#include "proxmark3.h"
#include "apps.h"
#include "BigBuf.h"
#include "util.h"
#include "usb_cdc.h" // for usb_poll_validate_length
#include "protocols.h"
#include "crc16.h" // crc16 ccitt
// FeliCa timings
// minimum time between the start bits of consecutive transfers from reader to tag: 6800 carrier (13.56Mhz) cycles
#ifndef FELICA_REQUEST_GUARD_TIME
# define FELICA_REQUEST_GUARD_TIME (6800/16 + 1)
#endif
// FRAME DELAY TIME 2672 carrier cycles
#ifndef FELICA_FRAME_DELAY_TIME
# define FELICA_FRAME_DELAY_TIME (2672/16 + 1)
#endif
#ifndef DELAY_AIR2ARM_AS_READER
#define DELAY_AIR2ARM_AS_READER (3 + 16 + 8 + 8*16 + 4*16 - 8*16)
#endif
#ifndef DELAY_ARM2AIR_AS_READER
#define DELAY_ARM2AIR_AS_READER (4*16 + 8*16 + 8 + 8 + 1)
#endif
// CRC skips two first sync bits in data buffer
#define AddCrc(data, len) compute_crc(CRC_FELICA, (data)+2, (len),(data)+(len)+2, (data)+(len)+3)
static uint32_t felica_timeout;
static uint32_t felica_nexttransfertime;
static uint32_t felica_lasttime_prox2air_start;
static void felica_setup(uint8_t fpga_minor_mode);
static uint8_t felica_select_card(felica_card_select_t *card);
static void TransmitFor18092_AsReader(uint8_t * frame, int len, uint32_t *timing, uint8_t power, uint8_t highspeed);
bool WaitForFelicaReply(uint16_t maxbytes);
void felica_set_timeout(uint32_t timeout) {
felica_timeout = timeout + (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/(16*8) + 2;
}
uint32_t felica_get_timeout(void) {
return felica_timeout - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/(16*8) - 2;
}
//random service RW: 0x0009
//random service RO: 0x000B
#ifndef NFC_MAX_FRAME_SIZE
#define NFC_MAX_FRAME_SIZE 260
#endif
//structure to hold outgoing NFC frame
static uint8_t frameSpace[NFC_MAX_FRAME_SIZE+4];
//structure to hold incoming NFC frame, used for ISO/IEC 18092-compatible frames
static struct {
enum {
STATE_UNSYNCD,
STATE_TRYING_SYNC,
STATE_GET_LENGTH,
STATE_GET_DATA,
STATE_GET_CRC,
STATE_FULL
} state;
uint16_t shiftReg; //for synchronization and offset calculation
int posCnt;
bool crc_ok;
int rem_len;
uint16_t len;
uint8_t byte_offset;
uint8_t *framebytes;
//should be enough. maxlen is 255, 254 for data, 2 for sync, 2 for crc
// 0,1 -> SYNC, 2 - len, 3-(len+1)->data, then crc
} NFCFrame;
//b2 4d is SYNC, 45645 in 16-bit notation, 10110010 01001101 binary. Frame will not start filling until this is shifted in
//bit order in byte -reverse, I guess? [((bt>>0)&1),((bt>>1)&1),((bt>>2)&1),((bt>>3)&1),((bt>>4)&1),((bt>>5)&1),((bt>>6)&1),((bt>>7)&1)] -at least in the mode that I read those in
#ifndef SYNC_16BIT
# define SYNC_16BIT 0x4DB2
#endif
static void NFCFrameReset() {
NFCFrame.state = STATE_UNSYNCD;
NFCFrame.posCnt = 0;
NFCFrame.crc_ok = false;
NFCFrame.byte_offset = 0;
}
static void NFCInit(uint8_t *data) {
NFCFrame.framebytes = data;
NFCFrameReset();
}
//shift byte into frame, reversing it at the same time
static void shiftInByte(uint8_t bt) {
uint8_t j;
for(j=0; j < NFCFrame.byte_offset; j++) {
NFCFrame.framebytes[NFCFrame.posCnt] = ( NFCFrame.framebytes[NFCFrame.posCnt]<<1 ) + (bt & 1);
bt >>= 1;
}
NFCFrame.posCnt++;
NFCFrame.rem_len--;
for(j = NFCFrame.byte_offset; j<8; j++) {
NFCFrame.framebytes[NFCFrame.posCnt] = (NFCFrame.framebytes[NFCFrame.posCnt]<<1 ) + (bt & 1);
bt >>= 1;
}
}
static void ProcessNFCByte(uint8_t bt) {
switch (NFCFrame.state) {
case STATE_UNSYNCD: {
//almost any nonzero byte can be start of SYNC. SYNC should be preceded by zeros, but that is not alsways the case
if (bt > 0) {
NFCFrame.shiftReg = reflect8(bt);
NFCFrame.state = STATE_TRYING_SYNC;
}
break;
}
case STATE_TRYING_SYNC: {
if (bt == 0) {
//desync
NFCFrame.shiftReg = bt;
NFCFrame.state = STATE_UNSYNCD;
} else {
for (uint8_t i=0; i<8; i++) {
if (NFCFrame.shiftReg == SYNC_16BIT) {
//SYNC done!
NFCFrame.state = STATE_GET_LENGTH;
NFCFrame.framebytes[0] = 0xb2;
NFCFrame.framebytes[1] = 0x4d; //write SYNC
NFCFrame.byte_offset = i;
//shift in remaining byte, slowly...
for(uint8_t j=i; j<8; j++) {
NFCFrame.framebytes[2] = (NFCFrame.framebytes[2] << 1) + (bt & 1);
bt >>= 1;
}
NFCFrame.posCnt = 2;
if (i==0)
break;
}
NFCFrame.shiftReg = (NFCFrame.shiftReg << 1) + (bt & 1);
bt >>= 1;
}
//that byte was last byte of sync
if (NFCFrame.shiftReg == SYNC_16BIT) {
//Force SYNC on next byte
NFCFrame.state = STATE_GET_LENGTH;
NFCFrame.framebytes[0] = 0xb2;
NFCFrame.framebytes[1] = 0x4d;
NFCFrame.byte_offset = 0;
NFCFrame.posCnt = 1;
}
}
break;
}
case STATE_GET_LENGTH: {
shiftInByte(bt);
NFCFrame.rem_len = NFCFrame.framebytes[2] - 1;
NFCFrame.len = NFCFrame.framebytes[2] + 4; //with crc and sync
NFCFrame.state = STATE_GET_DATA;
break;
}
case STATE_GET_DATA: {
shiftInByte(bt);
if (NFCFrame.rem_len <= 0) {
NFCFrame.state = STATE_GET_CRC;
NFCFrame.rem_len = 2;
}
break;
}
case STATE_GET_CRC: {
shiftInByte(bt);
if ( NFCFrame.rem_len <= 0 ) {
// skip sync 2bytes. IF ok, residue should be 0x0000
NFCFrame.crc_ok = check_crc(CRC_FELICA, NFCFrame.framebytes+2, NFCFrame.len-2);
NFCFrame.state = STATE_FULL;
NFCFrame.rem_len = 0;
if (MF_DBGLEVEL > 3) Dbprintf("[+] got 2 crc bytes [%s]", (NFCFrame.crc_ok) ? "OK" : "No" );
}
break;
}
case STATE_FULL: //ignore byte. Don't forget to clear frame to receive next one...
default:
break;
}
}
/* Perform FeliCa polling card
* Currently does NOT do any collision handling.
* It expects 0-1 cards in the device's range.
*/
static uint8_t felica_select_card(felica_card_select_t *card) {
// POLL command
// 0xB2 0x4B = sync code
// 0x06 = len
// 0x00 = rfu
// 0xff = system service
// 0xff = system service
// 0x00 =
// b7 = automatic switching of data rate
// b6-b2 = reserved
// b1 = fc/32 (414kbps)
// b0 = fc/64 (212kbps)
// 0x00 = timeslot
// 0x09 0x21 = crc
static uint8_t poll[10] = {0xb2,0x4d,0x06,0x00,0xFF,0xFF,0x00,0x00,0x09,0x21};
int len = 20;
// We try 20 times, or if answer was received.
do {
// end-of-reception response packet data, wait approx. 501μs
// end-of-transmission command packet data, wait approx. 197μs
// polling card
TransmitFor18092_AsReader(poll, sizeof(poll), NULL, 1, 0);
// polling card, break if success
if (WaitForFelicaReply(512) && NFCFrame.framebytes[3] == FELICA_POLL_ACK)
break;
WDT_HIT();
} while (--len);
// timed-out
if ( len == 0 )
return 1;
// wrong answer
if (NFCFrame.framebytes[3] != FELICA_POLL_ACK)
return 2;
// VALIDATE CRC residue is 0, hence if crc is a value it failed.
if (!check_crc(CRC_FELICA, NFCFrame.framebytes+2, NFCFrame.len-2))
return 3;
// copy UID
// idm 8
if (card) {
memcpy(card->IDm, NFCFrame.framebytes + 4, 8);
memcpy(card->PMm, NFCFrame.framebytes + 4 + 8, 8);
//memcpy(card->servicecode, NFCFrame.framebytes + 4 + 8 + 8, 2);
memcpy(card->code, card->IDm, 2);
memcpy(card->uid, card->IDm + 2, 6);
memcpy(card->iccode, card->PMm, 2);
memcpy(card->mrt, card->PMm+2, 6);
}
// more status bytes?
return 0;
}
// poll-0: 0xb2,0x4d,0x06,0x00,0xff,0xff,0x00,0x00,0x09,0x21,
// resp: 0xb2,0x4d,0x12,0x01,0x01,0x2e,0x3d,0x17,0x26,0x47,0x80,0x95,0x00,0xf1,0x00,0x00,0x00,0x01,0x43,0x00,0xb3,0x7f,
// poll-1 (reply with available system codes - NFC Tag3 specs, IIRC): 0xb2,0x4d,0x06,0x00,0xff,0xff,0x01,0x00,0x3a,0x10
// resp: 0xb2,0x4d,0x14,0x01, 0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX, 0x00,0xf1,0x00,0x00,0x00,0x01,0x43,0x00, 0x88,0xb4,0x0c,0xe2,
// page-req: 0xb2,0x4d,0x10,0x06, 0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX, 0x01, 0x0b,0x00, 0x01, 0x80,0x00, 0x2e,0xb3,
// page-req: 0x06, IDm(8), ServiceNum(1),Slist(2*num) BLocknum (1) BLockids(2-3*num)
// page-resp: 0xb2,0x4d,0x1d,0x07, 0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX, 0x00, 0x00, 0x01, 0x10,0x04,0x01,0x00,0x0d,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x23, 0xcb,0x6e,
// builds a readblock frame for felica lite(s). Using SERVICE: SERVICE_FELICA_LITE_READONLY
// Felica standard has a different file system, AFAIK,
// 8-byte IDm, number of blocks, blocks numbers
// number of blocks limited to 4 for FelicaLite(S)
static void BuildFliteRdblk(uint8_t* idm, int blocknum, uint16_t *blocks ) {
if (blocknum > 4 || blocknum <= 0)
Dbprintf("Invalid number of blocks, %d. Up to 4 are allowed.", blocknum);
uint8_t c = 0, i = 0;
frameSpace[c++] = 0xb2;
frameSpace[c++] = 0x4d;
c++; //set length later
frameSpace[c++] = FELICA_RDBLK_REQ; //command number
//card IDm, from poll
frameSpace[c++] = idm[0];
frameSpace[c++] = idm[1];
frameSpace[c++] = idm[2];
frameSpace[c++] = idm[3];
frameSpace[c++] = idm[4];
frameSpace[c++] = idm[5];
frameSpace[c++] = idm[6];
frameSpace[c++] = idm[7];
//number of services
frameSpace[c++] = 0x01;
//service code
frameSpace[c++] = (SERVICE_FELICA_LITE_READONLY >> 8);
frameSpace[c++] = SERVICE_FELICA_LITE_READONLY & 0xFF;
//number of blocks
frameSpace[c++] = blocknum;
for (i=0; i < blocknum; i++) {
//3-byte block
if (blocks[i] >= 256) {
frameSpace[c++] = 0x00;
frameSpace[c++] = (blocks[i] >> 8); //block number, little endian....
frameSpace[c++] = (blocks[i] & 0xff);
} else {
frameSpace[c++] = 0x80;
frameSpace[c++] = blocks[i];
}
}
//set length
frameSpace[2] = c-2;
AddCrc(frameSpace, c-2);
}
static void TransmitFor18092_AsReader(uint8_t * frame, int len, uint32_t *timing, uint8_t power, uint8_t highspeed) {
volatile uint16_t b;
uint8_t flags = FPGA_MAJOR_MODE_ISO18092;
if ( power )
flags |= FPGA_HF_ISO18092_FLAG_READER;
if (highspeed)
flags |= FPGA_HF_ISO18092_FLAG_424K;
FpgaWriteConfWord(flags);
uint32_t curr_transfer_time = ((MAX(felica_nexttransfertime, GetCountSspClk()) & 0xfffffff8) + 8);
while (GetCountSspClk() < curr_transfer_time) {};
felica_lasttime_prox2air_start = curr_transfer_time;
// preamble
// sending 0x00 0x00 0x00 0x00 0x00 0x00
uint16_t c = 0;
while (c < 6) {
if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
AT91C_BASE_SSC->SSC_THR = 0x00;
c++;
}
if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
b = (uint16_t)(AT91C_BASE_SSC->SSC_RHR); (void)b;
}
}
// sending sync code
// sending data
c = 0;
while (c < len) {
if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
AT91C_BASE_SSC->SSC_THR = frame[c++];
}
if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
b = (uint16_t)(AT91C_BASE_SSC->SSC_RHR); (void)b;
}
}
/**/
while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) {};
AT91C_BASE_SSC->SSC_THR = 0x00; //minimum delay
while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) {};
AT91C_BASE_SSC->SSC_THR = 0x00; //spin
/**/
// log
LogTrace(
frame,
len,
(felica_lasttime_prox2air_start<<4) + DELAY_ARM2AIR_AS_READER,
((felica_lasttime_prox2air_start + felica_lasttime_prox2air_start)<<4) + DELAY_ARM2AIR_AS_READER,
NULL,
true
);
felica_nexttransfertime = MAX(felica_nexttransfertime ,felica_lasttime_prox2air_start + FELICA_REQUEST_GUARD_TIME);
}
// Wait for tag reply
// stop when button is pressed
// or return TRUE when command is captured
bool WaitForFelicaReply(uint16_t maxbytes) {
uint32_t c = 0;
// power, no modulation
FpgaWriteConfWord(FPGA_MAJOR_MODE_ISO18092 | FPGA_HF_ISO18092_FLAG_READER | FPGA_HF_ISO18092_FLAG_NOMOD);
NFCFrameReset();
// clear RXRDY:
uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
uint32_t timeout = felica_get_timeout();
for(;;) {
WDT_HIT();
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
b = (uint8_t)(AT91C_BASE_SSC->SSC_RHR);
ProcessNFCByte(b);
if (NFCFrame.state == STATE_FULL) {
felica_nexttransfertime =
MAX(
felica_nexttransfertime,
(GetCountSspClk() & 0xfffffff8) - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/16 + FELICA_FRAME_DELAY_TIME
)
;
LogTrace(
NFCFrame.framebytes,
NFCFrame.len,
((GetCountSspClk() & 0xfffffff8)<<4) - DELAY_AIR2ARM_AS_READER - timeout,
((GetCountSspClk() & 0xfffffff8)<<4) - DELAY_AIR2ARM_AS_READER,
NULL,
false
);
return true;
} else if (c++ > timeout && NFCFrame.state == STATE_UNSYNCD) {
return false;
} else if (NFCFrame.state == STATE_GET_CRC) {
Dbprintf(" Frame: ");
Dbhexdump(16, NFCFrame.framebytes, 0);
//return false;
}
}
}
return false;
}
// Set up FeliCa communication (similar to iso14443a_setup)
// field is setup for "Sending as Reader"
static void felica_setup(uint8_t fpga_minor_mode) {
if (MF_DBGLEVEL > 3) Dbprintf("FeliCa_setup Enter");
LEDsoff();
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
// allocate command receive buffer
BigBuf_free(); BigBuf_Clear_ext(false);
// Initialize Demod and Uart structs
//DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
NFCInit(BigBuf_malloc(NFC_MAX_FRAME_SIZE));
felica_nexttransfertime = 2 * DELAY_ARM2AIR_AS_READER;
felica_set_timeout(2120); // 106 * 20ms maximum start-up time of card
// connect Demodulated Signal to ADC:
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
// Set up the synchronous serial port
FpgaSetupSsc();
// LSB transfer. Remember to set it back to MSB with
AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
init_table(CRC_FELICA);
// Signal field is on with the appropriate LED
FpgaWriteConfWord(FPGA_MAJOR_MODE_ISO18092 | fpga_minor_mode);
//20.4 ms generate field, start sending polling command afterwars.
SpinDelay(100);
// Start the timer
StartCountSspClk();
LED_D_ON();
if (MF_DBGLEVEL > 3) Dbprintf("FeliCa_setup Exit");
}
//-----------------------------------------------------------------------------
// RAW FeliCa commands. Send out commands and store answers.
//-----------------------------------------------------------------------------
// arg0 FeliCa flags
// arg1 len of commandbytes
// d.asBytes command bytes to send
void felica_sendraw(UsbCommand *c) {
if (MF_DBGLEVEL > 3) Dbprintf("FeliCa_sendraw Enter");
felica_command_t param = c->arg[0];
size_t len = c->arg[1] & 0xffff;
uint8_t *cmd = c->d.asBytes;
uint32_t arg0 = 0;
felica_card_select_t card;
if ((param & FELICA_CONNECT))
clear_trace();
set_tracing(true);
if ((param & FELICA_CONNECT)) {
felica_setup(FPGA_HF_ISO18092_FLAG_READER | FPGA_HF_ISO18092_FLAG_NOMOD);
// notify client selecting status.
// if failed selecting, turn off antenna and quite.
if( !(param & FELICA_NO_SELECT) ) {
arg0 = felica_select_card(&card);
cmd_send(CMD_ACK, arg0, sizeof(card.uid), 0, &card, sizeof(felica_card_select_t));
if ( arg0 > 0 )
goto OUT;
}
}
if ((param & FELICA_RAW)) {
// 2 sync, 1 len, 2crc == 5
uint8_t *buf = BigBuf_malloc(len+5);
// add sync bits
buf[0] = 0xb2;
buf[1] = 0x4d;
buf[2] = len;
// copy command
memcpy(buf+2, cmd, len);
if ((param & FELICA_APPEND_CRC)) {
// Don't append crc on empty bytearray...
if ( len > 0 ) {
AddCrc(buf, len);
len += 2;
}
}
TransmitFor18092_AsReader(buf, buf[2]+4, NULL, 1, 0);
arg0 = !WaitForFelicaReply(1024);
cmd_send(CMD_ACK, arg0, 0, 0, NFCFrame.framebytes+2, NFCFrame.len-2);
}
if ((param & FELICA_NO_DISCONNECT))
return;
OUT:
switch_off();
//Resetting Frame mode (First set in fpgaloader.c)
AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
if (MF_DBGLEVEL > 3) Dbprintf("FeliCa_sendraw Exit");
}
void felica_sniff(uint32_t samplesToSkip, uint32_t triggersToSkip) {
int remFrames = (samplesToSkip) ? samplesToSkip : 0;
Dbprintf("Snoop FelicaLiteS: Getting first %d frames, Skipping %d triggers.\n", samplesToSkip, triggersToSkip);
felica_setup( FPGA_HF_ISO18092_FLAG_NOMOD);
//the frame bits are slow enough.
int n = BigBuf_max_traceLen() / sizeof(uint8_t); // take all memory
int numbts = 0;
uint8_t *dest = (uint8_t *)BigBuf_get_addr();
uint8_t *destend = dest + n-2;
uint32_t endframe = GetCountSspClk();
while (dest <= destend) {
WDT_HIT();
if( BUTTON_PRESS()) break;
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
uint8_t dist = (uint8_t)(AT91C_BASE_SSC->SSC_RHR);
ProcessNFCByte(dist);
//to be sure we are in frame
if (NFCFrame.state == STATE_GET_LENGTH) {
//length is after 48 (PRE)+16 (SYNC) - 64 ticks +maybe offset? not 100%
uint16_t distance = GetCountSspClk() - endframe - 64 + (NFCFrame.byte_offset > 0 ? (8-NFCFrame.byte_offset) : 0);
*dest = distance >> 8;
dest++;
*dest = (distance & 0xff);
dest++;
}
//crc NOT checked
if (NFCFrame.state == STATE_FULL) {
endframe = GetCountSspClk();
//*dest = NFCFrame.crc_ok; //kind of wasteful
dest++;
for(int i=0; i < NFCFrame.len; i++) {
*dest = NFCFrame.framebytes[i];
dest++;
if (dest >= destend ) break;
}
remFrames--;
if (remFrames <= 0) break;
if (dest >= destend ) break;
numbts += NFCFrame.len;
NFCFrameReset();
}
}
}
switch_off();
//reset framing
AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
set_tracelen(numbts);
Dbprintf("Felica sniffing done, tracelen: %i, use hf list felica for annotations", BigBuf_get_traceLen());
cmd_send(CMD_ACK,1, numbts,0,0,0);
}
#define R_POLL0_LEN 0x16
#define R_POLL1_LEN 0x18
#define R_READBLK_LEN 0x21
//simulate NFC Tag3 card - for now only poll response works
// second half (4 bytes) of NDEF2 goes into nfcid2_0, first into nfcid2_1
void felica_sim_lite(uint64_t nfcid) {
int i, curlen = 0;
uint8_t *curresp = 0;
uint8_t ndef[8];
num_to_bytes(nfcid, 8, ndef);
//prepare our 3 responses...
uint8_t resp_poll0[R_POLL0_LEN] = { 0xb2,0x4d,0x12,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf1,0x00,0x00,0x00,0x01,0x43,0x00,0xb3,0x7f};
uint8_t resp_poll1[R_POLL1_LEN] = { 0xb2,0x4d,0x14,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf1,0x00,0x00,0x00,0x01,0x43,0x00, 0x88,0xb4,0xb3,0x7f};
uint8_t resp_readblk[R_READBLK_LEN] = { 0xb2,0x4d,0x1d,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x04,0x01,0x00,0x0d,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x23,0xcb,0x6e};
//NFC tag 3/ ISo technically. Many overlapping standards
DbpString("Felica Lite-S sim start");
Dbprintf("NDEF2 UID: %02x %02x %02x %02x %02x %02x %02x %02x",
ndef[0], ndef[1], ndef[2], ndef[3], ndef[4], ndef[5], ndef[6], ndef[7]
);
//fill in blanks
for( i=0; i<8; i++) {
resp_poll0[i+4] = ndef[i];
resp_poll1[i+4] = ndef[i];
resp_readblk[i+4] = ndef[i];
}
//calculate and set CRC
AddCrc(resp_poll0, resp_poll0[2]);
AddCrc(resp_poll1, resp_poll1[2]);
AddCrc(resp_readblk, resp_readblk[2]);
felica_setup( FPGA_HF_ISO18092_FLAG_NOMOD);
bool listenmode = true;
//uint32_t frtm = GetCountSspClk();
for(;;) {
if( BUTTON_PRESS()) break;
WDT_HIT();
if (listenmode) {
//waiting for request...
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
uint8_t dist = (uint8_t)(AT91C_BASE_SSC->SSC_RHR);
//frtm = GetCountSspClk();
ProcessNFCByte(dist);
if (NFCFrame.state == STATE_FULL) {
if (NFCFrame.crc_ok) {
if (NFCFrame.framebytes[2] == 6 && NFCFrame.framebytes[3] == 0) {
//polling... there are two types of polling we answer to
if (NFCFrame.framebytes[6] == 0) {
curresp = resp_poll0;
curlen = R_POLL0_LEN;
listenmode = false;
}
if (NFCFrame.framebytes[6] == 1) {
curresp = resp_poll1;
curlen = R_POLL1_LEN;
listenmode = true;
}
}
if (NFCFrame.framebytes[2] > 5 && NFCFrame.framebytes[3] == 0x06) {
//we should rebuild it depending on page size, but...
//Let's see first
curresp = resp_readblk;
curlen = R_READBLK_LEN;
listenmode = false;
}
//clear frame
NFCFrameReset();
} else {
//frame invalid, clear it out to allow for the next one
NFCFrameReset();
}
}
}
}
if (!listenmode) {
//trying to answer... here to start answering immediately.
//this one is a bit finicky. Seems that being a bit late is better than earlier
//TransmitFor18092_AsReader(curresp, curlen, frtm+512, 0, 0);
TransmitFor18092_AsReader(curresp, curlen, NULL, 0, 0);
//switch back
FpgaWriteConfWord(FPGA_MAJOR_MODE_ISO18092 | FPGA_HF_ISO18092_FLAG_NOMOD);
NFCFrameReset();
listenmode = true;
curlen = 0;
curresp = NULL;
}
}
switch_off();
//reset framing
AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
DbpString("Felica Lite-S sim end");
}
void felica_dump_lite_s() {
uint8_t ndef[8];
uint8_t poll[10] = { 0xb2,0x4d,0x06,0x00,0xff,0xff,0x00,0x00,0x09,0x21};
uint16_t liteblks[28] = {0x00, 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x80,0x81,0x82,0x83,0x84,0x85,0x86,0x87,0x88,0x90,0x91,0x92,0xa0};
// setup device.
felica_setup(FPGA_HF_ISO18092_FLAG_READER | FPGA_HF_ISO18092_FLAG_NOMOD);
uint8_t blknum;
bool isOK = false;
uint16_t cnt = 0, cntfails = 0;
uint8_t *dest = BigBuf_get_addr();
while (!BUTTON_PRESS() && !usb_poll_validate_length()) {
WDT_HIT();
// polling?
//TransmitFor18092_AsReader(poll, 10, GetCountSspClk()+512, 1, 0);
TransmitFor18092_AsReader(poll, 10, NULL, 1, 0);
if (WaitForFelicaReply(512) && NFCFrame.framebytes[3] == FELICA_POLL_ACK) {
// copy 8bytes to ndef.
memcpy(ndef, NFCFrame.framebytes + 4, 8);
// for (c=0; c < 8; c++)
// ndef[c] = NFCFrame.framebytes[c+4];
for (blknum=0; blknum < sizeof(liteblks); ) {
// block to read.
BuildFliteRdblk(ndef, 1, &liteblks[blknum]);
//TransmitFor18092_AsReader(frameSpace, frameSpace[2]+4, GetCountSspClk()+512, 1, 0);
TransmitFor18092_AsReader(frameSpace, frameSpace[2]+4, NULL, 1, 0);
// read block
if (WaitForFelicaReply(1024) && NFCFrame.framebytes[3] == FELICA_RDBLK_ACK) {
dest[cnt++] = liteblks[blknum];
uint8_t *fb = NFCFrame.framebytes;
dest[cnt++] = fb[12];
dest[cnt++] = fb[13];
//memcpy(dest+cnt, NFCFrame.framebytes + 15, 16);
//cnt += 16;
for(uint8_t j=0; j < 16; j++)
dest[cnt++] = fb[15+j];
blknum++;
cntfails = 0;
// // print raw log.
// Dbprintf("LEN %u | Dump bytes count %u ", NFCFrame.len, cnt);
Dbhexdump(NFCFrame.len, NFCFrame.framebytes+15, 0);
} else {
cntfails++;
if (cntfails > 12) {
blknum++;
cntfails = 0;
}
}
}
isOK = true;
break;
}
}
switch_off();
//Resetting Frame mode (First set in fpgaloader.c)
AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
//setting tracelen - important! it was set by buffer overflow before
set_tracelen(cnt);
cmd_send(CMD_ACK, isOK, cnt, 0, 0, 0);
}