]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/lfops.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ADD: 'hf standalone 14a mode", added "mifare 4k" detection.
[proxmark3-svn] / armsrc / lfops.c
CommitLineData
e09f21fa 1//-----------------------------------------------------------------------------
2// This code is licensed to you under the terms of the GNU GPL, version 2 or,
3// at your option, any later version. See the LICENSE.txt file for the text of
4// the license.
5//-----------------------------------------------------------------------------
6// Miscellaneous routines for low frequency tag operations.
7// Tags supported here so far are Texas Instruments (TI), HID
8// Also routines for raw mode reading/simulating of LF waveform
9//-----------------------------------------------------------------------------
10
11#include "proxmark3.h"
12#include "apps.h"
13#include "util.h"
14#include "hitag2.h"
15#include "crc16.h"
16#include "string.h"
17#include "lfdemod.h"
18#include "lfsampling.h"
1d0ccbe0 19#include "protocols.h"
c0f15a05 20#include "usb_cdc.h" // for usb_poll_validate_length
e09f21fa 21
f121b478 22#ifndef SHORT_COIL
23# define SHORT_COIL() LOW(GPIO_SSC_DOUT)
24#endif
25#ifndef OPEN_COIL
26# define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
27#endif
28
e09f21fa 29/**
30 * Function to do a modulation and then get samples.
31 * @param delay_off
95522869 32 * @param periods 0xFFFF0000 is period_0, 0x0000FFFF is period_1
33 * @param useHighFreg
e09f21fa 34 * @param command
35 */
d0724780 36void ModThenAcquireRawAdcSamples125k(uint32_t delay_off, uint32_t periods, uint32_t useHighFreq, uint8_t *command)
e09f21fa 37{
d0724780 38 /* Make sure the tag is reset */
39 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
40 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
41 SpinDelay(200);
e09f21fa 42
d0724780 43 uint16_t period_0 = periods >> 16;
44 uint16_t period_1 = periods & 0xFFFF;
45
507afbf3 46 // 95 == 125 KHz 88 == 134.8 KHz
95522869 47 int divisor_used = (useHighFreq) ? 88 : 95;
e09f21fa 48 sample_config sc = { 0,0,1, divisor_used, 0};
49 setSamplingConfig(&sc);
d0724780 50
c0f15a05 51 //clear read buffer
52 BigBuf_Clear_keep_EM();
e09f21fa 53
e09f21fa 54 LFSetupFPGAForADC(sc.divisor, 1);
55
56 // And a little more time for the tag to fully power up
d0724780 57 SpinDelay(50);
e09f21fa 58
e0165dcf 59 // now modulate the reader field
60 while(*command != '\0' && *command != ' ') {
61 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
62 LED_D_OFF();
24c49d36 63 WaitUS(delay_off);
e09f21fa 64 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc.divisor);
65
e0165dcf 66 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
67 LED_D_ON();
68 if(*(command++) == '0')
24c49d36 69 WaitUS(period_0);
e0165dcf 70 else
24c49d36 71 WaitUS(period_1);
e0165dcf 72 }
73 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
74 LED_D_OFF();
24c49d36 75 WaitUS(delay_off);
e09f21fa 76 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc.divisor);
e0165dcf 77 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
e09f21fa 78
e0165dcf 79 // now do the read
e09f21fa 80 DoAcquisition_config(false);
b828a4e1 81
82 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
e09f21fa 83}
84
e09f21fa 85/* blank r/w tag data stream
86...0000000000000000 01111111
871010101010101010101010101010101010101010101010101010101010101010
880011010010100001
8901111111
90101010101010101[0]000...
91
92[5555fe852c5555555555555555fe0000]
93*/
94void ReadTItag(void)
95{
29ff374e 96 StartTicks();
e0165dcf 97 // some hardcoded initial params
98 // when we read a TI tag we sample the zerocross line at 2Mhz
99 // TI tags modulate a 1 as 16 cycles of 123.2Khz
100 // TI tags modulate a 0 as 16 cycles of 134.2Khz
0de8e387 101 #define FSAMPLE 2000000
102 #define FREQLO 123200
103 #define FREQHI 134200
e09f21fa 104
e0165dcf 105 signed char *dest = (signed char *)BigBuf_get_addr();
106 uint16_t n = BigBuf_max_traceLen();
107 // 128 bit shift register [shift3:shift2:shift1:shift0]
108 uint32_t shift3 = 0, shift2 = 0, shift1 = 0, shift0 = 0;
109
110 int i, cycles=0, samples=0;
111 // how many sample points fit in 16 cycles of each frequency
112 uint32_t sampleslo = (FSAMPLE<<4)/FREQLO, sampleshi = (FSAMPLE<<4)/FREQHI;
113 // when to tell if we're close enough to one freq or another
114 uint32_t threshold = (sampleslo - sampleshi + 1)>>1;
115
116 // TI tags charge at 134.2Khz
117 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
118 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
119
120 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
121 // connects to SSP_DIN and the SSP_DOUT logic level controls
122 // whether we're modulating the antenna (high)
123 // or listening to the antenna (low)
124 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
125
126 // get TI tag data into the buffer
127 AcquireTiType();
128
129 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
130
131 for (i=0; i<n-1; i++) {
132 // count cycles by looking for lo to hi zero crossings
133 if ( (dest[i]<0) && (dest[i+1]>0) ) {
134 cycles++;
135 // after 16 cycles, measure the frequency
136 if (cycles>15) {
137 cycles=0;
138 samples=i-samples; // number of samples in these 16 cycles
139
140 // TI bits are coming to us lsb first so shift them
141 // right through our 128 bit right shift register
142 shift0 = (shift0>>1) | (shift1 << 31);
143 shift1 = (shift1>>1) | (shift2 << 31);
144 shift2 = (shift2>>1) | (shift3 << 31);
145 shift3 >>= 1;
146
147 // check if the cycles fall close to the number
148 // expected for either the low or high frequency
149 if ( (samples>(sampleslo-threshold)) && (samples<(sampleslo+threshold)) ) {
150 // low frequency represents a 1
151 shift3 |= (1<<31);
152 } else if ( (samples>(sampleshi-threshold)) && (samples<(sampleshi+threshold)) ) {
153 // high frequency represents a 0
154 } else {
155 // probably detected a gay waveform or noise
156 // use this as gaydar or discard shift register and start again
157 shift3 = shift2 = shift1 = shift0 = 0;
158 }
159 samples = i;
160
161 // for each bit we receive, test if we've detected a valid tag
162
163 // if we see 17 zeroes followed by 6 ones, we might have a tag
164 // remember the bits are backwards
165 if ( ((shift0 & 0x7fffff) == 0x7e0000) ) {
166 // if start and end bytes match, we have a tag so break out of the loop
167 if ( ((shift0>>16)&0xff) == ((shift3>>8)&0xff) ) {
168 cycles = 0xF0B; //use this as a flag (ugly but whatever)
169 break;
170 }
171 }
172 }
173 }
174 }
175
176 // if flag is set we have a tag
177 if (cycles!=0xF0B) {
178 DbpString("Info: No valid tag detected.");
179 } else {
180 // put 64 bit data into shift1 and shift0
181 shift0 = (shift0>>24) | (shift1 << 8);
182 shift1 = (shift1>>24) | (shift2 << 8);
183
184 // align 16 bit crc into lower half of shift2
185 shift2 = ((shift2>>24) | (shift3 << 8)) & 0x0ffff;
186
187 // if r/w tag, check ident match
e09f21fa 188 if (shift3 & (1<<15) ) {
e0165dcf 189 DbpString("Info: TI tag is rewriteable");
190 // only 15 bits compare, last bit of ident is not valid
e09f21fa 191 if (((shift3 >> 16) ^ shift0) & 0x7fff ) {
e0165dcf 192 DbpString("Error: Ident mismatch!");
193 } else {
194 DbpString("Info: TI tag ident is valid");
195 }
196 } else {
197 DbpString("Info: TI tag is readonly");
198 }
199
200 // WARNING the order of the bytes in which we calc crc below needs checking
201 // i'm 99% sure the crc algorithm is correct, but it may need to eat the
202 // bytes in reverse or something
203 // calculate CRC
204 uint32_t crc=0;
205
206 crc = update_crc16(crc, (shift0)&0xff);
207 crc = update_crc16(crc, (shift0>>8)&0xff);
208 crc = update_crc16(crc, (shift0>>16)&0xff);
209 crc = update_crc16(crc, (shift0>>24)&0xff);
210 crc = update_crc16(crc, (shift1)&0xff);
211 crc = update_crc16(crc, (shift1>>8)&0xff);
212 crc = update_crc16(crc, (shift1>>16)&0xff);
213 crc = update_crc16(crc, (shift1>>24)&0xff);
214
1a570b0a 215 Dbprintf("Info: Tag data: %x%08x, crc=%x", (unsigned int)shift1, (unsigned int)shift0, (unsigned int)shift2 & 0xFFFF);
e0165dcf 216 if (crc != (shift2&0xffff)) {
217 Dbprintf("Error: CRC mismatch, expected %x", (unsigned int)crc);
218 } else {
219 DbpString("Info: CRC is good");
220 }
221 }
29ff374e 222 StopTicks();
e09f21fa 223}
224
225void WriteTIbyte(uint8_t b)
226{
e0165dcf 227 int i = 0;
228
229 // modulate 8 bits out to the antenna
230 for (i=0; i<8; i++)
231 {
24c49d36 232 if ( b & ( 1 << i ) ) {
233 // stop modulating antenna 1ms
e0165dcf 234 LOW(GPIO_SSC_DOUT);
24c49d36 235 WaitUS(1000);
236 // modulate antenna 1ms
237 HIGH(GPIO_SSC_DOUT);
238 WaitUS(1000);
e0165dcf 239 } else {
24c49d36 240 // stop modulating antenna 1ms
e0165dcf 241 LOW(GPIO_SSC_DOUT);
24c49d36 242 WaitUS(300);
243 // modulate antenna 1m
e0165dcf 244 HIGH(GPIO_SSC_DOUT);
24c49d36 245 WaitUS(1700);
e0165dcf 246 }
247 }
e09f21fa 248}
249
250void AcquireTiType(void)
251{
e0165dcf 252 int i, j, n;
253 // tag transmission is <20ms, sampling at 2M gives us 40K samples max
254 // each sample is 1 bit stuffed into a uint32_t so we need 1250 uint32_t
a739812e 255 #define TIBUFLEN 1250
e09f21fa 256
e0165dcf 257 // clear buffer
a739812e 258 uint32_t *buf = (uint32_t *)BigBuf_get_addr();
259
260 //clear buffer now so it does not interfere with timing later
261 BigBuf_Clear_ext(false);
e0165dcf 262
263 // Set up the synchronous serial port
264 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DIN;
265 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN;
266
267 // steal this pin from the SSP and use it to control the modulation
268 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
269 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
270
271 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
272 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_RXEN | AT91C_SSC_TXEN;
273
274 // Sample at 2 Mbit/s, so TI tags are 16.2 vs. 14.9 clocks long
275 // 48/2 = 24 MHz clock must be divided by 12
276 AT91C_BASE_SSC->SSC_CMR = 12;
277
278 AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(0);
279 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(32) | AT91C_SSC_MSBF;
280 AT91C_BASE_SSC->SSC_TCMR = 0;
281 AT91C_BASE_SSC->SSC_TFMR = 0;
c5e8b916 282 // iceman, FpgaSetupSsc() ?? the code above? can it be replaced?
e0165dcf 283 LED_D_ON();
284
285 // modulate antenna
286 HIGH(GPIO_SSC_DOUT);
287
288 // Charge TI tag for 50ms.
29ff374e 289 WaitMS(50);
e0165dcf 290
291 // stop modulating antenna and listen
292 LOW(GPIO_SSC_DOUT);
293
294 LED_D_OFF();
295
296 i = 0;
297 for(;;) {
298 if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
a739812e 299 buf[i] = AT91C_BASE_SSC->SSC_RHR; // store 32 bit values in buffer
e0165dcf 300 i++; if(i >= TIBUFLEN) break;
301 }
302 WDT_HIT();
303 }
304
305 // return stolen pin to SSP
306 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;
307 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN | GPIO_SSC_DOUT;
308
309 char *dest = (char *)BigBuf_get_addr();
a739812e 310 n = TIBUFLEN * 32;
311
e0165dcf 312 // unpack buffer
a739812e 313 for (i = TIBUFLEN-1; i >= 0; i--) {
314 for (j = 0; j < 32; j++) {
315 if(buf[i] & (1 << j)) {
e0165dcf 316 dest[--n] = 1;
317 } else {
318 dest[--n] = -1;
319 }
320 }
321 }
e09f21fa 322}
323
324// arguments: 64bit data split into 32bit idhi:idlo and optional 16bit crc
325// if crc provided, it will be written with the data verbatim (even if bogus)
326// if not provided a valid crc will be computed from the data and written.
327void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc)
328{
29ff374e 329 StartTicks();
e0165dcf 330 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
331 if(crc == 0) {
332 crc = update_crc16(crc, (idlo)&0xff);
333 crc = update_crc16(crc, (idlo>>8)&0xff);
334 crc = update_crc16(crc, (idlo>>16)&0xff);
335 crc = update_crc16(crc, (idlo>>24)&0xff);
336 crc = update_crc16(crc, (idhi)&0xff);
337 crc = update_crc16(crc, (idhi>>8)&0xff);
338 crc = update_crc16(crc, (idhi>>16)&0xff);
339 crc = update_crc16(crc, (idhi>>24)&0xff);
340 }
a739812e 341 Dbprintf("Writing to tag: %x%08x, crc=%x", (unsigned int) idhi, (unsigned int) idlo, crc);
e0165dcf 342
343 // TI tags charge at 134.2Khz
344 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
345 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
346 // connects to SSP_DIN and the SSP_DOUT logic level controls
347 // whether we're modulating the antenna (high)
348 // or listening to the antenna (low)
349 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
350 LED_A_ON();
351
352 // steal this pin from the SSP and use it to control the modulation
353 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
354 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
355
356 // writing algorithm:
357 // a high bit consists of a field off for 1ms and field on for 1ms
358 // a low bit consists of a field off for 0.3ms and field on for 1.7ms
359 // initiate a charge time of 50ms (field on) then immediately start writing bits
360 // start by writing 0xBB (keyword) and 0xEB (password)
361 // then write 80 bits of data (or 64 bit data + 16 bit crc if you prefer)
362 // finally end with 0x0300 (write frame)
1a570b0a 363 // all data is sent lsb first
e0165dcf 364 // finish with 15ms programming time
365
366 // modulate antenna
367 HIGH(GPIO_SSC_DOUT);
29ff374e 368 WaitMS(50); // charge time
e0165dcf 369
370 WriteTIbyte(0xbb); // keyword
371 WriteTIbyte(0xeb); // password
372 WriteTIbyte( (idlo )&0xff );
373 WriteTIbyte( (idlo>>8 )&0xff );
374 WriteTIbyte( (idlo>>16)&0xff );
375 WriteTIbyte( (idlo>>24)&0xff );
376 WriteTIbyte( (idhi )&0xff );
377 WriteTIbyte( (idhi>>8 )&0xff );
378 WriteTIbyte( (idhi>>16)&0xff );
379 WriteTIbyte( (idhi>>24)&0xff ); // data hi to lo
380 WriteTIbyte( (crc )&0xff ); // crc lo
381 WriteTIbyte( (crc>>8 )&0xff ); // crc hi
382 WriteTIbyte(0x00); // write frame lo
383 WriteTIbyte(0x03); // write frame hi
384 HIGH(GPIO_SSC_DOUT);
29ff374e 385 WaitMS(50); // programming time
e0165dcf 386
387 LED_A_OFF();
388
389 // get TI tag data into the buffer
390 AcquireTiType();
391
392 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
6c68b84a 393 DbpString("Now use `lf ti read` to check");
29ff374e 394 StopTicks();
e09f21fa 395}
396
cd073027 397void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
e09f21fa 398{
f121b478 399 int i = 0;
49065576 400 uint8_t *buf = BigBuf_get_addr();
4460be68 401
501c666b 402 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
403 //FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
404 //FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_TOGGLE_MODE );
6fe5fe8d
I		 405
406 // set frequency, get values from 'lf config' command
407 sample_config *sc = getSamplingConfig();
408
409 if ( (sc->divisor == 1) || (sc->divisor < 0) || (sc->divisor > 255) )
410 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
411 else if (sc->divisor == 0)
412 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
413 else
414 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc->divisor);
415
501c666b 416 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
417
e0165dcf 418 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK;
e0165dcf 419 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
420 AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK;
e09f21fa 421
501c666b 422 // power on antenna
423 // OPEN_COIL();
424 // SpinDelay(50);
425
e0165dcf 426 for(;;) {
f121b478 427 WDT_HIT();
428
429 if (ledcontrol) LED_D_ON();
430
49065576 431 // wait until SSC_CLK goes HIGH
432 // used as a simple detection of a reader field?
e0165dcf 433 while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {
e0165dcf 434 WDT_HIT();
49065576 435 if ( usb_poll_validate_length() || BUTTON_PRESS() )
436 goto OUT;
e0165dcf 437 }
f121b478 438
49065576 439 if(buf[i])
e0165dcf 440 OPEN_COIL();
441 else
442 SHORT_COIL();
501c666b 443
e0165dcf 444 //wait until SSC_CLK goes LOW
445 while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) {
e0165dcf 446 WDT_HIT();
49065576 447 if ( usb_poll_validate_length() || BUTTON_PRESS() )
448 goto OUT;
e0165dcf 449 }
501c666b 450
e0165dcf 451 i++;
452 if(i == period) {
e0165dcf 453 i = 0;
454 if (gap) {
f121b478 455 WDT_HIT();
e0165dcf 456 SHORT_COIL();
501c666b 457 SpinDelayUs(gap);
e0165dcf 458 }
459 }
501c666b 460
461 if (ledcontrol) LED_D_OFF();
e0165dcf 462 }
49065576 463OUT:
464 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
49065576 465 LED_D_OFF();
c50259b3 466 DbpString("Simulation stopped");
49065576 467 return;
e09f21fa 468}
469
e09f21fa 470#define DEBUG_FRAME_CONTENTS 1
471void SimulateTagLowFrequencyBidir(int divisor, int t0)
472{
473}
474
475// compose fc/8 fc/10 waveform (FSK2)
476static void fc(int c, int *n)
477{
e0165dcf 478 uint8_t *dest = BigBuf_get_addr();
479 int idx;
480
481 // for when we want an fc8 pattern every 4 logical bits
482 if(c==0) {
483 dest[((*n)++)]=1;
484 dest[((*n)++)]=1;
485 dest[((*n)++)]=1;
486 dest[((*n)++)]=1;
487 dest[((*n)++)]=0;
488 dest[((*n)++)]=0;
489 dest[((*n)++)]=0;
490 dest[((*n)++)]=0;
491 }
492
493 // an fc/8 encoded bit is a bit pattern of 11110000 x6 = 48 samples
494 if(c==8) {
495 for (idx=0; idx<6; idx++) {
496 dest[((*n)++)]=1;
497 dest[((*n)++)]=1;
498 dest[((*n)++)]=1;
499 dest[((*n)++)]=1;
500 dest[((*n)++)]=0;
501 dest[((*n)++)]=0;
502 dest[((*n)++)]=0;
503 dest[((*n)++)]=0;
504 }
505 }
506
507 // an fc/10 encoded bit is a bit pattern of 1111100000 x5 = 50 samples
508 if(c==10) {
509 for (idx=0; idx<5; idx++) {
510 dest[((*n)++)]=1;
511 dest[((*n)++)]=1;
512 dest[((*n)++)]=1;
513 dest[((*n)++)]=1;
514 dest[((*n)++)]=1;
515 dest[((*n)++)]=0;
516 dest[((*n)++)]=0;
517 dest[((*n)++)]=0;
518 dest[((*n)++)]=0;
519 dest[((*n)++)]=0;
520 }
521 }
e09f21fa 522}
523// compose fc/X fc/Y waveform (FSKx)
712ebfa6 524static void fcAll(uint8_t fc, int *n, uint8_t clock, uint16_t *modCnt)
e09f21fa 525{
e0165dcf 526 uint8_t *dest = BigBuf_get_addr();
527 uint8_t halfFC = fc/2;
528 uint8_t wavesPerClock = clock/fc;
529 uint8_t mod = clock % fc; //modifier
530 uint8_t modAdj = fc/mod; //how often to apply modifier
531 bool modAdjOk = !(fc % mod); //if (fc % mod==0) modAdjOk=TRUE;
532 // loop through clock - step field clock
533 for (uint8_t idx=0; idx < wavesPerClock; idx++){
534 // put 1/2 FC length 1's and 1/2 0's per field clock wave (to create the wave)
535 memset(dest+(*n), 0, fc-halfFC); //in case of odd number use extra here
536 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
537 *n += fc;
538 }
539 if (mod>0) (*modCnt)++;
540 if ((mod>0) && modAdjOk){ //fsk2
541 if ((*modCnt % modAdj) == 0){ //if 4th 8 length wave in a rf/50 add extra 8 length wave
542 memset(dest+(*n), 0, fc-halfFC);
543 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
544 *n += fc;
545 }
546 }
547 if (mod>0 && !modAdjOk){ //fsk1
548 memset(dest+(*n), 0, mod-(mod/2));
549 memset(dest+(*n)+(mod-(mod/2)), 1, mod/2);
550 *n += mod;
551 }
e09f21fa 552}
553
554// prepare a waveform pattern in the buffer based on the ID given then
555// simulate a HID tag until the button is pressed
556void CmdHIDsimTAG(int hi, int lo, int ledcontrol)
557{
f121b478 558 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
559 set_tracing(FALSE);
560
561 int n = 0, i = 0;
e0165dcf 562 /*
563 HID tag bitstream format
564 The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits
565 A 1 bit is represented as 6 fc8 and 5 fc10 patterns
566 A 0 bit is represented as 5 fc10 and 6 fc8 patterns
567 A fc8 is inserted before every 4 bits
568 A special start of frame pattern is used consisting a0b0 where a and b are neither 0
569 nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10)
570 */
571
f121b478 572 if (hi > 0xFFF) {
e0165dcf 573 DbpString("Tags can only have 44 bits. - USE lf simfsk for larger tags");
574 return;
575 }
576 fc(0,&n);
577 // special start of frame marker containing invalid bit sequences
578 fc(8, &n); fc(8, &n); // invalid
579 fc(8, &n); fc(10, &n); // logical 0
580 fc(10, &n); fc(10, &n); // invalid
581 fc(8, &n); fc(10, &n); // logical 0
582
583 WDT_HIT();
584 // manchester encode bits 43 to 32
585 for (i=11; i>=0; i--) {
586 if ((i%4)==3) fc(0,&n);
587 if ((hi>>i)&1) {
588 fc(10, &n); fc(8, &n); // low-high transition
589 } else {
590 fc(8, &n); fc(10, &n); // high-low transition
591 }
592 }
593
594 WDT_HIT();
595 // manchester encode bits 31 to 0
596 for (i=31; i>=0; i--) {
597 if ((i%4)==3) fc(0,&n);
598 if ((lo>>i)&1) {
599 fc(10, &n); fc(8, &n); // low-high transition
600 } else {
601 fc(8, &n); fc(10, &n); // high-low transition
602 }
603 }
f121b478 604 WDT_HIT();
605
a739812e 606 if (ledcontrol) LED_A_ON();
e0165dcf 607 SimulateTagLowFrequency(n, 0, ledcontrol);
a739812e 608 if (ledcontrol) LED_A_OFF();
e09f21fa 609}
610
611// prepare a waveform pattern in the buffer based on the ID given then
612// simulate a FSK tag until the button is pressed
613// arg1 contains fcHigh and fcLow, arg2 contains invert and clock
614void CmdFSKsimTAG(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
615{
f121b478 616 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
617
618 // free eventually allocated BigBuf memory
619 BigBuf_free(); BigBuf_Clear_ext(false);
620 clear_trace();
621 set_tracing(FALSE);
622
623 int ledcontrol = 1, n = 0, i = 0;
e0165dcf 624 uint8_t fcHigh = arg1 >> 8;
625 uint8_t fcLow = arg1 & 0xFF;
626 uint16_t modCnt = 0;
627 uint8_t clk = arg2 & 0xFF;
628 uint8_t invert = (arg2 >> 8) & 1;
629
630 for (i=0; i<size; i++){
f121b478 631
632 if (BitStream[i] == invert)
e0165dcf 633 fcAll(fcLow, &n, clk, &modCnt);
f121b478 634 else
e0165dcf 635 fcAll(fcHigh, &n, clk, &modCnt);
e0165dcf 636 }
f121b478 637 WDT_HIT();
638
639 Dbprintf("Simulating with fcHigh: %d, fcLow: %d, clk: %d, invert: %d, n: %d", fcHigh, fcLow, clk, invert, n);
e0165dcf 640
508b37ba 641 if (ledcontrol) LED_A_ON();
e0165dcf 642 SimulateTagLowFrequency(n, 0, ledcontrol);
508b37ba 643 if (ledcontrol) LED_A_OFF();
e09f21fa 644}
645
646// compose ask waveform for one bit(ASK)
e0165dcf 647static void askSimBit(uint8_t c, int *n, uint8_t clock, uint8_t manchester)
e09f21fa 648{
e0165dcf 649 uint8_t *dest = BigBuf_get_addr();
650 uint8_t halfClk = clock/2;
651 // c = current bit 1 or 0
652 if (manchester==1){
653 memset(dest+(*n), c, halfClk);
654 memset(dest+(*n) + halfClk, c^1, halfClk);
655 } else {
656 memset(dest+(*n), c, clock);
657 }
658 *n += clock;
e09f21fa 659}
660
b41534d1 661static void biphaseSimBit(uint8_t c, int *n, uint8_t clock, uint8_t *phase)
662{
e0165dcf 663 uint8_t *dest = BigBuf_get_addr();
664 uint8_t halfClk = clock/2;
665 if (c){
666 memset(dest+(*n), c ^ 1 ^ *phase, halfClk);
667 memset(dest+(*n) + halfClk, c ^ *phase, halfClk);
668 } else {
669 memset(dest+(*n), c ^ *phase, clock);
670 *phase ^= 1;
671 }
c728b2b4 672 *n += clock;
b41534d1 673}
674
6c68b84a 675static void stAskSimBit(int *n, uint8_t clock) {
676 uint8_t *dest = BigBuf_get_addr();
677 uint8_t halfClk = clock/2;
678 //ST = .5 high .5 low 1.5 high .5 low 1 high
679 memset(dest+(*n), 1, halfClk);
680 memset(dest+(*n) + halfClk, 0, halfClk);
681 memset(dest+(*n) + clock, 1, clock + halfClk);
682 memset(dest+(*n) + clock*2 + halfClk, 0, halfClk);
683 memset(dest+(*n) + clock*3, 1, clock);
684 *n += clock*4;
685}
686
e09f21fa 687// args clock, ask/man or askraw, invert, transmission separator
688void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
689{
f121b478 690 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
691 set_tracing(FALSE);
692
693 int ledcontrol = 1, n = 0, i = 0;
e0165dcf 694 uint8_t clk = (arg1 >> 8) & 0xFF;
2b3af97d 695 uint8_t encoding = arg1 & 0xFF;
e0165dcf 696 uint8_t separator = arg2 & 1;
697 uint8_t invert = (arg2 >> 8) & 1;
698
f121b478 699 if (encoding == 2){ //biphase
700 uint8_t phase = 0;
e0165dcf 701 for (i=0; i<size; i++){
702 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
703 }
f121b478 704 if (phase == 1) { //run a second set inverted to keep phase in check
e0165dcf 705 for (i=0; i<size; i++){
706 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
707 }
708 }
709 } else { // ask/manchester || ask/raw
710 for (i=0; i<size; i++){
711 askSimBit(BitStream[i]^invert, &n, clk, encoding);
712 }
713 if (encoding==0 && BitStream[0]==BitStream[size-1]){ //run a second set inverted (for biphase phase)
714 for (i=0; i<size; i++){
715 askSimBit(BitStream[i]^invert^1, &n, clk, encoding);
716 }
717 }
718 }
6c68b84a 719 if (separator==1 && encoding == 1)
720 stAskSimBit(&n, clk);
721 else if (separator==1)
722 Dbprintf("sorry but separator option not yet available");
e0165dcf 723
f121b478 724 WDT_HIT();
725
e0165dcf 726 Dbprintf("Simulating with clk: %d, invert: %d, encoding: %d, separator: %d, n: %d",clk, invert, encoding, separator, n);
e0165dcf 727
a739812e 728 if (ledcontrol) LED_A_ON();
e0165dcf 729 SimulateTagLowFrequency(n, 0, ledcontrol);
a739812e 730 if (ledcontrol) LED_A_OFF();
e09f21fa 731}
732
733//carrier can be 2,4 or 8
734static void pskSimBit(uint8_t waveLen, int *n, uint8_t clk, uint8_t *curPhase, bool phaseChg)
735{
e0165dcf 736 uint8_t *dest = BigBuf_get_addr();
737 uint8_t halfWave = waveLen/2;
738 //uint8_t idx;
739 int i = 0;
740 if (phaseChg){
741 // write phase change
742 memset(dest+(*n), *curPhase^1, halfWave);
743 memset(dest+(*n) + halfWave, *curPhase, halfWave);
744 *n += waveLen;
745 *curPhase ^= 1;
746 i += waveLen;
747 }
748 //write each normal clock wave for the clock duration
749 for (; i < clk; i+=waveLen){
750 memset(dest+(*n), *curPhase, halfWave);
751 memset(dest+(*n) + halfWave, *curPhase^1, halfWave);
752 *n += waveLen;
753 }
e09f21fa 754}
755
756// args clock, carrier, invert,
757void CmdPSKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
758{
f121b478 759 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
760 set_tracing(FALSE);
761
762 int ledcontrol = 1, n = 0, i = 0;
e0165dcf 763 uint8_t clk = arg1 >> 8;
764 uint8_t carrier = arg1 & 0xFF;
765 uint8_t invert = arg2 & 0xFF;
766 uint8_t curPhase = 0;
767 for (i=0; i<size; i++){
768 if (BitStream[i] == curPhase){
769 pskSimBit(carrier, &n, clk, &curPhase, FALSE);
770 } else {
771 pskSimBit(carrier, &n, clk, &curPhase, TRUE);
772 }
773 }
f121b478 774
775 WDT_HIT();
776
e0165dcf 777 Dbprintf("Simulating with Carrier: %d, clk: %d, invert: %d, n: %d",carrier, clk, invert, n);
e0165dcf 778
a739812e 779 if (ledcontrol) LED_A_ON();
e0165dcf 780 SimulateTagLowFrequency(n, 0, ledcontrol);
a739812e 781 if (ledcontrol) LED_A_OFF();
e09f21fa 782}
783
784// loop to get raw HID waveform then FSK demodulate the TAG ID from it
785void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
786{
e0165dcf 787 uint8_t *dest = BigBuf_get_addr();
e0165dcf 788 size_t size = 0;
789 uint32_t hi2=0, hi=0, lo=0;
790 int idx=0;
791 // Configure to go in 125Khz listen mode
792 LFSetupFPGAForADC(95, true);
e09f21fa 793
c0f15a05 794 //clear read buffer
795 BigBuf_Clear_keep_EM();
796
6427695b 797 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
e09f21fa 798
e0165dcf 799 WDT_HIT();
800 if (ledcontrol) LED_A_ON();
e09f21fa 801
802 DoAcquisition_default(-1,true);
803 // FSK demodulator
b8f705e7 804 size = 50*128*2; //big enough to catch 2 sequences of largest format
e09f21fa 805 idx = HIDdemodFSK(dest, &size, &hi2, &hi, &lo);
e0165dcf 806
b8f705e7 807 if (idx>0 && lo>0 && (size==96 || size==192)){
808 // go over previously decoded manchester data and decode into usable tag ID
809 if (hi2 != 0){ //extra large HID tags 88/192 bits
e0165dcf 810 Dbprintf("TAG ID: %x%08x%08x (%d)",
a739812e 811 (unsigned int) hi2,
812 (unsigned int) hi,
813 (unsigned int) lo,
814 (unsigned int) (lo>>1) & 0xFFFF
815 );
614da335 816 } else { //standard HID tags 44/96 bits
e0165dcf 817 uint8_t bitlen = 0;
818 uint32_t fc = 0;
819 uint32_t cardnum = 0;
a739812e 820
e09f21fa 821 if (((hi>>5)&1) == 1){//if bit 38 is set then < 37 bit format is used
e0165dcf 822 uint32_t lo2=0;
823 lo2=(((hi & 31) << 12) | (lo>>20)); //get bits 21-37 to check for format len bit
824 uint8_t idx3 = 1;
e09f21fa 825 while(lo2 > 1){ //find last bit set to 1 (format len bit)
826 lo2=lo2 >> 1;
e0165dcf 827 idx3++;
828 }
e09f21fa 829 bitlen = idx3+19;
e0165dcf 830 fc =0;
831 cardnum=0;
e09f21fa 832 if(bitlen == 26){
e0165dcf 833 cardnum = (lo>>1)&0xFFFF;
834 fc = (lo>>17)&0xFF;
835 }
e09f21fa 836 if(bitlen == 37){
e0165dcf 837 cardnum = (lo>>1)&0x7FFFF;
838 fc = ((hi&0xF)<<12)|(lo>>20);
839 }
e09f21fa 840 if(bitlen == 34){
e0165dcf 841 cardnum = (lo>>1)&0xFFFF;
842 fc= ((hi&1)<<15)|(lo>>17);
843 }
e09f21fa 844 if(bitlen == 35){
e0165dcf 845 cardnum = (lo>>1)&0xFFFFF;
846 fc = ((hi&1)<<11)|(lo>>21);
847 }
848 }
849 else { //if bit 38 is not set then 37 bit format is used
850 bitlen= 37;
851 fc =0;
852 cardnum=0;
853 if(bitlen==37){
854 cardnum = (lo>>1)&0x7FFFF;
855 fc = ((hi&0xF)<<12)|(lo>>20);
856 }
857 }
e0165dcf 858 Dbprintf("TAG ID: %x%08x (%d) - Format Len: %dbit - FC: %d - Card: %d",
a739812e 859 (unsigned int) hi,
860 (unsigned int) lo,
861 (unsigned int) (lo>>1) & 0xFFFF,
862 (unsigned int) bitlen,
863 (unsigned int) fc,
864 (unsigned int) cardnum);
e0165dcf 865 }
866 if (findone){
867 if (ledcontrol) LED_A_OFF();
868 *high = hi;
869 *low = lo;
55db344f 870 break;
e0165dcf 871 }
872 // reset
e0165dcf 873 }
b8f705e7 874 hi2 = hi = lo = idx = 0;
e0165dcf 875 WDT_HIT();
876 }
501c666b 877 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
e0165dcf 878 DbpString("Stopped");
879 if (ledcontrol) LED_A_OFF();
e09f21fa 880}
881
db25599d 882// loop to get raw HID waveform then FSK demodulate the TAG ID from it
883void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
884{
885 uint8_t *dest = BigBuf_get_addr();
db25599d 886 size_t size;
887 int idx=0;
c0f15a05 888 //clear read buffer
889 BigBuf_Clear_keep_EM();
db25599d 890 // Configure to go in 125Khz listen mode
891 LFSetupFPGAForADC(95, true);
892
6427695b 893 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
db25599d 894
895 WDT_HIT();
896 if (ledcontrol) LED_A_ON();
897
898 DoAcquisition_default(-1,true);
899 // FSK demodulator
db25599d 900 size = 50*128*2; //big enough to catch 2 sequences of largest format
901 idx = AWIDdemodFSK(dest, &size);
902
a126332a 903 if (idx<=0 || size!=96) continue;
db25599d 904 // Index map
905 // 0 10 20 30 40 50 60
906 // | | | | | | |
907 // 01234567 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 - to 96
908 // -----------------------------------------------------------------------------
909 // 00000001 000 1 110 1 101 1 011 1 101 1 010 0 000 1 000 1 010 0 001 0 110 1 100 0 000 1 000 1
910 // premable bbb o bbb o bbw o fff o fff o ffc o ccc o ccc o ccc o ccc o ccc o wxx o xxx o xxx o - to 96
911 // |---26 bit---| |-----117----||-------------142-------------|
912 // b = format bit len, o = odd parity of last 3 bits
913 // f = facility code, c = card number
914 // w = wiegand parity
915 // (26 bit format shown)
916
917 //get raw ID before removing parities
918 uint32_t rawLo = bytebits_to_byte(dest+idx+64,32);
919 uint32_t rawHi = bytebits_to_byte(dest+idx+32,32);
920 uint32_t rawHi2 = bytebits_to_byte(dest+idx,32);
921
922 size = removeParity(dest, idx+8, 4, 1, 88);
a126332a 923 if (size != 66) continue;
db25599d 924
925 // Index map
926 // 0 10 20 30 40 50 60
927 // | | | | | | |
928 // 01234567 8 90123456 7890123456789012 3 456789012345678901234567890123456
929 // -----------------------------------------------------------------------------
930 // 00011010 1 01110101 0000000010001110 1 000000000000000000000000000000000
931 // bbbbbbbb w ffffffff cccccccccccccccc w xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
932 // |26 bit| |-117--| |-----142------|
c5e8b916 933 //
934 // 00110010 0 0000011111010000000000000001000100101000100001111 0 00000000
935 // bbbbbbbb w ffffffffffffffffccccccccccccccccccccccccccccccccc w xxxxxxxx
936 // |50 bit| |----4000------||-----------2248975-------------|
937 //
db25599d 938 // b = format bit len, o = odd parity of last 3 bits
939 // f = facility code, c = card number
940 // w = wiegand parity
db25599d 941
942 uint32_t fc = 0;
943 uint32_t cardnum = 0;
944 uint32_t code1 = 0;
945 uint32_t code2 = 0;
946 uint8_t fmtLen = bytebits_to_byte(dest,8);
c5e8b916 947 switch(fmtLen) {
948 case 26:
949 fc = bytebits_to_byte(dest + 9, 8);
950 cardnum = bytebits_to_byte(dest + 17, 16);
951 code1 = bytebits_to_byte(dest + 8,fmtLen);
6a4271d1 952 Dbprintf("AWID Found - BitLength: %d, FC: %d, Card: %u - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, fc, cardnum, code1, rawHi2, rawHi, rawLo);
c5e8b916 953 break;
954 case 50:
955 fc = bytebits_to_byte(dest + 9, 16);
956 cardnum = bytebits_to_byte(dest + 25, 32);
957 code1 = bytebits_to_byte(dest + 8, (fmtLen-32) );
958 code2 = bytebits_to_byte(dest + 8 + (fmtLen-32), 32);
6a4271d1 959 Dbprintf("AWID Found - BitLength: %d, FC: %d, Card: %u - Wiegand: %x%08x, Raw: %08x%08x%08x", fmtLen, fc, cardnum, code1, code2, rawHi2, rawHi, rawLo);
c5e8b916 960 break;
961 default:
962 if (fmtLen > 32 ) {
963 cardnum = bytebits_to_byte(dest+8+(fmtLen-17), 16);
964 code1 = bytebits_to_byte(dest+8,fmtLen-32);
965 code2 = bytebits_to_byte(dest+8+(fmtLen-32),32);
6a4271d1 966 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%u) - Wiegand: %x%08x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, code2, rawHi2, rawHi, rawLo);
c5e8b916 967 } else {
968 cardnum = bytebits_to_byte(dest+8+(fmtLen-17), 16);
969 code1 = bytebits_to_byte(dest+8,fmtLen);
6a4271d1 970 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%u) - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, rawHi2, rawHi, rawLo);
c5e8b916 971 }
972 break;
db25599d 973 }
501c666b 974 if (findone)
55db344f 975 break;
501c666b 976
db25599d 977 idx = 0;
978 WDT_HIT();
979 }
55db344f 980
501c666b 981 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
db25599d 982 DbpString("Stopped");
983 if (ledcontrol) LED_A_OFF();
984}
985
e09f21fa 986void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol)
987{
e0165dcf 988 uint8_t *dest = BigBuf_get_addr();
989
990 size_t size=0, idx=0;
991 int clk=0, invert=0, errCnt=0, maxErr=20;
992 uint32_t hi=0;
993 uint64_t lo=0;
c0f15a05 994 //clear read buffer
995 BigBuf_Clear_keep_EM();
e0165dcf 996 // Configure to go in 125Khz listen mode
997 LFSetupFPGAForADC(95, true);
998
6427695b 999 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
e0165dcf 1000
1001 WDT_HIT();
1002 if (ledcontrol) LED_A_ON();
1003
1004 DoAcquisition_default(-1,true);
1005 size = BigBuf_max_traceLen();
e0165dcf 1006 //askdemod and manchester decode
b8f705e7 1007 if (size > 16385) size = 16385; //big enough to catch 2 sequences of largest format
fef74fdc 1008 errCnt = askdemod(dest, &size, &clk, &invert, maxErr, 0, 1);
e0165dcf 1009 WDT_HIT();
1010
b8f705e7 1011 if (errCnt<0) continue;
1012
e0165dcf 1013 errCnt = Em410xDecode(dest, &size, &idx, &hi, &lo);
e0165dcf 1014 if (errCnt){
1015 if (size>64){
1016 Dbprintf("EM XL TAG ID: %06x%08x%08x - (%05d_%03d_%08d)",
1017 hi,
1018 (uint32_t)(lo>>32),
1019 (uint32_t)lo,
1020 (uint32_t)(lo&0xFFFF),
1021 (uint32_t)((lo>>16LL) & 0xFF),
1022 (uint32_t)(lo & 0xFFFFFF));
1023 } else {
1024 Dbprintf("EM TAG ID: %02x%08x - (%05d_%03d_%08d)",
1025 (uint32_t)(lo>>32),
1026 (uint32_t)lo,
1027 (uint32_t)(lo&0xFFFF),
1028 (uint32_t)((lo>>16LL) & 0xFF),
1029 (uint32_t)(lo & 0xFFFFFF));
1030 }
b8f705e7 1031
e0165dcf 1032 if (findone){
1033 if (ledcontrol) LED_A_OFF();
1034 *high=lo>>32;
1035 *low=lo & 0xFFFFFFFF;
55db344f 1036 break;
e0165dcf 1037 }
e0165dcf 1038 }
1039 WDT_HIT();
b8f705e7 1040 hi = lo = size = idx = 0;
1041 clk = invert = errCnt = 0;
e0165dcf 1042 }
55db344f 1043 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
e0165dcf 1044 DbpString("Stopped");
1045 if (ledcontrol) LED_A_OFF();
e09f21fa 1046}
1047
1048void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
1049{
e0165dcf 1050 uint8_t *dest = BigBuf_get_addr();
1051 int idx=0;
1052 uint32_t code=0, code2=0;
1053 uint8_t version=0;
1054 uint8_t facilitycode=0;
1055 uint16_t number=0;
b8f705e7 1056 uint8_t crc = 0;
1057 uint16_t calccrc = 0;
c0f15a05 1058
1059 //clear read buffer
1060 BigBuf_Clear_keep_EM();
1061
118bf0c2 1062 // Configure to go in 125Khz listen mode
e0165dcf 1063 LFSetupFPGAForADC(95, true);
1064
6427695b 1065 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
e0165dcf 1066 WDT_HIT();
1067 if (ledcontrol) LED_A_ON();
e09f21fa 1068 DoAcquisition_default(-1,true);
1069 //fskdemod and get start index
e0165dcf 1070 WDT_HIT();
1071 idx = IOdemodFSK(dest, BigBuf_max_traceLen());
b8f705e7 1072 if (idx<0) continue;
e0165dcf 1073 //valid tag found
1074
1075 //Index map
1076 //0 10 20 30 40 50 60
1077 //| | | | | | |
1078 //01234567 8 90123456 7 89012345 6 78901234 5 67890123 4 56789012 3 45678901 23
1079 //-----------------------------------------------------------------------------
b8f705e7 1080 //00000000 0 11110000 1 facility 1 version* 1 code*one 1 code*two 1 checksum 11
e0165dcf 1081 //
b8f705e7 1082 //Checksum:
1083 //00000000 0 11110000 1 11100000 1 00000001 1 00000011 1 10110110 1 01110101 11
1084 //preamble F0 E0 01 03 B6 75
1085 // How to calc checksum,
1086 // http://www.proxmark.org/forum/viewtopic.php?id=364&p=6
1087 // F0 + E0 + 01 + 03 + B6 = 28A
1088 // 28A & FF = 8A
1089 // FF - 8A = 75
1090 // Checksum: 0x75
e0165dcf 1091 //XSF(version)facility:codeone+codetwo
1092 //Handle the data
501c666b 1093 // if(findone){ //only print binary if we are doing one
1094 // Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx], dest[idx+1], dest[idx+2],dest[idx+3],dest[idx+4],dest[idx+5],dest[idx+6],dest[idx+7],dest[idx+8]);
1095 // Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+9], dest[idx+10],dest[idx+11],dest[idx+12],dest[idx+13],dest[idx+14],dest[idx+15],dest[idx+16],dest[idx+17]);
1096 // Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+18],dest[idx+19],dest[idx+20],dest[idx+21],dest[idx+22],dest[idx+23],dest[idx+24],dest[idx+25],dest[idx+26]);
1097 // Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+27],dest[idx+28],dest[idx+29],dest[idx+30],dest[idx+31],dest[idx+32],dest[idx+33],dest[idx+34],dest[idx+35]);
1098 // Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+36],dest[idx+37],dest[idx+38],dest[idx+39],dest[idx+40],dest[idx+41],dest[idx+42],dest[idx+43],dest[idx+44]);
1099 // Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+45],dest[idx+46],dest[idx+47],dest[idx+48],dest[idx+49],dest[idx+50],dest[idx+51],dest[idx+52],dest[idx+53]);
1100 // Dbprintf("%d%d%d%d%d%d%d%d %d%d",dest[idx+54],dest[idx+55],dest[idx+56],dest[idx+57],dest[idx+58],dest[idx+59],dest[idx+60],dest[idx+61],dest[idx+62],dest[idx+63]);
1101 // }
e0165dcf 1102 code = bytebits_to_byte(dest+idx,32);
1103 code2 = bytebits_to_byte(dest+idx+32,32);
1104 version = bytebits_to_byte(dest+idx+27,8); //14,4
a739812e 1105 facilitycode = bytebits_to_byte(dest+idx+18,8);
e0165dcf 1106 number = (bytebits_to_byte(dest+idx+36,8)<<8)|(bytebits_to_byte(dest+idx+45,8)); //36,9
1107
b8f705e7 1108 crc = bytebits_to_byte(dest+idx+54,8);
1109 for (uint8_t i=1; i<6; ++i)
1110 calccrc += bytebits_to_byte(dest+idx+9*i,8);
1111 calccrc &= 0xff;
1112 calccrc = 0xff - calccrc;
1113
1114 char *crcStr = (crc == calccrc) ? "ok":"!crc";
1115
1116 Dbprintf("IO Prox XSF(%02d)%02x:%05d (%08x%08x) [%02x %s]",version,facilitycode,number,code,code2, crc, crcStr);
e0165dcf 1117 // if we're only looking for one tag
1118 if (findone){
1119 if (ledcontrol) LED_A_OFF();
e0165dcf 1120 *high=code;
1121 *low=code2;
55db344f 1122 break;
e0165dcf 1123 }
1124 code=code2=0;
1125 version=facilitycode=0;
1126 number=0;
1127 idx=0;
b8f705e7 1128
e0165dcf 1129 WDT_HIT();
1130 }
61d36d36 1131 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
e0165dcf 1132 DbpString("Stopped");
1133 if (ledcontrol) LED_A_OFF();
e09f21fa 1134}
1135
1136/*------------------------------
94422fa2 1137 * T5555/T5557/T5567/T5577 routines
e09f21fa 1138 *------------------------------
1d0ccbe0 1139 * NOTE: T55x7/T5555 configuration register definitions moved to protocols.h
1140 *
1141 * Relevant communication times in microsecond
e09f21fa 1142 * To compensate antenna falling times shorten the write times
1143 * and enlarge the gap ones.
6a09bea4 1144 * Q5 tags seems to have issues when these values changes.
e09f21fa 1145 */
0de8e387 1146
8ddfbc34 1147#define START_GAP 50*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (15fc)
1148#define WRITE_GAP 20*8 // was 160 // SPEC: 1*8 to 20*8 - typ 10*8 (10fc)
1149#define WRITE_0 18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (24fc)
1150#define WRITE_1 54*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (56fc) 432 for T55x7; 448 for E5550
6426f6ba 1151#define READ_GAP 15*8
b8f705e7 1152
1153// VALUES TAKEN FROM EM4x function: SendForward
1154// START_GAP = 440; (55*8) cycles at 125Khz (8us = 1cycle)
1155// WRITE_GAP = 128; (16*8)
1156// WRITE_1 = 256 32*8; (32*8)
1157
1158// These timings work for 4469/4269/4305 (with the 55*8 above)
8ddfbc34 1159// WRITE_0 = 23*8 , 9*8
b8f705e7 1160
1161// Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
1162// TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
1163// Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
1164// T0 = TIMER_CLOCK1 / 125000 = 192
e16054a4 1165// 1 Cycle = 8 microseconds(us) == 1 field clock
e09f21fa 1166
8ddfbc34 1167// new timer:
1168// = 1us = 1.5ticks
1169// 1fc = 8us = 12ticks
1170void TurnReadLFOn(uint32_t delay) {
a739812e 1171 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
1d0ccbe0 1172
1173 // measure antenna strength.
1174 //int adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
24c49d36 1175
1176 // Give it a bit of time for the resonant antenna to settle.
1177 WaitUS(delay);
a739812e 1178}
1179
e09f21fa 1180// Write one bit to card
e16054a4 1181void T55xxWriteBit(int bit) {
b8f705e7 1182 if (!bit)
1d0ccbe0 1183 TurnReadLFOn(WRITE_0);
e0165dcf 1184 else
1d0ccbe0 1185 TurnReadLFOn(WRITE_1);
e0165dcf 1186 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
24c49d36 1187 WaitUS(WRITE_GAP);
e09f21fa 1188}
1189
94422fa2 1190// Send T5577 reset command then read stream (see if we can identify the start of the stream)
1191void T55xxResetRead(void) {
1192 LED_A_ON();
1193 //clear buffer now so it does not interfere with timing later
c0f15a05 1194 BigBuf_Clear_keep_EM();
94422fa2 1195
1196 // Set up FPGA, 125kHz
1197 LFSetupFPGAForADC(95, true);
1198
1199 // Trigger T55x7 in mode.
1200 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
24c49d36 1201 WaitUS(START_GAP);
94422fa2 1202
1203 // reset tag - op code 00
1204 T55xxWriteBit(0);
1205 T55xxWriteBit(0);
1206
1207 // Turn field on to read the response
1208 TurnReadLFOn(READ_GAP);
1209
1210 // Acquisition
1211 doT55x7Acquisition(BigBuf_max_traceLen());
1212
1213 // Turn the field off
1214 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1215 cmd_send(CMD_ACK,0,0,0,0,0);
1216 LED_A_OFF();
1217}
1218
e09f21fa 1219// Write one card block in page 0, no lock
70459879 1220void T55xxWriteBlockExt(uint32_t Data, uint8_t Block, uint32_t Pwd, uint8_t arg) {
e16054a4 1221 LED_A_ON();
1d0ccbe0 1222 bool PwdMode = arg & 0x1;
1223 uint8_t Page = (arg & 0x2)>>1;
e0165dcf 1224 uint32_t i = 0;
1225
1226 // Set up FPGA, 125kHz
ac2df346 1227 LFSetupFPGAForADC(95, true);
0de8e387 1228
e16054a4 1229 // Trigger T55x7 in mode.
e0165dcf 1230 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
24c49d36 1231 WaitUS(START_GAP);
e0165dcf 1232
e16054a4 1233 // Opcode 10
e0165dcf 1234 T55xxWriteBit(1);
1d0ccbe0 1235 T55xxWriteBit(Page); //Page 0
9276e859 1236 if (PwdMode){
a739812e 1237 // Send Pwd
e0165dcf 1238 for (i = 0x80000000; i != 0; i >>= 1)
1239 T55xxWriteBit(Pwd & i);
1240 }
a739812e 1241 // Send Lock bit
e0165dcf 1242 T55xxWriteBit(0);
1243
a739812e 1244 // Send Data
e0165dcf 1245 for (i = 0x80000000; i != 0; i >>= 1)
1246 T55xxWriteBit(Data & i);
1247
a739812e 1248 // Send Block number
e0165dcf 1249 for (i = 0x04; i != 0; i >>= 1)
1250 T55xxWriteBit(Block & i);
1251
e16054a4 1252 // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
e0165dcf 1253 // so wait a little more)
e16054a4 1254 TurnReadLFOn(20 * 1000);
8ddfbc34 1255
1256 //could attempt to do a read to confirm write took
1257 // as the tag should repeat back the new block
1258 // until it is reset, but to confirm it we would
1259 // need to know the current block 0 config mode
e16054a4 1260
a739812e 1261 // turn field off
e0165dcf 1262 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
9276e859 1263 LED_A_OFF();
e09f21fa 1264}
1265
94422fa2 1266// Write one card block in page 0, no lock
70459879 1267void T55xxWriteBlock(uint32_t Data, uint8_t Block, uint32_t Pwd, uint8_t arg) {
94422fa2 1268 T55xxWriteBlockExt(Data, Block, Pwd, arg);
1269 cmd_send(CMD_ACK,0,0,0,0,0);
1270}
1271
6426f6ba 1272// Read one card block in page [page]
9276e859 1273void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) {
e16054a4 1274 LED_A_ON();
1d0ccbe0 1275 bool PwdMode = arg0 & 0x1;
1276 uint8_t Page = (arg0 & 0x2) >> 1;
e0165dcf 1277 uint32_t i = 0;
1d0ccbe0 1278 bool RegReadMode = (Block == 0xFF);
ac2df346 1279
a739812e 1280 //clear buffer now so it does not interfere with timing later
b4a6775b 1281 BigBuf_Clear_keep_EM();
a739812e 1282
ac2df346 1283 //make sure block is at max 7
1284 Block &= 0x7;
e0165dcf 1285
1d0ccbe0 1286 // Set up FPGA, 125kHz to power up the tag
ac2df346 1287 LFSetupFPGAForADC(95, true);
1c07ca92 1288 //SpinDelay(3);
0de8e387 1289
1d0ccbe0 1290 // Trigger T55x7 Direct Access Mode with start gap
e0165dcf 1291 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
24c49d36 1292 WaitUS(START_GAP);
ac2df346 1293
1d0ccbe0 1294 // Opcode 1[page]
e0165dcf 1295 T55xxWriteBit(1);
1c8fbeb9 1296 T55xxWriteBit(Page); //Page 0
ac2df346 1297
9276e859 1298 if (PwdMode){
a739812e 1299 // Send Pwd
e0165dcf 1300 for (i = 0x80000000; i != 0; i >>= 1)
1301 T55xxWriteBit(Pwd & i);
1302 }
a739812e 1303 // Send a zero bit separation
e0165dcf 1304 T55xxWriteBit(0);
ac2df346 1305
1d0ccbe0 1306 // Send Block number (if direct access mode)
1307 if (!RegReadMode)
b4a6775b 1308 for (i = 0x04; i != 0; i >>= 1)
1309 T55xxWriteBit(Block & i);
e0165dcf 1310
ac2df346 1311 // Turn field on to read the response
a739812e 1312 TurnReadLFOn(READ_GAP);
ac2df346 1313
1314 // Acquisition
81b7e894 1315 doT55x7Acquisition(7679);
ac2df346 1316
1d0ccbe0 1317 // Turn the field off
1318 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
e0165dcf 1319 cmd_send(CMD_ACK,0,0,0,0,0);
e16054a4 1320 LED_A_OFF();
9276e859 1321}
1322
1323void T55xxWakeUp(uint32_t Pwd){
1324 LED_B_ON();
1325 uint32_t i = 0;
1326
1327 // Set up FPGA, 125kHz
1328 LFSetupFPGAForADC(95, true);
1329
1330 // Trigger T55x7 Direct Access Mode
1331 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
24c49d36 1332 WaitUS(START_GAP);
9276e859 1333
1334 // Opcode 10
1335 T55xxWriteBit(1);
1336 T55xxWriteBit(0); //Page 0
1337
1338 // Send Pwd
1339 for (i = 0x80000000; i != 0; i >>= 1)
1340 T55xxWriteBit(Pwd & i);
1341
1d0ccbe0 1342 // Turn and leave field on to let the begin repeating transmission
1c8fbeb9 1343 TurnReadLFOn(20*1000);
e09f21fa 1344}
1345
1346/*-------------- Cloning routines -----------*/
1d0ccbe0 1347void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
1348 // write last block first and config block last (if included)
70459879 1349 for (uint8_t i = numblocks+startblock; i > startblock; i--)
8ce3e4b4 1350 T55xxWriteBlockExt(blockdata[i-1], i-1, 0, 0);
1d0ccbe0 1351}
1352
e09f21fa 1353// Copy HID id to card and setup block 0 config
1d0ccbe0 1354void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) {
1355 uint32_t data[] = {0,0,0,0,0,0,0};
1d0ccbe0 1356 uint8_t last_block = 0;
e0165dcf 1357
1358 if (longFMT){
1359 // Ensure no more than 84 bits supplied
614da335 1360 if (hi2 > 0xFFFFF) {
e0165dcf 1361 DbpString("Tags can only have 84 bits.");
1362 return;
1363 }
1364 // Build the 6 data blocks for supplied 84bit ID
1365 last_block = 6;
1d0ccbe0 1366 // load preamble (1D) & long format identifier (9E manchester encoded)
94422fa2 1367 data[1] = 0x1D96A900 | (manchesterEncode2Bytes((hi2 >> 16) & 0xF) & 0xFF);
1d0ccbe0 1368 // load raw id from hi2, hi, lo to data blocks (manchester encoded)
1369 data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF);
1370 data[3] = manchesterEncode2Bytes(hi >> 16);
1371 data[4] = manchesterEncode2Bytes(hi & 0xFFFF);
1372 data[5] = manchesterEncode2Bytes(lo >> 16);
1373 data[6] = manchesterEncode2Bytes(lo & 0xFFFF);
42c235e7 1374 } else {
e0165dcf 1375 // Ensure no more than 44 bits supplied
614da335 1376 if (hi > 0xFFF) {
e0165dcf 1377 DbpString("Tags can only have 44 bits.");
1378 return;
1379 }
e0165dcf 1380 // Build the 3 data blocks for supplied 44bit ID
1381 last_block = 3;
1d0ccbe0 1382 // load preamble
94422fa2 1383 data[1] = 0x1D000000 | (manchesterEncode2Bytes(hi) & 0xFFFFFF);
1d0ccbe0 1384 data[2] = manchesterEncode2Bytes(lo >> 16);
1385 data[3] = manchesterEncode2Bytes(lo & 0xFFFF);
e0165dcf 1386 }
1d0ccbe0 1387 // load chip config block
1388 data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT;
e0165dcf 1389
edaf10af 1390 //TODO add selection of chip for Q5 or T55x7
1391 // data[0] = (((50-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | last_block << T5555_MAXBLOCK_SHIFT;
1392
e0165dcf 1393 LED_D_ON();
1d0ccbe0 1394 WriteT55xx(data, 0, last_block+1);
e0165dcf 1395 LED_D_OFF();
e09f21fa 1396}
1397
94422fa2 1398void CopyIOtoT55x7(uint32_t hi, uint32_t lo) {
1d0ccbe0 1399 uint32_t data[] = {T55x7_BITRATE_RF_64 | T55x7_MODULATION_FSK2a | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
edaf10af 1400 //TODO add selection of chip for Q5 or T55x7
118bf0c2 1401 //t5555 (Q5) BITRATE = (RF-2)/2 (iceman)
1402 // data[0] = (64 << T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | 2 << T5555_MAXBLOCK_SHIFT;
e09f21fa 1403
e0165dcf 1404 LED_D_ON();
1405 // Program the data blocks for supplied ID
1d0ccbe0 1406 // and the block 0 config
1407 WriteT55xx(data, 0, 3);
e0165dcf 1408 LED_D_OFF();
e09f21fa 1409}
1410
1d0ccbe0 1411// Clone Indala 64-bit tag by UID to T55x7
1412void CopyIndala64toT55x7(uint32_t hi, uint32_t lo) {
1413 //Program the 2 data blocks for supplied 64bit UID
1414 // and the Config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2)
1415 uint32_t data[] = { T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
edaf10af 1416 //TODO add selection of chip for Q5 or T55x7
1417 // data[0] = (((32-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 2 << T5555_MAXBLOCK_SHIFT;
1418
1d0ccbe0 1419 WriteT55xx(data, 0, 3);
1420 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
1421 // T5567WriteBlock(0x603E1042,0);
1d0ccbe0 1422}
1423// Clone Indala 224-bit tag by UID to T55x7
94422fa2 1424void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7) {
1d0ccbe0 1425 //Program the 7 data blocks for supplied 224bit UID
1426 uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7};
1427 // and the block 0 for Indala224 format
1428 //Config for Indala (RF/32;PSK1 with RF/2;Maxblock=7)
1429 data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (7 << T55x7_MAXBLOCK_SHIFT);
edaf10af 1430 //TODO add selection of chip for Q5 or T55x7
1431 // data[0] = (((32-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 7 << T5555_MAXBLOCK_SHIFT;
1d0ccbe0 1432 WriteT55xx(data, 0, 8);
1433 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
1434 // T5567WriteBlock(0x603E10E2,0);
1d0ccbe0 1435}
a126332a 1436// clone viking tag to T55xx
1437void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5) {
1438 uint32_t data[] = {T55x7_BITRATE_RF_32 | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT), block1, block2};
118bf0c2 1439 //t5555 (Q5) BITRATE = (RF-2)/2 (iceman)
a126332a 1440 if (Q5) data[0] = (32 << T5555_BITRATE_SHIFT) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
1441 // Program the data blocks for supplied ID and the block 0 config
1442 WriteT55xx(data, 0, 3);
1443 LED_D_OFF();
1444 cmd_send(CMD_ACK,0,0,0,0,0);
1445}
1d0ccbe0 1446
e09f21fa 1447// Define 9bit header for EM410x tags
1448#define EM410X_HEADER 0x1FF
1449#define EM410X_ID_LENGTH 40
1450
94422fa2 1451void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo) {
e0165dcf 1452 int i, id_bit;
1453 uint64_t id = EM410X_HEADER;
1454 uint64_t rev_id = 0; // reversed ID
1455 int c_parity[4]; // column parity
1456 int r_parity = 0; // row parity
1457 uint32_t clock = 0;
1458
1459 // Reverse ID bits given as parameter (for simpler operations)
1460 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1461 if (i < 32) {
1462 rev_id = (rev_id << 1) | (id_lo & 1);
1463 id_lo >>= 1;
1464 } else {
1465 rev_id = (rev_id << 1) | (id_hi & 1);
1466 id_hi >>= 1;
1467 }
1468 }
1469
1470 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1471 id_bit = rev_id & 1;
1472
1473 if (i % 4 == 0) {
1474 // Don't write row parity bit at start of parsing
1475 if (i)
1476 id = (id << 1) | r_parity;
1477 // Start counting parity for new row
1478 r_parity = id_bit;
1479 } else {
1480 // Count row parity
1481 r_parity ^= id_bit;
1482 }
1483
1484 // First elements in column?
1485 if (i < 4)
1486 // Fill out first elements
1487 c_parity[i] = id_bit;
1488 else
1489 // Count column parity
1490 c_parity[i % 4] ^= id_bit;
1491
1492 // Insert ID bit
1493 id = (id << 1) | id_bit;
1494 rev_id >>= 1;
1495 }
1496
1497 // Insert parity bit of last row
1498 id = (id << 1) | r_parity;
1499
1500 // Fill out column parity at the end of tag
1501 for (i = 0; i < 4; ++i)
1502 id = (id << 1) | c_parity[i];
1503
1504 // Add stop bit
1505 id <<= 1;
1506
1507 Dbprintf("Started writing %s tag ...", card ? "T55x7":"T5555");
1508 LED_D_ON();
1509
1510 // Write EM410x ID
6c68b84a 1511 uint32_t data[] = {0, (uint32_t)(id>>32), (uint32_t)(id & 0xFFFFFFFF)};
edaf10af 1512
8ce3e4b4 1513 clock = (card & 0xFF00) >> 8;
1514 clock = (clock == 0) ? 64 : clock;
1515 Dbprintf("Clock rate: %d", clock);
edaf10af 1516 if (card & 0xFF) { //t55x7
1d0ccbe0 1517 clock = GetT55xxClockBit(clock);
1518 if (clock == 0) {
e0165dcf 1519 Dbprintf("Invalid clock rate: %d", clock);
1520 return;
1521 }
1d0ccbe0 1522 data[0] = clock | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT);
edaf10af 1523 } else { //t5555 (Q5)
1524 clock = (clock-2)>>1; //n = (RF-2)/2
1525 data[0] = (clock << T5555_BITRATE_SHIFT) | T5555_MODULATION_MANCHESTER | (2 << T5555_MAXBLOCK_SHIFT);
e0165dcf 1526 }
118bf0c2 1527
1d0ccbe0 1528 WriteT55xx(data, 0, 3);
e0165dcf 1529
1530 LED_D_OFF();
8ce3e4b4 1531 Dbprintf("Tag %s written with 0x%08x%08x\n",
1532 card ? "T55x7":"T5555",
1533 (uint32_t)(id >> 32),
1534 (uint32_t)id);
e09f21fa 1535}
1536
e09f21fa 1537//-----------------------------------
1538// EM4469 / EM4305 routines
1539//-----------------------------------
8ddfbc34 1540#define FWD_CMD_LOGIN 0xC //including the even parity, binary mirrored
1541#define FWD_CMD_WRITE 0xA
1542#define FWD_CMD_READ 0x9
e09f21fa 1543#define FWD_CMD_DISABLE 0x5
1544
e09f21fa 1545uint8_t forwardLink_data[64]; //array of forwarded bits
1546uint8_t * forward_ptr; //ptr for forward message preparation
1547uint8_t fwd_bit_sz; //forwardlink bit counter
1548uint8_t * fwd_write_ptr; //forwardlink bit pointer
1549
1550//====================================================================
1551// prepares command bits
1552// see EM4469 spec
1553//====================================================================
6426f6ba 1554//--------------------------------------------------------------------
1555// VALUES TAKEN FROM EM4x function: SendForward
1556// START_GAP = 440; (55*8) cycles at 125Khz (8us = 1cycle)
1557// WRITE_GAP = 128; (16*8)
1558// WRITE_1 = 256 32*8; (32*8)
1559
1560// These timings work for 4469/4269/4305 (with the 55*8 above)
8ddfbc34 1561// WRITE_0 = 23*8 , 9*8
6426f6ba 1562
e09f21fa 1563uint8_t Prepare_Cmd( uint8_t cmd ) {
e09f21fa 1564
e0165dcf 1565 *forward_ptr++ = 0; //start bit
1566 *forward_ptr++ = 0; //second pause for 4050 code
e09f21fa 1567
e0165dcf 1568 *forward_ptr++ = cmd;
1569 cmd >>= 1;
1570 *forward_ptr++ = cmd;
1571 cmd >>= 1;
1572 *forward_ptr++ = cmd;
1573 cmd >>= 1;
1574 *forward_ptr++ = cmd;
e09f21fa 1575
e0165dcf 1576 return 6; //return number of emited bits
e09f21fa 1577}
1578
1579//====================================================================
1580// prepares address bits
1581// see EM4469 spec
1582//====================================================================
e09f21fa 1583uint8_t Prepare_Addr( uint8_t addr ) {
e09f21fa 1584
e0165dcf 1585 register uint8_t line_parity;
e09f21fa 1586
e0165dcf 1587 uint8_t i;
1588 line_parity = 0;
1589 for(i=0;i<6;i++) {
1590 *forward_ptr++ = addr;
1591 line_parity ^= addr;
1592 addr >>= 1;
1593 }
e09f21fa 1594
e0165dcf 1595 *forward_ptr++ = (line_parity & 1);
e09f21fa 1596
e0165dcf 1597 return 7; //return number of emited bits
e09f21fa 1598}
1599
1600//====================================================================
1601// prepares data bits intreleaved with parity bits
1602// see EM4469 spec
1603//====================================================================
e09f21fa 1604uint8_t Prepare_Data( uint16_t data_low, uint16_t data_hi) {
e0165dcf 1605
1606 register uint8_t line_parity;
1607 register uint8_t column_parity;
1608 register uint8_t i, j;
1609 register uint16_t data;
1610
1611 data = data_low;
1612 column_parity = 0;
1613
1614 for(i=0; i<4; i++) {
1615 line_parity = 0;
1616 for(j=0; j<8; j++) {
1617 line_parity ^= data;
1618 column_parity ^= (data & 1) << j;
1619 *forward_ptr++ = data;
1620 data >>= 1;
1621 }
1622 *forward_ptr++ = line_parity;
1623 if(i == 1)
1624 data = data_hi;
1625 }
1626
1627 for(j=0; j<8; j++) {
1628 *forward_ptr++ = column_parity;
1629 column_parity >>= 1;
1630 }
1631 *forward_ptr = 0;
1632
1633 return 45; //return number of emited bits
e09f21fa 1634}
1635
1636//====================================================================
1637// Forward Link send function
1638// Requires: forwarLink_data filled with valid bits (1 bit per byte)
1639// fwd_bit_count set with number of bits to be sent
1640//====================================================================
1641void SendForward(uint8_t fwd_bit_count) {
1642
e0165dcf 1643 fwd_write_ptr = forwardLink_data;
1644 fwd_bit_sz = fwd_bit_count;
1645
1646 LED_D_ON();
1647
6a09bea4 1648 // Set up FPGA, 125kHz
1649 LFSetupFPGAForADC(95, true);
1650
e0165dcf 1651 // force 1st mod pulse (start gap must be longer for 4305)
1652 fwd_bit_sz--; //prepare next bit modulation
1653 fwd_write_ptr++;
1654 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
24c49d36 1655 WaitUS(55*8); //55 cycles off (8us each)for 4305 // ICEMAN: problem with (us) clock is 21.3us increments
e0165dcf 1656 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
24c49d36 1657 WaitUS(16*8); //16 cycles on (8us each) // ICEMAN: problem with (us) clock is 21.3us increments
e0165dcf 1658
1659 // now start writting
1660 while(fwd_bit_sz-- > 0) { //prepare next bit modulation
1661 if(((*fwd_write_ptr++) & 1) == 1)
24c49d36 1662 WaitUS(32*8); //32 cycles at 125Khz (8us each) // ICEMAN: problem with (us) clock is 21.3us increments
e0165dcf 1663 else {
1664 //These timings work for 4469/4269/4305 (with the 55*8 above)
1665 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
8ddfbc34 1666 WaitUS(16*8); //16-4 cycles off (8us each) // ICEMAN: problem with (us) clock is 21.3us increments
e0165dcf 1667 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
8ddfbc34 1668 WaitUS(16*8); //16 cycles on (8us each) // ICEMAN: problem with (us) clock is 21.3us increments
e0165dcf 1669 }
1670 }
e09f21fa 1671}
1672
1673void EM4xLogin(uint32_t Password) {
1674
e0165dcf 1675 uint8_t fwd_bit_count;
e0165dcf 1676 forward_ptr = forwardLink_data;
1677 fwd_bit_count = Prepare_Cmd( FWD_CMD_LOGIN );
1678 fwd_bit_count += Prepare_Data( Password&0xFFFF, Password>>16 );
e0165dcf 1679 SendForward(fwd_bit_count);
e09f21fa 1680
e0165dcf 1681 //Wait for command to complete
8ddfbc34 1682 WaitMS(20);
e09f21fa 1683}
1684
1685void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
1686
a739812e 1687 uint8_t fwd_bit_count;
e0165dcf 1688 uint8_t *dest = BigBuf_get_addr();
8ddfbc34 1689 uint16_t bufsize = BigBuf_max_traceLen(); // ICEMAN: this tries to fill up all tracelog space
b8f705e7 1690 uint32_t i = 0;
1691
c0f15a05 1692 // Clear destination buffer before sending the command
a739812e 1693 BigBuf_Clear_ext(false);
b8f705e7 1694
e0165dcf 1695 //If password mode do login
1696 if (PwdMode == 1) EM4xLogin(Pwd);
1697
1698 forward_ptr = forwardLink_data;
1699 fwd_bit_count = Prepare_Cmd( FWD_CMD_READ );
1700 fwd_bit_count += Prepare_Addr( Address );
1701
e0165dcf 1702 SendForward(fwd_bit_count);
1703
1704 // Now do the acquisition
8ddfbc34 1705 // ICEMAN, change to the one in lfsampling.c
e0165dcf 1706 i = 0;
1707 for(;;) {
1708 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
1709 AT91C_BASE_SSC->SSC_THR = 0x43;
1710 }
1711 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
1712 dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
b8f705e7 1713 ++i;
a739812e 1714 if (i >= bufsize) break;
e0165dcf 1715 }
1716 }
6a09bea4 1717
1718 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
b8f705e7 1719 cmd_send(CMD_ACK,0,0,0,0,0);
e0165dcf 1720 LED_D_OFF();
e09f21fa 1721}
1722
1723void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
1724
e0165dcf 1725 uint8_t fwd_bit_count;
e09f21fa 1726
e0165dcf 1727 //If password mode do login
1728 if (PwdMode == 1) EM4xLogin(Pwd);
e09f21fa 1729
e0165dcf 1730 forward_ptr = forwardLink_data;
1731 fwd_bit_count = Prepare_Cmd( FWD_CMD_WRITE );
1732 fwd_bit_count += Prepare_Addr( Address );
1733 fwd_bit_count += Prepare_Data( Data&0xFFFF, Data>>16 );
e09f21fa 1734
e0165dcf 1735 SendForward(fwd_bit_count);
e09f21fa 1736
e0165dcf 1737 //Wait for write to complete
8ddfbc34 1738 WaitMS(20);
e0165dcf 1739 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1740 LED_D_OFF();
e09f21fa 1741}
4653da43 1742
1743void Cotag() {
1744
507afbf3 1745#define OFF { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); WaitUS(2035); }
1746//#define WAIT2200 { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); WaitUS(2200); }
1747#define ON(x) { FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 89); FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); WaitUS((x)); }
4653da43 1748 LED_A_ON();
1749
1750 //clear buffer now so it does not interfere with timing later
b828a4e1 1751 BigBuf_Clear_ext(false);
4653da43 1752
1753 // Set up FPGA, 132kHz to power up the tag
1754 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1755 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 89);
1756 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
1757
1758 // Connect the A/D to the peak-detected low-frequency path.
1759 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1760
4653da43 1761 // Now set up the SSC to get the ADC samples that are now streaming at us.
1762 FpgaSetupSsc();
b828a4e1 1763
4653da43 1764 // start a 1.5ticks is 1us
1765 StartTicks();
1766
1767 //send start pulse
507afbf3 1768 ON(740) OFF
1769 ON(3330) OFF
1770 ON(740) OFF
1771 ON(1000)
1772
b828a4e1 1773/*
507afbf3 1774 ON(800) OFF
1775 ON(3600) OFF
1776 ON(800) OFF
1777 ON(1000)
b828a4e1 1778
1779burst 800 us, gap 2.2 msecs
1780burst 3.6 msecs gap 2.2 msecs
1781burst 800 us gap 2.2 msecs
1782pulse 3.6 msecs
1783*/
507afbf3 1784 DoAcquisition_config(FALSE);
4653da43 1785
1786 // Turn the field off
1787 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1788 cmd_send(CMD_ACK,0,0,0,0,0);
1789 LED_A_OFF();
1790}
Proxmark3 GIT tracking
Impressum, Datenschutz