+static enum {
+ STATE_DISCON,
+ STATE_IV,
+ STATE_CON,
+} legic_state;
+
+static crc_t legic_crc;
+static int legic_read_count;
+static uint32_t legic_prng_bc;
+static uint32_t legic_prng_iv;
+
+static int legic_phase_drift;
+static int legic_frame_drift;
+static int legic_reqresp_drift;
+
+AT91PS_TC timer;
+AT91PS_TC prng_timer;
+
+static void setup_timer(void)
+{
+ /* Set up Timer 1 to use for measuring time between pulses. Since we're bit-banging
+ * this it won't be terribly accurate but should be good enough.
+ */
+ AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
+ timer = AT91C_BASE_TC1;
+ timer->TC_CCR = AT91C_TC_CLKDIS;
+ timer->TC_CMR = AT91C_TC_CLKS_TIMER_DIV3_CLOCK;
+ timer->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+
+ /*
+ * Set up Timer 2 to use for measuring time between frames in
+ * tag simulation mode. Runs 4x faster as Timer 1
+ */
+ AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC2);
+ prng_timer = AT91C_BASE_TC2;
+ prng_timer->TC_CCR = AT91C_TC_CLKDIS;
+ prng_timer->TC_CMR = AT91C_TC_CLKS_TIMER_DIV2_CLOCK;
+ prng_timer->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+}
+
+/* At TIMER_CLOCK3 (MCK/32) */
+#define RWD_TIME_1 150 /* RWD_TIME_PAUSE off, 80us on = 100us */
+#define RWD_TIME_0 90 /* RWD_TIME_PAUSE off, 40us on = 60us */
+#define RWD_TIME_PAUSE 30 /* 20us */
+#define RWD_TIME_FUZZ 20 /* rather generous 13us, since the peak detector + hysteresis fuzz quite a bit */
+#define TAG_TIME_BIT 150 /* 100us for every bit */
+#define TAG_TIME_WAIT 490 /* time from RWD frame end to tag frame start, experimentally determined */
+
+#define SIM_DIVISOR 586 /* prng_time/SIM_DIVISOR count prng needs to be forwared */
+#define SIM_SHIFT 900 /* prng_time+SIM_SHIFT shift of delayed start */
+
+#define SESSION_IV 0x55
+#define OFFSET_LOG 1024
+
+#define FUZZ_EQUAL(value, target, fuzz) ((value) > ((target)-(fuzz)) && (value) < ((target)+(fuzz)))
+
+/* Generate Keystream */
+static uint32_t get_key_stream(int skip, int count)
+{
+ uint32_t key=0; int i;
+
+ /* Use int to enlarge timer tc to 32bit */
+ legic_prng_bc += prng_timer->TC_CV;
+ prng_timer->TC_CCR = AT91C_TC_SWTRG;
+
+ /* If skip == -1, forward prng time based */
+ if(skip == -1) {
+ i = (legic_prng_bc+SIM_SHIFT)/SIM_DIVISOR; /* Calculate Cycles based on timer */
+ i -= legic_prng_count(); /* substract cycles of finished frames */
+ i -= count; /* substract current frame length, rewidn to bedinning */
+ legic_prng_forward(i);
+ } else {
+ legic_prng_forward(skip);
+ }
+
+ /* Write Time Data into LOG */
+ uint8_t *BigBuf = BigBuf_get_addr();
+ i = (count == 6) ? -1 : legic_read_count;
+
+ BigBuf[OFFSET_LOG+128+i] = legic_prng_count();
+ BigBuf[OFFSET_LOG+256+i*4] = (legic_prng_bc >> 0) & 0xff;
+ BigBuf[OFFSET_LOG+256+i*4+1] = (legic_prng_bc >> 8) & 0xff;
+ BigBuf[OFFSET_LOG+256+i*4+2] = (legic_prng_bc >>16) & 0xff;
+ BigBuf[OFFSET_LOG+256+i*4+3] = (legic_prng_bc >>24) & 0xff;
+ BigBuf[OFFSET_LOG+384+i] = count;
+
+ /* Generate KeyStream */
+ for(i=0; i<count; i++) {
+ key |= legic_prng_get_bit() << i;
+ legic_prng_forward(1);
+ }
+ return key;
+}
+
+/* Send a frame in tag mode, the FPGA must have been set up by
+ * LegicRfSimulate
+ */
+static void frame_send_tag(uint16_t response, int bits, int crypt)
+{
+ /* Bitbang the response */
+ AT91C_BASE_PIOA->PIO_CODR = GPIO_SSC_DOUT;
+ AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
+ AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
+
+ /* Use time to crypt frame */
+ if(crypt) {
+ legic_prng_forward(2); /* TAG_TIME_WAIT -> shift by 2 */
+ int i; int key = 0;
+ for(i=0; i<bits; i++) {
+ key |= legic_prng_get_bit() << i;
+ legic_prng_forward(1);
+ }
+ //Dbprintf("key = 0x%x", key);
+ response = response ^ key;
+ }
+
+ /* Wait for the frame start */
+ while(timer->TC_CV < (TAG_TIME_WAIT - 30)) ;
+
+ int i;
+ for(i=0; i<bits; i++) {
+ int nextbit = timer->TC_CV + TAG_TIME_BIT;
+ int bit = response & 1;
+ response = response >> 1;
+ if(bit)
+ AT91C_BASE_PIOA->PIO_SODR = GPIO_SSC_DOUT;
+ else
+ AT91C_BASE_PIOA->PIO_CODR = GPIO_SSC_DOUT;
+
+ while(timer->TC_CV < nextbit) ;
+ }
+ AT91C_BASE_PIOA->PIO_CODR = GPIO_SSC_DOUT;
+}
+
+/* Send a frame in reader mode, the FPGA must have been set up by
+ * LegicRfReader
+ */
+static void frame_send_rwd(uint32_t data, int bits)
+{
+ /* Start clock */
+ timer->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
+ while(timer->TC_CV > 1) ; /* Wait till the clock has reset */
+
+ int i;
+ for(i=0; i<bits; i++) {
+ int starttime = timer->TC_CV;
+ int pause_end = starttime + RWD_TIME_PAUSE, bit_end;
+ int bit = data & 1;
+ data = data >> 1;
+
+ if(bit ^ legic_prng_get_bit())
+ bit_end = starttime + RWD_TIME_1;
+ else
+ bit_end = starttime + RWD_TIME_0;
+
+
+ /* RWD_TIME_PAUSE time off, then some time on, so that the complete bit time is
+ * RWD_TIME_x, where x is the bit to be transmitted */
+ AT91C_BASE_PIOA->PIO_CODR = GPIO_SSC_DOUT;
+ while(timer->TC_CV < pause_end) ;
+ AT91C_BASE_PIOA->PIO_SODR = GPIO_SSC_DOUT;
+ legic_prng_forward(1); /* bit duration is longest. use this time to forward the lfsr */
projects / proxmark3-svn / blobdiff