Skip to content

Commit

Permalink
Merge pull request #2385 from henrygab/em4x70_add_tests
Browse files Browse the repository at this point in the history 
add `lf em 4x70 calc` and self-tests
  • Loading branch information
@iceman1001
iceman1001 authored May 15, 2024
2 parents cacc1c1 + f9dbe3f commit 2b276ca
Show file tree
Hide file tree
Showing 5 changed files with 240 additions and 121 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...

## [unreleased][unreleased]
- Added `lf em 4x70 calc` - calculate `frn`/`grn` for a given `key` + `rnd`
- Fixed `hf 15 dump` memory leaks (@jlitewski)
- Changed `hf search` - topaz is detect before ISO14443a and commented out WIP ICT code path (@iceman1001)
- Fixed `hf search` - where felica reader now doesnt timeout and give wrong response (@iceman1001)
Expand Down
150 changes: 82 additions & 68 deletions armsrc/em4x70.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,43 +30,50 @@ static em4x70_tag_t tag = { 0 };
// EM4170 requires a parity bit on commands, other variants do not.
static bool command_parity = true;

// Conversion from Ticks to RF periods
// 1 us = 1.5 ticks
// 1RF Period = 8us = 12 Ticks
#define TICKS_PER_FC 12

// Chip timing from datasheet
// Converted into Ticks for timing functions
#define EM4X70_T_TAG_QUARTER_PERIOD (8 * TICKS_PER_FC)
#define EM4X70_T_TAG_HALF_PERIOD (16 * TICKS_PER_FC)
#define EM4X70_T_TAG_THREE_QUARTER_PERIOD (24 * TICKS_PER_FC)
#define EM4X70_T_TAG_FULL_PERIOD (32 * TICKS_PER_FC) // 1 Bit Period
#define EM4X70_T_TAG_TWA (128 * TICKS_PER_FC) // Write Access Time
#define EM4X70_T_TAG_DIV (224 * TICKS_PER_FC) // Divergency Time
#define EM4X70_T_TAG_AUTH (4224 * TICKS_PER_FC) // Authentication Time
#define EM4X70_T_TAG_WEE (3072 * TICKS_PER_FC) // EEPROM write Time
#define EM4X70_T_TAG_TWALB (672 * TICKS_PER_FC) // Write Access Time of Lock Bits
#define EM4X70_T_TAG_BITMOD (4 * TICKS_PER_FC) // Initial time to stop modulation when sending 0
#define EM4X70_T_TAG_TOLERANCE (8 * TICKS_PER_FC) // Tolerance in RF periods for receive/LIW

#define EM4X70_T_TAG_TIMEOUT (4 * EM4X70_T_TAG_FULL_PERIOD) // Timeout if we ever get a pulse longer than this
#define EM4X70_T_WAITING_FOR_LIW 50 // Pulses to wait for listen window
#define EM4X70_T_READ_HEADER_LEN 16 // Read header length (16 bit periods)

#define EM4X70_COMMAND_RETRIES 5 // Attempts to send/read command
#define EM4X70_MAX_RECEIVE_LENGTH 96 // Maximum bits to expect from any command

/**
* These IDs are from the EM4170 datasheet
* Some versions of the chip require a
* (even) parity bit, others do not
*/
#define EM4X70_COMMAND_ID 0x01
#define EM4X70_COMMAND_UM1 0x02
#define EM4X70_COMMAND_AUTH 0x03
#define EM4X70_COMMAND_PIN 0x04
#define EM4X70_COMMAND_WRITE 0x05
#define EM4X70_COMMAND_UM2 0x07
#if 1 // Calculation of ticks for timing functions
// Conversion from Ticks to RF periods
// 1 us = 1.5 ticks
// 1RF Period = 8us = 12 Ticks
#define TICKS_PER_FC 12

// Chip timing from datasheet
// Converted into Ticks for timing functions
#define EM4X70_T_TAG_QUARTER_PERIOD (8 * TICKS_PER_FC)
#define EM4X70_T_TAG_HALF_PERIOD (16 * TICKS_PER_FC)
#define EM4X70_T_TAG_THREE_QUARTER_PERIOD (24 * TICKS_PER_FC)
#define EM4X70_T_TAG_FULL_PERIOD (32 * TICKS_PER_FC) // 1 Bit Period
#define EM4X70_T_TAG_TWA (128 * TICKS_PER_FC) // Write Access Time
#define EM4X70_T_TAG_DIV (224 * TICKS_PER_FC) // Divergency Time
#define EM4X70_T_TAG_AUTH (4224 * TICKS_PER_FC) // Authentication Time
#define EM4X70_T_TAG_WEE (3072 * TICKS_PER_FC) // EEPROM write Time
#define EM4X70_T_TAG_TWALB (672 * TICKS_PER_FC) // Write Access Time of Lock Bits
#define EM4X70_T_TAG_BITMOD (4 * TICKS_PER_FC) // Initial time to stop modulation when sending 0
#define EM4X70_T_TAG_TOLERANCE (8 * TICKS_PER_FC) // Tolerance in RF periods for receive/LIW

#define EM4X70_T_TAG_TIMEOUT (4 * EM4X70_T_TAG_FULL_PERIOD) // Timeout if we ever get a pulse longer than this
#define EM4X70_T_WAITING_FOR_LIW 50 // Pulses to wait for listen window
#define EM4X70_T_READ_HEADER_LEN 16 // Read header length (16 bit periods)

#define EM4X70_COMMAND_RETRIES 5 // Attempts to send/read command
#define EM4X70_MAX_RECEIVE_LENGTH 96 // Maximum bits to expect from any command
#endif // Calculation of ticks for timing functions

#if 1 // EM4x70 Command IDs
/**
* These IDs are from the EM4170 datasheet.
* Some versions of the chip require a
* (even) parity bit, others do not.
* The command is thus stored only in the
* three least significant bits (mask 0x07).
*/
#define EM4X70_COMMAND_ID 0x01
#define EM4X70_COMMAND_UM1 0x02
#define EM4X70_COMMAND_AUTH 0x03
#define EM4X70_COMMAND_PIN 0x04
#define EM4X70_COMMAND_WRITE 0x05
#define EM4X70_COMMAND_UM2 0x07
#endif // EM4x70 Command IDs

// Constants used to determine high/low state of signal
#define EM4X70_NOISE_THRESHOLD 13 // May depend on noise in environment
Expand All @@ -80,9 +87,9 @@ static bool command_parity = true;
#define IS_TIMEOUT(timeout_ticks) (GetTicks() > timeout_ticks)
#define TICKS_ELAPSED(start_ticks) (GetTicks() - start_ticks)

static uint8_t bits2byte(const uint8_t *bits, int length);
static void bits2bytes(const uint8_t *bits, int length, uint8_t *out);
static int em4x70_receive(uint8_t *bits, size_t length);
static uint8_t encoded_bit_array_to_byte(const uint8_t *bits, int count_of_bits);
static void encoded_bit_array_to_bytes(const uint8_t *bits, int count_of_bits, uint8_t *out);
static int em4x70_receive(uint8_t *bits, size_t maximum_bits_to_read);
static bool find_listen_window(bool command);

static void init_tag(void) {
Expand Down Expand Up @@ -207,9 +214,10 @@ static uint32_t get_pulse_length(edge_detection_t edge) {
return 0;
}

static bool check_pulse_length(uint32_t pl, uint32_t length) {
// check if pulse length <pl> corresponds to given length <length>
return ((pl >= (length - EM4X70_T_TAG_TOLERANCE)) && (pl <= (length + EM4X70_T_TAG_TOLERANCE)));
static bool check_pulse_length(uint32_t pulse_tick_length, uint32_t target_tick_length) {
// check if pulse tick length corresponds to target length (+/- tolerance)
return ((pulse_tick_length >= (target_tick_length - EM4X70_T_TAG_TOLERANCE)) &&
(pulse_tick_length <= (target_tick_length + EM4X70_T_TAG_TOLERANCE)));
}

static void em4x70_send_bit(bool bit) {
Expand Down Expand Up @@ -301,7 +309,7 @@ static bool check_ack(void) {
// ACK 64 + 64
// NAK 64 + 48
if (check_pulse_length(get_pulse_length(FALLING_EDGE), 2 * EM4X70_T_TAG_FULL_PERIOD) &&
check_pulse_length(get_pulse_length(FALLING_EDGE), 2 * EM4X70_T_TAG_FULL_PERIOD)) {
check_pulse_length(get_pulse_length(FALLING_EDGE), 2 * EM4X70_T_TAG_FULL_PERIOD)) {
// ACK
return true;
}
Expand Down Expand Up @@ -344,7 +352,11 @@ static int authenticate(const uint8_t *rnd, const uint8_t *frnd, uint8_t *respon
if (g_dbglevel >= DBG_EXTENDED) Dbprintf("Auth failed");
return PM3_ESOFT;
}
bits2bytes(grnd, 24, response);
// although only received 20 bits
// ask for 24 bits converted because
// this utility function requires
// decoding in multiples of 8 bits
encoded_bit_array_to_bytes(grnd, 24, response);
return PM3_SUCCESS;
}

Expand Down Expand Up @@ -455,12 +467,12 @@ static int send_pin(const uint32_t pin) {
WaitTicks(EM4X70_T_TAG_WEE);
// <-- Receive header + ID
uint8_t tag_id[EM4X70_MAX_RECEIVE_LENGTH];
int num = em4x70_receive(tag_id, 32);
if (num < 32) {
int count_of_bits_received = em4x70_receive(tag_id, 32);
if (count_of_bits_received < 32) {
Dbprintf("Invalid ID Received");
return PM3_ESOFT;
}
bits2bytes(tag_id, num, &tag.data[4]);
encoded_bit_array_to_bytes(tag_id, count_of_bits_received, &tag.data[4]);
return PM3_SUCCESS;
}
}
Expand Down Expand Up @@ -537,51 +549,53 @@ static bool find_listen_window(bool command) {
return false;
}

static void bits2bytes(const uint8_t *bits, int length, uint8_t *out) {
// *bits == array of bytes, each byte storing a single bit.
// *out == array of bytes, storing converted bits --> bytes.
//
// [in, bcount(count_of_bits) ] const uint8_t *bits
// [out, bcount(count_of_bits/8)] uint8_t *out
static void encoded_bit_array_to_bytes(const uint8_t *bits, int count_of_bits, uint8_t *out) {

if (length % 8 != 0) {
Dbprintf("Should have a multiple of 8 bits, was sent %d", length);
if (count_of_bits % 8 != 0) {
Dbprintf("Should have a multiple of 8 bits, was sent %d", count_of_bits);
}

int num_bytes = length / 8; // We should have a multiple of 8 here
int num_bytes = count_of_bits / 8; // We should have a multiple of 8 here

for (int i = 1; i <= num_bytes; i++) {
out[num_bytes - i] = bits2byte(bits, 8);
out[num_bytes - i] = encoded_bit_array_to_byte(bits, 8);
bits += 8;
}
}

static uint8_t bits2byte(const uint8_t *bits, int length) {
static uint8_t encoded_bit_array_to_byte(const uint8_t *bits, int count_of_bits) {

// converts <length> separate bits into a single "byte"
// converts <count_of_bits> separate bits into a single "byte"
uint8_t byte = 0;
for (int i = 0; i < length; i++) {

for (int i = 0; i < count_of_bits; i++) {
byte <<= 1;
byte |= bits[i];

if (i != length - 1)
byte <<= 1;
}

return byte;
}

static bool send_command_and_read(uint8_t command, uint8_t *bytes, size_t length) {
static bool send_command_and_read(uint8_t command, uint8_t *bytes, size_t expected_byte_count) {

int retries = EM4X70_COMMAND_RETRIES;
while (retries) {
retries--;

if (find_listen_window(true)) {
uint8_t bits[EM4X70_MAX_RECEIVE_LENGTH] = {0};
size_t out_length_bits = length * 8;
size_t out_length_bits = expected_byte_count * 8;
em4x70_send_nibble(command, command_parity);
int len = em4x70_receive(bits, out_length_bits);
if (len < out_length_bits) {
Dbprintf("Invalid data received length: %d, expected %d", len, out_length_bits);
return false;
}
bits2bytes(bits, len, bytes);
encoded_bit_array_to_bytes(bits, len, bytes);
return true;
}
}
Expand Down Expand Up @@ -629,7 +643,7 @@ static bool find_em4x70_tag(void) {
return find_listen_window(false);
}

static int em4x70_receive(uint8_t *bits, size_t length) {
static int em4x70_receive(uint8_t *bits, size_t maximum_bits_to_read) {

uint32_t pl;
int bit_pos = 0;
Expand Down Expand Up @@ -667,7 +681,7 @@ static int em4x70_receive(uint8_t *bits, size_t length) {

// identify remaining bits based on pulse lengths
// between listen windows only pulse lengths of 1, 1.5 and 2 are possible
while (bit_pos < length) {
while (bit_pos < maximum_bits_to_read) {

pl = get_pulse_length(edge);

Expand All @@ -681,13 +695,13 @@ static int em4x70_receive(uint8_t *bits, size_t length) {
// pulse length 1.5 -> 2 bits + flip edge detection
if (edge == FALLING_EDGE) {
bits[bit_pos++] = 0;
if (bit_pos < length) {
if (bit_pos < maximum_bits_to_read) {
bits[bit_pos++] = 0;
}
edge = RISING_EDGE;
} else {
bits[bit_pos++] = 1;
if (bit_pos < length) {
if (bit_pos < maximum_bits_to_read) {
bits[bit_pos++] = 1;
}
edge = FALLING_EDGE;
Expand All @@ -698,12 +712,12 @@ static int em4x70_receive(uint8_t *bits, size_t length) {
// pulse length of 2 -> two bits
if (edge == FALLING_EDGE) {
bits[bit_pos++] = 0;
if (bit_pos < length) {
if (bit_pos < maximum_bits_to_read) {
bits[bit_pos++] = 1;
}
} else {
bits[bit_pos++] = 1;
if (bit_pos < length) {
if (bit_pos < maximum_bits_to_read) {
bits[bit_pos++] = 0;
}
}
Expand Down
Loading

0 comments on commit 2b276ca

Please sign in to comment.