X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/e30c654b196a87a13ae7f7d4ced930b296c038ec..b4a9d8419fde40cd39b8068ddfec34118b250c50:/armsrc/lfops.c?ds=inline diff --git a/armsrc/lfops.c b/armsrc/lfops.c index e4ebacb0..b53f370e 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c @@ -1,15 +1,21 @@ //----------------------------------------------------------------------------- +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +//----------------------------------------------------------------------------- // Miscellaneous routines for low frequency tag operations. // Tags supported here so far are Texas Instruments (TI), HID // Also routines for raw mode reading/simulating of LF waveform -// //----------------------------------------------------------------------------- + #include "proxmark3.h" #include "apps.h" +#include "util.h" #include "hitag2.h" #include "crc16.h" +#include "string.h" -void AcquireRawAdcSamples125k(BOOL at134khz) +void AcquireRawAdcSamples125k(int at134khz) { if (at134khz) FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz @@ -34,7 +40,7 @@ void AcquireRawAdcSamples125k(BOOL at134khz) // split into two routines so we can avoid timing issues after sending commands // void DoAcquisition125k(void) { - BYTE *dest = (BYTE *)BigBuf; + uint8_t *dest = (uint8_t *)BigBuf; int n = sizeof(BigBuf); int i; @@ -46,7 +52,7 @@ void DoAcquisition125k(void) LED_D_ON(); } if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) { - dest[i] = (BYTE)AT91C_BASE_SSC->SSC_RHR; + dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR; i++; LED_D_OFF(); if (i >= n) break; @@ -56,9 +62,9 @@ void DoAcquisition125k(void) dest[0], dest[1], dest[2], dest[3], dest[4], dest[5], dest[6], dest[7]); } -void ModThenAcquireRawAdcSamples125k(int delay_off, int period_0, int period_1, BYTE *command) +void ModThenAcquireRawAdcSamples125k(int delay_off, int period_0, int period_1, uint8_t *command) { - BOOL at134khz; + int at134khz; /* Make sure the tag is reset */ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); @@ -141,13 +147,13 @@ void ReadTItag(void) // int n = GraphTraceLen; // 128 bit shift register [shift3:shift2:shift1:shift0] - DWORD shift3 = 0, shift2 = 0, shift1 = 0, shift0 = 0; + uint32_t shift3 = 0, shift2 = 0, shift1 = 0, shift0 = 0; int i, cycles=0, samples=0; // how many sample points fit in 16 cycles of each frequency - DWORD sampleslo = (FSAMPLE<<4)/FREQLO, sampleshi = (FSAMPLE<<4)/FREQHI; + uint32_t sampleslo = (FSAMPLE<<4)/FREQLO, sampleshi = (FSAMPLE<<4)/FREQHI; // when to tell if we're close enough to one freq or another - DWORD threshold = (sampleslo - sampleshi + 1)>>1; + uint32_t threshold = (sampleslo - sampleshi + 1)>>1; // TI tags charge at 134.2Khz FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 88); //134.8Khz @@ -236,7 +242,7 @@ void ReadTItag(void) // i'm 99% sure the crc algorithm is correct, but it may need to eat the // bytes in reverse or something // calculate CRC - DWORD crc=0; + uint32_t crc=0; crc = update_crc16(crc, (shift0)&0xff); crc = update_crc16(crc, (shift0>>8)&0xff); @@ -257,7 +263,7 @@ void ReadTItag(void) } } -void WriteTIbyte(BYTE b) +void WriteTIbyte(uint8_t b) { int i = 0; @@ -286,7 +292,7 @@ void AcquireTiType(void) { int i, j, n; // tag transmission is <20ms, sampling at 2M gives us 40K samples max - // each sample is 1 bit stuffed into a DWORD so we need 1250 DWORDS + // each sample is 1 bit stuffed into a uint32_t so we need 1250 uint32_t #define TIBUFLEN 1250 // clear buffer @@ -355,7 +361,7 @@ void AcquireTiType(void) // arguments: 64bit data split into 32bit idhi:idlo and optional 16bit crc // if crc provided, it will be written with the data verbatim (even if bogus) // if not provided a valid crc will be computed from the data and written. -void WriteTItag(DWORD idhi, DWORD idlo, WORD crc) +void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc) { if(crc == 0) { crc = update_crc16(crc, (idlo)&0xff); @@ -426,7 +432,7 @@ void WriteTItag(DWORD idhi, DWORD idlo, WORD crc) void SimulateTagLowFrequency(int period, int gap, int ledcontrol) { int i; - BYTE *tab = (BYTE *)BigBuf; + uint8_t *tab = (uint8_t *)BigBuf; FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_SIMULATOR); @@ -537,7 +543,7 @@ void SimulateTagLowFrequencyBidir(int divisor, int t0) AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1); AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME; AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS; - AT91C_BASE_TC1->TC_CMR = TC_CMR_TCCLKS_TIMER_CLOCK1 | + AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING | @@ -673,7 +679,7 @@ static void hitag_handle_frame(int t0, int frame_len, char *frame) // compose fc/8 fc/10 waveform static void fc(int c, int *n) { - BYTE *dest = (BYTE *)BigBuf; + uint8_t *dest = (uint8_t *)BigBuf; int idx; // for when we want an fc8 pattern every 4 logical bits @@ -778,9 +784,9 @@ void CmdHIDsimTAG(int hi, int lo, int ledcontrol) // loop to capture raw HID waveform then FSK demodulate the TAG ID from it void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) { - BYTE *dest = (BYTE *)BigBuf; + uint8_t *dest = (uint8_t *)BigBuf; int m=0, n=0, i=0, idx=0, found=0, lastval=0; - DWORD hi=0, lo=0; + uint32_t hi=0, lo=0; FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); @@ -815,7 +821,7 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) LED_D_ON(); } if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { - dest[i] = (BYTE)AT91C_BASE_SSC->SSC_RHR; + dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR; // we don't care about actual value, only if it's more or less than a // threshold essentially we capture zero crossings for later analysis if(dest[i] < 127) dest[i] = 0; else dest[i] = 1; @@ -969,3 +975,256 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) WDT_HIT(); } } + +/*------------------------------ + * T5555/T5557/T5567 routines + *------------------------------ + */ + +/* T55x7 configuration register definitions */ +#define T55x7_POR_DELAY 0x00000001 +#define T55x7_ST_TERMINATOR 0x00000008 +#define T55x7_PWD 0x00000010 +#define T55x7_MAXBLOCK_SHIFT 5 +#define T55x7_AOR 0x00000200 +#define T55x7_PSKCF_RF_2 0 +#define T55x7_PSKCF_RF_4 0x00000400 +#define T55x7_PSKCF_RF_8 0x00000800 +#define T55x7_MODULATION_DIRECT 0 +#define T55x7_MODULATION_PSK1 0x00001000 +#define T55x7_MODULATION_PSK2 0x00002000 +#define T55x7_MODULATION_PSK3 0x00003000 +#define T55x7_MODULATION_FSK1 0x00004000 +#define T55x7_MODULATION_FSK2 0x00005000 +#define T55x7_MODULATION_FSK1a 0x00006000 +#define T55x7_MODULATION_FSK2a 0x00007000 +#define T55x7_MODULATION_MANCHESTER 0x00008000 +#define T55x7_MODULATION_BIPHASE 0x00010000 +#define T55x7_BITRATE_RF_8 0 +#define T55x7_BITRATE_RF_16 0x00040000 +#define T55x7_BITRATE_RF_32 0x00080000 +#define T55x7_BITRATE_RF_40 0x000C0000 +#define T55x7_BITRATE_RF_50 0x00100000 +#define T55x7_BITRATE_RF_64 0x00140000 +#define T55x7_BITRATE_RF_100 0x00180000 +#define T55x7_BITRATE_RF_128 0x001C0000 + +/* T5555 (Q5) configuration register definitions */ +#define T5555_ST_TERMINATOR 0x00000001 +#define T5555_MAXBLOCK_SHIFT 0x00000001 +#define T5555_MODULATION_MANCHESTER 0 +#define T5555_MODULATION_PSK1 0x00000010 +#define T5555_MODULATION_PSK2 0x00000020 +#define T5555_MODULATION_PSK3 0x00000030 +#define T5555_MODULATION_FSK1 0x00000040 +#define T5555_MODULATION_FSK2 0x00000050 +#define T5555_MODULATION_BIPHASE 0x00000060 +#define T5555_MODULATION_DIRECT 0x00000070 +#define T5555_INVERT_OUTPUT 0x00000080 +#define T5555_PSK_RF_2 0 +#define T5555_PSK_RF_4 0x00000100 +#define T5555_PSK_RF_8 0x00000200 +#define T5555_USE_PWD 0x00000400 +#define T5555_USE_AOR 0x00000800 +#define T5555_BITRATE_SHIFT 12 +#define T5555_FAST_WRITE 0x00004000 +#define T5555_PAGE_SELECT 0x00008000 + +/* + * Relevant times in microsecond + * To compensate antenna falling times shorten the write times + * and enlarge the gap ones. + */ +#define START_GAP 250 +#define WRITE_GAP 160 +#define WRITE_0 144 // 192 +#define WRITE_1 400 // 432 for T55x7; 448 for E5550 + +// Write one bit to card +void T55xxWriteBit(int bit) +{ + FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + if (bit == 0) + SpinDelayUs(WRITE_0); + else + SpinDelayUs(WRITE_1); + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + SpinDelayUs(WRITE_GAP); +} + +// Write one card block in page 0, no lock +void T55xxWriteBlock(int Data, int Block) +{ + unsigned int i; + + FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + + // Give it a bit of time for the resonant antenna to settle. + // And for the tag to fully power up + SpinDelay(150); + + // Now start writting + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + SpinDelayUs(START_GAP); + + // Opcode + T55xxWriteBit(1); + T55xxWriteBit(0); //Page 0 + // Lock bit + T55xxWriteBit(0); + + // Data + for (i = 0x80000000; i != 0; i >>= 1) + T55xxWriteBit(Data & i); + + // Page + for (i = 0x04; i != 0; i >>= 1) + T55xxWriteBit(Block & i); + + // Now perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550, + // so wait a little more) + FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_READER); + SpinDelay(20); + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); +} + +// Copy HID id to card and setup block 0 config +void CopyHIDtoT5567(int hi, int lo) +{ + int data1, data2, data3; + + // Ensure no more than 44 bits supplied + if (hi>0xFFF) { + DbpString("Tags can only have 44 bits."); + return; + } + + // Build the 3 data blocks for supplied 44bit ID + data1 = 0x1D000000; // load preamble + + for (int i=0;i<12;i++) { + if (hi & (1<<(11-i))) + data1 |= (1<<(((11-i)*2)+1)); // 1 -> 10 + else + data1 |= (1<<((11-i)*2)); // 0 -> 01 + } + + data2 = 0; + for (int i=0;i<16;i++) { + if (lo & (1<<(31-i))) + data2 |= (1<<(((15-i)*2)+1)); // 1 -> 10 + else + data2 |= (1<<((15-i)*2)); // 0 -> 01 + } + + data3 = 0; + for (int i=0;i<16;i++) { + if (lo & (1<<(15-i))) + data3 |= (1<<(((15-i)*2)+1)); // 1 -> 10 + else + data3 |= (1<<((15-i)*2)); // 0 -> 01 + } + + // Program the 3 data blocks for supplied 44bit ID + // and the block 0 for HID format + T55xxWriteBlock(data1,1); + T55xxWriteBlock(data2,2); + T55xxWriteBlock(data3,3); + + // Config for HID (RF/50, FSK2a, Maxblock=3) + T55xxWriteBlock(T55x7_BITRATE_RF_50 | + T55x7_MODULATION_MANCHESTER | + 3 << T55x7_MAXBLOCK_SHIFT, + 0); + + DbpString("DONE!"); +} + +// Define 9bit header for EM410x tags +#define EM410X_HEADER 0x1FF +#define EM410X_ID_LENGTH 40 + +void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo) +{ + int i, id_bit; + uint64_t id = EM410X_HEADER; + uint64_t rev_id = 0; // reversed ID + int c_parity[4]; // column parity + int r_parity = 0; // row parity + + // Reverse ID bits given as parameter (for simpler operations) + for (i = 0; i < EM410X_ID_LENGTH; ++i) { + if (i < 32) { + rev_id = (rev_id << 1) | (id_lo & 1); + id_lo >>= 1; + } else { + rev_id = (rev_id << 1) | (id_hi & 1); + id_hi >>= 1; + } + } + + for (i = 0; i < EM410X_ID_LENGTH; ++i) { + id_bit = rev_id & 1; + + if (i % 4 == 0) { + // Don't write row parity bit at start of parsing + if (i) + id = (id << 1) | r_parity; + // Start counting parity for new row + r_parity = id_bit; + } else { + // Count row parity + r_parity ^= id_bit; + } + + // First elements in column? + if (i < 4) + // Fill out first elements + c_parity[i] = id_bit; + else + // Count column parity + c_parity[i % 4] ^= id_bit; + + // Insert ID bit + id = (id << 1) | id_bit; + rev_id >>= 1; + } + + // Insert parity bit of last row + id = (id << 1) | r_parity; + + // Fill out column parity at the end of tag + for (i = 0; i < 4; ++i) + id = (id << 1) | c_parity[i]; + + // Add stop bit + id <<= 1; + + Dbprintf("Started writing %s tag ...", card ? "T55x7":"T5555"); + LED_D_ON(); + + // Write EM410x ID + T55xxWriteBlock((uint32_t)(id >> 32), 1); + T55xxWriteBlock((uint32_t)id, 2); + + // Config for EM410x (RF/64, Manchester, Maxblock=2) + if (card) + // Writing configuration for T55x7 tag + T55xxWriteBlock(T55x7_BITRATE_RF_64 | + T55x7_MODULATION_MANCHESTER | + 2 << T55x7_MAXBLOCK_SHIFT, + 0); + else + // Writing configuration for T5555(Q5) tag + T55xxWriteBlock(0x1F << T5555_BITRATE_SHIFT | + T5555_MODULATION_MANCHESTER | + 2 << T5555_MAXBLOCK_SHIFT, + 0); + + LED_D_OFF(); + Dbprintf("Tag %s written with 0x%08x%08x\n", card ? "T55x7":"T5555", + (uint32_t)(id >> 32), (uint32_t)id); +}