mirror of
				https://github.com/Proxmark/proxmark3.git
				synced 2025-10-25 05:27:29 +08:00 
			
		
		
		
	Merge pull request #141 from etmatrix/tosubmit
HF snoop ported by enio's repository
This commit is contained in:
		
						commit
						6e2f85c44c
					
				
					 12 changed files with 181 additions and 16 deletions
				
			
		|  | @ -16,6 +16,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac | |||
| - Added 'hw status'. This command makes the ARM print out some runtime information. (holiman)  | ||||
| - Added 'hw ping'. This command just sends a usb packets and checks if the pm3 is responsive. Can be used to abort certain operations which supports abort over usb. (holiman) | ||||
| - Added `data hex2bin` and `data bin2hex` for command line conversion between binary and hexadecimal (holiman) | ||||
| - Added 'hf snoop'. This command take digitalized signal from FPGA and put in BigBuffer. (pwpiwi + enio) | ||||
| 
 | ||||
| ### Changed | ||||
| - changed `lf config t <threshold>` to be 0 - 128 and will trigger on + or - threshold value (marshmellow)  | ||||
|  |  | |||
|  | @ -10,7 +10,7 @@ APP_INCLUDES = apps.h | |||
| 
 | ||||
| #remove one of the following defines and comment out the relevant line
 | ||||
| #in the next section to remove that particular feature from compilation
 | ||||
| APP_CFLAGS	= -DWITH_ISO14443a_StandAlone -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG  -DWITH_CRC -DON_DEVICE \
 | ||||
| APP_CFLAGS	= -DWITH_ISO14443a_StandAlone -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG  -DWITH_CRC -DON_DEVICE -DWITH_HFSNOOP \
 | ||||
| 				-fno-strict-aliasing -ffunction-sections -fdata-sections | ||||
| #-DWITH_LCD
 | ||||
| 
 | ||||
|  | @ -60,7 +60,8 @@ ARMSRC = fpgaloader.c \ | |||
| 	legic_prng.c \
 | ||||
| 	iclass.c \
 | ||||
| 	BigBuf.c \
 | ||||
| 	optimized_cipher.c | ||||
| 	optimized_cipher.c \
 | ||||
| 	hfsnoop.c | ||||
| 
 | ||||
| # Do not move this inclusion before the definition of {THUMB,ASM,ARM}SRC
 | ||||
| include ../common/Makefile.common | ||||
|  |  | |||
|  | @ -1202,6 +1202,11 @@ void UsbPacketReceived(uint8_t *packet, int len) | |||
| 			iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes); | ||||
| 			break; | ||||
| #endif | ||||
| #ifdef WITH_HFSNOOP | ||||
| 		case CMD_HF_SNIFFER: | ||||
| 			HfSnoop(c->arg[0], c->arg[1]); | ||||
| 			break; | ||||
| #endif | ||||
| 
 | ||||
| 		case CMD_BUFF_CLEAR: | ||||
| 			BigBuf_Clear(); | ||||
|  | @ -1338,7 +1343,7 @@ void  __attribute__((noreturn)) AppMain(void) | |||
| 	AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0; | ||||
| 	// PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
 | ||||
| 	AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK | | ||||
| 		AT91C_PMC_PRES_CLK_4; | ||||
| 		AT91C_PMC_PRES_CLK_4; //  4 for 24Mhz pck0, 2 for 48 MHZ pck0
 | ||||
| 	AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0; | ||||
| 
 | ||||
| 	// Reset SPI
 | ||||
|  |  | |||
|  | @ -189,5 +189,6 @@ bool cmd_receive(UsbCommand* cmd); | |||
| bool cmd_send(uint32_t cmd, uint32_t arg0, uint32_t arg1, uint32_t arg2, void* data, size_t len); | ||||
| 
 | ||||
| /// util.h
 | ||||
| void HfSnoop(int , int); | ||||
| 
 | ||||
| #endif | ||||
|  |  | |||
|  | @ -43,6 +43,7 @@ void SetAdcMuxFor(uint32_t whichGpio); | |||
| #define FPGA_MAJOR_MODE_HF_READER_RX_XCORR			(1<<5) | ||||
| #define FPGA_MAJOR_MODE_HF_SIMULATOR				(2<<5) | ||||
| #define FPGA_MAJOR_MODE_HF_ISO14443A				(3<<5) | ||||
| #define FPGA_MAJOR_MODE_HF_SNOOP				(4<<5) | ||||
| // BOTH
 | ||||
| #define FPGA_MAJOR_MODE_OFF							(7<<5) | ||||
| // Options for LF_ADC
 | ||||
|  |  | |||
							
								
								
									
										76
									
								
								armsrc/hfsnoop.c
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										76
									
								
								armsrc/hfsnoop.c
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,76 @@ | |||
| #include "proxmark3.h" | ||||
| #include "apps.h" | ||||
| #include "BigBuf.h" | ||||
| #include "util.h" | ||||
| 
 | ||||
| static void RAMFUNC optimizedSnoop(void); | ||||
| 
 | ||||
| static void RAMFUNC optimizedSnoop(void) | ||||
| { | ||||
| 	BigBuf_free(); | ||||
| 	int n = BigBuf_max_traceLen() / sizeof(uint16_t); // take all memory
 | ||||
| 
 | ||||
| 	uint16_t *dest = (uint16_t *)BigBuf_get_addr(); | ||||
| 	uint16_t *destend = dest + n; | ||||
| 
 | ||||
| 	AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16); // Setting Frame mode, 16 bits per word
 | ||||
| 	// Reading data loop
 | ||||
| 	while(dest <= destend) | ||||
| 	{ | ||||
| 		if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) | ||||
| 		{ | ||||
| 			*dest = (uint16_t)(AT91C_BASE_SSC->SSC_RHR); | ||||
| 			dest = dest + 1; | ||||
| 		} | ||||
| 	} | ||||
| 	//Resetting Frame mode (First set in fpgaloader.c)
 | ||||
| 	AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0); | ||||
| } | ||||
| 
 | ||||
| void HfSnoop(int samplesToSkip, int triggersToSkip) | ||||
| { | ||||
| 	Dbprintf("Skipping first %d sample pairs, Skipping %d triggers.\n", samplesToSkip, triggersToSkip); | ||||
| 	bool trigger_cnt; | ||||
| 	LED_D_ON(); | ||||
| 	// Select correct configs
 | ||||
| 	FpgaDownloadAndGo(FPGA_BITSTREAM_HF); | ||||
| 	// Set up the synchronous serial port
 | ||||
| 	FpgaSetupSsc(); | ||||
| 	// connect Demodulated Signal to ADC:
 | ||||
| 	SetAdcMuxFor(GPIO_MUXSEL_HIPKD); | ||||
| 	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SNOOP); | ||||
| 	SpinDelay(100); | ||||
| 
 | ||||
| 	AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16); // Setting Frame Mode For better performance on high speed data transfer.
 | ||||
| 
 | ||||
| 	trigger_cnt = 0; | ||||
| 	uint16_t r = 0; | ||||
| 	while(!BUTTON_PRESS()) { | ||||
| 		WDT_HIT(); | ||||
| 		if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { | ||||
| 			r = (uint16_t)AT91C_BASE_SSC->SSC_RHR; | ||||
| 			if (!(trigger_cnt == triggersToSkip) && ( (r >> 8) >= 240))  | ||||
| 			{ | ||||
| 				Dbprintf("Trigger kicked! Value: %d.", r >> 8); | ||||
| 				trigger_cnt++; | ||||
| 				break; | ||||
| 			}  | ||||
| 		} | ||||
| 	} | ||||
| 	if(!BUTTON_PRESS()) { | ||||
| 		Dbprintf("Trigger kicked! Value: %d, Dumping Samples Hispeed now.", r >> 8); | ||||
| 		int waitcount = samplesToSkip; // lets wait 40000 ticks of pck0
 | ||||
| 		while(waitcount != 0) { | ||||
| 			if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { | ||||
| 				waitcount--; | ||||
| 			} | ||||
| 		} | ||||
| 
 | ||||
| 		optimizedSnoop(); | ||||
| 	} | ||||
| 
 | ||||
| 	DbpString("HF Snoop end"); | ||||
| 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | ||||
| 	LED_D_OFF(); | ||||
| } | ||||
| 
 | ||||
|  | @ -576,6 +576,14 @@ int CmdHFSearch(const char *Cmd){ | |||
| 	return 0; | ||||
| } | ||||
| 
 | ||||
| int CmdHFSnoop(const char *Cmd) | ||||
| { | ||||
| 	char * pEnd; | ||||
| 	UsbCommand c = {CMD_HF_SNIFFER, {strtol(Cmd, &pEnd,0),strtol(pEnd, &pEnd,0),0}}; | ||||
| 	SendCommand(&c); | ||||
| 	return 0; | ||||
| } | ||||
| 
 | ||||
| static command_t CommandTable[] =  | ||||
| { | ||||
|   {"help",        CmdHelp,          1, "This help"}, | ||||
|  | @ -590,7 +598,8 @@ static command_t CommandTable[] = | |||
|   {"tune",        CmdHFTune,        0, "Continuously measure HF antenna tuning"}, | ||||
|   {"list",        CmdHFList,        1, "List protocol data in trace buffer"}, | ||||
|   {"search",      CmdHFSearch,      1, "Search for known HF tags [preliminary]"}, | ||||
| 	{NULL, NULL, 0, NULL} | ||||
|   {"snoop",       CmdHFSnoop,       0, "<samples to skip (10000)> <triggers to skip (1)> Generic HF Snoop"}, | ||||
|   {NULL, NULL, 0, NULL} | ||||
| }; | ||||
| 
 | ||||
| int CmdHF(const char *Cmd) | ||||
|  |  | |||
|  | @ -5,7 +5,7 @@ clean: | |||
| 	$(DELETE) *.bgn *.drc *.ncd *.ngd *_par.xrpt *-placed.* *-placed_pad.* *_usage.xml xst_hf.srp xst_lf.srp | ||||
| 	$(DELETE) *.map *.ngc *.xrpt *.pcf *.rbt *_auto_* *.bld *.mrp *.ngm *.unroutes *_summary.xml netlist.lst xst | ||||
| 
 | ||||
| fpga_hf.ngc: fpga_hf.v fpga.ucf xst_hf.scr util.v hi_simulate.v hi_read_tx.v hi_read_rx_xcorr.v hi_iso14443a.v | ||||
| fpga_hf.ngc: fpga_hf.v fpga.ucf xst_hf.scr util.v hi_simulate.v hi_read_tx.v hi_read_rx_xcorr.v hi_iso14443a.v hi_sniffer.v | ||||
| 	$(DELETE) $@ | ||||
| 	$(XILINX_TOOLS_PREFIX)xst -ifn xst_hf.scr | ||||
| 
 | ||||
|  |  | |||
							
								
								
									
										
											BIN
										
									
								
								fpga/fpga_hf.bit
									
										
									
									
									
								
							
							
						
						
									
										
											BIN
										
									
								
								fpga/fpga_hf.bit
									
										
									
									
									
								
							
										
											Binary file not shown.
										
									
								
							|  | @ -17,6 +17,7 @@ | |||
| `include "hi_read_rx_xcorr.v" | ||||
| `include "hi_simulate.v" | ||||
| `include "hi_iso14443a.v" | ||||
| `include "hi_sniffer.v" | ||||
| `include "util.v" | ||||
| 
 | ||||
| module fpga_hf( | ||||
|  | @ -122,25 +123,36 @@ hi_iso14443a hisn( | |||
| 	hi_simulate_mod_type | ||||
| ); | ||||
| 
 | ||||
| hi_sniffer he( | ||||
|        pck0, ck_1356meg, ck_1356megb, | ||||
|        he_pwr_lo, he_pwr_hi, he_pwr_oe1, he_pwr_oe2, he_pwr_oe3,       he_pwr_oe4, | ||||
|        adc_d, he_adc_clk, | ||||
|        he_ssp_frame, he_ssp_din, ssp_dout, he_ssp_clk, | ||||
|        cross_hi, cross_lo, | ||||
|        he_dbg, | ||||
|        hi_read_rx_xcorr_848, hi_read_rx_xcorr_snoop, hi_read_rx_xcorr_quarter | ||||
| ); | ||||
| 
 | ||||
| // Major modes: | ||||
| 
 | ||||
| //   000 --  HF reader, transmitting to tag; modulation depth selectable | ||||
| //   001 --  HF reader, receiving from tag, correlating as it goes; frequency selectable | ||||
| //   010 --  HF simulated tag | ||||
| //   011 --  HF ISO14443-A | ||||
| //   100 --  HF Snoop | ||||
| //   111 --  everything off | ||||
| 
 | ||||
| mux8 mux_ssp_clk		(major_mode, ssp_clk,   ht_ssp_clk,   hrxc_ssp_clk,   hs_ssp_clk,   hisn_ssp_clk,   1'b0, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_ssp_din		(major_mode, ssp_din,   ht_ssp_din,   hrxc_ssp_din,   hs_ssp_din,   hisn_ssp_din,   1'b0, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_ssp_frame		(major_mode, ssp_frame, ht_ssp_frame, hrxc_ssp_frame, hs_ssp_frame, hisn_ssp_frame, 1'b0, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_pwr_oe1		(major_mode, pwr_oe1,   ht_pwr_oe1,   hrxc_pwr_oe1,   hs_pwr_oe1,   hisn_pwr_oe1,   1'b0, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_pwr_oe2		(major_mode, pwr_oe2,   ht_pwr_oe2,   hrxc_pwr_oe2,   hs_pwr_oe2,   hisn_pwr_oe2,   1'b0, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_pwr_oe3		(major_mode, pwr_oe3,   ht_pwr_oe3,   hrxc_pwr_oe3,   hs_pwr_oe3,   hisn_pwr_oe3,   1'b0, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_pwr_oe4		(major_mode, pwr_oe4,   ht_pwr_oe4,   hrxc_pwr_oe4,   hs_pwr_oe4,   hisn_pwr_oe4,   1'b0, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_pwr_lo			(major_mode, pwr_lo,    ht_pwr_lo,    hrxc_pwr_lo,    hs_pwr_lo,    hisn_pwr_lo,    1'b0, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_pwr_hi			(major_mode, pwr_hi,    ht_pwr_hi,    hrxc_pwr_hi,    hs_pwr_hi,    hisn_pwr_hi,    1'b0, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_adc_clk		(major_mode, adc_clk,   ht_adc_clk,   hrxc_adc_clk,   hs_adc_clk,   hisn_adc_clk,   1'b0, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_dbg			(major_mode, dbg,       ht_dbg,       hrxc_dbg,       hs_dbg,       hisn_dbg,       1'b0, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_ssp_clk		(major_mode, ssp_clk,   ht_ssp_clk,   hrxc_ssp_clk,   hs_ssp_clk,   hisn_ssp_clk,   he_ssp_clk, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_ssp_din		(major_mode, ssp_din,   ht_ssp_din,   hrxc_ssp_din,   hs_ssp_din,   hisn_ssp_din,   he_ssp_din, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_ssp_frame		(major_mode, ssp_frame, ht_ssp_frame, hrxc_ssp_frame, hs_ssp_frame, hisn_ssp_frame, he_ssp_frame, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_pwr_oe1		(major_mode, pwr_oe1,   ht_pwr_oe1,   hrxc_pwr_oe1,   hs_pwr_oe1,   hisn_pwr_oe1,   he_pwr_oe1, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_pwr_oe2		(major_mode, pwr_oe2,   ht_pwr_oe2,   hrxc_pwr_oe2,   hs_pwr_oe2,   hisn_pwr_oe2,   he_pwr_oe2, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_pwr_oe3		(major_mode, pwr_oe3,   ht_pwr_oe3,   hrxc_pwr_oe3,   hs_pwr_oe3,   hisn_pwr_oe3,   he_pwr_oe3, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_pwr_oe4		(major_mode, pwr_oe4,   ht_pwr_oe4,   hrxc_pwr_oe4,   hs_pwr_oe4,   hisn_pwr_oe4,   he_pwr_oe4, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_pwr_lo			(major_mode, pwr_lo,    ht_pwr_lo,    hrxc_pwr_lo,    hs_pwr_lo,    hisn_pwr_lo,    he_pwr_lo, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_pwr_hi			(major_mode, pwr_hi,    ht_pwr_hi,    hrxc_pwr_hi,    hs_pwr_hi,    hisn_pwr_hi,    he_pwr_hi, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_adc_clk		(major_mode, adc_clk,   ht_adc_clk,   hrxc_adc_clk,   hs_adc_clk,   hisn_adc_clk,   he_adc_clk, 1'b0, 1'b0, 1'b0); | ||||
| mux8 mux_dbg			(major_mode, dbg,       ht_dbg,       hrxc_dbg,       hs_dbg,       hisn_dbg,       he_dbg, 1'b0, 1'b0, 1'b0); | ||||
| 
 | ||||
| // In all modes, let the ADC's outputs be enabled. | ||||
| assign adc_noe = 1'b0; | ||||
|  |  | |||
							
								
								
									
										57
									
								
								fpga/hi_sniffer.v
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										57
									
								
								fpga/hi_sniffer.v
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,57 @@ | |||
| module hi_sniffer( | ||||
|     pck0, ck_1356meg, ck_1356megb, | ||||
|     pwr_lo, pwr_hi, pwr_oe1, pwr_oe2, pwr_oe3, pwr_oe4, | ||||
|     adc_d, adc_clk, | ||||
|     ssp_frame, ssp_din, ssp_dout, ssp_clk, | ||||
|     cross_hi, cross_lo, | ||||
|     dbg, | ||||
|     xcorr_is_848, snoop, xcorr_quarter_freq // not used. | ||||
| ); | ||||
|     input pck0, ck_1356meg, ck_1356megb; | ||||
|     output pwr_lo, pwr_hi, pwr_oe1, pwr_oe2, pwr_oe3, pwr_oe4; | ||||
|     input [7:0] adc_d; | ||||
|     output adc_clk; | ||||
|     input ssp_dout; | ||||
|     output ssp_frame, ssp_din, ssp_clk; | ||||
|     input cross_hi, cross_lo; | ||||
|     output dbg; | ||||
|     input xcorr_is_848, snoop, xcorr_quarter_freq; // not used. | ||||
| 
 | ||||
| // We are only snooping, all off. | ||||
| assign pwr_hi  = 1'b0; | ||||
| assign pwr_lo  = 1'b0; | ||||
| assign pwr_oe1 = 1'b0; | ||||
| assign pwr_oe2 = 1'b0; | ||||
| assign pwr_oe3 = 1'b0; | ||||
| assign pwr_oe4 = 1'b0; | ||||
| 
 | ||||
| reg ssp_frame; | ||||
| reg [7:0] adc_d_out = 8'd0; | ||||
| reg [2:0] ssp_cnt = 3'd0; | ||||
| 
 | ||||
| assign adc_clk = ck_1356meg; | ||||
| assign ssp_clk = ~ck_1356meg; | ||||
| 
 | ||||
| always @(posedge ssp_clk) | ||||
| begin | ||||
|     if(ssp_cnt[2:0] == 3'd7) | ||||
|         ssp_cnt[2:0] <= 3'd0; | ||||
|     else | ||||
|         ssp_cnt <= ssp_cnt + 1; | ||||
| 
 | ||||
|     if(ssp_cnt[2:0] == 3'b000) // set frame length | ||||
|         begin | ||||
|             adc_d_out[7:0] <= adc_d; | ||||
|             ssp_frame <= 1'b1; | ||||
|         end | ||||
|     else | ||||
|         begin | ||||
|             adc_d_out[7:0] <= {1'b0, adc_d_out[7:1]}; | ||||
|             ssp_frame <= 1'b0; | ||||
|         end | ||||
| 
 | ||||
| end | ||||
| 
 | ||||
| assign ssp_din = adc_d_out[0]; | ||||
| 
 | ||||
| endmodule | ||||
|  | @ -197,6 +197,8 @@ typedef struct{ | |||
| #define CMD_MIFARE_DESFIRE_INFO                                           0x072d | ||||
| #define CMD_MIFARE_DESFIRE                                                0x072e | ||||
| 
 | ||||
| #define CMD_HF_SNIFFER                                                    0x0800 | ||||
| 
 | ||||
| #define CMD_UNKNOWN                                                       0xFFFF | ||||
| 
 | ||||
| 
 | ||||
|  |  | |||
		Loading…
	
	Add table
		
		Reference in a new issue