emsec / ChameleonMini

The ChameleonMini is a versatile contactless smartcard emulator compliant with NFC. The ChameleonMini was developed by https://kasper-oswald.de. The device is available at https://shop.kasper.it. For further information see the Getting Started page https://rawgit.com/emsec/ChameleonMini/master/Doc/Doxygen/html/_page__getting_started.html or the project wiki.

ISO15693 sniffing codec #316

Closed (ceres-c closed this 2 years ago)

ceres-c commented 2 years ago

This PR adds sniffing support for ISO15693 tags.

The VCD -> VICC part of this is basically the same as the ISO15693 emulation codec already merged.

VICC -> VCD sniffing is implemented in single subcarrier mode only. When VCD demodulation is done, a reference "noise" value is acquired from the DEMOD signal (PORTA Pin 7, yellow in the screenshot below) to get a reference value of the field when no modulation is ongoing. This value is then fed to the DAC channel 0, which is the negative input to the analog comparator channel 0 (ACACH0). Positive input is, again, PORTA Pin 7, so whenever a signal goes beyond the noise value, an AC interrupt occurs.

The analog comparator interrupt will increase the DAC output (the AC threshold) to a slightly higher value and enable interrupts to wait for the third pulse. When the third pulse is found, the threshold will be increased again with an even higher value, this time around sampled by the ADC from the DEMOD-READER signal (PORTA Pin 2, pink below).

[Screenshot SDS00001: oscilloscope capture of DEMOD (yellow) and DEMOD-READER (pink)]

Using two different signals is convenient for ease of data acquisition, given the low speed of the Xmega ADC. DEMOD-READER has the advantage of being a non-return-to-zero signal, but still follows DEMOD's shape. Blindly sampling DEMOD would likely yield a wrong threshold, given it might be sampled too close to bottom or top values. On the other hand, DEMOD-READER, after a sufficient number of pulses (3) gives a likely reasonable value without struggling with DSP.

When the first pause after the 24 SOC pulses is found, if the number of previous pulses is considered sufficient (more than 15), the codec is initialized to decode upcoming data. From now on, every 18,88 us an interrupt will store the first half-bit in a register, then after another 18,88us the second half will be stored in the same register. When 16 bit halves are found, data is decoded to a byte, which is then appended to the codec buffer.

The rest is basically boilerplate and small changes made to accommodate the timers being used elsewhere in the codebase.

In my tests this codec proved to be fairly resistant to "dirty" situations like moving the tag or the reader in the field or suddenly removing them. For best performance, the chameleon must be kept between the tag and the reader maximizing antenna coupling: in my case the tag had to be slightly off-center by a couple of millimeters, but YMMV.

Attached is a photo of my (admittedly ugly, but reliable) test setup. The yellow probe corresponds to the yellow DEMOD signal above (MCU Pin 5 -> PORTA Pin 7) and the green probe is DEMOD-READER (MCU Pin 7 -> PORTA Pin 2). Below the Chameleon, covered by masking tape, was my ST M24LR-DISCOVERY demo board.

[Photo IMG_0589: test setup with probes attached to the MCU pins]

As it turns out, if you're going to keep micro probes attached to your MCU pins for an extended period of time, you're going to need support for the cables or you're going to break your pins like I did. Thanks @MrMoDDoM for lending me your Chameleon :)
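The half-bit sampling described in the PR (one sample every 18.88 us, two halves per bit, 16 halves per byte) can be modelled on a host as a small decoder. The following is an added example, not the ChameleonMini codec's own code: it assumes a stream of 0/1 samples taken after the SOC, maps each pair to an ISO 15693 single-subcarrier high-data-rate bit (logic 0 = pulses then pause, logic 1 = pause then pulses, LSB first), rejects pairs with no modulation (tag or reader pulled out of the field) and stops at the 24-pulse EOF burst. The encoder only exists to build a constructed test stream.

```c
#include <stdint.h>
#include <stddef.h>
/* Stand-alone model of the VICC -> VCD half-bit decoding step described in the
 * PR (an added example, not the ChameleonMini codec's own code). Each entry of
 * `halves` is one 18.88 us sample: 1 = subcarrier present (DEMOD above the AC
 * threshold), 0 = unmodulated. ISO 15693 single subcarrier, high data rate:
 * logic 0 = pulses then pause (1,0); logic 1 = pause then pulses (0,1); bits go
 * LSB first; EOF = logic 0, 24 pulses (three modulated halves), 56.64 us pause.
 * Returns bytes written to `out`, or -1 on a (0,0) pair (field lost / tag
 * removed), on overflow, or when the EOF does not follow a byte boundary. */
int iso15693_decode_halfbits(const uint8_t *halves, size_t n,
                             uint8_t *out, size_t cap)
{
    uint8_t byte = 0;
    int nbits = 0;                      /* data bits shifted into `byte` */
    size_t nbytes = 0;
    for (size_t i = 0; i + 1 < n; i += 2) {
        uint8_t first = halves[i] & 1, second = halves[i + 1] & 1;
        if (first && second)            /* (1,1): only the EOF burst makes it */
            return (nbits == 1 && byte == 0) ? (int)nbytes : -1;
        if (!first && !second)          /* no modulation in either half */
            return -1;
        byte |= (uint8_t)(second << nbits);   /* (0,1) -> 1, (1,0) -> 0 */
        if (++nbits == 8) {
            if (nbytes == cap) return -1;
            out[nbytes++] = byte;
            byte = 0;
            nbits = 0;
        }
    }
    return -1;                          /* stream ended before an EOF */
}
/* Inverse, used only to build a constructed test stream: 16 half-bits per byte
 * followed by the 8-half-bit EOF. Returns the count written (0 if no room). */
size_t iso15693_encode_halfbits(const uint8_t *bytes, size_t n,
                                uint8_t *halves, size_t cap)
{
    static const uint8_t eof[8] = {1, 0, 1, 1, 1, 0, 0, 0};
    size_t k = 0;
    if (cap < n * 16 + sizeof eof) return 0;
    for (size_t i = 0; i < n; i++)
        for (int b = 0; b < 8; b++) {
            uint8_t bit = (bytes[i] >> b) & 1;
            halves[k++] = (uint8_t)!bit;    /* logic 0 starts modulated */
            halves[k++] = bit;              /* logic 1 ends modulated */
        }
    for (size_t i = 0; i < sizeof eof; i++) halves[k++] = eof[i];
    return k;
}
```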

ceres-c commented 2 years ago

Ported suggested fixes

ceres-c commented 2 years ago

Changes made

ceres-c commented 2 years ago

Now that this is merged, I'd suggest updating the wiki as well :) https://github.com/emsec/ChameleonMini/wiki/Supported-Cards-and--Codecs

fptrs commented 2 years ago

Done, thanks for the hint