X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/bf7163bdb387693ea592c212c659bbb095f84cb4..7bd30f12ac6def96c82df20ed7d927160db289af:/armsrc/lfops.c

diff --git a/armsrc/lfops.c b/armsrc/lfops.c
index fbd07e65..e086a717 100644
--- a/armsrc/lfops.c
+++ b/armsrc/lfops.c
@@ -8,15 +8,18 @@
 // Also routines for raw mode reading/simulating of LF waveform
 //-----------------------------------------------------------------------------
 
-#include "proxmark3.h"
+#include "../include/proxmark3.h"
 #include "apps.h"
 #include "util.h"
-#include "hitag2.h"
-#include "crc16.h"
+#include "../include/hitag2.h"
+#include "../common/crc16.h"
 #include "string.h"
+#include "crapto1.h"
+#include "mifareutil.h"
 
-void AcquireRawAdcSamples125k(int divisor)
+void LFSetupFPGAForADC(int divisor, bool lf_field)
 {
+	FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
 	if ( (divisor == 1) || (divisor < 0) || (divisor > 255) )
 		FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
 	else if (divisor == 0)
@@ -24,29 +27,38 @@ void AcquireRawAdcSamples125k(int divisor)
 	else
 		FpgaSendCommand(FPGA_CMD_SET_DIVISOR, divisor);
 
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | (lf_field ? FPGA_LF_ADC_READER_FIELD : 0));
 
 	// Connect the A/D to the peak-detected low-frequency path.
 	SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
-
+	
 	// Give it a bit of time for the resonant antenna to settle.
-	SpinDelay(50);
-
+	SpinDelay(150);
+	
 	// Now set up the SSC to get the ADC samples that are now streaming at us.
 	FpgaSetupSsc();
+}
 
-	// Now call the acquisition routine
-	DoAcquisition125k();
+void AcquireRawAdcSamples125k(int divisor)
+{
+	LFSetupFPGAForADC(divisor, true);
+	DoAcquisition125k(-1);
+}
+
+void SnoopLFRawAdcSamples(int divisor, int trigger_threshold)
+{
+	LFSetupFPGAForADC(divisor, false);
+	DoAcquisition125k(trigger_threshold);
 }
 
 // split into two routines so we can avoid timing issues after sending commands //
-void DoAcquisition125k(void)
+void DoAcquisition125k(int trigger_threshold)
 {
-	uint8_t *dest = (uint8_t *)BigBuf;
-	int n = sizeof(BigBuf);
+	uint8_t *dest =  mifare_get_bigbufptr();
+	int n = 8000;
 	int i;
 
-	memset(dest, 0, n);
+	memset(dest, 0x00, n);
 	i = 0;
 	for(;;) {
 		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
@@ -55,13 +67,17 @@ void DoAcquisition125k(void)
 		}
 		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
 			dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-			i++;
 			LED_D_OFF();
-			if (i >= n) break;
+			if (trigger_threshold != -1 && dest[i] < trigger_threshold)
+				continue;
+			else
+				trigger_threshold = -1;
+			if (++i >= n) break;
 		}
 	}
 	Dbprintf("buffer samples: %02x %02x %02x %02x %02x %02x %02x %02x ...",
 			dest[0], dest[1], dest[2], dest[3], dest[4], dest[5], dest[6], dest[7]);
+			
 }
 
 void ModThenAcquireRawAdcSamples125k(int delay_off, int period_0, int period_1, uint8_t *command)
@@ -69,6 +85,7 @@ void ModThenAcquireRawAdcSamples125k(int delay_off, int period_0, int period_1,
 	int at134khz;
 
 	/* Make sure the tag is reset */
+	FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	SpinDelay(2500);
 
@@ -83,7 +100,7 @@ void ModThenAcquireRawAdcSamples125k(int delay_off, int period_0, int period_1,
 	else
 		FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
 
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
 
 	// Give it a bit of time for the resonant antenna to settle.
 	SpinDelay(50);
@@ -103,7 +120,7 @@ void ModThenAcquireRawAdcSamples125k(int delay_off, int period_0, int period_1,
 		else
 			FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
 
-		FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
+		FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
 		LED_D_ON();
 		if(*(command++) == '0')
 			SpinDelayUs(period_0);
@@ -118,10 +135,10 @@ void ModThenAcquireRawAdcSamples125k(int delay_off, int period_0, int period_1,
 	else
 		FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
 
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
 
 	// now do the read
-	DoAcquisition125k();
+	DoAcquisition125k(-1);
 }
 
 /* blank r/w tag data stream
@@ -158,6 +175,7 @@ void ReadTItag(void)
 	uint32_t threshold = (sampleslo - sampleshi + 1)>>1;
 
 	// TI tags charge at 134.2Khz
+	FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
 	FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
 
 	// Place FPGA in passthrough mode, in this mode the CROSS_LO line
@@ -365,6 +383,7 @@ void AcquireTiType(void)
 // if not provided a valid crc will be computed from the data and written.
 void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc)
 {
+	FpgaDownloadAndGo(FPGA_BITSTREAM_LF);	
 	if(crc == 0) {
 	 	crc = update_crc16(crc, (idlo)&0xff);
 		crc = update_crc16(crc, (idlo>>8)&0xff);
@@ -436,6 +455,7 @@ void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
 	int i;
 	uint8_t *tab = (uint8_t *)BigBuf;
     
+	FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
     
 	AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK;
@@ -602,8 +622,9 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
 	int m=0, n=0, i=0, idx=0, found=0, lastval=0;
   uint32_t hi2=0, hi=0, lo=0;
 
+	FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
 	FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
 
 	// Connect the A/D to the peak-detected low-frequency path.
 	SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
@@ -807,20 +828,190 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
 	}
 }
 
+void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
+{
+	uint8_t *dest =  mifare_get_bigbufptr();
+	int m=0, n=0, i=0, idx=0, lastval=0;
+	int found=0;
+	uint32_t code=0, code2=0;
+
+	LFSetupFPGAForADC(0, true);
+
+	for(;;) {
+		WDT_HIT();
+		if (ledcontrol)
+			LED_A_ON();
+		if(BUTTON_PRESS()) {
+			DbpString("Stopped");
+			if (ledcontrol)
+				LED_A_OFF();
+			return;
+		}
+
+		i = 0;
+		m = 30000;
+		memset(dest,128,m);
+		for(;;) {
+			if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
+				AT91C_BASE_SSC->SSC_THR = 0x43;
+				if (ledcontrol)
+					LED_D_ON();
+			}
+			if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
+				dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
+				// we don't care about actual value, only if it's more or less than a
+				// threshold essentially we capture zero crossings for later analysis
+				dest[i] = (dest[i] < 127) ? 0 : 1;
+				++i;
+				if (ledcontrol)
+					LED_D_OFF();
+				if(i >= m) 	
+					break;
+			}
+		}
+
+		// FSK demodulator
+
+		// sync to first lo-hi transition
+		for( idx=1; idx<m; idx++) {
+			if (dest[idx-1]<dest[idx])
+				lastval=idx;
+				break;
+		}
+		WDT_HIT();
+
+		// count cycles between consecutive lo-hi transitions, there should be either 8 (fc/8)
+		// or 10 (fc/10) cycles but in practice due to noise etc we may end up with with anywhere
+		// between 7 to 11 cycles so fuzz it by treat anything <9 as 8 and anything else as 10
+		for( i=0; idx<m; idx++) {
+			if (dest[idx-1]<dest[idx]) {
+				dest[i]=idx-lastval;
+				dest[i] = (dest[i] <= 8) ? 1:0;
+				lastval=idx;
+				i++;
+			}
+		}
+		m=i;
+		WDT_HIT();
+
+		// we now have a set of cycle counts, loop over previous results and aggregate data into bit patterns
+		lastval=dest[0];
+		idx=0;
+		i=0;
+		n=0;
+		for( idx=0; idx<m; idx++) {
+			if (dest[idx]==lastval) {
+				n++;
+			} else {
+				// a bit time is five fc/10 or six fc/8 cycles so figure out how many bits a pattern width represents,
+				// an extra fc/8 pattern preceeds every 4 bits (about 200 cycles) just to complicate things but it gets
+				// swallowed up by rounding
+				// expected results are 1 or 2 bits, any more and it's an invalid manchester encoding
+				// special start of frame markers use invalid manchester states (no transitions) by using sequences
+				// like 111000
+				if (dest[idx-1]) {
+					n=(n+1)/7;			// fc/8 in sets of 7
+				} else {
+					n=(n+1)/6;			// fc/10 in sets of 6
+				}
+
+				// stuff appropriate bits in buffer
+				if ( n==0 )
+					dest[i++]=dest[idx-1]^1;
+				else {
+					if ( n < 13){
+						for(int j=0; j<n; j++){
+							dest[i++]=dest[idx-1]^1;
+						}
+					}
+				}
+				
+				n=0;
+				lastval=dest[idx];
+			}
+		}//end for
+
+		m=i;
+		WDT_HIT();
+		
+        for( idx=0; idx<m-9; idx++) {
+	  if ( !(dest[idx]) && !(dest[idx+1]) && !(dest[idx+2]) && !(dest[idx+3]) && !(dest[idx+4]) && !(dest[idx+5]) && !(dest[idx+6]) && !(dest[idx+7]) && !(dest[idx+8])&& (dest[idx+9])){
+		found=1;
+		//idx+=9;
+		if (found) {
+		    Dbprintf("%d%d%d%d%d%d%d%d",dest[idx],   dest[idx+1],   dest[idx+2],dest[idx+3],dest[idx+4],dest[idx+5],dest[idx+6],dest[idx+7]);
+		    Dbprintf("%d%d%d%d%d%d%d%d",dest[idx+8], dest[idx+9], dest[idx+10],dest[idx+11],dest[idx+12],dest[idx+13],dest[idx+14],dest[idx+15]);			  
+		    Dbprintf("%d%d%d%d%d%d%d%d",dest[idx+16],dest[idx+17],dest[idx+18],dest[idx+19],dest[idx+20],dest[idx+21],dest[idx+22],dest[idx+23]);
+		    Dbprintf("%d%d%d%d%d%d%d%d",dest[idx+24],dest[idx+25],dest[idx+26],dest[idx+27],dest[idx+28],dest[idx+29],dest[idx+30],dest[idx+31]);
+		    Dbprintf("%d%d%d%d%d%d%d%d",dest[idx+32],dest[idx+33],dest[idx+34],dest[idx+35],dest[idx+36],dest[idx+37],dest[idx+38],dest[idx+39]);
+		    Dbprintf("%d%d%d%d%d%d%d%d",dest[idx+40],dest[idx+41],dest[idx+42],dest[idx+43],dest[idx+44],dest[idx+45],dest[idx+46],dest[idx+47]);
+		    Dbprintf("%d%d%d%d%d%d%d%d",dest[idx+48],dest[idx+49],dest[idx+50],dest[idx+51],dest[idx+52],dest[idx+53],dest[idx+54],dest[idx+55]);
+		    Dbprintf("%d%d%d%d%d%d%d%d",dest[idx+56],dest[idx+57],dest[idx+58],dest[idx+59],dest[idx+60],dest[idx+61],dest[idx+62],dest[idx+63]);
+		
+		    short version='\x00';
+		    char unknown='\x00';
+		    uint16_t number=0;
+		    for(int j=14;j<18;j++){
+		       //Dbprintf("%d",dest[idx+j]);
+		       version <<=1;
+		       if (dest[idx+j]) version |= 1;
+		    }
+		    for(int j=19;j<27;j++){
+		       //Dbprintf("%d",dest[idx+j]);
+		       unknown <<=1;
+		       if (dest[idx+j]) unknown |= 1;
+		    }
+		    for(int j=37;j<45;j++){
+		       //Dbprintf("%d",dest[idx+j]);
+		       number <<=1;
+		       if (dest[idx+j]) number |= 1;
+		    }
+		    for(int j=46;j<53;j++){
+		       //Dbprintf("%d",dest[idx+j]);
+		       number <<=1;
+		       if (dest[idx+j]) number |= 1;
+		    }
+			
+		    for(int j=0; j<32; j++){
+				code <<=1;
+				if(dest[idx+j]) code |= 1;
+		    }
+		    for(int j=32; j<64; j++){
+				code2 <<=1;
+				if(dest[idx+j]) code2 |= 1;
+		    }
+		    
+		    Dbprintf("XSF(%02d)%02x:%d (%08x%08x)",version,unknown,number,code,code2);
+		    if (ledcontrol)
+			LED_D_OFF();
+		}
+		// if we're only looking for one tag 
+		if (findone){
+			LED_A_OFF();
+			return;
+		}
+
+		found=0;
+	  }
+	}
+	}
+	WDT_HIT();
+}
+
 /*------------------------------
  * T5555/T5557/T5567 routines
  *------------------------------
  */
 
 /* T55x7 configuration register definitions */
-#define T55x7_POR_DELAY			0x00000001
-#define T55x7_ST_TERMINATOR		0x00000008
-#define T55x7_PWD			0x00000010
+#define T55x7_POR_DELAY				0x00000001
+#define T55x7_ST_TERMINATOR			0x00000008
+#define T55x7_PWD					0x00000010
 #define T55x7_MAXBLOCK_SHIFT		5
-#define T55x7_AOR			0x00000200
-#define T55x7_PSKCF_RF_2		0
-#define T55x7_PSKCF_RF_4		0x00000400
-#define T55x7_PSKCF_RF_8		0x00000800
+#define T55x7_AOR					0x00000200
+#define T55x7_PSKCF_RF_2			0
+#define T55x7_PSKCF_RF_4			0x00000400
+#define T55x7_PSKCF_RF_8			0x00000800
 #define T55x7_MODULATION_DIRECT		0
 #define T55x7_MODULATION_PSK1		0x00001000
 #define T55x7_MODULATION_PSK2		0x00002000
@@ -831,17 +1022,17 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
 #define T55x7_MODULATION_FSK2a		0x00007000
 #define T55x7_MODULATION_MANCHESTER	0x00008000
 #define T55x7_MODULATION_BIPHASE	0x00010000
-#define T55x7_BITRATE_RF_8		0
-#define T55x7_BITRATE_RF_16		0x00040000
-#define T55x7_BITRATE_RF_32		0x00080000
-#define T55x7_BITRATE_RF_40		0x000C0000
-#define T55x7_BITRATE_RF_50		0x00100000
-#define T55x7_BITRATE_RF_64		0x00140000
+#define T55x7_BITRATE_RF_8			0
+#define T55x7_BITRATE_RF_16			0x00040000
+#define T55x7_BITRATE_RF_32			0x00080000
+#define T55x7_BITRATE_RF_40			0x000C0000
+#define T55x7_BITRATE_RF_50			0x00100000
+#define T55x7_BITRATE_RF_64			0x00140000
 #define T55x7_BITRATE_RF_100		0x00180000
 #define T55x7_BITRATE_RF_128		0x001C0000
 
 /* T5555 (Q5) configuration register definitions */
-#define T5555_ST_TERMINATOR		0x00000001
+#define T5555_ST_TERMINATOR			0x00000001
 #define T5555_MAXBLOCK_SHIFT		0x00000001
 #define T5555_MODULATION_MANCHESTER	0
 #define T5555_MODULATION_PSK1		0x00000010
@@ -851,32 +1042,43 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
 #define T5555_MODULATION_FSK2		0x00000050
 #define T5555_MODULATION_BIPHASE	0x00000060
 #define T5555_MODULATION_DIRECT		0x00000070
-#define T5555_INVERT_OUTPUT		0x00000080
-#define T5555_PSK_RF_2			0
-#define T5555_PSK_RF_4			0x00000100
-#define T5555_PSK_RF_8			0x00000200
-#define T5555_USE_PWD			0x00000400
-#define T5555_USE_AOR			0x00000800
-#define T5555_BITRATE_SHIFT		12
-#define T5555_FAST_WRITE		0x00004000
-#define T5555_PAGE_SELECT		0x00008000
+#define T5555_INVERT_OUTPUT			0x00000080
+#define T5555_PSK_RF_2				0
+#define T5555_PSK_RF_4				0x00000100
+#define T5555_PSK_RF_8				0x00000200
+#define T5555_USE_PWD				0x00000400
+#define T5555_USE_AOR				0x00000800
+#define T5555_BITRATE_SHIFT			12
+#define T5555_FAST_WRITE			0x00004000
+#define T5555_PAGE_SELECT			0x00008000
 
 /*
  * Relevant times in microsecond
  * To compensate antenna falling times shorten the write times
  * and enlarge the gap ones.
  */
-#define START_GAP 250
-#define WRITE_GAP 160
-#define WRITE_0   144 // 192
-#define WRITE_1   400 // 432 for T55x7; 448 for E5550
+#define START_GAP 30*8 // 10 - 50fc 250
+#define WRITE_GAP 20*8 //  8 - 30fc
+#define WRITE_0   24*8 // 16 - 31fc 24fc 192
+#define WRITE_1   54*8 // 48 - 63fc 54fc 432 for T55x7; 448 for E5550
+
+//  VALUES TAKEN FROM EM4x function: SendForward
+//  START_GAP = 440;       (55*8) cycles at 125Khz (8us = 1cycle)
+//  WRITE_GAP = 128;       (16*8)
+//  WRITE_1   = 256 32*8;  (32*8) 
+
+//  These timings work for 4469/4269/4305 (with the 55*8 above)
+//  WRITE_0 = 23*8 , 9*8  SpinDelayUs(23*8); 
+
+#define T55xx_SAMPLES_SIZE		12000 // 32 x 32 x 10  (32 bit times numofblock (7), times clock skip..)
 
 // Write one bit to card
 void T55xxWriteBit(int bit)
 {
+	FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
 	FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
-	if (bit == 0)
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
+	if (!bit)
 		SpinDelayUs(WRITE_0);
 	else
 		SpinDelayUs(WRITE_1);
@@ -887,14 +1089,11 @@ void T55xxWriteBit(int bit)
 // Write one card block in page 0, no lock
 void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMode)
 {
-	unsigned int i;
-
-	FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
+	uint32_t i = 0;
 
-	// Give it a bit of time for the resonant antenna to settle.
-	// And for the tag to fully power up
-	SpinDelay(150);
+	// Set up FPGA, 125kHz
+	// Wait for config.. (192+8190xPOW)x8 == 67ms
+	LFSetupFPGAForADC(0, true);
 
 	// Now start writting
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
@@ -903,11 +1102,11 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMod
 	// Opcode
 	T55xxWriteBit(1);
 	T55xxWriteBit(0); //Page 0
-  if (PwdMode == 1){
-    // Pwd
-    for (i = 0x80000000; i != 0; i >>= 1)
-      T55xxWriteBit(Pwd & i);
-  }
+	if (PwdMode == 1){
+		// Pwd
+		for (i = 0x80000000; i != 0; i >>= 1)
+			T55xxWriteBit(Pwd & i);
+	}
 	// Lock bit
 	T55xxWriteBit(0);
 
@@ -922,7 +1121,7 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMod
 	// Now perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
 	// so wait a little more)
 	FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
 	SpinDelay(20);
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 }
@@ -930,26 +1129,17 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMod
 // Read one card block in page 0
 void T55xxReadBlock(uint32_t Block, uint32_t Pwd, uint8_t PwdMode)
 {
-	uint8_t *dest = (uint8_t *)BigBuf;
-	int m=0, i=0;
-  
-	m = sizeof(BigBuf);
-  // Clear destination buffer before sending the command
-	memset(dest, 128, m);
-	// Connect the A/D to the peak-detected low-frequency path.
-	SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
-	// Now set up the SSC to get the ADC samples that are now streaming at us.
-	FpgaSetupSsc();
-  
-	LED_D_ON();
-	FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
-  
-	// Give it a bit of time for the resonant antenna to settle.
-	// And for the tag to fully power up
-	SpinDelay(150);
-  
-	// Now start writting
+	uint8_t *dest =  mifare_get_bigbufptr();
+	uint16_t bufferlength = T55xx_SAMPLES_SIZE;
+	uint32_t i = 0;
+
+	// Clear destination buffer before sending the command  0x80 = average.
+	memset(dest, 0x80, bufferlength);
+
+	// Set up FPGA, 125kHz
+	// Wait for config.. (192+8190xPOW)x8 == 67ms
+	LFSetupFPGAForADC(0, true);
+
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	SpinDelayUs(START_GAP);
   
@@ -967,53 +1157,40 @@ void T55xxReadBlock(uint32_t Block, uint32_t Pwd, uint8_t PwdMode)
 	for (i = 0x04; i != 0; i >>= 1)
 		T55xxWriteBit(Block & i);
   
-  // Turn field on to read the response
-	FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
+	// Turn field on to read the response
+	TurnReadLFOn();
   
 	// Now do the acquisition
 	i = 0;
 	for(;;) {
 		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
 			AT91C_BASE_SSC->SSC_THR = 0x43;
+			LED_D_ON();
 		}
 		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
 			dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-			// we don't care about actual value, only if it's more or less than a
-			// threshold essentially we capture zero crossings for later analysis
-      //			if(dest[i] < 127) dest[i] = 0; else dest[i] = 1;
-			i++;
-			if (i >= m) break;
+			++i;
+			LED_D_OFF();
+			if (i > bufferlength) break;
 		}
 	}
-  
-  FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
+ 
+	cmd_send(CMD_ACK,0,0,0,0,0);
+    FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
 	LED_D_OFF();
-	DbpString("DONE!");
 }
 
 // Read card traceability data (page 1)
 void T55xxReadTrace(void){
-	uint8_t *dest = (uint8_t *)BigBuf;
-	int m=0, i=0;
-  
-	m = sizeof(BigBuf);
-  // Clear destination buffer before sending the command
-	memset(dest, 128, m);
-	// Connect the A/D to the peak-detected low-frequency path.
-	SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
-	// Now set up the SSC to get the ADC samples that are now streaming at us.
-	FpgaSetupSsc();
-  
-	LED_D_ON();
-	FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
+	uint8_t *dest =  mifare_get_bigbufptr();
+	uint16_t bufferlength = T55xx_SAMPLES_SIZE;
+	int i=0;
+	
+	// Clear destination buffer before sending the command 0x80 = average
+	memset(dest, 0x80, bufferlength);  
   
-	// Give it a bit of time for the resonant antenna to settle.
-	// And for the tag to fully power up
-	SpinDelay(150);
+	LFSetupFPGAForADC(0, true);
   
-	// Now start writting
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 	SpinDelayUs(START_GAP);
   
@@ -1021,26 +1198,35 @@ void T55xxReadTrace(void){
 	T55xxWriteBit(1);
 	T55xxWriteBit(1); //Page 1
   
-  // Turn field on to read the response
-	FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
+	// Turn field on to read the response
+	TurnReadLFOn();
   
 	// Now do the acquisition
-	i = 0;
 	for(;;) {
 		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
 			AT91C_BASE_SSC->SSC_THR = 0x43;
+			LED_D_ON();
 		}
 		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
 			dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-			i++;
-			if (i >= m) break;
+			++i;
+			LED_D_OFF();
+		
+			if (i >= bufferlength) break;
 		}
 	}
   
-  FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
+	cmd_send(CMD_ACK,0,0,0,0,0);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
 	LED_D_OFF();
-	DbpString("DONE!");
+}
+
+void TurnReadLFOn(){
+	FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
+	// Give it a bit of time for the resonant antenna to settle.
+	//SpinDelay(30);
+	SpinDelayUs(8*150);
 }
 
 /*-------------- Cloning routines -----------*/
@@ -1156,7 +1342,7 @@ void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT)
   }
   
 	// Config for HID (RF/50, FSK2a, Maxblock=3 for short/6 for long)
-	T55xxWriteBlock(T55x7_BITRATE_RF_50    |
+	T55xxWriteBlock(T55x7_BITRATE_RF_50  |
                   T55x7_MODULATION_FSK2a |
                   last_block << T55x7_MAXBLOCK_SHIFT,
                   0,0,0);
@@ -1166,6 +1352,26 @@ void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT)
 	DbpString("DONE!");
 }
 
+void CopyIOtoT55x7(uint32_t hi, uint32_t lo, uint8_t longFMT)
+{
+   int data1=0, data2=0; //up to six blocks for long format
+  	
+    data1 = hi;  // load preamble
+    data2 = lo;
+    
+    LED_D_ON();
+    // Program the data blocks for supplied ID
+    // and the block 0 for HID format
+    T55xxWriteBlock(data1,1,0,0);
+    T55xxWriteBlock(data2,2,0,0);
+	
+    //Config Block
+    T55xxWriteBlock(0x00147040,0,0,0);
+    LED_D_OFF();
+	
+    DbpString("DONE!");
+}
+
 // Define 9bit header for EM410x tags
 #define EM410X_HEADER		0x1FF
 #define EM410X_ID_LENGTH	40
@@ -1279,7 +1485,6 @@ void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo)
 // Clone Indala 64-bit tag by UID to T55x7
 void CopyIndala64toT55x7(int hi, int lo)
 {
-
 	//Program the 2 data blocks for supplied 64bit UID
 	// and the block 0 for Indala64 format
 	T55xxWriteBlock(hi,1,0,0);
@@ -1290,15 +1495,13 @@ void CopyIndala64toT55x7(int hi, int lo)
 			2 << T55x7_MAXBLOCK_SHIFT,
 			0, 0, 0);
 	//Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
-//	T5567WriteBlock(0x603E1042,0);
+	//	T5567WriteBlock(0x603E1042,0);
 
 	DbpString("DONE!");
-
 }	
 
 void CopyIndala224toT55x7(int uid1, int uid2, int uid3, int uid4, int uid5, int uid6, int uid7)
 {
-
 	//Program the 7 data blocks for supplied 224bit UID
 	// and the block 0 for Indala224 format
 	T55xxWriteBlock(uid1,1,0,0);
@@ -1314,10 +1517,9 @@ void CopyIndala224toT55x7(int uid1, int uid2, int uid3, int uid4, int uid5, int
 			7 << T55x7_MAXBLOCK_SHIFT,
 			0,0,0);
 	//Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
-//	T5567WriteBlock(0x603E10E2,0);
+	//	T5567WriteBlock(0x603E10E2,0);
 
 	DbpString("DONE!");
-
 }
 
 
@@ -1464,7 +1666,6 @@ int IsBlock1PCF7931(uint8_t *Block) {
 	
 	return 0;
 }
-
 #define ALLOC 16
 
 void ReadPCF7931() {
@@ -1692,8 +1893,9 @@ void SendForward(uint8_t fwd_bit_count) {
   LED_D_ON();
   
   //Field on
+  FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
   FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
-  FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);
+  FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
   
   // Give it a bit of time for the resonant antenna to settle.
   // And for the tag to fully power up
@@ -1705,7 +1907,7 @@ void SendForward(uint8_t fwd_bit_count) {
   FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
   SpinDelayUs(55*8); //55 cycles off (8us each)for 4305
   FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
-  FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);//field on
+  FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
   SpinDelayUs(16*8); //16 cycles on (8us each)
   
   // now start writting
@@ -1717,12 +1919,13 @@ void SendForward(uint8_t fwd_bit_count) {
       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
       SpinDelayUs(23*8); //16-4 cycles off (8us each)
       FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
-      FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);//field on
+      FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
       SpinDelayUs(9*8); //16 cycles on (8us each)
     }
   }
 }
 
+
 void EM4xLogin(uint32_t Password) {
   
   uint8_t fwd_bit_count;
@@ -1740,41 +1943,48 @@ void EM4xLogin(uint32_t Password) {
 
 void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
   
-  uint8_t fwd_bit_count;
-  uint8_t *dest = (uint8_t *)BigBuf;
-  int m=0, i=0;
+  	uint8_t *dest =  mifare_get_bigbufptr();
+	uint16_t bufferlength = 12000;
+	uint32_t i = 0;
+
+	// Clear destination buffer before sending the command  0x80 = average.
+	memset(dest, 0x80, bufferlength);
+	
+	uint8_t fwd_bit_count;
   
-  //If password mode do login
-  if (PwdMode == 1) EM4xLogin(Pwd);
+	//If password mode do login
+	if (PwdMode == 1) EM4xLogin(Pwd);
   
-  forward_ptr = forwardLink_data;
-  fwd_bit_count = Prepare_Cmd( FWD_CMD_READ );
-  fwd_bit_count += Prepare_Addr( Address );
+	forward_ptr = forwardLink_data;
+	fwd_bit_count = Prepare_Cmd( FWD_CMD_READ );
+	fwd_bit_count += Prepare_Addr( Address );
   
-  m = sizeof(BigBuf);
-  // Clear destination buffer before sending the command
-  memset(dest, 128, m);
-  // Connect the A/D to the peak-detected low-frequency path.
-  SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
-  // Now set up the SSC to get the ADC samples that are now streaming at us.
-  FpgaSetupSsc();
+	// Connect the A/D to the peak-detected low-frequency path.
+	SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
+	// Now set up the SSC to get the ADC samples that are now streaming at us.
+	FpgaSetupSsc();
   
-  SendForward(fwd_bit_count);
+	SendForward(fwd_bit_count);
   
-  // Now do the acquisition
-  i = 0;
-  for(;;) {
-    if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
-      AT91C_BASE_SSC->SSC_THR = 0x43;
-    }
-    if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
-      dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-      i++;
-      if (i >= m) break;
-    }
-  }
-  FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
-  LED_D_OFF();
+	// // Turn field on to read the response
+	// TurnReadLFOn();
+	
+	// Now do the acquisition
+	i = 0;
+	for(;;) {
+		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
+			AT91C_BASE_SSC->SSC_THR = 0x43;
+		}
+		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
+			dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
+			++i;
+			if (i >= bufferlength) break;
+		}
+	}
+  
+	cmd_send(CMD_ACK,0,0,0,0,0);
+	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
+	LED_D_OFF();
 }
 
 void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {