]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/lfops.c
projects / proxmark3-svn / blob
? search:


c7a7a59dd9469721ce2845eb150431ae8739bb47
[proxmark3-svn] / armsrc / lfops.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // Miscellaneous routines for low frequency tag operations.
7 // Tags supported here so far are Texas Instruments (TI), HID, EM4x05, EM410x
8 // Also routines for raw mode reading/simulating of LF waveform
9 //-----------------------------------------------------------------------------
10
11 #include "proxmark3.h"
12 #include "apps.h"
13 #include "util.h"
14 #include "hitag2.h"
15 #include "crc16.h"
16 #include "string.h"
17 #include "lfdemod.h"
18 #include "lfsampling.h"
19 #include "protocols.h"
20 #include "usb_cdc.h" // for usb_poll_validate_length
21
22 /**
23 * Function to do a modulation and then get samples.
24 * @param delay_off
25 * @param period_0
26 * @param period_1
27 * @param command
28 */
29 void ModThenAcquireRawAdcSamples125k(uint32_t delay_off, uint32_t period_0, uint32_t period_1, uint8_t *command)
30 {
31 // start timer
32 StartTicks();
33
34 // use lf config settings
35 sample_config *sc = getSamplingConfig();
36 // clear read buffer
37 BigBuf_Clear_keep_EM();
38
39 /* Make sure the tag is reset */
40 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
41 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
42 WaitMS(2500);
43
44 // power on
45 LFSetupFPGAForADC(sc->divisor, 1);
46
47 // And a little more time for the tag to fully power up
48 WaitMS(2000);
49 // if delay_off = 0 then just bitbang 1 = antenna on 0 = off for respective periods.
50 bool bitbang = delay_off == 0;
51 // now modulate the reader field
52
53 if (bitbang) {
54 // HACK it appears the loop and if statements take up about 7us so adjust waits accordingly...
55 uint8_t hack_cnt = 7;
56 if (period_0 < hack_cnt || period_1 < hack_cnt) {
57 DbpString("Warning periods cannot be less than 7us in bit bang mode");
58 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
59 LED_D_OFF();
60 return;
61 }
62
63 // hack2 needed--- it appears to take about 8-16us to turn the antenna back on
64 // leading to ~ 1 to 2 125khz samples extra in every off period
65 // so we should test for last 0 before next 1 and reduce period_0 by this extra amount...
66 // but is this time different for every antenna or other hw builds??? more testing needed
67
68 // prime cmd_len to save time comparing strings while modulating
69 int cmd_len = 0;
70 while(command[cmd_len] != '\0' && command[cmd_len] != ' ')
71 cmd_len++;
72
73 int counter = 0;
74 bool off = false;
75 for (counter = 0; counter < cmd_len; counter++) {
76 // if cmd = 0 then turn field off
77 if (command[counter] == '0') {
78 // if field already off leave alone (affects timing otherwise)
79 if (off == false) {
80 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
81 LED_D_OFF();
82 off = true;
83 }
84 // note we appear to take about 7us to switch over (or run the if statements/loop...)
85 WaitUS(period_0-hack_cnt);
86 // else if cmd = 1 then turn field on
87 } else {
88 // if field already on leave alone (affects timing otherwise)
89 if (off) {
90 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
91 LED_D_ON();
92 off = false;
93 }
94 // note we appear to take about 7us to switch over (or run the if statements/loop...)
95 WaitUS(period_1-hack_cnt);
96 }
97 }
98 } else { // old mode of cmd read using delay as off period
99 while(*command != '\0' && *command != ' ') {
100 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
101 LED_D_OFF();
102 WaitUS(delay_off);
103 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc->divisor);
104 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
105 LED_D_ON();
106 if(*(command++) == '0') {
107 WaitUS(period_0);
108 } else {
109 WaitUS(period_1);
110 }
111 }
112 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
113 LED_D_OFF();
114 WaitUS(delay_off);
115 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc->divisor);
116 }
117
118 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
119
120 // now do the read
121 DoAcquisition_config(false, 0);
122
123 // Turn off antenna
124 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
125 // tell client we are done
126 cmd_send(CMD_ACK,0,0,0,0,0);
127 }
128
129 /* blank r/w tag data stream
130 ...0000000000000000 01111111
131 1010101010101010101010101010101010101010101010101010101010101010
132 0011010010100001
133 01111111
134 101010101010101[0]000...
135
136 [5555fe852c5555555555555555fe0000]
137 */
138 void ReadTItag(void)
139 {
140 // some hardcoded initial params
141 // when we read a TI tag we sample the zerocross line at 2Mhz
142 // TI tags modulate a 1 as 16 cycles of 123.2Khz
143 // TI tags modulate a 0 as 16 cycles of 134.2Khz
144 #define FSAMPLE 2000000
145 #define FREQLO 123200
146 #define FREQHI 134200
147
148 signed char *dest = (signed char *)BigBuf_get_addr();
149 uint16_t n = BigBuf_max_traceLen();
150 // 128 bit shift register [shift3:shift2:shift1:shift0]
151 uint32_t shift3 = 0, shift2 = 0, shift1 = 0, shift0 = 0;
152
153 int i, cycles=0, samples=0;
154 // how many sample points fit in 16 cycles of each frequency
155 uint32_t sampleslo = (FSAMPLE<<4)/FREQLO, sampleshi = (FSAMPLE<<4)/FREQHI;
156 // when to tell if we're close enough to one freq or another
157 uint32_t threshold = (sampleslo - sampleshi + 1)>>1;
158
159 // TI tags charge at 134.2Khz
160 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
161 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
162
163 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
164 // connects to SSP_DIN and the SSP_DOUT logic level controls
165 // whether we're modulating the antenna (high)
166 // or listening to the antenna (low)
167 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
168
169 // get TI tag data into the buffer
170 AcquireTiType();
171
172 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
173
174 for (i=0; i<n-1; i++) {
175 // count cycles by looking for lo to hi zero crossings
176 if ( (dest[i]<0) && (dest[i+1]>0) ) {
177 cycles++;
178 // after 16 cycles, measure the frequency
179 if (cycles>15) {
180 cycles=0;
181 samples=i-samples; // number of samples in these 16 cycles
182
183 // TI bits are coming to us lsb first so shift them
184 // right through our 128 bit right shift register
185 shift0 = (shift0>>1) | (shift1 << 31);
186 shift1 = (shift1>>1) | (shift2 << 31);
187 shift2 = (shift2>>1) | (shift3 << 31);
188 shift3 >>= 1;
189
190 // check if the cycles fall close to the number
191 // expected for either the low or high frequency
192 if ( (samples>(sampleslo-threshold)) && (samples<(sampleslo+threshold)) ) {
193 // low frequency represents a 1
194 shift3 |= (1<<31);
195 } else if ( (samples>(sampleshi-threshold)) && (samples<(sampleshi+threshold)) ) {
196 // high frequency represents a 0
197 } else {
198 // probably detected a gay waveform or noise
199 // use this as gaydar or discard shift register and start again
200 shift3 = shift2 = shift1 = shift0 = 0;
201 }
202 samples = i;
203
204 // for each bit we receive, test if we've detected a valid tag
205
206 // if we see 17 zeroes followed by 6 ones, we might have a tag
207 // remember the bits are backwards
208 if ( ((shift0 & 0x7fffff) == 0x7e0000) ) {
209 // if start and end bytes match, we have a tag so break out of the loop
210 if ( ((shift0>>16)&0xff) == ((shift3>>8)&0xff) ) {
211 cycles = 0xF0B; //use this as a flag (ugly but whatever)
212 break;
213 }
214 }
215 }
216 }
217 }
218
219 // if flag is set we have a tag
220 if (cycles!=0xF0B) {
221 DbpString("Info: No valid tag detected.");
222 } else {
223 // put 64 bit data into shift1 and shift0
224 shift0 = (shift0>>24) | (shift1 << 8);
225 shift1 = (shift1>>24) | (shift2 << 8);
226
227 // align 16 bit crc into lower half of shift2
228 shift2 = ((shift2>>24) | (shift3 << 8)) & 0x0ffff;
229
230 // if r/w tag, check ident match
231 if (shift3 & (1<<15) ) {
232 DbpString("Info: TI tag is rewriteable");
233 // only 15 bits compare, last bit of ident is not valid
234 if (((shift3 >> 16) ^ shift0) & 0x7fff ) {
235 DbpString("Error: Ident mismatch!");
236 } else {
237 DbpString("Info: TI tag ident is valid");
238 }
239 } else {
240 DbpString("Info: TI tag is readonly");
241 }
242
243 // WARNING the order of the bytes in which we calc crc below needs checking
244 // i'm 99% sure the crc algorithm is correct, but it may need to eat the
245 // bytes in reverse or something
246 // calculate CRC
247 uint32_t crc=0;
248
249 crc = update_crc16(crc, (shift0)&0xff);
250 crc = update_crc16(crc, (shift0>>8)&0xff);
251 crc = update_crc16(crc, (shift0>>16)&0xff);
252 crc = update_crc16(crc, (shift0>>24)&0xff);
253 crc = update_crc16(crc, (shift1)&0xff);
254 crc = update_crc16(crc, (shift1>>8)&0xff);
255 crc = update_crc16(crc, (shift1>>16)&0xff);
256 crc = update_crc16(crc, (shift1>>24)&0xff);
257
258 Dbprintf("Info: Tag data: %x%08x, crc=%x",
259 (unsigned int)shift1, (unsigned int)shift0, (unsigned int)shift2 & 0xFFFF);
260 if (crc != (shift2&0xffff)) {
261 Dbprintf("Error: CRC mismatch, expected %x", (unsigned int)crc);
262 } else {
263 DbpString("Info: CRC is good");
264 }
265 }
266 }
267
268 void WriteTIbyte(uint8_t b)
269 {
270 int i = 0;
271
272 // modulate 8 bits out to the antenna
273 for (i=0; i<8; i++)
274 {
275 if (b&(1<<i)) {
276 // stop modulating antenna
277 LOW(GPIO_SSC_DOUT);
278 SpinDelayUs(1000);
279 // modulate antenna
280 HIGH(GPIO_SSC_DOUT);
281 SpinDelayUs(1000);
282 } else {
283 // stop modulating antenna
284 LOW(GPIO_SSC_DOUT);
285 SpinDelayUs(300);
286 // modulate antenna
287 HIGH(GPIO_SSC_DOUT);
288 SpinDelayUs(1700);
289 }
290 }
291 }
292
293 void AcquireTiType(void)
294 {
295 int i, j, n;
296 // tag transmission is <20ms, sampling at 2M gives us 40K samples max
297 // each sample is 1 bit stuffed into a uint32_t so we need 1250 uint32_t
298 #define TIBUFLEN 1250
299
300 // clear buffer
301 uint32_t *BigBuf = (uint32_t *)BigBuf_get_addr();
302 BigBuf_Clear_ext(false);
303
304 // Set up the synchronous serial port
305 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DIN;
306 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN;
307
308 // steal this pin from the SSP and use it to control the modulation
309 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
310 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
311
312 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
313 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_RXEN | AT91C_SSC_TXEN;
314
315 // Sample at 2 Mbit/s, so TI tags are 16.2 vs. 14.9 clocks long
316 // 48/2 = 24 MHz clock must be divided by 12
317 AT91C_BASE_SSC->SSC_CMR = 12;
318
319 AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(0);
320 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(32) | AT91C_SSC_MSBF;
321 AT91C_BASE_SSC->SSC_TCMR = 0;
322 AT91C_BASE_SSC->SSC_TFMR = 0;
323
324 LED_D_ON();
325
326 // modulate antenna
327 HIGH(GPIO_SSC_DOUT);
328
329 // Charge TI tag for 50ms.
330 SpinDelay(50);
331
332 // stop modulating antenna and listen
333 LOW(GPIO_SSC_DOUT);
334
335 LED_D_OFF();
336
337 i = 0;
338 for(;;) {
339 if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
340 BigBuf[i] = AT91C_BASE_SSC->SSC_RHR; // store 32 bit values in buffer
341 i++; if(i >= TIBUFLEN) break;
342 }
343 WDT_HIT();
344 }
345
346 // return stolen pin to SSP
347 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;
348 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN | GPIO_SSC_DOUT;
349
350 char *dest = (char *)BigBuf_get_addr();
351 n = TIBUFLEN*32;
352 // unpack buffer
353 for (i=TIBUFLEN-1; i>=0; i--) {
354 for (j=0; j<32; j++) {
355 if(BigBuf[i] & (1 << j)) {
356 dest[--n] = 1;
357 } else {
358 dest[--n] = -1;
359 }
360 }
361 }
362 }
363
364 // arguments: 64bit data split into 32bit idhi:idlo and optional 16bit crc
365 // if crc provided, it will be written with the data verbatim (even if bogus)
366 // if not provided a valid crc will be computed from the data and written.
367 void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc)
368 {
369 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
370 if(crc == 0) {
371 crc = update_crc16(crc, (idlo)&0xff);
372 crc = update_crc16(crc, (idlo>>8)&0xff);
373 crc = update_crc16(crc, (idlo>>16)&0xff);
374 crc = update_crc16(crc, (idlo>>24)&0xff);
375 crc = update_crc16(crc, (idhi)&0xff);
376 crc = update_crc16(crc, (idhi>>8)&0xff);
377 crc = update_crc16(crc, (idhi>>16)&0xff);
378 crc = update_crc16(crc, (idhi>>24)&0xff);
379 }
380 Dbprintf("Writing to tag: %x%08x, crc=%x",
381 (unsigned int) idhi, (unsigned int) idlo, crc);
382
383 // TI tags charge at 134.2Khz
384 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
385 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
386 // connects to SSP_DIN and the SSP_DOUT logic level controls
387 // whether we're modulating the antenna (high)
388 // or listening to the antenna (low)
389 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
390 LED_A_ON();
391
392 // steal this pin from the SSP and use it to control the modulation
393 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
394 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
395
396 // writing algorithm:
397 // a high bit consists of a field off for 1ms and field on for 1ms
398 // a low bit consists of a field off for 0.3ms and field on for 1.7ms
399 // initiate a charge time of 50ms (field on) then immediately start writing bits
400 // start by writing 0xBB (keyword) and 0xEB (password)
401 // then write 80 bits of data (or 64 bit data + 16 bit crc if you prefer)
402 // finally end with 0x0300 (write frame)
403 // all data is sent lsb firts
404 // finish with 15ms programming time
405
406 // modulate antenna
407 HIGH(GPIO_SSC_DOUT);
408 SpinDelay(50); // charge time
409
410 WriteTIbyte(0xbb); // keyword
411 WriteTIbyte(0xeb); // password
412 WriteTIbyte( (idlo )&0xff );
413 WriteTIbyte( (idlo>>8 )&0xff );
414 WriteTIbyte( (idlo>>16)&0xff );
415 WriteTIbyte( (idlo>>24)&0xff );
416 WriteTIbyte( (idhi )&0xff );
417 WriteTIbyte( (idhi>>8 )&0xff );
418 WriteTIbyte( (idhi>>16)&0xff );
419 WriteTIbyte( (idhi>>24)&0xff ); // data hi to lo
420 WriteTIbyte( (crc )&0xff ); // crc lo
421 WriteTIbyte( (crc>>8 )&0xff ); // crc hi
422 WriteTIbyte(0x00); // write frame lo
423 WriteTIbyte(0x03); // write frame hi
424 HIGH(GPIO_SSC_DOUT);
425 SpinDelay(50); // programming time
426
427 LED_A_OFF();
428
429 // get TI tag data into the buffer
430 AcquireTiType();
431
432 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
433 DbpString("Now use `lf ti read` to check");
434 }
435
436 void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
437 {
438 int i;
439 uint8_t *tab = BigBuf_get_addr();
440
441 //note FpgaDownloadAndGo destroys the bigbuf so be sure this is called before now...
442 //FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
443 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
444
445 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK;
446
447 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
448 AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK;
449
450 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
451 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
452
453 i = 0;
454 for(;;) {
455 //wait until SSC_CLK goes HIGH
456 int ii = 0;
457 while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {
458 //only check every 1000th time (usb_poll_validate_length on some systems was too slow)
459 if ( ii == 1000 ) {
460 if (BUTTON_PRESS() || usb_poll_validate_length() ) {
461 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
462 DbpString("Stopped");
463 return;
464 }
465 ii=0;
466 }
467 WDT_HIT();
468 ii++;
469 }
470 if (ledcontrol)
471 LED_D_ON();
472
473 if(tab[i])
474 OPEN_COIL();
475 else
476 SHORT_COIL();
477
478 if (ledcontrol)
479 LED_D_OFF();
480 ii=0;
481 //wait until SSC_CLK goes LOW
482 while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) {
483 //only check every 1000th time (usb_poll_validate_length on some systems was too slow)
484 if ( ii == 1000 ) {
485 if (BUTTON_PRESS() || usb_poll_validate_length() ) {
486 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
487 DbpString("Stopped");
488 return;
489 }
490 ii=0;
491 }
492 WDT_HIT();
493 ii++;
494 }
495
496 i++;
497 if(i == period) {
498
499 i = 0;
500 if (gap) {
501 SHORT_COIL();
502 SpinDelayUs(gap);
503 }
504 }
505
506 }
507 }
508
509 #define DEBUG_FRAME_CONTENTS 1
510 void SimulateTagLowFrequencyBidir(int divisor, int t0)
511 {
512 }
513
514 // compose fc/8 fc/10 waveform (FSK2)
515 static void fc(int c, int *n)
516 {
517 uint8_t *dest = BigBuf_get_addr();
518 int idx;
519
520 // for when we want an fc8 pattern every 4 logical bits
521 if(c==0) {
522 dest[((*n)++)]=1;
523 dest[((*n)++)]=1;
524 dest[((*n)++)]=1;
525 dest[((*n)++)]=1;
526 dest[((*n)++)]=0;
527 dest[((*n)++)]=0;
528 dest[((*n)++)]=0;
529 dest[((*n)++)]=0;
530 }
531
532 // an fc/8 encoded bit is a bit pattern of 11110000 x6 = 48 samples
533 if(c==8) {
534 for (idx=0; idx<6; idx++) {
535 dest[((*n)++)]=1;
536 dest[((*n)++)]=1;
537 dest[((*n)++)]=1;
538 dest[((*n)++)]=1;
539 dest[((*n)++)]=0;
540 dest[((*n)++)]=0;
541 dest[((*n)++)]=0;
542 dest[((*n)++)]=0;
543 }
544 }
545
546 // an fc/10 encoded bit is a bit pattern of 1111100000 x5 = 50 samples
547 if(c==10) {
548 for (idx=0; idx<5; idx++) {
549 dest[((*n)++)]=1;
550 dest[((*n)++)]=1;
551 dest[((*n)++)]=1;
552 dest[((*n)++)]=1;
553 dest[((*n)++)]=1;
554 dest[((*n)++)]=0;
555 dest[((*n)++)]=0;
556 dest[((*n)++)]=0;
557 dest[((*n)++)]=0;
558 dest[((*n)++)]=0;
559 }
560 }
561 }
562 // compose fc/X fc/Y waveform (FSKx)
563 static void fcAll(uint8_t fc, int *n, uint8_t clock, uint16_t *modCnt)
564 {
565 uint8_t *dest = BigBuf_get_addr();
566 uint8_t halfFC = fc/2;
567 uint8_t wavesPerClock = clock/fc;
568 uint8_t mod = clock % fc; //modifier
569 uint8_t modAdj = fc/mod; //how often to apply modifier
570 bool modAdjOk = !(fc % mod); //if (fc % mod==0) modAdjOk=TRUE;
571 // loop through clock - step field clock
572 for (uint8_t idx=0; idx < wavesPerClock; idx++){
573 // put 1/2 FC length 1's and 1/2 0's per field clock wave (to create the wave)
574 memset(dest+(*n), 0, fc-halfFC); //in case of odd number use extra here
575 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
576 *n += fc;
577 }
578 if (mod>0) (*modCnt)++;
579 if ((mod>0) && modAdjOk){ //fsk2
580 if ((*modCnt % modAdj) == 0){ //if 4th 8 length wave in a rf/50 add extra 8 length wave
581 memset(dest+(*n), 0, fc-halfFC);
582 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
583 *n += fc;
584 }
585 }
586 if (mod>0 && !modAdjOk){ //fsk1
587 memset(dest+(*n), 0, mod-(mod/2));
588 memset(dest+(*n)+(mod-(mod/2)), 1, mod/2);
589 *n += mod;
590 }
591 }
592
593 // prepare a waveform pattern in the buffer based on the ID given then
594 // simulate a HID tag until the button is pressed
595 void CmdHIDsimTAG(int hi, int lo, int ledcontrol)
596 {
597 int n=0, i=0;
598 /*
599 HID tag bitstream format
600 The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits
601 A 1 bit is represented as 6 fc8 and 5 fc10 patterns
602 A 0 bit is represented as 5 fc10 and 6 fc8 patterns
603 A fc8 is inserted before every 4 bits
604 A special start of frame pattern is used consisting a0b0 where a and b are neither 0
605 nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10)
606 */
607
608 if (hi>0xFFF) {
609 DbpString("Tags can only have 44 bits. - USE lf simfsk for larger tags");
610 return;
611 }
612 // set LF so we don't kill the bigbuf we are setting with simulation data.
613 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
614
615 fc(0,&n);
616 // special start of frame marker containing invalid bit sequences
617 fc(8, &n); fc(8, &n); // invalid
618 fc(8, &n); fc(10, &n); // logical 0
619 fc(10, &n); fc(10, &n); // invalid
620 fc(8, &n); fc(10, &n); // logical 0
621
622 WDT_HIT();
623 // manchester encode bits 43 to 32
624 for (i=11; i>=0; i--) {
625 if ((i%4)==3) fc(0,&n);
626 if ((hi>>i)&1) {
627 fc(10, &n); fc(8, &n); // low-high transition
628 } else {
629 fc(8, &n); fc(10, &n); // high-low transition
630 }
631 }
632
633 WDT_HIT();
634 // manchester encode bits 31 to 0
635 for (i=31; i>=0; i--) {
636 if ((i%4)==3) fc(0,&n);
637 if ((lo>>i)&1) {
638 fc(10, &n); fc(8, &n); // low-high transition
639 } else {
640 fc(8, &n); fc(10, &n); // high-low transition
641 }
642 }
643
644 if (ledcontrol)
645 LED_A_ON();
646 SimulateTagLowFrequency(n, 0, ledcontrol);
647
648 if (ledcontrol)
649 LED_A_OFF();
650 }
651
652 // prepare a waveform pattern in the buffer based on the ID given then
653 // simulate a FSK tag until the button is pressed
654 // arg1 contains fcHigh and fcLow, arg2 contains invert and clock
655 void CmdFSKsimTAG(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
656 {
657 int ledcontrol=1;
658 int n=0, i=0;
659 uint8_t fcHigh = arg1 >> 8;
660 uint8_t fcLow = arg1 & 0xFF;
661 uint16_t modCnt = 0;
662 uint8_t clk = arg2 & 0xFF;
663 uint8_t invert = (arg2 >> 8) & 1;
664
665 // set LF so we don't kill the bigbuf we are setting with simulation data.
666 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
667
668 for (i=0; i<size; i++){
669 if (BitStream[i] == invert){
670 fcAll(fcLow, &n, clk, &modCnt);
671 } else {
672 fcAll(fcHigh, &n, clk, &modCnt);
673 }
674 }
675 Dbprintf("Simulating with fcHigh: %d, fcLow: %d, clk: %d, invert: %d, n: %d",fcHigh, fcLow, clk, invert, n);
676 /*Dbprintf("DEBUG: First 32:");
677 uint8_t *dest = BigBuf_get_addr();
678 i=0;
679 Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
680 i+=16;
681 Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
682 */
683 if (ledcontrol)
684 LED_A_ON();
685
686 SimulateTagLowFrequency(n, 0, ledcontrol);
687
688 if (ledcontrol)
689 LED_A_OFF();
690 }
691
692 // compose ask waveform for one bit(ASK)
693 static void askSimBit(uint8_t c, int *n, uint8_t clock, uint8_t manchester)
694 {
695 uint8_t *dest = BigBuf_get_addr();
696 uint8_t halfClk = clock/2;
697 // c = current bit 1 or 0
698 if (manchester==1){
699 memset(dest+(*n), c, halfClk);
700 memset(dest+(*n) + halfClk, c^1, halfClk);
701 } else {
702 memset(dest+(*n), c, clock);
703 }
704 *n += clock;
705 }
706
707 static void biphaseSimBit(uint8_t c, int *n, uint8_t clock, uint8_t *phase)
708 {
709 uint8_t *dest = BigBuf_get_addr();
710 uint8_t halfClk = clock/2;
711 if (c){
712 memset(dest+(*n), c ^ 1 ^ *phase, halfClk);
713 memset(dest+(*n) + halfClk, c ^ *phase, halfClk);
714 } else {
715 memset(dest+(*n), c ^ *phase, clock);
716 *phase ^= 1;
717 }
718 *n += clock;
719 }
720
721 static void stAskSimBit(int *n, uint8_t clock) {
722 uint8_t *dest = BigBuf_get_addr();
723 uint8_t halfClk = clock/2;
724 //ST = .5 high .5 low 1.5 high .5 low 1 high
725 memset(dest+(*n), 1, halfClk);
726 memset(dest+(*n) + halfClk, 0, halfClk);
727 memset(dest+(*n) + clock, 1, clock + halfClk);
728 memset(dest+(*n) + clock*2 + halfClk, 0, halfClk);
729 memset(dest+(*n) + clock*3, 1, clock);
730 *n += clock*4;
731 }
732
733 // args clock, ask/man or askraw, invert, transmission separator
734 void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
735 {
736 int ledcontrol = 1;
737 int n=0, i=0;
738 uint8_t clk = (arg1 >> 8) & 0xFF;
739 uint8_t encoding = arg1 & 0xFF;
740 uint8_t separator = arg2 & 1;
741 uint8_t invert = (arg2 >> 8) & 1;
742
743 // set LF so we don't kill the bigbuf we are setting with simulation data.
744 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
745
746 if (encoding==2){ //biphase
747 uint8_t phase=0;
748 for (i=0; i<size; i++){
749 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
750 }
751 if (phase==1) { //run a second set inverted to keep phase in check
752 for (i=0; i<size; i++){
753 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
754 }
755 }
756 } else { // ask/manchester || ask/raw
757 for (i=0; i<size; i++){
758 askSimBit(BitStream[i]^invert, &n, clk, encoding);
759 }
760 if (encoding==0 && BitStream[0]==BitStream[size-1]){ //run a second set inverted (for ask/raw || biphase phase)
761 for (i=0; i<size; i++){
762 askSimBit(BitStream[i]^invert^1, &n, clk, encoding);
763 }
764 }
765 }
766 if (separator==1 && encoding == 1)
767 stAskSimBit(&n, clk);
768 else if (separator==1)
769 Dbprintf("sorry but separator option not yet available");
770
771 Dbprintf("Simulating with clk: %d, invert: %d, encoding: %d, separator: %d, n: %d",clk, invert, encoding, separator, n);
772 //DEBUG
773 //Dbprintf("First 32:");
774 //uint8_t *dest = BigBuf_get_addr();
775 //i=0;
776 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
777 //i+=16;
778 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
779
780 if (ledcontrol) LED_A_ON();
781 SimulateTagLowFrequency(n, 0, ledcontrol);
782 if (ledcontrol) LED_A_OFF();
783 }
784
785 //carrier can be 2,4 or 8
786 static void pskSimBit(uint8_t waveLen, int *n, uint8_t clk, uint8_t *curPhase, bool phaseChg)
787 {
788 uint8_t *dest = BigBuf_get_addr();
789 uint8_t halfWave = waveLen/2;
790 //uint8_t idx;
791 int i = 0;
792 if (phaseChg){
793 // write phase change
794 memset(dest+(*n), *curPhase^1, halfWave);
795 memset(dest+(*n) + halfWave, *curPhase, halfWave);
796 *n += waveLen;
797 *curPhase ^= 1;
798 i += waveLen;
799 }
800 //write each normal clock wave for the clock duration
801 for (; i < clk; i+=waveLen){
802 memset(dest+(*n), *curPhase, halfWave);
803 memset(dest+(*n) + halfWave, *curPhase^1, halfWave);
804 *n += waveLen;
805 }
806 }
807
808 // args clock, carrier, invert,
809 void CmdPSKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
810 {
811 int ledcontrol=1;
812 int n=0, i=0;
813 uint8_t clk = arg1 >> 8;
814 uint8_t carrier = arg1 & 0xFF;
815 uint8_t invert = arg2 & 0xFF;
816 uint8_t curPhase = 0;
817 // set LF so we don't kill the bigbuf we are setting with simulation data.
818 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
819
820 for (i=0; i<size; i++){
821 if (BitStream[i] == curPhase){
822 pskSimBit(carrier, &n, clk, &curPhase, FALSE);
823 } else {
824 pskSimBit(carrier, &n, clk, &curPhase, TRUE);
825 }
826 }
827 Dbprintf("Simulating with Carrier: %d, clk: %d, invert: %d, n: %d",carrier, clk, invert, n);
828 //Dbprintf("DEBUG: First 32:");
829 //uint8_t *dest = BigBuf_get_addr();
830 //i=0;
831 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
832 //i+=16;
833 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
834
835 if (ledcontrol) LED_A_ON();
836 SimulateTagLowFrequency(n, 0, ledcontrol);
837 if (ledcontrol) LED_A_OFF();
838 }
839
840 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
841 void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
842 {
843 uint8_t *dest = BigBuf_get_addr();
844 //const size_t sizeOfBigBuff = BigBuf_max_traceLen();
845 size_t size;
846 uint32_t hi2=0, hi=0, lo=0;
847 int idx=0;
848 int dummyIdx = 0;
849 // Configure to go in 125Khz listen mode
850 LFSetupFPGAForADC(95, true);
851
852 //clear read buffer
853 BigBuf_Clear_keep_EM();
854
855 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
856
857 WDT_HIT();
858 if (ledcontrol) LED_A_ON();
859
860 DoAcquisition_default(-1,true);
861 // FSK demodulator
862 //size = sizeOfBigBuff; //variable size will change after demod so re initialize it before use
863 size = 50*128*2; //big enough to catch 2 sequences of largest format
864 idx = HIDdemodFSK(dest, &size, &hi2, &hi, &lo, &dummyIdx);
865
866 if (idx>0 && lo>0 && (size==96 || size==192)){
867 // go over previously decoded manchester data and decode into usable tag ID
868 if (hi2 != 0){ //extra large HID tags 88/192 bits
869 Dbprintf("TAG ID: %x%08x%08x (%d)",
870 (unsigned int) hi2, (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
871 }else { //standard HID tags 44/96 bits
872 //Dbprintf("TAG ID: %x%08x (%d)",(unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); //old print cmd
873 uint8_t bitlen = 0;
874 uint32_t fc = 0;
875 uint32_t cardnum = 0;
876 if (((hi>>5)&1) == 1){//if bit 38 is set then < 37 bit format is used
877 uint32_t lo2=0;
878 lo2=(((hi & 31) << 12) | (lo>>20)); //get bits 21-37 to check for format len bit
879 uint8_t idx3 = 1;
880 while(lo2 > 1){ //find last bit set to 1 (format len bit)
881 lo2=lo2 >> 1;
882 idx3++;
883 }
884 bitlen = idx3+19;
885 fc =0;
886 cardnum=0;
887 if(bitlen == 26){
888 cardnum = (lo>>1)&0xFFFF;
889 fc = (lo>>17)&0xFF;
890 }
891 if(bitlen == 37){
892 cardnum = (lo>>1)&0x7FFFF;
893 fc = ((hi&0xF)<<12)|(lo>>20);
894 }
895 if(bitlen == 34){
896 cardnum = (lo>>1)&0xFFFF;
897 fc= ((hi&1)<<15)|(lo>>17);
898 }
899 if(bitlen == 35){
900 cardnum = (lo>>1)&0xFFFFF;
901 fc = ((hi&1)<<11)|(lo>>21);
902 }
903 }
904 else { //if bit 38 is not set then 37 bit format is used
905 bitlen= 37;
906 fc =0;
907 cardnum=0;
908 if(bitlen==37){
909 cardnum = (lo>>1)&0x7FFFF;
910 fc = ((hi&0xF)<<12)|(lo>>20);
911 }
912 }
913 //Dbprintf("TAG ID: %x%08x (%d)",
914 // (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
915 Dbprintf("TAG ID: %x%08x (%d) - Format Len: %dbit - FC: %d - Card: %d",
916 (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF,
917 (unsigned int) bitlen, (unsigned int) fc, (unsigned int) cardnum);
918 }
919 if (findone){
920 if (ledcontrol) LED_A_OFF();
921 *high = hi;
922 *low = lo;
923 break;
924 }
925 // reset
926 }
927 hi2 = hi = lo = idx = 0;
928 WDT_HIT();
929 }
930
931 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
932 DbpString("Stopped");
933 if (ledcontrol) LED_A_OFF();
934 }
935
936 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
937 void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
938 {
939 uint8_t *dest = BigBuf_get_addr();
940 size_t size;
941 int idx=0, dummyIdx=0;
942 //clear read buffer
943 BigBuf_Clear_keep_EM();
944 // Configure to go in 125Khz listen mode
945 LFSetupFPGAForADC(95, true);
946
947 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
948
949 WDT_HIT();
950 if (ledcontrol) LED_A_ON();
951
952 DoAcquisition_default(-1,true);
953 // FSK demodulator
954 size = 50*128*2; //big enough to catch 2 sequences of largest format
955 idx = AWIDdemodFSK(dest, &size, &dummyIdx);
956
957 if (idx<=0 || size!=96) continue;
958 // Index map
959 // 0 10 20 30 40 50 60
960 // | | | | | | |
961 // 01234567 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 - to 96
962 // -----------------------------------------------------------------------------
963 // 00000001 000 1 110 1 101 1 011 1 101 1 010 0 000 1 000 1 010 0 001 0 110 1 100 0 000 1 000 1
964 // premable bbb o bbb o bbw o fff o fff o ffc o ccc o ccc o ccc o ccc o ccc o wxx o xxx o xxx o - to 96
965 // |---26 bit---| |-----117----||-------------142-------------|
966 // b = format bit len, o = odd parity of last 3 bits
967 // f = facility code, c = card number
968 // w = wiegand parity
969 // (26 bit format shown)
970
971 //get raw ID before removing parities
972 uint32_t rawLo = bytebits_to_byte(dest+idx+64,32);
973 uint32_t rawHi = bytebits_to_byte(dest+idx+32,32);
974 uint32_t rawHi2 = bytebits_to_byte(dest+idx,32);
975
976 size = removeParity(dest, idx+8, 4, 1, 88);
977 if (size != 66) continue;
978 // ok valid card found!
979
980 // Index map
981 // 0 10 20 30 40 50 60
982 // | | | | | | |
983 // 01234567 8 90123456 7890123456789012 3 456789012345678901234567890123456
984 // -----------------------------------------------------------------------------
985 // 00011010 1 01110101 0000000010001110 1 000000000000000000000000000000000
986 // bbbbbbbb w ffffffff cccccccccccccccc w xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
987 // |26 bit| |-117--| |-----142------|
988 // b = format bit len, o = odd parity of last 3 bits
989 // f = facility code, c = card number
990 // w = wiegand parity
991 // (26 bit format shown)
992
993 uint32_t fc = 0;
994 uint32_t cardnum = 0;
995 uint32_t code1 = 0;
996 uint32_t code2 = 0;
997 uint8_t fmtLen = bytebits_to_byte(dest,8);
998 if (fmtLen==26){
999 fc = bytebits_to_byte(dest+9, 8);
1000 cardnum = bytebits_to_byte(dest+17, 16);
1001 code1 = bytebits_to_byte(dest+8,fmtLen);
1002 Dbprintf("AWID Found - BitLength: %d, FC: %d, Card: %d - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, fc, cardnum, code1, rawHi2, rawHi, rawLo);
1003 } else {
1004 cardnum = bytebits_to_byte(dest+8+(fmtLen-17), 16);
1005 if (fmtLen>32){
1006 code1 = bytebits_to_byte(dest+8,fmtLen-32);
1007 code2 = bytebits_to_byte(dest+8+(fmtLen-32),32);
1008 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%d) - Wiegand: %x%08x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, code2, rawHi2, rawHi, rawLo);
1009 } else{
1010 code1 = bytebits_to_byte(dest+8,fmtLen);
1011 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%d) - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, rawHi2, rawHi, rawLo);
1012 }
1013 }
1014 if (findone){
1015 if (ledcontrol) LED_A_OFF();
1016 break;
1017 }
1018 // reset
1019 idx = 0;
1020 WDT_HIT();
1021 }
1022 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1023 DbpString("Stopped");
1024 if (ledcontrol) LED_A_OFF();
1025 }
1026
1027 void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol)
1028 {
1029 uint8_t *dest = BigBuf_get_addr();
1030
1031 size_t size=0, idx=0;
1032 int clk=0, invert=0, errCnt=0, maxErr=20;
1033 uint32_t hi=0;
1034 uint64_t lo=0;
1035 //clear read buffer
1036 BigBuf_Clear_keep_EM();
1037 // Configure to go in 125Khz listen mode
1038 LFSetupFPGAForADC(95, true);
1039
1040 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
1041
1042 WDT_HIT();
1043 if (ledcontrol) LED_A_ON();
1044
1045 DoAcquisition_default(-1,true);
1046 size = BigBuf_max_traceLen();
1047 //askdemod and manchester decode
1048 if (size > 16385) size = 16385; //big enough to catch 2 sequences of largest format
1049 errCnt = askdemod(dest, &size, &clk, &invert, maxErr, 0, 1);
1050 WDT_HIT();
1051
1052 if (errCnt<0) continue;
1053
1054 errCnt = Em410xDecode(dest, &size, &idx, &hi, &lo);
1055 if (errCnt){
1056 if (size>64){
1057 Dbprintf("EM XL TAG ID: %06x%08x%08x - (%05d_%03d_%08d)",
1058 hi,
1059 (uint32_t)(lo>>32),
1060 (uint32_t)lo,
1061 (uint32_t)(lo&0xFFFF),
1062 (uint32_t)((lo>>16LL) & 0xFF),
1063 (uint32_t)(lo & 0xFFFFFF));
1064 } else {
1065 Dbprintf("EM TAG ID: %02x%08x - (%05d_%03d_%08d)",
1066 (uint32_t)(lo>>32),
1067 (uint32_t)lo,
1068 (uint32_t)(lo&0xFFFF),
1069 (uint32_t)((lo>>16LL) & 0xFF),
1070 (uint32_t)(lo & 0xFFFFFF));
1071 }
1072
1073 if (findone){
1074 if (ledcontrol) LED_A_OFF();
1075 *high=lo>>32;
1076 *low=lo & 0xFFFFFFFF;
1077 break;
1078 }
1079 }
1080 WDT_HIT();
1081 hi = lo = size = idx = 0;
1082 clk = invert = errCnt = 0;
1083 }
1084 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1085 DbpString("Stopped");
1086 if (ledcontrol) LED_A_OFF();
1087 }
1088
1089 void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
1090 {
1091 uint8_t *dest = BigBuf_get_addr();
1092 int idx=0;
1093 uint32_t code=0, code2=0;
1094 uint8_t version=0;
1095 uint8_t facilitycode=0;
1096 uint16_t number=0;
1097 int dummyIdx=0;
1098 //clear read buffer
1099 BigBuf_Clear_keep_EM();
1100 // Configure to go in 125Khz listen mode
1101 LFSetupFPGAForADC(95, true);
1102
1103 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
1104 WDT_HIT();
1105 if (ledcontrol) LED_A_ON();
1106 DoAcquisition_default(-1,true);
1107 //fskdemod and get start index
1108 WDT_HIT();
1109 idx = IOdemodFSK(dest, BigBuf_max_traceLen(), &dummyIdx);
1110 if (idx<0) continue;
1111 //valid tag found
1112
1113 //Index map
1114 //0 10 20 30 40 50 60
1115 //| | | | | | |
1116 //01234567 8 90123456 7 89012345 6 78901234 5 67890123 4 56789012 3 45678901 23
1117 //-----------------------------------------------------------------------------
1118 //00000000 0 11110000 1 facility 1 version* 1 code*one 1 code*two 1 ???????? 11
1119 //
1120 //XSF(version)facility:codeone+codetwo
1121 //Handle the data
1122 if(findone){ //only print binary if we are doing one
1123 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx], dest[idx+1], dest[idx+2],dest[idx+3],dest[idx+4],dest[idx+5],dest[idx+6],dest[idx+7],dest[idx+8]);
1124 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+9], dest[idx+10],dest[idx+11],dest[idx+12],dest[idx+13],dest[idx+14],dest[idx+15],dest[idx+16],dest[idx+17]);
1125 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+18],dest[idx+19],dest[idx+20],dest[idx+21],dest[idx+22],dest[idx+23],dest[idx+24],dest[idx+25],dest[idx+26]);
1126 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+27],dest[idx+28],dest[idx+29],dest[idx+30],dest[idx+31],dest[idx+32],dest[idx+33],dest[idx+34],dest[idx+35]);
1127 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+36],dest[idx+37],dest[idx+38],dest[idx+39],dest[idx+40],dest[idx+41],dest[idx+42],dest[idx+43],dest[idx+44]);
1128 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+45],dest[idx+46],dest[idx+47],dest[idx+48],dest[idx+49],dest[idx+50],dest[idx+51],dest[idx+52],dest[idx+53]);
1129 Dbprintf("%d%d%d%d%d%d%d%d %d%d",dest[idx+54],dest[idx+55],dest[idx+56],dest[idx+57],dest[idx+58],dest[idx+59],dest[idx+60],dest[idx+61],dest[idx+62],dest[idx+63]);
1130 }
1131 code = bytebits_to_byte(dest+idx,32);
1132 code2 = bytebits_to_byte(dest+idx+32,32);
1133 version = bytebits_to_byte(dest+idx+27,8); //14,4
1134 facilitycode = bytebits_to_byte(dest+idx+18,8);
1135 number = (bytebits_to_byte(dest+idx+36,8)<<8)|(bytebits_to_byte(dest+idx+45,8)); //36,9
1136
1137 Dbprintf("XSF(%02d)%02x:%05d (%08x%08x)",version,facilitycode,number,code,code2);
1138 // if we're only looking for one tag
1139 if (findone){
1140 if (ledcontrol) LED_A_OFF();
1141 //LED_A_OFF();
1142 *high=code;
1143 *low=code2;
1144 break;
1145 }
1146 code=code2=0;
1147 version=facilitycode=0;
1148 number=0;
1149 idx=0;
1150
1151 WDT_HIT();
1152 }
1153 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1154 DbpString("Stopped");
1155 if (ledcontrol) LED_A_OFF();
1156 }
1157
1158 /*------------------------------
1159 * T5555/T5557/T5567/T5577 routines
1160 *------------------------------
1161 * NOTE: T55x7/T5555 configuration register definitions moved to protocols.h
1162 *
1163 * Relevant communication times in microsecond
1164 * To compensate antenna falling times shorten the write times
1165 * and enlarge the gap ones.
1166 * Q5 tags seems to have issues when these values changes.
1167 */
1168 #define START_GAP 31*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (or 15fc)
1169 #define WRITE_GAP 20*8 // was 160 // SPEC: 1*8 to 20*8 - typ 10*8 (or 10fc)
1170 #define WRITE_0 18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc)
1171 #define WRITE_1 50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc) 432 for T55x7; 448 for E5550
1172 #define READ_GAP 15*8
1173
1174 void TurnReadLFOn(int delay) {
1175 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
1176 // Give it a bit of time for the resonant antenna to settle.
1177 WaitUS(delay); //155*8 //50*8
1178 }
1179
1180 // Write one bit to card
1181 void T55xxWriteBit(int bit) {
1182 if (!bit)
1183 TurnReadLFOn(WRITE_0);
1184 else
1185 TurnReadLFOn(WRITE_1);
1186 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1187 WaitUS(WRITE_GAP);
1188 }
1189
1190 // Send T5577 reset command then read stream (see if we can identify the start of the stream)
1191 void T55xxResetRead(void) {
1192 LED_A_ON();
1193 //clear buffer now so it does not interfere with timing later
1194 BigBuf_Clear_keep_EM();
1195
1196 // Set up FPGA, 125kHz
1197 LFSetupFPGAForADC(95, true);
1198 StartTicks();
1199 // make sure tag is fully powered up...
1200 WaitMS(5);
1201
1202 // Trigger T55x7 in mode.
1203 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1204 WaitUS(START_GAP);
1205
1206 // reset tag - op code 00
1207 T55xxWriteBit(0);
1208 T55xxWriteBit(0);
1209
1210 TurnReadLFOn(READ_GAP);
1211
1212 // Acquisition
1213 DoPartialAcquisition(0, true, BigBuf_max_traceLen(), 0);
1214
1215 // Turn the field off
1216 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1217 cmd_send(CMD_ACK,0,0,0,0,0);
1218 LED_A_OFF();
1219 }
1220
1221 // Write one card block in page 0, no lock
1222 void T55xxWriteBlockExt(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
1223 LED_A_ON();
1224 bool PwdMode = arg & 0x1;
1225 uint8_t Page = (arg & 0x2)>>1;
1226 bool testMode = arg & 0x4;
1227 uint32_t i = 0;
1228
1229 // Set up FPGA, 125kHz
1230 LFSetupFPGAForADC(95, true);
1231 StartTicks();
1232 // make sure tag is fully powered up...
1233 WaitMS(5);
1234 // Trigger T55x7 in mode.
1235 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1236 WaitUS(START_GAP);
1237
1238 if (testMode) Dbprintf("TestMODE");
1239 // Std Opcode 10
1240 T55xxWriteBit(testMode ? 0 : 1);
1241 T55xxWriteBit(testMode ? 1 : Page); //Page 0
1242
1243 if (PwdMode) {
1244 // Send Pwd
1245 for (i = 0x80000000; i != 0; i >>= 1)
1246 T55xxWriteBit(Pwd & i);
1247 }
1248 // Send Lock bit
1249 T55xxWriteBit(0);
1250
1251 // Send Data
1252 for (i = 0x80000000; i != 0; i >>= 1)
1253 T55xxWriteBit(Data & i);
1254
1255 // Send Block number
1256 for (i = 0x04; i != 0; i >>= 1)
1257 T55xxWriteBit(Block & i);
1258
1259 // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
1260 // so wait a little more)
1261
1262 // "there is a clock delay before programming"
1263 // - programming takes ~5.6ms for t5577 ~18ms for E5550 or t5567
1264 // so we should wait 1 clock + 5.6ms then read response?
1265 // but we need to know we are dealing with t5577 vs t5567 vs e5550 (or q5) marshmellow...
1266 if (testMode) {
1267 //TESTMODE TIMING TESTS:
1268 // <566us does nothing
1269 // 566-568 switches between wiping to 0s and doing nothing
1270 // 5184 wipes and allows 1 block to be programmed.
1271 // indefinite power on wipes and then programs all blocks with bitshifted data sent.
1272 TurnReadLFOn(5184);
1273
1274 } else {
1275 TurnReadLFOn(20 * 1000);
1276 //could attempt to do a read to confirm write took
1277 // as the tag should repeat back the new block
1278 // until it is reset, but to confirm it we would
1279 // need to know the current block 0 config mode for
1280 // modulation clock an other details to demod the response...
1281 // response should be (for t55x7) a 0 bit then (ST if on)
1282 // block data written in on repeat until reset.
1283
1284 //DoPartialAcquisition(20, true, 12000);
1285 }
1286
1287 // turn field off
1288 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1289 LED_A_OFF();
1290 }
1291
1292 // Write one card block in page 0, no lock
1293 void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
1294 T55xxWriteBlockExt(Data, Block, Pwd, arg);
1295 cmd_send(CMD_ACK,0,0,0,0,0);
1296 }
1297
1298 // Read one card block in page [page]
1299 void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) {
1300 LED_A_ON();
1301 bool PwdMode = arg0 & 0x1;
1302 uint8_t Page = (arg0 & 0x2) >> 1;
1303 uint32_t i = 0;
1304 bool RegReadMode = (Block == 0xFF);//regular read mode
1305
1306 //clear buffer now so it does not interfere with timing later
1307 BigBuf_Clear_ext(false);
1308
1309 //make sure block is at max 7
1310 Block &= 0x7;
1311
1312 // Set up FPGA, 125kHz to power up the tag
1313 LFSetupFPGAForADC(95, true);
1314 StartTicks();
1315 // make sure tag is fully powered up...
1316 WaitMS(5);
1317 // Trigger T55x7 Direct Access Mode with start gap
1318 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1319 WaitUS(START_GAP);
1320
1321 // Opcode 1[page]
1322 T55xxWriteBit(1);
1323 T55xxWriteBit(Page); //Page 0
1324
1325 if (PwdMode){
1326 // Send Pwd
1327 for (i = 0x80000000; i != 0; i >>= 1)
1328 T55xxWriteBit(Pwd & i);
1329 }
1330 // Send a zero bit separation
1331 T55xxWriteBit(0);
1332
1333 // Send Block number (if direct access mode)
1334 if (!RegReadMode)
1335 for (i = 0x04; i != 0; i >>= 1)
1336 T55xxWriteBit(Block & i);
1337
1338 // Turn field on to read the response
1339 // 137*8 seems to get to the start of data pretty well...
1340 // but we want to go past the start and let the repeating data settle in...
1341 TurnReadLFOn(210*8);
1342
1343 // Acquisition
1344 // Now do the acquisition
1345 DoPartialAcquisition(0, true, 12000, 0);
1346
1347 // Turn the field off
1348 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1349 cmd_send(CMD_ACK,0,0,0,0,0);
1350 LED_A_OFF();
1351 }
1352
1353 void T55xxWakeUp(uint32_t Pwd){
1354 LED_B_ON();
1355 uint32_t i = 0;
1356
1357 // Set up FPGA, 125kHz
1358 LFSetupFPGAForADC(95, true);
1359 StartTicks();
1360 // make sure tag is fully powered up...
1361 WaitMS(5);
1362
1363 // Trigger T55x7 Direct Access Mode
1364 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1365 WaitUS(START_GAP);
1366
1367 // Opcode 10
1368 T55xxWriteBit(1);
1369 T55xxWriteBit(0); //Page 0
1370
1371 // Send Pwd
1372 for (i = 0x80000000; i != 0; i >>= 1)
1373 T55xxWriteBit(Pwd & i);
1374
1375 // Turn and leave field on to let the begin repeating transmission
1376 TurnReadLFOn(20*1000);
1377 }
1378
1379 /*-------------- Cloning routines -----------*/
1380
1381 void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
1382 // write last block first and config block last (if included)
1383 for (uint8_t i = numblocks+startblock; i > startblock; i--) {
1384 T55xxWriteBlockExt(blockdata[i-1],i-1,0,0);
1385 }
1386 }
1387
1388 // Copy HID id to card and setup block 0 config
1389 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) {
1390 uint32_t data[] = {0,0,0,0,0,0,0};
1391 uint8_t last_block = 0;
1392
1393 if (longFMT) {
1394 // Ensure no more than 84 bits supplied
1395 if (hi2>0xFFFFF) {
1396 DbpString("Tags can only have 84 bits.");
1397 return;
1398 }
1399 // Build the 6 data blocks for supplied 84bit ID
1400 last_block = 6;
1401 // load preamble (1D) & long format identifier (9E manchester encoded)
1402 data[1] = 0x1D96A900 | (manchesterEncode2Bytes((hi2 >> 16) & 0xF) & 0xFF);
1403 // load raw id from hi2, hi, lo to data blocks (manchester encoded)
1404 data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF);
1405 data[3] = manchesterEncode2Bytes(hi >> 16);
1406 data[4] = manchesterEncode2Bytes(hi & 0xFFFF);
1407 data[5] = manchesterEncode2Bytes(lo >> 16);
1408 data[6] = manchesterEncode2Bytes(lo & 0xFFFF);
1409 } else {
1410 // Ensure no more than 44 bits supplied
1411 if (hi>0xFFF) {
1412 DbpString("Tags can only have 44 bits.");
1413 return;
1414 }
1415 // Build the 3 data blocks for supplied 44bit ID
1416 last_block = 3;
1417 // load preamble
1418 data[1] = 0x1D000000 | (manchesterEncode2Bytes(hi) & 0xFFFFFF);
1419 data[2] = manchesterEncode2Bytes(lo >> 16);
1420 data[3] = manchesterEncode2Bytes(lo & 0xFFFF);
1421 }
1422 // load chip config block
1423 data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT;
1424
1425 //TODO add selection of chip for Q5 or T55x7
1426 // data[0] = (((50-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | last_block << T5555_MAXBLOCK_SHIFT;
1427
1428 LED_D_ON();
1429 // Program the data blocks for supplied ID
1430 // and the block 0 for HID format
1431 WriteT55xx(data, 0, last_block+1);
1432
1433 LED_D_OFF();
1434
1435 DbpString("DONE!");
1436 }
1437
1438 void CopyIOtoT55x7(uint32_t hi, uint32_t lo) {
1439 uint32_t data[] = {T55x7_BITRATE_RF_64 | T55x7_MODULATION_FSK2a | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
1440 //TODO add selection of chip for Q5 or T55x7
1441 // data[0] = (((64-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | 2 << T5555_MAXBLOCK_SHIFT;
1442
1443 LED_D_ON();
1444 // Program the data blocks for supplied ID
1445 // and the block 0 config
1446 WriteT55xx(data, 0, 3);
1447
1448 LED_D_OFF();
1449
1450 DbpString("DONE!");
1451 }
1452
1453 // Clone Indala 64-bit tag by UID to T55x7
1454 void CopyIndala64toT55x7(uint32_t hi, uint32_t lo) {
1455 //Program the 2 data blocks for supplied 64bit UID
1456 // and the Config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2)
1457 uint32_t data[] = { T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
1458 //TODO add selection of chip for Q5 or T55x7
1459 // data[0] = (((32-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 2 << T5555_MAXBLOCK_SHIFT;
1460
1461 WriteT55xx(data, 0, 3);
1462 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
1463 // T5567WriteBlock(0x603E1042,0);
1464 DbpString("DONE!");
1465 }
1466 // Clone Indala 224-bit tag by UID to T55x7
1467 void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7) {
1468 //Program the 7 data blocks for supplied 224bit UID
1469 uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7};
1470 // and the block 0 for Indala224 format
1471 //Config for Indala (RF/32;PSK2 with RF/2;Maxblock=7)
1472 data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK2 | (7 << T55x7_MAXBLOCK_SHIFT);
1473 //TODO add selection of chip for Q5 or T55x7
1474 // data[0] = (((32-2)>>1)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK2 | 7 << T5555_MAXBLOCK_SHIFT;
1475 WriteT55xx(data, 0, 8);
1476 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
1477 // T5567WriteBlock(0x603E10E2,0);
1478 DbpString("DONE!");
1479 }
1480 // clone viking tag to T55xx
1481 void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5) {
1482 uint32_t data[] = {T55x7_BITRATE_RF_32 | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT), block1, block2};
1483 if (Q5) data[0] = T5555_SET_BITRATE(32) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
1484 // Program the data blocks for supplied ID and the block 0 config
1485 WriteT55xx(data, 0, 3);
1486 LED_D_OFF();
1487 cmd_send(CMD_ACK,0,0,0,0,0);
1488 }
1489
1490 // Define 9bit header for EM410x tags
1491 #define EM410X_HEADER 0x1FF
1492 #define EM410X_ID_LENGTH 40
1493
1494 void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo) {
1495 int i, id_bit;
1496 uint64_t id = EM410X_HEADER;
1497 uint64_t rev_id = 0; // reversed ID
1498 int c_parity[4]; // column parity
1499 int r_parity = 0; // row parity
1500 uint32_t clock = 0;
1501
1502 // Reverse ID bits given as parameter (for simpler operations)
1503 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1504 if (i < 32) {
1505 rev_id = (rev_id << 1) | (id_lo & 1);
1506 id_lo >>= 1;
1507 } else {
1508 rev_id = (rev_id << 1) | (id_hi & 1);
1509 id_hi >>= 1;
1510 }
1511 }
1512
1513 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1514 id_bit = rev_id & 1;
1515
1516 if (i % 4 == 0) {
1517 // Don't write row parity bit at start of parsing
1518 if (i)
1519 id = (id << 1) | r_parity;
1520 // Start counting parity for new row
1521 r_parity = id_bit;
1522 } else {
1523 // Count row parity
1524 r_parity ^= id_bit;
1525 }
1526
1527 // First elements in column?
1528 if (i < 4)
1529 // Fill out first elements
1530 c_parity[i] = id_bit;
1531 else
1532 // Count column parity
1533 c_parity[i % 4] ^= id_bit;
1534
1535 // Insert ID bit
1536 id = (id << 1) | id_bit;
1537 rev_id >>= 1;
1538 }
1539
1540 // Insert parity bit of last row
1541 id = (id << 1) | r_parity;
1542
1543 // Fill out column parity at the end of tag
1544 for (i = 0; i < 4; ++i)
1545 id = (id << 1) | c_parity[i];
1546
1547 // Add stop bit
1548 id <<= 1;
1549
1550 Dbprintf("Started writing %s tag ...", card ? "T55x7":"T5555");
1551 LED_D_ON();
1552
1553 // Write EM410x ID
1554 uint32_t data[] = {0, (uint32_t)(id>>32), (uint32_t)(id & 0xFFFFFFFF)};
1555
1556 clock = (card & 0xFF00) >> 8;
1557 clock = (clock == 0) ? 64 : clock;
1558 Dbprintf("Clock rate: %d", clock);
1559 if (card & 0xFF) { //t55x7
1560 clock = GetT55xxClockBit(clock);
1561 if (clock == 0) {
1562 Dbprintf("Invalid clock rate: %d", clock);
1563 return;
1564 }
1565 data[0] = clock | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT);
1566 } else { //t5555 (Q5)
1567 data[0] = T5555_SET_BITRATE(clock) | T5555_MODULATION_MANCHESTER | (2 << T5555_MAXBLOCK_SHIFT);
1568 }
1569
1570 WriteT55xx(data, 0, 3);
1571
1572 LED_D_OFF();
1573 Dbprintf("Tag %s written with 0x%08x%08x\n", card ? "T55x7":"T5555",
1574 (uint32_t)(id >> 32), (uint32_t)id);
1575 }
1576
1577 //-----------------------------------
1578 // EM4469 / EM4305 routines
1579 //-----------------------------------
1580 #define FWD_CMD_LOGIN 0xC //including the even parity, binary mirrored
1581 #define FWD_CMD_WRITE 0xA
1582 #define FWD_CMD_READ 0x9
1583 #define FWD_CMD_DISABLE 0x5
1584
1585 uint8_t forwardLink_data[64]; //array of forwarded bits
1586 uint8_t * forward_ptr; //ptr for forward message preparation
1587 uint8_t fwd_bit_sz; //forwardlink bit counter
1588 uint8_t * fwd_write_ptr; //forwardlink bit pointer
1589
1590 //====================================================================
1591 // prepares command bits
1592 // see EM4469 spec
1593 //====================================================================
1594 //--------------------------------------------------------------------
1595 // VALUES TAKEN FROM EM4x function: SendForward
1596 // START_GAP = 440; (55*8) cycles at 125Khz (8us = 1cycle)
1597 // WRITE_GAP = 128; (16*8)
1598 // WRITE_1 = 256 32*8; (32*8)
1599
1600 // These timings work for 4469/4269/4305 (with the 55*8 above)
1601 // WRITE_0 = 23*8 , 9*8 SpinDelayUs(23*8);
1602
1603 uint8_t Prepare_Cmd( uint8_t cmd ) {
1604
1605 *forward_ptr++ = 0; //start bit
1606 *forward_ptr++ = 0; //second pause for 4050 code
1607
1608 *forward_ptr++ = cmd;
1609 cmd >>= 1;
1610 *forward_ptr++ = cmd;
1611 cmd >>= 1;
1612 *forward_ptr++ = cmd;
1613 cmd >>= 1;
1614 *forward_ptr++ = cmd;
1615
1616 return 6; //return number of emited bits
1617 }
1618
1619 //====================================================================
1620 // prepares address bits
1621 // see EM4469 spec
1622 //====================================================================
1623 uint8_t Prepare_Addr( uint8_t addr ) {
1624
1625 register uint8_t line_parity;
1626
1627 uint8_t i;
1628 line_parity = 0;
1629 for(i=0;i<6;i++) {
1630 *forward_ptr++ = addr;
1631 line_parity ^= addr;
1632 addr >>= 1;
1633 }
1634
1635 *forward_ptr++ = (line_parity & 1);
1636
1637 return 7; //return number of emited bits
1638 }
1639
1640 //====================================================================
1641 // prepares data bits intreleaved with parity bits
1642 // see EM4469 spec
1643 //====================================================================
1644 uint8_t Prepare_Data( uint16_t data_low, uint16_t data_hi) {
1645
1646 register uint8_t line_parity;
1647 register uint8_t column_parity;
1648 register uint8_t i, j;
1649 register uint16_t data;
1650
1651 data = data_low;
1652 column_parity = 0;
1653
1654 for(i=0; i<4; i++) {
1655 line_parity = 0;
1656 for(j=0; j<8; j++) {
1657 line_parity ^= data;
1658 column_parity ^= (data & 1) << j;
1659 *forward_ptr++ = data;
1660 data >>= 1;
1661 }
1662 *forward_ptr++ = line_parity;
1663 if(i == 1)
1664 data = data_hi;
1665 }
1666
1667 for(j=0; j<8; j++) {
1668 *forward_ptr++ = column_parity;
1669 column_parity >>= 1;
1670 }
1671 *forward_ptr = 0;
1672
1673 return 45; //return number of emited bits
1674 }
1675
1676 //====================================================================
1677 // Forward Link send function
1678 // Requires: forwarLink_data filled with valid bits (1 bit per byte)
1679 // fwd_bit_count set with number of bits to be sent
1680 //====================================================================
1681 void SendForward(uint8_t fwd_bit_count) {
1682
1683 fwd_write_ptr = forwardLink_data;
1684 fwd_bit_sz = fwd_bit_count;
1685
1686 // Set up FPGA, 125kHz or 95 divisor
1687 LFSetupFPGAForADC(95, true);
1688
1689 // force 1st mod pulse (start gap must be longer for 4305)
1690 fwd_bit_sz--; //prepare next bit modulation
1691 fwd_write_ptr++;
1692 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1693 WaitUS(55*8); //55 cycles off (8us each)for 4305 //another reader has 37 here...
1694 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
1695 WaitUS(18*8); //18 cycles on (8us each)
1696
1697 // now start writting
1698 while(fwd_bit_sz-- > 0) { //prepare next bit modulation
1699 if(((*fwd_write_ptr++) & 1) == 1)
1700 WaitUS(32*8); //32 cycles at 125Khz (8us each)
1701 else {
1702 //These timings work for 4469/4269/4305 (with the 55*8 above)
1703 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1704 WaitUS(23*8); //23 cycles off (8us each)
1705 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
1706 WaitUS(18*8); //18 cycles on (8us each)
1707 }
1708 }
1709 }
1710
1711 void EM4xLogin(uint32_t Password) {
1712
1713 uint8_t fwd_bit_count;
1714
1715 forward_ptr = forwardLink_data;
1716 fwd_bit_count = Prepare_Cmd( FWD_CMD_LOGIN );
1717 fwd_bit_count += Prepare_Data( Password&0xFFFF, Password>>16 );
1718
1719 SendForward(fwd_bit_count);
1720
1721 //Wait for command to complete
1722 SpinDelay(20);
1723 }
1724
1725 void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
1726
1727 uint8_t fwd_bit_count;
1728
1729 // Clear destination buffer before sending the command
1730 BigBuf_Clear_ext(false);
1731
1732 LED_A_ON();
1733 StartTicks();
1734 //If password mode do login
1735 if (PwdMode == 1) EM4xLogin(Pwd);
1736
1737 forward_ptr = forwardLink_data;
1738 fwd_bit_count = Prepare_Cmd( FWD_CMD_READ );
1739 fwd_bit_count += Prepare_Addr( Address );
1740
1741 SendForward(fwd_bit_count);
1742 WaitUS(400);
1743 // Now do the acquisition
1744 DoPartialAcquisition(20, true, 6000, 1000);
1745
1746 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1747 LED_A_OFF();
1748 cmd_send(CMD_ACK,0,0,0,0,0);
1749 }
1750
1751 void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) {
1752
1753 bool PwdMode = (flag & 0xF);
1754 uint8_t Address = (flag >> 8) & 0xFF;
1755 uint8_t fwd_bit_count;
1756
1757 //clear buffer now so it does not interfere with timing later
1758 BigBuf_Clear_ext(false);
1759
1760 LED_A_ON();
1761 StartTicks();
1762 //If password mode do login
1763 if (PwdMode) EM4xLogin(Pwd);
1764
1765 forward_ptr = forwardLink_data;
1766 fwd_bit_count = Prepare_Cmd( FWD_CMD_WRITE );
1767 fwd_bit_count += Prepare_Addr( Address );
1768 fwd_bit_count += Prepare_Data( Data&0xFFFF, Data>>16 );
1769
1770 SendForward(fwd_bit_count);
1771
1772 //Wait for write to complete
1773 //SpinDelay(10);
1774
1775 WaitUS(6500);
1776 //Capture response if one exists
1777 DoPartialAcquisition(20, true, 6000, 1000);
1778
1779 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1780 LED_A_OFF();
1781 cmd_send(CMD_ACK,0,0,0,0,0);
1782 }
1783 /*
1784 Reading a COTAG.
1785
1786 COTAG needs the reader to send a startsequence and the card has an extreme slow datarate.
1787 because of this, we can "sample" the data signal but we interpreate it to Manchester direct.
1788
1789 READER START SEQUENCE:
1790 burst 800 us, gap 2.2 msecs
1791 burst 3.6 msecs gap 2.2 msecs
1792 burst 800 us gap 2.2 msecs
1793 pulse 3.6 msecs
1794
1795 This triggers a COTAG tag to response
1796 */
1797 void Cotag(uint32_t arg0) {
1798
1799 #define OFF { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); WaitUS(2035); }
1800 #define ON(x) { FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); WaitUS((x)); }
1801
1802 uint8_t rawsignal = arg0 & 0xF;
1803
1804 LED_A_ON();
1805
1806 // Switching to LF image on FPGA. This might empty BigBuff
1807 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1808
1809 //clear buffer now so it does not interfere with timing later
1810 BigBuf_Clear_ext(false);
1811
1812 // Set up FPGA, 132kHz to power up the tag
1813 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 89);
1814 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
1815
1816 // Connect the A/D to the peak-detected low-frequency path.
1817 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1818
1819 // Now set up the SSC to get the ADC samples that are now streaming at us.
1820 FpgaSetupSsc();
1821
1822 // start clock - 1.5ticks is 1us
1823 StartTicks();
1824
1825 //send COTAG start pulse
1826 ON(740) OFF
1827 ON(3330) OFF
1828 ON(740) OFF
1829 ON(1000)
1830
1831 switch(rawsignal) {
1832 case 0: doCotagAcquisition(50000); break;
1833 case 1: doCotagAcquisitionManchester(); break;
1834 case 2: DoAcquisition_config(true, 0); break;
1835 }
1836
1837 // Turn the field off
1838 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1839 cmd_send(CMD_ACK,0,0,0,0,0);
1840 LED_A_OFF();
1841 }
Proxmark3 GIT tracking
Impressum, Datenschutz