]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/lfops.c
Update cmdhf14a.c
[proxmark3-svn] / armsrc / lfops.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // Miscellaneous routines for low frequency tag operations.
7 // Tags supported here so far are Texas Instruments (TI), HID
8 // Also routines for raw mode reading/simulating of LF waveform
9 //-----------------------------------------------------------------------------
10
11 #include "proxmark3.h"
12 #include "apps.h"
13 #include "util.h"
14 #include "hitag2.h"
15 #include "crc16.h"
16 #include "string.h"
17 #include "lfdemod.h"
18 #include "lfsampling.h"
19 #include "protocols.h"
20 #include "usb_cdc.h" // for usb_poll_validate_length
21
22 /**
23 * Function to do a modulation and then get samples.
24 * @param delay_off
25 * @param period_0
26 * @param period_1
27 * @param command
28 */
29 void ModThenAcquireRawAdcSamples125k(uint32_t delay_off, uint32_t period_0, uint32_t period_1, uint8_t *command)
30 {
31
32 int divisor_used = 95; // 125 KHz
33 // see if 'h' was specified
34
35 if (command[strlen((char *) command) - 1] == 'h')
36 divisor_used = 88; // 134.8 KHz
37
38 sample_config sc = { 0,0,1, divisor_used, 0};
39 setSamplingConfig(&sc);
40 //clear read buffer
41 BigBuf_Clear_keep_EM();
42
43 /* Make sure the tag is reset */
44 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
45 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
46 SpinDelay(2500);
47
48 LFSetupFPGAForADC(sc.divisor, 1);
49
50 // And a little more time for the tag to fully power up
51 SpinDelay(2000);
52
53 // now modulate the reader field
54 while(*command != '\0' && *command != ' ') {
55 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
56 LED_D_OFF();
57 SpinDelayUs(delay_off);
58 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc.divisor);
59
60 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
61 LED_D_ON();
62 if(*(command++) == '0')
63 SpinDelayUs(period_0);
64 else
65 SpinDelayUs(period_1);
66 }
67 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
68 LED_D_OFF();
69 SpinDelayUs(delay_off);
70 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc.divisor);
71
72 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
73
74 // now do the read
75 DoAcquisition_config(false, 0);
76 }
77
78 /* blank r/w tag data stream
79 ...0000000000000000 01111111
80 1010101010101010101010101010101010101010101010101010101010101010
81 0011010010100001
82 01111111
83 101010101010101[0]000...
84
85 [5555fe852c5555555555555555fe0000]
86 */
87 void ReadTItag(void)
88 {
89 // some hardcoded initial params
90 // when we read a TI tag we sample the zerocross line at 2Mhz
91 // TI tags modulate a 1 as 16 cycles of 123.2Khz
92 // TI tags modulate a 0 as 16 cycles of 134.2Khz
93 #define FSAMPLE 2000000
94 #define FREQLO 123200
95 #define FREQHI 134200
96
97 signed char *dest = (signed char *)BigBuf_get_addr();
98 uint16_t n = BigBuf_max_traceLen();
99 // 128 bit shift register [shift3:shift2:shift1:shift0]
100 uint32_t shift3 = 0, shift2 = 0, shift1 = 0, shift0 = 0;
101
102 int i, cycles=0, samples=0;
103 // how many sample points fit in 16 cycles of each frequency
104 uint32_t sampleslo = (FSAMPLE<<4)/FREQLO, sampleshi = (FSAMPLE<<4)/FREQHI;
105 // when to tell if we're close enough to one freq or another
106 uint32_t threshold = (sampleslo - sampleshi + 1)>>1;
107
108 // TI tags charge at 134.2Khz
109 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
110 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
111
112 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
113 // connects to SSP_DIN and the SSP_DOUT logic level controls
114 // whether we're modulating the antenna (high)
115 // or listening to the antenna (low)
116 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
117
118 // get TI tag data into the buffer
119 AcquireTiType();
120
121 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
122
123 for (i=0; i<n-1; i++) {
124 // count cycles by looking for lo to hi zero crossings
125 if ( (dest[i]<0) && (dest[i+1]>0) ) {
126 cycles++;
127 // after 16 cycles, measure the frequency
128 if (cycles>15) {
129 cycles=0;
130 samples=i-samples; // number of samples in these 16 cycles
131
132 // TI bits are coming to us lsb first so shift them
133 // right through our 128 bit right shift register
134 shift0 = (shift0>>1) | (shift1 << 31);
135 shift1 = (shift1>>1) | (shift2 << 31);
136 shift2 = (shift2>>1) | (shift3 << 31);
137 shift3 >>= 1;
138
139 // check if the cycles fall close to the number
140 // expected for either the low or high frequency
141 if ( (samples>(sampleslo-threshold)) && (samples<(sampleslo+threshold)) ) {
142 // low frequency represents a 1
143 shift3 |= (1<<31);
144 } else if ( (samples>(sampleshi-threshold)) && (samples<(sampleshi+threshold)) ) {
145 // high frequency represents a 0
146 } else {
147 // probably detected a gay waveform or noise
148 // use this as gaydar or discard shift register and start again
149 shift3 = shift2 = shift1 = shift0 = 0;
150 }
151 samples = i;
152
153 // for each bit we receive, test if we've detected a valid tag
154
155 // if we see 17 zeroes followed by 6 ones, we might have a tag
156 // remember the bits are backwards
157 if ( ((shift0 & 0x7fffff) == 0x7e0000) ) {
158 // if start and end bytes match, we have a tag so break out of the loop
159 if ( ((shift0>>16)&0xff) == ((shift3>>8)&0xff) ) {
160 cycles = 0xF0B; //use this as a flag (ugly but whatever)
161 break;
162 }
163 }
164 }
165 }
166 }
167
168 // if flag is set we have a tag
169 if (cycles!=0xF0B) {
170 DbpString("Info: No valid tag detected.");
171 } else {
172 // put 64 bit data into shift1 and shift0
173 shift0 = (shift0>>24) | (shift1 << 8);
174 shift1 = (shift1>>24) | (shift2 << 8);
175
176 // align 16 bit crc into lower half of shift2
177 shift2 = ((shift2>>24) | (shift3 << 8)) & 0x0ffff;
178
179 // if r/w tag, check ident match
180 if (shift3 & (1<<15) ) {
181 DbpString("Info: TI tag is rewriteable");
182 // only 15 bits compare, last bit of ident is not valid
183 if (((shift3 >> 16) ^ shift0) & 0x7fff ) {
184 DbpString("Error: Ident mismatch!");
185 } else {
186 DbpString("Info: TI tag ident is valid");
187 }
188 } else {
189 DbpString("Info: TI tag is readonly");
190 }
191
192 // WARNING the order of the bytes in which we calc crc below needs checking
193 // i'm 99% sure the crc algorithm is correct, but it may need to eat the
194 // bytes in reverse or something
195 // calculate CRC
196 uint32_t crc=0;
197
198 crc = update_crc16(crc, (shift0)&0xff);
199 crc = update_crc16(crc, (shift0>>8)&0xff);
200 crc = update_crc16(crc, (shift0>>16)&0xff);
201 crc = update_crc16(crc, (shift0>>24)&0xff);
202 crc = update_crc16(crc, (shift1)&0xff);
203 crc = update_crc16(crc, (shift1>>8)&0xff);
204 crc = update_crc16(crc, (shift1>>16)&0xff);
205 crc = update_crc16(crc, (shift1>>24)&0xff);
206
207 Dbprintf("Info: Tag data: %x%08x, crc=%x",
208 (unsigned int)shift1, (unsigned int)shift0, (unsigned int)shift2 & 0xFFFF);
209 if (crc != (shift2&0xffff)) {
210 Dbprintf("Error: CRC mismatch, expected %x", (unsigned int)crc);
211 } else {
212 DbpString("Info: CRC is good");
213 }
214 }
215 }
216
217 void WriteTIbyte(uint8_t b)
218 {
219 int i = 0;
220
221 // modulate 8 bits out to the antenna
222 for (i=0; i<8; i++)
223 {
224 if (b&(1<<i)) {
225 // stop modulating antenna
226 LOW(GPIO_SSC_DOUT);
227 SpinDelayUs(1000);
228 // modulate antenna
229 HIGH(GPIO_SSC_DOUT);
230 SpinDelayUs(1000);
231 } else {
232 // stop modulating antenna
233 LOW(GPIO_SSC_DOUT);
234 SpinDelayUs(300);
235 // modulate antenna
236 HIGH(GPIO_SSC_DOUT);
237 SpinDelayUs(1700);
238 }
239 }
240 }
241
242 void AcquireTiType(void)
243 {
244 int i, j, n;
245 // tag transmission is <20ms, sampling at 2M gives us 40K samples max
246 // each sample is 1 bit stuffed into a uint32_t so we need 1250 uint32_t
247 #define TIBUFLEN 1250
248
249 // clear buffer
250 uint32_t *BigBuf = (uint32_t *)BigBuf_get_addr();
251 BigBuf_Clear_ext(false);
252
253 // Set up the synchronous serial port
254 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DIN;
255 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN;
256
257 // steal this pin from the SSP and use it to control the modulation
258 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
259 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
260
261 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
262 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_RXEN | AT91C_SSC_TXEN;
263
264 // Sample at 2 Mbit/s, so TI tags are 16.2 vs. 14.9 clocks long
265 // 48/2 = 24 MHz clock must be divided by 12
266 AT91C_BASE_SSC->SSC_CMR = 12;
267
268 AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(0);
269 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(32) | AT91C_SSC_MSBF;
270 AT91C_BASE_SSC->SSC_TCMR = 0;
271 AT91C_BASE_SSC->SSC_TFMR = 0;
272
273 LED_D_ON();
274
275 // modulate antenna
276 HIGH(GPIO_SSC_DOUT);
277
278 // Charge TI tag for 50ms.
279 SpinDelay(50);
280
281 // stop modulating antenna and listen
282 LOW(GPIO_SSC_DOUT);
283
284 LED_D_OFF();
285
286 i = 0;
287 for(;;) {
288 if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
289 BigBuf[i] = AT91C_BASE_SSC->SSC_RHR; // store 32 bit values in buffer
290 i++; if(i >= TIBUFLEN) break;
291 }
292 WDT_HIT();
293 }
294
295 // return stolen pin to SSP
296 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;
297 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN | GPIO_SSC_DOUT;
298
299 char *dest = (char *)BigBuf_get_addr();
300 n = TIBUFLEN*32;
301 // unpack buffer
302 for (i=TIBUFLEN-1; i>=0; i--) {
303 for (j=0; j<32; j++) {
304 if(BigBuf[i] & (1 << j)) {
305 dest[--n] = 1;
306 } else {
307 dest[--n] = -1;
308 }
309 }
310 }
311 }
312
313 // arguments: 64bit data split into 32bit idhi:idlo and optional 16bit crc
314 // if crc provided, it will be written with the data verbatim (even if bogus)
315 // if not provided a valid crc will be computed from the data and written.
316 void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc)
317 {
318 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
319 if(crc == 0) {
320 crc = update_crc16(crc, (idlo)&0xff);
321 crc = update_crc16(crc, (idlo>>8)&0xff);
322 crc = update_crc16(crc, (idlo>>16)&0xff);
323 crc = update_crc16(crc, (idlo>>24)&0xff);
324 crc = update_crc16(crc, (idhi)&0xff);
325 crc = update_crc16(crc, (idhi>>8)&0xff);
326 crc = update_crc16(crc, (idhi>>16)&0xff);
327 crc = update_crc16(crc, (idhi>>24)&0xff);
328 }
329 Dbprintf("Writing to tag: %x%08x, crc=%x",
330 (unsigned int) idhi, (unsigned int) idlo, crc);
331
332 // TI tags charge at 134.2Khz
333 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
334 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
335 // connects to SSP_DIN and the SSP_DOUT logic level controls
336 // whether we're modulating the antenna (high)
337 // or listening to the antenna (low)
338 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
339 LED_A_ON();
340
341 // steal this pin from the SSP and use it to control the modulation
342 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
343 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
344
345 // writing algorithm:
346 // a high bit consists of a field off for 1ms and field on for 1ms
347 // a low bit consists of a field off for 0.3ms and field on for 1.7ms
348 // initiate a charge time of 50ms (field on) then immediately start writing bits
349 // start by writing 0xBB (keyword) and 0xEB (password)
350 // then write 80 bits of data (or 64 bit data + 16 bit crc if you prefer)
351 // finally end with 0x0300 (write frame)
352 // all data is sent lsb firts
353 // finish with 15ms programming time
354
355 // modulate antenna
356 HIGH(GPIO_SSC_DOUT);
357 SpinDelay(50); // charge time
358
359 WriteTIbyte(0xbb); // keyword
360 WriteTIbyte(0xeb); // password
361 WriteTIbyte( (idlo )&0xff );
362 WriteTIbyte( (idlo>>8 )&0xff );
363 WriteTIbyte( (idlo>>16)&0xff );
364 WriteTIbyte( (idlo>>24)&0xff );
365 WriteTIbyte( (idhi )&0xff );
366 WriteTIbyte( (idhi>>8 )&0xff );
367 WriteTIbyte( (idhi>>16)&0xff );
368 WriteTIbyte( (idhi>>24)&0xff ); // data hi to lo
369 WriteTIbyte( (crc )&0xff ); // crc lo
370 WriteTIbyte( (crc>>8 )&0xff ); // crc hi
371 WriteTIbyte(0x00); // write frame lo
372 WriteTIbyte(0x03); // write frame hi
373 HIGH(GPIO_SSC_DOUT);
374 SpinDelay(50); // programming time
375
376 LED_A_OFF();
377
378 // get TI tag data into the buffer
379 AcquireTiType();
380
381 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
382 DbpString("Now use `lf ti read` to check");
383 }
384
385 void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
386 {
387 int i;
388 uint8_t *tab = BigBuf_get_addr();
389
390 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
391 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
392
393 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK;
394
395 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
396 AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK;
397
398 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
399 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
400
401 i = 0;
402 for(;;) {
403 //wait until SSC_CLK goes HIGH
404 while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {
405 if(BUTTON_PRESS() || (usb_poll_validate_length() )) {
406 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
407 DbpString("Stopped");
408 return;
409 }
410 WDT_HIT();
411 }
412 if (ledcontrol)
413 LED_D_ON();
414
415 if(tab[i])
416 OPEN_COIL();
417 else
418 SHORT_COIL();
419
420 if (ledcontrol)
421 LED_D_OFF();
422 //wait until SSC_CLK goes LOW
423 while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) {
424 if(BUTTON_PRESS() || (usb_poll_validate_length() )) {
425 DbpString("Stopped");
426 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
427 return;
428 }
429 WDT_HIT();
430 }
431
432 i++;
433 if(i == period) {
434
435 i = 0;
436 if (gap) {
437 SHORT_COIL();
438 SpinDelayUs(gap);
439 }
440 }
441
442 }
443 }
444
445 #define DEBUG_FRAME_CONTENTS 1
446 void SimulateTagLowFrequencyBidir(int divisor, int t0)
447 {
448 }
449
450 // compose fc/8 fc/10 waveform (FSK2)
451 static void fc(int c, int *n)
452 {
453 uint8_t *dest = BigBuf_get_addr();
454 int idx;
455
456 // for when we want an fc8 pattern every 4 logical bits
457 if(c==0) {
458 dest[((*n)++)]=1;
459 dest[((*n)++)]=1;
460 dest[((*n)++)]=1;
461 dest[((*n)++)]=1;
462 dest[((*n)++)]=0;
463 dest[((*n)++)]=0;
464 dest[((*n)++)]=0;
465 dest[((*n)++)]=0;
466 }
467
468 // an fc/8 encoded bit is a bit pattern of 11110000 x6 = 48 samples
469 if(c==8) {
470 for (idx=0; idx<6; idx++) {
471 dest[((*n)++)]=1;
472 dest[((*n)++)]=1;
473 dest[((*n)++)]=1;
474 dest[((*n)++)]=1;
475 dest[((*n)++)]=0;
476 dest[((*n)++)]=0;
477 dest[((*n)++)]=0;
478 dest[((*n)++)]=0;
479 }
480 }
481
482 // an fc/10 encoded bit is a bit pattern of 1111100000 x5 = 50 samples
483 if(c==10) {
484 for (idx=0; idx<5; idx++) {
485 dest[((*n)++)]=1;
486 dest[((*n)++)]=1;
487 dest[((*n)++)]=1;
488 dest[((*n)++)]=1;
489 dest[((*n)++)]=1;
490 dest[((*n)++)]=0;
491 dest[((*n)++)]=0;
492 dest[((*n)++)]=0;
493 dest[((*n)++)]=0;
494 dest[((*n)++)]=0;
495 }
496 }
497 }
498 // compose fc/X fc/Y waveform (FSKx)
499 static void fcAll(uint8_t fc, int *n, uint8_t clock, uint16_t *modCnt)
500 {
501 uint8_t *dest = BigBuf_get_addr();
502 uint8_t halfFC = fc/2;
503 uint8_t wavesPerClock = clock/fc;
504 uint8_t mod = clock % fc; //modifier
505 uint8_t modAdj = fc/mod; //how often to apply modifier
506 bool modAdjOk = !(fc % mod); //if (fc % mod==0) modAdjOk=TRUE;
507 // loop through clock - step field clock
508 for (uint8_t idx=0; idx < wavesPerClock; idx++){
509 // put 1/2 FC length 1's and 1/2 0's per field clock wave (to create the wave)
510 memset(dest+(*n), 0, fc-halfFC); //in case of odd number use extra here
511 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
512 *n += fc;
513 }
514 if (mod>0) (*modCnt)++;
515 if ((mod>0) && modAdjOk){ //fsk2
516 if ((*modCnt % modAdj) == 0){ //if 4th 8 length wave in a rf/50 add extra 8 length wave
517 memset(dest+(*n), 0, fc-halfFC);
518 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
519 *n += fc;
520 }
521 }
522 if (mod>0 && !modAdjOk){ //fsk1
523 memset(dest+(*n), 0, mod-(mod/2));
524 memset(dest+(*n)+(mod-(mod/2)), 1, mod/2);
525 *n += mod;
526 }
527 }
528
529 // prepare a waveform pattern in the buffer based on the ID given then
530 // simulate a HID tag until the button is pressed
531 void CmdHIDsimTAG(int hi, int lo, int ledcontrol)
532 {
533 int n=0, i=0;
534 /*
535 HID tag bitstream format
536 The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits
537 A 1 bit is represented as 6 fc8 and 5 fc10 patterns
538 A 0 bit is represented as 5 fc10 and 6 fc8 patterns
539 A fc8 is inserted before every 4 bits
540 A special start of frame pattern is used consisting a0b0 where a and b are neither 0
541 nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10)
542 */
543
544 if (hi>0xFFF) {
545 DbpString("Tags can only have 44 bits. - USE lf simfsk for larger tags");
546 return;
547 }
548 fc(0,&n);
549 // special start of frame marker containing invalid bit sequences
550 fc(8, &n); fc(8, &n); // invalid
551 fc(8, &n); fc(10, &n); // logical 0
552 fc(10, &n); fc(10, &n); // invalid
553 fc(8, &n); fc(10, &n); // logical 0
554
555 WDT_HIT();
556 // manchester encode bits 43 to 32
557 for (i=11; i>=0; i--) {
558 if ((i%4)==3) fc(0,&n);
559 if ((hi>>i)&1) {
560 fc(10, &n); fc(8, &n); // low-high transition
561 } else {
562 fc(8, &n); fc(10, &n); // high-low transition
563 }
564 }
565
566 WDT_HIT();
567 // manchester encode bits 31 to 0
568 for (i=31; i>=0; i--) {
569 if ((i%4)==3) fc(0,&n);
570 if ((lo>>i)&1) {
571 fc(10, &n); fc(8, &n); // low-high transition
572 } else {
573 fc(8, &n); fc(10, &n); // high-low transition
574 }
575 }
576
577 if (ledcontrol)
578 LED_A_ON();
579 SimulateTagLowFrequency(n, 0, ledcontrol);
580
581 if (ledcontrol)
582 LED_A_OFF();
583 }
584
585 // prepare a waveform pattern in the buffer based on the ID given then
586 // simulate a FSK tag until the button is pressed
587 // arg1 contains fcHigh and fcLow, arg2 contains invert and clock
588 void CmdFSKsimTAG(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
589 {
590 int ledcontrol=1;
591 int n=0, i=0;
592 uint8_t fcHigh = arg1 >> 8;
593 uint8_t fcLow = arg1 & 0xFF;
594 uint16_t modCnt = 0;
595 uint8_t clk = arg2 & 0xFF;
596 uint8_t invert = (arg2 >> 8) & 1;
597
598 for (i=0; i<size; i++){
599 if (BitStream[i] == invert){
600 fcAll(fcLow, &n, clk, &modCnt);
601 } else {
602 fcAll(fcHigh, &n, clk, &modCnt);
603 }
604 }
605 Dbprintf("Simulating with fcHigh: %d, fcLow: %d, clk: %d, invert: %d, n: %d",fcHigh, fcLow, clk, invert, n);
606 /*Dbprintf("DEBUG: First 32:");
607 uint8_t *dest = BigBuf_get_addr();
608 i=0;
609 Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
610 i+=16;
611 Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
612 */
613 if (ledcontrol)
614 LED_A_ON();
615
616 SimulateTagLowFrequency(n, 0, ledcontrol);
617
618 if (ledcontrol)
619 LED_A_OFF();
620 }
621
622 // compose ask waveform for one bit(ASK)
623 static void askSimBit(uint8_t c, int *n, uint8_t clock, uint8_t manchester)
624 {
625 uint8_t *dest = BigBuf_get_addr();
626 uint8_t halfClk = clock/2;
627 // c = current bit 1 or 0
628 if (manchester==1){
629 memset(dest+(*n), c, halfClk);
630 memset(dest+(*n) + halfClk, c^1, halfClk);
631 } else {
632 memset(dest+(*n), c, clock);
633 }
634 *n += clock;
635 }
636
637 static void biphaseSimBit(uint8_t c, int *n, uint8_t clock, uint8_t *phase)
638 {
639 uint8_t *dest = BigBuf_get_addr();
640 uint8_t halfClk = clock/2;
641 if (c){
642 memset(dest+(*n), c ^ 1 ^ *phase, halfClk);
643 memset(dest+(*n) + halfClk, c ^ *phase, halfClk);
644 } else {
645 memset(dest+(*n), c ^ *phase, clock);
646 *phase ^= 1;
647 }
648 *n += clock;
649 }
650
651 static void stAskSimBit(int *n, uint8_t clock) {
652 uint8_t *dest = BigBuf_get_addr();
653 uint8_t halfClk = clock/2;
654 //ST = .5 high .5 low 1.5 high .5 low 1 high
655 memset(dest+(*n), 1, halfClk);
656 memset(dest+(*n) + halfClk, 0, halfClk);
657 memset(dest+(*n) + clock, 1, clock + halfClk);
658 memset(dest+(*n) + clock*2 + halfClk, 0, halfClk);
659 memset(dest+(*n) + clock*3, 1, clock);
660 *n += clock*4;
661 }
662
663 // args clock, ask/man or askraw, invert, transmission separator
664 void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
665 {
666 int ledcontrol = 1;
667 int n=0, i=0;
668 uint8_t clk = (arg1 >> 8) & 0xFF;
669 uint8_t encoding = arg1 & 0xFF;
670 uint8_t separator = arg2 & 1;
671 uint8_t invert = (arg2 >> 8) & 1;
672
673 if (encoding==2){ //biphase
674 uint8_t phase=0;
675 for (i=0; i<size; i++){
676 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
677 }
678 if (phase==1) { //run a second set inverted to keep phase in check
679 for (i=0; i<size; i++){
680 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
681 }
682 }
683 } else { // ask/manchester || ask/raw
684 for (i=0; i<size; i++){
685 askSimBit(BitStream[i]^invert, &n, clk, encoding);
686 }
687 if (encoding==0 && BitStream[0]==BitStream[size-1]){ //run a second set inverted (for ask/raw || biphase phase)
688 for (i=0; i<size; i++){
689 askSimBit(BitStream[i]^invert^1, &n, clk, encoding);
690 }
691 }
692 }
693 if (separator==1 && encoding == 1)
694 stAskSimBit(&n, clk);
695 else if (separator==1)
696 Dbprintf("sorry but separator option not yet available");
697
698 Dbprintf("Simulating with clk: %d, invert: %d, encoding: %d, separator: %d, n: %d",clk, invert, encoding, separator, n);
699 //DEBUG
700 //Dbprintf("First 32:");
701 //uint8_t *dest = BigBuf_get_addr();
702 //i=0;
703 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
704 //i+=16;
705 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
706
707 if (ledcontrol) LED_A_ON();
708 SimulateTagLowFrequency(n, 0, ledcontrol);
709 if (ledcontrol) LED_A_OFF();
710 }
711
712 //carrier can be 2,4 or 8
713 static void pskSimBit(uint8_t waveLen, int *n, uint8_t clk, uint8_t *curPhase, bool phaseChg)
714 {
715 uint8_t *dest = BigBuf_get_addr();
716 uint8_t halfWave = waveLen/2;
717 //uint8_t idx;
718 int i = 0;
719 if (phaseChg){
720 // write phase change
721 memset(dest+(*n), *curPhase^1, halfWave);
722 memset(dest+(*n) + halfWave, *curPhase, halfWave);
723 *n += waveLen;
724 *curPhase ^= 1;
725 i += waveLen;
726 }
727 //write each normal clock wave for the clock duration
728 for (; i < clk; i+=waveLen){
729 memset(dest+(*n), *curPhase, halfWave);
730 memset(dest+(*n) + halfWave, *curPhase^1, halfWave);
731 *n += waveLen;
732 }
733 }
734
735 // args clock, carrier, invert,
736 void CmdPSKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
737 {
738 int ledcontrol=1;
739 int n=0, i=0;
740 uint8_t clk = arg1 >> 8;
741 uint8_t carrier = arg1 & 0xFF;
742 uint8_t invert = arg2 & 0xFF;
743 uint8_t curPhase = 0;
744 for (i=0; i<size; i++){
745 if (BitStream[i] == curPhase){
746 pskSimBit(carrier, &n, clk, &curPhase, FALSE);
747 } else {
748 pskSimBit(carrier, &n, clk, &curPhase, TRUE);
749 }
750 }
751 Dbprintf("Simulating with Carrier: %d, clk: %d, invert: %d, n: %d",carrier, clk, invert, n);
752 //Dbprintf("DEBUG: First 32:");
753 //uint8_t *dest = BigBuf_get_addr();
754 //i=0;
755 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
756 //i+=16;
757 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
758
759 if (ledcontrol) LED_A_ON();
760 SimulateTagLowFrequency(n, 0, ledcontrol);
761 if (ledcontrol) LED_A_OFF();
762 }
763
764 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
765 void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
766 {
767 uint8_t *dest = BigBuf_get_addr();
768 //const size_t sizeOfBigBuff = BigBuf_max_traceLen();
769 size_t size;
770 uint32_t hi2=0, hi=0, lo=0;
771 int idx=0;
772 int dummyIdx = 0;
773 // Configure to go in 125Khz listen mode
774 LFSetupFPGAForADC(95, true);
775
776 //clear read buffer
777 BigBuf_Clear_keep_EM();
778
779 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
780
781 WDT_HIT();
782 if (ledcontrol) LED_A_ON();
783
784 DoAcquisition_default(-1,true);
785 // FSK demodulator
786 //size = sizeOfBigBuff; //variable size will change after demod so re initialize it before use
787 size = 50*128*2; //big enough to catch 2 sequences of largest format
788 idx = HIDdemodFSK(dest, &size, &hi2, &hi, &lo, &dummyIdx);
789
790 if (idx>0 && lo>0 && (size==96 || size==192)){
791 // go over previously decoded manchester data and decode into usable tag ID
792 if (hi2 != 0){ //extra large HID tags 88/192 bits
793 Dbprintf("TAG ID: %x%08x%08x (%d)",
794 (unsigned int) hi2, (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
795 }else { //standard HID tags 44/96 bits
796 //Dbprintf("TAG ID: %x%08x (%d)",(unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF); //old print cmd
797 uint8_t bitlen = 0;
798 uint32_t fc = 0;
799 uint32_t cardnum = 0;
800 if (((hi>>5)&1) == 1){//if bit 38 is set then < 37 bit format is used
801 uint32_t lo2=0;
802 lo2=(((hi & 31) << 12) | (lo>>20)); //get bits 21-37 to check for format len bit
803 uint8_t idx3 = 1;
804 while(lo2 > 1){ //find last bit set to 1 (format len bit)
805 lo2=lo2 >> 1;
806 idx3++;
807 }
808 bitlen = idx3+19;
809 fc =0;
810 cardnum=0;
811 if(bitlen == 26){
812 cardnum = (lo>>1)&0xFFFF;
813 fc = (lo>>17)&0xFF;
814 }
815 if(bitlen == 37){
816 cardnum = (lo>>1)&0x7FFFF;
817 fc = ((hi&0xF)<<12)|(lo>>20);
818 }
819 if(bitlen == 34){
820 cardnum = (lo>>1)&0xFFFF;
821 fc= ((hi&1)<<15)|(lo>>17);
822 }
823 if(bitlen == 35){
824 cardnum = (lo>>1)&0xFFFFF;
825 fc = ((hi&1)<<11)|(lo>>21);
826 }
827 }
828 else { //if bit 38 is not set then 37 bit format is used
829 bitlen= 37;
830 fc =0;
831 cardnum=0;
832 if(bitlen==37){
833 cardnum = (lo>>1)&0x7FFFF;
834 fc = ((hi&0xF)<<12)|(lo>>20);
835 }
836 }
837 //Dbprintf("TAG ID: %x%08x (%d)",
838 // (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
839 Dbprintf("TAG ID: %x%08x (%d) - Format Len: %dbit - FC: %d - Card: %d",
840 (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF,
841 (unsigned int) bitlen, (unsigned int) fc, (unsigned int) cardnum);
842 }
843 if (findone){
844 if (ledcontrol) LED_A_OFF();
845 *high = hi;
846 *low = lo;
847 break;
848 }
849 // reset
850 }
851 hi2 = hi = lo = idx = 0;
852 WDT_HIT();
853 }
854
855 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
856 DbpString("Stopped");
857 if (ledcontrol) LED_A_OFF();
858 }
859
860 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
861 void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
862 {
863 uint8_t *dest = BigBuf_get_addr();
864 size_t size;
865 int idx=0, dummyIdx=0;
866 //clear read buffer
867 BigBuf_Clear_keep_EM();
868 // Configure to go in 125Khz listen mode
869 LFSetupFPGAForADC(95, true);
870
871 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
872
873 WDT_HIT();
874 if (ledcontrol) LED_A_ON();
875
876 DoAcquisition_default(-1,true);
877 // FSK demodulator
878 size = 50*128*2; //big enough to catch 2 sequences of largest format
879 idx = AWIDdemodFSK(dest, &size, &dummyIdx);
880
881 if (idx<=0 || size!=96) continue;
882 // Index map
883 // 0 10 20 30 40 50 60
884 // | | | | | | |
885 // 01234567 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 - to 96
886 // -----------------------------------------------------------------------------
887 // 00000001 000 1 110 1 101 1 011 1 101 1 010 0 000 1 000 1 010 0 001 0 110 1 100 0 000 1 000 1
888 // premable bbb o bbb o bbw o fff o fff o ffc o ccc o ccc o ccc o ccc o ccc o wxx o xxx o xxx o - to 96
889 // |---26 bit---| |-----117----||-------------142-------------|
890 // b = format bit len, o = odd parity of last 3 bits
891 // f = facility code, c = card number
892 // w = wiegand parity
893 // (26 bit format shown)
894
895 //get raw ID before removing parities
896 uint32_t rawLo = bytebits_to_byte(dest+idx+64,32);
897 uint32_t rawHi = bytebits_to_byte(dest+idx+32,32);
898 uint32_t rawHi2 = bytebits_to_byte(dest+idx,32);
899
900 size = removeParity(dest, idx+8, 4, 1, 88);
901 if (size != 66) continue;
902 // ok valid card found!
903
904 // Index map
905 // 0 10 20 30 40 50 60
906 // | | | | | | |
907 // 01234567 8 90123456 7890123456789012 3 456789012345678901234567890123456
908 // -----------------------------------------------------------------------------
909 // 00011010 1 01110101 0000000010001110 1 000000000000000000000000000000000
910 // bbbbbbbb w ffffffff cccccccccccccccc w xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
911 // |26 bit| |-117--| |-----142------|
912 // b = format bit len, o = odd parity of last 3 bits
913 // f = facility code, c = card number
914 // w = wiegand parity
915 // (26 bit format shown)
916
917 uint32_t fc = 0;
918 uint32_t cardnum = 0;
919 uint32_t code1 = 0;
920 uint32_t code2 = 0;
921 uint8_t fmtLen = bytebits_to_byte(dest,8);
922 if (fmtLen==26){
923 fc = bytebits_to_byte(dest+9, 8);
924 cardnum = bytebits_to_byte(dest+17, 16);
925 code1 = bytebits_to_byte(dest+8,fmtLen);
926 Dbprintf("AWID Found - BitLength: %d, FC: %d, Card: %d - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, fc, cardnum, code1, rawHi2, rawHi, rawLo);
927 } else {
928 cardnum = bytebits_to_byte(dest+8+(fmtLen-17), 16);
929 if (fmtLen>32){
930 code1 = bytebits_to_byte(dest+8,fmtLen-32);
931 code2 = bytebits_to_byte(dest+8+(fmtLen-32),32);
932 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%d) - Wiegand: %x%08x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, code2, rawHi2, rawHi, rawLo);
933 } else{
934 code1 = bytebits_to_byte(dest+8,fmtLen);
935 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%d) - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, rawHi2, rawHi, rawLo);
936 }
937 }
938 if (findone){
939 if (ledcontrol) LED_A_OFF();
940 break;
941 }
942 // reset
943 idx = 0;
944 WDT_HIT();
945 }
946 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
947 DbpString("Stopped");
948 if (ledcontrol) LED_A_OFF();
949 }
950
951 void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol)
952 {
953 uint8_t *dest = BigBuf_get_addr();
954
955 size_t size=0, idx=0;
956 int clk=0, invert=0, errCnt=0, maxErr=20;
957 uint32_t hi=0;
958 uint64_t lo=0;
959 //clear read buffer
960 BigBuf_Clear_keep_EM();
961 // Configure to go in 125Khz listen mode
962 LFSetupFPGAForADC(95, true);
963
964 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
965
966 WDT_HIT();
967 if (ledcontrol) LED_A_ON();
968
969 DoAcquisition_default(-1,true);
970 size = BigBuf_max_traceLen();
971 //askdemod and manchester decode
972 if (size > 16385) size = 16385; //big enough to catch 2 sequences of largest format
973 errCnt = askdemod(dest, &size, &clk, &invert, maxErr, 0, 1);
974 WDT_HIT();
975
976 if (errCnt<0) continue;
977
978 errCnt = Em410xDecode(dest, &size, &idx, &hi, &lo);
979 if (errCnt){
980 if (size>64){
981 Dbprintf("EM XL TAG ID: %06x%08x%08x - (%05d_%03d_%08d)",
982 hi,
983 (uint32_t)(lo>>32),
984 (uint32_t)lo,
985 (uint32_t)(lo&0xFFFF),
986 (uint32_t)((lo>>16LL) & 0xFF),
987 (uint32_t)(lo & 0xFFFFFF));
988 } else {
989 Dbprintf("EM TAG ID: %02x%08x - (%05d_%03d_%08d)",
990 (uint32_t)(lo>>32),
991 (uint32_t)lo,
992 (uint32_t)(lo&0xFFFF),
993 (uint32_t)((lo>>16LL) & 0xFF),
994 (uint32_t)(lo & 0xFFFFFF));
995 }
996
997 if (findone){
998 if (ledcontrol) LED_A_OFF();
999 *high=lo>>32;
1000 *low=lo & 0xFFFFFFFF;
1001 break;
1002 }
1003 }
1004 WDT_HIT();
1005 hi = lo = size = idx = 0;
1006 clk = invert = errCnt = 0;
1007 }
1008 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1009 DbpString("Stopped");
1010 if (ledcontrol) LED_A_OFF();
1011 }
1012
1013 void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
1014 {
1015 uint8_t *dest = BigBuf_get_addr();
1016 int idx=0;
1017 uint32_t code=0, code2=0;
1018 uint8_t version=0;
1019 uint8_t facilitycode=0;
1020 uint16_t number=0;
1021 int dummyIdx=0;
1022 //clear read buffer
1023 BigBuf_Clear_keep_EM();
1024 // Configure to go in 125Khz listen mode
1025 LFSetupFPGAForADC(95, true);
1026
1027 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
1028 WDT_HIT();
1029 if (ledcontrol) LED_A_ON();
1030 DoAcquisition_default(-1,true);
1031 //fskdemod and get start index
1032 WDT_HIT();
1033 idx = IOdemodFSK(dest, BigBuf_max_traceLen(), &dummyIdx);
1034 if (idx<0) continue;
1035 //valid tag found
1036
1037 //Index map
1038 //0 10 20 30 40 50 60
1039 //| | | | | | |
1040 //01234567 8 90123456 7 89012345 6 78901234 5 67890123 4 56789012 3 45678901 23
1041 //-----------------------------------------------------------------------------
1042 //00000000 0 11110000 1 facility 1 version* 1 code*one 1 code*two 1 ???????? 11
1043 //
1044 //XSF(version)facility:codeone+codetwo
1045 //Handle the data
1046 if(findone){ //only print binary if we are doing one
1047 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx], dest[idx+1], dest[idx+2],dest[idx+3],dest[idx+4],dest[idx+5],dest[idx+6],dest[idx+7],dest[idx+8]);
1048 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+9], dest[idx+10],dest[idx+11],dest[idx+12],dest[idx+13],dest[idx+14],dest[idx+15],dest[idx+16],dest[idx+17]);
1049 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+18],dest[idx+19],dest[idx+20],dest[idx+21],dest[idx+22],dest[idx+23],dest[idx+24],dest[idx+25],dest[idx+26]);
1050 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+27],dest[idx+28],dest[idx+29],dest[idx+30],dest[idx+31],dest[idx+32],dest[idx+33],dest[idx+34],dest[idx+35]);
1051 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+36],dest[idx+37],dest[idx+38],dest[idx+39],dest[idx+40],dest[idx+41],dest[idx+42],dest[idx+43],dest[idx+44]);
1052 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+45],dest[idx+46],dest[idx+47],dest[idx+48],dest[idx+49],dest[idx+50],dest[idx+51],dest[idx+52],dest[idx+53]);
1053 Dbprintf("%d%d%d%d%d%d%d%d %d%d",dest[idx+54],dest[idx+55],dest[idx+56],dest[idx+57],dest[idx+58],dest[idx+59],dest[idx+60],dest[idx+61],dest[idx+62],dest[idx+63]);
1054 }
1055 code = bytebits_to_byte(dest+idx,32);
1056 code2 = bytebits_to_byte(dest+idx+32,32);
1057 version = bytebits_to_byte(dest+idx+27,8); //14,4
1058 facilitycode = bytebits_to_byte(dest+idx+18,8);
1059 number = (bytebits_to_byte(dest+idx+36,8)<<8)|(bytebits_to_byte(dest+idx+45,8)); //36,9
1060
1061 Dbprintf("XSF(%02d)%02x:%05d (%08x%08x)",version,facilitycode,number,code,code2);
1062 // if we're only looking for one tag
1063 if (findone){
1064 if (ledcontrol) LED_A_OFF();
1065 //LED_A_OFF();
1066 *high=code;
1067 *low=code2;
1068 break;
1069 }
1070 code=code2=0;
1071 version=facilitycode=0;
1072 number=0;
1073 idx=0;
1074
1075 WDT_HIT();
1076 }
1077 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1078 DbpString("Stopped");
1079 if (ledcontrol) LED_A_OFF();
1080 }
1081
1082 /*------------------------------
1083 * T5555/T5557/T5567/T5577 routines
1084 *------------------------------
1085 * NOTE: T55x7/T5555 configuration register definitions moved to protocols.h
1086 *
1087 * Relevant communication times in microsecond
1088 * To compensate antenna falling times shorten the write times
1089 * and enlarge the gap ones.
1090 * Q5 tags seems to have issues when these values changes.
1091 */
1092 #define START_GAP 31*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (or 15fc)
1093 #define WRITE_GAP 20*8 // was 160 // SPEC: 1*8 to 20*8 - typ 10*8 (or 10fc)
1094 #define WRITE_0 18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc)
1095 #define WRITE_1 50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc) 432 for T55x7; 448 for E5550
1096 #define READ_GAP 15*8
1097
1098 void TurnReadLFOn(int delay) {
1099 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
1100 // Give it a bit of time for the resonant antenna to settle.
1101 WaitUS(delay); //155*8 //50*8
1102 }
1103
1104 // Write one bit to card
1105 void T55xxWriteBit(int bit) {
1106 if (!bit)
1107 TurnReadLFOn(WRITE_0);
1108 else
1109 TurnReadLFOn(WRITE_1);
1110 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1111 WaitUS(WRITE_GAP);
1112 }
1113
1114 // Send T5577 reset command then read stream (see if we can identify the start of the stream)
1115 void T55xxResetRead(void) {
1116 LED_A_ON();
1117 //clear buffer now so it does not interfere with timing later
1118 BigBuf_Clear_keep_EM();
1119
1120 // Set up FPGA, 125kHz
1121 LFSetupFPGAForADC(95, true);
1122 StartTicks();
1123 // make sure tag is fully powered up...
1124 WaitMS(5);
1125
1126 // Trigger T55x7 in mode.
1127 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1128 WaitUS(START_GAP);
1129
1130 // reset tag - op code 00
1131 T55xxWriteBit(0);
1132 T55xxWriteBit(0);
1133
1134 TurnReadLFOn(READ_GAP);
1135
1136 // Acquisition
1137 DoPartialAcquisition(0, true, BigBuf_max_traceLen());
1138
1139 // Turn the field off
1140 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1141 cmd_send(CMD_ACK,0,0,0,0,0);
1142 LED_A_OFF();
1143 }
1144
1145 // Write one card block in page 0, no lock
1146 void T55xxWriteBlockExt(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
1147 LED_A_ON();
1148 bool PwdMode = arg & 0x1;
1149 uint8_t Page = (arg & 0x2)>>1;
1150 bool testMode = arg & 0x4;
1151 uint32_t i = 0;
1152
1153 // Set up FPGA, 125kHz
1154 LFSetupFPGAForADC(95, true);
1155 StartTicks();
1156 // make sure tag is fully powered up...
1157 WaitMS(5);
1158 // Trigger T55x7 in mode.
1159 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1160 WaitUS(START_GAP);
1161
1162 if (testMode) Dbprintf("TestMODE");
1163 // Std Opcode 10
1164 T55xxWriteBit(testMode ? 0 : 1);
1165 T55xxWriteBit(testMode ? 1 : Page); //Page 0
1166
1167 if (PwdMode) {
1168 // Send Pwd
1169 for (i = 0x80000000; i != 0; i >>= 1)
1170 T55xxWriteBit(Pwd & i);
1171 }
1172 // Send Lock bit
1173 T55xxWriteBit(0);
1174
1175 // Send Data
1176 for (i = 0x80000000; i != 0; i >>= 1)
1177 T55xxWriteBit(Data & i);
1178
1179 // Send Block number
1180 for (i = 0x04; i != 0; i >>= 1)
1181 T55xxWriteBit(Block & i);
1182
1183 // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
1184 // so wait a little more)
1185
1186 // "there is a clock delay before programming"
1187 // - programming takes ~5.6ms for t5577 ~18ms for E5550 or t5567
1188 // so we should wait 1 clock + 5.6ms then read response?
1189 // but we need to know we are dealing with t5577 vs t5567 vs e5550 (or q5) marshmellow...
1190 if (testMode) {
1191 //TESTMODE TIMING TESTS:
1192 // <566us does nothing
1193 // 566-568 switches between wiping to 0s and doing nothing
1194 // 5184 wipes and allows 1 block to be programmed.
1195 // indefinite power on wipes and then programs all blocks with bitshifted data sent.
1196 TurnReadLFOn(5184);
1197
1198 } else {
1199 TurnReadLFOn(20 * 1000);
1200 //could attempt to do a read to confirm write took
1201 // as the tag should repeat back the new block
1202 // until it is reset, but to confirm it we would
1203 // need to know the current block 0 config mode for
1204 // modulation clock an other details to demod the response...
1205 // response should be (for t55x7) a 0 bit then (ST if on)
1206 // block data written in on repeat until reset.
1207
1208 //DoPartialAcquisition(20, true, 12000);
1209 }
1210
1211 // turn field off
1212 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1213 LED_A_OFF();
1214 }
1215
1216 // Write one card block in page 0, no lock
1217 void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
1218 T55xxWriteBlockExt(Data, Block, Pwd, arg);
1219 cmd_send(CMD_ACK,0,0,0,0,0);
1220 }
1221
1222 // Read one card block in page [page]
1223 void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) {
1224 LED_A_ON();
1225 bool PwdMode = arg0 & 0x1;
1226 uint8_t Page = (arg0 & 0x2) >> 1;
1227 uint32_t i = 0;
1228 bool RegReadMode = (Block == 0xFF);//regular read mode
1229
1230 //clear buffer now so it does not interfere with timing later
1231 BigBuf_Clear_ext(false);
1232
1233 //make sure block is at max 7
1234 Block &= 0x7;
1235
1236 // Set up FPGA, 125kHz to power up the tag
1237 LFSetupFPGAForADC(95, true);
1238 StartTicks();
1239 // make sure tag is fully powered up...
1240 WaitMS(5);
1241 // Trigger T55x7 Direct Access Mode with start gap
1242 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1243 WaitUS(START_GAP);
1244
1245 // Opcode 1[page]
1246 T55xxWriteBit(1);
1247 T55xxWriteBit(Page); //Page 0
1248
1249 if (PwdMode){
1250 // Send Pwd
1251 for (i = 0x80000000; i != 0; i >>= 1)
1252 T55xxWriteBit(Pwd & i);
1253 }
1254 // Send a zero bit separation
1255 T55xxWriteBit(0);
1256
1257 // Send Block number (if direct access mode)
1258 if (!RegReadMode)
1259 for (i = 0x04; i != 0; i >>= 1)
1260 T55xxWriteBit(Block & i);
1261
1262 // Turn field on to read the response
1263 // 137*8 seems to get to the start of data pretty well...
1264 // but we want to go past the start and let the repeating data settle in...
1265 TurnReadLFOn(210*8);
1266
1267 // Acquisition
1268 // Now do the acquisition
1269 DoPartialAcquisition(0, true, 12000);
1270
1271 // Turn the field off
1272 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1273 cmd_send(CMD_ACK,0,0,0,0,0);
1274 LED_A_OFF();
1275 }
1276
1277 void T55xxWakeUp(uint32_t Pwd){
1278 LED_B_ON();
1279 uint32_t i = 0;
1280
1281 // Set up FPGA, 125kHz
1282 LFSetupFPGAForADC(95, true);
1283 StartTicks();
1284 // make sure tag is fully powered up...
1285 WaitMS(5);
1286
1287 // Trigger T55x7 Direct Access Mode
1288 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1289 WaitUS(START_GAP);
1290
1291 // Opcode 10
1292 T55xxWriteBit(1);
1293 T55xxWriteBit(0); //Page 0
1294
1295 // Send Pwd
1296 for (i = 0x80000000; i != 0; i >>= 1)
1297 T55xxWriteBit(Pwd & i);
1298
1299 // Turn and leave field on to let the begin repeating transmission
1300 TurnReadLFOn(20*1000);
1301 }
1302
1303 /*-------------- Cloning routines -----------*/
1304
1305 void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
1306 // write last block first and config block last (if included)
1307 for (uint8_t i = numblocks+startblock; i > startblock; i--) {
1308 T55xxWriteBlockExt(blockdata[i-1],i-1,0,0);
1309 }
1310 }
1311
1312 // Copy HID id to card and setup block 0 config
1313 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) {
1314 uint32_t data[] = {0,0,0,0,0,0,0};
1315 uint8_t last_block = 0;
1316
1317 if (longFMT) {
1318 // Ensure no more than 84 bits supplied
1319 if (hi2>0xFFFFF) {
1320 DbpString("Tags can only have 84 bits.");
1321 return;
1322 }
1323 // Build the 6 data blocks for supplied 84bit ID
1324 last_block = 6;
1325 // load preamble (1D) & long format identifier (9E manchester encoded)
1326 data[1] = 0x1D96A900 | (manchesterEncode2Bytes((hi2 >> 16) & 0xF) & 0xFF);
1327 // load raw id from hi2, hi, lo to data blocks (manchester encoded)
1328 data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF);
1329 data[3] = manchesterEncode2Bytes(hi >> 16);
1330 data[4] = manchesterEncode2Bytes(hi & 0xFFFF);
1331 data[5] = manchesterEncode2Bytes(lo >> 16);
1332 data[6] = manchesterEncode2Bytes(lo & 0xFFFF);
1333 } else {
1334 // Ensure no more than 44 bits supplied
1335 if (hi>0xFFF) {
1336 DbpString("Tags can only have 44 bits.");
1337 return;
1338 }
1339 // Build the 3 data blocks for supplied 44bit ID
1340 last_block = 3;
1341 // load preamble
1342 data[1] = 0x1D000000 | (manchesterEncode2Bytes(hi) & 0xFFFFFF);
1343 data[2] = manchesterEncode2Bytes(lo >> 16);
1344 data[3] = manchesterEncode2Bytes(lo & 0xFFFF);
1345 }
1346 // load chip config block
1347 data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT;
1348
1349 //TODO add selection of chip for Q5 or T55x7
1350 // data[0] = (((50-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | last_block << T5555_MAXBLOCK_SHIFT;
1351
1352 LED_D_ON();
1353 // Program the data blocks for supplied ID
1354 // and the block 0 for HID format
1355 WriteT55xx(data, 0, last_block+1);
1356
1357 LED_D_OFF();
1358
1359 DbpString("DONE!");
1360 }
1361
1362 void CopyIOtoT55x7(uint32_t hi, uint32_t lo) {
1363 uint32_t data[] = {T55x7_BITRATE_RF_64 | T55x7_MODULATION_FSK2a | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
1364 //TODO add selection of chip for Q5 or T55x7
1365 // data[0] = (((64-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | 2 << T5555_MAXBLOCK_SHIFT;
1366
1367 LED_D_ON();
1368 // Program the data blocks for supplied ID
1369 // and the block 0 config
1370 WriteT55xx(data, 0, 3);
1371
1372 LED_D_OFF();
1373
1374 DbpString("DONE!");
1375 }
1376
1377 // Clone Indala 64-bit tag by UID to T55x7
1378 void CopyIndala64toT55x7(uint32_t hi, uint32_t lo) {
1379 //Program the 2 data blocks for supplied 64bit UID
1380 // and the Config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2)
1381 uint32_t data[] = { T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
1382 //TODO add selection of chip for Q5 or T55x7
1383 // data[0] = (((32-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 2 << T5555_MAXBLOCK_SHIFT;
1384
1385 WriteT55xx(data, 0, 3);
1386 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
1387 // T5567WriteBlock(0x603E1042,0);
1388 DbpString("DONE!");
1389 }
1390 // Clone Indala 224-bit tag by UID to T55x7
1391 void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7) {
1392 //Program the 7 data blocks for supplied 224bit UID
1393 uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7};
1394 // and the block 0 for Indala224 format
1395 //Config for Indala (RF/32;PSK1 with RF/2;Maxblock=7)
1396 data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (7 << T55x7_MAXBLOCK_SHIFT);
1397 //TODO add selection of chip for Q5 or T55x7
1398 // data[0] = (((32-2)>>1)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 7 << T5555_MAXBLOCK_SHIFT;
1399 WriteT55xx(data, 0, 8);
1400 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
1401 // T5567WriteBlock(0x603E10E2,0);
1402 DbpString("DONE!");
1403 }
1404 // clone viking tag to T55xx
1405 void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5) {
1406 uint32_t data[] = {T55x7_BITRATE_RF_32 | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT), block1, block2};
1407 if (Q5) data[0] = T5555_SET_BITRATE(32) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
1408 // Program the data blocks for supplied ID and the block 0 config
1409 WriteT55xx(data, 0, 3);
1410 LED_D_OFF();
1411 cmd_send(CMD_ACK,0,0,0,0,0);
1412 }
1413
1414 // Define 9bit header for EM410x tags
1415 #define EM410X_HEADER 0x1FF
1416 #define EM410X_ID_LENGTH 40
1417
1418 void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo) {
1419 int i, id_bit;
1420 uint64_t id = EM410X_HEADER;
1421 uint64_t rev_id = 0; // reversed ID
1422 int c_parity[4]; // column parity
1423 int r_parity = 0; // row parity
1424 uint32_t clock = 0;
1425
1426 // Reverse ID bits given as parameter (for simpler operations)
1427 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1428 if (i < 32) {
1429 rev_id = (rev_id << 1) | (id_lo & 1);
1430 id_lo >>= 1;
1431 } else {
1432 rev_id = (rev_id << 1) | (id_hi & 1);
1433 id_hi >>= 1;
1434 }
1435 }
1436
1437 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1438 id_bit = rev_id & 1;
1439
1440 if (i % 4 == 0) {
1441 // Don't write row parity bit at start of parsing
1442 if (i)
1443 id = (id << 1) | r_parity;
1444 // Start counting parity for new row
1445 r_parity = id_bit;
1446 } else {
1447 // Count row parity
1448 r_parity ^= id_bit;
1449 }
1450
1451 // First elements in column?
1452 if (i < 4)
1453 // Fill out first elements
1454 c_parity[i] = id_bit;
1455 else
1456 // Count column parity
1457 c_parity[i % 4] ^= id_bit;
1458
1459 // Insert ID bit
1460 id = (id << 1) | id_bit;
1461 rev_id >>= 1;
1462 }
1463
1464 // Insert parity bit of last row
1465 id = (id << 1) | r_parity;
1466
1467 // Fill out column parity at the end of tag
1468 for (i = 0; i < 4; ++i)
1469 id = (id << 1) | c_parity[i];
1470
1471 // Add stop bit
1472 id <<= 1;
1473
1474 Dbprintf("Started writing %s tag ...", card ? "T55x7":"T5555");
1475 LED_D_ON();
1476
1477 // Write EM410x ID
1478 uint32_t data[] = {0, (uint32_t)(id>>32), (uint32_t)(id & 0xFFFFFFFF)};
1479
1480 clock = (card & 0xFF00) >> 8;
1481 clock = (clock == 0) ? 64 : clock;
1482 Dbprintf("Clock rate: %d", clock);
1483 if (card & 0xFF) { //t55x7
1484 clock = GetT55xxClockBit(clock);
1485 if (clock == 0) {
1486 Dbprintf("Invalid clock rate: %d", clock);
1487 return;
1488 }
1489 data[0] = clock | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT);
1490 } else { //t5555 (Q5)
1491 data[0] = T5555_SET_BITRATE(clock) | T5555_MODULATION_MANCHESTER | (2 << T5555_MAXBLOCK_SHIFT);
1492 }
1493
1494 WriteT55xx(data, 0, 3);
1495
1496 LED_D_OFF();
1497 Dbprintf("Tag %s written with 0x%08x%08x\n", card ? "T55x7":"T5555",
1498 (uint32_t)(id >> 32), (uint32_t)id);
1499 }
1500
1501 //-----------------------------------
1502 // EM4469 / EM4305 routines
1503 //-----------------------------------
1504 #define FWD_CMD_LOGIN 0xC //including the even parity, binary mirrored
1505 #define FWD_CMD_WRITE 0xA
1506 #define FWD_CMD_READ 0x9
1507 #define FWD_CMD_DISABLE 0x5
1508
1509 uint8_t forwardLink_data[64]; //array of forwarded bits
1510 uint8_t * forward_ptr; //ptr for forward message preparation
1511 uint8_t fwd_bit_sz; //forwardlink bit counter
1512 uint8_t * fwd_write_ptr; //forwardlink bit pointer
1513
1514 //====================================================================
1515 // prepares command bits
1516 // see EM4469 spec
1517 //====================================================================
1518 //--------------------------------------------------------------------
1519 // VALUES TAKEN FROM EM4x function: SendForward
1520 // START_GAP = 440; (55*8) cycles at 125Khz (8us = 1cycle)
1521 // WRITE_GAP = 128; (16*8)
1522 // WRITE_1 = 256 32*8; (32*8)
1523
1524 // These timings work for 4469/4269/4305 (with the 55*8 above)
1525 // WRITE_0 = 23*8 , 9*8 SpinDelayUs(23*8);
1526
1527 uint8_t Prepare_Cmd( uint8_t cmd ) {
1528
1529 *forward_ptr++ = 0; //start bit
1530 *forward_ptr++ = 0; //second pause for 4050 code
1531
1532 *forward_ptr++ = cmd;
1533 cmd >>= 1;
1534 *forward_ptr++ = cmd;
1535 cmd >>= 1;
1536 *forward_ptr++ = cmd;
1537 cmd >>= 1;
1538 *forward_ptr++ = cmd;
1539
1540 return 6; //return number of emited bits
1541 }
1542
1543 //====================================================================
1544 // prepares address bits
1545 // see EM4469 spec
1546 //====================================================================
1547 uint8_t Prepare_Addr( uint8_t addr ) {
1548
1549 register uint8_t line_parity;
1550
1551 uint8_t i;
1552 line_parity = 0;
1553 for(i=0;i<6;i++) {
1554 *forward_ptr++ = addr;
1555 line_parity ^= addr;
1556 addr >>= 1;
1557 }
1558
1559 *forward_ptr++ = (line_parity & 1);
1560
1561 return 7; //return number of emited bits
1562 }
1563
1564 //====================================================================
1565 // prepares data bits intreleaved with parity bits
1566 // see EM4469 spec
1567 //====================================================================
1568 uint8_t Prepare_Data( uint16_t data_low, uint16_t data_hi) {
1569
1570 register uint8_t line_parity;
1571 register uint8_t column_parity;
1572 register uint8_t i, j;
1573 register uint16_t data;
1574
1575 data = data_low;
1576 column_parity = 0;
1577
1578 for(i=0; i<4; i++) {
1579 line_parity = 0;
1580 for(j=0; j<8; j++) {
1581 line_parity ^= data;
1582 column_parity ^= (data & 1) << j;
1583 *forward_ptr++ = data;
1584 data >>= 1;
1585 }
1586 *forward_ptr++ = line_parity;
1587 if(i == 1)
1588 data = data_hi;
1589 }
1590
1591 for(j=0; j<8; j++) {
1592 *forward_ptr++ = column_parity;
1593 column_parity >>= 1;
1594 }
1595 *forward_ptr = 0;
1596
1597 return 45; //return number of emited bits
1598 }
1599
1600 //====================================================================
1601 // Forward Link send function
1602 // Requires: forwarLink_data filled with valid bits (1 bit per byte)
1603 // fwd_bit_count set with number of bits to be sent
1604 //====================================================================
1605 void SendForward(uint8_t fwd_bit_count) {
1606
1607 fwd_write_ptr = forwardLink_data;
1608 fwd_bit_sz = fwd_bit_count;
1609
1610 // Set up FPGA, 125kHz or 95 divisor
1611 LFSetupFPGAForADC(95, true);
1612
1613 // force 1st mod pulse (start gap must be longer for 4305)
1614 fwd_bit_sz--; //prepare next bit modulation
1615 fwd_write_ptr++;
1616 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1617 WaitUS(55*8); //55 cycles off (8us each)for 4305 //another reader has 37 here...
1618 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
1619 WaitUS(18*8); //18 cycles on (8us each)
1620
1621 // now start writting
1622 while(fwd_bit_sz-- > 0) { //prepare next bit modulation
1623 if(((*fwd_write_ptr++) & 1) == 1)
1624 WaitUS(32*8); //32 cycles at 125Khz (8us each)
1625 else {
1626 //These timings work for 4469/4269/4305 (with the 55*8 above)
1627 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1628 WaitUS(23*8); //23 cycles off (8us each)
1629 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
1630 WaitUS(18*8); //18 cycles on (8us each)
1631 }
1632 }
1633 }
1634
1635 void EM4xLogin(uint32_t Password) {
1636
1637 uint8_t fwd_bit_count;
1638
1639 forward_ptr = forwardLink_data;
1640 fwd_bit_count = Prepare_Cmd( FWD_CMD_LOGIN );
1641 fwd_bit_count += Prepare_Data( Password&0xFFFF, Password>>16 );
1642
1643 SendForward(fwd_bit_count);
1644
1645 //Wait for command to complete
1646 SpinDelay(20);
1647 }
1648
1649 void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
1650
1651 uint8_t fwd_bit_count;
1652
1653 // Clear destination buffer before sending the command
1654 BigBuf_Clear_ext(false);
1655
1656 LED_A_ON();
1657 StartTicks();
1658 //If password mode do login
1659 if (PwdMode == 1) EM4xLogin(Pwd);
1660
1661 forward_ptr = forwardLink_data;
1662 fwd_bit_count = Prepare_Cmd( FWD_CMD_READ );
1663 fwd_bit_count += Prepare_Addr( Address );
1664
1665 SendForward(fwd_bit_count);
1666 WaitUS(400);
1667 // Now do the acquisition
1668 DoPartialAcquisition(20, true, 6000);
1669
1670 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1671 LED_A_OFF();
1672 cmd_send(CMD_ACK,0,0,0,0,0);
1673 }
1674
1675 void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) {
1676
1677 bool PwdMode = (flag & 0xF);
1678 uint8_t Address = (flag >> 8) & 0xFF;
1679 uint8_t fwd_bit_count;
1680
1681 //clear buffer now so it does not interfere with timing later
1682 BigBuf_Clear_ext(false);
1683
1684 LED_A_ON();
1685 StartTicks();
1686 //If password mode do login
1687 if (PwdMode) EM4xLogin(Pwd);
1688
1689 forward_ptr = forwardLink_data;
1690 fwd_bit_count = Prepare_Cmd( FWD_CMD_WRITE );
1691 fwd_bit_count += Prepare_Addr( Address );
1692 fwd_bit_count += Prepare_Data( Data&0xFFFF, Data>>16 );
1693
1694 SendForward(fwd_bit_count);
1695
1696 //Wait for write to complete
1697 //SpinDelay(10);
1698
1699 WaitUS(6500);
1700 //Capture response if one exists
1701 DoPartialAcquisition(20, true, 6000);
1702
1703 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1704 LED_A_OFF();
1705 cmd_send(CMD_ACK,0,0,0,0,0);
1706 }
1707 /*
1708 Reading a COTAG.
1709
1710 COTAG needs the reader to send a startsequence and the card has an extreme slow datarate.
1711 because of this, we can "sample" the data signal but we interpreate it to Manchester direct.
1712
1713 READER START SEQUENCE:
1714 burst 800 us, gap 2.2 msecs
1715 burst 3.6 msecs gap 2.2 msecs
1716 burst 800 us gap 2.2 msecs
1717 pulse 3.6 msecs
1718
1719 This triggers a COTAG tag to response
1720 */
1721 void Cotag(uint32_t arg0) {
1722
1723 #define OFF { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); WaitUS(2035); }
1724 #define ON(x) { FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); WaitUS((x)); }
1725
1726 uint8_t rawsignal = arg0 & 0xF;
1727
1728 LED_A_ON();
1729
1730 // Switching to LF image on FPGA. This might empty BigBuff
1731 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1732
1733 //clear buffer now so it does not interfere with timing later
1734 BigBuf_Clear_ext(false);
1735
1736 // Set up FPGA, 132kHz to power up the tag
1737 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 89);
1738 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
1739
1740 // Connect the A/D to the peak-detected low-frequency path.
1741 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1742
1743 // Now set up the SSC to get the ADC samples that are now streaming at us.
1744 FpgaSetupSsc();
1745
1746 // start clock - 1.5ticks is 1us
1747 StartTicks();
1748
1749 //send COTAG start pulse
1750 ON(740) OFF
1751 ON(3330) OFF
1752 ON(740) OFF
1753 ON(1000)
1754
1755 switch(rawsignal) {
1756 case 0: doCotagAcquisition(50000); break;
1757 case 1: doCotagAcquisitionManchester(); break;
1758 case 2: DoAcquisition_config(true, 0); break;
1759 }
1760
1761 // Turn the field off
1762 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1763 cmd_send(CMD_ACK,0,0,0,0,0);
1764 LED_A_OFF();
1765 }
Impressum, Datenschutz