]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/lfops.c
added nested authentication "not implemented" warning
[proxmark3-svn] / armsrc / lfops.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // Miscellaneous routines for low frequency tag operations.
7 // Tags supported here so far are Texas Instruments (TI), HID
8 // Also routines for raw mode reading/simulating of LF waveform
9 //-----------------------------------------------------------------------------
10
11 #include "proxmark3.h"
12 #include "apps.h"
13 #include "util.h"
14 #include "hitag2.h"
15 #include "crc16.h"
16 #include "string.h"
17 #include "lfdemod.h"
18 #include "lfsampling.h"
19 #include "protocols.h"
20 #include "usb_cdc.h" // for usb_poll_validate_length
21
22 /**
23 * Function to do a modulation and then get samples.
24 * @param delay_off
25 * @param period_0
26 * @param period_1
27 * @param command
28 */
29 void ModThenAcquireRawAdcSamples125k(uint32_t delay_off, uint32_t period_0, uint32_t period_1, uint8_t *command)
30 {
31
32 int divisor_used = 95; // 125 KHz
33 // see if 'h' was specified
34
35 if (command[strlen((char *) command) - 1] == 'h')
36 divisor_used = 88; // 134.8 KHz
37
38 sample_config sc = { 0,0,1, divisor_used, 0};
39 setSamplingConfig(&sc);
40 //clear read buffer
41 BigBuf_Clear_keep_EM();
42
43 /* Make sure the tag is reset */
44 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
45 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
46 SpinDelay(2500);
47
48 LFSetupFPGAForADC(sc.divisor, 1);
49
50 // And a little more time for the tag to fully power up
51 SpinDelay(2000);
52
53 // now modulate the reader field
54 while(*command != '\0' && *command != ' ') {
55 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
56 LED_D_OFF();
57 SpinDelayUs(delay_off);
58 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc.divisor);
59
60 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
61 LED_D_ON();
62 if(*(command++) == '0')
63 SpinDelayUs(period_0);
64 else
65 SpinDelayUs(period_1);
66 }
67 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
68 LED_D_OFF();
69 SpinDelayUs(delay_off);
70 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc.divisor);
71
72 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
73
74 // now do the read
75 DoAcquisition_config(false, 0);
76 }
77
78 /* blank r/w tag data stream
79 ...0000000000000000 01111111
80 1010101010101010101010101010101010101010101010101010101010101010
81 0011010010100001
82 01111111
83 101010101010101[0]000...
84
85 [5555fe852c5555555555555555fe0000]
86 */
87 void ReadTItag(void)
88 {
89 // some hardcoded initial params
90 // when we read a TI tag we sample the zerocross line at 2Mhz
91 // TI tags modulate a 1 as 16 cycles of 123.2Khz
92 // TI tags modulate a 0 as 16 cycles of 134.2Khz
93 #define FSAMPLE 2000000
94 #define FREQLO 123200
95 #define FREQHI 134200
96
97 signed char *dest = (signed char *)BigBuf_get_addr();
98 uint16_t n = BigBuf_max_traceLen();
99 // 128 bit shift register [shift3:shift2:shift1:shift0]
100 uint32_t shift3 = 0, shift2 = 0, shift1 = 0, shift0 = 0;
101
102 int i, cycles=0, samples=0;
103 // how many sample points fit in 16 cycles of each frequency
104 uint32_t sampleslo = (FSAMPLE<<4)/FREQLO, sampleshi = (FSAMPLE<<4)/FREQHI;
105 // when to tell if we're close enough to one freq or another
106 uint32_t threshold = (sampleslo - sampleshi + 1)>>1;
107
108 // TI tags charge at 134.2Khz
109 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
110 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
111
112 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
113 // connects to SSP_DIN and the SSP_DOUT logic level controls
114 // whether we're modulating the antenna (high)
115 // or listening to the antenna (low)
116 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
117
118 // get TI tag data into the buffer
119 AcquireTiType();
120
121 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
122
123 for (i=0; i<n-1; i++) {
124 // count cycles by looking for lo to hi zero crossings
125 if ( (dest[i]<0) && (dest[i+1]>0) ) {
126 cycles++;
127 // after 16 cycles, measure the frequency
128 if (cycles>15) {
129 cycles=0;
130 samples=i-samples; // number of samples in these 16 cycles
131
132 // TI bits are coming to us lsb first so shift them
133 // right through our 128 bit right shift register
134 shift0 = (shift0>>1) | (shift1 << 31);
135 shift1 = (shift1>>1) | (shift2 << 31);
136 shift2 = (shift2>>1) | (shift3 << 31);
137 shift3 >>= 1;
138
139 // check if the cycles fall close to the number
140 // expected for either the low or high frequency
141 if ( (samples>(sampleslo-threshold)) && (samples<(sampleslo+threshold)) ) {
142 // low frequency represents a 1
143 shift3 |= (1<<31);
144 } else if ( (samples>(sampleshi-threshold)) && (samples<(sampleshi+threshold)) ) {
145 // high frequency represents a 0
146 } else {
147 // probably detected a gay waveform or noise
148 // use this as gaydar or discard shift register and start again
149 shift3 = shift2 = shift1 = shift0 = 0;
150 }
151 samples = i;
152
153 // for each bit we receive, test if we've detected a valid tag
154
155 // if we see 17 zeroes followed by 6 ones, we might have a tag
156 // remember the bits are backwards
157 if ( ((shift0 & 0x7fffff) == 0x7e0000) ) {
158 // if start and end bytes match, we have a tag so break out of the loop
159 if ( ((shift0>>16)&0xff) == ((shift3>>8)&0xff) ) {
160 cycles = 0xF0B; //use this as a flag (ugly but whatever)
161 break;
162 }
163 }
164 }
165 }
166 }
167
168 // if flag is set we have a tag
169 if (cycles!=0xF0B) {
170 DbpString("Info: No valid tag detected.");
171 } else {
172 // put 64 bit data into shift1 and shift0
173 shift0 = (shift0>>24) | (shift1 << 8);
174 shift1 = (shift1>>24) | (shift2 << 8);
175
176 // align 16 bit crc into lower half of shift2
177 shift2 = ((shift2>>24) | (shift3 << 8)) & 0x0ffff;
178
179 // if r/w tag, check ident match
180 if (shift3 & (1<<15) ) {
181 DbpString("Info: TI tag is rewriteable");
182 // only 15 bits compare, last bit of ident is not valid
183 if (((shift3 >> 16) ^ shift0) & 0x7fff ) {
184 DbpString("Error: Ident mismatch!");
185 } else {
186 DbpString("Info: TI tag ident is valid");
187 }
188 } else {
189 DbpString("Info: TI tag is readonly");
190 }
191
192 // WARNING the order of the bytes in which we calc crc below needs checking
193 // i'm 99% sure the crc algorithm is correct, but it may need to eat the
194 // bytes in reverse or something
195 // calculate CRC
196 uint32_t crc=0;
197
198 crc = update_crc16(crc, (shift0)&0xff);
199 crc = update_crc16(crc, (shift0>>8)&0xff);
200 crc = update_crc16(crc, (shift0>>16)&0xff);
201 crc = update_crc16(crc, (shift0>>24)&0xff);
202 crc = update_crc16(crc, (shift1)&0xff);
203 crc = update_crc16(crc, (shift1>>8)&0xff);
204 crc = update_crc16(crc, (shift1>>16)&0xff);
205 crc = update_crc16(crc, (shift1>>24)&0xff);
206
207 Dbprintf("Info: Tag data: %x%08x, crc=%x",
208 (unsigned int)shift1, (unsigned int)shift0, (unsigned int)shift2 & 0xFFFF);
209 if (crc != (shift2&0xffff)) {
210 Dbprintf("Error: CRC mismatch, expected %x", (unsigned int)crc);
211 } else {
212 DbpString("Info: CRC is good");
213 }
214 }
215 }
216
217 void WriteTIbyte(uint8_t b)
218 {
219 int i = 0;
220
221 // modulate 8 bits out to the antenna
222 for (i=0; i<8; i++)
223 {
224 if (b&(1<<i)) {
225 // stop modulating antenna
226 LOW(GPIO_SSC_DOUT);
227 SpinDelayUs(1000);
228 // modulate antenna
229 HIGH(GPIO_SSC_DOUT);
230 SpinDelayUs(1000);
231 } else {
232 // stop modulating antenna
233 LOW(GPIO_SSC_DOUT);
234 SpinDelayUs(300);
235 // modulate antenna
236 HIGH(GPIO_SSC_DOUT);
237 SpinDelayUs(1700);
238 }
239 }
240 }
241
242 void AcquireTiType(void)
243 {
244 int i, j, n;
245 // tag transmission is <20ms, sampling at 2M gives us 40K samples max
246 // each sample is 1 bit stuffed into a uint32_t so we need 1250 uint32_t
247 #define TIBUFLEN 1250
248
249 // clear buffer
250 uint32_t *BigBuf = (uint32_t *)BigBuf_get_addr();
251 BigBuf_Clear_ext(false);
252
253 // Set up the synchronous serial port
254 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DIN;
255 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN;
256
257 // steal this pin from the SSP and use it to control the modulation
258 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
259 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
260
261 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
262 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_RXEN | AT91C_SSC_TXEN;
263
264 // Sample at 2 Mbit/s, so TI tags are 16.2 vs. 14.9 clocks long
265 // 48/2 = 24 MHz clock must be divided by 12
266 AT91C_BASE_SSC->SSC_CMR = 12;
267
268 AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(0);
269 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(32) | AT91C_SSC_MSBF;
270 AT91C_BASE_SSC->SSC_TCMR = 0;
271 AT91C_BASE_SSC->SSC_TFMR = 0;
272
273 LED_D_ON();
274
275 // modulate antenna
276 HIGH(GPIO_SSC_DOUT);
277
278 // Charge TI tag for 50ms.
279 SpinDelay(50);
280
281 // stop modulating antenna and listen
282 LOW(GPIO_SSC_DOUT);
283
284 LED_D_OFF();
285
286 i = 0;
287 for(;;) {
288 if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
289 BigBuf[i] = AT91C_BASE_SSC->SSC_RHR; // store 32 bit values in buffer
290 i++; if(i >= TIBUFLEN) break;
291 }
292 WDT_HIT();
293 }
294
295 // return stolen pin to SSP
296 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;
297 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN | GPIO_SSC_DOUT;
298
299 char *dest = (char *)BigBuf_get_addr();
300 n = TIBUFLEN*32;
301 // unpack buffer
302 for (i=TIBUFLEN-1; i>=0; i--) {
303 for (j=0; j<32; j++) {
304 if(BigBuf[i] & (1 << j)) {
305 dest[--n] = 1;
306 } else {
307 dest[--n] = -1;
308 }
309 }
310 }
311 }
312
313 // arguments: 64bit data split into 32bit idhi:idlo and optional 16bit crc
314 // if crc provided, it will be written with the data verbatim (even if bogus)
315 // if not provided a valid crc will be computed from the data and written.
316 void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc)
317 {
318 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
319 if(crc == 0) {
320 crc = update_crc16(crc, (idlo)&0xff);
321 crc = update_crc16(crc, (idlo>>8)&0xff);
322 crc = update_crc16(crc, (idlo>>16)&0xff);
323 crc = update_crc16(crc, (idlo>>24)&0xff);
324 crc = update_crc16(crc, (idhi)&0xff);
325 crc = update_crc16(crc, (idhi>>8)&0xff);
326 crc = update_crc16(crc, (idhi>>16)&0xff);
327 crc = update_crc16(crc, (idhi>>24)&0xff);
328 }
329 Dbprintf("Writing to tag: %x%08x, crc=%x",
330 (unsigned int) idhi, (unsigned int) idlo, crc);
331
332 // TI tags charge at 134.2Khz
333 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
334 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
335 // connects to SSP_DIN and the SSP_DOUT logic level controls
336 // whether we're modulating the antenna (high)
337 // or listening to the antenna (low)
338 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
339 LED_A_ON();
340
341 // steal this pin from the SSP and use it to control the modulation
342 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
343 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
344
345 // writing algorithm:
346 // a high bit consists of a field off for 1ms and field on for 1ms
347 // a low bit consists of a field off for 0.3ms and field on for 1.7ms
348 // initiate a charge time of 50ms (field on) then immediately start writing bits
349 // start by writing 0xBB (keyword) and 0xEB (password)
350 // then write 80 bits of data (or 64 bit data + 16 bit crc if you prefer)
351 // finally end with 0x0300 (write frame)
352 // all data is sent lsb firts
353 // finish with 15ms programming time
354
355 // modulate antenna
356 HIGH(GPIO_SSC_DOUT);
357 SpinDelay(50); // charge time
358
359 WriteTIbyte(0xbb); // keyword
360 WriteTIbyte(0xeb); // password
361 WriteTIbyte( (idlo )&0xff );
362 WriteTIbyte( (idlo>>8 )&0xff );
363 WriteTIbyte( (idlo>>16)&0xff );
364 WriteTIbyte( (idlo>>24)&0xff );
365 WriteTIbyte( (idhi )&0xff );
366 WriteTIbyte( (idhi>>8 )&0xff );
367 WriteTIbyte( (idhi>>16)&0xff );
368 WriteTIbyte( (idhi>>24)&0xff ); // data hi to lo
369 WriteTIbyte( (crc )&0xff ); // crc lo
370 WriteTIbyte( (crc>>8 )&0xff ); // crc hi
371 WriteTIbyte(0x00); // write frame lo
372 WriteTIbyte(0x03); // write frame hi
373 HIGH(GPIO_SSC_DOUT);
374 SpinDelay(50); // programming time
375
376 LED_A_OFF();
377
378 // get TI tag data into the buffer
379 AcquireTiType();
380
381 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
382 DbpString("Now use `lf ti read` to check");
383 }
384
385 void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
386 {
387 int i;
388 uint8_t *tab = BigBuf_get_addr();
389
390 //note FpgaDownloadAndGo destroys the bigbuf so be sure this is called before now...
391 //FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
392 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
393
394 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK;
395
396 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
397 AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK;
398
399 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
400 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
401
402 i = 0;
403 for(;;) {
404 //wait until SSC_CLK goes HIGH
405 int ii = 0;
406 while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {
407 //only check every 1000th time (usb_poll_validate_length on some systems was too slow)
408 if ( ii == 1000 ) {
409 if (BUTTON_PRESS() || usb_poll_validate_length() ) {
410 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
411 DbpString("Stopped");
412 return;
413 }
414 ii=0;
415 }
416 WDT_HIT();
417 ii++;
418 }
419 if (ledcontrol)
420 LED_D_ON();
421
422 if(tab[i])
423 OPEN_COIL();
424 else
425 SHORT_COIL();
426
427 if (ledcontrol)
428 LED_D_OFF();
429 ii=0;
430 //wait until SSC_CLK goes LOW
431 while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) {
432 //only check every 1000th time (usb_poll_validate_length on some systems was too slow)
433 if ( ii == 1000 ) {
434 if (BUTTON_PRESS() || usb_poll_validate_length() ) {
435 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
436 DbpString("Stopped");
437 return;
438 }
439 ii=0;
440 }
441 WDT_HIT();
442 ii++;
443 }
444
445 i++;
446 if(i == period) {
447
448 i = 0;
449 if (gap) {
450 SHORT_COIL();
451 SpinDelayUs(gap);
452 }
453 }
454
455 }
456 }
457
458 #define DEBUG_FRAME_CONTENTS 1
459 void SimulateTagLowFrequencyBidir(int divisor, int t0)
460 {
461 }
462
463 // compose fc/8 fc/10 waveform (FSK2)
464 static void fc(int c, int *n)
465 {
466 uint8_t *dest = BigBuf_get_addr();
467 int idx;
468
469 // for when we want an fc8 pattern every 4 logical bits
470 if(c==0) {
471 dest[((*n)++)]=1;
472 dest[((*n)++)]=1;
473 dest[((*n)++)]=1;
474 dest[((*n)++)]=1;
475 dest[((*n)++)]=0;
476 dest[((*n)++)]=0;
477 dest[((*n)++)]=0;
478 dest[((*n)++)]=0;
479 }
480
481 // an fc/8 encoded bit is a bit pattern of 11110000 x6 = 48 samples
482 if(c==8) {
483 for (idx=0; idx<6; idx++) {
484 dest[((*n)++)]=1;
485 dest[((*n)++)]=1;
486 dest[((*n)++)]=1;
487 dest[((*n)++)]=1;
488 dest[((*n)++)]=0;
489 dest[((*n)++)]=0;
490 dest[((*n)++)]=0;
491 dest[((*n)++)]=0;
492 }
493 }
494
495 // an fc/10 encoded bit is a bit pattern of 1111100000 x5 = 50 samples
496 if(c==10) {
497 for (idx=0; idx<5; idx++) {
498 dest[((*n)++)]=1;
499 dest[((*n)++)]=1;
500 dest[((*n)++)]=1;
501 dest[((*n)++)]=1;
502 dest[((*n)++)]=1;
503 dest[((*n)++)]=0;
504 dest[((*n)++)]=0;
505 dest[((*n)++)]=0;
506 dest[((*n)++)]=0;
507 dest[((*n)++)]=0;
508 }
509 }
510 }
511 // compose fc/X fc/Y waveform (FSKx)
512 static void fcAll(uint8_t fc, int *n, uint8_t clock, uint16_t *modCnt)
513 {
514 uint8_t *dest = BigBuf_get_addr();
515 uint8_t halfFC = fc/2;
516 uint8_t wavesPerClock = clock/fc;
517 uint8_t mod = clock % fc; //modifier
518 uint8_t modAdj = fc/mod; //how often to apply modifier
519 bool modAdjOk = !(fc % mod); //if (fc % mod==0) modAdjOk=TRUE;
520 // loop through clock - step field clock
521 for (uint8_t idx=0; idx < wavesPerClock; idx++){
522 // put 1/2 FC length 1's and 1/2 0's per field clock wave (to create the wave)
523 memset(dest+(*n), 0, fc-halfFC); //in case of odd number use extra here
524 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
525 *n += fc;
526 }
527 if (mod>0) (*modCnt)++;
528 if ((mod>0) && modAdjOk){ //fsk2
529 if ((*modCnt % modAdj) == 0){ //if 4th 8 length wave in a rf/50 add extra 8 length wave
530 memset(dest+(*n), 0, fc-halfFC);
531 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
532 *n += fc;
533 }
534 }
535 if (mod>0 && !modAdjOk){ //fsk1
536 memset(dest+(*n), 0, mod-(mod/2));
537 memset(dest+(*n)+(mod-(mod/2)), 1, mod/2);
538 *n += mod;
539 }
540 }
541
542 // prepare a waveform pattern in the buffer based on the ID given then
543 // simulate a HID tag until the button is pressed
544 void CmdHIDsimTAG(int hi, int lo, int ledcontrol)
545 {
546 int n=0, i=0;
547 /*
548 HID tag bitstream format
549 The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits
550 A 1 bit is represented as 6 fc8 and 5 fc10 patterns
551 A 0 bit is represented as 5 fc10 and 6 fc8 patterns
552 A fc8 is inserted before every 4 bits
553 A special start of frame pattern is used consisting a0b0 where a and b are neither 0
554 nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10)
555 */
556
557 if (hi>0xFFF) {
558 DbpString("Tags can only have 44 bits. - USE lf simfsk for larger tags");
559 return;
560 }
561 // set LF so we don't kill the bigbuf we are setting with simulation data.
562 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
563
564 fc(0,&n);
565 // special start of frame marker containing invalid bit sequences
566 fc(8, &n); fc(8, &n); // invalid
567 fc(8, &n); fc(10, &n); // logical 0
568 fc(10, &n); fc(10, &n); // invalid
569 fc(8, &n); fc(10, &n); // logical 0
570
571 WDT_HIT();
572 // manchester encode bits 43 to 32
573 for (i=11; i>=0; i--) {
574 if ((i%4)==3) fc(0,&n);
575 if ((hi>>i)&1) {
576 fc(10, &n); fc(8, &n); // low-high transition
577 } else {
578 fc(8, &n); fc(10, &n); // high-low transition
579 }
580 }
581
582 WDT_HIT();
583 // manchester encode bits 31 to 0
584 for (i=31; i>=0; i--) {
585 if ((i%4)==3) fc(0,&n);
586 if ((lo>>i)&1) {
587 fc(10, &n); fc(8, &n); // low-high transition
588 } else {
589 fc(8, &n); fc(10, &n); // high-low transition
590 }
591 }
592
593 if (ledcontrol)
594 LED_A_ON();
595 SimulateTagLowFrequency(n, 0, ledcontrol);
596
597 if (ledcontrol)
598 LED_A_OFF();
599 }
600
601 // prepare a waveform pattern in the buffer based on the ID given then
602 // simulate a FSK tag until the button is pressed
603 // arg1 contains fcHigh and fcLow, arg2 contains invert and clock
604 void CmdFSKsimTAG(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
605 {
606 int ledcontrol=1;
607 int n=0, i=0;
608 uint8_t fcHigh = arg1 >> 8;
609 uint8_t fcLow = arg1 & 0xFF;
610 uint16_t modCnt = 0;
611 uint8_t clk = arg2 & 0xFF;
612 uint8_t invert = (arg2 >> 8) & 1;
613
614 // set LF so we don't kill the bigbuf we are setting with simulation data.
615 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
616
617 for (i=0; i<size; i++){
618 if (BitStream[i] == invert){
619 fcAll(fcLow, &n, clk, &modCnt);
620 } else {
621 fcAll(fcHigh, &n, clk, &modCnt);
622 }
623 }
624 Dbprintf("Simulating with fcHigh: %d, fcLow: %d, clk: %d, invert: %d, n: %d",fcHigh, fcLow, clk, invert, n);
625 /*Dbprintf("DEBUG: First 32:");
626 uint8_t *dest = BigBuf_get_addr();
627 i=0;
628 Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
629 i+=16;
630 Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
631 */
632 if (ledcontrol)
633 LED_A_ON();
634
635 SimulateTagLowFrequency(n, 0, ledcontrol);
636
637 if (ledcontrol)
638 LED_A_OFF();
639 }
640
641 // compose ask waveform for one bit(ASK)
642 static void askSimBit(uint8_t c, int *n, uint8_t clock, uint8_t manchester)
643 {
644 uint8_t *dest = BigBuf_get_addr();
645 uint8_t halfClk = clock/2;
646 // c = current bit 1 or 0
647 if (manchester==1){
648 memset(dest+(*n), c, halfClk);
649 memset(dest+(*n) + halfClk, c^1, halfClk);
650 } else {
651 memset(dest+(*n), c, clock);
652 }
653 *n += clock;
654 }
655
656 static void biphaseSimBit(uint8_t c, int *n, uint8_t clock, uint8_t *phase)
657 {
658 uint8_t *dest = BigBuf_get_addr();
659 uint8_t halfClk = clock/2;
660 if (c){
661 memset(dest+(*n), c ^ 1 ^ *phase, halfClk);
662 memset(dest+(*n) + halfClk, c ^ *phase, halfClk);
663 } else {
664 memset(dest+(*n), c ^ *phase, clock);
665 *phase ^= 1;
666 }
667 *n += clock;
668 }
669
670 static void stAskSimBit(int *n, uint8_t clock) {
671 uint8_t *dest = BigBuf_get_addr();
672 uint8_t halfClk = clock/2;
673 //ST = .5 high .5 low 1.5 high .5 low 1 high
674 memset(dest+(*n), 1, halfClk);
675 memset(dest+(*n) + halfClk, 0, halfClk);
676 memset(dest+(*n) + clock, 1, clock + halfClk);
677 memset(dest+(*n) + clock*2 + halfClk, 0, halfClk);
678 memset(dest+(*n) + clock*3, 1, clock);
679 *n += clock*4;
680 }
681
682 // args clock, ask/man or askraw, invert, transmission separator
683 void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
684 {
685 int ledcontrol = 1;
686 int n=0, i=0;
687 uint8_t clk = (arg1 >> 8) & 0xFF;
688 uint8_t encoding = arg1 & 0xFF;
689 uint8_t separator = arg2 & 1;
690 uint8_t invert = (arg2 >> 8) & 1;
691
692 // set LF so we don't kill the bigbuf we are setting with simulation data.
693 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
694
695 if (encoding==2){ //biphase
696 uint8_t phase=0;
697 for (i=0; i<size; i++){
698 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
699 }
700 if (phase==1) { //run a second set inverted to keep phase in check
701 for (i=0; i<size; i++){
702 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
703 }
704 }
705 } else { // ask/manchester || ask/raw
706 for (i=0; i<size; i++){
707 askSimBit(BitStream[i]^invert, &n, clk, encoding);
708 }
709 if (encoding==0 && BitStream[0]==BitStream[size-1]){ //run a second set inverted (for ask/raw || biphase phase)
710 for (i=0; i<size; i++){
711 askSimBit(BitStream[i]^invert^1, &n, clk, encoding);
712 }
713 }
714 }
715 if (separator==1 && encoding == 1)
716 stAskSimBit(&n, clk);
717 else if (separator==1)
718 Dbprintf("sorry but separator option not yet available");
719
720 Dbprintf("Simulating with clk: %d, invert: %d, encoding: %d, separator: %d, n: %d",clk, invert, encoding, separator, n);
721 //DEBUG
722 //Dbprintf("First 32:");
723 //uint8_t *dest = BigBuf_get_addr();
724 //i=0;
725 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
726 //i+=16;
727 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
728
729 if (ledcontrol) LED_A_ON();
730 SimulateTagLowFrequency(n, 0, ledcontrol);
731 if (ledcontrol) LED_A_OFF();
732 }
733
734 //carrier can be 2,4 or 8
735 static void pskSimBit(uint8_t waveLen, int *n, uint8_t clk, uint8_t *curPhase, bool phaseChg)
736 {
737 uint8_t *dest = BigBuf_get_addr();
738 uint8_t halfWave = waveLen/2;
739 //uint8_t idx;
740 int i = 0;
741 if (phaseChg){
742 // write phase change
743 memset(dest+(*n), *curPhase^1, halfWave);
744 memset(dest+(*n) + halfWave, *curPhase, halfWave);
745 *n += waveLen;
746 *curPhase ^= 1;
747 i += waveLen;
748 }
749 //write each normal clock wave for the clock duration
750 for (; i < clk; i+=waveLen){
751 memset(dest+(*n), *curPhase, halfWave);
752 memset(dest+(*n) + halfWave, *curPhase^1, halfWave);
753 *n += waveLen;
754 }
755 }
756
757 // args clock, carrier, invert,
758 void CmdPSKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
759 {
760 int ledcontrol=1;
761 int n=0, i=0;
762 uint8_t clk = arg1 >> 8;
763 uint8_t carrier = arg1 & 0xFF;
764 uint8_t invert = arg2 & 0xFF;
765 uint8_t curPhase = 0;
766 // set LF so we don't kill the bigbuf we are setting with simulation data.
767 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
768
769 for (i=0; i<size; i++){
770 if (BitStream[i] == curPhase){
771 pskSimBit(carrier, &n, clk, &curPhase, FALSE);
772 } else {
773 pskSimBit(carrier, &n, clk, &curPhase, TRUE);
774 }
775 }
776 Dbprintf("Simulating with Carrier: %d, clk: %d, invert: %d, n: %d",carrier, clk, invert, n);
777 //Dbprintf("DEBUG: First 32:");
778 //uint8_t *dest = BigBuf_get_addr();
779 //i=0;
780 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
781 //i+=16;
782 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
783
784 if (ledcontrol) LED_A_ON();
785 SimulateTagLowFrequency(n, 0, ledcontrol);
786 if (ledcontrol) LED_A_OFF();
787 }
788
789 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
790 void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
791 {
792 uint8_t *dest = BigBuf_get_addr();
793 //const size_t sizeOfBigBuff = BigBuf_max_traceLen();
794 size_t size;
795 uint32_t hi2=0, hi=0, lo=0;
796 int idx=0;
797 int dummyIdx = 0;
798 // Configure to go in 125Khz listen mode
799 LFSetupFPGAForADC(95, true);
800
801 //clear read buffer
802 BigBuf_Clear_keep_EM();
803
804 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
805
806 WDT_HIT();
807 if (ledcontrol) LED_A_ON();
808
809 DoAcquisition_default(-1,true);
810 // FSK demodulator
811 //size = sizeOfBigBuff; //variable size will change after demod so re initialize it before use
812 size = 50*128*2; //big enough to catch 2 sequences of largest format
813 idx = HIDdemodFSK(dest, &size, &hi2, &hi, &lo, &dummyIdx);
814
815 if (idx>0 && lo>0 && (size==96 || size==192)){
816 // go over previously decoded manchester data and decode into usable tag ID
817 if (hi2 != 0){ //extra large HID tags 88/192 bits
818 Dbprintf("TAG ID: %x%08x%08x (%d)",
819 (unsigned int) hi2, (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
820 }else { //standard HID tags 44/96 bits
821 //Dbprintf("TAG ID: %x%08x (%d)",(unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); //old print cmd
822 uint8_t bitlen = 0;
823 uint32_t fc = 0;
824 uint32_t cardnum = 0;
825 if (((hi>>5)&1) == 1){//if bit 38 is set then < 37 bit format is used
826 uint32_t lo2=0;
827 lo2=(((hi & 31) << 12) | (lo>>20)); //get bits 21-37 to check for format len bit
828 uint8_t idx3 = 1;
829 while(lo2 > 1){ //find last bit set to 1 (format len bit)
830 lo2=lo2 >> 1;
831 idx3++;
832 }
833 bitlen = idx3+19;
834 fc =0;
835 cardnum=0;
836 if(bitlen == 26){
837 cardnum = (lo>>1)&0xFFFF;
838 fc = (lo>>17)&0xFF;
839 }
840 if(bitlen == 37){
841 cardnum = (lo>>1)&0x7FFFF;
842 fc = ((hi&0xF)<<12)|(lo>>20);
843 }
844 if(bitlen == 34){
845 cardnum = (lo>>1)&0xFFFF;
846 fc= ((hi&1)<<15)|(lo>>17);
847 }
848 if(bitlen == 35){
849 cardnum = (lo>>1)&0xFFFFF;
850 fc = ((hi&1)<<11)|(lo>>21);
851 }
852 }
853 else { //if bit 38 is not set then 37 bit format is used
854 bitlen= 37;
855 fc =0;
856 cardnum=0;
857 if(bitlen==37){
858 cardnum = (lo>>1)&0x7FFFF;
859 fc = ((hi&0xF)<<12)|(lo>>20);
860 }
861 }
862 //Dbprintf("TAG ID: %x%08x (%d)",
863 // (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
864 Dbprintf("TAG ID: %x%08x (%d) - Format Len: %dbit - FC: %d - Card: %d",
865 (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF,
866 (unsigned int) bitlen, (unsigned int) fc, (unsigned int) cardnum);
867 }
868 if (findone){
869 if (ledcontrol) LED_A_OFF();
870 *high = hi;
871 *low = lo;
872 break;
873 }
874 // reset
875 }
876 hi2 = hi = lo = idx = 0;
877 WDT_HIT();
878 }
879
880 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
881 DbpString("Stopped");
882 if (ledcontrol) LED_A_OFF();
883 }
884
885 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
886 void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
887 {
888 uint8_t *dest = BigBuf_get_addr();
889 size_t size;
890 int idx=0, dummyIdx=0;
891 //clear read buffer
892 BigBuf_Clear_keep_EM();
893 // Configure to go in 125Khz listen mode
894 LFSetupFPGAForADC(95, true);
895
896 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
897
898 WDT_HIT();
899 if (ledcontrol) LED_A_ON();
900
901 DoAcquisition_default(-1,true);
902 // FSK demodulator
903 size = 50*128*2; //big enough to catch 2 sequences of largest format
904 idx = AWIDdemodFSK(dest, &size, &dummyIdx);
905
906 if (idx<=0 || size!=96) continue;
907 // Index map
908 // 0 10 20 30 40 50 60
909 // | | | | | | |
910 // 01234567 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 - to 96
911 // -----------------------------------------------------------------------------
912 // 00000001 000 1 110 1 101 1 011 1 101 1 010 0 000 1 000 1 010 0 001 0 110 1 100 0 000 1 000 1
913 // premable bbb o bbb o bbw o fff o fff o ffc o ccc o ccc o ccc o ccc o ccc o wxx o xxx o xxx o - to 96
914 // |---26 bit---| |-----117----||-------------142-------------|
915 // b = format bit len, o = odd parity of last 3 bits
916 // f = facility code, c = card number
917 // w = wiegand parity
918 // (26 bit format shown)
919
920 //get raw ID before removing parities
921 uint32_t rawLo = bytebits_to_byte(dest+idx+64,32);
922 uint32_t rawHi = bytebits_to_byte(dest+idx+32,32);
923 uint32_t rawHi2 = bytebits_to_byte(dest+idx,32);
924
925 size = removeParity(dest, idx+8, 4, 1, 88);
926 if (size != 66) continue;
927 // ok valid card found!
928
929 // Index map
930 // 0 10 20 30 40 50 60
931 // | | | | | | |
932 // 01234567 8 90123456 7890123456789012 3 456789012345678901234567890123456
933 // -----------------------------------------------------------------------------
934 // 00011010 1 01110101 0000000010001110 1 000000000000000000000000000000000
935 // bbbbbbbb w ffffffff cccccccccccccccc w xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
936 // |26 bit| |-117--| |-----142------|
937 // b = format bit len, o = odd parity of last 3 bits
938 // f = facility code, c = card number
939 // w = wiegand parity
940 // (26 bit format shown)
941
942 uint32_t fc = 0;
943 uint32_t cardnum = 0;
944 uint32_t code1 = 0;
945 uint32_t code2 = 0;
946 uint8_t fmtLen = bytebits_to_byte(dest,8);
947 if (fmtLen==26){
948 fc = bytebits_to_byte(dest+9, 8);
949 cardnum = bytebits_to_byte(dest+17, 16);
950 code1 = bytebits_to_byte(dest+8,fmtLen);
951 Dbprintf("AWID Found - BitLength: %d, FC: %d, Card: %d - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, fc, cardnum, code1, rawHi2, rawHi, rawLo);
952 } else {
953 cardnum = bytebits_to_byte(dest+8+(fmtLen-17), 16);
954 if (fmtLen>32){
955 code1 = bytebits_to_byte(dest+8,fmtLen-32);
956 code2 = bytebits_to_byte(dest+8+(fmtLen-32),32);
957 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%d) - Wiegand: %x%08x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, code2, rawHi2, rawHi, rawLo);
958 } else{
959 code1 = bytebits_to_byte(dest+8,fmtLen);
960 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%d) - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, rawHi2, rawHi, rawLo);
961 }
962 }
963 if (findone){
964 if (ledcontrol) LED_A_OFF();
965 break;
966 }
967 // reset
968 idx = 0;
969 WDT_HIT();
970 }
971 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
972 DbpString("Stopped");
973 if (ledcontrol) LED_A_OFF();
974 }
975
976 void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol)
977 {
978 uint8_t *dest = BigBuf_get_addr();
979
980 size_t size=0, idx=0;
981 int clk=0, invert=0, errCnt=0, maxErr=20;
982 uint32_t hi=0;
983 uint64_t lo=0;
984 //clear read buffer
985 BigBuf_Clear_keep_EM();
986 // Configure to go in 125Khz listen mode
987 LFSetupFPGAForADC(95, true);
988
989 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
990
991 WDT_HIT();
992 if (ledcontrol) LED_A_ON();
993
994 DoAcquisition_default(-1,true);
995 size = BigBuf_max_traceLen();
996 //askdemod and manchester decode
997 if (size > 16385) size = 16385; //big enough to catch 2 sequences of largest format
998 errCnt = askdemod(dest, &size, &clk, &invert, maxErr, 0, 1);
999 WDT_HIT();
1000
1001 if (errCnt<0) continue;
1002
1003 errCnt = Em410xDecode(dest, &size, &idx, &hi, &lo);
1004 if (errCnt){
1005 if (size>64){
1006 Dbprintf("EM XL TAG ID: %06x%08x%08x - (%05d_%03d_%08d)",
1007 hi,
1008 (uint32_t)(lo>>32),
1009 (uint32_t)lo,
1010 (uint32_t)(lo&0xFFFF),
1011 (uint32_t)((lo>>16LL) & 0xFF),
1012 (uint32_t)(lo & 0xFFFFFF));
1013 } else {
1014 Dbprintf("EM TAG ID: %02x%08x - (%05d_%03d_%08d)",
1015 (uint32_t)(lo>>32),
1016 (uint32_t)lo,
1017 (uint32_t)(lo&0xFFFF),
1018 (uint32_t)((lo>>16LL) & 0xFF),
1019 (uint32_t)(lo & 0xFFFFFF));
1020 }
1021
1022 if (findone){
1023 if (ledcontrol) LED_A_OFF();
1024 *high=lo>>32;
1025 *low=lo & 0xFFFFFFFF;
1026 break;
1027 }
1028 }
1029 WDT_HIT();
1030 hi = lo = size = idx = 0;
1031 clk = invert = errCnt = 0;
1032 }
1033 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1034 DbpString("Stopped");
1035 if (ledcontrol) LED_A_OFF();
1036 }
1037
1038 void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
1039 {
1040 uint8_t *dest = BigBuf_get_addr();
1041 int idx=0;
1042 uint32_t code=0, code2=0;
1043 uint8_t version=0;
1044 uint8_t facilitycode=0;
1045 uint16_t number=0;
1046 int dummyIdx=0;
1047 //clear read buffer
1048 BigBuf_Clear_keep_EM();
1049 // Configure to go in 125Khz listen mode
1050 LFSetupFPGAForADC(95, true);
1051
1052 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
1053 WDT_HIT();
1054 if (ledcontrol) LED_A_ON();
1055 DoAcquisition_default(-1,true);
1056 //fskdemod and get start index
1057 WDT_HIT();
1058 idx = IOdemodFSK(dest, BigBuf_max_traceLen(), &dummyIdx);
1059 if (idx<0) continue;
1060 //valid tag found
1061
1062 //Index map
1063 //0 10 20 30 40 50 60
1064 //| | | | | | |
1065 //01234567 8 90123456 7 89012345 6 78901234 5 67890123 4 56789012 3 45678901 23
1066 //-----------------------------------------------------------------------------
1067 //00000000 0 11110000 1 facility 1 version* 1 code*one 1 code*two 1 ???????? 11
1068 //
1069 //XSF(version)facility:codeone+codetwo
1070 //Handle the data
1071 if(findone){ //only print binary if we are doing one
1072 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx], dest[idx+1], dest[idx+2],dest[idx+3],dest[idx+4],dest[idx+5],dest[idx+6],dest[idx+7],dest[idx+8]);
1073 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+9], dest[idx+10],dest[idx+11],dest[idx+12],dest[idx+13],dest[idx+14],dest[idx+15],dest[idx+16],dest[idx+17]);
1074 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+18],dest[idx+19],dest[idx+20],dest[idx+21],dest[idx+22],dest[idx+23],dest[idx+24],dest[idx+25],dest[idx+26]);
1075 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+27],dest[idx+28],dest[idx+29],dest[idx+30],dest[idx+31],dest[idx+32],dest[idx+33],dest[idx+34],dest[idx+35]);
1076 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+36],dest[idx+37],dest[idx+38],dest[idx+39],dest[idx+40],dest[idx+41],dest[idx+42],dest[idx+43],dest[idx+44]);
1077 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+45],dest[idx+46],dest[idx+47],dest[idx+48],dest[idx+49],dest[idx+50],dest[idx+51],dest[idx+52],dest[idx+53]);
1078 Dbprintf("%d%d%d%d%d%d%d%d %d%d",dest[idx+54],dest[idx+55],dest[idx+56],dest[idx+57],dest[idx+58],dest[idx+59],dest[idx+60],dest[idx+61],dest[idx+62],dest[idx+63]);
1079 }
1080 code = bytebits_to_byte(dest+idx,32);
1081 code2 = bytebits_to_byte(dest+idx+32,32);
1082 version = bytebits_to_byte(dest+idx+27,8); //14,4
1083 facilitycode = bytebits_to_byte(dest+idx+18,8);
1084 number = (bytebits_to_byte(dest+idx+36,8)<<8)|(bytebits_to_byte(dest+idx+45,8)); //36,9
1085
1086 Dbprintf("XSF(%02d)%02x:%05d (%08x%08x)",version,facilitycode,number,code,code2);
1087 // if we're only looking for one tag
1088 if (findone){
1089 if (ledcontrol) LED_A_OFF();
1090 //LED_A_OFF();
1091 *high=code;
1092 *low=code2;
1093 break;
1094 }
1095 code=code2=0;
1096 version=facilitycode=0;
1097 number=0;
1098 idx=0;
1099
1100 WDT_HIT();
1101 }
1102 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1103 DbpString("Stopped");
1104 if (ledcontrol) LED_A_OFF();
1105 }
1106
1107 /*------------------------------
1108 * T5555/T5557/T5567/T5577 routines
1109 *------------------------------
1110 * NOTE: T55x7/T5555 configuration register definitions moved to protocols.h
1111 *
1112 * Relevant communication times in microsecond
1113 * To compensate antenna falling times shorten the write times
1114 * and enlarge the gap ones.
1115 * Q5 tags seems to have issues when these values changes.
1116 */
1117 #define START_GAP 31*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (or 15fc)
1118 #define WRITE_GAP 20*8 // was 160 // SPEC: 1*8 to 20*8 - typ 10*8 (or 10fc)
1119 #define WRITE_0 18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc)
1120 #define WRITE_1 50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc) 432 for T55x7; 448 for E5550
1121 #define READ_GAP 15*8
1122
1123 void TurnReadLFOn(int delay) {
1124 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
1125 // Give it a bit of time for the resonant antenna to settle.
1126 WaitUS(delay); //155*8 //50*8
1127 }
1128
1129 // Write one bit to card
1130 void T55xxWriteBit(int bit) {
1131 if (!bit)
1132 TurnReadLFOn(WRITE_0);
1133 else
1134 TurnReadLFOn(WRITE_1);
1135 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1136 WaitUS(WRITE_GAP);
1137 }
1138
1139 // Send T5577 reset command then read stream (see if we can identify the start of the stream)
1140 void T55xxResetRead(void) {
1141 LED_A_ON();
1142 //clear buffer now so it does not interfere with timing later
1143 BigBuf_Clear_keep_EM();
1144
1145 // Set up FPGA, 125kHz
1146 LFSetupFPGAForADC(95, true);
1147 StartTicks();
1148 // make sure tag is fully powered up...
1149 WaitMS(5);
1150
1151 // Trigger T55x7 in mode.
1152 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1153 WaitUS(START_GAP);
1154
1155 // reset tag - op code 00
1156 T55xxWriteBit(0);
1157 T55xxWriteBit(0);
1158
1159 TurnReadLFOn(READ_GAP);
1160
1161 // Acquisition
1162 DoPartialAcquisition(0, true, BigBuf_max_traceLen(), 0);
1163
1164 // Turn the field off
1165 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1166 cmd_send(CMD_ACK,0,0,0,0,0);
1167 LED_A_OFF();
1168 }
1169
1170 // Write one card block in page 0, no lock
1171 void T55xxWriteBlockExt(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
1172 LED_A_ON();
1173 bool PwdMode = arg & 0x1;
1174 uint8_t Page = (arg & 0x2)>>1;
1175 bool testMode = arg & 0x4;
1176 uint32_t i = 0;
1177
1178 // Set up FPGA, 125kHz
1179 LFSetupFPGAForADC(95, true);
1180 StartTicks();
1181 // make sure tag is fully powered up...
1182 WaitMS(5);
1183 // Trigger T55x7 in mode.
1184 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1185 WaitUS(START_GAP);
1186
1187 if (testMode) Dbprintf("TestMODE");
1188 // Std Opcode 10
1189 T55xxWriteBit(testMode ? 0 : 1);
1190 T55xxWriteBit(testMode ? 1 : Page); //Page 0
1191
1192 if (PwdMode) {
1193 // Send Pwd
1194 for (i = 0x80000000; i != 0; i >>= 1)
1195 T55xxWriteBit(Pwd & i);
1196 }
1197 // Send Lock bit
1198 T55xxWriteBit(0);
1199
1200 // Send Data
1201 for (i = 0x80000000; i != 0; i >>= 1)
1202 T55xxWriteBit(Data & i);
1203
1204 // Send Block number
1205 for (i = 0x04; i != 0; i >>= 1)
1206 T55xxWriteBit(Block & i);
1207
1208 // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
1209 // so wait a little more)
1210
1211 // "there is a clock delay before programming"
1212 // - programming takes ~5.6ms for t5577 ~18ms for E5550 or t5567
1213 // so we should wait 1 clock + 5.6ms then read response?
1214 // but we need to know we are dealing with t5577 vs t5567 vs e5550 (or q5) marshmellow...
1215 if (testMode) {
1216 //TESTMODE TIMING TESTS:
1217 // <566us does nothing
1218 // 566-568 switches between wiping to 0s and doing nothing
1219 // 5184 wipes and allows 1 block to be programmed.
1220 // indefinite power on wipes and then programs all blocks with bitshifted data sent.
1221 TurnReadLFOn(5184);
1222
1223 } else {
1224 TurnReadLFOn(20 * 1000);
1225 //could attempt to do a read to confirm write took
1226 // as the tag should repeat back the new block
1227 // until it is reset, but to confirm it we would
1228 // need to know the current block 0 config mode for
1229 // modulation clock an other details to demod the response...
1230 // response should be (for t55x7) a 0 bit then (ST if on)
1231 // block data written in on repeat until reset.
1232
1233 //DoPartialAcquisition(20, true, 12000);
1234 }
1235
1236 // turn field off
1237 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1238 LED_A_OFF();
1239 }
1240
1241 // Write one card block in page 0, no lock
1242 void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
1243 T55xxWriteBlockExt(Data, Block, Pwd, arg);
1244 cmd_send(CMD_ACK,0,0,0,0,0);
1245 }
1246
1247 // Read one card block in page [page]
1248 void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) {
1249 LED_A_ON();
1250 bool PwdMode = arg0 & 0x1;
1251 uint8_t Page = (arg0 & 0x2) >> 1;
1252 uint32_t i = 0;
1253 bool RegReadMode = (Block == 0xFF);//regular read mode
1254
1255 //clear buffer now so it does not interfere with timing later
1256 BigBuf_Clear_ext(false);
1257
1258 //make sure block is at max 7
1259 Block &= 0x7;
1260
1261 // Set up FPGA, 125kHz to power up the tag
1262 LFSetupFPGAForADC(95, true);
1263 StartTicks();
1264 // make sure tag is fully powered up...
1265 WaitMS(5);
1266 // Trigger T55x7 Direct Access Mode with start gap
1267 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1268 WaitUS(START_GAP);
1269
1270 // Opcode 1[page]
1271 T55xxWriteBit(1);
1272 T55xxWriteBit(Page); //Page 0
1273
1274 if (PwdMode){
1275 // Send Pwd
1276 for (i = 0x80000000; i != 0; i >>= 1)
1277 T55xxWriteBit(Pwd & i);
1278 }
1279 // Send a zero bit separation
1280 T55xxWriteBit(0);
1281
1282 // Send Block number (if direct access mode)
1283 if (!RegReadMode)
1284 for (i = 0x04; i != 0; i >>= 1)
1285 T55xxWriteBit(Block & i);
1286
1287 // Turn field on to read the response
1288 // 137*8 seems to get to the start of data pretty well...
1289 // but we want to go past the start and let the repeating data settle in...
1290 TurnReadLFOn(210*8);
1291
1292 // Acquisition
1293 // Now do the acquisition
1294 DoPartialAcquisition(0, true, 12000, 0);
1295
1296 // Turn the field off
1297 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1298 cmd_send(CMD_ACK,0,0,0,0,0);
1299 LED_A_OFF();
1300 }
1301
1302 void T55xxWakeUp(uint32_t Pwd){
1303 LED_B_ON();
1304 uint32_t i = 0;
1305
1306 // Set up FPGA, 125kHz
1307 LFSetupFPGAForADC(95, true);
1308 StartTicks();
1309 // make sure tag is fully powered up...
1310 WaitMS(5);
1311
1312 // Trigger T55x7 Direct Access Mode
1313 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1314 WaitUS(START_GAP);
1315
1316 // Opcode 10
1317 T55xxWriteBit(1);
1318 T55xxWriteBit(0); //Page 0
1319
1320 // Send Pwd
1321 for (i = 0x80000000; i != 0; i >>= 1)
1322 T55xxWriteBit(Pwd & i);
1323
1324 // Turn and leave field on to let the begin repeating transmission
1325 TurnReadLFOn(20*1000);
1326 }
1327
1328 /*-------------- Cloning routines -----------*/
1329
1330 void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
1331 // write last block first and config block last (if included)
1332 for (uint8_t i = numblocks+startblock; i > startblock; i--) {
1333 T55xxWriteBlockExt(blockdata[i-1],i-1,0,0);
1334 }
1335 }
1336
1337 // Copy HID id to card and setup block 0 config
1338 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) {
1339 uint32_t data[] = {0,0,0,0,0,0,0};
1340 uint8_t last_block = 0;
1341
1342 if (longFMT) {
1343 // Ensure no more than 84 bits supplied
1344 if (hi2>0xFFFFF) {
1345 DbpString("Tags can only have 84 bits.");
1346 return;
1347 }
1348 // Build the 6 data blocks for supplied 84bit ID
1349 last_block = 6;
1350 // load preamble (1D) & long format identifier (9E manchester encoded)
1351 data[1] = 0x1D96A900 | (manchesterEncode2Bytes((hi2 >> 16) & 0xF) & 0xFF);
1352 // load raw id from hi2, hi, lo to data blocks (manchester encoded)
1353 data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF);
1354 data[3] = manchesterEncode2Bytes(hi >> 16);
1355 data[4] = manchesterEncode2Bytes(hi & 0xFFFF);
1356 data[5] = manchesterEncode2Bytes(lo >> 16);
1357 data[6] = manchesterEncode2Bytes(lo & 0xFFFF);
1358 } else {
1359 // Ensure no more than 44 bits supplied
1360 if (hi>0xFFF) {
1361 DbpString("Tags can only have 44 bits.");
1362 return;
1363 }
1364 // Build the 3 data blocks for supplied 44bit ID
1365 last_block = 3;
1366 // load preamble
1367 data[1] = 0x1D000000 | (manchesterEncode2Bytes(hi) & 0xFFFFFF);
1368 data[2] = manchesterEncode2Bytes(lo >> 16);
1369 data[3] = manchesterEncode2Bytes(lo & 0xFFFF);
1370 }
1371 // load chip config block
1372 data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT;
1373
1374 //TODO add selection of chip for Q5 or T55x7
1375 // data[0] = (((50-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | last_block << T5555_MAXBLOCK_SHIFT;
1376
1377 LED_D_ON();
1378 // Program the data blocks for supplied ID
1379 // and the block 0 for HID format
1380 WriteT55xx(data, 0, last_block+1);
1381
1382 LED_D_OFF();
1383
1384 DbpString("DONE!");
1385 }
1386
1387 void CopyIOtoT55x7(uint32_t hi, uint32_t lo) {
1388 uint32_t data[] = {T55x7_BITRATE_RF_64 | T55x7_MODULATION_FSK2a | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
1389 //TODO add selection of chip for Q5 or T55x7
1390 // data[0] = (((64-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | 2 << T5555_MAXBLOCK_SHIFT;
1391
1392 LED_D_ON();
1393 // Program the data blocks for supplied ID
1394 // and the block 0 config
1395 WriteT55xx(data, 0, 3);
1396
1397 LED_D_OFF();
1398
1399 DbpString("DONE!");
1400 }
1401
1402 // Clone Indala 64-bit tag by UID to T55x7
1403 void CopyIndala64toT55x7(uint32_t hi, uint32_t lo) {
1404 //Program the 2 data blocks for supplied 64bit UID
1405 // and the Config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2)
1406 uint32_t data[] = { T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
1407 //TODO add selection of chip for Q5 or T55x7
1408 // data[0] = (((32-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 2 << T5555_MAXBLOCK_SHIFT;
1409
1410 WriteT55xx(data, 0, 3);
1411 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
1412 // T5567WriteBlock(0x603E1042,0);
1413 DbpString("DONE!");
1414 }
1415 // Clone Indala 224-bit tag by UID to T55x7
1416 void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7) {
1417 //Program the 7 data blocks for supplied 224bit UID
1418 uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7};
1419 // and the block 0 for Indala224 format
1420 //Config for Indala (RF/32;PSK2 with RF/2;Maxblock=7)
1421 data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK2 | (7 << T55x7_MAXBLOCK_SHIFT);
1422 //TODO add selection of chip for Q5 or T55x7
1423 // data[0] = (((32-2)>>1)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK2 | 7 << T5555_MAXBLOCK_SHIFT;
1424 WriteT55xx(data, 0, 8);
1425 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
1426 // T5567WriteBlock(0x603E10E2,0);
1427 DbpString("DONE!");
1428 }
1429 // clone viking tag to T55xx
1430 void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5) {
1431 uint32_t data[] = {T55x7_BITRATE_RF_32 | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT), block1, block2};
1432 if (Q5) data[0] = T5555_SET_BITRATE(32) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
1433 // Program the data blocks for supplied ID and the block 0 config
1434 WriteT55xx(data, 0, 3);
1435 LED_D_OFF();
1436 cmd_send(CMD_ACK,0,0,0,0,0);
1437 }
1438
1439 // Define 9bit header for EM410x tags
1440 #define EM410X_HEADER 0x1FF
1441 #define EM410X_ID_LENGTH 40
1442
1443 void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo) {
1444 int i, id_bit;
1445 uint64_t id = EM410X_HEADER;
1446 uint64_t rev_id = 0; // reversed ID
1447 int c_parity[4]; // column parity
1448 int r_parity = 0; // row parity
1449 uint32_t clock = 0;
1450
1451 // Reverse ID bits given as parameter (for simpler operations)
1452 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1453 if (i < 32) {
1454 rev_id = (rev_id << 1) | (id_lo & 1);
1455 id_lo >>= 1;
1456 } else {
1457 rev_id = (rev_id << 1) | (id_hi & 1);
1458 id_hi >>= 1;
1459 }
1460 }
1461
1462 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1463 id_bit = rev_id & 1;
1464
1465 if (i % 4 == 0) {
1466 // Don't write row parity bit at start of parsing
1467 if (i)
1468 id = (id << 1) | r_parity;
1469 // Start counting parity for new row
1470 r_parity = id_bit;
1471 } else {
1472 // Count row parity
1473 r_parity ^= id_bit;
1474 }
1475
1476 // First elements in column?
1477 if (i < 4)
1478 // Fill out first elements
1479 c_parity[i] = id_bit;
1480 else
1481 // Count column parity
1482 c_parity[i % 4] ^= id_bit;
1483
1484 // Insert ID bit
1485 id = (id << 1) | id_bit;
1486 rev_id >>= 1;
1487 }
1488
1489 // Insert parity bit of last row
1490 id = (id << 1) | r_parity;
1491
1492 // Fill out column parity at the end of tag
1493 for (i = 0; i < 4; ++i)
1494 id = (id << 1) | c_parity[i];
1495
1496 // Add stop bit
1497 id <<= 1;
1498
1499 Dbprintf("Started writing %s tag ...", card ? "T55x7":"T5555");
1500 LED_D_ON();
1501
1502 // Write EM410x ID
1503 uint32_t data[] = {0, (uint32_t)(id>>32), (uint32_t)(id & 0xFFFFFFFF)};
1504
1505 clock = (card & 0xFF00) >> 8;
1506 clock = (clock == 0) ? 64 : clock;
1507 Dbprintf("Clock rate: %d", clock);
1508 if (card & 0xFF) { //t55x7
1509 clock = GetT55xxClockBit(clock);
1510 if (clock == 0) {
1511 Dbprintf("Invalid clock rate: %d", clock);
1512 return;
1513 }
1514 data[0] = clock | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT);
1515 } else { //t5555 (Q5)
1516 data[0] = T5555_SET_BITRATE(clock) | T5555_MODULATION_MANCHESTER | (2 << T5555_MAXBLOCK_SHIFT);
1517 }
1518
1519 WriteT55xx(data, 0, 3);
1520
1521 LED_D_OFF();
1522 Dbprintf("Tag %s written with 0x%08x%08x\n", card ? "T55x7":"T5555",
1523 (uint32_t)(id >> 32), (uint32_t)id);
1524 }
1525
1526 //-----------------------------------
1527 // EM4469 / EM4305 routines
1528 //-----------------------------------
1529 #define FWD_CMD_LOGIN 0xC //including the even parity, binary mirrored
1530 #define FWD_CMD_WRITE 0xA
1531 #define FWD_CMD_READ 0x9
1532 #define FWD_CMD_DISABLE 0x5
1533
1534 uint8_t forwardLink_data[64]; //array of forwarded bits
1535 uint8_t * forward_ptr; //ptr for forward message preparation
1536 uint8_t fwd_bit_sz; //forwardlink bit counter
1537 uint8_t * fwd_write_ptr; //forwardlink bit pointer
1538
1539 //====================================================================
1540 // prepares command bits
1541 // see EM4469 spec
1542 //====================================================================
1543 //--------------------------------------------------------------------
1544 // VALUES TAKEN FROM EM4x function: SendForward
1545 // START_GAP = 440; (55*8) cycles at 125Khz (8us = 1cycle)
1546 // WRITE_GAP = 128; (16*8)
1547 // WRITE_1 = 256 32*8; (32*8)
1548
1549 // These timings work for 4469/4269/4305 (with the 55*8 above)
1550 // WRITE_0 = 23*8 , 9*8 SpinDelayUs(23*8);
1551
1552 uint8_t Prepare_Cmd( uint8_t cmd ) {
1553
1554 *forward_ptr++ = 0; //start bit
1555 *forward_ptr++ = 0; //second pause for 4050 code
1556
1557 *forward_ptr++ = cmd;
1558 cmd >>= 1;
1559 *forward_ptr++ = cmd;
1560 cmd >>= 1;
1561 *forward_ptr++ = cmd;
1562 cmd >>= 1;
1563 *forward_ptr++ = cmd;
1564
1565 return 6; //return number of emited bits
1566 }
1567
1568 //====================================================================
1569 // prepares address bits
1570 // see EM4469 spec
1571 //====================================================================
1572 uint8_t Prepare_Addr( uint8_t addr ) {
1573
1574 register uint8_t line_parity;
1575
1576 uint8_t i;
1577 line_parity = 0;
1578 for(i=0;i<6;i++) {
1579 *forward_ptr++ = addr;
1580 line_parity ^= addr;
1581 addr >>= 1;
1582 }
1583
1584 *forward_ptr++ = (line_parity & 1);
1585
1586 return 7; //return number of emited bits
1587 }
1588
1589 //====================================================================
1590 // prepares data bits intreleaved with parity bits
1591 // see EM4469 spec
1592 //====================================================================
1593 uint8_t Prepare_Data( uint16_t data_low, uint16_t data_hi) {
1594
1595 register uint8_t line_parity;
1596 register uint8_t column_parity;
1597 register uint8_t i, j;
1598 register uint16_t data;
1599
1600 data = data_low;
1601 column_parity = 0;
1602
1603 for(i=0; i<4; i++) {
1604 line_parity = 0;
1605 for(j=0; j<8; j++) {
1606 line_parity ^= data;
1607 column_parity ^= (data & 1) << j;
1608 *forward_ptr++ = data;
1609 data >>= 1;
1610 }
1611 *forward_ptr++ = line_parity;
1612 if(i == 1)
1613 data = data_hi;
1614 }
1615
1616 for(j=0; j<8; j++) {
1617 *forward_ptr++ = column_parity;
1618 column_parity >>= 1;
1619 }
1620 *forward_ptr = 0;
1621
1622 return 45; //return number of emited bits
1623 }
1624
1625 //====================================================================
1626 // Forward Link send function
1627 // Requires: forwarLink_data filled with valid bits (1 bit per byte)
1628 // fwd_bit_count set with number of bits to be sent
1629 //====================================================================
1630 void SendForward(uint8_t fwd_bit_count) {
1631
1632 fwd_write_ptr = forwardLink_data;
1633 fwd_bit_sz = fwd_bit_count;
1634
1635 // Set up FPGA, 125kHz or 95 divisor
1636 LFSetupFPGAForADC(95, true);
1637
1638 // force 1st mod pulse (start gap must be longer for 4305)
1639 fwd_bit_sz--; //prepare next bit modulation
1640 fwd_write_ptr++;
1641 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1642 WaitUS(55*8); //55 cycles off (8us each)for 4305 //another reader has 37 here...
1643 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
1644 WaitUS(18*8); //18 cycles on (8us each)
1645
1646 // now start writting
1647 while(fwd_bit_sz-- > 0) { //prepare next bit modulation
1648 if(((*fwd_write_ptr++) & 1) == 1)
1649 WaitUS(32*8); //32 cycles at 125Khz (8us each)
1650 else {
1651 //These timings work for 4469/4269/4305 (with the 55*8 above)
1652 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1653 WaitUS(23*8); //23 cycles off (8us each)
1654 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
1655 WaitUS(18*8); //18 cycles on (8us each)
1656 }
1657 }
1658 }
1659
1660 void EM4xLogin(uint32_t Password) {
1661
1662 uint8_t fwd_bit_count;
1663
1664 forward_ptr = forwardLink_data;
1665 fwd_bit_count = Prepare_Cmd( FWD_CMD_LOGIN );
1666 fwd_bit_count += Prepare_Data( Password&0xFFFF, Password>>16 );
1667
1668 SendForward(fwd_bit_count);
1669
1670 //Wait for command to complete
1671 SpinDelay(20);
1672 }
1673
1674 void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
1675
1676 uint8_t fwd_bit_count;
1677
1678 // Clear destination buffer before sending the command
1679 BigBuf_Clear_ext(false);
1680
1681 LED_A_ON();
1682 StartTicks();
1683 //If password mode do login
1684 if (PwdMode == 1) EM4xLogin(Pwd);
1685
1686 forward_ptr = forwardLink_data;
1687 fwd_bit_count = Prepare_Cmd( FWD_CMD_READ );
1688 fwd_bit_count += Prepare_Addr( Address );
1689
1690 SendForward(fwd_bit_count);
1691 WaitUS(400);
1692 // Now do the acquisition
1693 DoPartialAcquisition(20, true, 6000, 1000);
1694
1695 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1696 LED_A_OFF();
1697 cmd_send(CMD_ACK,0,0,0,0,0);
1698 }
1699
1700 void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) {
1701
1702 bool PwdMode = (flag & 0xF);
1703 uint8_t Address = (flag >> 8) & 0xFF;
1704 uint8_t fwd_bit_count;
1705
1706 //clear buffer now so it does not interfere with timing later
1707 BigBuf_Clear_ext(false);
1708
1709 LED_A_ON();
1710 StartTicks();
1711 //If password mode do login
1712 if (PwdMode) EM4xLogin(Pwd);
1713
1714 forward_ptr = forwardLink_data;
1715 fwd_bit_count = Prepare_Cmd( FWD_CMD_WRITE );
1716 fwd_bit_count += Prepare_Addr( Address );
1717 fwd_bit_count += Prepare_Data( Data&0xFFFF, Data>>16 );
1718
1719 SendForward(fwd_bit_count);
1720
1721 //Wait for write to complete
1722 //SpinDelay(10);
1723
1724 WaitUS(6500);
1725 //Capture response if one exists
1726 DoPartialAcquisition(20, true, 6000, 1000);
1727
1728 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1729 LED_A_OFF();
1730 cmd_send(CMD_ACK,0,0,0,0,0);
1731 }
1732 /*
1733 Reading a COTAG.
1734
1735 COTAG needs the reader to send a startsequence and the card has an extreme slow datarate.
1736 because of this, we can "sample" the data signal but we interpreate it to Manchester direct.
1737
1738 READER START SEQUENCE:
1739 burst 800 us, gap 2.2 msecs
1740 burst 3.6 msecs gap 2.2 msecs
1741 burst 800 us gap 2.2 msecs
1742 pulse 3.6 msecs
1743
1744 This triggers a COTAG tag to response
1745 */
1746 void Cotag(uint32_t arg0) {
1747
1748 #define OFF { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); WaitUS(2035); }
1749 #define ON(x) { FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); WaitUS((x)); }
1750
1751 uint8_t rawsignal = arg0 & 0xF;
1752
1753 LED_A_ON();
1754
1755 // Switching to LF image on FPGA. This might empty BigBuff
1756 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1757
1758 //clear buffer now so it does not interfere with timing later
1759 BigBuf_Clear_ext(false);
1760
1761 // Set up FPGA, 132kHz to power up the tag
1762 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 89);
1763 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
1764
1765 // Connect the A/D to the peak-detected low-frequency path.
1766 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1767
1768 // Now set up the SSC to get the ADC samples that are now streaming at us.
1769 FpgaSetupSsc();
1770
1771 // start clock - 1.5ticks is 1us
1772 StartTicks();
1773
1774 //send COTAG start pulse
1775 ON(740) OFF
1776 ON(3330) OFF
1777 ON(740) OFF
1778 ON(1000)
1779
1780 switch(rawsignal) {
1781 case 0: doCotagAcquisition(50000); break;
1782 case 1: doCotagAcquisitionManchester(); break;
1783 case 2: DoAcquisition_config(true, 0); break;
1784 }
1785
1786 // Turn the field off
1787 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1788 cmd_send(CMD_ACK,0,0,0,0,0);
1789 LED_A_OFF();
1790 }
Impressum, Datenschutz