github/proxmark3
1
0
Fork 0
mirror of https://github.com/Proxmark/proxmark3.git synced 2025-08-21 13:53:26 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

CHG: generic code clean up. Removal of commented code.

Browse source 
CHG: USB_CMD_DATA_SIZE is now used as maxsize for transfer of data between client and pm3device
CHG: suggested a fix for the underscore problem in ioclass\fileutils.c
ADD:  tnp3xx support
ADD:  nxp tag idents.
ADD:  identifiction of chinese backdoor commands to hf 14a reader.
This commit is contained in:
iceman1001 2015-01-05 15:51:27 +01:00
commit 3fe4ff4f03
40 changed files with 518 additions and 700 deletions
Download patch file Download diff file Expand all files Collapse all files

3
armsrc/Makefile
View file

@ -24,7 +24,8 @@ THUMBSRC = start.c \
$(SRC_LCD) \
$(SRC_ISO15693) \
$(SRC_LF) \
appmain.c printf.c \
appmain.c \
printf.c \
util.c \
string.c \
usb_cdc.c \

119
armsrc/appmain.c
View file

@ -82,40 +82,12 @@ void DbpString(char *str)
{
byte_t len = strlen(str);
cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len);
// /* this holds up stuff unless we're connected to usb */
// if (!UsbConnected())
// return;
//
// UsbCommand c;
// c.cmd = CMD_DEBUG_PRINT_STRING;
// c.arg[0] = strlen(str);
// if(c.arg[0] > sizeof(c.d.asBytes)) {
// c.arg[0] = sizeof(c.d.asBytes);
// }
// memcpy(c.d.asBytes, str, c.arg[0]);
//
// UsbSendPacket((uint8_t *)&c, sizeof(c));
// // TODO fix USB so stupid things like this aren't req'd
// SpinDelay(50);
}
#if 0
void DbpIntegers(int x1, int x2, int x3)
{
cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
// /* this holds up stuff unless we're connected to usb */
// if (!UsbConnected())
// return;
//
// UsbCommand c;
// c.cmd = CMD_DEBUG_PRINT_INTEGERS;
// c.arg[0] = x1;
// c.arg[1] = x2;
// c.arg[2] = x3;
//
// UsbSendPacket((uint8_t *)&c, sizeof(c));
// // XXX
// SpinDelay(50);
}
#endif
@ -332,7 +304,7 @@ extern struct version_information version_information;
extern char *_bootphase1_version_pointer, _flash_start, _flash_end;
void SendVersion(void)
{
char temp[256]; /* Limited data payload in USB packets */
char temp[512]; /* Limited data payload in USB packets */
DbpString("Prox/RFID mark3 RFID instrument");
/* Try to find the bootrom version information. Expect to find a pointer at
@ -381,13 +353,13 @@ void SamyRun()
int selected = 0;
int playing = 0;
int cardRead = 0;
// Turn on selected LED
LED(selected + 1, 0);
for (;;)
{
// UsbPoll(FALSE);
usb_poll();
WDT_HIT();
@ -396,7 +368,7 @@ void SamyRun()
SpinDelay(300);
// Button was held for a second, begin recording
if (button_pressed > 0)
if (button_pressed > 0 && cardRead == 0)
{
LEDsoff();
LED(selected + 1, 0);
@ -422,6 +394,40 @@ void SamyRun()
// If we were previously playing, set playing off
// so next button push begins playing what we recorded
playing = 0;
cardRead = 1;
}
else if (button_pressed > 0 && cardRead == 1)
{
LEDsoff();
LED(selected + 1, 0);
LED(LED_ORANGE, 0);
// record
Dbprintf("Cloning %x %x %x", selected, high[selected], low[selected]);
// wait for button to be released
while(BUTTON_PRESS())
WDT_HIT();
/* need this delay to prevent catching some weird data */
SpinDelay(500);
CopyHIDtoT55x7(high[selected], low[selected], 0, 0);
Dbprintf("Cloned %x %x %x", selected, high[selected], low[selected]);
LEDsoff();
LED(selected + 1, 0);
// Finished recording
// If we were previously playing, set playing off
// so next button push begins playing what we recorded
playing = 0;
cardRead = 0;
}
// Change where to record (or begin playing)
@ -635,18 +641,18 @@ void UsbPacketReceived(uint8_t *packet, int len)
cmd_send(CMD_ACK,0,0,0,0,0);
break;
case CMD_HID_DEMOD_FSK:
CmdHIDdemodFSK(c->arg[0], 0, 0, 1); // Demodulate HID tag
CmdHIDdemodFSK(c->arg[0], 0, 0, 1);
break;
case CMD_HID_SIM_TAG:
CmdHIDsimTAG(c->arg[0], c->arg[1], 1); // Simulate HID tag by ID
CmdHIDsimTAG(c->arg[0], c->arg[1], 1);
break;
case CMD_HID_CLONE_TAG: // Clone HID tag by ID to T55x7
case CMD_HID_CLONE_TAG:
CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
break;
case CMD_IO_DEMOD_FSK:
CmdIOdemodFSK(c->arg[0], 0, 0, 1); // Demodulate IO tag
CmdIOdemodFSK(c->arg[0], 0, 0, 1);
break;
case CMD_IO_CLONE_TAG: // Clone IO tag by ID to T55x7
case CMD_IO_CLONE_TAG:
CopyIOtoT55x7(c->arg[0], c->arg[1], c->d.asBytes[0]);
break;
case CMD_EM410X_DEMOD:
@ -669,10 +675,10 @@ void UsbPacketReceived(uint8_t *packet, int len)
case CMD_LF_SIMULATE_BIDIR:
SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
break;
case CMD_INDALA_CLONE_TAG: // Clone Indala 64-bit tag by UID to T55x7
case CMD_INDALA_CLONE_TAG:
CopyIndala64toT55x7(c->arg[0], c->arg[1]);
break;
case CMD_INDALA_CLONE_TAG_L: // Clone Indala 224-bit tag by UID to T55x7
case CMD_INDALA_CLONE_TAG_L:
CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
break;
case CMD_T55XX_READ_BLOCK:
@ -681,13 +687,12 @@ void UsbPacketReceived(uint8_t *packet, int len)
case CMD_T55XX_WRITE_BLOCK:
T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
break;
case CMD_T55XX_READ_TRACE: // Clone HID tag by ID to T55x7
case CMD_T55XX_READ_TRACE:
T55xxReadTrace();
break;
case CMD_PCF7931_READ: // Read PCF7931 tag
case CMD_PCF7931_READ:
ReadPCF7931();
cmd_send(CMD_ACK,0,0,0,0,0);
// UsbSendPacket((uint8_t*)&ack, sizeof(ack));
break;
case CMD_EM4X_READ_WORD:
EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]);
@ -733,7 +738,7 @@ void UsbPacketReceived(uint8_t *packet, int len)
ReaderIso15693(c->arg[0]);
break;
case CMD_SIMTAG_ISO_15693:
SimTagIso15693(c->arg[0]);
SimTagIso15693(c->arg[0], c->d.asBytes);
break;
#endif
@ -782,6 +787,7 @@ void UsbPacketReceived(uint8_t *packet, int len)
case CMD_SIMULATE_TAG_ISO_14443a:
SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
break;
case CMD_EPA_PACE_COLLECT_NONCE:
EPA_PACE_Collect_Nonce(c);
break;
@ -838,12 +844,15 @@ void UsbPacketReceived(uint8_t *packet, int len)
break;
// Work with "magic Chinese" card
case CMD_MIFARE_EML_CSETBLOCK:
case CMD_MIFARE_CSETBLOCK:
MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
break;
case CMD_MIFARE_EML_CGETBLOCK:
case CMD_MIFARE_CGETBLOCK:
MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
break;
case CMD_MIFARE_CIDENT:
MifareCIdent();
break;
// mifare sniffer
case CMD_MIFARE_SNIFFER:
@ -894,18 +903,6 @@ void UsbPacketReceived(uint8_t *packet, int len)
break;
case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K:
// UsbCommand n;
// if(c->cmd == CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K) {
// n.cmd = CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K;
// } else {
// n.cmd = CMD_DOWNLOADED_RAW_BITS_TI_TYPE;
// }
// n.arg[0] = c->arg[0];
// memcpy(n.d.asBytes, BigBuf+c->arg[0], 48); // 12*sizeof(uint32_t)
// LED_B_ON();
// usb_write((uint8_t *)&n, sizeof(n));
// UsbSendPacket((uint8_t *)&n, sizeof(n));
// LED_B_OFF();
LED_B_ON();
for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
@ -919,9 +916,7 @@ void UsbPacketReceived(uint8_t *packet, int len)
case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
uint8_t *b = (uint8_t *)BigBuf;
memcpy(b+c->arg[0], c->d.asBytes, 48);
//Dbprintf("copied 48 bytes to %i",b+c->arg[0]);
// UsbSendPacket((uint8_t*)&ack, sizeof(ack));
memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
cmd_send(CMD_ACK,0,0,0,0,0);
break;
}
@ -979,7 +974,6 @@ void UsbPacketReceived(uint8_t *packet, int len)
case CMD_DEVICE_INFO: {
uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
// UsbSendPacket((uint8_t*)&c, sizeof(c));
cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
break;
}
@ -1006,9 +1000,8 @@ void __attribute__((noreturn)) AppMain(void)
LED_B_OFF();
LED_A_OFF();
// Init USB device`
// Init USB device
usb_enable();
// UsbStart();
// The FPGA gets its clock from us from PCK0 output, so set that up.
AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
@ -1044,8 +1037,6 @@ void __attribute__((noreturn)) AppMain(void)
UsbPacketReceived(rx,rx_len);
}
}
// UsbPoll(FALSE);
WDT_HIT();
#ifdef WITH_LF

3
armsrc/apps.h
View file

@ -192,12 +192,13 @@ void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); // Work with "magic Chinese" card
void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
void MifareCIdent(); // is "magic chinese" card?
/// iso15693.h
void RecordRawAdcSamplesIso15693(void);
void AcquireRawAdcSamplesIso15693(void);
void ReaderIso15693(uint32_t parameter); // Simulate an ISO15693 reader - greg
void SimTagIso15693(uint32_t parameter); // simulate an ISO15693 tag - greg
void SimTagIso15693(uint32_t parameter, uint8_t *uid); // simulate an ISO15693 tag - greg
void BruteforceIso15693Afi(uint32_t speed); // find an AFI of a tag - atrox
void DirectTag15693Command(uint32_t datalen,uint32_t speed, uint32_t recv, uint8_t data[]); // send arbitrary commands from CLI - atrox
void SetDebugIso15693(uint32_t flag);

18
armsrc/epa.c
View file

@ -185,6 +185,7 @@ int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length)
|| response_apdu[rapdu_length - 4] != 0x90
|| response_apdu[rapdu_length - 3] != 0x00)
{
Dbprintf("epa - no select cardaccess");
return -1;
}
@ -196,6 +197,7 @@ int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length)
|| response_apdu[rapdu_length - 4] != 0x90
|| response_apdu[rapdu_length - 3] != 0x00)
{
Dbprintf("epa - no read cardaccess");
return -1;
}
@ -223,7 +225,6 @@ static void EPA_PACE_Collect_Nonce_Abort(uint8_t step, int func_return)
// send the USB packet
cmd_send(CMD_ACK,step,func_return,0,0,0);
//UsbSendPacket((void *)ack, sizeof(UsbCommand));
}
//-----------------------------------------------------------------------------
@ -243,7 +244,7 @@ void EPA_PACE_Collect_Nonce(UsbCommand *c)
*/
// return value of a function
int func_return;
int func_return = 0;
// // initialize ack with 0s
// memset(ack->arg, 0, 12);
@ -301,7 +302,6 @@ void EPA_PACE_Collect_Nonce(UsbCommand *c)
// save received information
// ack->arg[1] = func_return;
// memcpy(ack->d.asBytes, nonce, func_return);
// UsbSendPacket((void *)ack, sizeof(UsbCommand));
cmd_send(CMD_ACK,0,func_return,0,nonce,func_return);
}
@ -416,25 +416,27 @@ int EPA_PACE_MSE_Set_AT(pace_version_info_t pace_version_info, uint8_t password)
//-----------------------------------------------------------------------------
int EPA_Setup()
{
// return code
int return_code = 0;
// card UID
uint8_t uid[10];
// card select information
uint8_t pps_response[3];
uint8_t pps_response_par[1];
iso14a_card_select_t card_select_info;
// power up the field
iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
iso14a_set_timeout(10500);
// select the card
return_code = iso14443a_select_card(uid, &card_select_info, NULL);
if (return_code != 1) {
Dbprintf("Epa: Can't select card");
return 1;
}
// send the PPS request
ReaderTransmit((uint8_t *)pps, sizeof(pps), NULL);
uint8_t pps_response[3];
uint8_t pps_response_par[1];
return_code = ReaderReceive(pps_response, pps_response_par);
if (return_code != 3 || pps_response[0] != 0xD0) {
return return_code == 0 ? 2 : return_code;

16
armsrc/hitag2.c
View file

@ -990,18 +990,18 @@ void SimulateHitagTag(bool tag_mem_supplied, byte_t* data) {
// Disable timer during configuration
AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
// Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
// Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
// external trigger rising edge, load RA on rising edge of TIOA.
AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
// Enable and reset counter
AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
// Reset the received frame, frame count and timing info
memset(rx,0x00,sizeof(rx));
frame_count = 0;
response = 0;
overflow = 0;
// Enable and reset counter
AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
while(!BUTTON_PRESS()) {
// Watchdog hit
@ -1105,9 +1105,9 @@ void SimulateHitagTag(bool tag_mem_supplied, byte_t* data) {
AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
// Dbprintf("frame received: %d",frame_count);
// Dbprintf("Authentication Attempts: %d",(auth_table_len/8));
// DbpString("All done");
DbpString("Sim Stopped");
}
void ReaderHitag(hitag_function htf, hitag_data* htd) {
@ -1158,7 +1158,7 @@ void ReaderHitag(hitag_function htf, hitag_data* htd) {
case RHT2F_CRYPTO: {
DbpString("Authenticating using key:");
memcpy(key,htd->crypto.key,4);
memcpy(key,htd->crypto.key,4); //HACK; 4 or 6?? I read both in the code.
Dbhexdump(6,key,false);
blocknr = 0;
bQuiet = false;

15
armsrc/iclass.c
View file

@ -433,7 +433,6 @@ static RAMFUNC int ManchesterDecoding(int v)
else {
modulation = bit & Demod.syncBit;
modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
//modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
Demod.samples += 4;
@ -842,10 +841,7 @@ static int GetIClassCommandFromReader(uint8_t *received, int *len, int maxLen)
}
if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
/*if(OutOfNDecoding((b & 0xf0) >> 4)) {
*len = Uart.byteCnt;
return TRUE;
}*/
if(OutOfNDecoding(b & 0x0f)) {
*len = Uart.byteCnt;
return TRUE;
@ -1001,8 +997,6 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain
*/
int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf)
{
// CSN followed by two CRC bytes
uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
uint8_t response3[] = { 0,0,0,0,0,0,0,0,0,0};
@ -1106,6 +1100,7 @@ int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader
//Signal tracer
// Can be used to get a trigger for an oscilloscope..
LED_C_OFF();
if(!GetIClassCommandFromReader(receivedCmd, &len, 100)) {
buttonPressed = true;
break;
@ -1368,7 +1363,6 @@ void ReaderTransmitIClass(uint8_t* frame, int len)
int samples = 0;
// This is tied to other size changes
// uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
CodeIClassCommand(frame,len);
// Select the card
@ -1423,10 +1417,7 @@ static int GetIClassAnswer(uint8_t *receivedResponse, int maxLen, int *samples,
b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
skip = !skip;
if(skip) continue;
/*if(ManchesterDecoding((b>>4) & 0xf)) {
*samples = ((c - 1) << 3) + 4;
return TRUE;
}*/
if(ManchesterDecoding(b & 0x0f)) {
*samples = c << 3;
return TRUE;

6
armsrc/iso14443.c
View file

@ -293,8 +293,7 @@ static int GetIso14443CommandFromReader(uint8_t *received, int *len, int maxLen)
// only, since we are receiving, not transmitting).
// Signal field is off with the appropriate LED
LED_D_OFF();
FpgaWriteConfWord(
FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
// Now run a `software UART' on the stream of incoming samples.
@ -401,8 +400,7 @@ void SimulateIso14443Tag(void)
// Modulate BPSK
// Signal field is off with the appropriate LED
LED_D_OFF();
FpgaWriteConfWord(
FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK);
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK);
AT91C_BASE_SSC->SSC_THR = 0xff;
FpgaSetupSsc();

46
armsrc/iso14443a.c
View file

@ -144,7 +144,6 @@ const uint8_t OddByteParity[256] = {
1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
};
void iso14a_set_trigger(bool enable) {
trigger = enable;
}
@ -310,6 +309,7 @@ static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
Uart.twoBits = (Uart.twoBits << 8) | bit;
if (Uart.state == STATE_UNSYNCD) { // not yet synced
if (Uart.highCnt < 7) { // wait for a stable unmodulated signal
if (Uart.twoBits == 0xffff) {
Uart.highCnt++;
@ -399,7 +399,7 @@ static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
if (Uart.len) {
return TRUE; // we are finished with decoding the raw data sequence
} else {
UartReset(); // Nothing received - try again
UartReset(); // Nothing receiver - start over
}
}
if (Uart.state == STATE_START_OF_COMMUNICATION) { // error - must not follow directly after SOC
@ -473,7 +473,6 @@ void DemodReset()
Demod.endTime = 0;
}
void DemodInit(uint8_t *data, uint8_t *parity)
{
Demod.output = data;
@ -763,7 +762,6 @@ static void CodeIso14443aAsTagPar(const uint8_t *cmd, uint16_t len, uint8_t *par
// Send startbit
ToSend[++ToSendMax] = SEC_D;
LastProxToAirDuration = 8 * ToSendMax - 4;
for(uint16_t i = 0; i < len; i++) {
@ -990,6 +988,12 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
response1[1] = 0x00;
sak = 0x28;
} break;
case 5: { // MIFARE TNP3XXX
// Says: I am a toy
response1[0] = 0x01;
response1[1] = 0x0f;
sak = 0x01;
} break;
default: {
Dbprintf("Error: unkown tagtype (%d)",tagType);
return;
@ -1123,7 +1127,7 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
// We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
p_response = NULL;
} else if(receivedCmd[0] == 0x50) { // Received a HALT
// DbpString("Reader requested we HALT!:");
if (tracing) {
LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
}
@ -1228,6 +1232,7 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
// do the tracing for the previous reader request and this tag answer:
uint8_t par[MAX_PARITY_SIZE];
GetParity(p_response->response, p_response->response_n, par);
EmLogTrace(Uart.output,
Uart.len,
Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG,
@ -1308,13 +1313,6 @@ static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing
// clear TXRDY
AT91C_BASE_SSC->SSC_THR = SEC_Y;
// for(uint16_t c = 0; c < 10;) { // standard delay for each transfer (allow tag to be ready after last transmission)
// if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
// AT91C_BASE_SSC->SSC_THR = SEC_Y;
// c++;
// }
// }
uint16_t c = 0;
for(;;) {
if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
@ -1327,7 +1325,6 @@ static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing
}
NextTransferTime = MAX(NextTransferTime, LastTimeProxToAirStart + REQUEST_GUARD_TIME);
}
@ -1669,7 +1666,6 @@ static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receive
void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing)
{
CodeIso14443aBitsAsReaderPar(frame, bits, par);
// Send command to tag
@ -1744,7 +1740,6 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
// Receive the ATQA
if(!ReaderReceive(resp, resp_par)) return 0;
//Dbprintf("atqa: %02x %02x",resp[1],resp[0]);
if(p_hi14a_card) {
memcpy(p_hi14a_card->atqa, resp, 2);
@ -1800,7 +1795,6 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
memcpy(uid_resp, resp, 4);
}
uid_resp_len = 4;
//Dbprintf("uid: %02x %02x %02x %02x",uid_resp[0],uid_resp[1],uid_resp[2],uid_resp[3]);
// calculate crypto UID. Always use last 4 Bytes.
if(cuid_ptr) {
@ -1822,11 +1816,6 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
if ((sak & 0x04) /* && uid_resp[0] == 0x88 */) {
// Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
// http://www.nxp.com/documents/application_note/AN10927.pdf
// This was earlier:
//memcpy(uid_resp, uid_resp + 1, 3);
// But memcpy should not be used for overlapping arrays,
// and memmove appears to not be available in the arm build.
// Therefore:
uid_resp[0] = uid_resp[1];
uid_resp[1] = uid_resp[2];
uid_resp[2] = uid_resp[3];
@ -1849,9 +1838,8 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
p_hi14a_card->ats_len = 0;
}
if( (sak & 0x20) == 0) {
return 2; // non iso14443a compliant tag
}
// non iso14443a compliant tag
if( (sak & 0x20) == 0) return 2;
// Request for answer to select
AppendCrc14443a(rats, 2);
@ -1859,6 +1847,7 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
if (!(len = ReaderReceive(resp, resp_par))) return 0;
if(p_hi14a_card) {
memcpy(p_hi14a_card->ats, resp, sizeof(p_hi14a_card->ats));
p_hi14a_card->ats_len = len;
@ -1866,7 +1855,6 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
// reset the PCB block number
iso14_pcb_blocknum = 0;
return 1;
}
@ -1957,7 +1945,7 @@ void ReaderIso14443a(UsbCommand *c)
}
if(param & ISO14A_SET_TIMEOUT) {
iso14a_timeout = c->arg[2];
iso14a_set_timeout(c->arg[2]);
}
if(param & ISO14A_APDU) {
@ -2047,8 +2035,8 @@ void ReaderMifare(bool first_try)
uint32_t nt = 0;
uint32_t previous_nt = 0;
static uint32_t nt_attacked = 0;
byte_t par_list[8] = {0,0,0,0,0,0,0,0};
byte_t ks_list[8] = {0,0,0,0,0,0,0,0};
byte_t par_list[8] = {0x00};
byte_t ks_list[8] = {0x00};
static uint32_t sync_time;
static uint32_t sync_cycles;
@ -2057,8 +2045,6 @@ void ReaderMifare(bool first_try)
uint16_t consecutive_resyncs = 0;
int isOK = 0;
if (first_try) {
mf_nr_ar3 = 0;
iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);

175
armsrc/iso15693.c
View file

@ -263,13 +263,10 @@ static void TransmitTo15693Tag(const uint8_t *cmd, int len, int *samples, int *w
//-----------------------------------------------------------------------------
static void TransmitTo15693Reader(const uint8_t *cmd, int len, int *samples, int *wait)
{
int c;
// FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX);
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR); // No requirement to energise my coils
int c = 0;
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K);
if(*wait < 10) { *wait = 10; }
c = 0;
for(;;) {
if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
AT91C_BASE_SSC->SSC_THR = cmd[c];
@ -464,8 +461,7 @@ static int GetIso15693AnswerFromSniff(uint8_t *receivedResponse, int maxLen, int
AT91C_BASE_SSC->SSC_THR = 0x43;
}
if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
int8_t b;
b = (int8_t)AT91C_BASE_SSC->SSC_RHR;
int8_t b = (int8_t)AT91C_BASE_SSC->SSC_RHR;
// The samples are correlations against I and Q versions of the
// tone that the tag AM-modulates, so every other sample is I,
@ -600,10 +596,10 @@ static void BuildIdentifyRequest(void);
//-----------------------------------------------------------------------------
void AcquireRawAdcSamplesIso15693(void)
{
int c = 0;
uint8_t *dest = (uint8_t *)BigBuf;
int getNext = 0;
int c = 0;
int getNext = 0;
int8_t prev = 0;
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
@ -682,10 +678,10 @@ void AcquireRawAdcSamplesIso15693(void)
void RecordRawAdcSamplesIso15693(void)
{
int c = 0;
uint8_t *dest = (uint8_t *)BigBuf;
int getNext = 0;
uint8_t *dest = (uint8_t *)BigBuf;
int c = 0;
int getNext = 0;
int8_t prev = 0;
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
@ -836,24 +832,25 @@ static void BuildReadBlockRequest(uint8_t *uid, uint8_t blockNumber )
}
// Now the VICC>VCD responses when we are simulating a tag
static void BuildInventoryResponse(void)
static void BuildInventoryResponse( uint8_t *uid)
{
uint8_t cmd[12];
uint16_t crc;
// one sub-carrier, inventory, 1 slot, fast rate
// AFI is at bit 5 (1<<4) when doing an INVENTORY
cmd[0] = 0; //(1 << 2) | (1 << 5) | (1 << 1);
cmd[1] = 0;
//(1 << 2) | (1 << 5) | (1 << 1);
cmd[0] = 0; //
cmd[1] = 0; // DSFID (data storage format identifier). 0x00 = not supported
// 64-bit UID
cmd[2] = 0x32;
cmd[3]= 0x4b;
cmd[4] = 0x03;
cmd[5] = 0x01;
cmd[6] = 0x00;
cmd[7] = 0x10;
cmd[8] = 0x05;
cmd[9]= 0xe0;
cmd[2] = uid[7]; //0x32;
cmd[3] = uid[6]; //0x4b;
cmd[4] = uid[5]; //0x03;
cmd[5] = uid[4]; //0x01;
cmd[6] = uid[3]; //0x00;
cmd[7] = uid[2]; //0x10;
cmd[8] = uid[1]; //0x05;
cmd[9] = uid[0]; //0xe0;
//Now the CRC
crc = Crc(cmd, 10);
cmd[10] = crc & 0xff;
@ -1002,23 +999,27 @@ void ReaderIso15693(uint32_t parameter)
LED_C_OFF();
LED_D_OFF();
//DbpString(parameter);
//uint8_t *answer0 = (((uint8_t *)BigBuf) + 3560); // allow 100 bytes per reponse (way too much)
uint8_t *answer1 = (((uint8_t *)BigBuf) + 3660); //
uint8_t *answer2 = (((uint8_t *)BigBuf) + 3760);
uint8_t *answer3 = (((uint8_t *)BigBuf) + 3860);
//uint8_t *TagUID= (((uint8_t *)BigBuf) + 3960); // where we hold the uid for hi15reader
// int answerLen0 = 0;
int answerLen1 = 0;
int answerLen2 = 0;
int answerLen3 = 0;
int i=0; // counter
int i = 0;
int samples = 0;
int tsamples = 0;
int wait = 0;
int elapsed = 0;
uint8_t TagUID[8] = {0x00};
// Blank arrays
memset(BigBuf + 3660, 0, 300);
memset(BigBuf + 3660, 0x00, 300);
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
// Setup SSC
FpgaSetupSsc();
@ -1026,9 +1027,6 @@ void ReaderIso15693(uint32_t parameter)
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
SpinDelay(200);
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
FpgaSetupSsc();
// Give the tags time to energize
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
SpinDelay(200);
@ -1038,44 +1036,19 @@ void ReaderIso15693(uint32_t parameter)
LED_C_OFF();
LED_D_OFF();
int samples = 0;
int tsamples = 0;
int wait = 0;
int elapsed = 0;
// FIRST WE RUN AN INVENTORY TO GET THE TAG UID
// THIS MEANS WE CAN PRE-BUILD REQUESTS TO SAVE CPU TIME
uint8_t TagUID[8] = {0, 0, 0, 0, 0, 0, 0, 0}; // where we hold the uid for hi15reader
// BuildIdentifyRequest();
// //TransmitTo15693Tag(ToSend,ToSendMax+3,&tsamples, &wait);
// TransmitTo15693Tag(ToSend,ToSendMax,&tsamples, &wait); // No longer ToSendMax+3
// // Now wait for a response
// responseLen0 = GetIso15693AnswerFromTag(receivedAnswer0, 100, &samples, &elapsed) ;
// if (responseLen0 >=12) // we should do a better check than this
// {
// // really we should check it is a valid mesg
// // but for now just grab what we think is the uid
// TagUID[0] = receivedAnswer0[2];
// TagUID[1] = receivedAnswer0[3];
// TagUID[2] = receivedAnswer0[4];
// TagUID[3] = receivedAnswer0[5];
// TagUID[4] = receivedAnswer0[6];
// TagUID[5] = receivedAnswer0[7];
// TagUID[6] = receivedAnswer0[8]; // IC Manufacturer code
// DbpIntegers(TagUID[6],TagUID[5],TagUID[4]);
//}
// Now send the IDENTIFY command
BuildIdentifyRequest();
//TransmitTo15693Tag(ToSend,ToSendMax+3,&tsamples, &wait);
TransmitTo15693Tag(ToSend,ToSendMax,&tsamples, &wait); // No longer ToSendMax+3
TransmitTo15693Tag(ToSend,ToSendMax,&tsamples, &wait);
// Now wait for a response
answerLen1 = GetIso15693AnswerFromTag(answer1, 100, &samples, &elapsed) ;
if (answerLen1 >=12) // we should do a better check than this
{
TagUID[0] = answer1[2];
TagUID[1] = answer1[3];
TagUID[2] = answer1[4];
@ -1085,23 +1058,6 @@ void ReaderIso15693(uint32_t parameter)
TagUID[6] = answer1[8]; // IC Manufacturer code
TagUID[7] = answer1[9]; // always E0
// Now send the SELECT command
// since the SELECT command is optional, we should not rely on it.
//// BuildSelectRequest(TagUID);
// TransmitTo15693Tag(ToSend,ToSendMax,&tsamples, &wait); // No longer ToSendMax+3
// Now wait for a response
/// answerLen2 = GetIso15693AnswerFromTag(answer2, 100, &samples, &elapsed);
// Now send the MULTI READ command
// BuildArbitraryRequest(*TagUID,parameter);
/// BuildArbitraryCustomRequest(TagUID,parameter);
// BuildReadBlockRequest(*TagUID,parameter);
// BuildSysInfoRequest(*TagUID);
//TransmitTo15693Tag(ToSend,ToSendMax+3,&tsamples, &wait);
/// TransmitTo15693Tag(ToSend,ToSendMax,&tsamples, &wait); // No longer ToSendMax+3
// Now wait for a response
/// answerLen3 = GetIso15693AnswerFromTag(answer3, 100, &samples, &elapsed) ;
}
Dbprintf("%d octets read from IDENTIFY request:", answerLen1);
@ -1110,9 +1066,9 @@ void ReaderIso15693(uint32_t parameter)
// UID is reverse
if (answerLen1>=12)
//Dbprintf("UID = %*D",8,TagUID," ");
Dbprintf("UID = %02hX%02hX%02hX%02hX%02hX%02hX%02hX%02hX",TagUID[7],TagUID[6],TagUID[5],
TagUID[4],TagUID[3],TagUID[2],TagUID[1],TagUID[0]);
Dbprintf("UID = %02hX%02hX%02hX%02hX%02hX%02hX%02hX%02hX",
TagUID[7],TagUID[6],TagUID[5],TagUID[4],
TagUID[3],TagUID[2],TagUID[1],TagUID[0]);
Dbprintf("%d octets read from SELECT request:", answerLen2);
@ -1123,7 +1079,6 @@ void ReaderIso15693(uint32_t parameter)
DbdecodeIso15693Answer(answerLen3,answer3);
Dbhexdump(answerLen3,answer3,true);
// read all pages
if (answerLen1>=12 && DEBUG) {
i=0;
@ -1141,13 +1096,6 @@ void ReaderIso15693(uint32_t parameter)
}
}
// str2[0]=0;
// for(i = 0; i < responseLen3; i++) {
// itoa(str1,receivedAnswer3[i]);
// strncat(str2,str1,8);
// }
// DbpString(str2);
LED_A_OFF();
LED_B_OFF();
LED_C_OFF();
@ -1156,32 +1104,31 @@ void ReaderIso15693(uint32_t parameter)
// Simulate an ISO15693 TAG, perform anti-collision and then print any reader commands
// all demodulation performed in arm rather than host. - greg
void SimTagIso15693(uint32_t parameter)
void SimTagIso15693(uint32_t parameter, uint8_t *uid)
{
LED_A_ON();
LED_B_ON();
LED_C_OFF();
LED_D_OFF();
uint8_t *answer1 = (((uint8_t *)BigBuf) + 3660); //
uint8_t *buf = (((uint8_t *)BigBuf) + 3660); //
int answerLen1 = 0;
int samples = 0;
int tsamples = 0;
int wait = 0;
int elapsed = 0;
// Blank arrays
memset(answer1, 0, 100);
memset(buf, 0x00, 100);
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
// Setup SSC
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
FpgaSetupSsc();
// Start from off (no field generated)
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
SpinDelay(200);
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
FpgaSetupSsc();
// Give the tags time to energize
// FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR); // NO GOOD FOR SIM TAG!!!!
SpinDelay(200);
LED_A_OFF();
@ -1189,24 +1136,26 @@ void SimTagIso15693(uint32_t parameter)
LED_C_ON();
LED_D_OFF();
int samples = 0;
int tsamples = 0;
int wait = 0;
int elapsed = 0;
answerLen1 = GetIso15693AnswerFromSniff(answer1, 100, &samples, &elapsed) ;
// Listen to reader
answerLen1 = GetIso15693AnswerFromSniff(buf, 100, &samples, &elapsed) ;
if (answerLen1 >=1) // we should do a better check than this
{
// Build a suitable reponse to the reader INVENTORY cocmmand
BuildInventoryResponse();
// not so obsvious, but in the call to BuildInventoryResponse, the command is copied to the global ToSend buffer used below.
BuildInventoryResponse(uid);
TransmitTo15693Reader(ToSend,ToSendMax, &tsamples, &wait);
}
Dbprintf("%d octets read from reader command: %x %x %x %x %x %x %x %x %x", answerLen1,
answer1[0], answer1[1], answer1[2],
answer1[3], answer1[4], answer1[5],
answer1[6], answer1[7], answer1[8]);
buf[0], buf[1], buf[2], buf[3],
buf[4], buf[5], buf[6], buf[7], buf[8]);
Dbprintf("Simulationg uid: %x %x %x %x %x %x %x %x",
uid[0], uid[1], uid[2], uid[3],
uid[4], uid[5], uid[6], uid[7]);
LED_A_OFF();
LED_B_OFF();
@ -1275,12 +1224,8 @@ void DirectTag15693Command(uint32_t datalen,uint32_t speed, uint32_t recv, uint8
recvlen=SendDataTag(data,datalen,1,speed,(recv?&recvbuf:NULL));
if (recv) {
// n.cmd=/* CMD_ISO_15693_COMMAND_DONE */ CMD_ACK;
// n.arg[0]=recvlen>48?48:recvlen;
// memcpy(n.d.asBytes, recvbuf, 48);
LED_B_ON();
cmd_send(CMD_ACK,recvlen>48?48:recvlen,0,0,recvbuf,48);
// UsbSendPacket((uint8_t *)&n, sizeof(n));
LED_B_OFF();
if (DEBUG) {

10
armsrc/lfops.c
View file

@ -179,8 +179,6 @@ void ReadTItag(void)
signed char *dest = (signed char *)BigBuf;
int n = sizeof(BigBuf);
// int *dest = GraphBuffer;
// int n = GraphTraceLen;
// 128 bit shift register [shift3:shift2:shift1:shift0]
uint32_t shift3 = 0, shift2 = 0, shift1 = 0, shift0 = 0;
@ -625,6 +623,7 @@ void CmdHIDsimTAG(int hi, int lo, int ledcontrol)
if (ledcontrol)
LED_A_ON();
SimulateTagLowFrequency(n, 0, ledcontrol);
if (ledcontrol)
@ -718,7 +717,6 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
hi2 = hi = lo = 0;
}
WDT_HIT();
//SpinDelay(50);
}
DbpString("Stopped");
if (ledcontrol) LED_A_OFF();
@ -1337,7 +1335,6 @@ void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo)
// Clone Indala 64-bit tag by UID to T55x7
void CopyIndala64toT55x7(int hi, int lo)
{
//Program the 2 data blocks for supplied 64bit UID
// and the block 0 for Indala64 format
T55xxWriteBlock(hi,1,0,0);
@ -1351,12 +1348,10 @@ void CopyIndala64toT55x7(int hi, int lo)
// T5567WriteBlock(0x603E1042,0);
DbpString("DONE!");
}
void CopyIndala224toT55x7(int uid1, int uid2, int uid3, int uid4, int uid5, int uid6, int uid7)
{
//Program the 7 data blocks for supplied 224bit UID
// and the block 0 for Indala224 format
T55xxWriteBlock(uid1,1,0,0);
@ -1375,7 +1370,6 @@ void CopyIndala224toT55x7(int uid1, int uid2, int uid3, int uid4, int uid5, int
// T5567WriteBlock(0x603E10E2,0);
DbpString("DONE!");
}
@ -1525,7 +1519,6 @@ int IsBlock1PCF7931(uint8_t *Block) {
return 0;
}
#define ALLOC 16
void ReadPCF7931() {
@ -1785,6 +1778,7 @@ void SendForward(uint8_t fwd_bit_count) {
}
}
void EM4xLogin(uint32_t Password) {
uint8_t fwd_bit_count;

108
armsrc/mifarecmd.c
View file

@ -2,6 +2,9 @@
// Merlok - June 2011, 2012
// Gerhard de Koning Gans - May 2008
// Hagen Fritsch - June 2010
// Midnitesnake - Dec 2013
// Andy Davies - Apr 2014
// Iceman - May 2014
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
@ -36,8 +39,6 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
// clear trace
iso14a_clear_trace();
// iso14a_set_tracing(false);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
LED_A_ON();
@ -81,8 +82,6 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
// Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
// iso14a_set_tracing(TRUE);
}
void MifareUReadBlock(uint8_t arg0,uint8_t *datain)
@ -129,14 +128,10 @@ void MifareUReadBlock(uint8_t arg0,uint8_t *datain)
LED_B_ON();
cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
LED_B_OFF();
// Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
}
//-----------------------------------------------------------------------------
// Select, Authenticate, Read a MIFARE tag.
// read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
@ -150,7 +145,7 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
ui64Key = bytes_to_num(datain, 6);
// variables
byte_t isOK;
byte_t isOK = 0;
byte_t dataoutbuf[16 * 16];
uint8_t uid[10];
uint32_t cuid;
@ -160,7 +155,6 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
// clear trace
iso14a_clear_trace();
// iso14a_set_tracing(false);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
@ -192,7 +186,6 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
}
// ----------------------------- crypto1 destroy
crypto1_destroy(pcs);
@ -205,7 +198,6 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
// Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
// iso14a_set_tracing(TRUE);
}
@ -288,7 +280,6 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
// clear trace
iso14a_clear_trace();
// iso14a_set_tracing(false);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
@ -334,11 +325,8 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
// Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
// iso14a_set_tracing(TRUE);
}
void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
{
// params
@ -355,7 +343,6 @@ void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
// clear trace
iso14a_clear_trace();
// iso14a_set_tracing(false);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
@ -396,7 +383,6 @@ void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
// iso14a_set_tracing(TRUE);
}
void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)
{
// params
@ -412,7 +398,6 @@ void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)
// clear trace
iso14a_clear_trace();
// iso14a_set_tracing(false);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
@ -446,15 +431,11 @@ void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)
cmd_send(CMD_ACK,isOK,0,0,0,0);
LED_B_OFF();
// Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
// iso14a_set_tracing(TRUE);
}
// Return 1 if the nonce is invalid else return 0
int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {
return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
@ -510,6 +491,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
// statistics on nonce distance
if (calibrate) { // for first call only. Otherwise reuse previous calibration
LED_B_ON();
WDT_HIT();
davg = dmax = 0;
dmin = 2000;
@ -733,7 +715,6 @@ void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);
LED_B_OFF();
// Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
@ -750,7 +731,6 @@ void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
Dbprintf("Debug level: %d", MF_DBGLEVEL);
}
//-----------------------------------------------------------------------------
// Work with emulator memory
//
@ -759,23 +739,19 @@ void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
emlClearMem();
}
void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
emlSetMem(datain, arg0, arg1); // data, block num, blocks count
}
void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
byte_t buf[48];
byte_t buf[USB_CMD_DATA_SIZE];
emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
LED_B_ON();
cmd_send(CMD_ACK,arg0,arg1,0,buf,48);
cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE);
LED_B_OFF();
}
//-----------------------------------------------------------------------------
// Load a card into the emulator memory
//
@ -884,32 +860,26 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
// variables
byte_t isOK = 0;
uint8_t uid[10];
uint8_t d_block[18];
uint8_t uid[10] = {0x00};
uint8_t d_block[18] = {0x00};
uint32_t cuid;
memset(uid, 0x00, 10);
uint8_t *receivedAnswer = get_bigbufptr_recvrespbuf();
uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
// reset FPGA and LED
if (workFlags & 0x08) {
// clear trace
iso14a_clear_trace();
iso14a_set_tracing(TRUE);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
LED_A_ON();
LED_B_OFF();
LED_C_OFF();
SpinDelay(300);
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
SpinDelay(100);
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
iso14a_clear_trace();
iso14a_set_tracing(TRUE);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
}
while (true) {
// get UID from chip
if (workFlags & 0x01) {
if(!iso14443a_select_card(uid, NULL, &cuid)) {
@ -988,7 +958,6 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
LED_B_OFF();
if ((workFlags & 0x10) || (!isOK)) {
// Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
}
@ -1011,28 +980,20 @@ void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
// variables
byte_t isOK = 0;
uint8_t data[18];
uint8_t data[18] = {0x00};
uint32_t cuid = 0;
memset(data, 0x00, 18);
uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();
uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
if (workFlags & 0x08) {
// clear trace
iso14a_clear_trace();
iso14a_set_tracing(TRUE);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
LED_A_ON();
LED_B_OFF();
LED_C_OFF();
SpinDelay(300);
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
SpinDelay(100);
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
iso14a_clear_trace();
iso14a_set_tracing(TRUE);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
}
while (true) {
@ -1073,9 +1034,40 @@ void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
LED_B_OFF();
if ((workFlags & 0x10) || (!isOK)) {
// Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
}
}
void MifareCIdent(){
// card commands
uint8_t wupC1[] = { 0x40 };
uint8_t wupC2[] = { 0x43 };
// variables
byte_t isOK = 1;
uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();
uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
ReaderTransmitBitsPar(wupC1,7,0, NULL);
if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
isOK = 0;
};
ReaderTransmit(wupC2, sizeof(wupC2), NULL);
if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
isOK = 0;
};
if (mifare_classic_halt(NULL, 0)) {
isOK = 0;
};
cmd_send(CMD_ACK,isOK,0,0,0,0);
}
//
// DESFIRE
//

1
armsrc/mifaresniff.c
View file

@ -11,7 +11,6 @@
#include "mifaresniff.h"
#include "apps.h"
static int sniffState = SNF_INIT;
static uint8_t sniffUIDType;
static uint8_t sniffUID[8];

32
armsrc/mifareutil.c
View file

@ -54,10 +54,12 @@ void mf_crypto1_encrypt(struct Crypto1State *pcs, uint8_t *data, uint16_t len, u
uint8_t bt = 0;
int i;
par[0] = 0;
for (i = 0; i < len; i++) {
bt = data[i];
data[i] = crypto1_byte(pcs, 0x00, 0) ^ data[i];
if((i&0x0007) == 0) par[i>>3] = 0;
if((i&0x0007) == 0)
par[i>>3] = 0;
par[i>>3] |= (((filter(pcs->odd) ^ oddparity(bt)) & 0x01)<<(7-(i&0x0007)));
}
return;
@ -81,9 +83,7 @@ int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd,
int mifare_sendcmd_short_special(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t* data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing)
{
uint8_t dcmd[8];//, ecmd[4];
//uint32_t par=0;
uint8_t dcmd[8];
dcmd[0] = cmd;
dcmd[1] = data[0];
dcmd[2] = data[1];
@ -91,10 +91,6 @@ int mifare_sendcmd_short_special(struct Crypto1State *pcs, uint8_t crypted, uint
dcmd[4] = data[3];
dcmd[5] = data[4];
AppendCrc14443a(dcmd, 6);
//Dbprintf("Data command: %02x", dcmd[0]);
//Dbprintf("Data R: %02x %02x %02x %02x %02x %02x %02x", dcmd[1],dcmd[2],dcmd[3],dcmd[4],dcmd[5],dcmd[6],dcmd[7]);
//memcpy(ecmd, dcmd, sizeof(dcmd));
ReaderTransmit(dcmd, sizeof(dcmd), NULL);
int len = ReaderReceive(answer, answer_parity);
if(!len)
@ -165,7 +161,7 @@ int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockN
int len;
uint32_t pos;
uint8_t tmp4[4];
uint8_t par[1] = {0};
uint8_t par[1] = {0x00};
byte_t nr[4];
uint32_t nt, ntpp; // Supplied tag nonce
@ -210,7 +206,6 @@ int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockN
if (ntptr)
*ntptr = nt;
// Generate (encrypted) nr+parity by loading it into the cipher (Nr)
par[0] = 0;
for (pos = 0; pos < 4; pos++)
@ -292,6 +287,7 @@ int mifare_ultra_readblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData)
uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();
uint8_t* receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
// command MIFARE_CLASSIC_READBLOCK
len = mifare_sendcmd_short(NULL, 1, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL);
if (len == 1) {
@ -318,7 +314,7 @@ int mifare_ultra_readblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData)
int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData)
{
// variables
int len, i;
uint16_t len, i;
uint32_t pos;
uint8_t par[3] = {0}; // enough for 18 Bytes to send
byte_t res;
@ -367,7 +363,6 @@ int mifare_ultra_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData)
// variables
uint16_t len;
uint8_t par[3] = {0}; // enough for 18 parity bits
uint8_t d_block[18];
uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();
uint8_t* receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
@ -400,7 +395,6 @@ int mifare_ultra_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData)
int mifare_ultra_special_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData)
{
uint16_t len;
uint8_t d_block[8];
uint8_t *receivedAnswer = get_bigbufptr_recvrespbuf();
uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
@ -418,16 +412,12 @@ int mifare_ultra_special_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *bloc
if (MF_DBGLEVEL >= 1) Dbprintf("Cmd Send Error: %02x %d", receivedAnswer[0],len);
return 1;
}
return 0;
return 0;
}
int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid)
{
// variables
uint16_t len;
// Mifare HALT
uint8_t *receivedAnswer = get_bigbufptr_recvrespbuf();
uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
@ -443,8 +433,6 @@ int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid)
int mifare_ultra_halt(uint32_t uid)
{
uint16_t len;
// Mifare HALT
uint8_t *receivedAnswer = get_bigbufptr_recvrespbuf();
uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
@ -481,19 +469,16 @@ uint8_t FirstBlockOfSector(uint8_t sectorNo)
// work with emulator memory
void emlSetMem(uint8_t *data, int blockNum, int blocksCount) {
uint8_t* emCARD = get_bigbufptr_emlcardmem();
memcpy(emCARD + blockNum * 16, data, blocksCount * 16);
}
void emlGetMem(uint8_t *data, int blockNum, int blocksCount) {
uint8_t* emCARD = get_bigbufptr_emlcardmem();
memcpy(data, emCARD + blockNum * 16, blocksCount * 16);
}
void emlGetMemBt(uint8_t *data, int bytePtr, int byteCount) {
uint8_t* emCARD = get_bigbufptr_emlcardmem();
memcpy(data, emCARD + bytePtr, byteCount);
}
@ -522,7 +507,6 @@ int emlGetValBl(uint32_t *blReg, uint8_t *blBlock, int blockNum) {
memcpy(blReg, data, 4);
*blBlock = data[12];
return 0;
}