1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, Mar 2006
3 // Edits by Gerhard de Koning Gans, Sep 2007 (##)
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
8 //-----------------------------------------------------------------------------
9 // The main application code. This is the first thing called after start.c
11 //-----------------------------------------------------------------------------
16 #include "proxmark3.h"
26 #include "lfsampling.h"
32 #define abs(x) ( ((x)<0) ? -(x) : (x) )
34 //=============================================================================
35 // A buffer where we can queue things up to be sent through the FPGA, for
36 // any purpose (fake tag, as reader, whatever). We go MSB first, since that
37 // is the order in which they go out on the wire.
38 //=============================================================================
/* Outgoing bit queue for the FPGA, filled MSB first because that is the order
 * in which bits leave on the wire. Capacity is sized for MAX_FRAME_SIZE
 * payload bytes at 8 data bits + 1 parity bit each, plus 1 correction bit,
 * 1 SOC bit and 2 EOC bits. Written via ToSendStuffBit(), which keeps the
 * current byte/bit cursor in file-scope state. */
#define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2)
uint8_t ToSend[TOSEND_BUFFER_SIZE];
/* State shared with the bootrom across a reset. It lives in the dedicated
 * ".commonarea" linker section so both images address the same bytes;
 * AppMain() checks common_area.magic and .version before trusting it. */
struct common_area common_area __attribute__((section(".commonarea")));
46 void ToSendReset(void)
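/* Append one bit to the ToSend queue, MSB first within each byte.
 *
 * b: the bit to append; any non-zero value is queued as a 1.
 *
 * Uses the file-scope cursor ToSendMax (index of the byte being filled) and
 * ToSendBit (next bit position inside it). The capacity check runs BEFORE a
 * new byte is opened, so a full queue never writes past the end of ToSend[]:
 * the bit is dropped and "ToSendStuffBit overflowed!" is reported instead.
 */
void ToSendStuffBit(int b)
{
	if(ToSendBit >= 8) {
		/* Opening another byte would index ToSend[sizeof(ToSend)] — refuse. */
		if(ToSendMax + 1 >= (int)sizeof(ToSend)) {
			DbpString("ToSendStuffBit overflowed!");
			return;
		}
		ToSendMax++;
		ToSend[ToSendMax] = 0;
		ToSendBit = 0;
	}

	if(b)
		ToSend[ToSendMax] |= (1 << (7 - ToSendBit));

	ToSendBit++;
}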
72 //=============================================================================
73 // Debug print functions, to go out over USB, to the usual PC-side client.
74 //=============================================================================
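/* Send a NUL-terminated debug string to the PC client as a
 * CMD_DEBUG_PRINT_STRING packet; the length travels both as arg0 and as the
 * payload size.
 *
 * str: text to send, NUL-terminated; not modified.
 *
 * The length is kept in a size_t rather than a byte_t so strings longer than
 * 255 characters are not silently wrapped modulo 256, and it is clamped to
 * USB_CMD_DATA_SIZE (the UsbCommand payload size) here rather than relying on
 * cmd_send to do it. Longer strings are therefore truncated, not garbled.
 */
void DbpString(char *str)
{
	size_t len = strlen(str);
	if(len > USB_CMD_DATA_SIZE)
		len = USB_CMD_DATA_SIZE;
	cmd_send(CMD_DEBUG_PRINT_STRING, len, 0, 0, (byte_t *)str, len);
}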
/* Send three integers to the PC client for debug display. They travel in
 * arg0..arg2 of a CMD_DEBUG_PRINT_INTEGERS packet; there is no payload. */
void DbpIntegers(int x1, int x2, int x3)
{
	cmd_send(CMD_DEBUG_PRINT_INTEGERS, x1, x2, x3, 0, 0);
}
/* printf-style debug output to the PC client: formats into a fixed stack
 * buffer and forwards the result with DbpString().
 *
 * fmt: format string understood by kvsprintf (radix 10 is passed for numbers).
 *
 * The buffer is 128 bytes and kvsprintf takes no size argument, so a format
 * that expands beyond that overruns the stack; keep messages short. */
void Dbprintf(const char *fmt, ...) {
	char output_string[128];
	va_list ap;

	va_start(ap, fmt);
	kvsprintf(fmt, output_string, 10, ap);
	va_end(ap);

	DbpString(output_string);
}
101 // prints HEX & ASCII
102 void Dbhexdump(int len
, uint8_t *d
, bool bAsci
) {
115 if (ascii
[i
]<32 || ascii
[i
]>126) ascii
[i
]='.';
118 Dbprintf("%-8s %*D",ascii
,l
,d
," ");
120 Dbprintf("%*D",l
,d
," ");
128 //-----------------------------------------------------------------------------
129 // Read an ADC channel and block till it completes, then return the result
130 // in ADC units (0 to 1023). Also a routine to average 32 samples and
132 //-----------------------------------------------------------------------------
/* Sample one ADC channel and block until the conversion completes.
 *
 * ch: ADC channel number, fed to ADC_CHANNEL()/ADC_END_OF_CONVERSION(); it is
 *     not range-checked, callers pass the ADC_CHAN_* constants.
 * Returns the raw conversion result in ADC units (0 to 1023).
 *
 * The ADC is reset and re-programmed on every call. */
static int ReadAdc(int ch)
{
	int result;

	AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
	AT91C_BASE_ADC->ADC_MR =
		ADC_MODE_PRESCALE(63 /* was 32 */) |		// ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
		ADC_MODE_STARTUP_TIME(1 /* was 16 */) |		// Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
		ADC_MODE_SAMPLE_HOLD_TIME(15 /* was 8 */);	// Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us

	// Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
	// Both AMPL_LO and AMPL_HI are very high impedance (10MOhm) outputs, the input capacitance of the ADC is 12pF (typical). This results in a time constant
	// of RC = 10MOhm * 12pF = 120us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
	//
	// If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
	//
	// v_cap = v_in * (1 - exp(-RC/SHTIM)) = v_in * (1 - exp(-3)) = v_in * 0,95 (i.e. an error of 5%)
	//
	// Note: with the "historic" values in the comments above, the error was 34% !!!

	AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
	AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;

	// Busy-wait on this channel's end-of-conversion flag.
	while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch)))
		;

	result = AT91C_BASE_ADC->ADC_CDR[ch];
	return result;
}
/* Average 32 consecutive samples of an ADC channel.
 *
 * ch: ADC channel number, forwarded to ReadAdc().
 * Returns the mean in ADC units; the +15 bias before the >>5 divide rounds
 * rather than truncates. */
int AvgAdc(int ch) // was static - merlok
{
	int sum = 0;

	for(int sample = 0; sample < 32; sample++) {
		sum += ReadAdc(ch);
	}

	return (sum + 15) >> 5;
}
177 void MeasureAntennaTuning(void)
179 uint8_t LF_Results
[256];
180 int i
, adcval
= 0, peak
= 0, peakv
= 0, peakf
= 0; //ptr = 0
181 int vLf125
= 0, vLf134
= 0, vHf
= 0; // in mV
186 * Sweeps the useful LF range of the proxmark from
187 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
188 * read the voltage in the antenna, the result left
189 * in the buffer is a graph which should clearly show
190 * the resonating frequency of your LF antenna
191 * ( hopefully around 95 if it is tuned to 125kHz!)
194 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
195 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC
| FPGA_LF_ADC_READER_FIELD
);
196 for (i
=255; i
>=19; i
--) {
198 FpgaSendCommand(FPGA_CMD_SET_DIVISOR
, i
);
200 adcval
= ((MAX_ADC_LF_VOLTAGE
* AvgAdc(ADC_CHAN_LF
)) >> 10);
201 if (i
==95) vLf125
= adcval
; // voltage at 125Khz
202 if (i
==89) vLf134
= adcval
; // voltage at 134Khz
204 LF_Results
[i
] = adcval
>>8; // scale int to fit in byte for graphing purposes
205 if(LF_Results
[i
] > peak
) {
207 peak
= LF_Results
[i
];
213 for (i
=18; i
>= 0; i
--) LF_Results
[i
] = 0;
216 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
217 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
218 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR
);
220 vHf
= (MAX_ADC_HF_VOLTAGE
* AvgAdc(ADC_CHAN_HF
)) >> 10;
222 cmd_send(CMD_MEASURED_ANTENNA_TUNING
, vLf125
| (vLf134
<<16), vHf
, peakf
| (peakv
<<16), LF_Results
, 256);
223 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
229 void MeasureAntennaTuningHf(void)
231 int vHf
= 0; // in mV
233 DbpString("Measuring HF antenna, press button to exit");
235 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
236 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
237 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR
);
241 vHf
= (MAX_ADC_HF_VOLTAGE
* AvgAdc(ADC_CHAN_HF
)) >> 10;
243 Dbprintf("%d mV",vHf
);
244 if (BUTTON_PRESS()) break;
246 DbpString("cancelled");
248 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
/* Dump the 8 bytes found at a raw address to the debug console.
 *
 * addr: absolute memory address, cast straight to a byte pointer.
 *
 * addr is not validated in any way: whatever is mapped there is read and
 * printed, so this is a raw memory-inspection aid, not a safe API. */
void ReadMem(int addr)
{
	const uint8_t *p = (const uint8_t *)addr;

	Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
		addr, p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
}
/* osimage version information is linked in */
extern struct version_information version_information;
/* bootrom version information is pointed to from _bootphase1_version_pointer.
 * _flash_start and _flash_end are linker symbols bounding the flash region;
 * SendVersion() checks the pointer lies inside them before using it. */
extern char *_bootphase1_version_pointer, _flash_start, _flash_end;
265 void SendVersion(void)
267 char temp
[512]; /* Limited data payload in USB packets */
268 DbpString("Prox/RFID mark3 RFID instrument");
270 /* Try to find the bootrom version information. Expect to find a pointer at
271 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
272 * pointer, then use it.
274 char *bootrom_version
= *(char**)&_bootphase1_version_pointer
;
275 if( bootrom_version
< &_flash_start
|| bootrom_version
>= &_flash_end
) {
276 DbpString("bootrom version information appears invalid");
278 FormatVersionInformation(temp
, sizeof(temp
), "bootrom: ", bootrom_version
);
282 FormatVersionInformation(temp
, sizeof(temp
), "os: ", &version_information
);
285 FpgaGatherVersion(temp
, sizeof(temp
));
288 cmd_send(CMD_ACK
,*(AT91C_DBGU_CIDR
),0,0,NULL
,0);
292 // samy's sniff and repeat routine
295 DbpString("Stand-alone mode! No PC necessary.");
296 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
298 // 3 possible options? no just 2 for now
301 int high
[OPTS
], low
[OPTS
];
303 // Oooh pretty -- notify user we're in elite samy mode now
305 LED(LED_ORANGE
, 200);
307 LED(LED_ORANGE
, 200);
309 LED(LED_ORANGE
, 200);
311 LED(LED_ORANGE
, 200);
318 // Turn on selected LED
319 LED(selected
+ 1, 0);
326 // Was our button held down or pressed?
327 int button_pressed
= BUTTON_HELD(1000);
330 // Button was held for a second, begin recording
331 if (button_pressed
> 0 && cardRead
== 0)
334 LED(selected
+ 1, 0);
338 DbpString("Starting recording");
340 // wait for button to be released
341 while(BUTTON_PRESS())
344 /* need this delay to prevent catching some weird data */
347 CmdHIDdemodFSK(1, &high
[selected
], &low
[selected
], 0);
348 Dbprintf("Recorded %x %x %x", selected
, high
[selected
], low
[selected
]);
351 LED(selected
+ 1, 0);
352 // Finished recording
354 // If we were previously playing, set playing off
355 // so next button push begins playing what we recorded
362 else if (button_pressed
> 0 && cardRead
== 1)
365 LED(selected
+ 1, 0);
369 Dbprintf("Cloning %x %x %x", selected
, high
[selected
], low
[selected
]);
371 // wait for button to be released
372 while(BUTTON_PRESS())
375 /* need this delay to prevent catching some weird data */
378 CopyHIDtoT55x7(high
[selected
], low
[selected
], 0, 0);
379 Dbprintf("Cloned %x %x %x", selected
, high
[selected
], low
[selected
]);
382 LED(selected
+ 1, 0);
383 // Finished recording
385 // If we were previously playing, set playing off
386 // so next button push begins playing what we recorded
393 // Change where to record (or begin playing)
394 else if (button_pressed
)
396 // Next option if we were previously playing
398 selected
= (selected
+ 1) % OPTS
;
402 LED(selected
+ 1, 0);
404 // Begin transmitting
408 DbpString("Playing");
409 // wait for button to be released
410 while(BUTTON_PRESS())
412 Dbprintf("%x %x %x", selected
, high
[selected
], low
[selected
]);
413 CmdHIDsimTAG(high
[selected
], low
[selected
], 0);
414 DbpString("Done playing");
415 if (BUTTON_HELD(1000) > 0)
417 DbpString("Exiting");
422 /* We pressed a button so ignore it here with a delay */
425 // when done, we're done playing, move to next option
426 selected
= (selected
+ 1) % OPTS
;
429 LED(selected
+ 1, 0);
432 while(BUTTON_PRESS())
441 Listen and detect an external reader. Determine the best location
Inside the ListenReaderField() function, there are two modes.
446 By default, when you call the function, you will enter mode 1.
447 If you press the PM3 button one time, you will enter mode 2.
448 If you press the PM3 button a second time, you will exit the function.
450 DESCRIPTION OF MODE 1:
451 This mode just listens for an external reader field and lights up green
452 for HF and/or red for LF. This is the original mode of the detectreader
455 DESCRIPTION OF MODE 2:
456 This mode will visually represent, using the LEDs, the actual strength of the
457 current compared to the maximum current detected. Basically, once you know
458 what kind of external reader is present, it will help you spot the best location to place
your antenna. You will probably not get good results if there is an LF and an HF reader
at the same place! :-)
/* LED patterns used by ListenReaderField() in signal-strength mode. Entry i
 * is the pattern shown when the current field is in the i-th band of the
 * strongest field seen so far; the comment on each entry gives the fraction
 * of the maximum it represents. Bits map to LEDs as 0x1 → C, 0x2 → A,
 * 0x4 → B, 0x8 → D. */
static const char LIGHT_SCHEME[] = {
	0x0, /* ---- | No field detected */
	0x1, /* X--- | 14% of maximum current detected */
	0x2, /* -X-- | 29% of maximum current detected */
	0x4, /* --X- | 43% of maximum current detected */
	0x8, /* ---X | 57% of maximum current detected */
	0xC, /* --XX | 71% of maximum current detected */
	0xE, /* -XXX | 86% of maximum current detected */
	0xF, /* XXXX | 100% of maximum current detected */
};
/* Number of entries in LIGHT_SCHEME. */
static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
476 void ListenReaderField(int limit
)
478 int lf_av
, lf_av_new
, lf_baseline
= 0, lf_max
;
479 int hf_av
, hf_av_new
, hf_baseline
= 0, hf_max
;
480 int mode
=1, display_val
, display_max
, i
;
484 #define REPORT_CHANGE 10 // report new values only if they have changed at least by REPORT_CHANGE
487 // switch off FPGA - we don't want to measure our own signal
488 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
489 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
493 lf_av
= lf_max
= AvgAdc(ADC_CHAN_LF
);
495 if(limit
!= HF_ONLY
) {
496 Dbprintf("LF 125/134kHz Baseline: %dmV", (MAX_ADC_LF_VOLTAGE
* lf_av
) >> 10);
500 hf_av
= hf_max
= AvgAdc(ADC_CHAN_HF
);
502 if (limit
!= LF_ONLY
) {
503 Dbprintf("HF 13.56MHz Baseline: %dmV", (MAX_ADC_HF_VOLTAGE
* hf_av
) >> 10);
508 if (BUTTON_PRESS()) {
513 DbpString("Signal Strength Mode");
517 DbpString("Stopped");
525 if (limit
!= HF_ONLY
) {
527 if (abs(lf_av
- lf_baseline
) > REPORT_CHANGE
)
533 lf_av_new
= AvgAdc(ADC_CHAN_LF
);
534 // see if there's a significant change
535 if(abs(lf_av
- lf_av_new
) > REPORT_CHANGE
) {
536 Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE
* lf_av_new
) >> 10);
543 if (limit
!= LF_ONLY
) {
545 if (abs(hf_av
- hf_baseline
) > REPORT_CHANGE
)
551 hf_av_new
= AvgAdc(ADC_CHAN_HF
);
552 // see if there's a significant change
553 if(abs(hf_av
- hf_av_new
) > REPORT_CHANGE
) {
554 Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE
* hf_av_new
) >> 10);
562 if (limit
== LF_ONLY
) {
564 display_max
= lf_max
;
565 } else if (limit
== HF_ONLY
) {
567 display_max
= hf_max
;
568 } else { /* Pick one at random */
569 if( (hf_max
- hf_baseline
) > (lf_max
- lf_baseline
) ) {
571 display_max
= hf_max
;
574 display_max
= lf_max
;
577 for (i
=0; i
<LIGHT_LEN
; i
++) {
578 if (display_val
>= ((display_max
/LIGHT_LEN
)*i
) && display_val
<= ((display_max
/LIGHT_LEN
)*(i
+1))) {
579 if (LIGHT_SCHEME
[i
] & 0x1) LED_C_ON(); else LED_C_OFF();
580 if (LIGHT_SCHEME
[i
] & 0x2) LED_A_ON(); else LED_A_OFF();
581 if (LIGHT_SCHEME
[i
] & 0x4) LED_B_ON(); else LED_B_OFF();
582 if (LIGHT_SCHEME
[i
] & 0x8) LED_D_ON(); else LED_D_OFF();
590 void UsbPacketReceived(uint8_t *packet
, int len
)
592 UsbCommand
*c
= (UsbCommand
*)packet
;
594 // Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
598 case CMD_SET_LF_SAMPLING_CONFIG
:
599 setSamplingConfig((sample_config
*) c
->d
.asBytes
);
601 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K
:
602 cmd_send(CMD_ACK
,SampleLF(c
->arg
[0]),0,0,0,0);
604 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K
:
605 ModThenAcquireRawAdcSamples125k(c
->arg
[0],c
->arg
[1],c
->arg
[2],c
->d
.asBytes
);
607 case CMD_LF_SNOOP_RAW_ADC_SAMPLES
:
608 cmd_send(CMD_ACK
,SnoopLF(),0,0,0,0);
610 case CMD_HID_DEMOD_FSK
:
611 CmdHIDdemodFSK(c
->arg
[0], 0, 0, 1);
613 case CMD_HID_SIM_TAG
:
614 CmdHIDsimTAG(c
->arg
[0], c
->arg
[1], 1);
616 case CMD_FSK_SIM_TAG
:
617 CmdFSKsimTAG(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
619 case CMD_ASK_SIM_TAG
:
620 CmdASKsimTag(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
622 case CMD_PSK_SIM_TAG
:
623 CmdPSKsimTag(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
625 case CMD_HID_CLONE_TAG
:
626 CopyHIDtoT55x7(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
[0]);
628 case CMD_IO_DEMOD_FSK
:
629 CmdIOdemodFSK(c
->arg
[0], 0, 0, 1);
631 case CMD_IO_CLONE_TAG
:
632 CopyIOtoT55x7(c
->arg
[0], c
->arg
[1], c
->d
.asBytes
[0]);
634 case CMD_EM410X_DEMOD
:
635 CmdEM410xdemod(c
->arg
[0], 0, 0, 1);
637 case CMD_EM410X_WRITE_TAG
:
638 WriteEM410x(c
->arg
[0], c
->arg
[1], c
->arg
[2]);
640 case CMD_READ_TI_TYPE
:
643 case CMD_WRITE_TI_TYPE
:
644 WriteTItag(c
->arg
[0],c
->arg
[1],c
->arg
[2]);
646 case CMD_SIMULATE_TAG_125K
:
648 SimulateTagLowFrequency(c
->arg
[0], c
->arg
[1], 1);
651 case CMD_LF_SIMULATE_BIDIR
:
652 SimulateTagLowFrequencyBidir(c
->arg
[0], c
->arg
[1]);
654 case CMD_INDALA_CLONE_TAG
:
655 CopyIndala64toT55x7(c
->arg
[0], c
->arg
[1]);
657 case CMD_INDALA_CLONE_TAG_L
:
658 CopyIndala224toT55x7(c
->d
.asDwords
[0], c
->d
.asDwords
[1], c
->d
.asDwords
[2], c
->d
.asDwords
[3], c
->d
.asDwords
[4], c
->d
.asDwords
[5], c
->d
.asDwords
[6]);
660 case CMD_T55XX_READ_BLOCK
:
661 T55xxReadBlock(c
->arg
[1], c
->arg
[2],c
->d
.asBytes
[0]);
663 case CMD_T55XX_WRITE_BLOCK
:
664 T55xxWriteBlock(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
[0]);
666 case CMD_T55XX_READ_TRACE
:
669 case CMD_PCF7931_READ
:
671 cmd_send(CMD_ACK
,0,0,0,0,0);
673 case CMD_EM4X_READ_WORD
:
674 EM4xReadWord(c
->arg
[1], c
->arg
[2],c
->d
.asBytes
[0]);
676 case CMD_EM4X_WRITE_WORD
:
677 EM4xWriteWord(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
[0]);
682 case CMD_SNOOP_HITAG
: // Eavesdrop Hitag tag, args = type
683 SnoopHitag(c
->arg
[0]);
685 case CMD_SIMULATE_HITAG
: // Simulate Hitag tag, args = memory content
686 SimulateHitagTag((bool)c
->arg
[0],(byte_t
*)c
->d
.asBytes
);
688 case CMD_READER_HITAG
: // Reader for Hitag tags, args = type and function
689 ReaderHitag((hitag_function
)c
->arg
[0],(hitag_data
*)c
->d
.asBytes
);
694 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693
:
695 AcquireRawAdcSamplesIso15693();
697 case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693
:
698 RecordRawAdcSamplesIso15693();
701 case CMD_ISO_15693_COMMAND
:
702 DirectTag15693Command(c
->arg
[0],c
->arg
[1],c
->arg
[2],c
->d
.asBytes
);
705 case CMD_ISO_15693_FIND_AFI
:
706 BruteforceIso15693Afi(c
->arg
[0]);
709 case CMD_ISO_15693_DEBUG
:
710 SetDebugIso15693(c
->arg
[0]);
713 case CMD_READER_ISO_15693
:
714 ReaderIso15693(c
->arg
[0]);
716 case CMD_SIMTAG_ISO_15693
:
717 SimTagIso15693(c
->arg
[0], c
->d
.asBytes
);
722 case CMD_SIMULATE_TAG_LEGIC_RF
:
723 LegicRfSimulate(c
->arg
[0], c
->arg
[1], c
->arg
[2]);
726 case CMD_WRITER_LEGIC_RF
:
727 LegicRfWriter(c
->arg
[1], c
->arg
[0]);
730 case CMD_READER_LEGIC_RF
:
731 LegicRfReader(c
->arg
[0], c
->arg
[1]);
735 #ifdef WITH_ISO14443b
736 case CMD_READ_SRI512_TAG
:
737 ReadSTMemoryIso14443b(0x0F);
739 case CMD_READ_SRIX4K_TAG
:
740 ReadSTMemoryIso14443b(0x7F);
742 case CMD_SNOOP_ISO_14443B
:
745 case CMD_SIMULATE_TAG_ISO_14443B
:
746 SimulateIso14443bTag();
748 case CMD_ISO_14443B_COMMAND
:
749 SendRawCommand14443B(c
->arg
[0],c
->arg
[1],c
->arg
[2],c
->d
.asBytes
);
753 #ifdef WITH_ISO14443a
754 case CMD_SNOOP_ISO_14443a
:
755 SnoopIso14443a(c
->arg
[0]);
757 case CMD_READER_ISO_14443a
:
760 case CMD_SIMULATE_TAG_ISO_14443a
:
761 SimulateIso14443aTag(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
); // ## Simulate iso14443a tag - pass tag type & UID
764 case CMD_EPA_PACE_COLLECT_NONCE
:
765 EPA_PACE_Collect_Nonce(c
);
767 case CMD_EPA_PACE_REPLAY
:
771 case CMD_READER_MIFARE
:
772 ReaderMifare(c
->arg
[0]);
774 case CMD_MIFARE_READBL
:
775 MifareReadBlock(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
777 case CMD_MIFAREU_READBL
:
778 MifareUReadBlock(c
->arg
[0],c
->arg
[1], c
->d
.asBytes
);
780 case CMD_MIFAREUC_AUTH
:
781 MifareUC_Auth(c
->arg
[0],c
->d
.asBytes
);
783 case CMD_MIFAREU_READCARD
:
784 MifareUReadCard(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
786 case CMD_MIFAREUC_SETPWD
:
787 MifareUSetPwd(c
->arg
[0], c
->d
.asBytes
);
789 case CMD_MIFARE_READSC
:
790 MifareReadSector(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
792 case CMD_MIFARE_WRITEBL
:
793 MifareWriteBlock(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
795 //case CMD_MIFAREU_WRITEBL_COMPAT:
796 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
798 case CMD_MIFAREU_WRITEBL
:
799 MifareUWriteBlock(c
->arg
[0], c
->arg
[1], c
->d
.asBytes
);
801 case CMD_MIFARE_NESTED
:
802 MifareNested(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
804 case CMD_MIFARE_CHKKEYS
:
805 MifareChkKeys(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
807 case CMD_SIMULATE_MIFARE_CARD
:
808 Mifare1ksim(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
812 case CMD_MIFARE_SET_DBGMODE
:
813 MifareSetDbgLvl(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
815 case CMD_MIFARE_EML_MEMCLR
:
816 MifareEMemClr(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
818 case CMD_MIFARE_EML_MEMSET
:
819 MifareEMemSet(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
821 case CMD_MIFARE_EML_MEMGET
:
822 MifareEMemGet(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
824 case CMD_MIFARE_EML_CARDLOAD
:
825 MifareECardLoad(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
828 // Work with "magic Chinese" card
829 case CMD_MIFARE_CSETBLOCK
:
830 MifareCSetBlock(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
832 case CMD_MIFARE_CGETBLOCK
:
833 MifareCGetBlock(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
835 case CMD_MIFARE_CIDENT
:
840 case CMD_MIFARE_SNIFFER
:
841 SniffMifare(c
->arg
[0]);
847 // Makes use of ISO14443a FPGA Firmware
848 case CMD_SNOOP_ICLASS
:
851 case CMD_SIMULATE_TAG_ICLASS
:
852 SimulateIClass(c
->arg
[0], c
->arg
[1], c
->arg
[2], c
->d
.asBytes
);
854 case CMD_READER_ICLASS
:
855 ReaderIClass(c
->arg
[0]);
857 case CMD_READER_ICLASS_REPLAY
:
858 ReaderIClass_Replay(c
->arg
[0], c
->d
.asBytes
);
860 case CMD_ICLASS_EML_MEMSET
:
861 emlSet(c
->d
.asBytes
,c
->arg
[0], c
->arg
[1]);
869 case CMD_MEASURE_ANTENNA_TUNING
:
870 MeasureAntennaTuning();
873 case CMD_MEASURE_ANTENNA_TUNING_HF
:
874 MeasureAntennaTuningHf();
877 case CMD_LISTEN_READER_FIELD
:
878 ListenReaderField(c
->arg
[0]);
881 case CMD_FPGA_MAJOR_MODE_OFF
: // ## FPGA Control
882 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
884 LED_D_OFF(); // LED D indicates field ON or OFF
887 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K
:
890 uint8_t *BigBuf
= BigBuf_get_addr();
891 for(size_t i
=0; i
<c
->arg
[1]; i
+= USB_CMD_DATA_SIZE
) {
892 size_t len
= MIN((c
->arg
[1] - i
),USB_CMD_DATA_SIZE
);
893 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K
,i
,len
,BigBuf_get_traceLen(),BigBuf
+c
->arg
[0]+i
,len
);
895 // Trigger a finish downloading signal with an ACK frame
896 cmd_send(CMD_ACK
,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config
));
900 case CMD_DOWNLOADED_SIM_SAMPLES_125K
: {
901 uint8_t *b
= BigBuf_get_addr();
902 memcpy(b
+c
->arg
[0], c
->d
.asBytes
, USB_CMD_DATA_SIZE
);
903 cmd_send(CMD_ACK
,0,0,0,0,0);
910 case CMD_SET_LF_DIVISOR
:
911 FpgaDownloadAndGo(FPGA_BITSTREAM_LF
);
912 FpgaSendCommand(FPGA_CMD_SET_DIVISOR
, c
->arg
[0]);
915 case CMD_SET_ADC_MUX
:
917 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD
); break;
918 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW
); break;
919 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD
); break;
920 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW
); break;
936 case CMD_SETUP_WRITE
:
937 case CMD_FINISH_WRITE
:
938 case CMD_HARDWARE_RESET
:
942 AT91C_BASE_RSTC
->RSTC_RCR
= RST_CONTROL_KEY
| AT91C_RSTC_PROCRST
;
944 // We're going to reset, and the bootrom will take control.
948 case CMD_START_FLASH
:
949 if(common_area
.flags
.bootrom_present
) {
950 common_area
.command
= COMMON_AREA_COMMAND_ENTER_FLASH_MODE
;
953 AT91C_BASE_RSTC
->RSTC_RCR
= RST_CONTROL_KEY
| AT91C_RSTC_PROCRST
;
957 case CMD_DEVICE_INFO
: {
958 uint32_t dev_info
= DEVICE_INFO_FLAG_OSIMAGE_PRESENT
| DEVICE_INFO_FLAG_CURRENT_MODE_OS
;
959 if(common_area
.flags
.bootrom_present
) dev_info
|= DEVICE_INFO_FLAG_BOOTROM_PRESENT
;
960 cmd_send(CMD_DEVICE_INFO
,dev_info
,0,0,0,0);
964 Dbprintf("%s: 0x%04x","unknown command:",c
->cmd
);
969 void __attribute__((noreturn
)) AppMain(void)
973 if(common_area
.magic
!= COMMON_AREA_MAGIC
|| common_area
.version
!= 1) {
974 /* Initialize common area */
975 memset(&common_area
, 0, sizeof(common_area
));
976 common_area
.magic
= COMMON_AREA_MAGIC
;
977 common_area
.version
= 1;
979 common_area
.flags
.osimage_present
= 1;
989 // The FPGA gets its clock from us from PCK0 output, so set that up.
990 AT91C_BASE_PIOA
->PIO_BSR
= GPIO_PCK0
;
991 AT91C_BASE_PIOA
->PIO_PDR
= GPIO_PCK0
;
992 AT91C_BASE_PMC
->PMC_SCER
= AT91C_PMC_PCK0
;
993 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
994 AT91C_BASE_PMC
->PMC_PCKR
[0] = AT91C_PMC_CSS_PLL_CLK
|
995 AT91C_PMC_PRES_CLK_4
;
996 AT91C_BASE_PIOA
->PIO_OER
= GPIO_PCK0
;
999 AT91C_BASE_SPI
->SPI_CR
= AT91C_SPI_SWRST
;
1001 AT91C_BASE_SSC
->SSC_CR
= AT91C_SSC_SWRST
;
1003 // Load the FPGA image, which we have stored in our flash.
1004 // (the HF version by default)
1005 FpgaDownloadAndGo(FPGA_BITSTREAM_HF
);
1013 byte_t rx
[sizeof(UsbCommand
)];
1018 rx_len
= usb_read(rx
,sizeof(UsbCommand
));
1020 UsbPacketReceived(rx
,rx_len
);
1026 if (BUTTON_HELD(1000) > 0)