From 69d88ec4639d7bec0d3b226c2f4d2186703e9055 Mon Sep 17 00:00:00 2001 From: Martin Holst Swende Date: Sun, 30 Mar 2014 15:59:54 +0200 Subject: [PATCH 1/8] Major refactoring of lfops, removed a lot of duplicate code --- armsrc/lfops.c | 631 ++++++++++++++++++------------------------------- 1 file changed, 230 insertions(+), 401 deletions(-) diff --git a/armsrc/lfops.c b/armsrc/lfops.c index 76c4b44e..072961a2 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c @@ -15,32 +15,8 @@ #include "crc16.h" #include "string.h" -void AcquireRawAdcSamples125k(int divisor) -{ - if ( (divisor == 1) || (divisor < 0) || (divisor > 255) ) - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz - else if (divisor == 0) - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - else - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, divisor); - - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); - - // Connect the A/D to the peak-detected low-frequency path. - SetAdcMuxFor(GPIO_MUXSEL_LOPKD); - - // Give it a bit of time for the resonant antenna to settle. - SpinDelay(50); - - // Now set up the SSC to get the ADC samples that are now streaming at us. - FpgaSetupSsc(); - - // Now call the acquisition routine - DoAcquisition125k(); -} - // split into two routines so we can avoid timing issues after sending commands // -void DoAcquisition125k(void) +void DoAcquisition125k_internal(bool silent) { uint8_t *dest = (uint8_t *)BigBuf; int n = sizeof(BigBuf); 
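Review bot: The new `silent` parameter of `DoAcquisition125k_internal` is undocumented, and the only comment left above it ("split into two routines…") explains the old split rather than the flag; add `// silent: when true, skip the "buffer samples" debug print at the end of the acquisition` above the signature. The parameter is `bool`, so the file needs `<stdbool.h>` (or a header that pulls it in) — only `crc16.h` and `string.h` are visible in this hunk, so please confirm it is already included. The function body continues outside the hunk.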
@@ -60,8 +36,44 @@ void DoAcquisition125k(void) if (i >= n) break; } } - Dbprintf("buffer samples: %02x %02x %02x %02x %02x %02x %02x %02x ...", - dest[0], dest[1], dest[2], dest[3], dest[4], dest[5], dest[6], dest[7]); + if( ! silent) + { + Dbprintf("buffer samples: %02x %02x %02x %02x %02x %02x %02x %02x ...", + dest[0], dest[1], dest[2], dest[3], dest[4], dest[5], dest[6], dest[7]); + } +} + +void DoAcquisition125k(void) +{ + DoAcquisition125k_internal(false); +} + +void SetupToAcquireRawAdcSamples(int divisor) +{ + if ( (divisor == 1) || (divisor < 0) || (divisor > 255) ) + FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz + else if (divisor == 0) + FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz + else + FpgaSendCommand(FPGA_CMD_SET_DIVISOR, divisor); + + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + + // Connect the A/D to the peak-detected low-frequency path. + SetAdcMuxFor(GPIO_MUXSEL_LOPKD); + + // Give it a bit of time for the resonant antenna to settle. + SpinDelay(50); + + // Now set up the SSC to get the ADC samples that are now streaming at us. + FpgaSetupSsc(); +} + +void AcquireRawAdcSamples125k(int divisor) +{ + SetupToAcquireRawAdcSamples(divisor); + // Now call the acquisition routine + DoAcquisition125k_internal(false); } void ModThenAcquireRawAdcSamples125k(int delay_off, int period_0, int period_1, uint8_t *command) @@ -593,15 +605,8 @@ void CmdHIDsimTAG(int hi, int lo, int ledcontrol) if (ledcontrol) LED_A_OFF(); } - - -// loop to capture raw HID waveform then FSK demodulate the TAG ID from it -void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) +void setup_for_125khz() { - uint8_t *dest = (uint8_t *)BigBuf; - int m=0, n=0, i=0, idx=0, found=0, lastval=0; - uint32_t hi2=0, hi=0, lo=0; - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); 
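Review bot: `SetupToAcquireRawAdcSamples` carries its divisor contract only in trailing comments on each branch; a header comment such as `// divisor: 0 selects 125 kHz (95); 1, negative or >255 select 134.8 kHz (88); other values are sent as-is` would make it visible to the new callers. A point of style: `AcquireRawAdcSamples125k` calls `DoAcquisition125k_internal(false)` although this hunk introduces `DoAcquisition125k()` as exactly that wrapper; calling the public wrapper keeps a single entry point for the non-silent case.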
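Review bot: `void setup_for_125khz()` declares an unprototyped function; in C the parameter list should be `(void)`. As far as the visible part shows, its body (`FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95)`, `FpgaWriteConfWord`, `SetAdcMuxFor`, `SpinDelay(50)`, `FpgaSetupSsc`) repeats `SetupToAcquireRawAdcSamples(0)` from the preceding hunk line for line, so this refactor leaves a second copy of the sequence; `static void setup_for_125khz(void) { SetupToAcquireRawAdcSamples(0); }` would remove it. The function continues past the end of the hunk.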
@@ -614,6 +619,115 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) // Now set up the SSC to get the ADC samples that are now streaming at us. FpgaSetupSsc(); +} +void get_samples(int ledcontrol, uint8_t* dest, int size) +{ + int i = 0; + + memset(dest,128,size); + for(;;) { + if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { + AT91C_BASE_SSC->SSC_THR = 0x43; + if (ledcontrol) LED_D_ON(); + } + if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { + dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR; + // we don't care about actual value, only if it's more or less than a + // threshold essentially we capture zero crossings for later analysis + if(dest[i] < 127) dest[i] = 0; else dest[i] = 1; + i++; + if (ledcontrol) LED_D_OFF(); + if(i >= size) { + break; + } + } + } +} + +uint8_t fsk_demod(uint8_t * dest, int size) +{ + uint8_t last_transition = 0; + uint8_t idx = 1; + + // we don't care about actual value, only if it's more or less than a + // threshold essentially we capture zero crossings for later analysis + uint8_t threshold_value = 127; + + WDT_HIT(); + + // sync to first lo-hi transition, and threshold + + //Need to threshold first sample + if(dest[0] < threshold_value) dest[0] = 0; + else dest[0] = 1; + + uint8_t numBits = 0; + // count cycles between consecutive lo-hi transitions, there should be either 8 (fc/8) + // or 10 (fc/10) cycles but in practice due to noise etc we may end up with with anywhere + // between 7 to 11 cycles so fuzz it by treat anything <9 as 8 and anything else as 10 + for(idx = 1; idx < size; idx++) { + + // threshold current value + if (dest[idx] < threshold_value) dest[idx] = 0; + else dest[idx] = 1; + + // Check for 0->1 transition + if (dest[idx-1] < dest[idx]) { // 0 -> 1 transition + + if (idx-last_transition < 9) { + dest[numBits]=1; + } else { + dest[numBits]=0; + } + last_transition = idx; + numBits++; + } + } + return numBits; //Actually, it returns the number of bytes, but each byte represents a bit: 1 or 0 +} 
+ +uint8_t aggregate_bits(uint8_t *dest,uint8_t size, uint8_t h2l_crossing_value,uint8_t l2h_crossing_value, uint8_t maxConsequtiveBits ) +{ + uint8_t lastval=dest[0]; + uint8_t idx=0; + uint8_t numBits=0; + uint8_t n=1, i=0; + + for( idx=1; idx < size; idx++) { + + if (dest[idx]==lastval) { + n++; + continue; + } + //if lastval was 1, we have a 1->0 crossing + if ( lastval ) { + n=(n+1)/7; + } else {// 0->1 crossing + n=(n+1)/6; + } + if(n < 13) + { + memset(dest+i, lastval ^ 1, n); + numBits += n; + } + n=0; + lastval=dest[idx]; + }//end for + + return numBits; + +} +// loop to capture raw HID waveform then FSK demodulate the TAG ID from it +void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) +{ + uint8_t *dest = (uint8_t *)BigBuf; + + int size=0, idx=0, found=0; + uint32_t hi2=0, hi=0, lo=0; + + // Configure to go in 125Khz listen mode + SetupToAcquireRawAdcSamples(0); + for(;;) { WDT_HIT(); if (ledcontrol) 
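Review bot: `fsk_demod` indexes with `uint8_t idx` and `uint8_t last_transition` while `size` is an `int` that the caller sets to `sizeof(BigBuf)`; for any `size` above 255 `idx++` wraps to 0 and `for(idx = 1; idx < size; idx++)` never terminates, and `numBits` (also `uint8_t`, and the return value) overflows the same way — use `uint32_t last_transition = 0; uint32_t idx = 1;` and `size_t numBits = 0;` with a `size_t` return. `aggregate_bits` has the same `uint8_t size` truncation and, more seriously, its write index `i` is never advanced, so every run is `memset` at `dest+0` and only the last run survives; the `h2l_crossing_value`/`l2h_crossing_value`/`maxConsequtiveBits` parameters are ignored in favour of the literals 7, 6 and 13, which contradicts the caller's `aggregate_bits(dest,size, 6,5,5)` and its "sets of 6 / sets of 5" comment, and `n` starts at 1 but is reset to 0 after each run, so the first run is counted one sample longer than later ones. `get_samples` is added but, as far as this patch shows, nothing calls it (`CmdHIDdemodFSK` uses `DoAcquisition125k_internal(true)`). A rewrite of `aggregate_bits` that advances the write index, uses the parameters and counts runs uniformly follows; the bit polarity is kept as in the patch and should be confirmed. `CmdHIDdemodFSK` starts at the end of this hunk and continues outside it.
```c
size_t aggregate_bits(uint8_t *dest, size_t size, uint8_t h2l_crossing_value, uint8_t l2h_crossing_value, uint8_t maxConsequtiveBits)
{
    uint8_t lastval = dest[0];
    size_t numBits = 0;   /* write index; never exceeds the read index idx */
    uint32_t n = 1;       /* samples in the current run, dest[0] included */

    /* crossing values come from the caller and must be non-zero */
    for (size_t idx = 1; idx < size; idx++) {
        if (dest[idx] == lastval) {
            n++;
            continue;
        }
        /* run ended: lastval==1 is a 1->0 crossing, lastval==0 a 0->1 crossing */
        n = (n + 1) / (lastval ? h2l_crossing_value : l2h_crossing_value);
        if (n < maxConsequtiveBits) {
            memset(dest + numBits, lastval ^ 1, n);   /* polarity as in the patch -- confirm */
            numBits += n;
        }
        n = 1;            /* dest[idx] is the first sample of the next run */
        lastval = dest[idx];
    }
    return numBits;
}
```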
@@ -625,170 +739,64 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) return; } - i = 0; - m = sizeof(BigBuf); - memset(dest,128,m); - for(;;) { - if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - AT91C_BASE_SSC->SSC_THR = 0x43; - if (ledcontrol) - LED_D_ON(); - } - if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { - dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - // we don't care about actual value, only if it's more or less than a - // threshold essentially we capture zero crossings for later analysis - if(dest[i] < 127) dest[i] = 0; else dest[i] = 1; - i++; - if (ledcontrol) - LED_D_OFF(); - if(i >= m) { - break; - } - } - } + + DoAcquisition125k_internal(true); + size = sizeof(BigBuf); // FSK demodulator + size = fsk_demod(dest, size); - // sync to first lo-hi transition - for( idx=1; idx0 : fc/8 in sets of 6 + // 0->1 : fc/10 in sets of 5 + size = aggregate_bits(dest,size, 6,5,5); + WDT_HIT(); // final loop, go over previously decoded manchester data and decode into usable tag ID // 111000 bit pattern represent start of frame, 01 pattern represents a 1 and 10 represents a 0 - for( idx=0; idx>1) & 0xFFFF); - } - else { - Dbprintf("TAG ID: %x%08x (%d)", - (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); - } - /* if we're only looking for one tag */ - if (findone) - { - *high = hi; - *low = lo; - return; - } - hi2=0; - hi=0; - lo=0; - found=0; - } - } + uint8_t frame_marker_mask[] = {1,1,1,0,0,0}; + + for( idx=0; idx < size-sizeof(frame_marker_mask); idx++) { + if (found) { - if (dest[idx] && (!dest[idx+1]) ) { - hi2=(hi2<<1)|(hi>>31); - hi=(hi<<1)|(lo>>31); - lo=(lo<<1)|0; - } else if ( (!dest[idx]) && dest[idx+1]) { - hi2=(hi2<<1)|(hi>>31); - hi=(hi<<1)|(lo>>31); - lo=(lo<<1)|1; - } else { + if(dest[idx] == dest[idx+1]) + {// 1 1 or 00 found=0; - hi2=0; + hi2=0; hi=0; lo=0; + }else + { + //Shift in a bit. 
Start by shifting high registers + hi2 = (hi2<<1)|(hi>>31); + hi = (hi<<1)|(lo>>31); + //Then, shift in a 0 or one into low + if (dest[idx] && !dest[idx+1]) // 1 0 + lo=(lo<<1)|0; + else // 0 1 + lo=(lo<<1)|1; } idx++; } - if ( dest[idx] && dest[idx+1] && dest[idx+2] && (!dest[idx+3]) && (!dest[idx+4]) && (!dest[idx+5]) ) - { + + // search for a start of frame marker + if ( memcmp(dest+idx, frame_marker_mask, sizeof(frame_marker_mask)) == 0) + { // Found start of frame marker found=1; - idx+=6; - if (found && (hi|lo)) { - if (hi2 != 0){ - Dbprintf("TAG ID: %x%08x%08x (%d)", - (unsigned int) hi2, (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); - } - else { - Dbprintf("TAG ID: %x%08x (%d)", - (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); - } + idx+=sizeof(frame_marker_mask); + if (found && (hi2|hi|lo)) { + if (hi2 != 0){ + Dbprintf("TAG ID: %x%08x%08x (%d)", + (unsigned int) hi2, (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); + } + else { + Dbprintf("TAG ID: %x%08x (%d)", + (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); + } /* if we're only looking for one tag */ if (findone) { @@ -796,7 +804,7 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) *low = lo; return; } - hi2=0; + hi2=0; hi=0; lo=0; found=0; 
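Review bot: The bound `idx < size-sizeof(frame_marker_mask)` mixes the `int size` with a `size_t`, so the subtraction is done unsigned; whenever fewer than six bits come back from `aggregate_bits` (its return type is `uint8_t`, so small values are expected) the bound wraps to a huge value and the loop reads past the demodulated data in `BigBuf`. Write the test without the subtraction: `for( idx=0; idx + sizeof(frame_marker_mask) < size; idx++) {`. The comments `// 1->0 : fc/8 in sets of 6` and `// 0->1 : fc/10 in sets of 5` document divisors that `aggregate_bits` as added in this patch does not use (it hard-codes 7 and 6), so one of the two should change. `CmdHIDdemodFSK` begins before this hunk.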
@@ -807,25 +815,26 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) } } +uint32_t bytebits_to_byte(uint8_t* src, int numbits) +{ + uint32_t num = 0; + for(int i = 0 ; i < numbits ; i++) + { + num = (num << 1) | (*src); + src++; + } + return num; +} + + void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) { uint8_t *dest = (uint8_t *)BigBuf; - int m=0, n=0, i=0, idx=0, lastval=0; - int found=0; + int size=0, idx=0; uint32_t code=0, code2=0; //uint32_t hi2=0, hi=0, lo=0; - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); - - // Connect the A/D to the peak-detected low-frequency path. - SetAdcMuxFor(GPIO_MUXSEL_LOPKD); - - // Give it a bit of time for the resonant antenna to settle. - SpinDelay(50); - - // Now set up the SSC to get the ADC samples that are now streaming at us. - FpgaSetupSsc(); + setup_for_125khz(); for(;;) { WDT_HIT(); 
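Review bot: `bytebits_to_byte` has no documentation of its preconditions: each `src[i]` must be exactly 0 or 1, because `(num << 1) | (*src)` ORs the whole byte in, and `numbits` must not exceed 32, since earlier bits are shifted out of the `uint32_t` silently. Add above the definition `// Packs numbits bytes holding one bit each (0 or 1, MSB first) into a uint32_t; numbits must be <= 32.`, and consider `num = (num << 1) | (*src & 1);` so a stray non-binary byte cannot corrupt the whole value.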
@@ -838,170 +847,24 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) return; } - i = 0; - m = sizeof(BigBuf); - memset(dest,128,m); - for(;;) { - if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - AT91C_BASE_SSC->SSC_THR = 0x43; - if (ledcontrol) - LED_D_ON(); - } - if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { - dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - // we don't care about actual value, only if it's more or less than a - // threshold essentially we capture zero crossings for later analysis - if(dest[i] < 127) dest[i] = 0; else dest[i] = 1; - i++; - if (ledcontrol) - LED_D_OFF(); - if(i >= m) { - break; - } - } - } + DoAcquisition125k_internal(true); + size = sizeof(BigBuf); // FSK demodulator - - // sync to first lo-hi transition - for( idx=1; idx0 : fc/8 in sets of 7 + // 0->1 : fc/10 in sets of 6 + size = aggregate_bits(dest, size, 7,6,13); + WDT_HIT(); - for( idx=0; idx Date: Mon, 31 Mar 2014 17:57:14 +0200 Subject: [PATCH 2/8] Refactoring low frequency operations, now 'lf hid fskdemod' is more stable. Also did changes to handling ioprox tags, this is yet untested, so until it's been tested it should be kept off 'stable' branch --- armsrc/lfops.c | 180 ++++++++++++++++----------------------------- client/proxmark3.c | 6 +- 2 files changed, 70 insertions(+), 116 deletions(-) diff --git a/armsrc/lfops.c b/armsrc/lfops.c index 072961a2..397ea847 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c 
@@ -605,55 +605,16 @@ void CmdHIDsimTAG(int hi, int lo, int ledcontrol) if (ledcontrol) LED_A_OFF(); } -void setup_for_125khz() + +size_t fsk_demod(uint8_t * dest, size_t size) { - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); - - // Connect the A/D to the peak-detected low-frequency path. - SetAdcMuxFor(GPIO_MUXSEL_LOPKD); - - // Give it a bit of time for the resonant antenna to settle. - SpinDelay(50); - - // Now set up the SSC to get the ADC samples that are now streaming at us. - FpgaSetupSsc(); - -} -void get_samples(int ledcontrol, uint8_t* dest, int size) -{ - int i = 0; - - memset(dest,128,size); - for(;;) { - if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - AT91C_BASE_SSC->SSC_THR = 0x43; - if (ledcontrol) LED_D_ON(); - } - if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { - dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - // we don't care about actual value, only if it's more or less than a - // threshold essentially we capture zero crossings for later analysis - if(dest[i] < 127) dest[i] = 0; else dest[i] = 1; - i++; - if (ledcontrol) LED_D_OFF(); - if(i >= size) { - break; - } - } - } -} - -uint8_t fsk_demod(uint8_t * dest, int size) -{ - uint8_t last_transition = 0; - uint8_t idx = 1; + uint32_t last_transition = 0; + uint32_t idx = 1; // we don't care about actual value, only if it's more or less than a // threshold essentially we capture zero crossings for later analysis uint8_t threshold_value = 127; - WDT_HIT(); // sync to first lo-hi transition, and threshold 
@@ -661,12 +622,11 @@ uint8_t fsk_demod(uint8_t * dest, int size) if(dest[0] < threshold_value) dest[0] = 0; else dest[0] = 1; - uint8_t numBits = 0; + size_t numBits = 0; // count cycles between consecutive lo-hi transitions, there should be either 8 (fc/8) // or 10 (fc/10) cycles but in practice due to noise etc we may end up with with anywhere // between 7 to 11 cycles so fuzz it by treat anything <9 as 8 and anything else as 10 for(idx = 1; idx < size; idx++) { - // threshold current value if (dest[idx] < threshold_value) dest[idx] = 0; else dest[idx] = 1; @@ -686,12 +646,13 @@ uint8_t fsk_demod(uint8_t * dest, int size) return numBits; //Actually, it returns the number of bytes, but each byte represents a bit: 1 or 0 } -uint8_t aggregate_bits(uint8_t *dest,uint8_t size, uint8_t h2l_crossing_value,uint8_t l2h_crossing_value, uint8_t maxConsequtiveBits ) + +size_t aggregate_bits(uint8_t *dest,size_t size, uint8_t h2l_crossing_value,uint8_t l2h_crossing_value, uint8_t maxConsequtiveBits ) { uint8_t lastval=dest[0]; - uint8_t idx=0; - uint8_t numBits=0; - uint8_t n=1, i=0; + uint32_t idx=0; + size_t numBits=0; + uint32_t n=1; for( idx=1; idx < size; idx++) { @@ -700,14 +661,16 @@ uint8_t aggregate_bits(uint8_t *dest,uint8_t size, uint8_t h2l_crossing_value,ui continue; } //if lastval was 1, we have a 1->0 crossing - if ( lastval ) { - n=(n+1)/7; + if ( dest[idx-1] ) { + n=(n+1) / h2l_crossing_value; } else {// 0->1 crossing - n=(n+1)/6; + n=(n+1) / l2h_crossing_value; } - if(n < 13) + if (n == 0) n = 1; + + if(n < maxConsequtiveBits) { - memset(dest+i, lastval ^ 1, n); + memset(dest+numBits, dest[idx-1] , n); numBits += n; } n=0; 
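Review bot: In `aggregate_bits` the run still being counted when the `for` loop ends is never emitted — the samples after the last transition are dropped instead of being converted with the same `(n+1) / …` rule — and the run counter is asymmetric: `n` starts at 1 for the first run but is reset with `n=0;` after every transition, so later runs are counted one sample shorter. Reset with `n=1;` so all runs are counted alike, and either flush the trailing run after the loop or add a comment stating that the tail is intentionally discarded. The `memset` value also changed from `lastval ^ 1` to `dest[idx-1]` (which equals `lastval`), i.e. the bit polarity was inverted; a comment on which crossing maps to a 1 would help, since the commit message only says the output is "more stable". The function continues outside the hunk.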
@@ -722,34 +685,26 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) { uint8_t *dest = (uint8_t *)BigBuf; - int size=0, idx=0, found=0; + size_t size=0,idx=0; //, found=0; uint32_t hi2=0, hi=0, lo=0; - // Configure to go in 125Khz listen mode - SetupToAcquireRawAdcSamples(0); - for(;;) { + while(!BUTTON_PRESS()) { + + // Configure to go in 125Khz listen mode + SetupToAcquireRawAdcSamples(0); + WDT_HIT(); - if (ledcontrol) - LED_A_ON(); - if(BUTTON_PRESS()) { - DbpString("Stopped"); - if (ledcontrol) - LED_A_OFF(); - return; - } - + if (ledcontrol) LED_A_ON(); DoAcquisition125k_internal(true); size = sizeof(BigBuf); // FSK demodulator size = fsk_demod(dest, size); - WDT_HIT(); // we now have a set of cycle counts, loop over previous results and aggregate data into bit patterns - // 1->0 : fc/8 in sets of 6 // 0->1 : fc/10 in sets of 5 size = aggregate_bits(dest,size, 6,5,5); 
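Review bot: `SetupToAcquireRawAdcSamples(0)` now runs at the top of every `while(!BUTTON_PRESS())` iteration; per its definition in the first patch on this page it re-sends the divisor, rewrites the FPGA config word, switches the ADC mux and waits `SpinDelay(50)` for the antenna, so each pass pays that setup again — hoist it above the loop (the same applies to the `CmdIOdemodFSK` hunk at `@@ -830,22 +780,18 @@`). `size_t size=0,idx=0; //, found=0;` leaves commented-out code in the declaration; drop the trailing comment. `CmdHIDdemodFSK` continues past the hunk.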
@@ -759,36 +714,32 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) // final loop, go over previously decoded manchester data and decode into usable tag ID // 111000 bit pattern represent start of frame, 01 pattern represents a 1 and 10 represents a 0 uint8_t frame_marker_mask[] = {1,1,1,0,0,0}; + int numshifts = 0; + idx = 0; + while( idx + sizeof(frame_marker_mask) < size) { + // search for a start of frame marker + if ( memcmp(dest+idx, frame_marker_mask, sizeof(frame_marker_mask)) == 0) + { // frame marker found + idx+=sizeof(frame_marker_mask); - for( idx=0; idx < size-sizeof(frame_marker_mask); idx++) { - - if (found) { - if(dest[idx] == dest[idx+1]) - {// 1 1 or 00 - found=0; - hi2=0; - hi=0; - lo=0; - }else - { - //Shift in a bit. Start by shifting high registers + while(dest[idx] != dest[idx+1] && idx < size-2) + { // Keep going until next frame marker (or error) + // Shift in a bit. Start by shifting high registers hi2 = (hi2<<1)|(hi>>31); hi = (hi<<1)|(lo>>31); //Then, shift in a 0 or one into low if (dest[idx] && !dest[idx+1]) // 1 0 lo=(lo<<1)|0; else // 0 1 - lo=(lo<<1)|1; + lo=(lo<<1)| + 1; + numshifts ++; + idx += 2; } - idx++; - } - - // search for a start of frame marker - if ( memcmp(dest+idx, frame_marker_mask, sizeof(frame_marker_mask)) == 0) - { // Found start of frame marker - found=1; - idx+=sizeof(frame_marker_mask); - if (found && (hi2|hi|lo)) { + //Dbprintf("Num shifts: %d ", numshifts); + // Hopefully, we read a tag and hit upon the next frame marker + if ( memcmp(dest+idx, frame_marker_mask, sizeof(frame_marker_mask)) == 0) + { if (hi2 != 0){ Dbprintf("TAG ID: %x%08x%08x (%d)", (unsigned int) hi2, (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); 
@@ -797,22 +748,21 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) Dbprintf("TAG ID: %x%08x (%d)", (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); } - /* if we're only looking for one tag */ - if (findone) - { - *high = hi; - *low = lo; - return; - } - hi2=0; - hi=0; - lo=0; - found=0; } + + // reset + hi2 = hi = lo = 0; + numshifts = 0; + }else + { + idx++; } } WDT_HIT(); + } + DbpString("Stopped"); + if (ledcontrol) LED_A_OFF(); } uint32_t bytebits_to_byte(uint8_t* src, int numbits) @@ -830,22 +780,18 @@ uint32_t bytebits_to_byte(uint8_t* src, int numbits) void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) { uint8_t *dest = (uint8_t *)BigBuf; - int size=0, idx=0; + + size_t size=0, idx=0; uint32_t code=0, code2=0; - //uint32_t hi2=0, hi=0, lo=0; - setup_for_125khz(); - for(;;) { + while(!BUTTON_PRESS()) { + + // Configure to go in 125Khz listen mode + SetupToAcquireRawAdcSamples(0); + WDT_HIT(); - if (ledcontrol) - LED_A_ON(); - if(BUTTON_PRESS()) { - DbpString("Stopped"); - if (ledcontrol) - LED_A_OFF(); - return; - } + if (ledcontrol) LED_A_ON(); DoAcquisition125k_internal(true); size = sizeof(BigBuf); @@ -853,6 +799,7 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) // FSK demodulator size = fsk_demod(dest, size); WDT_HIT(); + // we now have a set of cycle counts, loop over previous results and aggregate data into bit patterns // 1->0 : fc/8 in sets of 7 // 0->1 : fc/10 in sets of 6 @@ -860,6 +807,7 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) WDT_HIT(); + //Handle the data uint8_t mask[] = {0,0,0,0,0,0,0,0,0,1}; for( idx=0; idx < size - 64; idx++) { @@ -890,8 +838,10 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) return; } } + WDT_HIT(); } - WDT_HIT(); + DbpString("Stopped"); + if (ledcontrol) LED_A_OFF(); } /*------------------------------ 
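Review bot: `while(dest[idx] != dest[idx+1] && idx < size-2)` evaluates `dest[idx+1]` before the bound is checked, so the last iteration can read one past the demodulated data; swap the operands: `while(idx < size-2 && dest[idx] != dest[idx+1])`. The same line is still present as context in the `@@ -748,7 +744,8 @@` hunk of the fifth patch, whose new `if(idx + sizeof(frame_marker_mask) < size)` guard covers only the following `memcmp`. `lo=(lo<<1)| + 1;` is `(lo<<1) | (+1)`, which works but reads like a typo; write `lo = (lo<<1) | 1;`. `CmdHIDdemodFSK` starts before this hunk.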
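Review bot: Removing the `if (findone) { *high = hi; *low = lo; return; }` block leaves `findone`, `high` and `low` in `CmdHIDdemodFSK`'s signature with no effect: the function now returns only when the button is pressed and never hands the decoded ID back through `*high`/`*low`. If a single-shot read is still wanted (the signature, and the `return;` that the `CmdIOdemodFSK` hunk at `@@ -890,8 +838,10 @@` keeps inside its loop, suggest it is), restore the three lines after the `Dbprintf` calls; otherwise drop the unused parameters and update the caller rather than silently ignoring them. The function begins before this hunk.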
diff --git a/client/proxmark3.c b/client/proxmark3.c index 528cae34..bf0f3817 100644 --- a/client/proxmark3.c +++ b/client/proxmark3.c @@ -47,7 +47,11 @@ void SendCommand(UsbCommand *c) { PrintAndLog("Sending bytes to proxmark failed - offline"); return; } - + /** + The while-loop below causes hangups at times, when the pm3 unit is unresponsive + or disconnected. The main console thread is alive, but comm thread just spins here. + Not good.../holiman + **/ while(txcmd_pending); txcmd = *c; txcmd_pending = true; From 1a5a0d75909562e37b23e6cfd97f0d88206eeac6 Mon Sep 17 00:00:00 2001 From: Martin Holst Swende Date: Fri, 24 Oct 2014 20:53:43 +0200 Subject: [PATCH 3/8] Fixed compilation issues, but functionality not tested --- armsrc/lfops.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/armsrc/lfops.c b/armsrc/lfops.c index d29ec375..3478932a 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c @@ -81,10 +81,7 @@ void AcquireRawAdcSamples125k(int divisor) void SnoopLFRawAdcSamples(int divisor, int trigger_threshold) { LFSetupFPGAForADC(divisor, false); - DoAcquisition125k(trigger_threshold, false); -} - - + DoAcquisition125k(trigger_threshold); } void ModThenAcquireRawAdcSamples125k(int delay_off, int period_0, int period_1, uint8_t *command) @@ -706,12 +703,12 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) while(!BUTTON_PRESS()) { // Configure to go in 125Khz listen mode - LFSetupFPGAForADC(0, true) + LFSetupFPGAForADC(0, true); WDT_HIT(); if (ledcontrol) LED_A_ON(); - DoAcquisition125k_internal(true); + DoAcquisition125k_internal(-1,true); size = sizeof(BigBuf); // FSK demodulator @@ -807,7 +804,7 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) WDT_HIT(); if (ledcontrol) LED_A_ON(); - DoAcquisition125k_internal(true); + DoAcquisition125k_internal(-1,true); size = sizeof(BigBuf); // FSK demodulator From b225678574c43cd109503f0b2d94f70499812c67 Mon Sep 17 00:00:00 2001 
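Review bot: The added comment documents that `while(txcmd_pending);` can spin forever when the device is unresponsive or unplugged, but the busy-wait itself is unchanged, so the hang the comment describes remains. Bound the wait: loop with a short sleep and an iteration limit, and on expiry report through `PrintAndLog` and return, as the offline branch just above already does; how `txcmd_pending` is cleared by the comm thread is not visible here, so the limit needs checking against that side. A `/** ... **/` block is Doxygen style; a plain `/* ... */` or `//` comment is conventional for a note like this.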
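Review bot: `DoAcquisition125k_internal(-1,true)` passes a bare `-1` as the trigger threshold with nothing saying that a negative value means "no trigger"; the same literal appears in the `@@ -807,7 +804,7 @@` hunk of this patch and in `AcquireRawAdcSamples125k` in the fourth patch. Give it a name next to the function — a constant such as `LF_NO_TRIGGER_THRESHOLD` (constructed name) set to -1 — and document it on `DoAcquisition125k_internal`. `CmdHIDdemodFSK` continues outside the hunk.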
From: Martin Holst Swende Date: Fri, 24 Oct 2014 21:12:31 +0200 Subject: [PATCH 4/8] Some minor changes and some documentation --- armsrc/lfops.c | 54 +++++++++++++++++++++++++++++++------------------- 1 file changed, 34 insertions(+), 20 deletions(-) diff --git a/armsrc/lfops.c b/armsrc/lfops.c index 3478932a..ba9015ee 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c @@ -15,7 +15,13 @@ #include "crc16.h" #include "string.h" -// split into two routines so we can avoid timing issues after sending commands // + +/** +* Does the sample acquisition. If threshold is specified, the actual sampling +* is not commenced until the threshold has been reached. +* @param trigger_threshold - the threshold +* @param silent - is true, now outputs are made. If false, dbprints the status +*/ void DoAcquisition125k_internal(int trigger_threshold,bool silent) { uint8_t *dest = (uint8_t *)BigBuf; @@ -46,12 +52,21 @@ void DoAcquisition125k_internal(int trigger_threshold,bool silent) } } +/** +* Perform sample aquisition. +*/ void DoAcquisition125k(int trigger_threshold) { DoAcquisition125k_internal(trigger_threshold, false); } -//void SetupToAcquireRawAdcSamples(int divisor) +/** +* Setup the FPGA to listen for samples. This method downloads the FPGA bitstream +* if not already loaded, sets divisor and starts up the antenna. +* @param divisor : 1, 88> 255 or negative ==> 134.8 KHz +* 0 or 95 ==> 125 KHz +* +**/ void LFSetupFPGAForADC(int divisor, bool lf_field) { FpgaDownloadAndGo(FPGA_BITSTREAM_LF); 
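Review bot: The new doc comment says `@param silent - is true, now outputs are made`, which reads as the opposite of the behaviour (the first patch on this page shows the debug print is skipped when `silent` is true); change it to `@param silent - if true, no output is made; if false, the first sample bytes are printed with Dbprintf`. It should also say how an absent threshold is expressed, since callers pass `-1`: something like `@param trigger_threshold - negative means sample immediately` (the comparison itself lies outside the hunk, so confirm the wording against it). In the `@@ -46,12 +52,21 @@` hunk, "aquisition" is misspelled, the divisor line `1, 88> 255 or negative ==> 134.8 KHz` is garbled (per the code: 1, negative, or >255 selects 134.8 kHz), and the `lf_field` parameter of `LFSetupFPGAForADC` is undocumented.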
@@ -71,13 +86,19 @@ void LFSetupFPGAForADC(int divisor, bool lf_field) // Now set up the SSC to get the ADC samples that are now streaming at us. FpgaSetupSsc(); } - +/** +* Initializes the FPGA, and acquires the samples. +**/ void AcquireRawAdcSamples125k(int divisor) { LFSetupFPGAForADC(divisor, true); // Now call the acquisition routine DoAcquisition125k_internal(-1,false); } +/** +* Initializes the FPGA for snoop-mode, and acquires the samples. +**/ + void SnoopLFRawAdcSamples(int divisor, int trigger_threshold) { LFSetupFPGAForADC(divisor, false); @@ -86,28 +107,25 @@ void SnoopLFRawAdcSamples(int divisor, int trigger_threshold) void ModThenAcquireRawAdcSamples125k(int delay_off, int period_0, int period_1, uint8_t *command) { - int at134khz; /* Make sure the tag is reset */ FpgaDownloadAndGo(FPGA_BITSTREAM_LF); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); SpinDelay(2500); + + int divisor_used = 95; // 125 KHz // see if 'h' was specified + if (command[strlen((char *) command) - 1] == 'h') - at134khz = TRUE; - else - at134khz = FALSE; + divisor_used = 88; // 134.8 KHz - if (at134khz) - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz - else - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz + FpgaSendCommand(FPGA_CMD_SET_DIVISOR, divisor_used); FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); - // Give it a bit of time for the resonant antenna to settle. SpinDelay(50); + // And a little more time for the tag to fully power up SpinDelay(2000); @@ -119,10 +137,7 @@ void ModThenAcquireRawAdcSamples125k(int delay_off, int period_0, int period_1, FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LED_D_OFF(); SpinDelayUs(delay_off); - if (at134khz) - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz - else - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz + FpgaSendCommand(FPGA_CMD_SET_DIVISOR, divisor_used); FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); LED_D_ON(); 
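Review bot: `command[strlen((char *) command) - 1] == 'h'` reads `command[-1]` when the command string is empty, since `strlen` returns 0 and the `size_t` subtraction wraps; the check is pre-existing but is re-emitted on the new side here. Guard the length first: `size_t len = strlen((char *) command);` / `if (len > 0 && command[len - 1] == 'h')`. `divisor_used` is a good replacement for the `at134khz` flag; a comment like `// 'h' suffix on the command selects the 134.8 kHz divisor` would make the convention explicit. `ModThenAcquireRawAdcSamples125k` continues past the hunk (the `@@ -119,10 +137,7 @@` and `@@ -134,10 +149,7 @@` hunks).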
@@ -134,10 +149,7 @@ void ModThenAcquireRawAdcSamples125k(int delay_off, int period_0, int period_1, FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LED_D_OFF(); SpinDelayUs(delay_off); - if (at134khz) - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz - else - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz + FpgaSendCommand(FPGA_CMD_SET_DIVISOR, divisor_used); FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); @@ -702,9 +714,11 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) while(!BUTTON_PRESS()) { + /** TODO! This should probably be moved outside the loop /Martin */ // Configure to go in 125Khz listen mode LFSetupFPGAForADC(0, true); + WDT_HIT(); if (ledcontrol) LED_A_ON(); From 9cc8a1e5882d22cfded4f0439cab99de07aa5841 Mon Sep 17 00:00:00 2001 From: Martin Holst Swende Date: Sat, 25 Oct 2014 22:42:27 +0200 Subject: [PATCH 5/8] Some more docs, also made lf hid fskdemod a bit more stable. Should be no more false readings now --- armsrc/lfops.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/armsrc/lfops.c b/armsrc/lfops.c index ba9015ee..74f04913 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c @@ -711,14 +711,11 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) size_t size=0,idx=0; //, found=0; uint32_t hi2=0, hi=0, lo=0; + // Configure to go in 125Khz listen mode + LFSetupFPGAForADC(95, true); while(!BUTTON_PRESS()) { - /** TODO! This should probably be moved outside the loop /Martin */ - // Configure to go in 125Khz listen mode - LFSetupFPGAForADC(0, true); - - WDT_HIT(); if (ledcontrol) LED_A_ON(); @@ -727,7 +724,6 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) // FSK demodulator size = fsk_demod(dest, size); - WDT_HIT(); // we now have a set of cycle counts, loop over previous results and aggregate data into bit patterns // 1->0 : fc/8 in sets of 6 
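Review bot: This hunk and `@@ -727,7 +724,6 @@` remove two of the `WDT_HIT()` calls inside `CmdHIDdemodFSK`'s `while(!BUTTON_PRESS())` loop, so acquiring `sizeof(BigBuf)` samples and demodulating them now run between the kick at the end of the loop body and the next one; whether the watchdog period tolerates that is not visible here and is worth confirming on hardware. If the removal is deliberate, a one-line `// WDT is kicked once per iteration, at the end of the loop body` at the loop head would record it. The function continues outside the hunk.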
@@ -748,7 +744,8 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) idx+=sizeof(frame_marker_mask); while(dest[idx] != dest[idx+1] && idx < size-2) - { // Keep going until next frame marker (or error) + { + // Keep going until next frame marker (or error) // Shift in a bit. Start by shifting high registers hi2 = (hi2<<1)|(hi>>31); hi = (hi<<1)|(lo>>31); @@ -763,16 +760,20 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) } //Dbprintf("Num shifts: %d ", numshifts); // Hopefully, we read a tag and hit upon the next frame marker - if ( memcmp(dest+idx, frame_marker_mask, sizeof(frame_marker_mask)) == 0) + if(idx + sizeof(frame_marker_mask) < size) { - if (hi2 != 0){ - Dbprintf("TAG ID: %x%08x%08x (%d)", - (unsigned int) hi2, (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); - } - else { - Dbprintf("TAG ID: %x%08x (%d)", - (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); + if ( memcmp(dest+idx, frame_marker_mask, sizeof(frame_marker_mask)) == 0) + { + if (hi2 != 0){ + Dbprintf("TAG ID: %x%08x%08x (%d)", + (unsigned int) hi2, (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); + } + else { + Dbprintf("TAG ID: %x%08x (%d)", + (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); + } } + } // reset @@ -809,11 +810,11 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) size_t size=0, idx=0; uint32_t code=0, code2=0; + // Configure to go in 125Khz listen mode + LFSetupFPGAForADC(95, true); while(!BUTTON_PRESS()) { - // Configure to go in 125Khz listen mode - LFSetupFPGAForADC(0, true); WDT_HIT(); if (ledcontrol) LED_A_ON(); @@ -823,7 +824,6 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) // FSK demodulator size = fsk_demod(dest, size); - WDT_HIT(); // we now have a set of cycle counts, loop over previous results and aggregate data into bit patterns // 1->0 : fc/8 in sets of 7 
From 90e278d3daf11b501043d7ae628a25aeb0227420 Mon Sep 17 00:00:00 2001 From: Martin Holst Swende Date: Mon, 27 Oct 2014 21:46:04 +0100 Subject: [PATCH 6/8] Fixed several issues found using a coverity-scan --- client/cmddata.c | 2 +- client/cmdhf15.c | 3 ++- client/cmdhficlass.c | 4 ++-- client/cmdhfmf.c | 26 ++++++++++++++------------ client/cmdlfem4x.c | 2 +- client/cmdlfhitag.c | 1 + client/cmdmain.c | 3 ++- client/mifarehost.c | 2 +- client/nonce2key/crapto1.c | 6 ++++++ 9 files changed, 30 insertions(+), 19 deletions(-) diff --git a/client/cmddata.c b/client/cmddata.c index fa54d01a..7d9ec1b7 100644 --- a/client/cmddata.c +++ b/client/cmddata.c @@ -556,7 +556,7 @@ int CmdManchesterDemod(const char *Cmd) /* But it does not work if compiling on WIndows: therefore we just allocate a */ /* large array */ - uint8_t BitStream[MAX_GRAPH_TRACE_LEN]; + uint8_t BitStream[MAX_GRAPH_TRACE_LEN] = {0}; /* Detect high and lows */ for (i = 0; i < GraphTraceLen; i++) diff --git a/client/cmdhf15.c b/client/cmdhf15.c index cc61d289..2239e9e4 100644 --- a/client/cmdhf15.c +++ b/client/cmdhf15.c @@ -535,7 +535,8 @@ int CmdHF15CmdRaw (const char *cmd) { */ int prepareHF15Cmd(char **cmd, UsbCommand *c, uint8_t iso15cmd[], int iso15cmdlen) { int temp; - uint8_t *req=c->d.asBytes, uid[8]; + uint8_t *req=c->d.asBytes; + uint8_t uid[8] = {0}; uint32_t reqlen=0; // strip diff --git a/client/cmdhficlass.c b/client/cmdhficlass.c index 7156b118..d9af9044 100644 --- a/client/cmdhficlass.c +++ b/client/cmdhficlass.c @@ -502,6 +502,8 @@ int CmdHFiClassReader_Dump(const char *Cmd) SendCommand(&c); UsbCommand resp; + uint8_t key_sel[8] = {0}; + uint8_t key_sel_p[8] = { 0 }; if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) { uint8_t isOK = resp.arg[0] & 0xff; @@ -520,8 +522,6 @@ int CmdHFiClassReader_Dump(const char *Cmd) { if(elite) { - uint8_t key_sel[8] = {0}; - uint8_t key_sel_p[8] = { 0 }; //Get the key index (hash1) uint8_t key_index[8] = {0}; 
diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index b66aa3a6..4b591f0f 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -1004,6 +1004,16 @@ int CmdHF14AMfNested(const char *Cmd) int CmdHF14AMfChk(const char *Cmd) { + if (strlen(Cmd)<3) { + PrintAndLog("Usage: hf mf chk |<*card memory> [t] [] []"); + PrintAndLog(" * - all sectors"); + PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, - 1K"); + PrintAndLog("d - write keys to binary file\n"); + PrintAndLog(" sample: hf mf chk 0 A 1234567890ab keys.dic"); + PrintAndLog(" hf mf chk *1 ? t"); + return 0; + } + FILE * f; char filename[256]={0}; char buf[13]; @@ -1021,6 +1031,7 @@ int CmdHF14AMfChk(const char *Cmd) int transferToEml = 0; int createDumpFile = 0; + keyBlock = calloc(stKeyBlock, 6); if (keyBlock == NULL) return 1; @@ -1047,15 +1058,6 @@ int CmdHF14AMfChk(const char *Cmd) num_to_bytes(defaultKeys[defaultKeyCounter], 6, (uint8_t*)(keyBlock + defaultKeyCounter * 6)); } - if (strlen(Cmd)<3) { - PrintAndLog("Usage: hf mf chk |<*card memory> [t] [] []"); - PrintAndLog(" * - all sectors"); - PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, - 1K"); - PrintAndLog("d - write keys to binary file\n"); - PrintAndLog(" sample: hf mf chk 0 A 1234567890ab keys.dic"); - PrintAndLog(" hf mf chk *1 ? t"); - return 0; - } if (param_getchar(Cmd, 0)=='*') { blockNo = 3; @@ -1144,11 +1146,11 @@ int CmdHF14AMfChk(const char *Cmd) keycnt++; memset(buf, 0, sizeof(buf)); } + fclose(f); } else { PrintAndLog("File: %s: not found or locked.", filename); free(keyBlock); return 1; - fclose(f); } } } @@ -1586,8 +1588,8 @@ int CmdHF14AMfEKeyPrn(const char *Cmd) int CmdHF14AMfCSetUID(const char *Cmd) { uint8_t wipeCard = 0; - uint8_t uid[8]; - uint8_t oldUid[8]; + uint8_t uid[8] = {0}; + uint8_t oldUid[8]= {0}; int res; if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') { diff --git a/client/cmdlfem4x.c b/client/cmdlfem4x.c index a7312d21..a3674a6c 100644 --- a/client/cmdlfem4x.c 
+++ b/client/cmdlfem4x.c @@ -319,7 +319,7 @@ int CmdEM4x50Read(const char *Cmd) ++i; while ((GraphBuffer[i] > low) && (i(MAX_GRAPH_TRACE_LEN/64)) { + if (j>=(MAX_GRAPH_TRACE_LEN/64)) { break; } tmpbuff[j++]= i - start; diff --git a/client/cmdlfhitag.c b/client/cmdlfhitag.c index af61bd36..13f075f7 100644 --- a/client/cmdlfhitag.c +++ b/client/cmdlfhitag.c @@ -149,6 +149,7 @@ int CmdLFHitagSim(const char *Cmd) { tag_mem_supplied = true; if (fread(c.d.asBytes,48,1,pf) == 0) { PrintAndLog("Error: File reading error"); + fclose(pf); return 1; } fclose(pf); diff --git a/client/cmdmain.c b/client/cmdmain.c index fa358fac..77f1c373 100644 --- a/client/cmdmain.c +++ b/client/cmdmain.c @@ -134,8 +134,9 @@ int getCommand(UsbCommand* response) */ bool WaitForResponseTimeout(uint32_t cmd, UsbCommand* response, size_t ms_timeout) { + UsbCommand resp; + if (response == NULL) { - UsbCommand resp; response = &resp; } diff --git a/client/mifarehost.c b/client/mifarehost.c index fe8b8b26..7633def3 100644 --- a/client/mifarehost.c +++ b/client/mifarehost.c @@ -296,7 +296,7 @@ static uint8_t trailerAccessBytes[4] = {0x08, 0x77, 0x8F, 0x00}; // variables char logHexFileName[200] = {0x00}; static uint8_t traceCard[4096] = {0x00}; -static char traceFileName[20]; +static char traceFileName[200] = {0}; static int traceState = TRACE_IDLE; static uint8_t traceCurBlock = 0; static uint8_t traceCurKey = 0; diff --git a/client/nonce2key/crapto1.c b/client/nonce2key/crapto1.c index 90f55ab4..61215420 100644 --- a/client/nonce2key/crapto1.c +++ b/client/nonce2key/crapto1.c @@ -544,8 +544,14 @@ lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8], statelist = malloc((sizeof *statelist) << 21); //how large should be? if(!statelist || !odd || !even) + { + free(statelist); + free(odd); + free(even); return 0; + } + s = statelist; for(o = odd; *o != -1; ++o) for(e = even; *e != -1; ++e) From 97d582a69235c88c8f30a88193769dbddb74e9b1 Mon Sep 17 00:00:00 2001 
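Review bot: Hoisting `UsbCommand resp;` out of the `if (response == NULL)` block in `WaitForResponseTimeout` is the right fix — previously `response = &resp` left a pointer to an object whose lifetime ended at the closing brace — but nothing records why the declaration sits at function scope, so a later cleanup may move it back. Add `UsbCommand resp; /* function scope on purpose: response may point at it for the rest of the call */`. The function continues past the hunk.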
From: Martin Holst Swende Date: Mon, 27 Oct 2014 22:33:37 +0100 Subject: [PATCH 7/8] More coverity findings --- client/cmdhfmf.c | 86 +++++++++++------------------------------- client/cmdlfhitag.c | 23 ++++------- client/loclass/ikeys.c | 10 +++-- client/mifarehost.c | 26 ++++--------- 4 files changed, 46 insertions(+), 99 deletions(-) diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 4b591f0f..80d93a46 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -343,10 +343,6 @@ int CmdHF14AMfURdCard(const char *Cmd) uint8_t isOK = 0; uint8_t * data = NULL; - if (sectorNo > 15) { - PrintAndLog("Sector number must be less than 16"); - return 1; - } PrintAndLog("Attempting to Read Ultralight... "); UsbCommand c = {CMD_MIFAREU_READCARD, {sectorNo}}; 
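Review bot: The `if (sectorNo > 15) { PrintAndLog("Sector number must be less than 16"); return 1; }` guard is deleted while `sectorNo` is still handed to the device in `UsbCommand c = {CMD_MIFAREU_READCARD, {sectorNo}}`, so the command now forwards whatever value was entered. If the check was removed because the scan reported it unreachable (for instance `sectorNo` is always 0 here), say so in a comment or the commit message; otherwise keep an explicit range check, since any validation on the device side is not visible from this file. `CmdHF14AMfURdCard` continues outside the hunk.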
@@ -359,64 +355,24 @@ int CmdHF14AMfURdCard(const char *Cmd) PrintAndLog("isOk:%02x", isOK); if (isOK) - for (i = 0; i < 16; i++) { - switch(i){ - case 2: - //process lock bytes - lockbytes_t=data+(i*4); - lockbytes[0]=lockbytes_t[2]; - lockbytes[1]=lockbytes_t[3]; - for(int j=0; j<16; j++){ - bit[j]=lockbytes[j/8] & ( 1 <<(7-j%8)); - } - //PrintAndLog("LB %02x %02x", lockbytes[0],lockbytes[1]); - //PrintAndLog("LB2b %02x %02x %02x %02x %02x %02x %02x %02x",bit[8],bit[9],bit[10],bit[11],bit[12],bit[13],bit[14],bit[15]); - PrintAndLog("Block %3d:%s ", i,sprint_hex(data + i * 4, 4)); - break; - case 3: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[4]); - break; - case 4: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[3]); - break; - case 5: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[2]); - break; - case 6: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[1]); - break; - case 7: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[0]); - break; - case 8: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[15]); - break; - case 9: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[14]); - break; - case 10: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[13]); - break; - case 11: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[12]); - break; - case 12: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[11]); - break; - case 13: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[10]); - break; - case 14: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[9]); - break; - case 15: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[8]); - break; - default: - PrintAndLog("Block %3d:%s ", i,sprint_hex(data + i * 4, 4)); - break; + { // bit 0 and 1 + PrintAndLog("Block %3d:%s ", 0,sprint_hex(data + 0 * 4, 4)); + 
PrintAndLog("Block %3d:%s ", 1,sprint_hex(data + 1 * 4, 4)); + // bit 2 + //process lock bytes + lockbytes_t=data+(2*4); + lockbytes[0]=lockbytes_t[2]; + lockbytes[1]=lockbytes_t[3]; + for(int j=0; j<16; j++){ + bit[j]=lockbytes[j/8] & ( 1 <<(7-j%8)); } - } + //remaining + for (i = 3; i < 16; i++) { + int bitnum = (23-i) % 16; + PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[bitnum]); + } + + } } else { PrintAndLog("Command execute timeout"); } @@ -546,6 +502,7 @@ int CmdHF14AMfDump(const char *Cmd) for (sectorNo=0; sectorNo= 1900) { break; @@ -107,23 +104,19 @@ int CmdLFHitagList(const char *Cmd) line); - if (pf) { - fprintf(pf," +%7d: %3d: %s %s\n", - (prev < 0 ? 0 : (timestamp - prev)), - bits, - (isResponse ? "TAG" : " "), - line); - } +// if (pf) { +// fprintf(pf," +%7d: %3d: %s %s\n", +// (prev < 0 ? 0 : (timestamp - prev)), +// bits, +// (isResponse ? "TAG" : " "), +// line); +// } prev = timestamp; i += (len + 9); } - if (pf) { - PrintAndLog("Recorded activity succesfully written to file: %s", filename); - fclose(pf); - } - + return 0; } diff --git a/client/loclass/ikeys.c b/client/loclass/ikeys.c index cd2b72ee..4749181e 100644 --- a/client/loclass/ikeys.c +++ b/client/loclass/ikeys.c @@ -727,13 +727,17 @@ int readKeyFile(uint8_t key[8]) { FILE *f; - + int retval = 1; f = fopen("iclass_key.bin", "rb"); if (f) { - if(fread(key, sizeof(key), 1, f) == 1) return 0; + if(fread(key, sizeof(uint8_t), 8, f) == 1) + { + retval = 0; + } + fclose(f); } - return 1; + return retval; } diff --git a/client/mifarehost.c b/client/mifarehost.c index 7633def3..72e70662 100644 --- a/client/mifarehost.c +++ b/client/mifarehost.c @@ -497,7 +497,7 @@ int mfTraceDecode(uint8_t *data_src, int len, uint32_t parity, bool wantSaveToEm break; case TRACE_WRITE_OK: - if ((len == 1) && (data[0] = 0x0a)) { + if ((len == 1) && (data[0] == 0x0a)) { traceState = TRACE_WRITE_DATA; return 0; 
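Review bot: The `(23-i) % 16` index in the new CmdHF14AMfURdCard loop reproduces the old per-case table exactly (block 3→bit 4 down to block 7→bit 0, then block 8→bit 15 down to block 15→bit 8), but nothing says so, and the comments `// bit 0 and 1` and `// bit 2` above it actually refer to block numbers, not bits. Suggest `// blocks 0 and 1 carry no lock bit` and `// block 2: bytes 2-3 are the lock bytes` for those, and `// lock bit for block i: 3..7 -> 4..0, 8..15 -> 15..8` on the `bitnum` line, so the next reader does not have to re-derive the mapping. The hunk also relies on `data` being non-NULL whenever `isOK` is set; that assignment, and the rest of CmdHF14AMfURdCard, are outside the hunk.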
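Review bot: The file-logging branch in CmdLFHitagList is commented out rather than deleted, which leaves dead code in the function and silently drops the "Recorded activity succesfully written to file" path without saying why. If `pf` is never opened any more (its `fopen` is outside this hunk), delete the `// if (pf) { ... }` block and the now-unused `pf`/`filename` variables and mention the removed feature in the commit message; if the file output is meant to stay, keep the block and the `fclose(pf)` that this hunk removes. The head of CmdLFHitagList is outside the hunk.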
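Review bot: The corrected `fread` in readKeyFile now asks for eight 1-byte items, so on a valid 8-byte `iclass_key.bin` it returns 8 and the `== 1` comparison fails, leaving `retval` at 1 for every good key file; change it to `if (fread(key, sizeof(uint8_t), 8, f) == 8)` or keep one 8-byte item with `fread(key, 8, 1, f) == 1`. The original's `sizeof(key)` was the size of a pointer (the array parameter decays), which is presumably the Coverity finding, so the intent is clearly to read exactly 8 bytes and to fail on anything shorter.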
@@ -555,23 +555,13 @@ int mfTraceDecode(uint8_t *data_src, int len, uint32_t parity, bool wantSaveToEm at_par = parity; // decode key here) - if (!traceCrypto1) { - ks2 = ar_enc ^ prng_successor(nt, 64); - ks3 = at_enc ^ prng_successor(nt, 96); - revstate = lfsr_recovery64(ks2, ks3); - lfsr_rollback_word(revstate, 0, 0); - lfsr_rollback_word(revstate, 0, 0); - lfsr_rollback_word(revstate, nr_enc, 1); - lfsr_rollback_word(revstate, uid ^ nt, 0); - }else{ - ks2 = ar_enc ^ prng_successor(nt, 64); - ks3 = at_enc ^ prng_successor(nt, 96); - revstate = lfsr_recovery64(ks2, ks3); - lfsr_rollback_word(revstate, 0, 0); - lfsr_rollback_word(revstate, 0, 0); - lfsr_rollback_word(revstate, nr_enc, 1); - lfsr_rollback_word(revstate, uid ^ nt, 0); - } + ks2 = ar_enc ^ prng_successor(nt, 64); + ks3 = at_enc ^ prng_successor(nt, 96); + revstate = lfsr_recovery64(ks2, ks3); + lfsr_rollback_word(revstate, 0, 0); + lfsr_rollback_word(revstate, 0, 0); + lfsr_rollback_word(revstate, nr_enc, 1); + lfsr_rollback_word(revstate, uid ^ nt, 0); crypto1_get_lfsr(revstate, &lfsr); printf("key> %x%x\n", (unsigned int)((lfsr & 0xFFFFFFFF00000000) >> 32), (unsigned int)(lfsr & 0xFFFFFFFF)); AddLogUint64(logHexFileName, "key> ", lfsr); From 2ed270a8548e1b0436af6caf2e1c5e179a6b6a58 Mon Sep 17 00:00:00 2001 From: Martin Holst Swende Date: Tue, 28 Oct 2014 21:44:17 +0100 Subject: [PATCH 8/8] Coverity-fixes in armsrc --- armsrc/epa.c | 2 +- armsrc/hitag2.c | 4 +- armsrc/iclass.c | 29 +++++---- armsrc/iso14443a.c | 11 +++- armsrc/lfops.c | 147 +++++++++++++++++++++++---------------------- armsrc/util.c | 2 +- 6 files changed, 104 insertions(+), 91 deletions(-) diff --git a/armsrc/epa.c b/armsrc/epa.c index b0ae5e0d..b1f0a187 100644 --- a/armsrc/epa.c +++ b/armsrc/epa.c @@ -419,7 +419,7 @@ int EPA_Setup() // return code int return_code = 0; // card UID - uint8_t uid[8]; + uint8_t uid[10]; // card select information iso14a_card_select_t card_select_info; // power up the field 
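Review bot: The merged branch in mfTraceDecode uses the result of `lfsr_recovery64(ks2, ks3)` unchecked: if it returns NULL on allocation failure, as the crapto1 recovery helpers that `malloc` their state lists appear to, `lfsr_rollback_word(revstate, ...)` dereferences NULL, and if it returns a heap-allocated list that list is never freed here, so every decoded authentication leaks it. Add `if (!revstate) return 0;` (or whatever this function's error convention is) after the call and `free(revstate);` once `crypto1_get_lfsr` has copied the state out. The `printf("key> %x%x\n", ...)` in the context below also drops leading zeros of the low word, so a key like 0x1234 00000005 prints as `12345`; it should be `%08x%08x`. mfTraceDecode begins and ends outside this hunk.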
diff --git a/armsrc/hitag2.c b/armsrc/hitag2.c index 9181a62e..839240bd 100644 --- a/armsrc/hitag2.c +++ b/armsrc/hitag2.c @@ -1140,7 +1140,7 @@ void ReaderHitag(hitag_function htf, hitag_data* htd) { case RHT2F_PASSWORD: { Dbprintf("List identifier in password mode"); memcpy(password,htd->pwd.password,4); - blocknr = 0; + blocknr = 0; bQuitTraceFull = false; bQuiet = false; bPwd = false; @@ -1158,7 +1158,7 @@ void ReaderHitag(hitag_function htf, hitag_data* htd) { case RHT2F_CRYPTO: { DbpString("Authenticating using key:"); - memcpy(key,htd->crypto.key,6); + memcpy(key,htd->crypto.key,4); Dbhexdump(6,key,false); blocknr = 0; bQuiet = false; diff --git a/armsrc/iclass.c b/armsrc/iclass.c index 0ff24bfd..0ee1b355 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -1295,20 +1295,23 @@ static void TransmitIClassCommand(const uint8_t *cmd, int len, int *samples, int FpgaSetupSsc(); if (wait) - if(*wait < 10) - *wait = 10; + { + if(*wait < 10) *wait = 10; + + for(c = 0; c < *wait;) { + if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { + AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing! + c++; + } + if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { + volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR; + (void)r; + } + WDT_HIT(); + } + + } - for(c = 0; c < *wait;) { - if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { - AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing! - c++; - } - if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { - volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR; - (void)r; - } - WDT_HIT(); - } uint8_t sendbyte; bool firstpart = TRUE; diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index 9a80a177..bbfc0b75 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c 
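Review bot: Shrinking the key copy to 4 bytes in the RHT2F_CRYPTO case leaves `key[4]` and `key[5]` untouched while the very next `Dbhexdump(6,key,false)` still prints six bytes and Hitag2 uses a 48-bit key, so authentication now runs with two bytes that were never set from the supplied key. If Coverity flagged this because `htd->crypto.key` is declared as 4 bytes, the fix belongs in that structure (`byte_t key[6]`), not in truncating the copy; if the field really is 6 bytes, restore `memcpy(key,htd->crypto.key,6)`. The declarations of `key` and `hitag_data` are outside this hunk, so this is inferred from the dump length and the cipher's key size.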
@@ -1726,7 +1726,13 @@ int iso14443a_select_card(byte_t* uid_ptr, iso14a_card_select_t* p_hi14a_card, u if ((sak & 0x04) /* && uid_resp[0] == 0x88 */) { // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of: // http://www.nxp.com/documents/application_note/AN10927.pdf - memcpy(uid_resp, uid_resp + 1, 3); + // This was earlier: + //memcpy(uid_resp, uid_resp + 1, 3); + // But memcpy should not be used for overlapping arrays, + // and memmove appears to not be available in the arm build. + // So this has been replaced with a for-loop: + for(int xx = 0; xx < 3; xx++) uid_resp[xx] = uid_resp[xx+1]; + uid_resp_len = 3; } @@ -1936,7 +1942,8 @@ void ReaderMifare(bool first_try) uint8_t uid[10]; uint32_t cuid; - uint32_t nt, previous_nt; + uint32_t nt =0 ; + uint32_t previous_nt = 0; static uint32_t nt_attacked = 0; byte_t par_list[8] = {0,0,0,0,0,0,0,0}; byte_t ks_list[8] = {0,0,0,0,0,0,0,0}; diff --git a/armsrc/lfops.c b/armsrc/lfops.c index 74f04913..7d497e3c 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c 
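Review bot: The six-line comment block in iso14443a_select_card keeps the old `memcpy` line commented out and hedges ("appears to not be available"), which is clutter around a correct three-byte shift; replace it with one line, `// drop the cascade tag (0x88): shift the UID bytes down; memmove is not in the arm build, and this ascending copy is safe for the overlap`. Whether memmove is really unavailable should be settled rather than guessed at in a comment. The rest of iso14443a_select_card is outside the hunk.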
@@ -1456,78 +1456,81 @@ int DemodPCF7931(uint8_t **outBlocks) { for (bitidx = 0; i < GraphTraceLen; i++) { - if ( (GraphBuffer[i-1] > GraphBuffer[i] && dir == 1 && GraphBuffer[i] > lmax) || (GraphBuffer[i-1] < GraphBuffer[i] && dir == 0 && GraphBuffer[i] < lmin)) - { - lc = i - lastval; - lastval = i; - - // Switch depending on lc length: - // Tolerance is 1/8 of clock rate (arbitrary) - if (abs(lc-clock/4) < tolerance) { - // 16T0 - if((i - pmc) == lc) { /* 16T0 was previous one */ - /* It's a PMC ! */ - i += (128+127+16+32+33+16)-1; - lastval = i; - pmc = 0; - block_done = 1; - } - else { - pmc = i; - } - } else if (abs(lc-clock/2) < tolerance) { - // 32TO - if((i - pmc) == lc) { /* 16T0 was previous one */ - /* It's a PMC ! */ - i += (128+127+16+32+33)-1; - lastval = i; - pmc = 0; - block_done = 1; - } - else if(half_switch == 1) { - BitStream[bitidx++] = 0; - half_switch = 0; - } - else - half_switch++; - } else if (abs(lc-clock) < tolerance) { - // 64TO - BitStream[bitidx++] = 1; - } else { - // Error - warnings++; - if (warnings > 10) - { - Dbprintf("Error: too many detection errors, aborting."); - return 0; - } - } - - if(block_done == 1) { - if(bitidx == 128) { - for(j=0; j<16; j++) { - Blocks[num_blocks][j] = 128*BitStream[j*8+7]+ - 64*BitStream[j*8+6]+ - 32*BitStream[j*8+5]+ - 16*BitStream[j*8+4]+ - 8*BitStream[j*8+3]+ - 4*BitStream[j*8+2]+ - 2*BitStream[j*8+1]+ - BitStream[j*8]; - } - num_blocks++; - } - bitidx = 0; - block_done = 0; - half_switch = 0; - } - if (GraphBuffer[i-1] > GraphBuffer[i]) dir=0; - else dir = 1; - } - if(bitidx==255) - bitidx=0; - warnings = 0; - if(num_blocks == 4) break; + if ( (GraphBuffer[i-1] > GraphBuffer[i] && dir == 1 && GraphBuffer[i] > lmax) || (GraphBuffer[i-1] < GraphBuffer[i] && dir == 0 && GraphBuffer[i] < lmin)) + { + lc = i - lastval; + lastval = i; + + // Switch depending on lc length: + // Tolerance is 1/8 of clock rate (arbitrary) + if (abs(lc-clock/4) < tolerance) { + // 16T0 + if((i - pmc) == lc) { /* 16T0 was 
previous one */ + /* It's a PMC ! */ + i += (128+127+16+32+33+16)-1; + lastval = i; + pmc = 0; + block_done = 1; + } + else { + pmc = i; + } + } else if (abs(lc-clock/2) < tolerance) { + // 32TO + if((i - pmc) == lc) { /* 16T0 was previous one */ + /* It's a PMC ! */ + i += (128+127+16+32+33)-1; + lastval = i; + pmc = 0; + block_done = 1; + } + else if(half_switch == 1) { + BitStream[bitidx++] = 0; + half_switch = 0; + } + else + half_switch++; + } else if (abs(lc-clock) < tolerance) { + // 64TO + BitStream[bitidx++] = 1; + } else { + // Error + warnings++; + if (warnings > 10) + { + Dbprintf("Error: too many detection errors, aborting."); + return 0; + } + } + + if(block_done == 1) { + if(bitidx == 128) { + for(j=0; j<16; j++) { + Blocks[num_blocks][j] = 128*BitStream[j*8+7]+ + 64*BitStream[j*8+6]+ + 32*BitStream[j*8+5]+ + 16*BitStream[j*8+4]+ + 8*BitStream[j*8+3]+ + 4*BitStream[j*8+2]+ + 2*BitStream[j*8+1]+ + BitStream[j*8]; + } + num_blocks++; + } + bitidx = 0; + block_done = 0; + half_switch = 0; + } + if(i < GraphTraceLen) + { + if (GraphBuffer[i-1] > GraphBuffer[i]) dir=0; + else dir = 1; + } + } + if(bitidx==255) + bitidx=0; + warnings = 0; + if(num_blocks == 4) break; } memcpy(outBlocks, Blocks, 16*num_blocks); return num_blocks; diff --git a/armsrc/util.c b/armsrc/util.c index 2d3aab9c..5b68f513 100644 --- a/armsrc/util.c +++ b/armsrc/util.c @@ -225,7 +225,7 @@ void FormatVersionInformation(char *dst, int len, const char *prefix, void *vers { struct version_information *v = (struct version_information*)version_information; dst[0] = 0; - strncat(dst, prefix, len); + strncat(dst, prefix, len-1); if(v->magic != VERSION_INFORMATION_MAGIC) { strncat(dst, "Missing/Invalid version information", len - strlen(dst) - 1); return;
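Review bot: The new `if(i < GraphTraceLen)` guard around the direction update in DemodPCF7931 has no comment, and because the rest of the hunk is a pure re-indentation the reason for it is easy to lose: the PMC handling above advances `i` by up to `(128+127+16+32+33+16)-1` samples, which can carry it past the end of the trace, after which the direction update read `GraphBuffer[i]` out of bounds. Suggest `// the PMC skip above may push i past the end of the trace; do not read GraphBuffer[i] then` on the guard. Mixing a one-line fix into an eighty-line re-indentation also hides the change; the indentation would be better as a separate commit. The head of DemodPCF7931, including the sizes of `BitStream` and `Blocks`, is outside the hunk.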
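Review bot: `strncat(dst, prefix, len-1)` in FormatVersionInformation is right for the empty `dst` set on the previous line (at most `len-1` characters plus the terminator), but with `len == 0` the expression wraps to `SIZE_MAX` and the call becomes unbounded, and `dst[0] = 0` already writes into a zero-length buffer. If callers can pass a zero length, add `if (len == 0) return;` before `dst[0] = 0;`. The remainder of the function is outside the hunk.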