From ac2df3460ab2ab2d39fe93350018701699d8327b Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Thu, 15 Oct 2015 10:23:15 +0200 Subject: [PATCH] ADD: @marshmellows fixes for t55x7 reading signal. ADD: @marshmellows "diphase" definition for T55x7. MOV: extracted the aquisition from the t55x7 methods and put them inside lfsampling.c FIX: pcf7931 write, there is 16bytes in a block.. not 4 as I thought before. FIX: t55x7 lowered the WRITE_0 to 16. Even bigger gap. --- armsrc/appmain.c | 2 +- armsrc/apps.h | 10 ---- armsrc/lfops.c | 110 +++++++++++++----------------------------- armsrc/lfsampling.c | 57 +++++++++++++++++++++- armsrc/lfsampling.h | 6 +++ armsrc/pcf7931.c | 4 ++ armsrc/pcf7931.h | 12 +++-- client/cmdlfpcf7931.c | 4 +- client/cmdlft55xx.c | 27 +++++------ common/lfdemod.c | 31 ++++++++---- 10 files changed, 146 insertions(+), 117 deletions(-) diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 5bdbaa8d..11ec9ec4 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -994,7 +994,7 @@ void UsbPacketReceived(uint8_t *packet, int len) cmd_send(CMD_ACK,0,0,0,0,0); break; case CMD_PCF7931_WRITE: - WritePCF7931(c->d.asDwords[0],c->d.asDwords[1],c->d.asDwords[2],c->d.asDwords[3],c->d.asDwords[4],c->d.asDwords[5],c->d.asDwords[6], c->d.asDwords[9], c->d.asDwords[7]-128,c->d.asDwords[8]-128, c->arg[0], c->arg[1], c->arg[2]); + WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]); break; case CMD_EM4X_READ_WORD: EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]); diff --git a/armsrc/apps.h b/armsrc/apps.h index e0b797d9..f15ffd14 100644 --- a/armsrc/apps.h +++ b/armsrc/apps.h @@ -95,16 +95,6 @@ void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode); void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode); void CopyViKingtoT55x7(uint32_t block1,uint32_t block2); -/// pcf7931.h -int DemodPCF7931(uint8_t **outBlocks); -int IsBlock0PCF7931(uint8_t *Block); -int IsBlock1PCF7931(uint8_t *Block); -void ReadPCF7931(); -void SendCmdPCF7931(uint32_t * tab); -bool AddBytePCF7931(uint8_t byte, uint32_t * tab, int32_t l, int32_t p); -bool AddBitPCF7931(bool b, uint32_t * tab, int32_t l, int32_t p); -bool AddPatternPCF7931(uint32_t a, uint32_t b, uint32_t c, uint32_t * tab); -void WritePCF7931(uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, uint8_t pass5, uint8_t pass6, uint8_t pass7, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data); /// iso14443.h void SimulateIso14443bTag(void); diff --git a/armsrc/lfops.c b/armsrc/lfops.c index 987faf82..f0a15515 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c @@ -1096,6 +1096,7 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) #define T55x7_MODULATION_FSK2a 0x00007000 #define T55x7_MODULATION_MANCHESTER 0x00008000 #define T55x7_MODULATION_BIPHASE 0x00010000 +#define T55x7_MODULATION_DIPHASE 0x00018000 //#define T55x7_MODULATION_BIPHASE57 0x00011000 #define T55x7_BITRATE_RF_8 0 #define T55x7_BITRATE_RF_16 0x00040000 @@ -1135,7 +1136,7 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) #define START_GAP 50*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (or 15fc) #define WRITE_GAP 20*8 // was 160 // SPEC: 1*8 to 20*8 - typ 10*8 (or 10fc) -#define WRITE_0 18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc) +#define WRITE_0 16*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc) #define WRITE_1 50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc) 432 for T55x7; 448 for E5550 // VALUES TAKEN FROM EM4x function: SendForward @@ -1152,7 +1153,6 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) // T0 = TIMER_CLOCK1 / 125000 = 192 // 1 Cycle = 8 microseconds(us) -#define T55xx_SAMPLES_SIZE 12000 // 32 x 32 x 10 (32 bit times numofblock (7), times clock skip..) // Write one bit to card void T55xxWriteBit(int bit) @@ -1175,7 +1175,7 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMod // Set up FPGA, 125kHz // Wait for config.. (192+8190xPOW)x8 == 67ms - LFSetupFPGAForADC(0, true); + LFSetupFPGAForADC(95, true); // Now start writting FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); @@ -1208,124 +1208,82 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMod FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); } -void TurnReadLFOn(){ +void TurnReadLFOn(int delay){ FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); // Give it a bit of time for the resonant antenna to settle. - SpinDelayUs(300); + SpinDelayUs(delay); } - // Read one card block in page 0 void T55xxReadBlock(uint32_t Block, uint32_t Pwd, uint8_t PwdMode) { uint32_t i = 0; - uint8_t *dest = BigBuf_get_addr(); - uint16_t bufferlength = BigBuf_max_traceLen(); - if ( bufferlength > T55xx_SAMPLES_SIZE ) - bufferlength = T55xx_SAMPLES_SIZE; - - // Clear destination buffer before sending the command - memset(dest, 0x80, bufferlength); + + //make sure block is at max 7 + Block &= 0x7; // Set up FPGA, 125kHz - // Wait for config.. (192+8190xPOW)x8 == 67ms - //LFSetupFPGAForADC(0, true); - FpgaDownloadAndGo(FPGA_BITSTREAM_LF); - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); - - // Connect the A/D to the peak-detected low-frequency path. - SetAdcMuxFor(GPIO_MUXSEL_LOPKD); - - // Now set up the SSC to get the ADC samples that are now streaming at us. - FpgaSetupSsc(); - - // Give it a bit of time for the resonant antenna to settle. - //SpinDelayUs(8*200); //192FC - SpinDelay(50); + LFSetupFPGAForADC(95, true); + // Trigger T55x7 in mode. FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - //SpinDelayUs(START_GAP); - - // Opcode + SpinDelayUs(START_GAP); + + // Opcode 10 T55xxWriteBit(1); T55xxWriteBit(0); //Page 0 + if (PwdMode == 1){ // Pwd for (i = 0x80000000; i != 0; i >>= 1) T55xxWriteBit(Pwd & i); } - // Lock bit + // zero bit to seperate T55xxWriteBit(0); + // Block - for (i = 0x04; i != 0; i >>= 1) + for (i = 0x04; i != 0; i >>= 1) { T55xxWriteBit(Block & i); - - // Turn field on to read the response - TurnReadLFOn(); - // Now do the acquisition - i = 0; - for(;;) { - if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) { - AT91C_BASE_SSC->SSC_THR = 0x43; - LED_D_ON(); - } - if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) { - dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - i++; - LED_D_OFF(); - if (i >= bufferlength) break; - } + Dbprintf("ice %d",i); } + // Turn field on to read the response + TurnReadLFOn(START_GAP); + + // Acquisition + doT55x7Acquisition(); + + // field off + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); cmd_send(CMD_ACK,0,0,0,0,0); - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off LED_D_OFF(); } + // Read card traceability data (page 1) void T55xxReadTrace(void){ - uint32_t i = 0; - uint8_t *dest = BigBuf_get_addr(); - uint16_t bufferlength = BigBuf_max_traceLen(); - if ( bufferlength > T55xx_SAMPLES_SIZE ) - bufferlength= T55xx_SAMPLES_SIZE; - - // Clear destination buffer before sending the command - memset(dest, 0x80, bufferlength); - LFSetupFPGAForADC(0, true); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); SpinDelayUs(START_GAP); - // Opcode + // Opcode 11 T55xxWriteBit(1); T55xxWriteBit(1); //Page 1 // Turn field on to read the response - TurnReadLFOn(); - - // Now do the acquisition - for(;;) { - if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) { - AT91C_BASE_SSC->SSC_THR = 0x43; - LED_D_ON(); - } - if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) { - dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - i++; - LED_D_OFF(); + TurnReadLFOn(START_GAP); - if (i >= bufferlength) break; - } - } + // Acquisition + doT55x7Acquisition(); + // field off + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); cmd_send(CMD_ACK,0,0,0,0,0); - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off LED_D_OFF(); } + /*-------------- Cloning routines -----------*/ // Copy HID id to card and setup block 0 config void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) diff --git a/armsrc/lfsampling.c b/armsrc/lfsampling.c index 635934ef..33943421 100644 --- a/armsrc/lfsampling.c +++ b/armsrc/lfsampling.c @@ -245,7 +245,60 @@ uint32_t SampleLF(bool printCfg) * @return number of bits sampled **/ -uint32_t SnoopLF() -{ +uint32_t SnoopLF() { return ReadLF(false, true); } + +/** +* acquisition of T55x7 LF signal. Similart to other LF, but adjusted with @marshmellows thresholds +* the data is collected in BigBuf. +**/ +void doT55x7Acquisition(void){ + + #define T55xx_SAMPLES_SIZE 12000 // 32 x 32 x 10 (32 bit times numofblock (7), times clock skip..) + #define T55xx_READ_UPPER_THRESHOLD 128+40 // 50 + #define T55xx_READ_TOL 5 + //#define T55xx_READ_LOWER_THRESHOLD 128-40 //-50 + + uint8_t *dest = BigBuf_get_addr(); + uint16_t bufsize = BigBuf_max_traceLen(); + + if ( bufsize > T55xx_SAMPLES_SIZE ) + bufsize = T55xx_SAMPLES_SIZE; + + memset(dest, 0, bufsize); + + uint16_t i = 0; + bool startFound = false; + bool highFound = false; + uint8_t curSample = 0; + uint8_t firstSample = 0; + for(;;) { + if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) { + AT91C_BASE_SSC->SSC_THR = 0x43; + LED_D_ON(); + } + if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) { + curSample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; + + // find first high sample + if (!startFound && curSample > T55xx_READ_UPPER_THRESHOLD) { + if (curSample > firstSample) + firstSample = curSample; + highFound = true; + } else if (!highFound) { + continue; + } + + // skip until samples begin to change + if (startFound || curSample < firstSample-T55xx_READ_TOL){ + if (!startFound) + dest[i++] = firstSample; + startFound = true; + dest[i++] = curSample; + LED_D_OFF(); + if (i >= bufsize) break; + } + } + } +} \ No newline at end of file diff --git a/armsrc/lfsampling.h b/armsrc/lfsampling.h index 7d3925cd..460e6d8b 100644 --- a/armsrc/lfsampling.h +++ b/armsrc/lfsampling.h @@ -1,6 +1,12 @@ #ifndef LFSAMPLING_H #define LFSAMPLING_H +/** +* acquisition of T55x7 LF signal. Similart to other LF, but adjusted with @marshmellows thresholds +* the data is collected in BigBuf. +**/ +void doT55x7Acquisition(void); + /** * Initializes the FPGA for reader-mode (field on), and acquires the samples. * @return number of bits sampled diff --git a/armsrc/pcf7931.c b/armsrc/pcf7931.c index 2312795b..090a6e03 100644 --- a/armsrc/pcf7931.c +++ b/armsrc/pcf7931.c @@ -1,4 +1,8 @@ +#include "proxmark3.h" +#include "apps.h" +#include "lfsampling.h" #include "pcf7931.h" +#include "string.h" #define T0_PCF 8 //period for the pcf7931 in us #define ALLOC 16 diff --git a/armsrc/pcf7931.h b/armsrc/pcf7931.h index c7eaecfe..cfa81399 100644 --- a/armsrc/pcf7931.h +++ b/armsrc/pcf7931.h @@ -1,8 +1,14 @@ #ifndef __PCF7931_H #define __PCF7931_H -#include "proxmark3.h" -#include "apps.h" -#include "lfsampling.h" +int DemodPCF7931(uint8_t **outBlocks); +int IsBlock0PCF7931(uint8_t *Block); +int IsBlock1PCF7931(uint8_t *Block); +void ReadPCF7931(); +void SendCmdPCF7931(uint32_t * tab); +bool AddBytePCF7931(uint8_t byte, uint32_t * tab, int32_t l, int32_t p); +bool AddBitPCF7931(bool b, uint32_t * tab, int32_t l, int32_t p); +bool AddPatternPCF7931(uint32_t a, uint32_t b, uint32_t c, uint32_t * tab); +void WritePCF7931(uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, uint8_t pass5, uint8_t pass6, uint8_t pass7, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data); #endif \ No newline at end of file diff --git a/client/cmdlfpcf7931.c b/client/cmdlfpcf7931.c index 90fa5582..c0a45cfc 100644 --- a/client/cmdlfpcf7931.c +++ b/client/cmdlfpcf7931.c @@ -66,7 +66,7 @@ int usage_pcf7931_write(){ PrintAndLog("Options:"); PrintAndLog(" h This help"); PrintAndLog(" blockaddress Block to save [0-7]"); - PrintAndLog(" byteaddress Index of byte inside block to write [0-3]"); + PrintAndLog(" byteaddress Index of byte inside block to write [0-16]"); PrintAndLog(" data one byte of data (hex)"); PrintAndLog("Examples:"); PrintAndLog(" lf pcf7931 write 2 1 FF"); @@ -136,7 +136,7 @@ int CmdLFPCF7931Write(const char *Cmd){ if ( param_getdec(Cmd, 0, &block) ) return usage_pcf7931_write(); if ( param_getdec(Cmd, 1, &bytepos) ) return usage_pcf7931_write(); - if ( (block > 7) || (bytepos > 3) ) return usage_pcf7931_write(); + if ( (block > 7) || (bytepos > 16) ) return usage_pcf7931_write(); data = param_get8ex(Cmd, 2, 0, 16); diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c index 1daba1ad..1cadfe7a 100644 --- a/client/cmdlft55xx.c +++ b/client/cmdlft55xx.c @@ -267,8 +267,8 @@ bool DecodeT55xxBlock(){ DemodBufferLen = 0x00; //trim 1/2 a clock from beginning - snprintf(cmdStr, sizeof(buf),"%d", bitRate[config.bitrate]/2 ); - CmdLtrim(cmdStr); + //snprintf(cmdStr, sizeof(buf),"%d", bitRate[config.bitrate]/2 ); + //CmdLtrim(cmdStr); switch( config.modulation ){ case DEMOD_FSK: snprintf(cmdStr, sizeof(buf),"%d %d", bitRate[config.bitrate], config.inverted ); @@ -330,7 +330,7 @@ int CmdT55xxDetect(const char *Cmd){ // detect configuration? bool tryDetectModulation(){ - char cmdStr[8] = {0}; + //char cmdStr[8] = {0}; uint8_t hits = 0; t55xx_conf_block_t tests[15]; int bitRate=0; @@ -338,8 +338,8 @@ bool tryDetectModulation(){ save_restoreGB(1); if (GetFskClock("", FALSE, FALSE)){ fskClocks(&fc1, &fc2, &clk, FALSE); - sprintf(cmdStr,"%d", clk/2); - CmdLtrim(cmdStr); + //sprintf(cmdStr,"%d", clk/2); + //CmdLtrim(cmdStr); if ( FSKrawDemod("0 0", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate)){ tests[hits].modulation = DEMOD_FSK; if (fc1==8 && fc2 == 5) @@ -365,10 +365,9 @@ bool tryDetectModulation(){ } } else { clk = GetAskClock("", FALSE, FALSE); - if (clk>0) { - sprintf(cmdStr,"%d", clk/2); - CmdLtrim(cmdStr); + //sprintf(cmdStr,"%d", clk/2); + //CmdLtrim(cmdStr); if ( ASKDemod("0 0 0", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate)) { tests[hits].modulation = DEMOD_ASK; tests[hits].bitrate = bitRate; @@ -402,8 +401,8 @@ bool tryDetectModulation(){ save_restoreGB(0); clk = GetNrzClock("", FALSE, FALSE); if (clk>0) { - sprintf(cmdStr,"%d", clk/2); - CmdLtrim(cmdStr); + //sprintf(cmdStr,"%d", clk/2); + //CmdLtrim(cmdStr); if ( NRZrawDemod("0 0 1", FALSE) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate)) { tests[hits].modulation = DEMOD_NRZ; tests[hits].bitrate = bitRate; @@ -425,9 +424,9 @@ bool tryDetectModulation(){ save_restoreGB(0); clk = GetPskClock("", FALSE, FALSE); if (clk>0) { - PrintAndLog("clk %d",clk); - sprintf(cmdStr,"%d", clk/2); - CmdLtrim(cmdStr); + //PrintAndLog("clk %d",clk); + //sprintf(cmdStr,"%d", clk/2); + //CmdLtrim(cmdStr); if ( PSKDemod("0 0 1", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate)) { tests[hits].modulation = DEMOD_PSK1; tests[hits].bitrate = bitRate; @@ -665,7 +664,7 @@ int CmdT55xxWriteBlock(const char *Cmd) if (block > 7) { PrintAndLog("Block number must be between 0 and 7"); - return 2; + return 1; } UsbCommand resp; diff --git a/common/lfdemod.c b/common/lfdemod.c index 71cbfea9..0f8dd452 100644 --- a/common/lfdemod.c +++ b/common/lfdemod.c @@ -369,7 +369,9 @@ size_t fsk_wave_demod(uint8_t * dest, size_t size, uint8_t fchigh, uint8_t fclow if (fclow==0) fclow=8; //set the threshold close to 0 (graph) or 128 std to avoid static uint8_t threshold_value = 123; - + size_t preLastSample = 0; + size_t LastSample = 0; + size_t currSample = 0; // sync to first lo-hi transition, and threshold // Need to threshold first sample @@ -389,13 +391,22 @@ size_t fsk_wave_demod(uint8_t * dest, size_t size, uint8_t fchigh, uint8_t fclow // Check for 0->1 transition if (dest[idx-1] < dest[idx]) { // 0 -> 1 transition - if ((idx-last_transition)<(fclow-2)){ //0-5 = garbage noise + preLastSample = LastSample; + LastSample = currSample; + currSample = idx-last_transition; + if (currSample < (fclow-2)){ //0-5 = garbage noise //do nothing with extra garbage - } else if ((idx-last_transition) < (fchigh-1)) { //6-8 = 8 waves + } else if (currSample < (fchigh-1)) { //6-8 = 8 sample waves + if (LastSample > (fchigh-2) && preLastSample < (fchigh-1)){ + dest[numBits-1]=1; //correct last 9 wave surrounded by 8 waves + } dest[numBits++]=1; - } else if ((idx-last_transition) > (fchigh+1) && !numBits) { //12 + and first bit = garbage + + } else if (currSample > (fchigh+1) && !numBits) { //12 + and first bit = garbage //do nothing with beginning garbage - } else { //9+ = 10 waves + } else if (currSample == (fclow+1) && LastSample == (fclow-1)) { // had a 7 then a 9 should be two 8's + dest[numBits++]=1; + } else { //9+ = 10 sample waves dest[numBits++]=0; } last_transition = idx; @@ -580,7 +591,7 @@ int IOdemodFSK(uint8_t *dest, size_t size) // by marshmellow // takes a array of binary values, start position, length of bits per parity (includes parity bit), -// Parity Type (1 for odd; 0 for even; 2 for just drop it), and binary Length (length to run) +// Parity Type (1 for odd; 0 for even; 2 Always 1's), and binary Length (length to run) size_t removeParity(uint8_t *BitStream, size_t startIdx, uint8_t pLen, uint8_t pType, size_t bLen) { uint32_t parityWd = 0; @@ -590,10 +601,12 @@ size_t removeParity(uint8_t *BitStream, size_t startIdx, uint8_t pLen, uint8_t p parityWd = (parityWd << 1) | BitStream[startIdx+word+bit]; BitStream[j++] = (BitStream[startIdx+word+bit]); } - j--; + j--; // overwrite parity with next data // if parity fails then return 0 - if (pType != 2) { - if (parityTest(parityWd, pLen, pType) == 0) return -1; + if (pType == 2) { // then marker bit which should be a 1 + if (!BitStream[j]) return 0; + } else { + if (parityTest(parityWd, pLen, pType) == 0) return 0; } bitCnt+=(pLen-1); parityWd = 0; -- 2.39.2