]> cvs.zerfleddert.de Git - proxmark3-svn/blame - armsrc/fpgaloader.c
ADD: found a BCARD KeyB on the net. ref: http://irq5.io/2013/04/13/decoding-bcard...
[proxmark3-svn] / armsrc / fpgaloader.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
bd20f8f4 2// Jonathan Westhues, April 2006
62638f87 3// iZsh <izsh at fail0verflow.com>, 2014
bd20f8f4 4//
5// This code is licensed to you under the terms of the GNU GPL, version 2 or,
6// at your option, any later version. See the LICENSE.txt file for the text of
7// the license.
8//-----------------------------------------------------------------------------
15c4dc5a 9// Routines to load the FPGA image, and then to configure the FPGA's major
10// mode once it is configured.
15c4dc5a 11//-----------------------------------------------------------------------------
f38a1528 12
13#include "../include/proxmark3.h"
15c4dc5a 14#include "apps.h"
f7e3ed82 15#include "util.h"
9ab7a6c7 16#include "string.h"
15c4dc5a 17
18//-----------------------------------------------------------------------------
19// Set up the Serial Peripheral Interface as master
20// Used to write the FPGA config word
21// May also be used to write to other SPI attached devices like an LCD
22//-----------------------------------------------------------------------------
23void SetupSpi(int mode)
24{
25 // PA10 -> SPI_NCS2 chip select (LCD)
26 // PA11 -> SPI_NCS0 chip select (FPGA)
27 // PA12 -> SPI_MISO Master-In Slave-Out
28 // PA13 -> SPI_MOSI Master-Out Slave-In
29 // PA14 -> SPI_SPCK Serial Clock
30
31 // Disable PIO control of the following pins, allows use by the SPI peripheral
32 AT91C_BASE_PIOA->PIO_PDR =
33 GPIO_NCS0 |
34 GPIO_NCS2 |
35 GPIO_MISO |
36 GPIO_MOSI |
37 GPIO_SPCK;
38
39 AT91C_BASE_PIOA->PIO_ASR =
40 GPIO_NCS0 |
41 GPIO_MISO |
42 GPIO_MOSI |
43 GPIO_SPCK;
44
45 AT91C_BASE_PIOA->PIO_BSR = GPIO_NCS2;
46
47 //enable the SPI Peripheral clock
48 AT91C_BASE_PMC->PMC_PCER = (1<<AT91C_ID_SPI);
49 // Enable SPI
50 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SPIEN;
51
52 switch (mode) {
53 case SPI_FPGA_MODE:
54 AT91C_BASE_SPI->SPI_MR =
55 ( 0 << 24) | // Delay between chip selects (take default: 6 MCK periods)
56 (14 << 16) | // Peripheral Chip Select (selects FPGA SPI_NCS0 or PA11)
57 ( 0 << 7) | // Local Loopback Disabled
58 ( 1 << 4) | // Mode Fault Detection disabled
59 ( 0 << 2) | // Chip selects connected directly to peripheral
60 ( 0 << 1) | // Fixed Peripheral Select
61 ( 1 << 0); // Master Mode
62 AT91C_BASE_SPI->SPI_CSR[0] =
63 ( 1 << 24) | // Delay between Consecutive Transfers (32 MCK periods)
64 ( 1 << 16) | // Delay Before SPCK (1 MCK period)
65 ( 6 << 8) | // Serial Clock Baud Rate (baudrate = MCK/6 = 24Mhz/6 = 4M baud
66 ( 8 << 4) | // Bits per Transfer (16 bits)
67 ( 0 << 3) | // Chip Select inactive after transfer
68 ( 1 << 1) | // Clock Phase data captured on leading edge, changes on following edge
69 ( 0 << 0); // Clock Polarity inactive state is logic 0
70 break;
71 case SPI_LCD_MODE:
72 AT91C_BASE_SPI->SPI_MR =
73 ( 0 << 24) | // Delay between chip selects (take default: 6 MCK periods)
74 (11 << 16) | // Peripheral Chip Select (selects LCD SPI_NCS2 or PA10)
75 ( 0 << 7) | // Local Loopback Disabled
76 ( 1 << 4) | // Mode Fault Detection disabled
77 ( 0 << 2) | // Chip selects connected directly to peripheral
78 ( 0 << 1) | // Fixed Peripheral Select
79 ( 1 << 0); // Master Mode
80 AT91C_BASE_SPI->SPI_CSR[2] =
81 ( 1 << 24) | // Delay between Consecutive Transfers (32 MCK periods)
82 ( 1 << 16) | // Delay Before SPCK (1 MCK period)
83 ( 6 << 8) | // Serial Clock Baud Rate (baudrate = MCK/6 = 24Mhz/6 = 4M baud
84 ( 1 << 4) | // Bits per Transfer (9 bits)
85 ( 0 << 3) | // Chip Select inactive after transfer
86 ( 1 << 1) | // Clock Phase data captured on leading edge, changes on following edge
87 ( 0 << 0); // Clock Polarity inactive state is logic 0
88 break;
89 default: // Disable SPI
90 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SPIDIS;
91 break;
92 }
93}
94
95//-----------------------------------------------------------------------------
96// Set up the synchronous serial port, with the one set of options that we
97// always use when we are talking to the FPGA. Both RX and TX are enabled.
98//-----------------------------------------------------------------------------
99void FpgaSetupSsc(void)
100{
101 // First configure the GPIOs, and get ourselves a clock.
102 AT91C_BASE_PIOA->PIO_ASR =
103 GPIO_SSC_FRAME |
104 GPIO_SSC_DIN |
105 GPIO_SSC_DOUT |
106 GPIO_SSC_CLK;
107 AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;
108
109 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_SSC);
110
111 // Now set up the SSC proper, starting from a known state.
112 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
113
114 // RX clock comes from TX clock, RX starts when TX starts, data changes
115 // on RX clock rising edge, sampled on falling edge
116 AT91C_BASE_SSC->SSC_RCMR = SSC_CLOCK_MODE_SELECT(1) | SSC_CLOCK_MODE_START(1);
117
118 // 8 bits per transfer, no loopback, MSB first, 1 transfer per sync
d714d3ef 119 // pulse, no output sync
902cb3c0 120 AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
15c4dc5a 121
122 // clock comes from TK pin, no clock output, outputs change on falling
d714d3ef 123 // edge of TK, sample on rising edge of TK, start on positive-going edge of sync
902cb3c0 124 AT91C_BASE_SSC->SSC_TCMR = SSC_CLOCK_MODE_SELECT(2) | SSC_CLOCK_MODE_START(5);
15c4dc5a 125
126 // tx framing is the same as the rx framing
127 AT91C_BASE_SSC->SSC_TFMR = AT91C_BASE_SSC->SSC_RFMR;
128
129 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_RXEN | AT91C_SSC_TXEN;
130}
131
132//-----------------------------------------------------------------------------
133// Set up DMA to receive samples from the FPGA. We will use the PDC, with
134// a single buffer as a circular buffer (so that we just chain back to
135// ourselves, not to another buffer). The stuff to manipulate those buffers
136// is in apps.h, because it should be inlined, for speed.
137//-----------------------------------------------------------------------------
d19929cb 138bool FpgaSetupSscDma(uint8_t *buf, int len)
15c4dc5a 139{
d19929cb 140 if (buf == NULL) {
141 return false;
142 }
143
7bc95e2e 144 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS; // Disable DMA Transfer
145 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) buf; // transfer to this memory address
146 AT91C_BASE_PDC_SSC->PDC_RCR = len; // transfer this many bytes
147 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) buf; // next transfer to same memory address
148 AT91C_BASE_PDC_SSC->PDC_RNCR = len; // ... with same number of bytes
149 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN; // go!
d19929cb 150
151 return true;
15c4dc5a 152}
153
154static void DownloadFPGA_byte(unsigned char w)
155{
156#define SEND_BIT(x) { if(w & (1<<x) ) HIGH(GPIO_FPGA_DIN); else LOW(GPIO_FPGA_DIN); HIGH(GPIO_FPGA_CCLK); LOW(GPIO_FPGA_CCLK); }
157 SEND_BIT(7);
158 SEND_BIT(6);
159 SEND_BIT(5);
160 SEND_BIT(4);
161 SEND_BIT(3);
162 SEND_BIT(2);
163 SEND_BIT(1);
164 SEND_BIT(0);
165}
166
167// Download the fpga image starting at FpgaImage and with length FpgaImageLen bytes
168// If bytereversal is set: reverse the byte order in each 4-byte word
169static void DownloadFPGA(const char *FpgaImage, int FpgaImageLen, int bytereversal)
170{
171 int i=0;
172
173 AT91C_BASE_PIOA->PIO_OER = GPIO_FPGA_ON;
174 AT91C_BASE_PIOA->PIO_PER = GPIO_FPGA_ON;
175 HIGH(GPIO_FPGA_ON); // ensure everything is powered on
176
177 SpinDelay(50);
178
179 LED_D_ON();
180
181 // These pins are inputs
182 AT91C_BASE_PIOA->PIO_ODR =
183 GPIO_FPGA_NINIT |
184 GPIO_FPGA_DONE;
185 // PIO controls the following pins
186 AT91C_BASE_PIOA->PIO_PER =
187 GPIO_FPGA_NINIT |
188 GPIO_FPGA_DONE;
189 // Enable pull-ups
190 AT91C_BASE_PIOA->PIO_PPUER =
191 GPIO_FPGA_NINIT |
192 GPIO_FPGA_DONE;
193
194 // setup initial logic state
195 HIGH(GPIO_FPGA_NPROGRAM);
196 LOW(GPIO_FPGA_CCLK);
197 LOW(GPIO_FPGA_DIN);
198 // These pins are outputs
199 AT91C_BASE_PIOA->PIO_OER =
200 GPIO_FPGA_NPROGRAM |
201 GPIO_FPGA_CCLK |
202 GPIO_FPGA_DIN;
203
204 // enter FPGA configuration mode
205 LOW(GPIO_FPGA_NPROGRAM);
206 SpinDelay(50);
207 HIGH(GPIO_FPGA_NPROGRAM);
208
209 i=100000;
210 // wait for FPGA ready to accept data signal
211 while ((i) && ( !(AT91C_BASE_PIOA->PIO_PDSR & GPIO_FPGA_NINIT ) ) ) {
212 i--;
213 }
214
215 // crude error indicator, leave both red LEDs on and return
216 if (i==0){
217 LED_C_ON();
218 LED_D_ON();
219 return;
220 }
221
222 if(bytereversal) {
f7e3ed82 223 /* This is only supported for uint32_t aligned images */
224 if( ((int)FpgaImage % sizeof(uint32_t)) == 0 ) {
15c4dc5a 225 i=0;
226 while(FpgaImageLen-->0)
227 DownloadFPGA_byte(FpgaImage[(i++)^0x3]);
e30c654b 228 /* Explanation of the magic in the above line:
15c4dc5a 229 * i^0x3 inverts the lower two bits of the integer i, counting backwards
230 * for each 4 byte increment. The generated sequence of (i++)^3 is
e30c654b 231 * 3 2 1 0 7 6 5 4 11 10 9 8 15 14 13 12 etc. pp.
15c4dc5a 232 */
233 }
234 } else {
235 while(FpgaImageLen-->0)
236 DownloadFPGA_byte(*FpgaImage++);
237 }
238
239 // continue to clock FPGA until ready signal goes high
240 i=100000;
241 while ( (i--) && ( !(AT91C_BASE_PIOA->PIO_PDSR & GPIO_FPGA_DONE ) ) ) {
242 HIGH(GPIO_FPGA_CCLK);
243 LOW(GPIO_FPGA_CCLK);
244 }
245 // crude error indicator, leave both red LEDs on and return
246 if (i==0){
247 LED_C_ON();
248 LED_D_ON();
249 return;
250 }
251 LED_D_OFF();
252}
253
254static char *bitparse_headers_start;
255static char *bitparse_bitstream_end;
7cc204bf 256static int bitparse_initialized = 0;
15c4dc5a 257/* Simple Xilinx .bit parser. The file starts with the fixed opaque byte sequence
258 * 00 09 0f f0 0f f0 0f f0 0f f0 00 00 01
259 * After that the format is 1 byte section type (ASCII character), 2 byte length
260 * (big endian), <length> bytes content. Except for section 'e' which has 4 bytes
261 * length.
262 */
263static const char _bitparse_fixed_header[] = {0x00, 0x09, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x00, 0x00, 0x01};
264static int bitparse_init(void * start_address, void *end_address)
265{
266 bitparse_initialized = 0;
e30c654b 267
15c4dc5a 268 if(memcmp(_bitparse_fixed_header, start_address, sizeof(_bitparse_fixed_header)) != 0) {
269 return 0; /* Not matched */
270 } else {
271 bitparse_headers_start= ((char*)start_address) + sizeof(_bitparse_fixed_header);
272 bitparse_bitstream_end= (char*)end_address;
273 bitparse_initialized = 1;
274 return 1;
275 }
276}
277
278int bitparse_find_section(char section_name, char **section_start, unsigned int *section_length)
279{
280 char *pos = bitparse_headers_start;
281 int result = 0;
282
283 if(!bitparse_initialized) return 0;
284
285 while(pos < bitparse_bitstream_end) {
286 char current_name = *pos++;
287 unsigned int current_length = 0;
288 if(current_name < 'a' || current_name > 'e') {
289 /* Strange section name, abort */
290 break;
291 }
292 current_length = 0;
293 switch(current_name) {
294 case 'e':
295 /* Four byte length field */
296 current_length += (*pos++) << 24;
297 current_length += (*pos++) << 16;
298 default: /* Fall through, two byte length field */
299 current_length += (*pos++) << 8;
300 current_length += (*pos++) << 0;
301 }
e30c654b 302
15c4dc5a 303 if(current_name != 'e' && current_length > 255) {
304 /* Maybe a parse error */
305 break;
306 }
e30c654b 307
15c4dc5a 308 if(current_name == section_name) {
309 /* Found it */
310 *section_start = pos;
311 *section_length = current_length;
312 result = 1;
313 break;
314 }
e30c654b 315
15c4dc5a 316 pos += current_length; /* Skip section */
317 }
e30c654b 318
15c4dc5a 319 return result;
320}
321
322//-----------------------------------------------------------------------------
323// Find out which FPGA image format is stored in flash, then call DownloadFPGA
324// with the right parameters to download the image
325//-----------------------------------------------------------------------------
7cc204bf 326extern char _binary_fpga_lf_bit_start, _binary_fpga_lf_bit_end;
327extern char _binary_fpga_hf_bit_start, _binary_fpga_hf_bit_end;
328void FpgaDownloadAndGo(int bitstream_version)
15c4dc5a 329{
7cc204bf 330 void *bit_start;
331 void *bit_end;
332
333 // check whether or not the bitstream is already loaded
334 if (FpgaGatherBitstreamVersion() == bitstream_version)
335 return;
336
337 if (bitstream_version == FPGA_BITSTREAM_LF) {
338 bit_start = &_binary_fpga_lf_bit_start;
339 bit_end = &_binary_fpga_lf_bit_end;
340 } else if (bitstream_version == FPGA_BITSTREAM_HF) {
341 bit_start = &_binary_fpga_hf_bit_start;
342 bit_end = &_binary_fpga_hf_bit_end;
343 } else
344 return;
15c4dc5a 345 /* Check for the new flash image format: Should have the .bit file at &_binary_fpga_bit_start
346 */
7cc204bf 347 if(bitparse_init(bit_start, bit_end)) {
15c4dc5a 348 /* Successfully initialized the .bit parser. Find the 'e' section and
349 * send its contents to the FPGA.
350 */
351 char *bitstream_start;
352 unsigned int bitstream_length;
353 if(bitparse_find_section('e', &bitstream_start, &bitstream_length)) {
354 DownloadFPGA(bitstream_start, bitstream_length, 0);
e30c654b 355
15c4dc5a 356 return; /* All done */
357 }
358 }
e30c654b 359
15c4dc5a 360 /* Fallback for the old flash image format: Check for the magic marker 0xFFFFFFFF
e30c654b 361 * 0xAA995566 at address 0x102000. This is raw bitstream with a size of 336,768 bits
f7e3ed82 362 * = 10,524 uint32_t, stored as uint32_t e.g. little-endian in memory, but each DWORD
15c4dc5a 363 * is still to be transmitted in MSBit first order. Set the invert flag to indicate
364 * that the DownloadFPGA function should invert every 4 byte sequence when doing
365 * the bytewise download.
366 */
f7e3ed82 367 if( *(uint32_t*)0x102000 == 0xFFFFFFFF && *(uint32_t*)0x102004 == 0xAA995566 )
15c4dc5a 368 DownloadFPGA((char*)0x102000, 10524*4, 1);
369}
370
7cc204bf 371int FpgaGatherBitstreamVersion()
372{
373 char temp[256];
374 FpgaGatherVersion(temp, sizeof (temp));
375 if (!memcmp("LF", temp, 2))
376 return FPGA_BITSTREAM_LF;
377 else if (!memcmp("HF", temp, 2))
378 return FPGA_BITSTREAM_HF;
379 return FPGA_BITSTREAM_ERR;
380}
381
15c4dc5a 382void FpgaGatherVersion(char *dst, int len)
383{
e30c654b 384 char *fpga_info;
15c4dc5a 385 unsigned int fpga_info_len;
386 dst[0] = 0;
387 if(!bitparse_find_section('e', &fpga_info, &fpga_info_len)) {
388 strncat(dst, "FPGA image: legacy image without version information", len-1);
389 } else {
15c4dc5a 390 /* USB packets only have 48 bytes data payload, so be terse */
15c4dc5a 391 if(bitparse_find_section('a', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) {
7cc204bf 392 if (!memcmp("fpga_lf", fpga_info, 7))
393 strncat(dst, "LF ", len-1);
394 else if (!memcmp("fpga_hf", fpga_info, 7))
395 strncat(dst, "HF ", len-1);
15c4dc5a 396 }
7cc204bf 397 strncat(dst, "FPGA image built", len-1);
398#if 0
15c4dc5a 399 if(bitparse_find_section('b', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) {
400 strncat(dst, " for ", len-1);
401 strncat(dst, fpga_info, len-1);
402 }
403#endif
404 if(bitparse_find_section('c', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) {
405 strncat(dst, " on ", len-1);
406 strncat(dst, fpga_info, len-1);
407 }
408 if(bitparse_find_section('d', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) {
409 strncat(dst, " at ", len-1);
410 strncat(dst, fpga_info, len-1);
411 }
412 }
413}
414
415//-----------------------------------------------------------------------------
416// Send a 16 bit command/data pair to the FPGA.
417// The bit format is: C3 C2 C1 C0 D11 D10 D9 D8 D7 D6 D5 D4 D3 D2 D1 D0
418// where C is the 4 bit command and D is the 12 bit data
419//-----------------------------------------------------------------------------
f7e3ed82 420void FpgaSendCommand(uint16_t cmd, uint16_t v)
15c4dc5a 421{
422 SetupSpi(SPI_FPGA_MODE);
423 while ((AT91C_BASE_SPI->SPI_SR & AT91C_SPI_TXEMPTY) == 0); // wait for the transfer to complete
424 AT91C_BASE_SPI->SPI_TDR = AT91C_SPI_LASTXFER | cmd | v; // send the data
425}
426//-----------------------------------------------------------------------------
427// Write the FPGA setup word (that determines what mode the logic is in, read
428// vs. clone vs. etc.). This is now a special case of FpgaSendCommand() to
429// avoid changing this function's occurence everywhere in the source code.
430//-----------------------------------------------------------------------------
f7e3ed82 431void FpgaWriteConfWord(uint8_t v)
15c4dc5a 432{
433 FpgaSendCommand(FPGA_CMD_SET_CONFREG, v);
434}
435
436//-----------------------------------------------------------------------------
437// Set up the CMOS switches that mux the ADC: four switches, independently
438// closable, but should only close one at a time. Not an FPGA thing, but
439// the samples from the ADC always flow through the FPGA.
440//-----------------------------------------------------------------------------
f7e3ed82 441void SetAdcMuxFor(uint32_t whichGpio)
15c4dc5a 442{
443 AT91C_BASE_PIOA->PIO_OER =
444 GPIO_MUXSEL_HIPKD |
445 GPIO_MUXSEL_LOPKD |
446 GPIO_MUXSEL_LORAW |
447 GPIO_MUXSEL_HIRAW;
448
449 AT91C_BASE_PIOA->PIO_PER =
450 GPIO_MUXSEL_HIPKD |
451 GPIO_MUXSEL_LOPKD |
452 GPIO_MUXSEL_LORAW |
453 GPIO_MUXSEL_HIRAW;
454
455 LOW(GPIO_MUXSEL_HIPKD);
456 LOW(GPIO_MUXSEL_HIRAW);
457 LOW(GPIO_MUXSEL_LORAW);
458 LOW(GPIO_MUXSEL_LOPKD);
459
460 HIGH(whichGpio);
461}
Impressum, Datenschutz