]> git.zerfleddert.de Git - proxmark3-svn/blame_incremental - armsrc/lfops.c
Added undec to un-decimate data on the client side, so we can use all those sweet...
[proxmark3-svn] / armsrc / lfops.c
... / ...
CommitLineData
1//-----------------------------------------------------------------------------
2// This code is licensed to you under the terms of the GNU GPL, version 2 or,
3// at your option, any later version. See the LICENSE.txt file for the text of
4// the license.
5//-----------------------------------------------------------------------------
6// Miscellaneous routines for low frequency tag operations.
7// Tags supported here so far are Texas Instruments (TI), HID
8// Also routines for raw mode reading/simulating of LF waveform
9//-----------------------------------------------------------------------------
10
11#include "proxmark3.h"
12#include "apps.h"
13#include "util.h"
14#include "hitag2.h"
15#include "crc16.h"
16#include "string.h"
17#include "lfdemod.h"
18#include "lfsampling.h"
19
20
21/**
22 * Function to do a modulation and then get samples.
23 * @param delay_off
24 * @param period_0
25 * @param period_1
26 * @param command
27 */
28void ModThenAcquireRawAdcSamples125k(int delay_off, int period_0, int period_1, uint8_t *command)
29{
30
31 int divisor_used = 95; // 125 KHz
32 // see if 'h' was specified
33
34 if (command[strlen((char *) command) - 1] == 'h')
35 divisor_used = 88; // 134.8 KHz
36
37 sample_config sc = { 0,0,1, divisor_used, 0};
38 setSamplingConfig(&sc);
39
40 /* Make sure the tag is reset */
41 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
42 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
43 SpinDelay(2500);
44
45 LFSetupFPGAForADC(sc.divisor, 1);
46
47 // And a little more time for the tag to fully power up
48 SpinDelay(2000);
49
50 // now modulate the reader field
51 while(*command != '\0' && *command != ' ') {
52 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
53 LED_D_OFF();
54 SpinDelayUs(delay_off);
55 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc.divisor);
56
57 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
58 LED_D_ON();
59 if(*(command++) == '0')
60 SpinDelayUs(period_0);
61 else
62 SpinDelayUs(period_1);
63 }
64 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
65 LED_D_OFF();
66 SpinDelayUs(delay_off);
67 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc.divisor);
68
69 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
70
71 // now do the read
72 DoAcquisition_config(false);
73}
74
75
76
77/* blank r/w tag data stream
78...0000000000000000 01111111
791010101010101010101010101010101010101010101010101010101010101010
800011010010100001
8101111111
82101010101010101[0]000...
83
84[5555fe852c5555555555555555fe0000]
85*/
86void ReadTItag(void)
87{
88 // some hardcoded initial params
89 // when we read a TI tag we sample the zerocross line at 2Mhz
90 // TI tags modulate a 1 as 16 cycles of 123.2Khz
91 // TI tags modulate a 0 as 16 cycles of 134.2Khz
92 #define FSAMPLE 2000000
93 #define FREQLO 123200
94 #define FREQHI 134200
95
96 signed char *dest = (signed char *)BigBuf;
97 int n = sizeof(BigBuf);
98 // 128 bit shift register [shift3:shift2:shift1:shift0]
99 uint32_t shift3 = 0, shift2 = 0, shift1 = 0, shift0 = 0;
100
101 int i, cycles=0, samples=0;
102 // how many sample points fit in 16 cycles of each frequency
103 uint32_t sampleslo = (FSAMPLE<<4)/FREQLO, sampleshi = (FSAMPLE<<4)/FREQHI;
104 // when to tell if we're close enough to one freq or another
105 uint32_t threshold = (sampleslo - sampleshi + 1)>>1;
106
107 // TI tags charge at 134.2Khz
108 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
109 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
110
111 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
112 // connects to SSP_DIN and the SSP_DOUT logic level controls
113 // whether we're modulating the antenna (high)
114 // or listening to the antenna (low)
115 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
116
117 // get TI tag data into the buffer
118 AcquireTiType();
119
120 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
121
122 for (i=0; i<n-1; i++) {
123 // count cycles by looking for lo to hi zero crossings
124 if ( (dest[i]<0) && (dest[i+1]>0) ) {
125 cycles++;
126 // after 16 cycles, measure the frequency
127 if (cycles>15) {
128 cycles=0;
129 samples=i-samples; // number of samples in these 16 cycles
130
131 // TI bits are coming to us lsb first so shift them
132 // right through our 128 bit right shift register
133 shift0 = (shift0>>1) | (shift1 << 31);
134 shift1 = (shift1>>1) | (shift2 << 31);
135 shift2 = (shift2>>1) | (shift3 << 31);
136 shift3 >>= 1;
137
138 // check if the cycles fall close to the number
139 // expected for either the low or high frequency
140 if ( (samples>(sampleslo-threshold)) && (samples<(sampleslo+threshold)) ) {
141 // low frequency represents a 1
142 shift3 |= (1<<31);
143 } else if ( (samples>(sampleshi-threshold)) && (samples<(sampleshi+threshold)) ) {
144 // high frequency represents a 0
145 } else {
146 // probably detected a gay waveform or noise
147 // use this as gaydar or discard shift register and start again
148 shift3 = shift2 = shift1 = shift0 = 0;
149 }
150 samples = i;
151
152 // for each bit we receive, test if we've detected a valid tag
153
154 // if we see 17 zeroes followed by 6 ones, we might have a tag
155 // remember the bits are backwards
156 if ( ((shift0 & 0x7fffff) == 0x7e0000) ) {
157 // if start and end bytes match, we have a tag so break out of the loop
158 if ( ((shift0>>16)&0xff) == ((shift3>>8)&0xff) ) {
159 cycles = 0xF0B; //use this as a flag (ugly but whatever)
160 break;
161 }
162 }
163 }
164 }
165 }
166
167 // if flag is set we have a tag
168 if (cycles!=0xF0B) {
169 DbpString("Info: No valid tag detected.");
170 } else {
171 // put 64 bit data into shift1 and shift0
172 shift0 = (shift0>>24) | (shift1 << 8);
173 shift1 = (shift1>>24) | (shift2 << 8);
174
175 // align 16 bit crc into lower half of shift2
176 shift2 = ((shift2>>24) | (shift3 << 8)) & 0x0ffff;
177
178 // if r/w tag, check ident match
179 if (shift3 & (1<<15) ) {
180 DbpString("Info: TI tag is rewriteable");
181 // only 15 bits compare, last bit of ident is not valid
182 if (((shift3 >> 16) ^ shift0) & 0x7fff ) {
183 DbpString("Error: Ident mismatch!");
184 } else {
185 DbpString("Info: TI tag ident is valid");
186 }
187 } else {
188 DbpString("Info: TI tag is readonly");
189 }
190
191 // WARNING the order of the bytes in which we calc crc below needs checking
192 // i'm 99% sure the crc algorithm is correct, but it may need to eat the
193 // bytes in reverse or something
194 // calculate CRC
195 uint32_t crc=0;
196
197 crc = update_crc16(crc, (shift0)&0xff);
198 crc = update_crc16(crc, (shift0>>8)&0xff);
199 crc = update_crc16(crc, (shift0>>16)&0xff);
200 crc = update_crc16(crc, (shift0>>24)&0xff);
201 crc = update_crc16(crc, (shift1)&0xff);
202 crc = update_crc16(crc, (shift1>>8)&0xff);
203 crc = update_crc16(crc, (shift1>>16)&0xff);
204 crc = update_crc16(crc, (shift1>>24)&0xff);
205
206 Dbprintf("Info: Tag data: %x%08x, crc=%x",
207 (unsigned int)shift1, (unsigned int)shift0, (unsigned int)shift2 & 0xFFFF);
208 if (crc != (shift2&0xffff)) {
209 Dbprintf("Error: CRC mismatch, expected %x", (unsigned int)crc);
210 } else {
211 DbpString("Info: CRC is good");
212 }
213 }
214}
215
216void WriteTIbyte(uint8_t b)
217{
218 int i = 0;
219
220 // modulate 8 bits out to the antenna
221 for (i=0; i<8; i++)
222 {
223 if (b&(1<<i)) {
224 // stop modulating antenna
225 LOW(GPIO_SSC_DOUT);
226 SpinDelayUs(1000);
227 // modulate antenna
228 HIGH(GPIO_SSC_DOUT);
229 SpinDelayUs(1000);
230 } else {
231 // stop modulating antenna
232 LOW(GPIO_SSC_DOUT);
233 SpinDelayUs(300);
234 // modulate antenna
235 HIGH(GPIO_SSC_DOUT);
236 SpinDelayUs(1700);
237 }
238 }
239}
240
241void AcquireTiType(void)
242{
243 int i, j, n;
244 // tag transmission is <20ms, sampling at 2M gives us 40K samples max
245 // each sample is 1 bit stuffed into a uint32_t so we need 1250 uint32_t
246 #define TIBUFLEN 1250
247
248 // clear buffer
249 memset(BigBuf,0,sizeof(BigBuf));
250
251 // Set up the synchronous serial port
252 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DIN;
253 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN;
254
255 // steal this pin from the SSP and use it to control the modulation
256 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
257 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
258
259 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
260 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_RXEN | AT91C_SSC_TXEN;
261
262 // Sample at 2 Mbit/s, so TI tags are 16.2 vs. 14.9 clocks long
263 // 48/2 = 24 MHz clock must be divided by 12
264 AT91C_BASE_SSC->SSC_CMR = 12;
265
266 AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(0);
267 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(32) | AT91C_SSC_MSBF;
268 AT91C_BASE_SSC->SSC_TCMR = 0;
269 AT91C_BASE_SSC->SSC_TFMR = 0;
270
271 LED_D_ON();
272
273 // modulate antenna
274 HIGH(GPIO_SSC_DOUT);
275
276 // Charge TI tag for 50ms.
277 SpinDelay(50);
278
279 // stop modulating antenna and listen
280 LOW(GPIO_SSC_DOUT);
281
282 LED_D_OFF();
283
284 i = 0;
285 for(;;) {
286 if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
287 BigBuf[i] = AT91C_BASE_SSC->SSC_RHR; // store 32 bit values in buffer
288 i++; if(i >= TIBUFLEN) break;
289 }
290 WDT_HIT();
291 }
292
293 // return stolen pin to SSP
294 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;
295 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN | GPIO_SSC_DOUT;
296
297 char *dest = (char *)BigBuf;
298 n = TIBUFLEN*32;
299 // unpack buffer
300 for (i=TIBUFLEN-1; i>=0; i--) {
301 for (j=0; j<32; j++) {
302 if(BigBuf[i] & (1 << j)) {
303 dest[--n] = 1;
304 } else {
305 dest[--n] = -1;
306 }
307 }
308 }
309}
310
311// arguments: 64bit data split into 32bit idhi:idlo and optional 16bit crc
312// if crc provided, it will be written with the data verbatim (even if bogus)
313// if not provided a valid crc will be computed from the data and written.
314void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc)
315{
316 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
317 if(crc == 0) {
318 crc = update_crc16(crc, (idlo)&0xff);
319 crc = update_crc16(crc, (idlo>>8)&0xff);
320 crc = update_crc16(crc, (idlo>>16)&0xff);
321 crc = update_crc16(crc, (idlo>>24)&0xff);
322 crc = update_crc16(crc, (idhi)&0xff);
323 crc = update_crc16(crc, (idhi>>8)&0xff);
324 crc = update_crc16(crc, (idhi>>16)&0xff);
325 crc = update_crc16(crc, (idhi>>24)&0xff);
326 }
327 Dbprintf("Writing to tag: %x%08x, crc=%x",
328 (unsigned int) idhi, (unsigned int) idlo, crc);
329
330 // TI tags charge at 134.2Khz
331 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
332 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
333 // connects to SSP_DIN and the SSP_DOUT logic level controls
334 // whether we're modulating the antenna (high)
335 // or listening to the antenna (low)
336 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
337 LED_A_ON();
338
339 // steal this pin from the SSP and use it to control the modulation
340 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
341 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
342
343 // writing algorithm:
344 // a high bit consists of a field off for 1ms and field on for 1ms
345 // a low bit consists of a field off for 0.3ms and field on for 1.7ms
346 // initiate a charge time of 50ms (field on) then immediately start writing bits
347 // start by writing 0xBB (keyword) and 0xEB (password)
348 // then write 80 bits of data (or 64 bit data + 16 bit crc if you prefer)
349 // finally end with 0x0300 (write frame)
350 // all data is sent lsb firts
351 // finish with 15ms programming time
352
353 // modulate antenna
354 HIGH(GPIO_SSC_DOUT);
355 SpinDelay(50); // charge time
356
357 WriteTIbyte(0xbb); // keyword
358 WriteTIbyte(0xeb); // password
359 WriteTIbyte( (idlo )&0xff );
360 WriteTIbyte( (idlo>>8 )&0xff );
361 WriteTIbyte( (idlo>>16)&0xff );
362 WriteTIbyte( (idlo>>24)&0xff );
363 WriteTIbyte( (idhi )&0xff );
364 WriteTIbyte( (idhi>>8 )&0xff );
365 WriteTIbyte( (idhi>>16)&0xff );
366 WriteTIbyte( (idhi>>24)&0xff ); // data hi to lo
367 WriteTIbyte( (crc )&0xff ); // crc lo
368 WriteTIbyte( (crc>>8 )&0xff ); // crc hi
369 WriteTIbyte(0x00); // write frame lo
370 WriteTIbyte(0x03); // write frame hi
371 HIGH(GPIO_SSC_DOUT);
372 SpinDelay(50); // programming time
373
374 LED_A_OFF();
375
376 // get TI tag data into the buffer
377 AcquireTiType();
378
379 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
380 DbpString("Now use tiread to check");
381}
382
383void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
384{
385 int i;
386 uint8_t *tab = (uint8_t *)BigBuf;
387
388 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
389 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
390
391 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK;
392
393 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
394 AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK;
395
396#define SHORT_COIL() LOW(GPIO_SSC_DOUT)
397#define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
398
399 i = 0;
400 for(;;) {
401 while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {
402 if(BUTTON_PRESS()) {
403 DbpString("Stopped");
404 return;
405 }
406 WDT_HIT();
407 }
408
409 if (ledcontrol)
410 LED_D_ON();
411
412 if(tab[i])
413 OPEN_COIL();
414 else
415 SHORT_COIL();
416
417 if (ledcontrol)
418 LED_D_OFF();
419
420 while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) {
421 if(BUTTON_PRESS()) {
422 DbpString("Stopped");
423 return;
424 }
425 WDT_HIT();
426 }
427
428 i++;
429 if(i == period) {
430 i = 0;
431 if (gap) {
432 SHORT_COIL();
433 SpinDelayUs(gap);
434 }
435 }
436 }
437}
438
439#define DEBUG_FRAME_CONTENTS 1
440void SimulateTagLowFrequencyBidir(int divisor, int t0)
441{
442}
443
444// compose fc/8 fc/10 waveform
445static void fc(int c, int *n) {
446 uint8_t *dest = (uint8_t *)BigBuf;
447 int idx;
448
449 // for when we want an fc8 pattern every 4 logical bits
450 if(c==0) {
451 dest[((*n)++)]=1;
452 dest[((*n)++)]=1;
453 dest[((*n)++)]=0;
454 dest[((*n)++)]=0;
455 dest[((*n)++)]=0;
456 dest[((*n)++)]=0;
457 dest[((*n)++)]=0;
458 dest[((*n)++)]=0;
459 }
460 // an fc/8 encoded bit is a bit pattern of 11000000 x6 = 48 samples
461 if(c==8) {
462 for (idx=0; idx<6; idx++) {
463 dest[((*n)++)]=1;
464 dest[((*n)++)]=1;
465 dest[((*n)++)]=0;
466 dest[((*n)++)]=0;
467 dest[((*n)++)]=0;
468 dest[((*n)++)]=0;
469 dest[((*n)++)]=0;
470 dest[((*n)++)]=0;
471 }
472 }
473
474 // an fc/10 encoded bit is a bit pattern of 1110000000 x5 = 50 samples
475 if(c==10) {
476 for (idx=0; idx<5; idx++) {
477 dest[((*n)++)]=1;
478 dest[((*n)++)]=1;
479 dest[((*n)++)]=1;
480 dest[((*n)++)]=0;
481 dest[((*n)++)]=0;
482 dest[((*n)++)]=0;
483 dest[((*n)++)]=0;
484 dest[((*n)++)]=0;
485 dest[((*n)++)]=0;
486 dest[((*n)++)]=0;
487 }
488 }
489}
490
491// prepare a waveform pattern in the buffer based on the ID given then
492// simulate a HID tag until the button is pressed
493void CmdHIDsimTAG(int hi, int lo, int ledcontrol)
494{
495 int n=0, i=0;
496 /*
497 HID tag bitstream format
498 The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits
499 A 1 bit is represented as 6 fc8 and 5 fc10 patterns
500 A 0 bit is represented as 5 fc10 and 6 fc8 patterns
501 A fc8 is inserted before every 4 bits
502 A special start of frame pattern is used consisting a0b0 where a and b are neither 0
503 nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10)
504 */
505
506 if (hi>0xFFF) {
507 DbpString("Tags can only have 44 bits.");
508 return;
509 }
510 fc(0,&n);
511 // special start of frame marker containing invalid bit sequences
512 fc(8, &n); fc(8, &n); // invalid
513 fc(8, &n); fc(10, &n); // logical 0
514 fc(10, &n); fc(10, &n); // invalid
515 fc(8, &n); fc(10, &n); // logical 0
516
517 WDT_HIT();
518 // manchester encode bits 43 to 32
519 for (i=11; i>=0; i--) {
520 if ((i%4)==3) fc(0,&n);
521 if ((hi>>i)&1) {
522 fc(10, &n); fc(8, &n); // low-high transition
523 } else {
524 fc(8, &n); fc(10, &n); // high-low transition
525 }
526 }
527
528 WDT_HIT();
529 // manchester encode bits 31 to 0
530 for (i=31; i>=0; i--) {
531 if ((i%4)==3) fc(0,&n);
532 if ((lo>>i)&1) {
533 fc(10, &n); fc(8, &n); // low-high transition
534 } else {
535 fc(8, &n); fc(10, &n); // high-low transition
536 }
537 }
538
539 if (ledcontrol)
540 LED_A_ON();
541 SimulateTagLowFrequency(n, 0, ledcontrol);
542
543 if (ledcontrol)
544 LED_A_OFF();
545}
546
547// loop to get raw HID waveform then FSK demodulate the TAG ID from it
548void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
549{
550 uint8_t *dest = (uint8_t *)BigBuf;
551
552 size_t size=0; //, found=0;
553 uint32_t hi2=0, hi=0, lo=0;
554
555 // Configure to go in 125Khz listen mode
556 LFSetupFPGAForADC(95, true);
557
558 while(!BUTTON_PRESS()) {
559
560 WDT_HIT();
561 if (ledcontrol) LED_A_ON();
562
563 DoAcquisition_default(-1,true);
564 // FSK demodulator
565 size = HIDdemodFSK(dest, sizeof(BigBuf), &hi2, &hi, &lo);
566
567 WDT_HIT();
568
569 if (size>0 && lo>0){
570 // final loop, go over previously decoded manchester data and decode into usable tag ID
571 // 111000 bit pattern represent start of frame, 01 pattern represents a 1 and 10 represents a 0
572 if (hi2 != 0){ //extra large HID tags
573 Dbprintf("TAG ID: %x%08x%08x (%d)",
574 (unsigned int) hi2, (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
575 }else { //standard HID tags <38 bits
576 //Dbprintf("TAG ID: %x%08x (%d)",(unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); //old print cmd
577 uint8_t bitlen = 0;
578 uint32_t fc = 0;
579 uint32_t cardnum = 0;
580 if (((hi>>5)&1) == 1){//if bit 38 is set then < 37 bit format is used
581 uint32_t lo2=0;
582 lo2=(((hi & 31) << 12) | (lo>>20)); //get bits 21-37 to check for format len bit
583 uint8_t idx3 = 1;
584 while(lo2 > 1){ //find last bit set to 1 (format len bit)
585 lo2=lo2 >> 1;
586 idx3++;
587 }
588 bitlen = idx3+19;
589 fc =0;
590 cardnum=0;
591 if(bitlen == 26){
592 cardnum = (lo>>1)&0xFFFF;
593 fc = (lo>>17)&0xFF;
594 }
595 if(bitlen == 37){
596 cardnum = (lo>>1)&0x7FFFF;
597 fc = ((hi&0xF)<<12)|(lo>>20);
598 }
599 if(bitlen == 34){
600 cardnum = (lo>>1)&0xFFFF;
601 fc= ((hi&1)<<15)|(lo>>17);
602 }
603 if(bitlen == 35){
604 cardnum = (lo>>1)&0xFFFFF;
605 fc = ((hi&1)<<11)|(lo>>21);
606 }
607 }
608 else { //if bit 38 is not set then 37 bit format is used
609 bitlen= 37;
610 fc =0;
611 cardnum=0;
612 if(bitlen==37){
613 cardnum = (lo>>1)&0x7FFFF;
614 fc = ((hi&0xF)<<12)|(lo>>20);
615 }
616 }
617 //Dbprintf("TAG ID: %x%08x (%d)",
618 // (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
619 Dbprintf("TAG ID: %x%08x (%d) - Format Len: %dbit - FC: %d - Card: %d",
620 (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF,
621 (unsigned int) bitlen, (unsigned int) fc, (unsigned int) cardnum);
622 }
623 if (findone){
624 if (ledcontrol) LED_A_OFF();
625 return;
626 }
627 // reset
628 hi2 = hi = lo = 0;
629 }
630 WDT_HIT();
631 }
632 DbpString("Stopped");
633 if (ledcontrol) LED_A_OFF();
634}
635
636void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol)
637{
638 uint8_t *dest = (uint8_t *)BigBuf;
639
640 size_t size=0;
641 int clk=0, invert=0, errCnt=0;
642 uint64_t lo=0;
643 // Configure to go in 125Khz listen mode
644 LFSetupFPGAForADC(95, true);
645
646 while(!BUTTON_PRESS()) {
647
648 WDT_HIT();
649 if (ledcontrol) LED_A_ON();
650
651 DoAcquisition_default(-1,true);
652 size = sizeof(BigBuf);
653 //Dbprintf("DEBUG: Buffer got");
654 //askdemod and manchester decode
655 errCnt = askmandemod(dest, &size, &clk, &invert);
656 //Dbprintf("DEBUG: ASK Got");
657 WDT_HIT();
658
659 if (errCnt>=0){
660 lo = Em410xDecode(dest,size);
661 //Dbprintf("DEBUG: EM GOT");
662 if (lo>0){
663 Dbprintf("EM TAG ID: %02x%08x - (%05d_%03d_%08d)",
664 (uint32_t)(lo>>32),
665 (uint32_t)lo,
666 (uint32_t)(lo&0xFFFF),
667 (uint32_t)((lo>>16LL) & 0xFF),
668 (uint32_t)(lo & 0xFFFFFF));
669 }
670 if (findone){
671 if (ledcontrol) LED_A_OFF();
672 return;
673 }
674 } else{
675 //Dbprintf("DEBUG: No Tag");
676 }
677 WDT_HIT();
678 lo = 0;
679 clk=0;
680 invert=0;
681 errCnt=0;
682 size=0;
683 }
684 DbpString("Stopped");
685 if (ledcontrol) LED_A_OFF();
686}
687
688void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
689{
690 uint8_t *dest = (uint8_t *)BigBuf;
691 int idx=0;
692 uint32_t code=0, code2=0;
693 uint8_t version=0;
694 uint8_t facilitycode=0;
695 uint16_t number=0;
696 // Configure to go in 125Khz listen mode
697 LFSetupFPGAForADC(95, true);
698
699 while(!BUTTON_PRESS()) {
700 WDT_HIT();
701 if (ledcontrol) LED_A_ON();
702 DoAcquisition_default(-1,true);
703 //fskdemod and get start index
704 WDT_HIT();
705 idx = IOdemodFSK(dest,sizeof(BigBuf));
706 if (idx>0){
707 //valid tag found
708
709 //Index map
710 //0 10 20 30 40 50 60
711 //| | | | | | |
712 //01234567 8 90123456 7 89012345 6 78901234 5 67890123 4 56789012 3 45678901 23
713 //-----------------------------------------------------------------------------
714 //00000000 0 11110000 1 facility 1 version* 1 code*one 1 code*two 1 ???????? 11
715 //
716 //XSF(version)facility:codeone+codetwo
717 //Handle the data
718 if(findone){ //only print binary if we are doing one
719 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx], dest[idx+1], dest[idx+2],dest[idx+3],dest[idx+4],dest[idx+5],dest[idx+6],dest[idx+7],dest[idx+8]);
720 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+9], dest[idx+10],dest[idx+11],dest[idx+12],dest[idx+13],dest[idx+14],dest[idx+15],dest[idx+16],dest[idx+17]);
721 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+18],dest[idx+19],dest[idx+20],dest[idx+21],dest[idx+22],dest[idx+23],dest[idx+24],dest[idx+25],dest[idx+26]);
722 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+27],dest[idx+28],dest[idx+29],dest[idx+30],dest[idx+31],dest[idx+32],dest[idx+33],dest[idx+34],dest[idx+35]);
723 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+36],dest[idx+37],dest[idx+38],dest[idx+39],dest[idx+40],dest[idx+41],dest[idx+42],dest[idx+43],dest[idx+44]);
724 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+45],dest[idx+46],dest[idx+47],dest[idx+48],dest[idx+49],dest[idx+50],dest[idx+51],dest[idx+52],dest[idx+53]);
725 Dbprintf("%d%d%d%d%d%d%d%d %d%d",dest[idx+54],dest[idx+55],dest[idx+56],dest[idx+57],dest[idx+58],dest[idx+59],dest[idx+60],dest[idx+61],dest[idx+62],dest[idx+63]);
726 }
727 code = bytebits_to_byte(dest+idx,32);
728 code2 = bytebits_to_byte(dest+idx+32,32);
729 version = bytebits_to_byte(dest+idx+27,8); //14,4
730 facilitycode = bytebits_to_byte(dest+idx+18,8) ;
731 number = (bytebits_to_byte(dest+idx+36,8)<<8)|(bytebits_to_byte(dest+idx+45,8)); //36,9
732
733 Dbprintf("XSF(%02d)%02x:%05d (%08x%08x)",version,facilitycode,number,code,code2);
734 // if we're only looking for one tag
735 if (findone){
736 if (ledcontrol) LED_A_OFF();
737 //LED_A_OFF();
738 return;
739 }
740 code=code2=0;
741 version=facilitycode=0;
742 number=0;
743 idx=0;
744 }
745 WDT_HIT();
746 }
747 DbpString("Stopped");
748 if (ledcontrol) LED_A_OFF();
749}
750
751/*------------------------------
752 * T5555/T5557/T5567 routines
753 *------------------------------
754 */
755
756/* T55x7 configuration register definitions */
757#define T55x7_POR_DELAY 0x00000001
758#define T55x7_ST_TERMINATOR 0x00000008
759#define T55x7_PWD 0x00000010
760#define T55x7_MAXBLOCK_SHIFT 5
761#define T55x7_AOR 0x00000200
762#define T55x7_PSKCF_RF_2 0
763#define T55x7_PSKCF_RF_4 0x00000400
764#define T55x7_PSKCF_RF_8 0x00000800
765#define T55x7_MODULATION_DIRECT 0
766#define T55x7_MODULATION_PSK1 0x00001000
767#define T55x7_MODULATION_PSK2 0x00002000
768#define T55x7_MODULATION_PSK3 0x00003000
769#define T55x7_MODULATION_FSK1 0x00004000
770#define T55x7_MODULATION_FSK2 0x00005000
771#define T55x7_MODULATION_FSK1a 0x00006000
772#define T55x7_MODULATION_FSK2a 0x00007000
773#define T55x7_MODULATION_MANCHESTER 0x00008000
774#define T55x7_MODULATION_BIPHASE 0x00010000
775#define T55x7_BITRATE_RF_8 0
776#define T55x7_BITRATE_RF_16 0x00040000
777#define T55x7_BITRATE_RF_32 0x00080000
778#define T55x7_BITRATE_RF_40 0x000C0000
779#define T55x7_BITRATE_RF_50 0x00100000
780#define T55x7_BITRATE_RF_64 0x00140000
781#define T55x7_BITRATE_RF_100 0x00180000
782#define T55x7_BITRATE_RF_128 0x001C0000
783
784/* T5555 (Q5) configuration register definitions */
785#define T5555_ST_TERMINATOR 0x00000001
786#define T5555_MAXBLOCK_SHIFT 0x00000001
787#define T5555_MODULATION_MANCHESTER 0
788#define T5555_MODULATION_PSK1 0x00000010
789#define T5555_MODULATION_PSK2 0x00000020
790#define T5555_MODULATION_PSK3 0x00000030
791#define T5555_MODULATION_FSK1 0x00000040
792#define T5555_MODULATION_FSK2 0x00000050
793#define T5555_MODULATION_BIPHASE 0x00000060
794#define T5555_MODULATION_DIRECT 0x00000070
795#define T5555_INVERT_OUTPUT 0x00000080
796#define T5555_PSK_RF_2 0
797#define T5555_PSK_RF_4 0x00000100
798#define T5555_PSK_RF_8 0x00000200
799#define T5555_USE_PWD 0x00000400
800#define T5555_USE_AOR 0x00000800
801#define T5555_BITRATE_SHIFT 12
802#define T5555_FAST_WRITE 0x00004000
803#define T5555_PAGE_SELECT 0x00008000
804
805/*
806 * Relevant times in microsecond
807 * To compensate antenna falling times shorten the write times
808 * and enlarge the gap ones.
809 */
810#define START_GAP 250
811#define WRITE_GAP 160
812#define WRITE_0 144 // 192
813#define WRITE_1 400 // 432 for T55x7; 448 for E5550
814
815// Write one bit to card
816void T55xxWriteBit(int bit)
817{
818 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
819 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
820 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
821 if (bit == 0)
822 SpinDelayUs(WRITE_0);
823 else
824 SpinDelayUs(WRITE_1);
825 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
826 SpinDelayUs(WRITE_GAP);
827}
828
829// Write one card block in page 0, no lock
830void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMode)
831{
832 //unsigned int i; //enio adjustment 12/10/14
833 uint32_t i;
834
835 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
836 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
837 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
838
839 // Give it a bit of time for the resonant antenna to settle.
840 // And for the tag to fully power up
841 SpinDelay(150);
842
843 // Now start writting
844 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
845 SpinDelayUs(START_GAP);
846
847 // Opcode
848 T55xxWriteBit(1);
849 T55xxWriteBit(0); //Page 0
850 if (PwdMode == 1){
851 // Pwd
852 for (i = 0x80000000; i != 0; i >>= 1)
853 T55xxWriteBit(Pwd & i);
854 }
855 // Lock bit
856 T55xxWriteBit(0);
857
858 // Data
859 for (i = 0x80000000; i != 0; i >>= 1)
860 T55xxWriteBit(Data & i);
861
862 // Block
863 for (i = 0x04; i != 0; i >>= 1)
864 T55xxWriteBit(Block & i);
865
866 // Now perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
867 // so wait a little more)
868 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
869 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
870 SpinDelay(20);
871 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
872}
873
874// Read one card block in page 0
875void T55xxReadBlock(uint32_t Block, uint32_t Pwd, uint8_t PwdMode)
876{
877 uint8_t *dest = (uint8_t *)BigBuf;
878 //int m=0, i=0; //enio adjustment 12/10/14
879 uint32_t m=0, i=0;
880 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
881 m = sizeof(BigBuf);
882 // Clear destination buffer before sending the command
883 memset(dest, 128, m);
884 // Connect the A/D to the peak-detected low-frequency path.
885 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
886 // Now set up the SSC to get the ADC samples that are now streaming at us.
887 FpgaSetupSsc();
888
889 LED_D_ON();
890 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
891 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
892
893 // Give it a bit of time for the resonant antenna to settle.
894 // And for the tag to fully power up
895 SpinDelay(150);
896
897 // Now start writting
898 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
899 SpinDelayUs(START_GAP);
900
901 // Opcode
902 T55xxWriteBit(1);
903 T55xxWriteBit(0); //Page 0
904 if (PwdMode == 1){
905 // Pwd
906 for (i = 0x80000000; i != 0; i >>= 1)
907 T55xxWriteBit(Pwd & i);
908 }
909 // Lock bit
910 T55xxWriteBit(0);
911 // Block
912 for (i = 0x04; i != 0; i >>= 1)
913 T55xxWriteBit(Block & i);
914
915 // Turn field on to read the response
916 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
917 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
918
919 // Now do the acquisition
920 i = 0;
921 for(;;) {
922 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
923 AT91C_BASE_SSC->SSC_THR = 0x43;
924 }
925 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
926 dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
927 // we don't care about actual value, only if it's more or less than a
928 // threshold essentially we capture zero crossings for later analysis
929 // if(dest[i] < 127) dest[i] = 0; else dest[i] = 1;
930 i++;
931 if (i >= m) break;
932 }
933 }
934
935 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
936 LED_D_OFF();
937 DbpString("DONE!");
938}
939
940// Read card traceability data (page 1)
941void T55xxReadTrace(void){
942 uint8_t *dest = (uint8_t *)BigBuf;
943 int m=0, i=0;
944
945 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
946 m = sizeof(BigBuf);
947 // Clear destination buffer before sending the command
948 memset(dest, 128, m);
949 // Connect the A/D to the peak-detected low-frequency path.
950 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
951 // Now set up the SSC to get the ADC samples that are now streaming at us.
952 FpgaSetupSsc();
953
954 LED_D_ON();
955 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
956 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
957
958 // Give it a bit of time for the resonant antenna to settle.
959 // And for the tag to fully power up
960 SpinDelay(150);
961
962 // Now start writting
963 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
964 SpinDelayUs(START_GAP);
965
966 // Opcode
967 T55xxWriteBit(1);
968 T55xxWriteBit(1); //Page 1
969
970 // Turn field on to read the response
971 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
972 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
973
974 // Now do the acquisition
975 i = 0;
976 for(;;) {
977 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
978 AT91C_BASE_SSC->SSC_THR = 0x43;
979 }
980 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
981 dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
982 i++;
983 if (i >= m) break;
984 }
985 }
986
987 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
988 LED_D_OFF();
989 DbpString("DONE!");
990}
991
992/*-------------- Cloning routines -----------*/
993// Copy HID id to card and setup block 0 config
994void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT)
995{
996 int data1=0, data2=0, data3=0, data4=0, data5=0, data6=0; //up to six blocks for long format
997 int last_block = 0;
998
999 if (longFMT){
1000 // Ensure no more than 84 bits supplied
1001 if (hi2>0xFFFFF) {
1002 DbpString("Tags can only have 84 bits.");
1003 return;
1004 }
1005 // Build the 6 data blocks for supplied 84bit ID
1006 last_block = 6;
1007 data1 = 0x1D96A900; // load preamble (1D) & long format identifier (9E manchester encoded)
1008 for (int i=0;i<4;i++) {
1009 if (hi2 & (1<<(19-i)))
1010 data1 |= (1<<(((3-i)*2)+1)); // 1 -> 10
1011 else
1012 data1 |= (1<<((3-i)*2)); // 0 -> 01
1013 }
1014
1015 data2 = 0;
1016 for (int i=0;i<16;i++) {
1017 if (hi2 & (1<<(15-i)))
1018 data2 |= (1<<(((15-i)*2)+1)); // 1 -> 10
1019 else
1020 data2 |= (1<<((15-i)*2)); // 0 -> 01
1021 }
1022
1023 data3 = 0;
1024 for (int i=0;i<16;i++) {
1025 if (hi & (1<<(31-i)))
1026 data3 |= (1<<(((15-i)*2)+1)); // 1 -> 10
1027 else
1028 data3 |= (1<<((15-i)*2)); // 0 -> 01
1029 }
1030
1031 data4 = 0;
1032 for (int i=0;i<16;i++) {
1033 if (hi & (1<<(15-i)))
1034 data4 |= (1<<(((15-i)*2)+1)); // 1 -> 10
1035 else
1036 data4 |= (1<<((15-i)*2)); // 0 -> 01
1037 }
1038
1039 data5 = 0;
1040 for (int i=0;i<16;i++) {
1041 if (lo & (1<<(31-i)))
1042 data5 |= (1<<(((15-i)*2)+1)); // 1 -> 10
1043 else
1044 data5 |= (1<<((15-i)*2)); // 0 -> 01
1045 }
1046
1047 data6 = 0;
1048 for (int i=0;i<16;i++) {
1049 if (lo & (1<<(15-i)))
1050 data6 |= (1<<(((15-i)*2)+1)); // 1 -> 10
1051 else
1052 data6 |= (1<<((15-i)*2)); // 0 -> 01
1053 }
1054 }
1055 else {
1056 // Ensure no more than 44 bits supplied
1057 if (hi>0xFFF) {
1058 DbpString("Tags can only have 44 bits.");
1059 return;
1060 }
1061
1062 // Build the 3 data blocks for supplied 44bit ID
1063 last_block = 3;
1064
1065 data1 = 0x1D000000; // load preamble
1066
1067 for (int i=0;i<12;i++) {
1068 if (hi & (1<<(11-i)))
1069 data1 |= (1<<(((11-i)*2)+1)); // 1 -> 10
1070 else
1071 data1 |= (1<<((11-i)*2)); // 0 -> 01
1072 }
1073
1074 data2 = 0;
1075 for (int i=0;i<16;i++) {
1076 if (lo & (1<<(31-i)))
1077 data2 |= (1<<(((15-i)*2)+1)); // 1 -> 10
1078 else
1079 data2 |= (1<<((15-i)*2)); // 0 -> 01
1080 }
1081
1082 data3 = 0;
1083 for (int i=0;i<16;i++) {
1084 if (lo & (1<<(15-i)))
1085 data3 |= (1<<(((15-i)*2)+1)); // 1 -> 10
1086 else
1087 data3 |= (1<<((15-i)*2)); // 0 -> 01
1088 }
1089 }
1090
1091 LED_D_ON();
1092 // Program the data blocks for supplied ID
1093 // and the block 0 for HID format
1094 T55xxWriteBlock(data1,1,0,0);
1095 T55xxWriteBlock(data2,2,0,0);
1096 T55xxWriteBlock(data3,3,0,0);
1097
1098 if (longFMT) { // if long format there are 6 blocks
1099 T55xxWriteBlock(data4,4,0,0);
1100 T55xxWriteBlock(data5,5,0,0);
1101 T55xxWriteBlock(data6,6,0,0);
1102 }
1103
1104 // Config for HID (RF/50, FSK2a, Maxblock=3 for short/6 for long)
1105 T55xxWriteBlock(T55x7_BITRATE_RF_50 |
1106 T55x7_MODULATION_FSK2a |
1107 last_block << T55x7_MAXBLOCK_SHIFT,
1108 0,0,0);
1109
1110 LED_D_OFF();
1111
1112 DbpString("DONE!");
1113}
1114
1115void CopyIOtoT55x7(uint32_t hi, uint32_t lo, uint8_t longFMT)
1116{
1117 int data1=0, data2=0; //up to six blocks for long format
1118
1119 data1 = hi; // load preamble
1120 data2 = lo;
1121
1122 LED_D_ON();
1123 // Program the data blocks for supplied ID
1124 // and the block 0 for HID format
1125 T55xxWriteBlock(data1,1,0,0);
1126 T55xxWriteBlock(data2,2,0,0);
1127
1128 //Config Block
1129 T55xxWriteBlock(0x00147040,0,0,0);
1130 LED_D_OFF();
1131
1132 DbpString("DONE!");
1133}
1134
1135// Define 9bit header for EM410x tags
1136#define EM410X_HEADER 0x1FF
1137#define EM410X_ID_LENGTH 40
1138
1139void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo)
1140{
1141 int i, id_bit;
1142 uint64_t id = EM410X_HEADER;
1143 uint64_t rev_id = 0; // reversed ID
1144 int c_parity[4]; // column parity
1145 int r_parity = 0; // row parity
1146 uint32_t clock = 0;
1147
1148 // Reverse ID bits given as parameter (for simpler operations)
1149 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1150 if (i < 32) {
1151 rev_id = (rev_id << 1) | (id_lo & 1);
1152 id_lo >>= 1;
1153 } else {
1154 rev_id = (rev_id << 1) | (id_hi & 1);
1155 id_hi >>= 1;
1156 }
1157 }
1158
1159 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1160 id_bit = rev_id & 1;
1161
1162 if (i % 4 == 0) {
1163 // Don't write row parity bit at start of parsing
1164 if (i)
1165 id = (id << 1) | r_parity;
1166 // Start counting parity for new row
1167 r_parity = id_bit;
1168 } else {
1169 // Count row parity
1170 r_parity ^= id_bit;
1171 }
1172
1173 // First elements in column?
1174 if (i < 4)
1175 // Fill out first elements
1176 c_parity[i] = id_bit;
1177 else
1178 // Count column parity
1179 c_parity[i % 4] ^= id_bit;
1180
1181 // Insert ID bit
1182 id = (id << 1) | id_bit;
1183 rev_id >>= 1;
1184 }
1185
1186 // Insert parity bit of last row
1187 id = (id << 1) | r_parity;
1188
1189 // Fill out column parity at the end of tag
1190 for (i = 0; i < 4; ++i)
1191 id = (id << 1) | c_parity[i];
1192
1193 // Add stop bit
1194 id <<= 1;
1195
1196 Dbprintf("Started writing %s tag ...", card ? "T55x7":"T5555");
1197 LED_D_ON();
1198
1199 // Write EM410x ID
1200 T55xxWriteBlock((uint32_t)(id >> 32), 1, 0, 0);
1201 T55xxWriteBlock((uint32_t)id, 2, 0, 0);
1202
1203 // Config for EM410x (RF/64, Manchester, Maxblock=2)
1204 if (card) {
1205 // Clock rate is stored in bits 8-15 of the card value
1206 clock = (card & 0xFF00) >> 8;
1207 Dbprintf("Clock rate: %d", clock);
1208 switch (clock)
1209 {
1210 case 32:
1211 clock = T55x7_BITRATE_RF_32;
1212 break;
1213 case 16:
1214 clock = T55x7_BITRATE_RF_16;
1215 break;
1216 case 0:
1217 // A value of 0 is assumed to be 64 for backwards-compatibility
1218 // Fall through...
1219 case 64:
1220 clock = T55x7_BITRATE_RF_64;
1221 break;
1222 default:
1223 Dbprintf("Invalid clock rate: %d", clock);
1224 return;
1225 }
1226
1227 // Writing configuration for T55x7 tag
1228 T55xxWriteBlock(clock |
1229 T55x7_MODULATION_MANCHESTER |
1230 2 << T55x7_MAXBLOCK_SHIFT,
1231 0, 0, 0);
1232 }
1233 else
1234 // Writing configuration for T5555(Q5) tag
1235 T55xxWriteBlock(0x1F << T5555_BITRATE_SHIFT |
1236 T5555_MODULATION_MANCHESTER |
1237 2 << T5555_MAXBLOCK_SHIFT,
1238 0, 0, 0);
1239
1240 LED_D_OFF();
1241 Dbprintf("Tag %s written with 0x%08x%08x\n", card ? "T55x7":"T5555",
1242 (uint32_t)(id >> 32), (uint32_t)id);
1243}
1244
1245// Clone Indala 64-bit tag by UID to T55x7
1246void CopyIndala64toT55x7(int hi, int lo)
1247{
1248
1249 //Program the 2 data blocks for supplied 64bit UID
1250 // and the block 0 for Indala64 format
1251 T55xxWriteBlock(hi,1,0,0);
1252 T55xxWriteBlock(lo,2,0,0);
1253 //Config for Indala (RF/32;PSK1 with RF/2;Maxblock=2)
1254 T55xxWriteBlock(T55x7_BITRATE_RF_32 |
1255 T55x7_MODULATION_PSK1 |
1256 2 << T55x7_MAXBLOCK_SHIFT,
1257 0, 0, 0);
1258 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
1259 // T5567WriteBlock(0x603E1042,0);
1260
1261 DbpString("DONE!");
1262
1263}
1264
1265void CopyIndala224toT55x7(int uid1, int uid2, int uid3, int uid4, int uid5, int uid6, int uid7)
1266{
1267
1268 //Program the 7 data blocks for supplied 224bit UID
1269 // and the block 0 for Indala224 format
1270 T55xxWriteBlock(uid1,1,0,0);
1271 T55xxWriteBlock(uid2,2,0,0);
1272 T55xxWriteBlock(uid3,3,0,0);
1273 T55xxWriteBlock(uid4,4,0,0);
1274 T55xxWriteBlock(uid5,5,0,0);
1275 T55xxWriteBlock(uid6,6,0,0);
1276 T55xxWriteBlock(uid7,7,0,0);
1277 //Config for Indala (RF/32;PSK1 with RF/2;Maxblock=7)
1278 T55xxWriteBlock(T55x7_BITRATE_RF_32 |
1279 T55x7_MODULATION_PSK1 |
1280 7 << T55x7_MAXBLOCK_SHIFT,
1281 0,0,0);
1282 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
1283 // T5567WriteBlock(0x603E10E2,0);
1284
1285 DbpString("DONE!");
1286
1287}
1288
1289
1290#define abs(x) ( ((x)<0) ? -(x) : (x) )
1291#define max(x,y) ( x<y ? y:x)
1292
1293int DemodPCF7931(uint8_t **outBlocks) {
1294 uint8_t BitStream[256];
1295 uint8_t Blocks[8][16];
1296 uint8_t *GraphBuffer = (uint8_t *)BigBuf;
1297 int GraphTraceLen = sizeof(BigBuf);
1298 int i, j, lastval, bitidx, half_switch;
1299 int clock = 64;
1300 int tolerance = clock / 8;
1301 int pmc, block_done;
1302 int lc, warnings = 0;
1303 int num_blocks = 0;
1304 int lmin=128, lmax=128;
1305 uint8_t dir;
1306
1307 LFSetupFPGAForADC(95, true);
1308 DoAcquisition_default(0, 0);
1309
1310
1311 lmin = 64;
1312 lmax = 192;
1313
1314 i = 2;
1315
1316 /* Find first local max/min */
1317 if(GraphBuffer[1] > GraphBuffer[0]) {
1318 while(i < GraphTraceLen) {
1319 if( !(GraphBuffer[i] > GraphBuffer[i-1]) && GraphBuffer[i] > lmax)
1320 break;
1321 i++;
1322 }
1323 dir = 0;
1324 }
1325 else {
1326 while(i < GraphTraceLen) {
1327 if( !(GraphBuffer[i] < GraphBuffer[i-1]) && GraphBuffer[i] < lmin)
1328 break;
1329 i++;
1330 }
1331 dir = 1;
1332 }
1333
1334 lastval = i++;
1335 half_switch = 0;
1336 pmc = 0;
1337 block_done = 0;
1338
1339 for (bitidx = 0; i < GraphTraceLen; i++)
1340 {
1341 if ( (GraphBuffer[i-1] > GraphBuffer[i] && dir == 1 && GraphBuffer[i] > lmax) || (GraphBuffer[i-1] < GraphBuffer[i] && dir == 0 && GraphBuffer[i] < lmin))
1342 {
1343 lc = i - lastval;
1344 lastval = i;
1345
1346 // Switch depending on lc length:
1347 // Tolerance is 1/8 of clock rate (arbitrary)
1348 if (abs(lc-clock/4) < tolerance) {
1349 // 16T0
1350 if((i - pmc) == lc) { /* 16T0 was previous one */
1351 /* It's a PMC ! */
1352 i += (128+127+16+32+33+16)-1;
1353 lastval = i;
1354 pmc = 0;
1355 block_done = 1;
1356 }
1357 else {
1358 pmc = i;
1359 }
1360 } else if (abs(lc-clock/2) < tolerance) {
1361 // 32TO
1362 if((i - pmc) == lc) { /* 16T0 was previous one */
1363 /* It's a PMC ! */
1364 i += (128+127+16+32+33)-1;
1365 lastval = i;
1366 pmc = 0;
1367 block_done = 1;
1368 }
1369 else if(half_switch == 1) {
1370 BitStream[bitidx++] = 0;
1371 half_switch = 0;
1372 }
1373 else
1374 half_switch++;
1375 } else if (abs(lc-clock) < tolerance) {
1376 // 64TO
1377 BitStream[bitidx++] = 1;
1378 } else {
1379 // Error
1380 warnings++;
1381 if (warnings > 10)
1382 {
1383 Dbprintf("Error: too many detection errors, aborting.");
1384 return 0;
1385 }
1386 }
1387
1388 if(block_done == 1) {
1389 if(bitidx == 128) {
1390 for(j=0; j<16; j++) {
1391 Blocks[num_blocks][j] = 128*BitStream[j*8+7]+
1392 64*BitStream[j*8+6]+
1393 32*BitStream[j*8+5]+
1394 16*BitStream[j*8+4]+
1395 8*BitStream[j*8+3]+
1396 4*BitStream[j*8+2]+
1397 2*BitStream[j*8+1]+
1398 BitStream[j*8];
1399 }
1400 num_blocks++;
1401 }
1402 bitidx = 0;
1403 block_done = 0;
1404 half_switch = 0;
1405 }
1406 if(i < GraphTraceLen)
1407 {
1408 if (GraphBuffer[i-1] > GraphBuffer[i]) dir=0;
1409 else dir = 1;
1410 }
1411 }
1412 if(bitidx==255)
1413 bitidx=0;
1414 warnings = 0;
1415 if(num_blocks == 4) break;
1416 }
1417 memcpy(outBlocks, Blocks, 16*num_blocks);
1418 return num_blocks;
1419}
1420
1421int IsBlock0PCF7931(uint8_t *Block) {
1422 // Assume RFU means 0 :)
1423 if((memcmp(Block, "\x00\x00\x00\x00\x00\x00\x00\x01", 8) == 0) && memcmp(Block+9, "\x00\x00\x00\x00\x00\x00\x00", 7) == 0) // PAC enabled
1424 return 1;
1425 if((memcmp(Block+9, "\x00\x00\x00\x00\x00\x00\x00", 7) == 0) && Block[7] == 0) // PAC disabled, can it *really* happen ?
1426 return 1;
1427 return 0;
1428}
1429
1430int IsBlock1PCF7931(uint8_t *Block) {
1431 // Assume RFU means 0 :)
1432 if(Block[10] == 0 && Block[11] == 0 && Block[12] == 0 && Block[13] == 0)
1433 if((Block[14] & 0x7f) <= 9 && Block[15] <= 9)
1434 return 1;
1435
1436 return 0;
1437}
1438
1439#define ALLOC 16
1440
1441void ReadPCF7931() {
1442 uint8_t Blocks[8][17];
1443 uint8_t tmpBlocks[4][16];
1444 int i, j, ind, ind2, n;
1445 int num_blocks = 0;
1446 int max_blocks = 8;
1447 int ident = 0;
1448 int error = 0;
1449 int tries = 0;
1450
1451 memset(Blocks, 0, 8*17*sizeof(uint8_t));
1452
1453 do {
1454 memset(tmpBlocks, 0, 4*16*sizeof(uint8_t));
1455 n = DemodPCF7931((uint8_t**)tmpBlocks);
1456 if(!n)
1457 error++;
1458 if(error==10 && num_blocks == 0) {
1459 Dbprintf("Error, no tag or bad tag");
1460 return;
1461 }
1462 else if (tries==20 || error==10) {
1463 Dbprintf("Error reading the tag");
1464 Dbprintf("Here is the partial content");
1465 goto end;
1466 }
1467
1468 for(i=0; i<n; i++)
1469 Dbprintf("(dbg) %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
1470 tmpBlocks[i][0], tmpBlocks[i][1], tmpBlocks[i][2], tmpBlocks[i][3], tmpBlocks[i][4], tmpBlocks[i][5], tmpBlocks[i][6], tmpBlocks[i][7],
1471 tmpBlocks[i][8], tmpBlocks[i][9], tmpBlocks[i][10], tmpBlocks[i][11], tmpBlocks[i][12], tmpBlocks[i][13], tmpBlocks[i][14], tmpBlocks[i][15]);
1472 if(!ident) {
1473 for(i=0; i<n; i++) {
1474 if(IsBlock0PCF7931(tmpBlocks[i])) {
1475 // Found block 0 ?
1476 if(i < n-1 && IsBlock1PCF7931(tmpBlocks[i+1])) {
1477 // Found block 1!
1478 // \o/
1479 ident = 1;
1480 memcpy(Blocks[0], tmpBlocks[i], 16);
1481 Blocks[0][ALLOC] = 1;
1482 memcpy(Blocks[1], tmpBlocks[i+1], 16);
1483 Blocks[1][ALLOC] = 1;
1484 max_blocks = max((Blocks[1][14] & 0x7f), Blocks[1][15]) + 1;
1485 // Debug print
1486 Dbprintf("(dbg) Max blocks: %d", max_blocks);
1487 num_blocks = 2;
1488 // Handle following blocks
1489 for(j=i+2, ind2=2; j!=i; j++, ind2++, num_blocks++) {
1490 if(j==n) j=0;
1491 if(j==i) break;
1492 memcpy(Blocks[ind2], tmpBlocks[j], 16);
1493 Blocks[ind2][ALLOC] = 1;
1494 }
1495 break;
1496 }
1497 }
1498 }
1499 }
1500 else {
1501 for(i=0; i<n; i++) { // Look for identical block in known blocks
1502 if(memcmp(tmpBlocks[i], "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16)) { // Block is not full of 00
1503 for(j=0; j<max_blocks; j++) {
1504 if(Blocks[j][ALLOC] == 1 && !memcmp(tmpBlocks[i], Blocks[j], 16)) {
1505 // Found an identical block
1506 for(ind=i-1,ind2=j-1; ind >= 0; ind--,ind2--) {
1507 if(ind2 < 0)
1508 ind2 = max_blocks;
1509 if(!Blocks[ind2][ALLOC]) { // Block ind2 not already found
1510 // Dbprintf("Tmp %d -> Block %d", ind, ind2);
1511 memcpy(Blocks[ind2], tmpBlocks[ind], 16);
1512 Blocks[ind2][ALLOC] = 1;
1513 num_blocks++;
1514 if(num_blocks == max_blocks) goto end;
1515 }
1516 }
1517 for(ind=i+1,ind2=j+1; ind < n; ind++,ind2++) {
1518 if(ind2 > max_blocks)
1519 ind2 = 0;
1520 if(!Blocks[ind2][ALLOC]) { // Block ind2 not already found
1521 // Dbprintf("Tmp %d -> Block %d", ind, ind2);
1522 memcpy(Blocks[ind2], tmpBlocks[ind], 16);
1523 Blocks[ind2][ALLOC] = 1;
1524 num_blocks++;
1525 if(num_blocks == max_blocks) goto end;
1526 }
1527 }
1528 }
1529 }
1530 }
1531 }
1532 }
1533 tries++;
1534 if (BUTTON_PRESS()) return;
1535 } while (num_blocks != max_blocks);
1536end:
1537 Dbprintf("-----------------------------------------");
1538 Dbprintf("Memory content:");
1539 Dbprintf("-----------------------------------------");
1540 for(i=0; i<max_blocks; i++) {
1541 if(Blocks[i][ALLOC]==1)
1542 Dbprintf("%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
1543 Blocks[i][0], Blocks[i][1], Blocks[i][2], Blocks[i][3], Blocks[i][4], Blocks[i][5], Blocks[i][6], Blocks[i][7],
1544 Blocks[i][8], Blocks[i][9], Blocks[i][10], Blocks[i][11], Blocks[i][12], Blocks[i][13], Blocks[i][14], Blocks[i][15]);
1545 else
1546 Dbprintf("<missing block %d>", i);
1547 }
1548 Dbprintf("-----------------------------------------");
1549
1550 return ;
1551}
1552
1553
1554//-----------------------------------
1555// EM4469 / EM4305 routines
1556//-----------------------------------
1557#define FWD_CMD_LOGIN 0xC //including the even parity, binary mirrored
1558#define FWD_CMD_WRITE 0xA
1559#define FWD_CMD_READ 0x9
1560#define FWD_CMD_DISABLE 0x5
1561
1562
1563uint8_t forwardLink_data[64]; //array of forwarded bits
1564uint8_t * forward_ptr; //ptr for forward message preparation
1565uint8_t fwd_bit_sz; //forwardlink bit counter
1566uint8_t * fwd_write_ptr; //forwardlink bit pointer
1567
1568//====================================================================
1569// prepares command bits
1570// see EM4469 spec
1571//====================================================================
1572//--------------------------------------------------------------------
1573uint8_t Prepare_Cmd( uint8_t cmd ) {
1574 //--------------------------------------------------------------------
1575
1576 *forward_ptr++ = 0; //start bit
1577 *forward_ptr++ = 0; //second pause for 4050 code
1578
1579 *forward_ptr++ = cmd;
1580 cmd >>= 1;
1581 *forward_ptr++ = cmd;
1582 cmd >>= 1;
1583 *forward_ptr++ = cmd;
1584 cmd >>= 1;
1585 *forward_ptr++ = cmd;
1586
1587 return 6; //return number of emited bits
1588}
1589
1590//====================================================================
1591// prepares address bits
1592// see EM4469 spec
1593//====================================================================
1594
1595//--------------------------------------------------------------------
1596uint8_t Prepare_Addr( uint8_t addr ) {
1597 //--------------------------------------------------------------------
1598
1599 register uint8_t line_parity;
1600
1601 uint8_t i;
1602 line_parity = 0;
1603 for(i=0;i<6;i++) {
1604 *forward_ptr++ = addr;
1605 line_parity ^= addr;
1606 addr >>= 1;
1607 }
1608
1609 *forward_ptr++ = (line_parity & 1);
1610
1611 return 7; //return number of emited bits
1612}
1613
1614//====================================================================
1615// prepares data bits intreleaved with parity bits
1616// see EM4469 spec
1617//====================================================================
1618
1619//--------------------------------------------------------------------
1620uint8_t Prepare_Data( uint16_t data_low, uint16_t data_hi) {
1621 //--------------------------------------------------------------------
1622
1623 register uint8_t line_parity;
1624 register uint8_t column_parity;
1625 register uint8_t i, j;
1626 register uint16_t data;
1627
1628 data = data_low;
1629 column_parity = 0;
1630
1631 for(i=0; i<4; i++) {
1632 line_parity = 0;
1633 for(j=0; j<8; j++) {
1634 line_parity ^= data;
1635 column_parity ^= (data & 1) << j;
1636 *forward_ptr++ = data;
1637 data >>= 1;
1638 }
1639 *forward_ptr++ = line_parity;
1640 if(i == 1)
1641 data = data_hi;
1642 }
1643
1644 for(j=0; j<8; j++) {
1645 *forward_ptr++ = column_parity;
1646 column_parity >>= 1;
1647 }
1648 *forward_ptr = 0;
1649
1650 return 45; //return number of emited bits
1651}
1652
1653//====================================================================
1654// Forward Link send function
1655// Requires: forwarLink_data filled with valid bits (1 bit per byte)
1656// fwd_bit_count set with number of bits to be sent
1657//====================================================================
1658void SendForward(uint8_t fwd_bit_count) {
1659
1660 fwd_write_ptr = forwardLink_data;
1661 fwd_bit_sz = fwd_bit_count;
1662
1663 LED_D_ON();
1664
1665 //Field on
1666 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1667 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1668 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
1669
1670 // Give it a bit of time for the resonant antenna to settle.
1671 // And for the tag to fully power up
1672 SpinDelay(150);
1673
1674 // force 1st mod pulse (start gap must be longer for 4305)
1675 fwd_bit_sz--; //prepare next bit modulation
1676 fwd_write_ptr++;
1677 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1678 SpinDelayUs(55*8); //55 cycles off (8us each)for 4305
1679 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1680 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
1681 SpinDelayUs(16*8); //16 cycles on (8us each)
1682
1683 // now start writting
1684 while(fwd_bit_sz-- > 0) { //prepare next bit modulation
1685 if(((*fwd_write_ptr++) & 1) == 1)
1686 SpinDelayUs(32*8); //32 cycles at 125Khz (8us each)
1687 else {
1688 //These timings work for 4469/4269/4305 (with the 55*8 above)
1689 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1690 SpinDelayUs(23*8); //16-4 cycles off (8us each)
1691 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1692 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
1693 SpinDelayUs(9*8); //16 cycles on (8us each)
1694 }
1695 }
1696}
1697
1698void EM4xLogin(uint32_t Password) {
1699
1700 uint8_t fwd_bit_count;
1701
1702 forward_ptr = forwardLink_data;
1703 fwd_bit_count = Prepare_Cmd( FWD_CMD_LOGIN );
1704 fwd_bit_count += Prepare_Data( Password&0xFFFF, Password>>16 );
1705
1706 SendForward(fwd_bit_count);
1707
1708 //Wait for command to complete
1709 SpinDelay(20);
1710
1711}
1712
1713void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
1714
1715 uint8_t fwd_bit_count;
1716 uint8_t *dest = (uint8_t *)BigBuf;
1717 int m=0, i=0;
1718
1719 //If password mode do login
1720 if (PwdMode == 1) EM4xLogin(Pwd);
1721
1722 forward_ptr = forwardLink_data;
1723 fwd_bit_count = Prepare_Cmd( FWD_CMD_READ );
1724 fwd_bit_count += Prepare_Addr( Address );
1725
1726 m = sizeof(BigBuf);
1727 // Clear destination buffer before sending the command
1728 memset(dest, 128, m);
1729 // Connect the A/D to the peak-detected low-frequency path.
1730 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1731 // Now set up the SSC to get the ADC samples that are now streaming at us.
1732 FpgaSetupSsc();
1733
1734 SendForward(fwd_bit_count);
1735
1736 // Now do the acquisition
1737 i = 0;
1738 for(;;) {
1739 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
1740 AT91C_BASE_SSC->SSC_THR = 0x43;
1741 }
1742 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
1743 dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1744 i++;
1745 if (i >= m) break;
1746 }
1747 }
1748 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1749 LED_D_OFF();
1750}
1751
1752void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
1753
1754 uint8_t fwd_bit_count;
1755
1756 //If password mode do login
1757 if (PwdMode == 1) EM4xLogin(Pwd);
1758
1759 forward_ptr = forwardLink_data;
1760 fwd_bit_count = Prepare_Cmd( FWD_CMD_WRITE );
1761 fwd_bit_count += Prepare_Addr( Address );
1762 fwd_bit_count += Prepare_Data( Data&0xFFFF, Data>>16 );
1763
1764 SendForward(fwd_bit_count);
1765
1766 //Wait for write to complete
1767 SpinDelay(20);
1768 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1769 LED_D_OFF();
1770}
Impressum, Datenschutz