search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
text
[RRG-proxmark3.git] / armsrc / pcf7931.c
blob6ad44d7c4827f7e254b0c61b8c5b6c897c325ba8
1 #include "pcf7931.h"
2
3 #include "proxmark3_arm.h"
4 #include "cmd.h"
5 #include "BigBuf.h"
6 #include "fpgaloader.h"
7 #include "ticks.h"
8 #include "dbprint.h"
9 #include "util.h"
10 #include "lfsampling.h"
11 #include "string.h"
12
13 #define T0_PCF 8 //period for the pcf7931 in us
14 #define ALLOC 16
15
16 size_t DemodPCF7931(uint8_t **outBlocks) {
17 uint8_t bits[256] = {0x00};
18 uint8_t blocks[8][16];
19 uint8_t *dest = BigBuf_get_addr();
20
21 int GraphTraceLen = BigBuf_max_traceLen();
22 if (GraphTraceLen > 18000)
23 GraphTraceLen = 18000;
24
25 int i = 2, j, lastval, bitidx, half_switch;
26 int clock = 64;
27 int tolerance = clock / 8;
28 int pmc, block_done;
29 int lc, warnings = 0;
30 size_t num_blocks = 0;
31 int lmin = 64, lmax = 192;
32 uint8_t dir;
33
34 BigBuf_Clear_keep_EM();
35 LFSetupFPGAForADC(LF_DIVISOR_125, true);
36 DoAcquisition_default(0, true);
37
38 /* Find first local max/min */
39 if (dest[1] > dest[0]) {
40 while (i < GraphTraceLen) {
41 if (!(dest[i] > dest[i - 1]) && dest[i] > lmax)
42 break;
43 i++;
44 }
45 dir = 0;
46 } else {
47 while (i < GraphTraceLen) {
48 if (!(dest[i] < dest[i - 1]) && dest[i] < lmin)
49 break;
50 i++;
51 }
52 dir = 1;
53 }
54
55 lastval = i++;
56 half_switch = 0;
57 pmc = 0;
58 block_done = 0;
59
60 for (bitidx = 0; i < GraphTraceLen; i++) {
61 if ((dest[i - 1] > dest[i] && dir == 1 && dest[i] > lmax) || (dest[i - 1] < dest[i] && dir == 0 && dest[i] < lmin)) {
62 lc = i - lastval;
63 lastval = i;
64
65 // Switch depending on lc length:
66 // Tolerance is 1/8 of clock rate (arbitrary)
67 if (ABS(lc - clock / 4) < tolerance) {
68 // 16T0
69 if ((i - pmc) == lc) { /* 16T0 was previous one */
70 /* It's a PMC ! */
71 i += (128 + 127 + 16 + 32 + 33 + 16) - 1;
72 lastval = i;
73 pmc = 0;
74 block_done = 1;
75 } else {
76 pmc = i;
77 }
78 } else if (ABS(lc - clock / 2) < tolerance) {
79 // 32TO
80 if ((i - pmc) == lc) { /* 16T0 was previous one */
81 /* It's a PMC ! */
82 i += (128 + 127 + 16 + 32 + 33) - 1;
83 lastval = i;
84 pmc = 0;
85 block_done = 1;
86 } else if (half_switch == 1) {
87 bits[bitidx++] = 0;
88 half_switch = 0;
89 } else
90 half_switch++;
91 } else if (ABS(lc - clock) < tolerance) {
92 // 64TO
93 bits[bitidx++] = 1;
94 } else {
95 // Error
96 if (++warnings > 10) {
97
98 if (DBGLEVEL >= DBG_EXTENDED)
99 Dbprintf("Error: too many detection errors, aborting.");
100
101 return 0;
102 }
103 }
104
105 if (block_done == 1) {
106 if (bitidx == 128) {
107 for (j = 0; j < 16; ++j) {
108 blocks[num_blocks][j] =
109 128 * bits[j * 8 + 7] +
110 64 * bits[j * 8 + 6] +
111 32 * bits[j * 8 + 5] +
112 16 * bits[j * 8 + 4] +
113 8 * bits[j * 8 + 3] +
114 4 * bits[j * 8 + 2] +
115 2 * bits[j * 8 + 1] +
116 bits[j * 8]
117 ;
118 }
119 num_blocks++;
120 }
121 bitidx = 0;
122 block_done = 0;
123 half_switch = 0;
124 }
125 if (i < GraphTraceLen)
126 dir = (dest[i - 1] > dest[i]) ? 0 : 1;
127 }
128 if (bitidx == 255)
129 bitidx = 0;
130 warnings = 0;
131 if (num_blocks == 4) break;
132 }
133 memcpy(outBlocks, blocks, 16 * num_blocks);
134 return num_blocks;
135 }
136
137 bool IsBlock0PCF7931(uint8_t *block) {
138 // assuming all RFU bits are set to 0
139 // if PAC is enabled password is set to 0
140 if (block[7] == 0x01) {
141 if (!memcmp(block, "\x00\x00\x00\x00\x00\x00\x00", 7)
142 && !memcmp(block + 9, "\x00\x00\x00\x00\x00\x00\x00", 7)) {
143 return true;
144 }
145 } else if (block[7] == 0x00) {
146 if (!memcmp(block + 9, "\x00\x00\x00\x00\x00\x00\x00", 7)) {
147 return true;
148 }
149 }
150 return false;
151 }
152
153 bool IsBlock1PCF7931(uint8_t *block) {
154 // assuming all RFU bits are set to 0
155
156 uint8_t rb1 = block[14] & 0x80;
157 uint8_t rfb = block[14] & 0x7f;
158 uint8_t rlb = block[15];
159
160 if (block[10] == 0
161 && block[11] == 0
162 && block[12] == 0
163 && block[13] == 0) {
164 // block 1 is sent only if (RLB >= 1 && RFB <= 1) or RB1 enabled
165 if (rfb <= rlb
166 && rfb <= 9
167 && rlb <= 9
168 && ((rfb <= 1 && rlb >= 1) || rb1)) {
169 return true;
170 }
171 }
172
173 return false;
174 }
175
176 void ReadPCF7931(void) {
177 int found_blocks = 0; // successfully read blocks
178 int max_blocks = 8; // readable blocks
179 uint8_t memory_blocks[8][17]; // PCF content
180 uint8_t single_blocks[8][17]; // PFC blocks with unknown position
181 int single_blocks_cnt = 0;
182
183 size_t n = 0; // transmitted blocks
184 uint8_t tmp_blocks[4][16]; // temporary read buffer
185
186 uint8_t found_0_1 = 0; // flag: blocks 0 and 1 were found
187 int errors = 0; // error counter
188 int tries = 0; // tries counter
189
190 memset(memory_blocks, 0, 8 * 17 * sizeof(uint8_t));
191 memset(single_blocks, 0, 8 * 17 * sizeof(uint8_t));
192
193 int i = 0, j = 0;
194
195 do {
196 i = 0;
197
198 memset(tmp_blocks, 0, 4 * 16 * sizeof(uint8_t));
199 n = DemodPCF7931((uint8_t **)tmp_blocks);
200 if (!n)
201 ++errors;
202
203 // exit if no block is received
204 if (errors >= 10 && found_blocks == 0 && single_blocks_cnt == 0) {
205
206 if (DBGLEVEL >= DBG_INFO)
207 Dbprintf("[!!] Error, no tag or bad tag");
208
209 return;
210 }
211 // exit if too many errors during reading
212 if (tries > 50 && (2 * errors > tries)) {
213
214 if (DBGLEVEL >= DBG_INFO)
215 Dbprintf("[!!] Error reading the tag, only partial content");
216
217 goto end;
218 }
219
220 // our logic breaks if we don't get at least two blocks
221 if (n < 2) {
222 // skip if all 0s block or no blocks
223 if (n == 0 || !memcmp(tmp_blocks[0], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16))
224 continue;
225
226 // add block to single blocks list
227 if (single_blocks_cnt < max_blocks) {
228 for (i = 0; i < single_blocks_cnt; ++i) {
229 if (!memcmp(single_blocks[i], tmp_blocks[0], 16)) {
230 j = 1;
231 break;
232 }
233 }
234 if (j != 1) {
235 memcpy(single_blocks[single_blocks_cnt], tmp_blocks[0], 16);
236 print_result("got single block", single_blocks[single_blocks_cnt], 16);
237 single_blocks_cnt++;
238 }
239 j = 0;
240 }
241 ++tries;
242 continue;
243 }
244
245 if (DBGLEVEL >= DBG_EXTENDED)
246 Dbprintf("(dbg) got %d blocks (%d/%d found) (%d tries, %d errors)", n, found_blocks, (max_blocks == 0 ? found_blocks : max_blocks), tries, errors);
247
248 for (i = 0; i < n; ++i) {
249 print_result("got consecutive blocks", tmp_blocks[i], 16);
250 }
251
252 i = 0;
253 if (!found_0_1) {
254 while (i < n - 1) {
255 if (IsBlock0PCF7931(tmp_blocks[i]) && IsBlock1PCF7931(tmp_blocks[i + 1])) {
256 found_0_1 = 1;
257 memcpy(memory_blocks[0], tmp_blocks[i], 16);
258 memcpy(memory_blocks[1], tmp_blocks[i + 1], 16);
259 memory_blocks[0][ALLOC] = memory_blocks[1][ALLOC] = 1;
260 // block 1 tells how many blocks are going to be sent
261 max_blocks = MAX((memory_blocks[1][14] & 0x7f), memory_blocks[1][15]) + 1;
262 found_blocks = 2;
263
264 Dbprintf("Found blocks 0 and 1. PCF is transmitting %d blocks.", max_blocks);
265
266 // handle the following blocks
267 for (j = i + 2; j < n; ++j) {
268 memcpy(memory_blocks[found_blocks], tmp_blocks[j], 16);
269 memory_blocks[found_blocks][ALLOC] = 1;
270 ++found_blocks;
271 }
272 break;
273 }
274 ++i;
275 }
276 } else {
277 // Trying to re-order blocks
278 // Look for identical block in memory blocks
279 while (i < n - 1) {
280 // skip all zeroes blocks
281 if (memcmp(tmp_blocks[i], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16)) {
282 for (j = 1; j < max_blocks - 1; ++j) {
283 if (!memcmp(tmp_blocks[i], memory_blocks[j], 16) && !memory_blocks[j + 1][ALLOC]) {
284 memcpy(memory_blocks[j + 1], tmp_blocks[i + 1], 16);
285 memory_blocks[j + 1][ALLOC] = 1;
286 if (++found_blocks >= max_blocks) goto end;
287 }
288 }
289 }
290 if (memcmp(tmp_blocks[i + 1], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16)) {
291 for (j = 0; j < max_blocks; ++j) {
292 if (!memcmp(tmp_blocks[i + 1], memory_blocks[j], 16) && !memory_blocks[(j == 0 ? max_blocks : j) - 1][ALLOC]) {
293 if (j == 0) {
294 memcpy(memory_blocks[max_blocks - 1], tmp_blocks[i], 16);
295 memory_blocks[max_blocks - 1][ALLOC] = 1;
296 } else {
297 memcpy(memory_blocks[j - 1], tmp_blocks[i], 16);
298 memory_blocks[j - 1][ALLOC] = 1;
299 }
300 if (++found_blocks >= max_blocks) goto end;
301 }
302 }
303 }
304 ++i;
305 }
306 }
307 ++tries;
308 if (BUTTON_PRESS()) {
309 if (DBGLEVEL >= DBG_EXTENDED)
310 Dbprintf("Button pressed, stopping.");
311
312 goto end;
313 }
314 } while (found_blocks < max_blocks);
315
316 end:
317 Dbprintf("-----------------------------------------");
318 Dbprintf("Memory content:");
319 Dbprintf("-----------------------------------------");
320 for (i = 0; i < max_blocks; ++i) {
321 if (memory_blocks[i][ALLOC])
322 print_result("Block", memory_blocks[i], 16);
323 else
324 Dbprintf("<missing block %d>", i);
325 }
326 Dbprintf("-----------------------------------------");
327
328 if (found_blocks < max_blocks) {
329 Dbprintf("-----------------------------------------");
330 Dbprintf("Blocks with unknown position:");
331 Dbprintf("-----------------------------------------");
332 for (i = 0; i < single_blocks_cnt; ++i)
333 print_result("Block", single_blocks[i], 16);
334
335 Dbprintf("-----------------------------------------");
336 }
337 reply_mix(CMD_ACK, 0, 0, 0, 0, 0);
338 }
339
340 static void RealWritePCF7931(uint8_t *pass, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data) {
341 uint32_t tab[1024] = {0}; // data times frame
342 uint32_t u = 0;
343 uint8_t parity = 0;
344 bool comp = 0;
345
346 //BUILD OF THE DATA FRAME
347 //alimentation of the tag (time for initializing)
348 AddPatternPCF7931(init_delay, 0, 8192 / 2 * T0_PCF, tab);
349 AddPatternPCF7931(8192 / 2 * T0_PCF + 319 * T0_PCF + 70, 3 * T0_PCF, 29 * T0_PCF, tab);
350 //password indication bit
351 AddBitPCF7931(1, tab, l, p);
352 //password (on 56 bits)
353 AddBytePCF7931(pass[0], tab, l, p);
354 AddBytePCF7931(pass[1], tab, l, p);
355 AddBytePCF7931(pass[2], tab, l, p);
356 AddBytePCF7931(pass[3], tab, l, p);
357 AddBytePCF7931(pass[4], tab, l, p);
358 AddBytePCF7931(pass[5], tab, l, p);
359 AddBytePCF7931(pass[6], tab, l, p);
360 //programming mode (0 or 1)
361 AddBitPCF7931(0, tab, l, p);
362
363 //block adress on 6 bits
364 for (u = 0; u < 6; ++u) {
365 if (address & (1 << u)) { // bit 1
366 ++parity;
367 AddBitPCF7931(1, tab, l, p);
368 } else { // bit 0
369 AddBitPCF7931(0, tab, l, p);
370 }
371 }
372
373 //byte address on 4 bits
374 for (u = 0; u < 4; ++u) {
375 if (byte & (1 << u)) { // bit 1
376 parity++;
377 AddBitPCF7931(1, tab, l, p);
378 } else // bit 0
379 AddBitPCF7931(0, tab, l, p);
380 }
381
382 //data on 8 bits
383 for (u = 0; u < 8; u++) {
384 if (data & (1 << u)) { // bit 1
385 parity++;
386 AddBitPCF7931(1, tab, l, p);
387 } else //bit 0
388 AddBitPCF7931(0, tab, l, p);
389 }
390
391 //parity bit
392 if ((parity % 2) == 0)
393 AddBitPCF7931(0, tab, l, p); //even parity
394 else
395 AddBitPCF7931(1, tab, l, p);//odd parity
396
397 //time access memory
398 AddPatternPCF7931(5120 + 2680, 0, 0, tab);
399
400 //conversion of the scale time
401 for (u = 0; u < 500; ++u)
402 tab[u] = (tab[u] * 3) / 2;
403
404 //compensation of the counter reload
405 while (!comp) {
406 comp = 1;
407 for (u = 0; tab[u] != 0; ++u)
408 if (tab[u] > 0xFFFF) {
409 tab[u] -= 0xFFFF;
410 comp = 0;
411 }
412 }
413
414 SendCmdPCF7931(tab);
415 }
416
417 /* Write on a byte of a PCF7931 tag
418 * @param address : address of the block to write
419 @param byte : address of the byte to write
420 @param data : data to write
421 */
422 void WritePCF7931(uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, uint8_t pass5, uint8_t pass6, uint8_t pass7, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data) {
423
424 if (DBGLEVEL >= DBG_INFO) {
425 Dbprintf("Initialization delay : %d us", init_delay);
426 Dbprintf("Offsets : %d us on the low pulses width, %d us on the low pulses positions", l, p);
427 }
428
429 Dbprintf("Password (LSB first on each byte): %02x %02x %02x %02x %02x %02x %02x", pass1, pass2, pass3, pass4, pass5, pass6, pass7);
430 Dbprintf("Block address : %02x", address);
431 Dbprintf("Byte address : %02x", byte);
432 Dbprintf("Data : %02x", data);
433
434 uint8_t password[7] = {pass1, pass2, pass3, pass4, pass5, pass6, pass7};
435
436 RealWritePCF7931(password, init_delay, l, p, address, byte, data);
437 }
438
439
440 /* Send a trame to a PCF7931 tags
441 * @param tab : array of the data frame
442 */
443
444 void SendCmdPCF7931(uint32_t *tab) {
445 uint16_t u = 0, tempo = 0;
446
447 if (DBGLEVEL >= DBG_INFO) {
448 Dbprintf("Sending data frame...");
449 }
450
451 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
452 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_125); //125kHz
453 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
454
455 LED_A_ON();
456
457 // steal this pin from the SSP and use it to control the modulation
458 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
459 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
460
461 //initialization of the timer
462 AT91C_BASE_PMC->PMC_PCER |= (0x1 << AT91C_ID_TC0);
463 AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC0XC0S_NONE | AT91C_TCB_TC1XC1S_TIOA0 | AT91C_TCB_TC2XC2S_NONE;
464 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS; // timer disable
465 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV3_CLOCK; //clock at 48/32 MHz
466 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN;
467 AT91C_BASE_TCB->TCB_BCR = 1;
468
469 tempo = AT91C_BASE_TC0->TC_CV;
470 for (u = 0; tab[u] != 0; u += 3) {
471 // modulate antenna
472 HIGH(GPIO_SSC_DOUT);
473 while (tempo != tab[u])
474 tempo = AT91C_BASE_TC0->TC_CV;
475
476 // stop modulating antenna
477 LOW(GPIO_SSC_DOUT);
478 while (tempo != tab[u + 1])
479 tempo = AT91C_BASE_TC0->TC_CV;
480
481 // modulate antenna
482 HIGH(GPIO_SSC_DOUT);
483 while (tempo != tab[u + 2])
484 tempo = AT91C_BASE_TC0->TC_CV;
485 }
486
487 LED_A_OFF();
488 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
489 SpinDelay(200);
490
491 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS; // timer disable
492 }
493
494
495 /* Add a byte for building the data frame of PCF7931 tags
496 * @param b : byte to add
497 * @param tab : array of the data frame
498 * @param l : offset on low pulse width
499 * @param p : offset on low pulse positioning
500 */
501 bool AddBytePCF7931(uint8_t byte, uint32_t *tab, int32_t l, int32_t p) {
502 uint32_t u;
503 for (u = 0; u < 8; ++u) {
504 if (byte & (1 << u)) { //bit is 1
505 if (AddBitPCF7931(1, tab, l, p) == 1) return true;
506 } else { //bit is 0
507 if (AddBitPCF7931(0, tab, l, p) == 1) return true;
508 }
509 }
510
511 return false;
512 }
513
514 /* Add a bits for building the data frame of PCF7931 tags
515 * @param b : bit to add
516 * @param tab : array of the data frame
517 * @param l : offset on low pulse width
518 * @param p : offset on low pulse positioning
519 */
520 bool AddBitPCF7931(bool b, uint32_t *tab, int32_t l, int32_t p) {
521 uint8_t u = 0;
522
523 //we put the cursor at the last value of the array
524 for (u = 0; tab[u] != 0; u += 3) { };
525
526 if (b == 1) { //add a bit 1
527 if (u == 0)
528 tab[u] = 34 * T0_PCF + p;
529 else
530 tab[u] = 34 * T0_PCF + tab[u - 1] + p;
531
532 tab[u + 1] = 6 * T0_PCF + tab[u] + l;
533 tab[u + 2] = 88 * T0_PCF + tab[u + 1] - l - p;
534 return false;
535 } else { //add a bit 0
536
537 if (u == 0)
538 tab[u] = 98 * T0_PCF + p;
539 else
540 tab[u] = 98 * T0_PCF + tab[u - 1] + p;
541
542 tab[u + 1] = 6 * T0_PCF + tab[u] + l;
543 tab[u + 2] = 24 * T0_PCF + tab[u + 1] - l - p;
544 return false;
545 }
546 return true;
547 }
548
549 /* Add a custom pattern in the data frame
550 * @param a : delay of the first high pulse
551 * @param b : delay of the low pulse
552 * @param c : delay of the last high pulse
553 * @param tab : array of the data frame
554 */
555 bool AddPatternPCF7931(uint32_t a, uint32_t b, uint32_t c, uint32_t *tab) {
556 uint32_t u = 0;
557 for (u = 0; tab[u] != 0; u += 3) {} //we put the cursor at the last value of the array
558
559 tab[u] = (u == 0) ? a : a + tab[u - 1];
560 tab[u + 1] = b + tab[u];
561 tab[u + 2] = c + tab[u + 1];
562
563 return true;
564 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware