]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/legicrf.c
projects / proxmark3-svn / blob
? search:


766bd443ce139e7cc2bc4cf1957c3ee2ee17365f
[proxmark3-svn] / armsrc / legicrf.c
1 //-----------------------------------------------------------------------------
2 // (c) 2009 Henryk Plötz <henryk@ploetzli.ch>
3 // 2016 Iceman
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // LEGIC RF simulation code
10 //-----------------------------------------------------------------------------
11 #include "legicrf.h"
12
13 static struct legic_frame {
14 uint8_t bits;
15 uint32_t data;
16 } current_frame;
17
18 static enum {
19 STATE_DISCON,
20 STATE_IV,
21 STATE_CON,
22 } legic_state;
23
24 static crc_t legic_crc;
25 static int legic_read_count;
26 static uint32_t legic_prng_bc;
27 static uint32_t legic_prng_iv;
28
29 static int legic_phase_drift;
30 static int legic_frame_drift;
31 static int legic_reqresp_drift;
32
33 AT91PS_TC timer;
34 AT91PS_TC prng_timer;
35
36 /*
37 static void setup_timer(void) {
38 // Set up Timer 1 to use for measuring time between pulses. Since we're bit-banging
39 // this it won't be terribly accurate but should be good enough.
40 //
41 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
42 timer = AT91C_BASE_TC1;
43 timer->TC_CCR = AT91C_TC_CLKDIS;
44 timer->TC_CMR = AT91C_TC_CLKS_TIMER_DIV3_CLOCK;
45 timer->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
46
47 //
48 // Set up Timer 2 to use for measuring time between frames in
49 // tag simulation mode. Runs 4x faster as Timer 1
50 //
51 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC2);
52 prng_timer = AT91C_BASE_TC2;
53 prng_timer->TC_CCR = AT91C_TC_CLKDIS;
54 prng_timer->TC_CMR = AT91C_TC_CLKS_TIMER_DIV2_CLOCK;
55 prng_timer->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
56 }
57
58 AT91C_BASE_PMC->PMC_PCER |= (0x1 << 12) | (0x1 << 13) | (0x1 << 14);
59 AT91C_BASE_TCB->TCB_BMR = AT91C_TCB_TC0XC0S_NONE | AT91C_TCB_TC1XC1S_TIOA0 | AT91C_TCB_TC2XC2S_NONE;
60
61 // fast clock
62 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS; // timer disable
63 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV3_CLOCK | // MCK(48MHz)/32 -- tick=1.5mks
64 AT91C_TC_WAVE | AT91C_TC_WAVESEL_UP_AUTO | AT91C_TC_ACPA_CLEAR |
65 AT91C_TC_ACPC_SET | AT91C_TC_ASWTRG_SET;
66 AT91C_BASE_TC0->TC_RA = 1;
67 AT91C_BASE_TC0->TC_RC = 0xBFFF + 1; // 0xC000
68
69 */
70
71 // At TIMER_CLOCK3 (MCK/32)
72 // testing calculating in (us) microseconds.
73 #define RWD_TIME_1 120 // READER_TIME_PAUSE 20us off, 80us on = 100us 80 * 1.5 == 120ticks
74 #define RWD_TIME_0 60 // READER_TIME_PAUSE 20us off, 40us on = 60us 40 * 1.5 == 60ticks
75 #define RWD_TIME_PAUSE 30 // 20us == 20 * 1.5 == 30ticks */
76 #define TAG_BIT_PERIOD 142 // 100us == 100 * 1.5 == 150ticks
77 #define TAG_FRAME_WAIT 495 // 330us from READER frame end to TAG frame start. 330 * 1.5 == 495
78
79 #define RWD_TIME_FUZZ 20 // rather generous 13us, since the peak detector + hysteresis fuzz quite a bit
80
81 #define SIM_DIVISOR 586 /* prng_time/SIM_DIVISOR count prng needs to be forwared */
82 #define SIM_SHIFT 900 /* prng_time+SIM_SHIFT shift of delayed start */
83
84 #define OFFSET_LOG 1024
85
86 #define FUZZ_EQUAL(value, target, fuzz) ((value) > ((target)-(fuzz)) && (value) < ((target)+(fuzz)))
87
88 #ifndef SHORT_COIL
89 # define SHORT_COIL LOW(GPIO_SSC_DOUT);
90 #endif
91 #ifndef OPEN_COIL
92 # define OPEN_COIL HIGH(GPIO_SSC_DOUT);
93 #endif
94
95 // Pause pulse, off in 20us / 30ticks,
96 // ONE / ZERO bit pulse,
97 // one == 80us / 120ticks
98 // zero == 40us / 60ticks
99 #ifndef COIL_PULSE
100 # define COIL_PULSE(x) \
101 do { \
102 SHORT_COIL; \
103 WaitTicks( (RWD_TIME_PAUSE) ); \
104 OPEN_COIL; \
105 WaitTicks((x)); \
106 } while (0);
107 #endif
108
109 // ToDo: define a meaningful maximum size for auth_table. The bigger this is, the lower will be the available memory for traces.
110 // Historically it used to be FREE_BUFFER_SIZE, which was 2744.
111 #define LEGIC_CARD_MEMSIZE 1024
112 static uint8_t* cardmem;
113
114 static void frame_append_bit(struct legic_frame * const f, uint8_t bit) {
115 // Overflow, won't happen
116 if (f->bits >= 31) return;
117
118 f->data |= (bit << f->bits);
119 f->bits++;
120 }
121
122 static void frame_clean(struct legic_frame * const f) {
123 f->data = 0;
124 f->bits = 0;
125 }
126
127 // Prng works when waiting in 99.1us cycles.
128 // and while sending/receiving in bit frames (100, 60)
129 /*static void CalibratePrng( uint32_t time){
130 // Calculate Cycles based on timer 100us
131 uint32_t i = (time - sendFrameStop) / 100 ;
132
133 // substract cycles of finished frames
134 int k = i - legic_prng_count()+1;
135
136 // substract current frame length, rewind to beginning
137 if ( k > 0 )
138 legic_prng_forward(k);
139 }
140 */
141
142 /* Generate Keystream */
143 uint32_t get_key_stream(int skip, int count) {
144
145 int i;
146
147 // Use int to enlarge timer tc to 32bit
148 legic_prng_bc += prng_timer->TC_CV;
149
150 // reset the prng timer.
151
152 /* If skip == -1, forward prng time based */
153 if(skip == -1) {
154 i = (legic_prng_bc + SIM_SHIFT)/SIM_DIVISOR; /* Calculate Cycles based on timer */
155 i -= legic_prng_count(); /* substract cycles of finished frames */
156 i -= count; /* substract current frame length, rewind to beginning */
157 legic_prng_forward(i);
158 } else {
159 legic_prng_forward(skip);
160 }
161
162 i = (count == 6) ? -1 : legic_read_count;
163
164 // log
165 //uint8_t cmdbytes[] = {bits, BYTEx(data, 0), BYTEx(data, 1), BYTEx(send, 0), BYTEx(send, 1), legic_prng_count()};
166 //LogTrace(cmdbytes, sizeof(cmdbytes), starttime, GET_TICKS, NULL, TRUE);
167
168 /* Generate KeyStream */
169 return legic_prng_get_bits(count);
170 }
171
172 /* Send a frame in tag mode, the FPGA must have been set up by
173 * LegicRfSimulate
174 */
175 void frame_send_tag(uint16_t response, uint8_t bits) {
176
177 uint16_t mask = 1;
178
179 /* Bitbang the response */
180 SHORT_COIL;
181 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
182 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
183
184 /* TAG_FRAME_WAIT -> shift by 2 */
185 legic_prng_forward(2);
186 response ^= legic_prng_get_bits(bits);
187
188 /* Wait for the frame start */
189 WaitTicks( TAG_FRAME_WAIT );
190
191 for (; mask < BITMASK(bits); mask <<= 1) {
192 if (response & mask)
193 OPEN_COIL
194 else
195 SHORT_COIL
196 WaitTicks(TAG_BIT_PERIOD);
197 }
198 SHORT_COIL;
199 }
200
201 /* Send a frame in reader mode, the FPGA must have been set up by
202 * LegicRfReader
203 */
204 void frame_sendAsReader(uint32_t data, uint8_t bits){
205
206 uint32_t starttime = GET_TICKS, send = 0;
207 uint16_t mask = 1;
208
209 // xor lsfr onto data.
210 send = data ^ legic_prng_get_bits(bits);
211
212 for (; mask < BITMASK(bits); mask <<= 1) {
213 if (send & mask)
214 COIL_PULSE(RWD_TIME_1)
215 else
216 COIL_PULSE(RWD_TIME_0)
217 }
218
219 // Final pause to mark the end of the frame
220 COIL_PULSE(0);
221
222 // log
223 uint8_t cmdbytes[] = {bits, BYTEx(data, 0), BYTEx(data, 1), BYTEx(send, 0), BYTEx(send, 1)};
224 LogTrace(cmdbytes, sizeof(cmdbytes), starttime, GET_TICKS, NULL, TRUE);
225 }
226
227 /* Receive a frame from the card in reader emulation mode, the FPGA and
228 * timer must have been set up by LegicRfReader and frame_sendAsReader.
229 *
230 * The LEGIC RF protocol from card to reader does not include explicit
231 * frame start/stop information or length information. The reader must
232 * know beforehand how many bits it wants to receive. (Notably: a card
233 * sending a stream of 0-bits is indistinguishable from no card present.)
234 *
235 * Receive methodology: There is a fancy correlator in hi_read_rx_xcorr, but
236 * I'm not smart enough to use it. Instead I have patched hi_read_tx to output
237 * the ADC signal with hysteresis on SSP_DIN. Bit-bang that signal and look
238 * for edges. Count the edges in each bit interval. If they are approximately
239 * 0 this was a 0-bit, if they are approximately equal to the number of edges
240 * expected for a 212kHz subcarrier, this was a 1-bit. For timing we use the
241 * timer that's still running from frame_sendAsReader in order to get a synchronization
242 * with the frame that we just sent.
243 *
244 * FIXME: Because we're relying on the hysteresis to just do the right thing
245 * the range is severely reduced (and you'll probably also need a good antenna).
246 * So this should be fixed some time in the future for a proper receiver.
247 */
248 static void frame_receiveAsReader(struct legic_frame * const f, uint8_t bits) {
249
250 if ( bits > 32 ) return;
251
252 uint8_t i = bits, edges = 0;
253 uint32_t the_bit = 1, next_bit_at = 0, data = 0;
254 uint32_t old_level = 0;
255 volatile uint32_t level = 0;
256
257 frame_clean(f);
258
259 AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_DIN;
260 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DIN;
261
262 // calibrate the prng.
263 legic_prng_forward(2);
264 data = legic_prng_get_bits(bits);
265
266 //FIXED time between sending frame and now listening frame. 330us
267 uint32_t starttime = GET_TICKS;
268 // its about 9+9 ticks delay from end-send to here.
269 WaitTicks( 477 );
270
271 next_bit_at = GET_TICKS + TAG_BIT_PERIOD;
272
273 while ( i-- ){
274 edges = 0;
275 while ( GET_TICKS < next_bit_at) {
276
277 level = (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_DIN);
278
279 if (level != old_level)
280 ++edges;
281
282 old_level = level;
283 }
284
285 next_bit_at += TAG_BIT_PERIOD;
286
287 // We expect 42 edges (ONE)
288 if ( edges > 20 )
289 data ^= the_bit;
290
291 the_bit <<= 1;
292 }
293
294 // output
295 f->data = data;
296 f->bits = bits;
297
298 // log
299 uint8_t cmdbytes[] = {bits, BYTEx(data, 0), BYTEx(data, 1)};
300 LogTrace(cmdbytes, sizeof(cmdbytes), starttime, GET_TICKS, NULL, FALSE);
301 }
302
303 // Setup pm3 as a Legic Reader
304 static uint32_t setup_phase_reader(uint8_t iv) {
305
306 // Switch on carrier and let the tag charge for 1ms
307 HIGH(GPIO_SSC_DOUT);
308 WaitUS(5000);
309
310 ResetTicks();
311
312 // no keystream yet
313 legic_prng_init(0);
314
315 // send IV handshake
316 frame_sendAsReader(iv, 7);
317
318 // Now both tag and reader has same IV. Prng can start.
319 legic_prng_init(iv);
320
321 frame_receiveAsReader(&current_frame, 6);
322
323 // 292us (438t) - fixed delay before sending ack.
324 // minus log and stuff 100tick?
325 WaitTicks(338);
326 legic_prng_forward(3);
327
328 // Send obsfuscated acknowledgment frame.
329 // 0x19 = 0x18 MIM22, 0x01 LSB READCMD
330 // 0x39 = 0x38 MIM256, MIM1024 0x01 LSB READCMD
331 switch ( current_frame.data ) {
332 case 0x0D: frame_sendAsReader(0x19, 6); break;
333 case 0x1D:
334 case 0x3D: frame_sendAsReader(0x39, 6); break;
335 default: break;
336 }
337
338 legic_prng_forward(2);
339 return current_frame.data;
340 }
341
342 static void LegicCommonInit(void) {
343
344 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
345 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX);
346 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
347
348 /* Bitbang the transmitter */
349 LOW(GPIO_SSC_DOUT);
350 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
351 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
352
353 // reserve a cardmem, meaning we can use the tracelog function in bigbuff easier.
354 cardmem = BigBuf_get_EM_addr();
355 memset(cardmem, 0x00, LEGIC_CARD_MEMSIZE);
356
357 clear_trace();
358 set_tracing(TRUE);
359 crc_init(&legic_crc, 4, 0x19 >> 1, 0x5, 0);
360
361 StartTicks();
362 }
363
364 // Switch off carrier, make sure tag is reset
365 static void switch_off_tag_rwd(void) {
366 LOW(GPIO_SSC_DOUT);
367 WaitUS(20);
368 WDT_HIT();
369 }
370
371 // calculate crc4 for a legic READ command
372 static uint32_t legic4Crc(uint8_t cmd, uint16_t byte_index, uint8_t value, uint8_t cmd_sz) {
373 crc_clear(&legic_crc);
374 uint32_t temp = (value << cmd_sz) | (byte_index << 1) | cmd;
375 crc_update(&legic_crc, temp, cmd_sz + 8 );
376 return crc_finish(&legic_crc);
377 }
378
379 int legic_read_byte( uint16_t index, uint8_t cmd_sz) {
380
381 uint8_t byte, crc, calcCrc = 0;
382 uint32_t cmd = (index << 1) | LEGIC_READ;
383
384 // 90ticks = 60us (should be 100us but crc calc takes time.)
385 //WaitTicks(330); // 330ticks prng(4) - works
386 WaitTicks(240); // 240ticks prng(3) - works
387
388 frame_sendAsReader(cmd, cmd_sz);
389 frame_receiveAsReader(&current_frame, 12);
390
391 // CRC check.
392 byte = BYTEx(current_frame.data, 0);
393 crc = BYTEx(current_frame.data, 1);
394 calcCrc = legic4Crc(LEGIC_READ, index, byte, cmd_sz);
395
396 if( calcCrc != crc ) {
397 Dbprintf("!!! crc mismatch: expected %x but got %x !!!", calcCrc, crc);
398 return -1;
399 }
400
401 legic_prng_forward(3);
402 return byte;
403 }
404
405 /*
406 * - assemble a write_cmd_frame with crc and send it
407 * - wait until the tag sends back an ACK ('1' bit unencrypted)
408 * - forward the prng based on the timing
409 */
410 //int legic_write_byte(int byte, int addr, int addr_sz, int PrngCorrection) {
411 int legic_write_byte(uint8_t byte, uint16_t addr, uint8_t addr_sz) {
412
413 //do not write UID, CRC at offset 0-4.
414 if (addr <= 4) return 0;
415
416 // crc
417 crc_clear(&legic_crc);
418 crc_update(&legic_crc, 0, 1); /* CMD_WRITE */
419 crc_update(&legic_crc, addr, addr_sz);
420 crc_update(&legic_crc, byte, 8);
421 uint32_t crc = crc_finish(&legic_crc);
422 uint32_t crc2 = legic4Crc(LEGIC_WRITE, addr, byte, addr_sz+1);
423 if ( crc != crc2 ) {
424 Dbprintf("crc is missmatch");
425 return 1;
426 }
427 // send write command
428 uint32_t cmd = ((crc <<(addr_sz+1+8)) //CRC
429 |(byte <<(addr_sz+1)) //Data
430 |(addr <<1) //Address
431 | LEGIC_WRITE); //CMD = Write
432
433 uint32_t cmd_sz = addr_sz+1+8+4; //crc+data+cmd
434
435 legic_prng_forward(2);
436
437 WaitTicks(330);
438
439 frame_sendAsReader(cmd, cmd_sz);
440
441 AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_DIN;
442 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DIN;
443
444 // wait for ack
445 int t, old_level = 0, edges = 0;
446 int next_bit_at = 0;
447
448 WaitTicks(TAG_FRAME_WAIT);
449
450 for( t = 0; t < 80; ++t) {
451 edges = 0;
452 next_bit_at += TAG_BIT_PERIOD;
453 while(timer->TC_CV < next_bit_at) {
454 volatile uint32_t level = (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_DIN);
455 if(level != old_level)
456 edges++;
457
458 old_level = level;
459 }
460 if(edges > 20 ) { /* expected are 42 edges */
461 int t = timer->TC_CV;
462 int c = t / TAG_BIT_PERIOD;
463
464 ResetTimer(timer);
465 legic_prng_forward(c);
466 return 0;
467 }
468 }
469
470 ResetTimer(timer);
471 return -1;
472 }
473
474 int LegicRfReader(uint16_t offset, uint16_t len, uint8_t iv) {
475
476 uint16_t i = 0;
477 uint8_t isOK = 1;
478 legic_card_select_t card;
479
480 LegicCommonInit();
481
482 if ( legic_select_card_iv(&card, iv) ) {
483 isOK = 0;
484 goto OUT;
485 }
486
487 switch_off_tag_rwd();
488
489 if (len + offset >= card.cardsize)
490 len = card.cardsize - offset;
491
492 setup_phase_reader(iv);
493
494 LED_B_ON();
495 while (i < len) {
496 int r = legic_read_byte(offset + i, card.cmdsize);
497
498 if (r == -1 || BUTTON_PRESS()) {
499 if ( MF_DBGLEVEL >= 2) DbpString("operation aborted");
500 isOK = 0;
501 goto OUT;
502 }
503 cardmem[i++] = r;
504 WDT_HIT();
505 }
506
507 OUT:
508 WDT_HIT();
509 switch_off_tag_rwd();
510 LEDsoff();
511 cmd_send(CMD_ACK, isOK, len, 0, cardmem, len);
512 return 0;
513 }
514
515 /*int _LegicRfWriter(int offset, int bytes, int addr_sz, uint8_t *BigBuf, int RoundBruteforceValue) {
516 int byte_index=0;
517
518 LED_B_ON();
519 setup_phase_reader(iv);
520 //legic_prng_forward(2);
521 while(byte_index < bytes) {
522 int r;
523
524 //check if the DCF should be changed
525 if ( (offset == 0x05) && (bytes == 0x02) ) {
526 //write DCF in reverse order (addr 0x06 before 0x05)
527 r = legic_write_byte(BigBuf[(0x06-byte_index)], (0x06-byte_index), addr_sz, RoundBruteforceValue);
528 //legic_prng_forward(1);
529 if(r == 0) {
530 byte_index++;
531 r = legic_write_byte(BigBuf[(0x06-byte_index)], (0x06-byte_index), addr_sz, RoundBruteforceValue);
532 }
533 //legic_prng_forward(1);
534 }
535 else {
536 r = legic_write_byte(BigBuf[byte_index+offset], byte_index+offset, addr_sz, RoundBruteforceValue);
537 }
538 if((r != 0) || BUTTON_PRESS()) {
539 Dbprintf("operation aborted @ 0x%03.3x", byte_index);
540 switch_off_tag_rwd();
541 LED_B_OFF();
542 LED_C_OFF();
543 return -1;
544 }
545
546 WDT_HIT();
547 byte_index++;
548 if(byte_index & 0x10) LED_C_ON(); else LED_C_OFF();
549 }
550 LED_B_OFF();
551 LED_C_OFF();
552 DbpString("write successful");
553 return 0;
554 }*/
555
556 void LegicRfWriter(uint16_t offset, uint16_t bytes, uint8_t iv) {
557
558 int byte_index = 0;
559 uint8_t isOK = 1;
560 legic_card_select_t card;
561
562 LegicCommonInit();
563
564 if ( legic_select_card_iv(&card, iv) ) {
565 isOK = 0;
566 goto OUT;
567 }
568
569 switch_off_tag_rwd();
570
571 switch(card.tagtype) {
572 case 0x0d:
573 if(offset+bytes > 22) {
574 Dbprintf("Error: can not write to 0x%03.3x on MIM22", offset + bytes);
575 return;
576 }
577 if ( MF_DBGLEVEL >= 2) Dbprintf("MIM22 card found, writing 0x%02.2x - 0x%02.2x ...", offset, offset + bytes);
578 break;
579 case 0x1d:
580 if(offset+bytes > 0x100) {
581 Dbprintf("Error: can not write to 0x%03.3x on MIM256", offset + bytes);
582 return;
583 }
584 if ( MF_DBGLEVEL >= 2) Dbprintf("MIM256 card found, writing 0x%02.2x - 0x%02.2x ...", offset, offset + bytes);
585 break;
586 case 0x3d:
587 if(offset+bytes > 0x400) {
588 Dbprintf("Error: can not write to 0x%03.3x on MIM1024", offset + bytes);
589 return;
590 }
591 if ( MF_DBGLEVEL >= 2) Dbprintf("MIM1024 card found, writing 0x%03.3x - 0x%03.3x ...", offset, offset + bytes);
592 break;
593 default:
594 return;
595 }
596
597 LED_B_ON();
598 setup_phase_reader(iv);
599
600 int r = 0;
601 while(byte_index < bytes) {
602
603 //check if the DCF should be changed
604 if ( ((byte_index+offset) == 0x05) && (bytes >= 0x02) ) {
605 //write DCF in reverse order (addr 0x06 before 0x05)
606 r = legic_write_byte(cardmem[(0x06-byte_index)], (0x06-byte_index), card.addrsize);
607
608 // write second byte on success
609 if(r == 0) {
610 byte_index++;
611 r = legic_write_byte(cardmem[(0x06-byte_index)], (0x06-byte_index), card.addrsize);
612 }
613 }
614 else {
615 r = legic_write_byte(cardmem[byte_index+offset], byte_index+offset, card.addrsize);
616 }
617
618 if ((r != 0) || BUTTON_PRESS()) {
619 Dbprintf("operation aborted @ 0x%03.3x", byte_index);
620 isOK = 0;
621 goto OUT;
622 }
623
624 WDT_HIT();
625 byte_index++;
626 }
627
628 OUT:
629 cmd_send(CMD_ACK, isOK, 0,0,0,0);
630 switch_off_tag_rwd();
631 LEDsoff();
632 }
633
634 void LegicRfRawWriter(int address, int byte, uint8_t iv) {
635
636 int byte_index = 0, addr_sz = 0;
637
638 LegicCommonInit();
639
640 if ( MF_DBGLEVEL >= 2) DbpString("setting up legic card");
641
642 uint32_t tag_type = setup_phase_reader(iv);
643
644 switch_off_tag_rwd();
645
646 switch(tag_type) {
647 case 0x0d:
648 if(address > 22) {
649 Dbprintf("Error: can not write to 0x%03.3x on MIM22", address);
650 return;
651 }
652 addr_sz = 5;
653 if ( MF_DBGLEVEL >= 2) Dbprintf("MIM22 card found, writing at addr 0x%02.2x - value 0x%02.2x ...", address, byte);
654 break;
655 case 0x1d:
656 if(address > 0x100) {
657 Dbprintf("Error: can not write to 0x%03.3x on MIM256", address);
658 return;
659 }
660 addr_sz = 8;
661 if ( MF_DBGLEVEL >= 2) Dbprintf("MIM256 card found, writing at addr 0x%02.2x - value 0x%02.2x ...", address, byte);
662 break;
663 case 0x3d:
664 if(address > 0x400) {
665 Dbprintf("Error: can not write to 0x%03.3x on MIM1024", address);
666 return;
667 }
668 addr_sz = 10;
669 if ( MF_DBGLEVEL >= 2) Dbprintf("MIM1024 card found, writing at addr 0x%03.3x - value 0x%03.3x ...", address, byte);
670 break;
671 default:
672 Dbprintf("No or unknown card found, aborting");
673 return;
674 }
675
676 Dbprintf("integer value: %d address: %d addr_sz: %d", byte, address, addr_sz);
677 LED_B_ON();
678
679 setup_phase_reader(iv);
680
681 int r = legic_write_byte(byte, address, addr_sz);
682
683 if((r != 0) || BUTTON_PRESS()) {
684 Dbprintf("operation aborted @ 0x%03.3x (%1d)", byte_index, r);
685 switch_off_tag_rwd();
686 LEDsoff();
687 return;
688 }
689
690 LEDsoff();
691 if ( MF_DBGLEVEL >= 1) DbpString("write successful");
692 }
693
694 int legic_select_card_iv(legic_card_select_t *p_card, uint8_t iv){
695
696 if ( p_card == NULL ) return 1;
697
698 p_card->tagtype = setup_phase_reader(iv);
699
700 switch(p_card->tagtype) {
701 case 0x0d:
702 p_card->cmdsize = 6;
703 p_card->addrsize = 5;
704 p_card->cardsize = 22;
705 break;
706 case 0x1d:
707 p_card->cmdsize = 9;
708 p_card->addrsize = 8;
709 p_card->cardsize = 256;
710 break;
711 case 0x3d:
712 p_card->cmdsize = 11;
713 p_card->addrsize = 10;
714 p_card->cardsize = 1024;
715 break;
716 default:
717 p_card->cmdsize = 0;
718 p_card->addrsize = 0;
719 p_card->cardsize = 0;
720 return 2;
721 }
722 return 0;
723 }
724 int legic_select_card(legic_card_select_t *p_card){
725 return legic_select_card_iv(p_card, 0x01);
726 }
727
728 void LegicRfInfo(void){
729
730 uint8_t buf[sizeof(legic_card_select_t)] = {0x00};
731 legic_card_select_t *card = (legic_card_select_t*) buf;
732
733 LegicCommonInit();
734
735 if ( legic_select_card(card) ) {
736 cmd_send(CMD_ACK,0,0,0,0,0);
737 goto OUT;
738 }
739
740 // read UID bytes
741 for ( uint8_t i = 0; i < sizeof(card->uid); ++i) {
742 int r = legic_read_byte(i, card->cmdsize);
743 if ( r == -1 ) {
744 cmd_send(CMD_ACK,0,0,0,0,0);
745 goto OUT;
746 }
747 card->uid[i] = r & 0xFF;
748 }
749
750 cmd_send(CMD_ACK, 1, 0, 0, buf, sizeof(legic_card_select_t));
751
752 OUT:
753 switch_off_tag_rwd();
754 LEDsoff();
755 }
756
757 /* Handle (whether to respond) a frame in tag mode
758 * Only called when simulating a tag.
759 */
760 static void frame_handle_tag(struct legic_frame const * const f)
761 {
762 uint8_t *BigBuf = BigBuf_get_addr();
763
764 /* First Part of Handshake (IV) */
765 if(f->bits == 7) {
766
767 LED_C_ON();
768
769 // Reset prng timer
770 ResetTimer(prng_timer);
771
772 legic_prng_init(f->data);
773 frame_send_tag(0x3d, 6); /* 0x3d^0x26 = 0x1B */
774 legic_state = STATE_IV;
775 legic_read_count = 0;
776 legic_prng_bc = 0;
777 legic_prng_iv = f->data;
778
779
780 ResetTimer(timer);
781 WaitUS(280);
782 return;
783 }
784
785 /* 0x19==??? */
786 if(legic_state == STATE_IV) {
787 int local_key = get_key_stream(3, 6);
788 int xored = 0x39 ^ local_key;
789 if((f->bits == 6) && (f->data == xored)) {
790 legic_state = STATE_CON;
791
792 ResetTimer(timer);
793 WaitUS(200);
794 return;
795
796 } else {
797 legic_state = STATE_DISCON;
798 LED_C_OFF();
799 Dbprintf("iv: %02x frame: %02x key: %02x xored: %02x", legic_prng_iv, f->data, local_key, xored);
800 return;
801 }
802 }
803
804 /* Read */
805 if(f->bits == 11) {
806 if(legic_state == STATE_CON) {
807 int key = get_key_stream(2, 11); //legic_phase_drift, 11);
808 int addr = f->data ^ key; addr = addr >> 1;
809 int data = BigBuf[addr];
810 int hash = legic4Crc(LEGIC_READ, addr, data, 11) << 8;
811 BigBuf[OFFSET_LOG+legic_read_count] = (uint8_t)addr;
812 legic_read_count++;
813
814 //Dbprintf("Data:%03.3x, key:%03.3x, addr: %03.3x, read_c:%u", f->data, key, addr, read_c);
815 legic_prng_forward(legic_reqresp_drift);
816
817 frame_send_tag(hash | data, 12);
818
819 ResetTimer(timer);
820 legic_prng_forward(2);
821 WaitUS(180);
822 return;
823 }
824 }
825
826 /* Write */
827 if(f->bits == 23) {
828 int key = get_key_stream(-1, 23); //legic_frame_drift, 23);
829 int addr = f->data ^ key; addr = addr >> 1; addr = addr & 0x3ff;
830 int data = f->data ^ key; data = data >> 11; data = data & 0xff;
831
832 /* write command */
833 legic_state = STATE_DISCON;
834 LED_C_OFF();
835 Dbprintf("write - addr: %x, data: %x", addr, data);
836 return;
837 }
838
839 if(legic_state != STATE_DISCON) {
840 Dbprintf("Unexpected: sz:%u, Data:%03.3x, State:%u, Count:%u", f->bits, f->data, legic_state, legic_read_count);
841 int i;
842 Dbprintf("IV: %03.3x", legic_prng_iv);
843 for(i = 0; i<legic_read_count; i++) {
844 Dbprintf("Read Nb: %u, Addr: %u", i, BigBuf[OFFSET_LOG+i]);
845 }
846
847 for(i = -1; i<legic_read_count; i++) {
848 uint32_t t;
849 t = BigBuf[OFFSET_LOG+256+i*4];
850 t |= BigBuf[OFFSET_LOG+256+i*4+1] << 8;
851 t |= BigBuf[OFFSET_LOG+256+i*4+2] <<16;
852 t |= BigBuf[OFFSET_LOG+256+i*4+3] <<24;
853
854 Dbprintf("Cycles: %u, Frame Length: %u, Time: %u",
855 BigBuf[OFFSET_LOG+128+i],
856 BigBuf[OFFSET_LOG+384+i],
857 t);
858 }
859 }
860 legic_state = STATE_DISCON;
861 legic_read_count = 0;
862 SpinDelay(10);
863 LED_C_OFF();
864 return;
865 }
866
867 /* Read bit by bit untill full frame is received
868 * Call to process frame end answer
869 */
870 static void emit(int bit) {
871
872 switch (bit) {
873 case 1:
874 frame_append_bit(&current_frame, 1);
875 break;
876 case 0:
877 frame_append_bit(&current_frame, 0);
878 break;
879 default:
880 if(current_frame.bits <= 4) {
881 frame_clean(&current_frame);
882 } else {
883 frame_handle_tag(&current_frame);
884 frame_clean(&current_frame);
885 }
886 WDT_HIT();
887 break;
888 }
889 }
890
891 void LegicRfSimulate(int phase, int frame, int reqresp)
892 {
893 /* ADC path high-frequency peak detector, FPGA in high-frequency simulator mode,
894 * modulation mode set to 212kHz subcarrier. We are getting the incoming raw
895 * envelope waveform on DIN and should send our response on DOUT.
896 *
897 * The LEGIC RF protocol is pulse-pause-encoding from reader to card, so we'll
898 * measure the time between two rising edges on DIN, and no encoding on the
899 * subcarrier from card to reader, so we'll just shift out our verbatim data
900 * on DOUT, 1 bit is 100us. The time from reader to card frame is still unclear,
901 * seems to be 300us-ish.
902 */
903
904 legic_phase_drift = phase;
905 legic_frame_drift = frame;
906 legic_reqresp_drift = reqresp;
907
908 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
909 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
910 FpgaSetupSsc();
911 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_212K);
912
913 /* Bitbang the receiver */
914 AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_DIN;
915 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DIN;
916
917 //setup_timer();
918 crc_init(&legic_crc, 4, 0x19 >> 1, 0x5, 0);
919
920 int old_level = 0;
921 int active = 0;
922 legic_state = STATE_DISCON;
923
924 LED_B_ON();
925 DbpString("Starting Legic emulator, press button to end");
926
927 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
928 int level = !!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_DIN);
929 int time = timer->TC_CV;
930
931 if(level != old_level) {
932 if(level == 1) {
933 timer->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
934
935 if (FUZZ_EQUAL(time, RWD_TIME_1, RWD_TIME_FUZZ)) {
936 /* 1 bit */
937 emit(1);
938 active = 1;
939 LED_A_ON();
940 } else if (FUZZ_EQUAL(time, RWD_TIME_0, RWD_TIME_FUZZ)) {
941 /* 0 bit */
942 emit(0);
943 active = 1;
944 LED_A_ON();
945 } else if (active) {
946 /* invalid */
947 emit(-1);
948 active = 0;
949 LED_A_OFF();
950 }
951 }
952 }
953
954 /* Frame end */
955 if(time >= (RWD_TIME_1+RWD_TIME_FUZZ) && active) {
956 emit(-1);
957 active = 0;
958 LED_A_OFF();
959 }
960
961 if(time >= (20*RWD_TIME_1) && (timer->TC_SR & AT91C_TC_CLKSTA)) {
962 timer->TC_CCR = AT91C_TC_CLKDIS;
963 }
964
965 old_level = level;
966 WDT_HIT();
967 }
968 if ( MF_DBGLEVEL >= 1) DbpString("Stopped");
969 LEDsoff();
970 }
971
972 //-----------------------------------------------------------------------------
973 // Code up a string of octets at layer 2 (including CRC, we don't generate
974 // that here) so that they can be transmitted to the reader. Doesn't transmit
975 // them yet, just leaves them ready to send in ToSend[].
976 //-----------------------------------------------------------------------------
977 // static void CodeLegicAsTag(const uint8_t *cmd, int len)
978 // {
979 // int i;
980
981 // ToSendReset();
982
983 // // Transmit a burst of ones, as the initial thing that lets the
984 // // reader get phase sync. This (TR1) must be > 80/fs, per spec,
985 // // but tag that I've tried (a Paypass) exceeds that by a fair bit,
986 // // so I will too.
987 // for(i = 0; i < 20; i++) {
988 // ToSendStuffBit(1);
989 // ToSendStuffBit(1);
990 // ToSendStuffBit(1);
991 // ToSendStuffBit(1);
992 // }
993
994 // // Send SOF.
995 // for(i = 0; i < 10; i++) {
996 // ToSendStuffBit(0);
997 // ToSendStuffBit(0);
998 // ToSendStuffBit(0);
999 // ToSendStuffBit(0);
1000 // }
1001 // for(i = 0; i < 2; i++) {
1002 // ToSendStuffBit(1);
1003 // ToSendStuffBit(1);
1004 // ToSendStuffBit(1);
1005 // ToSendStuffBit(1);
1006 // }
1007
1008 // for(i = 0; i < len; i++) {
1009 // int j;
1010 // uint8_t b = cmd[i];
1011
1012 // // Start bit
1013 // ToSendStuffBit(0);
1014 // ToSendStuffBit(0);
1015 // ToSendStuffBit(0);
1016 // ToSendStuffBit(0);
1017
1018 // // Data bits
1019 // for(j = 0; j < 8; j++) {
1020 // if(b & 1) {
1021 // ToSendStuffBit(1);
1022 // ToSendStuffBit(1);
1023 // ToSendStuffBit(1);
1024 // ToSendStuffBit(1);
1025 // } else {
1026 // ToSendStuffBit(0);
1027 // ToSendStuffBit(0);
1028 // ToSendStuffBit(0);
1029 // ToSendStuffBit(0);
1030 // }
1031 // b >>= 1;
1032 // }
1033
1034 // // Stop bit
1035 // ToSendStuffBit(1);
1036 // ToSendStuffBit(1);
1037 // ToSendStuffBit(1);
1038 // ToSendStuffBit(1);
1039 // }
1040
1041 // // Send EOF.
1042 // for(i = 0; i < 10; i++) {
1043 // ToSendStuffBit(0);
1044 // ToSendStuffBit(0);
1045 // ToSendStuffBit(0);
1046 // ToSendStuffBit(0);
1047 // }
1048 // for(i = 0; i < 2; i++) {
1049 // ToSendStuffBit(1);
1050 // ToSendStuffBit(1);
1051 // ToSendStuffBit(1);
1052 // ToSendStuffBit(1);
1053 // }
1054
1055 // // Convert from last byte pos to length
1056 // ToSendMax++;
1057 // }
1058
1059 //-----------------------------------------------------------------------------
1060 // The software UART that receives commands from the reader, and its state
1061 // variables.
1062 //-----------------------------------------------------------------------------
1063 /*
1064 static struct {
1065 enum {
1066 STATE_UNSYNCD,
1067 STATE_GOT_FALLING_EDGE_OF_SOF,
1068 STATE_AWAITING_START_BIT,
1069 STATE_RECEIVING_DATA
1070 } state;
1071 uint16_t shiftReg;
1072 int bitCnt;
1073 int byteCnt;
1074 int byteCntMax;
1075 int posCnt;
1076 uint8_t *output;
1077 } Uart;
1078 */
1079 /* Receive & handle a bit coming from the reader.
1080 *
1081 * This function is called 4 times per bit (every 2 subcarrier cycles).
1082 * Subcarrier frequency fs is 212kHz, 1/fs = 4,72us, i.e. function is called every 9,44us
1083 *
1084 * LED handling:
1085 * LED A -> ON once we have received the SOF and are expecting the rest.
1086 * LED A -> OFF once we have received EOF or are in error state or unsynced
1087 *
1088 * Returns: true if we received a EOF
1089 * false if we are still waiting for some more
1090 */
1091 // static RAMFUNC int HandleLegicUartBit(uint8_t bit)
1092 // {
1093 // switch(Uart.state) {
1094 // case STATE_UNSYNCD:
1095 // if(!bit) {
1096 // // we went low, so this could be the beginning of an SOF
1097 // Uart.state = STATE_GOT_FALLING_EDGE_OF_SOF;
1098 // Uart.posCnt = 0;
1099 // Uart.bitCnt = 0;
1100 // }
1101 // break;
1102
1103 // case STATE_GOT_FALLING_EDGE_OF_SOF:
1104 // Uart.posCnt++;
1105 // if(Uart.posCnt == 2) { // sample every 4 1/fs in the middle of a bit
1106 // if(bit) {
1107 // if(Uart.bitCnt > 9) {
1108 // // we've seen enough consecutive
1109 // // zeros that it's a valid SOF
1110 // Uart.posCnt = 0;
1111 // Uart.byteCnt = 0;
1112 // Uart.state = STATE_AWAITING_START_BIT;
1113 // LED_A_ON(); // Indicate we got a valid SOF
1114 // } else {
1115 // // didn't stay down long enough
1116 // // before going high, error
1117 // Uart.state = STATE_UNSYNCD;
1118 // }
1119 // } else {
1120 // // do nothing, keep waiting
1121 // }
1122 // Uart.bitCnt++;
1123 // }
1124 // if(Uart.posCnt >= 4) Uart.posCnt = 0;
1125 // if(Uart.bitCnt > 12) {
1126 // // Give up if we see too many zeros without
1127 // // a one, too.
1128 // LED_A_OFF();
1129 // Uart.state = STATE_UNSYNCD;
1130 // }
1131 // break;
1132
1133 // case STATE_AWAITING_START_BIT:
1134 // Uart.posCnt++;
1135 // if(bit) {
1136 // if(Uart.posCnt > 50/2) { // max 57us between characters = 49 1/fs, max 3 etus after low phase of SOF = 24 1/fs
1137 // // stayed high for too long between
1138 // // characters, error
1139 // Uart.state = STATE_UNSYNCD;
1140 // }
1141 // } else {
1142 // // falling edge, this starts the data byte
1143 // Uart.posCnt = 0;
1144 // Uart.bitCnt = 0;
1145 // Uart.shiftReg = 0;
1146 // Uart.state = STATE_RECEIVING_DATA;
1147 // }
1148 // break;
1149
1150 // case STATE_RECEIVING_DATA:
1151 // Uart.posCnt++;
1152 // if(Uart.posCnt == 2) {
1153 // // time to sample a bit
1154 // Uart.shiftReg >>= 1;
1155 // if(bit) {
1156 // Uart.shiftReg |= 0x200;
1157 // }
1158 // Uart.bitCnt++;
1159 // }
1160 // if(Uart.posCnt >= 4) {
1161 // Uart.posCnt = 0;
1162 // }
1163 // if(Uart.bitCnt == 10) {
1164 // if((Uart.shiftReg & 0x200) && !(Uart.shiftReg & 0x001))
1165 // {
1166 // // this is a data byte, with correct
1167 // // start and stop bits
1168 // Uart.output[Uart.byteCnt] = (Uart.shiftReg >> 1) & 0xff;
1169 // Uart.byteCnt++;
1170
1171 // if(Uart.byteCnt >= Uart.byteCntMax) {
1172 // // Buffer overflowed, give up
1173 // LED_A_OFF();
1174 // Uart.state = STATE_UNSYNCD;
1175 // } else {
1176 // // so get the next byte now
1177 // Uart.posCnt = 0;
1178 // Uart.state = STATE_AWAITING_START_BIT;
1179 // }
1180 // } else if (Uart.shiftReg == 0x000) {
1181 // // this is an EOF byte
1182 // LED_A_OFF(); // Finished receiving
1183 // Uart.state = STATE_UNSYNCD;
1184 // if (Uart.byteCnt != 0) {
1185 // return TRUE;
1186 // }
1187 // } else {
1188 // // this is an error
1189 // LED_A_OFF();
1190 // Uart.state = STATE_UNSYNCD;
1191 // }
1192 // }
1193 // break;
1194
1195 // default:
1196 // LED_A_OFF();
1197 // Uart.state = STATE_UNSYNCD;
1198 // break;
1199 // }
1200
1201 // return FALSE;
1202 // }
1203 /*
1204
1205 static void UartReset() {
1206 Uart.byteCntMax = 3;
1207 Uart.state = STATE_UNSYNCD;
1208 Uart.byteCnt = 0;
1209 Uart.bitCnt = 0;
1210 Uart.posCnt = 0;
1211 memset(Uart.output, 0x00, 3);
1212 }
1213 */
1214 // static void UartInit(uint8_t *data) {
1215 // Uart.output = data;
1216 // UartReset();
1217 // }
1218
1219 //=============================================================================
1220 // An LEGIC reader. We take layer two commands, code them
1221 // appropriately, and then send them to the tag. We then listen for the
1222 // tag's response, which we leave in the buffer to be demodulated on the
1223 // PC side.
1224 //=============================================================================
1225 /*
1226 static struct {
1227 enum {
1228 DEMOD_UNSYNCD,
1229 DEMOD_PHASE_REF_TRAINING,
1230 DEMOD_AWAITING_FALLING_EDGE_OF_SOF,
1231 DEMOD_GOT_FALLING_EDGE_OF_SOF,
1232 DEMOD_AWAITING_START_BIT,
1233 DEMOD_RECEIVING_DATA
1234 } state;
1235 int bitCount;
1236 int posCount;
1237 int thisBit;
1238 uint16_t shiftReg;
1239 uint8_t *output;
1240 int len;
1241 int sumI;
1242 int sumQ;
1243 } Demod;
1244 */
1245 /*
1246 * Handles reception of a bit from the tag
1247 *
1248 * This function is called 2 times per bit (every 4 subcarrier cycles).
1249 * Subcarrier frequency fs is 212kHz, 1/fs = 4,72us, i.e. function is called every 9,44us
1250 *
1251 * LED handling:
1252 * LED C -> ON once we have received the SOF and are expecting the rest.
1253 * LED C -> OFF once we have received EOF or are unsynced
1254 *
1255 * Returns: true if we received a EOF
1256 * false if we are still waiting for some more
1257 *
1258 */
1259
1260 /*
1261 static RAMFUNC int HandleLegicSamplesDemod(int ci, int cq)
1262 {
1263 int v = 0;
1264 int ai = ABS(ci);
1265 int aq = ABS(cq);
1266 int halfci = (ai >> 1);
1267 int halfcq = (aq >> 1);
1268
1269 switch(Demod.state) {
1270 case DEMOD_UNSYNCD:
1271
1272 CHECK_FOR_SUBCARRIER()
1273
1274 if(v > SUBCARRIER_DETECT_THRESHOLD) { // subcarrier detected
1275 Demod.state = DEMOD_PHASE_REF_TRAINING;
1276 Demod.sumI = ci;
1277 Demod.sumQ = cq;
1278 Demod.posCount = 1;
1279 }
1280 break;
1281
1282 case DEMOD_PHASE_REF_TRAINING:
1283 if(Demod.posCount < 8) {
1284
1285 CHECK_FOR_SUBCARRIER()
1286
1287 if (v > SUBCARRIER_DETECT_THRESHOLD) {
1288 // set the reference phase (will code a logic '1') by averaging over 32 1/fs.
1289 // note: synchronization time > 80 1/fs
1290 Demod.sumI += ci;
1291 Demod.sumQ += cq;
1292 ++Demod.posCount;
1293 } else {
1294 // subcarrier lost
1295 Demod.state = DEMOD_UNSYNCD;
1296 }
1297 } else {
1298 Demod.state = DEMOD_AWAITING_FALLING_EDGE_OF_SOF;
1299 }
1300 break;
1301
1302 case DEMOD_AWAITING_FALLING_EDGE_OF_SOF:
1303
1304 MAKE_SOFT_DECISION()
1305
1306 //Dbprintf("ICE: %d %d %d %d %d", v, Demod.sumI, Demod.sumQ, ci, cq );
1307 // logic '0' detected
1308 if (v <= 0) {
1309
1310 Demod.state = DEMOD_GOT_FALLING_EDGE_OF_SOF;
1311
1312 // start of SOF sequence
1313 Demod.posCount = 0;
1314 } else {
1315 // maximum length of TR1 = 200 1/fs
1316 if(Demod.posCount > 25*2) Demod.state = DEMOD_UNSYNCD;
1317 }
1318 ++Demod.posCount;
1319 break;
1320
1321 case DEMOD_GOT_FALLING_EDGE_OF_SOF:
1322 ++Demod.posCount;
1323
1324 MAKE_SOFT_DECISION()
1325
1326 if(v > 0) {
1327 // low phase of SOF too short (< 9 etu). Note: spec is >= 10, but FPGA tends to "smear" edges
1328 if(Demod.posCount < 10*2) {
1329 Demod.state = DEMOD_UNSYNCD;
1330 } else {
1331 LED_C_ON(); // Got SOF
1332 Demod.state = DEMOD_AWAITING_START_BIT;
1333 Demod.posCount = 0;
1334 Demod.len = 0;
1335 }
1336 } else {
1337 // low phase of SOF too long (> 12 etu)
1338 if(Demod.posCount > 13*2) {
1339 Demod.state = DEMOD_UNSYNCD;
1340 LED_C_OFF();
1341 }
1342 }
1343 break;
1344
1345 case DEMOD_AWAITING_START_BIT:
1346 ++Demod.posCount;
1347
1348 MAKE_SOFT_DECISION()
1349
1350 if(v > 0) {
1351 // max 19us between characters = 16 1/fs, max 3 etu after low phase of SOF = 24 1/fs
1352 if(Demod.posCount > 3*2) {
1353 Demod.state = DEMOD_UNSYNCD;
1354 LED_C_OFF();
1355 }
1356 } else {
1357 // start bit detected
1358 Demod.bitCount = 0;
1359 Demod.posCount = 1; // this was the first half
1360 Demod.thisBit = v;
1361 Demod.shiftReg = 0;
1362 Demod.state = DEMOD_RECEIVING_DATA;
1363 }
1364 break;
1365
1366 case DEMOD_RECEIVING_DATA:
1367
1368 MAKE_SOFT_DECISION()
1369
1370 if(Demod.posCount == 0) {
1371 // first half of bit
1372 Demod.thisBit = v;
1373 Demod.posCount = 1;
1374 } else {
1375 // second half of bit
1376 Demod.thisBit += v;
1377 Demod.shiftReg >>= 1;
1378 // logic '1'
1379 if(Demod.thisBit > 0)
1380 Demod.shiftReg |= 0x200;
1381
1382 ++Demod.bitCount;
1383
1384 if(Demod.bitCount == 10) {
1385
1386 uint16_t s = Demod.shiftReg;
1387
1388 if((s & 0x200) && !(s & 0x001)) {
1389 // stop bit == '1', start bit == '0'
1390 uint8_t b = (s >> 1);
1391 Demod.output[Demod.len] = b;
1392 ++Demod.len;
1393 Demod.state = DEMOD_AWAITING_START_BIT;
1394 } else {
1395 Demod.state = DEMOD_UNSYNCD;
1396 LED_C_OFF();
1397
1398 if(s == 0x000) {
1399 // This is EOF (start, stop and all data bits == '0'
1400 return TRUE;
1401 }
1402 }
1403 }
1404 Demod.posCount = 0;
1405 }
1406 break;
1407
1408 default:
1409 Demod.state = DEMOD_UNSYNCD;
1410 LED_C_OFF();
1411 break;
1412 }
1413 return FALSE;
1414 }
1415 */
1416 /*
1417 // Clear out the state of the "UART" that receives from the tag.
1418 static void DemodReset() {
1419 Demod.len = 0;
1420 Demod.state = DEMOD_UNSYNCD;
1421 Demod.posCount = 0;
1422 Demod.sumI = 0;
1423 Demod.sumQ = 0;
1424 Demod.bitCount = 0;
1425 Demod.thisBit = 0;
1426 Demod.shiftReg = 0;
1427 memset(Demod.output, 0x00, 3);
1428 }
1429
1430 static void DemodInit(uint8_t *data) {
1431 Demod.output = data;
1432 DemodReset();
1433 }
1434 */
1435
1436 /*
1437 * Demodulate the samples we received from the tag, also log to tracebuffer
1438 * quiet: set to 'TRUE' to disable debug output
1439 */
1440
1441 /*
1442 #define LEGIC_DMA_BUFFER_SIZE 256
1443
1444 static void GetSamplesForLegicDemod(int n, bool quiet)
1445 {
1446 int max = 0;
1447 bool gotFrame = FALSE;
1448 int lastRxCounter = LEGIC_DMA_BUFFER_SIZE;
1449 int ci, cq, samples = 0;
1450
1451 BigBuf_free();
1452
1453 // And put the FPGA in the appropriate mode
1454 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_QUARTER_FREQ);
1455
1456 // The response (tag -> reader) that we're receiving.
1457 // Set up the demodulator for tag -> reader responses.
1458 DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
1459
1460 // The DMA buffer, used to stream samples from the FPGA
1461 int8_t *dmaBuf = (int8_t*) BigBuf_malloc(LEGIC_DMA_BUFFER_SIZE);
1462 int8_t *upTo = dmaBuf;
1463
1464 // Setup and start DMA.
1465 if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, LEGIC_DMA_BUFFER_SIZE) ){
1466 if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting");
1467 return;
1468 }
1469
1470 // Signal field is ON with the appropriate LED:
1471 LED_D_ON();
1472 for(;;) {
1473 int behindBy = lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR;
1474 if(behindBy > max) max = behindBy;
1475
1476 while(((lastRxCounter-AT91C_BASE_PDC_SSC->PDC_RCR) & (LEGIC_DMA_BUFFER_SIZE-1)) > 2) {
1477 ci = upTo[0];
1478 cq = upTo[1];
1479 upTo += 2;
1480 if(upTo >= dmaBuf + LEGIC_DMA_BUFFER_SIZE) {
1481 upTo = dmaBuf;
1482 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
1483 AT91C_BASE_PDC_SSC->PDC_RNCR = LEGIC_DMA_BUFFER_SIZE;
1484 }
1485 lastRxCounter -= 2;
1486 if(lastRxCounter <= 0)
1487 lastRxCounter = LEGIC_DMA_BUFFER_SIZE;
1488
1489 samples += 2;
1490
1491 gotFrame = HandleLegicSamplesDemod(ci , cq );
1492 if ( gotFrame )
1493 break;
1494 }
1495
1496 if(samples > n || gotFrame)
1497 break;
1498 }
1499
1500 FpgaDisableSscDma();
1501
1502 if (!quiet && Demod.len == 0) {
1503 Dbprintf("max behindby = %d, samples = %d, gotFrame = %d, Demod.len = %d, Demod.sumI = %d, Demod.sumQ = %d",
1504 max,
1505 samples,
1506 gotFrame,
1507 Demod.len,
1508 Demod.sumI,
1509 Demod.sumQ
1510 );
1511 }
1512
1513 //Tracing
1514 if (Demod.len > 0) {
1515 uint8_t parity[MAX_PARITY_SIZE] = {0x00};
1516 LogTrace(Demod.output, Demod.len, 0, 0, parity, FALSE);
1517 }
1518 }
1519
1520 */
1521
1522 //-----------------------------------------------------------------------------
1523 // Transmit the command (to the tag) that was placed in ToSend[].
1524 //-----------------------------------------------------------------------------
1525 /*
1526 static void TransmitForLegic(void)
1527 {
1528 int c;
1529
1530 FpgaSetupSsc();
1531
1532 while(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY))
1533 AT91C_BASE_SSC->SSC_THR = 0xff;
1534
1535 // Signal field is ON with the appropriate Red LED
1536 LED_D_ON();
1537
1538 // Signal we are transmitting with the Green LED
1539 LED_B_ON();
1540 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
1541
1542 for(c = 0; c < 10;) {
1543 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1544 AT91C_BASE_SSC->SSC_THR = 0xff;
1545 c++;
1546 }
1547 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1548 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1549 (void)r;
1550 }
1551 WDT_HIT();
1552 }
1553
1554 c = 0;
1555 for(;;) {
1556 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1557 AT91C_BASE_SSC->SSC_THR = ToSend[c];
1558 legic_prng_forward(1); // forward the lfsr
1559 c++;
1560 if(c >= ToSendMax) {
1561 break;
1562 }
1563 }
1564 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1565 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1566 (void)r;
1567 }
1568 WDT_HIT();
1569 }
1570 LED_B_OFF();
1571 }
1572 */
1573
1574 //-----------------------------------------------------------------------------
1575 // Code a layer 2 command (string of octets, including CRC) into ToSend[],
1576 // so that it is ready to transmit to the tag using TransmitForLegic().
1577 //-----------------------------------------------------------------------------
1578 /*
1579 static void CodeLegicBitsAsReader(const uint8_t *cmd, uint8_t cmdlen, int bits)
1580 {
1581 int i, j;
1582 uint8_t b;
1583
1584 ToSendReset();
1585
1586 // Send SOF
1587 for(i = 0; i < 7; i++)
1588 ToSendStuffBit(1);
1589
1590
1591 for(i = 0; i < cmdlen; i++) {
1592 // Start bit
1593 ToSendStuffBit(0);
1594
1595 // Data bits
1596 b = cmd[i];
1597 for(j = 0; j < bits; j++) {
1598 if(b & 1) {
1599 ToSendStuffBit(1);
1600 } else {
1601 ToSendStuffBit(0);
1602 }
1603 b >>= 1;
1604 }
1605 }
1606
1607 // Convert from last character reference to length
1608 ++ToSendMax;
1609 }
1610 */
1611 /**
1612 Convenience function to encode, transmit and trace Legic comms
1613 **/
1614 /*
1615 static void CodeAndTransmitLegicAsReader(const uint8_t *cmd, uint8_t cmdlen, int bits)
1616 {
1617 CodeLegicBitsAsReader(cmd, cmdlen, bits);
1618 TransmitForLegic();
1619 if (tracing) {
1620 uint8_t parity[1] = {0x00};
1621 LogTrace(cmd, cmdlen, 0, 0, parity, TRUE);
1622 }
1623 }
1624
1625 */
1626 // Set up LEGIC communication
1627 /*
1628 void ice_legic_setup() {
1629
1630 // standard things.
1631 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1632 BigBuf_free(); BigBuf_Clear_ext(false);
1633 clear_trace();
1634 set_tracing(TRUE);
1635 DemodReset();
1636 UartReset();
1637
1638 // Set up the synchronous serial port
1639 FpgaSetupSsc();
1640
1641 // connect Demodulated Signal to ADC:
1642 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1643
1644 // Signal field is on with the appropriate LED
1645 LED_D_ON();
1646 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
1647 SpinDelay(20);
1648 // Start the timer
1649 //StartCountSspClk();
1650
1651 // initalize CRC
1652 crc_init(&legic_crc, 4, 0x19 >> 1, 0x5, 0);
1653
1654 // initalize prng
1655 legic_prng_init(0);
1656 }
1657 */
Proxmark3 GIT tracking
Impressum, Datenschutz