"hf mf sniff" low level logics works.

2025-08-21 05:43:23 -07:00 · 2012-07-11 15:52:33 +00:00 · 2012-07-11 15:52:33 +00:00 · 39864b0bd4
commit 39864b0bd4
parent ec56429002
10 changed files with 322 additions and 25 deletions
--- a/armsrc/fpgaloader.c
+++ b/armsrc/fpgaloader.c
@ -138,11 +138,16 @@ void FpgaSetupSsc(void)
 //-----------------------------------------------------------------------------
 void FpgaSetupSscDma(uint8_t *buf, int len)
 {
+	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
+	
 	AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) buf;
 	AT91C_BASE_PDC_SSC->PDC_RCR = len;
 	AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) buf;
 	AT91C_BASE_PDC_SSC->PDC_RNCR = len;
-	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;
+	
+	if (buf != NULL) {
+		AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;
+	}
 }

 static void DownloadFPGA_byte(unsigned char w)
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@ -656,7 +656,6 @@ void RAMFUNC SnoopIso14443a(uint8_t param) {
 		if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
 			AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
 			AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
-			Dbprintf("RxEmpty ERROR!!! %d", dataLen); // temporary
 		}
 		// secondary buffer sets as primary, secondary buffer was stopped
 		if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
@ -2356,7 +2355,8 @@ void RAMFUNC SniffMifare(uint8_t param) {
 	// param:
 	// bit 0 - trigger from first card answer
 	// bit 1 - trigger from first reader 7-bit request
-	
+
+	// C(red) A(yellow) B(green)
 	LEDsoff();
 	// init trace buffer
 	traceLen = 0;
@ -2378,7 +2378,6 @@ void RAMFUNC SniffMifare(uint8_t param) {
 	int8_t *data = dmaBuf;
 	int maxDataLen = 0;
 	int dataLen = 0;
-//	data = dmaBuf;

 	// Set up the demodulator for tag -> reader responses.
 	Demod.output = receivedResponse;
@ -2400,10 +2399,11 @@ void RAMFUNC SniffMifare(uint8_t param) {
 	LED_D_OFF();
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
 	SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+	
+	// init sniffer
+	MfSniffInit();
+	int sniffCounter = 0;

-	// Count of samples received so far, so that we can include timing
-	// information in the trace buffer.
-	rsamples = 0;
 	// And now we loop, receiving samples.
 	while(true) {
 		if(BUTTON_PRESS()) {
@ -2413,6 +2413,13 @@ void RAMFUNC SniffMifare(uint8_t param) {

 		LED_A_ON();
 		WDT_HIT();
+		
+		if (++sniffCounter > 65) {
+			if (MfSniffSend(2000)) {
+				AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;
+			}
+			sniffCounter = 0;
+		}

 		int register readBufDataP = data - dmaBuf;
 		int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
@ -2445,33 +2452,30 @@ void RAMFUNC SniffMifare(uint8_t param) {

 		LED_A_OFF();
 		
-		rsamples += 4;
 		if(MillerDecoding((data[0] & 0xF0) >> 4)) {
-			LED_C_ON();
+			LED_C_INV();
 			// check - if there is a short 7bit request from reader
-			if ((Uart.byteCnt == 1) && (Uart.bitCnt = 9)) { 
-
-			}
-			if (!LogTrace(receivedCmd, Uart.byteCnt, 0 - Uart.samples, Uart.parityBits, TRUE)) break;
+			if (MfSniffLogic(receivedCmd, Uart.byteCnt, Uart.bitCnt, TRUE)) break;

 			/* And ready to receive another command. */
 			Uart.state = STATE_UNSYNCD;
-			/* And also reset the demod code, which might have been */
-			/* false-triggered by the commands from the reader. */
+			
+			/* And also reset the demod code */
 			Demod.state = DEMOD_UNSYNCD;
-			LED_B_OFF();
 		}

 		if(ManchesterDecoding(data[0] & 0x0F)) {
-			LED_B_ON();
+			LED_C_INV();

-			if (!LogTrace(receivedResponse, Demod.len, 0 - Demod.samples, Demod.parityBits, FALSE)) break;
+			if (MfSniffLogic(receivedResponse, Demod.len, Uart.bitCnt, FALSE)) break;

 			// And ready to receive another response.
 			memset(&Demod, 0, sizeof(Demod));
 			Demod.output = receivedResponse;
 			Demod.state = DEMOD_UNSYNCD;
-			LED_C_OFF();
+
+			/* And also reset the uart code */
+			Uart.state = STATE_UNSYNCD;
 		}

 		data++;
@ -2484,7 +2488,9 @@ void RAMFUNC SniffMifare(uint8_t param) {

 done:
 	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
+	MfSniffEnd();
+	
 	Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.byteCnt=%x", maxDataLen, Uart.state, Uart.byteCnt);
-	Dbprintf("Uart.byteCntMax=%x, traceLen=%x, Uart.output[0]=%x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
+	Dbprintf("Uart.byteCntMax=%x, traceLen=%x", Uart.byteCntMax, traceLen);
 	LEDsoff();
 }
--- a/armsrc/iso14443a.h
+++ b/armsrc/iso14443a.h
@ -13,6 +13,7 @@
 #ifndef __ISO14443A_H
 #define __ISO14443A_H
 #include "common.h"
+#include "mifaresniff.h"

 // mifare reader                      over DMA buffer (SnoopIso14443a())!!!
 #define MIFARE_BUFF_OFFSET 3560  //              \/   \/   \/
--- a/armsrc/mifaresniff.c
+++ b/armsrc/mifaresniff.c
@ -11,5 +11,182 @@
 #include "mifaresniff.h"
 #include "apps.h"

+static int sniffState = SNF_INIT;
+static uint8_t sniffUIDType;
+static uint8_t sniffUID[8];
+static uint8_t sniffATQA[2];
+static uint8_t sniffSAK;
+static uint8_t sniffBuf[16];
+static int timerData = 0;


+int MfSniffInit(void){
+	rsamples = 0;
+	memset(sniffUID, 0x00, 8);
+	memset(sniffATQA, 0x00, 2);
+	sniffSAK = 0;
+	sniffUIDType = SNF_UID_4;
+
+	return 0;
+}
+
+int MfSniffEnd(void){
+	UsbCommand ack = {CMD_ACK, {0, 0, 0}};
+
+	LED_B_ON();
+	UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
+	LED_B_OFF();
+
+	return 0;
+}
+
+int RAMFUNC MfSniffLogic(const uint8_t * data, int len, int bitCnt, int reader) {
+
+	if ((len == 1) && (bitCnt = 9)) { 
+		sniffState = SNF_INIT;
+	}
+
+	switch (sniffState) {
+		case SNF_INIT:{
+			if ((reader) && (len == 1) && (bitCnt == 9) && ((data[0] == 0x26) || (data[0] == 0x52))) { 
+				sniffUIDType = SNF_UID_4;
+				memset(sniffUID, 0x00, 8);
+				memset(sniffATQA, 0x00, 2);
+				sniffSAK = 0;
+
+				sniffState = SNF_WUPREQ;
+			}
+			break;
+		}
+		case SNF_WUPREQ:{
+			if ((!reader) && (len == 2)) { 
+				memcpy(sniffATQA, data, 2);
+
+				sniffState = SNF_ATQA;
+			}
+			break;
+		}
+		case SNF_ATQA:{
+			if ((reader) && (len == 2) && (data[0] == 0x93) && (data[1] == 0x20)) { 
+				sniffState = SNF_ANTICOL1;
+			}
+			break;
+		}
+		case SNF_ANTICOL1:{
+			if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { 
+				memcpy(sniffUID + 3, data, 4);
+			
+				sniffState = SNF_UID1;
+			}
+			break;
+		}
+		case SNF_UID1:{
+			if ((reader) && (len == 9) && (data[0] == 0x93) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) { 
+				sniffState = SNF_SAK;
+			}
+			break;
+		}
+		case SNF_SAK:{
+			if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) { 
+				sniffSAK = data[0];
+				if (sniffUID[3] == 0x88) {
+					sniffState = SNF_ANTICOL2;
+				} else {
+					sniffState = SNF_CARD_IDLE;
+				}
+			}
+			break;
+		}
+		case SNF_ANTICOL2:{
+			if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { 
+				memcpy(sniffUID, data, 4);
+				sniffUIDType = SNF_UID_7;
+			
+				sniffState = SNF_UID2;
+		}
+			break;
+		}
+		case SNF_UID2:{
+			if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) { 
+				sniffState = SNF_SAK;
+	Dbprintf("SNF_SAK");				
+			}
+			break;
+		}
+		case SNF_CARD_IDLE:{
+			sniffBuf[0] = 0xFF;
+			sniffBuf[1] = 0xFF;
+			memcpy(sniffBuf + 2, sniffUID, 7);
+			memcpy(sniffBuf + 9, sniffATQA, 2);
+			sniffBuf[11] = sniffSAK;
+			sniffBuf[12] = 0xFF;
+			sniffBuf[13] = 0xFF;
+			LogTrace(sniffBuf, 14, 0, 0, true);
+			timerData = GetTickCount();
+		}
+		case SNF_CARD_CMD:{
+			LogTrace(data, len, 0, 0, true);
+
+			sniffState = SNF_CARD_RESP;
+			timerData = GetTickCount();
+			break;
+		}
+		case SNF_CARD_RESP:{
+			LogTrace(data, len, 0, 0, false);
+
+			sniffState = SNF_CARD_CMD;
+			timerData = GetTickCount();
+			break;
+		}
+	
+		default:
+			sniffState = SNF_INIT;
+		break;
+	}
+
+	return 0;
+}
+
+int RAMFUNC MfSniffSend(int maxTimeoutMs) {
+	if (traceLen && (timerData + maxTimeoutMs < GetTickCount())) {
+		return intMfSniffSend();
+	}
+	return 0;
+}
+
+// internal seding function. not a RAMFUNC.
+int intMfSniffSend() {
+	
+	int pckSize = 0;
+	int pckLen = traceLen;
+	int pckNum = 0;
+	
+	if (!traceLen) return 0;
+
+	AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
+
+	while (pckLen > 0) {
+		pckSize = min(32, pckLen);
+		UsbCommand ack = {CMD_ACK, {1, pckSize, pckNum}};
+		memcpy(ack.d.asBytes, trace + traceLen - pckLen, pckSize);
+	
+		LED_B_ON();
+		UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
+		SpinDelay(20);
+		LED_B_OFF();
+
+		pckLen -= pckSize;
+		pckNum++;
+	}
+
+	UsbCommand ack = {CMD_ACK, {2, 0, 0}};
+
+	LED_B_ON();
+	UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
+	LED_B_OFF();
+
+	traceLen = 0;
+	memset(trace, 0x44, TRACE_SIZE);
+	
+	return 1;
+}
--- a/armsrc/mifaresniff.h
+++ b/armsrc/mifaresniff.h
@ -22,5 +22,26 @@
 #include "mifareutil.h"
 #include "common.h"

+#define SNF_INIT				0
+#define SNF_NO_FIELD		1
+#define SNF_WUPREQ			2
+#define SNF_ATQA				3
+#define SNF_ANTICOL1		4
+#define SNF_UID1				5
+#define SNF_ANTICOL2		6
+#define SNF_UID2				7
+#define SNF_SAK					8
+#define SNF_CARD_IDLE		9
+#define SNF_CARD_CMD		10
+#define SNF_CARD_RESP		11
+
+#define SNF_UID_4				0
+#define SNF_UID_7				0
+
+int MfSniffInit(void);
+int RAMFUNC MfSniffLogic(const uint8_t * data, int len, int bitCnt, int reader);
+int RAMFUNC MfSniffSend(int maxTimeoutMs);
+int intMfSniffSend();
+int MfSniffEnd(void);

 #endif
--- a/armsrc/util.h
+++ b/armsrc/util.h
@ -17,6 +17,7 @@
 #define RAMFUNC __attribute((long_call, section(".ramfunc")))

 #define BYTEx(x, n) (((x) >> (n * 8)) & 0xff )
+#define min(a, b) (((a) > (b)) ? (b) : (a))

 #define LED_RED 1
 #define LED_ORANGE 2