search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
style
[RRG-proxmark3.git] / armsrc / felica.c
blob084ca6eeebc201923db3d3d185c7f89f08342b6e
1 //-----------------------------------------------------------------------------
2 // Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
3 //
4 // This program is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, either version 3 of the License, or
7 // (at your option) any later version.
8 //
9 // This program is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
13 //
14 // See LICENSE.txt for the text of the license.
15 //-----------------------------------------------------------------------------
16 #include "felica.h"
17 #include "proxmark3_arm.h"
18 #include "BigBuf.h"
19 #include "util.h"
20 #include "protocols.h"
21 #include "crc16.h"
22 #include "fpgaloader.h"
23 #include "string.h"
24 #include "commonutil.h"
25 #include "dbprint.h"
26 #include "ticks.h"
27 #include "iso18.h"
28
29 // FeliCa timings
30 // minimum time between the start bits of consecutive transfers from reader to tag: 6800 carrier (13.56MHz) cycles
31 #ifndef FELICA_REQUEST_GUARD_TIME
32 //# define FELICA_REQUEST_GUARD_TIME (6800 / 16 + 1) // 426
33 # define FELICA_REQUEST_GUARD_TIME ((512 + 0 * 256) * 64 / 16 + 1)
34 #endif
35 // FRAME DELAY TIME 2672 carrier cycles
36 #ifndef FELICA_FRAME_DELAY_TIME
37 # define FELICA_FRAME_DELAY_TIME (2672/16 + 1) // 168
38 #endif
39 #ifndef DELAY_AIR2ARM_AS_READER
40 #define DELAY_AIR2ARM_AS_READER (3 + 16 + 8 + 8*16 + 4*16 - 8*16) // 91
41 #endif
42 #ifndef DELAY_ARM2AIR_AS_READER
43 #define DELAY_ARM2AIR_AS_READER (4*16 + 8*16 + 8 + 8 + 1) // 209
44 #endif
45 #define AddCrc(data, len) compute_crc(CRC_FELICA, (data), (len), (data)+(len)+1, (data)+(len))
46
47 static uint32_t felica_timeout;
48 static uint32_t felica_nexttransfertime;
49 static uint32_t felica_lasttime_prox2air_start;
50
51 static void iso18092_setup(uint8_t fpga_minor_mode);
52 static uint8_t felica_select_card(felica_card_select_t *card);
53 static void TransmitFor18092_AsReader(const uint8_t *frame, uint16_t len, const uint32_t *NYI_timing_NYI, uint8_t power, uint8_t highspeed);
54 static bool WaitForFelicaReply(uint16_t maxbytes);
55
56 static void iso18092_set_timeout(uint32_t timeout) {
57 felica_timeout = timeout + (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER) / (16 * 8) + 2;
58 }
59
60 static uint32_t iso18092_get_timeout(void) {
61 return felica_timeout - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER) / (16 * 8) - 2;
62 }
63
64 #ifndef FELICA_MAX_FRAME_SIZE
65 #define FELICA_MAX_FRAME_SIZE 260
66 #endif
67
68
69
70
71
72
73 //structure to hold outgoing NFC frame
74 static uint8_t frameSpace[FELICA_MAX_FRAME_SIZE + 4];
75
76 //structure to hold incoming NFC frame, used for ISO/IEC 18092-compatible frames
77 static struct {
78 enum {
79 STATE_UNSYNCD,
80 STATE_TRYING_SYNC,
81 STATE_GET_LENGTH,
82 STATE_GET_DATA,
83 STATE_GET_CRC,
84 STATE_FULL
85 } state;
86
87 uint16_t shiftReg; //for synchronization and offset calculation
88 int posCnt;
89 bool crc_ok;
90 int rem_len;
91 uint16_t len;
92 uint8_t byte_offset;
93 uint8_t *framebytes;
94 //should be enough. maxlen is 255, 254 for data, 2 for sync, 2 for crc
95 // 0,1 -> SYNC, 2 - len, 3-(len+1)->data, then crc
96 } FelicaFrame;
97
98 //b2 4d is SYNC, 45645 in 16-bit notation, 10110010 01001101 binary. Frame will not start filling until this is shifted in
99 //bit order in byte -reverse, I guess? [((bt>>0)&1),((bt>>1)&1),((bt>>2)&1),((bt>>3)&1),((bt>>4)&1),((bt>>5)&1),((bt>>6)&1),((bt>>7)&1)] -at least in the mode that I read those in
100 #ifndef SYNC_16BIT
101 # define SYNC_16BIT 0xB24D
102 #endif
103
104 static void FelicaFrameReset(void) {
105 FelicaFrame.state = STATE_UNSYNCD;
106 FelicaFrame.posCnt = 0;
107 FelicaFrame.crc_ok = false;
108 FelicaFrame.byte_offset = 0;
109 }
110 static void FelicaFrameinit(uint8_t *data) {
111 FelicaFrame.framebytes = data;
112 FelicaFrameReset();
113 }
114
115 //shift byte into frame, reversing it at the same time
116 static void shiftInByte(uint8_t bt) {
117 uint8_t j;
118 for (j = 0; j < FelicaFrame.byte_offset; j++) {
119 FelicaFrame.framebytes[FelicaFrame.posCnt] = (FelicaFrame.framebytes[FelicaFrame.posCnt] << 1) + (bt & 1);
120 bt >>= 1;
121 }
122 FelicaFrame.posCnt++;
123 FelicaFrame.rem_len--;
124 for (j = FelicaFrame.byte_offset; j < 8; j++) {
125 FelicaFrame.framebytes[FelicaFrame.posCnt] = (FelicaFrame.framebytes[FelicaFrame.posCnt] << 1) + (bt & 1);
126 bt >>= 1;
127 }
128 }
129
130 static void Process18092Byte(uint8_t bt) {
131
132 switch (FelicaFrame.state) {
133
134 case STATE_UNSYNCD: {
135 // almost any nonzero byte can be start of SYNC. SYNC should be preceded by zeros, but that is not always the case
136 if (bt > 0) {
137 FelicaFrame.shiftReg = reflect8(bt);
138 FelicaFrame.state = STATE_TRYING_SYNC;
139 }
140 break;
141 }
142
143 case STATE_TRYING_SYNC: {
144
145 if (bt == 0) {
146 // desync
147 FelicaFrame.shiftReg = bt;
148 FelicaFrame.state = STATE_UNSYNCD;
149 } else {
150
151 for (uint8_t i = 0; i < 8; i++) {
152
153 if (FelicaFrame.shiftReg == SYNC_16BIT) {
154 // SYNC done!
155 FelicaFrame.state = STATE_GET_LENGTH;
156 FelicaFrame.framebytes[0] = 0xb2;
157 FelicaFrame.framebytes[1] = 0x4d;
158 FelicaFrame.byte_offset = i;
159
160 // shift in remaining byte, slowly...
161 for (uint8_t j = i; j < 8; j++) {
162 FelicaFrame.framebytes[2] = (FelicaFrame.framebytes[2] << 1) + (bt & 1);
163 bt >>= 1;
164 }
165
166 FelicaFrame.posCnt = 2;
167 if (i == 0) {
168 break;
169 }
170 }
171 FelicaFrame.shiftReg = (FelicaFrame.shiftReg << 1) + (bt & 1);
172 bt >>= 1;
173 }
174
175 //that byte was last byte of sync
176 if (FelicaFrame.shiftReg == SYNC_16BIT) {
177 //Force SYNC on next byte
178 FelicaFrame.state = STATE_GET_LENGTH;
179 FelicaFrame.framebytes[0] = 0xb2;
180 FelicaFrame.framebytes[1] = 0x4d;
181 FelicaFrame.byte_offset = 0;
182 FelicaFrame.posCnt = 1;
183 }
184 }
185 break;
186 }
187 case STATE_GET_LENGTH: {
188 shiftInByte(bt);
189 FelicaFrame.rem_len = FelicaFrame.framebytes[2] - 1;
190 FelicaFrame.len = FelicaFrame.framebytes[2] + 4; //with crc and sync
191 FelicaFrame.state = STATE_GET_DATA;
192 break;
193 }
194 case STATE_GET_DATA: {
195 shiftInByte(bt);
196 if (FelicaFrame.rem_len <= 0) {
197 FelicaFrame.state = STATE_GET_CRC;
198 FelicaFrame.rem_len = 2;
199 }
200 break;
201 }
202 case STATE_GET_CRC: {
203 shiftInByte(bt);
204 if (FelicaFrame.rem_len <= 0) {
205 FelicaFrame.rem_len = 0;
206 // skip sync 2bytes. IF ok, residue should be 0x0000
207 FelicaFrame.crc_ok = check_crc(CRC_FELICA, FelicaFrame.framebytes + 2, FelicaFrame.len - 2);
208 FelicaFrame.state = STATE_FULL;
209 }
210 break;
211 }
212 case STATE_FULL: //ignore byte. Don't forget to clear frame to receive next one...
213 default:
214 break;
215 }
216 }
217
218 /* Perform FeliCa polling card
219 * Currently does NOT do any collision handling.
220 * It expects 0-1 cards in the device's range.
221 * return 0 if selection was successful
222 */
223 static uint8_t felica_select_card(felica_card_select_t *card) {
224
225 // POLL command
226 // 0xB2 0x4B = sync code
227 // 0x06 = len
228 // 0x00 = rfu
229 // 0xff = system code service
230 // 0xff = system code service
231 // 0x00 = request code
232 // b7 = automatic switching of data rate
233 // b6-b2 = reserved
234 // b1 = fc/32 (414kbps)
235 // b0 = fc/64 (212kbps)
236 // 0x00 = timeslot
237 // 0x09 0x21 = crc
238 static uint8_t poll[10] = {0xb2, 0x4d, 0x06, FELICA_POLL_REQ, 0xFF, 0xFF, 0x00, 0x00, 0x09, 0x21};
239
240
241 // We try 10 times, or if answer was received.
242 int len = 25;
243 do {
244 // end-of-reception response packet data, wait approx. 501μs
245 // end-of-transmission command packet data, wait approx. 197μs
246 // polling card
247 TransmitFor18092_AsReader(poll, sizeof(poll), NULL, 1, 0);
248
249 // polling card, break if success
250 if (WaitForFelicaReply(1024) && FelicaFrame.framebytes[3] == FELICA_POLL_ACK) {
251 break;
252 }
253
254 WDT_HIT();
255
256 } while (--len);
257
258 // 1. timed-out
259 if (len == 0) {
260 return 1;
261 }
262
263 // 2. wrong answer
264 if (FelicaFrame.framebytes[3] != FELICA_POLL_ACK) {
265 return 2;
266 }
267
268 // 3. wrong crc. residue is 0, hence if crc is a value it failed.
269 if (check_crc(CRC_FELICA, FelicaFrame.framebytes + 2, FelicaFrame.len - 2) == false) {
270
271 if (g_dbglevel >= DBG_DEBUG) {
272 Dbprintf("Error: CRC check failed!");
273 Dbhexdump(FelicaFrame.len - 2, FelicaFrame.framebytes + 2, 0);
274 }
275 return 3;
276 }
277
278 // copy UID
279 // idm 8
280 if (card) {
281 memcpy(card->IDm, FelicaFrame.framebytes + 4, 8);
282 memcpy(card->PMm, FelicaFrame.framebytes + 4 + 8, 8);
283 // memcpy(card->servicecode, FelicaFrame.framebytes + 4 + 8 + 8, 2);
284 memcpy(card->code, card->IDm, 2);
285 memcpy(card->uid, card->IDm + 2, 6);
286 memcpy(card->iccode, card->PMm, 2);
287 memcpy(card->mrt, card->PMm + 2, 6);
288 if (g_dbglevel >= DBG_DEBUG) {
289 Dbprintf("Received Frame: ");
290 Dbhexdump(FelicaFrame.len, FelicaFrame.framebytes, 0);
291 }
292 }
293 // 0. OK
294 return 0;
295 }
296
297 // poll-0: 0xb2,0x4d,0x06,0x00,0xff,0xff,0x00,0x00,0x09,0x21,
298 // resp: 0xb2,0x4d,0x12,0x01,0x01,0x2e,0x3d,0x17,0x26,0x47,0x80,0x95,0x00,0xf1,0x00,0x00,0x00,0x01,0x43,0x00,0xb3,0x7f,
299 // poll-1 (reply with available system codes - NFC Tag3 specs, IIRC): 0xb2,0x4d,0x06,0x00,0xff,0xff,0x01,0x00,0x3a,0x10
300 // resp: 0xb2,0x4d,0x14,0x01, 0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX, 0x00,0xf1,0x00,0x00,0x00,0x01,0x43,0x00, 0x88,0xb4,0x0c,0xe2,
301 // page-req: 0xb2,0x4d,0x10,0x06, 0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX, 0x01, 0x0b,0x00, 0x01, 0x80,0x00, 0x2e,0xb3,
302 // page-req: 0x06, IDm(8), ServiceNum(1),Slist(2*num) BLocknum (1) BLockids(2-3*num)
303 // page-resp: 0xb2,0x4d,0x1d,0x07, 0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX, 0x00, 0x00, 0x01, 0x10,0x04,0x01,0x00,0x0d,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x23, 0xcb,0x6e,
304
305 // builds a readblock frame for felica lite(s). Using SERVICE: SERVICE_FELICA_LITE_READONLY
306 // Felica standard has a different file system, AFAIK,
307 // 8-byte IDm, number of blocks, blocks numbers
308 // number of blocks limited to 4 for FelicaLite(S)
309 static void BuildFliteRdblk(const uint8_t *idm, uint8_t blocknum, const uint16_t *blocks) {
310
311 if (blocknum > 4 || blocknum == 0) {
312 Dbprintf("Invalid number of blocks, %d != 4", blocknum);
313 }
314
315 uint8_t c = 0, i = 0;
316
317 // Sync bytes
318 frameSpace[c++] = 0xb2;
319 frameSpace[c++] = 0x4d;
320
321 c++; // set length later
322
323 frameSpace[c++] = FELICA_RDBLK_REQ; // command number
324
325 // card IDm, from poll
326 frameSpace[c++] = idm[0];
327 frameSpace[c++] = idm[1];
328 frameSpace[c++] = idm[2];
329 frameSpace[c++] = idm[3];
330 frameSpace[c++] = idm[4];
331 frameSpace[c++] = idm[5];
332 frameSpace[c++] = idm[6];
333 frameSpace[c++] = idm[7];
334
335 // number of services
336 frameSpace[c++] = 0x01;
337
338 // service code
339 frameSpace[c++] = (SERVICE_FELICA_LITE_READONLY >> 8);
340 frameSpace[c++] = SERVICE_FELICA_LITE_READONLY & 0xFF;
341
342 // number of blocks
343 frameSpace[c++] = blocknum;
344
345 for (i = 0; i < blocknum; i++) {
346
347 // 3-byte block
348 if (blocks[i] >= 256) {
349 frameSpace[c++] = 0x00;
350 frameSpace[c++] = (blocks[i] >> 8); // block number, little endian....
351 frameSpace[c++] = (blocks[i] & 0xff);
352 } else {
353 frameSpace[c++] = 0x80;
354 frameSpace[c++] = blocks[i];
355 }
356 }
357
358 // set length
359 frameSpace[2] = c - 2;
360 // Add CRC
361 AddCrc(frameSpace + 2, c - 2);
362 }
363
364 static void TransmitFor18092_AsReader(const uint8_t *frame, uint16_t len, const uint32_t *NYI_timing_NYI, uint8_t power, uint8_t highspeed) {
365
366 if (NYI_timing_NYI != NULL) {
367 DbpString("Error: TransmitFor18092_AsReader does not check or set parameter NYI_timing_NYI");
368 return;
369 }
370
371 uint16_t flags = FPGA_MAJOR_MODE_HF_ISO18092;
372
373 if (power) {
374 flags |= FPGA_HF_ISO18092_FLAG_READER;
375 }
376
377 if (highspeed) {
378 flags |= FPGA_HF_ISO18092_FLAG_424K;
379 }
380
381 FpgaWriteConfWord(flags);
382
383 uint32_t curr_transfer_time = ((MAX(felica_nexttransfertime, GetCountSspClk()) & 0xfffffff8) + 8);
384
385 while (GetCountSspClk() < curr_transfer_time) {};
386
387 felica_lasttime_prox2air_start = curr_transfer_time;
388
389 // preamble
390 // sending 0x00 0x00 0x00 0x00 0x00 0x00
391 uint16_t c = 0;
392 while (c < 6) {
393 // keep tx buffer in a defined state anyway.
394 if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
395 AT91C_BASE_SSC->SSC_THR = 0x00;
396 c++;
397 }
398 }
399 // sending data with sync bytes
400 c = 0;
401
402 while (c < len) {
403 // Put byte into tx holding register as soon as it is ready
404 if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
405 AT91C_BASE_SSC->SSC_THR = frame[c++];
406 }
407 }
408
409 /**/
410 while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) {};
411 AT91C_BASE_SSC->SSC_THR = 0x00; //minimum delay
412
413 while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) {};
414 AT91C_BASE_SSC->SSC_THR = 0x00; //spin
415 /**/
416
417 // log
418 LogTrace(
419 frame,
420 len,
421 (felica_lasttime_prox2air_start << 4) + DELAY_ARM2AIR_AS_READER,
422 ((felica_lasttime_prox2air_start + felica_lasttime_prox2air_start) << 4) + DELAY_ARM2AIR_AS_READER,
423 NULL,
424 true
425 );
426
427 felica_nexttransfertime = MAX(felica_nexttransfertime, felica_lasttime_prox2air_start + FELICA_REQUEST_GUARD_TIME);
428 }
429
430 // Wait for tag reply
431 // stop when button is pressed
432 // or return TRUE when command is captured
433 bool WaitForFelicaReply(uint16_t maxbytes) {
434
435 // if (g_dbglevel >= DBG_DEBUG) { Dbprintf("WaitForFelicaReply Start"); }
436
437 uint32_t c = 0;
438
439 // power, no modulation
440 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO18092 | FPGA_HF_ISO18092_FLAG_READER | FPGA_HF_ISO18092_FLAG_NOMOD);
441 FelicaFrameReset();
442
443 // clear RXRDY:
444 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
445 (void)b;
446
447 uint32_t timeout = iso18092_get_timeout();
448
449 for (;;) {
450
451 WDT_HIT();
452
453 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
454
455 b = (uint8_t)(AT91C_BASE_SSC->SSC_RHR);
456
457 Process18092Byte(b);
458
459 if (FelicaFrame.state == STATE_FULL) {
460
461 felica_nexttransfertime = MAX(
462 felica_nexttransfertime,
463 (GetCountSspClk() & 0xfffffff8) - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER) / 16 + FELICA_FRAME_DELAY_TIME);
464
465 LogTrace(
466 FelicaFrame.framebytes,
467 FelicaFrame.len,
468 ((GetCountSspClk() & 0xfffffff8) << 4) - DELAY_AIR2ARM_AS_READER - timeout,
469 ((GetCountSspClk() & 0xfffffff8) << 4) - DELAY_AIR2ARM_AS_READER,
470 NULL,
471 false
472 );
473 return true;
474
475 } else if (c++ > timeout && (FelicaFrame.state == STATE_UNSYNCD || FelicaFrame.state == STATE_TRYING_SYNC)) {
476
477 // if (g_dbglevel >= DBG_DEBUG) Dbprintf("Error: Timeout! STATE_UNSYNCD");
478
479 return false;
480 }
481 }
482 }
483 }
484
485 // Set up FeliCa communication (similar to iso14443a_setup)
486 // field is setup for "Sending as Reader"
487 static void iso18092_setup(uint8_t fpga_minor_mode) {
488
489 LEDsoff();
490 #if defined XC3
491 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
492 #else
493 FpgaDownloadAndGo(FPGA_BITSTREAM_HF_FELICA);
494 #endif
495 // allocate command receive buffer
496 BigBuf_free();
497 BigBuf_Clear_ext(false);
498
499 // Initialize Demod and Uart structs
500 // DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
501 FelicaFrameinit(BigBuf_calloc(FELICA_MAX_FRAME_SIZE));
502
503 felica_nexttransfertime = 2 * DELAY_ARM2AIR_AS_READER; // 418
504 // iso18092_set_timeout(2120); // 106 * 20ms maximum start-up time of card
505 iso18092_set_timeout(1060); // 106 * 10ms maximum start-up time of card
506
507 init_table(CRC_FELICA);
508
509 // connect Demodulated Signal to ADC:
510 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
511
512 // Set up the synchronous serial port
513 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_ISO18092);
514
515 // LSB transfer. Remember to set it back to MSB with
516 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
517
518 // Signal field is on with the appropriate LED
519 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO18092 | fpga_minor_mode);
520
521 //20.4 ms generate field, start sending polling command afterwars.
522 SpinDelay(100);
523
524 // Start the timer
525 StartCountSspClk();
526
527 LED_D_ON();
528 }
529
530 static void felica_reset_frame_mode(void) {
531 switch_off();
532 //Resetting Frame mode (First set in fpgaloader.c)
533 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
534 }
535
536
537 //-----------------------------------------------------------------------------
538 // RAW FeliCa commands. Send out commands and store answers.
539 //-----------------------------------------------------------------------------
540 // arg0 FeliCa flags
541 // arg1 len of commandbytes
542 // d.asBytes command bytes to send
543 void felica_sendraw(const PacketCommandNG *c) {
544
545 felica_command_t param = c->oldarg[0];
546 size_t len = c->oldarg[1] & 0xffff;
547 uint32_t arg0;
548
549 if ((param & FELICA_CONNECT) == FELICA_CONNECT) {
550 clear_trace();
551 }
552 set_tracing(true);
553
554 iso18092_setup(FPGA_HF_ISO18092_FLAG_READER | FPGA_HF_ISO18092_FLAG_NOMOD);
555
556 if ((param & FELICA_CONNECT) == FELICA_CONNECT) {
557
558 // notify client selecting status.
559 // if failed selecting, turn off antenna and quite.
560 if ((param & FELICA_NO_SELECT) != FELICA_NO_SELECT) {
561
562 felica_card_select_t card;
563 arg0 = felica_select_card(&card);
564 reply_mix(CMD_ACK, arg0, sizeof(card.uid), 0, &card, sizeof(felica_card_select_t));
565 if (arg0) {
566 felica_reset_frame_mode();
567 return;
568 }
569 }
570
571 }
572
573 if ((param & FELICA_RAW) == FELICA_RAW) {
574
575 // 2 sync, 1 len, 2crc == 5
576 uint8_t *buf = BigBuf_calloc(len + 5);
577 // add sync bits
578 buf[0] = 0xb2;
579 buf[1] = 0x4d;
580 buf[2] = len;
581
582 // copy command
583 memcpy(buf + 2, c->data.asBytes, len);
584
585 if ((param & FELICA_APPEND_CRC) == FELICA_APPEND_CRC) {
586 // Don't append crc on empty bytearray...
587 if (len > 0) {
588 AddCrc(buf + 2, len);
589 }
590 }
591
592 if (g_dbglevel >= DBG_DEBUG) {
593 Dbprintf("Transmit Frame (no CRC shown):");
594 Dbhexdump(len, buf, 0);
595 Dbprintf("Buffer Length: %i", buf[2] + 4);
596 };
597
598 TransmitFor18092_AsReader(buf, buf[2] + 4, NULL, 1, 0);
599 arg0 = WaitForFelicaReply(1024);
600
601 if (g_dbglevel >= DBG_DEBUG) {
602 Dbprintf("Received Frame Code: %d", arg0);
603 Dbhexdump(FelicaFrame.len, FelicaFrame.framebytes, 0);
604 };
605
606 uint32_t result = reply_mix(CMD_ACK, FelicaFrame.len, arg0, 0, FelicaFrame.framebytes, FelicaFrame.len);
607 if (result) {
608 Dbprintf("Reply to Client Error Code: %i", result);
609 }
610 }
611
612 if ((param & FELICA_NO_DISCONNECT) == FELICA_NO_DISCONNECT) {
613 return;
614 }
615
616 felica_reset_frame_mode();
617 return;
618 }
619
620 void felica_sniff(uint32_t samplesToSkip, uint32_t triggersToSkip) {
621
622 clear_trace();
623 set_tracing(true);
624 iso18092_setup(FPGA_HF_ISO18092_FLAG_NOMOD);
625
626 LED_D_ON();
627
628 int retval = PM3_SUCCESS;
629 int remFrames = (samplesToSkip) ? samplesToSkip : 0;
630 int trigger_cnt = 0;
631 uint32_t timeout = iso18092_get_timeout();
632 bool isReaderFrame;
633
634 uint8_t flip = 0;
635 uint16_t checker = 0;
636 for (;;) {
637
638 WDT_HIT();
639
640 // since simulation is a tight time critical loop,
641 // we only check for user request to end at iteration 3000, 9000.
642 if (flip == 3) {
643 if (data_available()) {
644 retval = PM3_EOPABORTED;
645 break;
646 }
647 flip = 0;
648 }
649
650 if (checker >= 3000) {
651
652 if (BUTTON_PRESS()) {
653 retval = PM3_EOPABORTED;
654 break;
655 }
656 flip++;
657 checker = 0;
658 }
659 ++checker;
660
661 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
662
663 uint8_t dist = (uint8_t)(AT91C_BASE_SSC->SSC_RHR);
664 Process18092Byte(dist);
665
666 if ((dist >= 178) && (++trigger_cnt > triggersToSkip)) {
667 Dbprintf("triggers To skip kicked %d", dist);
668 break;
669 }
670 if (FelicaFrame.state == STATE_FULL) {
671 if ((FelicaFrame.framebytes[3] % 2) == 0) {
672 isReaderFrame = true; // All Reader Frames are even and all Tag frames are odd
673 } else {
674 isReaderFrame = false;
675 }
676 remFrames--;
677 if (remFrames <= 0) {
678 Dbprintf("Stop Sniffing - samples To skip reached!");
679 break;
680 }
681 LogTrace(FelicaFrame.framebytes,
682 FelicaFrame.len,
683 ((GetCountSspClk() & 0xfffffff8) << 4) - DELAY_AIR2ARM_AS_READER - timeout,
684 ((GetCountSspClk() & 0xfffffff8) << 4) - DELAY_AIR2ARM_AS_READER,
685 NULL,
686 isReaderFrame
687 );
688 FelicaFrameReset();
689 }
690 }
691 }
692 switch_off();
693 //reset framing
694 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
695
696 Dbprintf("Felica sniffing done, tracelen: %i", BigBuf_get_traceLen());
697 reply_ng(CMD_HF_FELICA_SNIFF, retval, NULL, 0);
698 LED_D_OFF();
699 }
700
701 #define R_POLL0_LEN 0x16
702 #define R_POLL1_LEN 0x18
703 #define R_READBLK_LEN 0x21
704 //simulate NFC Tag3 card - for now only poll response works
705 // second half (4 bytes) of NDEF2 goes into nfcid2_0, first into nfcid2_1
706 void felica_sim_lite(const uint8_t *uid) {
707
708 // prepare our 3 responses...
709 uint8_t resp_poll0[R_POLL0_LEN] = { 0xb2, 0x4d, 0x12, FELICA_POLL_ACK, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf1, 0x00, 0x00, 0x00, 0x01, 0x43, 0x00, 0xb3, 0x7f};
710 uint8_t resp_poll1[R_POLL1_LEN] = { 0xb2, 0x4d, 0x14, FELICA_POLL_ACK, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf1, 0x00, 0x00, 0x00, 0x01, 0x43, 0x00, 0x88, 0xb4, 0xb3, 0x7f};
711 uint8_t resp_readblk[R_READBLK_LEN] = { 0xb2, 0x4d, 0x1d, FELICA_RDBLK_ACK, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x04, 0x01, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x23, 0xcb, 0x6e};
712
713 // NFC tag 3/ ISo technically. Many overlapping standards
714 DbpString("Felica Lite-S simulation start");
715 Dbprintf("NDEF2 UID: %02x %02x %02x %02x %02x %02x %02x %02x",
716 uid[0], uid[1], uid[2], uid[3], uid[4], uid[5], uid[6], uid[7]
717 );
718
719 // fill in blanks
720 for (uint8_t i = 0; i < 8; i++) {
721 resp_poll0[i + 4] = uid[i];
722 resp_poll1[i + 4] = uid[i];
723 resp_readblk[i + 4] = uid[i];
724 }
725
726 // calculate and set CRC
727 AddCrc(&resp_poll0[2], resp_poll0[2]);
728 AddCrc(&resp_poll1[2], resp_poll1[2]);
729 AddCrc(&resp_readblk[2], resp_readblk[2]);
730
731 iso18092_setup(FPGA_HF_ISO18092_FLAG_NOMOD);
732
733 int retval = PM3_SUCCESS;
734 int curlen = 0;
735 const uint8_t *curresp = NULL;
736 bool listenmode = true;
737 // uint32_t frtm = GetCountSspClk();
738
739 uint8_t flip = 0;
740 uint16_t checker = 0;
741 for (;;) {
742
743 WDT_HIT();
744
745 // since simulation is a tight time critical loop,
746 // we only check for user request to end at iteration 3000, 9000.
747 if (flip == 3) {
748 if (data_available()) {
749 retval = PM3_EOPABORTED;
750 break;
751 }
752 flip = 0;
753 }
754
755 if (checker >= 3000) {
756
757 if (BUTTON_PRESS()) {
758 retval = PM3_EOPABORTED;
759 break;
760 }
761 flip++;
762 checker = 0;
763 }
764 ++checker;
765
766 WDT_HIT();
767
768 if (listenmode) {
769 // waiting for request...
770 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
771
772 uint8_t dist = (uint8_t)(AT91C_BASE_SSC->SSC_RHR);
773 // frtm = GetCountSspClk();
774 Process18092Byte(dist);
775
776 if (FelicaFrame.state == STATE_FULL) {
777
778 if (FelicaFrame.crc_ok) {
779
780 if (FelicaFrame.framebytes[2] == 6 && FelicaFrame.framebytes[3] == 0) {
781 static uint8_t timeslot = 0;
782
783 // polling... there are two types of polling we answer to
784 if (FelicaFrame.framebytes[6] == 0) {
785 curresp = resp_poll0;
786 curlen = R_POLL0_LEN;
787 listenmode = false;
788 }
789 if (FelicaFrame.framebytes[6] == 1) {
790 curresp = resp_poll1;
791 curlen = R_POLL1_LEN;
792 listenmode = false;
793 }
794 if (timeslot > FelicaFrame.framebytes[7]) {
795 // framebytes[7] contains the maximum time slot in which we are allowed to respond (#0..#15)
796 timeslot = 0;
797 }
798 // first time slot (#0) starts after 512 * 64 / fc, slot length equals 256 * 64 / fc
799 felica_nexttransfertime = GetCountSspClk() - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER) / 16 + (512 + timeslot * 256) * 64 / 16 + 1;
800 timeslot++; // we should use a random time slot, but responding in incremental slots should do just fine for now
801 }
802
803 if (FelicaFrame.framebytes[2] > 5 && FelicaFrame.framebytes[3] == 0x06) {
804 // we should rebuild it depending on page size, but...
805 // Let's see first
806 curresp = resp_readblk;
807 curlen = R_READBLK_LEN;
808 listenmode = false;
809 }
810 // clear frame
811 FelicaFrameReset();
812 } else {
813 // frame invalid, clear it out to allow for the next one
814 FelicaFrameReset();
815 }
816 }
817 }
818 }
819
820
821 if (listenmode == false) {
822 // trying to answer... here to start answering immediately.
823 // this one is a bit finicky. Seems that being a bit late is better than earlier
824 // TransmitFor18092_AsReader(curresp, curlen, frtm+512, 0, 0);
825 TransmitFor18092_AsReader(curresp, curlen, NULL, 0, 0);
826
827 // switch back
828 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO18092 | FPGA_HF_ISO18092_FLAG_NOMOD);
829
830 FelicaFrameReset();
831 listenmode = true;
832 curlen = 0;
833 curresp = NULL;
834 }
835 }
836
837 switch_off();
838
839 // reset framing
840 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
841
842 Dbprintf("FeliCa Lite-S emulator stopped. Trace length: %d ", BigBuf_get_traceLen());
843 reply_ng(CMD_HF_FELICALITE_SIMULATE, retval, NULL, 0);
844 }
845
846 #define RES_SVC_LEN 11 + 3
847
848 void felica_dump_lite_s(void) {
849 uint8_t ndef[8];
850 uint8_t poll[10] = { 0xb2, 0x4d, 0x06, FELICA_POLL_REQ, 0xff, 0xff, 0x00, 0x00, 0x09, 0x21};
851 uint16_t liteblks[28] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x90, 0x91, 0x92, 0xa0};
852
853 // setup device.
854 iso18092_setup(FPGA_HF_ISO18092_FLAG_READER | FPGA_HF_ISO18092_FLAG_NOMOD);
855
856 uint8_t blknum;
857 bool isOK = false;
858 uint16_t cnt = 0, cntfails = 0;
859 uint8_t *dest = BigBuf_get_addr();
860
861 while ((BUTTON_PRESS() == false) && (data_available() == false)) {
862 WDT_HIT();
863 // polling?
864 //TransmitFor18092_AsReader(poll, 10, GetCountSspClk()+512, 1, 0);
865 TransmitFor18092_AsReader(poll, 10, NULL, 1, 0);
866
867 if (WaitForFelicaReply(512) && FelicaFrame.framebytes[3] == FELICA_POLL_ACK) {
868 // copy 8bytes to ndef.
869 memcpy(ndef, FelicaFrame.framebytes + 4, 8);
870 // for (c=0; c < 8; c++)
871 // ndef[c] = FelicaFrame.framebytes[c+4];
872
873 for (blknum = 0; blknum < ARRAYLEN(liteblks);) {
874 // block to read.
875 BuildFliteRdblk(ndef, 1, &liteblks[blknum]);
876
877 //TransmitFor18092_AsReader(frameSpace, frameSpace[2]+4, GetCountSspClk()+512, 1, 0);
878
879 TransmitFor18092_AsReader(frameSpace, frameSpace[2] + 4, NULL, 1, 0);
880 // read block
881 if (WaitForFelicaReply(1024) && FelicaFrame.framebytes[3] == FELICA_RDBLK_ACK) {
882
883 dest[cnt++] = liteblks[blknum];
884
885 const uint8_t *fb = FelicaFrame.framebytes;
886 dest[cnt++] = fb[12];
887 dest[cnt++] = fb[13];
888
889 //memcpy(dest+cnt, FelicaFrame.framebytes + 15, 16);
890 //cnt += 16;
891 for (uint8_t j = 0; j < 16; j++) {
892 dest[cnt++] = fb[15 + j];
893 }
894
895 blknum++;
896 cntfails = 0;
897
898 // // print raw log.
899 // Dbprintf("LEN %u | Dump bytes count %u ", FelicaFrame.len, cnt);
900 // Dbhexdump(FelicaFrame.len, FelicaFrame.framebytes + 15, 0);
901 } else {
902 cntfails++;
903 if (cntfails > 12) {
904 blknum++;
905 cntfails = 0;
906 }
907 }
908 }
909
910 isOK = true;
911 break;
912 }
913 }
914 switch_off();
915
916 // Resetting Frame mode (First set in fpgaloader.c)
917 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
918
919 // setting tracelen - important! it was set by buffer overflow before
920 // iceman: is this still needed?!?
921 set_tracelen(cnt);
922 reply_mix(CMD_ACK, isOK, cnt, 0, 0, 0);
923 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware