + +} + +// Initialize Proxmark3 as ISO15693 reader +void Iso15693InitReader(void) { + + LEDsoff(); FpgaDownloadAndGo(FPGA_BITSTREAM_HF); // Start from off (no field generated) FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); SpinDelay(10); + // switch field on + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER); + LED_D_ON(); + + // initialize SSC and select proper AD input + FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER); SetAdcMuxFor(GPIO_MUXSEL_HIPKD); - FpgaSetupSsc(); + set_tracing(true); - // Give the tags time to energize - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR); - SpinDelay(200); + // give tags some time to energize + SpinDelay(250); - // Start the timer StartCountSspClk(); - - LED_A_ON(); } /////////////////////////////////////////////////////////////////////// @@ -626,75 +1405,19 @@ void Iso15693InitReader(void) { // This section basicly contains transmission and receiving of bits /////////////////////////////////////////////////////////////////////// -// Encode (into the ToSend buffers) an identify request, which is the first +// Encode an identify request, which is the first // thing that you must send to a tag to get a response. // It expects "cmdout" to be at least CMD_ID_RESP large -static void BuildIdentifyRequest(uint8_t *cmdout) { - uint8_t cmd[CMD_ID_RESP] = {0, ISO15_CMD_INVENTORY, 0, 0, 0}; +// When READER: +static void BuildIdentifyRequest(uint8_t *cmd) { // flags cmd[0] = ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH | ISO15_REQ_INVENTORY | ISO15_REQINV_SLOT1; + // inventory command code + cmd[1] = ISO15_CMD_INVENTORY; // no mask cmd[2] = 0x00; // CRC AddCrc15(cmd, 3); - // coding as high speed (1 out of 4) - CodeIso15693AsReader(cmd, CMD_ID_RESP); - memcpy(cmdout, cmd, CMD_ID_RESP); -} - -// uid is in transmission order (which is reverse of display order) -/* -static void BuildReadBlockRequest(uint8_t **out, uint8_t *uid, uint8_t blockNumber ) { - uint8_t cmd[CMD_READ_RESP] = {0,0,0,0,0,0,0,0,0,0,0,0,0}; - // If we set the Option_Flag in this request, the VICC will respond with the secuirty status of the block - // followed by teh block data - // one sub-carrier, inventory, 1 slot, fast rate - cmd[0] = (1 << 6)| (1 << 5) | (1 << 1); // no SELECT bit, ADDR bit, OPTION bit - // READ BLOCK command code - cmd[1] = 0x20; - // UID may be optionally specified here - // 64-bit UID - cmd[2] = uid[0]; - cmd[3] = uid[1]; - cmd[4] = uid[2]; - cmd[5] = uid[3]; - cmd[6] = uid[4]; - cmd[7] = uid[5]; - cmd[8] = uid[6]; - cmd[9] = uid[7]; // 0xe0; // always e0 (not exactly unique) - // Block number to read - cmd[10] = blockNumber;//0x00; - // CRC - AddCrc15(cmd, 11); - CodeIso15693AsReader(cmd, CMD_READ_RESP); - memcpy(out, cmd, CMD_ID_RESP); -} -*/ - -// Now the VICC>VCD responses when we are simulating a tag -// It expects "out" to be at least CMD_INV_RESP large -static void BuildInventoryResponse(uint8_t *cmdout, uint8_t *uid) { - - uint8_t cmd[CMD_INV_RESP] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; - - // one sub-carrier, inventory, 1 slot, fast rate - // AFI is at bit 5 (1<<4) when doing an INVENTORY - //(1 << 2) | (1 << 5) | (1 << 1); - cmd[0] = 0; // - cmd[1] = 0; // DSFID (data storage format identifier). 0x00 = not supported - // 64-bit UID - cmd[2] = uid[7]; //0x32; - cmd[3] = uid[6]; //0x4b; - cmd[4] = uid[5]; //0x03; - cmd[5] = uid[4]; //0x01; - cmd[6] = uid[3]; //0x00; - cmd[7] = uid[2]; //0x10; - cmd[8] = uid[1]; //0x05; - cmd[9] = uid[0]; //0xe0; - // CRC - AddCrc15(cmd, 10); - CodeIso15693AsReader(cmd, CMD_INV_RESP); - memcpy(cmdout, cmd, CMD_INV_RESP); } // Universal Method for sending to and recv bytes from a tag @@ -704,36 +1427,46 @@ static void BuildInventoryResponse(uint8_t *cmdout, uint8_t *uid) { // If you do not need the answer use NULL for *recv[] // return: length of received data // logging enabled -static int SendDataTag(uint8_t *send, int sendlen, bool init, int speed, uint8_t *outdata) { +int SendDataTag(uint8_t *send, int sendlen, bool init, bool speed_fast, uint8_t *recv, + uint16_t max_recv_len, uint32_t start_time, uint16_t timeout, uint32_t *eof_time) { - int t_samples = 0, wait = 0, elapsed = 0, answer_len = 0; - - LEDsoff(); - - if (init) Iso15693InitReader(); - - LED_A_ON(); - - if (!speed) - CodeIso15693AsReader256(send, sendlen); // low speed (1 out of 256) - else - CodeIso15693AsReader(send, sendlen); // high speed (1 out of 4) - - LED_A_INV(); - - uint32_t time_start = GetCountSspClk(); - - TransmitTo15693Tag(ToSend, ToSendMax, &t_samples, &wait); - LogTrace(send, sendlen, time_start << 4, GetCountSspClk() << 4, NULL, true); - - // Now wait for a response - if (outdata != NULL) { - LED_B_INV(); - answer_len = GetIso15693AnswerFromTag(outdata, &elapsed); + if (init) { + Iso15693InitReader(); } - LEDsoff(); - return answer_len; + if (speed_fast) { + // high speed (1 out of 4) + CodeIso15693AsReader(send, sendlen); + } else { + // low speed (1 out of 256) + CodeIso15693AsReader256(send, sendlen); + } + + tosend_t *ts = get_tosend(); + TransmitTo15693Tag(ts->buf, ts->max, &start_time); + uint32_t end_time = start_time + 32 * ((8 * ts->max) - 4); // substract the 4 padding bits after EOF + LogTrace_ISO15693(send, sendlen, (start_time * 4), (end_time * 4), NULL, true); + + int res = 0; + if (recv != NULL) { + res = GetIso15693AnswerFromTag(recv, max_recv_len, timeout, eof_time); + } + return res; +} + +int SendDataTagEOF(uint8_t *recv, uint16_t max_recv_len, uint32_t start_time, uint16_t timeout, uint32_t *eof_time) { + + CodeIso15693AsReaderEOF(); + tosend_t *ts = get_tosend(); + TransmitTo15693Tag(ts->buf, ts->max, &start_time); + uint32_t end_time = start_time + 32 * (8 * ts->max - 4); // substract the 4 padding bits after EOF + LogTrace_ISO15693(NULL, 0, (start_time * 4), (end_time * 4), NULL, true); + + int res = 0; + if (recv != NULL) { + res = GetIso15693AnswerFromTag(recv, max_recv_len, timeout, eof_time); + } + return res; } // -------------------------------------------------------------------- @@ -745,10 +1478,13 @@ static int SendDataTag(uint8_t *send, int sendlen, bool init, int speed, uint8_t static void DbdecodeIso15693Answer(int len, uint8_t *d) { if (len > 3) { + char status[DBD15STATLEN + 1] = {0}; - if (d[0] & (1 << 3)) + + if (d[0] & ISO15_RES_EXT) strncat(status, "ProtExt ", DBD15STATLEN - strlen(status)); - if (d[0] & 1) { + + if (d[0] & ISO15_RES_ERROR) { // error strncat(status, "Error ", DBD15STATLEN - strlen(status)); switch (d[1]) { @@ -788,9 +1524,9 @@ static void DbdecodeIso15693Answer(int len, uint8_t *d) { } if (CheckCrc15(d, len)) - strncat(status, "[+] crc OK", DBD15STATLEN - strlen(status)); + strncat(status, "[+] crc (" _GREEN_("OK") ")", DBD15STATLEN - strlen(status)); else - strncat(status, "[!] crc fail", DBD15STATLEN - strlen(status)); + strncat(status, "[!] crc (" _RED_("fail") ")", DBD15STATLEN - strlen(status)); if (DBGLEVEL >= DBG_ERROR) Dbprintf("%s", status); } @@ -807,41 +1543,35 @@ static void DbdecodeIso15693Answer(int len, uint8_t *d) { // ok // parameter is unused !?! void ReaderIso15693(uint32_t parameter) { - int answerLen1 = 0; - int tsamples = 0, wait = 0, elapsed = 0; - // set up device/fpga - Iso15693InitReader(); - uint8_t *answer1 = BigBuf_malloc(50); - uint8_t *answer2 = BigBuf_malloc(50); + LED_A_ON(); + set_tracing(true); - // Blank arrays - memset(answer1, 0x00, 50); - memset(answer2, 0x00, 50); + uint8_t *answer = BigBuf_malloc(ISO15693_MAX_RESPONSE_LENGTH); + memset(answer, 0x00, ISO15693_MAX_RESPONSE_LENGTH); - // Now send the IDENTIFY command // FIRST WE RUN AN INVENTORY TO GET THE TAG UID // THIS MEANS WE CAN PRE-BUILD REQUESTS TO SAVE CPU TIME - uint32_t time_start = GetCountSspClk(); - uint8_t cmd[CMD_ID_RESP] = {0}; - BuildIdentifyRequest(cmd); - TransmitTo15693Tag(ToSend, ToSendMax, &tsamples, &wait); - LogTrace(cmd, CMD_ID_RESP, time_start << 4, GetCountSspClk() << 4, NULL, true); - // Now wait for a response - answerLen1 = GetIso15693AnswerFromTag(answer1, &elapsed) ; + // Send the IDENTIFY command + uint8_t cmd[5] = {0}; + BuildIdentifyRequest(cmd); + uint32_t start_time = 0; + uint32_t eof_time; + int answerLen = SendDataTag(cmd, sizeof(cmd), true, true, answer, ISO15693_MAX_RESPONSE_LENGTH, start_time, ISO15693_READER_TIMEOUT, &eof_time); + start_time = eof_time + DELAY_ISO15693_VICC_TO_VCD_READER; // we should do a better check than this - if (answerLen1 >= 12) { + if (answerLen >= 12) { uint8_t uid[8]; - uid[0] = answer1[9]; // always E0 - uid[1] = answer1[8]; // IC Manufacturer code - uid[2] = answer1[7]; - uid[3] = answer1[6]; - uid[4] = answer1[5]; - uid[5] = answer1[4]; - uid[6] = answer1[3]; - uid[7] = answer1[2]; + uid[0] = answer[9]; // always E0 + uid[1] = answer[8]; // IC Manufacturer code + uid[2] = answer[7]; + uid[3] = answer[6]; + uid[4] = answer[5]; + uid[5] = answer[4]; + uid[6] = answer[3]; + uid[7] = answer[2]; if (DBGLEVEL >= DBG_EXTENDED) { Dbprintf("[+] UID = %02X%02X%02X%02X%02X%02X%02X%02X", @@ -854,82 +1584,138 @@ void ReaderIso15693(uint32_t parameter) { // arg1 = len of response (12 bytes) // arg2 = rtf // asbytes = uid. - reply_old(CMD_ACK, 1, sizeof(uid), 0, uid, sizeof(uid)); + reply_mix(CMD_ACK, 1, sizeof(uid), 0, uid, sizeof(uid)); } if (DBGLEVEL >= DBG_EXTENDED) { - Dbprintf("[+] %d octets read from IDENTIFY request:", answerLen1); - DbdecodeIso15693Answer(answerLen1, answer1); - Dbhexdump(answerLen1, answer1, true); + Dbprintf("[+] %d octets read from IDENTIFY request:", answerLen); + DbdecodeIso15693Answer(answerLen, answer); + Dbhexdump(answerLen, answer, true); } switch_off(); + BigBuf_free(); +} + +// When SIM: initialize the Proxmark3 as ISO15693 tag +void Iso15693InitTag(void) { + + FpgaDownloadAndGo(FPGA_BITSTREAM_HF); + + // Start from off (no field generated) + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + LEDsoff(); + SpinDelay(10); + + // switch simulation FPGA + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION); + + // initialize SSC and select proper AD input + FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR); + SetAdcMuxFor(GPIO_MUXSEL_HIPKD); + + clear_trace(); + set_tracing(true); + + StartCountSspClk(); } // Simulate an ISO15693 TAG, perform anti-collision and then print any reader commands // all demodulation performed in arm rather than host. - greg -void SimTagIso15693(uint32_t parameter, uint8_t *uid) { +void SimTagIso15693(uint8_t *uid) { - LEDsoff(); - FpgaDownloadAndGo(FPGA_BITSTREAM_HF); - SetAdcMuxFor(GPIO_MUXSEL_HIPKD); - FpgaSetupSsc(); - // Start from off (no field generated) - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - SpinDelay(200); + // free eventually allocated BigBuf memory + BigBuf_free_keep_EM(); + + Iso15693InitTag(); LED_A_ON(); - uint32_t time_start; - int samples = 0, tsamples = 0; - int wait = 0, elapsed = 0; - Dbprintf("ISO-15963 Simulating uid: %02X%02X%02X%02X%02X%02X%02X%02X", uid[0], uid[1], uid[2], uid[3], uid[4], uid[5], uid[6], uid[7]); - uint8_t buf[ISO15_MAX_FRAME]; - memset(buf, 0x00, sizeof(buf)); - LED_C_ON(); - // Build a suitable reponse to the reader INVENTORY cocmmand - // not so obsvious, but in the call to BuildInventoryResponse, the command is copied to the global ToSend buffer used below. - uint8_t cmd[CMD_INV_RESP] = {0}; - BuildInventoryResponse(cmd, uid); + // Build INVENTORY command + uint8_t resp_inv[CMD_INV_RESP] = {0}; - while (!BUTTON_PRESS() && !data_available()) { + resp_inv[0] = 0; // No error, no protocol format extension + resp_inv[1] = 0; // DSFID (data storage format identifier). 0x00 = not supported + + // 64-bit UID + resp_inv[2] = uid[7]; + resp_inv[3] = uid[6]; + resp_inv[4] = uid[5]; + resp_inv[5] = uid[4]; + resp_inv[6] = uid[3]; + resp_inv[7] = uid[2]; + resp_inv[8] = uid[1]; + resp_inv[9] = uid[0]; + + // CRC + AddCrc15(resp_inv, 10); + CodeIso15693AsTag(resp_inv, CMD_INV_RESP); + + tosend_t *ts = get_tosend(); + + enum { NO_FIELD, IDLE, ACTIVATED, SELECTED, HALTED } chip_state = NO_FIELD; + + bool button_pressed = false; + int vHf = 0; // in mV + + bool exit_loop = false; + while (exit_loop == false) { WDT_HIT(); - // Listen to reader - int ans = GetIso15693AnswerFromSniff(buf, &samples, &elapsed) ; + // find reader field + if (chip_state == NO_FIELD) { - // we should do a better check than this - if (ans >= 1) { - - time_start = GetCountSspClk(); - TransmitTo15693Reader(ToSend, ToSendMax, &tsamples, &wait); - LogTrace(cmd, CMD_INV_RESP, time_start << 4, GetCountSspClk() << 4, NULL, true); - - if (DBGLEVEL >= DBG_EXTENDED) { - Dbprintf("[+] %d octets read from reader command: %x %x %x %x %x %x %x %x", ans, - buf[0], buf[1], buf[2], buf[3], - buf[4], buf[5], buf[6], buf[7] - ); +#if defined RDV4 + vHf = (MAX_ADC_HF_VOLTAGE_RDV40 * SumAdc(ADC_CHAN_HF_RDV40, 32)) >> 15; +#else + vHf = (MAX_ADC_HF_VOLTAGE * SumAdc(ADC_CHAN_HF, 32)) >> 15; +#endif + if (vHf > MF_MINFIELDV) { + chip_state = IDLE; + LED_A_ON(); + } else { + continue; } } + + // Listen to reader + uint8_t cmd[ISO15693_MAX_COMMAND_LENGTH]; + uint32_t reader_eof_time = 0; + int cmd_len = GetIso15693CommandFromReader(cmd, sizeof(cmd), &reader_eof_time); + if (cmd_len < 0) { + Dbprintf("button pressed, exiting"); + button_pressed = true; + exit_loop = true; + break; + } + + // TODO: check more flags + if ((cmd_len >= 5) && (cmd[0] & ISO15_REQ_INVENTORY) && (cmd[1] == ISO15_CMD_INVENTORY)) { + bool slow = !(cmd[0] & ISO15_REQ_DATARATE_HIGH); + uint32_t response_time = reader_eof_time + DELAY_ISO15693_VCD_TO_VICC_SIM; + TransmitTo15693Reader(ts->buf, ts->max, &response_time, 0, slow); + LogTrace_ISO15693(resp_inv, CMD_INV_RESP, response_time * 32, (response_time * 32) + (ts->max * 32 * 64), NULL, false); + + chip_state = SELECTED; + } } + switch_off(); + + if (button_pressed) + DbpString("button pressed"); } // Since there is no standardized way of reading the AFI out of a tag, we will brute force it // (some manufactures offer a way to read the AFI, though) void BruteforceIso15693Afi(uint32_t speed) { - uint8_t data[7] = {0, 0, 0, 0, 0, 0, 0}; - uint8_t buf[ISO15_MAX_FRAME]; - memset(buf, 0x00, sizeof(buf)); - int datalen = 0, recvlen = 0; - bool aborted = false; - + uint8_t data[7] = {0}; + uint8_t recv[ISO15693_MAX_RESPONSE_LENGTH]; Iso15693InitReader(); // first without AFI @@ -939,31 +1725,40 @@ void BruteforceIso15693Afi(uint32_t speed) { data[1] = ISO15_CMD_INVENTORY; data[2] = 0; // AFI AddCrc15(data, 3); - datalen = 5; - recvlen = SendDataTag(data, datalen, false, speed, buf); + + int datalen = 5; + uint32_t eof_time = 0; + uint32_t start_time = GetCountSspClk(); + int recvlen = SendDataTag(data, datalen, true, speed, recv, sizeof(recv), 0, ISO15693_READER_TIMEOUT, &eof_time); + start_time = eof_time + DELAY_ISO15693_VICC_TO_VCD_READER; WDT_HIT(); if (recvlen >= 12) { - Dbprintf("NoAFI UID = %s", iso15693_sprintUID(NULL, buf + 2)); + Dbprintf("NoAFI UID = %s", iso15693_sprintUID(NULL, recv + 2)); } // now with AFI data[0] |= ISO15_REQINV_AFI; - //data[1] = ISO15_CMD_INVENTORY; data[2] = 0; // AFI data[3] = 0; // mask length // 4 + 2crc datalen = 6; + bool aborted = false; for (uint16_t i = 0; i < 256; i++) { + data[2] = i & 0xFF; AddCrc15(data, 4); - recvlen = SendDataTag(data, datalen, false, speed, buf); + + recvlen = SendDataTag(data, datalen, false, speed, recv, sizeof(recv), start_time, ISO15693_READER_TIMEOUT, &eof_time); + start_time = eof_time + DELAY_ISO15693_VICC_TO_VCD_READER; + WDT_HIT(); + if (recvlen >= 12) { - Dbprintf("AFI = %i UID = %s", i, iso15693_sprintUID(NULL, buf + 2)); + Dbprintf("AFI = %i UID = %s", i, iso15693_sprintUID(NULL, recv + 2)); } aborted = BUTTON_PRESS(); @@ -985,34 +1780,126 @@ void BruteforceIso15693Afi(uint32_t speed) { } // Allows to directly send commands to the tag via the client -// Has to increase dialog between device and client. +// OBS: doesn't turn off rf field afterwards. void DirectTag15693Command(uint32_t datalen, uint32_t speed, uint32_t recv, uint8_t *data) { - bool init = true; - int buflen = 0; - uint8_t buf[ISO15_MAX_FRAME]; - memset(buf, 0x00, sizeof(buf)); + LED_A_ON(); + + int recvlen = 0; + uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH]; + uint32_t eof_time; + uint16_t timeout; + bool request_answer = false; + + switch (data[1]) { + case ISO15_CMD_WRITE: + case ISO15_CMD_LOCK: + case ISO15_CMD_WRITEMULTI: + case ISO15_CMD_WRITEAFI: + case ISO15_CMD_LOCKAFI: + case ISO15_CMD_WRITEDSFID: + case ISO15_CMD_LOCKDSFID: + timeout = ISO15693_READER_TIMEOUT_WRITE; + request_answer = data[0] & ISO15_REQ_OPTION; + break; + default: + timeout = ISO15693_READER_TIMEOUT; + } if (DBGLEVEL >= DBG_EXTENDED) { - DbpString("[+] SEND"); - Dbhexdump(datalen, data, true); + Dbprintf("SEND:"); + Dbhexdump(datalen, data, false); } - buflen = SendDataTag(data, datalen, init, speed, (recv ? buf : NULL)); + recvlen = SendDataTag(data, datalen, true, speed, (recv ? recvbuf : NULL), sizeof(recvbuf), 0, timeout, &eof_time); + + // send a single EOF to get the tag response + if (request_answer) { + recvlen = SendDataTagEOF((recv ? recvbuf : NULL), sizeof(recvbuf), 0, ISO15693_READER_TIMEOUT, &eof_time); + } + + // for the time being, switch field off to protect rdv4.0 + // note: this prevents using hf 15 cmd with s option - which isn't implemented yet anyway + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + LED_D_OFF(); if (recv) { - buflen = (buflen > ISO15_MAX_FRAME) ? ISO15_MAX_FRAME : buflen; - LED_B_ON(); - reply_old(CMD_ACK, buflen, 0, 0, buf, buflen); - LED_B_OFF(); + if (recvlen > ISO15693_MAX_RESPONSE_LENGTH) { + recvlen = ISO15693_MAX_RESPONSE_LENGTH; + } + reply_mix(CMD_ACK, recvlen, 0, 0, recvbuf, ISO15693_MAX_RESPONSE_LENGTH); if (DBGLEVEL >= DBG_EXTENDED) { - DbpString("[+] RECV"); - DbdecodeIso15693Answer(buflen, buf); - Dbhexdump(buflen, buf, true); + Dbprintf("RECV:"); + if (recvlen > 0) { + Dbhexdump(recvlen, recvbuf, false); + DbdecodeIso15693Answer(recvlen, recvbuf); + } } } else { - reply_old(CMD_ACK, 1, 0, 0, 0, 0); + reply_mix(CMD_ACK, 1, 0, 0, 0, 0); } } + + +//----------------------------------------------------------------------------- +// Work with "magic Chinese" card. +// +//----------------------------------------------------------------------------- + +// Set the UID on Magic ISO15693 tag (based on Iceman's LUA-script). +void SetTag15693Uid(uint8_t *uid) { + + LED_A_ON(); + + uint8_t cmd[4][9] = { + {ISO15_REQ_DATARATE_HIGH, ISO15_CMD_WRITE, 0x3e, 0x00, 0x00, 0x00, 0x00}, + {ISO15_REQ_DATARATE_HIGH, ISO15_CMD_WRITE, 0x3f, 0x69, 0x96, 0x00, 0x00}, + {ISO15_REQ_DATARATE_HIGH, ISO15_CMD_WRITE, 0x38}, + {ISO15_REQ_DATARATE_HIGH, ISO15_CMD_WRITE, 0x39} + }; + + int recvlen = 0; + uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH]; + uint32_t eof_time; + + // Command 3 : 022138u8u7u6u5 (where uX = uid byte X) + cmd[2][3] = uid[7]; + cmd[2][4] = uid[6]; + cmd[2][5] = uid[5]; + cmd[2][6] = uid[4]; + + // Command 4 : 022139u4u3u2u1 (where uX = uid byte X) + cmd[3][3] = uid[3]; + cmd[3][4] = uid[2]; + cmd[3][5] = uid[1]; + cmd[3][6] = uid[0]; + + AddCrc15(cmd[0], 7); + AddCrc15(cmd[1], 7); + AddCrc15(cmd[2], 7); + AddCrc15(cmd[3], 7); + + uint32_t start_time = 0; + + for (int i = 0; i < 4; i++) { + + recvlen = SendDataTag(cmd[i], sizeof(cmd[i]), i == 0 ? true : false, true, recvbuf, sizeof(recvbuf), start_time, ISO15693_READER_TIMEOUT_WRITE, &eof_time); + start_time = eof_time + DELAY_ISO15693_VICC_TO_VCD_READER; + + if (DBGLEVEL >= DBG_EXTENDED) { + Dbprintf("SEND:"); + Dbhexdump(sizeof(cmd[i]), cmd[i], false); + Dbprintf("RECV:"); + if (recvlen > 0) { + Dbhexdump(recvlen, recvbuf, false); + DbdecodeIso15693Answer(recvlen, recvbuf); + } + } + } + + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + LEDsoff(); + reply_mix(CMD_ACK, recvlen, 0, 0, recvbuf, recvlen); +} diff --git a/armsrc/iso15693.h b/armsrc/iso15693.h index 2233ba9fd..d650ab0ef 100644 --- a/armsrc/iso15693.h +++ b/armsrc/iso15693.h @@ -12,15 +12,41 @@ #define __ISO15693_H #include "common.h" - #include "pm3_cmd.h" // struct + -void RecordRawAdcSamplesIso15693(void); +// Delays in SSP_CLK ticks. +// SSP_CLK runs at 13,56MHz / 32 = 423.75kHz when simulating a tag +#define DELAY_ISO15693_VCD_TO_VICC_SIM 132 // 132/423.75kHz = 311.5us from end of command EOF to start of tag response + +//SSP_CLK runs at 13.56MHz / 4 = 3,39MHz when acting as reader. All values should be multiples of 16 +#define DELAY_ISO15693_VCD_TO_VICC_READER 1056 // 1056/3,39MHz = 311.5us from end of command EOF to start of tag response +#define DELAY_ISO15693_VICC_TO_VCD_READER 1024 // 1024/3.39MHz = 302.1us between end of tag response and next reader command + +void Iso15693InitReader(void); +void Iso15693InitTag(void); +void CodeIso15693AsReader(uint8_t *cmd, int n); +void CodeIso15693AsTag(uint8_t *cmd, size_t len); + +void TransmitTo15693Reader(const uint8_t *cmd, size_t len, uint32_t *start_time, uint32_t slot_time, bool slow); +int GetIso15693CommandFromReader(uint8_t *received, size_t max_len, uint32_t *eof_time); +void TransmitTo15693Tag(const uint8_t *cmd, int len, uint32_t *start_time); +int GetIso15693AnswerFromTag(uint8_t* response, uint16_t max_len, uint16_t timeout, uint32_t *eof_time); + +//void RecordRawAdcSamplesIso15693(void); void AcquireRawAdcSamplesIso15693(void); void ReaderIso15693(uint32_t parameter); // Simulate an ISO15693 reader - greg -void SimTagIso15693(uint32_t parameter, uint8_t *uid); // simulate an ISO15693 tag - greg +void SimTagIso15693(uint8_t *uid); // simulate an ISO15693 tag - greg void BruteforceIso15693Afi(uint32_t speed); // find an AFI of a tag - atrox void DirectTag15693Command(uint32_t datalen, uint32_t speed, uint32_t recv, uint8_t *data); // send arbitrary commands from CLI - atrox void Iso15693InitReader(void); +void SniffIso15693(uint8_t jam_search_len, uint8_t *jam_search_string); + +int SendDataTag(uint8_t *send, int sendlen, bool init, bool speed_fast, uint8_t *recv, + uint16_t max_recv_len, uint32_t start_time, uint16_t timeout, uint32_t *eof_time); + +int SendDataTagEOF(uint8_t *recv, uint16_t max_recv_len, uint32_t start_time, uint16_t timeout, uint32_t *eof_time); + +void SetTag15693Uid(uint8_t *uid); #endif diff --git a/armsrc/legicrf.c b/armsrc/legicrf.c index 21b0c0a42..1d2693347 100644 --- a/armsrc/legicrf.c +++ b/armsrc/legicrf.c @@ -152,7 +152,7 @@ static void tx_bit(bool bit) { //----------------------------------------------------------------------------- static void tx_frame(uint32_t frame, uint8_t len) { - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_FULL_MOD); // wait for next tx timeslot last_frame_end += RWD_FRAME_WAIT; @@ -180,9 +180,7 @@ static void tx_frame(uint32_t frame, uint8_t len) { } static uint32_t rx_frame(uint8_t len) { - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR - | FPGA_HF_READER_RX_XCORR_848_KHZ - | FPGA_HF_READER_RX_XCORR_QUARTER); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_212_KHZ | FPGA_HF_READER_MODE_RECEIVE_IQ); // hold sampling until card is expected to respond last_frame_end += TAG_FRAME_WAIT; @@ -210,9 +208,7 @@ static uint32_t rx_frame(uint8_t len) { static bool rx_ack(void) { // change fpga into rx mode - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR - | FPGA_HF_READER_RX_XCORR_848_KHZ - | FPGA_HF_READER_RX_XCORR_QUARTER); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_212_KHZ | FPGA_HF_READER_MODE_RECEIVE_IQ); // hold sampling until card is expected to respond last_frame_end += TAG_FRAME_WAIT; @@ -279,14 +275,12 @@ static int init_card(uint8_t cardtype, legic_card_select_t *p_card) { static void init_reader(bool clear_mem) { // configure FPGA FpgaDownloadAndGo(FPGA_BITSTREAM_HF); - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR - | FPGA_HF_READER_RX_XCORR_848_KHZ - | FPGA_HF_READER_RX_XCORR_QUARTER); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_212_KHZ | FPGA_HF_READER_MODE_RECEIVE_IQ); SetAdcMuxFor(GPIO_MUXSEL_HIPKD); LED_A_ON(); // configure SSC with defaults - FpgaSetupSsc(); + FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER); // re-claim GPIO_SSC_DOUT as GPIO and enable output AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT; diff --git a/armsrc/legicrfsim.c b/armsrc/legicrfsim.c index 35eefc56c..2ca65f54a 100644 --- a/armsrc/legicrfsim.c +++ b/armsrc/legicrfsim.c @@ -303,12 +303,11 @@ static int32_t init_card(uint8_t cardtype, legic_card_select_t *p_card) { static void init_tag(void) { // configure FPGA FpgaDownloadAndGo(FPGA_BITSTREAM_HF); - FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR - | FPGA_HF_SIMULATOR_MODULATE_212K); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_212K); SetAdcMuxFor(GPIO_MUXSEL_HIPKD); // configure SSC with defaults - FpgaSetupSsc(); + FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR); // first pull output to low to prevent glitches then re-claim GPIO_SSC_DOUT LOW(GPIO_SSC_DOUT); diff --git a/armsrc/lfadc.c b/armsrc/lfadc.c index 8c453bdc9..2c46f5581 100644 --- a/armsrc/lfadc.c +++ b/armsrc/lfadc.c @@ -181,7 +181,7 @@ void lf_init(bool reader, bool simulate) { SetAdcMuxFor(GPIO_MUXSEL_LOPKD); // Now set up the SSC to get the ADC samples that are now streaming at us. - FpgaSetupSsc(); + FpgaSetupSsc(FPGA_MAJOR_MODE_LF_READER); // When in reader mode, give the field a bit of time to settle. // 313T0 = 313 * 8us = 2504us = 2.5ms Hitag2 tags needs to be fully powered. diff --git a/armsrc/lfops.c b/armsrc/lfops.c index 7e907da09..4a9373cec 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c @@ -678,7 +678,7 @@ void AcquireTiType(void) { AT91C_BASE_SSC->SSC_TCMR = 0; // Transmit Frame Mode Register AT91C_BASE_SSC->SSC_TFMR = 0; - // iceman, FpgaSetupSsc() ?? the code above? can it be replaced? + // iceman, FpgaSetupSsc(FPGA_MAJOR_MODE_LF_READER) ?? the code above? can it be replaced? LED_D_ON(); // modulate antenna @@ -721,7 +721,7 @@ void AcquireTiType(void) { } // reset SSC - FpgaSetupSsc(); + FpgaSetupSsc(FPGA_MAJOR_MODE_LF_READER); } // arguments: 64bit data split into 32bit idhi:idlo and optional 16bit crc @@ -2597,24 +2597,35 @@ void Cotag(uint32_t arg0) { LFSetupFPGAForADC(LF_FREQ2DIV(132), true); //clear buffer now so it does not interfere with timing later + BigBuf_free(); BigBuf_Clear_ext(false); //send COTAG start pulse +/* ON(740) OFF(2035) ON(3330) OFF(2035) ON(740) OFF(2035) ON(1000) +*/ + + ON(800) OFF(2200) + ON(3600) OFF(2200) + ON(800) OFF(2200) + ON(3400) + + FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_FREQ2DIV(125)); switch (rawsignal) { case 0: - doCotagAcquisition(40000); + doCotagAcquisition(); break; case 1: doCotagAcquisitionManchester(); break; - case 2: + case 2: { DoAcquisition_config(false, 0); break; + } } // Turn the field off diff --git a/armsrc/lfsampling.c b/armsrc/lfsampling.c index f77084b3d..aaf7ec86c 100644 --- a/armsrc/lfsampling.c +++ b/armsrc/lfsampling.c @@ -51,11 +51,11 @@ void printConfig(void) { } void printSamples(void) { - DbpString(_CYAN_("LF Sampling memory")); - Dbprintf(" decimation counter.....%d ", samples.dec_counter); - Dbprintf(" sum.....%u ", samples.sum); - Dbprintf(" counter.....%u ", samples.counter); - Dbprintf(" total saved.....%u ", samples.total_saved); + DbpString(_CYAN_("LF Sampling memory usage")); +// Dbprintf(" decimation counter...%d", samples.dec_counter); +// Dbprintf(" sum..................%u", samples.sum); + Dbprintf(" counter.............." _YELLOW_("%u"), samples.counter); + Dbprintf(" total saved.........." _YELLOW_("%u"), samples.total_saved); print_stack_usage(); } @@ -241,7 +241,7 @@ void LFSetupFPGAForADC(int divisor, bool reader_field) { SpinDelay(50); // Now set up the SSC to get the ADC samples that are now streaming at us. - FpgaSetupSsc(); + FpgaSetupSsc(FPGA_MAJOR_MODE_LF_READER); // start a 1.5ticks is 1us StartTicks(); @@ -480,19 +480,19 @@ void doT55x7Acquisition(size_t sample_size) { #define COTAG_T1 384 #define COTAG_T2 (COTAG_T1>>1) -#define COTAG_ONE_THRESHOLD 128+10 -#define COTAG_ZERO_THRESHOLD 128-10 +#define COTAG_ONE_THRESHOLD 128+5 +#define COTAG_ZERO_THRESHOLD 128-5 #ifndef COTAG_BITS #define COTAG_BITS 264 #endif -void doCotagAcquisition(size_t sample_size) { +void doCotagAcquisition() { uint8_t *dest = BigBuf_get_addr(); - uint16_t bufsize = MIN(sample_size, BigBuf_max_traceLen()); + uint16_t bufsize = BigBuf_max_traceLen(); dest[0] = 0; uint8_t firsthigh = 0, firstlow = 0; - uint16_t i = 0, noise_counter = 0, checker = 0; + uint16_t i = 0, noise_counter = 0; if (DBGLEVEL >= DBG_DEBUG) { Dbprintf("doCotagAcquisition - after init"); @@ -504,21 +504,8 @@ void doCotagAcquisition(size_t sample_size) { if (BUTTON_PRESS()) break; - if (checker == 4000) { - if (data_available()) - break; - else - checker = 0; - } else { - ++checker; - } - WDT_HIT(); - if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) { - LED_D_ON(); - } - if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) { volatile uint8_t sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; @@ -551,9 +538,13 @@ void doCotagAcquisition(size_t sample_size) { } } + Dbprintf("doCotagAcquisition - %u high %u == 1 low %u == 1", i, firsthigh, firstlow); + // Ensure that DC offset removal and noise check is performed for any device-side processing removeSignalOffset(dest, bufsize); + printSamples(); computeSignalProperties(dest, bufsize); + printSamples(); } uint32_t doCotagAcquisitionManchester(void) { @@ -565,7 +556,7 @@ uint32_t doCotagAcquisitionManchester(void) { uint8_t firsthigh = 0, firstlow = 0; uint8_t curr = 0, prev = 0; uint16_t sample_counter = 0, period = 0; - uint16_t noise_counter = 0, checker = 0; + uint16_t noise_counter = 0; if (DBGLEVEL >= DBG_DEBUG) { Dbprintf("doCotagAcquisitionManchester - after init"); @@ -576,15 +567,6 @@ uint32_t doCotagAcquisitionManchester(void) { if (BUTTON_PRESS()) break; - - if (checker == 4000) { - if ( data_available()) - break; - else - checker = 0; - } else { - ++checker; - } WDT_HIT(); diff --git a/armsrc/lfsampling.h b/armsrc/lfsampling.h index 9b8c4c6b1..28721f6ca 100644 --- a/armsrc/lfsampling.h +++ b/armsrc/lfsampling.h @@ -21,7 +21,7 @@ typedef struct { * acquisition of Cotag LF signal. Similar to other LF, since the Cotag has such long datarate RF/384 * and is Manchester?, we directly gather the manchester data into bigbuff **/ -void doCotagAcquisition(size_t sample_size); +void doCotagAcquisition(void); uint32_t doCotagAcquisitionManchester(void); /** diff --git a/armsrc/optimized_cipher.c b/armsrc/optimized_cipher.c index 0f762a8d6..98c2034e2 100644 --- a/armsrc/optimized_cipher.c +++ b/armsrc/optimized_cipher.c @@ -77,7 +77,15 @@ -- piwi 2019 **/ +/** + add the possibility to do iCLASS on device only + -- iceman 2020 +**/ + #include "optimized_cipher.h" +#include "optimized_elite.h" +#include "optimized_ikeys.h" +#include "optimized_cipherutils.h" static const uint8_t opt_select_LUT[256] = { 00, 03, 02, 01, 02, 03, 00, 01, 04, 07, 07, 04, 06, 07, 05, 04, @@ -241,11 +249,34 @@ static void opt_MAC(uint8_t *k, uint8_t *input, uint8_t *out) { opt_output(k, &_init, out); } +static void opt_MAC_N(uint8_t *k, uint8_t *input, uint8_t in_size, uint8_t *out) { + State _init = { + ((k[0] ^ 0x4c) + 0xEC) & 0xFF,// l + ((k[0] ^ 0x4c) + 0x21) & 0xFF,// r + 0x4c, // b + 0xE012 // t + }; + + opt_suc(k, &_init, input, in_size, false); + opt_output(k, &_init, out); +} + void opt_doReaderMAC(uint8_t *cc_nr_p, uint8_t *div_key_p, uint8_t mac[4]) { uint8_t dest [] = {0, 0, 0, 0, 0, 0, 0, 0}; opt_MAC(div_key_p, cc_nr_p, dest); memcpy(mac, dest, 4); - return; +} + +void opt_doReaderMAC_2(State _init, uint8_t *nr, uint8_t mac[4], const uint8_t *div_key_p) { + opt_suc(div_key_p, &_init, nr, 4, false); + opt_output(div_key_p, &_init, mac); +} + + +void doMAC_N(uint8_t *in_p, uint8_t in_size, uint8_t *div_key_p, uint8_t mac[4]) { + uint8_t dest [] = {0, 0, 0, 0, 0, 0, 0, 0}; + opt_MAC_N(div_key_p, in_p, in_size, dest); + memcpy(mac, dest, 4); } void opt_doTagMAC(uint8_t *cc_p, const uint8_t *div_key_p, uint8_t mac[4]) { @@ -257,7 +288,6 @@ void opt_doTagMAC(uint8_t *cc_p, const uint8_t *div_key_p, uint8_t mac[4]) { }; opt_suc(div_key_p, &_init, cc_p, 12, true); opt_output(div_key_p, &_init, mac); - return; } /** @@ -291,5 +321,24 @@ State opt_doTagMAC_1(uint8_t *cc_p, const uint8_t *div_key_p) { void opt_doTagMAC_2(State _init, uint8_t *nr, uint8_t mac[4], const uint8_t *div_key_p) { opt_suc(div_key_p, &_init, nr, 4, true); opt_output(div_key_p, &_init, mac); - return; +} + + +void iclass_calc_div_key(uint8_t *csn, uint8_t *key, uint8_t *div_key, bool elite) { + if (elite) { + uint8_t keytable[128] = {0}; + uint8_t key_index[8] = {0}; + uint8_t key_sel[8] = { 0 }; + uint8_t key_sel_p[8] = { 0 }; + hash2(key, keytable); + hash1(csn, key_index); + for (uint8_t i = 0; i < 8 ; i++) + key_sel[i] = keytable[key_index[i]]; + + //Permute from iclass format to standard format + permutekey_rev(key_sel, key_sel_p); + diversifyKey(csn, key_sel_p, div_key); + } else { + diversifyKey(csn, key, div_key); + } } diff --git a/armsrc/optimized_cipher.h b/armsrc/optimized_cipher.h index c6df25ab8..587f6b7a6 100644 --- a/armsrc/optimized_cipher.h +++ b/armsrc/optimized_cipher.h @@ -21,6 +21,9 @@ typedef struct { /** The reader MAC is MAC(key, CC * NR ) **/ void opt_doReaderMAC(uint8_t *cc_nr_p, uint8_t *div_key_p, uint8_t mac[4]); + +void opt_doReaderMAC_2(State _init, uint8_t *nr, uint8_t mac[4], const uint8_t *div_key_p); + /** * The tag MAC is MAC(key, CC * NR * 32x0)) */ @@ -46,4 +49,6 @@ State opt_doTagMAC_1(uint8_t *cc_p, const uint8_t *div_key_p); */ void opt_doTagMAC_2(State _init, uint8_t *nr, uint8_t mac[4], const uint8_t *div_key_p); +void doMAC_N(uint8_t *in_p, uint8_t in_size, uint8_t *div_key_p, uint8_t mac[4]); +void iclass_calc_div_key(uint8_t *csn, uint8_t *key, uint8_t *div_key, bool elite); #endif // OPTIMIZED_CIPHER_H diff --git a/armsrc/optimized_cipherutils.c b/armsrc/optimized_cipherutils.c new file mode 100644 index 000000000..c51f83f9b --- /dev/null +++ b/armsrc/optimized_cipherutils.c @@ -0,0 +1,140 @@ +/***************************************************************************** + * WARNING + * + * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. + * + * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL + * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, + * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. + * + * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. + * + ***************************************************************************** + * + * This file is part of loclass. It is a reconstructon of the cipher engine + * used in iClass, and RFID techology. + * + * The implementation is based on the work performed by + * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and + * Milosch Meriac in the paper "Dismantling IClass". + * + * Copyright (C) 2014 Martin Holst Swende + * + * This is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as published + * by the Free Software Foundation, or, at your option, any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with loclass. If not, see . + * + * + ****************************************************************************/ +#include "optimized_cipherutils.h" +#include + +/** + * + * @brief Return and remove the first bit (x0) in the stream : + * @param stream + * @return + */ +bool headBit(BitstreamIn *stream) { + int bytepos = stream->position >> 3; // divide by 8 + int bitpos = (stream->position++) & 7; // mask out 00000111 + return (*(stream->buffer + bytepos) >> (7 - bitpos)) & 1; +} +/** + * @brief Return and remove the last bit (xn) in the stream: + * @param stream + * @return + */ +bool tailBit(BitstreamIn *stream) { + int bitpos = stream->numbits - 1 - (stream->position++); + + int bytepos = bitpos >> 3; + bitpos &= 7; + return (*(stream->buffer + bytepos) >> (7 - bitpos)) & 1; +} +/** + * @brief Pushes bit onto the stream + * @param stream + * @param bit + */ +void pushBit(BitstreamOut *stream, bool bit) { + int bytepos = stream->position >> 3; // divide by 8 + int bitpos = stream->position & 7; + *(stream->buffer + bytepos) |= (bit) << (7 - bitpos); + stream->position++; + stream->numbits++; +} + +/** + * @brief Pushes the lower six bits onto the stream + * as b0 b1 b2 b3 b4 b5 b6 + * @param stream + * @param bits + */ +void push6bits(BitstreamOut *stream, uint8_t bits) { + pushBit(stream, bits & 0x20); + pushBit(stream, bits & 0x10); + pushBit(stream, bits & 0x08); + pushBit(stream, bits & 0x04); + pushBit(stream, bits & 0x02); + pushBit(stream, bits & 0x01); +} + +/** + * @brief bitsLeft + * @param stream + * @return number of bits left in stream + */ +int bitsLeft(BitstreamIn *stream) { + return stream->numbits - stream->position; +} +/** + * @brief numBits + * @param stream + * @return Number of bits stored in stream + */ +void x_num_to_bytes(uint64_t n, size_t len, uint8_t *dest) { + while (len--) { + dest[len] = (uint8_t) n; + n >>= 8; + } +} + +uint64_t x_bytes_to_num(uint8_t *src, size_t len) { + uint64_t num = 0; + while (len--) { + num = (num << 8) | (*src); + src++; + } + return num; +} + +uint8_t reversebytes(uint8_t b) { + b = (b & 0xF0) >> 4 | (b & 0x0F) << 4; + b = (b & 0xCC) >> 2 | (b & 0x33) << 2; + b = (b & 0xAA) >> 1 | (b & 0x55) << 1; + return b; +} + +void reverse_arraybytes(uint8_t *arr, size_t len) { + uint8_t i; + for (i = 0; i < len ; i++) { + arr[i] = reversebytes(arr[i]); + } +} + +void reverse_arraycopy(uint8_t *arr, uint8_t *dest, size_t len) { + uint8_t i; + for (i = 0; i < len ; i++) { + dest[i] = reversebytes(arr[i]); + } +} + diff --git a/armsrc/optimized_cipherutils.h b/armsrc/optimized_cipherutils.h new file mode 100644 index 000000000..63ba8b8aa --- /dev/null +++ b/armsrc/optimized_cipherutils.h @@ -0,0 +1,66 @@ +/***************************************************************************** + * WARNING + * + * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. + * + * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL + * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, + * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. + * + * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. + * + ***************************************************************************** + * + * This file is part of loclass. It is a reconstructon of the cipher engine + * used in iClass, and RFID techology. + * + * The implementation is based on the work performed by + * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and + * Milosch Meriac in the paper "Dismantling IClass". + * + * Copyright (C) 2014 Martin Holst Swende + * + * This is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as published + * by the Free Software Foundation, or, at your option, any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with loclass. If not, see . + * + * + ****************************************************************************/ +#ifndef CIPHERUTILS_H +#define CIPHERUTILS_H +#include +#include +#include + +typedef struct { + uint8_t *buffer; + uint8_t numbits; + uint8_t position; +} BitstreamIn; + +typedef struct { + uint8_t *buffer; + uint8_t numbits; + uint8_t position; +} BitstreamOut; + +bool headBit(BitstreamIn *stream); +bool tailBit(BitstreamIn *stream); +void pushBit(BitstreamOut *stream, bool bit); +int bitsLeft(BitstreamIn *stream); + +void push6bits(BitstreamOut *stream, uint8_t bits); +void x_num_to_bytes(uint64_t n, size_t len, uint8_t *dest); +uint64_t x_bytes_to_num(uint8_t *src, size_t len); +uint8_t reversebytes(uint8_t b); +void reverse_arraybytes(uint8_t *arr, size_t len); +void reverse_arraycopy(uint8_t *arr, uint8_t *dest, size_t len); +#endif // CIPHERUTILS_H diff --git a/armsrc/optimized_elite.c b/armsrc/optimized_elite.c new file mode 100644 index 000000000..d2c57ac68 --- /dev/null +++ b/armsrc/optimized_elite.c @@ -0,0 +1,238 @@ +/***************************************************************************** + * WARNING + * + * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. + * + * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL + * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, + * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. + * + * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. + * + ***************************************************************************** + * + * This file is part of loclass. It is a reconstructon of the cipher engine + * used in iClass, and RFID techology. + * + * The implementation is based on the work performed by + * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and + * Milosch Meriac in the paper "Dismantling IClass". + * + * Copyright (C) 2014 Martin Holst Swende + * + * This is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as published + * by the Free Software Foundation, or, at your option, any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with loclass. If not, see . + * + * + * + ****************************************************************************/ +#include "optimized_elite.h" + +#include +#include +#include +#include "mbedtls/des.h" +#include "optimized_ikeys.h" + +/** + * @brief Permutes a key from standard NIST format to Iclass specific format + * from http://www.proxmark.org/forum/viewtopic.php?pid=11220#p11220 + * + * If you permute [6c 8d 44 f9 2a 2d 01 bf] you get [8a 0d b9 88 bb a7 90 ea] as shown below. + * + * 1 0 1 1 1 1 1 1 bf + * 0 0 0 0 0 0 0 1 01 + * 0 0 1 0 1 1 0 1 2d + * 0 0 1 0 1 0 1 0 2a + * 1 1 1 1 1 0 0 1 f9 + * 0 1 0 0 0 1 0 0 44 + * 1 0 0 0 1 1 0 1 8d + * 0 1 1 0 1 1 0 0 6c + * + * 8 0 b 8 b a 9 e + * a d 9 8 b 7 0 a + * + * @param key + * @param dest + */ +void permutekey(uint8_t key[8], uint8_t dest[8]) { + int i; + for (i = 0 ; i < 8 ; i++) { + dest[i] = (((key[7] & (0x80 >> i)) >> (7 - i)) << 7) | + (((key[6] & (0x80 >> i)) >> (7 - i)) << 6) | + (((key[5] & (0x80 >> i)) >> (7 - i)) << 5) | + (((key[4] & (0x80 >> i)) >> (7 - i)) << 4) | + (((key[3] & (0x80 >> i)) >> (7 - i)) << 3) | + (((key[2] & (0x80 >> i)) >> (7 - i)) << 2) | + (((key[1] & (0x80 >> i)) >> (7 - i)) << 1) | + (((key[0] & (0x80 >> i)) >> (7 - i)) << 0); + } +} +/** + * Permutes a key from iclass specific format to NIST format + * @brief permutekey_rev + * @param key + * @param dest + */ +void permutekey_rev(uint8_t key[8], uint8_t dest[8]) { + int i; + for (i = 0 ; i < 8 ; i++) { + dest[7 - i] = (((key[0] & (0x80 >> i)) >> (7 - i)) << 7) | + (((key[1] & (0x80 >> i)) >> (7 - i)) << 6) | + (((key[2] & (0x80 >> i)) >> (7 - i)) << 5) | + (((key[3] & (0x80 >> i)) >> (7 - i)) << 4) | + (((key[4] & (0x80 >> i)) >> (7 - i)) << 3) | + (((key[5] & (0x80 >> i)) >> (7 - i)) << 2) | + (((key[6] & (0x80 >> i)) >> (7 - i)) << 1) | + (((key[7] & (0x80 >> i)) >> (7 - i)) << 0); + } +} + +/** + * Helper function for hash1 + * @brief rr + * @param val + * @return + */ +static inline uint8_t rr(uint8_t val) { + return val >> 1 | ((val & 1) << 7); +} + +/** + * Helper function for hash1 + * @brief rl + * @param val + * @return + */ +static inline uint8_t rl(uint8_t val) { + return val << 1 | ((val & 0x80) >> 7); +} + +/** + * Helper function for hash1 + * @brief swap + * @param val + * @return + */ +static inline uint8_t swap(uint8_t val) { + return ((val >> 4) & 0xFF) | ((val & 0xFF) << 4); +} + +/** + * Hash1 takes CSN as input, and determines what bytes in the keytable will be used + * when constructing the K_sel. + * @param csn the CSN used + * @param k output + */ +void hash1(uint8_t csn[], uint8_t k[]) { + k[0] = csn[0] ^ csn[1] ^ csn[2] ^ csn[3] ^ csn[4] ^ csn[5] ^ csn[6] ^ csn[7]; + k[1] = csn[0] + csn[1] + csn[2] + csn[3] + csn[4] + csn[5] + csn[6] + csn[7]; + k[2] = rr(swap(csn[2] + k[1])); + k[3] = rl(swap(csn[3] + k[0])); + k[4] = ~rr(csn[4] + k[2]) + 1; + k[5] = ~rl(csn[5] + k[3]) + 1; + k[6] = rr(csn[6] + (k[4] ^ 0x3c)); + k[7] = rl(csn[7] + (k[5] ^ 0xc3)); + + k[7] &= 0x7F; + k[6] &= 0x7F; + k[5] &= 0x7F; + k[4] &= 0x7F; + k[3] &= 0x7F; + k[2] &= 0x7F; + k[1] &= 0x7F; + k[0] &= 0x7F; +} +/** +Definition 14. Define the rotate key function rk : (F 82 ) 8 × N → (F 82 ) 8 as +rk(x [0] . . . x [7] , 0) = x [0] . . . x [7] +rk(x [0] . . . x [7] , n + 1) = rk(rl(x [0] ) . . . rl(x [7] ), n) +**/ +static void rk(uint8_t *key, uint8_t n, uint8_t *outp_key) { + memcpy(outp_key, key, 8); + uint8_t j; + while (n-- > 0) { + for (j = 0; j < 8 ; j++) + outp_key[j] = rl(outp_key[j]); + } + return; +} + +static mbedtls_des_context ctx_enc; +static mbedtls_des_context ctx_dec; + +static void desdecrypt_iclass(uint8_t *iclass_key, uint8_t *input, uint8_t *output) { + uint8_t key_std_format[8] = {0}; + permutekey_rev(iclass_key, key_std_format); + mbedtls_des_setkey_dec(&ctx_dec, key_std_format); + mbedtls_des_crypt_ecb(&ctx_dec, input, output); +} + +static void desencrypt_iclass(uint8_t *iclass_key, uint8_t *input, uint8_t *output) { + uint8_t key_std_format[8] = {0}; + permutekey_rev(iclass_key, key_std_format); + mbedtls_des_setkey_enc(&ctx_enc, key_std_format); + mbedtls_des_crypt_ecb(&ctx_enc, input, output); +} + +/** + * @brief Insert uint8_t[8] custom master key to calculate hash2 and return key_select. + * @param key unpermuted custom key + * @param hash1 hash1 + * @param key_sel output key_sel=h[hash1[i]] + */ +void hash2(uint8_t *key64, uint8_t *outp_keytable) { + /** + *Expected: + * High Security Key Table + + 00 F1 35 59 A1 0D 5A 26 7F 18 60 0B 96 8A C0 25 C1 + 10 BF A1 3B B0 FF 85 28 75 F2 1F C6 8F 0E 74 8F 21 + 20 14 7A 55 16 C8 A9 7D B3 13 0C 5D C9 31 8D A9 B2 + 30 A3 56 83 0F 55 7E DE 45 71 21 D2 6D C1 57 1C 9C + 40 78 2F 64 51 42 7B 64 30 FA 26 51 76 D3 E0 FB B6 + 50 31 9F BF 2F 7E 4F 94 B4 BD 4F 75 91 E3 1B EB 42 + 60 3F 88 6F B8 6C 2C 93 0D 69 2C D5 20 3C C1 61 95 + 70 43 08 A0 2F FE B3 26 D7 98 0B 34 7B 47 70 A0 AB + + **** The 64-bit HS Custom Key Value = 5B7C62C491C11B39 ******/ + uint8_t key64_negated[8] = {0}; + uint8_t z[8][8] = {{0}, {0}}; + uint8_t temp_output[8] = {0}; + + //calculate complement of key + int i; + for (i = 0; i < 8; i++) + key64_negated[i] = ~key64[i]; + + // Once again, key is on iclass-format + desencrypt_iclass(key64, key64_negated, z[0]); + + uint8_t y[8][8] = {{0}, {0}}; + + // y[0]=DES_dec(z[0],~key) + // Once again, key is on iclass-format + desdecrypt_iclass(z[0], key64_negated, y[0]); + + for (i = 1; i < 8; i++) { + rk(key64, i, temp_output); + desdecrypt_iclass(temp_output, z[i - 1], z[i]); + desencrypt_iclass(temp_output, y[i - 1], y[i]); + } + + if (outp_keytable != NULL) { + for (i = 0 ; i < 8 ; i++) { + memcpy(outp_keytable + i * 16, y[i], 8); + memcpy(outp_keytable + 8 + i * 16, z[i], 8); + } + } +} diff --git a/armsrc/optimized_elite.h b/armsrc/optimized_elite.h new file mode 100644 index 000000000..281ecf0bb --- /dev/null +++ b/armsrc/optimized_elite.h @@ -0,0 +1,62 @@ +/***************************************************************************** + * WARNING + * + * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. + * + * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL + * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, + * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. + * + * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. + * + ***************************************************************************** + * + * This file is part of loclass. It is a reconstructon of the cipher engine + * used in iClass, and RFID techology. + * + * The implementation is based on the work performed by + * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and + * Milosch Meriac in the paper "Dismantling IClass". + * + * Copyright (C) 2014 Martin Holst Swende + * + * This is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as published + * by the Free Software Foundation, or, at your option, any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with loclass. If not, see . + * + * + ****************************************************************************/ + + +#ifndef ELITE_CRACK_H +#define ELITE_CRACK_H + +#include +#include + +void permutekey(uint8_t key[8], uint8_t dest[8]); +/** + * Permutes a key from iclass specific format to NIST format + * @brief permutekey_rev + * @param key + * @param dest + */ +void permutekey_rev(uint8_t key[8], uint8_t dest[8]); +/** + * Hash1 takes CSN as input, and determines what bytes in the keytable will be used + * when constructing the K_sel. + * @param csn the CSN used + * @param k output + */ +void hash1(uint8_t *csn, uint8_t *k); +void hash2(uint8_t *key64, uint8_t *outp_keytable); + +#endif diff --git a/armsrc/optimized_ikeys.c b/armsrc/optimized_ikeys.c new file mode 100644 index 000000000..eeb00e562 --- /dev/null +++ b/armsrc/optimized_ikeys.c @@ -0,0 +1,324 @@ +/***************************************************************************** + * WARNING + * + * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. + * + * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL + * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, + * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. + * + * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. + * + ***************************************************************************** + * + * This file is part of loclass. It is a reconstructon of the cipher engine + * used in iClass, and RFID techology. + * + * The implementation is based on the work performed by + * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and + * Milosch Meriac in the paper "Dismantling IClass". + * + * Copyright (C) 2014 Martin Holst Swende + * + * This is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as published + * by the Free Software Foundation, or, at your option, any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with loclass. If not, see . + * + * + ****************************************************************************/ + +/** +From "Dismantling iclass": + This section describes in detail the built-in key diversification algorithm of iClass. + Besides the obvious purpose of deriving a card key from a master key, this + algorithm intends to circumvent weaknesses in the cipher by preventing the + usage of certain ‘weak’ keys. In order to compute a diversified key, the iClass + reader first encrypts the card identity id with the master key K, using single + DES. The resulting ciphertext is then input to a function called hash0 which + outputs the diversified key k. + + k = hash0(DES enc (id, K)) + + Here the DES encryption of id with master key K outputs a cryptogram c + of 64 bits. These 64 bits are divided as c = x, y, z [0] , . . . , z [7] ∈ F 82 × F 82 × (F 62 ) 8 + which is used as input to the hash0 function. This function introduces some + obfuscation by performing a number of permutations, complement and modulo + operations, see Figure 2.5. Besides that, it checks for and removes patterns like + similar key bytes, which could produce a strong bias in the cipher. Finally, the + output of hash0 is the diversified card key k = k [0] , . . . , k [7] ∈ (F 82 ) 8 . + +**/ +#include "optimized_ikeys.h" + +#include +#include +#include +#include "mbedtls/des.h" +#include "optimized_cipherutils.h" + +uint8_t pi[35] = { + 0x0F, 0x17, 0x1B, 0x1D, 0x1E, 0x27, 0x2B, 0x2D, + 0x2E, 0x33, 0x35, 0x39, 0x36, 0x3A, 0x3C, 0x47, + 0x4B, 0x4D, 0x4E, 0x53, 0x55, 0x56, 0x59, 0x5A, + 0x5C, 0x63, 0x65, 0x66, 0x69, 0x6A, 0x6C, 0x71, + 0x72, 0x74, 0x78 +}; + +static mbedtls_des_context ctx_enc; + +/** + * @brief The key diversification algorithm uses 6-bit bytes. + * This implementation uses 64 bit uint to pack seven of them into one + * variable. When they are there, they are placed as follows: + * XXXX XXXX N0 .... N7, occupying the last 48 bits. + * + * This function picks out one from such a collection + * @param all + * @param n bitnumber + * @return + */ +static uint8_t getSixBitByte(uint64_t c, int n) { + return (c >> (42 - 6 * n)) & 0x3F; +} + +/** + * @brief Puts back a six-bit 'byte' into a uint64_t. + * @param c buffer + * @param z the value to place there + * @param n bitnumber. + */ +static void pushbackSixBitByte(uint64_t *c, uint8_t z, int n) { + //0x XXXX YYYY ZZZZ ZZZZ ZZZZ + // ^z0 ^z7 + //z0: 1111 1100 0000 0000 + + uint64_t masked = z & 0x3F; + uint64_t eraser = 0x3F; + masked <<= 42 - 6 * n; + eraser <<= 42 - 6 * n; + + //masked <<= 6*n; + //eraser <<= 6*n; + + eraser = ~eraser; + (*c) &= eraser; + (*c) |= masked; + +} +/** + * @brief Swaps the z-values. + * If the input value has format XYZ0Z1...Z7, the output will have the format + * XYZ7Z6...Z0 instead + * @param c + * @return + */ +static uint64_t swapZvalues(uint64_t c) { + uint64_t newz = 0; + pushbackSixBitByte(&newz, getSixBitByte(c, 0), 7); + pushbackSixBitByte(&newz, getSixBitByte(c, 1), 6); + pushbackSixBitByte(&newz, getSixBitByte(c, 2), 5); + pushbackSixBitByte(&newz, getSixBitByte(c, 3), 4); + pushbackSixBitByte(&newz, getSixBitByte(c, 4), 3); + pushbackSixBitByte(&newz, getSixBitByte(c, 5), 2); + pushbackSixBitByte(&newz, getSixBitByte(c, 6), 1); + pushbackSixBitByte(&newz, getSixBitByte(c, 7), 0); + newz |= (c & 0xFFFF000000000000); + return newz; +} + +/** +* @return 4 six-bit bytes chunked into a uint64_t,as 00..00a0a1a2a3 +*/ +static uint64_t ck(int i, int j, uint64_t z) { + if (i == 1 && j == -1) { + // ck(1, −1, z [0] . . . z [3] ) = z [0] . . . z [3] + return z; + } else if (j == -1) { + // ck(i, −1, z [0] . . . z [3] ) = ck(i − 1, i − 2, z [0] . . . z [3] ) + return ck(i - 1, i - 2, z); + } + + if (getSixBitByte(z, i) == getSixBitByte(z, j)) { + //ck(i, j − 1, z [0] . . . z [i] ← j . . . z [3] ) + uint64_t newz = 0; + int c; + for (c = 0; c < 4; c++) { + uint8_t val = getSixBitByte(z, c); + if (c == i) + pushbackSixBitByte(&newz, j, c); + else + pushbackSixBitByte(&newz, val, c); + } + return ck(i, j - 1, newz); + } else { + return ck(i, j - 1, z); + } +} +/** + + Definition 8. + Let the function check : (F 62 ) 8 → (F 62 ) 8 be defined as + check(z [0] . . . z [7] ) = ck(3, 2, z [0] . . . z [3] ) · ck(3, 2, z [4] . . . z [7] ) + + where ck : N × N × (F 62 ) 4 → (F 62 ) 4 is defined as + + ck(1, −1, z [0] . . . z [3] ) = z [0] . . . z [3] + ck(i, −1, z [0] . . . z [3] ) = ck(i − 1, i − 2, z [0] . . . z [3] ) + ck(i, j, z [0] . . . z [3] ) = + ck(i, j − 1, z [0] . . . z [i] ← j . . . z [3] ), if z [i] = z [j] ; + ck(i, j − 1, z [0] . . . z [3] ), otherwise + + otherwise. +**/ + +static uint64_t check(uint64_t z) { + //These 64 bits are divided as c = x, y, z [0] , . . . , z [7] + + // ck(3, 2, z [0] . . . z [3] ) + uint64_t ck1 = ck(3, 2, z); + + // ck(3, 2, z [4] . . . z [7] ) + uint64_t ck2 = ck(3, 2, z << 24); + + //The ck function will place the values + // in the middle of z. + ck1 &= 0x00000000FFFFFF000000; + ck2 &= 0x00000000FFFFFF000000; + + return ck1 | ck2 >> 24; +} + +static void permute(BitstreamIn *p_in, uint64_t z, int l, int r, BitstreamOut *out) { + if (bitsLeft(p_in) == 0) + return; + + bool pn = tailBit(p_in); + if (pn) { // pn = 1 + uint8_t zl = getSixBitByte(z, l); + + push6bits(out, zl + 1); + permute(p_in, z, l + 1, r, out); + } else { // otherwise + uint8_t zr = getSixBitByte(z, r); + + push6bits(out, zr); + permute(p_in, z, l, r + 1, out); + } +} + +/** + * @brief + *Definition 11. Let the function hash0 : F 82 × F 82 × (F 62 ) 8 → (F 82 ) 8 be defined as + * hash0(x, y, z [0] . . . z [7] ) = k [0] . . . k [7] where + * z'[i] = (z[i] mod (63-i)) + i i = 0...3 + * z'[i+4] = (z[i+4] mod (64-i)) + i i = 0...3 + * ẑ = check(z'); + * @param c + * @param k this is where the diversified key is put (should be 8 bytes) + * @return + */ +void hash0(uint64_t c, uint8_t k[8]) { + c = swapZvalues(c); + + //These 64 bits are divided as c = x, y, z [0] , . . . , z [7] + // x = 8 bits + // y = 8 bits + // z0-z7 6 bits each : 48 bits + uint8_t x = (c & 0xFF00000000000000) >> 56; + uint8_t y = (c & 0x00FF000000000000) >> 48; + uint64_t zP = 0; + + for (int n = 0; n < 4 ; n++) { + uint8_t zn = getSixBitByte(c, n); + uint8_t zn4 = getSixBitByte(c, n + 4); + uint8_t _zn = (zn % (63 - n)) + n; + uint8_t _zn4 = (zn4 % (64 - n)) + n; + pushbackSixBitByte(&zP, _zn, n); + pushbackSixBitByte(&zP, _zn4, n + 4); + } + + uint64_t zCaret = check(zP); + uint8_t p = pi[x % 35]; + + if (x & 1) //Check if x7 is 1 + p = ~p; + + BitstreamIn p_in = { &p, 8, 0 }; + uint8_t outbuffer[] = {0, 0, 0, 0, 0, 0, 0, 0}; + BitstreamOut out = {outbuffer, 0, 0}; + permute(&p_in, zCaret, 0, 4, &out); //returns 48 bits? or 6 8-bytes + + //Out is now a buffer containing six-bit bytes, should be 48 bits + // if all went well + //Shift z-values down onto the lower segment + + uint64_t zTilde = x_bytes_to_num(outbuffer, sizeof(outbuffer)); + + zTilde >>= 16; + + for (int i = 0; i < 8; i++) { + // the key on index i is first a bit from y + // then six bits from z, + // then a bit from p + + // Init with zeroes + k[i] = 0; + // First, place yi leftmost in k + //k[i] |= (y << i) & 0x80 ; + + // First, place y(7-i) leftmost in k + k[i] |= (y << (7 - i)) & 0x80 ; + + uint8_t zTilde_i = getSixBitByte(zTilde, i); + // zTildeI is now on the form 00XXXXXX + // with one leftshift, it'll be + // 0XXXXXX0 + // So after leftshift, we can OR it into k + // However, when doing complement, we need to + // again MASK 0XXXXXX0 (0x7E) + zTilde_i <<= 1; + + //Finally, add bit from p or p-mod + //Shift bit i into rightmost location (mask only after complement) + uint8_t p_i = p >> i & 0x1; + + if (k[i]) { // yi = 1 + k[i] |= ~zTilde_i & 0x7E; + k[i] |= p_i & 1; + k[i] += 1; + + } else { // otherwise + k[i] |= zTilde_i & 0x7E; + k[i] |= (~p_i) & 1; + } + } +} +/** + * @brief Performs Elite-class key diversification + * @param csn + * @param key + * @param div_key + */ +void diversifyKey(uint8_t *csn, uint8_t *key, uint8_t *div_key) { + // Prepare the DES key + mbedtls_des_setkey_enc(&ctx_enc, key); + + uint8_t crypted_csn[8] = {0}; + + // Calculate DES(CSN, KEY) + mbedtls_des_crypt_ecb(&ctx_enc, csn, crypted_csn); + + //Calculate HASH0(DES)) + uint64_t c_csn = x_bytes_to_num(crypted_csn, sizeof(crypted_csn)); + + hash0(c_csn, div_key); +} + diff --git a/armsrc/optimized_ikeys.h b/armsrc/optimized_ikeys.h new file mode 100644 index 000000000..91fa406ad --- /dev/null +++ b/armsrc/optimized_ikeys.h @@ -0,0 +1,69 @@ +/***************************************************************************** + * WARNING + * + * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. + * + * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL + * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, + * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. + * + * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. + * + ***************************************************************************** + * + * This file is part of loclass. It is a reconstructon of the cipher engine + * used in iClass, and RFID techology. + * + * The implementation is based on the work performed by + * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and + * Milosch Meriac in the paper "Dismantling IClass". + * + * Copyright (C) 2014 Martin Holst Swende + * + * This is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as published + * by the Free Software Foundation, or, at your option, any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with loclass. If not, see . + * + * + ****************************************************************************/ + +#ifndef IKEYS_H +#define IKEYS_H + +#include + +/** + * @brief + *Definition 11. Let the function hash0 : F 82 × F 82 × (F 62 ) 8 → (F 82 ) 8 be defined as + * hash0(x, y, z [0] . . . z [7] ) = k [0] . . . k [7] where + * z'[i] = (z[i] mod (63-i)) + i i = 0...3 + * z'[i+4] = (z[i+4] mod (64-i)) + i i = 0...3 + * ẑ = check(z'); + * @param c + * @param k this is where the diversified key is put (should be 8 bytes) + * @return + */ +void hash0(uint64_t c, uint8_t k[8]); +/** + * @brief Performs Elite-class key diversification + * @param csn + * @param key + * @param div_key + */ + +void diversifyKey(uint8_t csn[8], uint8_t key[8], uint8_t div_key[8]); +/** + * @brief Permutes a key from standard NIST format to Iclass specific format + * @param key + * @param dest + */ + +#endif // IKEYS_H diff --git a/armsrc/spiffs.c b/armsrc/spiffs.c index 025146b55..a7be6cedf 100644 --- a/armsrc/spiffs.c +++ b/armsrc/spiffs.c @@ -472,16 +472,20 @@ int rdv40_spiffs_is_symlink(const char *s) { // ATTENTION : you must NOT provide the whole filename (so please do not include the .lnk extension) // TODO : integrate in read_function int rdv40_spiffs_read_as_symlink(char *filename, uint8_t *dst, uint32_t size, RDV40SpiFFSSafetyLevel level) { - RDV40_SPIFFS_SAFE_FUNCTION( // - char linkdest[SPIFFS_OBJ_NAME_LEN]; // - char linkfilename[SPIFFS_OBJ_NAME_LEN]; // + RDV40_SPIFFS_SAFE_FUNCTION( + char linkdest[SPIFFS_OBJ_NAME_LEN]; + char linkfilename[SPIFFS_OBJ_NAME_LEN]; sprintf(linkfilename, "%s.lnk", filename); - if (DBGLEVEL > 1) Dbprintf("Linkk real filename is destination is : %s", linkfilename); + + if (DBGLEVEL > 1) Dbprintf("Linkk real filename is : " _YELLOW_("%s"), linkfilename); + read_from_spiffs((char *)linkfilename, (uint8_t *)linkdest, SPIFFS_OBJ_NAME_LEN); - if (DBGLEVEL > 1) Dbprintf("Symlink destination is : %s", linkdest); - read_from_spiffs((char *)linkdest, (uint8_t *)dst, size); // - ) - } + + if (DBGLEVEL > 1) Dbprintf("Symlink destination is : " _YELLOW_("%s"), linkdest); + + read_from_spiffs((char *)linkdest, (uint8_t *)dst, size); + ) +} // BEWARE ! This function is DESTRUCTIVE as it will UPDATE an existing symlink // Since it creates a .lnk extension file it may be minor to mistake the order of arguments @@ -496,10 +500,10 @@ int rdv40_spiffs_read_as_symlink(char *filename, uint8_t *dst, uint32_t size, RD // rdv40_spiffs_read_as_symlink((uint8_t *)"world",(uint8_t *) buffer, orig_file_size, RDV40_SPIFFS_SAFETY_SAFE); // TODO : FORBID creating a symlink with a basename (before.lnk) which already exists as a file ! int rdv40_spiffs_make_symlink(char *linkdest, char *filename, RDV40SpiFFSSafetyLevel level) { - RDV40_SPIFFS_SAFE_FUNCTION( // - char linkfilename[SPIFFS_OBJ_NAME_LEN]; // + RDV40_SPIFFS_SAFE_FUNCTION( + char linkfilename[SPIFFS_OBJ_NAME_LEN]; sprintf(linkfilename, "%s.lnk", filename); - write_to_spiffs((char *)linkfilename, (uint8_t *)linkdest, SPIFFS_OBJ_NAME_LEN); // + write_to_spiffs((char *)linkfilename, (uint8_t *)linkdest, SPIFFS_OBJ_NAME_LEN); ) } @@ -510,20 +514,20 @@ int rdv40_spiffs_make_symlink(char *linkdest, char *filename, RDV40SpiFFSSafetyL // preexistance, avoiding a link being created if filename exists, or avoiding a file being created if // symlink exists with same name int rdv40_spiffs_read_as_filetype(char *filename, uint8_t *dst, uint32_t size, RDV40SpiFFSSafetyLevel level) { - RDV40_SPIFFS_SAFE_FUNCTION( // - RDV40SpiFFSFileType filetype = filetype_in_spiffs((char *)filename); // - switch (filetype) { - case RDV40_SPIFFS_FILETYPE_REAL: - rdv40_spiffs_read((char *)filename, (uint8_t *)dst, size, level); - break; - case RDV40_SPIFFS_FILETYPE_SYMLINK: - rdv40_spiffs_read_as_symlink((char *)filename, (uint8_t *)dst, size, level); - break; - case RDV40_SPIFFS_FILETYPE_BOTH: - case RDV40_SPIFFS_FILETYPE_UNKNOWN: - default: + RDV40_SPIFFS_SAFE_FUNCTION( + RDV40SpiFFSFileType filetype = filetype_in_spiffs((char *)filename); + switch (filetype) { + case RDV40_SPIFFS_FILETYPE_REAL: + rdv40_spiffs_read((char *)filename, (uint8_t *)dst, size, level); + break; + case RDV40_SPIFFS_FILETYPE_SYMLINK: + rdv40_spiffs_read_as_symlink((char *)filename, (uint8_t *)dst, size, level); + break; + case RDV40_SPIFFS_FILETYPE_BOTH: + case RDV40_SPIFFS_FILETYPE_UNKNOWN: + default: ; - } // + } ) } @@ -552,7 +556,7 @@ void rdv40_spiffs_safe_print_fsinfo(void) { Dbprintf(" Max Path Length............" _YELLOW_("%d")" chars", fsinfo.maxPathLength); DbpString(""); Dbprintf(" filesystem size used available use% mounted"); - Dbprintf(" spiffs %6d B %6d B %6d B"_YELLOW_("%2d%")" /" + Dbprintf(" spiffs %6d B %6d B %6d B " _YELLOW_("%2d%")" /" , fsinfo.totalBytes , fsinfo.usedBytes , fsinfo.freeBytes @@ -601,6 +605,37 @@ void rdv40_spiffs_safe_print_tree(uint8_t banner) { rdv40_spiffs_lazy_mount_rollback(changed); } +void rdv40_spiffs_safe_wipe(void) { + + int changed = rdv40_spiffs_lazy_mount(); + + spiffs_DIR d; + struct spiffs_dirent e; + struct spiffs_dirent *pe = &e; + SPIFFS_opendir(&fs, "/", &d); + + while ((pe = SPIFFS_readdir(&d, pe))) { + + if (rdv40_spiffs_is_symlink((const char *)pe->name)) { + + char linkdest[SPIFFS_OBJ_NAME_LEN]; + read_from_spiffs((char *)pe->name, (uint8_t *)linkdest, SPIFFS_OBJ_NAME_LEN); + + remove_from_spiffs(linkdest); + Dbprintf(".lnk removed %s", pe->name); + + remove_from_spiffs((char *)pe->name); + Dbprintf("removed %s", linkdest); + + } else { + remove_from_spiffs((char *)pe->name); + Dbprintf("removed %s", pe->name); + } + } + + SPIFFS_closedir(&d); + rdv40_spiffs_lazy_mount_rollback(changed); +} // Selftest function void test_spiffs(void) { diff --git a/armsrc/spiffs.h b/armsrc/spiffs.h index 5a9e58a94..8754cb432 100644 --- a/armsrc/spiffs.h +++ b/armsrc/spiffs.h @@ -58,6 +58,8 @@ int rdv40_spiffs_stat(char *filename, uint32_t *buf, RDV40SpiFFSSafetyLevel leve uint32_t size_in_spiffs(const char *filename); int exists_in_spiffs(const char *filename); +void rdv40_spiffs_safe_wipe(void); + #define SPIFFS_OK 0 #define SPIFFS_ERR_NOT_MOUNTED -10000 #define SPIFFS_ERR_FULL -10001 diff --git a/armsrc/thinfilm.c b/armsrc/thinfilm.c index a77a70744..dcc2ff36f 100644 --- a/armsrc/thinfilm.c +++ b/armsrc/thinfilm.c @@ -30,7 +30,6 @@ void ReadThinFilm(void) { clear_trace(); - set_tracing(true); iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); @@ -60,15 +59,19 @@ static uint16_t ReadReaderField(void) { } static void CodeThinfilmAsTag(const uint8_t *cmd, uint16_t len) { - ToSendReset(); + + tosend_reset(); + + tosend_t *ts = get_tosend(); + for (uint16_t i = 0; i < len; i++) { uint8_t b = cmd[i]; for (uint8_t j = 0; j < 8; j++) { - ToSend[++ToSendMax] = (b & 0x80) ? SEC_D : SEC_E; + ts->buf[++ts->max] = (b & 0x80) ? SEC_D : SEC_E; b <<= 1; } } - ToSendMax++; + ts->max++; } static int EmSendCmdThinfilmRaw(uint8_t *resp, uint16_t respLen) { @@ -122,7 +125,7 @@ void SimulateThinFilm(uint8_t *data, size_t len) { FpgaDownloadAndGo(FPGA_BITSTREAM_HF); // Set up the synchronous serial port - FpgaSetupSsc(); + FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER); // connect Demodulated Signal to ADC: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); @@ -132,6 +135,8 @@ void SimulateThinFilm(uint8_t *data, size_t len) { uint16_t hf_baseline = ReadReaderField(); + tosend_t *ts = get_tosend(); + // Start the timer StartCountSspClk(); @@ -147,7 +152,8 @@ void SimulateThinFilm(uint8_t *data, size_t len) { if (hf_av < hf_baseline) hf_baseline = hf_av; if (hf_av > hf_baseline + 10) { - EmSendCmdThinfilmRaw(ToSend, ToSendMax); + + EmSendCmdThinfilmRaw(ts->buf, ts->max); if (!reader_detected) { LED_B_ON(); //Dbprintf("Reader detected, start beaming data"); diff --git a/armsrc/ticks.c b/armsrc/ticks.c index 0ce55e417..e9cbea219 100644 --- a/armsrc/ticks.c +++ b/armsrc/ticks.c @@ -117,47 +117,61 @@ uint32_t RAMFUNC GetCountUS(void) { void StartCountSspClk(void) { AT91C_BASE_PMC->PMC_PCER |= (1 << AT91C_ID_TC0) | (1 << AT91C_ID_TC1) | (1 << AT91C_ID_TC2); // Enable Clock to all timers AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC0XC0S_TIOA1 // XC0 Clock = TIOA1 - | AT91C_TCB_TC1XC1S_NONE // XC1 Clock = none - | AT91C_TCB_TC2XC2S_TIOA0; // XC2 Clock = TIOA0 + | AT91C_TCB_TC1XC1S_NONE // XC1 Clock = none + | AT91C_TCB_TC2XC2S_TIOA0; // XC2 Clock = TIOA0 // configure TC1 to create a short pulse on TIOA1 when a rising edge on TIOB1 (= ssp_clk from FPGA) occurs: AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS; // disable TC1 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK // TC1 Clock = MCK(48MHz)/2 = 24MHz - | AT91C_TC_CPCSTOP // Stop clock on RC compare - | AT91C_TC_EEVTEDG_RISING // Trigger on rising edge of Event - | AT91C_TC_EEVT_TIOB // Event-Source: TIOB1 (= ssp_clk from FPGA = 13,56MHz/16) - | AT91C_TC_ENETRG // Enable external trigger event - | AT91C_TC_WAVESEL_UP // Upmode without automatic trigger on RC compare - | AT91C_TC_WAVE // Waveform Mode - | AT91C_TC_AEEVT_SET // Set TIOA1 on external event - | AT91C_TC_ACPC_CLEAR; // Clear TIOA1 on RC Compare - AT91C_BASE_TC1->TC_RC = 0x04; // RC Compare value = 0x04 + | AT91C_TC_CPCSTOP // Stop clock on RC compare + | AT91C_TC_EEVTEDG_RISING // Trigger on rising edge of Event + | AT91C_TC_EEVT_TIOB // Event-Source: TIOB1 (= ssp_clk from FPGA = 13,56MHz/16) + | AT91C_TC_ENETRG // Enable external trigger event + | AT91C_TC_WAVESEL_UP // Upmode without automatic trigger on RC compare + | AT91C_TC_WAVE // Waveform Mode + | AT91C_TC_AEEVT_SET // Set TIOA1 on external event + | AT91C_TC_ACPC_CLEAR; // Clear TIOA1 on RC Compare + AT91C_BASE_TC1->TC_RC = 0x01; // RC Compare value = 0x01, pulse width to TC0 // use TC0 to count TIOA1 pulses AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS; // disable TC0 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_XC0 // TC0 clock = XC0 clock = TIOA1 - | AT91C_TC_WAVE // Waveform Mode - | AT91C_TC_WAVESEL_UP // just count - | AT91C_TC_ACPA_CLEAR // Clear TIOA0 on RA Compare - | AT91C_TC_ACPC_SET; // Set TIOA0 on RC Compare + | AT91C_TC_WAVE // Waveform Mode + | AT91C_TC_WAVESEL_UP // just count + | AT91C_TC_ACPA_CLEAR // Clear TIOA0 on RA Compare + | AT91C_TC_ACPC_SET; // Set TIOA0 on RC Compare AT91C_BASE_TC0->TC_RA = 1; // RA Compare value = 1; pulse width to TC2 AT91C_BASE_TC0->TC_RC = 0; // RC Compare value = 0; increment TC2 on overflow // use TC2 to count TIOA0 pulses (giving us a 32bit counter (TC0/TC2) clocked by ssp_clk) AT91C_BASE_TC2->TC_CCR = AT91C_TC_CLKDIS; // disable TC2 AT91C_BASE_TC2->TC_CMR = AT91C_TC_CLKS_XC2 // TC2 clock = XC2 clock = TIOA0 - | AT91C_TC_WAVE // Waveform Mode - | AT91C_TC_WAVESEL_UP; // just count + | AT91C_TC_WAVE // Waveform Mode + | AT91C_TC_WAVESEL_UP; // just count AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG; // enable and reset TC0 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG; // enable and reset TC1 AT91C_BASE_TC2->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG; // enable and reset TC2 + // // synchronize the counter with the ssp_frame signal. - // Note: FPGA must be in any iso14443 mode, otherwise the frame signal would not be present - while (!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_FRAME)); // wait for ssp_frame to go high (start of frame) - while (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_FRAME); // wait for ssp_frame to be low - while (!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)); // wait for ssp_clk to go high + // Note: FPGA must be in a FPGA mode with SSC transfer, otherwise SSC_FRAME and SSC_CLK signals would not be present + // + while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_FRAME); // wait for ssp_frame to be low + while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_FRAME)); // wait for ssp_frame to go high (start of frame) + while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)); // wait for ssp_clk to go high; 1st ssp_clk after start of frame + while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK); // wait for ssp_clk to go low; + while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)); // wait for ssp_clk to go high; 2nd ssp_clk after start of frame + if ((AT91C_BASE_SSC->SSC_RFMR & SSC_FRAME_MODE_BITS_IN_WORD(32)) == SSC_FRAME_MODE_BITS_IN_WORD(16)) { // 16bit frame + while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK); // wait for ssp_clk to go low; + while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)); // wait for ssp_clk to go high; 3rd ssp_clk after start of frame + while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK); // wait for ssp_clk to go low; + while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)); // wait for ssp_clk to go high; 4th ssp_clk after start of frame + while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK); // wait for ssp_clk to go low; + while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)); // wait for ssp_clk to go high; 5th ssp_clk after start of frame + while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK); // wait for ssp_clk to go low; + while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)); // wait for ssp_clk to go high; 6th ssp_clk after start of frame + } // note: up to now two ssp_clk rising edges have passed since the rising edge of ssp_frame // it is now safe to assert a sync signal. This sets all timers to 0 on next active clock edge diff --git a/client/src/cmdflashmemspiffs.c b/client/src/cmdflashmemspiffs.c index b994ea56c..d419fa131 100644 --- a/client/src/cmdflashmemspiffs.c +++ b/client/src/cmdflashmemspiffs.c @@ -19,53 +19,69 @@ static int CmdHelp(const char *Cmd); static int usage_flashmemspiffs_remove(void) { - PrintAndLogEx(NORMAL, "Remove a file from spiffs filesystem"); - PrintAndLogEx(NORMAL, " Usage: mem spiffs remove "); + PrintAndLogEx(NORMAL, "Remove a file from spiffs filesystem\n"); + PrintAndLogEx(NORMAL, "Usage: mem spiffs remove "); + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(NORMAL, "Examples:"); + PrintAndLogEx(NORMAL, _YELLOW_(" mem spiffs remove lasttag.bin")); return PM3_SUCCESS; } static int usage_flashmemspiffs_rename(void) { - PrintAndLogEx(NORMAL, "Rename/move a file in spiffs filesystem"); - PrintAndLogEx(NORMAL, " Usage: mem spiffs rename "); + PrintAndLogEx(NORMAL, "Rename/move a file in spiffs filesystem\n"); + PrintAndLogEx(NORMAL, "Usage: mem spiffs rename "); + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(NORMAL, "Examples:"); + PrintAndLogEx(NORMAL, _YELLOW_(" mem spiffs rename lasttag.bin oldtag.bin")); return PM3_SUCCESS; } static int usage_flashmemspiffs_copy(void) { - PrintAndLogEx(NORMAL, "Copy a file to another (destructively) in spiffs filesystem"); - PrintAndLogEx(NORMAL, " Usage: mem spiffs copy "); + PrintAndLogEx(NORMAL, "Copy a file to another (destructively) in spiffs filesystem\n"); + PrintAndLogEx(NORMAL, "Usage: mem spiffs copy "); + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(NORMAL, "Examples:"); + PrintAndLogEx(NORMAL, _YELLOW_(" mem spiffs copy lasttag.bin lasttag_cpy.bin")); return PM3_SUCCESS; } static int usage_flashmemspiffs_dump(void) { PrintAndLogEx(NORMAL, "Dumps flash memory on device into a file or in console"); - PrintAndLogEx(NORMAL, "Size is handled by first sending a STAT command against file existence"); - PrintAndLogEx(NORMAL, " Usage: mem spiffs dump o [f [e]] [p]"); - PrintAndLogEx(NORMAL, " o : filename in SPIFFS"); - PrintAndLogEx(NORMAL, " f : file name to save to"); - PrintAndLogEx(NORMAL, " p : print dump in console"); - PrintAndLogEx(NORMAL, " e : also save in EML format (good for tags save and dictonnary files)"); + PrintAndLogEx(NORMAL, "Size is handled by first sending a STAT command against file existence\n"); + PrintAndLogEx(NORMAL, "Usage: mem spiffs dump o [f [e]] [p]"); + PrintAndLogEx(NORMAL, " o - filename in SPIFFS"); + PrintAndLogEx(NORMAL, " f - file name to save to "); + PrintAndLogEx(NORMAL, " p - print dump in console"); + PrintAndLogEx(NORMAL, " e - also save in EML format (good for tags save and dictonnary files)"); PrintAndLogEx(NORMAL, " You must specify at lease option f or option p, both if you wish"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); - PrintAndLogEx(NORMAL, " mem spiffs dump o hf_colin/lasttag f lasttag e"); - PrintAndLogEx(NORMAL, " mem spiffs dump o hf_colin/lasttag p"); + PrintAndLogEx(NORMAL, _YELLOW_(" mem spiffs dump o lasttag.bin f lasttag e")); + PrintAndLogEx(NORMAL, _YELLOW_(" mem spiffs dump o lasttag.bin p")); return PM3_SUCCESS; } static int usage_flashmemspiffs_load(void) { PrintAndLogEx(NORMAL, "Uploads binary-wise file into device filesystem"); - PrintAndLogEx(NORMAL, "Usage: mem spiffs load o f "); PrintAndLogEx(NORMAL, "Warning: mem area to be written must have been wiped first"); - PrintAndLogEx(NORMAL, "(this is already taken care when loading dictionaries)"); - PrintAndLogEx(NORMAL, " o : destination filename"); - PrintAndLogEx(NORMAL, " f : local filename"); + PrintAndLogEx(NORMAL, "(this is already taken care when loading dictionaries)\n"); + PrintAndLogEx(NORMAL, "Usage: mem spiffs load o f "); + PrintAndLogEx(NORMAL, " o - destination filename"); + PrintAndLogEx(NORMAL, " f - local filename"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); - PrintAndLogEx(NORMAL, " mem spiffs load f myfile o myapp.conf"); + PrintAndLogEx(NORMAL, _YELLOW_(" mem spiffs load f myfile o myapp.conf")); return PM3_SUCCESS; } - +static int usage_flashmemspiffs_wipe(void) { + PrintAndLogEx(NORMAL, "wipes all files on the device filesystem " _RED_("* Warning *")); + PrintAndLogEx(NORMAL, "Usage: mem spiffs wipe [h]"); + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(NORMAL, "Examples:"); + PrintAndLogEx(NORMAL, _YELLOW_(" mem spiffs wipe")); + return PM3_SUCCESS; +} static int CmdFlashMemSpiFFSMount(const char *Cmd) { (void)Cmd; // Cmd is not used so far clearCommandBuffer(); @@ -277,12 +293,12 @@ static int CmdFlashMemSpiFFSDump(const char *Cmd) { } if ((filename[0] == '\0') && (!print)) { - PrintAndLogEx(FAILED, "No print asked and Local dump Filename missing or invalid"); + PrintAndLogEx(FAILED, "No print asked and local dump filename missing or invalid"); errors = true; } if (destfilename[0] == '\0') { - PrintAndLogEx(FAILED, "SPIFFS Filename missing or invalid"); + PrintAndLogEx(FAILED, "SPIFFS filename missing or invalid"); errors = true; } @@ -320,9 +336,16 @@ static int CmdFlashMemSpiFFSDump(const char *Cmd) { } if (filename[0] != '\0') { - saveFile(filename, "", dump, len); + saveFile(filename, ".bin", dump, len); if (eml) { - saveFileEML(filename, dump, len, 16); + uint8_t eml_len = 16; + + if (strstr(filename, "class") != NULL) + eml_len = 8; + else if (strstr(filename, "mfu") != NULL) + eml_len = 4; + + saveFileEML(filename, dump, len, eml_len); } } @@ -397,6 +420,23 @@ out: return ret_val; } +static int CmdFlashMemSpiFFSWipe(const char *Cmd) { + + char ctmp = tolower(param_getchar(Cmd, 0)); + if (ctmp == 'h') { + return usage_flashmemspiffs_wipe(); + } + + PrintAndLogEx(INFO, "Wiping all files from SPIFFS FileSystem"); + PacketResponseNG resp; + clearCommandBuffer(); + SendCommandNG(CMD_SPIFFS_WIPE, NULL, 0); + WaitForResponse(CMD_SPIFFS_WIPE, &resp); + PrintAndLogEx(INFO, "Done!"); + PrintAndLogEx(HINT, "Try use '" _YELLOW_("mem spiffs tree") "' to verify."); + return PM3_SUCCESS; +} + static int CmdFlashMemSpiFFSLoad(const char *Cmd) { char filename[FILE_PATH_SIZE] = {0}; @@ -457,20 +497,18 @@ static int CmdFlashMemSpiFFSLoad(const char *Cmd) { static command_t CommandTable[] = { {"help", CmdHelp, AlwaysAvailable, "This help"}, - { - "copy", CmdFlashMemSpiFFSCopy, IfPm3Flash, - "Copy a file to another (destructively) in SPIFFS FileSystem in FlashMEM (spiffs)" - }, - {"check", CmdFlashMemSpiFFSCheck, IfPm3Flash, "Check/try to defrag faulty/fragmented Filesystem"}, - {"dump", CmdFlashMemSpiFFSDump, IfPm3Flash, "Dump a file from SPIFFS FileSystem in FlashMEM (spiffs)"}, - {"info", CmdFlashMemSpiFFSInfo, IfPm3Flash, "Print filesystem info and usage statistics (spiffs)"}, - {"load", CmdFlashMemSpiFFSLoad, IfPm3Flash, "Upload file into SPIFFS Filesystem (spiffs)"}, - {"mount", CmdFlashMemSpiFFSMount, IfPm3Flash, "Mount the SPIFFS Filesystem if not already mounted (spiffs)"}, - {"remove", CmdFlashMemSpiFFSRemove, IfPm3Flash, "Remove a file from SPIFFS FileSystem in FlashMEM (spiffs)"}, - {"rename", CmdFlashMemSpiFFSRename, IfPm3Flash, "Rename/move a file in SPIFFS FileSystem in FlashMEM (spiffs)"}, - {"test", CmdFlashMemSpiFFSTest, IfPm3Flash, "Test SPIFFS Operations (require wiping pages 0 and 1)"}, - {"tree", CmdFlashMemSpiFFSTree, IfPm3Flash, "Print the Flash Memory FileSystem Tree (spiffs)"}, + {"copy", CmdFlashMemSpiFFSCopy, IfPm3Flash, "Copy a file to another (destructively) in SPIFFS FileSystem in FlashMEM (spiffs)"}, + {"check", CmdFlashMemSpiFFSCheck, IfPm3Flash, "Check/try to defrag faulty/fragmented Filesystem"}, + {"dump", CmdFlashMemSpiFFSDump, IfPm3Flash, "Dump a file from SPIFFS FileSystem in FlashMEM (spiffs)"}, + {"info", CmdFlashMemSpiFFSInfo, IfPm3Flash, "Print filesystem info and usage statistics (spiffs)"}, + {"load", CmdFlashMemSpiFFSLoad, IfPm3Flash, "Upload file into SPIFFS Filesystem (spiffs)"}, + {"mount", CmdFlashMemSpiFFSMount, IfPm3Flash, "Mount the SPIFFS Filesystem if not already mounted (spiffs)"}, + {"remove", CmdFlashMemSpiFFSRemove, IfPm3Flash, "Remove a file from SPIFFS FileSystem in FlashMEM (spiffs)"}, + {"rename", CmdFlashMemSpiFFSRename, IfPm3Flash, "Rename/move a file in SPIFFS FileSystem in FlashMEM (spiffs)"}, + {"test", CmdFlashMemSpiFFSTest, IfPm3Flash, "Test SPIFFS Operations (require wiping pages 0 and 1)"}, + {"tree", CmdFlashMemSpiFFSTree, IfPm3Flash, "Print the Flash Memory FileSystem Tree (spiffs)"}, {"unmount", CmdFlashMemSpiFFSUnmount, IfPm3Flash, "Un-mount the SPIFFS Filesystem if not already mounted (spiffs)"}, + {"wipe", CmdFlashMemSpiFFSWipe, IfPm3Flash, "Wipe all files from SPIFFS FileSystem." _RED_("* dangerous *") }, {NULL, NULL, NULL, NULL} }; diff --git a/client/src/cmdhf.c b/client/src/cmdhf.c index 4fc138a98..f0c967205 100644 --- a/client/src/cmdhf.c +++ b/client/src/cmdhf.c @@ -129,6 +129,15 @@ int CmdHFSearch(const char *Cmd) { } } + PROMPT_CLEARLINE; + PrintAndLogEx(INPLACE, " Searching for iCLASS / PicoPass tag..."); + if (IfPm3Iclass()) { + if (read_iclass_csn(false, false) == PM3_SUCCESS) { + PrintAndLogEx(SUCCESS, "\nValid " _GREEN_("iCLASS tag / PicoPass tag") " found\n"); + res = PM3_SUCCESS; + } + } + PROMPT_CLEARLINE; PrintAndLogEx(INPLACE, " Searching for LEGIC tag..."); if (IfPm3Legicrf()) { @@ -156,7 +165,6 @@ int CmdHFSearch(const char *Cmd) { } } /* - // 14b and iclass is the longest test (put last) PROMPT_CLEARLINE; PrintAndLogEx(INPLACE, " Searching for CryptoRF tag..."); if (IfPm3Iso14443b()) { @@ -167,7 +175,7 @@ int CmdHFSearch(const char *Cmd) { } */ - // 14b and iclass is the longest test (put last) + // 14b is the longest test (put last) PROMPT_CLEARLINE; PrintAndLogEx(INPLACE, " Searching for ISO14443-B tag..."); if (IfPm3Iso14443b()) { @@ -177,14 +185,6 @@ int CmdHFSearch(const char *Cmd) { } } - PROMPT_CLEARLINE; - PrintAndLogEx(INPLACE, " Searching for iClass / PicoPass tag..."); - if (IfPm3Iclass()) { - if (readIclass(false, false) == PM3_SUCCESS) { - PrintAndLogEx(SUCCESS, "\nValid " _GREEN_("iClass tag / PicoPass tag") " found\n"); - res = PM3_SUCCESS; - } - } PROMPT_CLEARLINE; if (res != PM3_SUCCESS) { diff --git a/client/src/cmdhf14b.c b/client/src/cmdhf14b.c index bfb19323b..141fefda5 100644 --- a/client/src/cmdhf14b.c +++ b/client/src/cmdhf14b.c @@ -134,7 +134,7 @@ static bool waitCmd14b(bool verbose) { PacketResponseNG resp; - if (WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) { + if (WaitForResponseTimeout(CMD_HF_ISO14443B_COMMAND, &resp, TIMEOUT)) { if ((resp.oldarg[0] & 0xFF) > 0) return false; @@ -314,7 +314,7 @@ static bool get_14b_UID(iso14b_card_select_t *card) { clearCommandBuffer(); SendCommandMIX(CMD_HF_ISO14443B_COMMAND, ISO14B_CONNECT | ISO14B_SELECT_SR | ISO14B_DISCONNECT, 0, 0, NULL, 0); - if (WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) { + if (WaitForResponseTimeout(CMD_HF_ISO14443B_COMMAND, &resp, TIMEOUT)) { uint8_t status = resp.oldarg[0]; if (status == 0) { @@ -330,7 +330,7 @@ static bool get_14b_UID(iso14b_card_select_t *card) { clearCommandBuffer(); SendCommandMIX(CMD_HF_ISO14443B_COMMAND, ISO14B_CONNECT | ISO14B_SELECT_STD | ISO14B_DISCONNECT, 0, 0, NULL, 0); - if (WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) { + if (WaitForResponseTimeout(CMD_HF_ISO14443B_COMMAND, &resp, TIMEOUT)) { uint8_t status = resp.oldarg[0]; if (status == 0) { @@ -515,7 +515,7 @@ static bool HF14B_Std_Info(bool verbose) { SendCommandMIX(CMD_HF_ISO14443B_COMMAND, ISO14B_CONNECT | ISO14B_SELECT_STD | ISO14B_DISCONNECT, 0, 0, NULL, 0); PacketResponseNG resp; - if (!WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) { + if (!WaitForResponseTimeout(CMD_HF_ISO14443B_COMMAND, &resp, TIMEOUT)) { if (verbose) PrintAndLogEx(WARNING, "command execution timeout"); switch_off_field_14b(); return false; @@ -556,7 +556,7 @@ static bool HF14B_ST_Info(bool verbose) { SendCommandMIX(CMD_HF_ISO14443B_COMMAND, ISO14B_CONNECT | ISO14B_SELECT_SR | ISO14B_DISCONNECT, 0, 0, NULL, 0); PacketResponseNG resp; - if (!WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) { + if (!WaitForResponseTimeout(CMD_HF_ISO14443B_COMMAND, &resp, TIMEOUT)) { if (verbose) PrintAndLogEx(WARNING, "command execution timeout"); return false; } @@ -611,7 +611,7 @@ static bool HF14B_ST_Reader(bool verbose) { clearCommandBuffer(); SendCommandMIX(CMD_HF_ISO14443B_COMMAND, ISO14B_CONNECT | ISO14B_SELECT_SR | ISO14B_DISCONNECT, 0, 0, NULL, 0); PacketResponseNG resp; - if (!WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) { + if (!WaitForResponseTimeout(CMD_HF_ISO14443B_COMMAND, &resp, TIMEOUT)) { if (verbose) PrintAndLogEx(WARNING, "command execution timeout"); return false; } @@ -651,7 +651,7 @@ static bool HF14B_Std_Reader(bool verbose) { SendCommandMIX(CMD_HF_ISO14443B_COMMAND, ISO14B_CONNECT | ISO14B_SELECT_STD | ISO14B_DISCONNECT, 0, 0, NULL, 0); PacketResponseNG resp; - if (!WaitForResponseTimeout(CMD_ACK, &resp, TIMEOUT)) { + if (!WaitForResponseTimeout(CMD_HF_ISO14443B_COMMAND, &resp, TIMEOUT)) { if (verbose) PrintAndLogEx(WARNING, "command execution timeout"); return false; } @@ -695,7 +695,7 @@ static bool HF14B_Other_Reader(void) { // clearCommandBuffer(); // SendCommandMIX(CMD_HF_ISO14443B_COMMAND, flags, datalen, 0, data, datalen); // PacketResponseNG resp; - // WaitForResponse(CMD_ACK,&resp); + // WaitForResponse(CMD_HF_ISO14443B_COMMAND,&resp); // if (datalen > 2 ) { // PrintAndLogEx(NORMAL, "\n14443-3b tag found:"); @@ -709,7 +709,7 @@ static bool HF14B_Other_Reader(void) { // clearCommandBuffer(); // SendCommandMIX(CMD_HF_ISO14443B_COMMAND, flags, 1, 0, data, 1); // PacketResponseNG resp; - // WaitForResponse(CMD_ACK, &resp); + // WaitForResponse(CMD_HF_ISO14443B_COMMAND, &resp); // if (datalen > 0) { // PrintAndLogEx(NORMAL, "\n14443-3b tag found:"); @@ -723,7 +723,7 @@ static bool HF14B_Other_Reader(void) { // clearCommandBuffer(); // SendCommandMIX(CMD_HF_ISO14443B_COMMAND, flags, 1, 0, data, 1); // PacketResponseNG resp; - // WaitForResponse(CMD_ACK, &resp); + // WaitForResponse(CMD_HF_ISO14443B_COMMAND, &resp); // if (datalen > 0) { // PrintAndLogEx(NORMAL, "\n14443-3b tag found:"); @@ -899,7 +899,7 @@ static int CmdHF14BDump(const char *Cmd) { SendCommandMIX(CMD_HF_ISO14443B_COMMAND, ISO14B_CONNECT | ISO14B_SELECT_SR, 0, 0, NULL, 0); //select - if (WaitForResponseTimeout(CMD_ACK, &resp, 2000)) { + if (WaitForResponseTimeout(CMD_HF_ISO14443B_COMMAND, &resp, 2000)) { if (resp.oldarg[0]) { PrintAndLogEx(INFO, "failed to select %" PRId64 " | %" PRId64, resp.oldarg[0], resp.oldarg[1]); goto out; @@ -915,7 +915,7 @@ static int CmdHF14BDump(const char *Cmd) { clearCommandBuffer(); SendCommandMIX(CMD_HF_ISO14443B_COMMAND, ISO14B_APPEND_CRC | ISO14B_RAW, 2, 0, req, sizeof(req)); - if (WaitForResponseTimeout(CMD_ACK, &resp, 2000)) { + if (WaitForResponseTimeout(CMD_HF_ISO14443B_COMMAND, &resp, 2000)) { uint8_t status = resp.oldarg[0] & 0xFF; if (status > 0) { diff --git a/client/src/cmdhf15.c b/client/src/cmdhf15.c index 2b8812d33..ad69d5615 100644 --- a/client/src/cmdhf15.c +++ b/client/src/cmdhf15.c @@ -973,12 +973,12 @@ static int CmdHF15Info(const char *Cmd) { // Record Activity without enabling carrier //helptext -static int CmdHF15Record(const char *Cmd) { +static int CmdHF15Sniff(const char *Cmd) { char cmdp = tolower(param_getchar(Cmd, 0)); if (cmdp == 'h') return usage_15_record(); clearCommandBuffer(); - SendCommandNG(CMD_HF_ISO15693_RAWADC, NULL, 0); + SendCommandNG(CMD_HF_ISO15693_SNIFF, NULL, 0); return PM3_SUCCESS; } @@ -1841,9 +1841,8 @@ static command_t CommandTable[] = { {"demod", CmdHF15Demod, AlwaysAvailable, "Demodulate ISO15693 from tag"}, {"dump", CmdHF15Dump, IfPm3Iso15693, "Read all memory pages of an ISO15693 tag, save to file"}, {"info", CmdHF15Info, IfPm3Iso15693, "Tag information"}, -// {"sniff", CmdHF15Sniff, IfPm3Iso15693, "Sniff ISO15693 traffic"}, + {"sniff", CmdHF15Sniff, IfPm3Iso15693, "Sniff ISO15693 traffic"}, {"raw", CmdHF15Raw, IfPm3Iso15693, "Send raw hex data to tag"}, - {"record", CmdHF15Record, IfPm3Iso15693, "Record Samples (ISO15693)"}, {"read", CmdHF15Read, IfPm3Iso15693, "Read a block"}, {"reader", CmdHF15Reader, IfPm3Iso15693, "Act like an ISO15693 reader"}, {"readmulti", CmdHF15Readmulti, IfPm3Iso15693, "Reads multiple Blocks"}, diff --git a/client/src/cmdhficlass.c b/client/src/cmdhficlass.c index 501190170..b186b2496 100644 --- a/client/src/cmdhficlass.c +++ b/client/src/cmdhficlass.c @@ -2,6 +2,7 @@ // Copyright (C) 2010 iZsh , Hagen Fritsch // Copyright (C) 2011 Gerhard de Koning Gans // Copyright (C) 2014 Midnitesnake & Andy Davies & Martin Holst Swende +// Copyright (C) 2019 piwi // Copyright (C) 2020 Iceman // // This code is licensed to you under the terms of the GNU GPL, version 2 or, @@ -13,6 +14,7 @@ #include "cmdhficlass.h" #include +#include "cliparser.h" #include "cmdparser.h" // command_t #include "commonutil.h" // ARRAYLEN #include "cmdtrace.h" @@ -33,6 +35,7 @@ #define ICLASS_KEYS_MAX 8 #define ICLASS_AUTH_RETRY 10 #define ICLASS_DECRYPTION_BIN "iclass_decryptionkey.bin" +static uint8_t empty[8] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; static int CmdHelp(const char *Cmd); @@ -48,8 +51,8 @@ static uint8_t iClass_Key_Table[ICLASS_KEYS_MAX][8] = { }; static int usage_hf_iclass_sim(void) { - PrintAndLogEx(NORMAL, "Simulate a iclass legacy/standard tag\n"); - PrintAndLogEx(NORMAL, "Usage: hf iclass sim [h]