From: iZsh Date: Sat, 21 Jun 2014 19:33:54 +0000 (+0200) Subject: new command "lf snoop" to snoop raw ADC values X-Git-Tag: v1.1.0~1^2~4 X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/b014c96d685962e4d4eea887b211397ba17fbf3d new command "lf snoop" to snoop raw ADC values fpga/lo_read.v (lf_field): new argument. fpga/fpga_lf.v: modify accordingly. armsrc/apps.h (FPGA_MAJOR_MODE_LF_READER): Rename as FPGA_MAJOR_MODE_LF_ADC. armsrc/apps.h (FPGA_LF_ADC_READER_FIELD): New LF option. armsrc/lfops.c: Modify accordingly. client/cmdlf.c (CmdLFSnoop): New command. armsrc/appmain.c, armsrc/lfops.c, client/cmdlf.h, include/usb_cmd.h: Modify accordingly. --- diff --git a/armsrc/appmain.c b/armsrc/appmain.c index b7bc87e7..8c224b6a 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -215,7 +215,7 @@ void MeasureAntennaTuning(void) */ FpgaDownloadAndGo(FPGA_BITSTREAM_LF); - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); for (i=255; i>19; i--) { WDT_HIT(); FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i); @@ -638,6 +638,10 @@ void UsbPacketReceived(uint8_t *packet, int len) case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K: ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes); break; + case CMD_LF_SNOOP_RAW_ADC_SAMPLES: + SnoopLFRawAdcSamples(c->arg[0], c->arg[1]); + cmd_send(CMD_ACK,0,0,0,0,0); + break; case CMD_HID_DEMOD_FSK: CmdHIDdemodFSK(0, 0, 0, 1); // Demodulate HID tag break; diff --git a/armsrc/apps.h b/armsrc/apps.h index 76d1247a..4c7fa190 100644 --- a/armsrc/apps.h +++ b/armsrc/apps.h @@ -59,7 +59,8 @@ void ToSendStuffBit(int b); void ToSendReset(void); void ListenReaderField(int limit); void AcquireRawAdcSamples125k(int at134khz); -void DoAcquisition125k(void); +void SnoopLFRawAdcSamples(int divisor, int trigger_threshold); +void DoAcquisition125k(int trigger_threshold); extern int ToSendMax; extern uint8_t ToSend[]; extern uint32_t BigBuf[]; @@ -82,8 +83,8 @@ void SetAdcMuxFor(uint32_t whichGpio); #define FPGA_CMD_SET_DIVISOR (2<<12) // Definitions for the FPGA configuration word. // LF -#define FPGA_MAJOR_MODE_LF_READER (0<<5) -#define FPGA_MAJOR_MODE_LF_EDGE_DETECT (1<<5) +#define FPGA_MAJOR_MODE_LF_ADC (0<<5) +#define FPGA_MAJOR_MODE_LF_EDGE_DETECT (1<<5) #define FPGA_MAJOR_MODE_LF_PASSTHRU (2<<5) // HF #define FPGA_MAJOR_MODE_HF_READER_TX (0<<5) @@ -92,6 +93,8 @@ void SetAdcMuxFor(uint32_t whichGpio); #define FPGA_MAJOR_MODE_HF_ISO14443A (3<<5) // BOTH #define FPGA_MAJOR_MODE_OFF (7<<5) +// Options for LF_ADC +#define FPGA_LF_ADC_READER_FIELD (1<<0) // Options for LF_EDGE_DETECT #define FPGA_LF_EDGE_DETECT_READER_FIELD (1<<0) // Options for the HF reader, tx to tag diff --git a/armsrc/lfops.c b/armsrc/lfops.c index a0fa870b..6b131c26 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c @@ -15,7 +15,7 @@ #include "crc16.h" #include "string.h" -void AcquireRawAdcSamples125k(int divisor) +void LFSetupFPGAForADC(int divisor, bool lf_field) { FpgaDownloadAndGo(FPGA_BITSTREAM_LF); if ( (divisor == 1) || (divisor < 0) || (divisor > 255) ) @@ -25,23 +25,30 @@ void AcquireRawAdcSamples125k(int divisor) else FpgaSendCommand(FPGA_CMD_SET_DIVISOR, divisor); - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | (lf_field ? FPGA_LF_ADC_READER_FIELD : 0)); // Connect the A/D to the peak-detected low-frequency path. SetAdcMuxFor(GPIO_MUXSEL_LOPKD); - // Give it a bit of time for the resonant antenna to settle. SpinDelay(50); - // Now set up the SSC to get the ADC samples that are now streaming at us. FpgaSetupSsc(); +} + +void AcquireRawAdcSamples125k(int divisor) +{ + LFSetupFPGAForADC(divisor, true); + DoAcquisition125k(-1); +} - // Now call the acquisition routine - DoAcquisition125k(); +void SnoopLFRawAdcSamples(int divisor, int trigger_threshold) +{ + LFSetupFPGAForADC(divisor, false); + DoAcquisition125k(trigger_threshold); } // split into two routines so we can avoid timing issues after sending commands // -void DoAcquisition125k(void) +void DoAcquisition125k(int trigger_threshold) { uint8_t *dest = (uint8_t *)BigBuf; int n = sizeof(BigBuf); @@ -56,9 +63,12 @@ void DoAcquisition125k(void) } if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) { dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - i++; LED_D_OFF(); - if (i >= n) break; + if (trigger_threshold != -1 && dest[i] < trigger_threshold) + continue; + else + trigger_threshold = -1; + if (++i >= n) break; } } Dbprintf("buffer samples: %02x %02x %02x %02x %02x %02x %02x %02x ...", @@ -85,7 +95,7 @@ void ModThenAcquireRawAdcSamples125k(int delay_off, int period_0, int period_1, else FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); // Give it a bit of time for the resonant antenna to settle. SpinDelay(50); @@ -105,7 +115,7 @@ void ModThenAcquireRawAdcSamples125k(int delay_off, int period_0, int period_1, else FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); LED_D_ON(); if(*(command++) == '0') SpinDelayUs(period_0); @@ -120,10 +130,10 @@ void ModThenAcquireRawAdcSamples125k(int delay_off, int period_0, int period_1, else FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); // now do the read - DoAcquisition125k(); + DoAcquisition125k(-1); } /* blank r/w tag data stream @@ -609,7 +619,7 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) FpgaDownloadAndGo(FPGA_BITSTREAM_LF); FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); // Connect the A/D to the peak-detected low-frequency path. SetAdcMuxFor(GPIO_MUXSEL_LOPKD); @@ -823,7 +833,7 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) FpgaDownloadAndGo(FPGA_BITSTREAM_LF); FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); // Connect the A/D to the peak-detected low-frequency path. SetAdcMuxFor(GPIO_MUXSEL_LOPKD); @@ -1141,7 +1151,7 @@ void T55xxWriteBit(int bit) { FpgaDownloadAndGo(FPGA_BITSTREAM_LF); FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); if (bit == 0) SpinDelayUs(WRITE_0); else @@ -1157,7 +1167,7 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMod FpgaDownloadAndGo(FPGA_BITSTREAM_LF); FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); // Give it a bit of time for the resonant antenna to settle. // And for the tag to fully power up @@ -1189,7 +1199,7 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMod // Now perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550, // so wait a little more) FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); SpinDelay(20); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); } @@ -1211,7 +1221,7 @@ void T55xxReadBlock(uint32_t Block, uint32_t Pwd, uint8_t PwdMode) LED_D_ON(); FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); // Give it a bit of time for the resonant antenna to settle. // And for the tag to fully power up @@ -1237,7 +1247,7 @@ void T55xxReadBlock(uint32_t Block, uint32_t Pwd, uint8_t PwdMode) // Turn field on to read the response FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); // Now do the acquisition i = 0; @@ -1276,7 +1286,7 @@ void T55xxReadTrace(void){ LED_D_ON(); FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); // Give it a bit of time for the resonant antenna to settle. // And for the tag to fully power up @@ -1292,7 +1302,7 @@ void T55xxReadTrace(void){ // Turn field on to read the response FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); // Now do the acquisition i = 0; @@ -1983,7 +1993,7 @@ void SendForward(uint8_t fwd_bit_count) { //Field on FpgaDownloadAndGo(FPGA_BITSTREAM_LF); FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); // Give it a bit of time for the resonant antenna to settle. // And for the tag to fully power up @@ -1995,7 +2005,7 @@ void SendForward(uint8_t fwd_bit_count) { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off SpinDelayUs(55*8); //55 cycles off (8us each)for 4305 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);//field on + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on SpinDelayUs(16*8); //16 cycles on (8us each) // now start writting @@ -2007,7 +2017,7 @@ void SendForward(uint8_t fwd_bit_count) { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off SpinDelayUs(23*8); //16-4 cycles off (8us each) FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER);//field on + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on SpinDelayUs(9*8); //16 cycles on (8us each) } } diff --git a/client/cmdlf.c b/client/cmdlf.c index 387e60d5..22aa1e05 100644 --- a/client/cmdlf.c +++ b/client/cmdlf.c @@ -450,6 +450,28 @@ int CmdLFSimManchester(const char *Cmd) return 0; } +int CmdLFSnoop(const char *Cmd) +{ + UsbCommand c = {CMD_LF_SNOOP_RAW_ADC_SAMPLES}; + // 'h' means higher-low-frequency, 134 kHz + c.arg[0] = 0; + c.arg[1] = -1; + if (*Cmd == 0) { + // empty + } else if (*Cmd == 'l') { + sscanf(Cmd, "l %"lli, &c.arg[1]); + } else if(*Cmd == 'h') { + c.arg[0] = 1; + sscanf(Cmd, "h %"lli, &c.arg[1]); + } else if (sscanf(Cmd, "%"lli" %"lli, &c.arg[0], &c.arg[1]) < 1) { + PrintAndLog("use 'snoop' or 'snoop {l,h} [trigger threshold]', or 'snoop [trigger threshold]'"); + return 0; + } + SendCommand(&c); + WaitForResponse(CMD_ACK,NULL); + return 0; +} + int CmdVchDemod(const char *Cmd) { // Is this the entire sync pattern, or does this also include some @@ -540,6 +562,7 @@ static command_t CommandTable[] = {"sim", CmdLFSim, 0, "[GAP] -- Simulate LF tag from buffer with optional GAP (in microseconds)"}, {"simbidir", CmdLFSimBidir, 0, "Simulate LF tag (with bidirectional data transmission between reader and tag)"}, {"simman", CmdLFSimManchester, 0, " [GAP] Simulate arbitrary Manchester LF tag"}, + {"snoop", CmdLFSnoop, 0, "['l'|'h'|] [trigger threshold]-- Snoop LF (l:125khz, h:134khz)"}, {"ti", CmdLFTI, 1, "{ TI RFIDs... }"}, {"hitag", CmdLFHitag, 1, "{ Hitag tags and transponders... }"}, {"vchdemod", CmdVchDemod, 1, "['clone'] -- Demodulate samples for VeriChip"}, diff --git a/client/cmdlf.h b/client/cmdlf.h index 471e4e0c..7278754b 100644 --- a/client/cmdlf.h +++ b/client/cmdlf.h @@ -21,6 +21,7 @@ int CmdLFRead(const char *Cmd); int CmdLFSim(const char *Cmd); int CmdLFSimBidir(const char *Cmd); int CmdLFSimManchester(const char *Cmd); +int CmdLFSnoop(const char *Cmd); int CmdVchDemod(const char *Cmd); #endif diff --git a/fpga/fpga_lf.bit b/fpga/fpga_lf.bit index 133ea992..d9c7515e 100644 Binary files a/fpga/fpga_lf.bit and b/fpga/fpga_lf.bit differ diff --git a/fpga/fpga_lf.v b/fpga/fpga_lf.v index 1e20aa90..81976375 100644 --- a/fpga/fpga_lf.v +++ b/fpga/fpga_lf.v @@ -80,7 +80,7 @@ lo_read lr( lr_pwr_lo, lr_pwr_hi, lr_pwr_oe1, lr_pwr_oe2, lr_pwr_oe3, lr_pwr_oe4, adc_d, lr_adc_clk, lr_ssp_frame, lr_ssp_din, lr_ssp_clk, - lr_dbg + lr_dbg, lf_field ); lo_passthru lp( diff --git a/fpga/lo_read.v b/fpga/lo_read.v index b1fa7fc7..a6d077b9 100644 --- a/fpga/lo_read.v +++ b/fpga/lo_read.v @@ -13,7 +13,8 @@ module lo_read( output pwr_oe1, output pwr_oe2, output pwr_oe3, output pwr_oe4, input [7:0] adc_d, output adc_clk, output ssp_frame, output ssp_din, output ssp_clk, - output dbg + output dbg, + input lf_field ); reg [7:0] to_arm_shiftreg; @@ -65,7 +66,7 @@ assign pwr_oe2 = 1'b0; assign pwr_oe3 = 1'b0; assign pwr_oe4 = 1'b0; // this is the antenna driver signal -assign pwr_lo = pck_divclk; +assign pwr_lo = lf_field & pck_divclk; // ADC clock out of phase with antenna driver assign adc_clk = ~pck_divclk; // ADC clock also routed to debug pin diff --git a/include/usb_cmd.h b/include/usb_cmd.h index 9c25555d..4b1fc2b6 100644 --- a/include/usb_cmd.h +++ b/include/usb_cmd.h @@ -96,6 +96,7 @@ typedef struct { #define CMD_ISO_15693_COMMAND_DONE 0x0314 #define CMD_ISO_15693_FIND_AFI 0x0315 #define CMD_ISO_15693_DEBUG 0x0316 +#define CMD_LF_SNOOP_RAW_ADC_SAMPLES 0x0317 // For Hitag2 transponders #define CMD_SNOOP_HITAG 0x0370