]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso15693.c
3b39d576fbe8930091dbb3f232613c2a4631e925
[proxmark3-svn] / armsrc / iso15693.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, split Nov 2006
3 // Modified by Greg Jones, Jan 2009
4 // Modified by Adrian Dabrowski "atrox", Mar-Sept 2010,Oct 2011
5 // Modified by piwi, Oct 2018
6 //
7 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
8 // at your option, any later version. See the LICENSE.txt file for the text of
9 // the license.
10 //-----------------------------------------------------------------------------
11 // Routines to support ISO 15693. This includes both the reader software and
12 // the `fake tag' modes.
13 //-----------------------------------------------------------------------------
14
15 // The ISO 15693 describes two transmission modes from reader to tag, and four
16 // transmission modes from tag to reader. As of Oct 2018 this code supports
17 // both reader modes and the high speed variant with one subcarrier from card to reader.
18 // As long as the card fully support ISO 15693 this is no problem, since the
19 // reader chooses both data rates, but some non-standard tags do not.
20 // For card simulation, the code supports both high and low speed modes with one subcarrier.
21 //
22 // VCD (reader) -> VICC (tag)
23 // 1 out of 256:
24 // data rate: 1,66 kbit/s (fc/8192)
25 // used for long range
26 // 1 out of 4:
27 // data rate: 26,48 kbit/s (fc/512)
28 // used for short range, high speed
29 //
30 // VICC (tag) -> VCD (reader)
31 // Modulation:
32 // ASK / one subcarrier (423,75 khz)
33 // FSK / two subcarriers (423,75 khz && 484,28 khz)
34 // Data Rates / Modes:
35 // low ASK: 6,62 kbit/s
36 // low FSK: 6.67 kbit/s
37 // high ASK: 26,48 kbit/s
38 // high FSK: 26,69 kbit/s
39 //-----------------------------------------------------------------------------
40
41
42 // Random Remarks:
43 // *) UID is always used "transmission order" (LSB), which is reverse to display order
44
45 // TODO / BUGS / ISSUES:
46 // *) signal decoding is unable to detect collisions.
47 // *) add anti-collision support for inventory-commands
48 // *) read security status of a block
49 // *) sniffing and simulation do not support two subcarrier modes.
50 // *) remove or refactor code under "deprecated"
51 // *) document all the functions
52
53 #include "iso15693.h"
54
55 #include "proxmark3.h"
56 #include "util.h"
57 #include "apps.h"
58 #include "string.h"
59 #include "iso15693tools.h"
60 #include "protocols.h"
61 #include "cmd.h"
62 #include "BigBuf.h"
63 #include "fpgaloader.h"
64
65 #define arraylen(x) (sizeof(x)/sizeof((x)[0]))
66
67 // Delays in SSP_CLK ticks.
68 // SSP_CLK runs at 13,56MHz / 32 = 423.75kHz when simulating a tag
69 #define DELAY_READER_TO_ARM 8
70 #define DELAY_ARM_TO_READER 0
71 //SSP_CLK runs at 13.56MHz / 4 = 3,39MHz when acting as reader. All values should be multiples of 16
72 #define DELAY_TAG_TO_ARM 32
73 #define DELAY_ARM_TO_TAG 16
74
75 static int DEBUG = 0;
76
77
78 // specific LogTrace function for ISO15693: the duration needs to be scaled because otherwise it won't fit into a uint16_t
79 bool LogTrace_ISO15693(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag) {
80 uint32_t duration = timestamp_end - timestamp_start;
81 duration /= 32;
82 timestamp_end = timestamp_start + duration;
83 return LogTrace(btBytes, iLen, timestamp_start, timestamp_end, parity, readerToTag);
84 }
85
86
87 ///////////////////////////////////////////////////////////////////////
88 // ISO 15693 Part 2 - Air Interface
89 // This section basically contains transmission and receiving of bits
90 ///////////////////////////////////////////////////////////////////////
91
92 // buffers
93 #define ISO15693_DMA_BUFFER_SIZE 2048 // must be a power of 2
94 #define ISO15693_MAX_RESPONSE_LENGTH 36 // allows read single block with the maximum block size of 256bits. Read multiple blocks not supported yet
95 #define ISO15693_MAX_COMMAND_LENGTH 45 // allows write single block with the maximum block size of 256bits. Write multiple blocks not supported yet
96
97 // ---------------------------
98 // Signal Processing
99 // ---------------------------
100
101 // prepare data using "1 out of 4" code for later transmission
102 // resulting data rate is 26.48 kbit/s (fc/512)
103 // cmd ... data
104 // n ... length of data
105 void CodeIso15693AsReader(uint8_t *cmd, int n) {
106
107 ToSendReset();
108
109 // SOF for 1of4
110 ToSend[++ToSendMax] = 0x84; //10000100
111
112 // data
113 for (int i = 0; i < n; i++) {
114 for (int j = 0; j < 8; j += 2) {
115 int these = (cmd[i] >> j) & 0x03;
116 switch(these) {
117 case 0:
118 ToSend[++ToSendMax] = 0x40; //01000000
119 break;
120 case 1:
121 ToSend[++ToSendMax] = 0x10; //00010000
122 break;
123 case 2:
124 ToSend[++ToSendMax] = 0x04; //00000100
125 break;
126 case 3:
127 ToSend[++ToSendMax] = 0x01; //00000001
128 break;
129 }
130 }
131 }
132
133 // EOF
134 ToSend[++ToSendMax] = 0x20; //0010 + 0000 padding
135
136 ToSendMax++;
137 }
138
139 // encode data using "1 out of 256" scheme
140 // data rate is 1,66 kbit/s (fc/8192)
141 // is designed for more robust communication over longer distances
142 static void CodeIso15693AsReader256(uint8_t *cmd, int n)
143 {
144 ToSendReset();
145
146 // SOF for 1of256
147 ToSend[++ToSendMax] = 0x81; //10000001
148
149 // data
150 for(int i = 0; i < n; i++) {
151 for (int j = 0; j <= 255; j++) {
152 if (cmd[i] == j) {
153 ToSendStuffBit(0);
154 ToSendStuffBit(1);
155 } else {
156 ToSendStuffBit(0);
157 ToSendStuffBit(0);
158 }
159 }
160 }
161
162 // EOF
163 ToSend[++ToSendMax] = 0x20; //0010 + 0000 padding
164
165 ToSendMax++;
166 }
167
168
169 // static uint8_t encode4Bits(const uint8_t b) {
170 // uint8_t c = b & 0xF;
171 // // OTA, the least significant bits first
172 // // The columns are
173 // // 1 - Bit value to send
174 // // 2 - Reversed (big-endian)
175 // // 3 - Manchester Encoded
176 // // 4 - Hex values
177
178 // switch(c){
179 // // 1 2 3 4
180 // case 15: return 0x55; // 1111 -> 1111 -> 01010101 -> 0x55
181 // case 14: return 0x95; // 1110 -> 0111 -> 10010101 -> 0x95
182 // case 13: return 0x65; // 1101 -> 1011 -> 01100101 -> 0x65
183 // case 12: return 0xa5; // 1100 -> 0011 -> 10100101 -> 0xa5
184 // case 11: return 0x59; // 1011 -> 1101 -> 01011001 -> 0x59
185 // case 10: return 0x99; // 1010 -> 0101 -> 10011001 -> 0x99
186 // case 9: return 0x69; // 1001 -> 1001 -> 01101001 -> 0x69
187 // case 8: return 0xa9; // 1000 -> 0001 -> 10101001 -> 0xa9
188 // case 7: return 0x56; // 0111 -> 1110 -> 01010110 -> 0x56
189 // case 6: return 0x96; // 0110 -> 0110 -> 10010110 -> 0x96
190 // case 5: return 0x66; // 0101 -> 1010 -> 01100110 -> 0x66
191 // case 4: return 0xa6; // 0100 -> 0010 -> 10100110 -> 0xa6
192 // case 3: return 0x5a; // 0011 -> 1100 -> 01011010 -> 0x5a
193 // case 2: return 0x9a; // 0010 -> 0100 -> 10011010 -> 0x9a
194 // case 1: return 0x6a; // 0001 -> 1000 -> 01101010 -> 0x6a
195 // default: return 0xaa; // 0000 -> 0000 -> 10101010 -> 0xaa
196
197 // }
198 // }
199
200 static const uint8_t encode_4bits[16] = { 0xaa, 0x6a, 0x9a, 0x5a, 0xa6, 0x66, 0x96, 0x56, 0xa9, 0x69, 0x99, 0x59, 0xa5, 0x65, 0x95, 0x55 };
201
202 void CodeIso15693AsTag(uint8_t *cmd, size_t len) {
203 /*
204 * SOF comprises 3 parts;
205 * * An unmodulated time of 56.64 us
206 * * 24 pulses of 423.75 kHz (fc/32)
207 * * A logic 1, which starts with an unmodulated time of 18.88us
208 * followed by 8 pulses of 423.75kHz (fc/32)
209 *
210 * EOF comprises 3 parts:
211 * - A logic 0 (which starts with 8 pulses of fc/32 followed by an unmodulated
212 * time of 18.88us.
213 * - 24 pulses of fc/32
214 * - An unmodulated time of 56.64 us
215 *
216 * A logic 0 starts with 8 pulses of fc/32
217 * followed by an unmodulated time of 256/fc (~18,88us).
218 *
219 * A logic 0 starts with unmodulated time of 256/fc (~18,88us) followed by
220 * 8 pulses of fc/32 (also 18.88us)
221 *
222 * A bit here becomes 8 pulses of fc/32. Therefore:
223 * The SOF can be written as 00011101 = 0x1D
224 * The EOF can be written as 10111000 = 0xb8
225 * A logic 1 is 01
226 * A logic 0 is 10
227 *
228 * */
229
230 ToSendReset();
231
232 // SOF
233 ToSend[++ToSendMax] = 0x1D; // 00011101
234
235 // data
236 for (int i = 0; i < len; i++) {
237 ToSend[++ToSendMax] = encode_4bits[cmd[i] & 0xF];
238 ToSend[++ToSendMax] = encode_4bits[cmd[i] >> 4];
239 }
240
241 // EOF
242 ToSend[++ToSendMax] = 0xB8; // 10111000
243
244 ToSendMax++;
245 }
246
247
248 // Transmit the command (to the tag) that was placed in cmd[].
249 void TransmitTo15693Tag(const uint8_t *cmd, int len, uint32_t *start_time) {
250
251 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SEND_FULL_MOD);
252
253 if (*start_time < DELAY_ARM_TO_TAG) {
254 *start_time = DELAY_ARM_TO_TAG;
255 }
256
257 *start_time = (*start_time - DELAY_ARM_TO_TAG) & 0xfffffff0;
258
259 while (GetCountSspClk() > *start_time) { // we may miss the intended time
260 *start_time += 16; // next possible time
261 }
262
263
264 while (GetCountSspClk() < *start_time)
265 /* wait */ ;
266
267 LED_B_ON();
268 for (int c = 0; c < len; c++) {
269 uint8_t data = cmd[c];
270 for (int i = 0; i < 8; i++) {
271 uint16_t send_word = (data & 0x80) ? 0xffff : 0x0000;
272 while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) ;
273 AT91C_BASE_SSC->SSC_THR = send_word;
274 while (!(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))) ;
275 AT91C_BASE_SSC->SSC_THR = send_word;
276
277 data <<= 1;
278 }
279 WDT_HIT();
280 }
281 LED_B_OFF();
282
283 *start_time = *start_time + DELAY_ARM_TO_TAG;
284
285 }
286
287
288 //-----------------------------------------------------------------------------
289 // Transmit the tag response (to the reader) that was placed in cmd[].
290 //-----------------------------------------------------------------------------
291 void TransmitTo15693Reader(const uint8_t *cmd, size_t len, uint32_t *start_time, uint32_t slot_time, bool slow) {
292 // don't use the FPGA_HF_SIMULATOR_MODULATE_424K_8BIT minor mode. It would spoil GetCountSspClk()
293 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_424K);
294
295 uint32_t modulation_start_time = *start_time - DELAY_ARM_TO_READER + 3 * 8; // no need to transfer the unmodulated start of SOF
296
297 while (GetCountSspClk() > (modulation_start_time & 0xfffffff8) + 3) { // we will miss the intended time
298 if (slot_time) {
299 modulation_start_time += slot_time; // use next available slot
300 } else {
301 modulation_start_time = (modulation_start_time & 0xfffffff8) + 8; // next possible time
302 }
303 }
304
305 while (GetCountSspClk() < (modulation_start_time & 0xfffffff8))
306 /* wait */ ;
307
308 uint8_t shift_delay = modulation_start_time & 0x00000007;
309
310 *start_time = modulation_start_time + DELAY_ARM_TO_READER - 3 * 8;
311
312 LED_C_ON();
313 uint8_t bits_to_shift = 0x00;
314 uint8_t bits_to_send = 0x00;
315 for (size_t c = 0; c < len; c++) {
316 for (int i = (c==0?4:7); i >= 0; i--) {
317 uint8_t cmd_bits = ((cmd[c] >> i) & 0x01) ? 0xff : 0x00;
318 for (int j = 0; j < (slow?4:1); ) {
319 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
320 bits_to_send = bits_to_shift << (8 - shift_delay) | cmd_bits >> shift_delay;
321 AT91C_BASE_SSC->SSC_THR = bits_to_send;
322 bits_to_shift = cmd_bits;
323 j++;
324 }
325 }
326 }
327 WDT_HIT();
328 }
329 // send the remaining bits, padded with 0:
330 bits_to_send = bits_to_shift << (8 - shift_delay);
331 for ( ; ; ) {
332 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
333 AT91C_BASE_SSC->SSC_THR = bits_to_send;
334 break;
335 }
336 }
337 LED_C_OFF();
338 }
339
340
341 //=============================================================================
342 // An ISO 15693 decoder for tag responses (one subcarrier only).
343 // Uses cross correlation to identify each bit and EOF.
344 // This function is called 8 times per bit (every 2 subcarrier cycles).
345 // Subcarrier frequency fs is 424kHz, 1/fs = 2,36us,
346 // i.e. function is called every 4,72us
347 // LED handling:
348 // LED C -> ON once we have received the SOF and are expecting the rest.
349 // LED C -> OFF once we have received EOF or are unsynced
350 //
351 // Returns: true if we received a EOF
352 // false if we are still waiting for some more
353 //=============================================================================
354
355 #define NOISE_THRESHOLD 160 // don't try to correlate noise
356 #define MAX_PREVIOUS_AMPLITUDE (-1 - NOISE_THRESHOLD)
357
358 typedef struct DecodeTag {
359 enum {
360 STATE_TAG_SOF_LOW,
361 STATE_TAG_SOF_RISING_EDGE,
362 STATE_TAG_SOF_HIGH,
363 STATE_TAG_SOF_HIGH_END,
364 STATE_TAG_RECEIVING_DATA,
365 STATE_TAG_EOF,
366 STATE_TAG_EOF_TAIL
367 } state;
368 int bitCount;
369 int posCount;
370 enum {
371 LOGIC0,
372 LOGIC1,
373 SOF_PART1,
374 SOF_PART2
375 } lastBit;
376 uint16_t shiftReg;
377 uint16_t max_len;
378 uint8_t *output;
379 int len;
380 int sum1, sum2;
381 int threshold_sof;
382 int threshold_half;
383 uint16_t previous_amplitude;
384 } DecodeTag_t;
385
386
387 static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint16_t amplitude, DecodeTag_t *DecodeTag)
388 {
389 switch(DecodeTag->state) {
390 case STATE_TAG_SOF_LOW:
391 // waiting for a rising edge
392 if (amplitude > NOISE_THRESHOLD + DecodeTag->previous_amplitude) {
393 if (DecodeTag->posCount > 10) {
394 DecodeTag->threshold_sof = amplitude - DecodeTag->previous_amplitude;
395 DecodeTag->threshold_half = 0;
396 DecodeTag->state = STATE_TAG_SOF_RISING_EDGE;
397 } else {
398 DecodeTag->posCount = 0;
399 }
400 } else {
401 DecodeTag->posCount++;
402 DecodeTag->previous_amplitude = amplitude;
403 }
404 break;
405
406 case STATE_TAG_SOF_RISING_EDGE:
407 if (amplitude - DecodeTag->previous_amplitude > DecodeTag->threshold_sof) { // edge still rising
408 if (amplitude - DecodeTag->threshold_sof > DecodeTag->threshold_sof) { // steeper edge, take this as time reference
409 DecodeTag->posCount = 1;
410 } else {
411 DecodeTag->posCount = 2;
412 }
413 DecodeTag->threshold_sof = (amplitude - DecodeTag->previous_amplitude) / 2;
414 } else {
415 DecodeTag->posCount = 2;
416 DecodeTag->threshold_sof = DecodeTag->threshold_sof/2;
417 }
418 // DecodeTag->posCount = 2;
419 DecodeTag->state = STATE_TAG_SOF_HIGH;
420 break;
421
422 case STATE_TAG_SOF_HIGH:
423 // waiting for 10 times high. Take average over the last 8
424 if (amplitude > DecodeTag->threshold_sof) {
425 DecodeTag->posCount++;
426 if (DecodeTag->posCount > 2) {
427 DecodeTag->threshold_half += amplitude; // keep track of average high value
428 }
429 if (DecodeTag->posCount == 10) {
430 DecodeTag->threshold_half >>= 2; // (4 times 1/2 average)
431 DecodeTag->state = STATE_TAG_SOF_HIGH_END;
432 }
433 } else { // high phase was too short
434 DecodeTag->posCount = 1;
435 DecodeTag->previous_amplitude = amplitude;
436 DecodeTag->state = STATE_TAG_SOF_LOW;
437 }
438 break;
439
440 case STATE_TAG_SOF_HIGH_END:
441 // check for falling edge
442 if (DecodeTag->posCount == 13 && amplitude < DecodeTag->threshold_sof) {
443 DecodeTag->lastBit = SOF_PART1; // detected 1st part of SOF (12 samples low and 12 samples high)
444 DecodeTag->shiftReg = 0;
445 DecodeTag->bitCount = 0;
446 DecodeTag->len = 0;
447 DecodeTag->sum1 = amplitude;
448 DecodeTag->sum2 = 0;
449 DecodeTag->posCount = 2;
450 DecodeTag->state = STATE_TAG_RECEIVING_DATA;
451 FpgaDisableTracing(); // DEBUGGING
452 Dbprintf("amplitude = %d, threshold_sof = %d, threshold_half/4 = %d, previous_amplitude = %d",
453 amplitude,
454 DecodeTag->threshold_sof,
455 DecodeTag->threshold_half/4,
456 DecodeTag->previous_amplitude); // DEBUGGING
457 LED_C_ON();
458 } else {
459 DecodeTag->posCount++;
460 if (DecodeTag->posCount > 13) { // high phase too long
461 DecodeTag->posCount = 0;
462 DecodeTag->previous_amplitude = amplitude;
463 DecodeTag->state = STATE_TAG_SOF_LOW;
464 LED_C_OFF();
465 }
466 }
467 break;
468
469 case STATE_TAG_RECEIVING_DATA:
470 if (DecodeTag->posCount == 1) {
471 DecodeTag->sum1 = 0;
472 DecodeTag->sum2 = 0;
473 }
474 if (DecodeTag->posCount <= 4) {
475 DecodeTag->sum1 += amplitude;
476 } else {
477 DecodeTag->sum2 += amplitude;
478 }
479 if (DecodeTag->posCount == 8) {
480 if (DecodeTag->sum1 > DecodeTag->threshold_half && DecodeTag->sum2 > DecodeTag->threshold_half) { // modulation in both halves
481 if (DecodeTag->lastBit == LOGIC0) { // this was already part of EOF
482 DecodeTag->state = STATE_TAG_EOF;
483 } else {
484 DecodeTag->posCount = 0;
485 DecodeTag->previous_amplitude = amplitude;
486 DecodeTag->state = STATE_TAG_SOF_LOW;
487 LED_C_OFF();
488 }
489 } else if (DecodeTag->sum1 < DecodeTag->threshold_half && DecodeTag->sum2 > DecodeTag->threshold_half) { // modulation in second half
490 // logic 1
491 if (DecodeTag->lastBit == SOF_PART1) { // still part of SOF
492 DecodeTag->lastBit = SOF_PART2; // SOF completed
493 } else {
494 DecodeTag->lastBit = LOGIC1;
495 DecodeTag->shiftReg >>= 1;
496 DecodeTag->shiftReg |= 0x80;
497 DecodeTag->bitCount++;
498 if (DecodeTag->bitCount == 8) {
499 DecodeTag->output[DecodeTag->len] = DecodeTag->shiftReg;
500 DecodeTag->len++;
501 // if (DecodeTag->shiftReg == 0x12 && DecodeTag->len == 1) FpgaDisableTracing(); // DEBUGGING
502 if (DecodeTag->len > DecodeTag->max_len) {
503 // buffer overflow, give up
504 LED_C_OFF();
505 return true;
506 }
507 DecodeTag->bitCount = 0;
508 DecodeTag->shiftReg = 0;
509 }
510 }
511 } else if (DecodeTag->sum1 > DecodeTag->threshold_half && DecodeTag->sum2 < DecodeTag->threshold_half) { // modulation in first half
512 // logic 0
513 if (DecodeTag->lastBit == SOF_PART1) { // incomplete SOF
514 DecodeTag->posCount = 0;
515 DecodeTag->previous_amplitude = amplitude;
516 DecodeTag->state = STATE_TAG_SOF_LOW;
517 LED_C_OFF();
518 } else {
519 DecodeTag->lastBit = LOGIC0;
520 DecodeTag->shiftReg >>= 1;
521 DecodeTag->bitCount++;
522 if (DecodeTag->bitCount == 8) {
523 DecodeTag->output[DecodeTag->len] = DecodeTag->shiftReg;
524 DecodeTag->len++;
525 // if (DecodeTag->shiftReg == 0x12 && DecodeTag->len == 1) FpgaDisableTracing(); // DEBUGGING
526 if (DecodeTag->len > DecodeTag->max_len) {
527 // buffer overflow, give up
528 DecodeTag->posCount = 0;
529 DecodeTag->previous_amplitude = amplitude;
530 DecodeTag->state = STATE_TAG_SOF_LOW;
531 LED_C_OFF();
532 }
533 DecodeTag->bitCount = 0;
534 DecodeTag->shiftReg = 0;
535 }
536 }
537 } else { // no modulation
538 if (DecodeTag->lastBit == SOF_PART2) { // only SOF (this is OK for iClass)
539 LED_C_OFF();
540 return true;
541 } else {
542 DecodeTag->posCount = 0;
543 DecodeTag->state = STATE_TAG_SOF_LOW;
544 LED_C_OFF();
545 }
546 }
547 DecodeTag->posCount = 0;
548 }
549 DecodeTag->posCount++;
550 break;
551
552 case STATE_TAG_EOF:
553 if (DecodeTag->posCount == 1) {
554 DecodeTag->sum1 = 0;
555 DecodeTag->sum2 = 0;
556 }
557 if (DecodeTag->posCount <= 4) {
558 DecodeTag->sum1 += amplitude;
559 } else {
560 DecodeTag->sum2 += amplitude;
561 }
562 if (DecodeTag->posCount == 8) {
563 if (DecodeTag->sum1 > DecodeTag->threshold_half && DecodeTag->sum2 < DecodeTag->threshold_half) { // modulation in first half
564 DecodeTag->posCount = 0;
565 DecodeTag->state = STATE_TAG_EOF_TAIL;
566 } else {
567 DecodeTag->posCount = 0;
568 DecodeTag->previous_amplitude = amplitude;
569 DecodeTag->state = STATE_TAG_SOF_LOW;
570 LED_C_OFF();
571 }
572 }
573 DecodeTag->posCount++;
574 break;
575
576 case STATE_TAG_EOF_TAIL:
577 if (DecodeTag->posCount == 1) {
578 DecodeTag->sum1 = 0;
579 DecodeTag->sum2 = 0;
580 }
581 if (DecodeTag->posCount <= 4) {
582 DecodeTag->sum1 += amplitude;
583 } else {
584 DecodeTag->sum2 += amplitude;
585 }
586 if (DecodeTag->posCount == 8) {
587 if (DecodeTag->sum1 < DecodeTag->threshold_half && DecodeTag->sum2 < DecodeTag->threshold_half) { // no modulation in both halves
588 LED_C_OFF();
589 return true;
590 } else {
591 DecodeTag->posCount = 0;
592 DecodeTag->previous_amplitude = amplitude;
593 DecodeTag->state = STATE_TAG_SOF_LOW;
594 LED_C_OFF();
595 }
596 }
597 DecodeTag->posCount++;
598 break;
599 }
600
601 return false;
602 }
603
604
605 static void DecodeTagInit(DecodeTag_t *DecodeTag, uint8_t *data, uint16_t max_len) {
606 DecodeTag->previous_amplitude = MAX_PREVIOUS_AMPLITUDE;
607 DecodeTag->posCount = 0;
608 DecodeTag->state = STATE_TAG_SOF_LOW;
609 DecodeTag->output = data;
610 DecodeTag->max_len = max_len;
611 }
612
613
614 static void DecodeTagReset(DecodeTag_t *DecodeTag) {
615 DecodeTag->posCount = 0;
616 DecodeTag->state = STATE_TAG_SOF_LOW;
617 DecodeTag->previous_amplitude = MAX_PREVIOUS_AMPLITUDE;
618 }
619
620
621 /*
622 * Receive and decode the tag response, also log to tracebuffer
623 */
624 int GetIso15693AnswerFromTag(uint8_t* response, uint16_t max_len, uint16_t timeout, uint32_t *eof_time) {
625
626 int samples = 0;
627 int ret = 0;
628
629 uint16_t dmaBuf[ISO15693_DMA_BUFFER_SIZE];
630
631 // the Decoder data structure
632 DecodeTag_t DecodeTag = { 0 };
633 DecodeTagInit(&DecodeTag, response, max_len);
634
635 // wait for last transfer to complete
636 while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY));
637
638 // And put the FPGA in the appropriate mode
639 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_424_KHZ | FPGA_HF_READER_MODE_RECEIVE_AMPLITUDE);
640
641 // Setup and start DMA.
642 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
643 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE);
644 uint32_t dma_start_time = 0;
645 uint16_t *upTo = dmaBuf;
646
647 for(;;) {
648 uint16_t behindBy = ((uint16_t*)AT91C_BASE_PDC_SSC->PDC_RPR - upTo) & (ISO15693_DMA_BUFFER_SIZE-1);
649
650 if (behindBy == 0) continue;
651
652 samples++;
653 if (samples == 1) {
654 // DMA has transferred the very first data
655 dma_start_time = GetCountSspClk() & 0xfffffff0;
656 }
657
658 uint16_t tagdata = *upTo++;
659
660 if(upTo >= dmaBuf + ISO15693_DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content.
661 upTo = dmaBuf; // start reading the circular buffer from the beginning
662 if(behindBy > (9*ISO15693_DMA_BUFFER_SIZE/10)) {
663 Dbprintf("About to blow circular buffer - aborted! behindBy=%d", behindBy);
664 ret = -1;
665 break;
666 }
667 }
668 if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { // DMA Counter Register had reached 0, already rotated.
669 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; // refresh the DMA Next Buffer and
670 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO15693_DMA_BUFFER_SIZE; // DMA Next Counter registers
671 }
672
673 if (Handle15693SamplesFromTag(tagdata, &DecodeTag)) {
674 *eof_time = dma_start_time + samples*16 - DELAY_TAG_TO_ARM; // end of EOF
675 if (DecodeTag.lastBit == SOF_PART2) {
676 *eof_time -= 8*16; // needed 8 additional samples to confirm single SOF (iCLASS)
677 }
678 if (DecodeTag.len > DecodeTag.max_len) {
679 ret = -2; // buffer overflow
680 }
681 break;
682 }
683
684 if (samples > timeout && DecodeTag.state < STATE_TAG_RECEIVING_DATA) {
685 ret = -1; // timeout
686 break;
687 }
688
689 }
690
691 FpgaDisableSscDma();
692
693 if (DEBUG) Dbprintf("samples = %d, ret = %d, Decoder: state = %d, lastBit = %d, len = %d, bitCount = %d, posCount = %d",
694 samples, ret, DecodeTag.state, DecodeTag.lastBit, DecodeTag.len, DecodeTag.bitCount, DecodeTag.posCount);
695
696 if (ret < 0) {
697 return ret;
698 }
699
700 uint32_t sof_time = *eof_time
701 - DecodeTag.len * 8 * 8 * 16 // time for byte transfers
702 - 32 * 16 // time for SOF transfer
703 - (DecodeTag.lastBit != SOF_PART2?32*16:0); // time for EOF transfer
704
705 if (DEBUG) Dbprintf("timing: sof_time = %d, eof_time = %d", sof_time, *eof_time);
706
707 LogTrace_ISO15693(DecodeTag.output, DecodeTag.len, sof_time*4, *eof_time*4, NULL, false);
708
709 return DecodeTag.len;
710 }
711
712
713 //=============================================================================
714 // An ISO15693 decoder for reader commands.
715 //
716 // This function is called 4 times per bit (every 2 subcarrier cycles).
717 // Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 2,36us
718 // LED handling:
719 // LED B -> ON once we have received the SOF and are expecting the rest.
720 // LED B -> OFF once we have received EOF or are in error state or unsynced
721 //
722 // Returns: true if we received a EOF
723 // false if we are still waiting for some more
724 //=============================================================================
725
726 typedef struct DecodeReader {
727 enum {
728 STATE_READER_UNSYNCD,
729 STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF,
730 STATE_READER_AWAIT_1ST_RISING_EDGE_OF_SOF,
731 STATE_READER_AWAIT_2ND_FALLING_EDGE_OF_SOF,
732 STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF,
733 STATE_READER_AWAIT_END_OF_SOF_1_OUT_OF_4,
734 STATE_READER_RECEIVE_DATA_1_OUT_OF_4,
735 STATE_READER_RECEIVE_DATA_1_OUT_OF_256
736 } state;
737 enum {
738 CODING_1_OUT_OF_4,
739 CODING_1_OUT_OF_256
740 } Coding;
741 uint8_t shiftReg;
742 uint8_t bitCount;
743 int byteCount;
744 int byteCountMax;
745 int posCount;
746 int sum1, sum2;
747 uint8_t *output;
748 } DecodeReader_t;
749
750
751 static void DecodeReaderInit(DecodeReader_t* DecodeReader, uint8_t *data, uint16_t max_len)
752 {
753 DecodeReader->output = data;
754 DecodeReader->byteCountMax = max_len;
755 DecodeReader->state = STATE_READER_UNSYNCD;
756 DecodeReader->byteCount = 0;
757 DecodeReader->bitCount = 0;
758 DecodeReader->posCount = 1;
759 DecodeReader->shiftReg = 0;
760 }
761
762
763 static void DecodeReaderReset(DecodeReader_t* DecodeReader)
764 {
765 DecodeReader->state = STATE_READER_UNSYNCD;
766 }
767
768
769 static int inline __attribute__((always_inline)) Handle15693SampleFromReader(uint8_t bit, DecodeReader_t *restrict DecodeReader)
770 {
771 switch (DecodeReader->state) {
772 case STATE_READER_UNSYNCD:
773 // wait for unmodulated carrier
774 if (bit) {
775 DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF;
776 }
777 break;
778
779 case STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF:
780 if (!bit) {
781 // we went low, so this could be the beginning of a SOF
782 DecodeReader->posCount = 1;
783 DecodeReader->state = STATE_READER_AWAIT_1ST_RISING_EDGE_OF_SOF;
784 }
785 break;
786
787 case STATE_READER_AWAIT_1ST_RISING_EDGE_OF_SOF:
788 DecodeReader->posCount++;
789 if (bit) { // detected rising edge
790 if (DecodeReader->posCount < 4) { // rising edge too early (nominally expected at 5)
791 DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF;
792 } else { // SOF
793 DecodeReader->state = STATE_READER_AWAIT_2ND_FALLING_EDGE_OF_SOF;
794 }
795 } else {
796 if (DecodeReader->posCount > 5) { // stayed low for too long
797 DecodeReaderReset(DecodeReader);
798 } else {
799 // do nothing, keep waiting
800 }
801 }
802 break;
803
804 case STATE_READER_AWAIT_2ND_FALLING_EDGE_OF_SOF:
805 DecodeReader->posCount++;
806 if (!bit) { // detected a falling edge
807 if (DecodeReader->posCount < 20) { // falling edge too early (nominally expected at 21 earliest)
808 DecodeReaderReset(DecodeReader);
809 } else if (DecodeReader->posCount < 23) { // SOF for 1 out of 4 coding
810 DecodeReader->Coding = CODING_1_OUT_OF_4;
811 DecodeReader->state = STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF;
812 } else if (DecodeReader->posCount < 28) { // falling edge too early (nominally expected at 29 latest)
813 DecodeReaderReset(DecodeReader);
814 } else { // SOF for 1 out of 256 coding
815 DecodeReader->Coding = CODING_1_OUT_OF_256;
816 DecodeReader->state = STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF;
817 }
818 } else {
819 if (DecodeReader->posCount > 29) { // stayed high for too long
820 DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF;
821 } else {
822 // do nothing, keep waiting
823 }
824 }
825 break;
826
827 case STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF:
828 DecodeReader->posCount++;
829 if (bit) { // detected rising edge
830 if (DecodeReader->Coding == CODING_1_OUT_OF_256) {
831 if (DecodeReader->posCount < 32) { // rising edge too early (nominally expected at 33)
832 DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF;
833 } else {
834 DecodeReader->posCount = 1;
835 DecodeReader->bitCount = 0;
836 DecodeReader->byteCount = 0;
837 DecodeReader->sum1 = 1;
838 DecodeReader->state = STATE_READER_RECEIVE_DATA_1_OUT_OF_256;
839 LED_B_ON();
840 }
841 } else { // CODING_1_OUT_OF_4
842 if (DecodeReader->posCount < 24) { // rising edge too early (nominally expected at 25)
843 DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF;
844 } else {
845 DecodeReader->posCount = 1;
846 DecodeReader->state = STATE_READER_AWAIT_END_OF_SOF_1_OUT_OF_4;
847 }
848 }
849 } else {
850 if (DecodeReader->Coding == CODING_1_OUT_OF_256) {
851 if (DecodeReader->posCount > 34) { // signal stayed low for too long
852 DecodeReaderReset(DecodeReader);
853 } else {
854 // do nothing, keep waiting
855 }
856 } else { // CODING_1_OUT_OF_4
857 if (DecodeReader->posCount > 26) { // signal stayed low for too long
858 DecodeReaderReset(DecodeReader);
859 } else {
860 // do nothing, keep waiting
861 }
862 }
863 }
864 break;
865
866 case STATE_READER_AWAIT_END_OF_SOF_1_OUT_OF_4:
867 DecodeReader->posCount++;
868 if (bit) {
869 if (DecodeReader->posCount == 9) {
870 DecodeReader->posCount = 1;
871 DecodeReader->bitCount = 0;
872 DecodeReader->byteCount = 0;
873 DecodeReader->sum1 = 1;
874 DecodeReader->state = STATE_READER_RECEIVE_DATA_1_OUT_OF_4;
875 LED_B_ON();
876 } else {
877 // do nothing, keep waiting
878 }
879 } else { // unexpected falling edge
880 DecodeReaderReset(DecodeReader);
881 }
882 break;
883
884 case STATE_READER_RECEIVE_DATA_1_OUT_OF_4:
885 bit = !!bit;
886 DecodeReader->posCount++;
887 if (DecodeReader->posCount == 1) {
888 DecodeReader->sum1 = bit;
889 } else if (DecodeReader->posCount <= 4) {
890 DecodeReader->sum1 += bit;
891 } else if (DecodeReader->posCount == 5) {
892 DecodeReader->sum2 = bit;
893 } else {
894 DecodeReader->sum2 += bit;
895 }
896 if (DecodeReader->posCount == 8) {
897 DecodeReader->posCount = 0;
898 if (DecodeReader->sum1 <= 1 && DecodeReader->sum2 >= 3) { // EOF
899 LED_B_OFF(); // Finished receiving
900 DecodeReaderReset(DecodeReader);
901 if (DecodeReader->byteCount != 0) {
902 return true;
903 }
904 }
905 if (DecodeReader->sum1 >= 3 && DecodeReader->sum2 <= 1) { // detected a 2bit position
906 DecodeReader->shiftReg >>= 2;
907 DecodeReader->shiftReg |= (DecodeReader->bitCount << 6);
908 }
909 if (DecodeReader->bitCount == 15) { // we have a full byte
910 DecodeReader->output[DecodeReader->byteCount++] = DecodeReader->shiftReg;
911 if (DecodeReader->byteCount > DecodeReader->byteCountMax) {
912 // buffer overflow, give up
913 LED_B_OFF();
914 DecodeReaderReset(DecodeReader);
915 }
916 DecodeReader->bitCount = 0;
917 DecodeReader->shiftReg = 0;
918 } else {
919 DecodeReader->bitCount++;
920 }
921 }
922 break;
923
924 case STATE_READER_RECEIVE_DATA_1_OUT_OF_256:
925 bit = !!bit;
926 DecodeReader->posCount++;
927 if (DecodeReader->posCount == 1) {
928 DecodeReader->sum1 = bit;
929 } else if (DecodeReader->posCount <= 4) {
930 DecodeReader->sum1 += bit;
931 } else if (DecodeReader->posCount == 5) {
932 DecodeReader->sum2 = bit;
933 } else {
934 DecodeReader->sum2 += bit;
935 }
936 if (DecodeReader->posCount == 8) {
937 DecodeReader->posCount = 0;
938 if (DecodeReader->sum1 <= 1 && DecodeReader->sum2 >= 3) { // EOF
939 LED_B_OFF(); // Finished receiving
940 DecodeReaderReset(DecodeReader);
941 if (DecodeReader->byteCount != 0) {
942 return true;
943 }
944 }
945 if (DecodeReader->sum1 >= 3 && DecodeReader->sum2 <= 1) { // detected the bit position
946 DecodeReader->shiftReg = DecodeReader->bitCount;
947 }
948 if (DecodeReader->bitCount == 255) { // we have a full byte
949 DecodeReader->output[DecodeReader->byteCount++] = DecodeReader->shiftReg;
950 if (DecodeReader->byteCount > DecodeReader->byteCountMax) {
951 // buffer overflow, give up
952 LED_B_OFF();
953 DecodeReaderReset(DecodeReader);
954 }
955 }
956 DecodeReader->bitCount++;
957 }
958 break;
959
960 default:
961 LED_B_OFF();
962 DecodeReaderReset(DecodeReader);
963 break;
964 }
965
966 return false;
967 }
968
969
970 //-----------------------------------------------------------------------------
971 // Receive a command (from the reader to us, where we are the simulated tag),
972 // and store it in the given buffer, up to the given maximum length. Keeps
973 // spinning, waiting for a well-framed command, until either we get one
974 // (returns len) or someone presses the pushbutton on the board (returns -1).
975 //
976 // Assume that we're called with the SSC (to the FPGA) and ADC path set
977 // correctly.
978 //-----------------------------------------------------------------------------
979
980 int GetIso15693CommandFromReader(uint8_t *received, size_t max_len, uint32_t *eof_time) {
981 int samples = 0;
982 bool gotFrame = false;
983 uint8_t b;
984
985 uint8_t dmaBuf[ISO15693_DMA_BUFFER_SIZE];
986
987 // the decoder data structure
988 DecodeReader_t DecodeReader = {0};
989 DecodeReaderInit(&DecodeReader, received, max_len);
990
991 // wait for last transfer to complete
992 while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY));
993
994 LED_D_OFF();
995 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
996
997 // clear receive register and wait for next transfer
998 uint32_t temp = AT91C_BASE_SSC->SSC_RHR;
999 (void) temp;
1000 while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)) ;
1001
1002 uint32_t dma_start_time = GetCountSspClk() & 0xfffffff8;
1003
1004 // Setup and start DMA.
1005 FpgaSetupSscDma(dmaBuf, ISO15693_DMA_BUFFER_SIZE);
1006 uint8_t *upTo = dmaBuf;
1007
1008 for (;;) {
1009 uint16_t behindBy = ((uint8_t*)AT91C_BASE_PDC_SSC->PDC_RPR - upTo) & (ISO15693_DMA_BUFFER_SIZE-1);
1010
1011 if (behindBy == 0) continue;
1012
1013 b = *upTo++;
1014 if (upTo >= dmaBuf + ISO15693_DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content.
1015 upTo = dmaBuf; // start reading the circular buffer from the beginning
1016 if (behindBy > (9*ISO15693_DMA_BUFFER_SIZE/10)) {
1017 Dbprintf("About to blow circular buffer - aborted! behindBy=%d", behindBy);
1018 break;
1019 }
1020 }
1021 if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { // DMA Counter Register had reached 0, already rotated.
1022 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; // refresh the DMA Next Buffer and
1023 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO15693_DMA_BUFFER_SIZE; // DMA Next Counter registers
1024 }
1025
1026 for (int i = 7; i >= 0; i--) {
1027 if (Handle15693SampleFromReader((b >> i) & 0x01, &DecodeReader)) {
1028 *eof_time = dma_start_time + samples - DELAY_READER_TO_ARM; // end of EOF
1029 gotFrame = true;
1030 break;
1031 }
1032 samples++;
1033 }
1034
1035 if (gotFrame) {
1036 break;
1037 }
1038
1039 if (BUTTON_PRESS()) {
1040 DecodeReader.byteCount = -1;
1041 break;
1042 }
1043
1044 WDT_HIT();
1045 }
1046
1047 FpgaDisableSscDma();
1048
1049 if (DEBUG) Dbprintf("samples = %d, gotFrame = %d, Decoder: state = %d, len = %d, bitCount = %d, posCount = %d",
1050 samples, gotFrame, DecodeReader.state, DecodeReader.byteCount, DecodeReader.bitCount, DecodeReader.posCount);
1051
1052 if (DecodeReader.byteCount > 0) {
1053 uint32_t sof_time = *eof_time
1054 - DecodeReader.byteCount * (DecodeReader.Coding==CODING_1_OUT_OF_4?128:2048) // time for byte transfers
1055 - 32 // time for SOF transfer
1056 - 16; // time for EOF transfer
1057 LogTrace_ISO15693(DecodeReader.output, DecodeReader.byteCount, sof_time*32, *eof_time*32, NULL, true);
1058 }
1059
1060 return DecodeReader.byteCount;
1061 }
1062
1063
1064 // Encode (into the ToSend buffers) an identify request, which is the first
1065 // thing that you must send to a tag to get a response.
1066 static void BuildIdentifyRequest(void)
1067 {
1068 uint8_t cmd[5];
1069
1070 uint16_t crc;
1071 // one sub-carrier, inventory, 1 slot, fast rate
1072 // AFI is at bit 5 (1<<4) when doing an INVENTORY
1073 cmd[0] = (1 << 2) | (1 << 5) | (1 << 1);
1074 // inventory command code
1075 cmd[1] = 0x01;
1076 // no mask
1077 cmd[2] = 0x00;
1078 //Now the CRC
1079 crc = Iso15693Crc(cmd, 3);
1080 cmd[3] = crc & 0xff;
1081 cmd[4] = crc >> 8;
1082
1083 CodeIso15693AsReader(cmd, sizeof(cmd));
1084 }
1085
1086
1087 //-----------------------------------------------------------------------------
1088 // Start to read an ISO 15693 tag. We send an identify request, then wait
1089 // for the response. The response is not demodulated, just left in the buffer
1090 // so that it can be downloaded to a PC and processed there.
1091 //-----------------------------------------------------------------------------
1092 void AcquireRawAdcSamplesIso15693(void)
1093 {
1094 LED_A_ON();
1095
1096 uint8_t *dest = BigBuf_get_addr();
1097
1098 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1099 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
1100 LED_D_ON();
1101 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
1102 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1103
1104 BuildIdentifyRequest();
1105
1106 // Give the tags time to energize
1107 SpinDelay(100);
1108
1109 // Now send the command
1110 uint32_t start_time = 0;
1111 TransmitTo15693Tag(ToSend, ToSendMax, &start_time);
1112
1113 // wait for last transfer to complete
1114 while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY)) ;
1115
1116 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_SUBCARRIER_424_KHZ | FPGA_HF_READER_MODE_RECEIVE_AMPLITUDE);
1117
1118 for(int c = 0; c < 4000; ) {
1119 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1120 uint16_t r = AT91C_BASE_SSC->SSC_RHR;
1121 dest[c++] = r >> 5;
1122 }
1123 }
1124
1125 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1126 LEDsoff();
1127 }
1128
1129
1130 void SnoopIso15693(void)
1131 {
1132 LED_A_ON();
1133
1134 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1135 BigBuf_free();
1136
1137 clear_trace();
1138 set_tracing(true);
1139
1140 // The DMA buffer, used to stream samples from the FPGA
1141 uint16_t* dmaBuf = (uint16_t*)BigBuf_malloc(ISO15693_DMA_BUFFER_SIZE*sizeof(uint16_t));
1142 uint16_t *upTo;
1143
1144 // Count of samples received so far, so that we can include timing
1145 // information in the trace buffer.
1146 int samples = 0;
1147
1148 DecodeTag_t DecodeTag = {0};
1149 uint8_t response[ISO15693_MAX_RESPONSE_LENGTH];
1150 DecodeTagInit(&DecodeTag, response, sizeof(response));
1151
1152 DecodeReader_t DecodeReader = {0};;
1153 uint8_t cmd[ISO15693_MAX_COMMAND_LENGTH];
1154 DecodeReaderInit(&DecodeReader, cmd, sizeof(cmd));
1155
1156 // Print some debug information about the buffer sizes
1157 if (DEBUG) {
1158 Dbprintf("Snooping buffers initialized:");
1159 Dbprintf(" Trace: %i bytes", BigBuf_max_traceLen());
1160 Dbprintf(" Reader -> tag: %i bytes", ISO15693_MAX_COMMAND_LENGTH);
1161 Dbprintf(" tag -> Reader: %i bytes", ISO15693_MAX_RESPONSE_LENGTH);
1162 Dbprintf(" DMA: %i bytes", ISO15693_DMA_BUFFER_SIZE * sizeof(uint16_t));
1163 }
1164 Dbprintf("Snoop started. Press PM3 Button to stop.");
1165
1166 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SNOOP_AMPLITUDE);
1167 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1168
1169 // Setup for the DMA.
1170 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
1171 upTo = dmaBuf;
1172 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE);
1173
1174 bool TagIsActive = false;
1175 bool ReaderIsActive = false;
1176 bool ExpectTagAnswer = false;
1177
1178 // And now we loop, receiving samples.
1179 for(;;) {
1180 uint16_t behindBy = ((uint16_t*)AT91C_BASE_PDC_SSC->PDC_RPR - upTo) & (ISO15693_DMA_BUFFER_SIZE-1);
1181
1182 if (behindBy == 0) continue;
1183
1184 uint16_t snoopdata = *upTo++;
1185
1186 if(upTo >= dmaBuf + ISO15693_DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content.
1187 upTo = dmaBuf; // start reading the circular buffer from the beginning
1188 if(behindBy > (9*ISO15693_DMA_BUFFER_SIZE/10)) {
1189 Dbprintf("About to blow circular buffer - aborted! behindBy=%d, samples=%d", behindBy, samples);
1190 break;
1191 }
1192 if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_ENDRX)) { // DMA Counter Register had reached 0, already rotated.
1193 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; // refresh the DMA Next Buffer and
1194 AT91C_BASE_PDC_SSC->PDC_RNCR = ISO15693_DMA_BUFFER_SIZE; // DMA Next Counter registers
1195 WDT_HIT();
1196 if(BUTTON_PRESS()) {
1197 DbpString("Snoop stopped.");
1198 break;
1199 }
1200 }
1201 }
1202 samples++;
1203
1204 if (!TagIsActive) { // no need to try decoding reader data if the tag is sending
1205 if (Handle15693SampleFromReader(snoopdata & 0x02, &DecodeReader)) {
1206 FpgaDisableSscDma();
1207 ExpectTagAnswer = true;
1208 LogTrace_ISO15693(DecodeReader.output, DecodeReader.byteCount, samples*64, samples*64, NULL, true);
1209 /* And ready to receive another command. */
1210 DecodeReaderReset(&DecodeReader);
1211 /* And also reset the demod code, which might have been */
1212 /* false-triggered by the commands from the reader. */
1213 DecodeTagReset(&DecodeTag);
1214 upTo = dmaBuf;
1215 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE);
1216 }
1217 if (Handle15693SampleFromReader(snoopdata & 0x01, &DecodeReader)) {
1218 FpgaDisableSscDma();
1219 ExpectTagAnswer = true;
1220 LogTrace_ISO15693(DecodeReader.output, DecodeReader.byteCount, samples*64, samples*64, NULL, true);
1221 /* And ready to receive another command. */
1222 DecodeReaderReset(&DecodeReader);
1223 /* And also reset the demod code, which might have been */
1224 /* false-triggered by the commands from the reader. */
1225 DecodeTagReset(&DecodeTag);
1226 upTo = dmaBuf;
1227 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE);
1228 }
1229 ReaderIsActive = (DecodeReader.state >= STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF);
1230 }
1231
1232 if (!ReaderIsActive && ExpectTagAnswer) { // no need to try decoding tag data if the reader is currently sending or no answer expected yet
1233 if (Handle15693SamplesFromTag(snoopdata >> 2, &DecodeTag)) {
1234 FpgaDisableSscDma();
1235 //Use samples as a time measurement
1236 LogTrace_ISO15693(DecodeTag.output, DecodeTag.len, samples*64, samples*64, NULL, false);
1237 // And ready to receive another response.
1238 DecodeTagReset(&DecodeTag);
1239 DecodeReaderReset(&DecodeReader);
1240 ExpectTagAnswer = false;
1241 upTo = dmaBuf;
1242 FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE);
1243 }
1244 TagIsActive = (DecodeTag.state >= STATE_TAG_RECEIVING_DATA);
1245 }
1246
1247 }
1248
1249 FpgaDisableSscDma();
1250 BigBuf_free();
1251
1252 LEDsoff();
1253
1254 DbpString("Snoop statistics:");
1255 Dbprintf(" ExpectTagAnswer: %d", ExpectTagAnswer);
1256 Dbprintf(" DecodeTag State: %d", DecodeTag.state);
1257 Dbprintf(" DecodeTag byteCnt: %d", DecodeTag.len);
1258 Dbprintf(" DecodeReader State: %d", DecodeReader.state);
1259 Dbprintf(" DecodeReader byteCnt: %d", DecodeReader.byteCount);
1260 Dbprintf(" Trace length: %d", BigBuf_get_traceLen());
1261 }
1262
1263
1264 // Initialize the proxmark as iso15k reader
1265 void Iso15693InitReader() {
1266 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1267
1268 // Start from off (no field generated)
1269 LED_D_OFF();
1270 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1271 SpinDelay(10);
1272
1273 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1274 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
1275
1276 // Give the tags time to energize
1277 LED_D_ON();
1278 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
1279 SpinDelay(250);
1280 }
1281
1282 ///////////////////////////////////////////////////////////////////////
1283 // ISO 15693 Part 3 - Air Interface
1284 // This section basically contains transmission and receiving of bits
1285 ///////////////////////////////////////////////////////////////////////
1286
1287
1288 // uid is in transmission order (which is reverse of display order)
1289 static void BuildReadBlockRequest(uint8_t *uid, uint8_t blockNumber )
1290 {
1291 uint8_t cmd[13];
1292
1293 uint16_t crc;
1294 // If we set the Option_Flag in this request, the VICC will respond with the security status of the block
1295 // followed by the block data
1296 cmd[0] = ISO15693_REQ_OPTION | ISO15693_REQ_ADDRESS | ISO15693_REQ_DATARATE_HIGH;
1297 // READ BLOCK command code
1298 cmd[1] = ISO15693_READBLOCK;
1299 // UID may be optionally specified here
1300 // 64-bit UID
1301 cmd[2] = uid[0];
1302 cmd[3] = uid[1];
1303 cmd[4] = uid[2];
1304 cmd[5] = uid[3];
1305 cmd[6] = uid[4];
1306 cmd[7] = uid[5];
1307 cmd[8] = uid[6];
1308 cmd[9] = uid[7]; // 0xe0; // always e0 (not exactly unique)
1309 // Block number to read
1310 cmd[10] = blockNumber;
1311 //Now the CRC
1312 crc = Iso15693Crc(cmd, 11); // the crc needs to be calculated over 11 bytes
1313 cmd[11] = crc & 0xff;
1314 cmd[12] = crc >> 8;
1315
1316 CodeIso15693AsReader(cmd, sizeof(cmd));
1317 }
1318
1319
1320 // Now the VICC>VCD responses when we are simulating a tag
1321 static void BuildInventoryResponse(uint8_t *uid)
1322 {
1323 uint8_t cmd[12];
1324
1325 uint16_t crc;
1326
1327 cmd[0] = 0; // No error, no protocol format extension
1328 cmd[1] = 0; // DSFID (data storage format identifier). 0x00 = not supported
1329 // 64-bit UID
1330 cmd[2] = uid[7]; //0x32;
1331 cmd[3] = uid[6]; //0x4b;
1332 cmd[4] = uid[5]; //0x03;
1333 cmd[5] = uid[4]; //0x01;
1334 cmd[6] = uid[3]; //0x00;
1335 cmd[7] = uid[2]; //0x10;
1336 cmd[8] = uid[1]; //0x05;
1337 cmd[9] = uid[0]; //0xe0;
1338 //Now the CRC
1339 crc = Iso15693Crc(cmd, 10);
1340 cmd[10] = crc & 0xff;
1341 cmd[11] = crc >> 8;
1342
1343 CodeIso15693AsTag(cmd, sizeof(cmd));
1344 }
1345
1346 // Universal Method for sending to and recv bytes from a tag
1347 // init ... should we initialize the reader?
1348 // speed ... 0 low speed, 1 hi speed
1349 // *recv will contain the tag's answer
1350 // return: length of received data, or -1 for timeout
1351 int SendDataTag(uint8_t *send, int sendlen, bool init, int speed, uint8_t *recv, uint16_t max_recv_len, uint32_t start_time, uint32_t *eof_time) {
1352
1353 if (init) {
1354 Iso15693InitReader();
1355 StartCountSspClk();
1356 }
1357
1358 int answerLen = 0;
1359
1360 if (!speed) {
1361 // low speed (1 out of 256)
1362 CodeIso15693AsReader256(send, sendlen);
1363 } else {
1364 // high speed (1 out of 4)
1365 CodeIso15693AsReader(send, sendlen);
1366 }
1367
1368 TransmitTo15693Tag(ToSend, ToSendMax, &start_time);
1369
1370 // Now wait for a response
1371 if (recv != NULL) {
1372 answerLen = GetIso15693AnswerFromTag(recv, max_recv_len, ISO15693_READER_TIMEOUT, eof_time);
1373 }
1374
1375 return answerLen;
1376 }
1377
1378
1379 // --------------------------------------------------------------------
1380 // Debug Functions
1381 // --------------------------------------------------------------------
1382
1383 // Decodes a message from a tag and displays its metadata and content
1384 #define DBD15STATLEN 48
1385 void DbdecodeIso15693Answer(int len, uint8_t *d) {
1386 char status[DBD15STATLEN+1]={0};
1387 uint16_t crc;
1388
1389 if (len > 3) {
1390 if (d[0] & ISO15693_RES_EXT)
1391 strncat(status,"ProtExt ", DBD15STATLEN);
1392 if (d[0] & ISO15693_RES_ERROR) {
1393 // error
1394 strncat(status,"Error ", DBD15STATLEN);
1395 switch (d[1]) {
1396 case 0x01:
1397 strncat(status,"01:notSupp", DBD15STATLEN);
1398 break;
1399 case 0x02:
1400 strncat(status,"02:notRecog", DBD15STATLEN);
1401 break;
1402 case 0x03:
1403 strncat(status,"03:optNotSupp", DBD15STATLEN);
1404 break;
1405 case 0x0f:
1406 strncat(status,"0f:noInfo", DBD15STATLEN);
1407 break;
1408 case 0x10:
1409 strncat(status,"10:doesn'tExist", DBD15STATLEN);
1410 break;
1411 case 0x11:
1412 strncat(status,"11:lockAgain", DBD15STATLEN);
1413 break;
1414 case 0x12:
1415 strncat(status,"12:locked", DBD15STATLEN);
1416 break;
1417 case 0x13:
1418 strncat(status,"13:progErr", DBD15STATLEN);
1419 break;
1420 case 0x14:
1421 strncat(status,"14:lockErr", DBD15STATLEN);
1422 break;
1423 default:
1424 strncat(status,"unknownErr", DBD15STATLEN);
1425 }
1426 strncat(status," ", DBD15STATLEN);
1427 } else {
1428 strncat(status,"NoErr ", DBD15STATLEN);
1429 }
1430
1431 crc=Iso15693Crc(d,len-2);
1432 if ( (( crc & 0xff ) == d[len-2]) && (( crc >> 8 ) == d[len-1]) )
1433 strncat(status,"CrcOK",DBD15STATLEN);
1434 else
1435 strncat(status,"CrcFail!",DBD15STATLEN);
1436
1437 Dbprintf("%s",status);
1438 }
1439 }
1440
1441
1442
1443 ///////////////////////////////////////////////////////////////////////
1444 // Functions called via USB/Client
1445 ///////////////////////////////////////////////////////////////////////
1446
1447 void SetDebugIso15693(uint32_t debug) {
1448 DEBUG=debug;
1449 Dbprintf("Iso15693 Debug is now %s",DEBUG?"on":"off");
1450 return;
1451 }
1452
1453
1454 //---------------------------------------------------------------------------------------
1455 // Simulate an ISO15693 reader, perform anti-collision and then attempt to read a sector.
1456 // all demodulation performed in arm rather than host. - greg
1457 //---------------------------------------------------------------------------------------
1458 void ReaderIso15693(uint32_t parameter) {
1459
1460 LED_A_ON();
1461
1462 set_tracing(true);
1463
1464 int answerLen = 0;
1465 uint8_t TagUID[8] = {0x00};
1466
1467 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1468
1469 uint8_t answer[ISO15693_MAX_RESPONSE_LENGTH];
1470
1471 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1472 // Setup SSC
1473 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER);
1474
1475 // Start from off (no field generated)
1476 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1477 SpinDelay(200);
1478
1479 // Give the tags time to energize
1480 LED_D_ON();
1481 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER);
1482 SpinDelay(200);
1483 StartCountSspClk();
1484
1485
1486 // FIRST WE RUN AN INVENTORY TO GET THE TAG UID
1487 // THIS MEANS WE CAN PRE-BUILD REQUESTS TO SAVE CPU TIME
1488
1489 // Now send the IDENTIFY command
1490 BuildIdentifyRequest();
1491 uint32_t start_time = 0;
1492 TransmitTo15693Tag(ToSend, ToSendMax, &start_time);
1493
1494 // Now wait for a response
1495 uint32_t eof_time;
1496 answerLen = GetIso15693AnswerFromTag(answer, sizeof(answer), DELAY_ISO15693_VCD_TO_VICC_READER * 2, &eof_time) ;
1497 start_time = eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
1498
1499 if (answerLen >=12) // we should do a better check than this
1500 {
1501 TagUID[0] = answer[2];
1502 TagUID[1] = answer[3];
1503 TagUID[2] = answer[4];
1504 TagUID[3] = answer[5];
1505 TagUID[4] = answer[6];
1506 TagUID[5] = answer[7];
1507 TagUID[6] = answer[8]; // IC Manufacturer code
1508 TagUID[7] = answer[9]; // always E0
1509
1510 }
1511
1512 Dbprintf("%d octets read from IDENTIFY request:", answerLen);
1513 DbdecodeIso15693Answer(answerLen, answer);
1514 Dbhexdump(answerLen, answer, false);
1515
1516 // UID is reverse
1517 if (answerLen >= 12)
1518 Dbprintf("UID = %02hX%02hX%02hX%02hX%02hX%02hX%02hX%02hX",
1519 TagUID[7],TagUID[6],TagUID[5],TagUID[4],
1520 TagUID[3],TagUID[2],TagUID[1],TagUID[0]);
1521
1522
1523 // Dbprintf("%d octets read from SELECT request:", answerLen2);
1524 // DbdecodeIso15693Answer(answerLen2,answer2);
1525 // Dbhexdump(answerLen2,answer2,true);
1526
1527 // Dbprintf("%d octets read from XXX request:", answerLen3);
1528 // DbdecodeIso15693Answer(answerLen3,answer3);
1529 // Dbhexdump(answerLen3,answer3,true);
1530
1531 // read all pages
1532 if (answerLen >= 12 && DEBUG) {
1533 for (int i = 0; i < 32; i++) { // sanity check, assume max 32 pages
1534 BuildReadBlockRequest(TagUID, i);
1535 TransmitTo15693Tag(ToSend, ToSendMax, &start_time);
1536 int answerLen = GetIso15693AnswerFromTag(answer, sizeof(answer), DELAY_ISO15693_VCD_TO_VICC_READER * 2, &eof_time);
1537 start_time = eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
1538 if (answerLen > 0) {
1539 Dbprintf("READ SINGLE BLOCK %d returned %d octets:", i, answerLen);
1540 DbdecodeIso15693Answer(answerLen, answer);
1541 Dbhexdump(answerLen, answer, false);
1542 if ( *((uint32_t*) answer) == 0x07160101 ) break; // exit on NoPageErr
1543 }
1544 }
1545 }
1546
1547 // for the time being, switch field off to protect rdv4.0
1548 // note: this prevents using hf 15 cmd with s option - which isn't implemented yet anyway
1549 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1550 LED_D_OFF();
1551
1552 LED_A_OFF();
1553 }
1554
1555
1556 // Simulate an ISO15693 TAG.
1557 // For Inventory command: print command and send Inventory Response with given UID
1558 // TODO: interpret other reader commands and send appropriate response
1559 void SimTagIso15693(uint32_t parameter, uint8_t *uid) {
1560
1561 LED_A_ON();
1562
1563 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1564 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1565 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
1566 FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR);
1567
1568 StartCountSspClk();
1569
1570 uint8_t cmd[ISO15693_MAX_COMMAND_LENGTH];
1571
1572 // Build a suitable response to the reader INVENTORY command
1573 BuildInventoryResponse(uid);
1574
1575 // Listen to reader
1576 while (!BUTTON_PRESS()) {
1577 uint32_t eof_time = 0, start_time = 0;
1578 int cmd_len = GetIso15693CommandFromReader(cmd, sizeof(cmd), &eof_time);
1579
1580 if ((cmd_len >= 5) && (cmd[0] & ISO15693_REQ_INVENTORY) && (cmd[1] == ISO15693_INVENTORY)) { // TODO: check more flags
1581 bool slow = !(cmd[0] & ISO15693_REQ_DATARATE_HIGH);
1582 start_time = eof_time + DELAY_ISO15693_VCD_TO_VICC_SIM;
1583 TransmitTo15693Reader(ToSend, ToSendMax, &start_time, 0, slow);
1584 }
1585
1586 Dbprintf("%d bytes read from reader:", cmd_len);
1587 Dbhexdump(cmd_len, cmd, false);
1588 }
1589
1590 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1591 LED_D_OFF();
1592 LED_A_OFF();
1593 }
1594
1595
1596 // Since there is no standardized way of reading the AFI out of a tag, we will brute force it
1597 // (some manufactures offer a way to read the AFI, though)
1598 void BruteforceIso15693Afi(uint32_t speed)
1599 {
1600 LED_A_ON();
1601
1602 uint8_t data[6];
1603 uint8_t recv[ISO15693_MAX_RESPONSE_LENGTH];
1604 int datalen = 0, recvlen = 0;
1605 uint32_t eof_time;
1606
1607 // first without AFI
1608 // Tags should respond without AFI and with AFI=0 even when AFI is active
1609
1610 data[0] = ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_INVENTORY | ISO15693_REQINV_SLOT1;
1611 data[1] = ISO15693_INVENTORY;
1612 data[2] = 0; // mask length
1613 datalen = Iso15693AddCrc(data,3);
1614 uint32_t start_time = GetCountSspClk();
1615 recvlen = SendDataTag(data, datalen, true, speed, recv, sizeof(recv), 0, &eof_time);
1616 start_time = eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
1617 WDT_HIT();
1618 if (recvlen>=12) {
1619 Dbprintf("NoAFI UID=%s", Iso15693sprintUID(NULL, &recv[2]));
1620 }
1621
1622 // now with AFI
1623
1624 data[0] = ISO15693_REQ_DATARATE_HIGH | ISO15693_REQ_INVENTORY | ISO15693_REQINV_AFI | ISO15693_REQINV_SLOT1;
1625 data[1] = ISO15693_INVENTORY;
1626 data[2] = 0; // AFI
1627 data[3] = 0; // mask length
1628
1629 for (int i = 0; i < 256; i++) {
1630 data[2] = i & 0xFF;
1631 datalen = Iso15693AddCrc(data,4);
1632 recvlen = SendDataTag(data, datalen, false, speed, recv, sizeof(recv), start_time, &eof_time);
1633 start_time = eof_time + DELAY_ISO15693_VICC_TO_VCD_READER;
1634 WDT_HIT();
1635 if (recvlen >= 12) {
1636 Dbprintf("AFI=%i UID=%s", i, Iso15693sprintUID(NULL, &recv[2]));
1637 }
1638 }
1639 Dbprintf("AFI Bruteforcing done.");
1640
1641 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1642 LED_D_OFF();
1643 LED_A_OFF();
1644
1645 }
1646
1647 // Allows to directly send commands to the tag via the client
1648 void DirectTag15693Command(uint32_t datalen, uint32_t speed, uint32_t recv, uint8_t data[]) {
1649
1650 LED_A_ON();
1651
1652 int recvlen = 0;
1653 uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
1654 uint32_t eof_time;
1655
1656 if (DEBUG) {
1657 Dbprintf("SEND:");
1658 Dbhexdump(datalen, data, false);
1659 }
1660
1661 recvlen = SendDataTag(data, datalen, true, speed, (recv?recvbuf:NULL), sizeof(recvbuf), 0, &eof_time);
1662
1663 // for the time being, switch field off to protect rdv4.0
1664 // note: this prevents using hf 15 cmd with s option - which isn't implemented yet anyway
1665 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1666 LED_D_OFF();
1667
1668 if (recv) {
1669 if (DEBUG) {
1670 Dbprintf("RECV:");
1671 if (recvlen > 0) {
1672 Dbhexdump(recvlen, recvbuf, false);
1673 DbdecodeIso15693Answer(recvlen, recvbuf);
1674 }
1675 }
1676 if (recvlen > ISO15693_MAX_RESPONSE_LENGTH) {
1677 recvlen = ISO15693_MAX_RESPONSE_LENGTH;
1678 }
1679 cmd_send(CMD_ACK, recvlen, 0, 0, recvbuf, ISO15693_MAX_RESPONSE_LENGTH);
1680 }
1681
1682 LED_A_OFF();
1683 }
1684
1685 //-----------------------------------------------------------------------------
1686 // Work with "magic Chinese" card.
1687 //
1688 //-----------------------------------------------------------------------------
1689
1690 // Set the UID to the tag (based on Iceman work).
1691 void SetTag15693Uid(uint8_t *uid) {
1692
1693 LED_A_ON();
1694
1695 uint8_t cmd[4][9] = {0x00};
1696 uint16_t crc;
1697
1698 int recvlen = 0;
1699 uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH];
1700 uint32_t eof_time;
1701
1702 // Command 1 : 02213E00000000
1703 cmd[0][0] = 0x02;
1704 cmd[0][1] = 0x21;
1705 cmd[0][2] = 0x3e;
1706 cmd[0][3] = 0x00;
1707 cmd[0][4] = 0x00;
1708 cmd[0][5] = 0x00;
1709 cmd[0][6] = 0x00;
1710
1711 // Command 2 : 02213F69960000
1712 cmd[1][0] = 0x02;
1713 cmd[1][1] = 0x21;
1714 cmd[1][2] = 0x3f;
1715 cmd[1][3] = 0x69;
1716 cmd[1][4] = 0x96;
1717 cmd[1][5] = 0x00;
1718 cmd[1][6] = 0x00;
1719
1720 // Command 3 : 022138u8u7u6u5 (where uX = uid byte X)
1721 cmd[2][0] = 0x02;
1722 cmd[2][1] = 0x21;
1723 cmd[2][2] = 0x38;
1724 cmd[2][3] = uid[7];
1725 cmd[2][4] = uid[6];
1726 cmd[2][5] = uid[5];
1727 cmd[2][6] = uid[4];
1728
1729 // Command 4 : 022139u4u3u2u1 (where uX = uid byte X)
1730 cmd[3][0] = 0x02;
1731 cmd[3][1] = 0x21;
1732 cmd[3][2] = 0x39;
1733 cmd[3][3] = uid[3];
1734 cmd[3][4] = uid[2];
1735 cmd[3][5] = uid[1];
1736 cmd[3][6] = uid[0];
1737
1738 for (int i = 0; i < 4; i++) {
1739 // Add the CRC
1740 crc = Iso15693Crc(cmd[i], 7);
1741 cmd[i][7] = crc & 0xff;
1742 cmd[i][8] = crc >> 8;
1743
1744 if (DEBUG) {
1745 Dbprintf("SEND:");
1746 Dbhexdump(sizeof(cmd[i]), cmd[i], false);
1747 }
1748
1749 recvlen = SendDataTag(cmd[i], sizeof(cmd[i]), true, 1, recvbuf, sizeof(recvbuf), 0, &eof_time);
1750
1751 if (DEBUG) {
1752 Dbprintf("RECV:");
1753 if (recvlen > 0) {
1754 Dbhexdump(recvlen, recvbuf, false);
1755 DbdecodeIso15693Answer(recvlen, recvbuf);
1756 }
1757 }
1758
1759 cmd_send(CMD_ACK, recvlen>ISO15693_MAX_RESPONSE_LENGTH?ISO15693_MAX_RESPONSE_LENGTH:recvlen, 0, 0, recvbuf, ISO15693_MAX_RESPONSE_LENGTH);
1760 }
1761
1762 LED_A_OFF();
1763 }
1764
1765
1766
1767 // --------------------------------------------------------------------
1768 // -- Misc & deprecated functions
1769 // --------------------------------------------------------------------
1770
1771 /*
1772
1773 // do not use; has a fix UID
1774 static void __attribute__((unused)) BuildSysInfoRequest(uint8_t *uid)
1775 {
1776 uint8_t cmd[12];
1777
1778 uint16_t crc;
1779 // If we set the Option_Flag in this request, the VICC will respond with the security status of the block
1780 // followed by the block data
1781 // one sub-carrier, inventory, 1 slot, fast rate
1782 cmd[0] = (1 << 5) | (1 << 1); // no SELECT bit
1783 // System Information command code
1784 cmd[1] = 0x2B;
1785 // UID may be optionally specified here
1786 // 64-bit UID
1787 cmd[2] = 0x32;
1788 cmd[3]= 0x4b;
1789 cmd[4] = 0x03;
1790 cmd[5] = 0x01;
1791 cmd[6] = 0x00;
1792 cmd[7] = 0x10;
1793 cmd[8] = 0x05;
1794 cmd[9]= 0xe0; // always e0 (not exactly unique)
1795 //Now the CRC
1796 crc = Iso15693Crc(cmd, 10); // the crc needs to be calculated over 2 bytes
1797 cmd[10] = crc & 0xff;
1798 cmd[11] = crc >> 8;
1799
1800 CodeIso15693AsReader(cmd, sizeof(cmd));
1801 }
1802
1803
1804 // do not use; has a fix UID
1805 static void __attribute__((unused)) BuildReadMultiBlockRequest(uint8_t *uid)
1806 {
1807 uint8_t cmd[14];
1808
1809 uint16_t crc;
1810 // If we set the Option_Flag in this request, the VICC will respond with the security status of the block
1811 // followed by the block data
1812 // one sub-carrier, inventory, 1 slot, fast rate
1813 cmd[0] = (1 << 5) | (1 << 1); // no SELECT bit
1814 // READ Multi BLOCK command code
1815 cmd[1] = 0x23;
1816 // UID may be optionally specified here
1817 // 64-bit UID
1818 cmd[2] = 0x32;
1819 cmd[3]= 0x4b;
1820 cmd[4] = 0x03;
1821 cmd[5] = 0x01;
1822 cmd[6] = 0x00;
1823 cmd[7] = 0x10;
1824 cmd[8] = 0x05;
1825 cmd[9]= 0xe0; // always e0 (not exactly unique)
1826 // First Block number to read
1827 cmd[10] = 0x00;
1828 // Number of Blocks to read
1829 cmd[11] = 0x2f; // read quite a few
1830 //Now the CRC
1831 crc = Iso15693Crc(cmd, 12); // the crc needs to be calculated over 2 bytes
1832 cmd[12] = crc & 0xff;
1833 cmd[13] = crc >> 8;
1834
1835 CodeIso15693AsReader(cmd, sizeof(cmd));
1836 }
1837
1838 // do not use; has a fix UID
1839 static void __attribute__((unused)) BuildArbitraryRequest(uint8_t *uid,uint8_t CmdCode)
1840 {
1841 uint8_t cmd[14];
1842
1843 uint16_t crc;
1844 // If we set the Option_Flag in this request, the VICC will respond with the security status of the block
1845 // followed by the block data
1846 // one sub-carrier, inventory, 1 slot, fast rate
1847 cmd[0] = (1 << 5) | (1 << 1); // no SELECT bit
1848 // READ BLOCK command code
1849 cmd[1] = CmdCode;
1850 // UID may be optionally specified here
1851 // 64-bit UID
1852 cmd[2] = 0x32;
1853 cmd[3]= 0x4b;
1854 cmd[4] = 0x03;
1855 cmd[5] = 0x01;
1856 cmd[6] = 0x00;
1857 cmd[7] = 0x10;
1858 cmd[8] = 0x05;
1859 cmd[9]= 0xe0; // always e0 (not exactly unique)
1860 // Parameter
1861 cmd[10] = 0x00;
1862 cmd[11] = 0x0a;
1863
1864 // cmd[12] = 0x00;
1865 // cmd[13] = 0x00; //Now the CRC
1866 crc = Iso15693Crc(cmd, 12); // the crc needs to be calculated over 2 bytes
1867 cmd[12] = crc & 0xff;
1868 cmd[13] = crc >> 8;
1869
1870 CodeIso15693AsReader(cmd, sizeof(cmd));
1871 }
1872
1873 // do not use; has a fix UID
1874 static void __attribute__((unused)) BuildArbitraryCustomRequest(uint8_t uid[], uint8_t CmdCode)
1875 {
1876 uint8_t cmd[14];
1877
1878 uint16_t crc;
1879 // If we set the Option_Flag in this request, the VICC will respond with the security status of the block
1880 // followed by the block data
1881 // one sub-carrier, inventory, 1 slot, fast rate
1882 cmd[0] = (1 << 5) | (1 << 1); // no SELECT bit
1883 // READ BLOCK command code
1884 cmd[1] = CmdCode;
1885 // UID may be optionally specified here
1886 // 64-bit UID
1887 cmd[2] = 0x32;
1888 cmd[3]= 0x4b;
1889 cmd[4] = 0x03;
1890 cmd[5] = 0x01;
1891 cmd[6] = 0x00;
1892 cmd[7] = 0x10;
1893 cmd[8] = 0x05;
1894 cmd[9]= 0xe0; // always e0 (not exactly unique)
1895 // Parameter
1896 cmd[10] = 0x05; // for custom codes this must be manufacturer code
1897 cmd[11] = 0x00;
1898
1899 // cmd[12] = 0x00;
1900 // cmd[13] = 0x00; //Now the CRC
1901 crc = Iso15693Crc(cmd, 12); // the crc needs to be calculated over 2 bytes
1902 cmd[12] = crc & 0xff;
1903 cmd[13] = crc >> 8;
1904
1905 CodeIso15693AsReader(cmd, sizeof(cmd));
1906 }
1907
1908
1909
1910
1911 */
1912
1913
Impressum, Datenschutz