//-----------------------------------------------------------------------------
// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// See LICENSE.txt for the text of the license.
//-----------------------------------------------------------------------------
#include "felica.h"
#include "proxmark3_arm.h"
#include "BigBuf.h"
#include "util.h"
#include "protocols.h"
#include "crc16.h"
#include "fpgaloader.h"
#include "string.h"
#include "commonutil.h"
#include "dbprint.h"
#include "ticks.h"
#include "iso18.h"
// FeliCa timings
// minimum time between the start bits of consecutive transfers from reader to tag: 6800 carrier (13.56MHz) cycles
#ifndef FELICA_REQUEST_GUARD_TIME
# define FELICA_REQUEST_GUARD_TIME (6800/16 + 1) // 426
#endif
// FRAME DELAY TIME 2672 carrier cycles
#ifndef FELICA_FRAME_DELAY_TIME
# define FELICA_FRAME_DELAY_TIME (2672/16 + 1) // 168
#endif
#ifndef DELAY_AIR2ARM_AS_READER
#define DELAY_AIR2ARM_AS_READER (3 + 16 + 8 + 8*16 + 4*16 - 8*16) // 91
#endif
#ifndef DELAY_ARM2AIR_AS_READER
#define DELAY_ARM2AIR_AS_READER (4*16 + 8*16 + 8 + 8 + 1) // 209
#endif
#define AddCrc(data, len) compute_crc(CRC_FELICA, (data), (len), (data)+(len)+1, (data)+(len))
static uint32_t felica_timeout;
static uint32_t felica_nexttransfertime;
static uint32_t felica_lasttime_prox2air_start;
static void iso18092_setup(uint8_t fpga_minor_mode);
static uint8_t felica_select_card(felica_card_select_t *card);
static void TransmitFor18092_AsReader(uint8_t *frame, uint16_t len, uint32_t *timing, uint8_t power, uint8_t highspeed);
static bool WaitForFelicaReply(uint16_t maxbytes);
static void iso18092_set_timeout(uint32_t timeout) {
felica_timeout = timeout + (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER) / (16 * 8) + 2;
}
static uint32_t iso18092_get_timeout(void) {
return felica_timeout - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER) / (16 * 8) - 2;
}
#ifndef FELICA_MAX_FRAME_SIZE
#define FELICA_MAX_FRAME_SIZE 260
#endif
//structure to hold outgoing NFC frame
static uint8_t frameSpace[FELICA_MAX_FRAME_SIZE + 4];
//structure to hold incoming NFC frame, used for ISO/IEC 18092-compatible frames
static struct {
enum {
STATE_UNSYNCD,
STATE_TRYING_SYNC,
STATE_GET_LENGTH,
STATE_GET_DATA,
STATE_GET_CRC,
STATE_FULL
} state;
uint16_t shiftReg; //for synchronization and offset calculation
int posCnt;
bool crc_ok;
int rem_len;
uint16_t len;
uint8_t byte_offset;
uint8_t *framebytes;
//should be enough. maxlen is 255, 254 for data, 2 for sync, 2 for crc
// 0,1 -> SYNC, 2 - len, 3-(len+1)->data, then crc
} FelicaFrame;
//b2 4d is SYNC, 45645 in 16-bit notation, 10110010 01001101 binary. Frame will not start filling until this is shifted in
//bit order in byte -reverse, I guess? [((bt>>0)&1),((bt>>1)&1),((bt>>2)&1),((bt>>3)&1),((bt>>4)&1),((bt>>5)&1),((bt>>6)&1),((bt>>7)&1)] -at least in the mode that I read those in
#ifndef SYNC_16BIT
# define SYNC_16BIT 0xB24D
#endif
static void FelicaFrameReset(void) {
FelicaFrame.state = STATE_UNSYNCD;
FelicaFrame.posCnt = 0;
FelicaFrame.crc_ok = false;
FelicaFrame.byte_offset = 0;
}
static void FelicaFrameinit(uint8_t *data) {
FelicaFrame.framebytes = data;
FelicaFrameReset();
}
//shift byte into frame, reversing it at the same time
static void shiftInByte(uint8_t bt) {
uint8_t j;
for (j = 0; j < FelicaFrame.byte_offset; j++) {
FelicaFrame.framebytes[FelicaFrame.posCnt] = (FelicaFrame.framebytes[FelicaFrame.posCnt] << 1) + (bt & 1);
bt >>= 1;
}
FelicaFrame.posCnt++;
FelicaFrame.rem_len--;
for (j = FelicaFrame.byte_offset; j < 8; j++) {
FelicaFrame.framebytes[FelicaFrame.posCnt] = (FelicaFrame.framebytes[FelicaFrame.posCnt] << 1) + (bt & 1);
bt >>= 1;
}
}
static void Process18092Byte(uint8_t bt) {
switch (FelicaFrame.state) {
case STATE_UNSYNCD: {
//almost any nonzero byte can be start of SYNC. SYNC should be preceded by zeros, but that is not always the case
if (bt > 0) {
FelicaFrame.shiftReg = reflect8(bt);
FelicaFrame.state = STATE_TRYING_SYNC;
}
break;
}
case STATE_TRYING_SYNC: {
if (bt == 0) {
//desync
FelicaFrame.shiftReg = bt;
FelicaFrame.state = STATE_UNSYNCD;
} else {
for (uint8_t i = 0; i < 8; i++) {
if (FelicaFrame.shiftReg == SYNC_16BIT) {
//SYNC done!
FelicaFrame.state = STATE_GET_LENGTH;
FelicaFrame.framebytes[0] = 0xb2;
FelicaFrame.framebytes[1] = 0x4d;
FelicaFrame.byte_offset = i;
//shift in remaining byte, slowly...
for (uint8_t j = i; j < 8; j++) {
FelicaFrame.framebytes[2] = (FelicaFrame.framebytes[2] << 1) + (bt & 1);
bt >>= 1;
}
FelicaFrame.posCnt = 2;
if (i == 0)
break;
}
FelicaFrame.shiftReg = (FelicaFrame.shiftReg << 1) + (bt & 1);
bt >>= 1;
}
//that byte was last byte of sync
if (FelicaFrame.shiftReg == SYNC_16BIT) {
//Force SYNC on next byte
FelicaFrame.state = STATE_GET_LENGTH;
FelicaFrame.framebytes[0] = 0xb2;
FelicaFrame.framebytes[1] = 0x4d;
FelicaFrame.byte_offset = 0;
FelicaFrame.posCnt = 1;
}
}
break;
}
case STATE_GET_LENGTH: {
shiftInByte(bt);
FelicaFrame.rem_len = FelicaFrame.framebytes[2] - 1;
FelicaFrame.len = FelicaFrame.framebytes[2] + 4; //with crc and sync
FelicaFrame.state = STATE_GET_DATA;
break;
}
case STATE_GET_DATA: {
shiftInByte(bt);
if (FelicaFrame.rem_len <= 0) {
FelicaFrame.state = STATE_GET_CRC;
FelicaFrame.rem_len = 2;
}
break;
}
case STATE_GET_CRC: {
shiftInByte(bt);
if (FelicaFrame.rem_len <= 0) {
FelicaFrame.rem_len = 0;
// skip sync 2bytes. IF ok, residue should be 0x0000
FelicaFrame.crc_ok = check_crc(CRC_FELICA, FelicaFrame.framebytes + 2, FelicaFrame.len - 2);
FelicaFrame.state = STATE_FULL;
}
break;
}
case STATE_FULL: //ignore byte. Don't forget to clear frame to receive next one...
default:
break;
}
}
/* Perform FeliCa polling card
* Currently does NOT do any collision handling.
* It expects 0-1 cards in the device's range.
* return 0 if selection was successful
*/
static uint8_t felica_select_card(felica_card_select_t *card) {
// POLL command
// 0xB2 0x4B = sync code
// 0x06 = len
// 0x00 = rfu
// 0xff = system code service
// 0xff = system code service
// 0x00 = request code
// b7 = automatic switching of data rate
// b6-b2 = reserved
// b1 = fc/32 (414kbps)
// b0 = fc/64 (212kbps)
// 0x00 = timeslot
// 0x09 0x21 = crc
static uint8_t poll[10] = {0xb2, 0x4d, 0x06, FELICA_POLL_REQ, 0xFF, 0xFF, 0x00, 0x00, 0x09, 0x21};
int len = 10;
// We try 10 times, or if answer was received.
do {
// end-of-reception response packet data, wait approx. 501μs
// end-of-transmission command packet data, wait approx. 197μs
// polling card
TransmitFor18092_AsReader(poll, sizeof(poll), NULL, 1, 0);
// polling card, break if success
if (WaitForFelicaReply(1024) && FelicaFrame.framebytes[3] == FELICA_POLL_ACK)
break;
WDT_HIT();
} while (--len);
// timed-out
if (len == 0) {
if (g_dbglevel >= DBG_DEBUG)
Dbprintf("Error: Time out card selection!");
return 1;
}
// wrong answer
if (FelicaFrame.framebytes[3] != FELICA_POLL_ACK) {
if (g_dbglevel >= DBG_DEBUG)
Dbprintf("Error: Wrong answer selecting card!");
return 2;
}
// VALIDATE CRC residue is 0, hence if crc is a value it failed.
if (!check_crc(CRC_FELICA, FelicaFrame.framebytes + 2, FelicaFrame.len - 2)) {
if (g_dbglevel >= DBG_DEBUG) {
Dbprintf("Error: CRC check failed!");
Dbprintf("CRC check was done on Frame: ");
Dbhexdump(FelicaFrame.len - 2, FelicaFrame.framebytes + 2, 0);
}
return 3;
}
if (g_dbglevel >= DBG_DEBUG)
Dbprintf("Card selection successful!");
// copy UID
// idm 8
if (card) {
memcpy(card->IDm, FelicaFrame.framebytes + 4, 8);
memcpy(card->PMm, FelicaFrame.framebytes + 4 + 8, 8);
//memcpy(card->servicecode, FelicaFrame.framebytes + 4 + 8 + 8, 2);
memcpy(card->code, card->IDm, 2);
memcpy(card->uid, card->IDm + 2, 6);
memcpy(card->iccode, card->PMm, 2);
memcpy(card->mrt, card->PMm + 2, 6);
if (g_dbglevel >= DBG_DEBUG) {
Dbprintf("Received Frame: ");
Dbhexdump(FelicaFrame.len, FelicaFrame.framebytes, 0);
}
}
// more status bytes?
return 0;
}
// poll-0: 0xb2,0x4d,0x06,0x00,0xff,0xff,0x00,0x00,0x09,0x21,
// resp: 0xb2,0x4d,0x12,0x01,0x01,0x2e,0x3d,0x17,0x26,0x47,0x80,0x95,0x00,0xf1,0x00,0x00,0x00,0x01,0x43,0x00,0xb3,0x7f,
// poll-1 (reply with available system codes - NFC Tag3 specs, IIRC): 0xb2,0x4d,0x06,0x00,0xff,0xff,0x01,0x00,0x3a,0x10
// resp: 0xb2,0x4d,0x14,0x01, 0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX, 0x00,0xf1,0x00,0x00,0x00,0x01,0x43,0x00, 0x88,0xb4,0x0c,0xe2,
// page-req: 0xb2,0x4d,0x10,0x06, 0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX, 0x01, 0x0b,0x00, 0x01, 0x80,0x00, 0x2e,0xb3,
// page-req: 0x06, IDm(8), ServiceNum(1),Slist(2*num) BLocknum (1) BLockids(2-3*num)
// page-resp: 0xb2,0x4d,0x1d,0x07, 0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX, 0x00, 0x00, 0x01, 0x10,0x04,0x01,0x00,0x0d,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x23, 0xcb,0x6e,
// builds a readblock frame for felica lite(s). Using SERVICE: SERVICE_FELICA_LITE_READONLY
// Felica standard has a different file system, AFAIK,
// 8-byte IDm, number of blocks, blocks numbers
// number of blocks limited to 4 for FelicaLite(S)
static void BuildFliteRdblk(const uint8_t *idm, uint8_t blocknum, const uint16_t *blocks) {
if (blocknum > 4 || blocknum <= 0)
Dbprintf("Invalid number of blocks, %d != 4", blocknum);
uint8_t c = 0, i = 0;
// Sync bytes
frameSpace[c++] = 0xb2;
frameSpace[c++] = 0x4d;
c++; //set length later
frameSpace[c++] = FELICA_RDBLK_REQ; //command number
//card IDm, from poll
frameSpace[c++] = idm[0];
frameSpace[c++] = idm[1];
frameSpace[c++] = idm[2];
frameSpace[c++] = idm[3];
frameSpace[c++] = idm[4];
frameSpace[c++] = idm[5];
frameSpace[c++] = idm[6];
frameSpace[c++] = idm[7];
//number of services
frameSpace[c++] = 0x01;
//service code
frameSpace[c++] = (SERVICE_FELICA_LITE_READONLY >> 8);
frameSpace[c++] = SERVICE_FELICA_LITE_READONLY & 0xFF;
//number of blocks
frameSpace[c++] = blocknum;
for (i = 0; i < blocknum; i++) {
//3-byte block
if (blocks[i] >= 256) {
frameSpace[c++] = 0x00;
frameSpace[c++] = (blocks[i] >> 8); //block number, little endian....
frameSpace[c++] = (blocks[i] & 0xff);
} else {
frameSpace[c++] = 0x80;
frameSpace[c++] = blocks[i];
}
}
//set length
frameSpace[2] = c - 2;
//Add CRC
AddCrc(frameSpace + 2, c - 2);
}
static void TransmitFor18092_AsReader(uint8_t *frame, uint16_t len, uint32_t *timing, uint8_t power, uint8_t highspeed) {
uint16_t flags = FPGA_MAJOR_MODE_HF_ISO18092;
if (power)
flags |= FPGA_HF_ISO18092_FLAG_READER;
if (highspeed)
flags |= FPGA_HF_ISO18092_FLAG_424K;
FpgaWriteConfWord(flags);
uint32_t curr_transfer_time = ((MAX(felica_nexttransfertime, GetCountSspClk()) & 0xfffffff8) + 8);
while (GetCountSspClk() < curr_transfer_time) {};
felica_lasttime_prox2air_start = curr_transfer_time;
// preamble
// sending 0x00 0x00 0x00 0x00 0x00 0x00
uint16_t c = 0;
while (c < 6) {
// keep tx buffer in a defined state anyway.
if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
AT91C_BASE_SSC->SSC_THR = 0x00;
c++;
}
}
// sending data with sync bytes
c = 0;
if (g_dbglevel >= DBG_DEBUG) {
Dbprintf("Sending frame:");
Dbhexdump(len, frame, 0);
}
while (c < len) {
// Put byte into tx holding register as soon as it is ready
if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
AT91C_BASE_SSC->SSC_THR = frame[c++];
}
}
/**/
while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) {};
AT91C_BASE_SSC->SSC_THR = 0x00; //minimum delay
while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) {};
AT91C_BASE_SSC->SSC_THR = 0x00; //spin
/**/
// log
LogTrace(
frame,
len,
(felica_lasttime_prox2air_start << 4) + DELAY_ARM2AIR_AS_READER,
((felica_lasttime_prox2air_start + felica_lasttime_prox2air_start) << 4) + DELAY_ARM2AIR_AS_READER,
NULL,
true
);
felica_nexttransfertime = MAX(felica_nexttransfertime, felica_lasttime_prox2air_start + FELICA_REQUEST_GUARD_TIME);
}
// Wait for tag reply
// stop when button is pressed
// or return TRUE when command is captured
bool WaitForFelicaReply(uint16_t maxbytes) {
if (g_dbglevel >= DBG_DEBUG)
Dbprintf("WaitForFelicaReply Start");
uint32_t c = 0;
// power, no modulation
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO18092 | FPGA_HF_ISO18092_FLAG_READER | FPGA_HF_ISO18092_FLAG_NOMOD);
FelicaFrameReset();
// clear RXRDY:
uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
(void)b;
uint32_t timeout = iso18092_get_timeout();
for (;;) {
WDT_HIT();
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
b = (uint8_t)(AT91C_BASE_SSC->SSC_RHR);
Process18092Byte(b);
if (FelicaFrame.state == STATE_FULL) {
felica_nexttransfertime = MAX(felica_nexttransfertime,
(GetCountSspClk() & 0xfffffff8) - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER) / 16 + FELICA_FRAME_DELAY_TIME);
LogTrace(
FelicaFrame.framebytes,
FelicaFrame.len,
((GetCountSspClk() & 0xfffffff8) << 4) - DELAY_AIR2ARM_AS_READER - timeout,
((GetCountSspClk() & 0xfffffff8) << 4) - DELAY_AIR2ARM_AS_READER,
NULL,
false
);
if (g_dbglevel >= DBG_DEBUG) Dbprintf("All bytes received! STATE_FULL");
return true;
} else if (c++ > timeout && (FelicaFrame.state == STATE_UNSYNCD || FelicaFrame.state == STATE_TRYING_SYNC)) {
if (g_dbglevel >= DBG_DEBUG) Dbprintf("Error: Timeout! STATE_UNSYNCD");
return false;
}
}
}
}
// Set up FeliCa communication (similar to iso14443a_setup)
// field is setup for "Sending as Reader"
static void iso18092_setup(uint8_t fpga_minor_mode) {
if (g_dbglevel >= DBG_DEBUG) Dbprintf("Start iso18092_setup");
LEDsoff();
#if defined XC3
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
#else
FpgaDownloadAndGo(FPGA_BITSTREAM_HF_FELICA);
#endif
// allocate command receive buffer
BigBuf_free();
BigBuf_Clear_ext(false);
// Initialize Demod and Uart structs
// DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
FelicaFrameinit(BigBuf_malloc(FELICA_MAX_FRAME_SIZE));
felica_nexttransfertime = 2 * DELAY_ARM2AIR_AS_READER;
iso18092_set_timeout(2120); // 106 * 20ms maximum start-up time of card
init_table(CRC_FELICA);
// connect Demodulated Signal to ADC:
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
// Set up the synchronous serial port
FpgaSetupSsc(FPGA_MAJOR_MODE_HF_ISO18092);
// LSB transfer. Remember to set it back to MSB with
AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
// Signal field is on with the appropriate LED
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO18092 | fpga_minor_mode);
//20.4 ms generate field, start sending polling command afterwars.
SpinDelay(100);
// Start the timer
StartCountSspClk();
LED_D_ON();
}
static void felica_reset_frame_mode(void) {
switch_off();
//Resetting Frame mode (First set in fpgaloader.c)
AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
}
//-----------------------------------------------------------------------------
// RAW FeliCa commands. Send out commands and store answers.
//-----------------------------------------------------------------------------
// arg0 FeliCa flags
// arg1 len of commandbytes
// d.asBytes command bytes to send
void felica_sendraw(PacketCommandNG *c) {
if (g_dbglevel >= DBG_DEBUG) Dbprintf("FeliCa_sendraw Enter");
felica_command_t param = c->oldarg[0];
size_t len = c->oldarg[1] & 0xffff;
uint8_t *cmd = c->data.asBytes;
uint32_t arg0;
felica_card_select_t card;
if ((param & FELICA_CONNECT))
if (g_dbglevel >= DBG_DEBUG) Dbprintf("Clear trace");
clear_trace();
set_tracing(true);
iso18092_setup(FPGA_HF_ISO18092_FLAG_READER | FPGA_HF_ISO18092_FLAG_NOMOD);
if ((param & FELICA_CONNECT)) {
// notify client selecting status.
// if failed selecting, turn off antenna and quite.
if (!(param & FELICA_NO_SELECT)) {
arg0 = felica_select_card(&card);
reply_mix(CMD_ACK, arg0, sizeof(card.uid), 0, &card, sizeof(felica_card_select_t));
if (arg0 > 0) {
if (g_dbglevel >= DBG_DEBUG) Dbprintf("Error: Failed selecting card! ");
felica_reset_frame_mode();
return;
}
}
} else {
if (g_dbglevel >= DBG_DEBUG) Dbprintf("No card selection");
}
if ((param & FELICA_RAW)) {
// 2 sync, 1 len, 2crc == 5
uint8_t *buf = BigBuf_malloc(len + 5);
// add sync bits
buf[0] = 0xb2;
buf[1] = 0x4d;
buf[2] = len;
// copy command
memcpy(buf + 2, cmd, len);
if ((param & FELICA_APPEND_CRC)) {
// Don't append crc on empty bytearray...
if (len > 0) {
AddCrc(buf + 2, len);
}
}
if (g_dbglevel >= DBG_DEBUG) {
Dbprintf("Transmit Frame (no CRC shown):");
Dbhexdump(len, buf, 0);
Dbprintf("Buffer Length: %i", buf[2] + 4);
};
TransmitFor18092_AsReader(buf, buf[2] + 4, NULL, 1, 0);
arg0 = WaitForFelicaReply(1024);
if (g_dbglevel >= DBG_DEBUG) {
Dbprintf("Received Frame Code: %d", arg0);
Dbhexdump(FelicaFrame.len, FelicaFrame.framebytes, 0);
};
uint32_t result = reply_mix(CMD_ACK, FelicaFrame.len, arg0, 0, FelicaFrame.framebytes, FelicaFrame.len);
if (result) {
Dbprintf("Reply to Client Error Code: %i", result);
}
}
if ((param & FELICA_NO_DISCONNECT)) {
Dbprintf("Disconnect");
}
if (g_dbglevel >= DBG_DEBUG)
Dbprintf("FeliCa_sendraw Exit");
felica_reset_frame_mode();
return;
}
void felica_sniff(uint32_t samplesToSkip, uint32_t triggersToSkip) {
clear_trace();
set_tracing(true);
iso18092_setup(FPGA_HF_ISO18092_FLAG_NOMOD);
LED_D_ON();
int retval = PM3_SUCCESS;
int remFrames = (samplesToSkip) ? samplesToSkip : 0;
int trigger_cnt = 0;
uint32_t timeout = iso18092_get_timeout();
bool isReaderFrame = true;
uint8_t flip = 0;
uint16_t checker = 0;
for (;;) {
WDT_HIT();
// since simulation is a tight time critical loop,
// we only check for user request to end at iteration 3000, 9000.
if (flip == 3) {
if (data_available()) {
retval = PM3_EOPABORTED;
break;
}
flip = 0;
}
if (checker >= 3000) {
if (BUTTON_PRESS()) {
retval = PM3_EOPABORTED;
break;
}
flip++;
checker = 0;
}
++checker;
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
uint8_t dist = (uint8_t)(AT91C_BASE_SSC->SSC_RHR);
Process18092Byte(dist);
if ((dist >= 178) && (++trigger_cnt > triggersToSkip)) {
Dbprintf("triggers To skip kicked %d", dist);
break;
}
if (FelicaFrame.state == STATE_FULL) {
if ((FelicaFrame.framebytes[3] % 2) == 0) {
isReaderFrame = true; // All Reader Frames are even and all Tag frames are odd
} else {
isReaderFrame = false;
}
remFrames--;
if (remFrames <= 0) {
Dbprintf("Stop Sniffing - samples To skip reached!");
break;
}
LogTrace(FelicaFrame.framebytes,
FelicaFrame.len,
((GetCountSspClk() & 0xfffffff8) << 4) - DELAY_AIR2ARM_AS_READER - timeout,
((GetCountSspClk() & 0xfffffff8) << 4) - DELAY_AIR2ARM_AS_READER,
NULL,
isReaderFrame
);
FelicaFrameReset();
}
}
}
switch_off();
//reset framing
AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
Dbprintf("Felica sniffing done, tracelen: %i", BigBuf_get_traceLen());
reply_ng(CMD_HF_FELICA_SNIFF, retval, NULL, 0);
LED_D_OFF();
}
#define R_POLL0_LEN 0x16
#define R_POLL1_LEN 0x18
#define R_READBLK_LEN 0x21
//simulate NFC Tag3 card - for now only poll response works
// second half (4 bytes) of NDEF2 goes into nfcid2_0, first into nfcid2_1
void felica_sim_lite(uint8_t *uid) {
// prepare our 3 responses...
uint8_t resp_poll0[R_POLL0_LEN] = { 0xb2, 0x4d, 0x12, FELICA_POLL_ACK, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf1, 0x00, 0x00, 0x00, 0x01, 0x43, 0x00, 0xb3, 0x7f};
uint8_t resp_poll1[R_POLL1_LEN] = { 0xb2, 0x4d, 0x14, FELICA_POLL_ACK, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf1, 0x00, 0x00, 0x00, 0x01, 0x43, 0x00, 0x88, 0xb4, 0xb3, 0x7f};
uint8_t resp_readblk[R_READBLK_LEN] = { 0xb2, 0x4d, 0x1d, FELICA_RDBLK_ACK, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x04, 0x01, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x23, 0xcb, 0x6e};
// NFC tag 3/ ISo technically. Many overlapping standards
DbpString("Felica Lite-S simulation start");
Dbprintf("NDEF2 UID: %02x %02x %02x %02x %02x %02x %02x %02x",
uid[0], uid[1], uid[2], uid[3], uid[4], uid[5], uid[6], uid[7]
);
// fill in blanks
for (uint8_t i = 0; i < 8; i++) {
resp_poll0[i + 4] = uid[i];
resp_poll1[i + 4] = uid[i];
resp_readblk[i + 4] = uid[i];
}
// calculate and set CRC
AddCrc(&resp_poll0[2], resp_poll0[2]);
AddCrc(&resp_poll1[2], resp_poll1[2]);
AddCrc(&resp_readblk[2], resp_readblk[2]);
iso18092_setup(FPGA_HF_ISO18092_FLAG_NOMOD);
int retval = PM3_SUCCESS;
int curlen = 0;
uint8_t *curresp = NULL;
bool listenmode = true;
// uint32_t frtm = GetCountSspClk();
uint8_t flip = 0;
uint16_t checker = 0;
for (;;) {
WDT_HIT();
// since simulation is a tight time critical loop,
// we only check for user request to end at iteration 3000, 9000.
if (flip == 3) {
if (data_available()) {
retval = PM3_EOPABORTED;
break;
}
flip = 0;
}
if (checker >= 3000) {
if (BUTTON_PRESS()) {
retval = PM3_EOPABORTED;
break;
}
flip++;
checker = 0;
}
++checker;
WDT_HIT();
if (listenmode) {
// waiting for request...
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
uint8_t dist = (uint8_t)(AT91C_BASE_SSC->SSC_RHR);
// frtm = GetCountSspClk();
Process18092Byte(dist);
if (FelicaFrame.state == STATE_FULL) {
if (FelicaFrame.crc_ok) {
if (FelicaFrame.framebytes[2] == 6 && FelicaFrame.framebytes[3] == 0) {
static uint8_t timeslot = 0;
// polling... there are two types of polling we answer to
if (FelicaFrame.framebytes[6] == 0) {
curresp = resp_poll0;
curlen = R_POLL0_LEN;
listenmode = false;
}
if (FelicaFrame.framebytes[6] == 1) {
curresp = resp_poll1;
curlen = R_POLL1_LEN;
listenmode = false;
}
if (timeslot > FelicaFrame.framebytes[7]) {
// framebytes[7] contains the maximum time slot in which we are allowed to respond (#0..#15)
timeslot = 0;
}
// first time slot (#0) starts after 512 * 64 / fc, slot length equals 256 * 64 / fc
felica_nexttransfertime = GetCountSspClk() - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER) / 16 + (512 + timeslot * 256) * 64 / 16 + 1;
timeslot++; // we should use a random time slot, but responding in incremental slots should do just fine for now
}
if (FelicaFrame.framebytes[2] > 5 && FelicaFrame.framebytes[3] == 0x06) {
// we should rebuild it depending on page size, but...
// Let's see first
curresp = resp_readblk;
curlen = R_READBLK_LEN;
listenmode = false;
}
// clear frame
FelicaFrameReset();
} else {
// frame invalid, clear it out to allow for the next one
FelicaFrameReset();
}
}
}
}
if (listenmode == false) {
// trying to answer... here to start answering immediately.
// this one is a bit finicky. Seems that being a bit late is better than earlier
// TransmitFor18092_AsReader(curresp, curlen, frtm+512, 0, 0);
TransmitFor18092_AsReader(curresp, curlen, NULL, 0, 0);
// switch back
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO18092 | FPGA_HF_ISO18092_FLAG_NOMOD);
FelicaFrameReset();
listenmode = true;
curlen = 0;
curresp = NULL;
}
}
switch_off();
// reset framing
AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
Dbprintf("FeliCa Lite-S emulator stopped. Trace length: %d ", BigBuf_get_traceLen());
reply_ng(CMD_HF_FELICALITE_SIMULATE, retval, NULL, 0);
}
#define RES_SVC_LEN 11 + 3
void felica_dump_lite_s(void) {
uint8_t ndef[8];
uint8_t poll[10] = { 0xb2, 0x4d, 0x06, FELICA_POLL_REQ, 0xff, 0xff, 0x00, 0x00, 0x09, 0x21};
uint16_t liteblks[28] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x90, 0x91, 0x92, 0xa0};
// setup device.
iso18092_setup(FPGA_HF_ISO18092_FLAG_READER | FPGA_HF_ISO18092_FLAG_NOMOD);
uint8_t blknum;
bool isOK = false;
uint16_t cnt = 0, cntfails = 0;
uint8_t *dest = BigBuf_get_addr();
while ((BUTTON_PRESS() == false) && (data_available() == false)) {
WDT_HIT();
// polling?
//TransmitFor18092_AsReader(poll, 10, GetCountSspClk()+512, 1, 0);
TransmitFor18092_AsReader(poll, 10, NULL, 1, 0);
if (WaitForFelicaReply(512) && FelicaFrame.framebytes[3] == FELICA_POLL_ACK) {
// copy 8bytes to ndef.
memcpy(ndef, FelicaFrame.framebytes + 4, 8);
// for (c=0; c < 8; c++)
// ndef[c] = FelicaFrame.framebytes[c+4];
for (blknum = 0; blknum < ARRAYLEN(liteblks);) {
// block to read.
BuildFliteRdblk(ndef, 1, &liteblks[blknum]);
//TransmitFor18092_AsReader(frameSpace, frameSpace[2]+4, GetCountSspClk()+512, 1, 0);
TransmitFor18092_AsReader(frameSpace, frameSpace[2] + 4, NULL, 1, 0);
// read block
if (WaitForFelicaReply(1024) && FelicaFrame.framebytes[3] == FELICA_RDBLK_ACK) {
dest[cnt++] = liteblks[blknum];
uint8_t *fb = FelicaFrame.framebytes;
dest[cnt++] = fb[12];
dest[cnt++] = fb[13];
//memcpy(dest+cnt, FelicaFrame.framebytes + 15, 16);
//cnt += 16;
for (uint8_t j = 0; j < 16; j++)
dest[cnt++] = fb[15 + j];
blknum++;
cntfails = 0;
// // print raw log.
// Dbprintf("LEN %u | Dump bytes count %u ", FelicaFrame.len, cnt);
Dbhexdump(FelicaFrame.len, FelicaFrame.framebytes + 15, 0);
} else {
cntfails++;
if (cntfails > 12) {
blknum++;
cntfails = 0;
}
}
}
isOK = true;
break;
}
}
switch_off();
//Resetting Frame mode (First set in fpgaloader.c)
AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
//setting tracelen - important! it was set by buffer overflow before
set_tracelen(cnt);
reply_mix(CMD_ACK, isOK, cnt, 0, 0, 0);
}