From: pwpiwi Date: Sat, 21 Sep 2019 09:58:51 +0000 (+0200) Subject: fix 'hf iclass sim': X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/5b12974a7f01a94c40552402b66b01bf8ec0e214?ds=sidebyside;hp=-c fix 'hf iclass sim': * chg to reader command decoder in iso15693.c (require no modulation before SOF) * add 'has_been_low_for' logic to hi_simulate.v (same as in other FPGA modes, default to "no modulation") * add simulation of chip status (IDLE, ACTIVE, SELECTED, HALTED) * check ACSN on SELECT * add simulation of RESELECT * always check length of reader commands * fix printing of NR, MAC in sim 2 mode * fix response length to CHECK command --- 5b12974a7f01a94c40552402b66b01bf8ec0e214 diff --git a/armsrc/iclass.c b/armsrc/iclass.c index 66238a10..23701540 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -777,8 +777,6 @@ static void AppendCrc(uint8_t *data, int len) { /** * @brief Does the actual simulation - * @param csn - csn to use - * @param breakAfterMacReceived if true, returns after reader MAC has been received. */ int doIClassSimulation(int simulationMode, uint8_t *reader_mac_buf) { @@ -919,6 +917,8 @@ int doIClassSimulation(int simulationMode, uint8_t *reader_mac_buf) { LED_A_ON(); bool buttonPressed = false; + enum { IDLE, ACTIVATED, SELECTED, HALTED } chip_state = IDLE; + while (!exitLoop) { WDT_HIT(); LED_B_OFF(); @@ -943,162 +943,193 @@ int doIClassSimulation(int simulationMode, uint8_t *reader_mac_buf) { trace_data = NULL; trace_data_size = 0; - if (receivedCmd[0] == ICLASS_CMD_ACTALL) { - // Reader in anticollission phase - modulated_response = resp_sof; - modulated_response_size = resp_sof_Len; - trace_data = sof_data; - trace_data_size = sizeof(sof_data); + if (receivedCmd[0] == ICLASS_CMD_ACTALL && len == 1) { + // Reader in anticollision phase + if (chip_state != HALTED) { + modulated_response = resp_sof; + modulated_response_size = resp_sof_Len; + trace_data = sof_data; + trace_data_size = sizeof(sof_data); + chip_state = ACTIVATED; + } } else if (receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 1) { // identify - // Reader asks for anticollission CSN - modulated_response = resp_anticoll; - modulated_response_size = resp_anticoll_len; - trace_data = anticoll_data; - trace_data_size = sizeof(anticoll_data); + // Reader asks for anticollision CSN + if (chip_state == SELECTED || chip_state == ACTIVATED) { + modulated_response = resp_anticoll; + modulated_response_size = resp_anticoll_len; + trace_data = anticoll_data; + trace_data_size = sizeof(anticoll_data); + } + + } else if (receivedCmd[0] == ICLASS_CMD_SELECT && len == 9) { + // Reader selects anticollision CSN. + // Tag sends the corresponding real CSN + if (chip_state == ACTIVATED || chip_state == SELECTED) { + if (!memcmp(receivedCmd+1, anticoll_data, 8)) { + modulated_response = resp_csn; + modulated_response_size = resp_csn_len; + trace_data = csn_data; + trace_data_size = sizeof(csn_data); + chip_state = SELECTED; + } else { + chip_state = IDLE; + } + } else if (chip_state == HALTED) { + // RESELECT with CSN + if (!memcmp(receivedCmd+1, csn_data, 8)) { + modulated_response = resp_csn; + modulated_response_size = resp_csn_len; + trace_data = csn_data; + trace_data_size = sizeof(csn_data); + chip_state = SELECTED; + } + } } else if (receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4) { // read block uint16_t blockNo = receivedCmd[1]; - if (simulationMode == ICLASS_SIM_MODE_EXIT_AFTER_MAC) { - // provide defaults for blocks 0 ... 5 - switch (blockNo) { - case 0: // csn (block 00) - modulated_response = resp_csn; - modulated_response_size = resp_csn_len; - trace_data = csn_data; - trace_data_size = sizeof(csn_data); - break; - case 1: // configuration (block 01) - modulated_response = resp_conf; - modulated_response_size = resp_conf_len; - trace_data = conf_data; - trace_data_size = sizeof(conf_data); - break; - case 2: // e-purse (block 02) - modulated_response = resp_cc; - modulated_response_size = resp_cc_len; - trace_data = card_challenge_data; - trace_data_size = sizeof(card_challenge_data); - // set epurse of sim2,4 attack - if (reader_mac_buf != NULL) { - memcpy(reader_mac_buf, card_challenge_data, 8); - } - break; - case 3: - case 4: // Kd, Kd, always respond with 0xff bytes + if (chip_state == SELECTED) { + if (simulationMode == ICLASS_SIM_MODE_EXIT_AFTER_MAC) { + // provide defaults for blocks 0 ... 5 + switch (blockNo) { + case 0: // csn (block 00) + modulated_response = resp_csn; + modulated_response_size = resp_csn_len; + trace_data = csn_data; + trace_data_size = sizeof(csn_data); + break; + case 1: // configuration (block 01) + modulated_response = resp_conf; + modulated_response_size = resp_conf_len; + trace_data = conf_data; + trace_data_size = sizeof(conf_data); + break; + case 2: // e-purse (block 02) + modulated_response = resp_cc; + modulated_response_size = resp_cc_len; + trace_data = card_challenge_data; + trace_data_size = sizeof(card_challenge_data); + // set epurse of sim2,4 attack + if (reader_mac_buf != NULL) { + memcpy(reader_mac_buf, card_challenge_data, 8); + } + break; + case 3: + case 4: // Kd, Kc, always respond with 0xff bytes + modulated_response = resp_ff; + modulated_response_size = resp_ff_len; + trace_data = ff_data; + trace_data_size = sizeof(ff_data); + break; + case 5: // Application Issuer Area (block 05) + modulated_response = resp_aia; + modulated_response_size = resp_aia_len; + trace_data = aia_data; + trace_data_size = sizeof(aia_data); + break; + // default: don't respond + } + } else if (simulationMode == ICLASS_SIM_MODE_FULL) { + if (blockNo == 3 || blockNo == 4) { // Kd, Kc, always respond with 0xff bytes modulated_response = resp_ff; modulated_response_size = resp_ff_len; trace_data = ff_data; trace_data_size = sizeof(ff_data); - break; - case 5: // Application Issuer Area (block 05) - modulated_response = resp_aia; - modulated_response_size = resp_aia_len; - trace_data = aia_data; - trace_data_size = sizeof(aia_data); - break; - // default: don't respond + } else { // use data from emulator memory + memcpy(data_generic_trace, emulator + 8*blockNo, 8); + AppendCrc(data_generic_trace, 8); + trace_data = data_generic_trace; + trace_data_size = 10; + CodeIso15693AsTag(trace_data, trace_data_size); + memcpy(data_response, ToSend, ToSendMax); + modulated_response = data_response; + modulated_response_size = ToSendMax; + } } - } else if (simulationMode == ICLASS_SIM_MODE_FULL) { - if (blockNo == 3 || blockNo == 4) { // Kd, Kc, always respond with 0xff bytes - modulated_response = resp_ff; - modulated_response_size = resp_ff_len; - trace_data = ff_data; - trace_data_size = sizeof(ff_data); - } else { // use data from emulator memory - memcpy(data_generic_trace, emulator + (receivedCmd[1] << 3), 8); - AppendCrc(data_generic_trace, 8); + } + + } else if ((receivedCmd[0] == ICLASS_CMD_READCHECK_KD + || receivedCmd[0] == ICLASS_CMD_READCHECK_KC) && len == 2) { + // Read e-purse (88 02 || 18 02) + if (chip_state == SELECTED) { + modulated_response = resp_cc; + modulated_response_size = resp_cc_len; + trace_data = card_challenge_data; + trace_data_size = sizeof(card_challenge_data); + LED_B_ON(); + } + + } else if (receivedCmd[0] == ICLASS_CMD_CHECK && len == 9) { + // Reader random and reader MAC!!! + if (chip_state == SELECTED) { + if (simulationMode == ICLASS_SIM_MODE_FULL) { + //NR, from reader, is in receivedCmd+1 + opt_doTagMAC_2(cipher_state, receivedCmd+1, data_generic_trace, diversified_key); trace_data = data_generic_trace; - trace_data_size = 10; + trace_data_size = 4; CodeIso15693AsTag(trace_data, trace_data_size); memcpy(data_response, ToSend, ToSendMax); modulated_response = data_response; modulated_response_size = ToSendMax; + //exitLoop = true; + } else { // Not fullsim, we don't respond + // We do not know what to answer, so lets keep quiet + if (simulationMode == ICLASS_SIM_MODE_EXIT_AFTER_MAC) { + if (reader_mac_buf != NULL) { + // save NR and MAC for sim 2,4 + memcpy(reader_mac_buf + 8, receivedCmd + 1, 8); + } + exitLoop = true; + } } } - } else if (receivedCmd[0] == ICLASS_CMD_SELECT) { - // Reader selects anticollission CSN. - // Tag sends the corresponding real CSN - modulated_response = resp_csn; - modulated_response_size = resp_csn_len; - trace_data = csn_data; - trace_data_size = sizeof(csn_data); - - } else if (receivedCmd[0] == ICLASS_CMD_READCHECK_KD - || receivedCmd[0] == ICLASS_CMD_READCHECK_KC) { - // Read e-purse (88 02 || 18 02) - modulated_response = resp_cc; - modulated_response_size = resp_cc_len; - trace_data = card_challenge_data; - trace_data_size = sizeof(card_challenge_data); - LED_B_ON(); + } else if (receivedCmd[0] == ICLASS_CMD_HALT && len == 1) { + if (chip_state == SELECTED) { + // Reader ends the session + chip_state = HALTED; + } - } else if (receivedCmd[0] == ICLASS_CMD_CHECK) { - // Reader random and reader MAC!!! - if (simulationMode == ICLASS_SIM_MODE_FULL) { - //NR, from reader, is in receivedCmd+1 - opt_doTagMAC_2(cipher_state, receivedCmd+1, data_generic_trace, diversified_key); + } else if (simulationMode == ICLASS_SIM_MODE_FULL && receivedCmd[0] == ICLASS_CMD_READ4 && len == 4) { // 0x06 + //Read 4 blocks + if (chip_state == SELECTED) { + memcpy(data_generic_trace, emulator + (receivedCmd[1] << 3), 8 * 4); + AppendCrc(data_generic_trace, 8 * 4); trace_data = data_generic_trace; - trace_data_size = 4; + trace_data_size = 8 * 4 + 2; CodeIso15693AsTag(trace_data, trace_data_size); memcpy(data_response, ToSend, ToSendMax); modulated_response = data_response; modulated_response_size = ToSendMax; - //exitLoop = true; - } else { // Not fullsim, we don't respond - // We do not know what to answer, so lets keep quiet - if (simulationMode == ICLASS_SIM_MODE_EXIT_AFTER_MAC) { - if (reader_mac_buf != NULL) { - // save NR and MAC for sim 2,4 - memcpy(reader_mac_buf + 8, receivedCmd + 1, 8); - } - exitLoop = true; - } } - } else if (receivedCmd[0] == ICLASS_CMD_HALT && len == 1) { - // Reader ends the session - modulated_response = resp_sof; - modulated_response_size = 0; - trace_data = NULL; - trace_data_size = 0; - - } else if (simulationMode == ICLASS_SIM_MODE_FULL && receivedCmd[0] == ICLASS_CMD_READ4 && len == 4) { // 0x06 - //Read block - //Take the data... - memcpy(data_generic_trace, emulator + (receivedCmd[1] << 3), 8 * 4); - AppendCrc(data_generic_trace, 8 * 4); - trace_data = data_generic_trace; - trace_data_size = 8 * 4 + 2; - CodeIso15693AsTag(trace_data, trace_data_size); - memcpy(data_response, ToSend, ToSendMax); - modulated_response = data_response; - modulated_response_size = ToSendMax; - - } else if (receivedCmd[0] == ICLASS_CMD_UPDATE && simulationMode == ICLASS_SIM_MODE_FULL) { + } else if (receivedCmd[0] == ICLASS_CMD_UPDATE && (len == 12 || len == 14)) { // Probably the reader wants to update the nonce. Let's just ignore that for now. // OBS! If this is implemented, don't forget to regenerate the cipher_state // We're expected to respond with the data+crc, exactly what's already in the receivedCmd // receivedCmd is now UPDATE 1b | ADDRESS 1b | DATA 8b | Signature 4b or CRC 2b - memcpy(data_generic_trace, receivedCmd + 2, 8); - AppendCrc(data_generic_trace, 8); - trace_data = data_generic_trace; - trace_data_size = 10; - CodeIso15693AsTag(trace_data, trace_data_size); - memcpy(data_response, ToSend, ToSendMax); - modulated_response = data_response; - modulated_response_size = ToSendMax; - - } else if (receivedCmd[0] == ICLASS_CMD_PAGESEL) { + if (chip_state == SELECTED) { + memcpy(data_generic_trace, receivedCmd + 2, 8); + AppendCrc(data_generic_trace, 8); + trace_data = data_generic_trace; + trace_data_size = 10; + CodeIso15693AsTag(trace_data, trace_data_size); + memcpy(data_response, ToSend, ToSendMax); + modulated_response = data_response; + modulated_response_size = ToSendMax; + } + + } else if (receivedCmd[0] == ICLASS_CMD_PAGESEL && len == 4) { // Pagesel - // Pagesel enables to select a page in the selected chip memory and return its configuration block - // Chips with a single page will not answer to this command - // It appears we're fine ignoring this. - // Otherwise, we should answer 8bytes (block) + 2bytes CRC + if (chip_state == SELECTED) { + // Pagesel enables to select a page in the selected chip memory and return its configuration block + // Chips with a single page will not answer to this command + // It appears we're fine ignoring this. + // Otherwise, we should answer 8bytes (block) + 2bytes CRC + } } else { - // Never seen this command before + // don't know how to handle this command char debug_message[250]; // should be enough sprintf(debug_message, "Unhandled command (len = %d) received from reader:", len); for (int i = 0; i < len && strlen(debug_message) < sizeof(debug_message) - 3 - 1; i++) { @@ -1187,8 +1218,9 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain datain[i*8+0], datain[i*8+1], datain[i*8+2], datain[i*8+3], datain[i*8+4], datain[i*8+5], datain[i*8+6], datain[i*8+7]); Dbprintf("NR,MAC: %02x %02x %02x %02x %02x %02x %02x %02x", - datain[i*8+ 8], datain[i*8+ 9], datain[i*8+10], datain[i*8+11], - datain[i*8+12], datain[i*8+13], datain[i*8+14], datain[i*8+15]); + mac_responses[i*16+ 8], mac_responses[i*16+ 9], mac_responses[i*16+10], mac_responses[i*16+11], + mac_responses[i*16+12], mac_responses[i*16+13], mac_responses[i*16+14], mac_responses[i*16+15]); + SpinDelay(100); // give the reader some time to prepare for next CSN } cmd_send(CMD_ACK, CMD_SIMULATE_TAG_ICLASS, i, 0, mac_responses, i*16); } else if (simType == ICLASS_SIM_MODE_FULL) { diff --git a/armsrc/iso15693.c b/armsrc/iso15693.c index 4b4577e7..f33e0156 100644 --- a/armsrc/iso15693.c +++ b/armsrc/iso15693.c @@ -671,6 +671,7 @@ static int GetIso15693AnswerFromTag(uint8_t* response, uint16_t max_len, int tim typedef struct DecodeReader { enum { STATE_READER_UNSYNCD, + STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF, STATE_READER_AWAIT_1ST_RISING_EDGE_OF_SOF, STATE_READER_AWAIT_2ND_FALLING_EDGE_OF_SOF, STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF, @@ -714,6 +715,13 @@ static int inline __attribute__((always_inline)) Handle15693SampleFromReader(uin { switch (DecodeReader->state) { case STATE_READER_UNSYNCD: + // wait for unmodulated carrier + if (bit) { + DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF; + } + break; + + case STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF: if (!bit) { // we went low, so this could be the beginning of a SOF DecodeReader->posCount = 1; @@ -725,7 +733,7 @@ static int inline __attribute__((always_inline)) Handle15693SampleFromReader(uin DecodeReader->posCount++; if (bit) { // detected rising edge if (DecodeReader->posCount < 4) { // rising edge too early (nominally expected at 5) - DecodeReaderReset(DecodeReader); + DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF; } else { // SOF DecodeReader->state = STATE_READER_AWAIT_2ND_FALLING_EDGE_OF_SOF; } @@ -748,13 +756,13 @@ static int inline __attribute__((always_inline)) Handle15693SampleFromReader(uin DecodeReader->state = STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF; } else if (DecodeReader->posCount < 28) { // falling edge too early (nominally expected at 29 latest) DecodeReaderReset(DecodeReader); - } else { // SOF for 1 out of 4 coding + } else { // SOF for 1 out of 256 coding DecodeReader->Coding = CODING_1_OUT_OF_256; DecodeReader->state = STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF; } } else { if (DecodeReader->posCount > 29) { // stayed high for too long - DecodeReaderReset(DecodeReader); + DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF; } else { // do nothing, keep waiting } @@ -766,7 +774,7 @@ static int inline __attribute__((always_inline)) Handle15693SampleFromReader(uin if (bit) { // detected rising edge if (DecodeReader->Coding == CODING_1_OUT_OF_256) { if (DecodeReader->posCount < 32) { // rising edge too early (nominally expected at 33) - DecodeReaderReset(DecodeReader); + DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF; } else { DecodeReader->posCount = 1; DecodeReader->bitCount = 0; @@ -777,21 +785,22 @@ static int inline __attribute__((always_inline)) Handle15693SampleFromReader(uin } } else { // CODING_1_OUT_OF_4 if (DecodeReader->posCount < 24) { // rising edge too early (nominally expected at 25) - DecodeReaderReset(DecodeReader); + DecodeReader->state = STATE_READER_AWAIT_1ST_FALLING_EDGE_OF_SOF; } else { + DecodeReader->posCount = 1; DecodeReader->state = STATE_READER_AWAIT_END_OF_SOF_1_OUT_OF_4; } } } else { if (DecodeReader->Coding == CODING_1_OUT_OF_256) { if (DecodeReader->posCount > 34) { // signal stayed low for too long - DecodeReaderReset(DecodeReader); + DecodeReaderReset(DecodeReader); } else { // do nothing, keep waiting } } else { // CODING_1_OUT_OF_4 if (DecodeReader->posCount > 26) { // signal stayed low for too long - DecodeReaderReset(DecodeReader); + DecodeReaderReset(DecodeReader); } else { // do nothing, keep waiting } @@ -802,7 +811,7 @@ static int inline __attribute__((always_inline)) Handle15693SampleFromReader(uin case STATE_READER_AWAIT_END_OF_SOF_1_OUT_OF_4: DecodeReader->posCount++; if (bit) { - if (DecodeReader->posCount == 33) { + if (DecodeReader->posCount == 9) { DecodeReader->posCount = 1; DecodeReader->bitCount = 0; DecodeReader->byteCount = 0; diff --git a/client/cmdhficlass.c b/client/cmdhficlass.c index ee0dd16e..48b62b17 100644 --- a/client/cmdhficlass.c +++ b/client/cmdhficlass.c @@ -100,7 +100,46 @@ int usage_hf_iclass_sim(void) { return 0; } +// the original malicious IDs from Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult, +// and Milosch Meriac. Dismantling iClass and iClass Elite. #define NUM_CSNS 15 +static uint8_t csns[8 * NUM_CSNS] = { + 0x00, 0x0B, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0, + 0x00, 0x04, 0x0E, 0x08, 0xF7, 0xFF, 0x12, 0xE0, + 0x00, 0x09, 0x0D, 0x05, 0xF7, 0xFF, 0x12, 0xE0, + 0x00, 0x0A, 0x0C, 0x06, 0xF7, 0xFF, 0x12, 0xE0, + 0x00, 0x0F, 0x0B, 0x03, 0xF7, 0xFF, 0x12, 0xE0, + 0x00, 0x08, 0x0A, 0x0C, 0xF7, 0xFF, 0x12, 0xE0, + 0x00, 0x0D, 0x09, 0x09, 0xF7, 0xFF, 0x12, 0xE0, + 0x00, 0x0E, 0x08, 0x0A, 0xF7, 0xFF, 0x12, 0xE0, + 0x00, 0x03, 0x07, 0x17, 0xF7, 0xFF, 0x12, 0xE0, + 0x00, 0x3C, 0x06, 0xE0, 0xF7, 0xFF, 0x12, 0xE0, + 0x00, 0x01, 0x05, 0x1D, 0xF7, 0xFF, 0x12, 0xE0, + 0x00, 0x02, 0x04, 0x1E, 0xF7, 0xFF, 0x12, 0xE0, + 0x00, 0x07, 0x03, 0x1B, 0xF7, 0xFF, 0x12, 0xE0, + 0x00, 0x00, 0x02, 0x24, 0xF7, 0xFF, 0x12, 0xE0, + 0x00, 0x05, 0x01, 0x21, 0xF7, 0xFF, 0x12, 0xE0 }; + + +// pre-defined 9 CSNs by iceman. +// only one csn depend on several others. +// six depends only on the first csn, (0,1, 0x45) + +// #define NUM_CSNS 9 +// static uint8_t csns[8 * NUM_CSNS] = { + // 0x01, 0x0A, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0, + // 0x0C, 0x06, 0x0C, 0xFE, 0xF7, 0xFF, 0x12, 0xE0, + // 0x10, 0x97, 0x83, 0x7B, 0xF7, 0xFF, 0x12, 0xE0, + // 0x13, 0x97, 0x82, 0x7A, 0xF7, 0xFF, 0x12, 0xE0, + // 0x07, 0x0E, 0x0D, 0xF9, 0xF7, 0xFF, 0x12, 0xE0, + // 0x14, 0x96, 0x84, 0x76, 0xF7, 0xFF, 0x12, 0xE0, + // 0x17, 0x96, 0x85, 0x71, 0xF7, 0xFF, 0x12, 0xE0, + // 0xCE, 0xC5, 0x0F, 0x77, 0xF7, 0xFF, 0x12, 0xE0, + // 0xD2, 0x5A, 0x82, 0xF8, 0xF7, 0xFF, 0x12, 0xE0 + // //0x04, 0x08, 0x9F, 0x78, 0x6E, 0xFF, 0x12, 0xE0 +// }; + + int CmdHFiClassSim(const char *Cmd) { uint8_t simType = 0; uint8_t CSN[8] = {0, 0, 0, 0, 0, 0, 0, 0}; @@ -123,23 +162,6 @@ int CmdHFiClassSim(const char *Cmd) { UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType, NUM_CSNS}}; UsbCommand resp = {0}; - uint8_t csns[8 * NUM_CSNS] = { - 0x00, 0x0B, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0, - 0x00, 0x04, 0x0E, 0x08, 0xF7, 0xFF, 0x12, 0xE0, - 0x00, 0x09, 0x0D, 0x05, 0xF7, 0xFF, 0x12, 0xE0, - 0x00, 0x0A, 0x0C, 0x06, 0xF7, 0xFF, 0x12, 0xE0, - 0x00, 0x0F, 0x0B, 0x03, 0xF7, 0xFF, 0x12, 0xE0, - 0x00, 0x08, 0x0A, 0x0C, 0xF7, 0xFF, 0x12, 0xE0, - 0x00, 0x0D, 0x09, 0x09, 0xF7, 0xFF, 0x12, 0xE0, - 0x00, 0x0E, 0x08, 0x0A, 0xF7, 0xFF, 0x12, 0xE0, - 0x00, 0x03, 0x07, 0x17, 0xF7, 0xFF, 0x12, 0xE0, - 0x00, 0x3C, 0x06, 0xE0, 0xF7, 0xFF, 0x12, 0xE0, - 0x00, 0x01, 0x05, 0x1D, 0xF7, 0xFF, 0x12, 0xE0, - 0x00, 0x02, 0x04, 0x1E, 0xF7, 0xFF, 0x12, 0xE0, - 0x00, 0x07, 0x03, 0x1B, 0xF7, 0xFF, 0x12, 0xE0, - 0x00, 0x00, 0x02, 0x24, 0xF7, 0xFF, 0x12, 0xE0, - 0x00, 0x05, 0x01, 0x21, 0xF7, 0xFF, 0x12, 0xE0 }; - memcpy(c.d.asBytes, csns, 8 * NUM_CSNS); SendCommand(&c); diff --git a/fpga/fpga_hf.bit b/fpga/fpga_hf.bit index 70c7909a..1bd3c416 100644 Binary files a/fpga/fpga_hf.bit and b/fpga/fpga_hf.bit differ diff --git a/fpga/hi_simulate.v b/fpga/hi_simulate.v index 92ebcb51..097b8a08 100644 --- a/fpga/hi_simulate.v +++ b/fpga/hi_simulate.v @@ -33,15 +33,33 @@ module hi_simulate( output dbg; input [2:0] mod_type; +assign adc_clk = ck_1356meg; // The comparator with hysteresis on the output from the peak detector. reg after_hysteresis; -assign adc_clk = ck_1356meg; +reg [11:0] has_been_low_for; always @(negedge adc_clk) begin - if(& adc_d[7:5]) after_hysteresis = 1'b1; // if (adc_d >= 224) - else if(~(| adc_d[7:5])) after_hysteresis = 1'b0; // if (adc_d <= 31) + if (& adc_d[7:5]) after_hysteresis <= 1'b1; // if (adc_d >= 224) + else if (~(| adc_d[7:5])) after_hysteresis <= 1'b0; // if (adc_d <= 31) + + if (adc_d >= 224) + begin + has_been_low_for <= 12'd0; + end + else + begin + if (has_been_low_for == 12'd4095) + begin + has_been_low_for <= 12'd0; + after_hysteresis <= 1'b1; + end + else + begin + has_been_low_for <= has_been_low_for + 1; + end + end end