+ DbpString("Stopped");
+ if (ledcontrol) LED_A_OFF();
+}
+
+/*------------------------------
+ * T5555/T5557/T5567 routines
+ *------------------------------
+ * NOTE: T55x7/T5555 configuration register definitions moved to protocols.h
+ *
+ * Relevant communication times in microsecond
+ * To compensate antenna falling times shorten the write times
+ * and enlarge the gap ones.
+ * Q5 tags seems to have issues when these values changes.
+ */
+
+#define START_GAP 50*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (or 15fc)
+#define WRITE_GAP 20*8 // was 160 // SPEC: 1*8 to 20*8 - typ 10*8 (or 10fc)
+#define WRITE_0 16*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc)
+#define WRITE_1 50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc) 432 for T55x7; 448 for E5550
+#define READ_GAP 52*8
+
+// VALUES TAKEN FROM EM4x function: SendForward
+// START_GAP = 440; (55*8) cycles at 125Khz (8us = 1cycle)
+// WRITE_GAP = 128; (16*8)
+// WRITE_1 = 256 32*8; (32*8)
+
+// These timings work for 4469/4269/4305 (with the 55*8 above)
+// WRITE_0 = 23*8 , 9*8 SpinDelayUs(23*8);
+
+// Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
+// TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
+// Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
+// T0 = TIMER_CLOCK1 / 125000 = 192
+// 1 Cycle = 8 microseconds(us) == 1 field clock
+
+void TurnReadLFOn(int delay) {
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
+ // Give it a bit of time for the resonant antenna to settle.
+
+ // measure antenna strength.
+ //int adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
+ // where to save it
+
+ SpinDelayUs(delay);
+}
+
+// Write one bit to card
+void T55xxWriteBit(int bit) {
+ if (!bit)
+ TurnReadLFOn(WRITE_0);
+ else
+ TurnReadLFOn(WRITE_1);
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ SpinDelayUs(WRITE_GAP);
+}
+
+// Write one card block in page 0, no lock
+void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
+ LED_A_ON();
+ bool PwdMode = arg & 0x1;
+ uint8_t Page = (arg & 0x2)>>1;
+ uint32_t i = 0;
+
+ // Set up FPGA, 125kHz
+ LFSetupFPGAForADC(95, true);
+
+ // Trigger T55x7 in mode.
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ SpinDelayUs(START_GAP);
+
+ // Opcode 10
+ T55xxWriteBit(1);
+ T55xxWriteBit(Page); //Page 0
+ if (PwdMode){
+ // Send Pwd
+ for (i = 0x80000000; i != 0; i >>= 1)
+ T55xxWriteBit(Pwd & i);
+ }
+ // Send Lock bit
+ T55xxWriteBit(0);
+
+ // Send Data
+ for (i = 0x80000000; i != 0; i >>= 1)
+ T55xxWriteBit(Data & i);
+
+ // Send Block number
+ for (i = 0x04; i != 0; i >>= 1)
+ T55xxWriteBit(Block & i);
+
+ // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
+ // so wait a little more)
+ TurnReadLFOn(20 * 1000);
+ //could attempt to do a read to confirm write took
+ // as the tag should repeat back the new block
+ // until it is reset, but to confirm it we would
+ // need to know the current block 0 config mode
+
+ // turn field off
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ cmd_send(CMD_ACK,0,0,0,0,0);
+ LED_A_OFF();
+}
+
+// Read one card block in page 0
+void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) {
+ LED_A_ON();
+ bool PwdMode = arg0 & 0x1;
+ uint8_t Page = (arg0 & 0x2) >> 1;
+ uint32_t i = 0;
+ bool RegReadMode = (Block == 0xFF);
+
+ //clear buffer now so it does not interfere with timing later
+ BigBuf_Clear_ext(false);
+
+ //make sure block is at max 7
+ Block &= 0x7;
+
+ // Set up FPGA, 125kHz to power up the tag
+ LFSetupFPGAForADC(95, true);
+
+ // Trigger T55x7 Direct Access Mode with start gap
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ SpinDelayUs(START_GAP);
+
+ // Opcode 1[page]
+ T55xxWriteBit(1);
+ T55xxWriteBit(Page); //Page 0
+
+ if (PwdMode){
+ // Send Pwd
+ for (i = 0x80000000; i != 0; i >>= 1)
+ T55xxWriteBit(Pwd & i);
+ }
+ // Send a zero bit separation
+ T55xxWriteBit(0);
+
+ // Send Block number (if direct access mode)
+ if (!RegReadMode)
+ for (i = 0x04; i != 0; i >>= 1)
+ T55xxWriteBit(Block & i);
+
+ // Turn field on to read the response
+ TurnReadLFOn(READ_GAP);
+
+ // Acquisition
+ doT55x7Acquisition();
+
+ // Turn the field off
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
+ cmd_send(CMD_ACK,0,0,0,0,0);
+ LED_A_OFF();
+}
+
+void T55xxWakeUp(uint32_t Pwd){
+ LED_B_ON();
+ uint32_t i = 0;
+
+ // Set up FPGA, 125kHz
+ LFSetupFPGAForADC(95, true);
+
+ // Trigger T55x7 Direct Access Mode
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ SpinDelayUs(START_GAP);
+
+ // Opcode 10
+ T55xxWriteBit(1);
+ T55xxWriteBit(0); //Page 0
+
+ // Send Pwd
+ for (i = 0x80000000; i != 0; i >>= 1)
+ T55xxWriteBit(Pwd & i);
+
+ // Turn and leave field on to let the begin repeating transmission
+ TurnReadLFOn(20*1000);
+}
+
+/*-------------- Cloning routines -----------*/
+
+void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
+ // write last block first and config block last (if included)
+ for (uint8_t i = numblocks; i > startblock; i--)
+ T55xxWriteBlock(blockdata[i-1],i-1,0,0);
+}
+
+// Copy HID id to card and setup block 0 config
+void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) {
+ uint32_t data[] = {0,0,0,0,0,0,0};
+ //int data1=0, data2=0, data3=0, data4=0, data5=0, data6=0; //up to six blocks for long format
+ uint8_t last_block = 0;
+
+ if (longFMT){
+ // Ensure no more than 84 bits supplied
+ if (hi2>0xFFFFF) {
+ DbpString("Tags can only have 84 bits.");
+ return;
+ }
+ // Build the 6 data blocks for supplied 84bit ID
+ last_block = 6;
+ // load preamble (1D) & long format identifier (9E manchester encoded)
+ data[1] = 0x1D96A900 | manchesterEncode2Bytes((hi2 >> 16) & 0xF);
+ // load raw id from hi2, hi, lo to data blocks (manchester encoded)
+ data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF);
+ data[3] = manchesterEncode2Bytes(hi >> 16);
+ data[4] = manchesterEncode2Bytes(hi & 0xFFFF);
+ data[5] = manchesterEncode2Bytes(lo >> 16);
+ data[6] = manchesterEncode2Bytes(lo & 0xFFFF);
+ } else {
+ // Ensure no more than 44 bits supplied
+ if (hi>0xFFF) {
+ DbpString("Tags can only have 44 bits.");
+ return;
+ }
+ // Build the 3 data blocks for supplied 44bit ID
+ last_block = 3;
+ // load preamble
+ data[1] = 0x1D000000 | manchesterEncode2Bytes(hi & 0xFFF);
+ data[2] = manchesterEncode2Bytes(lo >> 16);
+ data[3] = manchesterEncode2Bytes(lo & 0xFFFF);
+ }
+ // load chip config block
+ data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT;
+
+ LED_D_ON();
+ // Program the data blocks for supplied ID
+ // and the block 0 for HID format
+ WriteT55xx(data, 0, last_block+1);
+
+ LED_D_OFF();
+
+ DbpString("DONE!");
+}
+
+void CopyIOtoT55x7(uint32_t hi, uint32_t lo, uint8_t longFMT)
+{
+ uint32_t data[] = {T55x7_BITRATE_RF_64 | T55x7_MODULATION_FSK2a | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
+
+ LED_D_ON();
+ // Program the data blocks for supplied ID
+ // and the block 0 config
+ WriteT55xx(data, 0, 3);
+
+ LED_D_OFF();
+
+ DbpString("DONE!");
+}
+
+// Clone Indala 64-bit tag by UID to T55x7
+void CopyIndala64toT55x7(uint32_t hi, uint32_t lo) {
+ //Program the 2 data blocks for supplied 64bit UID
+ // and the Config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2)
+ uint32_t data[] = { T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
+ WriteT55xx(data, 0, 3);
+ //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
+ // T5567WriteBlock(0x603E1042,0);
+ DbpString("DONE!");
+}
+// Clone Indala 224-bit tag by UID to T55x7
+void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7)
+{
+ //Program the 7 data blocks for supplied 224bit UID
+ uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7};
+ // and the block 0 for Indala224 format
+ //Config for Indala (RF/32;PSK1 with RF/2;Maxblock=7)
+ data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (7 << T55x7_MAXBLOCK_SHIFT);
+ WriteT55xx(data, 0, 8);
+ //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
+ // T5567WriteBlock(0x603E10E2,0);
+ DbpString("DONE!");
projects / proxmark3-svn / blobdiff