search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
update atrs list
[RRG-proxmark3.git] / armsrc / appmain.c
blobb258b4ff5d3b269d45db0730c24d0014131557c8
1 //-----------------------------------------------------------------------------
2 // Copyright (C) Jonathan Westhues, Mar 2006
3 // Copyright (C) Gerhard de Koning Gans, Sep 2007
4 // Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
5 //
6 // This program is free software: you can redistribute it and/or modify
7 // it under the terms of the GNU General Public License as published by
8 // the Free Software Foundation, either version 3 of the License, or
9 // (at your option) any later version.
10 //
11 // This program is distributed in the hope that it will be useful,
12 // but WITHOUT ANY WARRANTY; without even the implied warranty of
13 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 // GNU General Public License for more details.
15 //
16 // See LICENSE.txt for the text of the license.
17 //-----------------------------------------------------------------------------
18 // The main application code. This is the first thing called after start.c
19 // executes.
20 //-----------------------------------------------------------------------------
21 #include "appmain.h"
22
23 #include "clocks.h"
24 #include "usb_cdc.h"
25 #include "proxmark3_arm.h"
26 #include "dbprint.h"
27 #include "pmflash.h"
28 #include "fpga.h"
29 #include "fpgaloader.h"
30 #include "string.h"
31 #include "printf.h"
32 #include "legicrf.h"
33 #include "BigBuf.h"
34 #include "iclass_cmd.h"
35 #include "hfops.h"
36 #include "iso14443a.h"
37 #include "iso14443b.h"
38 #include "iso15693.h"
39 #include "thinfilm.h"
40 #include "felica.h"
41 #include "hitag2.h"
42 #include "hitag2_crack.h"
43 #include "hitagS.h"
44 #include "em4x50.h"
45 #include "em4x70.h"
46 #include "iclass.h"
47 #include "legicrfsim.h"
48 //#include "cryptorfsim.h"
49 #include "epa.h"
50 #include "hfsnoop.h"
51 #include "lfops.h"
52 #include "lfsampling.h"
53 #include "lfzx.h"
54 #include "mifarecmd.h"
55 #include "mifaredesfire.h"
56 #include "mifaresim.h"
57 #include "pcf7931.h"
58 #include "Standalone/standalone.h"
59 #include "util.h"
60 #include "ticks.h"
61 #include "commonutil.h"
62 #include "crc16.h"
63 #include "protocols.h"
64 #include "mifareutil.h"
65 #include "sam_picopass.h"
66 #include "sam_seos.h"
67 #include "sam_mfc.h"
68
69 #ifdef WITH_LCD
70 #include "LCD_disabled.h"
71 #endif
72
73 #ifdef WITH_SMARTCARD
74 #include "i2c.h"
75 #endif
76
77 #ifdef WITH_FPC_USART
78 #include "usart.h"
79 #endif
80
81 #ifdef WITH_FLASH
82 #include "flashmem.h"
83 #include "spiffs.h"
84 #endif
85
86 int g_dbglevel = DBG_ERROR;
87 uint8_t g_trigger = 0;
88 bool g_hf_field_active = false;
89 extern uint32_t _stack_start[], _stack_end[];
90 common_area_t g_common_area __attribute__((section(".commonarea")));
91 static int button_status = BUTTON_NO_CLICK;
92 static bool allow_send_wtx = false;
93 uint16_t g_tearoff_delay_us = 0;
94 bool g_tearoff_enabled = false;
95
96 int tearoff_hook(void) {
97 if (g_tearoff_enabled) {
98 if (g_tearoff_delay_us == 0) {
99 Dbprintf(_RED_("No tear-off delay configured!"));
100 return PM3_SUCCESS; // SUCCESS = the hook didn't do anything
101 }
102 SpinDelayUsPrecision(g_tearoff_delay_us);
103 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
104 g_tearoff_enabled = false;
105 Dbprintf(_YELLOW_("Tear-off triggered!"));
106 return PM3_ETEAROFF;
107 } else {
108 return PM3_SUCCESS; // SUCCESS = the hook didn't do anything
109 }
110 }
111
112 void hf_field_off(void) {
113 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
114 LEDsoff();
115 g_hf_field_active = false;
116 }
117
118 void send_wtx(uint16_t wtx) {
119 if (allow_send_wtx) {
120 reply_ng(CMD_WTX, PM3_SUCCESS, (uint8_t *)&wtx, sizeof(wtx));
121 }
122 }
123
124 //-----------------------------------------------------------------------------
125 // Read an ADC channel and block till it completes, then return the result
126 // in ADC units (0 to 1023). Also a routine to sum up a number of samples and
127 // return that.
128 //-----------------------------------------------------------------------------
129 static uint16_t ReadAdc(uint8_t ch) {
130
131 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
132 // AMPL_HI is are high impedance (10MOhm || 1MOhm) output, the input capacitance of the ADC is 12pF (typical). This results in a time constant
133 // of RC = (0.91MOhm) * 12pF = 10.9us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
134 //
135 // The maths are:
136 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
137 //
138 // v_cap = v_in * (1 - exp(-SHTIM/RC)) = v_in * (1 - exp(-40us/10.9us)) = v_in * 0,97 (i.e. an error of 3%)
139
140 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
141 AT91C_BASE_ADC->ADC_MR =
142 ADC_MODE_PRESCALE(63) // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
143 | ADC_MODE_STARTUP_TIME(1) // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
144 | ADC_MODE_SAMPLE_HOLD_TIME(15); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
145
146 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
147 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
148
149 while (!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch))) {};
150
151 return (AT91C_BASE_ADC->ADC_CDR[ch] & 0x3FF);
152 }
153
154 // was static - merlok
155 uint16_t AvgAdc(uint8_t ch) {
156 return SumAdc(ch, 32) >> 5;
157 }
158
159 uint16_t SumAdc(uint8_t ch, uint8_t NbSamples) {
160 uint16_t a = 0;
161 for (uint8_t i = 0; i < NbSamples; i++)
162 a += ReadAdc(ch);
163 return (a + (NbSamples >> 1) - 1);
164 }
165 #ifdef WITH_LF
166 static void MeasureAntennaTuning(void) {
167
168 uint32_t peak = 0;
169
170 // in mVolt
171 struct p {
172 uint32_t v_lf134;
173 uint32_t v_lf125;
174 uint32_t v_lfconf;
175 uint32_t v_hf;
176 uint32_t peak_v;
177 uint32_t peak_f;
178 int divisor;
179 uint8_t results[256];
180 } PACKED payload;
181
182 // Need to clear all values to ensure non-random responses.
183 memset(&payload, 0, sizeof(payload));
184 // memset(payload.results, 0, sizeof(payload.results));
185
186 sample_config *sc = getSamplingConfig();
187 payload.divisor = sc->divisor;
188
189 LED_B_ON();
190
191 /*
192 * Sweeps the useful LF range of the proxmark from
193 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
194 * read the voltage in the antenna, the result left
195 * in the buffer is a graph which should clearly show
196 * the resonating frequency of your LF antenna
197 * ( hopefully around 95 if it is tuned to 125kHz!)
198 */
199
200 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
201 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER | FPGA_LF_ADC_READER_FIELD);
202 SpinDelay(50);
203
204 for (uint8_t i = 255; i >= 19; i--) {
205 WDT_HIT();
206 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
207 SpinDelay(20);
208 uint32_t adcval = ((MAX_ADC_LF_VOLTAGE * (SumAdc(ADC_CHAN_LF, 32) >> 1)) >> 14);
209 if (i == LF_DIVISOR_125)
210 payload.v_lf125 = adcval; // voltage at 125kHz
211
212 if (i == LF_DIVISOR_134)
213 payload.v_lf134 = adcval; // voltage at 134kHz
214
215 if (i == sc->divisor)
216 payload.v_lfconf = adcval; // voltage at `lf config --divisor`
217
218 payload.results[i] = adcval >> 9; // scale int to fit in byte for graphing purposes
219
220 if (payload.results[i] > peak) {
221 payload.peak_v = adcval;
222 payload.peak_f = i;
223 peak = payload.results[i];
224 }
225 }
226
227 LED_A_ON();
228 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
229 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
230 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
231 SpinDelay(50);
232
233 payload.v_hf = (MAX_ADC_HF_VOLTAGE * SumAdc(ADC_CHAN_HF, 32)) >> 15;
234
235 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
236 reply_ng(CMD_MEASURE_ANTENNA_TUNING, PM3_SUCCESS, (uint8_t *)&payload, sizeof(payload));
237 LEDsoff();
238 }
239 #endif
240 // Measure HF in milliVolt
241 static uint16_t MeasureAntennaTuningHfData(void) {
242
243 return (MAX_ADC_HF_VOLTAGE * SumAdc(ADC_CHAN_HF, 32)) >> 15;
244
245 }
246
247 // Measure LF in milliVolt
248 static uint32_t MeasureAntennaTuningLfData(void) {
249 return (MAX_ADC_LF_VOLTAGE * (SumAdc(ADC_CHAN_LF, 32) >> 1)) >> 14;
250 }
251
252 void print_stack_usage(void) {
253 for (uint32_t *p = _stack_start; ; ++p) {
254 if (*p != 0xdeadbeef) {
255 Dbprintf(" Max stack usage......... %d / %d bytes", (uint32_t)_stack_end - (uint32_t)p, (uint32_t)_stack_end - (uint32_t)_stack_start);
256 break;
257 }
258 }
259 }
260
261 void ReadMem(int addr) {
262 const uint8_t *data = ((uint8_t *)addr);
263
264 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x", addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
265 }
266
267 /* osimage version information is linked in, cf commonutil.h */
268 /* bootrom version information is pointed to from _bootphase1_version_pointer */
269 extern uint32_t _bootphase1_version_pointer[], _flash_start[], _flash_end[], __data_src_start__[];
270 #ifndef WITH_COMPRESSION
271 extern uint32_t _bootrom_end[], _bootrom_start[], __os_size__[];
272 #endif
273 static void SendVersion(void) {
274 char temp[PM3_CMD_DATA_SIZE - 12]; /* Limited data payload in USB packets */
275 char VersionString[PM3_CMD_DATA_SIZE - 12] = { '\0' };
276
277 /* Try to find the bootrom version information. Expect to find a pointer at
278 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
279 * pointer, then use it.
280 */
281 // dummy casting to avoid "dereferencing type-punned pointer breaking strict-aliasing rules" errors
282 uint32_t bootrom_version_ptr = (uint32_t)_bootphase1_version_pointer;
283 char *bootrom_version = *(char **)(bootrom_version_ptr);
284
285 strncat(VersionString, " [ "_YELLOW_("ARM")" ]\n", sizeof(VersionString) - strlen(VersionString) - 1);
286
287 if ((uint32_t)bootrom_version < (uint32_t)_flash_start || (uint32_t)bootrom_version >= (uint32_t)_flash_end) {
288 strcat(VersionString, "bootrom version information appears invalid\n");
289 } else {
290 FormatVersionInformation(temp, sizeof(temp), " bootrom: ", bootrom_version);
291 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
292 strncat(VersionString, "\n", sizeof(VersionString) - strlen(VersionString) - 1);
293 }
294
295
296 FormatVersionInformation(temp, sizeof(temp), " os: ", &g_version_information);
297 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
298 strncat(VersionString, "\n", sizeof(VersionString) - strlen(VersionString) - 1);
299
300 #if defined(__clang__)
301 strncat(VersionString, " compiled with Clang/LLVM "__VERSION__"\n", sizeof(VersionString) - strlen(VersionString) - 1);
302 #elif defined(__GNUC__) || defined(__GNUG__)
303 strncat(VersionString, " compiled with GCC "__VERSION__"\n", sizeof(VersionString) - strlen(VersionString) - 1);
304 #endif
305
306 strncat(VersionString, "\n [ "_YELLOW_("FPGA")" ] \n ", sizeof(VersionString) - strlen(VersionString) - 1);
307
308 for (int i = 0; i < g_fpga_bitstream_num; i++) {
309 strncat(VersionString, g_fpga_version_information[i].versionString, sizeof(VersionString) - strlen(VersionString) - 1);
310 if (i < g_fpga_bitstream_num - 1) {
311 strncat(VersionString, "\n ", sizeof(VersionString) - strlen(VersionString) - 1);
312 }
313 }
314 #ifdef WITH_COMPRESSION
315 // Send Chip ID and used flash memory
316 uint32_t text_and_rodata_section_size = (uint32_t)__data_src_start__ - (uint32_t)_flash_start;
317 uint32_t compressed_data_section_size = g_common_area.arg1;
318 #endif
319
320 struct p {
321 uint32_t id;
322 uint32_t section_size;
323 uint32_t versionstr_len;
324 char versionstr[PM3_CMD_DATA_SIZE - 12];
325 } PACKED;
326
327 struct p payload;
328 payload.id = *(AT91C_DBGU_CIDR);
329 #ifndef WITH_COMPRESSION
330 payload.section_size = (uint32_t)_bootrom_end - (uint32_t)_bootrom_start + (uint32_t)__os_size__;
331 #else
332 payload.section_size = text_and_rodata_section_size + compressed_data_section_size;
333 #endif
334 payload.versionstr_len = strlen(VersionString) + 1;
335 memcpy(payload.versionstr, VersionString, payload.versionstr_len);
336
337 reply_ng(CMD_VERSION, PM3_SUCCESS, (uint8_t *)&payload, 12 + payload.versionstr_len);
338 }
339
340 static void TimingIntervalAcquisition(void) {
341 // trigger new acquisition by turning main oscillator off and on
342 mck_from_pll_to_slck();
343 mck_from_slck_to_pll();
344 // wait for MCFR and recompute RTMR scaler
345 StartTickCount();
346 }
347
348 static void print_debug_level(void) {
349 char dbglvlstr[20] = {0};
350 switch (g_dbglevel) {
351 case DBG_NONE:
352 sprintf(dbglvlstr, "off");
353 break;
354 case DBG_ERROR:
355 sprintf(dbglvlstr, "error");
356 break;
357 case DBG_INFO:
358 sprintf(dbglvlstr, "info");
359 break;
360 case DBG_DEBUG:
361 sprintf(dbglvlstr, "debug");
362 break;
363 case DBG_EXTENDED:
364 sprintf(dbglvlstr, "extended");
365 break;
366 }
367 Dbprintf(" Debug log level......... %d ( " _YELLOW_("%s")" )", g_dbglevel, dbglvlstr);
368 }
369
370 // measure the Connection Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
371 // Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the PacketCommandNG structure included.
372 static void printConnSpeed(uint32_t wait) {
373 DbpString(_CYAN_("Transfer Speed"));
374 Dbprintf(" Sending packets to client...");
375
376 uint8_t *test_data = BigBuf_get_addr();
377 uint32_t start_time = GetTickCount();
378 uint32_t delta_time = 0;
379 uint32_t bytes_transferred = 0;
380
381 LED_B_ON();
382
383 while (delta_time < wait) {
384 reply_ng(CMD_DOWNLOADED_BIGBUF, PM3_SUCCESS, test_data, PM3_CMD_DATA_SIZE);
385 bytes_transferred += PM3_CMD_DATA_SIZE;
386 delta_time = GetTickCountDelta(start_time);
387 }
388 LED_B_OFF();
389
390 Dbprintf(" Time elapsed................... %dms", delta_time);
391 Dbprintf(" Bytes transferred.............. %d", bytes_transferred);
392 if (delta_time) {
393 Dbprintf(" Transfer Speed PM3 -> Client... " _YELLOW_("%llu") " bytes/s", 1000 * (uint64_t)bytes_transferred / delta_time);
394 }
395 }
396
397 /**
398 * Prints runtime information about the PM3.
399 **/
400 static void SendStatus(uint32_t wait) {
401 BigBuf_print_status();
402 Fpga_print_status();
403 #ifdef WITH_FLASH
404 Flashmem_print_status();
405 #endif
406 #ifdef WITH_SMARTCARD
407 I2C_print_status();
408 #endif
409 #ifdef WITH_LF
410 printLFConfig(); // LF Sampling config
411 printT55xxConfig(); // LF T55XX Config
412 #endif
413 #ifdef WITH_ISO14443a
414 printHf14aConfig(); // HF 14a config
415 #endif
416 printConnSpeed(wait);
417 DbpString(_CYAN_("Various"));
418
419 print_stack_usage();
420 print_debug_level();
421
422 tosend_t *ts = get_tosend();
423 Dbprintf(" ToSendMax............... %d", ts->max);
424 Dbprintf(" ToSend BUFFERSIZE....... %d", TOSEND_BUFFER_SIZE);
425 while ((AT91C_BASE_PMC->PMC_MCFR & AT91C_CKGR_MAINRDY) == 0); // Wait for MAINF value to become available...
426 uint16_t mainf = AT91C_BASE_PMC->PMC_MCFR & AT91C_CKGR_MAINF; // Get # main clocks within 16 slow clocks
427 Dbprintf(" Slow clock.............. %d Hz", (16 * MAINCK) / mainf);
428 uint32_t delta_time = 0;
429 uint32_t start_time = GetTickCount();
430 #define SLCK_CHECK_MS 50
431 SpinDelay(SLCK_CHECK_MS);
432 delta_time = GetTickCountDelta(start_time);
433 if ((delta_time < SLCK_CHECK_MS - 1) || (delta_time > SLCK_CHECK_MS + 1)) {
434 // error > 2% with SLCK_CHECK_MS=50
435 Dbprintf(_RED_(" Slow Clock speed change detected, run `hw tia`"));
436 Dbprintf(_YELLOW_(" Slow Clock actual speed seems closer to %d kHz"),
437 (16 * MAINCK / 1000) / mainf * delta_time / SLCK_CHECK_MS);
438 }
439 DbpString(_CYAN_("Installed StandAlone Mode"));
440 ModInfo();
441
442 #ifdef WITH_FLASH
443 Flashmem_print_info();
444 #endif
445 DbpString("");
446 reply_ng(CMD_STATUS, PM3_SUCCESS, NULL, 0);
447 }
448
449 static void SendCapabilities(void) {
450 capabilities_t capabilities;
451 capabilities.version = CAPABILITIES_VERSION;
452 capabilities.via_fpc = g_reply_via_fpc;
453 capabilities.via_usb = g_reply_via_usb;
454 capabilities.bigbuf_size = BigBuf_get_size();
455 capabilities.baudrate = 0; // no real baudrate for USB-CDC
456 #ifdef WITH_FPC_USART
457 if (g_reply_via_fpc)
458 capabilities.baudrate = g_usart_baudrate;
459 #endif
460
461 #ifdef RDV4
462 capabilities.is_rdv4 = true;
463 #else
464 capabilities.is_rdv4 = false;
465 #endif
466
467 #ifdef WITH_FLASH
468 capabilities.compiled_with_flash = true;
469 capabilities.hw_available_flash = FlashInit();
470 #else
471 capabilities.compiled_with_flash = false;
472 capabilities.hw_available_flash = false;
473 #endif
474 #ifdef WITH_SMARTCARD
475 capabilities.compiled_with_smartcard = true;
476 uint8_t maj, min;
477 capabilities.hw_available_smartcard = I2C_get_version(&maj, &min) == PM3_SUCCESS;
478 #else
479 capabilities.compiled_with_smartcard = false;
480 capabilities.hw_available_smartcard = false;
481 #endif
482 #ifdef WITH_FPC_USART
483 capabilities.compiled_with_fpc_usart = true;
484 #else
485 capabilities.compiled_with_fpc_usart = false;
486 #endif
487 #ifdef WITH_FPC_USART_DEV
488 capabilities.compiled_with_fpc_usart_dev = true;
489 #else
490 capabilities.compiled_with_fpc_usart_dev = false;
491 #endif
492 #ifdef WITH_FPC_USART_HOST
493 capabilities.compiled_with_fpc_usart_host = true;
494 #else
495 capabilities.compiled_with_fpc_usart_host = false;
496 #endif
497 #ifdef WITH_LF
498 capabilities.compiled_with_lf = true;
499 #else
500 capabilities.compiled_with_lf = false;
501 #endif
502 #ifdef WITH_HITAG
503 capabilities.compiled_with_hitag = true;
504 #else
505 capabilities.compiled_with_hitag = false;
506 #endif
507 #ifdef WITH_EM4x50
508 capabilities.compiled_with_em4x50 = true;
509 #else
510 capabilities.compiled_with_em4x50 = false;
511 #endif
512 #ifdef WITH_EM4x70
513 capabilities.compiled_with_em4x70 = true;
514 #else
515 capabilities.compiled_with_em4x70 = false;
516 #endif
517
518 #ifdef WITH_HFSNIFF
519 capabilities.compiled_with_hfsniff = true;
520 #else
521 capabilities.compiled_with_hfsniff = false;
522 #endif
523 #ifdef WITH_HFPLOT
524 capabilities.compiled_with_hfplot = true;
525 #else
526 capabilities.compiled_with_hfplot = false;
527 #endif
528 #ifdef WITH_ISO14443a
529 capabilities.compiled_with_iso14443a = true;
530 #else
531 capabilities.compiled_with_iso14443a = false;
532 #endif
533 #ifdef WITH_ISO14443b
534 capabilities.compiled_with_iso14443b = true;
535 #else
536 capabilities.compiled_with_iso14443b = false;
537 #endif
538 #ifdef WITH_ISO15693
539 capabilities.compiled_with_iso15693 = true;
540 #else
541 capabilities.compiled_with_iso15693 = false;
542 #endif
543 #ifdef WITH_FELICA
544 capabilities.compiled_with_felica = true;
545 #else
546 capabilities.compiled_with_felica = false;
547 #endif
548 #ifdef WITH_LEGICRF
549 capabilities.compiled_with_legicrf = true;
550 #else
551 capabilities.compiled_with_legicrf = false;
552 #endif
553 #ifdef WITH_ICLASS
554 capabilities.compiled_with_iclass = true;
555 #else
556 capabilities.compiled_with_iclass = false;
557 #endif
558 #ifdef WITH_NFCBARCODE
559 capabilities.compiled_with_nfcbarcode = true;
560 #else
561 capabilities.compiled_with_nfcbarcode = false;
562 #endif
563 #ifdef WITH_LCD
564 capabilities.compiled_with_lcd = true;
565 #else
566 capabilities.compiled_with_lcd = false;
567 #endif
568
569 #ifdef WITH_ZX8211
570 capabilities.compiled_with_zx8211 = true;
571 #else
572 capabilities.compiled_with_zx8211 = false;
573 #endif
574
575 reply_ng(CMD_CAPABILITIES, PM3_SUCCESS, (uint8_t *)&capabilities, sizeof(capabilities));
576 }
577
578 // Show some leds in a pattern to identify StandAlone mod is running
579 void StandAloneMode(void) {
580 DbpString("");
581 DbpString("Stand-alone mode, no computer necessary");
582 SpinDown(50);
583 SpinDelay(50);
584 SpinUp(50);
585 SpinDelay(50);
586 SpinDown(50);
587 }
588
589 /*
590 OBJECTIVE
591 Listen and detect an external reader. Determine the best location
592 for the antenna.
593
594 INSTRUCTIONS:
595 Inside the ListenReaderField() function, there is two mode.
596 By default, when you call the function, you will enter mode 1.
597 If you press the PM3 button one time, you will enter mode 2.
598 If you press the PM3 button a second time, you will exit the function.
599
600 DESCRIPTION OF MODE 1:
601 This mode just listens for an external reader field and lights up green
602 for HF and/or red for LF. This is the original mode of the detectreader
603 function.
604
605 DESCRIPTION OF MODE 2:
606 This mode will visually represent, using the LEDs, the actual strength of the
607 current compared to the maximum current detected. Basically, once you know
608 what kind of external reader is present, it will help you spot the best location to place
609 your antenna. You will probably not get some good results if there is a LF and a HF reader
610 at the same place! :-)
611 */
612 #define LIGHT_LEVELS 20
613
614 void ListenReaderField(uint8_t limit) {
615 #define LF_HF_BOTH 0
616 #define LF_ONLY 1
617 #define HF_ONLY 2
618 #define REPORT_CHANGE 1000 // report new values only if they have changed at least by REPORT_CHANGE mV
619
620 uint16_t lf_av = 0, lf_av_new, lf_baseline = 0, lf_max = 0;
621 uint16_t hf_av = 0, hf_av_new, hf_baseline = 0, hf_max = 0;
622 uint16_t mode = 1, display_val, display_max;
623
624 // switch off FPGA - we don't want to measure our own signal
625 // 20180315 - iceman, why load this before and then turn off?
626 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
627 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
628
629 LEDsoff();
630
631 if (limit == LF_ONLY || limit == LF_HF_BOTH) {
632 lf_av = lf_max = (MAX_ADC_LF_VOLTAGE * SumAdc(ADC_CHAN_LF, 32)) >> 15;
633 Dbprintf("LF 125/134kHz Baseline: %dmV", lf_av);
634 lf_baseline = lf_av;
635 }
636
637 if (limit == HF_ONLY || limit == LF_HF_BOTH) {
638
639 // iceman, useless, since we are measuring readerfield, not our field. My tests shows a max of 20v from a reader.
640 hf_av = hf_max = (MAX_ADC_HF_VOLTAGE * SumAdc(ADC_CHAN_HF, 32)) >> 15;
641 Dbprintf("HF 13.56MHz Baseline: %dmV", hf_av);
642 hf_baseline = hf_av;
643 }
644
645 for (;;) {
646
647 // Switch modes with button or Enter key
648 bool modeSwitched = BUTTON_PRESS();
649 if (modeSwitched == false && data_available()) {
650 // flush the buffer
651 PacketCommandNG rx;
652 receive_ng(&rx);
653 modeSwitched = true;
654 }
655 if (modeSwitched) {
656 SpinDelay(500);
657 switch (mode) {
658 case 1:
659 mode = 2;
660 DbpString("Signal Strength Mode");
661 break;
662 case 2:
663 default:
664 DbpString("Stopped");
665 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
666 LEDsoff();
667 return;
668 }
669 }
670 WDT_HIT();
671
672 if (limit == LF_ONLY || limit == LF_HF_BOTH) {
673 if (mode == 1) {
674 if (ABS(lf_av - lf_baseline) > REPORT_CHANGE)
675 LED_D_ON();
676 else
677 LED_D_OFF();
678 }
679
680 lf_av_new = (MAX_ADC_LF_VOLTAGE * SumAdc(ADC_CHAN_LF, 32)) >> 15;
681 // see if there's a significant change
682 if (ABS(lf_av - lf_av_new) > REPORT_CHANGE) {
683 Dbprintf("LF 125/134kHz Field Change: %5dmV", lf_av_new);
684 lf_av = lf_av_new;
685 if (lf_av > lf_max)
686 lf_max = lf_av;
687 }
688 }
689
690 if (limit == HF_ONLY || limit == LF_HF_BOTH) {
691 if (mode == 1) {
692 if (ABS(hf_av - hf_baseline) > REPORT_CHANGE)
693 LED_B_ON();
694 else
695 LED_B_OFF();
696 }
697
698 hf_av_new = (MAX_ADC_HF_VOLTAGE * SumAdc(ADC_CHAN_HF, 32)) >> 15;
699 // see if there's a significant change
700 if (ABS(hf_av - hf_av_new) > REPORT_CHANGE) {
701 Dbprintf("HF 13.56MHz Field Change: %5dmV", hf_av_new);
702 hf_av = hf_av_new;
703 if (hf_av > hf_max)
704 hf_max = hf_av;
705 }
706 }
707
708 if (mode == 2) {
709 if (limit == LF_ONLY) {
710 display_val = lf_av;
711 display_max = lf_max;
712 } else if (limit == HF_ONLY) {
713 display_val = hf_av;
714 display_max = hf_max;
715 } else { /* Pick one at random */
716 if ((hf_max - hf_baseline) > (lf_max - lf_baseline)) {
717 display_val = hf_av;
718 display_max = hf_max;
719 } else {
720 display_val = lf_av;
721 display_max = lf_max;
722 }
723 }
724
725 display_val = display_val * (4 * LIGHT_LEVELS) / MAX(1, display_max);
726 uint32_t duty_a = MIN(MAX(display_val, 0 * LIGHT_LEVELS), 1 * LIGHT_LEVELS) - 0 * LIGHT_LEVELS;
727 uint32_t duty_b = MIN(MAX(display_val, 1 * LIGHT_LEVELS), 2 * LIGHT_LEVELS) - 1 * LIGHT_LEVELS;
728 uint32_t duty_c = MIN(MAX(display_val, 2 * LIGHT_LEVELS), 3 * LIGHT_LEVELS) - 2 * LIGHT_LEVELS;
729 uint32_t duty_d = MIN(MAX(display_val, 3 * LIGHT_LEVELS), 4 * LIGHT_LEVELS) - 3 * LIGHT_LEVELS;
730
731 // LED A
732 if (duty_a == 0) {
733 LED_A_OFF();
734 } else if (duty_a == LIGHT_LEVELS) {
735 LED_A_ON();
736 } else {
737 LED_A_ON();
738 SpinDelay(duty_a);
739 LED_A_OFF();
740 SpinDelay(LIGHT_LEVELS - duty_a);
741 }
742
743 // LED B
744 if (duty_b == 0) {
745 LED_B_OFF();
746 } else if (duty_b == LIGHT_LEVELS) {
747 LED_B_ON();
748 } else {
749 LED_B_ON();
750 SpinDelay(duty_b);
751 LED_B_OFF();
752 SpinDelay(LIGHT_LEVELS - duty_b);
753 }
754
755 // LED C
756 if (duty_c == 0) {
757 LED_C_OFF();
758 } else if (duty_c == LIGHT_LEVELS) {
759 LED_C_ON();
760 } else {
761 LED_C_ON();
762 SpinDelay(duty_c);
763 LED_C_OFF();
764 SpinDelay(LIGHT_LEVELS - duty_c);
765 }
766
767 // LED D
768 if (duty_d == 0) {
769 LED_D_OFF();
770 } else if (duty_d == LIGHT_LEVELS) {
771 LED_D_ON();
772 } else {
773 LED_D_ON();
774 SpinDelay(duty_d);
775 LED_D_OFF();
776 SpinDelay(LIGHT_LEVELS - duty_d);
777 }
778 }
779 }
780 }
781 static void PacketReceived(PacketCommandNG *packet) {
782 /*
783 if (packet->ng) {
784 Dbprintf("received NG frame with %d bytes payload, with command: 0x%04x", packet->length, cmd);
785 } else {
786 Dbprintf("received OLD frame of %d bytes, with command: 0x%04x and args: %d %d %d", packet->length, packet->cmd, packet->oldarg[0], packet->oldarg[1], packet->oldarg[2]);
787 }
788 */
789
790 switch (packet->cmd) {
791 case CMD_BREAK_LOOP:
792 break;
793 case CMD_QUIT_SESSION: {
794 g_reply_via_fpc = false;
795 g_reply_via_usb = false;
796 break;
797 }
798 case CMD_SET_FPGAMODE: {
799 uint8_t mode = packet->data.asBytes[0];
800 if (mode >= FPGA_BITSTREAM_MIN && mode <= FPGA_BITSTREAM_MAX) {
801 FpgaDownloadAndGo(mode);
802 reply_ng(CMD_SET_FPGAMODE, PM3_SUCCESS, NULL, 0);
803 }
804 reply_ng(CMD_SET_FPGAMODE, PM3_EINVARG, NULL, 0);
805 break;
806 }
807 // emulator
808 case CMD_SET_DBGMODE: {
809 g_dbglevel = packet->data.asBytes[0];
810 if (packet->length == 1 || packet->data.asBytes[1] != 0)
811 print_debug_level();
812 reply_ng(CMD_SET_DBGMODE, PM3_SUCCESS, NULL, 0);
813 break;
814 }
815 case CMD_GET_DBGMODE: {
816 reply_ng(CMD_GET_DBGMODE, PM3_SUCCESS, (uint8_t *)&g_dbglevel, 1);
817 break;
818 }
819 case CMD_SET_TEAROFF: {
820 struct p {
821 uint16_t delay_us;
822 bool on;
823 bool off;
824 } PACKED;
825 struct p *payload = (struct p *)packet->data.asBytes;
826 if (payload->on && payload->off) {
827 reply_ng(CMD_SET_TEAROFF, PM3_EINVARG, NULL, 0);
828 }
829
830 if (payload->on) {
831 g_tearoff_enabled = true;
832 }
833
834 if (payload->off) {
835 g_tearoff_enabled = false;
836 }
837
838 if (payload->delay_us > 0) {
839 g_tearoff_delay_us = payload->delay_us;
840 }
841 reply_ng(CMD_SET_TEAROFF, PM3_SUCCESS, NULL, 0);
842 break;
843 }
844 // always available
845 case CMD_HF_DROPFIELD: {
846 hf_field_off();
847 break;
848 }
849 #ifdef WITH_LF
850 case CMD_LF_T55XX_SET_CONFIG: {
851 setT55xxConfig(packet->oldarg[0], (t55xx_configurations_t *) packet->data.asBytes);
852 break;
853 }
854 case CMD_LF_SAMPLING_PRINT_CONFIG: {
855 printLFConfig();
856 break;
857 }
858 case CMD_LF_SAMPLING_GET_CONFIG: {
859 sample_config *config = getSamplingConfig();
860 reply_ng(CMD_LF_SAMPLING_GET_CONFIG, PM3_SUCCESS, (uint8_t *)config, sizeof(sample_config));
861 break;
862 }
863 case CMD_LF_SAMPLING_SET_CONFIG: {
864 sample_config c;
865 memcpy(&c, packet->data.asBytes, sizeof(sample_config));
866 setSamplingConfig(&c);
867 break;
868 }
869 case CMD_LF_ACQ_RAW_ADC: {
870 lf_sample_payload_t *payload = (lf_sample_payload_t *)packet->data.asBytes;
871 if (payload->realtime) {
872 ReadLF_realtime(true);
873 } else {
874 uint32_t bits = SampleLF(payload->verbose, payload->samples, true);
875 reply_ng(CMD_LF_ACQ_RAW_ADC, PM3_SUCCESS, (uint8_t *)&bits, sizeof(bits));
876 }
877 break;
878 }
879 case CMD_LF_MOD_THEN_ACQ_RAW_ADC: {
880 struct p {
881 uint32_t delay;
882 uint16_t period_0;
883 uint16_t period_1;
884 uint8_t symbol_extra[LF_CMDREAD_MAX_EXTRA_SYMBOLS];
885 uint16_t period_extra[LF_CMDREAD_MAX_EXTRA_SYMBOLS];
886 uint32_t samples : 30;
887 bool keep : 1;
888 bool verbose : 1;
889 } PACKED;
890 struct p *payload = (struct p *)packet->data.asBytes;
891 uint8_t symbol_extra[LF_CMDREAD_MAX_EXTRA_SYMBOLS];
892 uint16_t period_extra[LF_CMDREAD_MAX_EXTRA_SYMBOLS];
893 memcpy(symbol_extra, payload->symbol_extra, sizeof(symbol_extra));
894 memcpy(period_extra, payload->period_extra, sizeof(period_extra));
895 ModThenAcquireRawAdcSamples125k(payload->delay, payload->period_0, payload->period_1, symbol_extra, period_extra, packet->data.asBytes + sizeof(struct p), payload->verbose, payload->keep, payload->samples, true);
896 break;
897 }
898 case CMD_LF_SNIFF_RAW_ADC: {
899 lf_sample_payload_t *payload = (lf_sample_payload_t *)packet->data.asBytes;
900 if (payload->realtime) {
901 ReadLF_realtime(false);
902 } else {
903 uint32_t bits = SniffLF(payload->verbose, payload->samples, true);
904 reply_ng(CMD_LF_SNIFF_RAW_ADC, PM3_SUCCESS, (uint8_t *)&bits, sizeof(bits));
905 }
906 break;
907 }
908 case CMD_LF_HID_WATCH: {
909 uint32_t high, low;
910 int res = lf_hid_watch(0, &high, &low, true);
911 reply_ng(CMD_LF_HID_WATCH, res, NULL, 0);
912 break;
913 }
914 case CMD_LF_HID_SIMULATE: {
915 lf_hidsim_t *payload = (lf_hidsim_t *)packet->data.asBytes;
916 CmdHIDsimTAG(payload->hi2, payload->hi, payload->lo, payload->longFMT, 1);
917 break;
918 }
919 case CMD_LF_FSK_SIMULATE: {
920 lf_fsksim_t *payload = (lf_fsksim_t *)packet->data.asBytes;
921 CmdFSKsimTAG(payload->fchigh, payload->fclow, payload->separator, payload->clock, packet->length - sizeof(lf_fsksim_t), payload->data, true);
922 break;
923 }
924 case CMD_LF_ASK_SIMULATE: {
925 lf_asksim_t *payload = (lf_asksim_t *)packet->data.asBytes;
926 CmdASKsimTAG(payload->encoding, payload->invert, payload->separator, payload->clock, packet->length - sizeof(lf_asksim_t), payload->data, true);
927 break;
928 }
929 case CMD_LF_PSK_SIMULATE: {
930 lf_psksim_t *payload = (lf_psksim_t *)packet->data.asBytes;
931 CmdPSKsimTAG(payload->carrier, payload->invert, payload->clock, packet->length - sizeof(lf_psksim_t), payload->data, true);
932 break;
933 }
934 case CMD_LF_NRZ_SIMULATE: {
935 lf_nrzsim_t *payload = (lf_nrzsim_t *)packet->data.asBytes;
936 CmdNRZsimTAG(payload->invert, payload->separator, payload->clock, packet->length - sizeof(lf_nrzsim_t), payload->data, true);
937 break;
938 }
939 case CMD_LF_HID_CLONE: {
940 lf_hidsim_t *payload = (lf_hidsim_t *)packet->data.asBytes;
941 CopyHIDtoT55x7(payload->hi2, payload->hi, payload->lo, payload->longFMT, payload->Q5, payload->EM, true);
942 break;
943 }
944 case CMD_LF_IO_WATCH: {
945 uint32_t high, low;
946 int res = lf_io_watch(0, &high, &low, true);
947 reply_ng(CMD_LF_IO_WATCH, res, NULL, 0);
948 break;
949 }
950 case CMD_LF_EM410X_WATCH: {
951 uint32_t high;
952 uint64_t low;
953 int res = lf_em410x_watch(0, &high, &low, true);
954 reply_ng(CMD_LF_EM410X_WATCH, res, NULL, 0);
955 break;
956 }
957 case CMD_LF_EM410X_CLONE: {
958 struct p {
959 bool Q5;
960 bool EM;
961 bool add_electra;
962 uint8_t clock;
963 uint32_t high;
964 uint32_t low;
965 } PACKED;
966 struct p *payload = (struct p *)packet->data.asBytes;
967 uint8_t card = payload->Q5 ? 0 : (payload->EM ? 2 : 1);
968 int res = copy_em410x_to_t55xx(card, payload->clock, payload->high, payload->low, payload->add_electra, true);
969 reply_ng(CMD_LF_EM410X_CLONE, res, NULL, 0);
970 break;
971 }
972 case CMD_LF_TI_READ: {
973 ReadTItag(true);
974 break;
975 }
976 case CMD_LF_TI_WRITE: {
977 struct p {
978 uint32_t high;
979 uint32_t low;
980 uint16_t crc;
981 } PACKED;
982 struct p *payload = (struct p *)packet->data.asBytes;
983 WriteTItag(payload->high, payload->low, packet->crc, true);
984 break;
985 }
986 case CMD_LF_SIMULATE: {
987 LED_A_ON();
988 struct p {
989 uint16_t len;
990 uint16_t gap;
991 } PACKED;
992 struct p *payload = (struct p *)packet->data.asBytes;
993 // length, start gap, led control
994 SimulateTagLowFrequency(payload->len, payload->gap, true);
995 reply_ng(CMD_LF_SIMULATE, PM3_EOPABORTED, NULL, 0);
996 LED_A_OFF();
997 break;
998 }
999 case CMD_LF_SIMULATE_BIDIR: {
1000 SimulateTagLowFrequencyBidir(packet->oldarg[0], packet->oldarg[1]);
1001 break;
1002 }
1003 case CMD_LF_T55XX_READBL: {
1004 struct p {
1005 uint32_t password;
1006 uint8_t blockno;
1007 uint8_t page;
1008 bool pwdmode;
1009 uint8_t downlink_mode;
1010 } PACKED;
1011 struct p *payload = (struct p *) packet->data.asBytes;
1012 T55xxReadBlock(payload->page, payload->pwdmode, false, payload->blockno, payload->password, payload->downlink_mode, true);
1013 break;
1014 }
1015 case CMD_LF_T55XX_WRITEBL: {
1016 // uses NG format
1017 T55xxWriteBlock(packet->data.asBytes, true);
1018 break;
1019 }
1020 case CMD_LF_T55XX_DANGERRAW: {
1021 T55xxDangerousRawTest(packet->data.asBytes, true);
1022 break;
1023 }
1024 case CMD_LF_T55XX_WAKEUP: {
1025 struct p {
1026 uint32_t password;
1027 uint8_t flags;
1028 } PACKED;
1029 struct p *payload = (struct p *) packet->data.asBytes;
1030 T55xxWakeUp(payload->password, payload->flags, true);
1031 break;
1032 }
1033 case CMD_LF_T55XX_RESET_READ: {
1034 T55xxResetRead(packet->data.asBytes[0] & 0xff, true);
1035 break;
1036 }
1037 case CMD_LF_T55XX_CHK_PWDS: {
1038 T55xx_ChkPwds(packet->data.asBytes[0] & 0xff, true);
1039 break;
1040 }
1041 case CMD_LF_PCF7931_READ: {
1042 ReadPCF7931(true);
1043 break;
1044 }
1045 case CMD_LF_PCF7931_WRITE: {
1046 WritePCF7931(
1047 packet->data.asBytes[0], packet->data.asBytes[1], packet->data.asBytes[2], packet->data.asBytes[3],
1048 packet->data.asBytes[4], packet->data.asBytes[5], packet->data.asBytes[6], packet->data.asBytes[9],
1049 packet->data.asBytes[7] - 128, packet->data.asBytes[8] - 128,
1050 packet->oldarg[0],
1051 packet->oldarg[1],
1052 packet->oldarg[2],
1053 true
1054 );
1055 break;
1056 }
1057 case CMD_LF_EM4X_LOGIN: {
1058 struct p {
1059 uint32_t password;
1060 } PACKED;
1061 struct p *payload = (struct p *) packet->data.asBytes;
1062 EM4xLogin(payload->password, true);
1063 break;
1064 }
1065 case CMD_LF_EM4X_BF: {
1066 struct p {
1067 uint32_t start_pwd;
1068 uint32_t n;
1069 } PACKED;
1070 struct p *payload = (struct p *) packet->data.asBytes;
1071 EM4xBruteforce(payload->start_pwd, payload->n, true);
1072 break;
1073 }
1074 case CMD_LF_EM4X_READWORD: {
1075 struct p {
1076 uint32_t password;
1077 uint8_t address;
1078 uint8_t usepwd;
1079 } PACKED;
1080 struct p *payload = (struct p *) packet->data.asBytes;
1081 EM4xReadWord(payload->address, payload->password, payload->usepwd, true);
1082 break;
1083 }
1084 case CMD_LF_EM4X_WRITEWORD: {
1085 struct p {
1086 uint32_t password;
1087 uint32_t data;
1088 uint8_t address;
1089 uint8_t usepwd;
1090 } PACKED;
1091 struct p *payload = (struct p *) packet->data.asBytes;
1092 EM4xWriteWord(payload->address, payload->data, payload->password, payload->usepwd, true);
1093 break;
1094 }
1095 case CMD_LF_EM4X_PROTECTWORD: {
1096 struct p {
1097 uint32_t password;
1098 uint32_t data;
1099 uint8_t usepwd;
1100 } PACKED;
1101 struct p *payload = (struct p *) packet->data.asBytes;
1102 EM4xProtectWord(payload->data, payload->password, payload->usepwd, true);
1103 break;
1104 }
1105 case CMD_LF_AWID_WATCH: {
1106 uint32_t high, low;
1107 int res = lf_awid_watch(0, &high, &low, true);
1108 reply_ng(CMD_LF_AWID_WATCH, res, NULL, 0);
1109 break;
1110 }
1111 case CMD_LF_VIKING_CLONE: {
1112 struct p {
1113 bool Q5;
1114 bool EM;
1115 uint8_t blocks[8];
1116 } PACKED;
1117 struct p *payload = (struct p *)packet->data.asBytes;
1118 CopyVikingtoT55xx(payload->blocks, payload->Q5, payload->EM, true);
1119 break;
1120 }
1121 case CMD_LF_COTAG_READ: {
1122 struct p {
1123 uint8_t mode;
1124 } PACKED;
1125 struct p *payload = (struct p *)packet->data.asBytes;
1126 Cotag(payload->mode, true);
1127 break;
1128 }
1129 #endif
1130
1131 #ifdef WITH_HITAG
1132 case CMD_LF_HITAG_SNIFF: { // Eavesdrop Hitag tag, args = type
1133 SniffHitag2(true);
1134 //hitag_sniff();
1135 reply_ng(CMD_LF_HITAG_SNIFF, PM3_SUCCESS, NULL, 0);
1136 break;
1137 }
1138 case CMD_LF_HITAG_SIMULATE: { // Simulate Hitag tag, args = memory content
1139 SimulateHitag2(true);
1140 break;
1141 }
1142 case CMD_LF_HITAG2_CRACK: {
1143 lf_hitag_data_t *payload = (lf_hitag_data_t *) packet->data.asBytes;
1144 ht2_crack1(payload->NrAr);
1145 break;
1146 }
1147 case CMD_LF_HITAG2_CRACK_2: {
1148 lf_hitag_data_t *payload = (lf_hitag_data_t *) packet->data.asBytes;
1149 ht2_crack2(payload->NrAr);
1150 break;
1151 }
1152 case CMD_LF_HITAG_READER: { // Reader for Hitag tags, args = type and function
1153 lf_hitag_data_t *payload = (lf_hitag_data_t *) packet->data.asBytes;
1154
1155 switch (payload->cmd) {
1156 case HT2F_UID_ONLY: {
1157 ht2_read_uid(NULL, true, true, false);
1158 break;
1159 }
1160 default: {
1161 ReaderHitag(payload, true);
1162 break;
1163 }
1164 }
1165 break;
1166 }
1167 case CMD_LF_HITAGS_SIMULATE: { // Simulate Hitag s tag, args = memory content
1168 hts_simulate((bool)packet->oldarg[0], packet->data.asBytes, true);
1169 break;
1170 }
1171 case CMD_LF_HITAGS_TEST_TRACES: { // Tests every challenge within the given file
1172 hts_check_challenges(packet->data.asBytes, packet->length, true);
1173 break;
1174 }
1175 case CMD_LF_HITAGS_READ: { // Reader for only Hitag S tags, args = key or challenge
1176 lf_hitag_data_t *payload = (lf_hitag_data_t *) packet->data.asBytes;
1177 hts_read(payload, true);
1178 break;
1179 }
1180 case CMD_LF_HITAGS_WRITE: {
1181 lf_hitag_data_t *payload = (lf_hitag_data_t *) packet->data.asBytes;
1182 hts_write_page(payload, true);
1183 break;
1184 }
1185 case CMD_LF_HITAGS_UID: {
1186 hts_read_uid(NULL, false, true);
1187 break;
1188 }
1189 case CMD_LF_HITAG2_WRITE: {
1190 lf_hitag_data_t *payload = (lf_hitag_data_t *) packet->data.asBytes;
1191 WriterHitag(payload, true);
1192 break;
1193 }
1194 case CMD_LF_HITAG_ELOAD: {
1195 lf_hitag_t *payload = (lf_hitag_t *) packet->data.asBytes;
1196 uint8_t *mem = BigBuf_get_EM_addr();
1197 memcpy(mem, payload->data, payload->len);
1198 break;
1199 }
1200 #endif
1201
1202 #ifdef WITH_EM4x50
1203 case CMD_LF_EM4X50_INFO: {
1204 em4x50_info((const em4x50_data_t *)packet->data.asBytes, true);
1205 break;
1206 }
1207 case CMD_LF_EM4X50_WRITE: {
1208 em4x50_write((const em4x50_data_t *)packet->data.asBytes, true);
1209 break;
1210 }
1211 case CMD_LF_EM4X50_WRITEPWD: {
1212 em4x50_writepwd((const em4x50_data_t *)packet->data.asBytes, true);
1213 break;
1214 }
1215 case CMD_LF_EM4X50_READ: {
1216 em4x50_read((const em4x50_data_t *)packet->data.asBytes, true);
1217 break;
1218 }
1219 case CMD_LF_EM4X50_BRUTE: {
1220 em4x50_brute((const em4x50_data_t *)packet->data.asBytes, true);
1221 break;
1222 }
1223 case CMD_LF_EM4X50_LOGIN: {
1224 em4x50_login((const uint32_t *)packet->data.asBytes, true);
1225 break;
1226 }
1227 case CMD_LF_EM4X50_SIM: {
1228 //-----------------------------------------------------------------------------
1229 // Note: we call FpgaDownloadAndGo(FPGA_BITSTREAM_LF) here although FPGA is not
1230 // involved in dealing with emulator memory. But if it is called later, it might
1231 // destroy the Emulator Memory.
1232 //-----------------------------------------------------------------------------
1233 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1234 em4x50_sim((const uint32_t *)packet->data.asBytes, true);
1235 break;
1236 }
1237 case CMD_LF_EM4X50_READER: {
1238 em4x50_reader(true);
1239 break;
1240 }
1241 case CMD_LF_EM4X50_ESET: {
1242 //-----------------------------------------------------------------------------
1243 // Note: we call FpgaDownloadAndGo(FPGA_BITSTREAM_LF) here although FPGA is not
1244 // involved in dealing with emulator memory. But if it is called later, it might
1245 // destroy the Emulator Memory.
1246 //-----------------------------------------------------------------------------
1247 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1248 emlSet(packet->data.asBytes, packet->oldarg[0], packet->oldarg[1]);
1249 break;
1250 }
1251 case CMD_LF_EM4X50_CHK: {
1252 //-----------------------------------------------------------------------------
1253 // Note: we call FpgaDownloadAndGo(FPGA_BITSTREAM_LF) here although FPGA is not
1254 // involved in dealing with emulator memory. But if it is called later, it might
1255 // destroy the Emulator Memory.
1256 //-----------------------------------------------------------------------------
1257 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1258 em4x50_chk((const char *)packet->data.asBytes, true);
1259 break;
1260 }
1261 #endif
1262
1263 #ifdef WITH_EM4x70
1264 case CMD_LF_EM4X70_INFO: {
1265 em4x70_info((em4x70_data_t *)packet->data.asBytes, true);
1266 break;
1267 }
1268 case CMD_LF_EM4X70_WRITE: {
1269 em4x70_write((em4x70_data_t *)packet->data.asBytes, true);
1270 break;
1271 }
1272 case CMD_LF_EM4X70_UNLOCK: {
1273 em4x70_unlock((em4x70_data_t *)packet->data.asBytes, true);
1274 break;
1275 }
1276 case CMD_LF_EM4X70_AUTH: {
1277 em4x70_auth((em4x70_data_t *)packet->data.asBytes, true);
1278 break;
1279 }
1280 case CMD_LF_EM4X70_SETPIN: {
1281 em4x70_write_pin((em4x70_data_t *)packet->data.asBytes, true);
1282 break;
1283 }
1284 case CMD_LF_EM4X70_SETKEY: {
1285 em4x70_write_key((em4x70_data_t *)packet->data.asBytes, true);
1286 break;
1287 }
1288 case CMD_LF_EM4X70_BRUTE: {
1289 em4x70_brute((em4x70_data_t *)packet->data.asBytes, true);
1290 break;
1291 }
1292 #endif
1293
1294 #ifdef WITH_ZX8211
1295 case CMD_LF_ZX_READ: {
1296 zx8211_read((zx8211_data_t *)packet->data.asBytes, true);
1297 break;
1298 }
1299 case CMD_LF_ZX_WRITE: {
1300 zx8211_write((zx8211_data_t *)packet->data.asBytes, true);
1301 break;
1302 }
1303 #endif
1304
1305 #ifdef WITH_ISO15693
1306 case CMD_HF_ISO15693_ACQ_RAW_ADC: {
1307 AcquireRawAdcSamplesIso15693();
1308 break;
1309 }
1310 case CMD_HF_ISO15693_SNIFF: {
1311 SniffIso15693(0, NULL, false);
1312 reply_ng(CMD_HF_ISO15693_SNIFF, PM3_SUCCESS, NULL, 0);
1313 break;
1314 }
1315 case CMD_HF_ISO15693_COMMAND: {
1316 iso15_raw_cmd_t *payload = (iso15_raw_cmd_t *)packet->data.asBytes;
1317 SendRawCommand15693(payload);
1318 break;
1319 }
1320 case CMD_HF_ISO15693_FINDAFI: {
1321 struct p {
1322 uint32_t flags;
1323 } PACKED;
1324 struct p *payload = (struct p *)packet->data.asBytes;
1325 BruteforceIso15693Afi(payload->flags);
1326 break;
1327 }
1328 case CMD_HF_ISO15693_READER: {
1329 ReaderIso15693(NULL);
1330 break;
1331 }
1332 case CMD_HF_ISO15693_EML_CLEAR: {
1333 //-----------------------------------------------------------------------------
1334 // Note: we call FpgaDownloadAndGo(FPGA_BITSTREAM_HF_15) here although FPGA is not
1335 // involved in dealing with emulator memory. But if it is called later, it might
1336 // destroy the Emulator Memory.
1337 //-----------------------------------------------------------------------------
1338 EmlClearIso15693();
1339 break;
1340 }
1341 case CMD_HF_ISO15693_EML_SETMEM: {
1342 //-----------------------------------------------------------------------------
1343 // Note: we call FpgaDownloadAndGo(FPGA_BITSTREAM_HF_15) here although FPGA is not
1344 // involved in dealing with emulator memory. But if it is called later, it might
1345 // destroy the Emulator Memory.
1346 //-----------------------------------------------------------------------------
1347 FpgaDownloadAndGo(FPGA_BITSTREAM_HF_15);
1348 struct p {
1349 uint32_t offset;
1350 uint16_t count;
1351 uint8_t data[];
1352 } PACKED;
1353 struct p *payload = (struct p *) packet->data.asBytes;
1354 emlSet(payload->data, payload->offset, payload->count);
1355 break;
1356 }
1357 case CMD_HF_ISO15693_EML_GETMEM: {
1358 FpgaDownloadAndGo(FPGA_BITSTREAM_HF_15);
1359 struct p {
1360 uint32_t offset;
1361 uint16_t length;
1362 } PACKED;
1363 struct p *payload = (struct p *) packet->data.asBytes;
1364
1365 if (payload->length > PM3_CMD_DATA_SIZE) {
1366 reply_ng(CMD_HF_ISO15693_EML_GETMEM, PM3_EMALLOC, NULL, 0);
1367 return;
1368 }
1369
1370 uint8_t *buf = BigBuf_malloc(payload->length);
1371 emlGet(buf, payload->offset, payload->length);
1372 LED_B_ON();
1373 reply_ng(CMD_HF_ISO15693_EML_GETMEM, PM3_SUCCESS, buf, payload->length);
1374 LED_B_OFF();
1375 BigBuf_free_keep_EM();
1376 break;
1377 }
1378 case CMD_HF_ISO15693_SIMULATE: {
1379 struct p {
1380 uint8_t uid[8];
1381 uint8_t block_size;
1382 } PACKED;
1383 struct p *payload = (struct p *) packet->data.asBytes;
1384 SimTagIso15693(payload->uid, payload->block_size);
1385 break;
1386 }
1387 case CMD_HF_ISO15693_CSETUID: {
1388 struct p {
1389 uint8_t uid[8];
1390 } PACKED;
1391 struct p *payload = (struct p *) packet->data.asBytes;
1392 SetTag15693Uid(payload->uid);
1393 break;
1394 }
1395 case CMD_HF_ISO15693_CSETUID_V2: {
1396 struct p {
1397 uint8_t uid[8];
1398 } PACKED;
1399 struct p *payload = (struct p *) packet->data.asBytes;
1400 SetTag15693Uid_v2(payload->uid);
1401 break;
1402 }
1403 case CMD_HF_ISO15693_SLIX_DISABLE_EAS: {
1404 struct p {
1405 uint8_t pwd[4];
1406 bool usepwd;
1407 } PACKED;
1408 struct p *payload = (struct p *) packet->data.asBytes;
1409 DisableEAS_AFISlixIso15693(payload->pwd, payload->usepwd);
1410 break;
1411 }
1412 case CMD_HF_ISO15693_SLIX_ENABLE_EAS: {
1413 struct p {
1414 uint8_t pwd[4];
1415 bool usepwd;
1416 } PACKED;
1417 struct p *payload = (struct p *) packet->data.asBytes;
1418 EnableEAS_AFISlixIso15693(payload->pwd, payload->usepwd);
1419 break;
1420 }
1421 case CMD_HF_ISO15693_SLIX_WRITE_PWD: {
1422 struct p {
1423 uint8_t old_pwd[4];
1424 uint8_t new_pwd[4];
1425 uint8_t pwd_id;
1426 } PACKED;
1427 struct p *payload = (struct p *) packet->data.asBytes;
1428 WritePasswordSlixIso15693(payload->old_pwd, payload->new_pwd, payload->pwd_id);
1429 break;
1430 }
1431 case CMD_HF_ISO15693_SLIX_DISABLE_PRIVACY: {
1432 struct p {
1433 uint8_t pwd[4];
1434 } PACKED;
1435 struct p *payload = (struct p *) packet->data.asBytes;
1436 DisablePrivacySlixIso15693(payload->pwd);
1437 break;
1438 }
1439 case CMD_HF_ISO15693_SLIX_ENABLE_PRIVACY: {
1440 struct p {
1441 uint8_t pwd[4];
1442 } PACKED;
1443 struct p *payload = (struct p *)packet->data.asBytes;
1444 EnablePrivacySlixIso15693(payload->pwd);
1445 break;
1446 }
1447 case CMD_HF_ISO15693_SLIX_PASS_PROTECT_AFI: {
1448 struct p {
1449 uint8_t pwd[4];
1450 } PACKED;
1451 struct p *payload = (struct p *)packet->data.asBytes;
1452 PassProtectAFISlixIso15693(payload->pwd);
1453 break;
1454 }
1455 case CMD_HF_ISO15693_WRITE_AFI: {
1456 struct p {
1457 uint8_t pwd[4];
1458 bool use_pwd;
1459 uint8_t uid[8];
1460 bool use_uid;
1461 uint8_t afi;
1462 } PACKED;
1463 struct p *payload = (struct p *)packet->data.asBytes;
1464 WriteAFIIso15693(payload->pwd, payload->use_pwd, payload->uid, payload->use_uid, payload->afi);
1465 break;
1466 }
1467 case CMD_HF_ISO15693_SLIX_PASS_PROTECT_EAS: {
1468 struct p {
1469 uint8_t pwd[4];
1470 } PACKED;
1471 struct p *payload = (struct p *)packet->data.asBytes;
1472 PassProtextEASSlixIso15693(payload->pwd);
1473 break;
1474 }
1475
1476 #endif
1477
1478 #ifdef WITH_LEGICRF
1479 case CMD_HF_LEGIC_SIMULATE: {
1480 struct p {
1481 uint8_t tagtype;
1482 bool send_reply;
1483 } PACKED;
1484 struct p *payload = (struct p *) packet->data.asBytes;
1485 LegicRfSimulate(payload->tagtype, payload->send_reply);
1486 break;
1487 }
1488 case CMD_HF_LEGIC_WRITER: {
1489 legic_packet_t *payload = (legic_packet_t *) packet->data.asBytes;
1490 LegicRfWriter(payload->offset, payload->len, payload->iv, payload->data);
1491 break;
1492 }
1493 case CMD_HF_LEGIC_READER: {
1494 legic_packet_t *payload = (legic_packet_t *) packet->data.asBytes;
1495 LegicRfReader(payload->offset, payload->len, payload->iv);
1496 break;
1497 }
1498 case CMD_HF_LEGIC_INFO: {
1499 LegicRfInfo();
1500 break;
1501 }
1502 case CMD_HF_LEGIC_ESET: {
1503 //-----------------------------------------------------------------------------
1504 // Note: we call FpgaDownloadAndGo(FPGA_BITSTREAM_HF) here although FPGA is not
1505 // involved in dealing with emulator memory. But if it is called later, it might
1506 // destroy the Emulator Memory.
1507 //-----------------------------------------------------------------------------
1508 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1509 legic_packet_t *payload = (legic_packet_t *) packet->data.asBytes;
1510 emlSet(payload->data, payload->offset, payload->len);
1511 break;
1512 }
1513 #endif
1514
1515 #ifdef WITH_ISO14443b
1516 case CMD_HF_SRI_READ: {
1517 struct p {
1518 uint8_t blockno;
1519 } PACKED;
1520 struct p *payload = (struct p *) packet->data.asBytes;
1521 read_14b_st_block(payload->blockno);
1522 break;
1523 }
1524 case CMD_HF_ISO14443B_SNIFF: {
1525 SniffIso14443b();
1526 reply_ng(CMD_HF_ISO14443B_SNIFF, PM3_SUCCESS, NULL, 0);
1527 break;
1528 }
1529 case CMD_HF_ISO14443B_SIMULATE: {
1530 SimulateIso14443bTag(packet->data.asBytes);
1531 break;
1532 }
1533 case CMD_HF_ISO14443B_COMMAND: {
1534 iso14b_raw_cmd_t *payload = (iso14b_raw_cmd_t *)packet->data.asBytes;
1535 SendRawCommand14443B(payload);
1536 break;
1537 }
1538 case CMD_HF_CRYPTORF_SIM : {
1539 // simulate_crf_tag();
1540 break;
1541 }
1542 #endif
1543
1544 #ifdef WITH_FELICA
1545 case CMD_HF_FELICA_COMMAND: {
1546 felica_sendraw(packet);
1547 break;
1548 }
1549 case CMD_HF_FELICALITE_SIMULATE: {
1550 struct p {
1551 uint8_t uid[8];
1552 } PACKED;
1553 struct p *payload = (struct p *) packet->data.asBytes;
1554 felica_sim_lite(payload->uid);
1555 break;
1556 }
1557 case CMD_HF_FELICA_SNIFF: {
1558 struct p {
1559 uint32_t samples;
1560 uint32_t triggers;
1561 } PACKED;
1562 struct p *payload = (struct p *) packet->data.asBytes;
1563 felica_sniff(payload->samples, payload->triggers);
1564 break;
1565 }
1566 case CMD_HF_FELICALITE_DUMP: {
1567 felica_dump_lite_s();
1568 break;
1569 }
1570 #endif
1571
1572 #ifdef WITH_GENERAL_HF
1573 case CMD_HF_ACQ_RAW_ADC: {
1574 uint32_t samplesCount = 0;
1575 memcpy(&samplesCount, packet->data.asBytes, 4);
1576 HfReadADC(samplesCount, true);
1577 break;
1578 }
1579 case CMD_HF_TEXKOM_SIMULATE: {
1580 struct p {
1581 uint8_t data[8];
1582 uint8_t modulation;
1583 uint32_t timeout;
1584 } PACKED;
1585 struct p *payload = (struct p *) packet->data.asBytes;
1586 HfSimulateTkm(payload->data, payload->modulation, payload->timeout);
1587 break;
1588 }
1589
1590 #endif
1591
1592 #ifdef WITH_ISO14443a
1593 case CMD_HF_ISO14443A_PRINT_CONFIG: {
1594 printHf14aConfig();
1595 break;
1596 }
1597 case CMD_HF_ISO14443A_GET_CONFIG: {
1598 hf14a_config *hf14aconfig = getHf14aConfig();
1599 reply_ng(CMD_HF_ISO14443A_GET_CONFIG, PM3_SUCCESS, (uint8_t *)hf14aconfig, sizeof(hf14a_config));
1600 break;
1601 }
1602 case CMD_HF_ISO14443A_SET_CONFIG: {
1603 hf14a_config c;
1604 memcpy(&c, packet->data.asBytes, sizeof(hf14a_config));
1605 setHf14aConfig(&c);
1606 break;
1607 }
1608 case CMD_HF_ISO14443A_SET_THRESHOLDS: {
1609 struct p {
1610 uint8_t threshold;
1611 uint8_t threshold_high;
1612 uint8_t legic_threshold;
1613 } PACKED;
1614 struct p *payload = (struct p *) packet->data.asBytes;
1615 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1616 FpgaSendCommand(FPGA_CMD_SET_EDGE_DETECT_THRESHOLD, (payload->threshold & 0x3f) | ((payload->threshold_high & 0x3f) << 6));
1617 #ifdef WITH_LEGICRF
1618 LegicRfSetThreshold((uint32_t)payload->legic_threshold);
1619 #endif
1620 break;
1621 }
1622 case CMD_HF_ISO14443A_SNIFF: {
1623 SniffIso14443a(packet->data.asBytes[0]);
1624 reply_ng(CMD_HF_ISO14443A_SNIFF, PM3_SUCCESS, NULL, 0);
1625 break;
1626 }
1627 case CMD_HF_ISO14443A_READER: {
1628 ReaderIso14443a(packet);
1629 break;
1630 }
1631 case CMD_HF_ISO14443A_SIMULATE: {
1632 struct p {
1633 uint8_t tagtype;
1634 uint16_t flags;
1635 uint8_t uid[10];
1636 uint8_t exitAfter;
1637 uint8_t rats[20];
1638 } PACKED;
1639 struct p *payload = (struct p *) packet->data.asBytes;
1640 SimulateIso14443aTag(payload->tagtype, payload->flags, payload->uid,
1641 payload->exitAfter, payload->rats, sizeof(payload->rats)); // ## Simulate iso14443a tag - pass tag type & UID
1642 break;
1643 }
1644 case CMD_HF_ISO14443A_SIM_AID: {
1645 struct p {
1646 uint8_t tagtype;
1647 uint16_t flags;
1648 uint8_t uid[10];
1649 uint8_t rats[20];
1650 uint8_t aid[30];
1651 uint8_t response[100];
1652 uint8_t apdu[100];
1653 int aid_len;
1654 int respond_len;
1655 int apdu_len;
1656 bool enumerate;
1657 } PACKED;
1658 struct p *payload = (struct p *) packet->data.asBytes;
1659 SimulateIso14443aTagAID(payload->tagtype, payload->flags, payload->uid,
1660 payload->rats, sizeof(payload->rats), payload->aid, payload->response,
1661 payload->apdu, payload->aid_len, payload->respond_len,
1662 payload->apdu_len, payload->enumerate); // ## Simulate iso14443a tag - pass tag type, UID, rats, aid, resp, apdu
1663 break;
1664 }
1665 case CMD_HF_ISO14443A_ANTIFUZZ: {
1666 struct p {
1667 uint8_t flag;
1668 } PACKED;
1669 struct p *payload = (struct p *) packet->data.asBytes;
1670 iso14443a_antifuzz(payload->flag);
1671 break;
1672 }
1673 // EPA related
1674 case CMD_HF_EPA_COLLECT_NONCE: {
1675 EPA_PACE_Collect_Nonce(packet);
1676 break;
1677 }
1678 case CMD_HF_EPA_REPLAY: {
1679 EPA_PACE_Replay(packet);
1680 break;
1681 }
1682 case CMD_HF_EPA_PACE_SIMULATE: {
1683 EPA_PACE_Simulate(packet);
1684 break;
1685 }
1686
1687 case CMD_HF_MIFARE_READER: {
1688 struct p {
1689 uint8_t first_run;
1690 uint8_t blockno;
1691 uint8_t key_type;
1692 } PACKED;
1693 struct p *payload = (struct p *) packet->data.asBytes;
1694 ReaderMifare(payload->first_run, payload->blockno, payload->key_type);
1695 break;
1696 }
1697 case CMD_HF_MIFARE_READBL: {
1698 mf_readblock_t *payload = (mf_readblock_t *)packet->data.asBytes;
1699 uint8_t outbuf[16];
1700 int16_t retval = mifare_cmd_readblocks(MF_WAKE_WUPA, MIFARE_AUTH_KEYA + payload->keytype, payload->key, ISO14443A_CMD_READBLOCK, payload->blockno, 1, outbuf);
1701 reply_ng(CMD_HF_MIFARE_READBL, retval, outbuf, sizeof(outbuf));
1702 break;
1703 }
1704 case CMD_HF_MIFARE_READBL_EX: {
1705 mf_readblock_ex_t *payload = (mf_readblock_ex_t *)packet->data.asBytes;
1706 uint8_t outbuf[16];
1707 int16_t retval = mifare_cmd_readblocks(payload->wakeup, payload->auth_cmd, payload->key, payload->read_cmd, payload->block_no, 1, outbuf);
1708 reply_ng(CMD_HF_MIFARE_READBL_EX, retval, outbuf, sizeof(outbuf));
1709 break;
1710 }
1711 case CMD_HF_MIFAREU_READBL: {
1712
1713 MifareUReadBlock(packet->oldarg[0], packet->oldarg[1], packet->data.asBytes);
1714 break;
1715 }
1716 case CMD_HF_MIFAREUC_AUTH: {
1717 MifareUC_Auth(packet->oldarg[0], packet->data.asBytes);
1718 break;
1719 }
1720 case CMD_HF_MIFAREULAES_AUTH: {
1721 struct p {
1722 bool turn_off_field;
1723 uint8_t keyno;
1724 uint8_t key[18];
1725 } PACKED;
1726 struct p *payload = (struct p *) packet->data.asBytes;
1727 MifareUL_AES_Auth(payload->turn_off_field, payload->keyno, payload->key);
1728 break;
1729 }
1730 case CMD_HF_MIFAREU_READCARD: {
1731 MifareUReadCard(packet->oldarg[0], packet->oldarg[1], packet->oldarg[2], packet->data.asBytes);
1732 break;
1733 }
1734 case CMD_HF_MIFAREUC_SETPWD: {
1735 MifareUSetPwd(packet->oldarg[0], packet->data.asBytes);
1736 break;
1737 }
1738 case CMD_HF_MIFARE_READSC: {
1739 MifareReadSector(packet->oldarg[0], packet->oldarg[1], packet->data.asBytes);
1740 break;
1741 }
1742 case CMD_HF_MIFARE_WRITEBL: {
1743 uint8_t block_no = packet->oldarg[0];
1744 uint8_t key_type = packet->oldarg[1];
1745 uint8_t *key = packet->data.asBytes;
1746 uint8_t *block_data = packet->data.asBytes + 10;
1747
1748 int16_t retval = mifare_cmd_writeblocks(MF_WAKE_WUPA, MIFARE_AUTH_KEYA + (key_type & 0xF), key, ISO14443A_CMD_WRITEBLOCK, block_no, 1, block_data);
1749
1750 // convert ng style retval to old status
1751 if (retval >= 0) {
1752 retval = 1;
1753 }
1754
1755 reply_mix(CMD_ACK, retval, 0, 0, 0, 0);
1756 break;
1757 }
1758 case CMD_HF_MIFARE_WRITEBL_EX: {
1759 mf_writeblock_ex_t *payload = (mf_writeblock_ex_t *)packet->data.asBytes;
1760 int16_t retval = mifare_cmd_writeblocks(payload->wakeup, payload->auth_cmd, payload->key, payload->write_cmd, payload->block_no, 1, payload->block_data);
1761 reply_ng(CMD_HF_MIFARE_WRITEBL_EX, retval, NULL, 0);
1762 break;
1763 }
1764 case CMD_HF_MIFARE_VALUE: {
1765 MifareValue(packet->oldarg[0], packet->oldarg[1], packet->oldarg[2], packet->data.asBytes);
1766 break;
1767 }
1768 case CMD_HF_MIFAREU_WRITEBL: {
1769 MifareUWriteBlock(packet->oldarg[0], packet->oldarg[1], packet->data.asBytes);
1770 break;
1771 }
1772 case CMD_HF_MIFAREU_WRITEBL_COMPAT: {
1773 MifareUWriteBlockCompat(packet->oldarg[0], packet->oldarg[1], packet->data.asBytes);
1774 break;
1775 }
1776 case CMD_HF_MIFARE_ACQ_ENCRYPTED_NONCES: {
1777 MifareAcquireEncryptedNonces(packet->oldarg[0], packet->oldarg[1], packet->oldarg[2], packet->data.asBytes);
1778 break;
1779 }
1780 case CMD_HF_MIFARE_ACQ_STATIC_ENCRYPTED_NONCES: {
1781 MifareAcquireStaticEncryptedNonces(packet->oldarg[0], packet->data.asBytes, true);
1782 break;
1783 }
1784 case CMD_HF_MIFARE_ACQ_NONCES: {
1785 MifareAcquireNonces(packet->oldarg[0], packet->oldarg[2]);
1786 break;
1787 }
1788 case CMD_HF_MIFARE_NESTED: {
1789 struct p {
1790 uint8_t block;
1791 uint8_t keytype;
1792 uint8_t target_block;
1793 uint8_t target_keytype;
1794 bool calibrate;
1795 uint8_t key[6];
1796 } PACKED;
1797 struct p *payload = (struct p *) packet->data.asBytes;
1798 MifareNested(payload->block, payload->keytype, payload->target_block, payload->target_keytype, payload->calibrate, payload->key);
1799 break;
1800 }
1801 case CMD_HF_MIFARE_STATIC_NESTED: {
1802 struct p {
1803 uint8_t block;
1804 uint8_t keytype;
1805 uint8_t target_block;
1806 uint8_t target_keytype;
1807 uint8_t key[6];
1808 } PACKED;
1809 struct p *payload = (struct p *) packet->data.asBytes;
1810 MifareStaticNested(payload->block, payload->keytype, payload->target_block, payload->target_keytype, payload->key);
1811 break;
1812 }
1813 case CMD_HF_MIFARE_CHKKEYS: {
1814 MifareChkKeys(packet->data.asBytes, false);
1815 break;
1816 }
1817 case CMD_HF_MIFARE_CHKKEYS_FAST: {
1818 MifareChkKeys_fast(packet->oldarg[0], packet->oldarg[1], packet->oldarg[2], packet->data.asBytes);
1819 break;
1820 }
1821 case CMD_HF_MIFARE_CHKKEYS_FILE: {
1822 struct p {
1823 uint8_t filename[32];
1824 } PACKED;
1825 struct p *payload = (struct p *) packet->data.asBytes;
1826 MifareChkKeys_file(payload->filename);
1827 break;
1828 }
1829 case CMD_HF_MIFARE_SIMULATE: {
1830 struct p {
1831 uint16_t flags;
1832 uint8_t exitAfter;
1833 uint8_t uid[10];
1834 uint16_t atqa;
1835 uint8_t sak;
1836 } PACKED;
1837 struct p *payload = (struct p *) packet->data.asBytes;
1838 Mifare1ksim(payload->flags, payload->exitAfter, payload->uid, payload->atqa, payload->sak);
1839 break;
1840 }
1841 case CMD_HF_MIFARE_EML_MEMCLR: {
1842 MifareEMemClr();
1843 reply_ng(CMD_HF_MIFARE_EML_MEMCLR, PM3_SUCCESS, NULL, 0);
1844 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1845 break;
1846 }
1847 case CMD_HF_MIFARE_EML_MEMSET: {
1848 struct p {
1849 uint8_t blockno;
1850 uint8_t blockcnt;
1851 uint8_t blockwidth;
1852 uint8_t data[];
1853 } PACKED;
1854 struct p *payload = (struct p *) packet->data.asBytes;
1855
1856 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1857
1858 // backwards compat... default bytewidth
1859 if (payload->blockwidth == 0)
1860 payload->blockwidth = 16;
1861
1862 emlSetMem_xt(payload->data, payload->blockno, payload->blockcnt, payload->blockwidth);
1863 break;
1864 }
1865 case CMD_HF_MIFARE_EML_MEMGET: {
1866 struct p {
1867 uint8_t blockno;
1868 uint8_t blockcnt;
1869 } PACKED;
1870 struct p *payload = (struct p *) packet->data.asBytes;
1871 MifareEMemGet(payload->blockno, payload->blockcnt);
1872 break;
1873 }
1874 case CMD_HF_MIFARE_EML_LOAD: {
1875 mfc_eload_t *payload = (mfc_eload_t *) packet->data.asBytes;
1876 MifareECardLoadExt(payload->sectorcnt, payload->keytype, payload->key);
1877 break;
1878 }
1879 // Gen1a / 1b - "magic Chinese" card
1880 case CMD_HF_MIFARE_CSETBL: {
1881 MifareCSetBlock(packet->oldarg[0], packet->oldarg[1], packet->data.asBytes);
1882 break;
1883 }
1884 case CMD_HF_MIFARE_CGETBL: {
1885 MifareCGetBlock(packet->oldarg[0], packet->oldarg[1], packet->data.asBytes);
1886 break;
1887 }
1888 case CMD_HF_MIFARE_CIDENT: {
1889 struct p {
1890 uint8_t is_mfc;
1891 uint8_t keytype;
1892 uint8_t key[6];
1893 } PACKED;
1894 struct p *payload = (struct p *) packet->data.asBytes;
1895 MifareCIdent(payload->is_mfc, payload->keytype, payload->key);
1896 break;
1897 }
1898 // Gen 3 magic cards
1899 case CMD_HF_MIFARE_GEN3UID: {
1900 MifareGen3UID(packet->oldarg[0], packet->data.asBytes);
1901 break;
1902 }
1903 case CMD_HF_MIFARE_GEN3BLK: {
1904 MifareGen3Blk(packet->oldarg[0], packet->data.asBytes);
1905 break;
1906 }
1907 case CMD_HF_MIFARE_GEN3FREEZ: {
1908 MifareGen3Freez();
1909 break;
1910 }
1911 // Gen 4 GTU magic cards
1912 case CMD_HF_MIFARE_G4_RDBL: {
1913 struct p {
1914 uint8_t blockno;
1915 uint8_t pwd[4];
1916 uint8_t workFlags;
1917 } PACKED;
1918 struct p *payload = (struct p *) packet->data.asBytes;
1919 MifareG4ReadBlk(payload->blockno, payload->pwd, payload->workFlags);
1920 break;
1921 }
1922 case CMD_HF_MIFARE_G4_WRBL: {
1923 struct p {
1924 uint8_t blockno;
1925 uint8_t pwd[4];
1926 uint8_t data[16]; // data to be written
1927 uint8_t workFlags;
1928 } PACKED;
1929 struct p *payload = (struct p *) packet->data.asBytes;
1930 MifareG4WriteBlk(payload->blockno, payload->pwd, payload->data, payload->workFlags);
1931 break;
1932 }
1933 case CMD_HF_MIFARE_G4_GDM_WRBL: {
1934 struct p {
1935 uint8_t blockno;
1936 uint8_t key[6];
1937 uint8_t data[16]; // data to be written
1938 } PACKED;
1939 struct p *payload = (struct p *) packet->data.asBytes;
1940 int16_t retval = mifare_cmd_writeblocks(MF_WAKE_WUPA, MIFARE_MAGIC_GDM_AUTH_KEY, payload->key, MIFARE_MAGIC_GDM_WRITEBLOCK, payload->blockno, 1, payload->data);
1941 reply_ng(CMD_HF_MIFARE_G4_GDM_WRBL, retval, NULL, 0);
1942 break;
1943 }
1944 case CMD_HF_MIFARE_PERSONALIZE_UID: {
1945 struct p {
1946 uint8_t keytype;
1947 uint8_t pers_option;
1948 uint8_t key[6];
1949 } PACKED;
1950 struct p *payload = (struct p *) packet->data.asBytes;
1951 uint64_t authkey = bytes_to_num(payload->key, 6);
1952 MifarePersonalizeUID(payload->keytype, payload->pers_option, authkey);
1953 break;
1954 }
1955 case CMD_HF_MIFARE_SETMOD: {
1956 MifareSetMod(packet->data.asBytes);
1957 break;
1958 }
1959 //mifare desfire
1960 case CMD_HF_DESFIRE_READBL: {
1961 break;
1962 }
1963 case CMD_HF_DESFIRE_WRITEBL: {
1964 break;
1965 }
1966 case CMD_HF_DESFIRE_AUTH1: {
1967 MifareDES_Auth1(packet->data.asBytes);
1968 break;
1969 }
1970 case CMD_HF_DESFIRE_AUTH2: {
1971 //MifareDES_Auth2(packet->oldarg[0],packet->data.asBytes);
1972 break;
1973 }
1974 case CMD_HF_DESFIRE_READER: {
1975 //readermifaredes(packet->oldarg[0], packet->oldarg[1], packet->data.asBytes);
1976 break;
1977 }
1978 case CMD_HF_DESFIRE_INFO: {
1979 MifareDesfireGetInformation();
1980 break;
1981 }
1982 case CMD_HF_DESFIRE_COMMAND: {
1983 MifareSendCommand(packet->data.asBytes);
1984 break;
1985 }
1986 case CMD_HF_MIFARE_NACK_DETECT: {
1987 DetectNACKbug();
1988 break;
1989 }
1990 case CMD_HF_MFU_OTP_TEAROFF: {
1991 MifareU_Otp_Tearoff(packet->oldarg[0], packet->oldarg[1], packet->data.asBytes);
1992 break;
1993 }
1994 case CMD_HF_MFU_COUNTER_TEAROFF: {
1995 struct p {
1996 uint8_t counter;
1997 uint32_t tearoff_time;
1998 uint8_t value[4];
1999 } PACKED;
2000 struct p *payload = (struct p *) packet->data.asBytes;
2001 MifareU_Counter_Tearoff(payload->counter, payload->tearoff_time, payload->value);
2002 break;
2003 }
2004 case CMD_HF_MIFARE_STATIC_NONCE: {
2005 MifareHasStaticNonce();
2006 break;
2007 }
2008 case CMD_HF_MIFARE_STATIC_ENCRYPTED_NONCE: {
2009 struct p {
2010 uint8_t block_no;
2011 uint8_t key_type;
2012 uint8_t key[6];
2013 uint8_t block_no_nested;
2014 uint8_t key_type_nested;
2015 uint8_t key_nested[6];
2016 uint8_t nr_nonces;
2017 uint8_t resets;
2018 uint8_t addread;
2019 uint8_t addauth;
2020 uint8_t incblk2;
2021 uint8_t corruptnrar;
2022 uint8_t corruptnrarparity;
2023 } PACKED;
2024 struct p *payload = (struct p *) packet->data.asBytes;
2025
2026 MifareHasStaticEncryptedNonce(payload->block_no, payload->key_type, payload->key, payload->block_no_nested, payload->key_type_nested, payload->key_nested, payload->nr_nonces, payload->resets & 1, (payload->resets >> 1) & 1, payload->addread, payload->addauth, payload->incblk2, payload->corruptnrar, payload->corruptnrarparity);
2027 break;
2028 }
2029 #endif
2030
2031 #ifdef WITH_NFCBARCODE
2032 case CMD_HF_THINFILM_READ: {
2033 ReadThinFilm();
2034 break;
2035 }
2036 case CMD_HF_THINFILM_SIMULATE: {
2037 SimulateThinFilm(packet->data.asBytes, packet->length);
2038 break;
2039 }
2040 #endif
2041
2042 #ifdef WITH_ICLASS
2043 // Makes use of ISO14443a FPGA Firmware
2044 case CMD_HF_ICLASS_SNIFF: {
2045 struct p {
2046 uint8_t jam_search_len;
2047 uint8_t jam_search_string[];
2048 } PACKED;
2049 struct p *payload = (struct p *) packet->data.asBytes;
2050 SniffIClass(payload->jam_search_len, payload->jam_search_string);
2051 reply_ng(CMD_HF_ICLASS_SNIFF, PM3_SUCCESS, NULL, 0);
2052 break;
2053 }
2054 case CMD_HF_ICLASS_SIMULATE: {
2055 /*
2056 struct p {
2057 uint8_t reader[4];
2058 uint8_t mac[4];
2059 } PACKED;
2060 struct p *payload = (struct p *) packet->data.asBytes;
2061 */
2062
2063 SimulateIClass(packet->oldarg[0], packet->oldarg[1], packet->oldarg[2], packet->data.asBytes);
2064 break;
2065 }
2066 case CMD_HF_ICLASS_READER: {
2067 iclass_card_select_t *payload = (iclass_card_select_t *) packet->data.asBytes;
2068 ReaderIClass(payload->flags);
2069 break;
2070 }
2071 case CMD_HF_ICLASS_EML_MEMSET: {
2072 //-----------------------------------------------------------------------------
2073 // Note: we call FpgaDownloadAndGo(FPGA_BITSTREAM_HF_15) here although FPGA is not
2074 // involved in dealing with emulator memory. But if it is called later, it might
2075 // destroy the Emulator Memory.
2076 //-----------------------------------------------------------------------------
2077 FpgaDownloadAndGo(FPGA_BITSTREAM_HF_15);
2078 struct p {
2079 uint16_t offset;
2080 uint16_t len;
2081 uint8_t data[];
2082 } PACKED;
2083 struct p *payload = (struct p *) packet->data.asBytes;
2084 emlSet(payload->data, payload->offset, payload->len);
2085 break;
2086 }
2087 case CMD_HF_ICLASS_WRITEBL: {
2088 iClass_WriteBlock(packet->data.asBytes);
2089 break;
2090 }
2091 case CMD_HF_ICLASS_READBL: {
2092 iClass_ReadBlock(packet->data.asBytes);
2093 break;
2094 }
2095 case CMD_HF_ICLASS_CHKKEYS: {
2096 iClass_Authentication_fast((iclass_chk_t *)packet->data.asBytes);
2097 break;
2098 }
2099 case CMD_HF_ICLASS_DUMP: {
2100 iClass_Dump(packet->data.asBytes);
2101 break;
2102 }
2103 case CMD_HF_ICLASS_RESTORE: {
2104 iClass_Restore((iclass_restore_req_t *)packet->data.asBytes);
2105 break;
2106 }
2107 case CMD_HF_ICLASS_RECOVER: {
2108 iClass_Recover((iclass_recover_req_t *)packet->data.asBytes);
2109 break;
2110 }
2111 case CMD_HF_ICLASS_CREDIT_EPURSE: {
2112 iclass_credit_epurse((iclass_credit_epurse_t *)packet->data.asBytes);
2113 break;
2114 }
2115 #endif
2116
2117 #ifdef WITH_HFSNIFF
2118 case CMD_HF_SNIFF: {
2119 struct p {
2120 uint32_t samplesToSkip;
2121 uint32_t triggersToSkip;
2122 uint8_t skipMode;
2123 uint8_t skipRatio;
2124 } PACKED;
2125 struct p *payload = (struct p *) packet->data.asBytes;
2126
2127 uint16_t len = 0;
2128 int res = HfSniff(payload->samplesToSkip, payload->triggersToSkip, &len, payload->skipMode, payload->skipRatio);
2129
2130 struct {
2131 uint16_t len;
2132 } PACKED retval;
2133 retval.len = len;
2134 reply_ng(CMD_HF_SNIFF, res, (uint8_t *)&retval, sizeof(retval));
2135 break;
2136 }
2137 #endif
2138
2139 #ifdef WITH_HFPLOT
2140 case CMD_FPGAMEM_DOWNLOAD: {
2141 HfPlotDownload();
2142 break;
2143 }
2144 #endif
2145
2146 #ifdef WITH_SMARTCARD
2147 case CMD_SMART_ATR: {
2148 SmartCardAtr();
2149 break;
2150 }
2151 case CMD_SMART_SETBAUD: {
2152 SmartCardSetBaud(packet->oldarg[0]);
2153 break;
2154 }
2155 case CMD_SMART_SETCLOCK: {
2156 struct p {
2157 uint32_t new_clk;
2158 } PACKED;
2159 struct p *payload = (struct p *) packet->data.asBytes;
2160 SmartCardSetClock(payload->new_clk);
2161 break;
2162 }
2163 case CMD_SMART_RAW: {
2164 SmartCardRaw((smart_card_raw_t *) packet->data.asBytes);
2165 break;
2166 }
2167 case CMD_SMART_UPLOAD: {
2168 // upload file from client
2169 struct p {
2170 uint32_t idx;
2171 uint32_t bytes_in_packet;
2172 uint16_t crc;
2173 uint8_t data[400];
2174 } PACKED;
2175 struct p *payload = (struct p *) packet->data.asBytes;
2176 uint8_t *mem = BigBuf_get_addr();
2177 memcpy(mem + payload->idx, payload->data, payload->bytes_in_packet);
2178
2179 uint8_t a = 0, b = 0;
2180 compute_crc(CRC_14443_A, mem + payload->idx, payload->bytes_in_packet, &a, &b);
2181 int res = PM3_SUCCESS;
2182 if (payload->crc != (a << 8 | b)) {
2183 DbpString("CRC Failed");
2184 res = PM3_ESOFT;
2185 }
2186 reply_ng(CMD_SMART_UPLOAD, res, NULL, 0);
2187 break;
2188 }
2189 case CMD_SMART_UPGRADE: {
2190 struct p {
2191 uint16_t fw_size;
2192 uint16_t crc;
2193 } PACKED;
2194 struct p *payload = (struct p *) packet->data.asBytes;
2195
2196 uint8_t *fwdata = BigBuf_get_addr();
2197 uint8_t a = 0, b = 0;
2198 compute_crc(CRC_14443_A, fwdata, payload->fw_size, &a, &b);
2199
2200 if (payload->crc != (a << 8 | b)) {
2201 Dbprintf("CRC Failed, 0x[%04x] != 0x[%02x%02x]", payload->crc, a, b);
2202 reply_ng(CMD_SMART_UPGRADE, PM3_ESOFT, NULL, 0);
2203 } else {
2204 SmartCardUpgrade(payload->fw_size);
2205 }
2206 fwdata = NULL;
2207 break;
2208 }
2209
2210 case CMD_HF_SAM_PICOPASS: {
2211 sam_picopass_get_pacs();
2212 break;
2213 }
2214 case CMD_HF_SAM_SEOS: {
2215 // sam_seos_get_pacs();
2216 break;
2217 }
2218
2219 case CMD_HF_SAM_MFC: {
2220 // sam_mfc_get_pacs();
2221 break;
2222 }
2223
2224 #endif
2225
2226 #ifdef WITH_FPC_USART
2227 case CMD_USART_TX: {
2228 LED_B_ON();
2229 usart_writebuffer_sync(packet->data.asBytes, packet->length);
2230 reply_ng(CMD_USART_TX, PM3_SUCCESS, NULL, 0);
2231 LED_B_OFF();
2232 break;
2233 }
2234 case CMD_USART_RX: {
2235 LED_B_ON();
2236 struct p {
2237 uint32_t waittime;
2238 } PACKED;
2239 struct p *payload = (struct p *) packet->data.asBytes;
2240
2241 uint16_t available;
2242 uint16_t pre_available = 0;
2243 uint8_t *dest = BigBuf_malloc(USART_FIFOLEN);
2244 uint32_t wait = payload->waittime;
2245
2246 StartTicks();
2247
2248 uint32_t ti = GetTickCount();
2249
2250 while (true) {
2251 WaitMS(50);
2252 available = usart_rxdata_available();
2253 if (available > pre_available) {
2254 // When receiving data, reset timer and shorten timeout
2255 ti = GetTickCount();
2256 wait = 50;
2257 pre_available = available;
2258 continue;
2259 }
2260 // We stop either after waittime if no data or 50ms after last data received
2261 if (GetTickCountDelta(ti) > wait)
2262 break;
2263 }
2264 if (available > 0) {
2265 uint16_t len = usart_read_ng(dest, available);
2266 reply_ng(CMD_USART_RX, PM3_SUCCESS, dest, len);
2267 } else {
2268 reply_ng(CMD_USART_RX, PM3_ENODATA, NULL, 0);
2269 }
2270
2271 StopTicks();
2272 BigBuf_free();
2273 LED_B_OFF();
2274 break;
2275 }
2276 case CMD_USART_TXRX: {
2277 LED_B_ON();
2278 struct p {
2279 uint32_t waittime;
2280 uint8_t data[];
2281 } PACKED;
2282 struct p *payload = (struct p *) packet->data.asBytes;
2283 usart_writebuffer_sync(payload->data, packet->length - sizeof(payload));
2284
2285 uint16_t available;
2286 uint16_t pre_available = 0;
2287 uint8_t *dest = BigBuf_malloc(USART_FIFOLEN);
2288 uint32_t wait = payload->waittime;
2289
2290 StartTicks();
2291
2292 uint32_t ti = GetTickCount();
2293
2294 while (true) {
2295 WaitMS(50);
2296 available = usart_rxdata_available();
2297 if (available > pre_available) {
2298 // When receiving data, reset timer and shorten timeout
2299 ti = GetTickCount();
2300 wait = 50;
2301 pre_available = available;
2302 continue;
2303 }
2304 // We stop either after waittime if no data or 50ms after last data received
2305 if (GetTickCountDelta(ti) > wait)
2306 break;
2307 }
2308
2309 if (available > 0) {
2310 uint16_t len = usart_read_ng(dest, available);
2311 reply_ng(CMD_USART_TXRX, PM3_SUCCESS, dest, len);
2312 } else {
2313 reply_ng(CMD_USART_TXRX, PM3_ENODATA, NULL, 0);
2314 }
2315
2316 StopTicks();
2317 BigBuf_free();
2318 LED_B_OFF();
2319 break;
2320 }
2321 case CMD_USART_CONFIG: {
2322 struct p {
2323 uint32_t baudrate;
2324 uint8_t parity;
2325 } PACKED;
2326 struct p *payload = (struct p *) packet->data.asBytes;
2327 usart_init(payload->baudrate, payload->parity);
2328 reply_ng(CMD_USART_CONFIG, PM3_SUCCESS, NULL, 0);
2329 break;
2330 }
2331 #endif
2332 case CMD_BUFF_CLEAR: {
2333 BigBuf_Clear();
2334 BigBuf_free();
2335 break;
2336 }
2337 #ifdef WITH_LF
2338 case CMD_MEASURE_ANTENNA_TUNING: {
2339 MeasureAntennaTuning();
2340 break;
2341 }
2342 #endif
2343 case CMD_MEASURE_ANTENNA_TUNING_HF: {
2344 if (packet->length != 1)
2345 reply_ng(CMD_MEASURE_ANTENNA_TUNING_HF, PM3_EINVARG, NULL, 0);
2346
2347 switch (packet->data.asBytes[0]) {
2348 case 1: // MEASURE_ANTENNA_TUNING_HF_START
2349 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
2350 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
2351 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
2352 reply_ng(CMD_MEASURE_ANTENNA_TUNING_HF, PM3_SUCCESS, NULL, 0);
2353 break;
2354 case 2:
2355 if (button_status == BUTTON_SINGLE_CLICK) {
2356 reply_ng(CMD_MEASURE_ANTENNA_TUNING_HF, PM3_EOPABORTED, NULL, 0);
2357 }
2358 uint16_t volt = MeasureAntennaTuningHfData();
2359 reply_ng(CMD_MEASURE_ANTENNA_TUNING_HF, PM3_SUCCESS, (uint8_t *)&volt, sizeof(volt));
2360 break;
2361 case 3:
2362 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2363 reply_ng(CMD_MEASURE_ANTENNA_TUNING_HF, PM3_SUCCESS, NULL, 0);
2364 break;
2365 default:
2366 reply_ng(CMD_MEASURE_ANTENNA_TUNING_HF, PM3_EINVARG, NULL, 0);
2367 break;
2368 }
2369 break;
2370 }
2371 case CMD_MEASURE_ANTENNA_TUNING_LF: {
2372 if (packet->length != 2)
2373 reply_ng(CMD_MEASURE_ANTENNA_TUNING_LF, PM3_EINVARG, NULL, 0);
2374
2375 switch (packet->data.asBytes[0]) {
2376 case 1: // MEASURE_ANTENNA_TUNING_LF_START
2377 // Let the FPGA drive the low-frequency antenna around 125kHz
2378 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
2379 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER | FPGA_LF_ADC_READER_FIELD);
2380 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, packet->data.asBytes[1]);
2381 reply_ng(CMD_MEASURE_ANTENNA_TUNING_LF, PM3_SUCCESS, NULL, 0);
2382 break;
2383 case 2:
2384 if (button_status == BUTTON_SINGLE_CLICK) {
2385 reply_ng(CMD_MEASURE_ANTENNA_TUNING_LF, PM3_EOPABORTED, NULL, 0);
2386 }
2387
2388 uint32_t volt = MeasureAntennaTuningLfData();
2389 reply_ng(CMD_MEASURE_ANTENNA_TUNING_LF, PM3_SUCCESS, (uint8_t *)&volt, sizeof(volt));
2390 break;
2391 case 3:
2392 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2393 reply_ng(CMD_MEASURE_ANTENNA_TUNING_LF, PM3_SUCCESS, NULL, 0);
2394 break;
2395 default:
2396 reply_ng(CMD_MEASURE_ANTENNA_TUNING_LF, PM3_EINVARG, NULL, 0);
2397 break;
2398 }
2399 break;
2400 }
2401 case CMD_LISTEN_READER_FIELD: {
2402 if (packet->length != sizeof(uint8_t))
2403 break;
2404 ListenReaderField(packet->data.asBytes[0]);
2405 reply_ng(CMD_LISTEN_READER_FIELD, PM3_EOPABORTED, NULL, 0);
2406 break;
2407 }
2408 case CMD_FPGA_MAJOR_MODE_OFF: { // ## FPGA Control
2409 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2410 SpinDelay(200);
2411 LED_D_OFF(); // LED D indicates field ON or OFF
2412 break;
2413 }
2414 case CMD_DOWNLOAD_BIGBUF: {
2415 LED_B_ON();
2416 uint8_t *mem = BigBuf_get_addr();
2417 uint32_t startidx = packet->oldarg[0];
2418 uint32_t numofbytes = packet->oldarg[1];
2419
2420 // arg0 = startindex
2421 // arg1 = length bytes to transfer
2422 // arg2 = BigBuf tracelen
2423 //Dbprintf("transfer to client parameters: %" PRIu32 " | %" PRIu32 " | %" PRIu32, startidx, numofbytes, packet->oldarg[2]);
2424
2425 for (size_t offset = 0; offset < numofbytes; offset += PM3_CMD_DATA_SIZE) {
2426 size_t len = MIN((numofbytes - offset), PM3_CMD_DATA_SIZE);
2427 int result = reply_old(CMD_DOWNLOADED_BIGBUF, offset, len, BigBuf_get_traceLen(), &mem[startidx + offset], len);
2428 if (result != PM3_SUCCESS)
2429 Dbprintf("transfer to client failed :: | bytes between %d - %d (%d) | result: %d", offset, offset + len, len, result);
2430 }
2431 // Trigger a finish downloading signal with an ACK frame
2432 // arg0 = status of download transfer
2433 reply_mix(CMD_ACK, 1, 0, BigBuf_get_traceLen(), NULL, 0);
2434 LED_B_OFF();
2435 break;
2436 }
2437 #ifdef WITH_LF
2438 case CMD_LF_UPLOAD_SIM_SAMPLES: {
2439 // iceman; since changing fpga_bitstreams clears bigbuff, Its better to call it before.
2440 // to be able to use this one for uploading data to device
2441 // flag =
2442 // b0 0 skip
2443 // 1 clear bigbuff
2444 struct p {
2445 uint8_t flag;
2446 uint16_t offset;
2447 uint8_t data[PM3_CMD_DATA_SIZE - sizeof(uint8_t) - sizeof(uint16_t)];
2448 } PACKED;
2449 struct p *payload = (struct p *) packet->data.asBytes;
2450
2451 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
2452
2453 if ((payload->flag & 0x1) == 0x1) {
2454 BigBuf_Clear_ext(false);
2455 BigBuf_free();
2456 }
2457
2458 // offset should not be over buffer
2459 if (payload->offset >= BigBuf_get_size()) {
2460 reply_ng(CMD_LF_UPLOAD_SIM_SAMPLES, PM3_EOVFLOW, NULL, 0);
2461 break;
2462 }
2463 // ensure len bytes copied won't go past end of bigbuf
2464 uint16_t len = MIN(BigBuf_get_size() - payload->offset, sizeof(payload->data));
2465
2466 uint8_t *mem = BigBuf_get_addr();
2467
2468 memcpy(mem + payload->offset, &payload->data, len);
2469 reply_ng(CMD_LF_UPLOAD_SIM_SAMPLES, PM3_SUCCESS, NULL, 0);
2470 break;
2471 }
2472 #endif
2473 case CMD_DOWNLOAD_EML_BIGBUF: {
2474 LED_B_ON();
2475 uint8_t *mem = BigBuf_get_EM_addr();
2476 uint32_t startidx = packet->oldarg[0];
2477 uint32_t numofbytes = packet->oldarg[1];
2478
2479 // arg0 = startindex
2480 // arg1 = length bytes to transfer
2481 // arg2 = RFU
2482
2483 for (size_t i = 0; i < numofbytes; i += PM3_CMD_DATA_SIZE) {
2484 size_t len = MIN((numofbytes - i), PM3_CMD_DATA_SIZE);
2485 int result = reply_old(CMD_DOWNLOADED_EML_BIGBUF, i, len, 0, mem + startidx + i, len);
2486 if (result != PM3_SUCCESS)
2487 Dbprintf("transfer to client failed :: | bytes between %d - %d (%d) | result: %d", i, i + len, len, result);
2488 }
2489 // Trigger a finish downloading signal with an ACK frame
2490 reply_mix(CMD_ACK, 1, 0, 0, 0, 0);
2491 LED_B_OFF();
2492 break;
2493 }
2494 case CMD_READ_MEM: {
2495 if (packet->length != sizeof(uint32_t))
2496 break;
2497 ReadMem(packet->data.asDwords[0]);
2498 break;
2499 }
2500 case CMD_READ_MEM_DOWNLOAD: {
2501 LED_B_ON();
2502
2503 size_t offset = packet->oldarg[0];
2504 size_t count = packet->oldarg[1];
2505 uint32_t flags = packet->oldarg[2];
2506
2507 bool isok = true;
2508 uint8_t *base = NULL;
2509
2510 bool raw_address_mode = ((flags & READ_MEM_DOWNLOAD_FLAG_RAW) == READ_MEM_DOWNLOAD_FLAG_RAW);
2511 if (!raw_address_mode) {
2512
2513 base = (uint8_t *) _flash_start;
2514
2515 size_t flash_size = get_flash_size();
2516
2517 // Boundary check the offset.
2518 if (offset > flash_size) {
2519 isok = false;
2520 Dbprintf("reading mcu flash failed :: | out of bounds, offset %u count %u", offset, count);
2521 }
2522
2523 // Clip the length if it goes past the end of the flash memory.
2524 count = MIN(count, flash_size - offset);
2525
2526 } else {
2527 // Allow reading from any memory address and length in special 'raw' mode.
2528 base = NULL;
2529 // Boundary check against end of addressable space.
2530 if (offset > 0)
2531 count = MIN(count, -offset);
2532 }
2533
2534 if (isok) {
2535 for (size_t pos = 0; pos < count; pos += PM3_CMD_DATA_SIZE) {
2536 size_t len = MIN((count - pos), PM3_CMD_DATA_SIZE);
2537 isok = 0 == reply_old(CMD_READ_MEM_DOWNLOADED, pos, len, 0, &base[offset + pos], len);
2538 if (!isok) {
2539 Dbprintf("transfer to client failed :: | pos %u len %u", pos, len);
2540 break;
2541 }
2542 }
2543 }
2544
2545 reply_old(CMD_ACK, 1, 0, 0, 0, 0);
2546 LED_B_OFF();
2547 break;
2548 }
2549 #ifdef WITH_FLASH
2550 case CMD_SPIFFS_TEST: {
2551 test_spiffs();
2552 break;
2553 }
2554 case CMD_SPIFFS_CHECK: {
2555 rdv40_spiffs_check();
2556 break;
2557 }
2558 case CMD_SPIFFS_MOUNT: {
2559 rdv40_spiffs_lazy_mount();
2560 break;
2561 }
2562 case CMD_SPIFFS_UNMOUNT: {
2563 rdv40_spiffs_lazy_unmount();
2564 break;
2565 }
2566 case CMD_SPIFFS_PRINT_TREE: {
2567 rdv40_spiffs_safe_print_tree();
2568 break;
2569 }
2570 case CMD_SPIFFS_PRINT_FSINFO: {
2571 rdv40_spiffs_safe_print_fsinfo();
2572 break;
2573 }
2574 case CMD_SPIFFS_DOWNLOAD: {
2575 LED_B_ON();
2576 uint8_t filename[32];
2577 uint8_t *pfilename = packet->data.asBytes;
2578 memcpy(filename, pfilename, SPIFFS_OBJ_NAME_LEN);
2579 if (g_dbglevel >= DBG_DEBUG) Dbprintf("Filename received for spiffs dump : %s", filename);
2580
2581 uint32_t size = packet->oldarg[1];
2582
2583 uint8_t *buff = BigBuf_malloc(size);
2584 if (buff == NULL) {
2585 if (g_dbglevel >= DBG_DEBUG) Dbprintf("Could not allocate buffer");
2586 // Trigger a finish downloading signal with an PM3_EMALLOC
2587 reply_ng(CMD_SPIFFS_DOWNLOAD, PM3_EMALLOC, NULL, 0);
2588 } else {
2589 rdv40_spiffs_read_as_filetype((char *)filename, (uint8_t *)buff, size, RDV40_SPIFFS_SAFETY_SAFE);
2590 // arg0 = filename
2591 // arg1 = size
2592 // arg2 = RFU
2593
2594 for (size_t i = 0; i < size; i += PM3_CMD_DATA_SIZE) {
2595 size_t len = MIN((size - i), PM3_CMD_DATA_SIZE);
2596 int result = reply_old(CMD_SPIFFS_DOWNLOADED, i, len, 0, buff + i, len);
2597 if (result != PM3_SUCCESS)
2598 Dbprintf("transfer to client failed :: | bytes between %d - %d (%d) | result: %d", i, i + len, len, result);
2599 }
2600 // Trigger a finish downloading signal with an ACK frame
2601 reply_ng(CMD_SPIFFS_DOWNLOAD, PM3_SUCCESS, NULL, 0);
2602 BigBuf_free();
2603 }
2604 LED_B_OFF();
2605 break;
2606 }
2607 case CMD_SPIFFS_STAT: {
2608 LED_B_ON();
2609 uint8_t filename[32];
2610 uint8_t *pfilename = packet->data.asBytes;
2611 memcpy(filename, pfilename, SPIFFS_OBJ_NAME_LEN);
2612 if (g_dbglevel >= DBG_DEBUG) {
2613 Dbprintf("Filename received for spiffs STAT : %s", filename);
2614 }
2615
2616 int changed = rdv40_spiffs_lazy_mount();
2617 uint32_t size = size_in_spiffs((char *)filename);
2618 if (changed) {
2619 rdv40_spiffs_lazy_unmount();
2620 }
2621
2622 reply_ng(CMD_SPIFFS_STAT, PM3_SUCCESS, (uint8_t *)&size, sizeof(uint32_t));
2623 LED_B_OFF();
2624 break;
2625 }
2626 case CMD_SPIFFS_REMOVE: {
2627 LED_B_ON();
2628
2629 struct p {
2630 uint8_t len;
2631 uint8_t fn[32];
2632 } PACKED;
2633 struct p *payload = (struct p *) packet->data.asBytes;
2634
2635 if (g_dbglevel >= DBG_DEBUG) {
2636 Dbprintf("Filename received for spiffs REMOVE : %s", payload->fn);
2637 }
2638
2639 rdv40_spiffs_remove((char *)payload->fn, RDV40_SPIFFS_SAFETY_SAFE);
2640 reply_ng(CMD_SPIFFS_REMOVE, PM3_SUCCESS, NULL, 0);
2641 LED_B_OFF();
2642 break;
2643 }
2644 case CMD_SPIFFS_RENAME: {
2645 LED_B_ON();
2646 struct p {
2647 uint8_t slen;
2648 uint8_t src[32];
2649 uint8_t dlen;
2650 uint8_t dest[32];
2651 } PACKED;
2652 struct p *payload = (struct p *) packet->data.asBytes;
2653
2654 if (g_dbglevel >= DBG_DEBUG) {
2655 Dbprintf("SPIFFS RENAME");
2656 Dbprintf("Source........ %s", payload->src);
2657 Dbprintf("Destination... %s", payload->dest);
2658 }
2659 rdv40_spiffs_rename((char *)payload->src, (char *)payload->dest, RDV40_SPIFFS_SAFETY_SAFE);
2660 reply_ng(CMD_SPIFFS_RENAME, PM3_SUCCESS, NULL, 0);
2661 LED_B_OFF();
2662 break;
2663 }
2664 case CMD_SPIFFS_COPY: {
2665 LED_B_ON();
2666 struct p {
2667 uint8_t slen;
2668 uint8_t src[32];
2669 uint8_t dlen;
2670 uint8_t dest[32];
2671 } PACKED;
2672 struct p *payload = (struct p *) packet->data.asBytes;
2673
2674 if (g_dbglevel >= DBG_DEBUG) {
2675 Dbprintf("SPIFFS COPY");
2676 Dbprintf("Source........ %s", payload->src);
2677 Dbprintf("Destination... %s", payload->dest);
2678 }
2679 rdv40_spiffs_copy((char *)payload->src, (char *)payload->dest, RDV40_SPIFFS_SAFETY_SAFE);
2680 reply_ng(CMD_SPIFFS_COPY, PM3_SUCCESS, NULL, 0);
2681 LED_B_OFF();
2682 break;
2683 }
2684 case CMD_SPIFFS_WRITE: {
2685 LED_B_ON();
2686
2687 flashmem_write_t *payload = (flashmem_write_t *)packet->data.asBytes;
2688
2689 if (g_dbglevel >= DBG_DEBUG) {
2690 Dbprintf("SPIFFS WRITE, dest `%s` with APPEND set to: %c", payload->fn, payload->append ? 'Y' : 'N');
2691 }
2692
2693 if (payload->append) {
2694 rdv40_spiffs_append((char *) payload->fn, payload->data, payload->bytes_in_packet, RDV40_SPIFFS_SAFETY_SAFE);
2695 } else {
2696 rdv40_spiffs_write((char *) payload->fn, payload->data, payload->bytes_in_packet, RDV40_SPIFFS_SAFETY_SAFE);
2697 }
2698
2699 reply_ng(CMD_SPIFFS_WRITE, PM3_SUCCESS, NULL, 0);
2700 LED_B_OFF();
2701 break;
2702 }
2703 case CMD_SPIFFS_WIPE: {
2704 LED_B_ON();
2705 rdv40_spiffs_safe_wipe();
2706 reply_ng(CMD_SPIFFS_WIPE, PM3_SUCCESS, NULL, 0);
2707 LED_B_OFF();
2708 break;
2709 }
2710 case CMD_SPIFFS_ELOAD: {
2711 LED_B_ON();
2712
2713 uint8_t *em = BigBuf_get_EM_addr();
2714 if (em == NULL) {
2715 reply_ng(CMD_SPIFFS_ELOAD, PM3_EMALLOC, NULL, 0);
2716 LED_B_OFF();
2717 break;
2718 }
2719
2720 char *fn = (char *)packet->data.asBytes;
2721
2722 uint32_t size = size_in_spiffs(fn);
2723 if (size == 0) {
2724 reply_ng(CMD_SPIFFS_ELOAD, PM3_SUCCESS, NULL, 0);
2725 LED_B_OFF();
2726 break;
2727 }
2728
2729 rdv40_spiffs_read_as_filetype(fn, em, size, RDV40_SPIFFS_SAFETY_SAFE);
2730 reply_ng(CMD_SPIFFS_ELOAD, PM3_SUCCESS, NULL, 0);
2731 LED_B_OFF();
2732 break;
2733 }
2734 case CMD_FLASHMEM_SET_SPIBAUDRATE: {
2735 if (packet->length != sizeof(uint32_t))
2736 break;
2737 FlashmemSetSpiBaudrate(packet->data.asDwords[0]);
2738 break;
2739 }
2740 case CMD_FLASHMEM_WRITE: {
2741 LED_B_ON();
2742
2743 flashmem_old_write_t *payload = (flashmem_old_write_t *)packet->data.asBytes;
2744
2745 if (FlashInit() == false) {
2746 reply_ng(CMD_FLASHMEM_WRITE, PM3_EIO, NULL, 0);
2747 LED_B_OFF();
2748 break;
2749 }
2750
2751 if (payload->startidx == DEFAULT_T55XX_KEYS_OFFSET_P(spi_flash_pages64k)) {
2752 Flash_CheckBusy(BUSY_TIMEOUT);
2753 Flash_WriteEnable();
2754 Flash_Erase4k(3, 0xC);
2755 } else if (payload->startidx == DEFAULT_MF_KEYS_OFFSET_P(spi_flash_pages64k)) {
2756 Flash_CheckBusy(BUSY_TIMEOUT);
2757 Flash_WriteEnable();
2758 Flash_Erase4k(3, 0x8);
2759 Flash_CheckBusy(BUSY_TIMEOUT);
2760 Flash_WriteEnable();
2761 Flash_Erase4k(3, 0x9);
2762 Flash_CheckBusy(BUSY_TIMEOUT);
2763 Flash_WriteEnable();
2764 Flash_Erase4k(3, 0xA);
2765 } else if (payload->startidx == DEFAULT_ICLASS_KEYS_OFFSET_P(spi_flash_pages64k)) {
2766 Flash_CheckBusy(BUSY_TIMEOUT);
2767 Flash_WriteEnable();
2768 Flash_Erase4k(3, 0xB);
2769 } else if (payload->startidx == FLASH_MEM_SIGNATURE_OFFSET_P(spi_flash_pages64k)) {
2770 Flash_CheckBusy(BUSY_TIMEOUT);
2771 Flash_WriteEnable();
2772 Flash_Erase4k(3, 0xF);
2773 }
2774
2775 uint16_t res = Flash_Write(payload->startidx, payload->data, payload->len);
2776
2777 reply_ng(CMD_FLASHMEM_WRITE, (res == payload->len) ? PM3_SUCCESS : PM3_ESOFT, NULL, 0);
2778 LED_B_OFF();
2779 break;
2780 }
2781 case CMD_FLASHMEM_WIPE: {
2782 LED_B_ON();
2783 uint8_t page = packet->oldarg[0];
2784 uint8_t initialwipe = packet->oldarg[1];
2785 bool isok = false;
2786 if (initialwipe) {
2787 isok = Flash_WipeMemory();
2788 reply_mix(CMD_ACK, isok, 0, 0, 0, 0);
2789 LED_B_OFF();
2790 break;
2791 }
2792 if (page < spi_flash_pages64k - 1) {
2793 isok = Flash_WipeMemoryPage(page);
2794 // let spiffs check and update its info post flash erase
2795 rdv40_spiffs_check();
2796 }
2797
2798 reply_mix(CMD_ACK, isok, 0, 0, 0, 0);
2799 LED_B_OFF();
2800 break;
2801 }
2802 case CMD_FLASHMEM_DOWNLOAD: {
2803
2804 LED_B_ON();
2805 uint8_t *mem = BigBuf_malloc(PM3_CMD_DATA_SIZE);
2806 uint32_t startidx = packet->oldarg[0];
2807 uint32_t numofbytes = packet->oldarg[1];
2808 // arg0 = startindex
2809 // arg1 = length bytes to transfer
2810 // arg2 = RFU
2811
2812 if (FlashInit() == false) {
2813 break;
2814 }
2815
2816 for (size_t i = 0; i < numofbytes; i += PM3_CMD_DATA_SIZE) {
2817 size_t len = MIN((numofbytes - i), PM3_CMD_DATA_SIZE);
2818 Flash_CheckBusy(BUSY_TIMEOUT);
2819 bool isok = Flash_ReadDataCont(startidx + i, mem, len);
2820 if (isok == false)
2821 Dbprintf("reading flash memory failed :: | bytes between %d - %d", i, len);
2822
2823 isok = reply_old(CMD_FLASHMEM_DOWNLOADED, i, len, 0, mem, len);
2824 if (isok != 0)
2825 Dbprintf("transfer to client failed :: | bytes between %d - %d", i, len);
2826 }
2827 FlashStop();
2828
2829 reply_mix(CMD_ACK, 1, 0, 0, 0, 0);
2830 BigBuf_free();
2831 LED_B_OFF();
2832 break;
2833 }
2834 case CMD_FLASHMEM_INFO: {
2835
2836 LED_B_ON();
2837 rdv40_validation_t *info = (rdv40_validation_t *)BigBuf_malloc(sizeof(rdv40_validation_t));
2838
2839 bool isok = Flash_ReadData(FLASH_MEM_SIGNATURE_OFFSET_P(spi_flash_pages64k), info->signature, FLASH_MEM_SIGNATURE_LEN);
2840
2841 if (FlashInit()) {
2842 Flash_UniqueID(info->flashid);
2843 FlashStop();
2844 }
2845 reply_mix(CMD_ACK, isok, 0, 0, info, sizeof(rdv40_validation_t));
2846 BigBuf_free();
2847
2848 LED_B_OFF();
2849 break;
2850 }
2851 case CMD_FLASHMEM_PAGES64K: {
2852
2853 LED_B_ON();
2854
2855 bool isok = false;
2856 if (FlashInit()) {
2857 isok = true;
2858 if (g_dbglevel >= DBG_DEBUG) {
2859 Dbprintf(" CMD_FLASHMEM_PAGE64K 0x%02x (%d 64k pages)", spi_flash_pages64k, spi_flash_pages64k);
2860 }
2861 FlashStop();
2862 }
2863 reply_mix(CMD_ACK, isok, 0, 0, &spi_flash_pages64k, sizeof(uint8_t));
2864
2865 LED_B_OFF();
2866 break;
2867 }
2868 #endif
2869 #ifdef WITH_LF
2870 case CMD_LF_SET_DIVISOR: {
2871 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
2872 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, packet->data.asBytes[0]);
2873 break;
2874 }
2875 #endif
2876 case CMD_SET_ADC_MUX: {
2877 switch (packet->data.asBytes[0]) {
2878 case 0:
2879 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
2880 break;
2881 case 2:
2882 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
2883 break;
2884 #ifndef WITH_FPC_USART
2885 case 1:
2886 SetAdcMuxFor(GPIO_MUXSEL_LORAW);
2887 break;
2888 case 3:
2889 SetAdcMuxFor(GPIO_MUXSEL_HIRAW);
2890 break;
2891 #endif
2892 }
2893 break;
2894 }
2895 case CMD_VERSION: {
2896 SendVersion();
2897 break;
2898 }
2899 case CMD_STATUS: {
2900 if (packet->length == 4)
2901 SendStatus(packet->data.asDwords[0]);
2902 else
2903 SendStatus(CONN_SPEED_TEST_MIN_TIME_DEFAULT);
2904 break;
2905 }
2906 case CMD_TIA: {
2907
2908 while ((AT91C_BASE_PMC->PMC_MCFR & AT91C_CKGR_MAINRDY) == 0); // Wait for MAINF value to become available...
2909 uint16_t mainf = AT91C_BASE_PMC->PMC_MCFR & AT91C_CKGR_MAINF;
2910 Dbprintf(" Slow clock old measured value:.........%d Hz", (16 * MAINCK) / mainf);
2911 TimingIntervalAcquisition();
2912
2913 while ((AT91C_BASE_PMC->PMC_MCFR & AT91C_CKGR_MAINRDY) == 0); // Wait for MAINF value to become available...
2914 mainf = AT91C_BASE_PMC->PMC_MCFR & AT91C_CKGR_MAINF;
2915 Dbprintf(""); // first message gets lost
2916 Dbprintf(" Slow clock new measured value:.........%d Hz", (16 * MAINCK) / mainf);
2917 reply_ng(CMD_TIA, PM3_SUCCESS, NULL, 0);
2918 break;
2919 }
2920 case CMD_STANDALONE: {
2921
2922 struct p {
2923 uint8_t arg;
2924 uint8_t mlen;
2925 uint8_t mode[10];
2926 } PACKED;
2927
2928 struct p *payload = (struct p *) packet->data.asBytes;
2929
2930 uint8_t *bb = BigBuf_get_EM_addr();
2931 if (payload->mlen == 0) {
2932 bb[0] = payload->arg;
2933 } else {
2934 memcpy(bb, payload->mode, payload->mlen);
2935 }
2936
2937 RunMod();
2938 break;
2939 }
2940 case CMD_CAPABILITIES: {
2941 SendCapabilities();
2942 break;
2943 }
2944 case CMD_PING: {
2945 reply_ng(CMD_PING, PM3_SUCCESS, packet->data.asBytes, packet->length);
2946 break;
2947 }
2948 #ifdef WITH_LCD
2949 case CMD_LCD_RESET: {
2950 LCDReset();
2951 break;
2952 }
2953 case CMD_LCD: {
2954 LCDSend(packet->oldarg[0]);
2955 break;
2956 }
2957 #endif
2958 case CMD_FINISH_WRITE:
2959 case CMD_HARDWARE_RESET: {
2960 usb_disable();
2961
2962 // (iceman) why this wait?
2963 SpinDelay(1000);
2964 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
2965 // We're going to reset, and the bootrom will take control.
2966 for (;;) {}
2967 break;
2968 }
2969 case CMD_START_FLASH: {
2970 if (g_common_area.flags.bootrom_present) {
2971 g_common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
2972 }
2973 usb_disable();
2974 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
2975 // We're going to flash, and the bootrom will take control.
2976 for (;;) {}
2977 break;
2978 }
2979 case CMD_DEVICE_INFO: {
2980 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
2981 if (g_common_area.flags.bootrom_present) {
2982 dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
2983 }
2984 reply_old(CMD_DEVICE_INFO, dev_info, 0, 0, 0, 0);
2985 break;
2986 }
2987 default: {
2988 Dbprintf("%s: 0x%04x", "unknown command:", packet->cmd);
2989 break;
2990 }
2991 }
2992 }
2993
2994 void __attribute__((noreturn)) AppMain(void) {
2995
2996 SpinDelay(100);
2997 BigBuf_initialize();
2998
2999 // Add stack canary
3000 for (uint32_t *p = _stack_start; p + 0x200 < _stack_end ; ++p) {
3001 *p = 0xdeadbeef;
3002 }
3003
3004 LEDsoff();
3005
3006 // The FPGA gets its clock from us from PCK0 output, so set that up.
3007 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
3008 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
3009 AT91C_BASE_PMC->PMC_SCER |= AT91C_PMC_PCK0;
3010 // PCK0 is PLL clock / 4 = 96MHz / 4 = 24MHz
3011 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK | AT91C_PMC_PRES_CLK_4; // 4 for 24MHz pck0, 2 for 48 MHZ pck0
3012 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
3013
3014 // Reset SPI
3015 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
3016 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST; // errata says it needs twice to be correctly set.
3017
3018 // Reset SSC
3019 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
3020
3021 // Configure MUX
3022 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
3023
3024 // Load the FPGA image, which we have stored in our flash.
3025 // (the HF version by default)
3026 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
3027
3028 StartTickCount();
3029
3030 #ifdef WITH_LCD
3031 LCDInit();
3032 #endif
3033
3034 #ifdef WITH_SMARTCARD
3035 I2C_init(false);
3036 #endif
3037
3038 #ifdef WITH_FLASH
3039 if (FlashInit()) {
3040 uint64_t flash_uniqueID = 0;
3041 if (!Flash_CheckBusy(BUSY_TIMEOUT)) { // OK because firmware was built for devices with flash
3042 Flash_UniqueID((uint8_t *)(&flash_uniqueID));
3043 }
3044 FlashStop();
3045 usb_update_serial(flash_uniqueID);
3046 }
3047 #endif
3048
3049
3050 #ifdef WITH_FLASH
3051 // If flash is not present, BUSY_TIMEOUT kicks in, let's do it after USB
3052 loadT55xxConfig();
3053
3054 //
3055 // Enforce a spiffs check/garbage collection at boot so we are likely to never
3056 // fall under the 2 contigous free blocks availables
3057 // This is a time-consuming process on large flash.
3058 rdv40_spiffs_check();
3059 #endif
3060
3061 #ifdef WITH_FPC_USART
3062 usart_init(USART_BAUD_RATE, USART_PARITY);
3063 #endif
3064
3065 allow_send_wtx = true;
3066
3067 // This is made as late as possible to ensure enumeration without timeout
3068 // against device such as http://www.hobbytronics.co.uk/usb-host-board-v2
3069 // In other words, keep the interval between usb_enable() and the main loop as short as possible.
3070 // (AT91F_CDC_Enumerate() will be called in the main loop)
3071 usb_disable();
3072 usb_enable();
3073
3074 for (;;) {
3075 WDT_HIT();
3076
3077 if (*_stack_start != 0xdeadbeef) {
3078 Dbprintf("DEBUG: increase stack size, currently " _YELLOW_("%d") " bytes", (uint32_t)_stack_end - (uint32_t)_stack_start);
3079 Dbprintf("Stack overflow detected");
3080 Dbprintf("--> Unplug your device now! <--");
3081 hf_field_off();
3082 while (1);
3083 }
3084
3085 // Check if there is a packet available
3086 PacketCommandNG rx;
3087 memset(&rx.data, 0, sizeof(rx.data));
3088
3089 int ret = receive_ng(&rx);
3090 if (ret == PM3_SUCCESS) {
3091 PacketReceived(&rx);
3092 } else if (ret != PM3_ENODATA) {
3093
3094 Dbprintf("Error in frame reception: %d %s", ret, (ret == PM3_EIO) ? "PM3_EIO" : "");
3095 // TODO if error, shall we resync ?
3096 }
3097
3098 // Press button for one second to enter a possible standalone mode
3099 button_status = BUTTON_HELD(1000);
3100 if (button_status == BUTTON_HOLD) {
3101 /*
3102 * So this is the trigger to execute a standalone mod. Generic entrypoint by following the standalone/standalone.h headerfile
3103 * All standalone mod "main loop" should be the RunMod() function.
3104 */
3105 allow_send_wtx = false;
3106 RunMod();
3107 allow_send_wtx = true;
3108 }
3109 }
3110 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware