]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/appmain.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
This version code now reads a TI tag properly.
[proxmark3-svn] / armsrc / appmain.c
CommitLineData
959baa89 1//-----------------------------------------------------------------------------
2// The main application code. This is the first thing called after start.c
3// executes.
4// Jonathan Westhues, Mar 2006
5// Edits by Gerhard de Koning Gans, Sep 2007 (##)
6//-----------------------------------------------------------------------------
7
8
9#include <proxmark3.h>
7f348042 10#include <stdlib.h>
959baa89 11#include "apps.h"
12#ifdef WITH_LCD
13#include "fonts.h"
14#include "LCD.h"
15#endif
16
17// The large multi-purpose buffer, typically used to hold A/D samples,
18// maybe pre-processed in some way.
19DWORD BigBuf[16000];
955fc5e2 20int usbattached = 0;
959baa89 21
22//=============================================================================
23// A buffer where we can queue things up to be sent through the FPGA, for
24// any purpose (fake tag, as reader, whatever). We go MSB first, since that
25// is the order in which they go out on the wire.
26//=============================================================================
27
28BYTE ToSend[256];
29int ToSendMax;
30static int ToSendBit;
31
f23e056d 32
33void BufferClear(void)
34{
35 memset(BigBuf,0,sizeof(BigBuf));
36 DbpString("Buffer cleared");
37}
38
959baa89 39void ToSendReset(void)
40{
41 ToSendMax = -1;
42 ToSendBit = 8;
43}
44
45void ToSendStuffBit(int b)
46{
47 if(ToSendBit >= 8) {
48 ToSendMax++;
49 ToSend[ToSendMax] = 0;
50 ToSendBit = 0;
51 }
52
53 if(b) {
54 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
55 }
56
57 ToSendBit++;
58
59 if(ToSendBit >= sizeof(ToSend)) {
60 ToSendBit = 0;
61 DbpString("ToSendStuffBit overflowed!");
62 }
63}
64
65//=============================================================================
66// Debug print functions, to go out over USB, to the usual PC-side client.
67//=============================================================================
68
69void DbpString(char *str)
70{
955fc5e2 71 /* this holds up stuff unless we're connected to usb */
1dff8c42 72// if (!usbattached)
73// return;
c701d2c2 74
959baa89 75 UsbCommand c;
76 c.cmd = CMD_DEBUG_PRINT_STRING;
77 c.ext1 = strlen(str);
78 memcpy(c.d.asBytes, str, c.ext1);
79
80 UsbSendPacket((BYTE *)&c, sizeof(c));
81 // TODO fix USB so stupid things like this aren't req'd
82 SpinDelay(50);
83}
84
85void DbpIntegers(int x1, int x2, int x3)
86{
955fc5e2 87 /* this holds up stuff unless we're connected to usb */
1dff8c42 88// if (!usbattached)
89// return;
955fc5e2 90
959baa89 91 UsbCommand c;
92 c.cmd = CMD_DEBUG_PRINT_INTEGERS;
93 c.ext1 = x1;
94 c.ext2 = x2;
95 c.ext3 = x3;
96
97 UsbSendPacket((BYTE *)&c, sizeof(c));
98 // XXX
99 SpinDelay(50);
100}
101
102void AcquireRawAdcSamples125k(BOOL at134khz)
103{
104 if(at134khz) {
105 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
c701d2c2 106 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
959baa89 107 } else {
108 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
c701d2c2 109 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
959baa89 110 }
111
112 // Connect the A/D to the peak-detected low-frequency path.
113 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
114
115 // Give it a bit of time for the resonant antenna to settle.
116 SpinDelay(50);
117
118 // Now set up the SSC to get the ADC samples that are now streaming at us.
119 FpgaSetupSsc();
120
121 // Now call the acquisition routine
122 DoAcquisition125k(at134khz);
123}
124
125// split into two routines so we can avoid timing issues after sending commands //
126void DoAcquisition125k(BOOL at134khz)
127{
128 BYTE *dest = (BYTE *)BigBuf;
129 int n = sizeof(BigBuf);
130 int i;
131
132 memset(dest,0,n);
133 i = 0;
134 for(;;) {
135 if(SSC_STATUS & (SSC_STATUS_TX_READY)) {
136 SSC_TRANSMIT_HOLDING = 0x43;
137 LED_D_ON();
138 }
139 if(SSC_STATUS & (SSC_STATUS_RX_READY)) {
140 dest[i] = (BYTE)SSC_RECEIVE_HOLDING;
141 i++;
142 LED_D_OFF();
143 if(i >= n) {
144 break;
145 }
146 }
147 }
148 DbpIntegers(dest[0], dest[1], at134khz);
149}
150
151void ModThenAcquireRawAdcSamples125k(int delay_off,int period_0,int period_1,BYTE *command)
152{
153 BOOL at134khz;
154
155 // see if 'h' was specified
1dd23352 156 if(command[strlen((char *) command) - 1] == 'h')
959baa89 157 at134khz= TRUE;
158 else
159 at134khz= FALSE;
c701d2c2 160
959baa89 161 if(at134khz) {
162 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
c701d2c2 163 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
959baa89 164 } else {
165 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
c701d2c2 166 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
959baa89 167 }
168
169 // Give it a bit of time for the resonant antenna to settle.
170 SpinDelay(50);
171
172 // Now set up the SSC to get the ADC samples that are now streaming at us.
173 FpgaSetupSsc();
174
175 // now modulate the reader field
176 while(*command != '\0' && *command != ' ')
177 {
178 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
179 LED_D_OFF();
180 SpinDelayUs(delay_off);
181 if(at134khz) {
182 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
c701d2c2 183 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
959baa89 184 } else {
185 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
c701d2c2 186 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
959baa89 187 }
188 LED_D_ON();
189 if(*(command++) == '0')
190 SpinDelayUs(period_0);
191 else
192 SpinDelayUs(period_1);
193 }
194 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
195 LED_D_OFF();
196 SpinDelayUs(delay_off);
197 if(at134khz) {
198 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
c701d2c2 199 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
959baa89 200 } else {
201 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
c701d2c2 202 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
959baa89 203 }
204
205 // now do the read
206 DoAcquisition125k(at134khz);
207}
208
c701d2c2 209void AcquireTiType(void)
210{
211 int i;
8e7a6ce4 212 int n = 5000;
c701d2c2 213
214 // clear buffer
215 memset(BigBuf,0,sizeof(BigBuf));
216
8e7a6ce4 217 // Set up the synchronous serial port
c701d2c2 218 PIO_DISABLE = (1<<GPIO_SSC_DIN);
219 PIO_PERIPHERAL_A_SEL = (1<<GPIO_SSC_DIN);
220
8e7a6ce4 221 // steal this pin from the SSP and use it to control the modulation
222 PIO_ENABLE = (1<<GPIO_SSC_DOUT);
223 PIO_OUTPUT_ENABLE = (1<<GPIO_SSC_DOUT);
224
c701d2c2 225 SSC_CONTROL = SSC_CONTROL_RESET;
226 SSC_CONTROL = SSC_CONTROL_RX_ENABLE | SSC_CONTROL_TX_ENABLE;
227
228 // Sample at 2 Mbit/s, so TI tags are 16.2 vs. 14.9 clocks long
229 // 48/2 = 24 MHz clock must be divided by 12
230 SSC_CLOCK_DIVISOR = 12;
231
232 SSC_RECEIVE_CLOCK_MODE = SSC_CLOCK_MODE_SELECT(0);
8e7a6ce4 233 SSC_RECEIVE_FRAME_MODE = SSC_FRAME_MODE_BITS_IN_WORD(32) | SSC_FRAME_MODE_MSB_FIRST;
234 SSC_TRANSMIT_CLOCK_MODE = 0;
235 SSC_TRANSMIT_FRAME_MODE = 0;
c701d2c2 236
c701d2c2 237 LED_D_ON();
8e7a6ce4 238
239 // modulate antenna
240 PIO_OUTPUT_DATA_SET = (1<<GPIO_SSC_DOUT);
c701d2c2 241
242 // Charge TI tag for 50ms.
243 SpinDelay(50);
8e7a6ce4 244
245 // stop modulating antenna and listen
246 PIO_OUTPUT_DATA_CLEAR = (1<<GPIO_SSC_DOUT);
247
c701d2c2 248 LED_D_OFF();
249
8e7a6ce4 250 i = 0;
251 for(;;) {
252 if(SSC_STATUS & SSC_STATUS_RX_READY) {
253 BigBuf[i] = SSC_RECEIVE_HOLDING; // store 32 bit values in buffer
254 i++; if(i >= n) return;
255 }
256 WDT_HIT();
257 }
258
259 // return stolen pin ro SSP
260 PIO_DISABLE = (1<<GPIO_SSC_DOUT);
261 PIO_PERIPHERAL_A_SEL = (1<<GPIO_SSC_DIN) | (1<<GPIO_SSC_DOUT);
262}
263
264void AcquireRawBitsTI(void)
265{
266 LED_D_ON();
267 // TI tags charge at 134.2Khz
268 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
269 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
270 // connects to SSP_DIN and the SSP_DOUT logic level controls
271 // whether we're modulating the antenna (high)
272 // or listening to the antenna (low)
c701d2c2 273 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
274
275 // get TI tag data into the buffer
276 AcquireTiType();
277
278 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
c701d2c2 279}
280
959baa89 281//-----------------------------------------------------------------------------
282// Read an ADC channel and block till it completes, then return the result
283// in ADC units (0 to 1023). Also a routine to average 32 samples and
284// return that.
285//-----------------------------------------------------------------------------
286static int ReadAdc(int ch)
287{
288 DWORD d;
289
290 ADC_CONTROL = ADC_CONTROL_RESET;
291 ADC_MODE = ADC_MODE_PRESCALE(32) | ADC_MODE_STARTUP_TIME(16) |
292 ADC_MODE_SAMPLE_HOLD_TIME(8);
293 ADC_CHANNEL_ENABLE = ADC_CHANNEL(ch);
294
295 ADC_CONTROL = ADC_CONTROL_START;
296 while(!(ADC_STATUS & ADC_END_OF_CONVERSION(ch)))
297 ;
298 d = ADC_CHANNEL_DATA(ch);
299
300 return d;
301}
302
303static int AvgAdc(int ch)
304{
305 int i;
306 int a = 0;
307
308 for(i = 0; i < 32; i++) {
309 a += ReadAdc(ch);
310 }
311
312 return (a + 15) >> 5;
313}
30f2a7d3 314
e7aee94e 315void MeasureAntennaTuning(void)
959baa89 316{
317 BYTE *dest = (BYTE *)BigBuf;
e7aee94e 318 int i, ptr = 0, adcval = 0, peak = 0, peakv = 0, peakf = 0;;
319 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
320
321 UsbCommand c;
959baa89 322
e7aee94e 323 DbpString("Measuring antenna characteristics, please wait.");
959baa89 324 memset(BigBuf,0,sizeof(BigBuf));
325
e7aee94e 326/*
327 * Sweeps the useful LF range of the proxmark from
328 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
329 * read the voltage in the antenna, the result left
330 * in the buffer is a graph which should clearly show
331 * the resonating frequency of your LF antenna
332 * ( hopefully around 95 if it is tuned to 125kHz!)
333 */
959baa89 334 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
335 for (i=255; i>19; i--) {
336 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
337 SpinDelay(20);
e7aee94e 338 // Vref = 3.3V, and a 10000:240 voltage divider on the input
339 // can measure voltages up to 137500 mV
340 adcval = ((137500 * AvgAdc(ADC_CHAN_LF)) >> 10);
341 if (i==95) vLf125 = adcval; // voltage at 125Khz
342 if (i==89) vLf134 = adcval; // voltage at 134Khz
343
344 dest[i] = adcval>>8; // scale int to fit in byte for graphing purposes
38b65694 345 if(dest[i] > peak) {
e7aee94e 346 peakv = adcval;
347 peak = dest[i];
348 peakf = i;
349 ptr = i;
38b65694 350 }
e7aee94e 351 }
959baa89 352
353 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
354 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
355 SpinDelay(20);
959baa89 356 // Vref = 3300mV, and an 10:1 voltage divider on the input
357 // can measure voltages up to 33000 mV
e7aee94e 358 vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
959baa89 359
360 c.cmd = CMD_MEASURED_ANTENNA_TUNING;
361 c.ext1 = (vLf125 << 0) | (vLf134 << 16);
362 c.ext2 = vHf;
c701d2c2 363 c.ext3 = peakf | (peakv << 16);
959baa89 364 UsbSendPacket((BYTE *)&c, sizeof(c));
365}
366
955fc5e2 367void SimulateTagLowFrequency(int period, int ledcontrol)
959baa89 368{
369 int i;
370 BYTE *tab = (BYTE *)BigBuf;
371
372 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_SIMULATOR);
373
374 PIO_ENABLE = (1 << GPIO_SSC_DOUT) | (1 << GPIO_SSC_CLK);
375
376 PIO_OUTPUT_ENABLE = (1 << GPIO_SSC_DOUT);
377 PIO_OUTPUT_DISABLE = (1 << GPIO_SSC_CLK);
378
379#define SHORT_COIL() LOW(GPIO_SSC_DOUT)
380#define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
381
382 i = 0;
383 for(;;) {
384 while(!(PIO_PIN_DATA_STATUS & (1<<GPIO_SSC_CLK))) {
385 if(BUTTON_PRESS()) {
6bd86cb2 386 DbpString("Stopped");
959baa89 387 return;
388 }
389 WDT_HIT();
390 }
391
955fc5e2 392 if (ledcontrol)
393 LED_D_ON();
394
395 if(tab[i])
959baa89 396 OPEN_COIL();
955fc5e2 397 else
959baa89 398 SHORT_COIL();
c701d2c2 399
955fc5e2 400 if (ledcontrol)
401 LED_D_OFF();
959baa89 402
403 while(PIO_PIN_DATA_STATUS & (1<<GPIO_SSC_CLK)) {
404 if(BUTTON_PRESS()) {
6bd86cb2 405 DbpString("Stopped");
959baa89 406 return;
407 }
408 WDT_HIT();
409 }
410
411 i++;
412 if(i == period) i = 0;
413 }
414}
415
416// compose fc/8 fc/10 waveform
417static void fc(int c, int *n) {
418 BYTE *dest = (BYTE *)BigBuf;
419 int idx;
420
421 // for when we want an fc8 pattern every 4 logical bits
422 if(c==0) {
423 dest[((*n)++)]=1;
424 dest[((*n)++)]=1;
425 dest[((*n)++)]=0;
426 dest[((*n)++)]=0;
427 dest[((*n)++)]=0;
428 dest[((*n)++)]=0;
429 dest[((*n)++)]=0;
430 dest[((*n)++)]=0;
431 }
432 // an fc/8 encoded bit is a bit pattern of 11000000 x6 = 48 samples
433 if(c==8) {
434 for (idx=0; idx<6; idx++) {
435 dest[((*n)++)]=1;
436 dest[((*n)++)]=1;
437 dest[((*n)++)]=0;
438 dest[((*n)++)]=0;
439 dest[((*n)++)]=0;
440 dest[((*n)++)]=0;
441 dest[((*n)++)]=0;
442 dest[((*n)++)]=0;
443 }
444 }
445
446 // an fc/10 encoded bit is a bit pattern of 1110000000 x5 = 50 samples
447 if(c==10) {
448 for (idx=0; idx<5; idx++) {
449 dest[((*n)++)]=1;
450 dest[((*n)++)]=1;
451 dest[((*n)++)]=1;
452 dest[((*n)++)]=0;
453 dest[((*n)++)]=0;
454 dest[((*n)++)]=0;
455 dest[((*n)++)]=0;
456 dest[((*n)++)]=0;
457 dest[((*n)++)]=0;
458 dest[((*n)++)]=0;
459 }
460 }
461}
462
463// prepare a waveform pattern in the buffer based on the ID given then
464// simulate a HID tag until the button is pressed
955fc5e2 465static void CmdHIDsimTAG(int hi, int lo, int ledcontrol)
959baa89 466{
467 int n=0, i=0;
468 /*
469 HID tag bitstream format
470 The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits
471 A 1 bit is represented as 6 fc8 and 5 fc10 patterns
472 A 0 bit is represented as 5 fc10 and 6 fc8 patterns
473 A fc8 is inserted before every 4 bits
474 A special start of frame pattern is used consisting a0b0 where a and b are neither 0
475 nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10)
476 */
477
478 if (hi>0xFFF) {
479 DbpString("Tags can only have 44 bits.");
480 return;
481 }
482 fc(0,&n);
483 // special start of frame marker containing invalid bit sequences
484 fc(8, &n); fc(8, &n); // invalid
485 fc(8, &n); fc(10, &n); // logical 0
486 fc(10, &n); fc(10, &n); // invalid
487 fc(8, &n); fc(10, &n); // logical 0
488
489 WDT_HIT();
490 // manchester encode bits 43 to 32
491 for (i=11; i>=0; i--) {
492 if ((i%4)==3) fc(0,&n);
493 if ((hi>>i)&1) {
494 fc(10, &n); fc(8, &n); // low-high transition
495 } else {
496 fc(8, &n); fc(10, &n); // high-low transition
497 }
498 }
499
500 WDT_HIT();
501 // manchester encode bits 31 to 0
502 for (i=31; i>=0; i--) {
503 if ((i%4)==3) fc(0,&n);
504 if ((lo>>i)&1) {
505 fc(10, &n); fc(8, &n); // low-high transition
506 } else {
507 fc(8, &n); fc(10, &n); // high-low transition
508 }
509 }
510
955fc5e2 511 if (ledcontrol)
512 LED_A_ON();
513 SimulateTagLowFrequency(n, ledcontrol);
c701d2c2 514
955fc5e2 515 if (ledcontrol)
516 LED_A_OFF();
959baa89 517}
518
519// loop to capture raw HID waveform then FSK demodulate the TAG ID from it
955fc5e2 520static void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
959baa89 521{
522 BYTE *dest = (BYTE *)BigBuf;
523 int m=0, n=0, i=0, idx=0, found=0, lastval=0;
524 DWORD hi=0, lo=0;
525
526 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
c701d2c2 527 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
959baa89 528
529 // Connect the A/D to the peak-detected low-frequency path.
530 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
531
532 // Give it a bit of time for the resonant antenna to settle.
533 SpinDelay(50);
534
535 // Now set up the SSC to get the ADC samples that are now streaming at us.
536 FpgaSetupSsc();
537
538 for(;;) {
539 WDT_HIT();
955fc5e2 540 if (ledcontrol)
541 LED_A_ON();
959baa89 542 if(BUTTON_PRESS()) {
6bd86cb2 543 DbpString("Stopped");
955fc5e2 544 if (ledcontrol)
545 LED_A_OFF();
959baa89 546 return;
547 }
548
549 i = 0;
550 m = sizeof(BigBuf);
551 memset(dest,128,m);
552 for(;;) {
553 if(SSC_STATUS & (SSC_STATUS_TX_READY)) {
554 SSC_TRANSMIT_HOLDING = 0x43;
955fc5e2 555 if (ledcontrol)
556 LED_D_ON();
959baa89 557 }
558 if(SSC_STATUS & (SSC_STATUS_RX_READY)) {
559 dest[i] = (BYTE)SSC_RECEIVE_HOLDING;
560 // we don't care about actual value, only if it's more or less than a
561 // threshold essentially we capture zero crossings for later analysis
562 if(dest[i] < 127) dest[i] = 0; else dest[i] = 1;
563 i++;
955fc5e2 564 if (ledcontrol)
565 LED_D_OFF();
959baa89 566 if(i >= m) {
567 break;
568 }
569 }
570 }
571
572 // FSK demodulator
573
574 // sync to first lo-hi transition
575 for( idx=1; idx<m; idx++) {
576 if (dest[idx-1]<dest[idx])
577 lastval=idx;
578 break;
579 }
580 WDT_HIT();
581
582 // count cycles between consecutive lo-hi transitions, there should be either 8 (fc/8)
583 // or 10 (fc/10) cycles but in practice due to noise etc we may end up with with anywhere
584 // between 7 to 11 cycles so fuzz it by treat anything <9 as 8 and anything else as 10
585 for( i=0; idx<m; idx++) {
586 if (dest[idx-1]<dest[idx]) {
587 dest[i]=idx-lastval;
588 if (dest[i] <= 8) {
589 dest[i]=1;
590 } else {
591 dest[i]=0;
592 }
593
594 lastval=idx;
595 i++;
596 }
597 }
598 m=i;
599 WDT_HIT();
600
601 // we now have a set of cycle counts, loop over previous results and aggregate data into bit patterns
602 lastval=dest[0];
603 idx=0;
604 i=0;
605 n=0;
606 for( idx=0; idx<m; idx++) {
607 if (dest[idx]==lastval) {
608 n++;
609 } else {
610 // a bit time is five fc/10 or six fc/8 cycles so figure out how many bits a pattern width represents,
611 // an extra fc/8 pattern preceeds every 4 bits (about 200 cycles) just to complicate things but it gets
612 // swallowed up by rounding
613 // expected results are 1 or 2 bits, any more and it's an invalid manchester encoding
614 // special start of frame markers use invalid manchester states (no transitions) by using sequences
615 // like 111000
616 if (dest[idx-1]) {
617 n=(n+1)/6; // fc/8 in sets of 6
618 } else {
619 n=(n+1)/5; // fc/10 in sets of 5
620 }
621 switch (n) { // stuff appropriate bits in buffer
622 case 0:
623 case 1: // one bit
624 dest[i++]=dest[idx-1];
625 break;
626 case 2: // two bits
627 dest[i++]=dest[idx-1];
628 dest[i++]=dest[idx-1];
629 break;
630 case 3: // 3 bit start of frame markers
631 dest[i++]=dest[idx-1];
632 dest[i++]=dest[idx-1];
633 dest[i++]=dest[idx-1];
634 break;
635 // When a logic 0 is immediately followed by the start of the next transmisson
636 // (special pattern) a pattern of 4 bit duration lengths is created.
637 case 4:
638 dest[i++]=dest[idx-1];
639 dest[i++]=dest[idx-1];
640 dest[i++]=dest[idx-1];
641 dest[i++]=dest[idx-1];
642 break;
643 default: // this shouldn't happen, don't stuff any bits
644 break;
645 }
646 n=0;
647 lastval=dest[idx];
648 }
649 }
650 m=i;
651 WDT_HIT();
652
653 // final loop, go over previously decoded manchester data and decode into usable tag ID
654 // 111000 bit pattern represent start of frame, 01 pattern represents a 1 and 10 represents a 0
655 for( idx=0; idx<m-6; idx++) {
656 // search for a start of frame marker
657 if ( dest[idx] && dest[idx+1] && dest[idx+2] && (!dest[idx+3]) && (!dest[idx+4]) && (!dest[idx+5]) )
658 {
659 found=1;
660 idx+=6;
661 if (found && (hi|lo)) {
662 DbpString("TAG ID");
663 DbpIntegers(hi, lo, (lo>>1)&0xffff);
955fc5e2 664 /* if we're only looking for one tag */
665 if (findone)
666 {
667 *high = hi;
668 *low = lo;
669 return;
670 }
959baa89 671 hi=0;
672 lo=0;
673 found=0;
674 }
675 }
676 if (found) {
677 if (dest[idx] && (!dest[idx+1]) ) {
678 hi=(hi<<1)|(lo>>31);
679 lo=(lo<<1)|0;
680 } else if ( (!dest[idx]) && dest[idx+1]) {
681 hi=(hi<<1)|(lo>>31);
682 lo=(lo<<1)|1;
683 } else {
684 found=0;
685 hi=0;
686 lo=0;
687 }
688 idx++;
689 }
690 if ( dest[idx] && dest[idx+1] && dest[idx+2] && (!dest[idx+3]) && (!dest[idx+4]) && (!dest[idx+5]) )
691 {
692 found=1;
693 idx+=6;
694 if (found && (hi|lo)) {
695 DbpString("TAG ID");
696 DbpIntegers(hi, lo, (lo>>1)&0xffff);
955fc5e2 697 /* if we're only looking for one tag */
698 if (findone)
699 {
700 *high = hi;
701 *low = lo;
702 return;
703 }
959baa89 704 hi=0;
705 lo=0;
706 found=0;
707 }
708 }
709 }
710 WDT_HIT();
711 }
712}
713
714void SimulateTagHfListen(void)
715{
716 BYTE *dest = (BYTE *)BigBuf;
717 int n = sizeof(BigBuf);
718 BYTE v = 0;
719 int i;
720 int p = 0;
721
722 // We're using this mode just so that I can test it out; the simulated
723 // tag mode would work just as well and be simpler.
724 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ | FPGA_HF_READER_RX_XCORR_SNOOP);
725
726 // We need to listen to the high-frequency, peak-detected path.
727 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
728
729 FpgaSetupSsc();
730
731 i = 0;
732 for(;;) {
733 if(SSC_STATUS & (SSC_STATUS_TX_READY)) {
734 SSC_TRANSMIT_HOLDING = 0xff;
735 }
736 if(SSC_STATUS & (SSC_STATUS_RX_READY)) {
737 BYTE r = (BYTE)SSC_RECEIVE_HOLDING;
738
739 v <<= 1;
740 if(r & 1) {
741 v |= 1;
742 }
743 p++;
744
745 if(p >= 8) {
746 dest[i] = v;
747 v = 0;
748 p = 0;
749 i++;
750
751 if(i >= n) {
752 break;
753 }
754 }
755 }
756 }
757 DbpString("simulate tag (now type bitsamples)");
758}
759
760void UsbPacketReceived(BYTE *packet, int len)
761{
762 UsbCommand *c = (UsbCommand *)packet;
763
764 switch(c->cmd) {
765 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
766 AcquireRawAdcSamples125k(c->ext1);
767 break;
768
769 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
770 ModThenAcquireRawAdcSamples125k(c->ext1,c->ext2,c->ext3,c->d.asBytes);
771 break;
772
c701d2c2 773 case CMD_ACQUIRE_RAW_BITS_TI_TYPE:
774 AcquireRawBitsTI();
775 break;
776
959baa89 777 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
778 AcquireRawAdcSamplesIso15693();
779 break;
f23e056d 780
781 case CMD_BUFF_CLEAR:
782 BufferClear();
783 break;
959baa89 784
785 case CMD_READER_ISO_15693:
786 ReaderIso15693(c->ext1);
787 break;
788
789 case CMD_SIMTAG_ISO_15693:
790 SimTagIso15693(c->ext1);
791 break;
792
793 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_14443:
794 AcquireRawAdcSamplesIso14443(c->ext1);
795 break;
fb25b483 796
797 case CMD_READ_SRI512_TAG:
798 ReadSRI512Iso14443(c->ext1);
799 break;
959baa89 800
801 case CMD_READER_ISO_14443a:
802 ReaderIso14443a(c->ext1);
803 break;
804
805 case CMD_SNOOP_ISO_14443:
806 SnoopIso14443();
807 break;
808
809 case CMD_SNOOP_ISO_14443a:
810 SnoopIso14443a();
811 break;
812
813 case CMD_SIMULATE_TAG_HF_LISTEN:
814 SimulateTagHfListen();
815 break;
816
817 case CMD_SIMULATE_TAG_ISO_14443:
818 SimulateIso14443Tag();
819 break;
820
821 case CMD_SIMULATE_TAG_ISO_14443a:
822 SimulateIso14443aTag(c->ext1, c->ext2); // ## Simulate iso14443a tag - pass tag type & UID
823 break;
824
825 case CMD_MEASURE_ANTENNA_TUNING:
826 MeasureAntennaTuning();
827 break;
828
7f348042 829 case CMD_LISTEN_READER_FIELD:
830 ListenReaderField(c->ext1);
831 break;
832
959baa89 833 case CMD_HID_DEMOD_FSK:
955fc5e2 834 CmdHIDdemodFSK(0, 0, 0, 1); // Demodulate HID tag
959baa89 835 break;
836
837 case CMD_HID_SIM_TAG:
955fc5e2 838 CmdHIDsimTAG(c->ext1, c->ext2, 1); // Simulate HID tag by ID
959baa89 839 break;
840
841 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
842 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
843 SpinDelay(200);
844 LED_D_OFF(); // LED D indicates field ON or OFF
845 break;
846
847 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K:
848 case CMD_DOWNLOAD_RAW_BITS_TI_TYPE: {
849 UsbCommand n;
850 if(c->cmd == CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K) {
851 n.cmd = CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K;
852 } else {
853 n.cmd = CMD_DOWNLOADED_RAW_BITS_TI_TYPE;
854 }
855 n.ext1 = c->ext1;
856 memcpy(n.d.asDwords, BigBuf+c->ext1, 12*sizeof(DWORD));
857 UsbSendPacket((BYTE *)&n, sizeof(n));
858 break;
859 }
860 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
861 BYTE *b = (BYTE *)BigBuf;
862 memcpy(b+c->ext1, c->d.asBytes, 48);
863 break;
864 }
865 case CMD_SIMULATE_TAG_125K:
866 LED_A_ON();
955fc5e2 867 SimulateTagLowFrequency(c->ext1, 1);
959baa89 868 LED_A_OFF();
869 break;
870#ifdef WITH_LCD
871 case CMD_LCD_RESET:
872 LCDReset();
873 break;
874#endif
1dff8c42 875 case CMD_READ_MEM:
876 ReadMem(c->ext1);
877 break;
959baa89 878 case CMD_SET_LF_DIVISOR:
879 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->ext1);
880 break;
881#ifdef WITH_LCD
882 case CMD_LCD:
883 LCDSend(c->ext1);
884 break;
885#endif
886 case CMD_SETUP_WRITE:
887 case CMD_FINISH_WRITE:
888 case CMD_HARDWARE_RESET:
889 USB_D_PLUS_PULLUP_OFF();
890 SpinDelay(1000);
891 SpinDelay(1000);
892 RSTC_CONTROL = RST_CONTROL_KEY | RST_CONTROL_PROCESSOR_RESET;
893 for(;;) {
894 // We're going to reset, and the bootrom will take control.
895 }
896 break;
897
898
899 default:
900 DbpString("unknown command");
901 break;
902 }
903}
904
1dff8c42 905void ReadMem(int addr)
906{
907 const DWORD *data = ((DWORD *)addr);
908 int i;
c701d2c2 909
1dff8c42 910 DbpString("Reading memory at address");
911 DbpIntegers(0, 0, addr);
912 for (i = 0; i < 8; i+= 2)
913 DbpIntegers(0, data[i], data[i+1]);
914}
915
959baa89 916void AppMain(void)
917{
918 memset(BigBuf,0,sizeof(BigBuf));
919 SpinDelay(100);
920
693f7cf7 921 LED_D_OFF();
922 LED_C_OFF();
923 LED_B_OFF();
924 LED_A_OFF();
959baa89 925
926 UsbStart();
927
928 // The FPGA gets its clock from us from PCK0 output, so set that up.
929 PIO_PERIPHERAL_B_SEL = (1 << GPIO_PCK0);
930 PIO_DISABLE = (1 << GPIO_PCK0);
931 PMC_SYS_CLK_ENABLE = PMC_SYS_CLK_PROGRAMMABLE_CLK_0;
932 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
933 PMC_PROGRAMMABLE_CLK_0 = PMC_CLK_SELECTION_PLL_CLOCK |
934 PMC_CLK_PRESCALE_DIV_4;
935 PIO_OUTPUT_ENABLE = (1 << GPIO_PCK0);
936
937 // Reset SPI
938 SPI_CONTROL = SPI_CONTROL_RESET;
939 // Reset SSC
940 SSC_CONTROL = SSC_CONTROL_RESET;
941
942 // Load the FPGA image, which we have stored in our flash.
943 FpgaDownloadAndGo();
944
945#ifdef WITH_LCD
946
947 LCDInit();
948
949 // test text on different colored backgrounds
693f7cf7 950 LCDString(" The quick brown fox ", &FONT6x8,1,1+8*0,WHITE ,BLACK );
951 LCDString(" jumped over the ", &FONT6x8,1,1+8*1,BLACK ,WHITE );
952 LCDString(" lazy dog. ", &FONT6x8,1,1+8*2,YELLOW ,RED );
953 LCDString(" AaBbCcDdEeFfGgHhIiJj ", &FONT6x8,1,1+8*3,RED ,GREEN );
954 LCDString(" KkLlMmNnOoPpQqRrSsTt ", &FONT6x8,1,1+8*4,MAGENTA,BLUE );
955 LCDString("UuVvWwXxYyZz0123456789", &FONT6x8,1,1+8*5,BLUE ,YELLOW);
956 LCDString("`-=[]_;',./~!@#$%^&*()", &FONT6x8,1,1+8*6,BLACK ,CYAN );
957 LCDString(" _+{}|:\\\"<>? ",&FONT6x8,1,1+8*7,BLUE ,MAGENTA);
959baa89 958
959 // color bands
960 LCDFill(0, 1+8* 8, 132, 8, BLACK);
961 LCDFill(0, 1+8* 9, 132, 8, WHITE);
962 LCDFill(0, 1+8*10, 132, 8, RED);
963 LCDFill(0, 1+8*11, 132, 8, GREEN);
964 LCDFill(0, 1+8*12, 132, 8, BLUE);
965 LCDFill(0, 1+8*13, 132, 8, YELLOW);
966 LCDFill(0, 1+8*14, 132, 8, CYAN);
967 LCDFill(0, 1+8*15, 132, 8, MAGENTA);
968
969#endif
970
971 for(;;) {
955fc5e2 972 usbattached = UsbPoll(FALSE);
959baa89 973 WDT_HIT();
959baa89 974
955fc5e2 975 if (BUTTON_HELD(1000) > 0)
976 SamyRun();
959baa89 977 }
978}
979
959baa89 980
955fc5e2 981// samy's sniff and repeat routine
982void SamyRun()
983{
984 DbpString("Stand-alone mode! No PC necessary.");
959baa89 985
955fc5e2 986 // 3 possible options? no just 2 for now
987#define OPTS 2
959baa89 988
955fc5e2 989 int high[OPTS], low[OPTS];
c701d2c2 990
955fc5e2 991 // Oooh pretty -- notify user we're in elite samy mode now
992 LED(LED_RED, 200);
993 LED(LED_ORANGE, 200);
994 LED(LED_GREEN, 200);
995 LED(LED_ORANGE, 200);
996 LED(LED_RED, 200);
997 LED(LED_ORANGE, 200);
998 LED(LED_GREEN, 200);
999 LED(LED_ORANGE, 200);
1000 LED(LED_RED, 200);
c701d2c2 1001
955fc5e2 1002 int selected = 0;
1003 int playing = 0;
c701d2c2 1004
955fc5e2 1005 // Turn on selected LED
1006 LED(selected + 1, 0);
c701d2c2 1007
955fc5e2 1008 for (;;)
1009 {
1010 usbattached = UsbPoll(FALSE);
959baa89 1011 WDT_HIT();
c701d2c2 1012
955fc5e2 1013 // Was our button held down or pressed?
1014 int button_pressed = BUTTON_HELD(1000);
1015 SpinDelay(300);
c701d2c2 1016
955fc5e2 1017 // Button was held for a second, begin recording
1018 if (button_pressed > 0)
1019 {
1020 LEDsoff();
1021 LED(selected + 1, 0);
1022 LED(LED_RED2, 0);
c701d2c2 1023
955fc5e2 1024 // record
1025 DbpString("Starting recording");
693f7cf7 1026
1027 // wait for button to be released
1028 while(BUTTON_PRESS())
1029 WDT_HIT();
1030
955fc5e2 1031 /* need this delay to prevent catching some weird data */
1032 SpinDelay(500);
693f7cf7 1033
955fc5e2 1034 CmdHIDdemodFSK(1, &high[selected], &low[selected], 0);
1035 DbpString("Recorded");
1036 DbpIntegers(selected, high[selected], low[selected]);
c701d2c2 1037
955fc5e2 1038 LEDsoff();
1039 LED(selected + 1, 0);
1040 // Finished recording
c701d2c2 1041
955fc5e2 1042 // If we were previously playing, set playing off
1043 // so next button push begins playing what we recorded
1044 playing = 0;
1045 }
c701d2c2 1046
955fc5e2 1047 // Change where to record (or begin playing)
1048 else if (button_pressed)
1049 {
1050 // Next option if we were previously playing
1051 if (playing)
1052 selected = (selected + 1) % OPTS;
1053 playing = !playing;
c701d2c2 1054
955fc5e2 1055 LEDsoff();
1056 LED(selected + 1, 0);
c701d2c2 1057
955fc5e2 1058 // Begin transmitting
1059 if (playing)
1060 {
1061 LED(LED_GREEN, 0);
1062 DbpString("Playing");
693f7cf7 1063 // wait for button to be released
1064 while(BUTTON_PRESS())
1065 WDT_HIT();
955fc5e2 1066 DbpIntegers(selected, high[selected], low[selected]);
1067 CmdHIDsimTAG(high[selected], low[selected], 0);
1068 DbpString("Done playing");
693f7cf7 1069 if (BUTTON_HELD(1000) > 0)
1070 {
1071 DbpString("Exiting");
1072 LEDsoff();
1073 return;
1074 }
c701d2c2 1075
955fc5e2 1076 /* We pressed a button so ignore it here with a delay */
1077 SpinDelay(300);
c701d2c2 1078
955fc5e2 1079 // when done, we're done playing, move to next option
1080 selected = (selected + 1) % OPTS;
1081 playing = !playing;
1082 LEDsoff();
1083 LED(selected + 1, 0);
1084 }
693f7cf7 1085 else
1086 while(BUTTON_PRESS())
1087 WDT_HIT();
955fc5e2 1088 }
959baa89 1089 }
1090}
7f348042 1091
955fc5e2 1092
c701d2c2 1093// listen for external reader
7f348042 1094void ListenReaderField(int limit)
1095{
1dd23352 1096 int lf_av, lf_av_new, lf_baseline= 0, lf_count= 0;
1097 int hf_av, hf_av_new, hf_baseline= 0, hf_count= 0;
7f348042 1098
1099#define LF_ONLY 1
1100#define HF_ONLY 2
1101
1102 LED_A_OFF();
1103 LED_B_OFF();
1104 LED_C_OFF();
1105 LED_D_OFF();
1106
1107 lf_av= ReadAdc(ADC_CHAN_LF);
1108
c701d2c2 1109 if(limit != HF_ONLY)
7f348042 1110 {
1111 DbpString("LF 125/134 Baseline:");
1112 DbpIntegers(lf_av,0,0);
1113 lf_baseline= lf_av;
1114 }
1115
1116 hf_av= ReadAdc(ADC_CHAN_HF);
1117
1118
c701d2c2 1119 if (limit != LF_ONLY)
7f348042 1120 {
1121 DbpString("HF 13.56 Baseline:");
1122 DbpIntegers(hf_av,0,0);
1123 hf_baseline= hf_av;
1124 }
1125
c701d2c2 1126 for(;;)
7f348042 1127 {
c701d2c2 1128 if(BUTTON_PRESS())
7f348042 1129 {
6bd86cb2 1130 DbpString("Stopped");
7f348042 1131 LED_B_OFF();
1132 LED_D_OFF();
1133 return;
1134 }
1135 WDT_HIT();
1136
1137
c701d2c2 1138 if (limit != HF_ONLY)
7f348042 1139 {
1140 if (abs(lf_av - lf_baseline) > 10)
1141 LED_D_ON();
1142 else
1143 LED_D_OFF();
1144 ++lf_count;
1145 lf_av_new= ReadAdc(ADC_CHAN_LF);
1146 // see if there's a significant change
c701d2c2 1147 if(abs(lf_av - lf_av_new) > 10)
7f348042 1148 {
1149 DbpString("LF 125/134 Field Change:");
1150 DbpIntegers(lf_av,lf_av_new,lf_count);
1151 lf_av= lf_av_new;
1152 lf_count= 0;
1153 }
1154 }
1155
c701d2c2 1156 if (limit != LF_ONLY)
7f348042 1157 {
1158 if (abs(hf_av - hf_baseline) > 10)
1159 LED_B_ON();
1160 else
1161 LED_B_OFF();
1162 ++hf_count;
1163 hf_av_new= ReadAdc(ADC_CHAN_HF);
1164 // see if there's a significant change
c701d2c2 1165 if(abs(hf_av - hf_av_new) > 10)
7f348042 1166 {
1167 DbpString("HF 13.56 Field Change:");
1168 DbpIntegers(hf_av,hf_av_new,hf_count);
1169 hf_av= hf_av_new;
1170 hf_count= 0;
1171 }
1172 }
1173 }
1174}
Proxmark3 GIT tracking
Impressum, Datenschutz