search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge pull request #2593 from Akury83/master
[RRG-proxmark3.git] / armsrc / mifaresniff_disabled.c
blob80b5adeb8906d22199501e9fd18a357b1b91f251
1 //-----------------------------------------------------------------------------
2 // Copyright (C) Gerhard de Koning Gans - May 2008
3 // Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
4 //
5 // This program is free software: you can redistribute it and/or modify
6 // it under the terms of the GNU General Public License as published by
7 // the Free Software Foundation, either version 3 of the License, or
8 // (at your option) any later version.
9 //
10 // This program is distributed in the hope that it will be useful,
11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 // GNU General Public License for more details.
14 //
15 // See LICENSE.txt for the text of the license.
16 //-----------------------------------------------------------------------------
17 // Routines to support mifare classic sniffer.
18 //-----------------------------------------------------------------------------
19
20 #include "mifaresniff_disabled.h"
21
22 #ifndef CheckCrc14A
23 # define CheckCrc14A(data, len) check_crc(CRC_14443_A, (data), (len))
24 #endif
25
26 //static int sniffState = SNF_INIT;
27 static uint8_t sniffUIDType = 0;
28 static uint8_t sniffUID[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
29 static uint8_t sniffATQA[2] = {0, 0};
30 static uint8_t sniffSAK = 0;
31 static uint8_t sniffBuf[17];
32 static uint32_t timerData = 0;
33
34 //-----------------------------------------------------------------------------
35 // MIFARE sniffer.
36 //
37 // if no activity for 2sec, it sends the collected data to the client.
38 //-----------------------------------------------------------------------------
39 // "hf mf sniff"
40 void RAMFUNC SniffMifare(uint8_t param) {
41 // param:
42 // bit 0 - trigger from first card answer
43 // bit 1 - trigger from first reader 7-bit request
44
45 // C(red) A(yellow) B(green)
46 LEDsoff();
47 iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
48
49 // Allocate memory from BigBuf for some buffers
50 // free all previous allocations first
51 BigBuf_free();
52 BigBuf_Clear_ext(false);
53 clear_trace();
54 set_tracing(true);
55
56 // The command (reader -> tag) that we're receiving.
57 uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00};
58 uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
59
60 // The response (tag -> reader) that we're receiving.
61 uint8_t receivedResp[MAX_MIFARE_FRAME_SIZE] = {0x00};
62 uint8_t receivedRespPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
63
64 // allocate the DMA buffer, used to stream samples from the FPGA
65 uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
66 uint8_t *data = dmaBuf;
67 uint8_t previous_data = 0;
68 int dataLen, maxDataLen = 0;
69 bool ReaderIsActive = false;
70 bool TagIsActive = false;
71
72 // We won't start recording the frames that we acquire until we trigger;
73 // a good trigger condition to get started is probably when we see a
74 // response from the tag.
75 // triggered == false -- to wait first for card
76 //bool triggered = !(param & 0x03);
77
78
79 // Set up the demodulator for tag -> reader responses.
80 Demod14aInit(receivedResp, receivedRespPar);
81
82 // Set up the demodulator for the reader -> tag commands
83 Uart14aInit(receivedCmd, sizeof(receivedCmd), receivedCmdPar);
84
85 // Setup and start DMA.
86 // set transfer address and number of bytes. Start transfer.
87 if (!FpgaSetupSscDma(dmaBuf, DMA_BUFFER_SIZE)) {
88 if (g_dbglevel > 1) Dbprintf("[!] FpgaSetupSscDma failed. Exiting");
89 return;
90 }
91
92 tUart14a *uart = GetUart14a();
93 tDemod14a *demod = GetDemod14a();
94
95 MfSniffInit();
96
97 uint32_t sniffCounter = 0;
98 // loop and listen
99 while (BUTTON_PRESS() == false) {
100 WDT_HIT();
101 LED_A_ON();
102 /*
103 if ((sniffCounter & 0x0000FFFF) == 0) { // from time to time
104 // check if a transaction is completed (timeout after 2000ms).
105 // if yes, stop the DMA transfer and send what we have so far to the client
106 if (BigBuf_get_traceLen()) {
107 MfSniffSend();
108 // Reset everything - we missed some sniffed data anyway while the DMA was stopped
109 sniffCounter = 0;
110 dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
111 data = dmaBuf;
112 maxDataLen = 0;
113 ReaderIsActive = false;
114 TagIsActive = false;
115 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
116 }
117 }
118 */
119
120 // number of bytes we have processed so far
121 int register readBufDataP = data - dmaBuf;
122 // number of bytes already transferred
123 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
124 if (readBufDataP <= dmaBufDataP) // we are processing the same block of data which is currently being transferred
125 dataLen = dmaBufDataP - readBufDataP; // number of bytes still to be processed
126 else
127 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP; // number of bytes still to be processed
128
129 // test for length of buffer
130 if (dataLen > maxDataLen) { // we are more behind than ever...
131 maxDataLen = dataLen;
132 if (dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
133 Dbprintf("[!] blew circular buffer! | datalen %u", dataLen);
134 break;
135 }
136 }
137 if (dataLen < 1) continue;
138
139 // primary buffer was stopped ( <-- we lost data!
140 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
141 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t)dmaBuf;
142 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
143 Dbprintf("[-] RxEmpty ERROR | data length %d", dataLen); // temporary
144 }
145 // secondary buffer sets as primary, secondary buffer was stopped
146 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
147 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t)dmaBuf;
148 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
149 }
150
151 LED_A_OFF();
152
153 // Need two samples to feed Miller and Manchester-Decoder
154 if (sniffCounter & 0x01) {
155
156 // no need to try decoding tag data if the reader is sending
157 if (!TagIsActive) {
158 uint8_t readerbyte = (previous_data & 0xF0) | (*data >> 4);
159 if (MillerDecoding(readerbyte, (sniffCounter - 1) * 4)) {
160 LogTrace(receivedCmd, uart->len, 0, 0, NULL, true);
161 Demod14aReset();
162 Uart14aReset();
163 }
164 ReaderIsActive = (uart->state != STATE_14A_UNSYNCD);
165 }
166
167 // no need to try decoding tag data if the reader is sending
168 if (!ReaderIsActive) {
169 uint8_t tagbyte = (previous_data << 4) | (*data & 0x0F);
170 if (ManchesterDecoding(tagbyte, 0, (sniffCounter - 1) * 4)) {
171 LogTrace(receivedResp, demod->len, 0, 0, NULL, false);
172 Demod14aReset();
173 Uart14aReset();
174 }
175 TagIsActive = (demod->state != DEMOD_14A_UNSYNCD);
176 }
177 }
178 previous_data = *data;
179 sniffCounter++;
180 data++;
181
182 if (data == dmaBuf + DMA_BUFFER_SIZE)
183 data = dmaBuf;
184
185 } // main cycle
186
187 MfSniffEnd();
188 switch_off();
189 }
190
191 void MfSniffInit(void) {
192 memset(sniffUID, 0x00, sizeof(sniffUID));
193 memset(sniffATQA, 0x00, sizeof(sniffATQA));
194 memset(sniffBuf, 0x00, sizeof(sniffBuf));
195 sniffSAK = 0;
196 sniffUIDType = SNF_UID_4;
197 timerData = 0;
198 }
199
200 void MfSniffEnd(void) {
201 LED_B_ON();
202 reply_old(CMD_ACK, 0, 0, 0, 0, 0);
203 LED_B_OFF();
204 }
205
206 /*
207 bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, uint16_t bitCnt, bool reader) {
208
209 // reset on 7-Bit commands from reader
210 if (reader && (len == 1) && (bitCnt == 7)) {
211 sniffState = SNF_INIT;
212 }
213
214
215
216 switch (sniffState) {
217 case SNF_INIT:{
218 // REQA,WUPA or MAGICWUP from reader
219 if ((len == 1) && (reader) && (bitCnt == 7) ) {
220 MfSniffInit();
221 sniffState = (data[0] == MIFARE_MAGICWUPC1) ? SNF_MAGIC_WUPC2 : SNF_ATQA;
222 }
223 break;
224 }
225 case SNF_MAGIC_WUPC2: {
226 if ((len == 1) && (reader) && (data[0] == MIFARE_MAGICWUPC2) ) {
227 sniffState = SNF_CARD_IDLE;
228 }
229 break;
230 }
231 case SNF_ATQA:{
232 // ATQA from tag
233 if ((!reader) && (len == 2)) {
234 sniffATQA[0] = data[0];
235 sniffATQA[1] = data[1];
236 sniffState = SNF_UID;
237 }
238 break;
239 }
240 case SNF_UID: {
241
242 if ( !reader ) break;
243 if ( len != 9 ) break;
244 if ( !CheckCrc14A(data, 9)) break;
245 if ( data[1] != 0x70 ) break;
246
247 Dbprintf("[!] UID | %x", data[0]);
248
249 if ((data[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT)) {
250 // UID_4 - select 4 Byte UID from reader
251 memcpy(sniffUID, data+2, 4);
252 sniffUIDType = SNF_UID_4;
253 sniffState = SNF_SAK;
254 } else if ((data[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2)) {
255 // UID_7 - Select 2nd part of 7 Byte UID
256
257 // get rid of 0x88
258 sniffUID[0] = sniffUID[1];
259 sniffUID[1] = sniffUID[2];
260 sniffUID[2] = sniffUID[3];
261 //new uid bytes
262 memcpy(sniffUID+3, data+2, 4);
263 sniffUIDType = SNF_UID_7;
264 sniffState = SNF_SAK;
265 } else if ((data[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3)) {
266 // UID_10 - Select 3nd part of 10 Byte UID
267 // 3+3+4 = 10.
268 // get ride of previous 0x88
269 sniffUID[3] = sniffUID[4];
270 sniffUID[4] = sniffUID[5];
271 sniffUID[5] = sniffUID[6];
272 // new uid bytes
273 memcpy(sniffUID+6, data+2, 4);
274 sniffUIDType = SNF_UID_10;
275 sniffState = SNF_SAK;
276 }
277 break;
278 }
279 case SNF_SAK:{
280 // SAK from card?
281 if ((!reader) && (len == 3) && (CheckCrc14A(data, 3))) {
282 sniffSAK = data[0];
283 // CL2 UID part to be expected
284 if (( sniffSAK == 0x04) && (sniffUIDType == SNF_UID_4)) {
285 sniffState = SNF_UID;
286 // CL3 UID part to be expected
287 } else if ((sniffSAK == 0x04) && (sniffUIDType == SNF_UID_7)) {
288 sniffState = SNF_UID;
289 } else {
290 // select completed
291 sniffState = SNF_CARD_IDLE;
292 }
293 }
294 break;
295 }
296 case SNF_CARD_IDLE:{ // trace the card select sequence
297 sniffBuf[0] = 0xFF;
298 sniffBuf[1] = 0xFF;
299 memcpy(sniffBuf + 2, sniffUID, sizeof(sniffUID));
300 memcpy(sniffBuf + 12, sniffATQA, sizeof(sniffATQA));
301 sniffBuf[14] = sniffSAK;
302 sniffBuf[15] = 0xFF;
303 sniffBuf[16] = 0xFF;
304 LogTrace(sniffBuf, sizeof(sniffBuf), 0, 0, NULL, true);
305 sniffState = SNF_CARD_CMD;
306 } // intentionally no break;
307 case SNF_CARD_CMD:{
308 LogTrace(data, len, 0, 0, NULL, reader);
309 timerData = GetTickCount();
310 break;
311 }
312 default:
313 sniffState = SNF_INIT;
314 break;
315 }
316 return false;
317 }
318 */
319
320 void RAMFUNC MfSniffSend(void) {
321 uint16_t tracelen = BigBuf_get_traceLen();
322 int packlen = tracelen; // total number of bytes to send
323 uint8_t *data = BigBuf_get_addr();
324
325 while (packlen > 0) {
326 LED_B_ON();
327 uint16_t chunksize = MIN(PM3_CMD_DATA_SIZE, packlen); // chunk size 512
328 reply_old(CMD_ACK, 1, tracelen, chunksize, data + tracelen - packlen, chunksize);
329 packlen -= chunksize;
330 LED_B_OFF();
331 }
332
333 LED_B_ON();
334 reply_old(CMD_ACK, 2, 0, 0, 0, 0); // 2 == data transfer finished.
335 LED_B_OFF();
336 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware