1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, April 2006
3 // iZsh <izsh at fail0verflow.com>, 2014
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
8 //-----------------------------------------------------------------------------
9 // Routines to load the FPGA image, and then to configure the FPGA's major
10 // mode once it is configured.
11 //-----------------------------------------------------------------------------
12 #include "proxmark3.h"
17 // remember which version of the bitstream we have already downloaded to the FPGA
18 static int downloaded_bitstream
= FPGA_BITSTREAM_ERR
;
20 // this is where the bitstreams are located in memory:
21 extern uint8_t _binary_fpga_lf_bit_start
, _binary_fpga_lf_bit_end
;
22 extern uint8_t _binary_fpga_hf_bit_start
, _binary_fpga_hf_bit_end
;
23 static uint8_t *fpga_image_ptr
= NULL
;
25 static const uint8_t _bitparse_fixed_header
[] = {0x00, 0x09, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x00, 0x00, 0x01};
26 static const uint8_t _gzip_header
[] = {0x1f, 0x8b, 0x08}; // including compression method 0x08 (deflate)
27 #define GZIP_HEADER_SIZE sizeof(_gzip_header)
28 #define FPGA_BITSTREAM_FIXED_HEADER_SIZE sizeof(_bitparse_fixed_header)
30 //-----------------------------------------------------------------------------
31 // Set up the Serial Peripheral Interface as master
32 // Used to write the FPGA config word
33 // May also be used to write to other SPI attached devices like an LCD
34 //-----------------------------------------------------------------------------
35 void SetupSpi(int mode
)
37 // PA10 -> SPI_NCS2 chip select (LCD)
38 // PA11 -> SPI_NCS0 chip select (FPGA)
39 // PA12 -> SPI_MISO Master-In Slave-Out
40 // PA13 -> SPI_MOSI Master-Out Slave-In
41 // PA14 -> SPI_SPCK Serial Clock
43 // Disable PIO control of the following pins, allows use by the SPI peripheral
44 AT91C_BASE_PIOA
->PIO_PDR
=
51 AT91C_BASE_PIOA
->PIO_ASR
=
57 AT91C_BASE_PIOA
->PIO_BSR
= GPIO_NCS2
;
59 //enable the SPI Peripheral clock
60 AT91C_BASE_PMC
->PMC_PCER
= (1<<AT91C_ID_SPI
);
62 AT91C_BASE_SPI
->SPI_CR
= AT91C_SPI_SPIEN
;
66 AT91C_BASE_SPI
->SPI_MR
=
67 ( 0 << 24) | // Delay between chip selects (take default: 6 MCK periods)
68 (14 << 16) | // Peripheral Chip Select (selects FPGA SPI_NCS0 or PA11)
69 ( 0 << 7) | // Local Loopback Disabled
70 ( 1 << 4) | // Mode Fault Detection disabled
71 ( 0 << 2) | // Chip selects connected directly to peripheral
72 ( 0 << 1) | // Fixed Peripheral Select
73 ( 1 << 0); // Master Mode
74 AT91C_BASE_SPI
->SPI_CSR
[0] =
75 ( 1 << 24) | // Delay between Consecutive Transfers (32 MCK periods)
76 ( 1 << 16) | // Delay Before SPCK (1 MCK period)
77 ( 6 << 8) | // Serial Clock Baud Rate (baudrate = MCK/6 = 24Mhz/6 = 4M baud
78 ( 8 << 4) | // Bits per Transfer (16 bits)
79 ( 0 << 3) | // Chip Select inactive after transfer
80 ( 1 << 1) | // Clock Phase data captured on leading edge, changes on following edge
81 ( 0 << 0); // Clock Polarity inactive state is logic 0
84 AT91C_BASE_SPI
->SPI_MR
=
85 ( 0 << 24) | // Delay between chip selects (take default: 6 MCK periods)
86 (11 << 16) | // Peripheral Chip Select (selects LCD SPI_NCS2 or PA10)
87 ( 0 << 7) | // Local Loopback Disabled
88 ( 1 << 4) | // Mode Fault Detection disabled
89 ( 0 << 2) | // Chip selects connected directly to peripheral
90 ( 0 << 1) | // Fixed Peripheral Select
91 ( 1 << 0); // Master Mode
92 AT91C_BASE_SPI
->SPI_CSR
[2] =
93 ( 1 << 24) | // Delay between Consecutive Transfers (32 MCK periods)
94 ( 1 << 16) | // Delay Before SPCK (1 MCK period)
95 ( 6 << 8) | // Serial Clock Baud Rate (baudrate = MCK/6 = 24Mhz/6 = 4M baud
96 ( 1 << 4) | // Bits per Transfer (9 bits)
97 ( 0 << 3) | // Chip Select inactive after transfer
98 ( 1 << 1) | // Clock Phase data captured on leading edge, changes on following edge
99 ( 0 << 0); // Clock Polarity inactive state is logic 0
101 default: // Disable SPI
102 AT91C_BASE_SPI
->SPI_CR
= AT91C_SPI_SPIDIS
;
107 //-----------------------------------------------------------------------------
108 // Set up the synchronous serial port, with the one set of options that we
109 // always use when we are talking to the FPGA. Both RX and TX are enabled.
110 //-----------------------------------------------------------------------------
111 void FpgaSetupSsc(void)
113 // First configure the GPIOs, and get ourselves a clock.
114 AT91C_BASE_PIOA
->PIO_ASR
=
119 AT91C_BASE_PIOA
->PIO_PDR
= GPIO_SSC_DOUT
;
121 AT91C_BASE_PMC
->PMC_PCER
= (1 << AT91C_ID_SSC
);
123 // Now set up the SSC proper, starting from a known state.
124 AT91C_BASE_SSC
->SSC_CR
= AT91C_SSC_SWRST
;
126 // RX clock comes from TX clock, RX starts when TX starts, data changes
127 // on RX clock rising edge, sampled on falling edge
128 AT91C_BASE_SSC
->SSC_RCMR
= SSC_CLOCK_MODE_SELECT(1) | SSC_CLOCK_MODE_START(1);
130 // 8 bits per transfer, no loopback, MSB first, 1 transfer per sync
131 // pulse, no output sync
132 AT91C_BASE_SSC
->SSC_RFMR
= SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF
| SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
134 // clock comes from TK pin, no clock output, outputs change on falling
135 // edge of TK, sample on rising edge of TK, start on positive-going edge of sync
136 AT91C_BASE_SSC
->SSC_TCMR
= SSC_CLOCK_MODE_SELECT(2) | SSC_CLOCK_MODE_START(5);
138 // tx framing is the same as the rx framing
139 AT91C_BASE_SSC
->SSC_TFMR
= AT91C_BASE_SSC
->SSC_RFMR
;
141 AT91C_BASE_SSC
->SSC_CR
= AT91C_SSC_RXEN
| AT91C_SSC_TXEN
;
144 //-----------------------------------------------------------------------------
145 // Set up DMA to receive samples from the FPGA. We will use the PDC, with
146 // a single buffer as a circular buffer (so that we just chain back to
147 // ourselves, not to another buffer). The stuff to manipulate those buffers
148 // is in apps.h, because it should be inlined, for speed.
149 //-----------------------------------------------------------------------------
150 bool FpgaSetupSscDma(uint8_t *buf
, int len
)
156 AT91C_BASE_PDC_SSC
->PDC_PTCR
= AT91C_PDC_RXTDIS
; // Disable DMA Transfer
157 AT91C_BASE_PDC_SSC
->PDC_RPR
= (uint32_t) buf
; // transfer to this memory address
158 AT91C_BASE_PDC_SSC
->PDC_RCR
= len
; // transfer this many bytes
159 AT91C_BASE_PDC_SSC
->PDC_RNPR
= (uint32_t) buf
; // next transfer to same memory address
160 AT91C_BASE_PDC_SSC
->PDC_RNCR
= len
; // ... with same number of bytes
161 AT91C_BASE_PDC_SSC
->PDC_PTCR
= AT91C_PDC_RXTEN
; // go!
167 void reset_fpga_stream(uint8_t *image_start
)
169 fpga_image_ptr
= image_start
;
173 uint8_t get_from_fpga_stream(void)
175 return *fpga_image_ptr
++;
179 static void DownloadFPGA_byte(unsigned char w
)
181 #define SEND_BIT(x) { if(w & (1<<x) ) HIGH(GPIO_FPGA_DIN); else LOW(GPIO_FPGA_DIN); HIGH(GPIO_FPGA_CCLK); LOW(GPIO_FPGA_CCLK); }
192 // Download the fpga image starting at current stream position with length FpgaImageLen bytes
193 static void DownloadFPGA(int FpgaImageLen
)
197 AT91C_BASE_PIOA
->PIO_OER
= GPIO_FPGA_ON
;
198 AT91C_BASE_PIOA
->PIO_PER
= GPIO_FPGA_ON
;
199 HIGH(GPIO_FPGA_ON
); // ensure everything is powered on
205 // These pins are inputs
206 AT91C_BASE_PIOA
->PIO_ODR
=
209 // PIO controls the following pins
210 AT91C_BASE_PIOA
->PIO_PER
=
214 AT91C_BASE_PIOA
->PIO_PPUER
=
218 // setup initial logic state
219 HIGH(GPIO_FPGA_NPROGRAM
);
222 // These pins are outputs
223 AT91C_BASE_PIOA
->PIO_OER
=
228 // enter FPGA configuration mode
229 LOW(GPIO_FPGA_NPROGRAM
);
231 HIGH(GPIO_FPGA_NPROGRAM
);
234 // wait for FPGA ready to accept data signal
235 while ((i
) && ( !(AT91C_BASE_PIOA
->PIO_PDSR
& GPIO_FPGA_NINIT
) ) ) {
239 // crude error indicator, leave both red LEDs on and return
246 while(FpgaImageLen
-->0) {
247 DownloadFPGA_byte(get_from_fpga_stream());
250 // continue to clock FPGA until ready signal goes high
252 while ( (i
--) && ( !(AT91C_BASE_PIOA
->PIO_PDSR
& GPIO_FPGA_DONE
) ) ) {
253 HIGH(GPIO_FPGA_CCLK
);
256 // crude error indicator, leave both red LEDs on and return
266 /* Simple Xilinx .bit parser. The file starts with the fixed opaque byte sequence
267 * 00 09 0f f0 0f f0 0f f0 0f f0 00 00 01
268 * After that the format is 1 byte section type (ASCII character), 2 byte length
269 * (big endian), <length> bytes content. Except for section 'e' which has 4 bytes
272 int bitparse_find_section(char section_name
, unsigned int *section_length
)
275 #define MAX_FPGA_BIT_STREAM_HEADER_SEARCH 100 // maximum number of bytes to search for the requested section
276 uint16_t numbytes
= 0;
277 while(numbytes
< MAX_FPGA_BIT_STREAM_HEADER_SEARCH
) {
278 char current_name
= get_from_fpga_stream();
280 unsigned int current_length
= 0;
281 if(current_name
< 'a' || current_name
> 'e') {
282 /* Strange section name, abort */
286 switch(current_name
) {
288 /* Four byte length field */
289 current_length
+= get_from_fpga_stream() << 24;
290 current_length
+= get_from_fpga_stream() << 16;
292 default: /* Fall through, two byte length field */
293 current_length
+= get_from_fpga_stream() << 8;
294 current_length
+= get_from_fpga_stream() << 0;
298 if(current_name
!= 'e' && current_length
> 255) {
299 /* Maybe a parse error */
303 if(current_name
== section_name
) {
305 *section_length
= current_length
;
310 for (uint16_t i
= 0; i
< current_length
&& numbytes
< MAX_FPGA_BIT_STREAM_HEADER_SEARCH
; i
++) {
311 get_from_fpga_stream();
319 void init_fpga_inflate(void)
321 // initialize zlib for inflate
325 //-----------------------------------------------------------------------------
326 // Find out which FPGA image format is stored in flash, then call DownloadFPGA
327 // with the right parameters to download the image
328 //-----------------------------------------------------------------------------
329 void FpgaDownloadAndGo(int bitstream_version
)
331 uint8_t header
[FPGA_BITSTREAM_FIXED_HEADER_SIZE
];
333 // check whether or not the bitstream is already loaded
334 if (downloaded_bitstream
== bitstream_version
)
337 if (bitstream_version
== FPGA_BITSTREAM_LF
) {
338 reset_fpga_stream(&_binary_fpga_lf_bit_start
);
339 } else if (bitstream_version
== FPGA_BITSTREAM_HF
) {
340 reset_fpga_stream(&_binary_fpga_hf_bit_start
);
345 for (; i
< GZIP_HEADER_SIZE
; i
++) {
346 header
[i
] = get_from_fpga_stream();
349 // Check for compressed new flash image format (starts with gzip header)
350 if(memcmp(_gzip_header
, header
, GZIP_HEADER_SIZE
) == 0) {
354 for (; i
< FPGA_BITSTREAM_FIXED_HEADER_SIZE
; i
++) {
355 header
[i
] = get_from_fpga_stream();
358 // Check for the new flash image format: Should have the .bit file at &_binary_fpga_bit_start
359 if(memcmp(_bitparse_fixed_header
, header
, FPGA_BITSTREAM_FIXED_HEADER_SIZE
) == 0) {
360 unsigned int bitstream_length
;
361 if(bitparse_find_section('e', &bitstream_length
)) {
362 DownloadFPGA(bitstream_length
);
363 downloaded_bitstream
= bitstream_version
;
364 return; /* All done */
369 int FpgaGatherBitstreamVersion()
371 return downloaded_bitstream
;
374 void FpgaGatherVersion(int bitstream_version
, char *dst
, int len
)
376 unsigned int fpga_info_len
;
381 if (bitstream_version
== FPGA_BITSTREAM_LF
) {
382 reset_fpga_stream(&_binary_fpga_lf_bit_start
);
383 } else if (bitstream_version
== FPGA_BITSTREAM_HF
) {
384 reset_fpga_stream(&_binary_fpga_hf_bit_start
);
389 for (uint16_t i
= 0; i
< FPGA_BITSTREAM_FIXED_HEADER_SIZE
; i
++) {
390 get_from_fpga_stream();
393 if(bitparse_find_section('a', &fpga_info_len
)) {
394 for (uint16_t i
= 0; i
< fpga_info_len
; i
++) {
395 char c
= (char)get_from_fpga_stream();
396 if (i
< sizeof(tempstr
)) {
400 if (!memcmp("fpga_lf", tempstr
, 7))
401 strncat(dst
, "LF ", len
-1);
402 else if (!memcmp("fpga_hf", tempstr
, 7))
403 strncat(dst
, "HF ", len
-1);
405 strncat(dst
, "FPGA image built", len
-1);
406 if(bitparse_find_section('b', &fpga_info_len
)) {
407 strncat(dst
, " for ", len
-1);
408 for (uint16_t i
= 0; i
< fpga_info_len
; i
++) {
409 char c
= (char)get_from_fpga_stream();
410 if (i
< sizeof(tempstr
)) {
414 strncat(dst
, tempstr
, len
-1);
416 if(bitparse_find_section('c', &fpga_info_len
)) {
417 strncat(dst
, " on ", len
-1);
418 for (uint16_t i
= 0; i
< fpga_info_len
; i
++) {
419 char c
= (char)get_from_fpga_stream();
420 if (i
< sizeof(tempstr
)) {
424 strncat(dst
, tempstr
, len
-1);
426 if(bitparse_find_section('d', &fpga_info_len
)) {
427 strncat(dst
, " at ", len
-1);
428 for (uint16_t i
= 0; i
< fpga_info_len
; i
++) {
429 char c
= (char)get_from_fpga_stream();
430 if (i
< sizeof(tempstr
)) {
434 strncat(dst
, tempstr
, len
-1);
438 //-----------------------------------------------------------------------------
439 // Send a 16 bit command/data pair to the FPGA.
440 // The bit format is: C3 C2 C1 C0 D11 D10 D9 D8 D7 D6 D5 D4 D3 D2 D1 D0
441 // where C is the 4 bit command and D is the 12 bit data
442 //-----------------------------------------------------------------------------
443 void FpgaSendCommand(uint16_t cmd
, uint16_t v
)
445 SetupSpi(SPI_FPGA_MODE
);
446 while ((AT91C_BASE_SPI
->SPI_SR
& AT91C_SPI_TXEMPTY
) == 0); // wait for the transfer to complete
447 AT91C_BASE_SPI
->SPI_TDR
= AT91C_SPI_LASTXFER
| cmd
| v
; // send the data
449 //-----------------------------------------------------------------------------
450 // Write the FPGA setup word (that determines what mode the logic is in, read
451 // vs. clone vs. etc.). This is now a special case of FpgaSendCommand() to
452 // avoid changing this function's occurence everywhere in the source code.
453 //-----------------------------------------------------------------------------
454 void FpgaWriteConfWord(uint8_t v
)
456 FpgaSendCommand(FPGA_CMD_SET_CONFREG
, v
);
459 //-----------------------------------------------------------------------------
460 // Set up the CMOS switches that mux the ADC: four switches, independently
461 // closable, but should only close one at a time. Not an FPGA thing, but
462 // the samples from the ADC always flow through the FPGA.
463 //-----------------------------------------------------------------------------
464 void SetAdcMuxFor(uint32_t whichGpio
)
466 AT91C_BASE_PIOA
->PIO_OER
=
472 AT91C_BASE_PIOA
->PIO_PER
=
478 LOW(GPIO_MUXSEL_HIPKD
);
479 LOW(GPIO_MUXSEL_HIRAW
);
480 LOW(GPIO_MUXSEL_LORAW
);
481 LOW(GPIO_MUXSEL_LOPKD
);