]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/lfops.c
projects / proxmark3-svn / blob
? search:


c1f32f87769117557649845c453b6d9b0a66491d
[proxmark3-svn] / armsrc / lfops.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // Miscellaneous routines for low frequency tag operations.
7 // Tags supported here so far are Texas Instruments (TI), HID, EM4x05, EM410x
8 // Also routines for raw mode reading/simulating of LF waveform
9 //-----------------------------------------------------------------------------
10
11 #include "proxmark3.h"
12 #include "apps.h"
13 #include "util.h"
14 #include "hitag2.h"
15 #include "crc16.h"
16 #include "string.h"
17 #include "lfdemod.h"
18 #include "lfsampling.h"
19 #include "protocols.h"
20 #include "usb_cdc.h" // for usb_poll_validate_length
21 #include "fpgaloader.h"
22
23 /**
24 * Function to do a modulation and then get samples.
25 * @param delay_off
26 * @param period_0
27 * @param period_1
28 * @param command
29 */
30 void ModThenAcquireRawAdcSamples125k(uint32_t delay_off, uint32_t period_0, uint32_t period_1, uint8_t *command)
31 {
32 // start timer
33 StartTicks();
34
35 // use lf config settings
36 sample_config *sc = getSamplingConfig();
37
38 // Make sure the tag is reset
39 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
40 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
41 WaitMS(2500);
42
43 // clear read buffer (after fpga bitstream loaded...)
44 BigBuf_Clear_keep_EM();
45
46 // power on
47 LFSetupFPGAForADC(sc->divisor, 1);
48
49 // And a little more time for the tag to fully power up
50 WaitMS(2000);
51 // if delay_off = 0 then just bitbang 1 = antenna on 0 = off for respective periods.
52 bool bitbang = delay_off == 0;
53 // now modulate the reader field
54
55 if (bitbang) {
56 // HACK it appears the loop and if statements take up about 7us so adjust waits accordingly...
57 uint8_t hack_cnt = 7;
58 if (period_0 < hack_cnt || period_1 < hack_cnt) {
59 DbpString("Warning periods cannot be less than 7us in bit bang mode");
60 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
61 LED_D_OFF();
62 return;
63 }
64
65 // hack2 needed--- it appears to take about 8-16us to turn the antenna back on
66 // leading to ~ 1 to 2 125khz samples extra in every off period
67 // so we should test for last 0 before next 1 and reduce period_0 by this extra amount...
68 // but is this time different for every antenna or other hw builds??? more testing needed
69
70 // prime cmd_len to save time comparing strings while modulating
71 int cmd_len = 0;
72 while(command[cmd_len] != '\0' && command[cmd_len] != ' ')
73 cmd_len++;
74
75 int counter = 0;
76 bool off = false;
77 for (counter = 0; counter < cmd_len; counter++) {
78 // if cmd = 0 then turn field off
79 if (command[counter] == '0') {
80 // if field already off leave alone (affects timing otherwise)
81 if (off == false) {
82 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
83 LED_D_OFF();
84 off = true;
85 }
86 // note we appear to take about 7us to switch over (or run the if statements/loop...)
87 WaitUS(period_0-hack_cnt);
88 // else if cmd = 1 then turn field on
89 } else {
90 // if field already on leave alone (affects timing otherwise)
91 if (off) {
92 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
93 LED_D_ON();
94 off = false;
95 }
96 // note we appear to take about 7us to switch over (or run the if statements/loop...)
97 WaitUS(period_1-hack_cnt);
98 }
99 }
100 } else { // old mode of cmd read using delay as off period
101 while(*command != '\0' && *command != ' ') {
102 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
103 LED_D_OFF();
104 WaitUS(delay_off);
105 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc->divisor);
106 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
107 LED_D_ON();
108 if(*(command++) == '0') {
109 WaitUS(period_0);
110 } else {
111 WaitUS(period_1);
112 }
113 }
114 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
115 LED_D_OFF();
116 WaitUS(delay_off);
117 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, sc->divisor);
118 }
119
120 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
121
122 // now do the read
123 DoAcquisition_config(false, 0);
124
125 // Turn off antenna
126 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
127 // tell client we are done
128 cmd_send(CMD_ACK,0,0,0,0,0);
129 }
130
131 /* blank r/w tag data stream
132 ...0000000000000000 01111111
133 1010101010101010101010101010101010101010101010101010101010101010
134 0011010010100001
135 01111111
136 101010101010101[0]000...
137
138 [5555fe852c5555555555555555fe0000]
139 */
140 void ReadTItag(void)
141 {
142 // some hardcoded initial params
143 // when we read a TI tag we sample the zerocross line at 2Mhz
144 // TI tags modulate a 1 as 16 cycles of 123.2Khz
145 // TI tags modulate a 0 as 16 cycles of 134.2Khz
146 #define FSAMPLE 2000000
147 #define FREQLO 123200
148 #define FREQHI 134200
149
150 signed char *dest = (signed char *)BigBuf_get_addr();
151 uint16_t n = BigBuf_max_traceLen();
152 // 128 bit shift register [shift3:shift2:shift1:shift0]
153 uint32_t shift3 = 0, shift2 = 0, shift1 = 0, shift0 = 0;
154
155 int i, cycles=0, samples=0;
156 // how many sample points fit in 16 cycles of each frequency
157 uint32_t sampleslo = (FSAMPLE<<4)/FREQLO, sampleshi = (FSAMPLE<<4)/FREQHI;
158 // when to tell if we're close enough to one freq or another
159 uint32_t threshold = (sampleslo - sampleshi + 1)>>1;
160
161 // TI tags charge at 134.2Khz
162 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
163 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
164
165 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
166 // connects to SSP_DIN and the SSP_DOUT logic level controls
167 // whether we're modulating the antenna (high)
168 // or listening to the antenna (low)
169 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
170
171 // get TI tag data into the buffer
172 AcquireTiType();
173
174 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
175
176 for (i=0; i<n-1; i++) {
177 // count cycles by looking for lo to hi zero crossings
178 if ( (dest[i]<0) && (dest[i+1]>0) ) {
179 cycles++;
180 // after 16 cycles, measure the frequency
181 if (cycles>15) {
182 cycles=0;
183 samples=i-samples; // number of samples in these 16 cycles
184
185 // TI bits are coming to us lsb first so shift them
186 // right through our 128 bit right shift register
187 shift0 = (shift0>>1) | (shift1 << 31);
188 shift1 = (shift1>>1) | (shift2 << 31);
189 shift2 = (shift2>>1) | (shift3 << 31);
190 shift3 >>= 1;
191
192 // check if the cycles fall close to the number
193 // expected for either the low or high frequency
194 if ( (samples>(sampleslo-threshold)) && (samples<(sampleslo+threshold)) ) {
195 // low frequency represents a 1
196 shift3 |= (1<<31);
197 } else if ( (samples>(sampleshi-threshold)) && (samples<(sampleshi+threshold)) ) {
198 // high frequency represents a 0
199 } else {
200 // probably detected a gay waveform or noise
201 // use this as gaydar or discard shift register and start again
202 shift3 = shift2 = shift1 = shift0 = 0;
203 }
204 samples = i;
205
206 // for each bit we receive, test if we've detected a valid tag
207
208 // if we see 17 zeroes followed by 6 ones, we might have a tag
209 // remember the bits are backwards
210 if ( ((shift0 & 0x7fffff) == 0x7e0000) ) {
211 // if start and end bytes match, we have a tag so break out of the loop
212 if ( ((shift0>>16)&0xff) == ((shift3>>8)&0xff) ) {
213 cycles = 0xF0B; //use this as a flag (ugly but whatever)
214 break;
215 }
216 }
217 }
218 }
219 }
220
221 // if flag is set we have a tag
222 if (cycles!=0xF0B) {
223 DbpString("Info: No valid tag detected.");
224 } else {
225 // put 64 bit data into shift1 and shift0
226 shift0 = (shift0>>24) | (shift1 << 8);
227 shift1 = (shift1>>24) | (shift2 << 8);
228
229 // align 16 bit crc into lower half of shift2
230 shift2 = ((shift2>>24) | (shift3 << 8)) & 0x0ffff;
231
232 // if r/w tag, check ident match
233 if (shift3 & (1<<15) ) {
234 DbpString("Info: TI tag is rewriteable");
235 // only 15 bits compare, last bit of ident is not valid
236 if (((shift3 >> 16) ^ shift0) & 0x7fff ) {
237 DbpString("Error: Ident mismatch!");
238 } else {
239 DbpString("Info: TI tag ident is valid");
240 }
241 } else {
242 DbpString("Info: TI tag is readonly");
243 }
244
245 // WARNING the order of the bytes in which we calc crc below needs checking
246 // i'm 99% sure the crc algorithm is correct, but it may need to eat the
247 // bytes in reverse or something
248 // calculate CRC
249 uint32_t crc=0;
250
251 crc = update_crc16(crc, (shift0)&0xff);
252 crc = update_crc16(crc, (shift0>>8)&0xff);
253 crc = update_crc16(crc, (shift0>>16)&0xff);
254 crc = update_crc16(crc, (shift0>>24)&0xff);
255 crc = update_crc16(crc, (shift1)&0xff);
256 crc = update_crc16(crc, (shift1>>8)&0xff);
257 crc = update_crc16(crc, (shift1>>16)&0xff);
258 crc = update_crc16(crc, (shift1>>24)&0xff);
259
260 Dbprintf("Info: Tag data: %x%08x, crc=%x",
261 (unsigned int)shift1, (unsigned int)shift0, (unsigned int)shift2 & 0xFFFF);
262 if (crc != (shift2&0xffff)) {
263 Dbprintf("Error: CRC mismatch, expected %x", (unsigned int)crc);
264 } else {
265 DbpString("Info: CRC is good");
266 }
267 }
268 }
269
270 void WriteTIbyte(uint8_t b)
271 {
272 int i = 0;
273
274 // modulate 8 bits out to the antenna
275 for (i=0; i<8; i++)
276 {
277 if (b&(1<<i)) {
278 // stop modulating antenna
279 LOW(GPIO_SSC_DOUT);
280 SpinDelayUs(1000);
281 // modulate antenna
282 HIGH(GPIO_SSC_DOUT);
283 SpinDelayUs(1000);
284 } else {
285 // stop modulating antenna
286 LOW(GPIO_SSC_DOUT);
287 SpinDelayUs(300);
288 // modulate antenna
289 HIGH(GPIO_SSC_DOUT);
290 SpinDelayUs(1700);
291 }
292 }
293 }
294
295 void AcquireTiType(void)
296 {
297 int i, j, n;
298 // tag transmission is <20ms, sampling at 2M gives us 40K samples max
299 // each sample is 1 bit stuffed into a uint32_t so we need 1250 uint32_t
300 #define TIBUFLEN 1250
301
302 // clear buffer
303 uint32_t *BigBuf = (uint32_t *)BigBuf_get_addr();
304 BigBuf_Clear_ext(false);
305
306 // Set up the synchronous serial port
307 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DIN;
308 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN;
309
310 // steal this pin from the SSP and use it to control the modulation
311 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
312 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
313
314 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
315 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_RXEN | AT91C_SSC_TXEN;
316
317 // Sample at 2 Mbit/s, so TI tags are 16.2 vs. 14.9 clocks long
318 // 48/2 = 24 MHz clock must be divided by 12
319 AT91C_BASE_SSC->SSC_CMR = 12;
320
321 AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(0);
322 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(32) | AT91C_SSC_MSBF;
323 AT91C_BASE_SSC->SSC_TCMR = 0;
324 AT91C_BASE_SSC->SSC_TFMR = 0;
325
326 LED_D_ON();
327
328 // modulate antenna
329 HIGH(GPIO_SSC_DOUT);
330
331 // Charge TI tag for 50ms.
332 SpinDelay(50);
333
334 // stop modulating antenna and listen
335 LOW(GPIO_SSC_DOUT);
336
337 LED_D_OFF();
338
339 i = 0;
340 for(;;) {
341 if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
342 BigBuf[i] = AT91C_BASE_SSC->SSC_RHR; // store 32 bit values in buffer
343 i++; if(i >= TIBUFLEN) break;
344 }
345 WDT_HIT();
346 }
347
348 // return stolen pin to SSP
349 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;
350 AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN | GPIO_SSC_DOUT;
351
352 char *dest = (char *)BigBuf_get_addr();
353 n = TIBUFLEN*32;
354 // unpack buffer
355 for (i=TIBUFLEN-1; i>=0; i--) {
356 for (j=0; j<32; j++) {
357 if(BigBuf[i] & (1 << j)) {
358 dest[--n] = 1;
359 } else {
360 dest[--n] = -1;
361 }
362 }
363 }
364 }
365
366 // arguments: 64bit data split into 32bit idhi:idlo and optional 16bit crc
367 // if crc provided, it will be written with the data verbatim (even if bogus)
368 // if not provided a valid crc will be computed from the data and written.
369 void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc)
370 {
371 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
372 if(crc == 0) {
373 crc = update_crc16(crc, (idlo)&0xff);
374 crc = update_crc16(crc, (idlo>>8)&0xff);
375 crc = update_crc16(crc, (idlo>>16)&0xff);
376 crc = update_crc16(crc, (idlo>>24)&0xff);
377 crc = update_crc16(crc, (idhi)&0xff);
378 crc = update_crc16(crc, (idhi>>8)&0xff);
379 crc = update_crc16(crc, (idhi>>16)&0xff);
380 crc = update_crc16(crc, (idhi>>24)&0xff);
381 }
382 Dbprintf("Writing to tag: %x%08x, crc=%x",
383 (unsigned int) idhi, (unsigned int) idlo, crc);
384
385 // TI tags charge at 134.2Khz
386 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz
387 // Place FPGA in passthrough mode, in this mode the CROSS_LO line
388 // connects to SSP_DIN and the SSP_DOUT logic level controls
389 // whether we're modulating the antenna (high)
390 // or listening to the antenna (low)
391 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
392 LED_A_ON();
393
394 // steal this pin from the SSP and use it to control the modulation
395 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
396 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
397
398 // writing algorithm:
399 // a high bit consists of a field off for 1ms and field on for 1ms
400 // a low bit consists of a field off for 0.3ms and field on for 1.7ms
401 // initiate a charge time of 50ms (field on) then immediately start writing bits
402 // start by writing 0xBB (keyword) and 0xEB (password)
403 // then write 80 bits of data (or 64 bit data + 16 bit crc if you prefer)
404 // finally end with 0x0300 (write frame)
405 // all data is sent lsb firts
406 // finish with 15ms programming time
407
408 // modulate antenna
409 HIGH(GPIO_SSC_DOUT);
410 SpinDelay(50); // charge time
411
412 WriteTIbyte(0xbb); // keyword
413 WriteTIbyte(0xeb); // password
414 WriteTIbyte( (idlo )&0xff );
415 WriteTIbyte( (idlo>>8 )&0xff );
416 WriteTIbyte( (idlo>>16)&0xff );
417 WriteTIbyte( (idlo>>24)&0xff );
418 WriteTIbyte( (idhi )&0xff );
419 WriteTIbyte( (idhi>>8 )&0xff );
420 WriteTIbyte( (idhi>>16)&0xff );
421 WriteTIbyte( (idhi>>24)&0xff ); // data hi to lo
422 WriteTIbyte( (crc )&0xff ); // crc lo
423 WriteTIbyte( (crc>>8 )&0xff ); // crc hi
424 WriteTIbyte(0x00); // write frame lo
425 WriteTIbyte(0x03); // write frame hi
426 HIGH(GPIO_SSC_DOUT);
427 SpinDelay(50); // programming time
428
429 LED_A_OFF();
430
431 // get TI tag data into the buffer
432 AcquireTiType();
433
434 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
435 DbpString("Now use `lf ti read` to check");
436 }
437
438 void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
439 {
440 int i;
441 uint8_t *tab = BigBuf_get_addr();
442
443 //note FpgaDownloadAndGo destroys the bigbuf so be sure this is called before now...
444 //FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
445 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
446
447 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK;
448
449 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
450 AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK;
451
452 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
453 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
454
455 i = 0;
456 for(;;) {
457 //wait until SSC_CLK goes HIGH
458 int ii = 0;
459 while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {
460 //only check every 1000th time (usb_poll_validate_length on some systems was too slow)
461 if ( ii == 1000 ) {
462 if (BUTTON_PRESS() || usb_poll_validate_length() ) {
463 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
464 DbpString("Stopped");
465 return;
466 }
467 ii=0;
468 }
469 WDT_HIT();
470 ii++;
471 }
472 if (ledcontrol)
473 LED_D_ON();
474
475 if(tab[i])
476 OPEN_COIL();
477 else
478 SHORT_COIL();
479
480 if (ledcontrol)
481 LED_D_OFF();
482 ii=0;
483 //wait until SSC_CLK goes LOW
484 while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) {
485 //only check every 1000th time (usb_poll_validate_length on some systems was too slow)
486 if ( ii == 1000 ) {
487 if (BUTTON_PRESS() || usb_poll_validate_length() ) {
488 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
489 DbpString("Stopped");
490 return;
491 }
492 ii=0;
493 }
494 WDT_HIT();
495 ii++;
496 }
497
498 i++;
499 if(i == period) {
500
501 i = 0;
502 if (gap) {
503 SHORT_COIL();
504 SpinDelayUs(gap);
505 }
506 }
507
508 }
509 }
510
511 #define DEBUG_FRAME_CONTENTS 1
512 void SimulateTagLowFrequencyBidir(int divisor, int t0)
513 {
514 }
515
516 // compose fc/8 fc/10 waveform (FSK2)
517 static void fc(int c, int *n)
518 {
519 uint8_t *dest = BigBuf_get_addr();
520 int idx;
521
522 // for when we want an fc8 pattern every 4 logical bits
523 if(c==0) {
524 dest[((*n)++)]=1;
525 dest[((*n)++)]=1;
526 dest[((*n)++)]=1;
527 dest[((*n)++)]=1;
528 dest[((*n)++)]=0;
529 dest[((*n)++)]=0;
530 dest[((*n)++)]=0;
531 dest[((*n)++)]=0;
532 }
533
534 // an fc/8 encoded bit is a bit pattern of 11110000 x6 = 48 samples
535 if(c==8) {
536 for (idx=0; idx<6; idx++) {
537 dest[((*n)++)]=1;
538 dest[((*n)++)]=1;
539 dest[((*n)++)]=1;
540 dest[((*n)++)]=1;
541 dest[((*n)++)]=0;
542 dest[((*n)++)]=0;
543 dest[((*n)++)]=0;
544 dest[((*n)++)]=0;
545 }
546 }
547
548 // an fc/10 encoded bit is a bit pattern of 1111100000 x5 = 50 samples
549 if(c==10) {
550 for (idx=0; idx<5; idx++) {
551 dest[((*n)++)]=1;
552 dest[((*n)++)]=1;
553 dest[((*n)++)]=1;
554 dest[((*n)++)]=1;
555 dest[((*n)++)]=1;
556 dest[((*n)++)]=0;
557 dest[((*n)++)]=0;
558 dest[((*n)++)]=0;
559 dest[((*n)++)]=0;
560 dest[((*n)++)]=0;
561 }
562 }
563 }
564 // compose fc/X fc/Y waveform (FSKx)
565 static void fcAll(uint8_t fc, int *n, uint8_t clock, uint16_t *modCnt)
566 {
567 uint8_t *dest = BigBuf_get_addr();
568 uint8_t halfFC = fc/2;
569 uint8_t wavesPerClock = clock/fc;
570 uint8_t mod = clock % fc; //modifier
571 uint8_t modAdj = fc/mod; //how often to apply modifier
572 bool modAdjOk = !(fc % mod); //if (fc % mod==0) modAdjOk=true;
573 // loop through clock - step field clock
574 for (uint8_t idx=0; idx < wavesPerClock; idx++){
575 // put 1/2 FC length 1's and 1/2 0's per field clock wave (to create the wave)
576 memset(dest+(*n), 0, fc-halfFC); //in case of odd number use extra here
577 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
578 *n += fc;
579 }
580 if (mod>0) (*modCnt)++;
581 if ((mod>0) && modAdjOk){ //fsk2
582 if ((*modCnt % modAdj) == 0){ //if 4th 8 length wave in a rf/50 add extra 8 length wave
583 memset(dest+(*n), 0, fc-halfFC);
584 memset(dest+(*n)+(fc-halfFC), 1, halfFC);
585 *n += fc;
586 }
587 }
588 if (mod>0 && !modAdjOk){ //fsk1
589 memset(dest+(*n), 0, mod-(mod/2));
590 memset(dest+(*n)+(mod-(mod/2)), 1, mod/2);
591 *n += mod;
592 }
593 }
594
595 // prepare a waveform pattern in the buffer based on the ID given then
596 // simulate a HID tag until the button is pressed
597 void CmdHIDsimTAG(int hi2, int hi, int lo, int ledcontrol)
598 {
599 int n=0, i=0;
600 /*
601 HID tag bitstream format
602 The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits
603 A 1 bit is represented as 6 fc8 and 5 fc10 patterns
604 A 0 bit is represented as 5 fc10 and 6 fc8 patterns
605 A fc8 is inserted before every 4 bits
606 A special start of frame pattern is used consisting a0b0 where a and b are neither 0
607 nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10)
608 */
609
610 if (hi2>0x0FFFFFFF) {
611 DbpString("Tags can only have 44 or 84 bits. - USE lf simfsk for larger tags");
612 return;
613 }
614 // set LF so we don't kill the bigbuf we are setting with simulation data.
615 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
616
617 fc(0,&n);
618 // special start of frame marker containing invalid bit sequences
619 fc(8, &n); fc(8, &n); // invalid
620 fc(8, &n); fc(10, &n); // logical 0
621 fc(10, &n); fc(10, &n); // invalid
622 fc(8, &n); fc(10, &n); // logical 0
623
624 WDT_HIT();
625 if (hi2 > 0 || hi > 0xFFF){
626 // manchester encode bits 91 to 64 (91-84 are part of the header)
627 for (i=27; i>=0; i--) {
628 if ((i%4)==3) fc(0,&n);
629 if ((hi2>>i)&1) {
630 fc(10, &n); fc(8, &n); // low-high transition
631 } else {
632 fc(8, &n); fc(10, &n); // high-low transition
633 }
634 }
635 WDT_HIT();
636 // manchester encode bits 63 to 32
637 for (i=31; i>=0; i--) {
638 if ((i%4)==3) fc(0,&n);
639 if ((hi>>i)&1) {
640 fc(10, &n); fc(8, &n); // low-high transition
641 } else {
642 fc(8, &n); fc(10, &n); // high-low transition
643 }
644 }
645 } else {
646 // manchester encode bits 43 to 32
647 for (i=11; i>=0; i--) {
648 if ((i%4)==3) fc(0,&n);
649 if ((hi>>i)&1) {
650 fc(10, &n); fc(8, &n); // low-high transition
651 } else {
652 fc(8, &n); fc(10, &n); // high-low transition
653 }
654 }
655 }
656
657 WDT_HIT();
658 // manchester encode bits 31 to 0
659 for (i=31; i>=0; i--) {
660 if ((i%4)==3) fc(0,&n);
661 if ((lo>>i)&1) {
662 fc(10, &n); fc(8, &n); // low-high transition
663 } else {
664 fc(8, &n); fc(10, &n); // high-low transition
665 }
666 }
667
668 if (ledcontrol)
669 LED_A_ON();
670 SimulateTagLowFrequency(n, 0, ledcontrol);
671
672 if (ledcontrol)
673 LED_A_OFF();
674 }
675
676 // prepare a waveform pattern in the buffer based on the ID given then
677 // simulate a FSK tag until the button is pressed
678 // arg1 contains fcHigh and fcLow, arg2 contains invert and clock
679 void CmdFSKsimTAG(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
680 {
681 int ledcontrol=1;
682 int n=0, i=0;
683 uint8_t fcHigh = arg1 >> 8;
684 uint8_t fcLow = arg1 & 0xFF;
685 uint16_t modCnt = 0;
686 uint8_t clk = arg2 & 0xFF;
687 uint8_t invert = (arg2 >> 8) & 1;
688
689 // set LF so we don't kill the bigbuf we are setting with simulation data.
690 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
691
692 for (i=0; i<size; i++){
693 if (BitStream[i] == invert){
694 fcAll(fcLow, &n, clk, &modCnt);
695 } else {
696 fcAll(fcHigh, &n, clk, &modCnt);
697 }
698 }
699 Dbprintf("Simulating with fcHigh: %d, fcLow: %d, clk: %d, invert: %d, n: %d",fcHigh, fcLow, clk, invert, n);
700 /*Dbprintf("DEBUG: First 32:");
701 uint8_t *dest = BigBuf_get_addr();
702 i=0;
703 Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
704 i+=16;
705 Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
706 */
707 if (ledcontrol)
708 LED_A_ON();
709
710 SimulateTagLowFrequency(n, 0, ledcontrol);
711
712 if (ledcontrol)
713 LED_A_OFF();
714 }
715
716 // compose ask waveform for one bit(ASK)
717 static void askSimBit(uint8_t c, int *n, uint8_t clock, uint8_t manchester)
718 {
719 uint8_t *dest = BigBuf_get_addr();
720 uint8_t halfClk = clock/2;
721 // c = current bit 1 or 0
722 if (manchester==1){
723 memset(dest+(*n), c, halfClk);
724 memset(dest+(*n) + halfClk, c^1, halfClk);
725 } else {
726 memset(dest+(*n), c, clock);
727 }
728 *n += clock;
729 }
730
731 static void biphaseSimBit(uint8_t c, int *n, uint8_t clock, uint8_t *phase)
732 {
733 uint8_t *dest = BigBuf_get_addr();
734 uint8_t halfClk = clock/2;
735 if (c){
736 memset(dest+(*n), c ^ 1 ^ *phase, halfClk);
737 memset(dest+(*n) + halfClk, c ^ *phase, halfClk);
738 } else {
739 memset(dest+(*n), c ^ *phase, clock);
740 *phase ^= 1;
741 }
742 *n += clock;
743 }
744
745 static void stAskSimBit(int *n, uint8_t clock) {
746 uint8_t *dest = BigBuf_get_addr();
747 uint8_t halfClk = clock/2;
748 //ST = .5 high .5 low 1.5 high .5 low 1 high
749 memset(dest+(*n), 1, halfClk);
750 memset(dest+(*n) + halfClk, 0, halfClk);
751 memset(dest+(*n) + clock, 1, clock + halfClk);
752 memset(dest+(*n) + clock*2 + halfClk, 0, halfClk);
753 memset(dest+(*n) + clock*3, 1, clock);
754 *n += clock*4;
755 }
756
757 // args clock, ask/man or askraw, invert, transmission separator
758 void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
759 {
760 int ledcontrol = 1;
761 int n=0, i=0;
762 uint8_t clk = (arg1 >> 8) & 0xFF;
763 uint8_t encoding = arg1 & 0xFF;
764 uint8_t separator = arg2 & 1;
765 uint8_t invert = (arg2 >> 8) & 1;
766
767 // set LF so we don't kill the bigbuf we are setting with simulation data.
768 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
769
770 if (encoding==2){ //biphase
771 uint8_t phase=0;
772 for (i=0; i<size; i++){
773 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
774 }
775 if (phase==1) { //run a second set inverted to keep phase in check
776 for (i=0; i<size; i++){
777 biphaseSimBit(BitStream[i]^invert, &n, clk, &phase);
778 }
779 }
780 } else { // ask/manchester || ask/raw
781 for (i=0; i<size; i++){
782 askSimBit(BitStream[i]^invert, &n, clk, encoding);
783 }
784 if (encoding==0 && BitStream[0]==BitStream[size-1]){ //run a second set inverted (for ask/raw || biphase phase)
785 for (i=0; i<size; i++){
786 askSimBit(BitStream[i]^invert^1, &n, clk, encoding);
787 }
788 }
789 }
790 if (separator==1 && encoding == 1)
791 stAskSimBit(&n, clk);
792 else if (separator==1)
793 Dbprintf("sorry but separator option not yet available");
794
795 Dbprintf("Simulating with clk: %d, invert: %d, encoding: %d, separator: %d, n: %d",clk, invert, encoding, separator, n);
796 //DEBUG
797 //Dbprintf("First 32:");
798 //uint8_t *dest = BigBuf_get_addr();
799 //i=0;
800 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
801 //i+=16;
802 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
803
804 if (ledcontrol) LED_A_ON();
805 SimulateTagLowFrequency(n, 0, ledcontrol);
806 if (ledcontrol) LED_A_OFF();
807 }
808
809 //carrier can be 2,4 or 8
810 static void pskSimBit(uint8_t waveLen, int *n, uint8_t clk, uint8_t *curPhase, bool phaseChg)
811 {
812 uint8_t *dest = BigBuf_get_addr();
813 uint8_t halfWave = waveLen/2;
814 //uint8_t idx;
815 int i = 0;
816 if (phaseChg){
817 // write phase change
818 memset(dest+(*n), *curPhase^1, halfWave);
819 memset(dest+(*n) + halfWave, *curPhase, halfWave);
820 *n += waveLen;
821 *curPhase ^= 1;
822 i += waveLen;
823 }
824 //write each normal clock wave for the clock duration
825 for (; i < clk; i+=waveLen){
826 memset(dest+(*n), *curPhase, halfWave);
827 memset(dest+(*n) + halfWave, *curPhase^1, halfWave);
828 *n += waveLen;
829 }
830 }
831
832 // args clock, carrier, invert,
833 void CmdPSKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
834 {
835 int ledcontrol=1;
836 int n=0, i=0;
837 uint8_t clk = arg1 >> 8;
838 uint8_t carrier = arg1 & 0xFF;
839 uint8_t invert = arg2 & 0xFF;
840 uint8_t curPhase = 0;
841 // set LF so we don't kill the bigbuf we are setting with simulation data.
842 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
843
844 for (i=0; i<size; i++){
845 if (BitStream[i] == curPhase){
846 pskSimBit(carrier, &n, clk, &curPhase, false);
847 } else {
848 pskSimBit(carrier, &n, clk, &curPhase, true);
849 }
850 }
851 Dbprintf("Simulating with Carrier: %d, clk: %d, invert: %d, n: %d",carrier, clk, invert, n);
852 //Dbprintf("DEBUG: First 32:");
853 //uint8_t *dest = BigBuf_get_addr();
854 //i=0;
855 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
856 //i+=16;
857 //Dbprintf("%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d", dest[i],dest[i+1],dest[i+2],dest[i+3],dest[i+4],dest[i+5],dest[i+6],dest[i+7],dest[i+8],dest[i+9],dest[i+10],dest[i+11],dest[i+12],dest[i+13],dest[i+14],dest[i+15]);
858
859 if (ledcontrol) LED_A_ON();
860 SimulateTagLowFrequency(n, 0, ledcontrol);
861 if (ledcontrol) LED_A_OFF();
862 }
863
864 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
865 void CmdHIDdemodFSK(int findone, int *high2, int *high, int *low, int ledcontrol)
866 {
867 uint8_t *dest = BigBuf_get_addr();
868 //const size_t sizeOfBigBuff = BigBuf_max_traceLen();
869 size_t size;
870 uint32_t hi2=0, hi=0, lo=0;
871 int idx=0;
872 int dummyIdx = 0;
873 // Configure to go in 125Khz listen mode
874 LFSetupFPGAForADC(95, true);
875
876 //clear read buffer
877 BigBuf_Clear_keep_EM();
878
879 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
880 WDT_HIT();
881 if (ledcontrol) LED_A_ON();
882
883 DoAcquisition_default(-1,true);
884 // FSK demodulator
885 //size = sizeOfBigBuff; //variable size will change after demod so re initialize it before use
886 size = 50*128*2; //big enough to catch 2 sequences of largest format
887 idx = HIDdemodFSK(dest, &size, &hi2, &hi, &lo, &dummyIdx);
888
889 if (idx>0 && lo>0 && (size==96 || size==192)){
890 uint8_t bitlen = 0;
891 uint32_t fc = 0;
892 uint32_t cardnum = 0;
893 bool decoded = false;
894
895 // go over previously decoded manchester data and decode into usable tag ID
896 if ((hi2 & 0x000FFFF) != 0){ //extra large HID tags 88/192 bits
897 uint32_t bp = hi2 & 0x000FFFFF;
898 bitlen = 63;
899 while (bp > 0) {
900 bp = bp >> 1;
901 bitlen++;
902 }
903 } else if ((hi >> 6) > 0) {
904 uint32_t bp = hi;
905 bitlen = 31;
906 while (bp > 0) {
907 bp = bp >> 1;
908 bitlen++;
909 }
910 } else if (((hi >> 5) & 1) == 0) {
911 bitlen = 37;
912 } else if ((hi & 0x0000001F) > 0 ) {
913 uint32_t bp = (hi & 0x0000001F);
914 bitlen = 31;
915 while (bp > 0) {
916 bp = bp >> 1;
917 bitlen++;
918 }
919 } else {
920 uint32_t bp = lo;
921 bitlen = 0;
922 while (bp > 0) {
923 bp = bp >> 1;
924 bitlen++;
925 }
926 }
927 switch (bitlen){
928 case 26:
929 cardnum = (lo>>1)&0xFFFF;
930 fc = (lo>>17)&0xFF;
931 decoded = true;
932 break;
933 case 35:
934 cardnum = (lo>>1)&0xFFFFF;
935 fc = ((hi&1)<<11)|(lo>>21);
936 decoded = true;
937 break;
938 }
939
940 if (hi2 != 0) //extra large HID tags 88/192 bits
941 Dbprintf("TAG ID: %x%08x%08x (%d)",
942 (unsigned int) hi2, (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
943 else
944 Dbprintf("TAG ID: %x%08x (%d)",
945 (unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF);
946
947 if (decoded)
948 Dbprintf("Format Len: %dbits - FC: %d - Card: %d",
949 (unsigned int) bitlen, (unsigned int) fc, (unsigned int) cardnum);
950
951 if (findone){
952 if (ledcontrol) LED_A_OFF();
953 *high2 = hi2;
954 *high = hi;
955 *low = lo;
956 break;
957 }
958 // reset
959 }
960 hi2 = hi = lo = idx = 0;
961 WDT_HIT();
962 }
963
964 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
965 DbpString("Stopped");
966 if (ledcontrol) LED_A_OFF();
967 }
968
969 // loop to get raw HID waveform then FSK demodulate the TAG ID from it
970 void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
971 {
972 uint8_t *dest = BigBuf_get_addr();
973 size_t size;
974 int idx=0, dummyIdx=0;
975 //clear read buffer
976 BigBuf_Clear_keep_EM();
977 // Configure to go in 125Khz listen mode
978 LFSetupFPGAForADC(95, true);
979
980 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
981
982 WDT_HIT();
983 if (ledcontrol) LED_A_ON();
984
985 DoAcquisition_default(-1,true);
986 // FSK demodulator
987 size = 50*128*2; //big enough to catch 2 sequences of largest format
988 idx = AWIDdemodFSK(dest, &size, &dummyIdx);
989
990 if (idx<=0 || size!=96) continue;
991 // Index map
992 // 0 10 20 30 40 50 60
993 // | | | | | | |
994 // 01234567 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 456 7 890 1 234 5 678 9 012 3 - to 96
995 // -----------------------------------------------------------------------------
996 // 00000001 000 1 110 1 101 1 011 1 101 1 010 0 000 1 000 1 010 0 001 0 110 1 100 0 000 1 000 1
997 // premable bbb o bbb o bbw o fff o fff o ffc o ccc o ccc o ccc o ccc o ccc o wxx o xxx o xxx o - to 96
998 // |---26 bit---| |-----117----||-------------142-------------|
999 // b = format bit len, o = odd parity of last 3 bits
1000 // f = facility code, c = card number
1001 // w = wiegand parity
1002 // (26 bit format shown)
1003
1004 //get raw ID before removing parities
1005 uint32_t rawLo = bytebits_to_byte(dest+idx+64,32);
1006 uint32_t rawHi = bytebits_to_byte(dest+idx+32,32);
1007 uint32_t rawHi2 = bytebits_to_byte(dest+idx,32);
1008
1009 size = removeParity(dest, idx+8, 4, 1, 88);
1010 if (size != 66) continue;
1011 // ok valid card found!
1012
1013 // Index map
1014 // 0 10 20 30 40 50 60
1015 // | | | | | | |
1016 // 01234567 8 90123456 7890123456789012 3 456789012345678901234567890123456
1017 // -----------------------------------------------------------------------------
1018 // 00011010 1 01110101 0000000010001110 1 000000000000000000000000000000000
1019 // bbbbbbbb w ffffffff cccccccccccccccc w xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1020 // |26 bit| |-117--| |-----142------|
1021 // b = format bit len, o = odd parity of last 3 bits
1022 // f = facility code, c = card number
1023 // w = wiegand parity
1024 // (26 bit format shown)
1025
1026 uint32_t fc = 0;
1027 uint32_t cardnum = 0;
1028 uint32_t code1 = 0;
1029 uint32_t code2 = 0;
1030 uint8_t fmtLen = bytebits_to_byte(dest,8);
1031 if (fmtLen==26){
1032 fc = bytebits_to_byte(dest+9, 8);
1033 cardnum = bytebits_to_byte(dest+17, 16);
1034 code1 = bytebits_to_byte(dest+8,fmtLen);
1035 Dbprintf("AWID Found - BitLength: %d, FC: %d, Card: %d - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, fc, cardnum, code1, rawHi2, rawHi, rawLo);
1036 } else {
1037 cardnum = bytebits_to_byte(dest+8+(fmtLen-17), 16);
1038 if (fmtLen>32){
1039 code1 = bytebits_to_byte(dest+8,fmtLen-32);
1040 code2 = bytebits_to_byte(dest+8+(fmtLen-32),32);
1041 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%d) - Wiegand: %x%08x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, code2, rawHi2, rawHi, rawLo);
1042 } else{
1043 code1 = bytebits_to_byte(dest+8,fmtLen);
1044 Dbprintf("AWID Found - BitLength: %d -unknown BitLength- (%d) - Wiegand: %x, Raw: %08x%08x%08x", fmtLen, cardnum, code1, rawHi2, rawHi, rawLo);
1045 }
1046 }
1047 if (findone){
1048 if (ledcontrol) LED_A_OFF();
1049 break;
1050 }
1051 // reset
1052 idx = 0;
1053 WDT_HIT();
1054 }
1055 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1056 DbpString("Stopped");
1057 if (ledcontrol) LED_A_OFF();
1058 }
1059
1060 void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol)
1061 {
1062 uint8_t *dest = BigBuf_get_addr();
1063
1064 size_t size=0, idx=0;
1065 int clk=0, invert=0, errCnt=0, maxErr=20;
1066 uint32_t hi=0;
1067 uint64_t lo=0;
1068 //clear read buffer
1069 BigBuf_Clear_keep_EM();
1070 // Configure to go in 125Khz listen mode
1071 LFSetupFPGAForADC(95, true);
1072
1073 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
1074
1075 WDT_HIT();
1076 if (ledcontrol) LED_A_ON();
1077
1078 DoAcquisition_default(-1,true);
1079 size = BigBuf_max_traceLen();
1080 //askdemod and manchester decode
1081 if (size > 16385) size = 16385; //big enough to catch 2 sequences of largest format
1082 errCnt = askdemod(dest, &size, &clk, &invert, maxErr, 0, 1);
1083 WDT_HIT();
1084
1085 if (errCnt<0) continue;
1086
1087 errCnt = Em410xDecode(dest, &size, &idx, &hi, &lo);
1088 if (errCnt){
1089 if (size>64){
1090 Dbprintf("EM XL TAG ID: %06x%08x%08x - (%05d_%03d_%08d)",
1091 hi,
1092 (uint32_t)(lo>>32),
1093 (uint32_t)lo,
1094 (uint32_t)(lo&0xFFFF),
1095 (uint32_t)((lo>>16LL) & 0xFF),
1096 (uint32_t)(lo & 0xFFFFFF));
1097 } else {
1098 Dbprintf("EM TAG ID: %02x%08x - (%05d_%03d_%08d)",
1099 (uint32_t)(lo>>32),
1100 (uint32_t)lo,
1101 (uint32_t)(lo&0xFFFF),
1102 (uint32_t)((lo>>16LL) & 0xFF),
1103 (uint32_t)(lo & 0xFFFFFF));
1104 }
1105
1106 if (findone){
1107 if (ledcontrol) LED_A_OFF();
1108 *high=lo>>32;
1109 *low=lo & 0xFFFFFFFF;
1110 break;
1111 }
1112 }
1113 WDT_HIT();
1114 hi = lo = size = idx = 0;
1115 clk = invert = errCnt = 0;
1116 }
1117 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1118 DbpString("Stopped");
1119 if (ledcontrol) LED_A_OFF();
1120 }
1121
1122 void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
1123 {
1124 uint8_t *dest = BigBuf_get_addr();
1125 int idx=0;
1126 uint32_t code=0, code2=0;
1127 uint8_t version=0;
1128 uint8_t facilitycode=0;
1129 uint16_t number=0;
1130 int dummyIdx=0;
1131 //clear read buffer
1132 BigBuf_Clear_keep_EM();
1133 // Configure to go in 125Khz listen mode
1134 LFSetupFPGAForADC(95, true);
1135
1136 while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
1137 WDT_HIT();
1138 if (ledcontrol) LED_A_ON();
1139 DoAcquisition_default(-1,true);
1140 //fskdemod and get start index
1141 WDT_HIT();
1142 idx = IOdemodFSK(dest, BigBuf_max_traceLen(), &dummyIdx);
1143 if (idx<0) continue;
1144 //valid tag found
1145
1146 //Index map
1147 //0 10 20 30 40 50 60
1148 //| | | | | | |
1149 //01234567 8 90123456 7 89012345 6 78901234 5 67890123 4 56789012 3 45678901 23
1150 //-----------------------------------------------------------------------------
1151 //00000000 0 11110000 1 facility 1 version* 1 code*one 1 code*two 1 ???????? 11
1152 //
1153 //XSF(version)facility:codeone+codetwo
1154 //Handle the data
1155 if(findone){ //only print binary if we are doing one
1156 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx], dest[idx+1], dest[idx+2],dest[idx+3],dest[idx+4],dest[idx+5],dest[idx+6],dest[idx+7],dest[idx+8]);
1157 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+9], dest[idx+10],dest[idx+11],dest[idx+12],dest[idx+13],dest[idx+14],dest[idx+15],dest[idx+16],dest[idx+17]);
1158 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+18],dest[idx+19],dest[idx+20],dest[idx+21],dest[idx+22],dest[idx+23],dest[idx+24],dest[idx+25],dest[idx+26]);
1159 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+27],dest[idx+28],dest[idx+29],dest[idx+30],dest[idx+31],dest[idx+32],dest[idx+33],dest[idx+34],dest[idx+35]);
1160 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+36],dest[idx+37],dest[idx+38],dest[idx+39],dest[idx+40],dest[idx+41],dest[idx+42],dest[idx+43],dest[idx+44]);
1161 Dbprintf("%d%d%d%d%d%d%d%d %d",dest[idx+45],dest[idx+46],dest[idx+47],dest[idx+48],dest[idx+49],dest[idx+50],dest[idx+51],dest[idx+52],dest[idx+53]);
1162 Dbprintf("%d%d%d%d%d%d%d%d %d%d",dest[idx+54],dest[idx+55],dest[idx+56],dest[idx+57],dest[idx+58],dest[idx+59],dest[idx+60],dest[idx+61],dest[idx+62],dest[idx+63]);
1163 }
1164 code = bytebits_to_byte(dest+idx,32);
1165 code2 = bytebits_to_byte(dest+idx+32,32);
1166 version = bytebits_to_byte(dest+idx+27,8); //14,4
1167 facilitycode = bytebits_to_byte(dest+idx+18,8);
1168 number = (bytebits_to_byte(dest+idx+36,8)<<8)|(bytebits_to_byte(dest+idx+45,8)); //36,9
1169
1170 Dbprintf("XSF(%02d)%02x:%05d (%08x%08x)",version,facilitycode,number,code,code2);
1171 // if we're only looking for one tag
1172 if (findone){
1173 if (ledcontrol) LED_A_OFF();
1174 //LED_A_OFF();
1175 *high=code;
1176 *low=code2;
1177 break;
1178 }
1179 code=code2=0;
1180 version=facilitycode=0;
1181 number=0;
1182 idx=0;
1183
1184 WDT_HIT();
1185 }
1186 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1187 DbpString("Stopped");
1188 if (ledcontrol) LED_A_OFF();
1189 }
1190
1191 /*------------------------------
1192 * T5555/T5557/T5567/T5577 routines
1193 *------------------------------
1194 * NOTE: T55x7/T5555 configuration register definitions moved to protocols.h
1195 *
1196 * Relevant communication times in microsecond
1197 * To compensate antenna falling times shorten the write times
1198 * and enlarge the gap ones.
1199 * Q5 tags seems to have issues when these values changes.
1200 */
1201 /*
1202 // Original Timings for reference
1203
1204 #define START_GAP 31*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (or 15fc)
1205 #define WRITE_GAP 20*8 // was 160 // SPEC: 1*8 to 20*8 - typ 10*8 (or 10fc)
1206 #define WRITE_0 18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc)
1207 #define WRITE_1 50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc) 432 for T55x7; 448 for E5550
1208 #define READ_GAP 15*8
1209 */
1210
1211 // Structure to hold Timing values. In future will be simplier to add user changable timings.
1212 typedef struct {
1213 uint16_t START_GAP;
1214 uint16_t WRITE_GAP;
1215 uint16_t WRITE_0;
1216 uint16_t WRITE_1;
1217 uint16_t WRITE_2;
1218 uint16_t WRITE_3;
1219 uint16_t READ_GAP;
1220 } T55xx_Timing;
1221
1222 /*
1223 T5577 Timeing from datasheet for reference
1224
1225 Fixed bit length
1226 ----------------
1227 Normal Down Link Fast Downlink
1228 Min Typ Max Min Typ Max
1229 Start gap 8 15 50 8 15 50
1230 Write gap 8 10 20 8 10 20
1231 0 data 16 24 32 8 12 16
1232 1 data 48 56 64 24 28 32
1233
1234
1235 Long Leading Reference
1236 ----------------------
1237 Normal Down Link Fast Downlink
1238 Min Typ Max Min Typ Max
1239 Start gap 8 10 50 8 10 50
1240 Write gap 8 10 20 8 10 20
1241 Reference(r) 152 160 168 140 144 148
1242 136 + 0 data 132 + 0 data
1243 0 data r - 143 r - 136 r - 128 r - 135 r - 132 r - 124
1244 1 data r - 111 r - 104 r - 96 r - 119 r - 116 r - 112
1245
1246
1247 Leading Zero Reference
1248 ----------------------
1249 Normal Down Link Fast Downlink
1250 Min Typ Max Min Typ Max
1251 Start gap 8 10 50 8 10 50
1252 Write gap 8 10 20 8 10 20
1253 Reference(r) 12 - 72 8 - 68
1254 0 data r - 7 r r + 8 r - 3 r r + 4
1255 1 data r + 9 r + 16 r + 24 r + 5 r + 8 r + 12
1256
1257
1258 1 of 4 Coding
1259 -------------
1260 Normal Down Link Fast Downlink
1261 Min Typ Max Min Typ Max
1262 Start gap 8 10 50 8 10 50
1263 Write gap 8 10 20 8 10 20
1264 Reference(r) 8 - 68 12 - 72
1265 00 data r - 7 r r + 8 r - 3 r r + 4
1266 01 data r + 9 r + 16 r + 24 r + 5 r + 8 r + 12
1267 10 data r + 25 r + 32 r + 40 r + 13 r + 16 r + 20
1268 11 data r + 41 r + 48 r + 56 r + 21 r + 24 r + 28
1269
1270 */
1271
1272 // Set Initial/Default Values. Note: *8 can occure when used. This should keep things simplier here.
1273 T55xx_Timing T55xx_Timing_FixedBit = { 31 * 8 , 20 * 8 , 18 * 8 , 50 * 8 , 0 , 0 , 15 * 8 };
1274 T55xx_Timing T55xx_Timing_LLR = { 31 * 8 , 20 * 8 , 18 * 8 , 50 * 8 , 0 , 0 , 15 * 8 };
1275 T55xx_Timing T55xx_Timing_Leading0 = { 31 * 8 , 20 * 8 , 18 * 8 , 40 * 8 , 0 , 0 , 15 * 8 };
1276 T55xx_Timing T55xx_Timing_1of4 = { 31 * 8 , 20 * 8 , 18 * 8 , 34 * 8 , 50 * 8 , 66 * 8 , 15 * 8 };
1277
1278
1279 // Some defines for readability
1280 #define T55xx_LongLeadingReference 4 // Value to tell Write Bit to send long reference
1281 #define T55xx_DLMode_Fixed 0 // Default Mode
1282 #define T55xx_DLMode_LLR 1 // Long Leading Reference
1283 #define T55xx_DLMode_Leading0 2 // Leading Zero
1284 #define T55xx_DLMode_1of4 3 // 1 of 4
1285
1286 void TurnReadLFOn(int delay) {
1287 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
1288 // Give it a bit of time for the resonant antenna to settle.
1289 WaitUS(delay); //155*8 //50*8
1290 }
1291
1292 // Write one bit to card
1293 void T55xxWriteBit(int bit, T55xx_Timing *Timings) {
1294
1295 // If bit = 4 Send Long Leading Reference which is 138 + WRITE_0
1296
1297 switch (bit){
1298 case 0 : TurnReadLFOn(Timings->WRITE_0); break; // Send bit 0/00
1299 case 1 : TurnReadLFOn(Timings->WRITE_1); break; // Send bit 1/01
1300 case 2 : TurnReadLFOn(Timings->WRITE_2); break; // Send bits 10
1301 case 3 : TurnReadLFOn(Timings->WRITE_3); break; // Send bits 11
1302 case 4 : TurnReadLFOn(Timings->WRITE_0 + (136 * 8)); break; // Send Long Leading Reference
1303 }
1304 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1305 WaitUS(Timings->WRITE_GAP);
1306 }
1307
1308
1309 // Function to abstract an Arbitrary length byte array to store bit pattern.
1310 // bit_array - Array to hold data/bit pattern
1311 // start_offset - bit location to start storing new bits.
1312 // data - upto 32 bits of data to store
1313 // num_bits - how many bits (low x bits of data) Max 32 bits at a time
1314 // max_len - how many bytes can the bit_array hold (ensure no buffer overflow)
1315 // returns "Next" bit offset / bits stored (for next store)
1316 int T55xx_SetBits (uint8_t *bit_array, int start_offset, uint32_t data , int num_bits, int max_len)
1317 {
1318 int bit,byte_idx, bit_idx;
1319 int offset;
1320 int NextOffset = start_offset;
1321
1322 // Check if data will fit.
1323 if ((start_offset + num_bits) <= (max_len*8)) {
1324
1325 // Loop through the data and store
1326 for (offset = (num_bits-1); offset >= 0; offset--) {
1327
1328 bit = (data >> offset) & 1; // Get data bit value (0/1)
1329 byte_idx = (NextOffset / 8); // Get Array Byte Index to Store
1330 bit_idx = NextOffset - (byte_idx * 8); // Get Bit Index to set/clr
1331
1332 // If set (1) we OR, if clear (0) we AND with inverse
1333 // Dbprintf ("Add Bit : %d at byte %d bit %d",bit,byte_idx,bit_idx);
1334 if (bit == 1)
1335 bit_array[byte_idx] |= (1 << bit_idx); // Set the bit to 1
1336
1337 else
1338 bit_array[byte_idx] &= (0xff ^ (1 << bit_idx)); // Set the bit to 0 (clr)
1339
1340 NextOffset++;
1341 }
1342 }
1343 else
1344 Dbprintf ("Too Many Bits to fit into bit buffer");
1345 return NextOffset;
1346 }
1347
1348 // Send T5577 reset command then read stream (see if we can identify the start of the stream)
1349 void T55xxResetRead(void) {
1350 LED_A_ON();
1351 //clear buffer now so it does not interfere with timing later
1352 BigBuf_Clear_keep_EM();
1353
1354 // Set up FPGA, 125kHz
1355 LFSetupFPGAForADC(95, true);
1356 StartTicks();
1357 // make sure tag is fully powered up...
1358 WaitMS(5);
1359
1360 // Trigger T55x7 in mode.
1361 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1362 WaitUS(T55xx_Timing_FixedBit.START_GAP);
1363
1364 // reset tag - op code 00
1365 T55xxWriteBit(0,&T55xx_Timing_FixedBit);
1366 T55xxWriteBit(0,&T55xx_Timing_FixedBit);
1367
1368 TurnReadLFOn(T55xx_Timing_FixedBit.READ_GAP);
1369
1370 // Acquisition
1371 DoPartialAcquisition(0, true, BigBuf_max_traceLen(), 0);
1372
1373 // Turn the field off
1374 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1375 cmd_send(CMD_ACK,0,0,0,0,0);
1376 LED_A_OFF();
1377 }
1378
1379 // Send one downlink command to the card
1380 void T55xx_SendCMD (uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) { //, bool read_cmd) {//, struct T55xx_Timing *Timing) {
1381
1382 /*
1383 arg bits
1384 xxxxxxx1 0x01 PwdMode
1385 xxxxxx1x 0x02 Page
1386 xxxxx1xx 0x04 testMode
1387 xxx11xxx 0x18 downlink mode
1388 xx1xxxxx 0x20 reg_readmode
1389 x1xxxxxx 0x40 called for a read, so no data packet
1390
1391 */
1392 bool PwdMode = ((arg & 0x01) == 0x01);
1393 uint8_t Page = (arg & 0x02) >> 1;
1394 bool testMode = ((arg & 0x04) == 0x04);
1395 uint8_t downlink_mode = (arg >> 3) & 0x03;;
1396 bool reg_readmode = ((arg & 0x20) == 0x20);
1397 bool read_cmd = ((arg & 0x40) == 0x40);
1398
1399 int i = 0;
1400 uint8_t BitStream[10]; // Max Downlink Command size ~75 bits, so 10 bytes (80 bits)
1401 uint8_t BitStreamLen;
1402 int byte_idx, bit_idx;
1403 T55xx_Timing *Timing;
1404
1405
1406 // Assigning Downlink Timeing for write
1407 switch (downlink_mode)
1408 {
1409 case T55xx_DLMode_Fixed : Timing = &T55xx_Timing_FixedBit; break;
1410 case T55xx_DLMode_LLR : Timing = &T55xx_Timing_LLR; break;
1411 case T55xx_DLMode_Leading0 : Timing = &T55xx_Timing_Leading0; break;
1412 case T55xx_DLMode_1of4 : Timing = &T55xx_Timing_1of4; break;
1413 default:
1414 Timing = &T55xx_Timing_FixedBit;
1415 }
1416
1417 // Build Bit Stream to send.
1418 memset (BitStream,0x00,sizeof(BitStream));
1419
1420 BitStreamLen = 0;
1421
1422 // Add Leading 0 and 1 of 4 reference bit
1423 if ((downlink_mode == T55xx_DLMode_Leading0) || (downlink_mode == T55xx_DLMode_1of4))
1424 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 1,sizeof(BitStream));
1425
1426 // Add extra reference 0 for 1 of 4
1427 if (downlink_mode == T55xx_DLMode_1of4)
1428 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 1,sizeof(BitStream));
1429
1430 // Add Opcode
1431 if (testMode) Dbprintf("TestMODE");
1432 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen,testMode ? 0 : 1 , 1,sizeof(BitStream));
1433 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen,testMode ? 1 : Page , 1,sizeof(BitStream));
1434
1435 if (PwdMode) {
1436
1437 // Leading 0 and 1 of 4 00 fixed bits if passsword used
1438 if ((downlink_mode == T55xx_DLMode_Leading0) || (downlink_mode == T55xx_DLMode_1of4)) {
1439 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 1,sizeof(BitStream));
1440 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 1,sizeof(BitStream));
1441 }
1442 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, Pwd, 32,sizeof(BitStream));
1443
1444 }
1445 // Add Lock bit
1446 BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, 0, 1,sizeof(BitStream));
1447
1448 // Add Data if a write command
1449 if (!read_cmd) BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, Data, 32,sizeof(BitStream));
1450
1451 // Add Address
1452 if (!reg_readmode) BitStreamLen = T55xx_SetBits (BitStream, BitStreamLen, Block, 3,sizeof(BitStream));
1453
1454
1455
1456 // Send Bits to T55xx
1457
1458 // Set up FPGA, 125kHz
1459 LFSetupFPGAForADC(95, true);
1460 StartTicks();
1461 // make sure tag is fully powered up...
1462 WaitMS(5);
1463 // Trigger T55x7 in mode.
1464 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1465 WaitUS(Timing->START_GAP);
1466
1467
1468 // If long leading 0 send long reference pulse
1469 if (downlink_mode == T55xx_DLMode_LLR)
1470 T55xxWriteBit (T55xx_LongLeadingReference,Timing); // Send Long Leading Start Reference
1471
1472 uint8_t SendBits;
1473
1474 if (downlink_mode == T55xx_DLMode_1of4) { // 1 of 4 need to send 2 bits at a time
1475 for (i = 0; i < BitStreamLen; i+=2) {
1476 byte_idx = i / 8;
1477 bit_idx = i - (byte_idx * 8);
1478 SendBits = ((BitStream[byte_idx] >> bit_idx) & 1) << 1;
1479
1480 byte_idx = (i+1) / 8;
1481 bit_idx = (i+1) - (byte_idx * 8);
1482 SendBits += (BitStream[byte_idx] >> bit_idx) & 1;
1483
1484 T55xxWriteBit (SendBits,Timing);
1485 }
1486 }
1487 else {
1488 for (i = 0; i < BitStreamLen; i++) {
1489 byte_idx = i / 8;
1490 bit_idx = i - (byte_idx * 8);
1491 SendBits = (BitStream[byte_idx] >> bit_idx) & 1;
1492 T55xxWriteBit (SendBits,Timing);
1493 }
1494 }
1495
1496 }
1497
1498 // Write one card block in page 0, no lock
1499 void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
1500 /*
1501 arg bits
1502 xxxxxxx1 0x01 PwdMode
1503 xxxxxx1x 0x02 Page
1504 xxxxx1xx 0x04 testMode
1505 xxx11xxx 0x18 downlink mode
1506 xx1xxxxx 0x20 reg_readmode
1507 x1xxxxxx 0x40 called for a read, so no data packet
1508 */
1509
1510 bool testMode = ((arg & 0x04) == 0x04);
1511 arg &= (0xff ^ 0x40); // Called for a write, so ensure it is clear/0
1512
1513 LED_A_ON ();
1514 T55xx_SendCMD (Data, Block, Pwd, arg) ;//, false);
1515
1516 // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
1517 // so wait a little more)
1518
1519 // "there is a clock delay before programming"
1520 // - programming takes ~5.6ms for t5577 ~18ms for E5550 or t5567
1521 // so we should wait 1 clock + 5.6ms then read response?
1522 // but we need to know we are dealing with t5577 vs t5567 vs e5550 (or q5) marshmellow...
1523 if (testMode) {
1524 //TESTMODE TIMING TESTS:
1525 // <566us does nothing
1526 // 566-568 switches between wiping to 0s and doing nothing
1527 // 5184 wipes and allows 1 block to be programmed.
1528 // indefinite power on wipes and then programs all blocks with bitshifted data sent.
1529 TurnReadLFOn(5184);
1530
1531 } else {
1532 TurnReadLFOn(20 * 1000);
1533 //could attempt to do a read to confirm write took
1534 // as the tag should repeat back the new block
1535 // until it is reset, but to confirm it we would
1536 // need to know the current block 0 config mode for
1537 // modulation clock an other details to demod the response...
1538 // response should be (for t55x7) a 0 bit then (ST if on)
1539 // block data written in on repeat until reset.
1540
1541 //DoPartialAcquisition(20, true, 12000);
1542 }
1543 // turn field off
1544 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1545
1546 cmd_send(CMD_ACK,0,0,0,0,0);
1547
1548 LED_A_OFF ();
1549 }
1550
1551 // Read one card block in page [page]
1552 void T55xxReadBlock (uint16_t arg0, uint8_t Block, uint32_t Pwd) {//, struct T55xx_Timing *Timing) {
1553
1554 LED_A_ON();
1555
1556 /*
1557 arg bits
1558 xxxxxxx1 0x01 PwdMode
1559 xxxxxx1x 0x02 Page
1560 xxxxx1xx 0x04 testMode
1561 xxx11xxx 0x18 downlink mode
1562 xx1xxxxx 0x20 reg_readmode
1563 x1xxxxxx 0x40 called for a read, so no data packet
1564 */
1565
1566 // Set Read Flag to ensure SendCMD does not add "data" to the packet
1567 arg0 |= 0x40;
1568
1569
1570 if (Block == 0xff) arg0 |= 0x20;
1571
1572 //make sure block is at max 7
1573 Block &= 0x7;
1574 //clear buffer now so it does not interfere with timing later
1575 BigBuf_Clear_ext(false);
1576
1577 T55xx_SendCMD (0, Block, Pwd, arg0); //, true);
1578
1579
1580 // Turn field on to read the response
1581 // 137*8 seems to get to the start of data pretty well...
1582 // but we want to go past the start and let the repeating data settle in...
1583 TurnReadLFOn(210*8);
1584
1585 // Acquisition
1586 // Now do the acquisition
1587 DoPartialAcquisition(0, true, 12000, 0);
1588
1589 // Turn the field off
1590 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1591 cmd_send(CMD_ACK,0,0,0,0,0);
1592
1593 LED_A_OFF();
1594 }
1595
1596 void T55xxWakeUp(uint32_t Pwd){
1597 LED_B_ON();
1598 uint32_t i = 0;
1599
1600 // Set up FPGA, 125kHz
1601 LFSetupFPGAForADC(95, true);
1602 StartTicks();
1603 // make sure tag is fully powered up...
1604 WaitMS(5);
1605
1606 // Trigger T55x7 Direct Access Mode
1607 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1608 WaitUS(T55xx_Timing_FixedBit.START_GAP);
1609
1610 // Opcode 10
1611 T55xxWriteBit(1,&T55xx_Timing_FixedBit);
1612 T55xxWriteBit(0,&T55xx_Timing_FixedBit); //Page 0
1613
1614 // Send Pwd
1615
1616 for (i = 0x80000000; i != 0; i >>= 1)
1617 T55xxWriteBit(Pwd & i,&T55xx_Timing_FixedBit);
1618
1619 // Turn and leave field on to let the begin repeating transmission
1620 TurnReadLFOn(20*1000);
1621 }
1622
1623 /*-------------- Cloning routines -----------*/
1624
1625 void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
1626 // write last block first and config block last (if included)
1627 for (uint8_t i = numblocks+startblock; i > startblock; i--) {
1628 T55xxWriteBlock(blockdata[i-1],i-1,0,0);//,false); //,&T55xx_Timing_FixedBit);
1629 // T55xx_SendCMD (blockdata[i-1],i-1,0,0);//,false); //,&T55xx_Timing_FixedBit);
1630 }
1631 }
1632
1633 // Copy a HID-like card (e.g. HID Proximity, Paradox) to a T55x7 compatible card
1634 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, uint8_t preamble) {
1635 uint32_t data[] = {0,0,0,0,0,0,0};
1636 uint8_t last_block = 0;
1637
1638 if (longFMT) {
1639 // Ensure no more than 84 bits supplied
1640 if (hi2>0xFFFFF) {
1641 DbpString("Tags can only have 84 bits.");
1642 return;
1643 }
1644 // Build the 6 data blocks for supplied 84bit ID
1645 last_block = 6;
1646 // load preamble & long format identifier (9E manchester encoded)
1647 data[1] = (preamble << 24) | 0x96A900 | (manchesterEncode2Bytes((hi2 >> 16) & 0xF) & 0xFF);
1648 // load raw id from hi2, hi, lo to data blocks (manchester encoded)
1649 data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF);
1650 data[3] = manchesterEncode2Bytes(hi >> 16);
1651 data[4] = manchesterEncode2Bytes(hi & 0xFFFF);
1652 data[5] = manchesterEncode2Bytes(lo >> 16);
1653 data[6] = manchesterEncode2Bytes(lo & 0xFFFF);
1654 } else {
1655 // Ensure no more than 44 bits supplied
1656 if (hi>0xFFF) {
1657 DbpString("Tags can only have 44 bits.");
1658 return;
1659 }
1660 // Build the 3 data blocks for supplied 44bit ID
1661 last_block = 3;
1662 // load preamble
1663 data[1] = (preamble << 24) | (manchesterEncode2Bytes(hi) & 0xFFFFFF);
1664 data[2] = manchesterEncode2Bytes(lo >> 16);
1665 data[3] = manchesterEncode2Bytes(lo & 0xFFFF);
1666 }
1667 // load chip config block
1668 data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT;
1669
1670 //TODO add selection of chip for Q5 or T55x7
1671 // data[0] = (((50-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | last_block << T5555_MAXBLOCK_SHIFT;
1672
1673 LED_D_ON();
1674 // Program the data blocks for supplied ID
1675 // and the block 0 for HID format
1676 WriteT55xx(data, 0, last_block+1);
1677
1678 LED_D_OFF();
1679
1680 DbpString("DONE!");
1681 }
1682
1683 void CopyIOtoT55x7(uint32_t hi, uint32_t lo) {
1684 uint32_t data[] = {T55x7_BITRATE_RF_64 | T55x7_MODULATION_FSK2a | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
1685 //TODO add selection of chip for Q5 or T55x7
1686 // data[0] = (((64-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | 2 << T5555_MAXBLOCK_SHIFT;
1687
1688 LED_D_ON();
1689 // Program the data blocks for supplied ID
1690 // and the block 0 config
1691 WriteT55xx(data, 0, 3);
1692
1693 LED_D_OFF();
1694
1695 DbpString("DONE!");
1696 }
1697
1698 // Clone Indala 64-bit tag by UID to T55x7
1699 void CopyIndala64toT55x7(uint32_t hi, uint32_t lo) {
1700 //Program the 2 data blocks for supplied 64bit UID
1701 // and the Config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2)
1702 uint32_t data[] = { T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
1703 //TODO add selection of chip for Q5 or T55x7
1704 // data[0] = (((32-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 2 << T5555_MAXBLOCK_SHIFT;
1705
1706 WriteT55xx(data, 0, 3);
1707 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
1708 // T5567WriteBlock(0x603E1042,0);
1709 DbpString("DONE!");
1710 }
1711 // Clone Indala 224-bit tag by UID to T55x7
1712 void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7) {
1713 //Program the 7 data blocks for supplied 224bit UID
1714 uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7};
1715 // and the block 0 for Indala224 format
1716 //Config for Indala (RF/32;PSK2 with RF/2;Maxblock=7)
1717 data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK2 | (7 << T55x7_MAXBLOCK_SHIFT);
1718 //TODO add selection of chip for Q5 or T55x7
1719 // data[0] = (((32-2)>>1)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK2 | 7 << T5555_MAXBLOCK_SHIFT;
1720 WriteT55xx(data, 0, 8);
1721 //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
1722 // T5567WriteBlock(0x603E10E2,0);
1723 DbpString("DONE!");
1724 }
1725 // clone viking tag to T55xx
1726 void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5) {
1727 uint32_t data[] = {T55x7_BITRATE_RF_32 | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT), block1, block2};
1728 if (Q5) data[0] = T5555_SET_BITRATE(32) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
1729 // Program the data blocks for supplied ID and the block 0 config
1730 WriteT55xx(data, 0, 3);
1731 LED_D_OFF();
1732 cmd_send(CMD_ACK,0,0,0,0,0);
1733 }
1734
1735 // Define 9bit header for EM410x tags
1736 #define EM410X_HEADER 0x1FF
1737 #define EM410X_ID_LENGTH 40
1738
1739 void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo) {
1740 int i, id_bit;
1741 uint64_t id = EM410X_HEADER;
1742 uint64_t rev_id = 0; // reversed ID
1743 int c_parity[4]; // column parity
1744 int r_parity = 0; // row parity
1745 uint32_t clock = 0;
1746
1747 // Reverse ID bits given as parameter (for simpler operations)
1748 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1749 if (i < 32) {
1750 rev_id = (rev_id << 1) | (id_lo & 1);
1751 id_lo >>= 1;
1752 } else {
1753 rev_id = (rev_id << 1) | (id_hi & 1);
1754 id_hi >>= 1;
1755 }
1756 }
1757
1758 for (i = 0; i < EM410X_ID_LENGTH; ++i) {
1759 id_bit = rev_id & 1;
1760
1761 if (i % 4 == 0) {
1762 // Don't write row parity bit at start of parsing
1763 if (i)
1764 id = (id << 1) | r_parity;
1765 // Start counting parity for new row
1766 r_parity = id_bit;
1767 } else {
1768 // Count row parity
1769 r_parity ^= id_bit;
1770 }
1771
1772 // First elements in column?
1773 if (i < 4)
1774 // Fill out first elements
1775 c_parity[i] = id_bit;
1776 else
1777 // Count column parity
1778 c_parity[i % 4] ^= id_bit;
1779
1780 // Insert ID bit
1781 id = (id << 1) | id_bit;
1782 rev_id >>= 1;
1783 }
1784
1785 // Insert parity bit of last row
1786 id = (id << 1) | r_parity;
1787
1788 // Fill out column parity at the end of tag
1789 for (i = 0; i < 4; ++i)
1790 id = (id << 1) | c_parity[i];
1791
1792 // Add stop bit
1793 id <<= 1;
1794
1795 Dbprintf("Started writing %s tag ...", card ? "T55x7":"T5555");
1796 LED_D_ON();
1797
1798 // Write EM410x ID
1799 uint32_t data[] = {0, (uint32_t)(id>>32), (uint32_t)(id & 0xFFFFFFFF)};
1800
1801 clock = (card & 0xFF00) >> 8;
1802 clock = (clock == 0) ? 64 : clock;
1803 Dbprintf("Clock rate: %d", clock);
1804 if (card & 0xFF) { //t55x7
1805 clock = GetT55xxClockBit(clock);
1806 if (clock == 0) {
1807 Dbprintf("Invalid clock rate: %d", clock);
1808 return;
1809 }
1810 data[0] = clock | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT);
1811 } else { //t5555 (Q5)
1812 data[0] = T5555_SET_BITRATE(clock) | T5555_MODULATION_MANCHESTER | (2 << T5555_MAXBLOCK_SHIFT);
1813 }
1814
1815 WriteT55xx(data, 0, 3);
1816
1817 LED_D_OFF();
1818 Dbprintf("Tag %s written with 0x%08x%08x\n", card ? "T55x7":"T5555",
1819 (uint32_t)(id >> 32), (uint32_t)id);
1820 }
1821
1822 //-----------------------------------
1823 // EM4469 / EM4305 routines
1824 //-----------------------------------
1825 #define FWD_CMD_LOGIN 0xC //including the even parity, binary mirrored
1826 #define FWD_CMD_WRITE 0xA
1827 #define FWD_CMD_READ 0x9
1828 #define FWD_CMD_DISABLE 0x5
1829
1830 uint8_t forwardLink_data[64]; //array of forwarded bits
1831 uint8_t * forward_ptr; //ptr for forward message preparation
1832 uint8_t fwd_bit_sz; //forwardlink bit counter
1833 uint8_t * fwd_write_ptr; //forwardlink bit pointer
1834
1835 //====================================================================
1836 // prepares command bits
1837 // see EM4469 spec
1838 //====================================================================
1839 //--------------------------------------------------------------------
1840 // VALUES TAKEN FROM EM4x function: SendForward
1841 // START_GAP = 440; (55*8) cycles at 125Khz (8us = 1cycle)
1842 // WRITE_GAP = 128; (16*8)
1843 // WRITE_1 = 256 32*8; (32*8)
1844
1845 // These timings work for 4469/4269/4305 (with the 55*8 above)
1846 // WRITE_0 = 23*8 , 9*8 SpinDelayUs(23*8);
1847
1848 uint8_t Prepare_Cmd( uint8_t cmd ) {
1849
1850 *forward_ptr++ = 0; //start bit
1851 *forward_ptr++ = 0; //second pause for 4050 code
1852
1853 *forward_ptr++ = cmd;
1854 cmd >>= 1;
1855 *forward_ptr++ = cmd;
1856 cmd >>= 1;
1857 *forward_ptr++ = cmd;
1858 cmd >>= 1;
1859 *forward_ptr++ = cmd;
1860
1861 return 6; //return number of emited bits
1862 }
1863
1864 //====================================================================
1865 // prepares address bits
1866 // see EM4469 spec
1867 //====================================================================
1868 uint8_t Prepare_Addr( uint8_t addr ) {
1869
1870 register uint8_t line_parity;
1871
1872 uint8_t i;
1873 line_parity = 0;
1874 for(i=0;i<6;i++) {
1875 *forward_ptr++ = addr;
1876 line_parity ^= addr;
1877 addr >>= 1;
1878 }
1879
1880 *forward_ptr++ = (line_parity & 1);
1881
1882 return 7; //return number of emited bits
1883 }
1884
1885 //====================================================================
1886 // prepares data bits intreleaved with parity bits
1887 // see EM4469 spec
1888 //====================================================================
1889 uint8_t Prepare_Data( uint16_t data_low, uint16_t data_hi) {
1890
1891 register uint8_t line_parity;
1892 register uint8_t column_parity;
1893 register uint8_t i, j;
1894 register uint16_t data;
1895
1896 data = data_low;
1897 column_parity = 0;
1898
1899 for(i=0; i<4; i++) {
1900 line_parity = 0;
1901 for(j=0; j<8; j++) {
1902 line_parity ^= data;
1903 column_parity ^= (data & 1) << j;
1904 *forward_ptr++ = data;
1905 data >>= 1;
1906 }
1907 *forward_ptr++ = line_parity;
1908 if(i == 1)
1909 data = data_hi;
1910 }
1911
1912 for(j=0; j<8; j++) {
1913 *forward_ptr++ = column_parity;
1914 column_parity >>= 1;
1915 }
1916 *forward_ptr = 0;
1917
1918 return 45; //return number of emited bits
1919 }
1920
1921 //====================================================================
1922 // Forward Link send function
1923 // Requires: forwarLink_data filled with valid bits (1 bit per byte)
1924 // fwd_bit_count set with number of bits to be sent
1925 //====================================================================
1926 void SendForward(uint8_t fwd_bit_count) {
1927
1928 fwd_write_ptr = forwardLink_data;
1929 fwd_bit_sz = fwd_bit_count;
1930
1931 // Set up FPGA, 125kHz or 95 divisor
1932 LFSetupFPGAForADC(95, true);
1933
1934 // force 1st mod pulse (start gap must be longer for 4305)
1935 fwd_bit_sz--; //prepare next bit modulation
1936 fwd_write_ptr++;
1937 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1938 WaitUS(55*8); //55 cycles off (8us each)for 4305 //another reader has 37 here...
1939 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
1940 WaitUS(18*8); //18 cycles on (8us each)
1941
1942 // now start writting
1943 while(fwd_bit_sz-- > 0) { //prepare next bit modulation
1944 if(((*fwd_write_ptr++) & 1) == 1)
1945 WaitUS(32*8); //32 cycles at 125Khz (8us each)
1946 else {
1947 //These timings work for 4469/4269/4305 (with the 55*8 above)
1948 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1949 WaitUS(23*8); //23 cycles off (8us each)
1950 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
1951 WaitUS(18*8); //18 cycles on (8us each)
1952 }
1953 }
1954 }
1955
1956 void EM4xLogin(uint32_t Password) {
1957
1958 uint8_t fwd_bit_count;
1959
1960 forward_ptr = forwardLink_data;
1961 fwd_bit_count = Prepare_Cmd( FWD_CMD_LOGIN );
1962 fwd_bit_count += Prepare_Data( Password&0xFFFF, Password>>16 );
1963
1964 SendForward(fwd_bit_count);
1965
1966 //Wait for command to complete
1967 SpinDelay(20);
1968 }
1969
1970 void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
1971
1972 uint8_t fwd_bit_count;
1973
1974 // Clear destination buffer before sending the command
1975 BigBuf_Clear_ext(false);
1976
1977 LED_A_ON();
1978 StartTicks();
1979 //If password mode do login
1980 if (PwdMode == 1) EM4xLogin(Pwd);
1981
1982 forward_ptr = forwardLink_data;
1983 fwd_bit_count = Prepare_Cmd( FWD_CMD_READ );
1984 fwd_bit_count += Prepare_Addr( Address );
1985
1986 SendForward(fwd_bit_count);
1987 WaitUS(400);
1988 // Now do the acquisition
1989 DoPartialAcquisition(20, true, 6000, 1000);
1990
1991 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
1992 LED_A_OFF();
1993 cmd_send(CMD_ACK,0,0,0,0,0);
1994 }
1995
1996 void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) {
1997
1998 bool PwdMode = (flag & 0xF);
1999 uint8_t Address = (flag >> 8) & 0xFF;
2000 uint8_t fwd_bit_count;
2001
2002 //clear buffer now so it does not interfere with timing later
2003 BigBuf_Clear_ext(false);
2004
2005 LED_A_ON();
2006 StartTicks();
2007 //If password mode do login
2008 if (PwdMode) EM4xLogin(Pwd);
2009
2010 forward_ptr = forwardLink_data;
2011 fwd_bit_count = Prepare_Cmd( FWD_CMD_WRITE );
2012 fwd_bit_count += Prepare_Addr( Address );
2013 fwd_bit_count += Prepare_Data( Data&0xFFFF, Data>>16 );
2014
2015 SendForward(fwd_bit_count);
2016
2017 //Wait for write to complete
2018 //SpinDelay(10);
2019
2020 WaitUS(6500);
2021 //Capture response if one exists
2022 DoPartialAcquisition(20, true, 6000, 1000);
2023
2024 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
2025 LED_A_OFF();
2026 cmd_send(CMD_ACK,0,0,0,0,0);
2027 }
2028 /*
2029 Reading a COTAG.
2030
2031 COTAG needs the reader to send a startsequence and the card has an extreme slow datarate.
2032 because of this, we can "sample" the data signal but we interpreate it to Manchester direct.
2033
2034 READER START SEQUENCE:
2035 burst 800 us, gap 2.2 msecs
2036 burst 3.6 msecs gap 2.2 msecs
2037 burst 800 us gap 2.2 msecs
2038 pulse 3.6 msecs
2039
2040 This triggers a COTAG tag to response
2041 */
2042 void Cotag(uint32_t arg0) {
2043
2044 #define OFF { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); WaitUS(2035); }
2045 #define ON(x) { FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); WaitUS((x)); }
2046
2047 uint8_t rawsignal = arg0 & 0xF;
2048
2049 LED_A_ON();
2050
2051 // Switching to LF image on FPGA. This might empty BigBuff
2052 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
2053
2054 //clear buffer now so it does not interfere with timing later
2055 BigBuf_Clear_ext(false);
2056
2057 // Set up FPGA, 132kHz to power up the tag
2058 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 89);
2059 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
2060
2061 // Connect the A/D to the peak-detected low-frequency path.
2062 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
2063
2064 // Now set up the SSC to get the ADC samples that are now streaming at us.
2065 FpgaSetupSsc(FPGA_MAJOR_MODE_LF_ADC);
2066
2067 // start clock - 1.5ticks is 1us
2068 StartTicks();
2069
2070 //send COTAG start pulse
2071 ON(740) OFF
2072 ON(3330) OFF
2073 ON(740) OFF
2074 ON(1000)
2075
2076 switch(rawsignal) {
2077 case 0: doCotagAcquisition(50000); break;
2078 case 1: doCotagAcquisitionManchester(); break;
2079 case 2: DoAcquisition_config(true, 0); break;
2080 }
2081
2082 // Turn the field off
2083 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
2084 cmd_send(CMD_ACK,0,0,0,0,0);
2085 LED_A_OFF();
2086 }
Proxmark3 GIT tracking
Impressum, Datenschutz