]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso15693.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
fix 'hf iclass reader' and 'hf iclass readblk'
[proxmark3-svn] / armsrc / iso15693.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
bd20f8f4 2// Jonathan Westhues, split Nov 2006
3// Modified by Greg Jones, Jan 2009
e6304bca 4// Modified by Adrian Dabrowski "atrox", Mar-Sept 2010,Oct 2011
a66f26da 5// Modified by piwi, Oct 2018
bd20f8f4 6//
7// This code is licensed to you under the terms of the GNU GPL, version 2 or,
8// at your option, any later version. See the LICENSE.txt file for the text of
9// the license.
10//-----------------------------------------------------------------------------
15c4dc5a 11// Routines to support ISO 15693. This includes both the reader software and
8c6cca0b 12// the `fake tag' modes.
15c4dc5a 13//-----------------------------------------------------------------------------
8c6cca0b 14
15// The ISO 15693 describes two transmission modes from reader to tag, and four
16// transmission modes from tag to reader. As of Oct 2018 this code supports
17// both reader modes and the high speed variant with one subcarrier from card to reader.
18// As long as the card fully support ISO 15693 this is no problem, since the
a66f26da 19// reader chooses both data rates, but some non-standard tags do not.
8c6cca0b 20// For card simulation, the code supports both high and low speed modes with one subcarrier.
9455b51c 21//
22// VCD (reader) -> VICC (tag)
23// 1 out of 256:
a66f26da 24// data rate: 1,66 kbit/s (fc/8192)
25// used for long range
9455b51c 26// 1 out of 4:
a66f26da 27// data rate: 26,48 kbit/s (fc/512)
28// used for short range, high speed
8c6cca0b 29//
9455b51c 30// VICC (tag) -> VCD (reader)
31// Modulation:
a66f26da 32// ASK / one subcarrier (423,75 khz)
33// FSK / two subcarriers (423,75 khz && 484,28 khz)
9455b51c 34// Data Rates / Modes:
a66f26da 35// low ASK: 6,62 kbit/s
36// low FSK: 6.67 kbit/s
37// high ASK: 26,48 kbit/s
38// high FSK: 26,69 kbit/s
9455b51c 39//-----------------------------------------------------------------------------
9455b51c 40
41
42// Random Remarks:
43// *) UID is always used "transmission order" (LSB), which is reverse to display order
44
45// TODO / BUGS / ISSUES:
8c6cca0b 46// *) signal decoding is unable to detect collisions.
47// *) add anti-collision support for inventory-commands
e6304bca 48// *) read security status of a block
8c6cca0b 49// *) sniffing and simulation do not support two subcarrier modes.
d9de20fa 50// *) remove or refactor code under "deprecated"
9455b51c 51// *) document all the functions
52
d9de20fa 53#include "iso15693.h"
bd20f8f4 54
e30c654b 55#include "proxmark3.h"
f7e3ed82 56#include "util.h"
15c4dc5a 57#include "apps.h"
9ab7a6c7 58#include "string.h"
9455b51c 59#include "iso15693tools.h"
8c6cca0b 60#include "protocols.h"
902cb3c0 61#include "cmd.h"
d9de20fa 62#include "BigBuf.h"
fc52fbd4 63#include "fpgaloader.h"
15c4dc5a 64
15c4dc5a 65#define arraylen(x) (sizeof(x)/sizeof((x)[0]))
66
c41dd5f9 67// Delays in SSP_CLK ticks.
68// SSP_CLK runs at 13,56MHz / 32 = 423.75kHz when simulating a tag
69#define DELAY_READER_TO_ARM 8
70#define DELAY_ARM_TO_READER 0
71//SSP_CLK runs at 13.56MHz / 4 = 3,39MHz when acting as reader. All values should be multiples of 16
72#define DELAY_TAG_TO_ARM 32
73#define DELAY_ARM_TO_TAG 16
74
70b2fc0a 75static int DEBUG = 0;
76
c41dd5f9 77
78// specific LogTrace function for ISO15693: the duration needs to be scaled because otherwise it won't fit into a uint16_t
79bool LogTrace_ISO15693(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag) {
80 uint32_t duration = timestamp_end - timestamp_start;
81 duration /= 32;
82 timestamp_end = timestamp_start + duration;
83 return LogTrace(btBytes, iLen, timestamp_start, timestamp_end, parity, readerToTag);
84}
85
86
9455b51c 87///////////////////////////////////////////////////////////////////////
88// ISO 15693 Part 2 - Air Interface
3d2c9c9b 89// This section basically contains transmission and receiving of bits
9455b51c 90///////////////////////////////////////////////////////////////////////
91
8c6cca0b 92// buffers
3d2c9c9b 93#define ISO15693_DMA_BUFFER_SIZE 2048 // must be a power of 2
d9de20fa 94#define ISO15693_MAX_RESPONSE_LENGTH 36 // allows read single block with the maximum block size of 256bits. Read multiple blocks not supported yet
95#define ISO15693_MAX_COMMAND_LENGTH 45 // allows write single block with the maximum block size of 256bits. Write multiple blocks not supported yet
8c6cca0b 96
9455b51c 97// ---------------------------
8c6cca0b 98// Signal Processing
9455b51c 99// ---------------------------
100
101// prepare data using "1 out of 4" code for later transmission
8c6cca0b 102// resulting data rate is 26.48 kbit/s (fc/512)
9455b51c 103// cmd ... data
104// n ... length of data
c41dd5f9 105void CodeIso15693AsReader(uint8_t *cmd, int n) {
15c4dc5a 106
107 ToSendReset();
108
9455b51c 109 // SOF for 1of4
c41dd5f9 110 ToSend[++ToSendMax] = 0x84; //10000100
111
112 // data
113 for (int i = 0; i < n; i++) {
114 for (int j = 0; j < 8; j += 2) {
115 int these = (cmd[i] >> j) & 0x03;
15c4dc5a 116 switch(these) {
117 case 0:
c41dd5f9 118 ToSend[++ToSendMax] = 0x40; //01000000
15c4dc5a 119 break;
120 case 1:
c41dd5f9 121 ToSend[++ToSendMax] = 0x10; //00010000
15c4dc5a 122 break;
123 case 2:
c41dd5f9 124 ToSend[++ToSendMax] = 0x04; //00000100
15c4dc5a 125 break;
126 case 3:
c41dd5f9 127 ToSend[++ToSendMax] = 0x01; //00000001
15c4dc5a 128 break;
129 }
130 }
131 }
a66f26da 132
c41dd5f9 133 // EOF
134 ToSend[++ToSendMax] = 0x20; //0010 + 0000 padding
ece38ef3 135
bdf96aae 136 ToSendMax++;
15c4dc5a 137}
138
70b2fc0a 139// encode data using "1 out of 256" scheme
8c6cca0b 140// data rate is 1,66 kbit/s (fc/8192)
9455b51c 141// is designed for more robust communication over longer distances
142static void CodeIso15693AsReader256(uint8_t *cmd, int n)
15c4dc5a 143{
9455b51c 144 ToSendReset();
145
9455b51c 146 // SOF for 1of256
c41dd5f9 147 ToSend[++ToSendMax] = 0x81; //10000001
148
149 // data
150 for(int i = 0; i < n; i++) {
151 for (int j = 0; j <= 255; j++) {
152 if (cmd[i] == j) {
9455b51c 153 ToSendStuffBit(0);
9455b51c 154 ToSendStuffBit(1);
c41dd5f9 155 } else {
156 ToSendStuffBit(0);
157 ToSendStuffBit(0);
8c6cca0b 158 }
159 }
15c4dc5a 160 }
c41dd5f9 161
9455b51c 162 // EOF
c41dd5f9 163 ToSend[++ToSendMax] = 0x20; //0010 + 0000 padding
8c6cca0b 164
165 ToSendMax++;
166}
167
168
3d2c9c9b 169// static uint8_t encode4Bits(const uint8_t b) {
170 // uint8_t c = b & 0xF;
171 // // OTA, the least significant bits first
172 // // The columns are
173 // // 1 - Bit value to send
174 // // 2 - Reversed (big-endian)
175 // // 3 - Manchester Encoded
176 // // 4 - Hex values
177
178 // switch(c){
179 // // 1 2 3 4
180 // case 15: return 0x55; // 1111 -> 1111 -> 01010101 -> 0x55
181 // case 14: return 0x95; // 1110 -> 0111 -> 10010101 -> 0x95
182 // case 13: return 0x65; // 1101 -> 1011 -> 01100101 -> 0x65
183 // case 12: return 0xa5; // 1100 -> 0011 -> 10100101 -> 0xa5
184 // case 11: return 0x59; // 1011 -> 1101 -> 01011001 -> 0x59
185 // case 10: return 0x99; // 1010 -> 0101 -> 10011001 -> 0x99
186 // case 9: return 0x69; // 1001 -> 1001 -> 01101001 -> 0x69
187 // case 8: return 0xa9; // 1000 -> 0001 -> 10101001 -> 0xa9
188 // case 7: return 0x56; // 0111 -> 1110 -> 01010110 -> 0x56
189 // case 6: return 0x96; // 0110 -> 0110 -> 10010110 -> 0x96
190 // case 5: return 0x66; // 0101 -> 1010 -> 01100110 -> 0x66
191 // case 4: return 0xa6; // 0100 -> 0010 -> 10100110 -> 0xa6
192 // case 3: return 0x5a; // 0011 -> 1100 -> 01011010 -> 0x5a
193 // case 2: return 0x9a; // 0010 -> 0100 -> 10011010 -> 0x9a
194 // case 1: return 0x6a; // 0001 -> 1000 -> 01101010 -> 0x6a
195 // default: return 0xaa; // 0000 -> 0000 -> 10101010 -> 0xaa
196
197 // }
198// }
199
8efd0b80 200static const uint8_t encode_4bits[16] = { 0xaa, 0x6a, 0x9a, 0x5a, 0xa6, 0x66, 0x96, 0x56, 0xa9, 0x69, 0x99, 0x59, 0xa5, 0x65, 0x95, 0x55 };
201
3d2c9c9b 202void CodeIso15693AsTag(uint8_t *cmd, size_t len) {
203 /*
204 * SOF comprises 3 parts;
205 * * An unmodulated time of 56.64 us
206 * * 24 pulses of 423.75 kHz (fc/32)
207 * * A logic 1, which starts with an unmodulated time of 18.88us
208 * followed by 8 pulses of 423.75kHz (fc/32)
209 *
210 * EOF comprises 3 parts:
211 * - A logic 0 (which starts with 8 pulses of fc/32 followed by an unmodulated
212 * time of 18.88us.
213 * - 24 pulses of fc/32
214 * - An unmodulated time of 56.64 us
215 *
216 * A logic 0 starts with 8 pulses of fc/32
217 * followed by an unmodulated time of 256/fc (~18,88us).
218 *
219 * A logic 0 starts with unmodulated time of 256/fc (~18,88us) followed by
220 * 8 pulses of fc/32 (also 18.88us)
221 *
222 * A bit here becomes 8 pulses of fc/32. Therefore:
223 * The SOF can be written as 00011101 = 0x1D
224 * The EOF can be written as 10111000 = 0xb8
225 * A logic 1 is 01
226 * A logic 0 is 10
227 *
228 * */
229
8c6cca0b 230 ToSendReset();
231
232 // SOF
3d2c9c9b 233 ToSend[++ToSendMax] = 0x1D; // 00011101
8c6cca0b 234
235 // data
8efd0b80 236 for (int i = 0; i < len; i++) {
237 ToSend[++ToSendMax] = encode_4bits[cmd[i] & 0xF];
238 ToSend[++ToSendMax] = encode_4bits[cmd[i] >> 4];
8c6cca0b 239 }
240
241 // EOF
3d2c9c9b 242 ToSend[++ToSendMax] = 0xB8; // 10111000
8c6cca0b 243
244 ToSendMax++;
15c4dc5a 245}
246
9455b51c 247
70b2fc0a 248// Transmit the command (to the tag) that was placed in cmd[].
c41dd5f9 249void TransmitTo15693Tag(const uint8_t *cmd, int len, uint32_t *start_time) {
250
5ea2a248 251 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_FULL_MOD);
ece38ef3 252
253 if (*start_time < DELAY_ARM_TO_TAG) {
254 *start_time = DELAY_ARM_TO_TAG;
255 }
256
c41dd5f9 257 *start_time = (*start_time - DELAY_ARM_TO_TAG) & 0xfffffff0;
258
259 while (GetCountSspClk() > *start_time) { // we may miss the intended time
260 *start_time += 16; // next possible time
261 }
15c4dc5a 262
ece38ef3 263
c41dd5f9 264 while (GetCountSspClk() < *start_time)
265 /* wait */ ;
d9de20fa 266
70b2fc0a 267 LED_B_ON();
c41dd5f9 268 for (int c = 0; c < len; c++) {
5ea2a248 269 uint8_t data = cmd[c];
270 for (int i = 0; i < 8; i++) {
c41dd5f9 271 uint16_t send_word = (data & 0x80) ? 0xffff : 0x0000;
5ea2a248 272 while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) ;
273 AT91C_BASE_SSC->SSC_THR = send_word;
274 while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) ;
275 AT91C_BASE_SSC->SSC_THR = send_word;
c41dd5f9 276
5ea2a248 277 data <<= 1;
278 }
279 WDT_HIT();
280 }
70b2fc0a 281 LED_B_OFF();
ece38ef3 282
c41dd5f9 283 *start_time = *start_time + DELAY_ARM_TO_TAG;
284
15c4dc5a 285}
286
5ea2a248 287
15c4dc5a 288//-----------------------------------------------------------------------------
8c6cca0b 289// Transmit the tag response (to the reader) that was placed in cmd[].
15c4dc5a 290//-----------------------------------------------------------------------------
8efd0b80 291void TransmitTo15693Reader(const uint8_t *cmd, size_t len, uint32_t *start_time, uint32_t slot_time, bool slow) {
8c6cca0b 292 // don't use the FPGA_HF_SIMULATOR_MODULATE_424K_8BIT minor mode. It would spoil GetCountSspClk()
70b2fc0a 293 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_424K);
15c4dc5a 294
c41dd5f9 295 uint32_t modulation_start_time = *start_time - DELAY_ARM_TO_READER + 3 * 8; // no need to transfer the unmodulated start of SOF
ece38ef3 296
8efd0b80 297 while (GetCountSspClk() > (modulation_start_time & 0xfffffff8) + 3) { // we will miss the intended time
298 if (slot_time) {
299 modulation_start_time += slot_time; // use next available slot
300 } else {
301 modulation_start_time = (modulation_start_time & 0xfffffff8) + 8; // next possible time
302 }
303 }
304
ece38ef3 305 while (GetCountSspClk() < (modulation_start_time & 0xfffffff8))
8efd0b80 306 /* wait */ ;
8c6cca0b 307
8efd0b80 308 uint8_t shift_delay = modulation_start_time & 0x00000007;
309
c41dd5f9 310 *start_time = modulation_start_time + DELAY_ARM_TO_READER - 3 * 8;
d9de20fa 311
70b2fc0a 312 LED_C_ON();
8c6cca0b 313 uint8_t bits_to_shift = 0x00;
3d2c9c9b 314 uint8_t bits_to_send = 0x00;
8efd0b80 315 for (size_t c = 0; c < len; c++) {
316 for (int i = (c==0?4:7); i >= 0; i--) {
3d2c9c9b 317 uint8_t cmd_bits = ((cmd[c] >> i) & 0x01) ? 0xff : 0x00;
8c6cca0b 318 for (int j = 0; j < (slow?4:1); ) {
319 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
a66f26da 320 bits_to_send = bits_to_shift << (8 - shift_delay) | cmd_bits >> shift_delay;
3d2c9c9b 321 AT91C_BASE_SSC->SSC_THR = bits_to_send;
a66f26da 322 bits_to_shift = cmd_bits;
8c6cca0b 323 j++;
324 }
8c6cca0b 325 }
a66f26da 326 }
3d2c9c9b 327 WDT_HIT();
a66f26da 328 }
3d2c9c9b 329 // send the remaining bits, padded with 0:
330 bits_to_send = bits_to_shift << (8 - shift_delay);
331 for ( ; ; ) {
332 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
333 AT91C_BASE_SSC->SSC_THR = bits_to_send;
334 break;
335 }
336 }
70b2fc0a 337 LED_C_OFF();
15c4dc5a 338}
339
9455b51c 340
70b2fc0a 341//=============================================================================
8c6cca0b 342// An ISO 15693 decoder for tag responses (one subcarrier only).
d9de20fa 343// Uses cross correlation to identify each bit and EOF.
70b2fc0a 344// This function is called 8 times per bit (every 2 subcarrier cycles).
8c6cca0b 345// Subcarrier frequency fs is 424kHz, 1/fs = 2,36us,
70b2fc0a 346// i.e. function is called every 4,72us
347// LED handling:
348// LED C -> ON once we have received the SOF and are expecting the rest.
349// LED C -> OFF once we have received EOF or are unsynced
350//
351// Returns: true if we received a EOF
352// false if we are still waiting for some more
353//=============================================================================
354
c41dd5f9 355#define NOISE_THRESHOLD 160 // don't try to correlate noise
356#define MAX_PREVIOUS_AMPLITUDE (-1 - NOISE_THRESHOLD)
70b2fc0a 357
8c6cca0b 358typedef struct DecodeTag {
70b2fc0a 359 enum {
d9de20fa 360 STATE_TAG_SOF_LOW,
c41dd5f9 361 STATE_TAG_SOF_RISING_EDGE,
d9de20fa 362 STATE_TAG_SOF_HIGH,
363 STATE_TAG_SOF_HIGH_END,
8c6cca0b 364 STATE_TAG_RECEIVING_DATA,
c41dd5f9 365 STATE_TAG_EOF,
366 STATE_TAG_EOF_TAIL
70b2fc0a 367 } state;
368 int bitCount;
369 int posCount;
370 enum {
371 LOGIC0,
372 LOGIC1,
373 SOF_PART1,
374 SOF_PART2
375 } lastBit;
376 uint16_t shiftReg;
d9de20fa 377 uint16_t max_len;
70b2fc0a 378 uint8_t *output;
379 int len;
380 int sum1, sum2;
c41dd5f9 381 int threshold_sof;
382 int threshold_half;
383 uint16_t previous_amplitude;
8c6cca0b 384} DecodeTag_t;
70b2fc0a 385
d9de20fa 386
387static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint16_t amplitude, DecodeTag_t *DecodeTag)
15c4dc5a 388{
8c6cca0b 389 switch(DecodeTag->state) {
a66f26da 390 case STATE_TAG_SOF_LOW:
c41dd5f9 391 // waiting for a rising edge
392 if (amplitude > NOISE_THRESHOLD + DecodeTag->previous_amplitude) {
d9de20fa 393 if (DecodeTag->posCount > 10) {
c41dd5f9 394 DecodeTag->threshold_sof = amplitude - DecodeTag->previous_amplitude;
395 DecodeTag->threshold_half = 0;
396 DecodeTag->state = STATE_TAG_SOF_RISING_EDGE;
d9de20fa 397 } else {
398 DecodeTag->posCount = 0;
399 }
c41dd5f9 400 } else {
401 DecodeTag->posCount++;
402 DecodeTag->previous_amplitude = amplitude;
15c4dc5a 403 }
d9de20fa 404 break;
a66f26da 405
c41dd5f9 406 case STATE_TAG_SOF_RISING_EDGE:
407 if (amplitude - DecodeTag->previous_amplitude > DecodeTag->threshold_sof) { // edge still rising
408 if (amplitude - DecodeTag->threshold_sof > DecodeTag->threshold_sof) { // steeper edge, take this as time reference
409 DecodeTag->posCount = 1;
410 } else {
411 DecodeTag->posCount = 2;
412 }
413 DecodeTag->threshold_sof = (amplitude - DecodeTag->previous_amplitude) / 2;
414 } else {
415 DecodeTag->posCount = 2;
416 DecodeTag->threshold_sof = DecodeTag->threshold_sof/2;
417 }
418 // DecodeTag->posCount = 2;
419 DecodeTag->state = STATE_TAG_SOF_HIGH;
420 break;
ece38ef3 421
d9de20fa 422 case STATE_TAG_SOF_HIGH:
423 // waiting for 10 times high. Take average over the last 8
c41dd5f9 424 if (amplitude > DecodeTag->threshold_sof) {
d9de20fa 425 DecodeTag->posCount++;
426 if (DecodeTag->posCount > 2) {
c41dd5f9 427 DecodeTag->threshold_half += amplitude; // keep track of average high value
d9de20fa 428 }
429 if (DecodeTag->posCount == 10) {
c41dd5f9 430 DecodeTag->threshold_half >>= 2; // (4 times 1/2 average)
d9de20fa 431 DecodeTag->state = STATE_TAG_SOF_HIGH_END;
432 }
433 } else { // high phase was too short
434 DecodeTag->posCount = 1;
ece38ef3 435 DecodeTag->previous_amplitude = amplitude;
d9de20fa 436 DecodeTag->state = STATE_TAG_SOF_LOW;
70b2fc0a 437 }
70b2fc0a 438 break;
439
d9de20fa 440 case STATE_TAG_SOF_HIGH_END:
c41dd5f9 441 // check for falling edge
442 if (DecodeTag->posCount == 13 && amplitude < DecodeTag->threshold_sof) {
d9de20fa 443 DecodeTag->lastBit = SOF_PART1; // detected 1st part of SOF (12 samples low and 12 samples high)
444 DecodeTag->shiftReg = 0;
445 DecodeTag->bitCount = 0;
446 DecodeTag->len = 0;
447 DecodeTag->sum1 = amplitude;
8c6cca0b 448 DecodeTag->sum2 = 0;
449 DecodeTag->posCount = 2;
450 DecodeTag->state = STATE_TAG_RECEIVING_DATA;
ece38ef3 451 FpgaDisableTracing(); // DEBUGGING
452 Dbprintf("amplitude = %d, threshold_sof = %d, threshold_half/4 = %d, previous_amplitude = %d",
453 amplitude,
454 DecodeTag->threshold_sof,
455 DecodeTag->threshold_half/4,
456 DecodeTag->previous_amplitude); // DEBUGGING
70b2fc0a 457 LED_C_ON();
d9de20fa 458 } else {
459 DecodeTag->posCount++;
460 if (DecodeTag->posCount > 13) { // high phase too long
461 DecodeTag->posCount = 0;
ece38ef3 462 DecodeTag->previous_amplitude = amplitude;
d9de20fa 463 DecodeTag->state = STATE_TAG_SOF_LOW;
464 LED_C_OFF();
465 }
70b2fc0a 466 }
70b2fc0a 467 break;
15c4dc5a 468
8c6cca0b 469 case STATE_TAG_RECEIVING_DATA:
470 if (DecodeTag->posCount == 1) {
471 DecodeTag->sum1 = 0;
472 DecodeTag->sum2 = 0;
70b2fc0a 473 }
8c6cca0b 474 if (DecodeTag->posCount <= 4) {
d9de20fa 475 DecodeTag->sum1 += amplitude;
70b2fc0a 476 } else {
d9de20fa 477 DecodeTag->sum2 += amplitude;
70b2fc0a 478 }
8c6cca0b 479 if (DecodeTag->posCount == 8) {
c41dd5f9 480 if (DecodeTag->sum1 > DecodeTag->threshold_half && DecodeTag->sum2 > DecodeTag->threshold_half) { // modulation in both halves
d9de20fa 481 if (DecodeTag->lastBit == LOGIC0) { // this was already part of EOF
482 DecodeTag->state = STATE_TAG_EOF;
483 } else {
484 DecodeTag->posCount = 0;
ece38ef3 485 DecodeTag->previous_amplitude = amplitude;
d9de20fa 486 DecodeTag->state = STATE_TAG_SOF_LOW;
487 LED_C_OFF();
488 }
c41dd5f9 489 } else if (DecodeTag->sum1 < DecodeTag->threshold_half && DecodeTag->sum2 > DecodeTag->threshold_half) { // modulation in second half
70b2fc0a 490 // logic 1
8c6cca0b 491 if (DecodeTag->lastBit == SOF_PART1) { // still part of SOF
d9de20fa 492 DecodeTag->lastBit = SOF_PART2; // SOF completed
70b2fc0a 493 } else {
8c6cca0b 494 DecodeTag->lastBit = LOGIC1;
495 DecodeTag->shiftReg >>= 1;
496 DecodeTag->shiftReg |= 0x80;
497 DecodeTag->bitCount++;
498 if (DecodeTag->bitCount == 8) {
499 DecodeTag->output[DecodeTag->len] = DecodeTag->shiftReg;
500 DecodeTag->len++;
c41dd5f9 501 // if (DecodeTag->shiftReg == 0x12 && DecodeTag->len == 1) FpgaDisableTracing(); // DEBUGGING
d9de20fa 502 if (DecodeTag->len > DecodeTag->max_len) {
503 // buffer overflow, give up
d9de20fa 504 LED_C_OFF();
c41dd5f9 505 return true;
d9de20fa 506 }
8c6cca0b 507 DecodeTag->bitCount = 0;
508 DecodeTag->shiftReg = 0;
70b2fc0a 509 }
510 }
c41dd5f9 511 } else if (DecodeTag->sum1 > DecodeTag->threshold_half && DecodeTag->sum2 < DecodeTag->threshold_half) { // modulation in first half
70b2fc0a 512 // logic 0
8c6cca0b 513 if (DecodeTag->lastBit == SOF_PART1) { // incomplete SOF
d9de20fa 514 DecodeTag->posCount = 0;
ece38ef3 515 DecodeTag->previous_amplitude = amplitude;
d9de20fa 516 DecodeTag->state = STATE_TAG_SOF_LOW;
70b2fc0a 517 LED_C_OFF();
518 } else {
8c6cca0b 519 DecodeTag->lastBit = LOGIC0;
520 DecodeTag->shiftReg >>= 1;
521 DecodeTag->bitCount++;
522 if (DecodeTag->bitCount == 8) {
523 DecodeTag->output[DecodeTag->len] = DecodeTag->shiftReg;
524 DecodeTag->len++;
c41dd5f9 525 // if (DecodeTag->shiftReg == 0x12 && DecodeTag->len == 1) FpgaDisableTracing(); // DEBUGGING
d9de20fa 526 if (DecodeTag->len > DecodeTag->max_len) {
527 // buffer overflow, give up
528 DecodeTag->posCount = 0;
ece38ef3 529 DecodeTag->previous_amplitude = amplitude;
d9de20fa 530 DecodeTag->state = STATE_TAG_SOF_LOW;
531 LED_C_OFF();
532 }
8c6cca0b 533 DecodeTag->bitCount = 0;
534 DecodeTag->shiftReg = 0;
70b2fc0a 535 }
536 }
c41dd5f9 537 } else { // no modulation
538 if (DecodeTag->lastBit == SOF_PART2) { // only SOF (this is OK for iClass)
539 LED_C_OFF();
540 return true;
541 } else {
542 DecodeTag->posCount = 0;
543 DecodeTag->state = STATE_TAG_SOF_LOW;
544 LED_C_OFF();
545 }
70b2fc0a 546 }
8c6cca0b 547 DecodeTag->posCount = 0;
70b2fc0a 548 }
8c6cca0b 549 DecodeTag->posCount++;
70b2fc0a 550 break;
8c6cca0b 551
d9de20fa 552 case STATE_TAG_EOF:
553 if (DecodeTag->posCount == 1) {
554 DecodeTag->sum1 = 0;
555 DecodeTag->sum2 = 0;
556 }
557 if (DecodeTag->posCount <= 4) {
558 DecodeTag->sum1 += amplitude;
70b2fc0a 559 } else {
d9de20fa 560 DecodeTag->sum2 += amplitude;
70b2fc0a 561 }
d9de20fa 562 if (DecodeTag->posCount == 8) {
c41dd5f9 563 if (DecodeTag->sum1 > DecodeTag->threshold_half && DecodeTag->sum2 < DecodeTag->threshold_half) { // modulation in first half
d9de20fa 564 DecodeTag->posCount = 0;
c41dd5f9 565 DecodeTag->state = STATE_TAG_EOF_TAIL;
566 } else {
567 DecodeTag->posCount = 0;
ece38ef3 568 DecodeTag->previous_amplitude = amplitude;
d9de20fa 569 DecodeTag->state = STATE_TAG_SOF_LOW;
570 LED_C_OFF();
c41dd5f9 571 }
572 }
573 DecodeTag->posCount++;
574 break;
575
576 case STATE_TAG_EOF_TAIL:
577 if (DecodeTag->posCount == 1) {
578 DecodeTag->sum1 = 0;
579 DecodeTag->sum2 = 0;
580 }
581 if (DecodeTag->posCount <= 4) {
582 DecodeTag->sum1 += amplitude;
583 } else {
584 DecodeTag->sum2 += amplitude;
585 }
586 if (DecodeTag->posCount == 8) {
587 if (DecodeTag->sum1 < DecodeTag->threshold_half && DecodeTag->sum2 < DecodeTag->threshold_half) { // no modulation in both halves
d9de20fa 588 LED_C_OFF();
589 return true;
c41dd5f9 590 } else {
591 DecodeTag->posCount = 0;
ece38ef3 592 DecodeTag->previous_amplitude = amplitude;
c41dd5f9 593 DecodeTag->state = STATE_TAG_SOF_LOW;
594 LED_C_OFF();
d9de20fa 595 }
596 }
597 DecodeTag->posCount++;
70b2fc0a 598 break;
15c4dc5a 599 }
15c4dc5a 600
70b2fc0a 601 return false;
602}
15c4dc5a 603
15c4dc5a 604
ece38ef3 605static void DecodeTagInit(DecodeTag_t *DecodeTag, uint8_t *data, uint16_t max_len) {
c41dd5f9 606 DecodeTag->previous_amplitude = MAX_PREVIOUS_AMPLITUDE;
d9de20fa 607 DecodeTag->posCount = 0;
608 DecodeTag->state = STATE_TAG_SOF_LOW;
8c6cca0b 609 DecodeTag->output = data;
d9de20fa 610 DecodeTag->max_len = max_len;
611}
612
613
ece38ef3 614static void DecodeTagReset(DecodeTag_t *DecodeTag) {
d9de20fa 615 DecodeTag->posCount = 0;
616 DecodeTag->state = STATE_TAG_SOF_LOW;
c41dd5f9 617 DecodeTag->previous_amplitude = MAX_PREVIOUS_AMPLITUDE;
70b2fc0a 618}
619
d9de20fa 620
70b2fc0a 621/*
8c6cca0b 622 * Receive and decode the tag response, also log to tracebuffer
70b2fc0a 623 */
c41dd5f9 624int GetIso15693AnswerFromTag(uint8_t* response, uint16_t max_len, uint16_t timeout, uint32_t *eof_time) {
625
d9de20fa 626 int samples = 0;
c41dd5f9 627 int ret = 0;
70b2fc0a 628
c41dd5f9 629 uint16_t dmaBuf[ISO15693_DMA_BUFFER_SIZE];
a66f26da 630
8c6cca0b 631 // the Decoder data structure
d9de20fa 632 DecodeTag_t DecodeTag = { 0 };
633 DecodeTagInit(&DecodeTag, response, max_len);
70b2fc0a 634
635 // wait for last transfer to complete
636 while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY));
637
638 // And put the FPGA in the appropriate mode
5ea2a248 639 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_424_KHZ | FPGA_HF_READER_MODE_RECEIVE_AMPLITUDE);
70b2fc0a 640
641 // Setup and start DMA.
5ea2a248 642 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
70b2fc0a 643 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE);
c41dd5f9 644 uint32_t dma_start_time = 0;
70b2fc0a 645 uint16_t *upTo = dmaBuf;
70b2fc0a 646
647 for(;;) {
d9de20fa 648 uint16_t behindBy = ((uint16_t*)AT91C_BASE_PDC_SSC->PDC_RPR - upTo) & (ISO15693_DMA_BUFFER_SIZE-1);
70b2fc0a 649
d9de20fa 650 if (behindBy == 0) continue;
8c6cca0b 651
c41dd5f9 652 samples++;
653 if (samples == 1) {
ece38ef3 654 // DMA has transferred the very first data
c41dd5f9 655 dma_start_time = GetCountSspClk() & 0xfffffff0;
656 }
ece38ef3 657
d9de20fa 658 uint16_t tagdata = *upTo++;
70b2fc0a 659
70b2fc0a 660 if(upTo >= dmaBuf + ISO15693_DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content.
661 upTo = dmaBuf; // start reading the circular buffer from the beginning
d9de20fa 662 if(behindBy > (9*ISO15693_DMA_BUFFER_SIZE/10)) {
663 Dbprintf("About to blow circular buffer - aborted! behindBy=%d", behindBy);
c41dd5f9 664 ret = -1;
d9de20fa 665 break;
666 }
15c4dc5a 667 }
70b2fc0a 668 if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { // DMA Counter Register had reached 0, already rotated.
669 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; // refresh the DMA Next Buffer and
670 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO15693_DMA_BUFFER_SIZE; // DMA Next Counter registers
15c4dc5a 671 }
d9de20fa 672
d9de20fa 673 if (Handle15693SamplesFromTag(tagdata, &DecodeTag)) {
c41dd5f9 674 *eof_time = dma_start_time + samples*16 - DELAY_TAG_TO_ARM; // end of EOF
675 if (DecodeTag.lastBit == SOF_PART2) {
676 *eof_time -= 8*16; // needed 8 additional samples to confirm single SOF (iCLASS)
677 }
678 if (DecodeTag.len > DecodeTag.max_len) {
679 ret = -2; // buffer overflow
680 }
70b2fc0a 681 break;
682 }
15c4dc5a 683
d9de20fa 684 if (samples > timeout && DecodeTag.state < STATE_TAG_RECEIVING_DATA) {
ece38ef3 685 ret = -1; // timeout
70b2fc0a 686 break;
687 }
8c6cca0b 688
70b2fc0a 689 }
690
691 FpgaDisableSscDma();
a66f26da 692
c41dd5f9 693 if (DEBUG) Dbprintf("samples = %d, ret = %d, Decoder: state = %d, lastBit = %d, len = %d, bitCount = %d, posCount = %d",
694 samples, ret, DecodeTag.state, DecodeTag.lastBit, DecodeTag.len, DecodeTag.bitCount, DecodeTag.posCount);
70b2fc0a 695
c41dd5f9 696 if (ret < 0) {
697 return ret;
70b2fc0a 698 }
699
c41dd5f9 700 uint32_t sof_time = *eof_time
701 - DecodeTag.len * 8 * 8 * 16 // time for byte transfers
702 - 32 * 16 // time for SOF transfer
703 - (DecodeTag.lastBit != SOF_PART2?32*16:0); // time for EOF transfer
ece38ef3 704
c41dd5f9 705 if (DEBUG) Dbprintf("timing: sof_time = %d, eof_time = %d", sof_time, *eof_time);
ece38ef3 706
c41dd5f9 707 LogTrace_ISO15693(DecodeTag.output, DecodeTag.len, sof_time*4, *eof_time*4, NULL, false);
708
8c6cca0b 709 return DecodeTag.len;
15c4dc5a 710}
711
9455b51c 712
8c6cca0b 713//=============================================================================
714// An ISO15693 decoder for reader commands.
715//
716// This function is called 4 times per bit (every 2 subcarrier cycles).
717// Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 2,36us
718// LED handling:
719// LED B -> ON once we have received the SOF and are expecting the rest.
720// LED B -> OFF once we have received EOF or are in error state or unsynced
721//
722// Returns: true if we received a EOF
723// false if we are still waiting for some more
724//=============================================================================
725
726typedef struct DecodeReader {
727 enum {
728 STATE_READER_UNSYNCD,
5b12974a 729 STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF,
8c6cca0b 730 STATE_READER_AWAIT_1ST_RISING_EDGE_OF_SOF,
731 STATE_READER_AWAIT_2ND_FALLING_EDGE_OF_SOF,
732 STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF,
733 STATE_READER_AWAIT_END_OF_SOF_1_OUT_OF_4,
734 STATE_READER_RECEIVE_DATA_1_OUT_OF_4,
735 STATE_READER_RECEIVE_DATA_1_OUT_OF_256
736 } state;
737 enum {
738 CODING_1_OUT_OF_4,
739 CODING_1_OUT_OF_256
740 } Coding;
741 uint8_t shiftReg;
742 uint8_t bitCount;
743 int byteCount;
744 int byteCountMax;
745 int posCount;
a66f26da 746 int sum1, sum2;
8c6cca0b 747 uint8_t *output;
748} DecodeReader_t;
749
750
d9de20fa 751static void DecodeReaderInit(DecodeReader_t* DecodeReader, uint8_t *data, uint16_t max_len)
752{
753 DecodeReader->output = data;
754 DecodeReader->byteCountMax = max_len;
755 DecodeReader->state = STATE_READER_UNSYNCD;
756 DecodeReader->byteCount = 0;
757 DecodeReader->bitCount = 0;
758 DecodeReader->posCount = 1;
759 DecodeReader->shiftReg = 0;
760}
761
762
763static void DecodeReaderReset(DecodeReader_t* DecodeReader)
764{
765 DecodeReader->state = STATE_READER_UNSYNCD;
766}
767
768
769static int inline __attribute__((always_inline)) Handle15693SampleFromReader(uint8_t bit, DecodeReader_t *restrict DecodeReader)
15c4dc5a 770{
3d2c9c9b 771 switch (DecodeReader->state) {
8c6cca0b 772 case STATE_READER_UNSYNCD:
5b12974a 773 // wait for unmodulated carrier
774 if (bit) {
775 DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF;
776 }
777 break;
778
779 case STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF:
3d2c9c9b 780 if (!bit) {
8c6cca0b 781 // we went low, so this could be the beginning of a SOF
8c6cca0b 782 DecodeReader->posCount = 1;
d9de20fa 783 DecodeReader->state = STATE_READER_AWAIT_1ST_RISING_EDGE_OF_SOF;
8c6cca0b 784 }
785 break;
15c4dc5a 786
8c6cca0b 787 case STATE_READER_AWAIT_1ST_RISING_EDGE_OF_SOF:
788 DecodeReader->posCount++;
3d2c9c9b 789 if (bit) { // detected rising edge
790 if (DecodeReader->posCount < 4) { // rising edge too early (nominally expected at 5)
5b12974a 791 DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF;
8c6cca0b 792 } else { // SOF
793 DecodeReader->state = STATE_READER_AWAIT_2ND_FALLING_EDGE_OF_SOF;
794 }
795 } else {
3d2c9c9b 796 if (DecodeReader->posCount > 5) { // stayed low for too long
d9de20fa 797 DecodeReaderReset(DecodeReader);
8c6cca0b 798 } else {
799 // do nothing, keep waiting
800 }
801 }
802 break;
803
804 case STATE_READER_AWAIT_2ND_FALLING_EDGE_OF_SOF:
805 DecodeReader->posCount++;
3d2c9c9b 806 if (!bit) { // detected a falling edge
8c6cca0b 807 if (DecodeReader->posCount < 20) { // falling edge too early (nominally expected at 21 earliest)
d9de20fa 808 DecodeReaderReset(DecodeReader);
8c6cca0b 809 } else if (DecodeReader->posCount < 23) { // SOF for 1 out of 4 coding
810 DecodeReader->Coding = CODING_1_OUT_OF_4;
811 DecodeReader->state = STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF;
812 } else if (DecodeReader->posCount < 28) { // falling edge too early (nominally expected at 29 latest)
d9de20fa 813 DecodeReaderReset(DecodeReader);
5b12974a 814 } else { // SOF for 1 out of 256 coding
8c6cca0b 815 DecodeReader->Coding = CODING_1_OUT_OF_256;
816 DecodeReader->state = STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF;
817 }
818 } else {
3d2c9c9b 819 if (DecodeReader->posCount > 29) { // stayed high for too long
5b12974a 820 DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF;
8c6cca0b 821 } else {
822 // do nothing, keep waiting
823 }
824 }
825 break;
826
827 case STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF:
828 DecodeReader->posCount++;
829 if (bit) { // detected rising edge
830 if (DecodeReader->Coding == CODING_1_OUT_OF_256) {
831 if (DecodeReader->posCount < 32) { // rising edge too early (nominally expected at 33)
5b12974a 832 DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF;
8c6cca0b 833 } else {
834 DecodeReader->posCount = 1;
835 DecodeReader->bitCount = 0;
836 DecodeReader->byteCount = 0;
837 DecodeReader->sum1 = 1;
838 DecodeReader->state = STATE_READER_RECEIVE_DATA_1_OUT_OF_256;
839 LED_B_ON();
840 }
841 } else { // CODING_1_OUT_OF_4
842 if (DecodeReader->posCount < 24) { // rising edge too early (nominally expected at 25)
5b12974a 843 DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF;
8c6cca0b 844 } else {
5b12974a 845 DecodeReader->posCount = 1;
8c6cca0b 846 DecodeReader->state = STATE_READER_AWAIT_END_OF_SOF_1_OUT_OF_4;
847 }
848 }
849 } else {
850 if (DecodeReader->Coding == CODING_1_OUT_OF_256) {
851 if (DecodeReader->posCount > 34) { // signal stayed low for too long
5b12974a 852 DecodeReaderReset(DecodeReader);
8c6cca0b 853 } else {
854 // do nothing, keep waiting
855 }
856 } else { // CODING_1_OUT_OF_4
857 if (DecodeReader->posCount > 26) { // signal stayed low for too long
5b12974a 858 DecodeReaderReset(DecodeReader);
8c6cca0b 859 } else {
860 // do nothing, keep waiting
861 }
862 }
863 }
864 break;
865
866 case STATE_READER_AWAIT_END_OF_SOF_1_OUT_OF_4:
867 DecodeReader->posCount++;
868 if (bit) {
5b12974a 869 if (DecodeReader->posCount == 9) {
8c6cca0b 870 DecodeReader->posCount = 1;
871 DecodeReader->bitCount = 0;
872 DecodeReader->byteCount = 0;
873 DecodeReader->sum1 = 1;
874 DecodeReader->state = STATE_READER_RECEIVE_DATA_1_OUT_OF_4;
875 LED_B_ON();
876 } else {
877 // do nothing, keep waiting
878 }
879 } else { // unexpected falling edge
d9de20fa 880 DecodeReaderReset(DecodeReader);
8c6cca0b 881 }
882 break;
883
884 case STATE_READER_RECEIVE_DATA_1_OUT_OF_4:
e49d31c0 885 bit = !!bit;
8c6cca0b 886 DecodeReader->posCount++;
887 if (DecodeReader->posCount == 1) {
888 DecodeReader->sum1 = bit;
889 } else if (DecodeReader->posCount <= 4) {
890 DecodeReader->sum1 += bit;
891 } else if (DecodeReader->posCount == 5) {
892 DecodeReader->sum2 = bit;
893 } else {
894 DecodeReader->sum2 += bit;
895 }
896 if (DecodeReader->posCount == 8) {
897 DecodeReader->posCount = 0;
e49d31c0 898 if (DecodeReader->sum1 <= 1 && DecodeReader->sum2 >= 3) { // EOF
8c6cca0b 899 LED_B_OFF(); // Finished receiving
d9de20fa 900 DecodeReaderReset(DecodeReader);
8c6cca0b 901 if (DecodeReader->byteCount != 0) {
902 return true;
903 }
904 }
e49d31c0 905 if (DecodeReader->sum1 >= 3 && DecodeReader->sum2 <= 1) { // detected a 2bit position
8c6cca0b 906 DecodeReader->shiftReg >>= 2;
907 DecodeReader->shiftReg |= (DecodeReader->bitCount << 6);
908 }
909 if (DecodeReader->bitCount == 15) { // we have a full byte
910 DecodeReader->output[DecodeReader->byteCount++] = DecodeReader->shiftReg;
911 if (DecodeReader->byteCount > DecodeReader->byteCountMax) {
912 // buffer overflow, give up
913 LED_B_OFF();
d9de20fa 914 DecodeReaderReset(DecodeReader);
8c6cca0b 915 }
916 DecodeReader->bitCount = 0;
d9de20fa 917 DecodeReader->shiftReg = 0;
8c6cca0b 918 } else {
919 DecodeReader->bitCount++;
920 }
921 }
922 break;
923
924 case STATE_READER_RECEIVE_DATA_1_OUT_OF_256:
e49d31c0 925 bit = !!bit;
8c6cca0b 926 DecodeReader->posCount++;
927 if (DecodeReader->posCount == 1) {
928 DecodeReader->sum1 = bit;
929 } else if (DecodeReader->posCount <= 4) {
930 DecodeReader->sum1 += bit;
931 } else if (DecodeReader->posCount == 5) {
932 DecodeReader->sum2 = bit;
933 } else {
934 DecodeReader->sum2 += bit;
935 }
936 if (DecodeReader->posCount == 8) {
937 DecodeReader->posCount = 0;
e49d31c0 938 if (DecodeReader->sum1 <= 1 && DecodeReader->sum2 >= 3) { // EOF
8c6cca0b 939 LED_B_OFF(); // Finished receiving
d9de20fa 940 DecodeReaderReset(DecodeReader);
8c6cca0b 941 if (DecodeReader->byteCount != 0) {
942 return true;
943 }
944 }
e49d31c0 945 if (DecodeReader->sum1 >= 3 && DecodeReader->sum2 <= 1) { // detected the bit position
8c6cca0b 946 DecodeReader->shiftReg = DecodeReader->bitCount;
947 }
948 if (DecodeReader->bitCount == 255) { // we have a full byte
949 DecodeReader->output[DecodeReader->byteCount++] = DecodeReader->shiftReg;
950 if (DecodeReader->byteCount > DecodeReader->byteCountMax) {
951 // buffer overflow, give up
952 LED_B_OFF();
d9de20fa 953 DecodeReaderReset(DecodeReader);
8c6cca0b 954 }
955 }
956 DecodeReader->bitCount++;
957 }
958 break;
959
960 default:
961 LED_B_OFF();
d9de20fa 962 DecodeReaderReset(DecodeReader);
8c6cca0b 963 break;
15c4dc5a 964 }
8c6cca0b 965
966 return false;
967}
968
969
8c6cca0b 970//-----------------------------------------------------------------------------
971// Receive a command (from the reader to us, where we are the simulated tag),
972// and store it in the given buffer, up to the given maximum length. Keeps
973// spinning, waiting for a well-framed command, until either we get one
3d2c9c9b 974// (returns len) or someone presses the pushbutton on the board (returns -1).
8c6cca0b 975//
976// Assume that we're called with the SSC (to the FPGA) and ADC path set
977// correctly.
978//-----------------------------------------------------------------------------
979
3d2c9c9b 980int GetIso15693CommandFromReader(uint8_t *received, size_t max_len, uint32_t *eof_time) {
d9de20fa 981 int samples = 0;
8c6cca0b 982 bool gotFrame = false;
983 uint8_t b;
984
3d2c9c9b 985 uint8_t dmaBuf[ISO15693_DMA_BUFFER_SIZE];
8c6cca0b 986
987 // the decoder data structure
6eeb5f1c 988 DecodeReader_t DecodeReader = {0};
d9de20fa 989 DecodeReaderInit(&DecodeReader, received, max_len);
8c6cca0b 990
991 // wait for last transfer to complete
992 while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY));
993
70b2fc0a 994 LED_D_OFF();
8c6cca0b 995 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
15c4dc5a 996
8c6cca0b 997 // clear receive register and wait for next transfer
998 uint32_t temp = AT91C_BASE_SSC->SSC_RHR;
999 (void) temp;
1000 while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)) ;
15c4dc5a 1001
3d2c9c9b 1002 uint32_t dma_start_time = GetCountSspClk() & 0xfffffff8;
15c4dc5a 1003
8c6cca0b 1004 // Setup and start DMA.
1005 FpgaSetupSscDma(dmaBuf, ISO15693_DMA_BUFFER_SIZE);
1006 uint8_t *upTo = dmaBuf;
15c4dc5a 1007
3d2c9c9b 1008 for (;;) {
d9de20fa 1009 uint16_t behindBy = ((uint8_t*)AT91C_BASE_PDC_SSC->PDC_RPR - upTo) & (ISO15693_DMA_BUFFER_SIZE-1);
70b2fc0a 1010
d9de20fa 1011 if (behindBy == 0) continue;
15c4dc5a 1012
8c6cca0b 1013 b = *upTo++;
3d2c9c9b 1014 if (upTo >= dmaBuf + ISO15693_DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content.
8c6cca0b 1015 upTo = dmaBuf; // start reading the circular buffer from the beginning
3d2c9c9b 1016 if (behindBy > (9*ISO15693_DMA_BUFFER_SIZE/10)) {
d9de20fa 1017 Dbprintf("About to blow circular buffer - aborted! behindBy=%d", behindBy);
1018 break;
1019 }
8c6cca0b 1020 }
1021 if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { // DMA Counter Register had reached 0, already rotated.
1022 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; // refresh the DMA Next Buffer and
1023 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO15693_DMA_BUFFER_SIZE; // DMA Next Counter registers
1024 }
15c4dc5a 1025
8c6cca0b 1026 for (int i = 7; i >= 0; i--) {
1027 if (Handle15693SampleFromReader((b >> i) & 0x01, &DecodeReader)) {
c41dd5f9 1028 *eof_time = dma_start_time + samples - DELAY_READER_TO_ARM; // end of EOF
8c6cca0b 1029 gotFrame = true;
9455b51c 1030 break;
1031 }
8c6cca0b 1032 samples++;
15c4dc5a 1033 }
8c6cca0b 1034
1035 if (gotFrame) {
1036 break;
15c4dc5a 1037 }
8c6cca0b 1038
1039 if (BUTTON_PRESS()) {
3d2c9c9b 1040 DecodeReader.byteCount = -1;
8c6cca0b 1041 break;
15c4dc5a 1042 }
15c4dc5a 1043
8c6cca0b 1044 WDT_HIT();
1045 }
1046
8c6cca0b 1047 FpgaDisableSscDma();
a66f26da 1048
d9de20fa 1049 if (DEBUG) Dbprintf("samples = %d, gotFrame = %d, Decoder: state = %d, len = %d, bitCount = %d, posCount = %d",
a66f26da 1050 samples, gotFrame, DecodeReader.state, DecodeReader.byteCount, DecodeReader.bitCount, DecodeReader.posCount);
8c6cca0b 1051
d9de20fa 1052 if (DecodeReader.byteCount > 0) {
a66f26da 1053 uint32_t sof_time = *eof_time
3d2c9c9b 1054 - DecodeReader.byteCount * (DecodeReader.Coding==CODING_1_OUT_OF_4?128:2048) // time for byte transfers
1055 - 32 // time for SOF transfer
1056 - 16; // time for EOF transfer
c41dd5f9 1057 LogTrace_ISO15693(DecodeReader.output, DecodeReader.byteCount, sof_time*32, *eof_time*32, NULL, true);
8c6cca0b 1058 }
1059
1060 return DecodeReader.byteCount;
15c4dc5a 1061}
1062
9455b51c 1063
d9de20fa 1064// Encode (into the ToSend buffers) an identify request, which is the first
1065// thing that you must send to a tag to get a response.
1066static void BuildIdentifyRequest(void)
1067{
1068 uint8_t cmd[5];
1069
1070 uint16_t crc;
1071 // one sub-carrier, inventory, 1 slot, fast rate
1072 // AFI is at bit 5 (1<<4) when doing an INVENTORY
1073 cmd[0] = (1 << 2) | (1 << 5) | (1 << 1);
1074 // inventory command code
1075 cmd[1] = 0x01;
1076 // no mask
1077 cmd[2] = 0x00;
1078 //Now the CRC
3d2c9c9b 1079 crc = Iso15693Crc(cmd, 3);
d9de20fa 1080 cmd[3] = crc & 0xff;
1081 cmd[4] = crc >> 8;
1082
1083 CodeIso15693AsReader(cmd, sizeof(cmd));
1084}
1085
1086
15c4dc5a 1087//-----------------------------------------------------------------------------
1088// Start to read an ISO 15693 tag. We send an identify request, then wait
1089// for the response. The response is not demodulated, just left in the buffer
1090// so that it can be downloaded to a PC and processed there.
1091//-----------------------------------------------------------------------------
1092void AcquireRawAdcSamplesIso15693(void)
1093{
70b2fc0a 1094 LED_A_ON();
8c6cca0b 1095
117d9ec2 1096 uint8_t *dest = BigBuf_get_addr();
15c4dc5a 1097
7cc204bf 1098 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
5ea2a248 1099 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
ece38ef3 1100 LED_D_ON();
5ea2a248 1101 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
15c4dc5a 1102 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1103
5ea2a248 1104 BuildIdentifyRequest();
1105
15c4dc5a 1106 // Give the tags time to energize
15c4dc5a 1107 SpinDelay(100);
1108
1109 // Now send the command
c41dd5f9 1110 uint32_t start_time = 0;
1111 TransmitTo15693Tag(ToSend, ToSendMax, &start_time);
70b2fc0a 1112
1113 // wait for last transfer to complete
5ea2a248 1114 while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY)) ;
15c4dc5a 1115
5ea2a248 1116 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_424_KHZ | FPGA_HF_READER_MODE_RECEIVE_AMPLITUDE);
15c4dc5a 1117
70b2fc0a 1118 for(int c = 0; c < 4000; ) {
15c4dc5a 1119 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
d9de20fa 1120 uint16_t r = AT91C_BASE_SSC->SSC_RHR;
1121 dest[c++] = r >> 5;
9455b51c 1122 }
1123 }
70b2fc0a 1124
1125 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1126 LEDsoff();
9455b51c 1127}
1128
1129
d9de20fa 1130void SnoopIso15693(void)
9455b51c 1131{
1523527f 1132 LED_A_ON();
ece38ef3 1133
d9de20fa 1134 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1135 BigBuf_free();
8c6cca0b 1136
d9de20fa 1137 clear_trace();
1138 set_tracing(true);
3fe4ff4f 1139
d9de20fa 1140 // The DMA buffer, used to stream samples from the FPGA
1141 uint16_t* dmaBuf = (uint16_t*)BigBuf_malloc(ISO15693_DMA_BUFFER_SIZE*sizeof(uint16_t));
1142 uint16_t *upTo;
1143
1144 // Count of samples received so far, so that we can include timing
1145 // information in the trace buffer.
1146 int samples = 0;
1147
1148 DecodeTag_t DecodeTag = {0};
1149 uint8_t response[ISO15693_MAX_RESPONSE_LENGTH];
1150 DecodeTagInit(&DecodeTag, response, sizeof(response));
9455b51c 1151
d9de20fa 1152 DecodeReader_t DecodeReader = {0};;
1153 uint8_t cmd[ISO15693_MAX_COMMAND_LENGTH];
1154 DecodeReaderInit(&DecodeReader, cmd, sizeof(cmd));
1155
1156 // Print some debug information about the buffer sizes
1157 if (DEBUG) {
1158 Dbprintf("Snooping buffers initialized:");
1159 Dbprintf(" Trace: %i bytes", BigBuf_max_traceLen());
1160 Dbprintf(" Reader -> tag: %i bytes", ISO15693_MAX_COMMAND_LENGTH);
1161 Dbprintf(" tag -> Reader: %i bytes", ISO15693_MAX_RESPONSE_LENGTH);
1162 Dbprintf(" DMA: %i bytes", ISO15693_DMA_BUFFER_SIZE * sizeof(uint16_t));
1163 }
5ea2a248 1164 Dbprintf("Snoop started. Press PM3 Button to stop.");
a66f26da 1165
5ea2a248 1166 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SNOOP_AMPLITUDE);
9455b51c 1167 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1168
d9de20fa 1169 // Setup for the DMA.
5ea2a248 1170 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
d9de20fa 1171 upTo = dmaBuf;
1172 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE);
9455b51c 1173
d9de20fa 1174 bool TagIsActive = false;
1175 bool ReaderIsActive = false;
1176 bool ExpectTagAnswer = false;
9455b51c 1177
d9de20fa 1178 // And now we loop, receiving samples.
1179 for(;;) {
1180 uint16_t behindBy = ((uint16_t*)AT91C_BASE_PDC_SSC->PDC_RPR - upTo) & (ISO15693_DMA_BUFFER_SIZE-1);
1181
1182 if (behindBy == 0) continue;
1183
1184 uint16_t snoopdata = *upTo++;
1185
1186 if(upTo >= dmaBuf + ISO15693_DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content.
1187 upTo = dmaBuf; // start reading the circular buffer from the beginning
1188 if(behindBy > (9*ISO15693_DMA_BUFFER_SIZE/10)) {
1189 Dbprintf("About to blow circular buffer - aborted! behindBy=%d, samples=%d", behindBy, samples);
1190 break;
1191 }
1192 if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { // DMA Counter Register had reached 0, already rotated.
1193 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; // refresh the DMA Next Buffer and
1194 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO15693_DMA_BUFFER_SIZE; // DMA Next Counter registers
1195 WDT_HIT();
1196 if(BUTTON_PRESS()) {
1197 DbpString("Snoop stopped.");
1198 break;
1199 }
1200 }
1201 }
1202 samples++;
a66f26da 1203
d9de20fa 1204 if (!TagIsActive) { // no need to try decoding reader data if the tag is sending
1205 if (Handle15693SampleFromReader(snoopdata & 0x02, &DecodeReader)) {
1206 FpgaDisableSscDma();
1207 ExpectTagAnswer = true;
c41dd5f9 1208 LogTrace_ISO15693(DecodeReader.output, DecodeReader.byteCount, samples*64, samples*64, NULL, true);
d9de20fa 1209 /* And ready to receive another command. */
1210 DecodeReaderReset(&DecodeReader);
1211 /* And also reset the demod code, which might have been */
1212 /* false-triggered by the commands from the reader. */
1213 DecodeTagReset(&DecodeTag);
1214 upTo = dmaBuf;
1215 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE);
1216 }
1217 if (Handle15693SampleFromReader(snoopdata & 0x01, &DecodeReader)) {
1218 FpgaDisableSscDma();
1219 ExpectTagAnswer = true;
c41dd5f9 1220 LogTrace_ISO15693(DecodeReader.output, DecodeReader.byteCount, samples*64, samples*64, NULL, true);
d9de20fa 1221 /* And ready to receive another command. */
1222 DecodeReaderReset(&DecodeReader);
1223 /* And also reset the demod code, which might have been */
1224 /* false-triggered by the commands from the reader. */
1225 DecodeTagReset(&DecodeTag);
1226 upTo = dmaBuf;
1227 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE);
1228 }
1229 ReaderIsActive = (DecodeReader.state >= STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF);
9455b51c 1230 }
d9de20fa 1231
a66f26da 1232 if (!ReaderIsActive && ExpectTagAnswer) { // no need to try decoding tag data if the reader is currently sending or no answer expected yet
d9de20fa 1233 if (Handle15693SamplesFromTag(snoopdata >> 2, &DecodeTag)) {
1234 FpgaDisableSscDma();
1235 //Use samples as a time measurement
c41dd5f9 1236 LogTrace_ISO15693(DecodeTag.output, DecodeTag.len, samples*64, samples*64, NULL, false);
d9de20fa 1237 // And ready to receive another response.
1238 DecodeTagReset(&DecodeTag);
1239 DecodeReaderReset(&DecodeReader);
1240 ExpectTagAnswer = false;
1241 upTo = dmaBuf;
1242 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE);
1243 }
1244 TagIsActive = (DecodeTag.state >= STATE_TAG_RECEIVING_DATA);
1245 }
1246
9455b51c 1247 }
70b2fc0a 1248
d9de20fa 1249 FpgaDisableSscDma();
1250 BigBuf_free();
a66f26da 1251
d9de20fa 1252 LEDsoff();
1253
1254 DbpString("Snoop statistics:");
1255 Dbprintf(" ExpectTagAnswer: %d", ExpectTagAnswer);
1256 Dbprintf(" DecodeTag State: %d", DecodeTag.state);
1257 Dbprintf(" DecodeTag byteCnt: %d", DecodeTag.len);
1258 Dbprintf(" DecodeReader State: %d", DecodeReader.state);
1259 Dbprintf(" DecodeReader byteCnt: %d", DecodeReader.byteCount);
1260 Dbprintf(" Trace length: %d", BigBuf_get_traceLen());
9455b51c 1261}
1262
1263
8c6cca0b 1264// Initialize the proxmark as iso15k reader
c41dd5f9 1265void Iso15693InitReader() {
7cc204bf 1266 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
9455b51c 1267
1268 // Start from off (no field generated)
70b2fc0a 1269 LED_D_OFF();
9455b51c 1270 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
e6304bca 1271 SpinDelay(10);
9455b51c 1272
1273 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
5ea2a248 1274 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
9455b51c 1275
1276 // Give the tags time to energize
70b2fc0a 1277 LED_D_ON();
5ea2a248 1278 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
e6304bca 1279 SpinDelay(250);
9455b51c 1280}
1281
1282///////////////////////////////////////////////////////////////////////
1283// ISO 15693 Part 3 - Air Interface
70b2fc0a 1284// This section basically contains transmission and receiving of bits
9455b51c 1285///////////////////////////////////////////////////////////////////////
1286
9455b51c 1287
1288// uid is in transmission order (which is reverse of display order)
1289static void BuildReadBlockRequest(uint8_t *uid, uint8_t blockNumber )
1290{
1291 uint8_t cmd[13];
1292
1293 uint16_t crc;
d9de20fa 1294 // If we set the Option_Flag in this request, the VICC will respond with the security status of the block
1295 // followed by the block data
a66f26da 1296 cmd[0] = ISO15693_REQ_OPTION | ISO15693_REQ_ADDRESS | ISO15693_REQ_DATARATE_HIGH;
9455b51c 1297 // READ BLOCK command code
d9de20fa 1298 cmd[1] = ISO15693_READBLOCK;
9455b51c 1299 // UID may be optionally specified here
1300 // 64-bit UID
1301 cmd[2] = uid[0];
1302 cmd[3] = uid[1];
1303 cmd[4] = uid[2];
1304 cmd[5] = uid[3];
1305 cmd[6] = uid[4];
1306 cmd[7] = uid[5];
1307 cmd[8] = uid[6];
1308 cmd[9] = uid[7]; // 0xe0; // always e0 (not exactly unique)
1309 // Block number to read
d9de20fa 1310 cmd[10] = blockNumber;
9455b51c 1311 //Now the CRC
3d2c9c9b 1312 crc = Iso15693Crc(cmd, 11); // the crc needs to be calculated over 11 bytes
9455b51c 1313 cmd[11] = crc & 0xff;
1314 cmd[12] = crc >> 8;
1315
1316 CodeIso15693AsReader(cmd, sizeof(cmd));
1317}
1318
70b2fc0a 1319
9455b51c 1320// Now the VICC>VCD responses when we are simulating a tag
8c6cca0b 1321static void BuildInventoryResponse(uint8_t *uid)
9455b51c 1322{
1323 uint8_t cmd[12];
1324
1325 uint16_t crc;
8c6cca0b 1326
1327 cmd[0] = 0; // No error, no protocol format extension
3fe4ff4f 1328 cmd[1] = 0; // DSFID (data storage format identifier). 0x00 = not supported
9455b51c 1329 // 64-bit UID
3fe4ff4f 1330 cmd[2] = uid[7]; //0x32;
1331 cmd[3] = uid[6]; //0x4b;
1332 cmd[4] = uid[5]; //0x03;
1333 cmd[5] = uid[4]; //0x01;
1334 cmd[6] = uid[3]; //0x00;
1335 cmd[7] = uid[2]; //0x10;
1336 cmd[8] = uid[1]; //0x05;
1337 cmd[9] = uid[0]; //0xe0;
9455b51c 1338 //Now the CRC
3d2c9c9b 1339 crc = Iso15693Crc(cmd, 10);
9455b51c 1340 cmd[10] = crc & 0xff;
1341 cmd[11] = crc >> 8;
1342
8c6cca0b 1343 CodeIso15693AsTag(cmd, sizeof(cmd));
9455b51c 1344}
1345
e6304bca 1346// Universal Method for sending to and recv bytes from a tag
a66f26da 1347// init ... should we initialize the reader?
1348// speed ... 0 low speed, 1 hi speed
1349// *recv will contain the tag's answer
c41dd5f9 1350// return: length of received data, or -1 for timeout
1351int SendDataTag(uint8_t *send, int sendlen, bool init, int speed, uint8_t *recv, uint16_t max_recv_len, uint32_t start_time, uint32_t *eof_time) {
9455b51c 1352
c41dd5f9 1353 if (init) {
1354 Iso15693InitReader();
1355 StartCountSspClk();
1356 }
ece38ef3 1357
c41dd5f9 1358 int answerLen = 0;
ece38ef3 1359
9455b51c 1360 if (!speed) {
1361 // low speed (1 out of 256)
1362 CodeIso15693AsReader256(send, sendlen);
1363 } else {
1364 // high speed (1 out of 4)
1365 CodeIso15693AsReader(send, sendlen);
1366 }
8c6cca0b 1367
c41dd5f9 1368 TransmitTo15693Tag(ToSend, ToSendMax, &start_time);
d9de20fa 1369
9455b51c 1370 // Now wait for a response
d9de20fa 1371 if (recv != NULL) {
ece38ef3 1372 answerLen = GetIso15693AnswerFromTag(recv, max_recv_len, ISO15693_READER_TIMEOUT, eof_time);
9455b51c 1373 }
1374
9455b51c 1375 return answerLen;
1376}
15c4dc5a 1377
15c4dc5a 1378
9455b51c 1379// --------------------------------------------------------------------
8c6cca0b 1380// Debug Functions
9455b51c 1381// --------------------------------------------------------------------
15c4dc5a 1382
9455b51c 1383// Decodes a message from a tag and displays its metadata and content
1384#define DBD15STATLEN 48
1385void DbdecodeIso15693Answer(int len, uint8_t *d) {
1386 char status[DBD15STATLEN+1]={0};
1387 uint16_t crc;
1388
d9de20fa 1389 if (len > 3) {
1390 if (d[0] & ISO15693_RES_EXT)
1391 strncat(status,"ProtExt ", DBD15STATLEN);
1392 if (d[0] & ISO15693_RES_ERROR) {
9455b51c 1393 // error
d9de20fa 1394 strncat(status,"Error ", DBD15STATLEN);
9455b51c 1395 switch (d[1]) {
8c6cca0b 1396 case 0x01:
d9de20fa 1397 strncat(status,"01:notSupp", DBD15STATLEN);
15c4dc5a 1398 break;
8c6cca0b 1399 case 0x02:
d9de20fa 1400 strncat(status,"02:notRecog", DBD15STATLEN);
9455b51c 1401 break;
8c6cca0b 1402 case 0x03:
d9de20fa 1403 strncat(status,"03:optNotSupp", DBD15STATLEN);
9455b51c 1404 break;
8c6cca0b 1405 case 0x0f:
d9de20fa 1406 strncat(status,"0f:noInfo", DBD15STATLEN);
9455b51c 1407 break;
8c6cca0b 1408 case 0x10:
d9de20fa 1409 strncat(status,"10:doesn'tExist", DBD15STATLEN);
9455b51c 1410 break;
8c6cca0b 1411 case 0x11:
d9de20fa 1412 strncat(status,"11:lockAgain", DBD15STATLEN);
9455b51c 1413 break;
8c6cca0b 1414 case 0x12:
d9de20fa 1415 strncat(status,"12:locked", DBD15STATLEN);
9455b51c 1416 break;
8c6cca0b 1417 case 0x13:
d9de20fa 1418 strncat(status,"13:progErr", DBD15STATLEN);
9455b51c 1419 break;
8c6cca0b 1420 case 0x14:
d9de20fa 1421 strncat(status,"14:lockErr", DBD15STATLEN);
9455b51c 1422 break;
1423 default:
d9de20fa 1424 strncat(status,"unknownErr", DBD15STATLEN);
15c4dc5a 1425 }
d9de20fa 1426 strncat(status," ", DBD15STATLEN);
9455b51c 1427 } else {
d9de20fa 1428 strncat(status,"NoErr ", DBD15STATLEN);
15c4dc5a 1429 }
8c6cca0b 1430
3d2c9c9b 1431 crc=Iso15693Crc(d,len-2);
8c6cca0b 1432 if ( (( crc & 0xff ) == d[len-2]) && (( crc >> 8 ) == d[len-1]) )
9455b51c 1433 strncat(status,"CrcOK",DBD15STATLEN);
1434 else
8c6cca0b 1435 strncat(status,"CrcFail!",DBD15STATLEN);
9455b51c 1436
1437 Dbprintf("%s",status);
15c4dc5a 1438 }
1439}
1440
9455b51c 1441
1442
1443///////////////////////////////////////////////////////////////////////
1444// Functions called via USB/Client
1445///////////////////////////////////////////////////////////////////////
1446
1447void SetDebugIso15693(uint32_t debug) {
1448 DEBUG=debug;
1449 Dbprintf("Iso15693 Debug is now %s",DEBUG?"on":"off");
1450 return;
1451}
1452
d9de20fa 1453
5ea2a248 1454//---------------------------------------------------------------------------------------
1455// Simulate an ISO15693 reader, perform anti-collision and then attempt to read a sector.
15c4dc5a 1456// all demodulation performed in arm rather than host. - greg
5ea2a248 1457//---------------------------------------------------------------------------------------
ece38ef3 1458void ReaderIso15693(uint32_t parameter) {
1459
15c4dc5a 1460 LED_A_ON();
15c4dc5a 1461
d9de20fa 1462 set_tracing(true);
a66f26da 1463
d9de20fa 1464 int answerLen = 0;
3fe4ff4f 1465 uint8_t TagUID[8] = {0x00};
1466
09ffd16e 1467 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
15c4dc5a 1468
d9de20fa 1469 uint8_t answer[ISO15693_MAX_RESPONSE_LENGTH];
15c4dc5a 1470
3fe4ff4f 1471 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
15c4dc5a 1472 // Setup SSC
5ea2a248 1473 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
15c4dc5a 1474
1475 // Start from off (no field generated)
a66f26da 1476 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1477 SpinDelay(200);
15c4dc5a 1478
15c4dc5a 1479 // Give the tags time to energize
70b2fc0a 1480 LED_D_ON();
5ea2a248 1481 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
15c4dc5a 1482 SpinDelay(200);
d9de20fa 1483 StartCountSspClk();
1484
15c4dc5a 1485
15c4dc5a 1486 // FIRST WE RUN AN INVENTORY TO GET THE TAG UID
1487 // THIS MEANS WE CAN PRE-BUILD REQUESTS TO SAVE CPU TIME
15c4dc5a 1488
1489 // Now send the IDENTIFY command
1490 BuildIdentifyRequest();
c41dd5f9 1491 uint32_t start_time = 0;
1492 TransmitTo15693Tag(ToSend, ToSendMax, &start_time);
a66f26da 1493
15c4dc5a 1494 // Now wait for a response
c41dd5f9 1495 uint32_t eof_time;
1496 answerLen = GetIso15693AnswerFromTag(answer, sizeof(answer), DELAY_ISO15693_VCD_TO_VICC_READER * 2, &eof_time) ;
1497 start_time = eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
15c4dc5a 1498
d9de20fa 1499 if (answerLen >=12) // we should do a better check than this
15c4dc5a 1500 {
d9de20fa 1501 TagUID[0] = answer[2];
1502 TagUID[1] = answer[3];
1503 TagUID[2] = answer[4];
1504 TagUID[3] = answer[5];
1505 TagUID[4] = answer[6];
1506 TagUID[5] = answer[7];
1507 TagUID[6] = answer[8]; // IC Manufacturer code
1508 TagUID[7] = answer[9]; // always E0
15c4dc5a 1509
15c4dc5a 1510 }
1511
d9de20fa 1512 Dbprintf("%d octets read from IDENTIFY request:", answerLen);
1513 DbdecodeIso15693Answer(answerLen, answer);
1514 Dbhexdump(answerLen, answer, false);
9455b51c 1515
1516 // UID is reverse
d9de20fa 1517 if (answerLen >= 12)
3fe4ff4f 1518 Dbprintf("UID = %02hX%02hX%02hX%02hX%02hX%02hX%02hX%02hX",
1519 TagUID[7],TagUID[6],TagUID[5],TagUID[4],
1520 TagUID[3],TagUID[2],TagUID[1],TagUID[0]);
9455b51c 1521
1522
315e18e6 1523 // Dbprintf("%d octets read from SELECT request:", answerLen2);
1524 // DbdecodeIso15693Answer(answerLen2,answer2);
1525 // Dbhexdump(answerLen2,answer2,true);
9455b51c 1526
315e18e6 1527 // Dbprintf("%d octets read from XXX request:", answerLen3);
1528 // DbdecodeIso15693Answer(answerLen3,answer3);
1529 // Dbhexdump(answerLen3,answer3,true);
9455b51c 1530
9455b51c 1531 // read all pages
d9de20fa 1532 if (answerLen >= 12 && DEBUG) {
5ea2a248 1533 for (int i = 0; i < 32; i++) { // sanity check, assume max 32 pages
8c6cca0b 1534 BuildReadBlockRequest(TagUID, i);
c41dd5f9 1535 TransmitTo15693Tag(ToSend, ToSendMax, &start_time);
1536 int answerLen = GetIso15693AnswerFromTag(answer, sizeof(answer), DELAY_ISO15693_VCD_TO_VICC_READER * 2, &eof_time);
1537 start_time = eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
d9de20fa 1538 if (answerLen > 0) {
1539 Dbprintf("READ SINGLE BLOCK %d returned %d octets:", i, answerLen);
1540 DbdecodeIso15693Answer(answerLen, answer);
1541 Dbhexdump(answerLen, answer, false);
1542 if ( *((uint32_t*) answer) == 0x07160101 ) break; // exit on NoPageErr
8c6cca0b 1543 }
8c6cca0b 1544 }
9455b51c 1545 }
15c4dc5a 1546
8c6cca0b 1547 // for the time being, switch field off to protect rdv4.0
70b2fc0a 1548 // note: this prevents using hf 15 cmd with s option - which isn't implemented yet anyway
a66f26da 1549 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
15c4dc5a 1550 LED_D_OFF();
8c6cca0b 1551
70b2fc0a 1552 LED_A_OFF();
15c4dc5a 1553}
1554
8c6cca0b 1555
1556// Simulate an ISO15693 TAG.
1557// For Inventory command: print command and send Inventory Response with given UID
1558// TODO: interpret other reader commands and send appropriate response
ece38ef3 1559void SimTagIso15693(uint32_t parameter, uint8_t *uid) {
1560
15c4dc5a 1561 LED_A_ON();
15c4dc5a 1562
7cc204bf 1563 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
15c4dc5a 1564 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
a66f26da 1565 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
8c6cca0b 1566 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR);
15c4dc5a 1567
8c6cca0b 1568 StartCountSspClk();
15c4dc5a 1569
8c6cca0b 1570 uint8_t cmd[ISO15693_MAX_COMMAND_LENGTH];
15c4dc5a 1571
8c6cca0b 1572 // Build a suitable response to the reader INVENTORY command
1573 BuildInventoryResponse(uid);
15c4dc5a 1574
8c6cca0b 1575 // Listen to reader
1576 while (!BUTTON_PRESS()) {
1577 uint32_t eof_time = 0, start_time = 0;
1578 int cmd_len = GetIso15693CommandFromReader(cmd, sizeof(cmd), &eof_time);
1579
1580 if ((cmd_len >= 5) && (cmd[0] & ISO15693_REQ_INVENTORY) && (cmd[1] == ISO15693_INVENTORY)) { // TODO: check more flags
1581 bool slow = !(cmd[0] & ISO15693_REQ_DATARATE_HIGH);
c41dd5f9 1582 start_time = eof_time + DELAY_ISO15693_VCD_TO_VICC_SIM;
8efd0b80 1583 TransmitTo15693Reader(ToSend, ToSendMax, &start_time, 0, slow);
8c6cca0b 1584 }
3fe4ff4f 1585
8c6cca0b 1586 Dbprintf("%d bytes read from reader:", cmd_len);
1587 Dbhexdump(cmd_len, cmd, false);
1588 }
15c4dc5a 1589
a66f26da 1590 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
ece38ef3 1591 LED_D_OFF();
1592 LED_A_OFF();
15c4dc5a 1593}
9455b51c 1594
1595
1596// Since there is no standardized way of reading the AFI out of a tag, we will brute force it
1597// (some manufactures offer a way to read the AFI, though)
8c6cca0b 1598void BruteforceIso15693Afi(uint32_t speed)
1599{
70b2fc0a 1600 LED_A_ON();
8c6cca0b 1601
d9de20fa 1602 uint8_t data[6];
1603 uint8_t recv[ISO15693_MAX_RESPONSE_LENGTH];
c41dd5f9 1604 int datalen = 0, recvlen = 0;
1605 uint32_t eof_time;
a66f26da 1606
9455b51c 1607 // first without AFI
8c6cca0b 1608 // Tags should respond without AFI and with AFI=0 even when AFI is active
1609
1610 data[0] = ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_INVENTORY | ISO15693_REQINV_SLOT1;
1611 data[1] = ISO15693_INVENTORY;
1612 data[2] = 0; // mask length
3d2c9c9b 1613 datalen = Iso15693AddCrc(data,3);
c41dd5f9 1614 uint32_t start_time = GetCountSspClk();
1615 recvlen = SendDataTag(data, datalen, true, speed, recv, sizeof(recv), 0, &eof_time);
1616 start_time = eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
9455b51c 1617 WDT_HIT();
1618 if (recvlen>=12) {
3d2c9c9b 1619 Dbprintf("NoAFI UID=%s", Iso15693sprintUID(NULL, &recv[2]));
9455b51c 1620 }
8c6cca0b 1621
9455b51c 1622 // now with AFI
8c6cca0b 1623
1624 data[0] = ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_INVENTORY | ISO15693_REQINV_AFI | ISO15693_REQINV_SLOT1;
1625 data[1] = ISO15693_INVENTORY;
1626 data[2] = 0; // AFI
1627 data[3] = 0; // mask length
1628
d9de20fa 1629 for (int i = 0; i < 256; i++) {
1630 data[2] = i & 0xFF;
3d2c9c9b 1631 datalen = Iso15693AddCrc(data,4);
c41dd5f9 1632 recvlen = SendDataTag(data, datalen, false, speed, recv, sizeof(recv), start_time, &eof_time);
1633 start_time = eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
9455b51c 1634 WDT_HIT();
d9de20fa 1635 if (recvlen >= 12) {
3d2c9c9b 1636 Dbprintf("AFI=%i UID=%s", i, Iso15693sprintUID(NULL, &recv[2]));
9455b51c 1637 }
8c6cca0b 1638 }
9455b51c 1639 Dbprintf("AFI Bruteforcing done.");
8c6cca0b 1640
a66f26da 1641 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
ece38ef3 1642 LED_D_OFF();
1643 LED_A_OFF();
1644
9455b51c 1645}
1646
1647// Allows to directly send commands to the tag via the client
70b2fc0a 1648void DirectTag15693Command(uint32_t datalen, uint32_t speed, uint32_t recv, uint8_t data[]) {
9455b51c 1649
ece38ef3 1650 LED_A_ON();
1651
d9de20fa 1652 int recvlen = 0;
1653 uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
c41dd5f9 1654 uint32_t eof_time;
8c6cca0b 1655
9455b51c 1656 if (DEBUG) {
d9de20fa 1657 Dbprintf("SEND:");
8c6cca0b 1658 Dbhexdump(datalen, data, false);
9455b51c 1659 }
8c6cca0b 1660
c41dd5f9 1661 recvlen = SendDataTag(data, datalen, true, speed, (recv?recvbuf:NULL), sizeof(recvbuf), 0, &eof_time);
1662
1663 // for the time being, switch field off to protect rdv4.0
1664 // note: this prevents using hf 15 cmd with s option - which isn't implemented yet anyway
1665 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1666 LED_D_OFF();
9455b51c 1667
8c6cca0b 1668 if (recv) {
9455b51c 1669 if (DEBUG) {
d9de20fa 1670 Dbprintf("RECV:");
c41dd5f9 1671 if (recvlen > 0) {
1672 Dbhexdump(recvlen, recvbuf, false);
1673 DbdecodeIso15693Answer(recvlen, recvbuf);
1674 }
9455b51c 1675 }
c41dd5f9 1676 if (recvlen > ISO15693_MAX_RESPONSE_LENGTH) {
1677 recvlen = ISO15693_MAX_RESPONSE_LENGTH;
1678 }
1679 cmd_send(CMD_ACK, recvlen, 0, 0, recvbuf, ISO15693_MAX_RESPONSE_LENGTH);
9455b51c 1680 }
1681
70b2fc0a 1682 LED_A_OFF();
9455b51c 1683}
1684
096dee17 1685//-----------------------------------------------------------------------------
1686// Work with "magic Chinese" card.
1687//
1688//-----------------------------------------------------------------------------
1689
1690// Set the UID to the tag (based on Iceman work).
ece38ef3 1691void SetTag15693Uid(uint8_t *uid) {
a66f26da 1692
ece38ef3 1693 LED_A_ON();
1694
1695 uint8_t cmd[4][9] = {0x00};
a66f26da 1696 uint16_t crc;
1697
1698 int recvlen = 0;
1699 uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
c41dd5f9 1700 uint32_t eof_time;
a66f26da 1701
1702 // Command 1 : 02213E00000000
1703 cmd[0][0] = 0x02;
1704 cmd[0][1] = 0x21;
1705 cmd[0][2] = 0x3e;
1706 cmd[0][3] = 0x00;
1707 cmd[0][4] = 0x00;
1708 cmd[0][5] = 0x00;
1709 cmd[0][6] = 0x00;
1710
1711 // Command 2 : 02213F69960000
1712 cmd[1][0] = 0x02;
1713 cmd[1][1] = 0x21;
1714 cmd[1][2] = 0x3f;
1715 cmd[1][3] = 0x69;
1716 cmd[1][4] = 0x96;
1717 cmd[1][5] = 0x00;
1718 cmd[1][6] = 0x00;
1719
1720 // Command 3 : 022138u8u7u6u5 (where uX = uid byte X)
1721 cmd[2][0] = 0x02;
1722 cmd[2][1] = 0x21;
1723 cmd[2][2] = 0x38;
1724 cmd[2][3] = uid[7];
1725 cmd[2][4] = uid[6];
1726 cmd[2][5] = uid[5];
1727 cmd[2][6] = uid[4];
1728
1729 // Command 4 : 022139u4u3u2u1 (where uX = uid byte X)
1730 cmd[3][0] = 0x02;
1731 cmd[3][1] = 0x21;
1732 cmd[3][2] = 0x39;
1733 cmd[3][3] = uid[3];
1734 cmd[3][4] = uid[2];
1735 cmd[3][5] = uid[1];
1736 cmd[3][6] = uid[0];
1737
c41dd5f9 1738 for (int i = 0; i < 4; i++) {
a66f26da 1739 // Add the CRC
1740 crc = Iso15693Crc(cmd[i], 7);
1741 cmd[i][7] = crc & 0xff;
1742 cmd[i][8] = crc >> 8;
1743
1744 if (DEBUG) {
1745 Dbprintf("SEND:");
1746 Dbhexdump(sizeof(cmd[i]), cmd[i], false);
1747 }
1748
c41dd5f9 1749 recvlen = SendDataTag(cmd[i], sizeof(cmd[i]), true, 1, recvbuf, sizeof(recvbuf), 0, &eof_time);
a66f26da 1750
1751 if (DEBUG) {
1752 Dbprintf("RECV:");
c41dd5f9 1753 if (recvlen > 0) {
1754 Dbhexdump(recvlen, recvbuf, false);
1755 DbdecodeIso15693Answer(recvlen, recvbuf);
1756 }
a66f26da 1757 }
1758
1759 cmd_send(CMD_ACK, recvlen>ISO15693_MAX_RESPONSE_LENGTH?ISO15693_MAX_RESPONSE_LENGTH:recvlen, 0, 0, recvbuf, ISO15693_MAX_RESPONSE_LENGTH);
1760 }
1761
a66f26da 1762 LED_A_OFF();
096dee17 1763}
9455b51c 1764
1765
1766
1767// --------------------------------------------------------------------
1768// -- Misc & deprecated functions
1769// --------------------------------------------------------------------
1770
e6304bca 1771/*
9455b51c 1772
1773// do not use; has a fix UID
1774static void __attribute__((unused)) BuildSysInfoRequest(uint8_t *uid)
1775{
1776 uint8_t cmd[12];
1777
1778 uint16_t crc;
5ea2a248 1779 // If we set the Option_Flag in this request, the VICC will respond with the security status of the block
1780 // followed by the block data
9455b51c 1781 // one sub-carrier, inventory, 1 slot, fast rate
1782 cmd[0] = (1 << 5) | (1 << 1); // no SELECT bit
1783 // System Information command code
1784 cmd[1] = 0x2B;
1785 // UID may be optionally specified here
1786 // 64-bit UID
1787 cmd[2] = 0x32;
1788 cmd[3]= 0x4b;
1789 cmd[4] = 0x03;
1790 cmd[5] = 0x01;
1791 cmd[6] = 0x00;
1792 cmd[7] = 0x10;
1793 cmd[8] = 0x05;
1794 cmd[9]= 0xe0; // always e0 (not exactly unique)
1795 //Now the CRC
3d2c9c9b 1796 crc = Iso15693Crc(cmd, 10); // the crc needs to be calculated over 2 bytes
9455b51c 1797 cmd[10] = crc & 0xff;
1798 cmd[11] = crc >> 8;
1799
1800 CodeIso15693AsReader(cmd, sizeof(cmd));
1801}
1802
9455b51c 1803
1804// do not use; has a fix UID
1805static void __attribute__((unused)) BuildReadMultiBlockRequest(uint8_t *uid)
1806{
1807 uint8_t cmd[14];
1808
1809 uint16_t crc;
5ea2a248 1810 // If we set the Option_Flag in this request, the VICC will respond with the security status of the block
1811 // followed by the block data
9455b51c 1812 // one sub-carrier, inventory, 1 slot, fast rate
1813 cmd[0] = (1 << 5) | (1 << 1); // no SELECT bit
1814 // READ Multi BLOCK command code
1815 cmd[1] = 0x23;
1816 // UID may be optionally specified here
1817 // 64-bit UID
1818 cmd[2] = 0x32;
1819 cmd[3]= 0x4b;
1820 cmd[4] = 0x03;
1821 cmd[5] = 0x01;
1822 cmd[6] = 0x00;
1823 cmd[7] = 0x10;
1824 cmd[8] = 0x05;
1825 cmd[9]= 0xe0; // always e0 (not exactly unique)
1826 // First Block number to read
1827 cmd[10] = 0x00;
1828 // Number of Blocks to read
1829 cmd[11] = 0x2f; // read quite a few
1830 //Now the CRC
3d2c9c9b 1831 crc = Iso15693Crc(cmd, 12); // the crc needs to be calculated over 2 bytes
9455b51c 1832 cmd[12] = crc & 0xff;
1833 cmd[13] = crc >> 8;
1834
1835 CodeIso15693AsReader(cmd, sizeof(cmd));
1836}
1837
1838// do not use; has a fix UID
1839static void __attribute__((unused)) BuildArbitraryRequest(uint8_t *uid,uint8_t CmdCode)
1840{
1841 uint8_t cmd[14];
1842
1843 uint16_t crc;
5ea2a248 1844 // If we set the Option_Flag in this request, the VICC will respond with the security status of the block
1845 // followed by the block data
9455b51c 1846 // one sub-carrier, inventory, 1 slot, fast rate
1847 cmd[0] = (1 << 5) | (1 << 1); // no SELECT bit
1848 // READ BLOCK command code
1849 cmd[1] = CmdCode;
1850 // UID may be optionally specified here
1851 // 64-bit UID
1852 cmd[2] = 0x32;
1853 cmd[3]= 0x4b;
1854 cmd[4] = 0x03;
1855 cmd[5] = 0x01;
1856 cmd[6] = 0x00;
1857 cmd[7] = 0x10;
1858 cmd[8] = 0x05;
1859 cmd[9]= 0xe0; // always e0 (not exactly unique)
1860 // Parameter
1861 cmd[10] = 0x00;
1862 cmd[11] = 0x0a;
1863
a66f26da 1864// cmd[12] = 0x00;
1865// cmd[13] = 0x00; //Now the CRC
3d2c9c9b 1866 crc = Iso15693Crc(cmd, 12); // the crc needs to be calculated over 2 bytes
9455b51c 1867 cmd[12] = crc & 0xff;
1868 cmd[13] = crc >> 8;
1869
1870 CodeIso15693AsReader(cmd, sizeof(cmd));
1871}
1872
1873// do not use; has a fix UID
1874static void __attribute__((unused)) BuildArbitraryCustomRequest(uint8_t uid[], uint8_t CmdCode)
1875{
1876 uint8_t cmd[14];
1877
1878 uint16_t crc;
5ea2a248 1879 // If we set the Option_Flag in this request, the VICC will respond with the security status of the block
1880 // followed by the block data
9455b51c 1881 // one sub-carrier, inventory, 1 slot, fast rate
1882 cmd[0] = (1 << 5) | (1 << 1); // no SELECT bit
1883 // READ BLOCK command code
1884 cmd[1] = CmdCode;
1885 // UID may be optionally specified here
1886 // 64-bit UID
1887 cmd[2] = 0x32;
1888 cmd[3]= 0x4b;
1889 cmd[4] = 0x03;
1890 cmd[5] = 0x01;
1891 cmd[6] = 0x00;
1892 cmd[7] = 0x10;
1893 cmd[8] = 0x05;
1894 cmd[9]= 0xe0; // always e0 (not exactly unique)
1895 // Parameter
5ea2a248 1896 cmd[10] = 0x05; // for custom codes this must be manufacturer code
9455b51c 1897 cmd[11] = 0x00;
1898
a66f26da 1899// cmd[12] = 0x00;
1900// cmd[13] = 0x00; //Now the CRC
3d2c9c9b 1901 crc = Iso15693Crc(cmd, 12); // the crc needs to be calculated over 2 bytes
9455b51c 1902 cmd[12] = crc & 0xff;
1903 cmd[13] = crc >> 8;
1904
1905 CodeIso15693AsReader(cmd, sizeof(cmd));
1906}
1907
1908
1909
1910
e6304bca 1911*/
9455b51c 1912
1913
Proxmark3 GIT tracking
Impressum, Datenschutz