From 865a7c3ad4635889fe56d52b78f437c11b70fc92 Mon Sep 17 00:00:00 2001
From: Philippe Teuwen
Date: Fri, 2 Aug 2019 00:00:37 +0200
Subject: [PATCH] Add thinfilm simulation
---
 armsrc/appmain.c | 4 ++
 armsrc/thinfilm.c | 114 +++++++++++++++++++++++++++++++++++++++++
 armsrc/thinfilm.h | 1 +
 client/cmdhfthinfilm.c | 62 +++++++++++++++++++++-
 include/pm3_cmd.h | 1 +
 5 files changed, 180 insertions(+), 2 deletions(-)
diff --git a/armsrc/appmain.c b/armsrc/appmain.c
index 4dcaac17a..b980a3456 100644
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@@ -1283,6 +1283,10 @@ static void PacketReceived(PacketCommandNG *packet) {
 ReadThinFilm();
 break;
 }
+ case CMD_SIMULATE_TAG_THINFILM: {
+ SimulateThinFilm(packet->data.asBytes, packet->length);
+ break;
+ }
 #endif
 #ifdef WITH_ICLASS
diff --git a/armsrc/thinfilm.c b/armsrc/thinfilm.c
index e730842ad..f8cf2b0da 100644
--- a/armsrc/thinfilm.c
+++ b/armsrc/thinfilm.c
@@ -36,3 +36,117 @@ void ReadThinFilm(void) {
 set_tracing(false);
 }
+#define SEC_D 0xf0
+#define SEC_E 0x0f
+#define SEC_F 0x00
+uint16_t FpgaSendQueueDelay;
+
+uint16_t ReadReaderField(void) {
+ uint16_t hf_av = AvgAdc(ADC_CHAN_HF);
+ if (((MAX_ADC_HF_VOLTAGE * hf_av) >> 10) > MAX_ADC_HF_VOLTAGE - 300)
+ hf_av = AvgAdc(ADC_CHAN_HF_RDV40);
+ return hf_av;
+}
+
+static void CodeThinfilmAsTag(const uint8_t *cmd, uint16_t len) {
+ ToSendReset();
+ for (uint16_t i = 0; i < len; i++) {
+ uint8_t b = cmd[i];
+ for (uint8_t j = 0; j < 8; j++) {
+ ToSend[++ToSendMax] = b & 0x80 ? SEC_D : SEC_E;
+ b <<= 1;
+ }
+ }
+ ToSendMax++;
+}
+
+int EmSendCmdThinfilmRaw(uint8_t *resp, uint16_t respLen) {
+ volatile uint8_t b;
+ uint16_t i = 0;
+ uint32_t ThisTransferTime;
+ // wait for the FPGA to signal fdt_indicator == 1 (the FPGA is ready to queue new data in its delay line)
+ for (uint8_t j = 0; j < 5; j++) { // allow timeout - better late than never
+ while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
+ if (AT91C_BASE_SSC->SSC_RHR) break;
+ }
+ while ((ThisTransferTime = GetCountSspClk()) & 0x00000007);
+
+
+ // Clear TXRDY:
+ AT91C_BASE_SSC->SSC_THR = SEC_F;
+
+ // send cycle
+ for (; i < respLen;) {
+ if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
+ AT91C_BASE_SSC->SSC_THR = resp[i++];
+ FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
+ }
+
+ if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
+ b = (uint16_t)(AT91C_BASE_SSC->SSC_RHR);
+ (void)b;
+ }
+ if (BUTTON_PRESS()) break;
+ }
+
+ // Ensure that the FPGA Delay Queue is empty
+ uint8_t fpga_queued_bits = FpgaSendQueueDelay >> 3;
+ for (i = 0; i <= fpga_queued_bits / 8 + 1;) {
+ if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
+ AT91C_BASE_SSC->SSC_THR = SEC_F;
+ FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
+ i++;
+ }
+ }
+
+ return 0;
+}
+
+void SimulateThinFilm(uint8_t *data, size_t len) {
+ Dbprintf("Simulate %i-bit Thinfilm tag", len * 8);
+ Dbhexdump(len, data, true);
+ int16_t status = PM3_SUCCESS;
+ CodeThinfilmAsTag(data, len);
+
+ FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+ // Set up the synchronous serial port
+ FpgaSetupSsc();
+ // connect Demodulated Signal to ADC:
+ SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
+ SpinDelay(100);
+ uint16_t hf_baseline = ReadReaderField();
+
+ // Start the timer
+ StartCountSspClk();
+
+ bool reader_detected = false;
+ LED_A_ON();
+ for (;;) {
+ WDT_HIT();
+ if (BUTTON_PRESS() || data_available()) {
+ status = PM3_EOPABORTED;
+ break;
+ }
+ uint16_t hf_av = ReadReaderField();
+ if (hf_av < hf_baseline)
+ hf_baseline = hf_av;
+ if (hf_av > hf_baseline + 10) {
+ EmSendCmdThinfilmRaw(ToSend, ToSendMax);
+ if (!reader_detected) {
+ LED_B_ON();
+ Dbprintf("Reader detected, start beaming data");
+ reader_detected = true;
+ }
+ } else {
+ if (reader_detected) {
+ LED_B_OFF();
+ Dbprintf("Reader gone, stop beaming data");
+ reader_detected = false;
+ }
+ }
+ }
+ LED_A_OFF();
+ reply_ng(CMD_SIMULATE_TAG_THINFILM, status, NULL, 0);
+}
diff --git a/armsrc/thinfilm.h b/armsrc/thinfilm.h
index cfbfd03c1..a9024338b 100644
--- a/armsrc/thinfilm.h
+++ b/armsrc/thinfilm.h
@@ -22,6 +22,7 @@ extern "C" {
 #include "iso14443a.h"
 void ReadThinFilm(void);
+void SimulateThinFilm(uint8_t *data, size_t len);
 #ifdef __cplusplus
 }
diff --git a/client/cmdhfthinfilm.c b/client/cmdhfthinfilm.c
index 3864d0562..38d7a4c85 100644
--- a/client/cmdhfthinfilm.c
+++ b/client/cmdhfthinfilm.c
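Review bot: CodeThinfilmAsTag writes `len * 8 + 1` entries through `ToSend[++ToSendMax]` with no check against the size of ToSend, and SimulateThinFilm passes it the length taken directly from the host packet (the `packet->length` argument added in appmain.c). The capacity of ToSend is not visible in this patch, but the client accepts up to 512 bytes, which expands to 4097 entries, so a long payload can presumably write past the buffer in firmware. The client-side limit does not protect the device, because any host program can send this command. I would reject oversized input at the top of SimulateThinFilm before any coding happens, e.g. `if (len == 0 || len > (TOSEND_CAPACITY - 1) / 8) { reply_ng(CMD_SIMULATE_TAG_THINFILM, PM3_EINVARG, NULL, 0); return; }`, where TOSEND_CAPACITY is a placeholder for whatever constant sizes ToSend.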
@@ -21,6 +21,17 @@ static int usage_thinfilm_info(void) {
 return PM3_SUCCESS;
 }
+static int usage_thinfilm_sim(void) {
+ PrintAndLogEx(NORMAL, "Usage: hf thinfilm sim [h] [d ]");
+ PrintAndLogEx(NORMAL, "Options:");
+ PrintAndLogEx(NORMAL, " h this help");
+ PrintAndLogEx(NORMAL, " d bytes to send, in hex");
+ PrintAndLogEx(NORMAL, " r raw, provided bytes should include CRC");
+ PrintAndLogEx(NORMAL, "");
+ PrintAndLogEx(NORMAL, "Examples:");
+ PrintAndLogEx(NORMAL, " hf thinfilm sim d B70470726f786d61726b2e636f6d");
+ return PM3_SUCCESS;
+}
 // Printing function based upon the code in libnfc
 // ref 
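Review bot: The synopsis string in usage_thinfilm_sim lists only `h` and `d`, while the options below it document `r`, so the raw flag is missing from the usage line; add `[r]` there. The help also says nothing about the payload limit that CmdHfThinFilmSim enforces (512 bytes, and effectively 510 when the CRC is appended), so a user only learns the limit by getting the usage text back. One more option line stating the maximum length would close that gap.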
@@ -143,8 +154,55 @@ int infoThinFilm(bool verbose) {
 }
 static int CmdHfThinFilmSim(const char *Cmd) {
- PrintAndLogEx(INFO, "To be implemented");
- return PM3_ENOTIMPL;
+ uint8_t cmdp = 0;
+ uint8_t data[512];
+ int datalen = 0;
+
+ bool addcrc = true;
+ bool errors = false;
+
+ while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
+ switch (tolower(param_getchar(Cmd, cmdp))) {
+ case 'h':
+ return usage_thinfilm_sim();
+ case 'd':
+ // Retrieve the data
+ param_gethex_ex(Cmd, cmdp + 1, data, &datalen);
+ datalen >>= 1;
+ cmdp += 2;
+ break;
+ case 'r':
+ addcrc = false;
+ cmdp++;
+ break;
+ default:
+ PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
+ errors = true;
+ break;
+ }
+ }
+
+ //Validations
+ if (errors || cmdp == 0 || datalen == 0 || datalen > 512) return usage_thinfilm_sim();
+ if (addcrc && datalen <= 510) {
+ uint8_t b1, b2;
+ compute_crc(CRC_14443_A, data, datalen, &b1, &b2);
+ data[datalen++] = b2;
+ data[datalen++] = b1;
+ }
+
+ clearCommandBuffer();
+ SendCommandNG(CMD_SIMULATE_TAG_THINFILM, (uint8_t *)&data, datalen);
+ PacketResponseNG resp;
+ PrintAndLogEx(SUCCESS, "press pm3-button to abort simulation");
+
+ while (!kbd_enter_pressed()) {
+ if (WaitForResponseTimeout(CMD_SIMULATE_TAG_THINFILM, &resp, 1500) == 0) continue;
+ if (resp.status != PM3_SUCCESS) break;
+ }
+
+ PrintAndLogEx(INFO, "Done");
+ return PM3_SUCCESS;
 }
 static int CmdHfThinFilmList(const char *Cmd) {
diff --git a/include/pm3_cmd.h b/include/pm3_cmd.h
index de4a622e4..33e291d8c 100644
--- a/include/pm3_cmd.h
+++ b/include/pm3_cmd.h
@@ -496,6 +496,7 @@ typedef struct {
 // For ThinFilm Kovio
 #define CMD_THINFILM_READ 0x0810
+#define CMD_SIMULATE_TAG_THINFILM 0x0811
 #define CMD_UNKNOWN 0xFFFF
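Review bot: In the `case 'd'` branch, `param_gethex_ex(Cmd, cmdp + 1, data, &datalen)` fills the 512-byte stack array `data` before `datalen > 512` is tested under `//Validations`, and its return value is ignored. The call passes no capacity, so unless param_gethex_ex bounds the write internally (its body is not part of this patch) an over-long hex argument overruns `data` before the check can reject it; an odd number of hex digits is also silently dropped by `datalen >>= 1`. Check the argument length before parsing, for example `if (param_getlength(Cmd, cmdp + 1) > 2 * (int)sizeof(data)) { errors = true; break; }`, and treat a failure return from the parser as an error. Separately, `if (addcrc && datalen <= 510)` skips the CRC without any message for 511- or 512-byte input, so the payload is sent without the CRC the user asked for; that case should take the usage-error path instead.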