get rid of tabs

This commit is contained in:
Philippe Teuwen 2020-10-06 20:44:23 +02:00
commit 491adacb94
18 changed files with 998 additions and 998 deletions


@ -752,26 +752,26 @@ static RAMFUNC int Handle14443bSamplesFromTag(int ci, int cq) {
// The soft decision on the bit uses an estimate of just the
// quadrant of the reference angle, not the exact angle.
#define MAKE_SOFT_DECISION() { \
if(Demod.sumI > 0) { \
v = ci; \
} else { \
v = -ci; \
} \
if(Demod.sumQ > 0) { \
v += cq; \
} else { \
v -= cq; \
} \
}
if(Demod.sumI > 0) { \
v = ci; \
} else { \
v = -ci; \
} \
if(Demod.sumQ > 0) { \
v += cq; \
} else { \
v -= cq; \
} \
}
#define SUBCARRIER_DETECT_THRESHOLD 8
#define SUBCARRIER_DETECT_THRESHOLD 8
// Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by max(abs(ci),abs(cq)) + 1/2*min(abs(ci),abs(cq)))
#define AMPLITUDE(ci,cq) (MAX(ABS(ci),ABS(cq)) + (MIN(ABS(ci),ABS(cq))/2))
switch (Demod.state) {
case DEMOD_UNSYNCD: {
if (AMPLITUDE(ci, cq) > SUBCARRIER_DETECT_THRESHOLD) { // subcarrier detected
if (AMPLITUDE(ci, cq) > SUBCARRIER_DETECT_THRESHOLD) { // subcarrier detected
Demod.state = DEMOD_PHASE_REF_TRAINING;
Demod.sumI = ci;
Demod.sumQ = cq;
@ -799,7 +799,7 @@ static RAMFUNC int Handle14443bSamplesFromTag(int ci, int cq) {
} else {
// at this point it can be start of 14b' data or start of 14b SOF
MAKE_SOFT_DECISION();
Demod.posCount = 1; // this was the first half
Demod.posCount = 1; // this was the first half
Demod.thisBit = v;
Demod.shiftReg = 0;
Demod.state = DEMOD_RECEIVING_DATA;
@ -815,7 +815,7 @@ static RAMFUNC int Handle14443bSamplesFromTag(int ci, int cq) {
Demod.posCount++;
MAKE_SOFT_DECISION();
if (v > 0) {
if (Demod.posCount > 3 * 2) { // max 19us between characters = 16 1/fs, max 3 etu after low phase of SOF = 24 1/fs
if (Demod.posCount > 3 * 2) { // max 19us between characters = 16 1/fs, max 3 etu after low phase of SOF = 24 1/fs
LED_C_OFF();
if (Demod.bitCount == 0 && Demod.len == 0) { // received SOF only, this is valid for iClass/Picopass
return true;
@ -823,8 +823,8 @@ static RAMFUNC int Handle14443bSamplesFromTag(int ci, int cq) {
Demod.state = DEMOD_UNSYNCD;
}
}
} else { // start bit detected
Demod.posCount = 1; // this was the first half
} else { // start bit detected
Demod.posCount = 1; // this was the first half
Demod.thisBit = v;
Demod.shiftReg = 0;
Demod.state = DEMOD_RECEIVING_DATA;
@ -857,14 +857,14 @@ static RAMFUNC int Handle14443bSamplesFromTag(int ci, int cq) {
MAKE_SOFT_DECISION();
if (Demod.posCount == 0) { // first half of bit
if (Demod.posCount == 0) { // first half of bit
Demod.thisBit = v;
Demod.posCount = 1;
} else { // second half of bit
} else { // second half of bit
Demod.thisBit += v;
Demod.shiftReg >>= 1;
if (Demod.thisBit > 0) { // logic '1'
if (Demod.thisBit > 0) { // logic '1'
Demod.shiftReg |= 0x200;
}


@ -1883,112 +1883,112 @@ void LockPassSlixIso15693(uint32_t pass_id, uint32_t password) {
LED_A_ON();
uint8_t cmd_inventory[] = {ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_INVENTORY | ISO15693_REQINV_SLOT1, 0x01, 0x00, 0x00, 0x00 };
uint8_t cmd_get_rnd[] = {ISO15693_REQ_DATARATE_HIGH, 0xB2, 0x04, 0x00, 0x00 };
uint8_t cmd_set_pass[] = {ISO15693_REQ_DATARATE_HIGH, 0xB3, 0x04, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
//uint8_t cmd_write_pass[] = {ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_ADDRESS, 0xB4, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
uint8_t cmd_lock_pass[] = {ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_ADDRESS, 0xB5, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00 };
uint16_t crc;
int recvlen = 0;
uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
uint32_t start_time = 0;
bool done = false;
uint8_t cmd_inventory[] = {ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_INVENTORY | ISO15693_REQINV_SLOT1, 0x01, 0x00, 0x00, 0x00 };
uint8_t cmd_get_rnd[] = {ISO15693_REQ_DATARATE_HIGH, 0xB2, 0x04, 0x00, 0x00 };
uint8_t cmd_set_pass[] = {ISO15693_REQ_DATARATE_HIGH, 0xB3, 0x04, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
//uint8_t cmd_write_pass[] = {ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_ADDRESS, 0xB4, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
uint8_t cmd_lock_pass[] = {ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_ADDRESS, 0xB5, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00 };
uint16_t crc;
int recvlen = 0;
uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
uint32_t start_time = 0;
bool done = false;
// setup 'get random number' command
crc = Iso15693Crc(cmd_get_rnd, 3);
cmd_get_rnd[3] = crc & 0xff;
cmd_get_rnd[4] = crc >> 8;
// setup 'get random number' command
crc = Iso15693Crc(cmd_get_rnd, 3);
cmd_get_rnd[3] = crc & 0xff;
cmd_get_rnd[4] = crc >> 8;
Dbprintf("LockPass: Press button lock password, long-press to terminate.");
Dbprintf("LockPass: Press button lock password, long-press to terminate.");
while (!done) {
while (!done) {
LED_D_ON();
switch(BUTTON_HELD(1000)) {
case BUTTON_SINGLE_CLICK:
Dbprintf("LockPass: Reset 'DONE'-LED (A)");
LED_A_OFF();
LED_B_OFF();
LED_C_OFF();
break;
case BUTTON_HOLD:
Dbprintf("LockPass: Terminating");
done = true;
break;
default:
SpinDelay(50);
continue;
}
LED_D_ON();
switch(BUTTON_HELD(1000)) {
case BUTTON_SINGLE_CLICK:
Dbprintf("LockPass: Reset 'DONE'-LED (A)");
LED_A_OFF();
LED_B_OFF();
LED_C_OFF();
break;
case BUTTON_HOLD:
Dbprintf("LockPass: Terminating");
done = true;
break;
default:
SpinDelay(50);
continue;
}
if (done) [
break;
}
if (done) [
break;
}
recvlen = SendDataTag(cmd_get_rnd, sizeof(cmd_get_rnd), true, true, recvbuf, sizeof(recvbuf), start_time);
if (recvlen != 5) {
LED_C_ON();
} else {
Dbprintf("LockPass: Received random 0x%02X%02X (%d)", recvbuf[1], recvbuf[2], recvlen);
recvlen = SendDataTag(cmd_get_rnd, sizeof(cmd_get_rnd), true, true, recvbuf, sizeof(recvbuf), start_time);
if (recvlen != 5) {
LED_C_ON();
} else {
Dbprintf("LockPass: Received random 0x%02X%02X (%d)", recvbuf[1], recvbuf[2], recvlen);
// setup 'set password' command
cmd_set_pass[4] = ((password>>0) &0xFF) ^ recvbuf[1];
cmd_set_pass[5] = ((password>>8) &0xFF) ^ recvbuf[2];
cmd_set_pass[6] = ((password>>16) &0xFF) ^ recvbuf[1];
cmd_set_pass[7] = ((password>>24) &0xFF) ^ recvbuf[2];
// setup 'set password' command
cmd_set_pass[4] = ((password>>0) &0xFF) ^ recvbuf[1];
cmd_set_pass[5] = ((password>>8) &0xFF) ^ recvbuf[2];
cmd_set_pass[6] = ((password>>16) &0xFF) ^ recvbuf[1];
cmd_set_pass[7] = ((password>>24) &0xFF) ^ recvbuf[2];
crc = Iso15693Crc(cmd_set_pass, 8);
cmd_set_pass[8] = crc & 0xff;
cmd_set_pass[9] = crc >> 8;
crc = Iso15693Crc(cmd_set_pass, 8);
cmd_set_pass[8] = crc & 0xff;
cmd_set_pass[9] = crc >> 8;
Dbprintf("LockPass: Sending old password to end privacy mode", cmd_set_pass[4], cmd_set_pass[5], cmd_set_pass[6], cmd_set_pass[7]);
recvlen = SendDataTag(cmd_set_pass, sizeof(cmd_set_pass), false, true, recvbuf, sizeof(recvbuf), start_time);
if (recvlen != 3) {
Dbprintf("LockPass: Failed to set password (%d)", recvlen);
LED_B_ON();
} else {
crc = Iso15693Crc(cmd_inventory, 3);
cmd_inventory[3] = crc & 0xff;
cmd_inventory[4] = crc >> 8;
Dbprintf("LockPass: Sending old password to end privacy mode", cmd_set_pass[4], cmd_set_pass[5], cmd_set_pass[6], cmd_set_pass[7]);
recvlen = SendDataTag(cmd_set_pass, sizeof(cmd_set_pass), false, true, recvbuf, sizeof(recvbuf), start_time);
if (recvlen != 3) {
Dbprintf("LockPass: Failed to set password (%d)", recvlen);
LED_B_ON();
} else {
crc = Iso15693Crc(cmd_inventory, 3);
cmd_inventory[3] = crc & 0xff;
cmd_inventory[4] = crc >> 8;
Dbprintf("LockPass: Searching for tag...");
recvlen = SendDataTag(cmd_inventory, sizeof(cmd_inventory), false, true, recvbuf, sizeof(recvbuf), start_time);
if (recvlen != 12) {
Dbprintf("LockPass: Failed to read inventory (%d)", recvlen);
LED_B_ON();
LED_C_ON();
} else {
Dbprintf("LockPass: Searching for tag...");
recvlen = SendDataTag(cmd_inventory, sizeof(cmd_inventory), false, true, recvbuf, sizeof(recvbuf), start_time);
if (recvlen != 12) {
Dbprintf("LockPass: Failed to read inventory (%d)", recvlen);
LED_B_ON();
LED_C_ON();
} else {
Dbprintf("LockPass: Answer from %02X%02X%02X%02X%02X%02X%02X%02X", recvbuf[9], recvbuf[8], recvbuf[7], recvbuf[6], recvbuf[5], recvbuf[4], recvbuf[3], recvbuf[2]);
Dbprintf("LockPass: Answer from %02X%02X%02X%02X%02X%02X%02X%02X", recvbuf[9], recvbuf[8], recvbuf[7], recvbuf[6], recvbuf[5], recvbuf[4], recvbuf[3], recvbuf[2]);
memcpy(&cmd_lock_pass[3], &recvbuf[2], 8);
memcpy(&cmd_lock_pass[3], &recvbuf[2], 8);
cmd_lock_pass[8+3] = pass_id;
cmd_lock_pass[8+3] = pass_id;
crc = Iso15693Crc(cmd_lock_pass, 8+4);
cmd_lock_pass[8+4] = crc & 0xff;
cmd_lock_pass[8+5] = crc >> 8;
crc = Iso15693Crc(cmd_lock_pass, 8+4);
cmd_lock_pass[8+4] = crc & 0xff;
cmd_lock_pass[8+5] = crc >> 8;
Dbprintf("LockPass: locking to password 0x%02X%02X%02X%02X for ID %02X", cmd_set_pass[4], cmd_set_pass[5], cmd_set_pass[6], cmd_set_pass[7], pass_id);
Dbprintf("LockPass: locking to password 0x%02X%02X%02X%02X for ID %02X", cmd_set_pass[4], cmd_set_pass[5], cmd_set_pass[6], cmd_set_pass[7], pass_id);
recvlen = SendDataTag(cmd_lock_pass, sizeof(cmd_lock_pass), false, true, recvbuf, sizeof(recvbuf), start_time);
if (recvlen != 3) {
Dbprintf("LockPass: Failed to lock password (%d)", recvlen);
} else {
Dbprintf("LockPass: Successful (%d)", recvlen);
}
LED_A_ON();
}
} }
}
recvlen = SendDataTag(cmd_lock_pass, sizeof(cmd_lock_pass), false, true, recvbuf, sizeof(recvbuf), start_time);
if (recvlen != 3) {
Dbprintf("LockPass: Failed to lock password (%d)", recvlen);
} else {
Dbprintf("LockPass: Successful (%d)", recvlen);
}
LED_A_ON();
}
} }
}
Dbprintf("LockPass: Finishing");
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
Dbprintf("LockPass: Finishing");
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
cmd_send(CMD_ACK, recvlen, 0, 0, recvbuf, recvlen);
LED_A_OFF();
LED_B_OFF();
LED_C_OFF();
LED_D_OFF();
cmd_send(CMD_ACK, recvlen, 0, 0, recvbuf, recvlen);
LED_A_OFF();
LED_B_OFF();
LED_C_OFF();
LED_D_OFF();
}
*/


@ -77,65 +77,65 @@ local function setdevicedebug( status )
end
local function xteaCrypt(num_rounds, v, key)
local v0 = v[0]
local v1 = v[1]
local delta = 0x9E3779B9
local sum = 0
local v0 = v[0]
local v1 = v[1]
local delta = 0x9E3779B9
local sum = 0
for i = 0, num_rounds-1 do
-- v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
v0 = band(bxor(bxor(lsh(v1,4), rsh(v1,5)) + v1, sum + key[band(sum,3)]) + v0, 0xFFFFFFFF)
sum = band(sum + delta, 0xFFFFFFFF)
-- v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3]);
v1 = band(bxor(bxor(lsh(v0,4), rsh(v0,5)) + v0, sum + key[band(rsh(sum,11),3)]) + v1, 0xFFFFFFFF)
end
v[0] = v0
v[1] = v1
for i = 0, num_rounds-1 do
-- v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
v0 = band(bxor(bxor(lsh(v1,4), rsh(v1,5)) + v1, sum + key[band(sum,3)]) + v0, 0xFFFFFFFF)
sum = band(sum + delta, 0xFFFFFFFF)
-- v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3]);
v1 = band(bxor(bxor(lsh(v0,4), rsh(v0,5)) + v0, sum + key[band(rsh(sum,11),3)]) + v1, 0xFFFFFFFF)
end
v[0] = v0
v[1] = v1
end
local function xteaDecrypt(num_rounds, v, key)
local v0 = v[0]
local v1 = v[1]
local delta = 0x9E3779B9
local sum = band(delta * num_rounds, 0xFFFFFFFF)
local v0 = v[0]
local v1 = v[1]
local delta = 0x9E3779B9
local sum = band(delta * num_rounds, 0xFFFFFFFF)
for i = 0, num_rounds-1 do
-- v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3]);
v1 = band(v1 - bxor(bxor(lsh(v0,4), rsh(v0,5)) + v0, sum + key[band(rsh(sum,11),3)]), 0xFFFFFFFF)
sum = band(sum - delta, 0xFFFFFFFF)
-- v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
v0 = band(v0 - bxor(bxor(lsh(v1,4), rsh(v1,5)) + v1, sum + key[band(sum,3)]), 0xFFFFFFFF)
end
v[0] = v0
v[1] = v1
for i = 0, num_rounds-1 do
-- v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3]);
v1 = band(v1 - bxor(bxor(lsh(v0,4), rsh(v0,5)) + v0, sum + key[band(rsh(sum,11),3)]), 0xFFFFFFFF)
sum = band(sum - delta, 0xFFFFFFFF)
-- v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
v0 = band(v0 - bxor(bxor(lsh(v1,4), rsh(v1,5)) + v1, sum + key[band(sum,3)]), 0xFFFFFFFF)
end
v[0] = v0
v[1] = v1
end
local function createxteakey(mfuid)
local xteakey = {}
local buid = {}
local tmpkey = {}
local uid = {}
local xteakey = {}
local buid = {}
local tmpkey = {}
local uid = {}
-- Warning ! "it is customary in Lua to START ARRAYS WITH ONE"
buid = utils.ConvertHexToBytes(mfuid)
uid[0] = bor(buid[1], lsh(buid[2], 8))
uid[1] = bor(buid[3], lsh(buid[4], 8))
-- Warning ! "it is customary in Lua to START ARRAYS WITH ONE"
buid = utils.ConvertHexToBytes(mfuid)
uid[0] = bor(buid[1], lsh(buid[2], 8))
uid[1] = bor(buid[3], lsh(buid[4], 8))
tmpkey[0] = 0x198B
tmpkey[1] = uid[0]
tmpkey[2] = 0x46D8
tmpkey[3] = uid[1]
tmpkey[4] = 0x5310
tmpkey[5] = bxor(uid[0], 0xA312)
tmpkey[6] = 0xFFCB
tmpkey[7] = bxor(uid[1], 0x55AA)
tmpkey[0] = 0x198B
tmpkey[1] = uid[0]
tmpkey[2] = 0x46D8
tmpkey[3] = uid[1]
tmpkey[4] = 0x5310
tmpkey[5] = bxor(uid[0], 0xA312)
tmpkey[6] = 0xFFCB
tmpkey[7] = bxor(uid[1], 0x55AA)
xteakey[0] = bor(lsh(tmpkey[1], 16), tmpkey[0])
xteakey[1] = bor(lsh(tmpkey[3], 16), tmpkey[2])
xteakey[2] = bor(lsh(tmpkey[5], 16), tmpkey[4])
xteakey[3] = bor(lsh(tmpkey[7], 16), tmpkey[6])
xteakey[0] = bor(lsh(tmpkey[1], 16), tmpkey[0])
xteakey[1] = bor(lsh(tmpkey[3], 16), tmpkey[2])
xteakey[2] = bor(lsh(tmpkey[5], 16), tmpkey[4])
xteakey[3] = bor(lsh(tmpkey[7], 16), tmpkey[6])
return xteakey
return xteakey
end
local function getblockdata(response)
@ -160,38 +160,38 @@ local function readblock(blockno, key)
end
local function readtag(mfkey,xteakey)
local tagdata = {}
local cleardata = {}
local v = {}
local vv = {}
local tagdata = {}
local cleardata = {}
local v = {}
local vv = {}
-- Read 4 sectors and build table
for sect = 8, 11 do
for blockn = sect * 4, (sect * 4) + 2 do
local blockdata = readblock(blockn, mfkey)
if not blockdata then return oops('[!] failed reading block') end
table.insert(tagdata, blockdata)
end
end
-- Read 4 sectors and build table
for sect = 8, 11 do
for blockn = sect * 4, (sect * 4) + 2 do
local blockdata = readblock(blockn, mfkey)
if not blockdata then return oops('[!] failed reading block') end
table.insert(tagdata, blockdata)
end
end
-- Decrypt data and build clear table
for key,value in ipairs(tagdata) do
local clearblockdata
v[0] = utils.SwapEndianness(value:sub(1, 8), 32)
v[1] = utils.SwapEndianness(value:sub(9, 16), 32)
xteaDecrypt(16, v, xteakey)
vv[0] = utils.SwapEndianness(value:sub(17, 24), 32)
vv[1] = utils.SwapEndianness(value:sub(25, 32), 32)
xteaDecrypt(16, vv, xteakey)
clearblockdata=string.format("%08X%08X%08X%08X",
utils.SwapEndianness(string.format("%08X", v[0]), 32),
utils.SwapEndianness(string.format("%08X", v[1]), 32),
utils.SwapEndianness(string.format("%08X", vv[0]), 32),
utils.SwapEndianness(string.format("%08X", vv[1]), 32))
table.insert(cleardata, clearblockdata)
end
-- Decrypt data and build clear table
for key,value in ipairs(tagdata) do
local clearblockdata
v[0] = utils.SwapEndianness(value:sub(1, 8), 32)
v[1] = utils.SwapEndianness(value:sub(9, 16), 32)
xteaDecrypt(16, v, xteakey)
vv[0] = utils.SwapEndianness(value:sub(17, 24), 32)
vv[1] = utils.SwapEndianness(value:sub(25, 32), 32)
xteaDecrypt(16, vv, xteakey)
clearblockdata=string.format("%08X%08X%08X%08X",
utils.SwapEndianness(string.format("%08X", v[0]), 32),
utils.SwapEndianness(string.format("%08X", v[1]), 32),
utils.SwapEndianness(string.format("%08X", vv[0]), 32),
utils.SwapEndianness(string.format("%08X", vv[1]), 32))
table.insert(cleardata, clearblockdata)
end
return tagdata,cleardata
return tagdata,cleardata
end
@ -203,98 +203,98 @@ local function main(args)
if o == 'h' then return help() end
end
local xteakey = {}
-- local v = {}
local edata = {}
local cdata = {}
local xteakey = {}
-- local v = {}
local edata = {}
local cdata = {}
-- Turn off Debug
setdevicedebug(false)
-- Turn off Debug
setdevicedebug(false)
-- GET TAG UID
tag, err = lib14a.read(false, true)
if err then
lib14a.disconnect()
return oops(err)
end
core.clearCommandBuffer()
-- GET TAG UID
tag, err = lib14a.read(false, true)
if err then
lib14a.disconnect()
return oops(err)
end
core.clearCommandBuffer()
-- simple tag check
if 0x08 ~= tag.sak then
if 0x0400 ~= tag.atqa then
return oops(('[fail] found tag %s :: looking for Mifare S50 1k'):format(tag.name))
end
end
-- simple tag check
if 0x08 ~= tag.sak then
if 0x0400 ~= tag.atqa then
return oops(('[fail] found tag %s :: looking for Mifare S50 1k'):format(tag.name))
end
end
xteakey = createxteakey(tag.uid)
print(acblue.."UID: "..tag.uid..acoff)
print(acblue..string.format("XTEA key: %08X %08X %08X %08X", xteakey[0], xteakey[1], xteakey[2], xteakey[3])..acoff)
xteakey = createxteakey(tag.uid)
print(acblue.."UID: "..tag.uid..acoff)
print(acblue..string.format("XTEA key: %08X %08X %08X %08X", xteakey[0], xteakey[1], xteakey[2], xteakey[3])..acoff)
edata, cdata = readtag("415A54454B4D", xteakey)
edata, cdata = readtag("415A54454B4D", xteakey)
if edata == nil or cdata == nil then
print("ERROR Reading tag!")
return nil
end
if edata == nil or cdata == nil then
print("ERROR Reading tag!")
return nil
end
print("Ciphered data:")
for key,value in ipairs(edata) do
print(value)
if key % 3 == 0 then print("") end
end
print("Ciphered data:")
for key,value in ipairs(edata) do
print(value)
if key % 3 == 0 then print("") end
end
-- compute CRC for each segment
-- compute CRC for each segment
crcH = utils.SwapEndianness(core.reveng_runmodel("CRC-16/ARC", cdata[1]..cdata[2]..cdata[3]:sub(1,28), false, '0'),16)
crcA = utils.SwapEndianness(core.reveng_runmodel("CRC-16/ARC", cdata[4]..cdata[5]..cdata[6]..cdata[7]:sub(1,28), false, '0'),16)
crcB = utils.SwapEndianness(core.reveng_runmodel("CRC-16/ARC", cdata[8]..cdata[9]..cdata[10]..cdata[11]:sub(1,28), false, '0'),16)
print("\nHeader:")
for key,value in ipairs(cdata) do
if key == 3 then
print(value:sub(1,28)..acmagenta..value:sub(29,32)..acoff)
if utils.SwapEndianness(value:sub(29,32),16) == crcH then strcrc = " OK" else strcrc = acred.." CRCERROR !!" end
print(acmagenta.."CRC16/ARC = "..string.format("0x%04X", crcH)..strcrc..acoff)
print("\nDataA:")
elseif key == 4 then
print(acgreen..value:sub(1,4)..acoff..value:sub(5,16)..accyan..value:sub(17,24)..acoff..value:sub(25,26)..accyan..value:sub(27,28)..acoff..value:sub(29,32))
versionA = utils.SwapEndianness(value:sub(1,4),16)
dateA = string.format("%d/%02d/%02d %02d:%02d", tonumber(value:sub(17,18),10)+2000, tonumber(value:sub(19,20),10),
tonumber(string.format("%02X", band(tonumber(value:sub(21,22),16),0x3f)),10),
tonumber(value:sub(23,24),10), tonumber(value:sub(27,28),10))
elseif key == 8 then
print(acgreen..value:sub(1,4)..acoff..value:sub(5,16)..accyan..value:sub(17,24)..acoff..value:sub(25,26)..accyan..value:sub(27,28)..acoff..value:sub(29,32))
versionB = utils.SwapEndianness(value:sub(1,4),16)
dateB = string.format("%d/%02d/%02d %02d:%02d", tonumber(value:sub(17,18),10)+2000, tonumber(value:sub(19,20),10),
tonumber(string.format("%02X", band(tonumber(value:sub(21,22),16),0x3f)),10),
tonumber(value:sub(23,24),10), tonumber(value:sub(27,28),10))
elseif key == 5 then
print(acyellow..value:sub(1,4)..acoff..value:sub(5,32))
creditA = utils.SwapEndianness(value:sub(1,4),16)/100
elseif key == 9 then
print(acyellow..value:sub(1,4)..acoff..value:sub(5,32))
creditB = utils.SwapEndianness(value:sub(1,4),16)/100
elseif key == 7 then
print(value:sub(1,28)..acmagenta..value:sub(29,32)..acoff)
print(acgreen.."Version "..string.format("0x%04X", versionA)..acoff)
print(acyellow.."Credit : "..creditA..acoff)
if utils.SwapEndianness(value:sub(29,32),16) == crcA then strcrc = " OK" else strcrc = acred.." CRCERROR !!" end
print(acmagenta.."CRC16/ARC = "..string.format("0x%04X", crcA)..strcrc..acoff)
print(accyan.."Date: "..dateA..acoff)
print("\nDataB:")
elseif key == 11 then
print(value:sub(1,28)..acmagenta..value:sub(29,32)..acoff)
print(acgreen.."Version "..string.format("0x%04X", versionB)..acoff)
print(acyellow.."Credit : "..creditB..acoff)
if utils.SwapEndianness(value:sub(29,32),16) == crcB then strcrc = " OK" else strcrc = acred.." CRCERROR !!" end
print(acmagenta.."CRC16/ARC = "..string.format("0x%04X", crcB)..strcrc..acoff)
print(accyan.."Date: "..dateB..acoff)
print("\nFooter:")
else
print(value)
end
end
print("\nHeader:")
for key,value in ipairs(cdata) do
if key == 3 then
print(value:sub(1,28)..acmagenta..value:sub(29,32)..acoff)
if utils.SwapEndianness(value:sub(29,32),16) == crcH then strcrc = " OK" else strcrc = acred.." CRCERROR !!" end
print(acmagenta.."CRC16/ARC = "..string.format("0x%04X", crcH)..strcrc..acoff)
print("\nDataA:")
elseif key == 4 then
print(acgreen..value:sub(1,4)..acoff..value:sub(5,16)..accyan..value:sub(17,24)..acoff..value:sub(25,26)..accyan..value:sub(27,28)..acoff..value:sub(29,32))
versionA = utils.SwapEndianness(value:sub(1,4),16)
dateA = string.format("%d/%02d/%02d %02d:%02d", tonumber(value:sub(17,18),10)+2000, tonumber(value:sub(19,20),10),
tonumber(string.format("%02X", band(tonumber(value:sub(21,22),16),0x3f)),10),
tonumber(value:sub(23,24),10), tonumber(value:sub(27,28),10))
elseif key == 8 then
print(acgreen..value:sub(1,4)..acoff..value:sub(5,16)..accyan..value:sub(17,24)..acoff..value:sub(25,26)..accyan..value:sub(27,28)..acoff..value:sub(29,32))
versionB = utils.SwapEndianness(value:sub(1,4),16)
dateB = string.format("%d/%02d/%02d %02d:%02d", tonumber(value:sub(17,18),10)+2000, tonumber(value:sub(19,20),10),
tonumber(string.format("%02X", band(tonumber(value:sub(21,22),16),0x3f)),10),
tonumber(value:sub(23,24),10), tonumber(value:sub(27,28),10))
elseif key == 5 then
print(acyellow..value:sub(1,4)..acoff..value:sub(5,32))
creditA = utils.SwapEndianness(value:sub(1,4),16)/100
elseif key == 9 then
print(acyellow..value:sub(1,4)..acoff..value:sub(5,32))
creditB = utils.SwapEndianness(value:sub(1,4),16)/100
elseif key == 7 then
print(value:sub(1,28)..acmagenta..value:sub(29,32)..acoff)
print(acgreen.."Version "..string.format("0x%04X", versionA)..acoff)
print(acyellow.."Credit : "..creditA..acoff)
if utils.SwapEndianness(value:sub(29,32),16) == crcA then strcrc = " OK" else strcrc = acred.." CRCERROR !!" end
print(acmagenta.."CRC16/ARC = "..string.format("0x%04X", crcA)..strcrc..acoff)
print(accyan.."Date: "..dateA..acoff)
print("\nDataB:")
elseif key == 11 then
print(value:sub(1,28)..acmagenta..value:sub(29,32)..acoff)
print(acgreen.."Version "..string.format("0x%04X", versionB)..acoff)
print(acyellow.."Credit : "..creditB..acoff)
if utils.SwapEndianness(value:sub(29,32),16) == crcB then strcrc = " OK" else strcrc = acred.." CRCERROR !!" end
print(acmagenta.."CRC16/ARC = "..string.format("0x%04X", crcB)..strcrc..acoff)
print(accyan.."Date: "..dateB..acoff)
print("\nFooter:")
else
print(value)
end
end
return
return
end
main(args)


@ -34,7 +34,7 @@ version = 'v1.0.0'
desc = [[
This script gives you an easy way to write your *.eml dumps into normal MIFARE Classic and Magic Gen3 cards.
Works with both 4 and 7 bytes NXP MIFARE Classic 1K cards.
Works with both 4 and 7 bytes NXP MIFARE Classic 1K cards.
The script also has the possibility to change UID and permanent lock uid on magic Gen3 cards.
It supports the following functionality.
@ -47,18 +47,18 @@ desc = [[
Script works in a wizard styled way.
Author Youtube channel: https://yev.ooo/
Author Youtube channel: https://yev.ooo/
Many Thanks,
Best Regards
Many Thanks,
Best Regards
]]
example = [[
1. script run mfc_gen3_writer
]]
usage = [[
Give script to know if you uses an Windows OS
Give script to know if you uses an Windows OS
Select your *.eml dump from list to write to the card.
Follow the wizard.
Follow the wizard.
]]
--
---
@ -163,9 +163,9 @@ end
--
local function KeyAB()
if default_key_type == '00' then
return 'KeyA'
return 'KeyA'
else
return 'KeyB'
return 'KeyB'
end
end
--
@ -265,7 +265,7 @@ local function main(args)
eml_file_uid_end = 22
eml_file_lengt = 31
else
eml_file_uid_start = 9
eml_file_uid_start = 9
eml_file_uid_end = 16
eml_file_lengt = 25
end
@ -366,7 +366,7 @@ local function main(args)
print(tab)
--
if checkkey() == true then
print(tab)
print(tab)
if (utils.confirm(' Card is Empty. Write selected dump to card ?') == true) then
for i = 1, #eml do
core.console(string.format(cmd_wrbl_b, (i-1), default_key, eml[i]))


@ -114,7 +114,7 @@ local function main(args)
local c = string.format( command, n )
print('Running: "'..c..'"')
core.console(c)
core.console('msleep '..timeout);
core.console('msleep '..timeout);
core.console('hw ping')
end



@ -65,37 +65,37 @@ ARM, send a 16bit configuration with fits the select major mode.
## ARM GPIO setup
```
// First configure the GPIOs, and get ourselves a clock.
AT91C_BASE_PIOA->PIO_ASR =
GPIO_SSC_FRAME |
GPIO_SSC_DIN |
GPIO_SSC_DOUT |
GPIO_SSC_CLK;
AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;
// First configure the GPIOs, and get ourselves a clock.
AT91C_BASE_PIOA->PIO_ASR =
GPIO_SSC_FRAME |
GPIO_SSC_DIN |
GPIO_SSC_DOUT |
GPIO_SSC_CLK;
AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;
AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_SSC);
AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_SSC);
// Now set up the SSC proper, starting from a known state.
AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
// Now set up the SSC proper, starting from a known state.
AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
// RX clock comes from TX clock, RX starts on Transmit Start,
// data and frame signal is sampled on falling edge of RK
AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(1) | SSC_CLOCK_MODE_START(1);
// RX clock comes from TX clock, RX starts on Transmit Start,
// data and frame signal is sampled on falling edge of RK
AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(1) | SSC_CLOCK_MODE_START(1);
// 8, 16 or 32 bits per transfer, no loopback, MSB first, 1 transfer per sync
// pulse, no output sync
if ((FPGA_mode & FPGA_MAJOR_MODE_MASK) == FPGA_MAJOR_MODE_HF_READER && FpgaGetCurrent() == FPGA_BITSTREAM_HF) {
AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
} else {
AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
}
// 8, 16 or 32 bits per transfer, no loopback, MSB first, 1 transfer per sync
// pulse, no output sync
if ((FPGA_mode & FPGA_MAJOR_MODE_MASK) == FPGA_MAJOR_MODE_HF_READER && FpgaGetCurrent() == FPGA_BITSTREAM_HF) {
AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
} else {
AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
}
// TX clock comes from TK pin, no clock output, outputs change on rising edge of TK,
// TF (frame sync) is sampled on falling edge of TK, start TX on rising edge of TF
AT91C_BASE_SSC->SSC_TCMR = SSC_CLOCK_MODE_SELECT(2) | SSC_CLOCK_MODE_START(5);
// TX clock comes from TK pin, no clock output, outputs change on rising edge of TK,
// TF (frame sync) is sampled on falling edge of TK, start TX on rising edge of TF
AT91C_BASE_SSC->SSC_TCMR = SSC_CLOCK_MODE_SELECT(2) | SSC_CLOCK_MODE_START(5);
// tx framing is the same as the rx framing
AT91C_BASE_SSC->SSC_TFMR = AT91C_BASE_SSC->SSC_RFMR;
// tx framing is the same as the rx framing
AT91C_BASE_SSC->SSC_TFMR = AT91C_BASE_SSC->SSC_RFMR;
```


@ -154,22 +154,22 @@ wire [3:0] minor_mode = conf_word[3:0];
// 000 - HF reader
hi_reader hr(
ck_1356megb,
hr_pwr_lo, hr_pwr_hi, hr_pwr_oe1, hr_pwr_oe2, hr_pwr_oe3, hr_pwr_oe4,
adc_d, hr_adc_clk,
hr_ssp_frame, hr_ssp_din, ssp_dout, hr_ssp_clk,
hr_dbg,
subcarrier_frequency, minor_mode
ck_1356megb,
hr_pwr_lo, hr_pwr_hi, hr_pwr_oe1, hr_pwr_oe2, hr_pwr_oe3, hr_pwr_oe4,
adc_d, hr_adc_clk,
hr_ssp_frame, hr_ssp_din, ssp_dout, hr_ssp_clk,
hr_dbg,
subcarrier_frequency, minor_mode
);
// 001 - HF simulated tag
hi_simulate hs(
ck_1356meg,
ck_1356meg,
hs_pwr_lo, hs_pwr_hi, hs_pwr_oe1, hs_pwr_oe2, hs_pwr_oe3, hs_pwr_oe4,
adc_d, hs_adc_clk,
hs_ssp_frame, hs_ssp_din, ssp_dout, hs_ssp_clk,
hs_dbg,
minor_mode
minor_mode
);
// 011 - HF sniff
@ -192,9 +192,9 @@ hi_flite hfl(
// 101 - HF get trace
hi_get_trace gt(
ck_1356megb,
adc_d, trace_enable, major_mode,
gt_ssp_frame, gt_ssp_din, gt_ssp_clk
ck_1356megb,
adc_d, trace_enable, major_mode,
gt_ssp_frame, gt_ssp_din, gt_ssp_clk
);
// Major modes:


@ -156,32 +156,32 @@ wire [3:0] minor_mode = conf_word[3:0];
// 000 - HF reader
hi_reader hr(
ck_1356megb,
hr_pwr_lo, hr_pwr_hi, hr_pwr_oe1, hr_pwr_oe2, hr_pwr_oe3, hr_pwr_oe4,
adc_d, hr_adc_clk,
hr_ssp_frame, hr_ssp_din, ssp_dout, hr_ssp_clk,
hr_dbg,
subcarrier_frequency, minor_mode
ck_1356megb,
hr_pwr_lo, hr_pwr_hi, hr_pwr_oe1, hr_pwr_oe2, hr_pwr_oe3, hr_pwr_oe4,
adc_d, hr_adc_clk,
hr_ssp_frame, hr_ssp_din, ssp_dout, hr_ssp_clk,
hr_dbg,
subcarrier_frequency, minor_mode
);
// 001 - HF simulated tag
hi_simulate hs(
ck_1356meg,
ck_1356meg,
hs_pwr_lo, hs_pwr_hi, hs_pwr_oe1, hs_pwr_oe2, hs_pwr_oe3, hs_pwr_oe4,
adc_d, hs_adc_clk,
hs_ssp_frame, hs_ssp_din, ssp_dout, hs_ssp_clk,
hs_dbg,
minor_mode
minor_mode
);
// 010 - HF ISO14443-A
hi_iso14443a hisn(
ck_1356meg,
ck_1356meg,
hisn_pwr_lo, hisn_pwr_hi, hisn_pwr_oe1, hisn_pwr_oe2, hisn_pwr_oe3, hisn_pwr_oe4,
adc_d, hisn_adc_clk,
hisn_ssp_frame, hisn_ssp_din, ssp_dout, hisn_ssp_clk,
hisn_dbg,
minor_mode
minor_mode
);
// 011 - HF sniff
@ -206,9 +206,9 @@ hi_flite hfl(
// 101 - HF get trace
hi_get_trace gt(
ck_1356megb,
adc_d, trace_enable, major_mode,
gt_ssp_frame, gt_ssp_din, gt_ssp_clk
ck_1356megb,
adc_d, trace_enable, major_mode,
gt_ssp_frame, gt_ssp_din, gt_ssp_clk
);
// Major modes:


@ -10,25 +10,25 @@ module hi_get_trace(
);
input ck_1356megb;
input [7:0] adc_d;
input trace_enable;
input [2:0] major_mode;
input trace_enable;
input [2:0] major_mode;
output ssp_frame, ssp_din, ssp_clk;
// clock divider
reg [6:0] clock_cnt;
always @(negedge ck_1356megb)
begin
clock_cnt <= clock_cnt + 1;
clock_cnt <= clock_cnt + 1;
end
// sample at 13,56MHz / 8. The highest signal frequency (subcarrier) is 848,5kHz, i.e. in this case we oversample by a factor of 2
reg [2:0] sample_clock;
always @(negedge ck_1356megb)
begin
if (sample_clock == 3'd7)
sample_clock <= 3'd0;
else
sample_clock <= sample_clock + 1;
if (sample_clock == 3'd7)
sample_clock <= 3'd0;
else
sample_clock <= sample_clock + 1;
end
@ -39,65 +39,65 @@ reg write_enable1;
reg write_enable2;
always @(negedge ck_1356megb)
begin
previous_major_mode <= major_mode;
if (major_mode == `FPGA_MAJOR_MODE_HF_GET_TRACE)
begin
write_enable1 <= 1'b0;
write_enable2 <= 1'b0;
if (previous_major_mode != `FPGA_MAJOR_MODE_HF_GET_TRACE) // just switched into GET_TRACE mode
addr <= start_addr;
if (clock_cnt == 7'd0)
begin
if (addr == 12'd3071)
addr <= 12'd0;
else
addr <= addr + 1;
end
end
else if (major_mode != `FPGA_MAJOR_MODE_OFF)
begin
if (trace_enable)
begin
if (addr[11] == 1'b0)
begin
write_enable1 <= 1'b1;
write_enable2 <= 1'b0;
end
else
begin
write_enable1 <= 1'b0;
write_enable2 <= 1'b1;
end
if (sample_clock == 3'b000)
begin
if (addr == 12'd3071)
begin
addr <= 12'd0;
write_enable1 <= 1'b1;
write_enable2 <= 1'b0;
end
else
begin
addr <= addr + 1;
end
end
end
else
begin
write_enable1 <= 1'b0;
write_enable2 <= 1'b0;
start_addr <= addr;
end
end
else // major_mode == `FPGA_MAJOR_MODE_OFF
begin
write_enable1 <= 1'b0;
write_enable2 <= 1'b0;
if (previous_major_mode != `FPGA_MAJOR_MODE_OFF && previous_major_mode != `FPGA_MAJOR_MODE_HF_GET_TRACE) // just switched off
previous_major_mode <= major_mode;
if (major_mode == `FPGA_MAJOR_MODE_HF_GET_TRACE)
begin
write_enable1 <= 1'b0;
write_enable2 <= 1'b0;
if (previous_major_mode != `FPGA_MAJOR_MODE_HF_GET_TRACE) // just switched into GET_TRACE mode
addr <= start_addr;
if (clock_cnt == 7'd0)
begin
if (addr == 12'd3071)
addr <= 12'd0;
else
addr <= addr + 1;
end
end
else if (major_mode != `FPGA_MAJOR_MODE_OFF)
begin
if (trace_enable)
begin
if (addr[11] == 1'b0)
begin
write_enable1 <= 1'b1;
write_enable2 <= 1'b0;
end
else
begin
write_enable1 <= 1'b0;
write_enable2 <= 1'b1;
end
if (sample_clock == 3'b000)
begin
if (addr == 12'd3071)
begin
start_addr <= addr;
addr <= 12'd0;
write_enable1 <= 1'b1;
write_enable2 <= 1'b0;
end
end
else
begin
addr <= addr + 1;
end
end
end
else
begin
write_enable1 <= 1'b0;
write_enable2 <= 1'b0;
start_addr <= addr;
end
end
else // major_mode == `FPGA_MAJOR_MODE_OFF
begin
write_enable1 <= 1'b0;
write_enable2 <= 1'b0;
if (previous_major_mode != `FPGA_MAJOR_MODE_OFF && previous_major_mode != `FPGA_MAJOR_MODE_HF_GET_TRACE) // just switched off
begin
start_addr <= addr;
end
end
end
@ -108,20 +108,20 @@ reg [7:0] ram2 [1023:0]; // 1024 u8
always @(negedge ck_1356megb)
begin
if (write_enable1)
begin
ram1[addr[10:0]] <= adc_d;
D_out1 <= adc_d;
end
else
D_out1 <= ram1[addr[10:0]];
if (write_enable2)
if (write_enable1)
begin
ram1[addr[10:0]] <= adc_d;
D_out1 <= adc_d;
end
else
D_out1 <= ram1[addr[10:0]];
if (write_enable2)
begin
ram2[addr[9:0]] <= adc_d;
D_out2 <= adc_d;
end
else
D_out2 <= ram2[addr[9:0]];
ram2[addr[9:0]] <= adc_d;
D_out2 <= adc_d;
end
else
D_out2 <= ram2[addr[9:0]];
end
@ -133,27 +133,27 @@ reg [7:0] shift_out;
always @(negedge ck_1356megb)
begin
if (clock_cnt[3:0] == 4'd0) // update shift register every 16 clock cycles
begin
if (clock_cnt[6:4] == 3'd0) // either load new value
begin
begin
if (clock_cnt[6:4] == 3'd0) // either load new value
begin
if (addr[11] == 1'b0)
shift_out <= D_out1;
else
shift_out <= D_out2;
end
else
end
else
begin
// or shift left
shift_out[7:1] <= shift_out[6:0];
end
end
end
ssp_clk <= ~clock_cnt[3]; // ssp_clk frequency = 13,56MHz / 16 = 847,5 kHz
ssp_clk <= ~clock_cnt[3]; // ssp_clk frequency = 13,56MHz / 16 = 847,5 kHz
if (clock_cnt[6:4] == 3'b000) // set ssp_frame for 0...31
ssp_frame <= 1'b1;
else
ssp_frame <= 1'b0;
if (clock_cnt[6:4] == 3'b000) // set ssp_frame for 0...31
ssp_frame <= 1'b1;
else
ssp_frame <= 1'b0;
end


@ -142,7 +142,7 @@ begin
end
// adjust internal timer counter if necessary:
if (negedge_cnt[3:0] == 4'd13 && (mod_type == `FPGA_HF_ISO14443A_SNIFFER || mod_type == `FPGA_HF_ISO14443A_TAGSIM_LISTEN) && deep_modulation)
if (negedge_cnt[3:0] == 4'd13 && (mod_type == `FPGA_HF_ISO14443A_SNIFFER || mod_type == `FPGA_HF_ISO14443A_TAGSIM_LISTEN) && deep_modulation)
begin
if (reader_falling_edge_time == 4'd1) // reader signal changes right after sampling. Better sample earlier next time.
begin
@ -176,7 +176,7 @@ reg [3:0] mod_detect_reset_time;
always @(negedge adc_clk)
begin
if (mod_type == `FPGA_HF_ISO14443A_READER_LISTEN)
if (mod_type == `FPGA_HF_ISO14443A_READER_LISTEN)
// (our) reader signal changes at negedge_cnt[3:0]=9, tag response expected to start n*16+4 ticks later, further delayed by
// 3 ticks ADC conversion. The maximum filter output (edge detected) will be detected after subcarrier zero crossing (+7 ticks).
// To allow some timing variances, we want to have the maximum filter outputs well within the detection window, i.e.
@ -186,7 +186,7 @@ begin
mod_detect_reset_time <= 4'd4;
end
else
if (mod_type == `FPGA_HF_ISO14443A_SNIFFER)
if (mod_type == `FPGA_HF_ISO14443A_SNIFFER)
begin
// detect a rising edge of reader's signal and sync modulation detector to the tag's answer:
if (~pre_after_hysteresis && after_hysteresis && deep_modulation)
@ -354,7 +354,7 @@ reg mod_sig_coil;
always @(negedge adc_clk)
begin
if (mod_type == `FPGA_HF_ISO14443A_TAGSIM_MOD) // need to take care of proper fdt timing
if (mod_type == `FPGA_HF_ISO14443A_TAGSIM_MOD) // need to take care of proper fdt timing
begin
if(fdt_counter == `FDT_COUNT)
begin
@ -429,7 +429,7 @@ always @(negedge adc_clk)
begin
if (negedge_cnt[5:0] == 6'd63) // fill the buffer
begin
if (mod_type == `FPGA_HF_ISO14443A_SNIFFER)
if (mod_type == `FPGA_HF_ISO14443A_SNIFFER)
begin
if(deep_modulation) // a reader is sending (or there's no field at all)
begin
@ -446,7 +446,7 @@ begin
end
end
if(negedge_cnt[2:0] == 3'b000 && mod_type == `FPGA_HF_ISO14443A_SNIFFER) // shift at double speed
if(negedge_cnt[2:0] == 3'b000 && mod_type == `FPGA_HF_ISO14443A_SNIFFER) // shift at double speed
begin
// Don't shift if we just loaded new data, obviously.
if(negedge_cnt[5:0] != 6'd0)
@ -455,7 +455,7 @@ begin
end
end
if(negedge_cnt[3:0] == 4'b0000 && mod_type != `FPGA_HF_ISO14443A_SNIFFER)
if(negedge_cnt[3:0] == 4'b0000 && mod_type != `FPGA_HF_ISO14443A_SNIFFER)
begin
// Don't shift if we just loaded new data, obviously.
if(negedge_cnt[6:0] != 7'd0)
@ -475,8 +475,8 @@ reg ssp_frame;
always @(negedge adc_clk)
begin
if(mod_type == `FPGA_HF_ISO14443A_SNIFFER)
// FPGA_HF_ISO14443A_SNIFFER mode (ssp_clk = adc_clk / 8, ssp_frame clock = adc_clk / 64)):
if(mod_type == `FPGA_HF_ISO14443A_SNIFFER)
// FPGA_HF_ISO14443A_SNIFFER mode (ssp_clk = adc_clk / 8, ssp_frame clock = adc_clk / 64)):
begin
if(negedge_cnt[2:0] == 3'd0)
ssp_clk <= 1'b1;
@ -496,7 +496,7 @@ begin
if(negedge_cnt[3:0] == 4'd8)
ssp_clk <= 1'b0;
if(negedge_cnt[6:0] == 7'd7) // ssp_frame rising edge indicates start of frame, sampled on falling edge of ssp_clk
if(negedge_cnt[6:0] == 7'd7) // ssp_frame rising edge indicates start of frame, sampled on falling edge of ssp_clk
ssp_frame <= 1'b1;
if(negedge_cnt[6:0] == 7'd23)
ssp_frame <= 1'b0;
@ -516,23 +516,23 @@ begin
if(negedge_cnt[3:0] == 4'd0)
begin
// What do we communicate to the ARM
if(mod_type == `FPGA_HF_ISO14443A_TAGSIM_LISTEN)
if(mod_type == `FPGA_HF_ISO14443A_TAGSIM_LISTEN)
sendbit = after_hysteresis;
else if(mod_type == `FPGA_HF_ISO14443A_TAGSIM_MOD)
else if(mod_type == `FPGA_HF_ISO14443A_TAGSIM_MOD)
/* if(fdt_counter > 11'd772) sendbit = mod_sig_coil; // huh?
else */
sendbit = fdt_indicator;
else if (mod_type == `FPGA_HF_ISO14443A_READER_LISTEN)
else if (mod_type == `FPGA_HF_ISO14443A_READER_LISTEN)
sendbit = curbit;
else
sendbit = 1'b0;
end
if(mod_type == `FPGA_HF_ISO14443A_SNIFFER)
if(mod_type == `FPGA_HF_ISO14443A_SNIFFER)
// send sampled reader and tag data:
bit_to_arm = to_arm[7];
else if (mod_type == `FPGA_HF_ISO14443A_TAGSIM_MOD && fdt_elapsed && temp_buffer_reset)
else if (mod_type == `FPGA_HF_ISO14443A_TAGSIM_MOD && fdt_elapsed && temp_buffer_reset)
// send timing information:
bit_to_arm = to_arm[7];
else


@ -19,7 +19,7 @@ module hi_reader(
output ssp_frame, ssp_din, ssp_clk;
output dbg;
input [1:0] subcarrier_frequency;
input [3:0] minor_mode;
input [3:0] minor_mode;
assign adc_clk = ck_1356meg; // sample frequency is 13,56 MHz
@ -58,7 +58,7 @@ end
reg [5:0] corr_i_cnt;
always @(negedge adc_clk)
begin
corr_i_cnt <= corr_i_cnt + 1;
corr_i_cnt <= corr_i_cnt + 1;
end
@ -83,28 +83,28 @@ reg [12:0] min_ci_cq_2; // min_ci_cq / 2
always @(*)
begin
if (corr_i_accum[13] == 1'b0)
abs_ci <= corr_i_accum;
else
abs_ci <= -corr_i_accum;
if (corr_i_accum[13] == 1'b0)
abs_ci <= corr_i_accum;
else
abs_ci <= -corr_i_accum;
if (corr_q_accum[13] == 1'b0)
abs_cq <= corr_q_accum;
else
abs_cq <= -corr_q_accum;
if (corr_q_accum[13] == 1'b0)
abs_cq <= corr_q_accum;
else
abs_cq <= -corr_q_accum;
if (abs_ci > abs_cq)
begin
max_ci_cq <= abs_ci;
min_ci_cq_2 <= abs_cq / 2;
end
else
begin
max_ci_cq <= abs_cq;
min_ci_cq_2 <= abs_ci / 2;
end
if (abs_ci > abs_cq)
begin
max_ci_cq <= abs_ci;
min_ci_cq_2 <= abs_cq / 2;
end
else
begin
max_ci_cq <= abs_cq;
min_ci_cq_2 <= abs_ci / 2;
end
corr_amplitude <= max_ci_cq + min_ci_cq_2;
corr_amplitude <= max_ci_cq + min_ci_cq_2;
end
@ -115,21 +115,21 @@ reg subcarrier_Q;
always @(*)
begin
if (subcarrier_frequency == `FPGA_HF_READER_SUBCARRIER_848_KHZ)
begin
subcarrier_I = ~corr_i_cnt[3];
subcarrier_Q = ~(corr_i_cnt[3] ^ corr_i_cnt[2]);
end
else if (subcarrier_frequency == `FPGA_HF_READER_SUBCARRIER_212_KHZ)
begin
subcarrier_I = ~corr_i_cnt[5];
subcarrier_Q = ~(corr_i_cnt[5] ^ corr_i_cnt[4]);
end
else
begin // 424 kHz
subcarrier_I = ~corr_i_cnt[4];
subcarrier_Q = ~(corr_i_cnt[4] ^ corr_i_cnt[3]);
end
if (subcarrier_frequency == `FPGA_HF_READER_SUBCARRIER_848_KHZ)
begin
subcarrier_I = ~corr_i_cnt[3];
subcarrier_Q = ~(corr_i_cnt[3] ^ corr_i_cnt[2]);
end
else if (subcarrier_frequency == `FPGA_HF_READER_SUBCARRIER_212_KHZ)
begin
subcarrier_I = ~corr_i_cnt[5];
subcarrier_Q = ~(corr_i_cnt[5] ^ corr_i_cnt[4]);
end
else
begin // 424 kHz
subcarrier_I = ~corr_i_cnt[4];
subcarrier_Q = ~(corr_i_cnt[4] ^ corr_i_cnt[3]);
end
end
@ -143,64 +143,64 @@ begin
begin
if (minor_mode == `FPGA_HF_READER_MODE_SNIFF_AMPLITUDE)
begin
// send amplitude plus 2 bits reader signal
corr_i_out <= corr_amplitude[13:6];
corr_q_out <= {corr_amplitude[5:0], after_hysteresis_prev_prev, after_hysteresis_prev};
end
else if (minor_mode == `FPGA_HF_READER_MODE_SNIFF_IQ)
begin
// send amplitude plus 2 bits reader signal
corr_i_out <= corr_amplitude[13:6];
corr_q_out <= {corr_amplitude[5:0], after_hysteresis_prev_prev, after_hysteresis_prev};
end
else if (minor_mode == `FPGA_HF_READER_MODE_SNIFF_IQ)
begin
// Send 7 most significant bits of in phase tag signal (signed), plus 1 bit reader signal
if (corr_i_accum[13:11] == 3'b000 || corr_i_accum[13:11] == 3'b111)
corr_i_out <= {corr_i_accum[11:5], after_hysteresis_prev_prev};
else // truncate to maximum value
if (corr_i_accum[13] == 1'b0)
corr_i_out <= {7'b0111111, after_hysteresis_prev_prev};
else
corr_i_out <= {7'b1000000, after_hysteresis_prev_prev};
// Send 7 most significant bits of in phase tag signal (signed), plus 1 bit reader signal
if (corr_i_accum[13:11] == 3'b000 || corr_i_accum[13:11] == 3'b111)
corr_i_out <= {corr_i_accum[11:5], after_hysteresis_prev_prev};
else // truncate to maximum value
if (corr_i_accum[13] == 1'b0)
corr_i_out <= {7'b0111111, after_hysteresis_prev_prev};
else
corr_i_out <= {7'b1000000, after_hysteresis_prev_prev};
// Send 7 most significant bits of quadrature phase tag signal (signed), plus 1 bit reader signal
if (corr_q_accum[13:11] == 3'b000 || corr_q_accum[13:11] == 3'b111)
corr_q_out <= {corr_q_accum[11:5], after_hysteresis_prev};
else // truncate to maximum value
if (corr_q_accum[13] == 1'b0)
corr_q_out <= {7'b0111111, after_hysteresis_prev};
else
corr_q_out <= {7'b1000000, after_hysteresis_prev};
end
// Send 7 most significant bits of quadrature phase tag signal (signed), plus 1 bit reader signal
if (corr_q_accum[13:11] == 3'b000 || corr_q_accum[13:11] == 3'b111)
corr_q_out <= {corr_q_accum[11:5], after_hysteresis_prev};
else // truncate to maximum value
if (corr_q_accum[13] == 1'b0)
corr_q_out <= {7'b0111111, after_hysteresis_prev};
else
corr_q_out <= {7'b1000000, after_hysteresis_prev};
end
else if (minor_mode == `FPGA_HF_READER_MODE_RECEIVE_AMPLITUDE)
begin
// send amplitude
corr_i_out <= {2'b00, corr_amplitude[13:8]};
corr_q_out <= corr_amplitude[7:0];
end
else if (minor_mode == `FPGA_HF_READER_MODE_RECEIVE_IQ)
begin
// send amplitude
corr_i_out <= {2'b00, corr_amplitude[13:8]};
corr_q_out <= corr_amplitude[7:0];
end
else if (minor_mode == `FPGA_HF_READER_MODE_RECEIVE_IQ)
begin
// Send 8 bits of in phase tag signal
if (corr_i_accum[13:11] == 3'b000 || corr_i_accum[13:11] == 3'b111)
corr_i_out <= corr_i_accum[11:4];
else // truncate to maximum value
if (corr_i_accum[13] == 1'b0)
corr_i_out <= 8'b01111111;
else
corr_i_out <= 8'b10000000;
// Send 8 bits of in phase tag signal
if (corr_i_accum[13:11] == 3'b000 || corr_i_accum[13:11] == 3'b111)
corr_i_out <= corr_i_accum[11:4];
else // truncate to maximum value
if (corr_i_accum[13] == 1'b0)
corr_i_out <= 8'b01111111;
else
corr_i_out <= 8'b10000000;
// Send 8 bits of quadrature phase tag signal
if (corr_q_accum[13:11] == 3'b000 || corr_q_accum[13:11] == 3'b111)
corr_q_out <= corr_q_accum[11:4];
else // truncate to maximum value
if (corr_q_accum[13] == 1'b0)
corr_q_out <= 8'b01111111;
else
corr_q_out <= 8'b10000000;
end
// Send 8 bits of quadrature phase tag signal
if (corr_q_accum[13:11] == 3'b000 || corr_q_accum[13:11] == 3'b111)
corr_q_out <= corr_q_accum[11:4];
else // truncate to maximum value
if (corr_q_accum[13] == 1'b0)
corr_q_out <= 8'b01111111;
else
corr_q_out <= 8'b10000000;
end
// for each Q/I pair report two reader signal samples when sniffing. Store the 1st.
after_hysteresis_prev_prev <= after_hysteresis;
// for each Q/I pair report two reader signal samples when sniffing. Store the 1st.
after_hysteresis_prev_prev <= after_hysteresis;
// Initialize next correlation.
// Both I and Q reference signals are high when corr_i_nct == 0. Therefore need to accumulate.
// Initialize next correlation.
// Both I and Q reference signals are high when corr_i_nct == 0. Therefore need to accumulate.
corr_i_accum <= $signed({1'b0, adc_d});
corr_q_accum <= $signed({1'b0, adc_d});
end
@ -217,14 +217,14 @@ begin
corr_q_accum <= corr_q_accum - $signed({1'b0, adc_d});
end
// for each Q/I pair report two reader signal samples when sniffing. Store the 2nd.
// for each Q/I pair report two reader signal samples when sniffing. Store the 2nd.
if (corr_i_cnt == 6'd32)
after_hysteresis_prev <= after_hysteresis;
// Then the result from last time is serialized and send out to the ARM.
// We get one report each cycle, and each report is 16 bits, so the
// ssp_clk should be the adc_clk divided by 64/16 = 4.
// ssp_clk frequency = 13,56MHz / 4 = 3.39MHz
// ssp_clk frequency = 13,56MHz / 4 = 3.39MHz
if (corr_i_cnt[1:0] == 2'b00)
begin
@ -261,8 +261,8 @@ begin
if (corr_i_cnt[1:0] == 2'b10)
ssp_clk <= 1'b0;
// set ssp_frame signal for corr_i_cnt = 1..3
// (send one frame with 16 Bits)
// set ssp_frame signal for corr_i_cnt = 1..3
// (send one frame with 16 Bits)
if (corr_i_cnt == 6'd1)
ssp_frame <= 1'b1;
@ -280,11 +280,11 @@ reg [3:0] jam_counter;
always @(negedge adc_clk)
begin
if (corr_i_cnt == 6'd0)
begin
jam_counter <= jam_counter + 1;
jam_signal <= jam_counter[1] ^ jam_counter[3];
end
if (corr_i_cnt == 6'd0)
begin
jam_counter <= jam_counter + 1;
jam_signal <= jam_counter[1] ^ jam_counter[3];
end
end
// Antenna drivers
@ -303,22 +303,22 @@ begin
pwr_oe4 = 1'b0;
end
else if (minor_mode == `FPGA_HF_READER_MODE_SEND_JAM)
begin
begin
pwr_hi = ck_1356meg & jam_signal;
pwr_oe4 = 1'b0;
end
else if (minor_mode == `FPGA_HF_READER_MODE_SNIFF_IQ
|| minor_mode == `FPGA_HF_READER_MODE_SNIFF_AMPLITUDE
|| minor_mode == `FPGA_HF_READER_MODE_SNIFF_PHASE)
begin // all off
pwr_hi = 1'b0;
pwr_oe4 = 1'b0;
end
else // receiving from tag
begin
pwr_hi = ck_1356meg;
pwr_oe4 = 1'b0;
end
end
else if (minor_mode == `FPGA_HF_READER_MODE_SNIFF_IQ
|| minor_mode == `FPGA_HF_READER_MODE_SNIFF_AMPLITUDE
|| minor_mode == `FPGA_HF_READER_MODE_SNIFF_PHASE)
begin // all off
pwr_hi = 1'b0;
pwr_oe4 = 1'b0;
end
else // receiving from tag
begin
pwr_hi = ck_1356meg;
pwr_oe4 = 1'b0;
end
end
// always on


@ -35,8 +35,8 @@ module hi_simulate(
// Power amp goes between LOW and tri-state, so pwr_hi (and pwr_lo) can
// always be low.
assign pwr_hi = 1'b0; // HF antenna connected to GND
assign pwr_lo = 1'b0; // LF antenna connected to GND
assign pwr_hi = 1'b0; // HF antenna connected to GND
assign pwr_lo = 1'b0; // LF antenna connected to GND
// This one is all LF, so doesn't matter
assign pwr_oe2 = 1'b0;
@ -53,7 +53,7 @@ begin
if (& adc_d[7:5]) after_hysteresis <= 1'b1; // if (adc_d >= 224)
else if (~(| adc_d[7:5])) after_hysteresis <= 1'b0; // if (adc_d <= 31)
if (adc_d >= 224)
if (adc_d >= 224)
begin
has_been_low_for <= 12'd0;
end
@ -65,9 +65,9 @@ begin
after_hysteresis <= 1'b1;
end
else
begin
begin
has_been_low_for <= has_been_low_for + 1;
end
end
end
end
@ -100,20 +100,20 @@ end
reg ssp_frame;
always @(negedge adc_clk)
begin
if (mod_type == `FPGA_HF_SIMULATOR_MODULATE_212K)
begin
if (ssp_clk_divider[8:5] == 4'd1)
ssp_frame <= 1'b1;
if (ssp_clk_divider[8:5] == 4'd5)
ssp_frame <= 1'b0;
end
if (mod_type == `FPGA_HF_SIMULATOR_MODULATE_212K)
begin
if (ssp_clk_divider[8:5] == 4'd1)
ssp_frame <= 1'b1;
if (ssp_clk_divider[8:5] == 4'd5)
ssp_frame <= 1'b0;
end
else
begin
if (ssp_clk_divider[7:4] == 4'd1)
ssp_frame <= 1'b1;
if (ssp_clk_divider[7:4] == 4'd5)
ssp_frame <= 1'b0;
end
begin
if (ssp_clk_divider[7:4] == 4'd1)
ssp_frame <= 1'b1;
if (ssp_clk_divider[7:4] == 4'd5)
ssp_frame <= 1'b0;
end
end
@ -143,6 +143,6 @@ always @(*)
assign pwr_oe1 = 1'b0; // 33 Ohms Load
assign pwr_oe4 = modulating_carrier; // 33 Ohms Load
// This one is always on, so that we can watch the carrier.
assign pwr_oe3 = 1'b0; // 10k Load
assign pwr_oe3 = 1'b0; // 10k Load
endmodule


@ -188,7 +188,7 @@
HITAG 2 256 Bit total memory Read/Write
8 pages of 32 bits, inc UID (32),
secret key (64), password (24), config (8)
secret key (64), password (24), config (8)
HITAG S 32 32 bits Unique Identifier Read Only
HITAG S 256 256 bits total memory Read/Write
@ -227,9 +227,9 @@ static uint32_t hitag2_crypt(uint64_t x);
static uint32_t hitag2_crypt(uint64_t x) {
const uint32_t ht2_function4a = 0x2C79; // 0010 1100 0111 1001
const uint32_t ht2_function4b = 0x6671; // 0110 0110 0111 0001
const uint32_t ht2_function5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
const uint32_t ht2_function4a = 0x2C79; // 0010 1100 0111 1001
const uint32_t ht2_function4b = 0x6671; // 0110 0110 0111 0001
const uint32_t ht2_function5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
uint32_t bitindex;
bitindex = (ht2_function4a >> pickbits2_2(x, 1, 4)) & 1;


@ -132,7 +132,7 @@
#ifndef HITAGCRYPTO_H
#define HITAGCRYPTO_H
#define HITAGCRYPTO_H
#include <stdint.h>
@ -163,5 +163,5 @@ void hitag2_init(Hitag_State *pstate, uint64_t sharedkey, uint32_t serialnum, ui
uint32_t hitag2_nstep(Hitag_State *pstate, uint32_t steps);
#endif /* HITAGCRYPTO_H */
#endif /* HITAGCRYPTO_H */


@ -13,9 +13,9 @@
// Routines to compute the CRCs (two different flavours, just for confusion)
// required for ISO 14443, swiped directly from the spec.
//-----------------------------------------------------------------------------
#define CRC_14443_A 0x6363 /* ITU-V.41 */
#define CRC_14443_B 0xFFFF /* ISO/IEC 13239 (formerly ISO/IEC 3309) */
#define CRC_ICLASS 0xE012 /* ICLASS PREFIX */
#define CRC_14443_A 0x6363 /* ITU-V.41 */
#define CRC_14443_B 0xFFFF /* ISO/IEC 13239 (formerly ISO/IEC 3309) */
#define CRC_ICLASS 0xE012 /* ICLASS PREFIX */
void ComputeCrc14443(int CrcType,
const unsigned char *Data, int Length,


@ -4,8 +4,8 @@
#define ISO14443A_CMD_READBLOCK 0x30
#define ISO14443A_CMD_WRITEBLOCK 0xA0
#define MIFARE_AUTH_KEYA 0x60
#define MIFARE_AUTH_KEYB 0x61
#define MIFARE_AUTH_KEYA 0x60
#define MIFARE_AUTH_KEYB 0x61
#define MIFARE_CMD_INC 0xC0
#define MIFARE_CMD_DEC 0xC1
#define MIFARE_CMD_RESTORE 0xC2


@ -10,7 +10,7 @@
#ifndef _WIN32
#define _POSIX_C_SOURCE 199309L
#define _POSIX_C_SOURCE 199309L
#include "sleep.h"
#include <time.h>
#include <stdio.h>