]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/lfops.c
projects / proxmark3-svn / blob
? search:


a1a31f1a8f17239a3a031ec7d986c1e55ceb8956
[proxmark3-svn] / armsrc / lfops.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // Miscellaneous routines for low frequency tag operations.
7 // Tags supported here so far are Texas Instruments (TI), HID, EM4x05, EM410x
8 // Also routines for raw mode reading/simulating of LF waveform
9 //-----------------------------------------------------------------------------
10
11 #include "proxmark3.h"
12 #include "apps.h"
13 #include "util.h"
14 #include "hitag2.h"
15 #include "crc16.h"
16 #include "string.h"
17 #include "lfdemod.h"
18 #include "lfsampling.h"
19 #include "protocols.h"
20 #include "cmd.h"
21 #include "usb_cdc.h" // for usb_poll_validate_length
22 #include "fpgaloader.h"
23
24 /**
25 * Function to do a modulation and then get samples.
26 * @param delay_off
27 * @param period_0
28 * @param period_1
29 * @param command
30 */
31 void ModThenAcquireRawAdcSamples125k(uint32_t delay_off, uint32_t period_0, uint32_t period_1, uint8_t *command)
32 {
33 // start timer
34 StartTicks();
35
36 // use lf config settings
37 sample_config *sc = getSamplingConfig();
38
39 // Make sure the tag is reset
40 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
41 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
42 WaitMS(2500);
43
44 // clear read buffer (after fpga bitstream loaded...)
45 BigBuf_Clear_keep_EM();
46
47 // power on
48 LFSetupFPGAForADC(sc->divisor, 1);
49
50 // And a little more time for the tag to fully power up
51 WaitMS(2000);
52 // if delay_off = 0 then just bitbang 1 = antenna on 0 = off for respective periods.
53 bool bitbang = delay_off == 0;
54 // now modulate the reader field
55
56 if (bitbang) {
57 // HACK it appears the loop and if statements take up about 7us so adjust waits accordingly...
58 uint8_t hack_cnt = 7;
59 if (period_0 < hack_cnt || period_1 < hack_cnt) {
60 DbpString("Warning periods cannot be less than 7us in bit bang mode");
61 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
62 LED_D_OFF();
63 return;
64 }
65
66 // hack2 needed--- it appears to take about 8-16us to turn the antenna back on
67 // leading to ~ 1 to 2 125khz samples extra in every off period
68 // so we should test for last 0 before next 1 and reduce period_0 by this extra amount...
69 // but is this time different for every antenna or other hw builds??? more testing needed
70
71 // prime cmd_len to save time comparing strings while modulating
72 int cmd_len = 0;
73 while(command[cmd_len] != '\0' && command[cmd_len] != ' ')
74 cmd_len++;
75
76 int counter = 0;
77 bool off = false;
78 for (counter = 0; counter < cmd_len; counter++) {
79 // if cmd = 0 then turn field off
80 if (command[counter] == '0') {
81 // if field already off leave alone (affects timing otherwise)
82 if (off == false) {
83 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
84 LED_D_OFF();
85 off = true;
86 }
87 // note we appear to take about 7us to switch over (or run the if statements/loop...)
88 WaitUS(period_0-hack_cnt);
89 // else if cmd = 1 then turn field on
90 } else {
91 // if field already on leave alone (affects timing otherwise)
92 if (off) {
93 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
94 LED_D_ON();
95 off = false;
96 }
97 // note we appear to take about 7us to switch over (or run the if statements/loop...)
98 WaitUS(period_1-hack_cnt);
99 }
100 }
101 } else { // old mode of cmd read using delay as off period
102 while(*command != '\0' && *command != ' ') {
103 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
104 LED_D_OFF();
105 WaitUS(delay_off);
106 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc->divisor);
107 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
108 LED_D_ON();
109 if(*(command++) == '0') {
110 WaitUS(period_0);
111 } else {
112 WaitUS(period_1);
113 }
114 }
115 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
116 LED_D_OFF();
117 WaitUS(delay_off);
118 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc->divisor);
119 }
120
121 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
122
123 // now do the read
124 DoAcquisition_config(false, 0);
125
126 // Turn off antenna
127 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
128 // tell client we are done
129 cmd_send(CMD_ACK,0,0,0,0,0);
130 }
131
132 /* blank r/w tag data stream
133 ...0000000000000000 01111111
134 1010101010101010101010101010101010101010101010101010101010101010
135 0011010010100001
136 01111111
137 101010101010101[0]000...
138
139 [5555fe852c5555555555555555fe0000]
140 */
141 void ReadTItag(void)
142 {
143 // some hardcoded initial params
144 // when we read a TI tag we sample the zerocross line at 2Mhz
145 // TI tags modulate a 1 as 16 cycles of 123.2Khz
146 // TI tags modulate a 0 as 16 cycles of 134.2Khz
147 #define FSAMPLE 2000000
148 #define FREQLO 123200
149 #define FREQHI 134200
150
151 signed char *dest = (signed char *)BigBuf_get_addr();
152 uint16_t n = BigBuf_max_traceLen();
153 // 128 bit shift register [shift3:shift2:shift1:shift0]
154 uint32_t shift3 = 0, shift2 = 0, shift1 = 0, shift0 = 0;
155
156 int i, cycles=0, samples=0;
157 // how many sample points fit in 16 cycles of each frequency
158 uint32_t sampleslo = (FSAMPLE<<4)/FREQLO, sampleshi = (FSAMPLE<<4)/FREQHI;
159 // when to tell if we're close enough to one freq or another
160 uint32_t threshold = (sampleslo - sampleshi + 1)>>1;
161
162 // TI tags charge at 134.2Khz
163 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
164 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
165
166 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
167 // connects to SSP_DIN and the SSP_DOUT logic level controls
168 // whether we're modulating the antenna (high)
169 // or listening to the antenna (low)
170 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
171
172 // get TI tag data into the buffer
173 AcquireTiType();
174
175 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
176
177 for (i=0; i<n-1; i++) {
178 // count cycles by looking for lo to hi zero crossings
179 if ( (dest[i]<0) && (dest[i+1]>0) ) {
180 cycles++;
181 // after 16 cycles, measure the frequency
182 if (cycles>15) {
183 cycles=0;
184 samples=i-samples; // number of samples in these 16 cycles
185
186 // TI bits are coming to us lsb first so shift them
187 // right through our 128 bit right shift register
188 shift0 = (shift0>>1) | (shift1 << 31);
189 shift1 = (shift1>>1) | (shift2 << 31);
190 shift2 = (shift2>>1) | (shift3 << 31);
191 shift3 >>= 1;
192
193 // check if the cycles fall close to the number
194 // expected for either the low or high frequency
195 if ( (samples>(sampleslo-threshold)) && (samples<(sampleslo+threshold)) ) {
196 // low frequency represents a 1
197 shift3 |= (1<<31);
198 } else if ( (samples>(sampleshi-threshold)) && (samples<(sampleshi+threshold)) ) {
199 // high frequency represents a 0
200 } else {
201 // probably detected a gay waveform or noise
202 // use this as gaydar or discard shift register and start again
203 shift3 = shift2 = shift1 = shift0 = 0;
204 }
205 samples = i;
206
207 // for each bit we receive, test if we've detected a valid tag
208
209 // if we see 17 zeroes followed by 6 ones, we might have a tag
210 // remember the bits are backwards
211 if ( ((shift0 & 0x7fffff) == 0x7e0000) ) {
212 // if start and end bytes match, we have a tag so break out of the loop
213 if ( ((shift0>>16)&0xff) == ((shift3>>8)&0xff) ) {
214 cycles = 0xF0B; //use this as a flag (ugly but whatever)
215 break;
216 }
217 }
218 }
219 }
220 }
221
222 // if flag is set we have a tag
223 if (cycles!=0xF0B) {
224 DbpString("Info: No valid tag detected.");
225 } else {
226 // put 64 bit data into shift1 and shift0
227 shift0 = (shift0>>24) | (shift1 << 8);
228 shift1 = (shift1>>24) | (shift2 << 8);
229
230 // align 16 bit crc into lower half of shift2
231 shift2 = ((shift2>>24) | (shift3 << 8)) & 0x0ffff;
232
233 // if r/w tag, check ident match
234 if (shift3 & (1<<15) ) {
235 DbpString("Info: TI tag is rewriteable");
236 // only 15 bits compare, last bit of ident is not valid
237 if (((shift3 >> 16) ^ shift0) & 0x7fff ) {
238 DbpString("Error: Ident mismatch!");
239 } else {
240 DbpString("Info: TI tag ident is valid");
241 }
242 } else {
243 DbpString("Info: TI tag is readonly");
244 }
245
246 // WARNING the order of the bytes in which we calc crc below needs checking
247 // i'm 99% sure the crc algorithm is correct, but it may need to eat the
248 // bytes in reverse or something
249 // calculate CRC
250 uint32_t crc=0;
251
252 crc = update_crc16(crc, (shift0)&0xff);
253 crc = update_crc16(crc, (shift0>>8)&0xff);
254 crc = update_crc16(crc, (shift0>>16)&0xff);
255 crc = update_crc16(crc, (shift0>>24)&0xff);
256 crc = update_crc16(crc, (shift1)&0xff);
257 crc = update_crc16(crc, (shift1>>8)&0xff);
258 crc = update_crc16(crc, (shift1>>16)&0xff);
259 crc = update_crc16(crc, (shift1>>24)&0xff);
260
261 Dbprintf("Info: Tag data: %x%08x, crc=%x",
262 (unsigned int)shift1, (unsigned int)shift0, (unsigned int)shift2 & 0xFFFF);
263 if (crc != (shift2&0xffff)) {
264 Dbprintf("Error: CRC mismatch, expected %x", (unsigned int)crc);
265 } else {
266 DbpString("Info: CRC is good");
267 }
268 }
269 }
270
271 void WriteTIbyte(uint8_t b)
272 {
273 int i = 0;
274
275 // modulate 8 bits out to the antenna
276 for (i=0; i<8; i++)
277 {
278 if (b&(1<<i)) {
279 // stop modulating antenna
280 LOW(GPIO_SSC_DOUT);
281 SpinDelayUs(1000);
282 // modulate antenna
283 HIGH(GPIO_SSC_DOUT);
284 SpinDelayUs(1000);
285 } else {
286 // stop modulating antenna
287 LOW(GPIO_SSC_DOUT);
288 SpinDelayUs(300);
289 // modulate antenna
290 HIGH(GPIO_SSC_DOUT);
291 SpinDelayUs(1700);
292 }
293 }
294 }
295
296 void AcquireTiType(void)
297 {
298 int i, j, n;
299 // tag transmission is <20ms, sampling at 2M gives us 40K samples max
300 // each sample is 1 bit stuffed into a uint32_t so we need 1250 uint32_t
301 #define TIBUFLEN 1250
302
303 // clear buffer
304 uint32_t *BigBuf = (uint32_t *)BigBuf_get_addr();
305 BigBuf_Clear_ext(false);
306
307 // Set up the synchronous serial port
308 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DIN;
309 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN;
310
311 // steal this pin from the SSP and use it to control the modulation
312 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
313 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
314
315 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
316 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_RXEN | AT91C_SSC_TXEN;
317
318 // Sample at 2 Mbit/s, so TI tags are 16.2 vs. 14.9 clocks long
319 // 48/2 = 24 MHz clock must be divided by 12
320 AT91C_BASE_SSC->SSC_CMR = 12;
321
322 AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(0);
323 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(32) | AT91C_SSC_MSBF;
324 AT91C_BASE_SSC->SSC_TCMR = 0;
325 AT91C_BASE_SSC->SSC_TFMR = 0;
326
327 LED_D_ON();
328
329 // modulate antenna
330 HIGH(GPIO_SSC_DOUT);
331
332 // Charge TI tag for 50ms.
333 SpinDelay(50);
334
335 // stop modulating antenna and listen
336 LOW(GPIO_SSC_DOUT);
337
338 LED_D_OFF();
339
340 i = 0;
341 for(;;) {
342 if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
343 BigBuf[i] = AT91C_BASE_SSC->SSC_RHR; // store 32 bit values in buffer
344 i++; if(i >= TIBUFLEN) break;
345 }
346 WDT_HIT();
347 }
348
349 // return stolen pin to SSP
350 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;
351 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN | GPIO_SSC_DOUT;
352
353 char *dest = (char *)BigBuf_get_addr();
354 n = TIBUFLEN*32;
355 // unpack buffer
356 for (i=TIBUFLEN-1; i>=0; i--) {
357 for (j=0; j<32; j++) {
358 if(BigBuf[i] & (1 << j)) {
359 dest[--n] = 1;
360 } else {
361 dest[--n] = -1;
362 }
363 }
364 }
365 }
366
367 // arguments: 64bit data split into 32bit idhi:idlo and optional 16bit crc
368 // if crc provided, it will be written with the data verbatim (even if bogus)
369 // if not provided a valid crc will be computed from the data and written.
370 void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc)
371 {
372 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
373 if(crc == 0) {
374 crc = update_crc16(crc, (idlo)&0xff);
375 crc = update_crc16(crc, (idlo>>8)&0xff);
376 crc = update_crc16(crc, (idlo>>16)&0xff);
377 crc = update_crc16(crc, (idlo>>24)&0xff);
378 crc = update_crc16(crc, (idhi)&0xff);
379 crc = update_crc16(crc, (idhi>>8)&0xff);
380 crc = update_crc16(crc, (idhi>>16)&0xff);
381 crc = update_crc16(crc, (idhi>>24)&0xff);
382 }
383 Dbprintf("Writing to tag: %x%08x, crc=%x",
384 (unsigned int) idhi, (unsigned int) idlo, crc);
385
386 // TI tags charge at 134.2Khz
387 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
388 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
389 // connects to SSP_DIN and the SSP_DOUT logic level controls
390 // whether we're modulating the antenna (high)
391 // or listening to the antenna (low)
392 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
393 LED_A_ON();
394
395 // steal this pin from the SSP and use it to control the modulation
396 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
397 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
398
399 // writing algorithm:
400 // a high bit consists of a field off for 1ms and field on for 1ms
401 // a low bit consists of a field off for 0.3ms and field on for 1.7ms
402 // initiate a charge time of 50ms (field on) then immediately start writing bits
403 // start by writing 0xBB (keyword) and 0xEB (password)
404 // then write 80 bits of data (or 64 bit data + 16 bit crc if you prefer)
405 // finally end with 0x0300 (write frame)
406 // all data is sent lsb firts
407 // finish with 15ms programming time
408
409 // modulate antenna
410 HIGH(GPIO_SSC_DOUT);
411 SpinDelay(50); // charge time
412
413 WriteTIbyte(0xbb); // keyword
414 WriteTIbyte(0xeb); // password
415 WriteTIbyte( (idlo )&0xff );
416 WriteTIbyte( (idlo>>8 )&0xff );
417 WriteTIbyte( (idlo>>16)&0xff );
418 WriteTIbyte( (idlo>>24)&0xff );
419 WriteTIbyte( (idhi )&0xff );
420 WriteTIbyte( (idhi>>8 )&0xff );
421 WriteTIbyte( (idhi>>16)&0xff );
422 WriteTIbyte( (idhi>>24)&0xff ); // data hi to lo
423 WriteTIbyte( (crc )&0xff ); // crc lo
424 WriteTIbyte( (crc>>8 )&0xff ); // crc hi
425 WriteTIbyte(0x00); // write frame lo
426 WriteTIbyte(0x03); // write frame hi
427 HIGH(GPIO_SSC_DOUT);
428 SpinDelay(50); // programming time
429
430 LED_A_OFF();
431
432 // get TI tag data into the buffer
433 AcquireTiType();
434
435 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
436 DbpString("Now use `lf ti read` to check");
437 }
438
439 void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
440 {
441 int i;
442 uint8_t *tab = BigBuf_get_addr();
443
444 //note FpgaDownloadAndGo destroys the bigbuf so be sure this is called before now...
445 //FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
446 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
447
448 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK;
449
450 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
451 AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK;
452
453 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
454 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
455
456 i = 0;
457 for(;;) {
458 //wait until SSC_CLK goes HIGH
459 int ii = 0;
460 while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {
461 //only check every 1000th time (usb_poll_validate_length on some systems was too slow)
462 if ( ii == 1000 ) {
463 if (BUTTON_PRESS() || usb_poll_validate_length() ) {
464 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
465 DbpString("Stopped");
466 return;
467 }
468 ii=0;
469 }
470 WDT_HIT();
471 ii++;
472 }
473 if (ledcontrol)
474 LED_D_ON();
475
476 if(tab[i])
477 OPEN_COIL();
478 else
479 SHORT_COIL();
480
481 if (ledcontrol)
482 LED_D_OFF();
483 ii=0;
484 //wait until SSC_CLK goes LOW
485 while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) {
486 //only check every 1000th time (usb_poll_validate_length on some systems was too slow)
487 if ( ii == 1000 ) {
488 if (BUTTON_PRESS() || usb_poll_validate_length() ) {
489 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
490 DbpString("Stopped");
491 return;
492 }
493 ii=0;
494 }
495 WDT_HIT();
496 ii++;
497 }
498
499 i++;
500 if(i == period) {
501
502 i = 0;
503 if (gap) {
504 SHORT_COIL();
505 SpinDelayUs(gap);
506 }
507 }
508
509 }
510 }
511
512 #define DEBUG_FRAME_CONTENTS 1
513 void SimulateTagLowFrequencyBidir(int divisor, int t0)
514 {
515 }
516
517 // compose fc/8 fc/10 waveform (FSK2)
518 static void fc(int c, int *n)
519 {
520 uint8_t *dest = BigBuf_get_addr();
521 int idx;
522
523 // for when we want an fc8 pattern every 4 logical bits
524 if(c==0) {
525 dest[((*n)++)]=1;
526 dest[((*n)++)]=1;
527 dest[((*n)++)]=1;
528 dest[((*n)++)]=1;
529 dest[((*n)++)]=0;
530 dest[((*n)++)]=0;
531 dest[((*n)++)]=0;
532 dest[((*n)++)]=0;
533 }
534
535 // an fc/8 encoded bit is a bit pattern of 11110000 x6 = 48 samples
536 if(c==8) {
537 for (idx=0; idx<6; idx++) {
538 dest[((*n)++)]=1;
539 dest[((*n)++)]=1;
540 dest[((*n)++)]=1;
541 dest[((*n)++)]=1;
542 dest[((*n)++)]=0;
543 dest[((*n)++)]=0;
544 dest[((*n)++)]=0;
545 dest[((*n)++)]=0;
546 }
547 }
548
549 // an fc/10 encoded bit is a bit pattern of 1111100000 x5 = 50 samples
550 if(c==10) {
551 for (idx=0; idx<5; idx++) {
552 dest[((*n)++)]=1;
553 dest[((*n)++)]=1;
554 dest[((*n)++)]=1;
555 dest[((*n)++)]=1;
556 dest[((*n)++)]=1;
557 dest[((*n)++)]=0;
558 dest[((*n)++)]=0;
559 dest[((*n)++)]=0;
560 dest[((*n)++)]=0;
561 dest[((*n)++)]=0;
562 }
563 }
564 }
565 // compose fc/X fc/Y waveform (FSKx)
566 static void fcAll(uint8_t fc, int *n, uint8_t clock, uint16_t *modCnt)
567 {
568 uint8_t *dest = BigBuf_get_addr();
569 uint8_t halfFC = fc/2;
570 uint8_t wavesPerClock = clock/fc;
571 uint8_t mod = clock % fc; //modifier
572 uint8_t modAdj = fc/mod; //how often to apply modifier
573 bool modAdjOk = !(fc % mod); //if (fc % mod==0) modAdjOk=true;
574 // loop through clock - step field clock
575 for (uint8_t idx=0; idx < wavesPerClock; idx++){
576 // put 1/2 FC length 1's and 1/2 0's per field clock wave (to create the wave)
577 memset(dest+(*n), 0, fc-halfFC); //in case of odd number use extra here
578 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
579 *n += fc;
580 }
581 if (mod>0) (*modCnt)++;
582 if ((mod>0) && modAdjOk){ //fsk2
583 if ((*modCnt % modAdj) == 0){ //if 4th 8 length wave in a rf/50 add extra 8 length wave
584 memset(dest+(*n), 0, fc-halfFC);
585 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
586 *n += fc;
587 }
588 }
589 if (mod>0 && !modAdjOk){ //fsk1
590 memset(dest+(*n), 0, mod-(mod/2));
591 memset(dest+(*n)+(mod-(mod/2)), 1, mod/2);
592 *n += mod;
593 }
594 }
595
596 // prepare a waveform pattern in the buffer based on the ID given then
597 // simulate a HID tag until the button is pressed
598 void CmdHIDsimTAG(int hi2, int hi, int lo, int ledcontrol)
599 {
600 int n=0, i=0;
601 /*
602 HID tag bitstream format
603 The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits
604 A 1 bit is represented as 6 fc8 and 5 fc10 patterns
605 A 0 bit is represented as 5 fc10 and 6 fc8 patterns
606 A fc8 is inserted before every 4 bits
607 A special start of frame pattern is used consisting a0b0 where a and b are neither 0
608 nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10)
609 */
610
611 if (hi2>0x0FFFFFFF) {
612 DbpString("Tags can only have 44 or 84 bits. - USE lf simfsk for larger tags");
613 return;
614 }
615 // set LF so we don't kill the bigbuf we are setting with simulation data.
616 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
617
618 fc(0,&n);
619 // special start of frame marker containing invalid bit sequences
620 fc(8, &n); fc(8, &n); // invalid
621 fc(8, &n); fc(10, &n); // logical 0
622 fc(10, &n); fc(10, &n); // invalid
623 fc(8, &n); fc(10, &n); // logical 0
624
625 WDT_HIT();
626 if (hi2 > 0 || hi > 0xFFF){
627 // manchester encode bits 91 to 64 (91-84 are part of the header)
628 for (i=27; i>=0; i--) {
629 if ((i%4)==3) fc(0,&n);
630 if ((hi2>>i)&1) {
631 fc(10, &n); fc(8, &n); // low-high transition
632 } else {
633 fc(8, &n); fc(10, &n); // high-low transition
634 }
635 }
636 WDT_HIT();
637 // manchester encode bits 63 to 32
638 for (i=31; i>=0; i--) {
639 if ((i%4)==3) fc(0,&n);
640 if ((hi>>i)&1) {
641 fc(10, &n); fc(8, &n); // low-high transition
642 } else {
643 fc(8, &n); fc(10, &n); // high-low transition
644 }
645 }
646 } else {
647 // manchester encode bits 43 to 32
648 for (i=11; i>=0; i--) {
649 if ((i%4)==3) fc(0,&n);
650 if ((hi>>i)&1) {
651 fc(10, &n); fc(8, &n); // low-high transition
652 } else {
653 fc(8, &n); fc(10, &n); // high-low transition
654 }
655 }
656 }
657
658 WDT_HIT();
659 // manchester encode bits 31 to 0
660 for (i=31; i>=0; i--) {
661 if ((i%4)==3) fc(0,&n);
662 if ((lo>>i)&1) {
663 fc(10, &n); fc(8, &n); // low-high transition
664 } else {
665 fc(8, &n); fc(10, &n); // high-low transition
666 }
667 }
668
669 if (ledcontrol)
670 LED_A_ON();
671 SimulateTagLowFrequency(n, 0, ledcontrol);
672
673 if (ledcontrol)
674 LED_A_OFF();
675 }
676
677 // prepare a waveform pattern in the buffer based on the ID given then
678 // simulate a FSK tag until the button is pressed
679 // arg1 contains fcHigh and fcLow, arg2 contains invert and clock
680 void CmdFSKsimTAG(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
681 {
682 int ledcontrol=1;
683 int n=0, i=0;
684 uint8_t fcHigh = arg1 >> 8;
685 uint8_t fcLow = arg1 & 0xFF;
686 uint16_t modCnt = 0;
687 uint8_t clk = arg2 & 0xFF;
688 uint8_t invert = (arg2 >> 8) & 1;
689
690 // set LF so we don't kill the bigbuf we are setting with simulation data.
691 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
692
693 for (i=0; i<size; i++){
694 if (BitStream[i] == invert){
695 fcAll(fcLow, &n, clk, &modCnt);
696 } else {
697 fcAll(fcHigh, &n, clk, &modCnt);
698 }
699 }
700 Dbprintf("Simulating with fcHigh: %d, fcLow: %d, clk: %d, invert: %d, n: %d",fcHigh, fcLow, clk, invert, n);
701 /*Dbprintf("DEBUG: First 32:");
702 uint8_t *dest = BigBuf_get_addr();
703 i=0;
704 Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
705 i+=16;
706 Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
707 */
708 if (ledcontrol)
709 LED_A_ON();
710
711 SimulateTagLowFrequency(n, 0, ledcontrol);
712
713 if (ledcontrol)
714 LED_A_OFF();
715 }
716
717 // compose ask waveform for one bit(ASK)
718 static void askSimBit(uint8_t c, int *n, uint8_t clock, uint8_t manchester)
719 {
720 uint8_t *dest = BigBuf_get_addr();
721 uint8_t halfClk = clock/2;
722 // c = current bit 1 or 0
723 if (manchester==1){
724 memset(dest+(*n), c, halfClk);
725 memset(dest+(*n) + halfClk, c^1, halfClk);
726 } else {
727 memset(dest+(*n), c, clock);
728 }
729 *n += clock;
730 }
731
732 static void biphaseSimBit(uint8_t c, int *n, uint8_t clock, uint8_t *phase)
733 {
734 uint8_t *dest = BigBuf_get_addr();
735 uint8_t halfClk = clock/2;
736 if (c){
737 memset(dest+(*n), c ^ 1 ^ *phase, halfClk);
738 memset(dest+(*n) + halfClk, c ^ *phase, halfClk);
739 } else {
740 memset(dest+(*n), c ^ *phase, clock);
741 *phase ^= 1;
742 }
743 *n += clock;
744 }
745
746 static void stAskSimBit(int *n, uint8_t clock) {
747 uint8_t *dest = BigBuf_get_addr();
748 uint8_t halfClk = clock/2;
749 //ST = .5 high .5 low 1.5 high .5 low 1 high
750 memset(dest+(*n), 1, halfClk);
751 memset(dest+(*n) + halfClk, 0, halfClk);
752 memset(dest+(*n) + clock, 1, clock + halfClk);
753 memset(dest+(*n) + clock*2 + halfClk, 0, halfClk);
754 memset(dest+(*n) + clock*3, 1, clock);
755 *n += clock*4;
756 }
757
758 // args clock, ask/man or askraw, invert, transmission separator
759 void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
760 {
761 int ledcontrol = 1;
762 int n=0, i=0;
763 uint8_t clk = (arg1 >> 8) & 0xFF;
764 uint8_t encoding = arg1 & 0xFF;
765 uint8_t separator = arg2 & 1;
766 uint8_t invert = (arg2 >> 8) & 1;
767
768 // set LF so we don't kill the bigbuf we are setting with simulation data.
769 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
770
771 if (encoding==2){ //biphase
772 uint8_t phase=0;
773 for (i=0; i<size; i++){
774 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
775 }
776 if (phase==1) { //run a second set inverted to keep phase in check
777 for (i=0; i<size; i++){
778 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
779 }
780 }
781 } else { // ask/manchester || ask/raw
782 for (i=0; i<size; i++){
783 askSimBit(BitStream[i]^invert, &n, clk, encoding);
784 }
785 if (encoding==0 && BitStream[0]==BitStream[size-1]){ //run a second set inverted (for ask/raw || biphase phase)
786 for (i=0; i<size; i++){
787 askSimBit(BitStream[i]^invert^1, &n, clk, encoding);
788 }
789 }
790 }
791 if (separator==1 && encoding == 1)
792 stAskSimBit(&n, clk);
793 else if (separator==1)
794 Dbprintf("sorry but separator option not yet available");
795
796 Dbprintf("Simulating with clk: %d, invert: %d, encoding: %d, separator: %d, n: %d",clk, invert, encoding, separator, n);
797 //DEBUG
798 //Dbprintf("First 32:");
799 //uint8_t *dest = BigBuf_get_addr();
800 //i=0;
801 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
802 //i+=16;
803 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
804
805 if (ledcontrol) LED_A_ON();
806 SimulateTagLowFrequency(n, 0, ledcontrol);
807 if (ledcontrol) LED_A_OFF();
808 }
809
810 //carrier can be 2,4 or 8
811 static void pskSimBit(uint8_t waveLen, int *n, uint8_t clk, uint8_t *curPhase, bool phaseChg)
812 {
813 uint8_t *dest = BigBuf_get_addr();
814 uint8_t halfWave = waveLen/2;
815 //uint8_t idx;
816 int i = 0;
817 if (phaseChg){
818 // write phase change
819 memset(dest+(*n), *curPhase^1, halfWave);
820 memset(dest+(*n) + halfWave, *curPhase, halfWave);
821 *n += waveLen;
822 *curPhase ^= 1;
823 i += waveLen;
824 }
825 //write each normal clock wave for the clock duration
826 for (; i < clk; i+=waveLen){
827 memset(dest+(*n), *curPhase, halfWave);
828 memset(dest+(*n) + halfWave, *curPhase^1, halfWave);
829 *n += waveLen;
830 }
831 }
832
833 // args clock, carrier, invert,
834 void CmdPSKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
835 {
836 int ledcontrol=1;
837 int n=0, i=0;
838 uint8_t clk = arg1 >> 8;
839 uint8_t carrier = arg1 & 0xFF;
840 uint8_t invert = arg2 & 0xFF;
841 uint8_t curPhase = 0;
842 // set LF so we don't kill the bigbuf we are setting with simulation data.
843 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
844
845 for (i=0; i<size; i++){
846 if (BitStream[i] == curPhase){
847 pskSimBit(carrier, &n, clk, &curPhase, false);
848 } else {
849 pskSimBit(carrier, &n, clk, &curPhase, true);
850 }
851 }
852 Dbprintf("Simulating with Carrier: %d, clk: %d, invert: %d, n: %d",carrier, clk, invert, n);
853 //Dbprintf("DEBUG: First 32:");
854 //uint8_t *dest = BigBuf_get_addr();
855 //i=0;
856 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
857 //i+=16;
858 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
859
860 if (ledcontrol) LED_A_ON();
861 SimulateTagLowFrequency(n, 0, ledcontrol);
862 if (ledcontrol) LED_A_OFF();
863 }
864
865 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
866 void CmdHIDdemodFSK(int findone, int *high2, int *high, int *low, int ledcontrol)
867 {
868 uint8_t *dest = BigBuf_get_addr();
869 //const size_t sizeOfBigBuff = BigBuf_max_traceLen();
870 size_t size;
871 uint32_t hi2=0, hi=0, lo=0;
872 int idx=0;
873 int dummyIdx = 0;
874 // Configure to go in 125Khz listen mode
875 LFSetupFPGAForADC(95, true);
876
877 //clear read buffer
878 BigBuf_Clear_keep_EM();
879
880 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
881 WDT_HIT();
882 if (ledcontrol) LED_A_ON();
883
884 DoAcquisition_default(-1,true);
885 // FSK demodulator
886 //size = sizeOfBigBuff; //variable size will change after demod so re initialize it before use
887 size = 50*128*2; //big enough to catch 2 sequences of largest format
888 idx = HIDdemodFSK(dest, &size, &hi2, &hi, &lo, &dummyIdx);
889
890 if (idx>0 && lo>0 && (size==96 || size==192)){
891 uint8_t bitlen = 0;
892 uint32_t fc = 0;
893 uint32_t cardnum = 0;
894 bool decoded = false;
895
896 // go over previously decoded manchester data and decode into usable tag ID
897 if ((hi2 & 0x000FFFF) != 0){ //extra large HID tags 88/192 bits
898 uint32_t bp = hi2 & 0x000FFFFF;
899 bitlen = 63;
900 while (bp > 0) {
901 bp = bp >> 1;
902 bitlen++;
903 }
904 } else if ((hi >> 6) > 0) {
905 uint32_t bp = hi;
906 bitlen = 31;
907 while (bp > 0) {
908 bp = bp >> 1;
909 bitlen++;
910 }
911 } else if (((hi >> 5) & 1) == 0) {
912 bitlen = 37;
913 } else if ((hi & 0x0000001F) > 0 ) {
914 uint32_t bp = (hi & 0x0000001F);
915 bitlen = 31;
916 while (bp > 0) {
917 bp = bp >> 1;
918 bitlen++;
919 }
920 } else {
921 uint32_t bp = lo;
922 bitlen = 0;
923 while (bp > 0) {
924 bp = bp >> 1;
925 bitlen++;
926 }
927 }
928 switch (bitlen){
929 case 26:
930 cardnum = (lo>>1)&0xFFFF;
931 fc = (lo>>17)&0xFF;
932 decoded = true;
933 break;
934 case 35:
935 cardnum = (lo>>1)&0xFFFFF;
936 fc = ((hi&1)<<11)|(lo>>21);
937 decoded = true;
938 break;
939 }
940
941 if (hi2 != 0) //extra large HID tags 88/192 bits
942 Dbprintf("TAG ID: %x%08x%08x (%d)",
943 (unsigned int) hi2, (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
944 else
945 Dbprintf("TAG ID: %x%08x (%d)",
946 (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
947
948 if (decoded)
949 Dbprintf("Format Len: %dbits - FC: %d - Card: %d",
950 (unsigned int) bitlen, (unsigned int) fc, (unsigned int) cardnum);
951
952 if (findone){
953 if (ledcontrol) LED_A_OFF();
954 *high2 = hi2;
955 *high = hi;
956 *low = lo;
957 break;
958 }
959 // reset
960 }
961 hi2 = hi = lo = idx = 0;
962 WDT_HIT();
963 }
964
965 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
966 DbpString("Stopped");
967 if (ledcontrol) LED_A_OFF();
968 }
969
970 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
971 void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
972 {
973 uint8_t *dest = BigBuf_get_addr();
974 size_t size;
975 int idx=0, dummyIdx=0;
976 //clear read buffer
977 BigBuf_Clear_keep_EM();
978 // Configure to go in 125Khz listen mode
979 LFSetupFPGAForADC(95, true);
980
981 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
982
983 WDT_HIT();
984 if (ledcontrol) LED_A_ON();
985
986 DoAcquisition_default(-1,true);
987 // FSK demodulator
988 size = 50*128*2; //big enough to catch 2 sequences of largest format
989 idx = AWIDdemodFSK(dest, &size, &dummyIdx);
990
991 if (idx<=0 || size!=96) continue;
992 // Index map
993 // 0 10 20 30 40 50 60
994 // | | | | | | |
995 // 01234567 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 - to 96
996 // -----------------------------------------------------------------------------
997 // 00000001 000 1 110 1 101 1 011 1 101 1 010 0 000 1 000 1 010 0 001 0 110 1 100 0 000 1 000 1
998 // premable bbb o bbb o bbw o fff o fff o ffc o ccc o ccc o ccc o ccc o ccc o wxx o xxx o xxx o - to 96
999 // |---26 bit---| |-----117----||-------------142-------------|
1000 // b = format bit len, o = odd parity of last 3 bits
1001 // f = facility code, c = card number
1002 // w = wiegand parity
1003 // (26 bit format shown)
1004
1005 //get raw ID before removing parities
1006 uint32_t rawLo = bytebits_to_byte(dest+idx+64,32);
1007 uint32_t rawHi = bytebits_to_byte(dest+idx+32,32);
1008 uint32_t rawHi2 = bytebits_to_byte(dest+idx,32);
1009
1010 size = removeParity(dest, idx+8, 4, 1, 88);
1011 if (size != 66) continue;
1012 // ok valid card found!
1013
1014 // Index map
1015 // 0 10 20 30 40 50 60
1016 // | | | | | | |
1017 // 01234567 8 90123456 7890123456789012 3 456789012345678901234567890123456
1018 // -----------------------------------------------------------------------------
1019 // 00011010 1 01110101 0000000010001110 1 000000000000000000000000000000000
1020 // bbbbbbbb w ffffffff cccccccccccccccc w xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1021 // |26 bit| |-117--| |-----142------|
1022 // b = format bit len, o = odd parity of last 3 bits
1023 // f = facility code, c = card number
1024 // w = wiegand parity
1025 // (26 bit format shown)
1026
1027 uint32_t fc = 0;
1028 uint32_t cardnum = 0;
1029 uint32_t code1 = 0;
1030 uint32_t code2 = 0;
1031 uint8_t fmtLen = bytebits_to_byte(dest,8);
1032 if (fmtLen==26){
1033 fc = bytebits_to_byte(dest+9, 8);
1034 cardnum = bytebits_to_byte(dest+17, 16);
1035 code1 = bytebits_to_byte(dest+8,fmtLen);
1036 Dbprintf("AWID Found - BitLength: %d, FC: %d, Card: %d - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, fc, cardnum, code1, rawHi2, rawHi, rawLo);
1037 } else {
1038 cardnum = bytebits_to_byte(dest+8+(fmtLen-17), 16);
1039 if (fmtLen>32){
1040 code1 = bytebits_to_byte(dest+8,fmtLen-32);
1041 code2 = bytebits_to_byte(dest+8+(fmtLen-32),32);
1042 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%d) - Wiegand: %x%08x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, code2, rawHi2, rawHi, rawLo);
1043 } else{
1044 code1 = bytebits_to_byte(dest+8,fmtLen);
1045 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%d) - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, rawHi2, rawHi, rawLo);
1046 }
1047 }
1048 if (findone){
1049 if (ledcontrol) LED_A_OFF();
1050 break;
1051 }
1052 // reset
1053 idx = 0;
1054 WDT_HIT();
1055 }
1056 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1057 DbpString("Stopped");
1058 if (ledcontrol) LED_A_OFF();
1059 }
1060
1061 void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol)
1062 {
1063 uint8_t *dest = BigBuf_get_addr();
1064
1065 size_t size=0, idx=0;
1066 int clk=0, invert=0, errCnt=0, maxErr=20;
1067 uint32_t hi=0;
1068 uint64_t lo=0;
1069 //clear read buffer
1070 BigBuf_Clear_keep_EM();
1071 // Configure to go in 125Khz listen mode
1072 LFSetupFPGAForADC(95, true);
1073
1074 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
1075
1076 WDT_HIT();
1077 if (ledcontrol) LED_A_ON();
1078
1079 DoAcquisition_default(-1,true);
1080 size = BigBuf_max_traceLen();
1081 //askdemod and manchester decode
1082 if (size > 16385) size = 16385; //big enough to catch 2 sequences of largest format
1083 errCnt = askdemod(dest, &size, &clk, &invert, maxErr, 0, 1);
1084 WDT_HIT();
1085
1086 if (errCnt<0) continue;
1087
1088 errCnt = Em410xDecode(dest, &size, &idx, &hi, &lo);
1089 if (errCnt){
1090 if (size>64){
1091 Dbprintf("EM XL TAG ID: %06x%08x%08x - (%05d_%03d_%08d)",
1092 hi,
1093 (uint32_t)(lo>>32),
1094 (uint32_t)lo,
1095 (uint32_t)(lo&0xFFFF),
1096 (uint32_t)((lo>>16LL) & 0xFF),
1097 (uint32_t)(lo & 0xFFFFFF));
1098 } else {
1099 Dbprintf("EM TAG ID: %02x%08x - (%05d_%03d_%08d)",
1100 (uint32_t)(lo>>32),
1101 (uint32_t)lo,
1102 (uint32_t)(lo&0xFFFF),
1103 (uint32_t)((lo>>16LL) & 0xFF),
1104 (uint32_t)(lo & 0xFFFFFF));
1105 }
1106
1107 if (findone){
1108 if (ledcontrol) LED_A_OFF();
1109 *high=lo>>32;
1110 *low=lo & 0xFFFFFFFF;
1111 break;
1112 }
1113 }
1114 WDT_HIT();
1115 hi = lo = size = idx = 0;
1116 clk = invert = errCnt = 0;
1117 }
1118 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1119 DbpString("Stopped");
1120 if (ledcontrol) LED_A_OFF();
1121 }
1122
1123 void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
1124 {
1125 uint8_t *dest = BigBuf_get_addr();
1126 int idx=0;
1127 uint32_t code=0, code2=0;
1128 uint8_t version=0;
1129 uint8_t facilitycode=0;
1130 uint16_t number=0;
1131 int dummyIdx=0;
1132 //clear read buffer
1133 BigBuf_Clear_keep_EM();
1134 // Configure to go in 125Khz listen mode
1135 LFSetupFPGAForADC(95, true);
1136
1137 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
1138 WDT_HIT();
1139 if (ledcontrol) LED_A_ON();
1140 DoAcquisition_default(-1,true);
1141 //fskdemod and get start index
1142 WDT_HIT();
1143 idx = IOdemodFSK(dest, BigBuf_max_traceLen(), &dummyIdx);
1144 if (idx<0) continue;
1145 //valid tag found
1146
1147 //Index map
1148 //0 10 20 30 40 50 60
1149 //| | | | | | |
1150 //01234567 8 90123456 7 89012345 6 78901234 5 67890123 4 56789012 3 45678901 23
1151 //-----------------------------------------------------------------------------
1152 //00000000 0 11110000 1 facility 1 version* 1 code*one 1 code*two 1 ???????? 11
1153 //
1154 //XSF(version)facility:codeone+codetwo
1155 //Handle the data
1156 if(findone){ //only print binary if we are doing one
1157 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx], dest[idx+1], dest[idx+2],dest[idx+3],dest[idx+4],dest[idx+5],dest[idx+6],dest[idx+7],dest[idx+8]);
1158 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+9], dest[idx+10],dest[idx+11],dest[idx+12],dest[idx+13],dest[idx+14],dest[idx+15],dest[idx+16],dest[idx+17]);
1159 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+18],dest[idx+19],dest[idx+20],dest[idx+21],dest[idx+22],dest[idx+23],dest[idx+24],dest[idx+25],dest[idx+26]);
1160 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+27],dest[idx+28],dest[idx+29],dest[idx+30],dest[idx+31],dest[idx+32],dest[idx+33],dest[idx+34],dest[idx+35]);
1161 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+36],dest[idx+37],dest[idx+38],dest[idx+39],dest[idx+40],dest[idx+41],dest[idx+42],dest[idx+43],dest[idx+44]);
1162 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+45],dest[idx+46],dest[idx+47],dest[idx+48],dest[idx+49],dest[idx+50],dest[idx+51],dest[idx+52],dest[idx+53]);
1163 Dbprintf("%d%d%d%d%d%d%d%d %d%d",dest[idx+54],dest[idx+55],dest[idx+56],dest[idx+57],dest[idx+58],dest[idx+59],dest[idx+60],dest[idx+61],dest[idx+62],dest[idx+63]);
1164 }
1165 code = bytebits_to_byte(dest+idx,32);
1166 code2 = bytebits_to_byte(dest+idx+32,32);
1167 version = bytebits_to_byte(dest+idx+27,8); //14,4
1168 facilitycode = bytebits_to_byte(dest+idx+18,8);
1169 number = (bytebits_to_byte(dest+idx+36,8)<<8)|(bytebits_to_byte(dest+idx+45,8)); //36,9
1170
1171 Dbprintf("XSF(%02d)%02x:%05d (%08x%08x)",version,facilitycode,number,code,code2);
1172 // if we're only looking for one tag
1173 if (findone){
1174 if (ledcontrol) LED_A_OFF();
1175 //LED_A_OFF();
1176 *high=code;
1177 *low=code2;
1178 break;
1179 }
1180 code=code2=0;
1181 version=facilitycode=0;
1182 number=0;
1183 idx=0;
1184
1185 WDT_HIT();
1186 }
1187 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1188 DbpString("Stopped");
1189 if (ledcontrol) LED_A_OFF();
1190 }
1191
1192 /*------------------------------
1193 * T5555/T5557/T5567/T5577 routines
1194 *------------------------------
1195 * NOTE: T55x7/T5555 configuration register definitions moved to protocols.h
1196 *
1197 * Relevant communication times in microsecond
1198 * To compensate antenna falling times shorten the write times
1199 * and enlarge the gap ones.
1200 * Q5 tags seems to have issues when these values changes.
1201 */
1202
1203 /*
1204 // Original Timings for reference
1205 //note startgap must be sent after tag has been powered up for more than 3ms (per T5557 ds)
1206
1207 #define START_GAP 31*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (or 15fc)
1208 #define WRITE_GAP 20*8 // was 160 // SPEC: 1*8 to 20*8 - typ 10*8 (or 10fc)
1209 #define WRITE_0 18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc)
1210 #define WRITE_1 50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc) 432 for T55x7; 448 for E5550
1211 #define READ_GAP 15*8
1212
1213 */
1214 /* Q5 timing datasheet:
1215 * Type | MIN | Typical | Max |
1216 * Start_Gap | 10*8 | ? | 50*8 |
1217 * Write_Gap Normal mode | 8*8 | 14*8 | 20*8 |
1218 * Write_Gap Fast Mode | 8*8 | ? | 20*8 |
1219 * Write_0 Normal mode | 16*8 | 24*8 | 32*8 |
1220 * Write_1 Normal mode | 48*8 | 56*8 | 64*8 |
1221 * Write_0 Fast Mode | 8*8 | 12*8 | 16*8 |
1222 * Write_1 Fast Mode | 24*8 | 28*8 | 32*8 |
1223 */
1224
1225 /* T5557 timing datasheet:
1226 * Type | MIN | Typical | Max |
1227 * Start_Gap | 10*8 | ? | 50*8 |
1228 * Write_Gap Normal mode | 8*8 |50-150us | 30*8 |
1229 * Write_Gap Fast Mode | 8*8 | ? | 20*8 |
1230 * Write_0 Normal mode | 16*8 | 24*8 | 31*8 |
1231 * Write_1 Normal mode | 48*8 | 54*8 | 63*8 |
1232 * Write_0 Fast Mode | 8*8 | 12*8 | 15*8 |
1233 * Write_1 Fast Mode | 24*8 | 28*8 | 31*8 |
1234 */
1235
1236 /* T5577C timing datasheet for Fixed-Bit-Length protocol (defualt):
1237 * Type | MIN | Typical | Max |
1238 * Start_Gap | 8*8 | 15*8 | 50*8 |
1239 * Write_Gap Normal mode | 8*8 | 10*8 | 20*8 |
1240 * Write_Gap Fast Mode | 8*8 | 10*8 | 20*8 |
1241 * Write_0 Normal mode | 16*8 | 24*8 | 32*8 |
1242 * Write_1 Normal mode | 48*8 | 56*8 | 64*8 |
1243 * Write_0 Fast Mode | 8*8 | 12*8 | 16*8 |
1244 * Write_1 Fast Mode | 24*8 | 28*8 | 32*8 |
1245 */
1246
1247 // Structure to hold Timing values. In future will be simplier to add user changable timings.
1248 typedef struct {
1249 uint16_t START_GAP;
1250 uint16_t WRITE_GAP;
1251 uint16_t WRITE_0;
1252 uint16_t WRITE_1;
1253 uint16_t WRITE_2;
1254 uint16_t WRITE_3;
1255 uint16_t READ_GAP;
1256 } T55xx_Timing;
1257
1258 // Set Initial/Default Values. Note: *8 can occure when used. This should keep things simplier here.
1259 T55xx_Timing T55xx_Timing_FixedBit = { 31 * 8 , 20 * 8 , 18 * 8 , 50 * 8 , 0 , 0 , 15 * 8 };
1260 T55xx_Timing T55xx_Timing_LLR = { 31 * 8 , 20 * 8 , 18 * 8 , 50 * 8 , 0 , 0 , 15 * 8 };
1261 T55xx_Timing T55xx_Timing_Leading0 = { 31 * 8 , 20 * 8 , 18 * 8 , 40 * 8 , 0 , 0 , 15 * 8 };
1262 T55xx_Timing T55xx_Timing_1of4 = { 31 * 8 , 20 * 8 , 18 * 8 , 34 * 8 , 50 * 8 , 66 * 8 , 15 * 8 };
1263
1264 // Some defines for readability
1265 #define T55xx_DLMode_Fixed 0 // Default Mode
1266 #define T55xx_DLMode_LLR 1 // Long Leading Reference
1267 #define T55xx_DLMode_Leading0 2 // Leading Zero
1268 #define T55xx_DLMode_1of4 3 // 1 of 4
1269 #define T55xx_LongLeadingReference 4 // Value to tell Write Bit to send long reference
1270 // Macro for code readability
1271 #define BitStream_Byte(X) ((X) >> 3)
1272 #define BitStream_Bit(X) ((X) & 7)
1273
1274
1275 void TurnReadLFOn(int delay) {
1276 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
1277 // Give it a bit of time for the resonant antenna to settle.
1278 WaitUS(delay); //155*8 //50*8
1279 }
1280
1281 // Write one bit to card
1282 void T55xxWriteBit(int bit, T55xx_Timing *Timings) {
1283
1284 // If bit = 4 Send Long Leading Reference which is 138 + WRITE_0
1285 // Dbprintf ("Bits : %d",bit);
1286 switch (bit){
1287 case 0 : TurnReadLFOn(Timings->WRITE_0); break; // Send bit 0/00
1288 case 1 : TurnReadLFOn(Timings->WRITE_1); break; // Send bit 1/01
1289 case 2 : TurnReadLFOn(Timings->WRITE_2); break; // Send bits 10
1290 case 3 : TurnReadLFOn(Timings->WRITE_3); break; // Send bits 11
1291 case 4 : TurnReadLFOn(Timings->WRITE_0 + (136 * 8)); break; // Send Long Leading Reference
1292 }
1293 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1294 WaitUS(Timings->WRITE_GAP);
1295 }
1296
1297 // Function to abstract an Arbitrary length byte array to store bit pattern.
1298 // bit_array - Array to hold data/bit pattern
1299 // start_offset - bit location to start storing new bits.
1300 // data - upto 32 bits of data to store
1301 // num_bits - how many bits (low x bits of data) Max 32 bits at a time
1302 // max_len - how many bytes can the bit_array hold (ensure no buffer overflow)
1303 // returns "Next" bit offset / bits stored (for next store)
1304 //int T55xx_SetBits (uint8_t *bit_array, int start_offset, uint32_t data , int num_bits, int max_len)
1305 int T55xx_SetBits (uint8_t *BitStream, uint8_t start_offset, uint32_t data , uint8_t num_bits, uint8_t max_len)
1306 {
1307 int8_t offset;
1308 int8_t NextOffset = start_offset;
1309
1310 // Check if data will fit.
1311 if ((start_offset + num_bits) <= (max_len*8)) {
1312 // Loop through the data and store
1313 for (offset = (num_bits-1); offset >= 0; offset--) {
1314
1315 if ((data >> offset) & 1) BitStream[BitStream_Byte(NextOffset)] |= (1 << BitStream_Bit(NextOffset)); // Set the bit to 1
1316 else BitStream[BitStream_Byte(NextOffset)] &= (0xff ^ (1 << BitStream_Bit(NextOffset))); // Set the bit to 0
1317
1318 NextOffset++;
1319 }
1320 }
1321 else {
1322 // Note: This should never happen unless some code changes cause it.
1323 // So short message for coders when testing.
1324 Dbprintf ("T55 too many bits");
1325 }
1326 return NextOffset;
1327 }
1328
1329 // Send one downlink command to the card
1330 void T55xx_SendCMD (uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
1331
1332 /*
1333 arg bits
1334 xxxxxxx1 0x01 PwdMode
1335 xxxxxx1x 0x02 Page
1336 xxxxx1xx 0x04 testMode
1337 xxx11xxx 0x18 downlink mode
1338 xx1xxxxx 0x20 !reg_readmode
1339 x1xxxxxx 0x40 called for a read, so no data packet
1340 1xxxxxxx 0x80 reset
1341
1342 */
1343 bool PwdMode = ((arg & 0x01) == 0x01);
1344 bool Page = (arg & 0x02);
1345 bool testMode = ((arg & 0x04) == 0x04);
1346 uint8_t downlink_mode = (arg >> 3) & 0x03;
1347 bool reg_readmode = ((arg & 0x20) == 0x20);
1348 bool read_cmd = ((arg & 0x40) == 0x40);
1349 bool reset = (arg & 0x80);
1350
1351 uint8_t i = 0;
1352 uint8_t BitStream[10]; // Max Downlink Command size ~74 bits, so 10 bytes (80 bits)
1353 uint8_t BitStreamLen;
1354 T55xx_Timing *Timing;
1355 uint8_t SendBits;
1356
1357 // Assigning Downlink Timeing for write
1358 switch (downlink_mode)
1359 {
1360 case T55xx_DLMode_Fixed : Timing = &T55xx_Timing_FixedBit; break;
1361 case T55xx_DLMode_LLR : Timing = &T55xx_Timing_LLR; break;
1362 case T55xx_DLMode_Leading0 : Timing = &T55xx_Timing_Leading0; break;
1363 case T55xx_DLMode_1of4 : Timing = &T55xx_Timing_1of4; break;
1364 default:
1365 Timing = &T55xx_Timing_FixedBit;
1366 }
1367
1368 // Build Bit Stream to send.
1369 memset (BitStream,0x00,sizeof(BitStream));
1370
1371 BitStreamLen = 0; // Ensure 0 bit index to start.
1372
1373 // Add Leading 0 and 1 of 4 reference bit
1374 if ((downlink_mode == T55xx_DLMode_Leading0) || (downlink_mode == T55xx_DLMode_1of4))
1375 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 1,sizeof(BitStream));
1376
1377 // Add extra reference 0 for 1 of 4
1378 if (downlink_mode == T55xx_DLMode_1of4)
1379 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 1,sizeof(BitStream));
1380
1381 // Add Opcode
1382 if (reset) {
1383 // Reset : r*) 00
1384 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 2,sizeof(BitStream));
1385 }
1386 else
1387 {
1388 if (testMode) Dbprintf("TestMODE");
1389 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen,testMode ? 0 : 1 , 1,sizeof(BitStream));
1390 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen,testMode ? 1 : Page , 1,sizeof(BitStream));
1391
1392 if (PwdMode) {
1393 // Leading 0 and 1 of 4 00 fixed bits if passsword used
1394 if ((downlink_mode == T55xx_DLMode_Leading0) || (downlink_mode == T55xx_DLMode_1of4)) {
1395 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 2,sizeof(BitStream));
1396 }
1397 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, Pwd, 32,sizeof(BitStream));
1398 }
1399
1400 // Add Lock bit 0
1401 if (!reg_readmode) BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 1,sizeof(BitStream));
1402
1403 // Add Data if a write command
1404 if (!read_cmd) BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, Data, 32,sizeof(BitStream));
1405
1406 // Add Address
1407 if (!reg_readmode) BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, Block, 3,sizeof(BitStream));
1408 }
1409
1410 // Send Bits to T55xx
1411 // Set up FPGA, 125kHz
1412 LFSetupFPGAForADC(95, true);
1413 StartTicks();
1414 // make sure tag is fully powered up...
1415 WaitMS(5);
1416 // Trigger T55x7 in mode.
1417 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1418 WaitUS(Timing->START_GAP);
1419
1420 // If long leading 0 send long reference pulse
1421 if (downlink_mode == T55xx_DLMode_LLR)
1422 T55xxWriteBit (T55xx_LongLeadingReference,Timing); // Send Long Leading Start Reference
1423
1424 if ((downlink_mode == T55xx_DLMode_1of4) && (BitStreamLen > 0)) { // 1 of 4 need to send 2 bits at a time
1425 for ( i = 0; i < BitStreamLen-1; i+=2 ) {
1426 SendBits = (BitStream[BitStream_Byte(i )] >> (BitStream_Bit(i )) & 1) << 1; // Bit i
1427 SendBits += (BitStream[BitStream_Byte(i+1)] >> (BitStream_Bit(i+1)) & 1); // Bit i+1;
1428 T55xxWriteBit (SendBits & 3,Timing);
1429 }
1430 }
1431 else {
1432 for (i = 0; i < BitStreamLen; i++) {
1433 SendBits = (BitStream[BitStream_Byte(i)] >> BitStream_Bit(i));
1434 T55xxWriteBit (SendBits & 1,Timing);
1435 }
1436 }
1437 }
1438
1439 // Send T5577 reset command then read stream (see if we can identify the start of the stream)
1440 void T55xxResetRead(void) {
1441 LED_A_ON();
1442
1443 // send r* 00
1444 uint8_t arg = 0x80; // SendCMD will add correct reference mode based on flags (when added).
1445
1446 // Add in downlink_mode when ready
1447 // arg |= 0x00; // dlmode << 3 (00 default - 08 leading 0 - 10 Fixed - 18 1 of 4 )
1448
1449 //clear buffer now so it does not interfere with timing later
1450 BigBuf_Clear_keep_EM();
1451
1452 T55xx_SendCMD (0, 0, 0, arg); //, true);
1453
1454 TurnReadLFOn(T55xx_Timing_FixedBit.READ_GAP);
1455
1456 // Acquisition
1457 DoPartialAcquisition(0, true, BigBuf_max_traceLen(), 0);
1458
1459 // Turn the field off
1460 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1461 cmd_send(CMD_ACK,0,0,0,0,0);
1462 LED_A_OFF();
1463 }
1464
1465 // Write one card block in page 0, no lock
1466 void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
1467 /*
1468 arg bits
1469 xxxxxxx1 0x01 PwdMode
1470 xxxxxx1x 0x02 Page
1471 xxxxx1xx 0x04 testMode
1472 xxx11xxx 0x18 downlink mode
1473 xx1xxxxx 0x20 !reg_readmode
1474 x1xxxxxx 0x40 called for a read, so no data packet
1475 1xxxxxxx 0x80 reset
1476 */
1477
1478 bool testMode = ((arg & 0x04) == 0x04);
1479 arg &= (0xff ^ 0x40); // Called for a write, so ensure it is clear/0
1480
1481 LED_A_ON ();
1482 T55xx_SendCMD (Data, Block, Pwd, arg) ;//, false);
1483
1484 // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
1485 // so wait a little more)
1486
1487 // "there is a clock delay before programming"
1488 // - programming takes ~5.6ms for t5577 ~18ms for E5550 or t5567
1489 // so we should wait 1 clock + 5.6ms then read response?
1490 // but we need to know we are dealing with t5577 vs t5567 vs e5550 (or q5) marshmellow...
1491 if (testMode) {
1492 //TESTMODE TIMING TESTS:
1493 // <566us does nothing
1494 // 566-568 switches between wiping to 0s and doing nothing
1495 // 5184 wipes and allows 1 block to be programmed.
1496 // indefinite power on wipes and then programs all blocks with bitshifted data sent.
1497 TurnReadLFOn(5184);
1498
1499 } else {
1500 TurnReadLFOn(20 * 1000);
1501 //could attempt to do a read to confirm write took
1502 // as the tag should repeat back the new block
1503 // until it is reset, but to confirm it we would
1504 // need to know the current block 0 config mode for
1505 // modulation clock an other details to demod the response...
1506 // response should be (for t55x7) a 0 bit then (ST if on)
1507 // block data written in on repeat until reset.
1508
1509 //DoPartialAcquisition(20, true, 12000);
1510 }
1511 // turn field off
1512 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1513
1514 cmd_send(CMD_ACK,0,0,0,0,0);
1515
1516 LED_A_OFF ();
1517 }
1518
1519 // Read one card block in page [page]
1520 void T55xxReadBlock (uint16_t arg0, uint8_t Block, uint32_t Pwd) {//, struct T55xx_Timing *Timing) {
1521
1522 LED_A_ON();
1523
1524 /*
1525 arg bits
1526 xxxxxxx1 0x01 PwdMode
1527 xxxxxx1x 0x02 Page
1528 xxxxx1xx 0x04 testMode
1529 xxx11xxx 0x18 downlink mode
1530 xx1xxxxx 0x20 !reg_readmode
1531 x1xxxxxx 0x40 called for a read, so no data packet
1532 1xxxxxxx 0x80 reset
1533 */
1534
1535 // Set Read Flag to ensure SendCMD does not add "data" to the packet
1536 arg0 |= 0x40;
1537
1538 // RegRead Mode true of block 0xff
1539 if (Block == 0xff) arg0 |= 0x20;
1540
1541 //make sure block is at max 7
1542 Block &= 0x7;
1543
1544 //clear buffer now so it does not interfere with timing later
1545 BigBuf_Clear_ext(false);
1546
1547 T55xx_SendCMD (0, Block, Pwd, arg0); //, true);
1548
1549 // Turn field on to read the response
1550 // 137*8 seems to get to the start of data pretty well...
1551 // but we want to go past the start and let the repeating data settle in...
1552 TurnReadLFOn(210*8);
1553
1554 // Acquisition
1555 // Now do the acquisition
1556 DoPartialAcquisition(0, true, 12000, 0);
1557
1558 // Turn the field off
1559 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1560 cmd_send(CMD_ACK,0,0,0,0,0);
1561
1562 LED_A_OFF();
1563 }
1564
1565 void T55xxWakeUp(uint32_t Pwd){
1566 LED_B_ON();
1567 /*
1568 arg bits
1569 xxxxxxx1 0x01 PwdMode
1570 xxxxxx1x 0x02 Page
1571 xxxxx1xx 0x04 testMode
1572 xxx11xxx 0x18 downlink mode
1573 xx1xxxxx 0x20 !reg_readmode
1574 x1xxxxxx 0x40 called for a read, so no data packet
1575 1xxxxxxx 0x80 reset
1576 */
1577
1578 // r* 10 (00) <pwd> r* for llr , L0 and 1/4 - (00) for L0 and 1/4 - All handled in SendCMD
1579 // So, default Opcode 10 and pwd.
1580 uint8_t arg = 0x01 | 0x40 | 0x20; //Password Read Call no data | reg_read no block
1581
1582 // Add in downlink_mode when ready
1583 // arg |= 0x00; // dlmode << 3 (00 default - 08 leading 0 - 10 Fixed - 18 1 of 4 )
1584
1585 T55xx_SendCMD (0, 0, Pwd, arg); //, true);
1586
1587 // Turn and leave field on to let the begin repeating transmission
1588 TurnReadLFOn(20*1000);
1589 }
1590
1591 /*-------------- Cloning routines -----------*/
1592
1593 void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
1594 // write last block first and config block last (if included)
1595 for (uint8_t i = numblocks+startblock; i > startblock; i--) {
1596 T55xxWriteBlock(blockdata[i-1],i-1,0,0);//,false); //,&T55xx_Timing_FixedBit);
1597 //T55xx_SendCMD (blockdata[i-1],i-1,0,0);//,false); //,&T55xx_Timing_FixedBit);
1598 }
1599 }
1600
1601 // Copy a HID-like card (e.g. HID Proximity, Paradox) to a T55x7 compatible card
1602 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, uint8_t preamble) {
1603 uint32_t data[] = {0,0,0,0,0,0,0};
1604 uint8_t last_block = 0;
1605
1606 if (longFMT) {
1607 // Ensure no more than 84 bits supplied
1608 if (hi2>0xFFFFF) {
1609 DbpString("Tags can only have 84 bits.");
1610 return;
1611 }
1612 // Build the 6 data blocks for supplied 84bit ID
1613 last_block = 6;
1614 // load preamble & long format identifier (9E manchester encoded)
1615 data[1] = (preamble << 24) | 0x96A900 | (manchesterEncode2Bytes((hi2 >> 16) & 0xF) & 0xFF);
1616 // load raw id from hi2, hi, lo to data blocks (manchester encoded)
1617 data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF);
1618 data[3] = manchesterEncode2Bytes(hi >> 16);
1619 data[4] = manchesterEncode2Bytes(hi & 0xFFFF);
1620 data[5] = manchesterEncode2Bytes(lo >> 16);
1621 data[6] = manchesterEncode2Bytes(lo & 0xFFFF);
1622 } else {
1623 // Ensure no more than 44 bits supplied
1624 if (hi>0xFFF) {
1625 DbpString("Tags can only have 44 bits.");
1626 return;
1627 }
1628 // Build the 3 data blocks for supplied 44bit ID
1629 last_block = 3;
1630 // load preamble
1631 data[1] = (preamble << 24) | (manchesterEncode2Bytes(hi) & 0xFFFFFF);
1632 data[2] = manchesterEncode2Bytes(lo >> 16);
1633 data[3] = manchesterEncode2Bytes(lo & 0xFFFF);
1634 }
1635 // load chip config block
1636 data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT;
1637
1638 //TODO add selection of chip for Q5 or T55x7
1639 // data[0] = (((50-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | last_block << T5555_MAXBLOCK_SHIFT;
1640
1641 LED_D_ON();
1642 // Program the data blocks for supplied ID
1643 // and the block 0 for HID format
1644 WriteT55xx(data, 0, last_block+1);
1645
1646 LED_D_OFF();
1647
1648 DbpString("DONE!");
1649 }
1650
1651 void CopyIOtoT55x7(uint32_t hi, uint32_t lo) {
1652 uint32_t data[] = {T55x7_BITRATE_RF_64 | T55x7_MODULATION_FSK2a | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
1653 //TODO add selection of chip for Q5 or T55x7
1654 // data[0] = (((64-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | 2 << T5555_MAXBLOCK_SHIFT;
1655
1656 LED_D_ON();
1657 // Program the data blocks for supplied ID
1658 // and the block 0 config
1659 WriteT55xx(data, 0, 3);
1660
1661 LED_D_OFF();
1662
1663 DbpString("DONE!");
1664 }
1665
1666 // Clone Indala 64-bit tag by UID to T55x7
1667 void CopyIndala64toT55x7(uint32_t hi, uint32_t lo) {
1668 //Program the 2 data blocks for supplied 64bit UID
1669 // and the Config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2)
1670 uint32_t data[] = { T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
1671 //TODO add selection of chip for Q5 or T55x7
1672 // data[0] = (((32-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 2 << T5555_MAXBLOCK_SHIFT;
1673
1674 WriteT55xx(data, 0, 3);
1675 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
1676 // T5567WriteBlock(0x603E1042,0);
1677 DbpString("DONE!");
1678 }
1679 // Clone Indala 224-bit tag by UID to T55x7
1680 void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7) {
1681 //Program the 7 data blocks for supplied 224bit UID
1682 uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7};
1683 // and the block 0 for Indala224 format
1684 //Config for Indala (RF/32;PSK2 with RF/2;Maxblock=7)
1685 data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK2 | (7 << T55x7_MAXBLOCK_SHIFT);
1686 //TODO add selection of chip for Q5 or T55x7
1687 // data[0] = (((32-2)>>1)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK2 | 7 << T5555_MAXBLOCK_SHIFT;
1688 WriteT55xx(data, 0, 8);
1689 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
1690 // T5567WriteBlock(0x603E10E2,0);
1691 DbpString("DONE!");
1692 }
1693 // clone viking tag to T55xx
1694 void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5) {
1695 uint32_t data[] = {T55x7_BITRATE_RF_32 | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT), block1, block2};
1696 if (Q5) data[0] = T5555_SET_BITRATE(32) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
1697 // Program the data blocks for supplied ID and the block 0 config
1698 WriteT55xx(data, 0, 3);
1699 LED_D_OFF();
1700 cmd_send(CMD_ACK,0,0,0,0,0);
1701 }
1702
1703 // Define 9bit header for EM410x tags
1704 #define EM410X_HEADER 0x1FF
1705 #define EM410X_ID_LENGTH 40
1706
1707 void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo) {
1708 int i, id_bit;
1709 uint64_t id = EM410X_HEADER;
1710 uint64_t rev_id = 0; // reversed ID
1711 int c_parity[4]; // column parity
1712 int r_parity = 0; // row parity
1713 uint32_t clock = 0;
1714
1715 // Reverse ID bits given as parameter (for simpler operations)
1716 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1717 if (i < 32) {
1718 rev_id = (rev_id << 1) | (id_lo & 1);
1719 id_lo >>= 1;
1720 } else {
1721 rev_id = (rev_id << 1) | (id_hi & 1);
1722 id_hi >>= 1;
1723 }
1724 }
1725
1726 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1727 id_bit = rev_id & 1;
1728
1729 if (i % 4 == 0) {
1730 // Don't write row parity bit at start of parsing
1731 if (i)
1732 id = (id << 1) | r_parity;
1733 // Start counting parity for new row
1734 r_parity = id_bit;
1735 } else {
1736 // Count row parity
1737 r_parity ^= id_bit;
1738 }
1739
1740 // First elements in column?
1741 if (i < 4)
1742 // Fill out first elements
1743 c_parity[i] = id_bit;
1744 else
1745 // Count column parity
1746 c_parity[i % 4] ^= id_bit;
1747
1748 // Insert ID bit
1749 id = (id << 1) | id_bit;
1750 rev_id >>= 1;
1751 }
1752
1753 // Insert parity bit of last row
1754 id = (id << 1) | r_parity;
1755
1756 // Fill out column parity at the end of tag
1757 for (i = 0; i < 4; ++i)
1758 id = (id << 1) | c_parity[i];
1759
1760 // Add stop bit
1761 id <<= 1;
1762
1763 Dbprintf("Started writing %s tag ...", card ? "T55x7":"T5555");
1764 LED_D_ON();
1765
1766 // Write EM410x ID
1767 uint32_t data[] = {0, (uint32_t)(id>>32), (uint32_t)(id & 0xFFFFFFFF)};
1768
1769 clock = (card & 0xFF00) >> 8;
1770 clock = (clock == 0) ? 64 : clock;
1771 Dbprintf("Clock rate: %d", clock);
1772 if (card & 0xFF) { //t55x7
1773 clock = GetT55xxClockBit(clock);
1774 if (clock == 0) {
1775 Dbprintf("Invalid clock rate: %d", clock);
1776 return;
1777 }
1778 data[0] = clock | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT);
1779 } else { //t5555 (Q5)
1780 data[0] = T5555_SET_BITRATE(clock) | T5555_MODULATION_MANCHESTER | (2 << T5555_MAXBLOCK_SHIFT);
1781 }
1782
1783 WriteT55xx(data, 0, 3);
1784
1785 LED_D_OFF();
1786 Dbprintf("Tag %s written with 0x%08x%08x\n", card ? "T55x7":"T5555",
1787 (uint32_t)(id >> 32), (uint32_t)id);
1788 }
1789
1790 //-----------------------------------
1791 // EM4469 / EM4305 routines
1792 //-----------------------------------
1793 #define FWD_CMD_LOGIN 0xC //including the even parity, binary mirrored
1794 #define FWD_CMD_WRITE 0xA
1795 #define FWD_CMD_READ 0x9
1796 #define FWD_CMD_DISABLE 0x5
1797 #define FWD_CMD_PROTECT 0x3
1798
1799 uint8_t forwardLink_data[64]; //array of forwarded bits
1800 uint8_t * forward_ptr; //ptr for forward message preparation
1801 uint8_t fwd_bit_sz; //forwardlink bit counter
1802 uint8_t * fwd_write_ptr; //forwardlink bit pointer
1803
1804 //====================================================================
1805 // prepares command bits
1806 // see EM4469 spec
1807 //====================================================================
1808 //--------------------------------------------------------------------
1809 // VALUES TAKEN FROM EM4x function: SendForward
1810 // START_GAP = 440; (55*8) cycles at 125Khz (8us = 1cycle)
1811 // WRITE_GAP = 128; (16*8)
1812 // WRITE_1 = 256 32*8; (32*8)
1813
1814 // These timings work for 4469/4269/4305 (with the 55*8 above)
1815 // WRITE_0 = 23*8 , 9*8 SpinDelayUs(23*8);
1816
1817 uint8_t Prepare_Cmd( uint8_t cmd ) {
1818
1819 *forward_ptr++ = 0; //start bit
1820 *forward_ptr++ = 0; //second pause for 4050 code
1821
1822 *forward_ptr++ = cmd;
1823 cmd >>= 1;
1824 *forward_ptr++ = cmd;
1825 cmd >>= 1;
1826 *forward_ptr++ = cmd;
1827 cmd >>= 1;
1828 *forward_ptr++ = cmd;
1829
1830 return 6; //return number of emited bits
1831 }
1832
1833 //====================================================================
1834 // prepares address bits
1835 // see EM4469 spec
1836 //====================================================================
1837 uint8_t Prepare_Addr( uint8_t addr ) {
1838
1839 register uint8_t line_parity;
1840
1841 uint8_t i;
1842 line_parity = 0;
1843 for(i=0;i<6;i++) {
1844 *forward_ptr++ = addr;
1845 line_parity ^= addr;
1846 addr >>= 1;
1847 }
1848
1849 *forward_ptr++ = (line_parity & 1);
1850
1851 return 7; //return number of emited bits
1852 }
1853
1854 //====================================================================
1855 // prepares data bits intreleaved with parity bits
1856 // see EM4469 spec
1857 //====================================================================
1858 uint8_t Prepare_Data( uint16_t data_low, uint16_t data_hi) {
1859
1860 register uint8_t line_parity;
1861 register uint8_t column_parity;
1862 register uint8_t i, j;
1863 register uint16_t data;
1864
1865 data = data_low;
1866 column_parity = 0;
1867
1868 for(i=0; i<4; i++) {
1869 line_parity = 0;
1870 for(j=0; j<8; j++) {
1871 line_parity ^= data;
1872 column_parity ^= (data & 1) << j;
1873 *forward_ptr++ = data;
1874 data >>= 1;
1875 }
1876 *forward_ptr++ = line_parity;
1877 if(i == 1)
1878 data = data_hi;
1879 }
1880
1881 for(j=0; j<8; j++) {
1882 *forward_ptr++ = column_parity;
1883 column_parity >>= 1;
1884 }
1885 *forward_ptr = 0;
1886
1887 return 45; //return number of emited bits
1888 }
1889
1890 //====================================================================
1891 // Forward Link send function
1892 // Requires: forwarLink_data filled with valid bits (1 bit per byte)
1893 // fwd_bit_count set with number of bits to be sent
1894 //====================================================================
1895 void SendForward(uint8_t fwd_bit_count) {
1896
1897 fwd_write_ptr = forwardLink_data;
1898 fwd_bit_sz = fwd_bit_count;
1899
1900 // Set up FPGA, 125kHz or 95 divisor
1901 LFSetupFPGAForADC(95, true);
1902
1903 // force 1st mod pulse (start gap must be longer for 4305)
1904 fwd_bit_sz--; //prepare next bit modulation
1905 fwd_write_ptr++;
1906 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1907 WaitUS(55*8); //55 cycles off (8us each)for 4305 //another reader has 37 here...
1908 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
1909 WaitUS(18*8); //18 cycles on (8us each)
1910
1911 // now start writting - each bit should be 32*8 total length
1912 while(fwd_bit_sz-- > 0) { //prepare next bit modulation
1913 if(((*fwd_write_ptr++) & 1) == 1)
1914 WaitUS(32*8); //32 cycles at 125Khz (8us each)
1915 else {
1916 //These timings work for 4469/4269/4305 (with the 55*8 above)
1917 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1918 WaitUS(23*8); //23 cycles off (8us each)
1919 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
1920 WaitUS((32-23)*8); //remaining cycles on (8us each)
1921 }
1922 }
1923 }
1924
1925 void EM4xLogin(uint32_t Password) {
1926
1927 uint8_t fwd_bit_count;
1928
1929 forward_ptr = forwardLink_data;
1930 fwd_bit_count = Prepare_Cmd( FWD_CMD_LOGIN );
1931 fwd_bit_count += Prepare_Data( Password&0xFFFF, Password>>16 );
1932
1933 SendForward(fwd_bit_count);
1934
1935 //Wait for command to complete
1936 SpinDelay(20);
1937 }
1938
1939 void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
1940
1941 uint8_t fwd_bit_count;
1942
1943 // Clear destination buffer before sending the command
1944 BigBuf_Clear_ext(false);
1945
1946 LED_A_ON();
1947 StartTicks();
1948 //If password mode do login
1949 if (PwdMode == 1) EM4xLogin(Pwd);
1950
1951 forward_ptr = forwardLink_data;
1952 fwd_bit_count = Prepare_Cmd( FWD_CMD_READ );
1953 fwd_bit_count += Prepare_Addr( Address );
1954
1955 SendForward(fwd_bit_count);
1956 WaitUS(400);
1957 // Now do the acquisition
1958 DoPartialAcquisition(20, true, 6000, 1000);
1959
1960 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1961 LED_A_OFF();
1962 cmd_send(CMD_ACK,0,0,0,0,0);
1963 }
1964
1965 void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) {
1966
1967 bool PwdMode = (flag & 0x1);
1968 uint8_t Address = (flag >> 8) & 0xFF;
1969 uint8_t fwd_bit_count;
1970
1971 //clear buffer now so it does not interfere with timing later
1972 BigBuf_Clear_ext(false);
1973
1974 LED_A_ON();
1975 StartTicks();
1976 //If password mode do login
1977 if (PwdMode) EM4xLogin(Pwd);
1978
1979 forward_ptr = forwardLink_data;
1980 fwd_bit_count = Prepare_Cmd( FWD_CMD_WRITE );
1981 fwd_bit_count += Prepare_Addr( Address );
1982 fwd_bit_count += Prepare_Data( Data&0xFFFF, Data>>16 );
1983
1984 SendForward(fwd_bit_count);
1985
1986 //Wait for write to complete
1987 //SpinDelay(10);
1988
1989 WaitUS(6500);
1990 //Capture response if one exists
1991 DoPartialAcquisition(20, true, 6000, 1000);
1992
1993 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1994 LED_A_OFF();
1995 cmd_send(CMD_ACK,0,0,0,0,0);
1996 }
1997
1998 void EM4xProtect(uint32_t flag, uint32_t Data, uint32_t Pwd) {
1999
2000 bool PwdMode = (flag & 0x1);
2001 uint8_t fwd_bit_count;
2002
2003 //clear buffer now so it does not interfere with timing later
2004 BigBuf_Clear_ext(false);
2005
2006 LED_A_ON();
2007 StartTicks();
2008 //If password mode do login
2009 if (PwdMode) EM4xLogin(Pwd);
2010
2011 forward_ptr = forwardLink_data;
2012 fwd_bit_count = Prepare_Cmd( FWD_CMD_PROTECT );
2013
2014 //unsure if this needs the full packet config...
2015 fwd_bit_count += Prepare_Data( Data&0xFFFF, Data>>16 );
2016
2017 SendForward(fwd_bit_count);
2018
2019 //Wait for write to complete
2020 //SpinDelay(10);
2021
2022 WaitUS(6500);
2023 //Capture response if one exists
2024 DoPartialAcquisition(20, true, 6000, 1000);
2025
2026 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
2027 LED_A_OFF();
2028 cmd_send(CMD_ACK,0,0,0,0,0);
2029 }
2030 /*
2031 Reading a COTAG.
2032
2033 COTAG needs the reader to send a startsequence and the card has an extreme slow datarate.
2034 because of this, we can "sample" the data signal but we interpreate it to Manchester direct.
2035
2036 READER START SEQUENCE:
2037 burst 800 us, gap 2.2 msecs
2038 burst 3.6 msecs gap 2.2 msecs
2039 burst 800 us gap 2.2 msecs
2040 pulse 3.6 msecs
2041
2042 This triggers a COTAG tag to response
2043 */
2044 void Cotag(uint32_t arg0) {
2045
2046 #define OFF { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); WaitUS(2035); }
2047 #define ON(x) { FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); WaitUS((x)); }
2048
2049 uint8_t rawsignal = arg0 & 0xF;
2050
2051 LED_A_ON();
2052
2053 // Switching to LF image on FPGA. This might empty BigBuff
2054 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
2055
2056 //clear buffer now so it does not interfere with timing later
2057 BigBuf_Clear_ext(false);
2058
2059 // Set up FPGA, 132kHz to power up the tag
2060 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 89);
2061 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
2062
2063 // Connect the A/D to the peak-detected low-frequency path.
2064 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
2065
2066 // Now set up the SSC to get the ADC samples that are now streaming at us.
2067 FpgaSetupSsc(FPGA_MAJOR_MODE_LF_ADC);
2068
2069 // start clock - 1.5ticks is 1us
2070 StartTicks();
2071
2072 //send COTAG start pulse
2073 ON(740) OFF
2074 ON(3330) OFF
2075 ON(740) OFF
2076 ON(1000)
2077
2078 switch(rawsignal) {
2079 case 0: doCotagAcquisition(50000); break;
2080 case 1: doCotagAcquisitionManchester(); break;
2081 case 2: DoAcquisition_config(true, 0); break;
2082 }
2083
2084 // Turn the field off
2085 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
2086 cmd_send(CMD_ACK,0,0,0,0,0);
2087 LED_A_OFF();
2088 }
Proxmark3 GIT tracking
Impressum, Datenschutz