github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-21 05:43:48 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

adding support to read fuji/xerox tags, thanks to user Horror

Browse source
This commit is contained in:
iceman1001 2022-06-30 22:50:52 +02:00
commit 6d699d66bc
12 changed files with 1083 additions and 49 deletions
Download patch file Download diff file Expand all files Collapse all files

282
armsrc/iso14443b.c
View file

@ -1381,11 +1381,11 @@ static int Get14443bAnswerFromTag(uint8_t *response, uint16_t max_len, uint32_t
}
if (Demod.len > 0) {
uint32_t sof_time = *eof_time
- (Demod.len * (8 + 2)) // time for byte transfers
- (10) // time for TR1
- (10 + 2) // time for SOF transfer
- (10); // time for EOF transfer
uint32_t sof_time = *eof_time - ETU_TO_SSP(
(Demod.len * (8 + 2)) // time for byte transfers
// + (10) // time for TR1
+ (10 + 2) // time for SOF transfer
+ (10)); // time for EOF transfer
LogTrace(Demod.output, Demod.len, sof_time, *eof_time, NULL, false);
}
return Demod.len;
@ -1435,9 +1435,28 @@ static void TransmitFor14443b_AsReader(uint32_t *start_time) {
}
WDT_HIT();
}
// transmit remaining bits. we need one-sample granularity now
volatile uint8_t data = ts->buf[ts->max], last_bits = ts->bit;
for (uint8_t i = 0; i < last_bits; i++) {
volatile uint16_t send_word = (data & 0x80) ? 0x0000 : 0xFFFF;
while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) ;
AT91C_BASE_SSC->SSC_THR = send_word;
while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) ;
AT91C_BASE_SSC->SSC_THR = send_word;
data <<= 1;
}
WDT_HIT();
LED_B_OFF();
*start_time += DELAY_ARM_TO_TAG;
// *start_time += DELAY_ARM_TO_TAG;
// wait for last transfer to complete
while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY)) {};
@ -1447,7 +1466,7 @@ static void TransmitFor14443b_AsReader(uint32_t *start_time) {
// Code a layer 2 command (string of octets, including CRC) into ToSend[],
// so that it is ready to transmit to the tag using TransmitFor14443b().
//-----------------------------------------------------------------------------
static void CodeIso14443bAsReader(const uint8_t *cmd, int len) {
static void CodeIso14443bAsReader(const uint8_t *cmd, int len, bool framing) {
/*
* QUESTION: how long is a 1 or 0 in pulses in the xcorr_848 mode?
* 1 "stuffbit" = 1ETU (9us)
@ -1460,14 +1479,18 @@ static void CodeIso14443bAsReader(const uint8_t *cmd, int len) {
int i;
tosend_reset();
// Send SOF
// 10-11 ETUs of ZERO
for (i = 0; i < 10; i++) {
tosend_stuffbit(0);
// add framing enable flag. xerox chips use unframed commands during anticollision
if (framing) {
// Send SOF
// 10-11 ETUs of ZERO
for (i = 0; i < 10; i++) {
tosend_stuffbit(0);
}
// 2-3 ETUs of ONE
tosend_stuffbit(1);
tosend_stuffbit(1);
}
// 2-3 ETUs of ONE
tosend_stuffbit(1);
tosend_stuffbit(1);
// Sending cmd, LSB
// from here we add BITS
@ -1493,28 +1516,36 @@ static void CodeIso14443bAsReader(const uint8_t *cmd, int len) {
// FOR PICC it ranges 0-19us == 0 - 2 ETU
}
// Send EOF
// 10-11 ETUs of ZERO
for (i = 0; i < 10; i++) {
tosend_stuffbit(0);
if (framing) {
// Send EOF
// 10-11 ETUs of ZERO
for (i = 0; i < 10; i++) {
tosend_stuffbit(0);
}
}
int pad = (10 + 2 + (len * 10) + 10) & 0x7;
for (i = 0; i < 16 - pad; ++i)
tosend_stuffbit(1);
// we can't use padding now
/*
int pad = (10 + 2 + (len * 10) + 10) & 0x7;
for (i = 0; i < 16 - pad; ++i)
tosend_stuffbit(1);
*/
}
/*
* Convenience function to encode, transmit and trace iso 14443b comms
*/
static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len, uint32_t *start_time, uint32_t *eof_time) {
static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len, uint32_t *start_time, uint32_t *eof_time, bool framing) {
tosend_t *ts = get_tosend();
CodeIso14443bAsReader(cmd, len);
CodeIso14443bAsReader(cmd, len, framing);
TransmitFor14443b_AsReader(start_time);
if (g_trigger) LED_A_ON();
*eof_time = *start_time + (10 * ts->max) + 10 + 2 + 10;
// eof_time in ssp clocks, but bits was added here!
// *eof_time = *start_time + (10 * ts->max) + 10 + 2 + 10;
*eof_time = *start_time + ETU_TO_SSP(8 * ts->max);
LogTrace(cmd, len, *start_time, *eof_time, NULL, true);
}
@ -1545,7 +1576,7 @@ int iso14443b_apdu(uint8_t const *msg, size_t msg_len, bool send_chaining, void
// send
uint32_t start_time = 0;
uint32_t eof_time = 0;
CodeAndTransmit14443bAsReader(real_cmd, msg_len + 3, &start_time, &eof_time);
CodeAndTransmit14443bAsReader(real_cmd, msg_len + 3, &start_time, &eof_time, true);
eof_time += DELAY_ISO14443B_PCD_TO_PICC_READER;
int len = Get14443bAnswerFromTag(rxdata, rxmaxlen, iso14b_timeout, &eof_time);
@ -1578,7 +1609,7 @@ int iso14443b_apdu(uint8_t const *msg, size_t msg_len, bool send_chaining, void
AddCrc14B(data_bytes, len - 2);
// transmit S-Block
CodeAndTransmit14443bAsReader(data_bytes, len, &start_time, &eof_time);
CodeAndTransmit14443bAsReader(data_bytes, len, &start_time, &eof_time, true);
// retrieve the result again (with increased timeout)
eof_time += DELAY_ISO14443B_PCD_TO_PICC_READER;
@ -1637,7 +1668,7 @@ static int iso14443b_select_cts_card(iso14b_cts_card_select_t *card) {
uint32_t start_time = 0;
uint32_t eof_time = 0;
CodeAndTransmit14443bAsReader(cmdINIT, sizeof(cmdINIT), &start_time, &eof_time);
CodeAndTransmit14443bAsReader(cmdINIT, sizeof(cmdINIT), &start_time, &eof_time, true);
eof_time += DELAY_ISO14443B_PCD_TO_PICC_READER;
int retlen = Get14443bAnswerFromTag(r, sizeof(r), iso14b_timeout, &eof_time);
@ -1657,7 +1688,7 @@ static int iso14443b_select_cts_card(iso14b_cts_card_select_t *card) {
}
start_time = eof_time + ISO14B_TR2;
CodeAndTransmit14443bAsReader(cmdMSBUID, sizeof(cmdMSBUID), &start_time, &eof_time);
CodeAndTransmit14443bAsReader(cmdMSBUID, sizeof(cmdMSBUID), &start_time, &eof_time, true);
eof_time += DELAY_ISO14443B_PCD_TO_PICC_READER;
retlen = Get14443bAnswerFromTag(r, sizeof(r), iso14b_timeout, &eof_time);
@ -1675,7 +1706,7 @@ static int iso14443b_select_cts_card(iso14b_cts_card_select_t *card) {
}
start_time = eof_time + ISO14B_TR2;
CodeAndTransmit14443bAsReader(cmdLSBUID, sizeof(cmdLSBUID), &start_time, &eof_time);
CodeAndTransmit14443bAsReader(cmdLSBUID, sizeof(cmdLSBUID), &start_time, &eof_time, true);
eof_time += DELAY_ISO14443B_PCD_TO_PICC_READER;
retlen = Get14443bAnswerFromTag(r, sizeof(r), iso14b_timeout, &eof_time);
@ -1706,7 +1737,7 @@ static int iso14443b_select_srx_card(iso14b_card_select_t *card) {
uint32_t start_time = 0;
uint32_t eof_time = 0;
CodeAndTransmit14443bAsReader(init_srx, sizeof(init_srx), &start_time, &eof_time);
CodeAndTransmit14443bAsReader(init_srx, sizeof(init_srx), &start_time, &eof_time, true);
eof_time += DELAY_ISO14443B_PCD_TO_PICC_READER;
int retlen = Get14443bAnswerFromTag(r_init, sizeof(r_init), iso14b_timeout, &eof_time);
@ -1728,7 +1759,7 @@ static int iso14443b_select_srx_card(iso14b_card_select_t *card) {
AddCrc14B(select_srx, 2);
start_time = eof_time + ISO14B_TR2;
CodeAndTransmit14443bAsReader(select_srx, sizeof(select_srx), &start_time, &eof_time);
CodeAndTransmit14443bAsReader(select_srx, sizeof(select_srx), &start_time, &eof_time, true);
eof_time += DELAY_ISO14443B_PCD_TO_PICC_READER;
retlen = Get14443bAnswerFromTag(r_select, sizeof(r_select), iso14b_timeout, &eof_time);
@ -1752,7 +1783,7 @@ static int iso14443b_select_srx_card(iso14b_card_select_t *card) {
AddCrc14B(select_srx, 1);
start_time = eof_time + ISO14B_TR2;
CodeAndTransmit14443bAsReader(select_srx, 3, &start_time, &eof_time); // Only first three bytes for this one
CodeAndTransmit14443bAsReader(select_srx, 3, &start_time, &eof_time, true); // Only first three bytes for this one
eof_time += DELAY_ISO14443B_PCD_TO_PICC_READER;
retlen = Get14443bAnswerFromTag(r_papid, sizeof(r_papid), iso14b_timeout, &eof_time);
@ -1772,6 +1803,174 @@ static int iso14443b_select_srx_card(iso14b_card_select_t *card) {
return 0;
}
// Xerox tag connect function: wup, anticoll, attrib, password
// the original chips require all commands in this sequence
// 0: OK, 1: select fail, 2: attrib fail, 3: crc fail, 4: password fail
int iso14443b_select_xrx_card(iso14b_card_select_t *card) {
// AFI
static const uint8_t x_wup1[] = { 0x0D, 0x37, 0x21, 0x92, 0xf2 };
static const uint8_t x_wup2[] = { 0x5D, 0x37, 0x21, 0x71, 0x71 };
uint8_t slot_mark[1];
uint8_t x_atqb[24] = {0x0}; // ATQB len = 18
uint32_t start_time = 0;
uint32_t eof_time = 0;
iso14b_set_timeout(24); // wait for carrier
// wup1
CodeAndTransmit14443bAsReader(x_wup1, sizeof(x_wup1), &start_time, &eof_time, true);
start_time = eof_time + US_TO_SSP(9000); // 9ms before next cmd
// wup2
CodeAndTransmit14443bAsReader(x_wup2, sizeof(x_wup2), &start_time, &eof_time, true);
uint64_t uid = 0;
int retlen;
for (int uid_pos = 0; uid_pos < 64; uid_pos += 2) {
int slot;
for (slot = 0; slot < 4; slot++) {
start_time = eof_time + ETU_TO_SSP(30); //(24); // next slot after 24 ETU
retlen = Get14443bAnswerFromTag(x_atqb, sizeof(x_atqb), iso14b_timeout, &eof_time);
if (retlen > 0) {
FpgaDisableTracing();
Dbprintf("unexpected data %d", retlen);
Dbprintf("crc %s", check_crc(CRC_14443_B, x_atqb, retlen) ? "OK" : "BAD");
return 1;
}
// tx unframed slot-marker
if (Demod.posCount) { // no rx, but subcarrier burst detected
uid |= (uint64_t)slot << uid_pos;
slot_mark[0] = 0xB1 + (slot << 1); // ack slot
CodeAndTransmit14443bAsReader(slot_mark, sizeof(slot_mark), &start_time, &eof_time, false);
break;
} else { // no subcarrier burst
slot_mark[0] = 0xA1 + (slot << 1); // nak slot
CodeAndTransmit14443bAsReader(slot_mark, sizeof(slot_mark), &start_time, &eof_time, false);
}
}
if (4 == slot) {
FpgaDisableTracing();
DbpString("no answer to anticollision");
return 1;
}
}
retlen = Get14443bAnswerFromTag(x_atqb, sizeof(x_atqb), iso14b_timeout, &eof_time);
Dbprintf("anticollision uid %llx", uid);
// ATQB too short?
if (retlen < 18) {
return 1;
}
// VALIDATE CRC
if (check_crc(CRC_14443_B, x_atqb, 18) == false) { // use fixed len because unstable EOF catch
return 3;
}
if (x_atqb[0] != 0x50) {
// DbpString("aqtb bad");
return 1;
}
if (card) {
card->uidlen = 8;
memcpy(card->uid, x_atqb + 1, 8);
memcpy(card->atqb, x_atqb + 9, 7);
}
// DbpString("aqtb ok");
// send ATTRIB command
uint8_t txbuf[18];
txbuf[1] = 0x1d;
memcpy(txbuf + 2, &uid, 8);
txbuf[10] = 0;
txbuf[11] = 0xF;
txbuf[12] = 1;
txbuf[13] = 0xF;
AddCrc14B(txbuf + 1, 13);
start_time = eof_time + ISO14B_TR2;
CodeAndTransmit14443bAsReader(txbuf + 1, 15, &start_time, &eof_time, true);
eof_time += DELAY_ISO14443B_PCD_TO_PICC_READER;
retlen = Get14443bAnswerFromTag(x_atqb, sizeof(x_atqb), iso14b_timeout, &eof_time);
FpgaDisableTracing();
if (retlen < 3) {
// DbpString("attrib failed");
return 2;
}
if (check_crc(CRC_14443_B, x_atqb, 3) == false) {
return 3;
}
if (x_atqb[0] != 0) {
// DbpString("attrib failed");
return 2;
}
// DbpString("attrib ok");
// apply PASSWORD command
txbuf[0] = 2;
txbuf[1] = 0x38;
// uid from previous command used
txbuf[10] = 3;
txbuf[11] = 0x4e;
txbuf[12] = 0x4b;
txbuf[13] = 0x53;
txbuf[14] = 0x4F;
AddCrc14B(txbuf, 15);
start_time = eof_time + ISO14B_TR2;
CodeAndTransmit14443bAsReader(txbuf, 17, &start_time, &eof_time, true);
eof_time += DELAY_ISO14443B_PCD_TO_PICC_READER;
retlen = Get14443bAnswerFromTag(x_atqb, sizeof(x_atqb), iso14b_timeout, &eof_time);
if (retlen < 4) {
// DbpString("passwd failed");
return 4;
}
if (check_crc(CRC_14443_B, x_atqb, 4) == false) {
return 3;
}
if (x_atqb[0] != 2 || x_atqb[1] != 0) {
// DbpString("passwd failed");
return 4;
}
// DbpString("passwd ok");
return 0;
}
/* Perform the ISO 14443 B Card Selection procedure
* Currently does NOT do any collision handling.
* It expects 0-1 cards in the device's range.
@ -1794,7 +1993,7 @@ int iso14443b_select_card(iso14b_card_select_t *card) {
// first, wake up the tag
uint32_t start_time = 0;
uint32_t eof_time = 0;
CodeAndTransmit14443bAsReader(wupb, sizeof(wupb), &start_time, &eof_time);
CodeAndTransmit14443bAsReader(wupb, sizeof(wupb), &start_time, &eof_time, true);
eof_time += DELAY_ISO14443B_PCD_TO_PICC_READER;
int retlen = Get14443bAnswerFromTag(r_pupid, sizeof(r_pupid), iso14b_timeout, &eof_time);
@ -1823,7 +2022,7 @@ int iso14443b_select_card(iso14b_card_select_t *card) {
attrib[7] = r_pupid[10] & 0x0F;
AddCrc14B(attrib, 9);
start_time = eof_time + ISO14B_TR2;
CodeAndTransmit14443bAsReader(attrib, sizeof(attrib), &start_time, &eof_time);
CodeAndTransmit14443bAsReader(attrib, sizeof(attrib), &start_time, &eof_time, true);
eof_time += DELAY_ISO14443B_PCD_TO_PICC_READER;
retlen = Get14443bAnswerFromTag(r_attrib, sizeof(r_attrib), iso14b_timeout, &eof_time);
@ -1916,7 +2115,7 @@ static int read_srx_block(uint8_t blocknr, uint8_t *block) {
uint32_t start_time = 0;
uint32_t eof_time = 0;
CodeAndTransmit14443bAsReader(cmd, sizeof(cmd), &start_time, &eof_time);
CodeAndTransmit14443bAsReader(cmd, sizeof(cmd), &start_time, &eof_time, true);
eof_time += DELAY_ISO14443B_PCD_TO_PICC_READER;
int retlen = Get14443bAnswerFromTag(r_block, sizeof(r_block), iso14b_timeout, &eof_time);
@ -2223,6 +2422,13 @@ void SendRawCommand14443B_Ex(iso14b_raw_cmd_t *p) {
if (status > 0) goto out;
}
if ((p->flags & ISO14B_SELECT_XRX) == ISO14B_SELECT_XRX) {
status = iso14443b_select_xrx_card(&card);
reply_mix(CMD_HF_ISO14443B_COMMAND, status, sendlen, 0, (uint8_t *)&card, sendlen);
// 0: OK, 1: select fail, 2: attrib fail, 3: crc fail, 4: password fail
if (status != 0) goto out;
}
if ((p->flags & ISO14B_APDU) == ISO14B_APDU) {
uint8_t res;
status = iso14443b_apdu(p->raw, p->rawlen, (p->flags & ISO14B_SEND_CHAINING), buf, sizeof(buf), &res);
@ -2239,7 +2445,7 @@ void SendRawCommand14443B_Ex(iso14b_raw_cmd_t *p) {
}
uint32_t start_time = 0;
uint32_t eof_time = 0;
CodeAndTransmit14443bAsReader(p->raw, p->rawlen, &start_time, &eof_time);
CodeAndTransmit14443bAsReader(p->raw, p->rawlen, &start_time, &eof_time, true);
if (tearoff_hook() == PM3_ETEAROFF) { // tearoff occurred
FpgaDisableTracing();