+ legic_prng_init(f->data);
+ frame_send_tag(0x3d, 6, 1); /* 0x3d^0x26 = 0x1B */
+ legic_state = STATE_IV;
+ legic_read_count = 0;
+ legic_prng_bc = 0;
+ legic_prng_iv = f->data;
+
+
+ ResetTimer(timer);
+ WaitUS(280);
+ return;
+ }
+
+ /* 0x19==??? */
+ if(legic_state == STATE_IV) {
+ int local_key = get_key_stream(3, 6);
+ int xored = 0x39 ^ local_key;
+ if((f->bits == 6) && (f->data == xored)) {
+ legic_state = STATE_CON;
+
+ ResetTimer(timer);
+ WaitUS(200);
+ return;
+
+ } else {
+ legic_state = STATE_DISCON;
+ LED_C_OFF();
+ Dbprintf("iv: %02x frame: %02x key: %02x xored: %02x", legic_prng_iv, f->data, local_key, xored);
+ return;
+ }
+ }
+
+ /* Read */
+ if(f->bits == 11) {
+ if(legic_state == STATE_CON) {
+ int key = get_key_stream(2, 11); //legic_phase_drift, 11);
+ int addr = f->data ^ key; addr = addr >> 1;
+ int data = BigBuf[addr];
+ int hash = legic4Crc(LEGIC_READ, addr, data, 11) << 8;
+ BigBuf[OFFSET_LOG+legic_read_count] = (uint8_t)addr;
+ legic_read_count++;
+
+ //Dbprintf("Data:%03.3x, key:%03.3x, addr: %03.3x, read_c:%u", f->data, key, addr, read_c);
+ legic_prng_forward(legic_reqresp_drift);
+
+ frame_send_tag(hash | data, 12, 1);
+
+ ResetTimer(timer);
+ legic_prng_forward(2);
+ WaitUS(180);
+ return;
+ }
+ }
+
+ /* Write */
+ if(f->bits == 23) {
+ int key = get_key_stream(-1, 23); //legic_frame_drift, 23);
+ int addr = f->data ^ key; addr = addr >> 1; addr = addr & 0x3ff;
+ int data = f->data ^ key; data = data >> 11; data = data & 0xff;
+
+ /* write command */
+ legic_state = STATE_DISCON;
+ LED_C_OFF();
+ Dbprintf("write - addr: %x, data: %x", addr, data);
+ return;
+ }
+
+ if(legic_state != STATE_DISCON) {
+ Dbprintf("Unexpected: sz:%u, Data:%03.3x, State:%u, Count:%u", f->bits, f->data, legic_state, legic_read_count);
+ int i;
+ Dbprintf("IV: %03.3x", legic_prng_iv);
+ for(i = 0; i<legic_read_count; i++) {
+ Dbprintf("Read Nb: %u, Addr: %u", i, BigBuf[OFFSET_LOG+i]);
+ }
+
+ for(i = -1; i<legic_read_count; i++) {
+ uint32_t t;
+ t = BigBuf[OFFSET_LOG+256+i*4];
+ t |= BigBuf[OFFSET_LOG+256+i*4+1] << 8;
+ t |= BigBuf[OFFSET_LOG+256+i*4+2] <<16;
+ t |= BigBuf[OFFSET_LOG+256+i*4+3] <<24;
+
+ Dbprintf("Cycles: %u, Frame Length: %u, Time: %u",
+ BigBuf[OFFSET_LOG+128+i],
+ BigBuf[OFFSET_LOG+384+i],
+ t);
+ }
+ }
+ legic_state = STATE_DISCON;
+ legic_read_count = 0;
+ SpinDelay(10);
+ LED_C_OFF();
+ return;
+}
+
+/* Read bit by bit untill full frame is received
+ * Call to process frame end answer
+ */
+static void emit(int bit) {
+
+ switch (bit) {
+ case 1:
+ frame_append_bit(¤t_frame, 1);
+ break;
+ case 0:
+ frame_append_bit(¤t_frame, 0);
+ break;
+ default:
+ if(current_frame.bits <= 4) {
+ frame_clean(¤t_frame);
+ } else {
+ frame_handle_tag(¤t_frame);
+ frame_clean(¤t_frame);
+ }
+ WDT_HIT();
+ break;
+ }
+}
+
+void LegicRfSimulate(int phase, int frame, int reqresp)
+{
+ /* ADC path high-frequency peak detector, FPGA in high-frequency simulator mode,
+ * modulation mode set to 212kHz subcarrier. We are getting the incoming raw
+ * envelope waveform on DIN and should send our response on DOUT.
+ *
+ * The LEGIC RF protocol is pulse-pause-encoding from reader to card, so we'll
+ * measure the time between two rising edges on DIN, and no encoding on the
+ * subcarrier from card to reader, so we'll just shift out our verbatim data
+ * on DOUT, 1 bit is 100us. The time from reader to card frame is still unclear,
+ * seems to be 300us-ish.
+ */
+
+ legic_phase_drift = phase;
+ legic_frame_drift = frame;
+ legic_reqresp_drift = reqresp;
+
+ FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+ SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+ FpgaSetupSsc();
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_212K);
+
+ /* Bitbang the receiver */
+ AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_DIN;
+ AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DIN;
+
+ //setup_timer();
+ crc_init(&legic_crc, 4, 0x19 >> 1, 0x5, 0);
+
+ int old_level = 0;
+ int active = 0;
+ legic_state = STATE_DISCON;
+
+ LED_B_ON();
+ DbpString("Starting Legic emulator, press button to end");
+
+ while(!BUTTON_PRESS() && !usb_poll_validate_length()) {
+ int level = !!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_DIN);
+ int time = timer->TC_CV;
+
+ if(level != old_level) {
+ if(level == 1) {
+ timer->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+
+ if (FUZZ_EQUAL(time, RWD_TIME_1, RWD_TIME_FUZZ)) {
+ /* 1 bit */
+ emit(1);
+ active = 1;
+ LED_A_ON();
+ } else if (FUZZ_EQUAL(time, RWD_TIME_0, RWD_TIME_FUZZ)) {
+ /* 0 bit */
+ emit(0);
+ active = 1;
+ LED_A_ON();
+ } else if (active) {
+ /* invalid */
+ emit(-1);
+ active = 0;
+ LED_A_OFF();
+ }
+ }
+ }
+
+ /* Frame end */
+ if(time >= (RWD_TIME_1+RWD_TIME_FUZZ) && active) {
+ emit(-1);
+ active = 0;
+ LED_A_OFF();
+ }
+
+ if(time >= (20*RWD_TIME_1) && (timer->TC_SR & AT91C_TC_CLKSTA)) {
+ timer->TC_CCR = AT91C_TC_CLKDIS;
+ }
+
+ old_level = level;
+ WDT_HIT();
+ }
+ if ( MF_DBGLEVEL >= 1) DbpString("Stopped");
+ LEDsoff();
+}
+
+//-----------------------------------------------------------------------------
+// Code up a string of octets at layer 2 (including CRC, we don't generate
+// that here) so that they can be transmitted to the reader. Doesn't transmit
+// them yet, just leaves them ready to send in ToSend[].
+//-----------------------------------------------------------------------------
+// static void CodeLegicAsTag(const uint8_t *cmd, int len)
+// {
+ // int i;
+
+ // ToSendReset();
+
+ // // Transmit a burst of ones, as the initial thing that lets the
+ // // reader get phase sync. This (TR1) must be > 80/fs, per spec,
+ // // but tag that I've tried (a Paypass) exceeds that by a fair bit,
+ // // so I will too.
+ // for(i = 0; i < 20; i++) {
+ // ToSendStuffBit(1);
+ // ToSendStuffBit(1);
+ // ToSendStuffBit(1);
+ // ToSendStuffBit(1);
+ // }
+
+ // // Send SOF.
+ // for(i = 0; i < 10; i++) {
+ // ToSendStuffBit(0);
+ // ToSendStuffBit(0);
+ // ToSendStuffBit(0);
+ // ToSendStuffBit(0);
+ // }
+ // for(i = 0; i < 2; i++) {
+ // ToSendStuffBit(1);
+ // ToSendStuffBit(1);
+ // ToSendStuffBit(1);
+ // ToSendStuffBit(1);
+ // }
+
+ // for(i = 0; i < len; i++) {
+ // int j;
+ // uint8_t b = cmd[i];
+
+ // // Start bit
+ // ToSendStuffBit(0);
+ // ToSendStuffBit(0);
+ // ToSendStuffBit(0);
+ // ToSendStuffBit(0);
+
+ // // Data bits
+ // for(j = 0; j < 8; j++) {
+ // if(b & 1) {
+ // ToSendStuffBit(1);
+ // ToSendStuffBit(1);
+ // ToSendStuffBit(1);
+ // ToSendStuffBit(1);
+ // } else {
+ // ToSendStuffBit(0);
+ // ToSendStuffBit(0);
+ // ToSendStuffBit(0);
+ // ToSendStuffBit(0);
+ // }
+ // b >>= 1;
+ // }
+
+ // // Stop bit
+ // ToSendStuffBit(1);
+ // ToSendStuffBit(1);
+ // ToSendStuffBit(1);
+ // ToSendStuffBit(1);
+ // }
+
+ // // Send EOF.
+ // for(i = 0; i < 10; i++) {
+ // ToSendStuffBit(0);
+ // ToSendStuffBit(0);
+ // ToSendStuffBit(0);
+ // ToSendStuffBit(0);
+ // }
+ // for(i = 0; i < 2; i++) {
+ // ToSendStuffBit(1);
+ // ToSendStuffBit(1);
+ // ToSendStuffBit(1);
+ // ToSendStuffBit(1);
+ // }
+
+ // // Convert from last byte pos to length
+ // ToSendMax++;
+// }
+
+//-----------------------------------------------------------------------------
+// The software UART that receives commands from the reader, and its state
+// variables.
+//-----------------------------------------------------------------------------
+/*
+static struct {
+ enum {
+ STATE_UNSYNCD,
+ STATE_GOT_FALLING_EDGE_OF_SOF,
+ STATE_AWAITING_START_BIT,
+ STATE_RECEIVING_DATA
+ } state;
+ uint16_t shiftReg;
+ int bitCnt;
+ int byteCnt;
+ int byteCntMax;
+ int posCnt;
+ uint8_t *output;
+} Uart;
+*/
+/* Receive & handle a bit coming from the reader.
+ *
+ * This function is called 4 times per bit (every 2 subcarrier cycles).
+ * Subcarrier frequency fs is 212kHz, 1/fs = 4,72us, i.e. function is called every 9,44us
+ *
+ * LED handling:
+ * LED A -> ON once we have received the SOF and are expecting the rest.
+ * LED A -> OFF once we have received EOF or are in error state or unsynced
+ *
+ * Returns: true if we received a EOF
+ * false if we are still waiting for some more
+ */
+// static RAMFUNC int HandleLegicUartBit(uint8_t bit)
+// {
+ // switch(Uart.state) {
+ // case STATE_UNSYNCD:
+ // if(!bit) {
+ // // we went low, so this could be the beginning of an SOF
+ // Uart.state = STATE_GOT_FALLING_EDGE_OF_SOF;
+ // Uart.posCnt = 0;
+ // Uart.bitCnt = 0;
+ // }
+ // break;
+
+ // case STATE_GOT_FALLING_EDGE_OF_SOF:
+ // Uart.posCnt++;
+ // if(Uart.posCnt == 2) { // sample every 4 1/fs in the middle of a bit
+ // if(bit) {
+ // if(Uart.bitCnt > 9) {
+ // // we've seen enough consecutive
+ // // zeros that it's a valid SOF
+ // Uart.posCnt = 0;
+ // Uart.byteCnt = 0;
+ // Uart.state = STATE_AWAITING_START_BIT;
+ // LED_A_ON(); // Indicate we got a valid SOF
+ // } else {
+ // // didn't stay down long enough
+ // // before going high, error
+ // Uart.state = STATE_UNSYNCD;
+ // }
+ // } else {
+ // // do nothing, keep waiting
+ // }
+ // Uart.bitCnt++;
+ // }
+ // if(Uart.posCnt >= 4) Uart.posCnt = 0;
+ // if(Uart.bitCnt > 12) {
+ // // Give up if we see too many zeros without
+ // // a one, too.
+ // LED_A_OFF();
+ // Uart.state = STATE_UNSYNCD;
+ // }
+ // break;
+
+ // case STATE_AWAITING_START_BIT:
+ // Uart.posCnt++;
+ // if(bit) {
+ // if(Uart.posCnt > 50/2) { // max 57us between characters = 49 1/fs, max 3 etus after low phase of SOF = 24 1/fs
+ // // stayed high for too long between
+ // // characters, error
+ // Uart.state = STATE_UNSYNCD;
+ // }
+ // } else {
+ // // falling edge, this starts the data byte
+ // Uart.posCnt = 0;
+ // Uart.bitCnt = 0;
+ // Uart.shiftReg = 0;
+ // Uart.state = STATE_RECEIVING_DATA;
+ // }
+ // break;
+
+ // case STATE_RECEIVING_DATA:
+ // Uart.posCnt++;
+ // if(Uart.posCnt == 2) {
+ // // time to sample a bit
+ // Uart.shiftReg >>= 1;
+ // if(bit) {
+ // Uart.shiftReg |= 0x200;
+ // }
+ // Uart.bitCnt++;
+ // }
+ // if(Uart.posCnt >= 4) {
+ // Uart.posCnt = 0;
+ // }
+ // if(Uart.bitCnt == 10) {
+ // if((Uart.shiftReg & 0x200) && !(Uart.shiftReg & 0x001))
+ // {
+ // // this is a data byte, with correct
+ // // start and stop bits
+ // Uart.output[Uart.byteCnt] = (Uart.shiftReg >> 1) & 0xff;
+ // Uart.byteCnt++;
+
+ // if(Uart.byteCnt >= Uart.byteCntMax) {
+ // // Buffer overflowed, give up
+ // LED_A_OFF();
+ // Uart.state = STATE_UNSYNCD;
+ // } else {
+ // // so get the next byte now
+ // Uart.posCnt = 0;
+ // Uart.state = STATE_AWAITING_START_BIT;
+ // }
+ // } else if (Uart.shiftReg == 0x000) {
+ // // this is an EOF byte
+ // LED_A_OFF(); // Finished receiving
+ // Uart.state = STATE_UNSYNCD;
+ // if (Uart.byteCnt != 0) {
+ // return TRUE;
+ // }
+ // } else {
+ // // this is an error
+ // LED_A_OFF();
+ // Uart.state = STATE_UNSYNCD;
+ // }
+ // }
+ // break;
+
+ // default:
+ // LED_A_OFF();
+ // Uart.state = STATE_UNSYNCD;
+ // break;
+ // }
+
+ // return FALSE;
+// }
+/*
+
+static void UartReset() {
+ Uart.byteCntMax = 3;
+ Uart.state = STATE_UNSYNCD;
+ Uart.byteCnt = 0;
+ Uart.bitCnt = 0;
+ Uart.posCnt = 0;
+ memset(Uart.output, 0x00, 3);
+}
+*/
+// static void UartInit(uint8_t *data) {
+ // Uart.output = data;
+ // UartReset();
+// }
+
+//=============================================================================
+// An LEGIC reader. We take layer two commands, code them
+// appropriately, and then send them to the tag. We then listen for the
+// tag's response, which we leave in the buffer to be demodulated on the
+// PC side.
+//=============================================================================
+/*
+static struct {
+ enum {
+ DEMOD_UNSYNCD,
+ DEMOD_PHASE_REF_TRAINING,
+ DEMOD_AWAITING_FALLING_EDGE_OF_SOF,
+ DEMOD_GOT_FALLING_EDGE_OF_SOF,
+ DEMOD_AWAITING_START_BIT,
+ DEMOD_RECEIVING_DATA
+ } state;
+ int bitCount;
+ int posCount;
+ int thisBit;
+ uint16_t shiftReg;
+ uint8_t *output;
+ int len;
+ int sumI;
+ int sumQ;
+} Demod;
+*/
+/*
+ * Handles reception of a bit from the tag
+ *
+ * This function is called 2 times per bit (every 4 subcarrier cycles).
+ * Subcarrier frequency fs is 212kHz, 1/fs = 4,72us, i.e. function is called every 9,44us
+ *
+ * LED handling:
+ * LED C -> ON once we have received the SOF and are expecting the rest.
+ * LED C -> OFF once we have received EOF or are unsynced
+ *
+ * Returns: true if we received a EOF
+ * false if we are still waiting for some more
+ *
+ */
+
+/*
+static RAMFUNC int HandleLegicSamplesDemod(int ci, int cq)
+{
+ int v = 0;
+ int ai = ABS(ci);
+ int aq = ABS(cq);
+ int halfci = (ai >> 1);
+ int halfcq = (aq >> 1);
+
+ switch(Demod.state) {
+ case DEMOD_UNSYNCD:
+
+ CHECK_FOR_SUBCARRIER()
+
+ if(v > SUBCARRIER_DETECT_THRESHOLD) { // subcarrier detected
+ Demod.state = DEMOD_PHASE_REF_TRAINING;
+ Demod.sumI = ci;
+ Demod.sumQ = cq;
+ Demod.posCount = 1;
+ }
+ break;
+
+ case DEMOD_PHASE_REF_TRAINING:
+ if(Demod.posCount < 8) {
+
+ CHECK_FOR_SUBCARRIER()
+
+ if (v > SUBCARRIER_DETECT_THRESHOLD) {
+ // set the reference phase (will code a logic '1') by averaging over 32 1/fs.
+ // note: synchronization time > 80 1/fs
+ Demod.sumI += ci;
+ Demod.sumQ += cq;
+ ++Demod.posCount;
+ } else {
+ // subcarrier lost
+ Demod.state = DEMOD_UNSYNCD;
+ }
+ } else {
+ Demod.state = DEMOD_AWAITING_FALLING_EDGE_OF_SOF;
+ }
+ break;
+
+ case DEMOD_AWAITING_FALLING_EDGE_OF_SOF:
+
+ MAKE_SOFT_DECISION()
+
+ //Dbprintf("ICE: %d %d %d %d %d", v, Demod.sumI, Demod.sumQ, ci, cq );
+ // logic '0' detected
+ if (v <= 0) {
+
+ Demod.state = DEMOD_GOT_FALLING_EDGE_OF_SOF;
+
+ // start of SOF sequence
+ Demod.posCount = 0;
+ } else {
+ // maximum length of TR1 = 200 1/fs
+ if(Demod.posCount > 25*2) Demod.state = DEMOD_UNSYNCD;
+ }
+ ++Demod.posCount;
+ break;
+
+ case DEMOD_GOT_FALLING_EDGE_OF_SOF:
+ ++Demod.posCount;
+
+ MAKE_SOFT_DECISION()
+
+ if(v > 0) {
+ // low phase of SOF too short (< 9 etu). Note: spec is >= 10, but FPGA tends to "smear" edges
+ if(Demod.posCount < 10*2) {
+ Demod.state = DEMOD_UNSYNCD;
+ } else {
+ LED_C_ON(); // Got SOF
+ Demod.state = DEMOD_AWAITING_START_BIT;
+ Demod.posCount = 0;
+ Demod.len = 0;
+ }
+ } else {
+ // low phase of SOF too long (> 12 etu)
+ if(Demod.posCount > 13*2) {
+ Demod.state = DEMOD_UNSYNCD;
+ LED_C_OFF();
+ }
+ }
+ break;
+
+ case DEMOD_AWAITING_START_BIT:
+ ++Demod.posCount;
+
+ MAKE_SOFT_DECISION()
+
+ if(v > 0) {
+ // max 19us between characters = 16 1/fs, max 3 etu after low phase of SOF = 24 1/fs
+ if(Demod.posCount > 3*2) {
+ Demod.state = DEMOD_UNSYNCD;
+ LED_C_OFF();
+ }
+ } else {
+ // start bit detected
+ Demod.bitCount = 0;
+ Demod.posCount = 1; // this was the first half
+ Demod.thisBit = v;
+ Demod.shiftReg = 0;
+ Demod.state = DEMOD_RECEIVING_DATA;
+ }
+ break;
+
+ case DEMOD_RECEIVING_DATA: