search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
text
[RRG-proxmark3.git] / armsrc / hitagS.c
blob7d396196e3af36af57fe4f3b1bc57d96a87f6df1
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // HitagS emulation (preliminary test version)
7 //
8 // (c) 2016 Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg
9 // <info@os-s.de>
10 //-----------------------------------------------------------------------------
11 // Some code was copied from Hitag2.c
12 //-----------------------------------------------------------------------------
13 // bosb 2020
14
15 #include "hitagS.h"
16
17 #include "proxmark3_arm.h"
18 #include "cmd.h"
19 #include "BigBuf.h"
20 #include "fpgaloader.h"
21 #include "ticks.h"
22 #include "dbprint.h"
23 #include "util.h"
24 #include "string.h"
25 #include "commonutil.h"
26 #include "hitag2_crypto.h"
27 #include "lfadc.h"
28
29 #define CRC_PRESET 0xFF
30 #define CRC_POLYNOM 0x1D
31
32 static bool bQuiet;
33 static bool bSuccessful;
34 static struct hitagS_tag tag;
35 static uint8_t page_to_be_written = 0;
36 static int block_data_left = 0;
37
38 typedef enum modulation {
39 AC2K = 0,
40 AC4K,
41 MC4K,
42 MC8K
43 } MOD;
44
45 static MOD m = AC2K; // used modulation
46 static uint32_t temp_uid;
47 static int temp2 = 0;
48 static int sof_bits; // number of start-of-frame bits
49 static uint8_t pwdh0, pwdl0, pwdl1; // password bytes
50 static uint32_t rnd = 0x74124485; // randomnumber
51 static bool end = false;
52 //#define SENDBIT_TEST
53
54 /* array index 3 2 1 0 // bytes in sim.bin file are 0 1 2 3
55 // UID is 0 1 2 3 // tag.uid is 3210
56 // datasheet HitagS_V11.pdf bytes in tables printed 3 2 1 0
57
58 #db# UID: 5F C2 11 84
59 #db# conf0: C9 conf1: 00 conf2: 00
60 3 2 1 0
61 #db# Page[ 0]: 84 11 C2 5F uid
62 #db# Page[ 1]: AA 00 00 C9 conf, HITAG S 256
63 #db# Page[ 2]: 4E 4F 54 48
64 #db# Page[ 3]: 52 4B 49 4D
65 #db# Page[ 4]: 00 00 00 00
66 #db# Page[ 5]: 00 00 00 00
67 #db# Page[ 6]: 00 00 00 00
68 #db# Page[ 7]: 4B 4F 5F 57 */
69
70 #define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b))
71 #define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b)))
72 #define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c))))
73
74 // Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
75 // TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
76 // Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
77 // T0 = TIMER_CLOCK1 / 125000 = 192
78 #ifndef T0
79 #define T0 192
80 #endif
81
82 #define HITAG_FRAME_LEN 20
83 #define HITAG_T_STOP 36 /* T_EOF should be > 36 */
84 #define HITAG_T_LOW 8 /* T_LOW should be 4..10 */
85 #define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
86 #define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */
87 //#define HITAG_T_EOF 40 /* T_EOF should be > 36 */
88 #define HITAG_T_EOF 80 /* T_EOF should be > 36 */
89 #define HITAG_T_WAIT_1 200 /* T_wresp should be 199..206 */
90 #define HITAG_T_WAIT_2 90 /* T_wresp should be 199..206 */
91 #define HITAG_T_WAIT_MAX 300 /* bit more than HITAG_T_WAIT_1 + HITAG_T_WAIT_2 */
92
93 #define HITAG_T_TAG_ONE_HALF_PERIOD 10
94 #define HITAG_T_TAG_TWO_HALF_PERIOD 25
95 #define HITAG_T_TAG_THREE_HALF_PERIOD 41
96 #define HITAG_T_TAG_FOUR_HALF_PERIOD 57
97
98 #define HITAG_T_TAG_HALF_PERIOD 16
99 #define HITAG_T_TAG_FULL_PERIOD 32
100
101 #define HITAG_T_TAG_CAPTURE_ONE_HALF 13
102 #define HITAG_T_TAG_CAPTURE_TWO_HALF 25
103 #define HITAG_T_TAG_CAPTURE_THREE_HALF 41
104 #define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
105
106 /*
107 * Implementation of the crc8 calculation from Hitag S
108 * from http://www.proxmark.org/files/Documents/125%20kHz%20-%20Hitag/HitagS.V11.pdf
109 */
110 static void calc_crc(unsigned char *crc, unsigned char data, unsigned char Bitcount) {
111 *crc ^= data; // crc = crc (exor) data
112 do {
113 if (*crc & 0x80) { // if (MSB-CRC == 1)
114 *crc <<= 1; // CRC = CRC Bit-shift left
115 *crc ^= CRC_POLYNOM; // CRC = CRC (exor) CRC_POLYNOM
116 } else {
117 *crc <<= 1; // CRC = CRC Bit-shift left
118 }
119 } while (--Bitcount);
120 }
121
122 static void hitag_send_bit(int bit) {
123 LED_A_ON();
124 // Reset clock for the next bit
125 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
126
127 switch (m) {
128 case AC2K:
129 if (bit == 0) {
130 // AC Coding --__
131 HIGH(GPIO_SSC_DOUT);
132 while (AT91C_BASE_TC0->TC_CV < T0 * 32) {};
133
134 LOW(GPIO_SSC_DOUT);
135 while (AT91C_BASE_TC0->TC_CV < T0 * 64) {};
136
137 } else {
138 // AC coding -_-_
139 HIGH(GPIO_SSC_DOUT);
140 while (AT91C_BASE_TC0->TC_CV < T0 * 16) {};
141
142 LOW(GPIO_SSC_DOUT);
143 while (AT91C_BASE_TC0->TC_CV < T0 * 32) {};
144
145 HIGH(GPIO_SSC_DOUT);
146 while (AT91C_BASE_TC0->TC_CV < T0 * 48) {};
147
148 LOW(GPIO_SSC_DOUT);
149 while (AT91C_BASE_TC0->TC_CV < T0 * 64) {};
150
151 }
152 LED_A_OFF();
153 break;
154 case AC4K:
155 if (bit == 0) {
156 // AC Coding --__
157 HIGH(GPIO_SSC_DOUT);
158 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_HALF_PERIOD) {};
159
160 LOW(GPIO_SSC_DOUT);
161 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_FULL_PERIOD) {};
162
163 } else {
164 // AC coding -_-_
165 HIGH(GPIO_SSC_DOUT);
166 while (AT91C_BASE_TC0->TC_CV < T0 * 8) {};
167
168 LOW(GPIO_SSC_DOUT);
169 while (AT91C_BASE_TC0->TC_CV < T0 * 16) {};
170
171 HIGH(GPIO_SSC_DOUT);
172 while (AT91C_BASE_TC0->TC_CV < T0 * 24) {};
173
174 LOW(GPIO_SSC_DOUT);
175 while (AT91C_BASE_TC0->TC_CV < T0 * 32) {};
176 }
177 LED_A_OFF();
178 break;
179 case MC4K:
180 if (bit == 0) {
181 // Manchester: Unloaded, then loaded |__--|
182 LOW(GPIO_SSC_DOUT);
183 while (AT91C_BASE_TC0->TC_CV < T0 * 16) {};
184
185 HIGH(GPIO_SSC_DOUT);
186 while (AT91C_BASE_TC0->TC_CV < T0 * 32) {};
187
188 } else {
189 // Manchester: Loaded, then unloaded |--__|
190 HIGH(GPIO_SSC_DOUT);
191 while (AT91C_BASE_TC0->TC_CV < T0 * 16) {};
192
193 LOW(GPIO_SSC_DOUT);
194 while (AT91C_BASE_TC0->TC_CV < T0 * 32) {};
195
196 }
197 LED_A_OFF();
198 break;
199 case MC8K:
200 if (bit == 0) {
201 // Manchester: Unloaded, then loaded |__--|
202 LOW(GPIO_SSC_DOUT);
203 while (AT91C_BASE_TC0->TC_CV < T0 * 8) {};
204
205 HIGH(GPIO_SSC_DOUT);
206 while (AT91C_BASE_TC0->TC_CV < T0 * 16) {};
207
208 } else {
209 // Manchester: Loaded, then unloaded |--__|
210 HIGH(GPIO_SSC_DOUT);
211 while (AT91C_BASE_TC0->TC_CV < T0 * 8) {};
212
213 LOW(GPIO_SSC_DOUT);
214 while (AT91C_BASE_TC0->TC_CV < T0 * 16) {};
215
216 }
217 LED_A_OFF();
218 break;
219 default:
220 break;
221 }
222 }
223
224 static void hitag_send_frame(const uint8_t *frame, size_t frame_len) {
225 if (DBGLEVEL >= DBG_EXTENDED)
226 Dbprintf("hitag_send_frame: (%i) %02X %02X %02X %02X", frame_len, frame[0], frame[1], frame[2], frame[3]);
227 // The beginning of the frame is hidden in some high level; pause until our bits will have an effect
228 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
229 HIGH(GPIO_SSC_DOUT);
230 switch (m) {
231 case AC4K:
232 case MC8K:
233 while (AT91C_BASE_TC0->TC_CV < T0 * 40) {}; //FADV
234 break;
235 case AC2K:
236 case MC4K:
237 while (AT91C_BASE_TC0->TC_CV < T0 * 20) {}; //STD + ADV
238 break;
239 }
240
241 // SOF - send start of frame
242 for (size_t i = 0; i < sof_bits; i++) {
243 hitag_send_bit(1);
244 }
245
246 // Send the content of the frame
247 for (size_t i = 0; i < frame_len; i++) {
248 hitag_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
249 }
250
251 LOW(GPIO_SSC_DOUT);
252 }
253
254 static void hitag_reader_send_bit(int bit) {
255
256 LED_A_ON();
257 // Reset clock for the next bit
258 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
259
260 // Binary puls length modulation (BPLM) is used to encode the data stream
261 // This means that a transmission of a one takes longer than that of a zero
262
263 HIGH(GPIO_SSC_DOUT);
264
265 #ifdef SENDBIT_TEST
266 // Wait for 4-10 times the carrier period
267 while (AT91C_BASE_TC0->TC_CV < T0 * 6) {};
268
269 LOW(GPIO_SSC_DOUT);
270
271 if (bit == 0) {
272 // Zero bit: |_-|
273 while (AT91C_BASE_TC0->TC_CV < T0 * 11) {};
274 } else {
275 // One bit: |_--|
276 while (AT91C_BASE_TC0->TC_CV < T0 * 14) {};
277 }
278 #else
279 // Wait for 4-10 times the carrier period
280 while (AT91C_BASE_TC0->TC_CV < T0 * 6) {};
281
282 LOW(GPIO_SSC_DOUT);
283
284 if (bit == 0) {
285 // Zero bit: |_-|
286 while (AT91C_BASE_TC0->TC_CV < T0 * 22) {};
287 } else {
288 // One bit: |_--|
289 while (AT91C_BASE_TC0->TC_CV < T0 * 28) {};
290 }
291 #endif
292
293 LED_A_OFF();
294 }
295
296 static void hitag_reader_send_frame(const uint8_t *frame, size_t frame_len) {
297 // Send the content of the frame
298 for (size_t i = 0; i < frame_len; i++) {
299 // if (frame[0] == 0xf8) {
300 //Dbprintf("BIT: %d",(frame[i / 8] >> (7 - (i % 8))) & 1);
301 // }
302 hitag_reader_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
303 }
304 // send EOF
305 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
306
307 HIGH(GPIO_SSC_DOUT);
308
309 // Wait for 4-10 times the carrier period
310 while (AT91C_BASE_TC0->TC_CV < T0 * 6) {};
311
312 LOW(GPIO_SSC_DOUT);
313 }
314
315 /*
316 * to check if the right uid was selected
317 */
318 static int check_select(uint8_t *rx, uint32_t uid) {
319 unsigned char resp[48];
320 uint32_t ans = 0x0;
321 for (int i = 0; i < 48; i++)
322 resp[i] = (rx[i / 8] >> (7 - (i % 8))) & 0x1;
323 for (int i = 0; i < 32; i++)
324 ans += resp[5 + i] << (31 - i);
325
326 temp_uid = ans;
327 if (ans == tag.uid)
328 return 1;
329
330 return 0;
331 }
332
333 static void hitagS_set_frame_modulation(void) {
334 switch (tag.mode) {
335 case HT_STANDARD:
336 sof_bits = 1;
337 m = MC4K;
338 break;
339 case HT_ADVANCED:
340 sof_bits = 6;
341 m = MC4K;
342 break;
343 case HT_FAST_ADVANCED:
344 sof_bits = 6;
345 m = MC8K;
346 break;
347 default:
348 break;
349 }
350 }
351
352 /*
353 * handles all commands from a reader
354 */
355 static void hitagS_handle_reader_command(uint8_t *rx, const size_t rxlen,
356 uint8_t *tx, size_t *txlen) {
357 uint8_t rx_air[HITAG_FRAME_LEN];
358 uint64_t state;
359 unsigned char crc;
360
361 // Copy the (original) received frame how it is send over the air
362 memcpy(rx_air, rx, nbytes(rxlen));
363
364 // Reset the transmission frame length
365 *txlen = 0;
366
367 // Try to find out which command was send by selecting on length (in bits)
368 switch (rxlen) {
369 case 5: {
370 //UID request with a selected response protocol mode
371 if (DBGLEVEL >= DBG_EXTENDED)
372 Dbprintf("UID request: length: %i first byte: %02x", rxlen, rx[0]);
373 tag.pstate = HT_READY;
374 tag.tstate = HT_NO_OP;
375 if ((rx[0] & 0xf0) == 0x30) {
376 if (DBGLEVEL >= DBG_EXTENDED)
377 Dbprintf("HT_STANDARD");
378 tag.mode = HT_STANDARD;
379 sof_bits = 1;
380 m = AC2K;
381 }
382 if ((rx[0] & 0xf0) == 0xc0) {
383 tag.mode = HT_ADVANCED;
384 if (DBGLEVEL >= DBG_EXTENDED)
385 Dbprintf("HT_ADVANCED");
386 sof_bits = 3;
387 m = AC2K;
388 }
389
390 if ((rx[0] & 0xf0) == 0xd0) {
391 if (DBGLEVEL >= DBG_EXTENDED)
392 Dbprintf("HT_FAST_ADVANCED");
393 tag.mode = HT_FAST_ADVANCED;
394 sof_bits = 3;
395 m = AC4K;
396 }
397 //send uid as a response
398 *txlen = 32;
399 for (int i = 0; i < 4; i++)
400 tx[i] = (tag.uid >> (24 - (i * 8))) & 0xff;
401 }
402 break;
403 case 45: {
404 //select command from reader received
405 if (DBGLEVEL >= DBG_EXTENDED)
406 DbpString("SELECT");
407 if (check_select(rx, tag.uid) == 1) {
408 if (DBGLEVEL >= DBG_EXTENDED)
409 DbpString("SELECT match");
410 //if the right tag was selected
411 *txlen = 32;
412 hitagS_set_frame_modulation();
413
414 //send configuration
415 for (int i = 0; i < 4; i++)
416 tx[i] = tag.pages[1][i];
417 tx[3] = 0xff;
418 if (tag.mode != HT_STANDARD) {
419 *txlen = 40;
420 crc = CRC_PRESET;
421 for (int i = 0; i < 4; i++)
422 calc_crc(&crc, tx[i], 8);
423 tx[4] = crc;
424 }
425 }
426 }
427 break;
428 case 64: {
429 //challenge message received
430 Dbprintf("Challenge for UID: %X", temp_uid);
431 temp2++;
432 *txlen = 32;
433 state = _hitag2_init(REV64(tag.key),
434 REV32((tag.pages[0][3] << 24) + (tag.pages[0][2] << 16) + (tag.pages[0][1] << 8) + tag.pages[0][0]),
435 REV32((rx[3] << 24) + (rx[2] << 16) + (rx[1] << 8) + rx[0])
436 );
437 Dbprintf(",{0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X}",
438 rx[0], rx[1], rx[2], rx[3], rx[4], rx[5], rx[6], rx[7]);
439
440 hitagS_set_frame_modulation();
441
442 for (int i = 0; i < 4; i++)
443 _hitag2_byte(&state);
444
445 //send con2, pwdh0, pwdl0, pwdl1 encrypted as a response
446 tx[0] = _hitag2_byte(&state) ^ tag.pages[1][2];
447 tx[1] = _hitag2_byte(&state) ^ tag.pwdh0;
448 tx[2] = _hitag2_byte(&state) ^ tag.pwdl0;
449 tx[3] = _hitag2_byte(&state) ^ tag.pwdl1;
450 if (tag.mode != HT_STANDARD) {
451 //add crc8
452 *txlen = 40;
453 crc = CRC_PRESET;
454 calc_crc(&crc, tag.pages[1][2], 8);
455 calc_crc(&crc, tag.pwdh0, 8);
456 calc_crc(&crc, tag.pwdl0, 8);
457 calc_crc(&crc, tag.pwdl1, 8);
458 tx[4] = (crc ^ _hitag2_byte(&state));
459 }
460 /*
461 * some readers do not allow to authenticate multiple times in a row with the same tag.
462 * use this to change the uid between authentications.
463
464 if (temp2 % 2 == 0) {
465 tag.uid = 0x11223344;
466 tag.pages[0][0] = 0x11;
467 tag.pages[0][1] = 0x22;
468 tag.pages[0][2] = 0x33;
469 tag.pages[0][3] = 0x44;
470 } else {
471 tag.uid = 0x55667788;
472 tag.pages[0][0] = 0x55;
473 tag.pages[0][1] = 0x66;
474 tag.pages[0][2] = 0x77;
475 tag.pages[0][3] = 0x88;
476 }
477 */
478 }
479 break;
480 case 40:
481 if (DBGLEVEL >= DBG_EXTENDED)
482 Dbprintf("WRITE");
483 //data received to be written
484 if (tag.tstate == HT_WRITING_PAGE_DATA) {
485 tag.tstate = HT_NO_OP;
486 tag.pages[page_to_be_written][0] = rx[0];
487 tag.pages[page_to_be_written][1] = rx[1];
488 tag.pages[page_to_be_written][2] = rx[2];
489 tag.pages[page_to_be_written][3] = rx[3];
490 //send ack
491 *txlen = 2;
492 tx[0] = 0x40;
493 page_to_be_written = 0;
494 hitagS_set_frame_modulation();
495 } else if (tag.tstate == HT_WRITING_BLOCK_DATA) {
496 tag.pages[page_to_be_written][0] = rx[0];
497 tag.pages[page_to_be_written][1] = rx[1];
498 tag.pages[page_to_be_written][2] = rx[2];
499 tag.pages[page_to_be_written][3] = rx[3];
500 //send ack
501 *txlen = 2;
502 tx[0] = 0x40;
503 hitagS_set_frame_modulation();
504 page_to_be_written++;
505 block_data_left--;
506 if (block_data_left == 0) {
507 tag.tstate = HT_NO_OP;
508 page_to_be_written = 0;
509 }
510 }
511 break;
512 case 20: {
513 //write page, write block, read page or read block command received
514 if ((rx[0] & 0xf0) == 0xc0) { //read page
515 //send page data
516 uint8_t page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
517 *txlen = 32;
518 tx[0] = tag.pages[page][0];
519 tx[1] = tag.pages[page][1];
520 tx[2] = tag.pages[page][2];
521 tx[3] = tag.pages[page][3];
522 if (tag.LKP && page == 1)
523 tx[3] = 0xff;
524
525 hitagS_set_frame_modulation();
526
527 if (tag.mode != HT_STANDARD) {
528 //add crc8
529 *txlen = 40;
530 crc = CRC_PRESET;
531 for (int i = 0; i < 4; i++)
532 calc_crc(&crc, tx[i], 8);
533 tx[4] = crc;
534 }
535
536 if (tag.LKP && (page == 2 || page == 3)) {
537 //if reader asks for key or password and the LKP-mark is set do not respond
538 sof_bits = 0;
539 *txlen = 0;
540 }
541 } else if ((rx[0] & 0xf0) == 0xd0) { //read block
542 uint8_t page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
543 *txlen = 32 * 4;
544 //send page,...,page+3 data
545 for (int i = 0; i < 4; i++) {
546 tx[0 + i * 4] = tag.pages[page + 0 + i * 4][0];
547 tx[1 + i * 4] = tag.pages[page + 1 + i * 4][1];
548 tx[2 + i * 4] = tag.pages[page + 2 + i * 4][2];
549 tx[3 + i * 4] = tag.pages[page + 3 + i * 4][3];
550 }
551
552 hitagS_set_frame_modulation();
553
554 if (tag.mode != HT_STANDARD) {
555 //add crc8
556 *txlen = 32 * 4 + 8;
557 crc = CRC_PRESET;
558 for (int i = 0; i < 16; i++)
559 calc_crc(&crc, tx[i], 8);
560 tx[16] = crc;
561 }
562
563 if ((page) % 4 != 0 || (tag.LKP && (page) == 0)) {
564 sof_bits = 0;
565 *txlen = 0;
566 }
567 } else if ((rx[0] & 0xf0) == 0x80) { //write page
568 uint8_t page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
569 if ((tag.LCON && page == 1)
570 || (tag.LKP && (page == 2 || page == 3))) {
571 //deny
572 *txlen = 0;
573 } else {
574 //allow
575 *txlen = 2;
576 tx[0] = 0x40;
577 page_to_be_written = page;
578 tag.tstate = HT_WRITING_PAGE_DATA;
579 }
580
581 } else if ((rx[0] & 0xf0) == 0x90) { //write block
582 uint8_t page = ((rx[0] & 0x0f) * 6) + ((rx[1] & 0xf0) / 16);
583 hitagS_set_frame_modulation();
584 if (page % 4 != 0 || page == 0) {
585 //deny
586 *txlen = 0;
587 } else {
588 //allow
589 *txlen = 2;
590 tx[0] = 0x40;
591 page_to_be_written = page;
592 block_data_left = 4;
593 tag.tstate = HT_WRITING_BLOCK_DATA;
594 }
595 }
596 }
597 break;
598 default:
599 if (DBGLEVEL >= DBG_EXTENDED)
600 Dbprintf("unknown rxlen: (%i) %02X %02X %02X %02X ...", rxlen, rx[0], rx[1], rx[2], rx[3]);
601 break;
602 }
603 }
604
605 /*
606 * to autenticate to a tag with the given key or challenge
607 */
608 static int hitagS_handle_tag_auth(hitag_function htf, uint64_t key, uint64_t NrAr, uint8_t *rx, const size_t rxlen, uint8_t *tx, size_t *txlen) {
609 uint8_t rx_air[HITAG_FRAME_LEN];
610 int response_bit[200];
611 unsigned char mask = 1;
612 unsigned char uid[32];
613 unsigned char crc;
614 uint64_t state;
615 uint8_t auth_ks[4];
616 uint8_t conf_pages[3];
617 memcpy(rx_air, rx, nbytes(rxlen));
618 *txlen = 0;
619
620 if (tag.pstate == HT_READY && rxlen >= 67) {
621 //received uid
622 if (end == true) {
623 Dbprintf("authentication failed!");
624 return -1;
625 }
626 int z = 0;
627 for (int i = 0; i < 10; i++) {
628 for (int j = 0; j < 8; j++) {
629 response_bit[z] = 0;
630 if ((rx[i] & ((mask << 7) >> j)) != 0)
631 response_bit[z] = 1;
632 z++;
633 }
634 }
635 uint16_t k = 0;
636 for (int i = 5; i < z; i += 2) {
637 uid[k] = response_bit[i];
638 k++;
639 if (k > 31)
640 break;
641 }
642 uint8_t uid1 = (uid[0] << 7)
643 | (uid[1] << 6)
644 | (uid[2] << 5)
645 | (uid[3] << 4)
646 | (uid[4] << 3)
647 | (uid[5] << 2)
648 | (uid[6] << 1)
649 | uid[7];
650
651 uint8_t uid2 = (uid[8] << 7)
652 | (uid[9] << 6)
653 | (uid[10] << 5)
654 | (uid[11] << 4)
655 | (uid[12] << 3)
656 | (uid[13] << 2)
657 | (uid[14] << 1)
658 | uid[15];
659
660 uint8_t uid3 = (uid[16] << 7)
661 | (uid[17] << 6)
662 | (uid[18] << 5)
663 | (uid[19] << 4)
664 | (uid[20] << 3)
665 | (uid[21] << 2)
666 | (uid[22] << 1)
667 | uid[23];
668
669 uint8_t uid4 = (uid[24] << 7)
670 | (uid[25] << 6)
671 | (uid[26] << 5)
672 | (uid[27] << 4)
673 | (uid[28] << 3)
674 | (uid[29] << 2)
675 | (uid[30] << 1)
676 | uid[31];
677
678 if (DBGLEVEL >= DBG_EXTENDED)
679 Dbprintf("UID: %02X %02X %02X %02X", uid1, uid2, uid3, uid4);
680
681 tag.uid = (uid4 << 24 | uid3 << 16 | uid2 << 8 | uid1);
682
683 //select uid
684 *txlen = 45;
685 crc = CRC_PRESET;
686 calc_crc(&crc, 0x00, 5);
687 calc_crc(&crc, uid1, 8);
688 calc_crc(&crc, uid2, 8);
689 calc_crc(&crc, uid3, 8);
690 calc_crc(&crc, uid4, 8);
691
692 for (int i = 0; i < 100; i++) {
693 response_bit[i] = 0;
694 }
695
696 for (int i = 0; i < 5; i++) {
697 response_bit[i] = 0;
698 }
699 {
700 int i = 5;
701 for (; i < 37; i++) {
702 response_bit[i] = uid[i - 5];
703 }
704
705 for (int j = 0; j < 8; j++) {
706 response_bit[i] = 0;
707 if ((crc & ((mask << 7) >> j)) != 0)
708 response_bit[i] = 1;
709 i++;
710 }
711 }
712 k = 0;
713 for (int i = 0; i < 6; i++) {
714 tx[i] = (response_bit[k] << 7)
715 | (response_bit[k + 1] << 6)
716 | (response_bit[k + 2] << 5)
717 | (response_bit[k + 3] << 4)
718 | (response_bit[k + 4] << 3)
719 | (response_bit[k + 5] << 2)
720 | (response_bit[k + 6] << 1)
721 | response_bit[k + 7];
722
723 k += 8;
724 }
725
726 tag.pstate = HT_INIT;
727 } else if (tag.pstate == HT_INIT && rxlen == 44) {
728 // received configuration after select command
729 int z = 0;
730 for (int i = 0; i < 6; i++) {
731 for (int j = 0; j < 8; j++) {
732 response_bit[z] = 0;
733 if ((rx[i] & ((mask << 7) >> j)) != 0)
734 response_bit[z] = 1;
735 z++;
736 }
737 }
738 conf_pages[0] = ((response_bit[4] << 7) | (response_bit[5] << 6)
739 | (response_bit[6] << 5) | (response_bit[7] << 4)
740 | (response_bit[8] << 3) | (response_bit[9] << 2)
741 | (response_bit[10] << 1) | response_bit[11]);
742 //check wich memorysize this tag has
743 if (response_bit[10] == 0 && response_bit[11] == 0)
744 tag.max_page = 32 / 32;
745 if (response_bit[10] == 0 && response_bit[11] == 1)
746 tag.max_page = 256 / 32;
747 if (response_bit[10] == 1 && response_bit[11] == 0)
748 tag.max_page = 2048 / 32;
749 conf_pages[1] = ((response_bit[12] << 7) | (response_bit[13] << 6)
750 | (response_bit[14] << 5) | (response_bit[15] << 4)
751 | (response_bit[16] << 3) | (response_bit[17] << 2)
752 | (response_bit[18] << 1) | response_bit[19]);
753 tag.auth = response_bit[12];
754 tag.TTFC = response_bit[13];
755 //tag.TTFDR in response_bit[14] and response_bit[15]
756 //tag.TTFM in response_bit[16] and response_bit[17]
757 tag.LCON = response_bit[18];
758 tag.LKP = response_bit[19];
759 conf_pages[2] = ((response_bit[20] << 7) | (response_bit[21] << 6)
760 | (response_bit[22] << 5) | (response_bit[23] << 4)
761 | (response_bit[24] << 3) | (response_bit[25] << 2)
762 | (response_bit[26] << 1) | response_bit[27]);
763 tag.LCK7 = response_bit[20];
764 tag.LCK6 = response_bit[21];
765 tag.LCK5 = response_bit[22];
766 tag.LCK4 = response_bit[23];
767 tag.LCK3 = response_bit[24];
768 tag.LCK2 = response_bit[25];
769 tag.LCK1 = response_bit[26];
770 tag.LCK0 = response_bit[27];
771
772 if (DBGLEVEL >= DBG_EXTENDED)
773 Dbprintf("conf0: %02X conf1: %02X conf2: %02X", conf_pages[0], conf_pages[1], conf_pages[2]);
774
775 if (tag.auth == 1) {
776 //if the tag is in authentication mode try the key or challenge
777 *txlen = 64;
778 if (end != true) {
779 if (htf == 02 || htf == 04) { //RHTS_KEY //WHTS_KEY
780 state = _hitag2_init(REV64(key), REV32(tag.uid), REV32(rnd));
781
782 for (int i = 0; i < 4; i++) {
783 auth_ks[i] = _hitag2_byte(&state) ^ 0xff;
784 }
785 *txlen = 64;
786 tx[0] = rnd & 0xff;
787 tx[1] = (rnd >> 8) & 0xff;
788 tx[2] = (rnd >> 16) & 0xff;
789 tx[3] = (rnd >> 24) & 0xff;
790
791 tx[4] = auth_ks[0];
792 tx[5] = auth_ks[1];
793 tx[6] = auth_ks[2];
794 tx[7] = auth_ks[3];
795 if (DBGLEVEL >= DBG_EXTENDED)
796 Dbprintf("%02X %02X %02X %02X %02X %02X %02X %02X", tx[0],
797 tx[1], tx[2], tx[3], tx[4], tx[5], tx[6], tx[7]);
798 } else if (htf == 01 || htf == 03) { //RHTS_CHALLENGE //WHTS_CHALLENGE
799 for (int i = 0; i < 8; i++)
800 tx[i] = ((NrAr >> (56 - (i * 8))) & 0xff);
801 }
802 end = true;
803 tag.pstate = HT_AUTHENTICATE;
804 } else {
805 Dbprintf("authentication failed!");
806 return -1;
807 }
808 } else if (tag.auth == 0) {
809 tag.pstate = HT_SELECTED;
810 }
811
812 } else if (tag.pstate == HT_AUTHENTICATE && rxlen == 44) {
813 //encrypted con2,password received.
814 crc = CRC_PRESET;
815 calc_crc(&crc, 0x80, 1);
816 calc_crc(&crc, ((rx[0] & 0x0f) * 16 + ((rx[1] & 0xf0) / 16)), 8);
817 calc_crc(&crc, ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16)), 8);
818 calc_crc(&crc, ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16)), 8);
819 calc_crc(&crc, ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16)), 8);
820 if (DBGLEVEL >= DBG_EXTENDED) {
821 Dbprintf("UID:::%X", tag.uid);
822 Dbprintf("RND:::%X", rnd);
823 }
824
825 //decrypt password
826 pwdh0 = 0;
827 pwdl0 = 0;
828 pwdl1 = 0;
829 if (htf == 02 || htf == 04) { //RHTS_KEY //WHTS_KEY
830 {
831 state = _hitag2_init(REV64(key), REV32(tag.uid), REV32(rnd));
832 for (int i = 0; i < 5; i++)
833 _hitag2_byte(&state);
834
835 pwdh0 = ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16)) ^ _hitag2_byte(&state);
836 pwdl0 = ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16)) ^ _hitag2_byte(&state);
837 pwdl1 = ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16)) ^ _hitag2_byte(&state);
838 }
839
840 if (DBGLEVEL >= DBG_EXTENDED)
841 Dbprintf("pwdh0 %02X pwdl0 %02X pwdl1 %02X", pwdh0, pwdl0, pwdl1);
842
843 //Dbprintf("%X %02X", rnd, ((rx[4] & 0x0f) * 16) + ((rx[5] & 0xf0) / 16));
844 //rnd += 1;
845 }
846 tag.pstate = HT_SELECTED; //tag is now ready for read/write commands
847 }
848 return 0;
849
850 }
851
852 /*
853 * Emulates a Hitag S Tag with the given data from the .hts file
854 */
855 void SimulateHitagSTag(bool tag_mem_supplied, uint8_t *data) {
856
857 StopTicks();
858
859 // int frame_count = 0;
860 int response = 0, overflow = 0;
861 int i, j;
862 uint8_t rx[HITAG_FRAME_LEN];
863 size_t rxlen = 0;
864 bQuiet = false;
865 uint8_t txbuf[HITAG_FRAME_LEN];
866 uint8_t *tx = txbuf;
867 size_t txlen = 0;
868
869 // Reset the received frame, frame count and timing info
870 memset(rx, 0x00, sizeof(rx));
871
872 // free eventually allocated BigBuf memory
873 BigBuf_free();
874 BigBuf_Clear_ext(false);
875
876 // Clean up trace and prepare it for storing frames
877 set_tracing(true);
878 clear_trace();
879
880 DbpString("Starting HitagS simulation");
881 LED_D_ON();
882
883 tag.pstate = HT_READY;
884 tag.tstate = HT_NO_OP;
885
886 // read tag data into memory
887 if (tag_mem_supplied) {
888 for (i = 0; i < 16; i++)
889 for (j = 0; j < 4; j++)
890 tag.pages[i][j] = 0x0;
891
892 DbpString("Loading hitagS memory...");
893 memcpy((uint8_t *)tag.pages, data, 4 * 64);
894 } else {
895 // use the last read tag
896 }
897
898 tag.uid = ((tag.pages[0][3]) << 24) | ((tag.pages[0][2]) << 16) | ((tag.pages[0][1]) << 8) | tag.pages[0][0];
899 tag.key = (((uint64_t)tag.pages[3][3]) << 40) |
900 (((uint64_t)tag.pages[3][2]) << 32) |
901 (((uint64_t)tag.pages[3][1]) << 24) |
902 (((uint64_t)tag.pages[3][0]) << 16) |
903 (((uint64_t)tag.pages[2][3]) << 8) |
904 (((uint64_t)tag.pages[2][2]));
905 tag.pwdl0 = tag.pages[2][0];
906 tag.pwdl1 = tag.pages[2][1];
907 tag.pwdh0 = tag.pages[1][3];
908 //con0
909 tag.max_page = 64;
910 if ((tag.pages[1][0] & 0x2) == 0 && (tag.pages[1][0] & 0x1) == 1)
911 tag.max_page = 8;
912 if ((tag.pages[1][0] & 0x2) == 0 && (tag.pages[1][0] & 0x1) == 0)
913 tag.max_page = 0;
914 if (DBGLEVEL >= DBG_EXTENDED)
915 for (i = 0; i < tag.max_page; i++)
916 Dbprintf("Page[%2d]: %02X %02X %02X %02X", i,
917 (tag.pages[i][3]) & 0xff,
918 (tag.pages[i][2]) & 0xff,
919 (tag.pages[i][1]) & 0xff,
920 tag.pages[i][0] & 0xff);
921 //con1
922 tag.auth = 0;
923 if ((tag.pages[1][1] & 0x80) == 0x80)
924 tag.auth = 1;
925 tag.LCON = 0;
926 if ((tag.pages[1][1] & 0x2) == 0x02)
927 tag.LCON = 1;
928 tag.LKP = 0;
929 if ((tag.pages[1][1] & 0x1) == 0x01)
930 tag.LKP = 1;
931 //con2
932 //0=read write 1=read only
933 tag.LCK7 = 0;
934 if ((tag.pages[1][2] & 0x80) == 0x80)
935 tag.LCK7 = 1;
936 tag.LCK6 = 0;
937 if ((tag.pages[1][2] & 0x40) == 0x040)
938 tag.LCK6 = 1;
939 tag.LCK5 = 0;
940 if ((tag.pages[1][2] & 0x20) == 0x20)
941 tag.LCK5 = 1;
942 tag.LCK4 = 0;
943 if ((tag.pages[1][2] & 0x10) == 0x10)
944 tag.LCK4 = 1;
945 tag.LCK3 = 0;
946 if ((tag.pages[1][2] & 0x8) == 0x08)
947 tag.LCK3 = 1;
948 tag.LCK2 = 0;
949 if ((tag.pages[1][2] & 0x4) == 0x04)
950 tag.LCK2 = 1;
951 tag.LCK1 = 0;
952 if ((tag.pages[1][2] & 0x2) == 0x02)
953 tag.LCK1 = 1;
954 tag.LCK0 = 0;
955 if ((tag.pages[1][2] & 0x1) == 0x01)
956 tag.LCK0 = 1;
957
958
959 // Set up simulator mode, frequency divisor which will drive the FPGA
960 // and analog mux selection.
961 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
962 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
963 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_125); //125kHz
964 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
965
966 // Configure output pin that is connected to the FPGA (for modulating)
967 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
968 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
969
970 // Disable modulation at default, which means release resistance
971 LOW(GPIO_SSC_DOUT);
972
973 // Enable Peripheral Clock for
974 // TIMER_CLOCK0, used to measure exact timing before answering
975 // TIMER_CLOCK1, used to capture edges of the tag frames
976 AT91C_BASE_PMC->PMC_PCER |= (1 << AT91C_ID_TC0) | (1 << AT91C_ID_TC1);
977
978 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
979
980 // Disable timer during configuration
981 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
982 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
983
984 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
985 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
986
987 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
988 // external trigger rising edge, load RA on rising edge of TIOA.
989 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
990 | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
991
992 // Enable and reset counter
993 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
994 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
995
996 // synchronized startup procedure
997 while (AT91C_BASE_TC0->TC_CV > 0); // wait until TC0 returned to zero
998
999 while (!BUTTON_PRESS() && !data_available()) {
1000
1001 WDT_HIT();
1002
1003 // Receive frame, watch for at most T0*EOF periods
1004 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_EOF) {
1005 // Check if rising edge in modulation is detected
1006 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1007 // Retrieve the new timing values
1008 int ra = (AT91C_BASE_TC1->TC_RA / T0) + overflow;
1009 overflow = 0;
1010
1011 // Reset timer every frame, we have to capture the last edge for timing
1012 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1013
1014 LED_B_ON();
1015
1016 // Capture reader frame
1017 if (ra >= HITAG_T_STOP) {
1018 if (rxlen != 0) {
1019 //DbpString("wierd0?");
1020 }
1021 // Capture the T0 periods that have passed since last communication or field drop (reset)
1022 response = (ra - HITAG_T_LOW);
1023 } else if (ra >= HITAG_T_1_MIN) {
1024 // '1' bit
1025 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1026 rxlen++;
1027 } else if (ra >= HITAG_T_0_MIN) {
1028 // '0' bit
1029 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1030 rxlen++;
1031 } else {
1032 // Ignore wierd value, is to small to mean anything
1033 }
1034 }
1035 }
1036
1037 // Check if frame was captured
1038 if (rxlen > 0) {
1039 // frame_count++;
1040 LogTrace(rx, nbytes(rxlen), response, response, NULL, true);
1041
1042 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1043 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1044
1045 // Process the incoming frame (rx) and prepare the outgoing frame (tx)
1046 hitagS_handle_reader_command(rx, rxlen, tx, &txlen);
1047
1048 // Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
1049 // not that since the clock counts since the rising edge, but T_Wait1 is
1050 // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
1051 // periods. The gap time T_Low varies (4..10). All timer values are in
1052 // terms of T0 units
1053 while (AT91C_BASE_TC0->TC_CV < T0 * (HITAG_T_WAIT_1 - HITAG_T_LOW)) {};
1054
1055 // Send and store the tag answer (if there is any)
1056 if (txlen > 0) {
1057 // Transmit the tag frame
1058 hitag_send_frame(tx, txlen);
1059 LogTrace(tx, nbytes(txlen), 0, 0, NULL, false);
1060 }
1061
1062 // Enable and reset external trigger in timer for capturing future frames
1063 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1064
1065 // Reset the received frame and response timing info
1066 memset(rx, 0x00, sizeof(rx));
1067 response = 0;
1068
1069 LED_B_OFF();
1070 }
1071 // Reset the frame length
1072 rxlen = 0;
1073 // Save the timer overflow, will be 0 when frame was received
1074 overflow += (AT91C_BASE_TC1->TC_CV / T0);
1075 // Reset the timer to restart while-loop that receives frames
1076 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
1077
1078 }
1079
1080 set_tracing(false);
1081 lf_finalize();
1082 // release allocated memory from BigBuff.
1083 BigBuf_free();
1084
1085 DbpString("Sim Stopped");
1086 }
1087
1088 static void hitagS_receive_frame(uint8_t *rx, size_t *rxlen, int *response) {
1089
1090 // Reset values for receiving frames
1091 memset(rx, 0x00, HITAG_FRAME_LEN * sizeof(uint8_t));
1092 *rxlen = 0;
1093 int lastbit = 1;
1094 bool bSkip = true;
1095 int tag_sof = 1;
1096 *response = 0;
1097 uint32_t errorCount = 0;
1098
1099 // Receive frame, watch for at most T0*EOF periods
1100 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
1101 // Check if falling edge in tag modulation is detected
1102 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1103 // Retrieve the new timing values
1104 int ra = (AT91C_BASE_TC1->TC_RA / T0);
1105
1106 // Reset timer every frame, we have to capture the last edge for timing
1107 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
1108
1109 LED_B_ON();
1110
1111 // Capture tag frame (manchester decoding using only falling edges)
1112 if (ra >= HITAG_T_EOF) {
1113 if (*rxlen != 0) {
1114 //DbpString("wierd1?");
1115 }
1116 // Capture the T0 periods that have passed since last communication or field drop (reset)
1117 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
1118 *response = ra - HITAG_T_TAG_HALF_PERIOD;
1119 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
1120 // Manchester coding example |-_|_-|-_| (101)
1121 rx[(*rxlen) / 8] |= 0 << (7 - ((*rxlen) % 8));
1122 (*rxlen)++;
1123 rx[(*rxlen) / 8] |= 1 << (7 - ((*rxlen) % 8));
1124 (*rxlen)++;
1125 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
1126 // Manchester coding example |_-|...|_-|-_| (0...01)
1127 rx[(*rxlen) / 8] |= 0 << (7 - ((*rxlen) % 8));
1128 (*rxlen)++;
1129 // We have to skip this half period at start and add the 'one' the second time
1130 if (!bSkip) {
1131 rx[(*rxlen) / 8] |= 1 << (7 - ((*rxlen) % 8));
1132 (*rxlen)++;
1133 }
1134 lastbit = !lastbit;
1135 bSkip = !bSkip;
1136 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
1137 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
1138 if (tag_sof) {
1139 // Ignore bits that are transmitted during SOF
1140 tag_sof--;
1141 } else {
1142 // bit is same as last bit
1143 rx[(*rxlen) / 8] |= lastbit << (7 - ((*rxlen) % 8));
1144 (*rxlen)++;
1145 }
1146 } else {
1147 // Ignore wierd value, is to small to mean anything
1148 errorCount++;
1149 }
1150 }
1151
1152 // if we saw over 100 wierd values break it probably isn't hitag...
1153 if (errorCount > 100) break;
1154
1155 // We can break this loop if we received the last bit from a frame
1156 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
1157 if ((*rxlen) > 0)
1158 break;
1159 }
1160 }
1161 }
1162
1163 /*
1164 * Authenticates to the Tag with the given key or challenge.
1165 * If the key was given the password will be decrypted.
1166 * Reads every page of a hitag S transpoder.
1167 */
1168 void ReadHitagS(hitag_function htf, hitag_data *htd) {
1169
1170 StopTicks();
1171
1172 int i, j, z, k;
1173 // int frame_count = 0;
1174 int response = 0;
1175 int response_bit[200];
1176 uint8_t rx[HITAG_FRAME_LEN];
1177 size_t rxlen = 0;
1178 uint8_t txbuf[HITAG_FRAME_LEN];
1179 uint8_t *tx = txbuf;
1180 size_t txlen = 0;
1181 int lastbit = 1;
1182 int t_wait = HITAG_T_WAIT_MAX;
1183 bool bStop = false;
1184 int pageNum = 0;
1185 unsigned char mask = 1;
1186 unsigned char crc;
1187 unsigned char pageData[32];
1188 page_to_be_written = 0;
1189
1190 //read given key/challenge
1191 uint8_t NrAr_[8];
1192 uint64_t key = 0;
1193 uint64_t NrAr = 0;
1194 uint8_t key_[6];
1195
1196 tag.pstate = HT_READY;
1197 tag.tstate = HT_NO_OP;
1198
1199 switch (htf) {
1200 case RHTSF_CHALLENGE: {
1201 DbpString("Authenticating using nr,ar pair:");
1202 memcpy(NrAr_, htd->auth.NrAr, 8);
1203 Dbhexdump(8, NrAr_, false);
1204 NrAr = NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1205 ((uint64_t)NrAr_[2]) << 40 | ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1206 break;
1207 }
1208 case RHTSF_KEY: {
1209 DbpString("Authenticating using key:");
1210 memcpy(key_, htd->crypto.key, 6);
1211 Dbhexdump(6, key_, false);
1212 key = key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1213 break;
1214 }
1215 default: {
1216 Dbprintf("Error , unknown function: %d", htf);
1217 return;
1218 }
1219 }
1220
1221 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1222 // Reset the return status
1223 bSuccessful = false;
1224
1225 // Clean up trace and prepare it for storing frames
1226 set_tracing(true);
1227 clear_trace();
1228
1229 bQuiet = false;
1230
1231 LED_D_ON();
1232
1233 // Set fpga in edge detect with reader field, we can modulate as reader now
1234 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1235 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_125); //125kHz
1236 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1237
1238 // Configure output and enable pin that is connected to the FPGA (for modulating)
1239 AT91C_BASE_PIOA->PIO_OER |= GPIO_SSC_DOUT;
1240 AT91C_BASE_PIOA->PIO_PER |= GPIO_SSC_DOUT;
1241
1242 // Disable modulation at default, which means enable the field
1243 LOW(GPIO_SSC_DOUT);
1244
1245 // Enable Peripheral Clock for
1246 // TIMER_CLOCK0, used to measure exact timing before answering
1247 // TIMER_CLOCK1, used to capture edges of the tag frames
1248 AT91C_BASE_PMC->PMC_PCER |= (1 << AT91C_ID_TC0) | (1 << AT91C_ID_TC1);
1249
1250 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1251
1252 // Disable timer during configuration
1253 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1254 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1255
1256 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
1257 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
1258
1259 // TC1: Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1260 // external trigger rising edge, load RA on falling edge of TIOA.
1261 AT91C_BASE_TC1->TC_CMR =
1262 AT91C_TC_CLKS_TIMER_DIV1_CLOCK |
1263 AT91C_TC_ETRGEDG_FALLING |
1264 AT91C_TC_ABETRG |
1265 AT91C_TC_LDRA_FALLING;
1266
1267 // Enable and reset counters
1268 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1269 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1270
1271 // synchronized startup procedure
1272 while (AT91C_BASE_TC0->TC_CV > 0); // wait until TC0 returned to zero
1273 // Reset the received frame, frame count and timing info
1274 t_wait = 200;
1275 while (!bStop && !BUTTON_PRESS() && !data_available()) {
1276
1277 WDT_HIT();
1278
1279 // Check if frame was captured and store it
1280 if (rxlen > 0) {
1281 // frame_count++;
1282 LogTrace(rx, nbytes(rxlen), response, response, NULL, false);
1283 }
1284
1285 // By default reset the transmission buffer
1286 tx = txbuf;
1287 txlen = 0;
1288
1289 if (rxlen == 0) {
1290 //start authentication
1291 txlen = 5;
1292 memcpy(tx, "\xC0", nbytes(txlen));
1293 tag.pstate = HT_READY;
1294 tag.tstate = HT_NO_OP;
1295 } else if (tag.pstate != HT_SELECTED) {
1296 if (hitagS_handle_tag_auth(htf, key, NrAr, rx, rxlen, tx, &txlen) == -1)
1297 bStop = !false;
1298 }
1299
1300 if (tag.pstate == HT_SELECTED && tag.tstate == HT_NO_OP && rxlen > 0) {
1301 //send read request
1302 tag.tstate = HT_READING_PAGE;
1303 txlen = 20;
1304 crc = CRC_PRESET;
1305 tx[0] = 0xc0 + (pageNum / 16);
1306 calc_crc(&crc, tx[0], 8);
1307 calc_crc(&crc, 0x00 + ((pageNum % 16) * 16), 4);
1308 tx[1] = 0x00 + ((pageNum % 16) * 16) + (crc / 16);
1309 tx[2] = 0x00 + (crc % 16) * 16;
1310 } else if (tag.pstate == HT_SELECTED
1311 && tag.tstate == HT_READING_PAGE
1312 && rxlen > 0) {
1313 //save received data - 40 bits
1314 z = 0;
1315 for (i = 0; i < 5; i++) {
1316 for (j = 0; j < 8; j++) {
1317 response_bit[z] = 0;
1318 if ((rx[i] & ((mask << 7) >> j)) != 0)
1319 response_bit[z] = 1;
1320 z++;
1321 }
1322 }
1323 k = 0;
1324 for (i = 4; i < 36; i++) { // ignore first 4 bits: SOF (actualy 1 or 6 depending on response protocol)
1325 pageData[k] = response_bit[i];
1326 k++;
1327 }
1328 for (i = 0; i < 4; i++) // set page bytes to 0
1329 tag.pages[pageNum][i] = 0x0;
1330 for (i = 0; i < 4; i++) { // set page bytes from recieved bits
1331 tag.pages[pageNum][i] += ((pageData[i * 8] << 7)
1332 | (pageData[1 + (i * 8)] << 6)
1333 | (pageData[2 + (i * 8)] << 5)
1334 | (pageData[3 + (i * 8)] << 4)
1335 | (pageData[4 + (i * 8)] << 3)
1336 | (pageData[5 + (i * 8)] << 2)
1337 | (pageData[6 + (i * 8)] << 1)
1338 | pageData[7 + (i * 8)]);
1339 }
1340 if (tag.auth && tag.LKP && pageNum == 1) {
1341 Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum, pwdh0,
1342 (tag.pages[pageNum][2]) & 0xff,
1343 (tag.pages[pageNum][1]) & 0xff,
1344 tag.pages[pageNum][0] & 0xff);
1345 } else {
1346 Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum,
1347 (tag.pages[pageNum][3]) & 0xff,
1348 (tag.pages[pageNum][2]) & 0xff,
1349 (tag.pages[pageNum][1]) & 0xff,
1350 tag.pages[pageNum][0] & 0xff);
1351 }
1352
1353 pageNum++;
1354 //display key and password if possible
1355 if (pageNum == 2 && tag.auth == 1 && tag.LKP) {
1356 if (htf == RHTSF_KEY) {
1357 Dbprintf("Page[ 2]: %02X %02X %02X %02X",
1358 (uint8_t)(key >> 8) & 0xff,
1359 (uint8_t) key & 0xff,
1360 pwdl1,
1361 pwdl0
1362 );
1363 Dbprintf("Page[ 3]: %02X %02X %02X %02X",
1364 (uint8_t)(key >> 40) & 0xff,
1365 (uint8_t)(key >> 32) & 0xff,
1366 (uint8_t)(key >> 24) & 0xff,
1367 (uint8_t)(key >> 16) & 0xff
1368 );
1369 } else {
1370 //if the authentication is done with a challenge the key and password are unknown
1371 Dbprintf("Page[ 2]: __ __ __ __");
1372 Dbprintf("Page[ 3]: __ __ __ __");
1373 }
1374 // since page 2+3 are not accessible when LKP == 1 and AUT == 1 fastforward to next readable page
1375 pageNum = 4;
1376 }
1377
1378 txlen = 20;
1379 crc = CRC_PRESET;
1380 tx[0] = 0xc0 + (pageNum / 16);
1381 calc_crc(&crc, tx[0], 8);
1382 calc_crc(&crc, 0x00 + ((pageNum % 16) * 16), 4);
1383 tx[1] = 0x00 + ((pageNum % 16) * 16) + (crc / 16);
1384 tx[2] = 0x00 + (crc % 16) * 16;
1385 if (pageNum >= tag.max_page) {
1386 bStop = !false;
1387 }
1388 }
1389
1390 // Send and store the reader command
1391 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1392 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1393
1394 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1395 // Since the clock counts since the last falling edge, a 'one' means that the
1396 // falling edge occurred halfway the period. with respect to this falling edge,
1397 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1398 // All timer values are in terms of T0 units
1399
1400 while (AT91C_BASE_TC0->TC_CV < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit))) {};
1401
1402 // Transmit the reader frame
1403 hitag_reader_send_frame(tx, txlen);
1404
1405 // Enable and reset external trigger in timer for capturing future frames
1406 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1407
1408 // Add transmitted frame to total count
1409 if (txlen > 0) {
1410 // frame_count++;
1411 LogTrace(tx, nbytes(txlen), HITAG_T_WAIT_2, HITAG_T_WAIT_2, NULL, true);
1412 }
1413
1414 hitagS_receive_frame(rx, &rxlen, &response);
1415 }
1416 end = false;
1417 set_tracing(false);
1418
1419 lf_finalize();
1420 reply_mix(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1421 }
1422
1423 /*
1424 * Authenticates to the Tag with the given Key or Challenge.
1425 * Writes the given 32Bit data into page_
1426 */
1427 void WritePageHitagS(hitag_function htf, hitag_data *htd, int page) {
1428
1429 StopTicks();
1430
1431 // int frame_count = 0;
1432 int response = 0;
1433 uint8_t rx[HITAG_FRAME_LEN];
1434 size_t rxlen = 0;
1435 uint8_t txbuf[HITAG_FRAME_LEN];
1436 uint8_t *tx = txbuf;
1437 size_t txlen = 0;
1438 int lastbit;
1439 int t_wait = HITAG_T_WAIT_MAX;
1440 bool bStop;
1441 unsigned char crc;
1442 uint8_t data[4] = {0, 0, 0, 0};
1443
1444 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1445
1446 bSuccessful = false;
1447
1448 // Clean up trace and prepare it for storing frames
1449 set_tracing(true);
1450 clear_trace();
1451
1452 //read given key/challenge, the page and the data
1453 uint8_t NrAr_[8];
1454 uint64_t key = 0;
1455 uint64_t NrAr = 0;
1456 uint8_t key_[6];
1457 switch (htf) {
1458 case WHTSF_CHALLENGE: {
1459 memcpy(data, htd->auth.data, 4);
1460 DbpString("Authenticating using nr,ar pair:");
1461 memcpy(NrAr_, htd->auth.NrAr, 8);
1462 Dbhexdump(8, NrAr_, false);
1463 NrAr = NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1464 ((uint64_t)NrAr_[2]) << 40 | ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1465 break;
1466 }
1467
1468 case WHTSF_KEY: {
1469 memcpy(data, htd->crypto.data, 4);
1470 DbpString("Authenticating using key:");
1471 memcpy(key_, htd->crypto.key, 6);
1472 Dbhexdump(6, key_, false);
1473 key = key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1474 break;
1475 }
1476 default: {
1477 Dbprintf("Error , unknown function: %d", htf);
1478 return;
1479 }
1480 }
1481
1482 Dbprintf("Page: %d", page);
1483 Dbprintf("DATA: %02X %02X %02X %02X", data[0], data[1], data[2], data[3]);
1484
1485 tag.pstate = HT_READY;
1486 tag.tstate = HT_NO_OP;
1487
1488 LED_D_ON();
1489
1490 // Configure output and enable pin that is connected to the FPGA (for modulating)
1491 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1492 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1493
1494 // Set fpga in edge detect with reader field, we can modulate as reader now
1495 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1496 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_125); //125kHz
1497 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1498
1499 // Disable modulation at default, which means enable the field
1500 LOW(GPIO_SSC_DOUT);
1501
1502 // Enable Peripheral Clock for
1503 // TIMER_CLOCK0, used to measure exact timing before answering
1504 // TIMER_CLOCK1, used to capture edges of the tag frames
1505 AT91C_BASE_PMC->PMC_PCER |= (1 << AT91C_ID_TC0) | (1 << AT91C_ID_TC1);
1506
1507 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1508
1509 // Disable timer during configuration
1510 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1511 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1512
1513 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1514 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
1515 // external trigger rising edge, load RA on falling edge of TIOA.
1516 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1517 | AT91C_TC_ETRGEDG_FALLING
1518 | AT91C_TC_ABETRG
1519 | AT91C_TC_LDRA_FALLING;
1520
1521 // Enable and reset counters
1522 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1523 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1524
1525 while (AT91C_BASE_TC0->TC_CV > 0);
1526
1527 // Reset the received frame, frame count and timing info
1528 lastbit = 1;
1529 bStop = false;
1530 t_wait = 200;
1531
1532 while (!bStop && !BUTTON_PRESS() && !data_available()) {
1533
1534 WDT_HIT();
1535
1536 // Check if frame was captured and store it
1537 if (rxlen > 0) {
1538 // frame_count++;
1539 LogTrace(rx, nbytes(rxlen), response, response, NULL, false);
1540 }
1541
1542 //check for valid input
1543 if (page == 0) {
1544 Dbprintf(
1545 "usage: lf hitag writer [--03 | --04] [--nrar CHALLENGE | -k KEY] [-p page] -d [4 hex bytes]");
1546 bStop = !false;
1547 }
1548
1549 // By default reset the transmission buffer
1550 tx = txbuf;
1551 txlen = 0;
1552
1553 if (rxlen == 0 && tag.tstate == HT_WRITING_PAGE_ACK) {
1554 //no write access on this page
1555 Dbprintf("no write access on page %d", page);
1556 bStop = !false;
1557 } else if (rxlen == 0 && tag.tstate != HT_WRITING_PAGE_DATA) {
1558 //start the authetication
1559 txlen = 5;
1560 memcpy(tx, "\xc0", nbytes(txlen));
1561 tag.pstate = HT_READY;
1562 tag.tstate = HT_NO_OP;
1563 } else if (tag.pstate != HT_SELECTED) {
1564 //try to authenticate with the given key or challenge
1565 if (hitagS_handle_tag_auth(htf, key, NrAr, rx, rxlen, tx, &txlen) == -1)
1566 bStop = !false;
1567 }
1568 if (tag.pstate == HT_SELECTED && tag.tstate == HT_NO_OP && rxlen > 0) {
1569 //check if the given page exists
1570 if (page > tag.max_page) {
1571 Dbprintf("page number too big");
1572 bStop = !false;
1573 }
1574 //ask Tag for write permission
1575 tag.tstate = HT_WRITING_PAGE_ACK;
1576 txlen = 20;
1577 crc = CRC_PRESET;
1578 tx[0] = 0x90 + (page / 16);
1579 calc_crc(&crc, tx[0], 8);
1580 calc_crc(&crc, 0x00 + ((page % 16) * 16), 4);
1581 tx[1] = 0x00 + ((page % 16) * 16) + (crc / 16);
1582 tx[2] = 0x00 + (crc % 16) * 16;
1583 } else if (tag.pstate == HT_SELECTED && tag.tstate == HT_WRITING_PAGE_ACK
1584 && rxlen == 6 && rx[0] == 0xf4) {
1585 //ACK recieved to write the page. send data
1586 tag.tstate = HT_WRITING_PAGE_DATA;
1587 txlen = 40;
1588 crc = CRC_PRESET;
1589 calc_crc(&crc, data[3], 8);
1590 calc_crc(&crc, data[2], 8);
1591 calc_crc(&crc, data[1], 8);
1592 calc_crc(&crc, data[0], 8);
1593 tx[0] = data[3];
1594 tx[1] = data[2];
1595 tx[2] = data[1];
1596 tx[3] = data[0];
1597 tx[4] = crc;
1598 } else if (tag.pstate == HT_SELECTED && tag.tstate == HT_WRITING_PAGE_DATA
1599 && rxlen == 6 && rx[0] == 0xf4) {
1600 //received ACK
1601 Dbprintf("Successful!");
1602 bStop = !false;
1603 }
1604
1605 // Send and store the reader command
1606 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1607 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1608
1609 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1610 // Since the clock counts since the last falling edge, a 'one' means that the
1611 // falling edge occurred halfway the period. with respect to this falling edge,
1612 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1613 // All timer values are in terms of T0 units
1614
1615 while (AT91C_BASE_TC0->TC_CV < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit))) {};
1616
1617 // Transmit the reader frame
1618 hitag_reader_send_frame(tx, txlen);
1619
1620 // Enable and reset external trigger in timer for capturing future frames
1621 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1622
1623 // Add transmitted frame to total count
1624 if (txlen > 0) {
1625 // frame_count++;
1626 LogTrace(tx, nbytes(txlen), HITAG_T_WAIT_2, HITAG_T_WAIT_2, NULL, true);
1627 }
1628
1629 hitagS_receive_frame(rx, &rxlen, &response);
1630
1631 }
1632 end = false;
1633 set_tracing(false);
1634
1635 lf_finalize();
1636
1637 reply_mix(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1638 }
1639
1640 /*
1641 * Tries to authenticate to a Hitag S Transponder with the given challenges from a .cc file.
1642 * Displays all Challenges that failed.
1643 * When collecting Challenges to break the key it is possible that some data
1644 * is not received correctly due to Antenna problems. This function
1645 * detects these challenges.
1646 */
1647 void check_challenges(bool file_given, uint8_t *data) {
1648 int i, j, z, k;
1649 // int frame_count = 0;
1650 int response = 0;
1651 uint8_t uid_byte[4];
1652 uint8_t rx[HITAG_FRAME_LEN];
1653 uint8_t unlocker[60][8];
1654 int u1 = 0;
1655 size_t rxlen = 0;
1656 uint8_t txbuf[HITAG_FRAME_LEN];
1657 int t_wait = HITAG_T_WAIT_MAX;
1658 int lastbit, STATE = 0;
1659 bool bStop;
1660 int response_bit[200];
1661 unsigned char mask = 1;
1662 unsigned char uid[32];
1663 unsigned char crc;
1664
1665 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1666 // Reset the return status
1667 bSuccessful = false;
1668
1669 // Clean up trace and prepare it for storing frames
1670 set_tracing(true);
1671 clear_trace();
1672
1673 bQuiet = false;
1674
1675 LED_D_ON();
1676
1677 // Configure output and enable pin that is connected to the FPGA (for modulating)
1678 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1679 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1680
1681 // Set fpga in edge detect with reader field, we can modulate as reader now
1682 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1683 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_125); //125kHz
1684 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1685
1686 // Disable modulation at default, which means enable the field
1687 LOW(GPIO_SSC_DOUT);
1688
1689 // Enable Peripheral Clock for
1690 // TIMER_CLOCK0, used to measure exact timing before answering
1691 // TIMER_CLOCK1, used to capture edges of the tag frames
1692 AT91C_BASE_PMC->PMC_PCER |= (1 << AT91C_ID_TC0) | (1 << AT91C_ID_TC1);
1693
1694 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1695
1696 // Disable timer during configuration
1697 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1698 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1699
1700 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
1701 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
1702
1703 // TC1: Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1704 // external trigger rising edge, load RA on falling edge of TIOA.
1705 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1706 | AT91C_TC_ETRGEDG_FALLING
1707 | AT91C_TC_ABETRG
1708 | AT91C_TC_LDRA_FALLING;
1709
1710 // Enable and reset counters
1711 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1712 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1713
1714 while (AT91C_BASE_TC0->TC_CV > 0) {};
1715
1716 // Reset the received frame, frame count and timing info
1717 lastbit = 1;
1718 bStop = false;
1719 t_wait = 200;
1720
1721 if (file_given) {
1722 DbpString("Loading challenges...");
1723 memcpy((uint8_t *)unlocker, data, 60 * 8);
1724 }
1725
1726 while (file_given && !bStop && !BUTTON_PRESS()) {
1727 // Watchdog hit
1728 WDT_HIT();
1729
1730 // Check if frame was captured and store it
1731 if (rxlen > 0) {
1732 // frame_count++;
1733 LogTrace(rx, nbytes(rxlen), response, response, NULL, false);
1734 }
1735
1736 uint8_t *tx = txbuf;
1737 size_t txlen = 0;
1738 if (rxlen == 0) {
1739 if (STATE == 2)
1740 // challenge failed
1741 Dbprintf("Challenge failed: %02X %02X %02X %02X %02X %02X %02X %02X",
1742 unlocker[u1 - 1][0], unlocker[u1 - 1][1],
1743 unlocker[u1 - 1][2], unlocker[u1 - 1][3],
1744 unlocker[u1 - 1][4], unlocker[u1 - 1][5],
1745 unlocker[u1 - 1][6], unlocker[u1 - 1][7]);
1746 STATE = 0;
1747 txlen = 5;
1748 //start new authentication
1749 memcpy(tx, "\xC0", nbytes(txlen));
1750 } else if (rxlen >= 67 && STATE == 0) {
1751 //received uid
1752 z = 0;
1753 for (i = 0; i < 10; i++) {
1754 for (j = 0; j < 8; j++) {
1755 response_bit[z] = 0;
1756 if ((rx[i] & ((mask << 7) >> j)) != 0)
1757 response_bit[z] = 1;
1758 z++;
1759 }
1760 }
1761 k = 0;
1762 for (i = 5; i < z; i += 2) {
1763 uid[k] = response_bit[i];
1764 k++;
1765 if (k > 31)
1766 break;
1767 }
1768 uid_byte[0] = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5)
1769 | (uid[3] << 4) | (uid[4] << 3) | (uid[5] << 2)
1770 | (uid[6] << 1) | uid[7];
1771 uid_byte[1] = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5)
1772 | (uid[11] << 4) | (uid[12] << 3) | (uid[13] << 2)
1773 | (uid[14] << 1) | uid[15];
1774 uid_byte[2] = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5)
1775 | (uid[19] << 4) | (uid[20] << 3) | (uid[21] << 2)
1776 | (uid[22] << 1) | uid[23];
1777 uid_byte[3] = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5)
1778 | (uid[27] << 4) | (uid[28] << 3) | (uid[29] << 2)
1779 | (uid[30] << 1) | uid[31];
1780 //Dbhexdump(10, rx, rxlen);
1781 STATE = 1;
1782 txlen = 45;
1783 crc = CRC_PRESET;
1784 calc_crc(&crc, 0x00, 5);
1785 calc_crc(&crc, uid_byte[0], 8);
1786 calc_crc(&crc, uid_byte[1], 8);
1787 calc_crc(&crc, uid_byte[2], 8);
1788 calc_crc(&crc, uid_byte[3], 8);
1789 for (i = 0; i < 100; i++) {
1790 response_bit[i] = 0;
1791 }
1792 for (i = 0; i < 5; i++) {
1793 response_bit[i] = 0;
1794 }
1795 for (i = 5; i < 37; i++) {
1796 response_bit[i] = uid[i - 5];
1797 }
1798 for (j = 0; j < 8; j++) {
1799 response_bit[i] = 0;
1800 if ((crc & ((mask << 7) >> j)) != 0)
1801 response_bit[i] = 1;
1802 i++;
1803 }
1804 k = 0;
1805 for (i = 0; i < 6; i++) {
1806 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
1807 | (response_bit[k + 2] << 5)
1808 | (response_bit[k + 3] << 4)
1809 | (response_bit[k + 4] << 3)
1810 | (response_bit[k + 5] << 2)
1811 | (response_bit[k + 6] << 1) | response_bit[k + 7];
1812 k += 8;
1813 }
1814
1815 } else if (STATE == 1 && rxlen == 44) {
1816 //received configuration
1817 STATE = 2;
1818 z = 0;
1819 for (i = 0; i < 6; i++) {
1820 for (j = 0; j < 8; j++) {
1821 response_bit[z] = 0;
1822 if ((rx[i] & ((mask << 7) >> j)) != 0)
1823 response_bit[z] = 1;
1824 z++;
1825 }
1826 }
1827 txlen = 64;
1828
1829 if (u1 >= ARRAYLEN(unlocker))
1830 bStop = !false;
1831 for (i = 0; i < 8; i++)
1832 tx[i] = unlocker[u1][i];
1833 u1++;
1834
1835 } else if (STATE == 2 && rxlen >= 44) {
1836 Dbprintf("Challenge success: %02X%02X%02X%02X %02X%02X%02X%02X",
1837 unlocker[u1 - 1][0], unlocker[u1 - 1][1],
1838 unlocker[u1 - 1][2], unlocker[u1 - 1][3],
1839 unlocker[u1 - 1][4], unlocker[u1 - 1][5],
1840 unlocker[u1 - 1][6], unlocker[u1 - 1][7]);
1841 STATE = 0;
1842 }
1843
1844 // Send and store the reader command
1845 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1846 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1847
1848 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1849 // Since the clock counts since the last falling edge, a 'one' means that the
1850 // falling edge occurred halfway the period. with respect to this falling edge,
1851 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1852 // All timer values are in terms of T0 units
1853
1854 while (AT91C_BASE_TC0->TC_CV < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit))) {};
1855
1856 // Transmit the reader frame
1857 hitag_reader_send_frame(tx, txlen);
1858
1859 // Enable and reset external trigger in timer for capturing future frames
1860 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1861
1862 // Add transmitted frame to total count
1863 if (txlen > 0) {
1864 // frame_count++;
1865 LogTrace(tx, nbytes(txlen), HITAG_T_WAIT_2, HITAG_T_WAIT_2, NULL, true);
1866 }
1867
1868 hitagS_receive_frame(rx, &rxlen, &response);
1869 }
1870
1871 set_tracing(false);
1872 lf_finalize();
1873 reply_mix(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1874 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware