]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/fpgaloader.c
hf mf dump bugfix: wrongly tried key A instead of key B for a specific Access Condition
[proxmark3-svn] / armsrc / fpgaloader.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
bd20f8f4 2// Jonathan Westhues, April 2006
62638f87 3// iZsh <izsh at fail0verflow.com>, 2014
bd20f8f4 4//
5// This code is licensed to you under the terms of the GNU GPL, version 2 or,
6// at your option, any later version. See the LICENSE.txt file for the text of
7// the license.
8//-----------------------------------------------------------------------------
15c4dc5a 9// Routines to load the FPGA image, and then to configure the FPGA's major
10// mode once it is configured.
15c4dc5a 11//-----------------------------------------------------------------------------
e30c654b 12#include "proxmark3.h"
15c4dc5a 13#include "apps.h"
f7e3ed82 14#include "util.h"
9ab7a6c7 15#include "string.h"
15c4dc5a 16
17//-----------------------------------------------------------------------------
18// Set up the Serial Peripheral Interface as master
19// Used to write the FPGA config word
20// May also be used to write to other SPI attached devices like an LCD
21//-----------------------------------------------------------------------------
22void SetupSpi(int mode)
23{
24 // PA10 -> SPI_NCS2 chip select (LCD)
25 // PA11 -> SPI_NCS0 chip select (FPGA)
26 // PA12 -> SPI_MISO Master-In Slave-Out
27 // PA13 -> SPI_MOSI Master-Out Slave-In
28 // PA14 -> SPI_SPCK Serial Clock
29
30 // Disable PIO control of the following pins, allows use by the SPI peripheral
31 AT91C_BASE_PIOA->PIO_PDR =
32 GPIO_NCS0 |
33 GPIO_NCS2 |
34 GPIO_MISO |
35 GPIO_MOSI |
36 GPIO_SPCK;
37
38 AT91C_BASE_PIOA->PIO_ASR =
39 GPIO_NCS0 |
40 GPIO_MISO |
41 GPIO_MOSI |
42 GPIO_SPCK;
43
44 AT91C_BASE_PIOA->PIO_BSR = GPIO_NCS2;
45
46 //enable the SPI Peripheral clock
47 AT91C_BASE_PMC->PMC_PCER = (1<<AT91C_ID_SPI);
48 // Enable SPI
49 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SPIEN;
50
51 switch (mode) {
52 case SPI_FPGA_MODE:
53 AT91C_BASE_SPI->SPI_MR =
54 ( 0 << 24) | // Delay between chip selects (take default: 6 MCK periods)
55 (14 << 16) | // Peripheral Chip Select (selects FPGA SPI_NCS0 or PA11)
56 ( 0 << 7) | // Local Loopback Disabled
57 ( 1 << 4) | // Mode Fault Detection disabled
58 ( 0 << 2) | // Chip selects connected directly to peripheral
59 ( 0 << 1) | // Fixed Peripheral Select
60 ( 1 << 0); // Master Mode
61 AT91C_BASE_SPI->SPI_CSR[0] =
62 ( 1 << 24) | // Delay between Consecutive Transfers (32 MCK periods)
63 ( 1 << 16) | // Delay Before SPCK (1 MCK period)
64 ( 6 << 8) | // Serial Clock Baud Rate (baudrate = MCK/6 = 24Mhz/6 = 4M baud
65 ( 8 << 4) | // Bits per Transfer (16 bits)
66 ( 0 << 3) | // Chip Select inactive after transfer
67 ( 1 << 1) | // Clock Phase data captured on leading edge, changes on following edge
68 ( 0 << 0); // Clock Polarity inactive state is logic 0
69 break;
70 case SPI_LCD_MODE:
71 AT91C_BASE_SPI->SPI_MR =
72 ( 0 << 24) | // Delay between chip selects (take default: 6 MCK periods)
73 (11 << 16) | // Peripheral Chip Select (selects LCD SPI_NCS2 or PA10)
74 ( 0 << 7) | // Local Loopback Disabled
75 ( 1 << 4) | // Mode Fault Detection disabled
76 ( 0 << 2) | // Chip selects connected directly to peripheral
77 ( 0 << 1) | // Fixed Peripheral Select
78 ( 1 << 0); // Master Mode
79 AT91C_BASE_SPI->SPI_CSR[2] =
80 ( 1 << 24) | // Delay between Consecutive Transfers (32 MCK periods)
81 ( 1 << 16) | // Delay Before SPCK (1 MCK period)
82 ( 6 << 8) | // Serial Clock Baud Rate (baudrate = MCK/6 = 24Mhz/6 = 4M baud
83 ( 1 << 4) | // Bits per Transfer (9 bits)
84 ( 0 << 3) | // Chip Select inactive after transfer
85 ( 1 << 1) | // Clock Phase data captured on leading edge, changes on following edge
86 ( 0 << 0); // Clock Polarity inactive state is logic 0
87 break;
88 default: // Disable SPI
89 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SPIDIS;
90 break;
91 }
92}
93
94//-----------------------------------------------------------------------------
95// Set up the synchronous serial port, with the one set of options that we
96// always use when we are talking to the FPGA. Both RX and TX are enabled.
97//-----------------------------------------------------------------------------
98void FpgaSetupSsc(void)
99{
100 // First configure the GPIOs, and get ourselves a clock.
101 AT91C_BASE_PIOA->PIO_ASR =
102 GPIO_SSC_FRAME |
103 GPIO_SSC_DIN |
104 GPIO_SSC_DOUT |
105 GPIO_SSC_CLK;
106 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;
107
108 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_SSC);
109
110 // Now set up the SSC proper, starting from a known state.
111 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
112
113 // RX clock comes from TX clock, RX starts when TX starts, data changes
114 // on RX clock rising edge, sampled on falling edge
115 AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(1) | SSC_CLOCK_MODE_START(1);
116
117 // 8 bits per transfer, no loopback, MSB first, 1 transfer per sync
d714d3ef 118 // pulse, no output sync
902cb3c0 119 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
15c4dc5a 120
121 // clock comes from TK pin, no clock output, outputs change on falling
d714d3ef 122 // edge of TK, sample on rising edge of TK, start on positive-going edge of sync
902cb3c0 123 AT91C_BASE_SSC->SSC_TCMR = SSC_CLOCK_MODE_SELECT(2) | SSC_CLOCK_MODE_START(5);
15c4dc5a 124
125 // tx framing is the same as the rx framing
126 AT91C_BASE_SSC->SSC_TFMR = AT91C_BASE_SSC->SSC_RFMR;
127
128 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_RXEN | AT91C_SSC_TXEN;
129}
130
131//-----------------------------------------------------------------------------
132// Set up DMA to receive samples from the FPGA. We will use the PDC, with
133// a single buffer as a circular buffer (so that we just chain back to
134// ourselves, not to another buffer). The stuff to manipulate those buffers
135// is in apps.h, because it should be inlined, for speed.
136//-----------------------------------------------------------------------------
d19929cb 137bool FpgaSetupSscDma(uint8_t *buf, int len)
15c4dc5a 138{
d19929cb 139 if (buf == NULL) {
140 return false;
141 }
142
7bc95e2e 143 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS; // Disable DMA Transfer
144 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) buf; // transfer to this memory address
145 AT91C_BASE_PDC_SSC->PDC_RCR = len; // transfer this many bytes
146 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) buf; // next transfer to same memory address
147 AT91C_BASE_PDC_SSC->PDC_RNCR = len; // ... with same number of bytes
148 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN; // go!
d19929cb 149
150 return true;
15c4dc5a 151}
152
153static void DownloadFPGA_byte(unsigned char w)
154{
155#define SEND_BIT(x) { if(w & (1<<x) ) HIGH(GPIO_FPGA_DIN); else LOW(GPIO_FPGA_DIN); HIGH(GPIO_FPGA_CCLK); LOW(GPIO_FPGA_CCLK); }
156 SEND_BIT(7);
157 SEND_BIT(6);
158 SEND_BIT(5);
159 SEND_BIT(4);
160 SEND_BIT(3);
161 SEND_BIT(2);
162 SEND_BIT(1);
163 SEND_BIT(0);
164}
165
166// Download the fpga image starting at FpgaImage and with length FpgaImageLen bytes
167// If bytereversal is set: reverse the byte order in each 4-byte word
168static void DownloadFPGA(const char *FpgaImage, int FpgaImageLen, int bytereversal)
169{
170 int i=0;
171
172 AT91C_BASE_PIOA->PIO_OER = GPIO_FPGA_ON;
173 AT91C_BASE_PIOA->PIO_PER = GPIO_FPGA_ON;
174 HIGH(GPIO_FPGA_ON); // ensure everything is powered on
175
176 SpinDelay(50);
177
178 LED_D_ON();
179
180 // These pins are inputs
181 AT91C_BASE_PIOA->PIO_ODR =
182 GPIO_FPGA_NINIT |
183 GPIO_FPGA_DONE;
184 // PIO controls the following pins
185 AT91C_BASE_PIOA->PIO_PER =
186 GPIO_FPGA_NINIT |
187 GPIO_FPGA_DONE;
188 // Enable pull-ups
189 AT91C_BASE_PIOA->PIO_PPUER =
190 GPIO_FPGA_NINIT |
191 GPIO_FPGA_DONE;
192
193 // setup initial logic state
194 HIGH(GPIO_FPGA_NPROGRAM);
195 LOW(GPIO_FPGA_CCLK);
196 LOW(GPIO_FPGA_DIN);
197 // These pins are outputs
198 AT91C_BASE_PIOA->PIO_OER =
199 GPIO_FPGA_NPROGRAM |
200 GPIO_FPGA_CCLK |
201 GPIO_FPGA_DIN;
202
203 // enter FPGA configuration mode
204 LOW(GPIO_FPGA_NPROGRAM);
205 SpinDelay(50);
206 HIGH(GPIO_FPGA_NPROGRAM);
207
208 i=100000;
209 // wait for FPGA ready to accept data signal
210 while ((i) && ( !(AT91C_BASE_PIOA->PIO_PDSR & GPIO_FPGA_NINIT ) ) ) {
211 i--;
212 }
213
214 // crude error indicator, leave both red LEDs on and return
215 if (i==0){
216 LED_C_ON();
217 LED_D_ON();
218 return;
219 }
220
221 if(bytereversal) {
f7e3ed82 222 /* This is only supported for uint32_t aligned images */
223 if( ((int)FpgaImage % sizeof(uint32_t)) == 0 ) {
15c4dc5a 224 i=0;
225 while(FpgaImageLen-->0)
226 DownloadFPGA_byte(FpgaImage[(i++)^0x3]);
e30c654b 227 /* Explanation of the magic in the above line:
15c4dc5a 228 * i^0x3 inverts the lower two bits of the integer i, counting backwards
229 * for each 4 byte increment. The generated sequence of (i++)^3 is
e30c654b 230 * 3 2 1 0 7 6 5 4 11 10 9 8 15 14 13 12 etc. pp.
15c4dc5a 231 */
232 }
233 } else {
234 while(FpgaImageLen-->0)
235 DownloadFPGA_byte(*FpgaImage++);
236 }
237
238 // continue to clock FPGA until ready signal goes high
239 i=100000;
240 while ( (i--) && ( !(AT91C_BASE_PIOA->PIO_PDSR & GPIO_FPGA_DONE ) ) ) {
241 HIGH(GPIO_FPGA_CCLK);
242 LOW(GPIO_FPGA_CCLK);
243 }
244 // crude error indicator, leave both red LEDs on and return
245 if (i==0){
246 LED_C_ON();
247 LED_D_ON();
248 return;
249 }
250 LED_D_OFF();
251}
252
253static char *bitparse_headers_start;
254static char *bitparse_bitstream_end;
7cc204bf 255static int bitparse_initialized = 0;
15c4dc5a 256/* Simple Xilinx .bit parser. The file starts with the fixed opaque byte sequence
257 * 00 09 0f f0 0f f0 0f f0 0f f0 00 00 01
258 * After that the format is 1 byte section type (ASCII character), 2 byte length
259 * (big endian), <length> bytes content. Except for section 'e' which has 4 bytes
260 * length.
261 */
262static const char _bitparse_fixed_header[] = {0x00, 0x09, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x00, 0x00, 0x01};
263static int bitparse_init(void * start_address, void *end_address)
264{
265 bitparse_initialized = 0;
e30c654b 266
15c4dc5a 267 if(memcmp(_bitparse_fixed_header, start_address, sizeof(_bitparse_fixed_header)) != 0) {
268 return 0; /* Not matched */
269 } else {
270 bitparse_headers_start= ((char*)start_address) + sizeof(_bitparse_fixed_header);
271 bitparse_bitstream_end= (char*)end_address;
272 bitparse_initialized = 1;
273 return 1;
274 }
275}
276
277int bitparse_find_section(char section_name, char **section_start, unsigned int *section_length)
278{
279 char *pos = bitparse_headers_start;
280 int result = 0;
281
282 if(!bitparse_initialized) return 0;
283
284 while(pos < bitparse_bitstream_end) {
285 char current_name = *pos++;
286 unsigned int current_length = 0;
287 if(current_name < 'a' || current_name > 'e') {
288 /* Strange section name, abort */
289 break;
290 }
291 current_length = 0;
292 switch(current_name) {
293 case 'e':
294 /* Four byte length field */
295 current_length += (*pos++) << 24;
296 current_length += (*pos++) << 16;
297 default: /* Fall through, two byte length field */
298 current_length += (*pos++) << 8;
299 current_length += (*pos++) << 0;
300 }
e30c654b 301
15c4dc5a 302 if(current_name != 'e' && current_length > 255) {
303 /* Maybe a parse error */
304 break;
305 }
e30c654b 306
15c4dc5a 307 if(current_name == section_name) {
308 /* Found it */
309 *section_start = pos;
310 *section_length = current_length;
311 result = 1;
312 break;
313 }
e30c654b 314
15c4dc5a 315 pos += current_length; /* Skip section */
316 }
e30c654b 317
15c4dc5a 318 return result;
319}
320
321//-----------------------------------------------------------------------------
322// Find out which FPGA image format is stored in flash, then call DownloadFPGA
323// with the right parameters to download the image
324//-----------------------------------------------------------------------------
7cc204bf 325extern char _binary_fpga_lf_bit_start, _binary_fpga_lf_bit_end;
326extern char _binary_fpga_hf_bit_start, _binary_fpga_hf_bit_end;
327void FpgaDownloadAndGo(int bitstream_version)
15c4dc5a 328{
7cc204bf 329 void *bit_start;
330 void *bit_end;
331
332 // check whether or not the bitstream is already loaded
333 if (FpgaGatherBitstreamVersion() == bitstream_version)
334 return;
335
336 if (bitstream_version == FPGA_BITSTREAM_LF) {
337 bit_start = &_binary_fpga_lf_bit_start;
338 bit_end = &_binary_fpga_lf_bit_end;
339 } else if (bitstream_version == FPGA_BITSTREAM_HF) {
340 bit_start = &_binary_fpga_hf_bit_start;
341 bit_end = &_binary_fpga_hf_bit_end;
342 } else
343 return;
15c4dc5a 344 /* Check for the new flash image format: Should have the .bit file at &_binary_fpga_bit_start
345 */
7cc204bf 346 if(bitparse_init(bit_start, bit_end)) {
15c4dc5a 347 /* Successfully initialized the .bit parser. Find the 'e' section and
348 * send its contents to the FPGA.
349 */
350 char *bitstream_start;
351 unsigned int bitstream_length;
352 if(bitparse_find_section('e', &bitstream_start, &bitstream_length)) {
353 DownloadFPGA(bitstream_start, bitstream_length, 0);
e30c654b 354
15c4dc5a 355 return; /* All done */
356 }
357 }
e30c654b 358
15c4dc5a 359 /* Fallback for the old flash image format: Check for the magic marker 0xFFFFFFFF
e30c654b 360 * 0xAA995566 at address 0x102000. This is raw bitstream with a size of 336,768 bits
f7e3ed82 361 * = 10,524 uint32_t, stored as uint32_t e.g. little-endian in memory, but each DWORD
15c4dc5a 362 * is still to be transmitted in MSBit first order. Set the invert flag to indicate
363 * that the DownloadFPGA function should invert every 4 byte sequence when doing
364 * the bytewise download.
365 */
f7e3ed82 366 if( *(uint32_t*)0x102000 == 0xFFFFFFFF && *(uint32_t*)0x102004 == 0xAA995566 )
15c4dc5a 367 DownloadFPGA((char*)0x102000, 10524*4, 1);
368}
369
7cc204bf 370int FpgaGatherBitstreamVersion()
371{
372 char temp[256];
373 FpgaGatherVersion(temp, sizeof (temp));
374 if (!memcmp("LF", temp, 2))
375 return FPGA_BITSTREAM_LF;
376 else if (!memcmp("HF", temp, 2))
377 return FPGA_BITSTREAM_HF;
378 return FPGA_BITSTREAM_ERR;
379}
380
15c4dc5a 381void FpgaGatherVersion(char *dst, int len)
382{
e30c654b 383 char *fpga_info;
15c4dc5a 384 unsigned int fpga_info_len;
385 dst[0] = 0;
386 if(!bitparse_find_section('e', &fpga_info, &fpga_info_len)) {
387 strncat(dst, "FPGA image: legacy image without version information", len-1);
388 } else {
15c4dc5a 389 /* USB packets only have 48 bytes data payload, so be terse */
15c4dc5a 390 if(bitparse_find_section('a', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) {
7cc204bf 391 if (!memcmp("fpga_lf", fpga_info, 7))
392 strncat(dst, "LF ", len-1);
393 else if (!memcmp("fpga_hf", fpga_info, 7))
394 strncat(dst, "HF ", len-1);
15c4dc5a 395 }
7cc204bf 396 strncat(dst, "FPGA image built", len-1);
397#if 0
15c4dc5a 398 if(bitparse_find_section('b', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) {
399 strncat(dst, " for ", len-1);
400 strncat(dst, fpga_info, len-1);
401 }
402#endif
403 if(bitparse_find_section('c', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) {
404 strncat(dst, " on ", len-1);
405 strncat(dst, fpga_info, len-1);
406 }
407 if(bitparse_find_section('d', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) {
408 strncat(dst, " at ", len-1);
409 strncat(dst, fpga_info, len-1);
410 }
411 }
412}
413
414//-----------------------------------------------------------------------------
415// Send a 16 bit command/data pair to the FPGA.
416// The bit format is: C3 C2 C1 C0 D11 D10 D9 D8 D7 D6 D5 D4 D3 D2 D1 D0
417// where C is the 4 bit command and D is the 12 bit data
418//-----------------------------------------------------------------------------
f7e3ed82 419void FpgaSendCommand(uint16_t cmd, uint16_t v)
15c4dc5a 420{
421 SetupSpi(SPI_FPGA_MODE);
422 while ((AT91C_BASE_SPI->SPI_SR & AT91C_SPI_TXEMPTY) == 0); // wait for the transfer to complete
423 AT91C_BASE_SPI->SPI_TDR = AT91C_SPI_LASTXFER | cmd | v; // send the data
424}
425//-----------------------------------------------------------------------------
426// Write the FPGA setup word (that determines what mode the logic is in, read
427// vs. clone vs. etc.). This is now a special case of FpgaSendCommand() to
428// avoid changing this function's occurence everywhere in the source code.
429//-----------------------------------------------------------------------------
f7e3ed82 430void FpgaWriteConfWord(uint8_t v)
15c4dc5a 431{
432 FpgaSendCommand(FPGA_CMD_SET_CONFREG, v);
433}
434
435//-----------------------------------------------------------------------------
436// Set up the CMOS switches that mux the ADC: four switches, independently
437// closable, but should only close one at a time. Not an FPGA thing, but
438// the samples from the ADC always flow through the FPGA.
439//-----------------------------------------------------------------------------
f7e3ed82 440void SetAdcMuxFor(uint32_t whichGpio)
15c4dc5a 441{
442 AT91C_BASE_PIOA->PIO_OER =
443 GPIO_MUXSEL_HIPKD |
444 GPIO_MUXSEL_LOPKD |
445 GPIO_MUXSEL_LORAW |
446 GPIO_MUXSEL_HIRAW;
447
448 AT91C_BASE_PIOA->PIO_PER =
449 GPIO_MUXSEL_HIPKD |
450 GPIO_MUXSEL_LOPKD |
451 GPIO_MUXSEL_LORAW |
452 GPIO_MUXSEL_HIRAW;
453
454 LOW(GPIO_MUXSEL_HIPKD);
455 LOW(GPIO_MUXSEL_HIRAW);
456 LOW(GPIO_MUXSEL_LORAW);
457 LOW(GPIO_MUXSEL_LOPKD);
458
459 HIGH(whichGpio);
460}
Impressum, Datenschutz