]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/lfops.c
projects / proxmark3-svn / blob
? search:


5e9fb193f239bff1df48898c1daecbc7c26d19b6
[proxmark3-svn] / armsrc / lfops.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // Miscellaneous routines for low frequency tag operations.
7 // Tags supported here so far are Texas Instruments (TI), HID
8 // Also routines for raw mode reading/simulating of LF waveform
9 //-----------------------------------------------------------------------------
10
11 #include "proxmark3.h"
12 #include "apps.h"
13 #include "util.h"
14 #include "hitag2.h"
15 #include "crc16.h"
16 #include "string.h"
17 #include "lfdemod.h"
18 #include "lfsampling.h"
19 #include "protocols.h"
20 #include "usb_cdc.h" // for usb_poll_validate_length
21
22 /**
23 * Function to do a modulation and then get samples.
24 * @param delay_off
25 * @param period_0
26 * @param period_1
27 * @param command
28 */
29 void ModThenAcquireRawAdcSamples125k(uint32_t delay_off, uint32_t period_0, uint32_t period_1, uint8_t *command)
30 {
31
32 StartTicks();
33 int divisor_used = 95; // 125 KHz
34 // see if 'h' was specified
35
36 if (command[strlen((char *) command) - 1] == 'h')
37 divisor_used = 88; // 134.8 KHz
38
39 sample_config sc = { 0,0,1, divisor_used, 0};
40 setSamplingConfig(&sc);
41 //clear read buffer
42 BigBuf_Clear_keep_EM();
43
44 /* Make sure the tag is reset */
45 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
46 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
47 WaitMS(2500);
48
49 //power on
50 LFSetupFPGAForADC(sc.divisor, 1);
51
52 // And a little more time for the tag to fully power up
53 WaitMS(2000);
54 // if delay_off = 0 then just bitbang 1 = antenna on 0 = off for respective periods.
55 bool bitbang = delay_off == 0;
56 // now modulate the reader field
57
58 if (bitbang) {
59 //HACK it appears my loop and if statements take up about 7 us so adjust waits accordingly...
60 uint8_t hack_cnt = 7;
61 if (period_0 < hack_cnt || period_1 < hack_cnt) {
62 DbpString("Warning periods cannot be less than 7 in bit bang mode");
63 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
64 LED_D_OFF();
65 return;
66 }
67 //prime cmd_len to save time comparing strings while modulating
68 int cmd_len = 0;
69 while(command[cmd_len] != '\0' && command[cmd_len] != ' ')
70 cmd_len++;
71
72 int counter = 0;
73 bool off = false;
74 for (counter = 0; counter < cmd_len; counter++) {
75 //while(*command != '\0' && *command != ' ') {
76 // if cmd = 0 then turn field off
77 if (command[counter] == '0') {
78 // if field already off leave alone (affects timing otherwise)
79 if (off == false) {
80 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
81 LED_D_OFF();
82 off = true;
83 }
84 // note we appear to take about 6us to switch over (or run the if statements/loop...)
85 WaitUS(period_0-hack_cnt);
86 // else if cmd = 1 then turn field on
87 } else {
88 // if field already on leave alone (affects timing otherwise)
89 if (off) {
90 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
91 LED_D_ON();
92 off = false;
93 }
94 // note we appear to take about 6us to switch over (or run the if statements/loop...)
95 WaitUS(period_1-hack_cnt);
96 }
97 }
98 } else { // old mode of cmd read using delay as off period
99 while(*command != '\0' && *command != ' ') {
100 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
101 LED_D_OFF();
102 WaitUS(delay_off);
103 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc.divisor);
104 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
105 LED_D_ON();
106 if(*(command++) == '0') {
107 WaitUS(period_0);
108 } else {
109 WaitUS(period_1);
110 }
111 }
112 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
113 LED_D_OFF();
114 WaitUS(delay_off);
115 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc.divisor);
116 }
117
118 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
119
120 // now do the read
121 DoAcquisition_config(false, 0);
122 // note leaves field on... (for future commands?)
123 }
124
125 /* blank r/w tag data stream
126 ...0000000000000000 01111111
127 1010101010101010101010101010101010101010101010101010101010101010
128 0011010010100001
129 01111111
130 101010101010101[0]000...
131
132 [5555fe852c5555555555555555fe0000]
133 */
134 void ReadTItag(void)
135 {
136 // some hardcoded initial params
137 // when we read a TI tag we sample the zerocross line at 2Mhz
138 // TI tags modulate a 1 as 16 cycles of 123.2Khz
139 // TI tags modulate a 0 as 16 cycles of 134.2Khz
140 #define FSAMPLE 2000000
141 #define FREQLO 123200
142 #define FREQHI 134200
143
144 signed char *dest = (signed char *)BigBuf_get_addr();
145 uint16_t n = BigBuf_max_traceLen();
146 // 128 bit shift register [shift3:shift2:shift1:shift0]
147 uint32_t shift3 = 0, shift2 = 0, shift1 = 0, shift0 = 0;
148
149 int i, cycles=0, samples=0;
150 // how many sample points fit in 16 cycles of each frequency
151 uint32_t sampleslo = (FSAMPLE<<4)/FREQLO, sampleshi = (FSAMPLE<<4)/FREQHI;
152 // when to tell if we're close enough to one freq or another
153 uint32_t threshold = (sampleslo - sampleshi + 1)>>1;
154
155 // TI tags charge at 134.2Khz
156 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
157 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
158
159 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
160 // connects to SSP_DIN and the SSP_DOUT logic level controls
161 // whether we're modulating the antenna (high)
162 // or listening to the antenna (low)
163 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
164
165 // get TI tag data into the buffer
166 AcquireTiType();
167
168 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
169
170 for (i=0; i<n-1; i++) {
171 // count cycles by looking for lo to hi zero crossings
172 if ( (dest[i]<0) && (dest[i+1]>0) ) {
173 cycles++;
174 // after 16 cycles, measure the frequency
175 if (cycles>15) {
176 cycles=0;
177 samples=i-samples; // number of samples in these 16 cycles
178
179 // TI bits are coming to us lsb first so shift them
180 // right through our 128 bit right shift register
181 shift0 = (shift0>>1) | (shift1 << 31);
182 shift1 = (shift1>>1) | (shift2 << 31);
183 shift2 = (shift2>>1) | (shift3 << 31);
184 shift3 >>= 1;
185
186 // check if the cycles fall close to the number
187 // expected for either the low or high frequency
188 if ( (samples>(sampleslo-threshold)) && (samples<(sampleslo+threshold)) ) {
189 // low frequency represents a 1
190 shift3 |= (1<<31);
191 } else if ( (samples>(sampleshi-threshold)) && (samples<(sampleshi+threshold)) ) {
192 // high frequency represents a 0
193 } else {
194 // probably detected a gay waveform or noise
195 // use this as gaydar or discard shift register and start again
196 shift3 = shift2 = shift1 = shift0 = 0;
197 }
198 samples = i;
199
200 // for each bit we receive, test if we've detected a valid tag
201
202 // if we see 17 zeroes followed by 6 ones, we might have a tag
203 // remember the bits are backwards
204 if ( ((shift0 & 0x7fffff) == 0x7e0000) ) {
205 // if start and end bytes match, we have a tag so break out of the loop
206 if ( ((shift0>>16)&0xff) == ((shift3>>8)&0xff) ) {
207 cycles = 0xF0B; //use this as a flag (ugly but whatever)
208 break;
209 }
210 }
211 }
212 }
213 }
214
215 // if flag is set we have a tag
216 if (cycles!=0xF0B) {
217 DbpString("Info: No valid tag detected.");
218 } else {
219 // put 64 bit data into shift1 and shift0
220 shift0 = (shift0>>24) | (shift1 << 8);
221 shift1 = (shift1>>24) | (shift2 << 8);
222
223 // align 16 bit crc into lower half of shift2
224 shift2 = ((shift2>>24) | (shift3 << 8)) & 0x0ffff;
225
226 // if r/w tag, check ident match
227 if (shift3 & (1<<15) ) {
228 DbpString("Info: TI tag is rewriteable");
229 // only 15 bits compare, last bit of ident is not valid
230 if (((shift3 >> 16) ^ shift0) & 0x7fff ) {
231 DbpString("Error: Ident mismatch!");
232 } else {
233 DbpString("Info: TI tag ident is valid");
234 }
235 } else {
236 DbpString("Info: TI tag is readonly");
237 }
238
239 // WARNING the order of the bytes in which we calc crc below needs checking
240 // i'm 99% sure the crc algorithm is correct, but it may need to eat the
241 // bytes in reverse or something
242 // calculate CRC
243 uint32_t crc=0;
244
245 crc = update_crc16(crc, (shift0)&0xff);
246 crc = update_crc16(crc, (shift0>>8)&0xff);
247 crc = update_crc16(crc, (shift0>>16)&0xff);
248 crc = update_crc16(crc, (shift0>>24)&0xff);
249 crc = update_crc16(crc, (shift1)&0xff);
250 crc = update_crc16(crc, (shift1>>8)&0xff);
251 crc = update_crc16(crc, (shift1>>16)&0xff);
252 crc = update_crc16(crc, (shift1>>24)&0xff);
253
254 Dbprintf("Info: Tag data: %x%08x, crc=%x",
255 (unsigned int)shift1, (unsigned int)shift0, (unsigned int)shift2 & 0xFFFF);
256 if (crc != (shift2&0xffff)) {
257 Dbprintf("Error: CRC mismatch, expected %x", (unsigned int)crc);
258 } else {
259 DbpString("Info: CRC is good");
260 }
261 }
262 }
263
264 void WriteTIbyte(uint8_t b)
265 {
266 int i = 0;
267
268 // modulate 8 bits out to the antenna
269 for (i=0; i<8; i++)
270 {
271 if (b&(1<<i)) {
272 // stop modulating antenna
273 LOW(GPIO_SSC_DOUT);
274 SpinDelayUs(1000);
275 // modulate antenna
276 HIGH(GPIO_SSC_DOUT);
277 SpinDelayUs(1000);
278 } else {
279 // stop modulating antenna
280 LOW(GPIO_SSC_DOUT);
281 SpinDelayUs(300);
282 // modulate antenna
283 HIGH(GPIO_SSC_DOUT);
284 SpinDelayUs(1700);
285 }
286 }
287 }
288
289 void AcquireTiType(void)
290 {
291 int i, j, n;
292 // tag transmission is <20ms, sampling at 2M gives us 40K samples max
293 // each sample is 1 bit stuffed into a uint32_t so we need 1250 uint32_t
294 #define TIBUFLEN 1250
295
296 // clear buffer
297 uint32_t *BigBuf = (uint32_t *)BigBuf_get_addr();
298 BigBuf_Clear_ext(false);
299
300 // Set up the synchronous serial port
301 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DIN;
302 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN;
303
304 // steal this pin from the SSP and use it to control the modulation
305 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
306 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
307
308 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
309 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_RXEN | AT91C_SSC_TXEN;
310
311 // Sample at 2 Mbit/s, so TI tags are 16.2 vs. 14.9 clocks long
312 // 48/2 = 24 MHz clock must be divided by 12
313 AT91C_BASE_SSC->SSC_CMR = 12;
314
315 AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(0);
316 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(32) | AT91C_SSC_MSBF;
317 AT91C_BASE_SSC->SSC_TCMR = 0;
318 AT91C_BASE_SSC->SSC_TFMR = 0;
319
320 LED_D_ON();
321
322 // modulate antenna
323 HIGH(GPIO_SSC_DOUT);
324
325 // Charge TI tag for 50ms.
326 SpinDelay(50);
327
328 // stop modulating antenna and listen
329 LOW(GPIO_SSC_DOUT);
330
331 LED_D_OFF();
332
333 i = 0;
334 for(;;) {
335 if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
336 BigBuf[i] = AT91C_BASE_SSC->SSC_RHR; // store 32 bit values in buffer
337 i++; if(i >= TIBUFLEN) break;
338 }
339 WDT_HIT();
340 }
341
342 // return stolen pin to SSP
343 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;
344 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN | GPIO_SSC_DOUT;
345
346 char *dest = (char *)BigBuf_get_addr();
347 n = TIBUFLEN*32;
348 // unpack buffer
349 for (i=TIBUFLEN-1; i>=0; i--) {
350 for (j=0; j<32; j++) {
351 if(BigBuf[i] & (1 << j)) {
352 dest[--n] = 1;
353 } else {
354 dest[--n] = -1;
355 }
356 }
357 }
358 }
359
360 // arguments: 64bit data split into 32bit idhi:idlo and optional 16bit crc
361 // if crc provided, it will be written with the data verbatim (even if bogus)
362 // if not provided a valid crc will be computed from the data and written.
363 void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc)
364 {
365 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
366 if(crc == 0) {
367 crc = update_crc16(crc, (idlo)&0xff);
368 crc = update_crc16(crc, (idlo>>8)&0xff);
369 crc = update_crc16(crc, (idlo>>16)&0xff);
370 crc = update_crc16(crc, (idlo>>24)&0xff);
371 crc = update_crc16(crc, (idhi)&0xff);
372 crc = update_crc16(crc, (idhi>>8)&0xff);
373 crc = update_crc16(crc, (idhi>>16)&0xff);
374 crc = update_crc16(crc, (idhi>>24)&0xff);
375 }
376 Dbprintf("Writing to tag: %x%08x, crc=%x",
377 (unsigned int) idhi, (unsigned int) idlo, crc);
378
379 // TI tags charge at 134.2Khz
380 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
381 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
382 // connects to SSP_DIN and the SSP_DOUT logic level controls
383 // whether we're modulating the antenna (high)
384 // or listening to the antenna (low)
385 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
386 LED_A_ON();
387
388 // steal this pin from the SSP and use it to control the modulation
389 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
390 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
391
392 // writing algorithm:
393 // a high bit consists of a field off for 1ms and field on for 1ms
394 // a low bit consists of a field off for 0.3ms and field on for 1.7ms
395 // initiate a charge time of 50ms (field on) then immediately start writing bits
396 // start by writing 0xBB (keyword) and 0xEB (password)
397 // then write 80 bits of data (or 64 bit data + 16 bit crc if you prefer)
398 // finally end with 0x0300 (write frame)
399 // all data is sent lsb firts
400 // finish with 15ms programming time
401
402 // modulate antenna
403 HIGH(GPIO_SSC_DOUT);
404 SpinDelay(50); // charge time
405
406 WriteTIbyte(0xbb); // keyword
407 WriteTIbyte(0xeb); // password
408 WriteTIbyte( (idlo )&0xff );
409 WriteTIbyte( (idlo>>8 )&0xff );
410 WriteTIbyte( (idlo>>16)&0xff );
411 WriteTIbyte( (idlo>>24)&0xff );
412 WriteTIbyte( (idhi )&0xff );
413 WriteTIbyte( (idhi>>8 )&0xff );
414 WriteTIbyte( (idhi>>16)&0xff );
415 WriteTIbyte( (idhi>>24)&0xff ); // data hi to lo
416 WriteTIbyte( (crc )&0xff ); // crc lo
417 WriteTIbyte( (crc>>8 )&0xff ); // crc hi
418 WriteTIbyte(0x00); // write frame lo
419 WriteTIbyte(0x03); // write frame hi
420 HIGH(GPIO_SSC_DOUT);
421 SpinDelay(50); // programming time
422
423 LED_A_OFF();
424
425 // get TI tag data into the buffer
426 AcquireTiType();
427
428 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
429 DbpString("Now use `lf ti read` to check");
430 }
431
432 void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
433 {
434 int i;
435 uint8_t *tab = BigBuf_get_addr();
436
437 //note FpgaDownloadAndGo destroys the bigbuf so be sure this is called before now...
438 //FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
439 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
440
441 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK;
442
443 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
444 AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK;
445
446 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
447 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
448
449 i = 0;
450 for(;;) {
451 //wait until SSC_CLK goes HIGH
452 int ii = 0;
453 while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {
454 //only check every 1000th time (usb_poll_validate_length on some systems was too slow)
455 if ( ii == 1000 ) {
456 if (BUTTON_PRESS() || usb_poll_validate_length() ) {
457 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
458 DbpString("Stopped");
459 return;
460 }
461 ii=0;
462 }
463 WDT_HIT();
464 ii++;
465 }
466 if (ledcontrol)
467 LED_D_ON();
468
469 if(tab[i])
470 OPEN_COIL();
471 else
472 SHORT_COIL();
473
474 if (ledcontrol)
475 LED_D_OFF();
476 ii=0;
477 //wait until SSC_CLK goes LOW
478 while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) {
479 //only check every 1000th time (usb_poll_validate_length on some systems was too slow)
480 if ( ii == 1000 ) {
481 if (BUTTON_PRESS() || usb_poll_validate_length() ) {
482 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
483 DbpString("Stopped");
484 return;
485 }
486 ii=0;
487 }
488 WDT_HIT();
489 ii++;
490 }
491
492 i++;
493 if(i == period) {
494
495 i = 0;
496 if (gap) {
497 SHORT_COIL();
498 SpinDelayUs(gap);
499 }
500 }
501
502 }
503 }
504
505 #define DEBUG_FRAME_CONTENTS 1
506 void SimulateTagLowFrequencyBidir(int divisor, int t0)
507 {
508 }
509
510 // compose fc/8 fc/10 waveform (FSK2)
511 static void fc(int c, int *n)
512 {
513 uint8_t *dest = BigBuf_get_addr();
514 int idx;
515
516 // for when we want an fc8 pattern every 4 logical bits
517 if(c==0) {
518 dest[((*n)++)]=1;
519 dest[((*n)++)]=1;
520 dest[((*n)++)]=1;
521 dest[((*n)++)]=1;
522 dest[((*n)++)]=0;
523 dest[((*n)++)]=0;
524 dest[((*n)++)]=0;
525 dest[((*n)++)]=0;
526 }
527
528 // an fc/8 encoded bit is a bit pattern of 11110000 x6 = 48 samples
529 if(c==8) {
530 for (idx=0; idx<6; idx++) {
531 dest[((*n)++)]=1;
532 dest[((*n)++)]=1;
533 dest[((*n)++)]=1;
534 dest[((*n)++)]=1;
535 dest[((*n)++)]=0;
536 dest[((*n)++)]=0;
537 dest[((*n)++)]=0;
538 dest[((*n)++)]=0;
539 }
540 }
541
542 // an fc/10 encoded bit is a bit pattern of 1111100000 x5 = 50 samples
543 if(c==10) {
544 for (idx=0; idx<5; idx++) {
545 dest[((*n)++)]=1;
546 dest[((*n)++)]=1;
547 dest[((*n)++)]=1;
548 dest[((*n)++)]=1;
549 dest[((*n)++)]=1;
550 dest[((*n)++)]=0;
551 dest[((*n)++)]=0;
552 dest[((*n)++)]=0;
553 dest[((*n)++)]=0;
554 dest[((*n)++)]=0;
555 }
556 }
557 }
558 // compose fc/X fc/Y waveform (FSKx)
559 static void fcAll(uint8_t fc, int *n, uint8_t clock, uint16_t *modCnt)
560 {
561 uint8_t *dest = BigBuf_get_addr();
562 uint8_t halfFC = fc/2;
563 uint8_t wavesPerClock = clock/fc;
564 uint8_t mod = clock % fc; //modifier
565 uint8_t modAdj = fc/mod; //how often to apply modifier
566 bool modAdjOk = !(fc % mod); //if (fc % mod==0) modAdjOk=TRUE;
567 // loop through clock - step field clock
568 for (uint8_t idx=0; idx < wavesPerClock; idx++){
569 // put 1/2 FC length 1's and 1/2 0's per field clock wave (to create the wave)
570 memset(dest+(*n), 0, fc-halfFC); //in case of odd number use extra here
571 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
572 *n += fc;
573 }
574 if (mod>0) (*modCnt)++;
575 if ((mod>0) && modAdjOk){ //fsk2
576 if ((*modCnt % modAdj) == 0){ //if 4th 8 length wave in a rf/50 add extra 8 length wave
577 memset(dest+(*n), 0, fc-halfFC);
578 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
579 *n += fc;
580 }
581 }
582 if (mod>0 && !modAdjOk){ //fsk1
583 memset(dest+(*n), 0, mod-(mod/2));
584 memset(dest+(*n)+(mod-(mod/2)), 1, mod/2);
585 *n += mod;
586 }
587 }
588
589 // prepare a waveform pattern in the buffer based on the ID given then
590 // simulate a HID tag until the button is pressed
591 void CmdHIDsimTAG(int hi, int lo, int ledcontrol)
592 {
593 int n=0, i=0;
594 /*
595 HID tag bitstream format
596 The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits
597 A 1 bit is represented as 6 fc8 and 5 fc10 patterns
598 A 0 bit is represented as 5 fc10 and 6 fc8 patterns
599 A fc8 is inserted before every 4 bits
600 A special start of frame pattern is used consisting a0b0 where a and b are neither 0
601 nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10)
602 */
603
604 if (hi>0xFFF) {
605 DbpString("Tags can only have 44 bits. - USE lf simfsk for larger tags");
606 return;
607 }
608 // set LF so we don't kill the bigbuf we are setting with simulation data.
609 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
610
611 fc(0,&n);
612 // special start of frame marker containing invalid bit sequences
613 fc(8, &n); fc(8, &n); // invalid
614 fc(8, &n); fc(10, &n); // logical 0
615 fc(10, &n); fc(10, &n); // invalid
616 fc(8, &n); fc(10, &n); // logical 0
617
618 WDT_HIT();
619 // manchester encode bits 43 to 32
620 for (i=11; i>=0; i--) {
621 if ((i%4)==3) fc(0,&n);
622 if ((hi>>i)&1) {
623 fc(10, &n); fc(8, &n); // low-high transition
624 } else {
625 fc(8, &n); fc(10, &n); // high-low transition
626 }
627 }
628
629 WDT_HIT();
630 // manchester encode bits 31 to 0
631 for (i=31; i>=0; i--) {
632 if ((i%4)==3) fc(0,&n);
633 if ((lo>>i)&1) {
634 fc(10, &n); fc(8, &n); // low-high transition
635 } else {
636 fc(8, &n); fc(10, &n); // high-low transition
637 }
638 }
639
640 if (ledcontrol)
641 LED_A_ON();
642 SimulateTagLowFrequency(n, 0, ledcontrol);
643
644 if (ledcontrol)
645 LED_A_OFF();
646 }
647
648 // prepare a waveform pattern in the buffer based on the ID given then
649 // simulate a FSK tag until the button is pressed
650 // arg1 contains fcHigh and fcLow, arg2 contains invert and clock
651 void CmdFSKsimTAG(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
652 {
653 int ledcontrol=1;
654 int n=0, i=0;
655 uint8_t fcHigh = arg1 >> 8;
656 uint8_t fcLow = arg1 & 0xFF;
657 uint16_t modCnt = 0;
658 uint8_t clk = arg2 & 0xFF;
659 uint8_t invert = (arg2 >> 8) & 1;
660
661 // set LF so we don't kill the bigbuf we are setting with simulation data.
662 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
663
664 for (i=0; i<size; i++){
665 if (BitStream[i] == invert){
666 fcAll(fcLow, &n, clk, &modCnt);
667 } else {
668 fcAll(fcHigh, &n, clk, &modCnt);
669 }
670 }
671 Dbprintf("Simulating with fcHigh: %d, fcLow: %d, clk: %d, invert: %d, n: %d",fcHigh, fcLow, clk, invert, n);
672 /*Dbprintf("DEBUG: First 32:");
673 uint8_t *dest = BigBuf_get_addr();
674 i=0;
675 Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
676 i+=16;
677 Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
678 */
679 if (ledcontrol)
680 LED_A_ON();
681
682 SimulateTagLowFrequency(n, 0, ledcontrol);
683
684 if (ledcontrol)
685 LED_A_OFF();
686 }
687
688 // compose ask waveform for one bit(ASK)
689 static void askSimBit(uint8_t c, int *n, uint8_t clock, uint8_t manchester)
690 {
691 uint8_t *dest = BigBuf_get_addr();
692 uint8_t halfClk = clock/2;
693 // c = current bit 1 or 0
694 if (manchester==1){
695 memset(dest+(*n), c, halfClk);
696 memset(dest+(*n) + halfClk, c^1, halfClk);
697 } else {
698 memset(dest+(*n), c, clock);
699 }
700 *n += clock;
701 }
702
703 static void biphaseSimBit(uint8_t c, int *n, uint8_t clock, uint8_t *phase)
704 {
705 uint8_t *dest = BigBuf_get_addr();
706 uint8_t halfClk = clock/2;
707 if (c){
708 memset(dest+(*n), c ^ 1 ^ *phase, halfClk);
709 memset(dest+(*n) + halfClk, c ^ *phase, halfClk);
710 } else {
711 memset(dest+(*n), c ^ *phase, clock);
712 *phase ^= 1;
713 }
714 *n += clock;
715 }
716
717 static void stAskSimBit(int *n, uint8_t clock) {
718 uint8_t *dest = BigBuf_get_addr();
719 uint8_t halfClk = clock/2;
720 //ST = .5 high .5 low 1.5 high .5 low 1 high
721 memset(dest+(*n), 1, halfClk);
722 memset(dest+(*n) + halfClk, 0, halfClk);
723 memset(dest+(*n) + clock, 1, clock + halfClk);
724 memset(dest+(*n) + clock*2 + halfClk, 0, halfClk);
725 memset(dest+(*n) + clock*3, 1, clock);
726 *n += clock*4;
727 }
728
729 // args clock, ask/man or askraw, invert, transmission separator
730 void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
731 {
732 int ledcontrol = 1;
733 int n=0, i=0;
734 uint8_t clk = (arg1 >> 8) & 0xFF;
735 uint8_t encoding = arg1 & 0xFF;
736 uint8_t separator = arg2 & 1;
737 uint8_t invert = (arg2 >> 8) & 1;
738
739 // set LF so we don't kill the bigbuf we are setting with simulation data.
740 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
741
742 if (encoding==2){ //biphase
743 uint8_t phase=0;
744 for (i=0; i<size; i++){
745 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
746 }
747 if (phase==1) { //run a second set inverted to keep phase in check
748 for (i=0; i<size; i++){
749 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
750 }
751 }
752 } else { // ask/manchester || ask/raw
753 for (i=0; i<size; i++){
754 askSimBit(BitStream[i]^invert, &n, clk, encoding);
755 }
756 if (encoding==0 && BitStream[0]==BitStream[size-1]){ //run a second set inverted (for ask/raw || biphase phase)
757 for (i=0; i<size; i++){
758 askSimBit(BitStream[i]^invert^1, &n, clk, encoding);
759 }
760 }
761 }
762 if (separator==1 && encoding == 1)
763 stAskSimBit(&n, clk);
764 else if (separator==1)
765 Dbprintf("sorry but separator option not yet available");
766
767 Dbprintf("Simulating with clk: %d, invert: %d, encoding: %d, separator: %d, n: %d",clk, invert, encoding, separator, n);
768 //DEBUG
769 //Dbprintf("First 32:");
770 //uint8_t *dest = BigBuf_get_addr();
771 //i=0;
772 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
773 //i+=16;
774 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
775
776 if (ledcontrol) LED_A_ON();
777 SimulateTagLowFrequency(n, 0, ledcontrol);
778 if (ledcontrol) LED_A_OFF();
779 }
780
781 //carrier can be 2,4 or 8
782 static void pskSimBit(uint8_t waveLen, int *n, uint8_t clk, uint8_t *curPhase, bool phaseChg)
783 {
784 uint8_t *dest = BigBuf_get_addr();
785 uint8_t halfWave = waveLen/2;
786 //uint8_t idx;
787 int i = 0;
788 if (phaseChg){
789 // write phase change
790 memset(dest+(*n), *curPhase^1, halfWave);
791 memset(dest+(*n) + halfWave, *curPhase, halfWave);
792 *n += waveLen;
793 *curPhase ^= 1;
794 i += waveLen;
795 }
796 //write each normal clock wave for the clock duration
797 for (; i < clk; i+=waveLen){
798 memset(dest+(*n), *curPhase, halfWave);
799 memset(dest+(*n) + halfWave, *curPhase^1, halfWave);
800 *n += waveLen;
801 }
802 }
803
804 // args clock, carrier, invert,
805 void CmdPSKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
806 {
807 int ledcontrol=1;
808 int n=0, i=0;
809 uint8_t clk = arg1 >> 8;
810 uint8_t carrier = arg1 & 0xFF;
811 uint8_t invert = arg2 & 0xFF;
812 uint8_t curPhase = 0;
813 // set LF so we don't kill the bigbuf we are setting with simulation data.
814 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
815
816 for (i=0; i<size; i++){
817 if (BitStream[i] == curPhase){
818 pskSimBit(carrier, &n, clk, &curPhase, FALSE);
819 } else {
820 pskSimBit(carrier, &n, clk, &curPhase, TRUE);
821 }
822 }
823 Dbprintf("Simulating with Carrier: %d, clk: %d, invert: %d, n: %d",carrier, clk, invert, n);
824 //Dbprintf("DEBUG: First 32:");
825 //uint8_t *dest = BigBuf_get_addr();
826 //i=0;
827 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
828 //i+=16;
829 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
830
831 if (ledcontrol) LED_A_ON();
832 SimulateTagLowFrequency(n, 0, ledcontrol);
833 if (ledcontrol) LED_A_OFF();
834 }
835
836 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
837 void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
838 {
839 uint8_t *dest = BigBuf_get_addr();
840 //const size_t sizeOfBigBuff = BigBuf_max_traceLen();
841 size_t size;
842 uint32_t hi2=0, hi=0, lo=0;
843 int idx=0;
844 int dummyIdx = 0;
845 // Configure to go in 125Khz listen mode
846 LFSetupFPGAForADC(95, true);
847
848 //clear read buffer
849 BigBuf_Clear_keep_EM();
850
851 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
852
853 WDT_HIT();
854 if (ledcontrol) LED_A_ON();
855
856 DoAcquisition_default(-1,true);
857 // FSK demodulator
858 //size = sizeOfBigBuff; //variable size will change after demod so re initialize it before use
859 size = 50*128*2; //big enough to catch 2 sequences of largest format
860 idx = HIDdemodFSK(dest, &size, &hi2, &hi, &lo, &dummyIdx);
861
862 if (idx>0 && lo>0 && (size==96 || size==192)){
863 // go over previously decoded manchester data and decode into usable tag ID
864 if (hi2 != 0){ //extra large HID tags 88/192 bits
865 Dbprintf("TAG ID: %x%08x%08x (%d)",
866 (unsigned int) hi2, (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
867 }else { //standard HID tags 44/96 bits
868 //Dbprintf("TAG ID: %x%08x (%d)",(unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); //old print cmd
869 uint8_t bitlen = 0;
870 uint32_t fc = 0;
871 uint32_t cardnum = 0;
872 if (((hi>>5)&1) == 1){//if bit 38 is set then < 37 bit format is used
873 uint32_t lo2=0;
874 lo2=(((hi & 31) << 12) | (lo>>20)); //get bits 21-37 to check for format len bit
875 uint8_t idx3 = 1;
876 while(lo2 > 1){ //find last bit set to 1 (format len bit)
877 lo2=lo2 >> 1;
878 idx3++;
879 }
880 bitlen = idx3+19;
881 fc =0;
882 cardnum=0;
883 if(bitlen == 26){
884 cardnum = (lo>>1)&0xFFFF;
885 fc = (lo>>17)&0xFF;
886 }
887 if(bitlen == 37){
888 cardnum = (lo>>1)&0x7FFFF;
889 fc = ((hi&0xF)<<12)|(lo>>20);
890 }
891 if(bitlen == 34){
892 cardnum = (lo>>1)&0xFFFF;
893 fc= ((hi&1)<<15)|(lo>>17);
894 }
895 if(bitlen == 35){
896 cardnum = (lo>>1)&0xFFFFF;
897 fc = ((hi&1)<<11)|(lo>>21);
898 }
899 }
900 else { //if bit 38 is not set then 37 bit format is used
901 bitlen= 37;
902 fc =0;
903 cardnum=0;
904 if(bitlen==37){
905 cardnum = (lo>>1)&0x7FFFF;
906 fc = ((hi&0xF)<<12)|(lo>>20);
907 }
908 }
909 //Dbprintf("TAG ID: %x%08x (%d)",
910 // (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
911 Dbprintf("TAG ID: %x%08x (%d) - Format Len: %dbit - FC: %d - Card: %d",
912 (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF,
913 (unsigned int) bitlen, (unsigned int) fc, (unsigned int) cardnum);
914 }
915 if (findone){
916 if (ledcontrol) LED_A_OFF();
917 *high = hi;
918 *low = lo;
919 break;
920 }
921 // reset
922 }
923 hi2 = hi = lo = idx = 0;
924 WDT_HIT();
925 }
926
927 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
928 DbpString("Stopped");
929 if (ledcontrol) LED_A_OFF();
930 }
931
932 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
933 void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
934 {
935 uint8_t *dest = BigBuf_get_addr();
936 size_t size;
937 int idx=0, dummyIdx=0;
938 //clear read buffer
939 BigBuf_Clear_keep_EM();
940 // Configure to go in 125Khz listen mode
941 LFSetupFPGAForADC(95, true);
942
943 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
944
945 WDT_HIT();
946 if (ledcontrol) LED_A_ON();
947
948 DoAcquisition_default(-1,true);
949 // FSK demodulator
950 size = 50*128*2; //big enough to catch 2 sequences of largest format
951 idx = AWIDdemodFSK(dest, &size, &dummyIdx);
952
953 if (idx<=0 || size!=96) continue;
954 // Index map
955 // 0 10 20 30 40 50 60
956 // | | | | | | |
957 // 01234567 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 - to 96
958 // -----------------------------------------------------------------------------
959 // 00000001 000 1 110 1 101 1 011 1 101 1 010 0 000 1 000 1 010 0 001 0 110 1 100 0 000 1 000 1
960 // premable bbb o bbb o bbw o fff o fff o ffc o ccc o ccc o ccc o ccc o ccc o wxx o xxx o xxx o - to 96
961 // |---26 bit---| |-----117----||-------------142-------------|
962 // b = format bit len, o = odd parity of last 3 bits
963 // f = facility code, c = card number
964 // w = wiegand parity
965 // (26 bit format shown)
966
967 //get raw ID before removing parities
968 uint32_t rawLo = bytebits_to_byte(dest+idx+64,32);
969 uint32_t rawHi = bytebits_to_byte(dest+idx+32,32);
970 uint32_t rawHi2 = bytebits_to_byte(dest+idx,32);
971
972 size = removeParity(dest, idx+8, 4, 1, 88);
973 if (size != 66) continue;
974 // ok valid card found!
975
976 // Index map
977 // 0 10 20 30 40 50 60
978 // | | | | | | |
979 // 01234567 8 90123456 7890123456789012 3 456789012345678901234567890123456
980 // -----------------------------------------------------------------------------
981 // 00011010 1 01110101 0000000010001110 1 000000000000000000000000000000000
982 // bbbbbbbb w ffffffff cccccccccccccccc w xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
983 // |26 bit| |-117--| |-----142------|
984 // b = format bit len, o = odd parity of last 3 bits
985 // f = facility code, c = card number
986 // w = wiegand parity
987 // (26 bit format shown)
988
989 uint32_t fc = 0;
990 uint32_t cardnum = 0;
991 uint32_t code1 = 0;
992 uint32_t code2 = 0;
993 uint8_t fmtLen = bytebits_to_byte(dest,8);
994 if (fmtLen==26){
995 fc = bytebits_to_byte(dest+9, 8);
996 cardnum = bytebits_to_byte(dest+17, 16);
997 code1 = bytebits_to_byte(dest+8,fmtLen);
998 Dbprintf("AWID Found - BitLength: %d, FC: %d, Card: %d - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, fc, cardnum, code1, rawHi2, rawHi, rawLo);
999 } else {
1000 cardnum = bytebits_to_byte(dest+8+(fmtLen-17), 16);
1001 if (fmtLen>32){
1002 code1 = bytebits_to_byte(dest+8,fmtLen-32);
1003 code2 = bytebits_to_byte(dest+8+(fmtLen-32),32);
1004 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%d) - Wiegand: %x%08x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, code2, rawHi2, rawHi, rawLo);
1005 } else{
1006 code1 = bytebits_to_byte(dest+8,fmtLen);
1007 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%d) - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, rawHi2, rawHi, rawLo);
1008 }
1009 }
1010 if (findone){
1011 if (ledcontrol) LED_A_OFF();
1012 break;
1013 }
1014 // reset
1015 idx = 0;
1016 WDT_HIT();
1017 }
1018 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1019 DbpString("Stopped");
1020 if (ledcontrol) LED_A_OFF();
1021 }
1022
1023 void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol)
1024 {
1025 uint8_t *dest = BigBuf_get_addr();
1026
1027 size_t size=0, idx=0;
1028 int clk=0, invert=0, errCnt=0, maxErr=20;
1029 uint32_t hi=0;
1030 uint64_t lo=0;
1031 //clear read buffer
1032 BigBuf_Clear_keep_EM();
1033 // Configure to go in 125Khz listen mode
1034 LFSetupFPGAForADC(95, true);
1035
1036 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
1037
1038 WDT_HIT();
1039 if (ledcontrol) LED_A_ON();
1040
1041 DoAcquisition_default(-1,true);
1042 size = BigBuf_max_traceLen();
1043 //askdemod and manchester decode
1044 if (size > 16385) size = 16385; //big enough to catch 2 sequences of largest format
1045 errCnt = askdemod(dest, &size, &clk, &invert, maxErr, 0, 1);
1046 WDT_HIT();
1047
1048 if (errCnt<0) continue;
1049
1050 errCnt = Em410xDecode(dest, &size, &idx, &hi, &lo);
1051 if (errCnt){
1052 if (size>64){
1053 Dbprintf("EM XL TAG ID: %06x%08x%08x - (%05d_%03d_%08d)",
1054 hi,
1055 (uint32_t)(lo>>32),
1056 (uint32_t)lo,
1057 (uint32_t)(lo&0xFFFF),
1058 (uint32_t)((lo>>16LL) & 0xFF),
1059 (uint32_t)(lo & 0xFFFFFF));
1060 } else {
1061 Dbprintf("EM TAG ID: %02x%08x - (%05d_%03d_%08d)",
1062 (uint32_t)(lo>>32),
1063 (uint32_t)lo,
1064 (uint32_t)(lo&0xFFFF),
1065 (uint32_t)((lo>>16LL) & 0xFF),
1066 (uint32_t)(lo & 0xFFFFFF));
1067 }
1068
1069 if (findone){
1070 if (ledcontrol) LED_A_OFF();
1071 *high=lo>>32;
1072 *low=lo & 0xFFFFFFFF;
1073 break;
1074 }
1075 }
1076 WDT_HIT();
1077 hi = lo = size = idx = 0;
1078 clk = invert = errCnt = 0;
1079 }
1080 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1081 DbpString("Stopped");
1082 if (ledcontrol) LED_A_OFF();
1083 }
1084
1085 void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
1086 {
1087 uint8_t *dest = BigBuf_get_addr();
1088 int idx=0;
1089 uint32_t code=0, code2=0;
1090 uint8_t version=0;
1091 uint8_t facilitycode=0;
1092 uint16_t number=0;
1093 int dummyIdx=0;
1094 //clear read buffer
1095 BigBuf_Clear_keep_EM();
1096 // Configure to go in 125Khz listen mode
1097 LFSetupFPGAForADC(95, true);
1098
1099 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
1100 WDT_HIT();
1101 if (ledcontrol) LED_A_ON();
1102 DoAcquisition_default(-1,true);
1103 //fskdemod and get start index
1104 WDT_HIT();
1105 idx = IOdemodFSK(dest, BigBuf_max_traceLen(), &dummyIdx);
1106 if (idx<0) continue;
1107 //valid tag found
1108
1109 //Index map
1110 //0 10 20 30 40 50 60
1111 //| | | | | | |
1112 //01234567 8 90123456 7 89012345 6 78901234 5 67890123 4 56789012 3 45678901 23
1113 //-----------------------------------------------------------------------------
1114 //00000000 0 11110000 1 facility 1 version* 1 code*one 1 code*two 1 ???????? 11
1115 //
1116 //XSF(version)facility:codeone+codetwo
1117 //Handle the data
1118 if(findone){ //only print binary if we are doing one
1119 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx], dest[idx+1], dest[idx+2],dest[idx+3],dest[idx+4],dest[idx+5],dest[idx+6],dest[idx+7],dest[idx+8]);
1120 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+9], dest[idx+10],dest[idx+11],dest[idx+12],dest[idx+13],dest[idx+14],dest[idx+15],dest[idx+16],dest[idx+17]);
1121 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+18],dest[idx+19],dest[idx+20],dest[idx+21],dest[idx+22],dest[idx+23],dest[idx+24],dest[idx+25],dest[idx+26]);
1122 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+27],dest[idx+28],dest[idx+29],dest[idx+30],dest[idx+31],dest[idx+32],dest[idx+33],dest[idx+34],dest[idx+35]);
1123 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+36],dest[idx+37],dest[idx+38],dest[idx+39],dest[idx+40],dest[idx+41],dest[idx+42],dest[idx+43],dest[idx+44]);
1124 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+45],dest[idx+46],dest[idx+47],dest[idx+48],dest[idx+49],dest[idx+50],dest[idx+51],dest[idx+52],dest[idx+53]);
1125 Dbprintf("%d%d%d%d%d%d%d%d %d%d",dest[idx+54],dest[idx+55],dest[idx+56],dest[idx+57],dest[idx+58],dest[idx+59],dest[idx+60],dest[idx+61],dest[idx+62],dest[idx+63]);
1126 }
1127 code = bytebits_to_byte(dest+idx,32);
1128 code2 = bytebits_to_byte(dest+idx+32,32);
1129 version = bytebits_to_byte(dest+idx+27,8); //14,4
1130 facilitycode = bytebits_to_byte(dest+idx+18,8);
1131 number = (bytebits_to_byte(dest+idx+36,8)<<8)|(bytebits_to_byte(dest+idx+45,8)); //36,9
1132
1133 Dbprintf("XSF(%02d)%02x:%05d (%08x%08x)",version,facilitycode,number,code,code2);
1134 // if we're only looking for one tag
1135 if (findone){
1136 if (ledcontrol) LED_A_OFF();
1137 //LED_A_OFF();
1138 *high=code;
1139 *low=code2;
1140 break;
1141 }
1142 code=code2=0;
1143 version=facilitycode=0;
1144 number=0;
1145 idx=0;
1146
1147 WDT_HIT();
1148 }
1149 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1150 DbpString("Stopped");
1151 if (ledcontrol) LED_A_OFF();
1152 }
1153
1154 /*------------------------------
1155 * T5555/T5557/T5567/T5577 routines
1156 *------------------------------
1157 * NOTE: T55x7/T5555 configuration register definitions moved to protocols.h
1158 *
1159 * Relevant communication times in microsecond
1160 * To compensate antenna falling times shorten the write times
1161 * and enlarge the gap ones.
1162 * Q5 tags seems to have issues when these values changes.
1163 */
1164 #define START_GAP 31*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (or 15fc)
1165 #define WRITE_GAP 20*8 // was 160 // SPEC: 1*8 to 20*8 - typ 10*8 (or 10fc)
1166 #define WRITE_0 18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc)
1167 #define WRITE_1 50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc) 432 for T55x7; 448 for E5550
1168 #define READ_GAP 15*8
1169
1170 void TurnReadLFOn(int delay) {
1171 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
1172 // Give it a bit of time for the resonant antenna to settle.
1173 WaitUS(delay); //155*8 //50*8
1174 }
1175
1176 // Write one bit to card
1177 void T55xxWriteBit(int bit) {
1178 if (!bit)
1179 TurnReadLFOn(WRITE_0);
1180 else
1181 TurnReadLFOn(WRITE_1);
1182 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1183 WaitUS(WRITE_GAP);
1184 }
1185
1186 // Send T5577 reset command then read stream (see if we can identify the start of the stream)
1187 void T55xxResetRead(void) {
1188 LED_A_ON();
1189 //clear buffer now so it does not interfere with timing later
1190 BigBuf_Clear_keep_EM();
1191
1192 // Set up FPGA, 125kHz
1193 LFSetupFPGAForADC(95, true);
1194 StartTicks();
1195 // make sure tag is fully powered up...
1196 WaitMS(5);
1197
1198 // Trigger T55x7 in mode.
1199 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1200 WaitUS(START_GAP);
1201
1202 // reset tag - op code 00
1203 T55xxWriteBit(0);
1204 T55xxWriteBit(0);
1205
1206 TurnReadLFOn(READ_GAP);
1207
1208 // Acquisition
1209 DoPartialAcquisition(0, true, BigBuf_max_traceLen(), 0);
1210
1211 // Turn the field off
1212 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1213 cmd_send(CMD_ACK,0,0,0,0,0);
1214 LED_A_OFF();
1215 }
1216
1217 // Write one card block in page 0, no lock
1218 void T55xxWriteBlockExt(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
1219 LED_A_ON();
1220 bool PwdMode = arg & 0x1;
1221 uint8_t Page = (arg & 0x2)>>1;
1222 bool testMode = arg & 0x4;
1223 uint32_t i = 0;
1224
1225 // Set up FPGA, 125kHz
1226 LFSetupFPGAForADC(95, true);
1227 StartTicks();
1228 // make sure tag is fully powered up...
1229 WaitMS(5);
1230 // Trigger T55x7 in mode.
1231 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1232 WaitUS(START_GAP);
1233
1234 if (testMode) Dbprintf("TestMODE");
1235 // Std Opcode 10
1236 T55xxWriteBit(testMode ? 0 : 1);
1237 T55xxWriteBit(testMode ? 1 : Page); //Page 0
1238
1239 if (PwdMode) {
1240 // Send Pwd
1241 for (i = 0x80000000; i != 0; i >>= 1)
1242 T55xxWriteBit(Pwd & i);
1243 }
1244 // Send Lock bit
1245 T55xxWriteBit(0);
1246
1247 // Send Data
1248 for (i = 0x80000000; i != 0; i >>= 1)
1249 T55xxWriteBit(Data & i);
1250
1251 // Send Block number
1252 for (i = 0x04; i != 0; i >>= 1)
1253 T55xxWriteBit(Block & i);
1254
1255 // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
1256 // so wait a little more)
1257
1258 // "there is a clock delay before programming"
1259 // - programming takes ~5.6ms for t5577 ~18ms for E5550 or t5567
1260 // so we should wait 1 clock + 5.6ms then read response?
1261 // but we need to know we are dealing with t5577 vs t5567 vs e5550 (or q5) marshmellow...
1262 if (testMode) {
1263 //TESTMODE TIMING TESTS:
1264 // <566us does nothing
1265 // 566-568 switches between wiping to 0s and doing nothing
1266 // 5184 wipes and allows 1 block to be programmed.
1267 // indefinite power on wipes and then programs all blocks with bitshifted data sent.
1268 TurnReadLFOn(5184);
1269
1270 } else {
1271 TurnReadLFOn(20 * 1000);
1272 //could attempt to do a read to confirm write took
1273 // as the tag should repeat back the new block
1274 // until it is reset, but to confirm it we would
1275 // need to know the current block 0 config mode for
1276 // modulation clock an other details to demod the response...
1277 // response should be (for t55x7) a 0 bit then (ST if on)
1278 // block data written in on repeat until reset.
1279
1280 //DoPartialAcquisition(20, true, 12000);
1281 }
1282
1283 // turn field off
1284 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1285 LED_A_OFF();
1286 }
1287
1288 // Write one card block in page 0, no lock
1289 void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
1290 T55xxWriteBlockExt(Data, Block, Pwd, arg);
1291 cmd_send(CMD_ACK,0,0,0,0,0);
1292 }
1293
1294 // Read one card block in page [page]
1295 void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) {
1296 LED_A_ON();
1297 bool PwdMode = arg0 & 0x1;
1298 uint8_t Page = (arg0 & 0x2) >> 1;
1299 uint32_t i = 0;
1300 bool RegReadMode = (Block == 0xFF);//regular read mode
1301
1302 //clear buffer now so it does not interfere with timing later
1303 BigBuf_Clear_ext(false);
1304
1305 //make sure block is at max 7
1306 Block &= 0x7;
1307
1308 // Set up FPGA, 125kHz to power up the tag
1309 LFSetupFPGAForADC(95, true);
1310 StartTicks();
1311 // make sure tag is fully powered up...
1312 WaitMS(5);
1313 // Trigger T55x7 Direct Access Mode with start gap
1314 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1315 WaitUS(START_GAP);
1316
1317 // Opcode 1[page]
1318 T55xxWriteBit(1);
1319 T55xxWriteBit(Page); //Page 0
1320
1321 if (PwdMode){
1322 // Send Pwd
1323 for (i = 0x80000000; i != 0; i >>= 1)
1324 T55xxWriteBit(Pwd & i);
1325 }
1326 // Send a zero bit separation
1327 T55xxWriteBit(0);
1328
1329 // Send Block number (if direct access mode)
1330 if (!RegReadMode)
1331 for (i = 0x04; i != 0; i >>= 1)
1332 T55xxWriteBit(Block & i);
1333
1334 // Turn field on to read the response
1335 // 137*8 seems to get to the start of data pretty well...
1336 // but we want to go past the start and let the repeating data settle in...
1337 TurnReadLFOn(210*8);
1338
1339 // Acquisition
1340 // Now do the acquisition
1341 DoPartialAcquisition(0, true, 12000, 0);
1342
1343 // Turn the field off
1344 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1345 cmd_send(CMD_ACK,0,0,0,0,0);
1346 LED_A_OFF();
1347 }
1348
1349 void T55xxWakeUp(uint32_t Pwd){
1350 LED_B_ON();
1351 uint32_t i = 0;
1352
1353 // Set up FPGA, 125kHz
1354 LFSetupFPGAForADC(95, true);
1355 StartTicks();
1356 // make sure tag is fully powered up...
1357 WaitMS(5);
1358
1359 // Trigger T55x7 Direct Access Mode
1360 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1361 WaitUS(START_GAP);
1362
1363 // Opcode 10
1364 T55xxWriteBit(1);
1365 T55xxWriteBit(0); //Page 0
1366
1367 // Send Pwd
1368 for (i = 0x80000000; i != 0; i >>= 1)
1369 T55xxWriteBit(Pwd & i);
1370
1371 // Turn and leave field on to let the begin repeating transmission
1372 TurnReadLFOn(20*1000);
1373 }
1374
1375 /*-------------- Cloning routines -----------*/
1376
1377 void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
1378 // write last block first and config block last (if included)
1379 for (uint8_t i = numblocks+startblock; i > startblock; i--) {
1380 T55xxWriteBlockExt(blockdata[i-1],i-1,0,0);
1381 }
1382 }
1383
1384 // Copy HID id to card and setup block 0 config
1385 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) {
1386 uint32_t data[] = {0,0,0,0,0,0,0};
1387 uint8_t last_block = 0;
1388
1389 if (longFMT) {
1390 // Ensure no more than 84 bits supplied
1391 if (hi2>0xFFFFF) {
1392 DbpString("Tags can only have 84 bits.");
1393 return;
1394 }
1395 // Build the 6 data blocks for supplied 84bit ID
1396 last_block = 6;
1397 // load preamble (1D) & long format identifier (9E manchester encoded)
1398 data[1] = 0x1D96A900 | (manchesterEncode2Bytes((hi2 >> 16) & 0xF) & 0xFF);
1399 // load raw id from hi2, hi, lo to data blocks (manchester encoded)
1400 data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF);
1401 data[3] = manchesterEncode2Bytes(hi >> 16);
1402 data[4] = manchesterEncode2Bytes(hi & 0xFFFF);
1403 data[5] = manchesterEncode2Bytes(lo >> 16);
1404 data[6] = manchesterEncode2Bytes(lo & 0xFFFF);
1405 } else {
1406 // Ensure no more than 44 bits supplied
1407 if (hi>0xFFF) {
1408 DbpString("Tags can only have 44 bits.");
1409 return;
1410 }
1411 // Build the 3 data blocks for supplied 44bit ID
1412 last_block = 3;
1413 // load preamble
1414 data[1] = 0x1D000000 | (manchesterEncode2Bytes(hi) & 0xFFFFFF);
1415 data[2] = manchesterEncode2Bytes(lo >> 16);
1416 data[3] = manchesterEncode2Bytes(lo & 0xFFFF);
1417 }
1418 // load chip config block
1419 data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT;
1420
1421 //TODO add selection of chip for Q5 or T55x7
1422 // data[0] = (((50-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | last_block << T5555_MAXBLOCK_SHIFT;
1423
1424 LED_D_ON();
1425 // Program the data blocks for supplied ID
1426 // and the block 0 for HID format
1427 WriteT55xx(data, 0, last_block+1);
1428
1429 LED_D_OFF();
1430
1431 DbpString("DONE!");
1432 }
1433
1434 void CopyIOtoT55x7(uint32_t hi, uint32_t lo) {
1435 uint32_t data[] = {T55x7_BITRATE_RF_64 | T55x7_MODULATION_FSK2a | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
1436 //TODO add selection of chip for Q5 or T55x7
1437 // data[0] = (((64-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | 2 << T5555_MAXBLOCK_SHIFT;
1438
1439 LED_D_ON();
1440 // Program the data blocks for supplied ID
1441 // and the block 0 config
1442 WriteT55xx(data, 0, 3);
1443
1444 LED_D_OFF();
1445
1446 DbpString("DONE!");
1447 }
1448
1449 // Clone Indala 64-bit tag by UID to T55x7
1450 void CopyIndala64toT55x7(uint32_t hi, uint32_t lo) {
1451 //Program the 2 data blocks for supplied 64bit UID
1452 // and the Config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2)
1453 uint32_t data[] = { T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
1454 //TODO add selection of chip for Q5 or T55x7
1455 // data[0] = (((32-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 2 << T5555_MAXBLOCK_SHIFT;
1456
1457 WriteT55xx(data, 0, 3);
1458 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
1459 // T5567WriteBlock(0x603E1042,0);
1460 DbpString("DONE!");
1461 }
1462 // Clone Indala 224-bit tag by UID to T55x7
1463 void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7) {
1464 //Program the 7 data blocks for supplied 224bit UID
1465 uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7};
1466 // and the block 0 for Indala224 format
1467 //Config for Indala (RF/32;PSK2 with RF/2;Maxblock=7)
1468 data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK2 | (7 << T55x7_MAXBLOCK_SHIFT);
1469 //TODO add selection of chip for Q5 or T55x7
1470 // data[0] = (((32-2)>>1)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK2 | 7 << T5555_MAXBLOCK_SHIFT;
1471 WriteT55xx(data, 0, 8);
1472 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
1473 // T5567WriteBlock(0x603E10E2,0);
1474 DbpString("DONE!");
1475 }
1476 // clone viking tag to T55xx
1477 void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5) {
1478 uint32_t data[] = {T55x7_BITRATE_RF_32 | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT), block1, block2};
1479 if (Q5) data[0] = T5555_SET_BITRATE(32) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
1480 // Program the data blocks for supplied ID and the block 0 config
1481 WriteT55xx(data, 0, 3);
1482 LED_D_OFF();
1483 cmd_send(CMD_ACK,0,0,0,0,0);
1484 }
1485
1486 // Define 9bit header for EM410x tags
1487 #define EM410X_HEADER 0x1FF
1488 #define EM410X_ID_LENGTH 40
1489
1490 void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo) {
1491 int i, id_bit;
1492 uint64_t id = EM410X_HEADER;
1493 uint64_t rev_id = 0; // reversed ID
1494 int c_parity[4]; // column parity
1495 int r_parity = 0; // row parity
1496 uint32_t clock = 0;
1497
1498 // Reverse ID bits given as parameter (for simpler operations)
1499 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1500 if (i < 32) {
1501 rev_id = (rev_id << 1) | (id_lo & 1);
1502 id_lo >>= 1;
1503 } else {
1504 rev_id = (rev_id << 1) | (id_hi & 1);
1505 id_hi >>= 1;
1506 }
1507 }
1508
1509 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1510 id_bit = rev_id & 1;
1511
1512 if (i % 4 == 0) {
1513 // Don't write row parity bit at start of parsing
1514 if (i)
1515 id = (id << 1) | r_parity;
1516 // Start counting parity for new row
1517 r_parity = id_bit;
1518 } else {
1519 // Count row parity
1520 r_parity ^= id_bit;
1521 }
1522
1523 // First elements in column?
1524 if (i < 4)
1525 // Fill out first elements
1526 c_parity[i] = id_bit;
1527 else
1528 // Count column parity
1529 c_parity[i % 4] ^= id_bit;
1530
1531 // Insert ID bit
1532 id = (id << 1) | id_bit;
1533 rev_id >>= 1;
1534 }
1535
1536 // Insert parity bit of last row
1537 id = (id << 1) | r_parity;
1538
1539 // Fill out column parity at the end of tag
1540 for (i = 0; i < 4; ++i)
1541 id = (id << 1) | c_parity[i];
1542
1543 // Add stop bit
1544 id <<= 1;
1545
1546 Dbprintf("Started writing %s tag ...", card ? "T55x7":"T5555");
1547 LED_D_ON();
1548
1549 // Write EM410x ID
1550 uint32_t data[] = {0, (uint32_t)(id>>32), (uint32_t)(id & 0xFFFFFFFF)};
1551
1552 clock = (card & 0xFF00) >> 8;
1553 clock = (clock == 0) ? 64 : clock;
1554 Dbprintf("Clock rate: %d", clock);
1555 if (card & 0xFF) { //t55x7
1556 clock = GetT55xxClockBit(clock);
1557 if (clock == 0) {
1558 Dbprintf("Invalid clock rate: %d", clock);
1559 return;
1560 }
1561 data[0] = clock | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT);
1562 } else { //t5555 (Q5)
1563 data[0] = T5555_SET_BITRATE(clock) | T5555_MODULATION_MANCHESTER | (2 << T5555_MAXBLOCK_SHIFT);
1564 }
1565
1566 WriteT55xx(data, 0, 3);
1567
1568 LED_D_OFF();
1569 Dbprintf("Tag %s written with 0x%08x%08x\n", card ? "T55x7":"T5555",
1570 (uint32_t)(id >> 32), (uint32_t)id);
1571 }
1572
1573 //-----------------------------------
1574 // EM4469 / EM4305 routines
1575 //-----------------------------------
1576 #define FWD_CMD_LOGIN 0xC //including the even parity, binary mirrored
1577 #define FWD_CMD_WRITE 0xA
1578 #define FWD_CMD_READ 0x9
1579 #define FWD_CMD_DISABLE 0x5
1580
1581 uint8_t forwardLink_data[64]; //array of forwarded bits
1582 uint8_t * forward_ptr; //ptr for forward message preparation
1583 uint8_t fwd_bit_sz; //forwardlink bit counter
1584 uint8_t * fwd_write_ptr; //forwardlink bit pointer
1585
1586 //====================================================================
1587 // prepares command bits
1588 // see EM4469 spec
1589 //====================================================================
1590 //--------------------------------------------------------------------
1591 // VALUES TAKEN FROM EM4x function: SendForward
1592 // START_GAP = 440; (55*8) cycles at 125Khz (8us = 1cycle)
1593 // WRITE_GAP = 128; (16*8)
1594 // WRITE_1 = 256 32*8; (32*8)
1595
1596 // These timings work for 4469/4269/4305 (with the 55*8 above)
1597 // WRITE_0 = 23*8 , 9*8 SpinDelayUs(23*8);
1598
1599 uint8_t Prepare_Cmd( uint8_t cmd ) {
1600
1601 *forward_ptr++ = 0; //start bit
1602 *forward_ptr++ = 0; //second pause for 4050 code
1603
1604 *forward_ptr++ = cmd;
1605 cmd >>= 1;
1606 *forward_ptr++ = cmd;
1607 cmd >>= 1;
1608 *forward_ptr++ = cmd;
1609 cmd >>= 1;
1610 *forward_ptr++ = cmd;
1611
1612 return 6; //return number of emited bits
1613 }
1614
1615 //====================================================================
1616 // prepares address bits
1617 // see EM4469 spec
1618 //====================================================================
1619 uint8_t Prepare_Addr( uint8_t addr ) {
1620
1621 register uint8_t line_parity;
1622
1623 uint8_t i;
1624 line_parity = 0;
1625 for(i=0;i<6;i++) {
1626 *forward_ptr++ = addr;
1627 line_parity ^= addr;
1628 addr >>= 1;
1629 }
1630
1631 *forward_ptr++ = (line_parity & 1);
1632
1633 return 7; //return number of emited bits
1634 }
1635
1636 //====================================================================
1637 // prepares data bits intreleaved with parity bits
1638 // see EM4469 spec
1639 //====================================================================
1640 uint8_t Prepare_Data( uint16_t data_low, uint16_t data_hi) {
1641
1642 register uint8_t line_parity;
1643 register uint8_t column_parity;
1644 register uint8_t i, j;
1645 register uint16_t data;
1646
1647 data = data_low;
1648 column_parity = 0;
1649
1650 for(i=0; i<4; i++) {
1651 line_parity = 0;
1652 for(j=0; j<8; j++) {
1653 line_parity ^= data;
1654 column_parity ^= (data & 1) << j;
1655 *forward_ptr++ = data;
1656 data >>= 1;
1657 }
1658 *forward_ptr++ = line_parity;
1659 if(i == 1)
1660 data = data_hi;
1661 }
1662
1663 for(j=0; j<8; j++) {
1664 *forward_ptr++ = column_parity;
1665 column_parity >>= 1;
1666 }
1667 *forward_ptr = 0;
1668
1669 return 45; //return number of emited bits
1670 }
1671
1672 //====================================================================
1673 // Forward Link send function
1674 // Requires: forwarLink_data filled with valid bits (1 bit per byte)
1675 // fwd_bit_count set with number of bits to be sent
1676 //====================================================================
1677 void SendForward(uint8_t fwd_bit_count) {
1678
1679 fwd_write_ptr = forwardLink_data;
1680 fwd_bit_sz = fwd_bit_count;
1681
1682 // Set up FPGA, 125kHz or 95 divisor
1683 LFSetupFPGAForADC(95, true);
1684
1685 // force 1st mod pulse (start gap must be longer for 4305)
1686 fwd_bit_sz--; //prepare next bit modulation
1687 fwd_write_ptr++;
1688 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1689 WaitUS(55*8); //55 cycles off (8us each)for 4305 //another reader has 37 here...
1690 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
1691 WaitUS(18*8); //18 cycles on (8us each)
1692
1693 // now start writting
1694 while(fwd_bit_sz-- > 0) { //prepare next bit modulation
1695 if(((*fwd_write_ptr++) & 1) == 1)
1696 WaitUS(32*8); //32 cycles at 125Khz (8us each)
1697 else {
1698 //These timings work for 4469/4269/4305 (with the 55*8 above)
1699 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1700 WaitUS(23*8); //23 cycles off (8us each)
1701 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
1702 WaitUS(18*8); //18 cycles on (8us each)
1703 }
1704 }
1705 }
1706
1707 void EM4xLogin(uint32_t Password) {
1708
1709 uint8_t fwd_bit_count;
1710
1711 forward_ptr = forwardLink_data;
1712 fwd_bit_count = Prepare_Cmd( FWD_CMD_LOGIN );
1713 fwd_bit_count += Prepare_Data( Password&0xFFFF, Password>>16 );
1714
1715 SendForward(fwd_bit_count);
1716
1717 //Wait for command to complete
1718 SpinDelay(20);
1719 }
1720
1721 void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
1722
1723 uint8_t fwd_bit_count;
1724
1725 // Clear destination buffer before sending the command
1726 BigBuf_Clear_ext(false);
1727
1728 LED_A_ON();
1729 StartTicks();
1730 //If password mode do login
1731 if (PwdMode == 1) EM4xLogin(Pwd);
1732
1733 forward_ptr = forwardLink_data;
1734 fwd_bit_count = Prepare_Cmd( FWD_CMD_READ );
1735 fwd_bit_count += Prepare_Addr( Address );
1736
1737 SendForward(fwd_bit_count);
1738 WaitUS(400);
1739 // Now do the acquisition
1740 DoPartialAcquisition(20, true, 6000, 1000);
1741
1742 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1743 LED_A_OFF();
1744 cmd_send(CMD_ACK,0,0,0,0,0);
1745 }
1746
1747 void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) {
1748
1749 bool PwdMode = (flag & 0xF);
1750 uint8_t Address = (flag >> 8) & 0xFF;
1751 uint8_t fwd_bit_count;
1752
1753 //clear buffer now so it does not interfere with timing later
1754 BigBuf_Clear_ext(false);
1755
1756 LED_A_ON();
1757 StartTicks();
1758 //If password mode do login
1759 if (PwdMode) EM4xLogin(Pwd);
1760
1761 forward_ptr = forwardLink_data;
1762 fwd_bit_count = Prepare_Cmd( FWD_CMD_WRITE );
1763 fwd_bit_count += Prepare_Addr( Address );
1764 fwd_bit_count += Prepare_Data( Data&0xFFFF, Data>>16 );
1765
1766 SendForward(fwd_bit_count);
1767
1768 //Wait for write to complete
1769 //SpinDelay(10);
1770
1771 WaitUS(6500);
1772 //Capture response if one exists
1773 DoPartialAcquisition(20, true, 6000, 1000);
1774
1775 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1776 LED_A_OFF();
1777 cmd_send(CMD_ACK,0,0,0,0,0);
1778 }
1779 /*
1780 Reading a COTAG.
1781
1782 COTAG needs the reader to send a startsequence and the card has an extreme slow datarate.
1783 because of this, we can "sample" the data signal but we interpreate it to Manchester direct.
1784
1785 READER START SEQUENCE:
1786 burst 800 us, gap 2.2 msecs
1787 burst 3.6 msecs gap 2.2 msecs
1788 burst 800 us gap 2.2 msecs
1789 pulse 3.6 msecs
1790
1791 This triggers a COTAG tag to response
1792 */
1793 void Cotag(uint32_t arg0) {
1794
1795 #define OFF { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); WaitUS(2035); }
1796 #define ON(x) { FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); WaitUS((x)); }
1797
1798 uint8_t rawsignal = arg0 & 0xF;
1799
1800 LED_A_ON();
1801
1802 // Switching to LF image on FPGA. This might empty BigBuff
1803 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1804
1805 //clear buffer now so it does not interfere with timing later
1806 BigBuf_Clear_ext(false);
1807
1808 // Set up FPGA, 132kHz to power up the tag
1809 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 89);
1810 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
1811
1812 // Connect the A/D to the peak-detected low-frequency path.
1813 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1814
1815 // Now set up the SSC to get the ADC samples that are now streaming at us.
1816 FpgaSetupSsc();
1817
1818 // start clock - 1.5ticks is 1us
1819 StartTicks();
1820
1821 //send COTAG start pulse
1822 ON(740) OFF
1823 ON(3330) OFF
1824 ON(740) OFF
1825 ON(1000)
1826
1827 switch(rawsignal) {
1828 case 0: doCotagAcquisition(50000); break;
1829 case 1: doCotagAcquisitionManchester(); break;
1830 case 2: DoAcquisition_config(true, 0); break;
1831 }
1832
1833 // Turn the field off
1834 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1835 cmd_send(CMD_ACK,0,0,0,0,0);
1836 LED_A_OFF();
1837 }
Proxmark3 GIT tracking
Impressum, Datenschutz