github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-07-05 20:41:34 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4
RRG-Proxmark3/armsrc/em4x70.c

1677 lines
66 KiB
C
Raw Permalink Blame History

//-----------------------------------------------------------------------------
// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// See LICENSE.txt for the text of the license.
//-----------------------------------------------------------------------------
// Low frequency EM4x70 commands
//-----------------------------------------------------------------------------
#include "fpgaloader.h"
#include "ticks.h"
#include "dbprint.h"
#include "lfadc.h"
#include "commonutil.h"
#include "optimized_cipherutils.h"
#include "em4x70.h"
#include "appmain.h" // tear
// Set debug level via client, e.g.: `hw dbg -4`
// For development, can force all the logging at compilation time by setting this to `true`
#define FORCE_ENABLE_LOGGING (false)
// Define debug macros that efficiently avoid formatting the strings
// if the debug level is not high enough. Avoids rewriting the same
// checks like `if (g_dbglevel >= DBG_ERROR)` throughout the code,
// improving readability. On the downside, it does require double-parentheses
// because of the limitations of the C preprocessor (until C23).
//
// Example usage:
// DPRINTF_ERROR(("Error: %d", error_code));
// DPRINTF_EXTENDED(("Bitstream: %s", bitstream_as_string));
#define DPRINTF_ALWAYS(x) do { Dbprintf x ; } while (0);
#define DPRINTF_ERROR(x) do { if ((FORCE_ENABLE_LOGGING) || (g_dbglevel >= DBG_ERROR )) { Dbprintf x ; } } while (0);
#define DPRINTF_INFO(x) do { if ((FORCE_ENABLE_LOGGING) || (g_dbglevel >= DBG_INFO )) { Dbprintf x ; } } while (0);
#define DPRINTF_DEBUG(x) do { if ((FORCE_ENABLE_LOGGING) || (g_dbglevel >= DBG_DEBUG )) { Dbprintf x ; } } while (0);
#define DPRINTF_EXTENDED(x) do { if ((FORCE_ENABLE_LOGGING) || (g_dbglevel >= DBG_EXTENDED)) { Dbprintf x ; } } while (0);
#define DPRINTF_PROLIX(x) do { if ((FORCE_ENABLE_LOGGING) || (g_dbglevel > DBG_EXTENDED)) { Dbprintf x ; } } while (0);
// EM4170 requires a parity bit on commands, other variants do not.
static bool g_deprecated_command_parity = false;
static em4x70_tag_t g_tag = { 0 };
#if 1 // Calculation of ticks for timing functions
// Nearly every calculation is done in terms of Field Codes (FC) aka RF periods
// 1 us = 1.5 ticks
// 1RF Period = 8us = 12 Ticks
#define TICKS_PER_FC 12
// Chip timing from datasheet
// Converted into Ticks for timing functions
#define EM4X70_T_TAG_QUARTER_PERIOD (8 * TICKS_PER_FC)
#define EM4X70_T_TAG_HALF_PERIOD (16 * TICKS_PER_FC)
#define EM4X70_T_TAG_THREE_QUARTER_PERIOD (24 * TICKS_PER_FC)
#define EM4X70_T_TAG_FULL_PERIOD (32 * TICKS_PER_FC) // 1 Bit Period
#define EM4X70_T_TAG_TWA (128 * TICKS_PER_FC) // Write Access Time
#define EM4X70_T_TAG_DIV (224 * TICKS_PER_FC) // Divergency Time
#define EM4X70_T_TAG_AUTH (4224 * TICKS_PER_FC) // Authentication Time
#define EM4X70_T_TAG_WEE (3072 * TICKS_PER_FC) // EEPROM write Time
#define EM4X70_T_TAG_TWALB (672 * TICKS_PER_FC) // Write Access Time of Lock Bits
#define EM4X70_T_TAG_BITMOD (4 * TICKS_PER_FC) // Initial time to stop modulation when sending 0
#define EM4X70_T_TAG_TOLERANCE (8 * TICKS_PER_FC) // Tolerance in RF periods for receive/LIW
#define EM4X70_T_TAG_TIMEOUT (4 * EM4X70_T_TAG_FULL_PERIOD) // Timeout if we ever get a pulse longer than this
#define EM4X70_T_DELAY_FROM_LIW_TO_RM (72 * TICKS_PER_FC) // Default delay from finding LIW until start sending RM bits
#define EM4X70_T_PULSES_TO_SEARCH_FOR_LIW 50 // Pulses to wait for listen window
#define EM4X70_T_PULSES_TO_SEARCH_FOR_HEADER_TRANSITION 16 // Read header length (16 bit periods), wait that many pulses to find transition from the 12x `1` to 4x `0`
#define EM4X70_COMMAND_LIW_SEARCH_RETRIES 5 // Attempts to send/read command
#define EM4X70_MAX_SEND_BITCOUNT 96u // Authentication == CMD(4) + NONCE(56) + DIVERGENCY(7) + FRND(28) == 6 + 56 + 35 == 56 + 41 == 95 bits (NOTE: RM(2) is handled as part of LIW detection)
#define EM4X70_MAX_RECEIVE_BITCOUNT 64u // Maximum bits to receive in response to any command (NOTE: This is EXCLUDING the 16-bit header of 0b1111'1111'1111'0000)
#endif // Calculation of ticks for timing functions
#if 1 // EM4x70 Command IDs and notes
/**
* These IDs are from the EM4170 datasheet.
* Some versions of the chip require a
* (even) parity bit, others do not.
* The command is thus stored only in the
* three least significant bits (mask 0x07).
*/
// // w/o parity with parity
#define EM4X70_COMMAND_ID 0x01 // 0b0001 --> 0b001'1
#define EM4X70_COMMAND_UM1 0x02 // 0b0010 --> 0b010'1
#define EM4X70_COMMAND_AUTH 0x03 // 0b0011 --> 0b011'0
#define EM4X70_COMMAND_PIN 0x04 // 0b0100 --> 0b100'1
#define EM4X70_COMMAND_WRITE 0x05 // 0b0101 --> 0b101'0
#define EM4X70_COMMAND_UM2 0x07 // 0b0111 --> 0b111'1
// Command behaviors and bit counts for each direction:
//
// The command IDs and behaviors are the same for both EM4170 and V4070/EM4070,
// However, V4070/EM4070 does not support sending a PIN, reading UM2, and WRITE
// is limited to block 0..9 (other blocks don't exist).
// NOTE: It's possible that original V4070/EM4070 tags may have been manufactured
// with all ten blocks being OTP (one-time-programmable)?
//
// There are only 6 commands in total.
// Each of the six commands has two variants (i.e., with and w/o command parity).
//
// Four of the commands send a predetermined bitstream, immediately synchronize
// on the tag sending the header, and then receive a number of bits from the tag:
//
// #define EM4X70_COMMAND_ID 0x01 // 0b0001 --> 0b001'1
// Tag: [LIW] [Header][ID31..ID0][LIW]
// Reader: [RM][Command]
// Bits Sent: RM + 4 bits
// Bits Recv: Header + 32 bits
//
// #define EM4X70_COMMAND_UM1 0x02 // 0b0010 --> 0b010'1
// Tag: [LIW] [Header][LB1, LB0, UM129..UM10][LIW]
// Reader: [RM][Command]
// Bits Sent: RM + 4 bits
// Bits Recv: Header + 32 bits
//
// #define EM4X70_COMMAND_UM2 0x07 // 0b0111 --> 0b111'1
// Tag: [LIW] [Header][UM263..UM20][LIW]
// Reader: [RM][Command]
// Bits Sent: RM + 4 bits
// Bits Recv: Header + 64 bits
//
// #define EM4X70_COMMAND_AUTH 0x03 // 0b0011 --> 0b011'0
// Tag: [LIW] [Header][g(RN)19..RN0][LIW]
// Reader: [RM][Command][N55..N0][0000000][f(RN)27..f(RN)0]
// Bits Sent: RM + 95 bits
// Bits Recv: Header + 20 bits
//
// The SEND_PIN command requires the tag ID to be retrieved first,
// then can sends a predetermined bitstream. Unlike the above, there
// is then a wait time before the tag sends a first ACK. Then a second
// wait time before synchronizing on the tag sending the header, and
// receive a number of bits from the tag:
//
// #define EM4X70_COMMAND_PIN 0x04 // 0b0100 --> 0b100'1
// Tag: [LIW] .. [ACK] .. [Header][ID31..ID0][LIW]
// Reader: [RM][Command][ID31..ID0][Pin31..Pin0] .. ..
// Bits Sent: RM + 68 bits
// Bits Recv: Header + 32 bits
//
// The WRITE command, given an address to write (A) and 16 bits of data (D),
// sends a predetermined bitstream. Unlike the four basic commands, there
// is then a wait time before the tag sends a first ACK, and then a second
// wait time before the tag sends a second ACK. No data is received from
// the tag ... just the two ACKs.
//
// #define EM4X70_COMMAND_WRITE 0x05 // 0b0101 --> 0b101'0
// Tag: [LIW] .. [ACK] .. [ACK][LIW]
// Reader: [RM][Command][A3..A0,Ap][Data5x5] .. ..
// Bits Sent: RM + 34 bits
// Bits Recv: !!!!!!!! NONE !!!!!!!!
//
// Thus, only need to define three sequences of interaction with the tag.
// Moreover, the reader can pre-generate its entire bitstream before any bits are sent.
// Validation of newly-written data depends on the block(s) written:
// * UM1 -- Read UM1 from the tag
// * ID -- Read ID from the tag
// * UM2 -- Read UM2 from the tag
// * KEY -- attempt authentication with the new key
// * PIN -- unlock the tag using the new PIN
// TODO: Determine if sending PIN will report success, even if the tag is already unlocked?
// Auto-detect tag variant and command parity?
// EM4070/V4070 does not contain UM2 or PIN, and UM1 may be OTP (one-time programmable)
// EM4170 added Pin and UM2, and UM1
//
// Thus, to check for overlap, need only check the first three commands with parity:
// | CMD | P? | Bits | Safe? | Overlaps With | Notes
// |-------|-----|----------|-------|------------------|------------
// | ID | No | `0b0001` | Yes | None! | Safe ... indicates no parity if successful
// | UM1 | No | `0b0010` | Yes | None! | Safe ... indicates no parity if successful
// | AUTH | No | `0b0011` | Yes | ID w/parity | cannot test for no-parity, but safe to try ID w/parity
// | WRITE | No | `0b0101` | NO | | DO NOT USE ... just in case
// | PIN | No | `0b0100` | N/A | | DO NOT USE ... just in case
// | UM2 | No | `0b0111` | Yes | None! | Safe ... indicates no parity AND EM4170 tag type
// | ID | Yes | `0b0011` | Yes | Auth w/o Parity | Safe to try ... indicates parity if successful
// | UM1 | Yes | `0b0101` | Yes | Write w/o Parity |
// | AUTH | Yes | `0b0110` | Yes | None! | Not testable
// | WRITE | Yes | `0b1010` | NO | None! | DO NOT USE ... just in case
// | PIN | Yes | `0b1001` | N/A | None! | DO NOT USE ... just in case
// | UM2 | Yes | `0b1111` | Yes | None! | Safe ... indicates parity AND EM4170 tag type
//
// Thus, the following sequence of commands should auto-detect both the type of tag,
// as well as whether it requires command parity or not:
// 1. If UM2 w/o parity -- If successful, command parity is NOT required, Type is EM4170
// 2. Elif UM2 with parity -- If successful, command parity IS required, Type is EM4170
// 3. Elif ID w/o parity -- If successful, command parity is NOT required, Type is EM4070/V4070
// 4. Elif ID with parity -- If successful, command parity IS required, Type is EM4070/V4070
// 5. Else -- Error ... no tag or other error?
#endif // EM4x70 Command IDs
// Constants used to determine high/low state of signal
#define EM4X70_NOISE_THRESHOLD 13 // May depend on noise in environment
#define HIGH_SIGNAL_THRESHOLD (127 + EM4X70_NOISE_THRESHOLD)
#define LOW_SIGNAL_THRESHOLD (127 - EM4X70_NOISE_THRESHOLD)
#define IS_HIGH(sample) (sample > LOW_SIGNAL_THRESHOLD ? true : false)
#define IS_LOW(sample) (sample < HIGH_SIGNAL_THRESHOLD ? true : false)
// Timing related macros
#define IS_TIMEOUT(timeout_ticks) (GetTicks() > timeout_ticks)
#define TICKS_ELAPSED(start_ticks) (GetTicks() - start_ticks)
static uint8_t encoded_bit_array_to_byte(const uint8_t *bits, int count_of_bits);
static void encoded_bit_array_to_bytes(const uint8_t *bits, int count_of_bits, uint8_t *out);
static int em4x70_receive(uint8_t *bits, size_t maximum_bits_to_read);
static bool find_listen_window(bool command);
static void init_tag(void) {
memset(g_tag.data, 0x00, sizeof(g_tag.data));
}
static void em4x70_setup_read(void) {
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
// 50ms for the resonant antenna to settle.
SpinDelay(50);
// Now set up the SSC to get the ADC samples that are now streaming at us.
FpgaSetupSsc(FPGA_MAJOR_MODE_LF_READER);
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_125);
// Connect the A/D to the peak-detected low-frequency path.
SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
// Steal this pin from the SSP (SPI communication channel with fpga) and
// use it to control the modulation
AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
// Disable modulation at default, which means enable the field
LOW(GPIO_SSC_DOUT);
// Start the timer
StartTicks();
// Watchdog hit
WDT_HIT();
}
static bool get_signalproperties(void) {
// Simple check to ensure we see a signal above the noise threshold
uint32_t no_periods = 32;
// wait until signal/noise > 1 (max. 32 periods)
for (int i = 0; i < EM4X70_T_TAG_FULL_PERIOD * no_periods; i++) {
// about 2 samples per bit period
WaitTicks(EM4X70_T_TAG_HALF_PERIOD);
if (AT91C_BASE_SSC->SSC_RHR > HIGH_SIGNAL_THRESHOLD) {
return true;
}
}
return false;
}
/**
* get_falling_pulse_length
*
* Returns time between falling edge pulse in ticks
*/
static uint32_t get_falling_pulse_length(void) {
uint32_t timeout = GetTicks() + EM4X70_T_TAG_TIMEOUT;
while (IS_HIGH(AT91C_BASE_SSC->SSC_RHR) && !IS_TIMEOUT(timeout));
if (IS_TIMEOUT(timeout))
return 0;
uint32_t start_ticks = GetTicks();
while (IS_LOW(AT91C_BASE_SSC->SSC_RHR) && !IS_TIMEOUT(timeout));
if (IS_TIMEOUT(timeout))
return 0;
while (IS_HIGH(AT91C_BASE_SSC->SSC_RHR) && !IS_TIMEOUT(timeout));
if (IS_TIMEOUT(timeout))
return 0;
return TICKS_ELAPSED(start_ticks);
}
/**
* get_rising_pulse_length
*
* Returns time between rising edge pulse in ticks
*/
static uint32_t get_rising_pulse_length(void) {
uint32_t timeout = GetTicks() + EM4X70_T_TAG_TIMEOUT;
while (IS_LOW(AT91C_BASE_SSC->SSC_RHR) && !IS_TIMEOUT(timeout));
if (IS_TIMEOUT(timeout))
return 0;
uint32_t start_ticks = GetTicks();
while (IS_HIGH(AT91C_BASE_SSC->SSC_RHR) && !IS_TIMEOUT(timeout));
if (IS_TIMEOUT(timeout))
return 0;
while (IS_LOW(AT91C_BASE_SSC->SSC_RHR) && !IS_TIMEOUT(timeout));
if (IS_TIMEOUT(timeout))
return 0;
return TICKS_ELAPSED(start_ticks);
}
static uint32_t get_pulse_length(edge_detection_t edge) {
if (edge == RISING_EDGE)
return get_rising_pulse_length();
else if (edge == FALLING_EDGE)
return get_falling_pulse_length();
return 0;
}
static bool check_pulse_length(uint32_t pulse_tick_length, uint32_t target_tick_length) {
// check if pulse tick length corresponds to target length (+/- tolerance)
return ((pulse_tick_length >= (target_tick_length - EM4X70_T_TAG_TOLERANCE)) &&
(pulse_tick_length <= (target_tick_length + EM4X70_T_TAG_TOLERANCE)));
}
#if 1 // brute force logging of sent buffer
// e.g., authenticate sends 93 bits (2x RM, 56x rnd, 7x div, 28x frnd) == 2+56+35 = 58+35 = 93
// NOTE: unlike the bitstream functions, the logs include sending of the two `RM` bits
#define EM4X70_MAX_LOG_BITS MAX(2u + EM4X70_MAX_SEND_BITCOUNT, 16u + EM4X70_MAX_RECEIVE_BITCOUNT)
typedef struct _em4x70_log_t {
uint32_t start_tick;
uint32_t end_tick;
uint32_t bits_used;
uint8_t bit[EM4X70_MAX_LOG_BITS]; // one bit per byte
} em4x70_sublog_t;
typedef struct _em4x70_transmit_log_t {
em4x70_sublog_t transmit;
em4x70_sublog_t receive;
} em4x70_transmitted_data_log_t;
em4x70_transmitted_data_log_t g_not_used_directly; // change to bigbuff allocation?
em4x70_transmitted_data_log_t *g_Log = &g_not_used_directly;
static void log_reset(void) {
if (g_Log != NULL) {
memset(g_Log, 0, sizeof(em4x70_transmitted_data_log_t));
}
}
static void log_dump_helper(em4x70_sublog_t *part, bool is_transmit) {
if (g_dbglevel >= DBG_INFO || FORCE_ENABLE_LOGGING) {
char const *const direction = is_transmit ? "sent >>>" : "recv <<<";
if (part->bits_used == 0) {
DPRINTF_EXTENDED(("%s: no data", direction));
} else {
char bitstring[EM4X70_MAX_LOG_BITS + 1];
memset(bitstring, 0, sizeof(bitstring));
for (int i = 0; i < part->bits_used; i++) {
bitstring[i] = part->bit[i] ? '1' : '0';
}
DPRINTF_EXTENDED((
"%s: [ %8d .. %8d ] ( %6d ) %2d bits: %s",
direction,
part->start_tick, part->end_tick,
part->end_tick - part->start_tick,
part->bits_used, bitstring
));
}
}
}
static void log_dump(void) {
if (g_dbglevel >= DBG_INFO || FORCE_ENABLE_LOGGING) {
bool hasContent = false;
if (g_Log != NULL) {
uint8_t *check_for_data = (uint8_t *)g_Log;
for (size_t i = 0; i < sizeof(em4x70_transmitted_data_log_t); ++i) {
if (check_for_data[i] != 0) {
hasContent = true;
break;
}
}
}
if (hasContent) {
log_dump_helper(&g_Log->transmit, true);
log_dump_helper(&g_Log->receive, false);
}
}
}
static void log_sent_bit(uint32_t start_tick, bool bit) {
if (g_Log != NULL) {
if (g_Log->transmit.bits_used == 0) {
g_Log->transmit.start_tick = start_tick;
}
g_Log->transmit.bit[g_Log->transmit.bits_used] = bit;
g_Log->transmit.bits_used++;
}
}
static void log_sent_bit_end(uint32_t end_tick) {
if (g_Log != NULL) {
g_Log->transmit.end_tick = end_tick;
}
}
static void log_received_bit_start(uint32_t start_tick) {
if (g_Log != NULL && g_Log->receive.start_tick == 0) {
g_Log->receive.start_tick = start_tick;
}
}
static void log_received_bit_end(uint32_t end_tick) {
if (g_Log != NULL) {
g_Log->receive.end_tick = end_tick;
}
}
static void log_received_bits(uint8_t *byte_per_bit_array, size_t array_element_count) {
if (g_Log != NULL) {
memcpy(&g_Log->receive.bit[g_Log->receive.bits_used], byte_per_bit_array, array_element_count);
g_Log->receive.bits_used += array_element_count;
}
}
#endif // brute force logging of sent buffer
// This is the only function that actually toggles modulation for sending bits
static void em4x70_send_bit(bool bit) {
// send single bit according to EM4170 application note and datasheet
uint32_t start_ticks = GetTicks();
log_sent_bit(start_ticks, bit);
if (bit == 0) {
// disable modulation (drop the field) n cycles of carrier
LOW(GPIO_SSC_DOUT);
while (TICKS_ELAPSED(start_ticks) <= EM4X70_T_TAG_BITMOD);
// enable modulation (activates the field) for remaining first
// half of bit period
HIGH(GPIO_SSC_DOUT);
while (TICKS_ELAPSED(start_ticks) <= EM4X70_T_TAG_HALF_PERIOD);
// disable modulation for second half of bit period
LOW(GPIO_SSC_DOUT);
while (TICKS_ELAPSED(start_ticks) <= EM4X70_T_TAG_FULL_PERIOD);
} else {
// bit = "1" means disable modulation for full bit period
LOW(GPIO_SSC_DOUT);
while (TICKS_ELAPSED(start_ticks) <= EM4X70_T_TAG_FULL_PERIOD);
}
log_sent_bit_end(GetTicks());
}
// TODO: Add similar function that will wait for an ACK/NAK up to a given timeout.
// This will allow for more flexibile handling of tag timing in the response.
static bool check_ack(void) {
// returns true if signal structue corresponds to ACK, anything else is
// counted as NAK (-> false)
// ACK 64 + 64
// NAK 64 + 48
if (check_pulse_length(get_pulse_length(FALLING_EDGE), 2 * EM4X70_T_TAG_FULL_PERIOD) &&
check_pulse_length(get_pulse_length(FALLING_EDGE), 2 * EM4X70_T_TAG_FULL_PERIOD)) {
// ACK
return true;
}
// Otherwise it was a NAK or Listen Window
return false;
}
#if 1 // #pragma region // Bitstream structures / enumerations
#define EM4X70_MAX_BITSTREAM_BITS MAX(EM4X70_MAX_SEND_BITCOUNT, EM4X70_MAX_RECEIVE_BITCOUNT)
// _Static_assert(EM4X70_MAX_SEND_BITCOUNT <= 255, "EM4X70_MAX_SEND_BITCOUNT must fit in uint8_t");
// _Static_assert(EM4X70_MAX_RECEIVE_BITCOUNT <= 255, "EM4X70_MAX_RECEIVE_BITCOUNT must fit in uint8_t");
typedef struct _em4x70_bitstream_t {
// For sending, this is the number of bits to send
// For receiving, this is the number of bits expected from tag
uint8_t bitcount;
// each bit is stored as a uint8_t, storing a single bit as 0 or 1
// this avoids bit-shifting in potentially timing-sensitive code,
// and ensures the simplest possible code for sending and receiving.
uint8_t one_bit_per_byte[EM4X70_MAX_BITSTREAM_BITS];
} em4x70_bitstream_t;
typedef struct _em4x70_command_bitstream {
uint8_t command; // three-bit value that is encoded as the command ... used to select function to handle sending/receiving data
em4x70_bitstream_t to_send;
em4x70_bitstream_t to_receive;
// Note: Bits are stored in reverse order from transmission
// As a result, the first bit from one_bit_per_byte[0]
// ends up as the least significant bit of the LAST
// byte written. E.g., if receiving 20 bit g(rn),
// converted_to_bytes[0] will have bits: GRN03..GRN00 0 0 0 0
// converted_to_bytes[1] will have bits: GRN11..GRN04
// converted_to_bytes[2] will have bits: GRN19..GRN12
// Which when treated as a 24-bit value stored little-endian, is:
// g(rn) << 8u
// This is based on how the existing code worked.
uint8_t received_data_converted_to_bytes[(EM4X70_MAX_BITSTREAM_BITS / 8) + (EM4X70_MAX_BITSTREAM_BITS % 8 ? 1 : 0)];
} em4x70_command_bitstream_t;
typedef bool (*bitstream_command_generator_id_t)(em4x70_command_bitstream_t *out_cmd_bitstream, bool with_command_parity);
typedef bool (*bitstream_command_generator_um1_t)(em4x70_command_bitstream_t *out_cmd_bitstream, bool with_command_parity);
typedef bool (*bitstream_command_generator_um2_t)(em4x70_command_bitstream_t *out_cmd_bitstream, bool with_command_parity);
typedef bool (*bitstream_command_generator_auth_t)(em4x70_command_bitstream_t *out_cmd_bitstream, bool with_command_parity, const uint8_t *rnd, const uint8_t *frnd);
typedef bool (*bitstream_command_generator_pin_t)(em4x70_command_bitstream_t *out_cmd_bitstream, bool with_command_parity, const uint8_t *tag_id, const uint32_t pin_little_endian);
typedef bool (*bitstream_command_generator_write_t)(em4x70_command_bitstream_t *out_cmd_bitstream, bool with_command_parity, uint16_t data_little_endian, uint8_t address);
typedef struct _em4x70_command_generators_t {
bitstream_command_generator_id_t id;
bitstream_command_generator_um1_t um1;
bitstream_command_generator_um2_t um2;
bitstream_command_generator_auth_t auth;
bitstream_command_generator_pin_t pin;
bitstream_command_generator_write_t write;
} em4x70_command_generators_t;
#endif // #pragma endregion // Bitstream structures / enumerations
#if 1 // #pragma region // Functions to dump bitstreams to debug output
static void bitstream_dump_helper(const em4x70_bitstream_t *bitstream, bool is_transmit) {
// mimic the log's output format to make comparisons easier
char const *const direction = is_transmit ? "sent >>>" : "recv <<<";
if (bitstream->bitcount == 0) {
if (g_dbglevel >= DBG_INFO || true) {
DPRINTF_EXTENDED(("%s: no data", direction));
}
} else if (bitstream->bitcount > 0xFEu) {
DPRINTF_ERROR(("INTERNAL ERROR: Too many bits to dump: %d", bitstream->bitcount));
} else {
char bitstring[EM4X70_MAX_BITSTREAM_BITS + 1];
memset(bitstring, 0, sizeof(bitstring));
for (uint16_t i = 0; i < bitstream->bitcount; ++i) {
bitstring[i] = bitstream->one_bit_per_byte[i] ? '1' : '0';
}
DPRINTF_EXTENDED((
"%s: [ %8d .. %8d ] ( %6d ) %2d bits: %s%s",
direction,
0, 0, 0,
bitstream->bitcount + (is_transmit ? 2u : 0u), // add the two RM bits to transmitted data
is_transmit ? "00" : "", // add the two RM bits to transmitted data
bitstring
));
}
}
static void bitstream_dump(const em4x70_command_bitstream_t *cmd_bitstream) {
bitstream_dump_helper(&cmd_bitstream->to_send, true);
bitstream_dump_helper(&cmd_bitstream->to_receive, false);
}
#endif // #pragma region // Functions to dump bitstreams to debug output
#if 1 // #pragma region // Functions to send bitstreams, with options to receive data
/// @brief Internal function to send a bitstream to the tag.
/// @details This function presumes a validated structure, and sends the bitstream without delays, to support timing-sensitive operations.
/// @param send The details on the bitstream to send to the tag.
/// @return
static bool send_bitstream_internal(const em4x70_bitstream_t *send) {
// similar to original send_command_and_read, but using provided bitstream
int retries = EM4X70_COMMAND_LIW_SEARCH_RETRIES; // only retries finding the LIW ... not the actual command
// TIMING SENSITIVE FUNCTION ... Minimize delays after finding the listen window
while (retries) {
const uint8_t *s = send->one_bit_per_byte;
uint8_t sent = 0;
retries--;
if (find_listen_window(true)) { // `true` will automatically send the two `RM` zero bits
// TIMING SENSITIVE SECTION
do {
em4x70_send_bit(*s);
s++;
sent++;
} while (sent < send->bitcount);
return true;
// TIMING SENSITIVE SECTION
}
}
return false;
}
/// @brief Internal function to send a bitstream to the tag, and immediately read response data.
/// @param send Bitstream to be sent to the tag
/// @param recv Buffer to store received data from the tag.
/// `recv->expected_bitcount` must be initialized to indicate expected bits to receive from the tag.
/// @return true only if the bitstream was sent and the expected count of bits were received from the tag.
static bool send_bitstream_and_read(em4x70_command_bitstream_t *command_bitstream) {
const em4x70_bitstream_t *send = &command_bitstream->to_send;
em4x70_bitstream_t *recv = &command_bitstream->to_receive;
// Validate the parameters before proceeding
bool parameters_valid = true;
uint8_t bits_to_decode;
do {
if (command_bitstream->command == 0) {
DPRINTF_ERROR(("No command specified -- coding error?"));
parameters_valid = false;
bits_to_decode = 0;
} else if (
(command_bitstream->command == EM4X70_COMMAND_ID) ||
(command_bitstream->command == EM4X70_COMMAND_UM1) ||
(command_bitstream->command == EM4X70_COMMAND_UM2) ||
(command_bitstream->command == EM4X70_COMMAND_AUTH)
) {
// These are the four commands that are supported by this function.
// Allow these to proceed.
} else {
DPRINTF_ERROR(("Unknown command: 0x%x (%d)", command_bitstream->command, command_bitstream->command));
parameters_valid = false;
bits_to_decode = 0;
}
if (send->bitcount == 0) {
DPRINTF_ERROR(("No bits to send -- coding error?"));
parameters_valid = false;
bits_to_decode = 0;
} else if (send->bitcount > EM4X70_MAX_SEND_BITCOUNT) {
DPRINTF_ERROR(("Too many bits to send -- coding error? %d", send->bitcount));
parameters_valid = false;
bits_to_decode = 0;
}
if (recv->bitcount == 0) {
DPRINTF_ERROR(("No bits to receive -- coding error?"));
parameters_valid = false;
bits_to_decode = 0;
} else if (recv->bitcount > EM4X70_MAX_RECEIVE_BITCOUNT) {
DPRINTF_ERROR(("Too many bits to receive -- coding error? %d", recv->bitcount));
parameters_valid = false;
bits_to_decode = 0;
} else if (recv->bitcount % 8u != 0u) {
// AUTH command receives 20 bits. Existing code treated this "as if" tag sent 24 bits.
// Keep this behavior to minimize the changes to both ARM and client code bases.
bits_to_decode = ((recv->bitcount / 8u) + 1u) * 8u; // round up to nearest byte multiple
// _Static_assert(EM4X70_MAX_RECEIVE_BITCOUNT <= (UINT8_MAX - (UINT8_MAX % 8u)), "EM4X70_MAX_RECEIVE_BITCOUNT too large to safely round up within a uint8_t?");
// No static assertion, so do this at runtime
if (bits_to_decode > EM4X70_MAX_RECEIVE_BITCOUNT) {
DPRINTF_ERROR(("Too many bits to decode after adjusting to nearest byte multiple -- coding error? %d --> %d (max %d)", recv->bitcount, bits_to_decode, EM4X70_MAX_RECEIVE_BITCOUNT));
parameters_valid = false;
} else {
DPRINTF_PROLIX(("Note: will receive %d bits, but decode as %d bits", recv->bitcount));
}
} else {
// Valid number of bits expected, and an integral multiple of 8 bits ... so decode exactly what was received
bits_to_decode = recv->bitcount;
}
} while (0);
// early return when parameter validation fails
if (!parameters_valid) {
return false;
}
// similar to original send_command_and_read, but using provided bitstream
int bits_received = 0;
// NOTE: reset of log does not track the time first bit is sent. That occurs
// when the first sent bit is recorded in the log.
log_reset();
// TIMING SENSITIVE SECTION
if (send_bitstream_internal(send)) {
bits_received = em4x70_receive(recv->one_bit_per_byte, recv->bitcount);
}
// END OF TIMING SENSITIVE SECTION
// Convert the received bits into byte array (bits are received in reverse order ... this simplifies reasoning / debugging)
bool result = (bits_received == recv->bitcount);
// output errors via debug prints and dump log as appropriate
encoded_bit_array_to_bytes(recv->one_bit_per_byte, bits_to_decode, command_bitstream->received_data_converted_to_bytes);
log_dump();
bitstream_dump(command_bitstream);
if (bits_received == 0) {
DPRINTF_INFO(("No bits received -- tag may not be present?"));
} else if (bits_received < recv->bitcount) {
DPRINTF_INFO(("Invalid data received length: %d, expected %d", bits_received, recv->bitcount));
} else if (bits_received != recv->bitcount) {
DPRINTF_INFO(("INTERNAL ERROR: Expected %d bits, received %d bits (more than maximum allowed)", recv->bitcount, bits_received));
}
// finally return the result of the operation
return result;
}
static bool send_bitstream_wait_ack_wait_read(em4x70_command_bitstream_t *command_bitstream) {
const em4x70_bitstream_t *send = &command_bitstream->to_send;
em4x70_bitstream_t *recv = &command_bitstream->to_receive;
// Validate the parameters before proceeding
bool parameters_valid = true;
do {
if (command_bitstream->command == 0) {
DPRINTF_ERROR(("No command specified -- coding error?"));
parameters_valid = false;
} else if (command_bitstream->command != EM4X70_COMMAND_PIN) {
DPRINTF_ERROR(("Unexpected command (only supports PIN): 0x%x (%d)", command_bitstream->command, command_bitstream->command));
parameters_valid = false;
}
if (send->bitcount == 0) {
DPRINTF_ERROR(("No bits to send -- coding error?"));
parameters_valid = false;
} else if (send->bitcount > EM4X70_MAX_SEND_BITCOUNT) {
DPRINTF_ERROR(("Too many bits to send -- coding error? %d", send->bitcount));
parameters_valid = false;
}
if (recv->bitcount == 0) {
DPRINTF_ERROR(("No bits to receive -- coding error?"));
parameters_valid = false;
} else if (recv->bitcount > EM4X70_MAX_RECEIVE_BITCOUNT) {
DPRINTF_ERROR(("Too many bits to receive -- coding error? %d", recv->bitcount));
parameters_valid = false;
} else if (recv->bitcount % 8u != 0u) {
DPRINTF_ERROR(("PIN must transmit multiple of 8 bits -- coding error?", recv->bitcount));
parameters_valid = false;
}
} while (0);
// early return when parameter validation fails
if (!parameters_valid) {
return false;
}
log_reset();
int bits_received = 0;
// TIMING SENSITIVE SECTION -- only debug output on unrecoverable errors
if (send_bitstream_internal(send)) {
// Wait TWALB (write access lock bits)
WaitTicks(EM4X70_T_TAG_TWALB);
// <-- Receive ACK
if (check_ack()) {
// <w> Writes Lock Bits
WaitTicks(EM4X70_T_TAG_WEE);
bits_received = em4x70_receive(recv->one_bit_per_byte, recv->bitcount);
if (bits_received != recv->bitcount) {
DPRINTF_INFO(("Invalid data received length: %d, expected %d", bits_received, recv->bitcount));
}
} else {
DPRINTF_INFO(("No ACK received after sending command"));
}
} else {
DPRINTF_INFO(("Failed to send command"));
}
// END TIMING SENSITIVE SECTION
// Convert the received bits into byte array (bits are received in reverse order ... this simplifies reasoning / debugging)
bool result = (bits_received == recv->bitcount);
// output errors via debug prints and dump log as appropriate
encoded_bit_array_to_bytes(recv->one_bit_per_byte, bits_received, command_bitstream->received_data_converted_to_bytes);
log_dump();
bitstream_dump(command_bitstream);
return result;
}
static bool send_bitstream_wait_ack_wait_ack(em4x70_command_bitstream_t *command_bitstream) {
const em4x70_bitstream_t *send = &command_bitstream->to_send;
em4x70_bitstream_t *recv = &command_bitstream->to_receive;
// Validate the parameters before proceeding
bool parameters_valid = true;
do {
if (command_bitstream->command == 0) {
DPRINTF_ERROR(("No command specified -- coding error?"));
parameters_valid = false;
} else if (command_bitstream->command != EM4X70_COMMAND_WRITE) {
DPRINTF_ERROR(("Unexpected command (only supports WRITE): 0x%x (%d)", command_bitstream->command, command_bitstream->command));
parameters_valid = false;
}
if (send->bitcount == 0) {
DPRINTF_ERROR(("No bits to send -- coding error?"));
parameters_valid = false;
} else if (send->bitcount > EM4X70_MAX_SEND_BITCOUNT) {
DPRINTF_ERROR(("Too many bits to send -- coding error? %d", send->bitcount));
parameters_valid = false;
}
if (recv->bitcount != 0) {
DPRINTF_ERROR(("Expecting to receive data (%d bits) -- coding error?", recv->bitcount));
parameters_valid = false;
}
} while (0);
// early return when parameter validation fails
if (!parameters_valid) {
DPRINTF_ERROR(("Parameter validation failed"));
return false;
}
bool result = false;
log_reset();
// TIMING SENSITIVE SECTION -- only debug output on unrecoverable errors
if (send_bitstream_internal(send)) {
// Wait TWA
WaitTicks(EM4X70_T_TAG_TWA);
// look for ACK sequence
if (check_ack()) {
// now EM4x70 needs EM4X70_T_TAG_TWEE (EEPROM write time)
// for saving data and should return with ACK
WaitTicks(EM4X70_T_TAG_WEE);
if (check_ack()) {
result = true;
} else {
DPRINTF_INFO(("No second ACK received after sending command"));
}
} else {
DPRINTF_INFO(("No ACK received after sending command"));
}
} else {
DPRINTF_INFO(("Failed to send command"));
}
// END TIMING SENSITIVE SECTION
log_dump();
bitstream_dump(command_bitstream);
return result;
}
#endif // #pragma region // Functions to send bitstreams, with options to receive data
#if 1 // #pragma region // Create bitstreams for each type of EM4x70 command
static bool add_bit_to_bitstream(em4x70_bitstream_t *s, bool b) {
uint8_t i = s->bitcount;
uint8_t bits_to_add = 1u;
if (i > EM4X70_MAX_BITSTREAM_BITS - bits_to_add) {
DPRINTF_ERROR(("Too many bits to add to bitstream: %d, %d", i, bits_to_add));
return false;
}
s->one_bit_per_byte[i] = b ? 1 : 0;
s->bitcount++;
return true;
}
static bool add_nibble_to_bitstream(em4x70_bitstream_t *s, uint8_t nibble, bool add_fifth_parity_bit) {
uint8_t i = s->bitcount;
uint8_t bits_to_add = add_fifth_parity_bit ? 5u : 4u;
if (i > EM4X70_MAX_BITSTREAM_BITS - bits_to_add) {
DPRINTF_ERROR(("Too many bits to add to bitstream: %d, %d", i, bits_to_add));
return false;
}
if ((nibble & 0xFu) != nibble) {
DPRINTF_ERROR(("Invalid nibble value: 0x%x", nibble));
return false;
}
// transmit the most significant bit first
s->one_bit_per_byte[i + 0] = nibble & 0x08u ? 1 : 0;
s->one_bit_per_byte[i + 1] = nibble & 0x04u ? 1 : 0;
s->one_bit_per_byte[i + 2] = nibble & 0x02u ? 1 : 0;
s->one_bit_per_byte[i + 3] = nibble & 0x01u ? 1 : 0;
// add parity if requested
if (add_fifth_parity_bit) {
static const uint16_t parity = 0x6996u; // 0b0110'1001'1001'0110 -- value at bit index defines parity bit for that nibble value
s->one_bit_per_byte[i + 4] = (parity & (1u << nibble)) == 0 ? 0 : 1;
}
s->bitcount += bits_to_add;
return true;
}
static bool add_byte_to_bitstream(em4x70_bitstream_t *s, uint8_t b) {
uint8_t i = s->bitcount;
uint8_t bits_to_add = 8u;
if (i > EM4X70_MAX_BITSTREAM_BITS - bits_to_add) {
DPRINTF_ERROR(("Too many bits to add to bitstream: %d, %d", i, bits_to_add));
return false;
}
// transmit the most significant bit first
s->one_bit_per_byte[i + 0] = b & 0x80u ? 1 : 0;
s->one_bit_per_byte[i + 1] = b & 0x40u ? 1 : 0;
s->one_bit_per_byte[i + 2] = b & 0x20u ? 1 : 0;
s->one_bit_per_byte[i + 3] = b & 0x10u ? 1 : 0;
s->one_bit_per_byte[i + 4] = b & 0x08u ? 1 : 0;
s->one_bit_per_byte[i + 5] = b & 0x04u ? 1 : 0;
s->one_bit_per_byte[i + 6] = b & 0x02u ? 1 : 0;
s->one_bit_per_byte[i + 7] = b & 0x01u ? 1 : 0;
s->bitcount += bits_to_add;
return true;
}
static bool create_legacy_em4x70_bitstream_for_cmd_id(em4x70_command_bitstream_t *out_cmd_bitstream, bool with_command_parity) {
const uint8_t expected_bits_to_send = 4u;
bool result = true;
memset(out_cmd_bitstream, 0, sizeof(em4x70_command_bitstream_t));
out_cmd_bitstream->command = EM4X70_COMMAND_ID;
uint8_t cmd = 0x3u; // CMD + Parity bit == 0b001'1
result = result && add_nibble_to_bitstream(&out_cmd_bitstream->to_send, cmd, false);
out_cmd_bitstream->to_receive.bitcount = 32;
if (out_cmd_bitstream->to_send.bitcount != expected_bits_to_send) {
DPRINTF_ERROR(("INTERNAL ERROR: Expected %d bits to be added to send buffer, but only %d bits were added", expected_bits_to_send, out_cmd_bitstream->to_send.bitcount));
result = false;
}
return result;
}
static bool create_legacy_em4x70_bitstream_for_cmd_um1(em4x70_command_bitstream_t *out_cmd_bitstream, bool with_command_parity) {
const uint8_t expected_bits_to_send = 4u;
bool result = true;
memset(out_cmd_bitstream, 0, sizeof(em4x70_command_bitstream_t));
out_cmd_bitstream->command = EM4X70_COMMAND_UM1;
uint8_t cmd = 0x5u; // CMD + Parity bit == 0b010'1
result = result && add_nibble_to_bitstream(&out_cmd_bitstream->to_send, cmd, false);
out_cmd_bitstream->to_receive.bitcount = 32;
if (out_cmd_bitstream->to_send.bitcount != expected_bits_to_send) {
DPRINTF_ERROR(("INTERNAL ERROR: Expected %d bits to be added to send buffer, but only %d bits were added", expected_bits_to_send, out_cmd_bitstream->to_send.bitcount));
result = false;
}
return result;
}
static bool create_legacy_em4x70_bitstream_for_cmd_um2(em4x70_command_bitstream_t *out_cmd_bitstream, bool with_command_parity) {
const uint8_t expected_bits_to_send = 4u;
bool result = true;
memset(out_cmd_bitstream, 0, sizeof(em4x70_command_bitstream_t));
out_cmd_bitstream->command = EM4X70_COMMAND_UM2;
uint8_t cmd = 0xFu; // CMD + Parity bit == 0b111'1
result = result && add_nibble_to_bitstream(&out_cmd_bitstream->to_send, cmd, false);
out_cmd_bitstream->to_receive.bitcount = 64;
if (out_cmd_bitstream->to_send.bitcount != expected_bits_to_send) {
DPRINTF_ERROR(("INTERNAL ERROR: Expected %d bits to be added to send buffer, but only %d bits were added", expected_bits_to_send, out_cmd_bitstream->to_send.bitcount));
result = false;
}
return true;
}
static bool create_legacy_em4x70_bitstream_for_cmd_auth(em4x70_command_bitstream_t *out_cmd_bitstream, bool with_command_parity, const uint8_t *rnd, const uint8_t *frnd) {
const uint8_t expected_bits_to_send = 95u;
bool result = true;
memset(out_cmd_bitstream, 0, sizeof(em4x70_command_bitstream_t));
out_cmd_bitstream->command = EM4X70_COMMAND_AUTH;
em4x70_bitstream_t *s = &out_cmd_bitstream->to_send;
uint8_t cmd = 0x6u; // CMD + Parity bit == 0b011'0
result = result && add_nibble_to_bitstream(s, cmd, false);
// Reader: [RM][0][Command][N55..N0][0000000][f(RN)27..f(RN)0]
//
// ----> HACK <----- : [ 0 ] == extra bit of zero (!?)
// Command is 4 bits : [ 1 .. 4 ] <---- HACK: Always sent with command parity
// N is 56 bits : [ 5 .. 60 ]
// 7 bits of 0 : [61 .. 67 ]
// f(RN) is 28 bits : [68 .. 95 ]
// Total bits to send: 96 bits (not the 95 bits that are actually expected)
// Fills in bits at indexes 5 .. 60
for (uint_fast8_t i = 0; i < 7; ++i) {
result = result && add_byte_to_bitstream(s, rnd[i]);
}
// Send seven diversity bits ... indexes 61 .. 67
for (uint_fast8_t i = 0; i < 7; ++i) {
result = result && add_bit_to_bitstream(s, 0);
}
// Send first 24 bit of f(RN) ... indexes 68 .. 91
for (uint_fast8_t i = 0; i < 3; ++i) {
result = result && add_byte_to_bitstream(s, frnd[i]);
}
// and send the final 4 bits of f(RN) ... indexes 92 .. 95
do {
uint8_t nibble = (frnd[3] >> 4u) & 0xFu;
result = result && add_nibble_to_bitstream(s, nibble, false);
} while (0);
out_cmd_bitstream->to_receive.bitcount = 20;
if (out_cmd_bitstream->to_send.bitcount != expected_bits_to_send) {
DPRINTF_ERROR(("INTERNAL ERROR: Expected %d bits to be added to send buffer, but only %d bits were added", expected_bits_to_send, out_cmd_bitstream->to_send.bitcount));
result = false;
}
return result;
}
static bool create_legacy_em4x70_bitstream_for_cmd_pin(em4x70_command_bitstream_t *out_cmd_bitstream, bool with_command_parity, const uint8_t *tag_id, const uint32_t pin) {
const uint8_t expected_bits_to_send = 68;
bool result = true;
memset(out_cmd_bitstream, 0, sizeof(em4x70_command_bitstream_t));
em4x70_bitstream_t *s = &out_cmd_bitstream->to_send;
out_cmd_bitstream->command = EM4X70_COMMAND_PIN;
uint8_t cmd = 0x9u; // CMD + Parity bit == 0b100'1
result = result && add_nibble_to_bitstream(s, cmd, false);
// Send tag's ID ... indexes 4 .. 35
// e.g., tag_id points to &tag.data[4] ... &tag.data[7]
for (uint_fast8_t i = 0; i < 4; i++) {
uint8_t b = tag_id[3 - i];
result = result && add_byte_to_bitstream(s, b);
}
// Send the PIN ... indexes 36 .. 67
for (uint_fast8_t i = 0; i < 4 ; i++) {
// BUGBUG ... Non-portable ... likely depends on little-endian vs. big-endian (presumes little-endian)
uint8_t b = (pin >> (i * 8u)) & 0xFFu;
result = result && add_byte_to_bitstream(s, b);
}
out_cmd_bitstream->to_receive.bitcount = 32;
if (out_cmd_bitstream->to_send.bitcount != expected_bits_to_send) {
DPRINTF_ERROR(("INTERNAL ERROR: Expected %d bits to be added to send buffer, but only %d bits were added", expected_bits_to_send, out_cmd_bitstream->to_send.bitcount));
result = false;
}
return result;
}
static bool create_legacy_em4x70_bitstream_for_cmd_write(em4x70_command_bitstream_t *out_cmd_bitstream, bool with_command_parity, uint16_t new_data, uint8_t address) {
const uint8_t expected_bits_to_send = 34u;
bool result = true;
memset(out_cmd_bitstream, 0, sizeof(em4x70_command_bitstream_t));
out_cmd_bitstream->command = EM4X70_COMMAND_WRITE;
em4x70_bitstream_t *s = &out_cmd_bitstream->to_send;
uint8_t cmd = 0xAu; // CMD + Parity bit == 0b101'0
result = result && add_nibble_to_bitstream(s, cmd, false);
if ((address & 0x0Fu) != address) {
// only lower 4 bits are valid for address
DPRINTF_ERROR(("Invalid address value: 0x%x", address));
result = false;
}
// Send address data with its even parity bit ... indexes 4 .. 8
result = result && add_nibble_to_bitstream(s, address, true);
// Split into nibbles ... Being explicit here because
// the client sent a uint16_t, but the order of the bytes
// is reversed relative to what is going to be sent.
// Thus, must swap the bytes before splitting into nibbles.
// TODO: Fix client and arm code to only use byte arrays.....
uint8_t nibbles[4] = {
(new_data >> 4) & 0xFu,
(new_data >> 0) & 0xFu,
(new_data >> 12) & 0xFu,
(new_data >> 8) & 0xFu,
};
// Send each of the four nibbles of data with their respective parity ... indexes 9 .. 28
uint8_t column_parity = 0;
for (uint_fast8_t i = 0; i < 4; ++i) {
uint8_t nibble = nibbles[i];
column_parity ^= nibble;
result = result && add_nibble_to_bitstream(s, nibble, true);
}
// add the column parity ... indexes 29 .. 32 ... but manually add zero as fifth bit (it's not a parity)
result = result && add_nibble_to_bitstream(s, column_parity, false);
result = result && add_bit_to_bitstream(s, 0);
out_cmd_bitstream->to_receive.bitcount = 0;
if (out_cmd_bitstream->to_send.bitcount != expected_bits_to_send) {
DPRINTF_ERROR(("INTERNAL ERROR: Expected %d bits to be added to send buffer, but only %d bits were added", expected_bits_to_send, out_cmd_bitstream->to_send.bitcount));
result = false;
}
return result;
}
const em4x70_command_generators_t legacy_em4x70_command_generators = {
.id = create_legacy_em4x70_bitstream_for_cmd_id,
.um1 = create_legacy_em4x70_bitstream_for_cmd_um1,
.um2 = create_legacy_em4x70_bitstream_for_cmd_um2,
.auth = create_legacy_em4x70_bitstream_for_cmd_auth,
.pin = create_legacy_em4x70_bitstream_for_cmd_pin,
.write = create_legacy_em4x70_bitstream_for_cmd_write
};
#endif // #pragma endregion // Create bitstreams for each type of EM4x70 command
// TODO: define and use structs for rnd, frnd, response
// Or, just use the structs defined by IDLIB48?
// log entry/exit point
static int authenticate(const uint8_t *rnd, const uint8_t *frnd, uint8_t *response) {
em4x70_command_bitstream_t auth_cmd;
const em4x70_command_generators_t *generator = &legacy_em4x70_command_generators;
generator->auth(&auth_cmd, g_deprecated_command_parity, rnd, frnd);
bool result = send_bitstream_and_read(&auth_cmd);
if (result) {
encoded_bit_array_to_bytes(auth_cmd.to_receive.one_bit_per_byte, 24, response);
}
return result ? PM3_SUCCESS : PM3_ESOFT;
}
// Sets one (reflected) byte and returns carry bit
// (1 if `value` parameter was greater than 0xFF)
static int set_byte(uint8_t *target, uint16_t value) {
int c = value > 0xFF ? 1 : 0; // be explicit about carry bit values
*target = reflect8(value);
return c;
}
static int bruteforce(const uint8_t address, const uint8_t *rnd, const uint8_t *frnd, uint16_t start_key, uint8_t *response) {
uint8_t auth_resp[3] = {0};
uint8_t rev_rnd[7];
uint8_t temp_rnd[7];
reverse_arraybytes_copy((uint8_t *)rnd, rev_rnd, sizeof(rev_rnd));
memcpy(temp_rnd, rnd, sizeof(temp_rnd));
for (int k = start_key; k <= 0xFFFF; ++k) {
int c = 0;
WDT_HIT();
uint16_t rev_k = reflect16(k);
switch (address) {
case 9:
c = set_byte(&temp_rnd[0], rev_rnd[0] + ((rev_k) & 0xFFu));
c = set_byte(&temp_rnd[1], rev_rnd[1] + c + ((rev_k >> 8) & 0xFFu));
c = set_byte(&temp_rnd[2], rev_rnd[2] + c);
c = set_byte(&temp_rnd[3], rev_rnd[3] + c);
c = set_byte(&temp_rnd[4], rev_rnd[4] + c);
c = set_byte(&temp_rnd[5], rev_rnd[5] + c);
set_byte(&temp_rnd[6], rev_rnd[6] + c);
break;
case 8:
c = set_byte(&temp_rnd[2], rev_rnd[2] + ((rev_k) & 0xFFu));
c = set_byte(&temp_rnd[3], rev_rnd[3] + c + ((rev_k >> 8) & 0xFFu));
c = set_byte(&temp_rnd[4], rev_rnd[4] + c);
c = set_byte(&temp_rnd[5], rev_rnd[5] + c);
set_byte(&temp_rnd[6], rev_rnd[6] + c);
break;
case 7:
c = set_byte(&temp_rnd[4], rev_rnd[4] + ((rev_k) & 0xFFu));
c = set_byte(&temp_rnd[5], rev_rnd[5] + c + ((rev_k >> 8) & 0xFFu));
set_byte(&temp_rnd[6], rev_rnd[6] + c);
break;
default:
DPRINTF_ERROR(("Bad block number given: %d", address));
return PM3_ESOFT;
}
// Report progress every 256 attempts
if ((k % 0x100) == 0) {
DPRINTF_ALWAYS(("Trying: %04X", k));
}
// Due to performance reason, we only try it once. Therefore you need a very stable RFID communcation.
if (authenticate(temp_rnd, frnd, auth_resp) == PM3_SUCCESS) {
DPRINTF_INFO(("Authentication success with rnd: %02X%02X%02X%02X%02X%02X%02X", temp_rnd[0], temp_rnd[1], temp_rnd[2], temp_rnd[3], temp_rnd[4], temp_rnd[5], temp_rnd[6]));
response[0] = (k >> 8) & 0xFF;
response[1] = k & 0xFF;
return PM3_SUCCESS;
}
if (BUTTON_PRESS() || data_available()) {
DPRINTF_ALWAYS(("EM4x70 Bruteforce Interrupted at key %04X", k));
return PM3_EOPABORTED;
}
}
return PM3_ESOFT;
}
// log entry/exit point
static int send_pin(const uint32_t pin) {
em4x70_command_bitstream_t send_pin_cmd;
const em4x70_command_generators_t *generator = &legacy_em4x70_command_generators;
generator->pin(&send_pin_cmd, g_deprecated_command_parity, &g_tag.data[4], pin);
bool result = send_bitstream_wait_ack_wait_read(&send_pin_cmd);
return result ? PM3_SUCCESS : PM3_ESOFT;
}
// log entry/exit point
static int write(const uint16_t word, const uint8_t address) {
em4x70_command_bitstream_t write_cmd;
const em4x70_command_generators_t *generator = &legacy_em4x70_command_generators;
generator->write(&write_cmd, g_deprecated_command_parity, word, address);
bool result = send_bitstream_wait_ack_wait_ack(&write_cmd);
if (!result) {
DPRINTF_INFO(("Failed to write data"));
}
return result ? PM3_SUCCESS : PM3_ESOFT;
}
static bool find_listen_window(bool command) {
int cnt = 0;
while (cnt < EM4X70_T_PULSES_TO_SEARCH_FOR_LIW) {
/*
80 ( 64 + 16 )
80 ( 64 + 16 )
Flip Polarity
96 ( 64 + 32 )
64 ( 32 + 16 +16 )*/
if (check_pulse_length(get_pulse_length(RISING_EDGE), (2 * EM4X70_T_TAG_FULL_PERIOD) + EM4X70_T_TAG_HALF_PERIOD) &&
check_pulse_length(get_pulse_length(RISING_EDGE), (2 * EM4X70_T_TAG_FULL_PERIOD) + EM4X70_T_TAG_HALF_PERIOD) &&
check_pulse_length(get_pulse_length(FALLING_EDGE), (2 * EM4X70_T_TAG_FULL_PERIOD) + EM4X70_T_TAG_FULL_PERIOD) &&
check_pulse_length(get_pulse_length(FALLING_EDGE), (1 * EM4X70_T_TAG_FULL_PERIOD) + EM4X70_T_TAG_FULL_PERIOD)) {
if (command) {
/* Here we are after the 64 duration edge.
* em4170 says we need to wait about 48 RF clock cycles.
* depends on the delay between tag and us
*
* I've found 32-40 field cycles works best
* Allow user adjustment in range: 24-48 field cycles?
* On PM3Easy I've seen success at 24..40 field
*/
WaitTicks(EM4X70_T_DELAY_FROM_LIW_TO_RM);
// Send RM Command
em4x70_send_bit(0);
em4x70_send_bit(0);
}
return true;
}
cnt++;
}
return false;
}
// *bits == array of bytes, each byte storing a single bit.
// *out == array of bytes, storing converted bits --> bytes.
//
// [in, bcount(count_of_bits) ] const uint8_t *bits
// [out, bcount(count_of_bits/8)] uint8_t *out
static void encoded_bit_array_to_bytes(const uint8_t *bits, int count_of_bits, uint8_t *out) {
if (count_of_bits % 8 != 0) {
DPRINTF_ERROR(("Should have a multiple of 8 bits, was sent %d", count_of_bits));
}
int num_bytes = count_of_bits / 8; // We should have a multiple of 8 here
for (int i = 1; i <= num_bytes; i++) {
out[num_bytes - i] = encoded_bit_array_to_byte(bits, 8);
bits += 8;
}
}
static uint8_t encoded_bit_array_to_byte(const uint8_t *bits, int count_of_bits) {
// converts <count_of_bits> separate bits into a single "byte"
uint8_t byte = 0;
for (int i = 0; i < count_of_bits; i++) {
byte <<= 1;
byte |= bits[i];
}
return byte;
}
/**
* em4x70_read_id
*
* read pre-programmed ID (4 bytes)
*/
static bool em4x70_read_id(void) {
em4x70_command_bitstream_t read_id_cmd;
const em4x70_command_generators_t *generator = &legacy_em4x70_command_generators;
generator->id(&read_id_cmd, g_deprecated_command_parity);
bool result = send_bitstream_and_read(&read_id_cmd);
if (result) {
encoded_bit_array_to_bytes(read_id_cmd.to_receive.one_bit_per_byte, read_id_cmd.to_receive.bitcount, &g_tag.data[4]);
}
return result;
}
/**
* em4x70_read_um1
*
* read user memory 1 (4 bytes including lock bits)
*/
static bool em4x70_read_um1(void) {
em4x70_command_bitstream_t read_um1_cmd;
const em4x70_command_generators_t *generator = &legacy_em4x70_command_generators;
generator->um1(&read_um1_cmd, g_deprecated_command_parity);
bool result = send_bitstream_and_read(&read_um1_cmd);
if (result) {
encoded_bit_array_to_bytes(read_um1_cmd.to_receive.one_bit_per_byte, read_um1_cmd.to_receive.bitcount, &g_tag.data[0]);
}
bitstream_dump(&read_um1_cmd);
return result;
}
/**
* em4x70_read_um2
*
* read user memory 2 (8 bytes)
*/
static bool em4x70_read_um2(void) {
em4x70_command_bitstream_t read_um2_cmd;
const em4x70_command_generators_t *generator = &legacy_em4x70_command_generators;
generator->um2(&read_um2_cmd, g_deprecated_command_parity);
bool result = send_bitstream_and_read(&read_um2_cmd);
if (result) {
encoded_bit_array_to_bytes(read_um2_cmd.to_receive.one_bit_per_byte, read_um2_cmd.to_receive.bitcount, &g_tag.data[24]);
}
bitstream_dump(&read_um2_cmd);
return result;
}
static bool find_em4x70_tag(void) {
// function is used to check whether a tag on the proxmark is an
// EM4x70 tag or not -> speed up "lf search" process
return find_listen_window(false);
}
// This is the ONLY function that receives data from the tag
static int em4x70_receive(uint8_t *bits, size_t maximum_bits_to_read) {
uint32_t pl;
int bit_pos = 0;
edge_detection_t edge = RISING_EDGE;
bool foundheader = false;
// Read out the header
// 12 Manchester 1's (may miss some during settle period)
// 4 Manchester 0's
// Skip about half of the leading 1's as signal could start off noisy
WaitTicks(6 * EM4X70_T_TAG_FULL_PERIOD);
// wait until we get the transition from 1's to 0's which is 1.5 full windows
for (int i = 0; i < EM4X70_T_PULSES_TO_SEARCH_FOR_HEADER_TRANSITION; i++) {
pl = get_pulse_length(edge);
if (check_pulse_length(pl, 3 * EM4X70_T_TAG_HALF_PERIOD)) {
foundheader = true;
break;
}
}
if (!foundheader) {
if (g_dbglevel >= DBG_EXTENDED) Dbprintf("Failed to find read header");
return 0;
}
// Skip next 3 0's, (the header check above consumed the first 0)
for (int i = 0; i < 3; i++) {
// If pulse length is not 1 bit, then abort early
if (!check_pulse_length(get_pulse_length(edge), EM4X70_T_TAG_FULL_PERIOD)) {
return 0;
}
}
log_received_bit_start(GetTicks());
// identify remaining bits based on pulse lengths
// between listen windows only pulse lengths of 1, 1.5 and 2 are possible
while (bit_pos < maximum_bits_to_read) {
pl = get_pulse_length(edge);
if (check_pulse_length(pl, EM4X70_T_TAG_FULL_PERIOD)) {
// pulse length 1 -> assign bit
bits[bit_pos++] = edge == FALLING_EDGE ? 1 : 0;
} else if (check_pulse_length(pl, 3 * EM4X70_T_TAG_HALF_PERIOD)) {
// pulse length 1.5 -> 2 bits + flip edge detection
if (edge == FALLING_EDGE) {
bits[bit_pos++] = 0;
if (bit_pos < maximum_bits_to_read) {
bits[bit_pos++] = 0;
}
edge = RISING_EDGE;
} else {
bits[bit_pos++] = 1;
if (bit_pos < maximum_bits_to_read) {
bits[bit_pos++] = 1;
}
edge = FALLING_EDGE;
}
} else if (check_pulse_length(pl, 2 * EM4X70_T_TAG_FULL_PERIOD)) {
// pulse length of 2 -> two bits
if (edge == FALLING_EDGE) {
bits[bit_pos++] = 0;
if (bit_pos < maximum_bits_to_read) {
bits[bit_pos++] = 1;
}
} else {
bits[bit_pos++] = 1;
if (bit_pos < maximum_bits_to_read) {
bits[bit_pos++] = 0;
}
}
} else {
// Listen Window, or invalid bit
break;
}
}
log_received_bit_end(GetTicks());
log_received_bits(bits, bit_pos);
return bit_pos;
}
// CLIENT ENTRY POINTS
void em4x70_info(const em4x70_data_t *etd, bool ledcontrol) {
bool success = false;
bool success_with_UM2 = false;
// Support tags with and without command parity bits
g_deprecated_command_parity = false;
init_tag();
em4x70_setup_read();
// Find the Tag
if (get_signalproperties() && find_em4x70_tag()) {
// Read ID and UM1 (both em4070 and em4170)
success = em4x70_read_id() && em4x70_read_um1();
// em4170 also has UM2, V4070 does not (e.g., 1998 Porsche Boxster)
success_with_UM2 = em4x70_read_um2();
}
StopTicks();
lf_finalize(ledcontrol);
int status = success ? PM3_SUCCESS : PM3_ESOFT;
size_t data_size =
success && success_with_UM2 ? 32 :
success ? 20 :
0;
// not returning the data to the client about actual length read?
reply_ng(CMD_LF_EM4X70_INFO, status, g_tag.data, data_size);
}
void em4x70_write(const em4x70_data_t *etd, bool ledcontrol) {
int status = PM3_ESOFT;
g_deprecated_command_parity = false;
// Disable to prevent sending corrupted data to the tag.
if (g_deprecated_command_parity) {
DPRINTF_ALWAYS(("Use of `--par` option with `lf em 4x70 write` is non-functional and may corrupt data on the tag."));
// reply_ng(CMD_LF_EM4X70_WRITE, PM3_ENOTIMPL, NULL, 0);
// return;
}
init_tag();
em4x70_setup_read();
// Find the Tag
if (get_signalproperties() && find_em4x70_tag()) {
// Write
status = write(etd->word, etd->address);
if (status == PM3_SUCCESS) {
// Read Tag after writing
if (em4x70_read_id()) {
em4x70_read_um1();
em4x70_read_um2();
}
}
}
StopTicks();
lf_finalize(ledcontrol);
reply_ng(CMD_LF_EM4X70_WRITE, status, g_tag.data, sizeof(g_tag.data));
}
void em4x70_unlock(const em4x70_data_t *etd, bool ledcontrol) {
int status = PM3_ESOFT;
g_deprecated_command_parity = false;
init_tag();
em4x70_setup_read();
// Find the Tag
if (get_signalproperties() && find_em4x70_tag()) {
// Read ID (required for send_pin command)
if (em4x70_read_id()) {
// Send PIN
status = send_pin(etd->pin);
// If the write succeeded, read the rest of the tag
if (status == PM3_SUCCESS) {
// Read Tag
// ID doesn't change
em4x70_read_um1();
em4x70_read_um2();
}
}
}
StopTicks();
lf_finalize(ledcontrol);
reply_ng(CMD_LF_EM4X70_UNLOCK, status, g_tag.data, sizeof(g_tag.data));
}
void em4x70_auth(const em4x70_data_t *etd, bool ledcontrol) {
int status = PM3_ESOFT;
uint8_t response[3] = {0};
g_deprecated_command_parity = false;
// Disable to prevent sending corrupted data to the tag.
if (g_deprecated_command_parity) {
DPRINTF_ALWAYS(("Use of `--par` option with `lf em 4x70 auth` is non-functional."));
// reply_ng(CMD_LF_EM4X70_WRITE, PM3_ENOTIMPL, NULL, 0);
// return;
}
init_tag();
em4x70_setup_read();
// Find the Tag
if (get_signalproperties() && find_em4x70_tag()) {
// Authenticate and get tag response
status = authenticate(etd->rnd, etd->frnd, response);
}
StopTicks();
lf_finalize(ledcontrol);
reply_ng(CMD_LF_EM4X70_AUTH, status, response, sizeof(response));
}
void em4x70_brute(const em4x70_data_t *etd, bool ledcontrol) {
int status = PM3_ESOFT;
uint8_t response[2] = {0};
g_deprecated_command_parity = false;
// Disable to prevent sending corrupted data to the tag.
if (g_deprecated_command_parity) {
DPRINTF_ALWAYS(("Use of `--par` option with `lf em 4x70 brute` is non-functional and may corrupt data on the tag."));
// reply_ng(CMD_LF_EM4X70_WRITE, PM3_ENOTIMPL, NULL, 0);
// return;
}
init_tag();
em4x70_setup_read();
// Find the Tag
if (get_signalproperties() && find_em4x70_tag()) {
// Bruteforce partial key
status = bruteforce(etd->address, etd->rnd, etd->frnd, etd->start_key, response);
}
StopTicks();
lf_finalize(ledcontrol);
reply_ng(CMD_LF_EM4X70_BRUTE, status, response, sizeof(response));
}
void em4x70_write_pin(const em4x70_data_t *etd, bool ledcontrol) {
int status = PM3_ESOFT;
g_deprecated_command_parity = false;
// Disable to prevent sending corrupted data to the tag.
if (g_deprecated_command_parity) {
DPRINTF_ALWAYS(("Use of `--par` option with `lf em 4x70 setpin` is non-functional and may corrupt data on the tag."));
// reply_ng(CMD_LF_EM4X70_WRITE, PM3_ENOTIMPL, NULL, 0);
// return;
}
init_tag();
em4x70_setup_read();
// Find the Tag
if (get_signalproperties() && find_em4x70_tag()) {
// Read ID (required for send_pin command)
if (em4x70_read_id()) {
// Write the pin
status = write((etd->pin) & 0xFFFF, EM4X70_PIN_WORD_UPPER);
if (status == PM3_SUCCESS) {
status = write((etd->pin >> 16) & 0xFFFF, EM4X70_PIN_WORD_LOWER);
}
if (status == PM3_SUCCESS) {
// Now Try to authenticate using the new PIN
// Send PIN
status = send_pin(etd->pin);
// If the write succeeded, read the rest of the tag
if (status == PM3_SUCCESS) {
// Read Tag
// ID doesn't change
em4x70_read_um1();
em4x70_read_um2();
}
}
}
}
StopTicks();
lf_finalize(ledcontrol);
reply_ng(CMD_LF_EM4X70_SETPIN, status, g_tag.data, sizeof(g_tag.data));
}
void em4x70_write_key(const em4x70_data_t *etd, bool ledcontrol) {
int status = PM3_ESOFT;
g_deprecated_command_parity = false;
// Disable to prevent sending corrupted data to the tag.
if (g_deprecated_command_parity) {
DPRINTF_ALWAYS(("Use of `--par` option with `lf em 4x70 setkey` is non-functional and may corrupt data on the tag."));
// reply_ng(CMD_LF_EM4X70_WRITE, PM3_ENOTIMPL, NULL, 0);
// return;
}
init_tag();
em4x70_setup_read();
// Find the Tag
if (get_signalproperties() && find_em4x70_tag()) {
// Read ID to ensure we can write to card
if (em4x70_read_id()) {
status = PM3_SUCCESS;
// Write each crypto block
for (int i = 0; i < 6; i++) {
uint16_t key_word = (etd->crypt_key[(i * 2) + 1] << 8) + etd->crypt_key[i * 2];
// Write each word, abort if any failure occurs
status = write(key_word, 9 - i);
if (status != PM3_SUCCESS) {
break;
}
}
// The client now has support for test authentication after
// writing a new key, thus allowing to verify that the new
// key was written correctly. This is what the datasheet
// suggests. Not currently implemented in the firmware.
// ID48LIB has no dependencies that would prevent this from
// being implemented directly within the firmware layer...
}
}
StopTicks();
lf_finalize(ledcontrol);
reply_ng(CMD_LF_EM4X70_SETKEY, status, g_tag.data, sizeof(g_tag.data));
}
Reference in a new issue View git blame Copy permalink