github/proxmark3
1
0
Fork 0
mirror of https://github.com/Proxmark/proxmark3.git synced 2025-07-29 19:18:35 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

implement 'hf iclass snoop -j'

Browse source 
* fix long option --jam
* make room for one more bit for FPGA minor mode
* new mode FPGA_HF_READER_MODE_SEND_JAM
* implement jamming in Handle15693SampleFromReader
This commit is contained in:
pwpiwi 2019-11-13 16:42:29 +01:00
parent be09ea8603
commit cd028159be
13 changed files with 116 additions and 68 deletions
Download patch file Download diff file Expand all files Collapse all files

19
armsrc/fpgaloader.c
View file

@ -115,8 +115,7 @@ void SetupSpi(int mode)
// Set up the synchronous serial port with the set of options that fits
// the FPGA mode. Both RX and TX are always enabled.
//-----------------------------------------------------------------------------
void FpgaSetupSsc(uint8_t FPGA_mode)
{
void FpgaSetupSsc(uint16_t FPGA_mode) {
// First configure the GPIOs, and get ourselves a clock.
AT91C_BASE_PIOA->PIO_ASR =
GPIO_SSC_FRAME |
@ -136,7 +135,7 @@ void FpgaSetupSsc(uint8_t FPGA_mode)
// 8, 16 or 32 bits per transfer, no loopback, MSB first, 1 transfer per sync
// pulse, no output sync
if ((FPGA_mode & 0xe0) == FPGA_MAJOR_MODE_HF_READER && FpgaGetCurrent() == FPGA_BITSTREAM_HF) {
if ((FPGA_mode & 0x1c0) == FPGA_MAJOR_MODE_HF_READER && FpgaGetCurrent() == FPGA_BITSTREAM_HF) {
AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
} else {
AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
@ -450,10 +449,9 @@ void FpgaDownloadAndGo(int bitstream_version)
// The bit format is: C3 C2 C1 C0 D11 D10 D9 D8 D7 D6 D5 D4 D3 D2 D1 D0
// where C is the 4 bit command and D is the 12 bit data
//-----------------------------------------------------------------------------
void FpgaSendCommand(uint16_t cmd, uint16_t v)
{
void FpgaSendCommand(uint16_t cmd, uint16_t v) {
SetupSpi(SPI_FPGA_MODE);
while ((AT91C_BASE_SPI->SPI_SR & AT91C_SPI_TXEMPTY) == 0); // wait for the transfer to complete
while ((AT91C_BASE_SPI->SPI_SR & AT91C_SPI_TXEMPTY) == 0); // wait for the transfer to complete
AT91C_BASE_SPI->SPI_TDR = AT91C_SPI_LASTXFER | cmd | v; // send the data
}
@ -462,21 +460,18 @@ void FpgaSendCommand(uint16_t cmd, uint16_t v)
// vs. clone vs. etc.). This is now a special case of FpgaSendCommand() to
// avoid changing this function's occurence everywhere in the source code.
//-----------------------------------------------------------------------------
void FpgaWriteConfWord(uint16_t v)
{
void FpgaWriteConfWord(uint16_t v) {
FpgaSendCommand(FPGA_CMD_SET_CONFREG, v);
}
//-----------------------------------------------------------------------------
// enable/disable FPGA internal tracing
//-----------------------------------------------------------------------------
void FpgaEnableTracing(void)
{
void FpgaEnableTracing(void) {
FpgaSendCommand(FPGA_CMD_TRACE_ENABLE, 1);
}
void FpgaDisableTracing(void)
{
void FpgaDisableTracing(void) {
FpgaSendCommand(FPGA_CMD_TRACE_ENABLE, 0);
}

27
armsrc/fpgaloader.h
View file

@ -19,7 +19,7 @@
void FpgaSendCommand(uint16_t cmd, uint16_t v);
void FpgaWriteConfWord(uint16_t v);
void FpgaDownloadAndGo(int bitstream_version);
void FpgaSetupSsc(uint8_t mode);
void FpgaSetupSsc(uint16_t mode);
void SetupSpi(int mode);
bool FpgaSetupSscDma(uint8_t *buf, uint16_t sample_count);
void Fpga_print_status();
@ -45,17 +45,17 @@ void SetAdcMuxFor(uint32_t whichGpio);
// Definitions for the FPGA configuration word.
// LF
#define FPGA_MAJOR_MODE_LF_ADC (0<<5)
#define FPGA_MAJOR_MODE_LF_EDGE_DETECT (1<<5)
#define FPGA_MAJOR_MODE_LF_PASSTHRU (2<<5)
#define FPGA_MAJOR_MODE_LF_ADC (0<<6)
#define FPGA_MAJOR_MODE_LF_EDGE_DETECT (1<<6)
#define FPGA_MAJOR_MODE_LF_PASSTHRU (2<<6)
// HF
#define FPGA_MAJOR_MODE_HF_READER (0<<5)
#define FPGA_MAJOR_MODE_HF_SIMULATOR (1<<5)
#define FPGA_MAJOR_MODE_HF_ISO14443A (2<<5)
#define FPGA_MAJOR_MODE_HF_SNOOP (3<<5)
#define FPGA_MAJOR_MODE_HF_GET_TRACE (4<<5)
#define FPGA_MAJOR_MODE_HF_READER (0<<6)
#define FPGA_MAJOR_MODE_HF_SIMULATOR (1<<6)
#define FPGA_MAJOR_MODE_HF_ISO14443A (2<<6)
#define FPGA_MAJOR_MODE_HF_SNOOP (3<<6)
#define FPGA_MAJOR_MODE_HF_GET_TRACE (4<<6)
// BOTH
#define FPGA_MAJOR_MODE_OFF (7<<5)
#define FPGA_MAJOR_MODE_OFF (7<<6)
// Options for LF_ADC
#define FPGA_LF_ADC_READER_FIELD (1<<0)
@ -74,10 +74,11 @@ void SetAdcMuxFor(uint32_t whichGpio);
#define FPGA_HF_READER_MODE_SNOOP_IQ (5<<0)
#define FPGA_HF_READER_MODE_SNOOP_AMPLITUDE (6<<0)
#define FPGA_HF_READER_MODE_SNOOP_PHASE (7<<0)
#define FPGA_HF_READER_MODE_SEND_JAM (8<<0)
#define FPGA_HF_READER_SUBCARRIER_848_KHZ (0<<3)
#define FPGA_HF_READER_SUBCARRIER_424_KHZ (1<<3)
#define FPGA_HF_READER_SUBCARRIER_212_KHZ (2<<3)
#define FPGA_HF_READER_SUBCARRIER_848_KHZ (0<<4)
#define FPGA_HF_READER_SUBCARRIER_424_KHZ (1<<4)
#define FPGA_HF_READER_SUBCARRIER_212_KHZ (2<<4)
// Options for the HF simulated tag, how to modulate
#define FPGA_HF_SIMULATOR_NO_MODULATION (0<<0)

62
armsrc/iso15693.c
View file

@ -84,7 +84,7 @@ static int DEBUG = 0;
///////////////////////////////////////////////////////////////////////
// buffers
#define ISO15693_DMA_BUFFER_SIZE 128 // must be a power of 2
#define ISO15693_DMA_BUFFER_SIZE 256 // must be a power of 2
#define ISO15693_MAX_RESPONSE_LENGTH 36 // allows read single block with the maximum block size of 256bits. Read multiple blocks not supported yet
#define ISO15693_MAX_COMMAND_LENGTH 45 // allows write single block with the maximum block size of 256bits. Write multiple blocks not supported yet
@ -341,11 +341,6 @@ void TransmitTo15693Reader(const uint8_t *cmd, size_t len, uint32_t *start_time,
}
static void jam(void) {
// send a short burst to jam the reader signal
}
//=============================================================================
// An ISO 15693 decoder for tag responses (one subcarrier only).
// Uses cross correlation to identify each bit and EOF.
@ -392,7 +387,7 @@ typedef struct DecodeTag {
} DecodeTag_t;
static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint16_t amplitude, DecodeTag_t *restrict DecodeTag) {
static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint16_t amplitude, DecodeTag_t *DecodeTag) {
switch (DecodeTag->state) {
case STATE_TAG_SOF_LOW:
// waiting for a rising edge
@ -745,7 +740,8 @@ typedef struct DecodeReader {
STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF,
STATE_READER_AWAIT_END_OF_SOF_1_OUT_OF_4,
STATE_READER_RECEIVE_DATA_1_OUT_OF_4,
STATE_READER_RECEIVE_DATA_1_OUT_OF_256
STATE_READER_RECEIVE_DATA_1_OUT_OF_256,
STATE_READER_RECEIVE_JAMMING
} state;
enum {
CODING_1_OUT_OF_4,
@ -781,7 +777,7 @@ static void DecodeReaderReset(DecodeReader_t* DecodeReader) {
}
static int inline __attribute__((always_inline)) Handle15693SampleFromReader(bool bit, DecodeReader_t *restrict DecodeReader) {
static int inline __attribute__((always_inline)) Handle15693SampleFromReader(bool bit, DecodeReader_t *DecodeReader) {
switch (DecodeReader->state) {
case STATE_READER_UNSYNCD:
// wait for unmodulated carrier
@ -920,12 +916,6 @@ static int inline __attribute__((always_inline)) Handle15693SampleFromReader(boo
}
if (DecodeReader->bitCount == 15) { // we have a full byte
DecodeReader->output[DecodeReader->byteCount++] = DecodeReader->shiftReg;
if (DecodeReader->byteCount == DecodeReader->jam_search_len) {
if (!memcmp(DecodeReader->output, DecodeReader->jam_search_string, DecodeReader->jam_search_len)) {
jam(); // send a jamming signal
Dbprintf("JAMMING!");
}
}
if (DecodeReader->byteCount > DecodeReader->byteCountMax) {
// buffer overflow, give up
LED_B_OFF();
@ -933,6 +923,13 @@ static int inline __attribute__((always_inline)) Handle15693SampleFromReader(boo
}
DecodeReader->bitCount = 0;
DecodeReader->shiftReg = 0;
if (DecodeReader->byteCount == DecodeReader->jam_search_len) {
if (!memcmp(DecodeReader->output, DecodeReader->jam_search_string, DecodeReader->jam_search_len)) {
LED_D_ON();
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_JAM);
DecodeReader->state = STATE_READER_RECEIVE_JAMMING;
}
}
} else {
DecodeReader->bitCount++;
}
@ -968,11 +965,42 @@ static int inline __attribute__((always_inline)) Handle15693SampleFromReader(boo
LED_B_OFF();
DecodeReaderReset(DecodeReader);
}
if (DecodeReader->byteCount == DecodeReader->jam_search_len) {
if (!memcmp(DecodeReader->output, DecodeReader->jam_search_string, DecodeReader->jam_search_len)) {
LED_D_ON();
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_JAM);
DecodeReader->state = STATE_READER_RECEIVE_JAMMING;
}
}
}
DecodeReader->bitCount++;
}
break;
case STATE_READER_RECEIVE_JAMMING:
DecodeReader->posCount++;
if (DecodeReader->Coding == CODING_1_OUT_OF_4) {
if (DecodeReader->posCount == 7*16) { // 7 bits jammed
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SNOOP_AMPLITUDE); // stop jamming
// FpgaDisableTracing();
LED_D_OFF();
} else if (DecodeReader->posCount == 8*16) {
DecodeReader->posCount = 0;
DecodeReader->output[DecodeReader->byteCount++] = 0x00;
DecodeReader->state = STATE_READER_RECEIVE_DATA_1_OUT_OF_4;
}
} else {
if (DecodeReader->posCount == 7*256) { // 7 bits jammend
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SNOOP_AMPLITUDE); // stop jamming
LED_D_OFF();
} else if (DecodeReader->posCount == 8*256) {
DecodeReader->posCount = 0;
DecodeReader->output[DecodeReader->byteCount++] = 0x00;
DecodeReader->state = STATE_READER_RECEIVE_DATA_1_OUT_OF_256;
}
}
break;
default:
LED_B_OFF();
DecodeReaderReset(DecodeReader);
@ -1212,7 +1240,7 @@ void SnoopIso15693(uint8_t jam_search_len, uint8_t *jam_search_string) {
if (upTo >= dmaBuf + ISO15693_DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content.
upTo = dmaBuf; // start reading the circular buffer from the beginning
if (behindBy > (9*ISO15693_DMA_BUFFER_SIZE/10)) {
FpgaDisableTracing();
// FpgaDisableTracing();
Dbprintf("About to blow circular buffer - aborted! behindBy=%d, samples=%d", behindBy, samples);
break;
}
@ -1305,8 +1333,6 @@ void SnoopIso15693(uint8_t jam_search_len, uint8_t *jam_search_string) {
FpgaDisableSscDma();
LEDsoff();
DbpString("Snoop statistics:");
Dbprintf(" ExpectTagAnswer: %d, TagIsActive: %d, ReaderIsActive: %d", ExpectTagAnswer, TagIsActive, ReaderIsActive);
Dbprintf(" DecodeTag State: %d", DecodeTag.state);

2
client/cmdhficlass.c
View file

@ -180,7 +180,7 @@ static int CmdHFiClassSnoop(const char *Cmd) {
CLIParserInit("hf iclass snoop", "\nSnoop a communication between an iClass Reader and an iClass Tag.", NULL);
void* argtable[] = {
arg_param_begin,
arg_lit0("j", "--jam", "Jam (prevent) e-purse Updates"),
arg_lit0("j", "jam", "Jam (prevent) e-purse Updates"),
arg_param_end
};
if (CLIParserParseString(Cmd, argtable, arg_getsize(argtable), true)){

5
common/iso15693tools.c
View file

@ -9,9 +9,8 @@
#include "iso15693tools.h"
#include "proxmark3.h"
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#ifdef ON_DEVICE
#include "printf.h"
#else
@ -90,7 +89,7 @@ uint16_t iclass_crc16(char *data_p, unsigned short length) {
crc = ~crc;
data = crc;
crc = (crc << 8) | (data >> 8 & 0xff);
crc = crc ^ 0xBC3;
crc = crc ^ 0x0BC3;
return (crc);
}

3
common/iso15693tools.h
View file

@ -4,9 +4,10 @@
#ifndef ISO15693TOOLS_H__
#define ISO15693TOOLS_H__
#include <stdint.h>
// ISO15693 CRC
#define ISO15693_CRC_CHECK ((uint16_t)(~0xF0B8 & 0xFFFF)) // use this for checking of a correct crc
uint16_t Iso15693Crc(uint8_t *v, int n);
int Iso15693AddCrc(uint8_t *req, int n);
char* Iso15693sprintUID(char *target, uint8_t *uid);

BIN
fpga/fpga_hf.bit
View file

Binary file not shown.

21
fpga/fpga_hf.v
View file

@ -13,8 +13,14 @@
// iZsh <izsh at fail0verflow.com>, June 2014
//-----------------------------------------------------------------------------
// Defining modes and options. This must be aligned to the definitions in fpgaloader.h
// Defining commands, modes and options. This must be aligned to the definitions in fpgaloader.h
// Note: the definitions here are without shifts
// Commands:
`define FPGA_CMD_SET_CONFREG 1
`define FPGA_CMD_TRACE_ENABLE 2
// Major modes:
`define FPGA_MAJOR_MODE_LF_ADC 0
`define FPGA_MAJOR_MODE_LF_EDGE_DETECT 1
@ -35,6 +41,7 @@
`define FPGA_HF_READER_MODE_SNIFF_IQ 5
`define FPGA_HF_READER_MODE_SNIFF_AMPLITUDE 6
`define FPGA_HF_READER_MODE_SNIFF_PHASE 7
`define FPGA_HF_READER_MODE_SEND_JAM 8
`define FPGA_HF_READER_SUBCARRIER_848_KHZ 0
`define FPGA_HF_READER_SUBCARRIER_424_KHZ 1
`define FPGA_HF_READER_SUBCARRIER_212_KHZ 2
@ -79,7 +86,7 @@ module fpga_hf(
//-----------------------------------------------------------------------------
reg [15:0] shift_reg;
reg [7:0] conf_word;
reg [8:0] conf_word;
reg trace_enable;
// We switch modes between transmitting to the 13.56 MHz tag and receiving
@ -88,8 +95,8 @@ reg trace_enable;
always @(posedge ncs)
begin
case(shift_reg[15:12])
4'b0001: conf_word <= shift_reg[7:0]; // FPGA_CMD_SET_CONFREG
4'b0010: trace_enable <= shift_reg[0]; // FPGA_CMD_TRACE_ENABLE
`FPGA_CMD_SET_CONFREG: conf_word <= shift_reg[8:0];
`FPGA_CMD_TRACE_ENABLE: trace_enable <= shift_reg[0];
endcase
end
@ -103,11 +110,11 @@ begin
end
// select module (outputs) based on major mode
wire [2:0] major_mode = conf_word[7:5];
wire [2:0] major_mode = conf_word[8:6];
// configuring the HF reader
wire [1:0] subcarrier_frequency = conf_word[4:3];
wire [2:0] minor_mode = conf_word[2:0];
wire [1:0] subcarrier_frequency = conf_word[5:4];
wire [3:0] minor_mode = conf_word[3:0];
//-----------------------------------------------------------------------------
// And then we instantiate the modules corresponding to each of the FPGA's

BIN
fpga/fpga_lf.bit
View file

Binary file not shown.

17
fpga/fpga_lf.v
View file

@ -29,17 +29,18 @@ module fpga_lf(
reg [15:0] shift_reg;
reg [7:0] divisor;
reg [7:0] conf_word;
reg [8:0] conf_word;
reg [7:0] user_byte1;
always @(posedge ncs)
begin
case(shift_reg[15:12])
4'b0001:
case (shift_reg[15:12])
4'b0001: // FPGA_CMD_SET_CONFREG
begin
conf_word <= shift_reg[7:0];
if (shift_reg[7:0] == 8'b00000001) begin // LF edge detect
user_byte1 <= 127; // default threshold
conf_word <= shift_reg[8:0];
if (shift_reg[8:0] == 9'b000000001)
begin // LF edge detect
user_byte1 <= 127; // default threshold
end
end
4'b0010: divisor <= shift_reg[7:0]; // FPGA_CMD_SET_DIVISOR
@ -49,14 +50,14 @@ end
always @(posedge spck)
begin
if(~ncs)
if (~ncs)
begin
shift_reg[15:1] <= shift_reg[14:0];
shift_reg[0] <= mosi;
end
end
wire [2:0] major_mode = conf_word[7:5];
wire [2:0] major_mode = conf_word[8:6];
// For the low-frequency configuration:
wire lf_field = conf_word[0];

2
fpga/hi_iso14443a.v
View file

@ -18,7 +18,7 @@ module hi_iso14443a(
input ssp_dout;
output ssp_frame, ssp_din, ssp_clk;
output dbg;
input [2:0] mod_type;
input [3:0] mod_type;
wire adc_clk = ck_1356meg;

24
fpga/hi_reader.v
View file

@ -19,7 +19,7 @@ module hi_reader(
output ssp_frame, ssp_din, ssp_clk;
output dbg;
input [1:0] subcarrier_frequency;
input [2:0] minor_mode;
input [3:0] minor_mode;
assign adc_clk = ck_1356meg; // sample frequency is 13,56 MHz
@ -257,6 +257,19 @@ end
assign ssp_din = corr_i_out[7];
// a jamming signal
reg jam_signal;
reg [3:0] jam_counter;
always @(negedge adc_clk)
begin
if (corr_i_cnt == 6'd0)
begin
jam_counter <= jam_counter + 1;
jam_signal <= jam_counter[1] ^ jam_counter[3];
end
end
// Antenna drivers
reg pwr_hi, pwr_oe4;
@ -272,10 +285,15 @@ begin
pwr_hi = ck_1356meg & ~ssp_dout;
pwr_oe4 = 1'b0;
end
else if (minor_mode == `FPGA_HF_READER_MODE_SEND_JAM)
begin
pwr_hi = ck_1356meg & jam_signal;
pwr_oe4 = 1'b0;
end
else if (minor_mode == `FPGA_HF_READER_MODE_SNIFF_IQ
|| minor_mode == `FPGA_HF_READER_MODE_SNIFF_AMPLITUDE
|| minor_mode == `FPGA_HF_READER_MODE_SNIFF_PHASE)
begin
begin // all off
pwr_hi = 1'b0;
pwr_oe4 = 1'b0;
end
@ -284,7 +302,7 @@ begin
pwr_hi = ck_1356meg;
pwr_oe4 = 1'b0;
end
end
end
// always on
assign pwr_oe1 = 1'b0;

2
fpga/hi_simulate.v
View file

@ -31,7 +31,7 @@ module hi_simulate(
input ssp_dout;
output ssp_frame, ssp_din, ssp_clk;
output dbg;
input [2:0] mod_type;
input [3:0] mod_type;
assign adc_clk = ck_1356meg;