armsrc/mifaresniff_disabled.c

   1 //-----------------------------------------------------------------------------
   2 // Merlok - 2012
   3 //
   4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
   5 // at your option, any later version. See the LICENSE.txt file for the text of
   6 // the license.
   7 //-----------------------------------------------------------------------------
   8 // Routines to support mifare classic sniffer.
   9 //-----------------------------------------------------------------------------
  10
  11 #include "mifaresniff_disabled.h"
  12
  13 #ifndef CheckCrc14A
  14 # define CheckCrc14A(data, len) check_crc(CRC_14443_A, (data), (len))
  15 #endif
  16
  17 //static int sniffState = SNF_INIT;
  18 static uint8_t sniffUIDType = 0;
  19 static uint8_t sniffUID[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
  20 static uint8_t sniffATQA[2] = {0, 0};
  21 static uint8_t sniffSAK = 0;
  22 static uint8_t sniffBuf[17];
  23 static uint32_t timerData = 0;
  24
  25 //-----------------------------------------------------------------------------
  26 // MIFARE sniffer.
  27 //
  28 // if no activity for 2sec, it sends the collected data to the client.
  29 //-----------------------------------------------------------------------------
  30 // "hf mf sniff"
  31 void RAMFUNC SniffMifare(uint8_t param) {
  32     // param:
  33     // bit 0 - trigger from first card answer
  34     // bit 1 - trigger from first reader 7-bit request
  35
  36     // C(red) A(yellow) B(green)
  37     LEDsoff();
  38     iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
  39
  40     // Allocate memory from BigBuf for some buffers
  41     // free all previous allocations first
  42     BigBuf_free();
  43     BigBuf_Clear_ext(false);
  44     clear_trace();
  45     set_tracing(true);
  46
  47     // The command (reader -> tag) that we're receiving.
  48     uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE] = {0x00};
  49     uint8_t receivedCmdPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
  50
  51     // The response (tag -> reader) that we're receiving.
  52     uint8_t receivedResp[MAX_MIFARE_FRAME_SIZE] = {0x00};
  53     uint8_t receivedRespPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
  54
  55     // allocate the DMA buffer, used to stream samples from the FPGA
  56     uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
  57     uint8_t *data = dmaBuf;
  58     uint8_t previous_data = 0;
  59     int dataLen, maxDataLen = 0;
  60     bool ReaderIsActive = false;
  61     bool TagIsActive = false;
  62
  63     // We won't start recording the frames that we acquire until we trigger;
  64     // a good trigger condition to get started is probably when we see a
  65     // response from the tag.
  66     // triggered == false -- to wait first for card
  67     //bool triggered = !(param & 0x03);
  68
  69
  70     // Set up the demodulator for tag -> reader responses.
  71     Demod14aInit(receivedResp, receivedRespPar);
  72
  73     // Set up the demodulator for the reader -> tag commands
  74     Uart14aInit(receivedCmd, receivedCmdPar);
  75
  76     // Setup and start DMA.
  77     // set transfer address and number of bytes. Start transfer.
  78     if (!FpgaSetupSscDma(dmaBuf, DMA_BUFFER_SIZE)) {
  79         if (DBGLEVEL > 1) Dbprintf("[!] FpgaSetupSscDma failed. Exiting");
  80         return;
  81     }
  82
  83     tUart14a *uart = GetUart14a();
  84     tDemod14a *demod = GetDemod14a();
  85
  86     MfSniffInit();
  87
  88     uint32_t sniffCounter = 0;
  89     // loop and listen
  90     while (!BUTTON_PRESS()) {
  91         WDT_HIT();
  92         LED_A_ON();
  93         /*
  94                 if ((sniffCounter & 0x0000FFFF) == 0) { // from time to time
  95                     // check if a transaction is completed (timeout after 2000ms).
  96                     // if yes, stop the DMA transfer and send what we have so far to the client
  97                     if (BigBuf_get_traceLen()) {
  98                         MfSniffSend();
  99                         // Reset everything - we missed some sniffed data anyway while the DMA was stopped
 100                         sniffCounter = 0;
 101                         dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
 102                         data = dmaBuf;
 103                         maxDataLen = 0;
 104                         ReaderIsActive = false;
 105                         TagIsActive = false;
 106                         FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); // set transfer address and number of bytes. Start transfer.
 107                     }
 108                 }
 109                 */
 110
 111         // number of bytes we have processed so far
 112         int register readBufDataP = data - dmaBuf;
 113         // number of bytes already transferred
 114         int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
 115         if (readBufDataP <= dmaBufDataP)            // we are processing the same block of data which is currently being transferred
 116             dataLen = dmaBufDataP - readBufDataP;   // number of bytes still to be processed
 117         else
 118             dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP; // number of bytes still to be processed
 119
 120         // test for length of buffer
 121         if (dataLen > maxDataLen) {                 // we are more behind than ever...
 122             maxDataLen = dataLen;
 123             if (dataLen > (9 * DMA_BUFFER_SIZE / 10)) {
 124                 Dbprintf("[!] blew circular buffer! | datalen %u", dataLen);
 125                 break;
 126             }
 127         }
 128         if (dataLen < 1) continue;
 129
 130         // primary buffer was stopped ( <-- we lost data!
 131         if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
 132             AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t)dmaBuf;
 133             AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
 134             Dbprintf("[-] RxEmpty ERROR | data length %d", dataLen); // temporary
 135         }
 136         // secondary buffer sets as primary, secondary buffer was stopped
 137         if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
 138             AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t)dmaBuf;
 139             AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
 140         }
 141
 142         LED_A_OFF();
 143
 144         // Need two samples to feed Miller and Manchester-Decoder
 145         if (sniffCounter & 0x01) {
 146
 147             // no need to try decoding tag data if the reader is sending
 148             if (!TagIsActive) {
 149                 uint8_t readerbyte = (previous_data & 0xF0) | (*data >> 4);
 150                 if (MillerDecoding(readerbyte, (sniffCounter - 1) * 4)) {
 151                     LogTrace(receivedCmd, uart->len, 0, 0, NULL, true);
 152                     Demod14aReset();
 153                     Uart14aReset();
 154                 }
 155                 ReaderIsActive = (uart->state != STATE_14A_UNSYNCD);
 156             }
 157
 158             // no need to try decoding tag data if the reader is sending
 159             if (!ReaderIsActive) {
 160                 uint8_t tagbyte = (previous_data << 4) | (*data & 0x0F);
 161                 if (ManchesterDecoding(tagbyte, 0, (sniffCounter - 1) * 4)) {
 162                     LogTrace(receivedResp,  demod->len, 0, 0, NULL, false);
 163                     Demod14aReset();
 164                     Uart14aReset();
 165                 }
 166                 TagIsActive = (demod->state != DEMOD_14A_UNSYNCD);
 167             }
 168         }
 169         previous_data = *data;
 170         sniffCounter++;
 171         data++;
 172
 173         if (data == dmaBuf + DMA_BUFFER_SIZE)
 174             data = dmaBuf;
 175
 176     } // main cycle
 177
 178     MfSniffEnd();
 179     switch_off();
 180 }
 181
 182 void MfSniffInit(void) {
 183     memset(sniffUID, 0x00, sizeof(sniffUID));
 184     memset(sniffATQA, 0x00, sizeof(sniffATQA));
 185     memset(sniffBuf, 0x00, sizeof(sniffBuf));
 186     sniffSAK = 0;
 187     sniffUIDType = SNF_UID_4;
 188     timerData = 0;
 189 }
 190
 191 void MfSniffEnd(void) {
 192     LED_B_ON();
 193     reply_old(CMD_ACK, 0, 0, 0, 0, 0);
 194     LED_B_OFF();
 195 }
 196
 197 /*
 198 bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, uint16_t bitCnt, bool reader) {
 199
 200     // reset on 7-Bit commands from reader
 201     if (reader && (len == 1) && (bitCnt == 7)) {
 202         sniffState = SNF_INIT;
 203     }
 204
 205
 206
 207     switch (sniffState) {
 208         case SNF_INIT:{
 209             // REQA,WUPA or MAGICWUP from reader
 210             if ((len == 1) && (reader) && (bitCnt == 7) ) {
 211                 MfSniffInit();
 212                 sniffState = (data[0] == MIFARE_MAGICWUPC1) ? SNF_MAGIC_WUPC2 : SNF_ATQA;
 213             }
 214             break;
 215         }
 216         case SNF_MAGIC_WUPC2: {
 217             if ((len == 1) && (reader) && (data[0] == MIFARE_MAGICWUPC2) ) {
 218                 sniffState = SNF_CARD_IDLE;
 219             }
 220             break;
 221         }
 222         case SNF_ATQA:{
 223             // ATQA from tag
 224             if ((!reader) && (len == 2)) {
 225                 sniffATQA[0] = data[0];
 226                 sniffATQA[1] = data[1];
 227                 sniffState = SNF_UID;
 228             }
 229             break;
 230         }
 231         case SNF_UID: {
 232
 233             if ( !reader ) break;
 234             if ( len != 9 ) break;
 235             if ( !CheckCrc14A(data, 9)) break;
 236             if ( data[1] != 0x70 ) break;
 237
 238             Dbprintf("[!] UID | %x", data[0]);
 239
 240             if ((data[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT)) {
 241                 // UID_4 - select 4 Byte UID from reader
 242                 memcpy(sniffUID, data+2, 4);
 243                 sniffUIDType = SNF_UID_4;
 244                 sniffState = SNF_SAK;
 245             } else if ((data[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2)) {
 246                 // UID_7 - Select 2nd part of 7 Byte UID
 247
 248                 // get rid of 0x88
 249                 sniffUID[0] = sniffUID[1];
 250                 sniffUID[1] = sniffUID[2];
 251                 sniffUID[2] = sniffUID[3];
 252                 //new uid bytes
 253                 memcpy(sniffUID+3, data+2, 4);
 254                 sniffUIDType = SNF_UID_7;
 255                 sniffState = SNF_SAK;
 256             } else if ((data[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3)) {
 257                 // UID_10 - Select 3nd part of 10 Byte UID
 258                 // 3+3+4 = 10.
 259                 // get ride of previous 0x88
 260                 sniffUID[3] = sniffUID[4];
 261                 sniffUID[4] = sniffUID[5];
 262                 sniffUID[5] = sniffUID[6];
 263                 // new uid bytes
 264                 memcpy(sniffUID+6, data+2, 4);
 265                 sniffUIDType = SNF_UID_10;
 266                 sniffState = SNF_SAK;
 267             }
 268             break;
 269         }
 270         case SNF_SAK:{
 271             // SAK from card?
 272             if ((!reader) && (len == 3) && (CheckCrc14A(data, 3))) {
 273                 sniffSAK = data[0];
 274                 // CL2 UID part to be expected
 275                 if (( sniffSAK == 0x04) && (sniffUIDType == SNF_UID_4)) {
 276                     sniffState = SNF_UID;
 277                 // CL3 UID part to be expected
 278                 } else if ((sniffSAK == 0x04) && (sniffUIDType == SNF_UID_7)) {
 279                     sniffState = SNF_UID;
 280                 } else {
 281                     // select completed
 282                     sniffState = SNF_CARD_IDLE;
 283                 }
 284             }
 285             break;
 286         }
 287         case SNF_CARD_IDLE:{ // trace the card select sequence
 288             sniffBuf[0] = 0xFF;
 289             sniffBuf[1] = 0xFF;
 290             memcpy(sniffBuf + 2, sniffUID, sizeof(sniffUID));
 291             memcpy(sniffBuf + 12, sniffATQA, sizeof(sniffATQA));
 292             sniffBuf[14] = sniffSAK;
 293             sniffBuf[15] = 0xFF;
 294             sniffBuf[16] = 0xFF;
 295             LogTrace(sniffBuf, sizeof(sniffBuf), 0, 0, NULL, true);
 296             sniffState = SNF_CARD_CMD;
 297         } // intentionally no break;
 298         case SNF_CARD_CMD:{
 299             LogTrace(data, len, 0, 0, NULL, reader);
 300             timerData = GetTickCount();
 301             break;
 302         }
 303         default:
 304             sniffState = SNF_INIT;
 305         break;
 306     }
 307     return false;
 308 }
 309 */
 310
 311 void RAMFUNC MfSniffSend(void) {
 312     uint16_t tracelen = BigBuf_get_traceLen();
 313     int packlen = tracelen; // total number of bytes to send
 314     uint8_t *data = BigBuf_get_addr();
 315
 316     while (packlen > 0) {
 317         LED_B_ON();
 318         uint16_t chunksize = MIN(PM3_CMD_DATA_SIZE, packlen); // chunk size 512
 319         reply_old(CMD_ACK, 1, tracelen, chunksize, data + tracelen - packlen, chunksize);
 320         packlen -= chunksize;
 321         LED_B_OFF();
 322     }
 323
 324     LED_B_ON();
 325     reply_old(CMD_ACK, 2, 0, 0, 0, 0);  // 2 == data transfer finished.
 326     LED_B_OFF();
 327 }